CHANGES 547 KB
5315.	[bug]		Apply the initial RRSIG expiration spread fix
			to all dynamically created records in the zone
			including NSEC3. Also fix the signature clusters
			when the server has been offline for prolonged
			periods of time. [GL #1256]

5314.	[func]		Added a new statistics variable "tcp-highwater"
			that reports the maximum number of simultaneous TCP
			clients BIND has handled while running. [GL #1206]

5313.	[bug]		The default GeoIP2 database location did not match
			the ARM.  'named -V' now reports the default
			location. [GL #1301]

5310.	[bug]		TCP failures were affecting EDNS statistics. [GL #1059]

5309.	[bug]		"geoip-use-ecs yes;" was not working for GeoIP2.
			[GL #1275]

5308.	[bug]		Don't log DNS_R_UNCHANGED from sync_secure_journal()
			at ERROR level in receive_secure_serial(). [GL #1288]

5307.	[bug]		Fix hang when named-compilezone output is sent to pipe.
			Thanks to Tony Finch. [GL !2481]

5302.	[bug]		Fix checking that "dnstap-output" is defined when
			"dnstap" is specified in a view. [GL #1281]

5301.	[bug]		Detect partial prefixes / incomplete IPv4 address in
			acls. [GL #1143]

	--- 9.11.12 released ---

5296.	[bug]		Address various issues reported by cppcheck. [GL !2421]

5294.	[func]		Fall back to the ACE name on output in locales that do
			not support converting it to Unicode.  [GL #846]

5293.	[bug]		On Windows, named crashed upon any attempt to fetch XML
			statistics from it. [GL #1245]

5292.	[bug]		Queue 'rndc nsec3param' requests while signing inline
			zone changes. [GL #1205]

	--- 9.11.11 released ---

5291.	[cleanup]	Revert change #4825 as it was not appropriate for 9.11.
			[GL #1213]

5290.	[bug]		Address potential NULL pointer dereference in
			isc_ht_find. [GL #1211]

5287.	[bug]		Address potential NULL pointer dereference. [GL #1208]

5286.	[contrib]	Address potential NULL pointer dereferences in
			dlz_mysqldyn_mod.c. [GL #1207]

5285.	[port]		win32: implement "-T maxudpXXX". [GL #837]

5282.	[bug]		Fixed a bug in searching for possible wildcard matches
			for query names in the RPZ summary database. [GL #1146]

5281.	[cleanup]	Don't escape commas when reporting named's command
			line. [GL #1189]

5280.	[protocol]	Add support for displaying EDNS option LLQ. [GL #1201]

5279.	[bug]		When loading, reject zones containing CDS or CDNSKEY
			RRsets at the zone apex if they would cause DNSSEC
			validation failures if published in the parent zone
			as the DS RRset.  [GL #1187]

	--- 9.11.10 released ---

5275.	[bug]		Mark DS records included in referral messages
			with trust level "pending" so that they can be
			validated and cached immediately, with no need to
			re-query. [GL #964]

5273.	[bug]		Check that bits [64..71] of a dns64 prefix are zero.
			[GL #1159]

5269.	[port]		cygwin: can return ETIMEDOUT on connect() with a
			non-blocking socket. [GL #1133]

5268.	[bug]		named could crash during configuration if
			configured to use "geoip continent" ACLs with
			legacy GeoIP. [GL #1163]

5266.	[bug]		named-checkconf failed to report dnstap-output
			missing from named.conf when dnstap was specified.
			[GL #1136]

5265.	[bug]		DNS64 and RPZ nodata (CNAME *.) rules interacted badly
			[GL #1106]

5264.	[func]		New DNS Cookie algorithm - siphash24 - has been added to
			BIND 9. [GL #605]

	--- 9.11.9 released ---

5260.	[bug]		dnstap-read was producing malformed output for large
			packets. [GL #1093]

5258.	[func]		Added support for the GeoIP2 API from MaxMind,
			when BIND is compiled using "configure --with-geoip2".
			The legacy GeoIP API can be enabled by using
			"configure --with-geoip" instead. These options
			cannot be used together.

			Certain geoip ACL settings that were available with
			legacy GeoIP are not available when using GeoIP2.
			See the ARM for details. [GL #182]

5257.	[bug]		Some statistics data was not being displayed.
			Add shading to the zone tables. [GL #1030]

5256.	[bug]		Ensure that glue records are included in root
			priming responses if "minimal-responses" is not
			set to "yes". [GL #1092]

5255.	[bug]		Errors encountered while reloading inline-signing
			zones could be ignored, causing the zone content to
			be left in an incompletely updated state rather than
			reverted. [GL #1109]

5253.	[port]		Support platforms that don't define ULLONG_MAX.
			[GL #1098]

5249.	[bug]		Fix a possible underflow in recursion clients
			statistics when hitting recursive clients
			soft quota. [GL #1067]

	--- 9.11.8 released ---

5244.	[security]	Fixed a race condition in dns_dispatch_getnext()
			that could cause an assertion failure if a
			significant number of incoming packets were
			rejected. (CVE-2019-6471) [GL #942]

5241.	[bug]		Fix Ed448 private and public key ASN.1 prefix blobs.
			[GL #225]

5237.	[bug]		Recurse to find the root server list with 'dig +trace'.
			[GL #1028]

	--- 9.11.7 released ---

5233.	[bug]		Negative trust anchors did not work with "forward only;"
			to validating resolvers. [GL #997]

5232.	[bug]		Fix a high-load race/crash in isc_socket_cancel().
			[GL #834]

5231.	[protocol]	Add support for displaying CLIENT-TAG and SERVER-TAG.
			[GL #960]

5229.	[protocol]	Enforce known SSHFP fingerprint lengths. [GL #852]

