CHANGES 380 KB
Newer Older
Evan Hunt's avatar
Evan Hunt committed
1
2
3567.	[bug]		Silence clang static analyzer warnings. [RT #33365]

Evan Hunt's avatar
Evan Hunt committed
3
4
3566.	[func]		Log when forwarding updates to master. [RT #33240]

5
6
3564.	[bug]		Improved handling of corrupted map files. [RT #33380]

Evan Hunt's avatar
Evan Hunt committed
7
8
3563.	[contrib]	zone2sqlite failed with some table names. [RT #33375]

Evan Hunt's avatar
Evan Hunt committed
9
10
11
12
3562.	[func]		Update map file header format to include a SHA-1 hash
			of the database content, so that corrupted map files
			can be rejected at load time. [RT #32459]

13
14
15
3561.	[bug]		dig: issue a warning if an EDNS query returns FORMERR
			or NOTIMP.  Adjust usage message. [RT #33363]
			
Evan Hunt's avatar
Evan Hunt committed
16
3560.	[bug]		isc-config.sh did not honour includedir and libdir
17
18
			when set via configure. [RT #33345]

19
20
21
3559.	[func]		Check that both forms of Sender Policy Framework
			records exist or do not exist. [RT #33355]

22
23
3558.	[bug]		IXFR of a DLZ stored zone was broken. [RT #33331]

24
25
3557.	[bug]		Reloading redirect zones was broken. [RT #33292]

Evan Hunt's avatar
Evan Hunt committed
26
27
3556.	[maint]		Added AAAA for D.ROOT-SERVERS.NET.

28
29
30
3555.	[bug]		Address theoretical race conditions in acache.c
			(change #3553 was incomplete). [RT #33252]

Evan Hunt's avatar
Evan Hunt committed
31
32
33
34
3554.	[bug]		RRL failed to correctly rate-limit upward
			referrals and failed to count dropped error
			responses in the statistics. [RT #33225]

35
36
3553.	[bug]		Address suspected double free in acache. [RT #33252]

37
3552.	[bug]		Wrong getopt option string for 'nsupdate -r'.
38
			[RT #33280]
39

40
41
3551.	[bug]		resolver.querydscp[46] were uninitialized.  [RT #32686]

42
43
44
45
3550.	[func]		Unified the internal and export versions of the
			BIND libraries, allowing external clients to use
			the same libraries as BIND. [RT #33131]

Evan Hunt's avatar
Evan Hunt committed
46
47
48
3549.	[doc]		Documentation for "request-nsid" was missing.
			[RT #33153]

49
50
51
52
3548.	[bug]		The NSID request code in resolver.c was broken
			resulting in invalid EDNS options being sent.
			[RT #33153]

53
54
55
3547.	[bug]		Some malformed unknown rdata records were not properly
			detected and rejected. [RT #33129]

56
57
3546.	[func]		Add EUI48 and EUI64 types. [RT #33082]

Evan Hunt's avatar
Evan Hunt committed
58
59
60
3545.	[bug]		RRL slip behavior was incorrect when set to 1.
			[RT #33111]

Evan Hunt's avatar
Evan Hunt committed
61
62
63
64
3544.	[contrib]	check5011.pl: Script to report the status of
			managed keys as recorded in managed-keys.bind.
			Contributed by Tony Finch <dot@dotat.at>

65
3543.	[bug]		Update socket stucture before attaching to socket
Mark Andrews's avatar
typo    
Mark Andrews committed
66
			manager after accept. [RT #33084]
67

Mark Andrews's avatar
Mark Andrews committed
68
69
3542.	[placeholder]

Evan Hunt's avatar
Evan Hunt committed
70
71
3541.	[bug]		Parts of libdns were not properly initialized when
			built in libexport mode. [RT #33028]
72

Evan Hunt's avatar
Evan Hunt committed
73
3540.	[test]		libt_api: t_info and t_assert were not thread safe.
74

75
76
3539.	[port]		win32: timestamp format didn't match other platforms.