5228.	[cleanup]	If trusted-keys and managed-keys are configured
			simultaneously for the same name, the key cannot
			be rolled automatically. This configuration now
			logs a warning. [GL #868]

5224.	[bug]		Only test provide-ixfr on TCP streams. [GL #991]

5222.	[bug]		'delv -t ANY' could leak memory. [GL #983]

5221.	[test]		Enable parallel execution of system tests on
			Windows. [GL !4101]

5218.	[bug]		Conditionally include <dlfcn.h>. [GL #995]

5214.	[bug]		win32: named now removes its lock file upon shutdown.
			[GL #979]

5213.	[bug]		win32: Eliminated a race which allowed named.exe running
			as a service to be killed prematurely during shutdown.
			[GL #978]

5210.	[bug]		When dnstap is enabled and recursion is not
			available, incoming queries are now logged
			as "auth". Previously, this depended on whether
			recursion was requested by the client, not on
			whether recursion was available. [GL #963]

5209.	[bug]		When update-check-ksk is true, add_sigs was not
			considering offline keys, leaving record sets signed
			with the incorrect type key. [GL #763]

5208.	[test]		Run valid rdata wire encodings through totext+fromtext
			and tofmttext+fromtext methods to check these methods.
			[GL #899]

5207.	[test]		Check delv and dig TTL values. [GL #965]

5205.	[bug]		Enforce that a DS hash exists. [GL #899]

5204.	[test]		Check that dns_rdata_fromtext() produces a record that
			will be accepted by dns_rdata_fromwire(). [GL #852]

5203.	[bug]		Enforce whether key rdata exists or not in KEY,
			DNSKEY, CDNSKEY and RKEY. [GL #899]

5197.	[bug]		dig could die in best effort mode on multiple SIG(0)
			records. Similarly on multiple OPT and multiple TSIG
			records. [GL #920]

5194.	[bug]		Enforce non-empty ZONEMD hash. [GL #899]

5193.	[bug]		EID and NIMLOC failed to do multi-line output
			correctly. [GL #899]

5192.	[bug]		configure --fips-mode failed. [GL #946]

5191.	[port]		Darwin: dlzexternal/driver.so was not building.
			[GL #948]

5189.	[cleanup]	Remove revoked root DNSKEY from bind.keys. [GL #945]

5187.	[test]		Set time zone before running any tests in dnstap_test.
			[GL #940]

5185.	[bug]		PKCS11 build could fail if ECDSA is not supported.
			[GL #935]

5184.	[bug]		Missing unlocks in sdlz.c. [GL #936]

5182.	[bug]		Fix a high-load race/crash in handling of
			isc_socket_close() in resolver. [GL #834]

5180.	[bug]		delv now honors the operating system's preferred
			ephemeral port range. [GL #925]

5179.	[cleanup]	Replace some vague type declarations with the more
			specific dns_secalg_t and dns_dsdigest_t.
			Thanks to Tony Finch. [GL !1498]

5178.	[bug]		Handle EDQUOT (disk quota) and ENOSPC (disk full)
			errors when writing files. [GL #902]

5176.	[tests]		Remove a dependency on libxml in statschannel system
			test. [GL #926]

5175.	[bug]		Fixed a problem with file input in dnssec-keymgr,
			dnssec-coverage and dnssec-checkds when using
			python3. [GL #882]

5174.	[doc]		Tidy dnssec-keygen manual. [GL !1557]

5172.	[bug]		nsupdate now honors the operating system's preferred
			ephemeral port range. [GL #905]

5170.	[test]		Added --with-dlz-filesystem to feature-test. [GL !1587]

5168.	[test]		Do not crash on shutdown when RPZ fails to load.  Also,
			keep previous version of the database if RPZ fails to
			load. [GL #813]

5167.	[bug]		nxdomain-redirect could sometimes look up the wrong
			redirect name. [GL #892]

	--- 9.11.6-P1 released ---

5200.	[security]	tcp-clients settings could be exceeded in some cases,
			which could lead to exhaustion of file descriptors.
			(CVE-2018-5743) [GL #615]

	--- 9.11.6 released ---

	--- 9.11.6rc1 released ---

5166.	[port]		openbsd: Threads are now enabled by default. [GL !1548]

5164.	[bug]		Correct errno to result translation in dlz filesystem
			modules. [GL #884]

5163.	[cleanup]	Out-of-tree builds failed --enable-dnstap. [GL #836]

5162.	[cleanup]	Improve dnssec-keymgr manual. Thanks to Tony Finch.
			[GL !1518]

5160.	[contrib]	Added DNAME support to the DLZ LDAP schema. Also
			fixed a compilation bug affecting several DLZ
			modules. [GL #872]

5159.	[bug]		dnssec-coverage was incorrectly ignoring
			names specified on the command line without
			trailing dots. [GL !1478]

5158.	[protocol]	Add support for AMTRELAY and ZONEMD. [GL #867]

5157.	[bug]		Nslookup now errors out if there are extra command
			line arguments. [GL #207]

5154.	[bug]		dig: process_opt could be called twice on the same
			message leading to an assertion failure. [GL #860]

5148.	[bug]		named did not sign the TKEY response. [GL #821]

5147.	[bug]		dnssec-keymgr: Add a five-minute margin to better
			handle key events close to 'now'. [GL #848]

5146.	[bug]		Removed an unnecessary assert that could be
			triggered from PKCS#11 modules during
			deconstruction. [GL #841]

5143.	[bug]		dnssec-keymgr and dnssec-coverage failed to find
			key files for zone names ending in ".". [GL #560]

5141.	[security]	Zone transfer controls for writable DLZ zones were
			not effective as the allowzonexfr method was not being
			called for such zones. (CVE-2019-6465) [GL #790]

5140.	[bug]		Don't immediately mark existing keys as inactive and
			deleted when running dnssec-keymgr for the first
			time. [GL #117]

5139.	[bug]		If possible, don't use forwarders when priming.
			This ensures we can get root server IP addresses
			from priming query response glue, which may not
			be present if the forwarding server is returning
			minimal responses. [GL #752]

5134.	[bug]		win32: WSAStartup was not called before getservbyname
			was called. [GL #590]

5133.	[bug]		'rndc managed-keys' didn't handle class and view
			correctly and failed to add new lines between each
			view. [GL !1327]

5128.	[bug]		Refreshkeytime was not being updated for managed
			keys zones. [GL #784]

5127.	[bug]		rcode.c:maybe_numeric failed to handle NUL in text
			regions. [GL #807]

5126.	[bug]		Named incorrectly accepted empty base64 and hex encoded
			fields when reading master files. [GL #807]

5125.	[bug]		Allow for up to 100 records or 64k of data when caching
			a negative response. [GL #804]

5124.	[bug]		Named could incorrectly return FORMERR rather than
			SERVFAIL. [GL #804]

5123.	[bug]		dig could hang indefinitely after encountering an error
			before creating a TCP socket. [GL #692]

5122.	[bug]		In a "forward first;" configuration, a forwarder
			timeout did not prevent that forwarder from being
			queried again after falling back to full recursive
			resolution. [GL #315]

5121.	[contrib]	dlz_stub_driver.c fails to return ISC_R_NOTFOUND on
			non-matching zone names. [GL !1299]

5118.	[security]	Named could crash if it is managing a key with
			`managed-keys` and the authoritative zone is rolling
			the key to an unsupported algorithm. (CVE-2018-5745)
			[GL #780]

5112.	[bug]		Named/named-checkconf could dump core if there was
			a missing masters clause and a bad notify clause.
			[GL #779]

5111.	[bug]		Occluded DNSKEY records could make it into the
			delegating NSEC/NSEC3 bitmap. [GL #742]

5110.	[security]	Named leaked memory if there were multiple Key Tag
			EDNS options present. (CVE-2018-5744) [GL #772]

5108.	[bug]		Named could fail to determine bottom of zone when
			removing out of date keys leading to invalid NSEC
			and NSEC3 records being added to the zone. [GL #771]

5107.	[bug]		'host -U' did not work. [GL #769]

5104.	[cleanup]	Log clearer informational message when a catz zone
			is overridden by a zone in named.conf.
			Thanks to Tony Finch. [GL !1157]

5103.	[bug]		Add missing design by contract tests to dns_catz*.
			[GL #748]

5102.	[bug]		dnssec-coverage failed to use the default TTL when
			checking KSK deletion times leading to an exception.
			[GL #585]

5101.	[bug]		Fix default installation path for Python modules.
			[GL #730]

5098.	[func]		Failed memory allocations are now fatal. [GL #674]

5097.	[cleanup]	Remove embedded ATF unit testing framework
			from BIND source distribution.  [GL !875]

5095.	[test]		Converted all unit tests from ATF to CMocka;
			removed the source code for the ATF libraries.
			Build with "configure --with-cmocka" to enable
			unit testing. [GL #620]

5094.	[func]		Add 'dig -r' to disable reading of .digrc. [GL !970]

5092.	[bug]		Address memory leak on SIGTERM in nsupdate when using
			GSS-TSIG. [GL #558]

5090.	[bug]		dig and mdig failed to properly pre-parse dash value
			pairs when value was a separate argument and started
			with a dash. [GL #584]

5088.	[bug]		dig/host/nslookup could crash when interrupted close to
			a query timeout. [GL #599]

5087.	[test]		Check that result tables are complete. [GL #676]

5086.	[func]		Log of RPZ now includes the QTYPE and QCLASS. [GL #623]

5084.	[func]		Add configure time detection of Utimaco HSM
			and disable runtime md5/sha1 detection when
			compiled with it. [GL #656]

5079.	[func]		Disable IDN processing in dig and nslookup
			when not on a tty. [GL #653]

5078.	[cleanup]	Require python components to be explicitly disabled if
			python is not available on unix platforms. [GL #601]

5076.	[bug]		"require-server-cookie" was not effective if
			"rate-limit" was configured. [GL #617]

5072.	[bug]		Add unit tests for isc_buffer_copyregion() and fix its
			behavior for auto-reallocated buffers. [GL #644]

5071.	[bug]		Comparison of NXT records was broken. [GL #631]

5070.	[bug]		Record types which support an empty rdata field were
			not handling the empty rdata field case. [GL #638]

5066.	[cleanup]	Allow unquoted strings to be used as zone names
			in response-policy statements. [GL #641]

5065.	[bug]		Only set IPV6_USE_MIN_MTU on IPv6. [GL #553]

5064.	[test]		Initialize TZ environment variable before calling
			dns_test_begin in dnstap_test. [GL #624]

5061.	[protocol]	Add support for EID and NIMLOC. [GL #626]

5060.	[bug]		GID, UID and UINFO could not be loaded using unknown
			record format. [GL #627]

5059.	[bug]		Display a per-view list of zones in the web interface.
			[GL #427]

5057.	[protocol]	Add support for ATMA. [GL #619]

5051.	[doc]		Documentation incorrectly stated that the
			"server-addresses" static-stub zone option accepts
			custom port numbers. [GL #582]

5042.	[test]		Make the chained delegations in reclimit behave
			like they would in a regular name server. [GL #578]

5041.	[test]		The chain test contains an incomplete delegation.
			[GL #568]

5039.	[bug]		Named could fail to preserve owner name case of new
			RRset. [GL #420]

4887.	[test]		Enable the rpzrecurse test to run on Windows.
			[RT #47093]

	--- 9.11.5 released ---

	--- 9.11.5rc1 released ---

5038.	[bug]		Chaosnet addresses were compared incorrectly.
			[GL #562]