Evan Hunt's avatar
Evan Hunt committed
77
78
3538.	[test]		Running "make test" now requires loopback interfaces
			to be set up. [RT #32452]
79

80
81
82
83
3537.	[tuning]	Slave zones, when updated, now send NOTIFY messages
			to peers before being dumped to disk rather than
			after. [RT #27242]

Evan Hunt's avatar
Evan Hunt committed
84
85
86
87
88
89
90
91
92
3536.	[func]		Add support for setting Differentiated Services Code
			Point (DSCP) values in named.  Most configuration
			options which take a "port" option (e.g.,
			listen-on, forwarders, also-notify, masters,
			notify-source, etc) can now also take a "dscp"
			option specifying a code point for use with
			outgoing traffic, if supported by the underlying
			OS. [RT #27596]

93
94
3535.	[bug]		Minor win32 cleanups. [RT #32962]

95
96
97
3534.	[bug]		Extra text after an embedded NULL was ignored when
			parsing zone files. [RT #32699]

98
99
100
101
3533.	[contrib]	query-loc-0.4.0: memory leaks. [RT #32960]

3532.	[contrib]	zkt: fixed buffer overrun, resource leaks. [RT #32960]

102
103
104
3531.	[bug]		win32: A uninitialized value could be returned on out
			of memory. [RT #32960]

Evan Hunt's avatar
Evan Hunt committed
105
106
3530.	[contrib]	Better RTT tracking in queryperf. [RT #30128]

107
108
109
110
111
3529.	[func]		Named now listens on both IPv4 and IPv6 interfaces
			by default.  Named previously only listened on IPv4
			interfaces by default unless named was running in
			IPv6 only mode.  [RT #32945]

Evan Hunt's avatar
Evan Hunt committed
112
113
114
115
116
117
118
3528.	[func]		New "dnssec-coverage" command scans the timing
			metadata for a set of DNSSEC keys and reports if a
			lapse in signing coverage has been scheduled
			inadvertently. (Note: This tool depends on python;
			it will not be built or installed on systems that
			do not have a python interpreter.) [RT #28098]

119
120
121
122
3527.	[compat]	Add a URI to allow applications to explicitly
			request a particular XML schema from the statistics
			channel, returning 404 if not supported. [RT #32481]

123
124
125
3526.	[cleanup]	Set up dependencies for unit tests correctly during
			build. [RT #32803]

126
127
128
129
130
131
132
3525.	[func]		Support for additional signing algorithms in rndc:
			hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
			The -A option to rndc-confgen can be used to
			select the algorithm for the generated key.
			(The default is still hmac-md5; this may
			change in a future release.) [RT #20363]

133
134
3524.	[func]		Added an alternate statistics channel in JSON format,
			when the server is built with the json-c library:
Evan Hunt's avatar
Evan Hunt committed
135
			http://[address]:[port]/json. [RT #32630]
136

137
138
139
140
141
3523.	[contrib]	Ported filesystem and ldap DLZ drivers to
			dynamically-loadable modules, and added the
			"wildcard" module based on a contribution from
			Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569]

142
143
144
3522.	[bug]		DLZ lookups could fail to return SERVFAIL when
			they ought to. [RT #32685]

145
146
3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]

147
148
149
3520.	[bug]		'mctx' was not being referenced counted in some places
			where it should have been.  [RT #32794]

150
151
152
153
3519.	[func]		Full replay protection via four-way handshake is
			now mandatory for rndc clients. Very old versions
			of rndc will no longer work. [RT #32798]

154
155
156
157
158
3518.	[bug]		Increase the size of dns_rrl_key.s.rtype by one bit
			so that all dns_rrl_rtype_t enum values fit regardless
			of whether it is teated as signed or unsigned by
			the compiler. [RT #32792]

159
160
3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]

Evan Hunt's avatar
Evan Hunt committed
161
162
3516.	[placeholder]

163
164
3515.	[port]		'%T' is not portable in strftime(). [RT #32763]

Evan Hunt's avatar
Evan Hunt committed
165
166
167
168
169
170
3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
			rndc-confgen were too constrained. Keys up to 512
			bits are now allowed for most algorithms, and up
			to 1024 bits for hmac-sha384 and hmac-sha512.
			[RT #32753]

171
172
173
3513.	[func]		"dig -u" prints times in microseconds rather than
			milliseconds. [RT #32704]

Evan Hunt's avatar
Evan Hunt committed
174
175
176
3512.	[func]		"rndc validation check" reports the current status
			of DNSSEC validation. [RT #21397]

Evan Hunt's avatar
Evan Hunt committed
177
178
3511.	[doc]		Improve documentation of redirect zones. [RT #32756]

179
180
181
3510.	[func]		"rndc status" and XML statistics channel now report
			server start and reconfiguration times. [RT #21048]

182
183
184
185
3509.	[cleanup]	Added a product line to version file to allow for
			easy naming of different products (BIND
			vs BIND ESV, for example). [RT #32755]