5034.	[bug]		A race between threads could prevent zone maintenance
			scheduled immediately after zone load from being
			performed. [GL #542]

5033.	[bug]		When adding NTAs to multiple views using "rndc nta",
			the text returned via rndc was incorrectly terminated
			after the first line, making it look as if only one
			NTA had been added. Also, it was not possible to
			differentiate between views with the same name but
			different classes; this has been corrected with the
			addition of a "-class" option. [GL #105]

5032.	[func]		Add krb5-selfsub and ms-selfsub update policy rules.
			[GL #511]

5030.	[bug]		Align CMSG buffers to a 64-bit boundary, fixes crash
			on architectures with strict alignment. [GL #521]

5028.	[bug]		Spread the initial RRSIG expiration times over the
			entire working sig-validity-interval when signing a
			zone in named to even out re-signing and transfer
			loads. [GL #418]

5026.	[bug]		rndc reconfig should not touch already loaded zones.
			[GL #276]

5022.	[doc]		Update ms-self, ms-subdomain, krb5-self, and
			krb5-subdomain documentation. [GL !708]

5021.	[bug]		dig returned a non-zero exit code when it received a
			reply over TCP after a retry. [GL #487]

5019.	[cleanup]	A message is now logged when ixfr-from-differences is
			set at zone level for an inline-signed zone. [GL #470]

5018.	[bug]		Fix incorrect sizeof arguments in lib/isc/pk11.c.
			[GL !588]

5017.	[bug]		lib/isc/pk11.c failed to unlink the session before
			releasing the lock which is unsafe. [GL !589]

5016.	[bug]		Named could assert with overlapping filter-aaaa and
			dns64 acls. [GL #445]

5015.	[bug]		Reloading all zones caused zone maintenance to cease
			for inline-signed zones. [GL #435]

5014.	[bug]		Signatures loaded from the journal for the signed
			version of an inline-signed zone were not scheduled for
			refresh. [GL #482]

5012.	[bug]		Fix lock order reversal in pk11_initialize. [GL !590]

5009.	[bug]		Upon an OpenSSL failure, the first error in the OpenSSL
			error queue was not logged. [GL #476]

5008.	[bug]		"rndc signing -nsec3param ..." requests were silently
			ignored for zones which were not yet loaded or
			transferred. [GL #468]

5007.	[cleanup]	Replace custom ISC boolean and integer data types
			with C99 stdint.h and stdbool.h types. [GL #9]

5005.	[bug]		dnssec-verify, and dnssec-signzone at the verification
			step, failed on some validly signed zones. [GL #442]

5004.	[bug]		'rndc reconfig' could cause inline zones to stop
			re-signing. [GL #439]

5003.	[bug]		dns_acl_isinsecure did not handle geoip elements.
			[GL #406]

5002.	[bug]		mdig: Handle malformed +ednsopt option, support 100
			+ednsopt options per query rather than 100 total and
			address memory leaks if +ednsopt was specified.
			[GL #410]

5001.	[bug]		Fix refcount errors on error paths. [GL !563]

4996.	[bug]		dig: Handle malformed +ednsopt option. [GL #403]

4995.	[test]		Add tests for "tcp-self" update policy. [GL !282]

4994.	[bug]		Trust anchor telemetry queries were not being sent
			upstream for locally served zones. [GL #392]

4992.	[bug]		The wrong address was being logged for trust anchor
			telemetry queries. [GL #379]

4990.	[bug]		Prevent a possible NULL reference in pkcs11-keygen.
			[GL #401]

	--- 9.11.4-P1 released ---

4997.	[security]	named could crash during recursive processing
			of DNAME records when "deny-answer-aliases" was
			in use. (CVE-2018-5740) [GL #387]

	--- 9.11.4 released ---

	--- 9.11.4rc2 released ---

4984.	[bug]		Improve handling of very large incremental
			zone transfers to prevent journal corruption. [GL #339]

4983.	[cleanup]	Remove the deprecated flag from "answer-cookie";
			it will be allowed to persist into 9.13. [GL #275].

4982.	[cleanup]	Return FORMERR if the question section is empty
			and no COOKIE option is present; this restores
			older behavior except in the newly specified
			COOKIE case. [GL #260]

4981.	[bug]		Fix race in cmsg buffer usage in socket code.
			[GL #180]

4980.	[bug]		Named-checkconf failed to detect bad in-view targets.
			[GL #288]

4979.	[bug]		Non-libcap builds were not checking whether all
			requested capabilities are present in the permitted
			capability set. [GL #321]

4977.	[func]		When starting up, log the same details that
			would be reported by 'named -V'. [GL #247]

4975.	[bug]		The server cookie computation for sha1 and sha256 did
			not match the method described in RFC 7873. [GL #356]

4972.	[func]		Declare the 'rdata' argument for dns_rdata_tostruct()
			to be const. [GL #341]

4971.	[bug]		dnssec-signzone and dnssec-verify did not treat records
			below a DNAME as out-of-zone data. [GL #298]

4969.	[cleanup]	Refactor zone logging functions. [GL #269]

	--- 9.11.4rc1 released ---

4968.	[bug]		If glue records are signed, attempt to validate them.
			[GL #209]

4966.	[func]		Add the ability to not return a DNS COOKIE option
			when one is present in the request (answer-cookie no;).
			[GL #173]

4965.	[func]		Add support for marking options as deprecated.
			[GL #322]

4964.	[bug]		Reduce the probability of double signature when deleting
			a DNSKEY by checking if the node is otherwise signed
			by the algorithm of the key to be deleted. [GL #240]

4963.	[test]		ifconfig.sh now uses "ip" instead of "ifconfig",
			if available, to configure the test interfaces on
			linux.  [GL #302]

4962.	[cleanup]	Move 'named -T' processing to its own function.
			[GL #316]

4960.	[security]	When recursion is enabled, but the "allow-recursion"
			and "allow-query-cache" ACLs are not specified,
			they should be limited to local networks,
			but were inadvertently set to match the default
			"allow-query", thus allowing remote queries.
			(CVE-2018-5738) [GL #309]

4958.	[bug]		Remove redundant space from NSEC3 record. [GL #281]

4955.	[cleanup]	Silence cppcheck warnings in lib/dns/master.c.
			[GL #286]

4951.	[protocol]	Add "HOME.ARPA" to list of built in empty zones as
			per RFC 8375. [GL #273]

4950.	[bug]		ISC_SOCKEVENTATTR_TRUNC was not being set. [GL #238]

4949.	[bug]		lib/isc/print.c failed to handle floating point
			output correctly. [GL #261]

4946.	[bug]		Additional glue was not being returned by resolver
			for unsigned zones since change 4596. [GL #209]

4939.	[test]		Add basic unit tests for update_sigs(). [GL #135]

4935.	[func]		Add support for LibreSSL >= 2.7.0 (some OpenSSL 1.1.0
			calls were added). [GL #191]

4933.	[bug]		Not creating signing keys for an inline signed zone
			prevented changes applied to the raw zone from being
			reflected in the secure zone until signing keys were
			made available. [GL #159]

4932.	[bug]		Bumped signed serial of an inline signed zone was
			logged even when an error occurred while updating
			signatures. [GL #159]

4930.	[bug]		Remove a bogus check in nslookup command line
			argument processing. [GL #206]

4926.	[func]		Add root key sentinel support.  To disable, add
			'root-key-sentinel no;' to named.conf. [GL #37]

4922.	[bug]		dnstap: Log the destination address of client
			packets rather than the interface address.
			[GL #197]

4921.	[cleanup]	Add dns_fixedname_initname() and refactor the caller
			code to make usage of the new function, as a part of
			refactoring dns_fixedname_*() macros were turned into
			functions. [GL #183]

4918.	[bug]		Fix double free after keygen error in dnssec-keygen
			when OpenSSL >= 1.1.0 is used and RSA_generate_key_ex
			fails. [GL #109]

4915.	[func]		Implement IDNA2008 support in dig by adding support
			for libidn2.  New dig option +idnin has been added,
			which allows to process invalid domain names much
			like dig without IDN support.  libidn2 version 2.0
			or higher is needed for +idnout enabled by default.

4913.	[test]		Re-implemented older unit tests in bin/tests as ATF,
			removed the lib/tests unit testing library. [GL #115]

4911.	[test]		Improved the reliability of the 'mkeys' system test.
			[GL #128]

4910.	[func]		Update util/check-changes to work on release branches.
			[GL #113]

4909.	[bug]		named-checkconf did not detect in-view zone collisions.
			[GL #125]

4908.	[test]		Eliminated unnecessary waiting in the allow_query
			system test. Also changed its name to allow-query.
			[GL #81]

4907.	[test]		Improved the reliability of the 'notify' system
			test. [GL #59]

4905.	[bug]		irs_resconf_load() ignored resolv.conf syntax errors
			when "domain" or "search" options were present in that
			file. [GL #110]

4903.	[bug]		"check-mx fail;" did not prevent MX records containing
			IP addresses from being added to a zone by a dynamic
			update. [GL #112]

4902.	[test]		Improved the reliability of the 'ixfr' system
			test. [GL #66]

4899.	[test]		Convert most of the remaining system tests to be able
			to run in parallel, continuing the work from change
			#4895. To take advantage of this, use "make -jN check",
			where N is the number of processors to use. [GL #91]

4896.	[test]		cacheclean system test was not robust. [GL #82]

4895.	[test]		Allow some system tests to run in parallel.
			[RT #46602]

4893.	[bug]		Address various issues reported by cppcheck. [GL #51]

4892.	[bug]		named could leak memory when "rndc reload" was invoked
			before all zone loading actions triggered by a previous
			"rndc reload" command were completed. [RT #47076]

4699.	[func]		Multiple cookie-secret clauses can now be specified.
			The first one specified is used to generate new
			server cookies.  [RT #45672]

	--- 9.11.3 released ---

	--- 9.11.3rc2 released ---

4904.	[bug]		Temporarily revert change #4859. [GL #124]

	--- 9.11.3rc1 released ---

4889.	[func]		Warn about the use of old root keys without the new
			root key being present.  Warn about dlv.isc.org's
			key being present. Warn about both managed and
			trusted root keys being present. [RT #43670]

4888.	[test]		Initialize sockets correctly in sample-update so
			that the nsupdate system test will run on Windows.
			[RT #47097]

4886.	[doc]		Document dig -u in manpage. [RT #47150]

4885.	[security]	update-policy rules that otherwise ignore the name
			field now require that it be set to "." to ensure
			that any type list present is properly interpreted.
			[RT #47126]

4882.	[bug]		Address potential memory leak in
			dns_update_signaturesinc. [RT #47084]

4881.	[bug]		Only include dst_openssl.h when OpenSSL is required.
			[RT #47068]

4879.	[bug]		dns_rdata_caa:value_len field was too small.
			[RT #47086]

4878.	[bug]		List 'ply' as a requirement for the 'isc' python
			package. [RT #47065]

4811.	[bug]		Revert api changes to use <isc/buffer.h> inline
			macros.  Provide an alternative mechanism to turn
			on the use of inline macros when building BIND.
			[RT #46520]

	--- 9.11.3b1 released ---

4876.	[bug]		Address deadlock with accessing a keytable. [RT #47000]

4875.	[bug]		Address compile failures on older systems. [RT #47015]

4874.	[bug]		Wrong time display when reporting new keywarntime.
			[RT #47042]

4873.	[doc]		Grammars for named.conf included in the ARM are now
			automatically generated by the configuration parser
			itself.  As a side effect of the work needed to
			separate zone type grammars from each other, this
			also makes checking of zone statements in
			named-checkconf more correct and consistent.
			[RT #36957]