186
187
188
3508.	[contrib]	queryperf was incorrectly rejecting the -T option.
			[RT #32338]

189
190
191
192
3507.	[bug]		Statistics channel XSL had a glitch when attempting
			to chart query data before any queries had been
			received. [RT #32620]

193
194
195
196
197
198
199
200
201
202
203
204
3506.	[func]		When setting "max-cache-size" and "max-acache-size",
			the keyword "unlimited" is no longer defined as equal
			to 4 gigabytes (except on 32-bit platforms); it
			means literally unlimited. [RT #32358]

3505.	[bug]		When setting "max-cache-size" and "max-acache-size",
			larger values than 4 gigabytes could not be set
			explicitly, though larger sizes were available
			when setting cache size to 0. This has been
			corrected; the full range is now available.
			[RT #32358]

Evan Hunt's avatar
Evan Hunt committed
205
206
207
208
3504.	[func]		Add support for ACLs based on geographic location,
			using MaxMind GeoIP databases. Based on code
			contributed by Ken Brownfield <kb@slide.com>.
			[RT #30681]
Mark Andrews's avatar
Mark Andrews committed
209

Evan Hunt's avatar
Evan Hunt committed
210
211
3503.	[doc]		Clarify size_spec syntax. [RT #32449]

212
213
214
3502.	[func]		zone-statistics: "no" is now a synonym for "none",
			instead of "terse". [RT #29165]

215
216
217
218
3501.	[func]		zone-statistics now takes three options: full,
			terse, and none. "yes" and "no" are retained as
			synonyms for full and terse, respectively. [RT #29165]

Evan Hunt's avatar
Evan Hunt committed
219
220
221
222
3500.	[security]	Support NAPTR regular expression validation on
			all platforms without using libregex, which
			can be vulnerable to memory exhaustion attack
			(CVE-2013-2266). [RT #32688]
223

Evan Hunt's avatar
Evan Hunt committed
224
225
226
3499.	[doc]		Corrected ARM documentation of built-in zones.
			[RT #32694]

227
228
229
230
3498.	[bug]		zone statistics for zones which matched a potential
			empty zone could have their zone-statistics setting
			overridden.

231
232
233
234
3497.	[func]		When deleting a slave/stub zone using 'rndc delzone'
			report the files that were being used so they can
			be cleaned up if desired. [RT #27899]

Evan Hunt's avatar
Evan Hunt committed
235
236
3496.	[placeholder]

237
3495.	[func]		Support multiple response-policy zones (up to 32),
Mark Andrews's avatar
Mark Andrews committed
238
			while improving RPZ performance.  "response-policy"
239
240
241
			syntax now includes a "min-ns-dots" clause, with
			default 1, to exclude top-level domains from
			NSIP and NSDNAME checking. --enable-rpz-nsip and
Mark Andrews's avatar
Mark Andrews committed
242
			--enable-rpz-nsdname are now the default. [RT #32251]
243

Evan Hunt's avatar
Evan Hunt committed
244
245
246
247
3494.	[func]		DNS RRL: Blunt the impact of DNS reflection and
			amplification attacks by rate-limiting substantially-
			identical responses. [RT #28130]

248
249
3493.	[contrib]	Added BDBHPT dynamically-lodable DLZ module,
			contributed by Mark Goldfinch. [RT #32549]
Mark Andrews's avatar
Mark Andrews committed
250

251
252
253
3492.	[bug]		Fixed a regression in zone loading performance
			due to lock contention. [RT #30399]

254
255
256
3491.	[bug]		Slave zones using inline-signing must specify a
			file name. [RT #31946]

257
3490.	[bug]		When logging RDATA during update, truncate if it's
Mark Andrews's avatar
Mark Andrews committed
258
			too long. [RT #32365]
259

260
261
262
263
264
3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
			dns_dlzcreate() failed to properly initialize
			dlzdb.link.  When cloning a rdataset do not copy
			the link contents.  [RT #32651]

265
266
3488.	[bug]		Use after free error with DH generated keys. [RT #32649]

267
268
3487.	[bug]		Change 3444 was not complete.  There was a additional
			place where the NOQNAME proof needed to be saved.
Mark Andrews's avatar
Mark Andrews committed
269
			[RT #32629]
270

Evan Hunt's avatar
Evan Hunt committed
271
272
273
3486.	[bug]		named could crash when using TKEY-negotiated keys
			that had been deleted and then recreated. [RT #32506]

274
275
3485.	[cleanup]	Only compile openssl_gostlink.c if we support GOST.