4872.	[bug]		Don't permit loading meta RR types such as TKEY
			from master files. [RT #47009]

4871.	[bug]		Fix configure glitch in detecting stdatomic.h
			support on systems with multiple compilers.
			[RT #46959]

4870.	[test]		Update included ATF library to atf-0.21 preserving
			the ATF tool. [RT #46967]

4869.	[bug]		Address some cases where NULL with zero length could
			be passed to memmove which is undefined behaviour and
			can lead to bad optimisation. [RT #46888]

4867.	[cleanup]	Normalize rndc on/off commands (validation and
			querylog) so they accept the same synonyms
			for on/off (yes/no, true/false, enable/disable).
			Thanks to Tony Finch. [RT #47022]

4866.	[port]		DST library initialization verifies MD5 (when MD5
			was not disabled) and SHA-1 hash and HMAC support.
			[RT #46764]

4864.	[bug]		named acting as a slave for a catalog zone crashed if
			the latter contained a master definition without an IP
			address. [RT #45999]

4863.	[bug]		Fix various other bugs reported by Valgrind's
			memcheck tool. [RT #46978]

4862.	[bug]		The rdata flags for RRSIG were not being properly set
			when constructing a rdataslab. [RT #46978]

4861.	[bug]		The isc_crc64 unit test was not endian independent.
			[RT #46973]

4860.	[bug]		isc_int8_t should be signed char.  [RT #46973]

4859.	[bug]		A loop was possible when attempting to validate
			unsigned CNAME responses from secure zones;
			this caused a delay in returning SERVFAIL and
			also increased the chances of encountering
			CVE-2017-3145. [RT #46839]

4858.	[security]	Addresses could be referenced after being freed
			in resolver.c, causing an assertion failure.
			(CVE-2017-3145) [RT #46839]

4857.	[bug]		Maintain attach/detach semantics for event->db,
			event->node, event->rdataset and event->sigrdataset
			in query.c. [RT #46891]

4856.	[bug]		'rndc zonestatus' reported the wrong underlying type
			for an inline slave zone. [RT #46875]

4852.	[bug]		Handle strftime() failing in isc_time_formatISO8601ms.
			Add REQUIRE's and INSIST's to isc_time_formattimestamp,
			isc_time_formathttptimestamp, isc_time_formatISO8601,
			isc_time_formatISO8601ms. [RT #46892]

4851.	[port]		Support using kyua as well as atf-run to run the unit
			tests. [RT #46853]

4850.	[bug]		Named failed to restart with multiple added zones in
			lmdb database. [RT #46889]

4849.	[bug]		Duplicate zones could appear in the .nzf file if
			addzone failed. [RT #46435]

4846.	[test]		Adjust timing values in runtime system test. Address
			named.pid removal races in runtime system test.
			[RT #46800]

4844.	[test]		Address memory leaks in libatf-c. [RT #46798]

4843.	[bug]		dnssec-signzone free hashlist on exit. [RT #46791]

4842.	[bug]		Conditionally compile opensslecdsa_link.c to avoid
			warnings about unused function. [RT #46790]

4841.	[bug]		Address -fsanitize=undefined warnings. [RT #46786]

4840.	[test]		Add tests to cover fallback to using ZSK on inactive
			KSK. [RT #46787]

4839.	[bug]		zone.c:zone_sign was not properly determining
			if there were active KSK and ZSK keys for
			an algorithm when update-check-ksk is true
			(default) leaving records unsigned with one or
			more DNSKEY algorithms. [RT #46774]

4838.	[bug]		zone.c:add_sigs was not properly determining
			if there were active KSK and ZSK keys for
			an algorithm when update-check-ksk is true
			(default) leaving records unsigned with one or
			more DNSKEY algorithms. [RT #46754]

4837.	[bug]		dns_update_signatures{inc} (add_sigs) was not
			properly determining if there were active KSK and
			ZSK keys for an algorithm when update-check-ksk is
			true (default) leaving records unsigned when there
			were multiple DNSKEY algorithms for the zone.
			[RT #46743]

4836.	[bug]		Zones created using "rndc addzone" could
			temporarily fail to inherit an "allow-transfer"
			ACL that had been configured in the options
			statement. [RT #46603]

4835.	[cleanup]	Clean up and refactor LMDB-related code. [RT #46718]

4834.	[port]		Fix LMDB support on OpenBSD. [RT #46718]

4833.	[bug]		isc_event_free should check that the event is not
			linked when called. [RT #46725]

4832.	[bug]		Events were not being removed from zone->rss_events.
			[RT #46725]

4831.	[bug]		Convert the RRSIG expirytime to 64 bits for
			comparisons in diff.c:resign. [RT #46710]

4830.	[bug]		Failure to configure ATF when requested did not cause
			an error in top-level configure script. [RT #46655]

4829.	[bug]		isc_heap_delete did not zero the index value when
			the heap was created with a callback to do that.
			[RT #46709]

4828.	[bug]		Do not use thread-local storage for storing LMDB reader
			locktable slots. [RT #46556]

4827.	[misc]		Add a precommit check script util/checklibs.sh
			[RT #46215]

4826.	[cleanup]	Prevent potential build failures in bin/confgen/ and
			bin/named/ when using parallel make. [RT #46648]

4825.	[bug]		Prevent a bogus "error during managed-keys processing
			(no more)" warning from being logged. [RT #46645]

4823.	[test]		Refactor reclimit system test to improve its
			reliability and speed. [RT #46632]

4822.	[bug]		Use resign_sooner in dns_db_setsigningtime. [RT #46473]

4821.	[bug]		When resigning ensure that the SOA's expire time is
			always later than the resigning time of other records.
			[RT #46473]

4820.	[bug]		dns_db_subtractrdataset should transfer the resigning
			information to the new header. [RT #46473]

4819.	[bug]		Fully backout the transaction when adding a RRset
			to the resigning / removal heaps fails. [RT #46473]

4818.	[test]		The logfileconfig system test could intermittently
			report false negatives on some platforms. [RT #46615]

4817.	[cleanup]	Use DNS_NAME_INITABSOLUTE and DNS_NAME_INITNONABSOLUTE.
			[RT #45433]

4816.	[bug]		Don't use a common array for storing EDNS options
			in DiG as it could fill up. [RT #45611]

4815.	[bug]		rbt_test.c:insert_and_delete needed to call
			dns_rbt_addnode instead of dns_rbt_addname. [RT #46553]

4814.	[cleanup]	Use AS_HELP_STRING for consistent help text. [RT #46521]

4812.	[bug]		Minor improvements to stability and consistency of code
			handling managed keys. [RT #46468]

4810.	[test]		The chain system test failed if the IPv6 interfaces
			were not configured. [RT #46508]

4809.	[port]		Check at configure time whether -latomic is needed
			for stdatomic.h. [RT #46324]

4808.	[bug]		Properly test for zlib.h. [RT #46504]

4805.	[bug]		TCP4Active and TCP6Active weren't being updated
			correctly. [RT #46454]

4804.	[port]		win32: access() does not work on directories as
			required by POSIX.  Supply an alternative in
			isc_file_isdirwritable. [RT #46394]

4803.	[bug]		Backport parts of RT #45293 and RT #46267, specifically
			the fix for RT #46055 and mkeys system test
			improvements. [RT #46430]

4800.	[bug]		When processing delzone, write one zone config per
			line to the NZF. [RT #46323]

4799.	[cleanup]	Improve clarity of keytable unit tests. [RT #46407]

4792.	[bug]		Fix map file header correctness check. [RT #38418]

4791.	[doc]		Fixed outdated documentation about export libraries.
			[RT #46341]

4790.	[bug]		nsupdate could trigger a require when sending an
			update to the second address of the server.
			[RT #45731]

4788.	[cleanup]	When using "update-policy local", log a warning
			when an update matching the session key is received
			from a remote host. [RT #46213]

4787.	[cleanup]	Turn nsec3param_salt_totext() into a public function,
			dns_nsec3param_salttotext(), and add unit tests for it.
			[RT #46289]

4783.	[test]		dnssec: 'check that NOTIFY is sent at the end of
			NSEC3 chain generation failed' required more time
			on some machines for the IXFR to complete. [RT #46388]

4782.	[test]		dnssec: 'checking positive and negative validation
			with negative trust anchors' required more time to
			complete on some machines. [RT #46386]

4781.	[maint]		B.ROOT-SERVERS.NET is now 199.9.14.201. [RT #45889]

4780.	[bug]		When answering ANY queries, don't include the NS
			RRset in the authority section if it was already
			in the answer section. [RT #44543]

4779.	[bug]		Expire NTA at the start of the second. Don't update
			the expiry value if the record has already expired
			after a successful check. [RT #46368]

4777.	[cleanup]	Removed a redundant call to configure_view_acl().
			[RT #46369]

4776.	[bug]		Improve portability of ht_test. [RT #46333]

4775.	[bug]		Address Coverity warnings in ht_test.c [RT #46281]

4774.	[bug]		<isc/util.h> was incorrectly included in several
			header files. [RT #46311]

4773.	[doc]		Fixed generating Doxygen documentation for functions
			annotated using certain macros.  Miscellaneous
			Doxygen-related cleanups. [RT #46276]

4771.	[bug]		When sending RFC 5011 refresh queries, disregard
			cached DNSKEY rrsets. [RT #46251]

4770.	[bug]		Cache additional data from priming queries as glue.
			Previously they were ignored as unsigned
			non-answer data from a secure zone, and never
			actually got added to the cache, causing hints
			to be used frequently for root-server
			addresses, which triggered re-priming. [RT #45241]

4769.	[bug]		Enforce the requirement that the managed keys
			directory (specified by "managed-keys-directory",
			and defaulting to the working directory if not
			specified) must be writable. [RT #46077]

4766.	[cleanup]	Address Coverity warnings. [RT #46150]

4763.	[contrib]	Improve compatibility when building MySQL DLZ
			module by using mysql_config if available.
			[RT #45558]

4762.	[func]		"update-policy local" is now restricted to updates
			from local addresses. (Previously, other addresses
			were allowed so long as updates were signed by the
			local session key.) [RT #45492]

4761.	[protocol]	Add support for DOA. [RT #45612]

4759.	[func]		Add logging channel "trust-anchor-telemetry" to
			record trust-anchor-telemetry in incoming requests.
			Both _ta-XXXX.<anchor>/NULL and EDNS KEY-TAG options
			are logged.  [RT #46124]

4758.	[doc]		Remove documentation of unimplemented "topology".
			[RT #46161]

4756.	[bug]		Interrupting dig could lead to an INSIST failure after
			certain errors were encountered while querying a host
			whose name resolved to more than one address.  Change
			4537 increased the odds of triggering this issue by
			causing dig to hang indefinitely when certain error
			paths were evaluated.  dig now also retries TCP queries
			(once) if the server gracefully closes the connection
			before sending a response. [RT #42832, #45159]

4755.	[cleanup]	Silence unnecessary log message when NZF file doesn't
			exist. [RT #46186]

4754.	[bug]		dns_zone_setview needs a two stage commit to properly
			handle errors. [RT #45841]

4753.	[contrib]	Software obtainable from known upstream locations
			(i.e., zkt, nslint, query-loc) has been removed.
			Links to these and other packages can be found at
			https://www.isc.org/community/tools [RT #46182]

4752.	[test]		Add unit test for isc_net_pton. [RT #46171]