276
277
278
3484.	[bug]		Some statistics were incorrectly rendered in XML.
			[RT #32587]

Evan Hunt's avatar
Evan Hunt committed
279
280
3483.	[placeholder]

281
282
283
284
3482.	[func]		dig +nssearch now prints name servers that don't
			have address records (missing AAAA or A, or the name
			doesn't exist). [RT #29348]

285
286
3481.	[cleanup]	removed use of const const in atf

Evan Hunt's avatar
Evan Hunt committed
287
288
289
3480.	[bug]		Silence logging noise when setting up zone
			statistics. [RT #32525]

290
291
292
3479.	[bug]		Address potential memory leaks in gssapi support
			code. [RT #32405]

Evan Hunt's avatar
Evan Hunt committed
293
294
295
296
3478.	[port]		Fix a build failure in strict C99 environments
			[RT #32475]

3477.	[func]		Expand logging when adding records via DDNS update
Mark Andrews's avatar
Mark Andrews committed
297
298
			[RT #32365]

299
300
301
3476.	[bug]		"rndc zonestatus" could report a spurious "not
			found" error on inline-signing zones. [RT #29226]

Evan Hunt's avatar
Evan Hunt committed
302
303
3475.	[cleanup]	Changed name of 'map' zone file format (previously
			'fast'). [RT #32458]
304

305
306
307
3474.	[bug]		nsupdate could assert when the local and remote
			address families didn't match. [RT #22897]

Evan Hunt's avatar
Evan Hunt committed
308
309
310
311
3473.	[bug]		dnssec-signzone/verify could incorrectly report
			an error condition due to an empty node above an
			opt-out delegation lacking an NSEC3. [RT #32072]

312
313
314
3472.	[bug]		The active-connections counter in the socket
			statistics could underflow. [RT #31747]

315
316
317
318
3471.	[bug]		The number of UDP dispatches now defaults to
			the number of CPUs even if -n has been set to
			a higher value. [RT #30964]

319
320
321
3470.	[bug]		Slave zones could fail to dump when successfully
			refreshing after an initial failure. [RT #31276]

Evan Hunt's avatar
Evan Hunt committed
322
323
324
325
3469.	[bug]		Handle DLZ lookup failures more gracefully. Improve
			backward compatibility between versions of DLZ dlopen
			API. [RT #32275]

326
327
3468.	[security]	RPZ rules to generate A records (but not AAAA records)
			could trigger an assertion failure when used in
328
			conjunction with DNS64 (CVE-2012-5689). [RT #32141]
329
330
331

3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
			to check for delete date < inactive date. [RT #31719]
332

333
334
335
3466.	[contrib]	Corrected the DNS_CLIENTINFOMETHODS_VERSION check
			in DLZ example driver. [RT #32275]

336
337
3465.	[bug]		Handle isolated reserved ports. [RT #31778]

338
339
340
3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]

341
3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]
342
343
344
345

3462.	[doc]		Clarify server selection behavior of dig when using
			-4 or -6 options. [RT #32181]

346
347
348
3461.	[bug]		Negative responses could incorrectly have AD=1
			set. [RT #32237]

349
350
3460.	[bug]		Only link against readline where needed. [RT #29810]

351
352
353
3459.	[func]		Added -J option to named-checkzone/named-compilezone
			to specify the path to the journal file. [RT #30958]

354
355
356
3458.	[bug]		Return FORMERR when presented with a overly long
			domain named in a request. [RT #29682]

357
358
3457.	[protocol]	Add ILNP records (NID, LP, L32, L64). [RT #31836]

Evan Hunt's avatar
Evan Hunt committed
359
3456.	[port]		g++47: ATF failed to compile. [RT #32012]
360

361
362
3455.	[contrib]	queryperf: fix getopt option list. [RT #32338]

363
364
3454.	[port]		sparc64: improve atomic support. [RT #25182]

365
366
367
3453.	[bug]		'rndc addzone' of a zone with 'inline-signing yes;'
			failed. [RT #31960]

Mark Andrews's avatar
Mark Andrews committed
368
3452.	[bug]		Accept duplicate singleton records. [RT #32329]
369

370
371
372
3451.	[port]		Increase per thread stack size from 64K to 1M.
			[RT #32230]

373
374
375
3450.	[bug]		Stop logfileconfig system test spam system logs.
			[RT #32315]

376
377
378
379
3449.	[bug]		gen.c: use the pre-processor to construct format
			strings so that compiler can perform sanity checks;
			check the snprintf results. [RT #17576]

Evan Hunt's avatar
Evan Hunt committed
380
381
382
3448.	[bug]		The allow-query-on ACL was not processed correctly.
			[RT #29486]

383
384
3447.	[port]		Add support for libxml2-2.9.x [RT #32231]

385
386
387
3446.	[port]		win32: Add source ID (see change #3400) to build.
			[RT #31683]

388
389
3445.	[bug]		Warn about zone files with blank owner names
			immediately after $ORIGIN directives. [RT #31848]
390

391
3444.	[bug]		The NOQNAME proof was not being returned from cached
392
393
			insecure responses. [RT #21409]

394
395
396
3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
			rejected when generating keys. [RT #31927]

397
398
399
3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
			change. [RT #32216]

400
401
3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.

402
403
404
3440.	[bug]		Reorder get_key_struct to not trigger a assertion when
			cleaning up due to out of memory error. [RT #32131]

Mark Andrews's avatar
Mark Andrews committed
405
406
3439.	[placeholder]

407
408
3438.	[bug]		Don't accept unknown data escape in quotes. [RT #32031]

Mark Andrews's avatar
Mark Andrews committed
409
3437.	[bug]		isc_buffer_init -> isc_buffer_constinit to initialize
410
411
			buffers with constant data. [RT #32064]

412
413
3436.	[bug]		Check malloc/calloc return values. [RT #32088]

414
415
416
3435.	[bug]		Cross compilation support in configure was broken.
			[RT #32078]

417
418
419
420
421
422
3434.	[bug]		Pass client info to the DLZ findzone() entry
			point in addition to lookup().  This makes it
			possible for a database to answer differently
			whether it's authoritative for a name depending
			on the address of the client.  [RT #31775]

423
424
425
3433.	[bug]		dlz_findzone() did not correctly handle
			ISC_R_NOMORE. [RT #31172]

Evan Hunt's avatar
Evan Hunt committed
426
427
428
429
430
431
432
433
434
3432.	[func]		Multiple DLZ databases can now be configured.
			DLZ databases are searched in the order configured,
			unless set to "search no", in which case a
			zone can be configured to be retrieved from a
			particular DLZ database by using a "dlz <name>"
			option in the zone statement.  DLZ databases can
			support type "master" and "redirect" zones.
			[RT #27597]

435
436
437
3431.	[bug]		ddns-confgen: Some valid key algorithms were
			not accepted. [RT #31927]

438
439
440
3430.	[bug]		win32: isc_time_formatISO8601 was missing the
			'T' between the date and time. [RT #32044]

441
442
443
3429.	[bug]		dns_zone_getserial2 could a return success without
			returning a valid serial. [RT #32007]

Evan Hunt's avatar
Evan Hunt committed
444
445
3428.	[cleanup]	dig: Add timezone to date output. [RT #2269]

Mark Andrews's avatar
Mark Andrews committed
446
3427.	[bug]		dig +trace incorrectly displayed name server
Evan Hunt's avatar
Evan Hunt committed
447
448
			addresses instead of names. [RT #31641]

449
450
451
3426.	[bug]		dnssec-checkds: Clearer output when records are not
			found. [RT #31968]

452
453
454
3425.	[bug]		"acacheentry" reference counting was broken resulting
			in use after free. [RT #31908]

455
456
457
3424.	[func]		dnssec-dsfromkey now emits the hash without spaces.
			[RT #31951]

458
459
460
461
3423.	[bug]		"rndc signing -nsec3param" didn't accept the full
			range of possible values.  Address portability issues.
			[RT #31938]

Mark Andrews's avatar
Mark Andrews committed
462
3422.	[bug]		Added a clear error message for when the SOA does not
463
464
			match the referral. [RT #31281]

465
466
467
3421.	[bug]		Named loops when re-signing if all keys are offline.
			[RT #31916]

468
469
3420.	[bug]		Address VPATH compilation issues. [RT #31879]

470
471
3419.	[bug]		Memory leak on validation cancel. [RT #31869]

Mark Andrews's avatar
Mark Andrews committed
472
473
474
475
476
477
3418.	[func]		New XML schema (version 3.0) for the statistics channel
			adds query type statistics at the zone level, and
			flattens the XML tree and uses compressed format to
			optimize parsing. Includes new XSL that permits
			charting via the Google Charts API on browsers that
			support javascript in XSL.  The old XML schema has been
478
479
			deprecated. [RT #30023]