4749.	[func]		The ISC DLV service has been shut down, and all
			DLV records have been removed from dlv.isc.org.
			- Removed references to ISC DLV in documentation
			- Removed DLV key from bind.keys
			- No longer use ISC DLV by default in delv
			[RT #46155]

4748.	[cleanup]	Sprintf to snprintf conversions. [RT #46132]

4746.	[cleanup]	Add configured prefixes to configure summary
			output. [RT #46153]

4745.	[test]		Add color-coded pass/fail messages to system
			tests when running on terminals that support them.
			[RT #45977]

4744.	[bug]		Suppress trust-anchor-telemetry queries if
			validation is disabled. [RT #46131]

4741.	[bug]		Make isc_refcount_current() atomically read the
			counter value. [RT #46074]

4740.	[cleanup]	Avoid triggering format-truncated warnings. [RT #46107]

4739.	[cleanup]	Address clang static analysis warnings. [RT #45952]

4738.	[port]		win32: strftime mishandles %Z. [RT #46039]

4737.	[cleanup]	Address Coverity warnings. [RT #46012]

4736.	[cleanup]	(a) Added comments to NSEC3-related functions in
			lib/dns/zone.c.  (b) Refactored NSEC3 salt formatting
			code.  (c) Minor tweaks to lock and result handling.
			[RT #46053]

4735.	[bug]		Add @ISC_OPENSSL_LIBS@ to isc-config. [RT #46078]

4734.	[contrib]	Added sample configuration for DNS-over-TLS in
			contrib/dnspriv.

4731.	[bug]		Fix use after free when closing an LMDB. [RT #46000]

4730.	[bug]		Fix out of bounds access in DHCID totext() method.
			[RT #46001]

4729.	[bug]		Don't use memset() to wipe memory, as it may be
			removed by compiler optimizations when the
			memset() occurs on automatic stack allocation
			just before function return. [RT #45947]

4728.	[func]		Use C11's stdatomic.h instead of isc_atomic
			where available. [RT #40668]

4727.	[bug]		Retransferring an inline-signed slave using NSEC3
			around the time its NSEC3 salt was changed could result
			in an infinite signing loop. [RT #45080]

4726.	[port]		Prevent setsockopt() errors related to TCP_FASTOPEN
			from being logged on FreeBSD if the kernel does not
			support it.  Notify the user when the kernel does
			support TCP_FASTOPEN, but it is disabled by sysctl.
			Add a new configure option, --disable-tcp-fastopen, to
			disable use of TCP_FASTOPEN altogether. [RT #44754]

4725.	[bug]		Nsupdate: "recvsoa" was incorrectly reported for
			failures in sending the update message.  The correct
			location to be reported is "update_completed".
			[RT #46014]

4723.	[bug]		Statistics counter DNSTAPdropped was misidentified
			as DNSSECdropped. [RT #46002]

4722.	[cleanup]	Clean up uses of strcpy() and strcat() in favor of
			strlcpy() and strlcat() for safety. [RT #45981]

4719.	[bug]		Address PVS static analyzer warnings. [RT #45946]

4717.	[bug]		Treat replies with QCOUNT=0 as truncated if TC=1,
			FORMERR if TC=0, and log the error correctly.
			[RT #45836]

4715.	[bug]		TreeMemMax was mis-identified as a second HeapMemMax
			in the JSON cache statistics. [RT #45980]

4714.	[port]		openbsd/libressl: add support for building with
			--enable-openssl-hash. [RT #45982]

4713.	[cleanup]	Minor revisions to RPZ code to reduce
			differences with the development branch. [RT #46037]

4712.	[bug]		"dig +domain" and "dig +search" didn't retain the
			search domain when retrying with TCP. [RT #45547]

4711.	[test]		Some RR types were missing from genzones.sh.
			[RT #45782]

4709.	[cleanup]	Use dns_name_fullhash() to hash names for RRL.
			[RT #45435]

4703.	[bug]		BINDInstall.exe was missing some buffer length checks.
			[RT #45898]

4698.	[port]		Add --with-python-install-dir configure option to allow
			specifying a nonstandard installation directory for
			Python modules. [RT #45407]

4697.	[bug]		Restore workaround for Microsoft Windows TSIG hash
			computation bug. [RT #45854]

4696.	[port]		Enable filter-aaaa support by default on Windows
			builds. [RT #45883]

4695.	[bug]		cookie-secrets were not being properly checked by
			named-checkconf. [RT #45886]

4692.	[bug]		Fix build failures with libressl introduced in 4676.
			[RT #45879]

4690.	[bug]		Command line options -4/-6 were handled inconsistently
			between tools. [RT #45632]

4689.	[cleanup]	Turn on minimal responses for CDNSKEY and CDS in
			addition to DNSKEY and DS. Thanks to Tony Finch.
			[RT #45690]

4688.	[protocol]	Check and display EDNS KEY TAG options (RFC 8145) in
			messages. [RT #44804]

4686.	[bug]		dnssec-settime -p could print a bogus warning about
			key deletion scheduled before its inactivation when a
			key had an inactivation date set but no deletion date
			set. [RT #45807]

4685.	[bug]		dnssec-settime incorrectly calculated publication and
			activation dates for a successor key. [RT #45806]

4684.	[bug]		delv could send bogus DNS queries when an explicit
			server address was specified on the command line along
			with -4/-6. [RT #45804]

4683.	[bug]		Prevent nsupdate from immediately exiting on invalid
			user input in interactive mode. [RT #28194]

4682.	[bug]		Don't report errors on records below a DNAME.
			[RT #44880]

4680.	[bug]		Fix failing over to another master server address when
			nsupdate is used with GSS-API. [RT #45380]

4679.	[cleanup]	Suggest using -o when dnssec-verify finds a SOA record
			not at top of zone and -o is not used. [RT #45519]