Mark Andrews's avatar
Mark Andrews committed
480
3417.	[placeholder]
481

482
483
484
3416.	[bug]		Named could die on shutdown if running with 128 UDP
			dispatches per interface. [RT #31743]

Mark Andrews's avatar
Mark Andrews committed
485
3415.	[bug]		named could die with a REQUIRE failure if a valdation
486
487
			was canceled. [RT #31804]

488
489
3414.	[bug]		Address locking issues found by Coverity. [RT #31626]

490
491
492
3413.	[func]		Record the number of DNS64 AAAA RRsets that have been
			synthesized. [RT #27636]

493
494
495
3412.	[bug]		Copy timeval structure from control message data.
			[RT #31548]

496
497
498
3411.	[tuning]	Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
			to UDP. [RT #31690]

499
500
3410.	[bug]		Addressed Coverity warnings. [RT #31626]

Evan Hunt's avatar
Evan Hunt committed
501
502
503
504
505
3409.	[contrib]	contrib/dane/mkdane.sh: Tool to generate TLSA RR's
			from X.509 certificates, for use with DANE
			(DNS-based Authentication of Named Entities).
			[RT #30513]

506
507
508
509
510
3408.	[bug]		Some DNSSEC-related options (update-check-ksk,
			dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
			are now legal in slave zones as long as
			inline-signing is in use. [RT #31078]

Mark Andrews's avatar
Mark Andrews committed
511
512
3407.	[placeholder]

513
514
3406.	[bug]		mem.c: Fix compilation errors when building with
			ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
Mark Andrews's avatar
Mark Andrews committed
515
			Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
516

517
518
3405.	[bug]		Handle time going backwards in acache. [RT #31253]

519
3404.	[bug]		dnssec-signzone: When re-signing a zone, remove
Mark Andrews's avatar
Mark Andrews committed
520
			RRSIG and NSEC records from nodes that used to be
521
522
			in-zone but are now below a zone cut. [RT #31556]

Evan Hunt's avatar
Evan Hunt committed
523
524
3403.	[bug]		Silence noisy OpenSSL logging. [RT #31497]

Evan Hunt's avatar
Evan Hunt committed
525
3402.	[test]		The IPv6 interface numbers used for system
Mark Andrews's avatar
Mark Andrews committed
526
			tests were incorrect on some platforms. [RT #25085]
Curtis Blackburn's avatar
Curtis Blackburn committed
527

Evan Hunt's avatar
Evan Hunt committed
528
529
3401.	[bug]		Addressed Coverity warnings. [RT #31484]

Evan Hunt's avatar
Evan Hunt committed
530
531
532
533
3400.	[cleanup]	"named -V" can now report a source ID string, defined
			in the "srcid" file in the build tree and normally set
			to the most recent git hash.  [RT #31494]

534
535
536
3399.	[port]		netbsd: rename 'bool' parameter to avoid namespace
			clash.  [RT #31515]

537
538
539
540
3398.	[bug]		SOA parameters were not being updated with inline
			signed zones if the zone was modified while the
			server was offline. [RT #29272]

541
3397.	[bug]		dig crashed when using +nssearch with +tcp. [RT #25298]
Mark Andrews's avatar
Mark Andrews committed
542

543
544
545
3396.	[bug]		OPT records were incorrectly removed from signed,
			truncated responses. [RT #31439]

546
547
548
549
3395.	[protocol]	Add RFC 6598 reverse zones to built in empty zones
			list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
			[RT #31336]

Mark Andrews's avatar
Mark Andrews committed
550
3394.	[bug]		Adjust 'successfully validated after lower casing
551
552
			signer' log level and category. [RT #31414]

553
554
555
3393.	[bug]		'host -C' could core dump if REFUSED was received.
			[RT #31381]

556
557
3392.	[func]		Keep statistics on REFUSED responses. [RT #31412]

Mark Andrews's avatar
Mark Andrews committed
558
559
3391.	[bug]		A DNSKEY lookup that encountered a CNAME failed.
			[RT #31262]
560

561
562
3390.	[bug]		Silence clang compiler warnings. [RT #30417]

563
564
3389.	[bug]		Always return NOERROR (not 0) in TSIG. [RT #31275]

565
566
567
568
569
570
3388.	[bug]		Fixed several Coverity warnings.
			Note: This change includes a fix for a bug that
			was subsequently determined to be an exploitable
			security vulnerability, CVE-2012-5688: named could
			die on specific queries with dns64 enabled.
			[RT #30996]
Evan Hunt's avatar
Evan Hunt committed
571

572
573
3387.	[func]		DS digest can be disabled at runtime with
			disable-ds-digests. [RT #21581]
574

575
576
577
3386.	[bug]		Address locking violation when generating new NSEC /
			NSEC3 chains. [RT #31224]

578
579
580
3385.	[bug]		named-checkconf didn't detect missing master lists
			in also-notify clauses. [RT #30810]

Evan Hunt's avatar
Evan Hunt committed
581
582
3384.	[bug]		Improved logging of crypto errors. [RT #30963]

Evan Hunt's avatar
typo    
Evan Hunt committed
583
3383.	[security]	A certain combination of records in the RBT could
Mark Andrews's avatar
Mark Andrews committed
584
585
			cause named to hang while populating the additional
			section of a response. [RT #31090]
Evan Hunt's avatar
Evan Hunt committed
586

Evan Hunt's avatar
Evan Hunt committed
587
588
589
590
3382.	[bug]		SOA query from slave used use-v6-udp-ports range,
			if set, regardless of the address family in use.
			[RT #24173]

Evan Hunt's avatar
Evan Hunt committed
591
592
593
3381.	[contrib]	Update queryperf to support more RR types.
			[RT #30762]

594
595
596
3380.	[bug]		named could die if a non-existant master list was
			referenced in a also-notify. [RT #31004]

597
598
599
3379.	[bug]		isc_interval_zero and isc_time_epoch should be
			"const (type)* const". [RT #31069]

600
601
602
3378.	[bug]		Handle missing 'managed-keys-directory' better.
			[RT #30625]

Evan Hunt's avatar
Evan Hunt committed
603
604
605
3377.	[bug]		Removed spurious newline from NSEC3 multiline
			output. [RT #31044]

606
607
608
3376.	[bug]		Lack of EDNS support was being recorded without a
			successful response. [RT #30811]

609
610
3375.	[bug]		'rndc dumpdb' failed on empty caches. [RT #30808]

Mark Andrews's avatar
Mark Andrews committed
611
612
3374.	[bug]		isc_parse_uint32 failed to return a range error on
			systems with 64 bit longs. [RT #30232]
613

Mark Andrews's avatar
Mark Andrews committed
614
3373.	[bug]		win32: open raw files in binary mode. [RT #30944]
615

616
617
618
3372.	[bug]		Silence spurious "deleted from unreachable cache"
			messages.  [RT #30501]

619
620
621
622
3371.	[bug]		AD=1 should behave like DO=1 when deciding whether to
			add NS RRsets to the additional section or not.
			[RT #30479]

623
624
625
3370.	[bug]		Address use after free while shutting down. [RT #30241]

3369.	[bug]		nsupdate terminated unexpectedly in interactive mode
626
627
			if built with readline support. [RT #29550]

628
3368.	[bug]		<dns/iptable.h>, <dns/private.h> and <dns/zone.h>
Evan Hunt's avatar
Evan Hunt committed
629
			were not C++ safe.
630

631
632
633
3367.	[bug]		dns_dnsseckey_create() result was not being checked.
			[RT #30685]

Mark Andrews's avatar
Mark Andrews committed
634
3366.	[bug]		Fixed Read-After-Write dependency violation for IA64
635
636
			atomic operations. [RT #25181]

637
638
639
3365.	[bug]		Removed spurious newlines from log messages in
			zone.c [RT #30675]

640
641
642
3364.	[security]	Named could die on specially crafted record.
			[RT #30416]

643
644
645
646
3363.	[bug]		Need to allow "forward" and "fowarders" options
			in static-stub zones; this had been overlooked.
			[RT #30482]

647
648
649
650
3362.	[bug]		Setting some option values to 0 in named.conf
			could trigger an assertion failure on startup.
			[RT #27730]

651
652
3361.	[bug]		"rndc signing -nsec3param" didn't work correctly
			when salt was set to '-' (no salt). [RT #30099]
Mark Andrews's avatar
Mark Andrews committed
653

654
655
3360.	[bug]		'host -w' could die.  [RT #18723]

656
3359.	[bug]		An improperly-formed TSIG secret could cause a
Mark Andrews's avatar
Mark Andrews committed
657
			memory leak. [RT #30607]
658

Mark Andrews's avatar
Mark Andrews committed
659
660
3358.	[placeholder]

661
662
3357.	[port]		Add support for libxml2-2.8.x [RT #30440]

Mark Andrews's avatar
Mark Andrews committed
663
3356.	[bug]		Cap the TTL of signed RRsets when RRSIGs are
664
665
666
			approaching their expiry, so they don't remain
			in caches after expiry. [RT #26429]

667
668
3355.	[port]		Use more portable awk in verify system test.

669
670
3354.	[func]		Improve OpenSSL error logging. [RT #29932]

671
672
673
3353.	[bug]		Use a single task for task exclusive operations.
			[RT #29872]

674
675
676
3352.	[bug]		Ensure that learned server attributes timeout of the
			adb cache. [RT #29856]

677
678
679
680
3351.	[bug]		isc_mem_put and isc_mem_putanddetach didn't report
			caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
			memory debugging flags are set. [RT #30243]

681
682
683
684
3350.	[bug]		Memory read overrun in isc___mem_reallocate if
			ISC_MEM_DEBUGCTX memory debugging flag is set.
			[RT #30240]

Mark Andrews's avatar
Mark Andrews committed
685
686
3349.	[bug]		Change #3345 was incomplete. [RT #30233]

Mark Andrews's avatar
Mark Andrews committed
687
688
689
690
3348.	[bug]		Prevent RRSIG data from being cached if a negative
			record matching the covering type exists at a higher
			trust level. Such data already can't be retrieved from
			the cache since change 3218 -- this prevents it
Mark Andrews's avatar
Mark Andrews committed
691
			being inserted into the cache as well. [RT #26809]
Mark Andrews's avatar
Mark Andrews committed
692
693
694

3347.	[bug]		dnssec-settime: Issue a warning when writing a new
			private key file would cause a change in the
Evan Hunt's avatar
Evan Hunt committed
695
			permissions of the existing file. [RT #27724]
Curtis Blackburn's avatar
Curtis Blackburn committed
696

Evan Hunt's avatar
Evan Hunt committed
697
698
699
3346.	[security]	Bad-cache data could be used before it was
			initialized, causing an assert. [RT #30025]

700
701
702
703
3345.	[bug]		Addressed race condition when removing the last item
			or inserting the first item in an ISC_QUEUE.
			[RT #29539]

Mark Andrews's avatar
Mark Andrews committed
704
705
706
707
708
709
710
711
712
3344.	[func]		New "dnssec-checkds" command checks a zone to
			determine which DS records should be published
			in the parent zone, or which DLV records should be
			published in a DLV zone, and queries the DNS to
			ensure that it exists. (Note: This tool depends
			on python; it will not be built or installed on
			systems that do not have a python interpreter.)
			[RT #28099]

Mark Andrews's avatar
Mark Andrews committed
713
714
3343.	[placeholder]

715
716
717
718
3342.	[bug]		Change #3314 broke saving of stub zones to disk
			resulting in excessive cpu usage in some cases.
			[RT #29952]

719
720
721
722
3341.	[func]		New "dnssec-verify" command checks a signed zone
			to ensure correctness of signatures and of NSEC/NSEC3
			chains. [RT #23673]

Evan Hunt's avatar
Evan Hunt committed
723
3340.	[func]		Added new 'map' zone file format, which is an image
Mark Andrews's avatar
Mark Andrews committed
724
725
726
727
			of a zone database that can be loaded directly into
			memory via mmap(), allowing much faster zone loading.
			(Note: Because of pointer sizes and other
			considerations, this file format is platform-dependent;
Evan Hunt's avatar
Evan Hunt committed
728
			'map' zone files cannot always be transferred from one
Curtis Blackburn's avatar
Curtis Blackburn committed
729
730
			server to another.) [RT #25419]

731
732
733
3339.	[func]		Allow the maximum supported rsa exponent size to be
			specified: "max-rsa-exponent-size <value>;" [RT #29228]

734
735
736
3338.	[bug]		Address race condition in units tests: asyncload_zone
			and asyncload_zt. [RT #26100]

737
738
739
3337.	[bug]		Change #3294 broke support for the multiple keys
			in controls. [RT #29694]

740
741
742
3336.	[func]		Maintain statistics for RRsets tagged as "stale".
			[RT #29514]

743
744
745
3335.	[func]		nslookup: return a nonzero exit code when unable
			to get an answer. [RT #29492]

746
3334.	[bug]		Hold a zone table reference while performing a
Mark Andrews's avatar
Mark Andrews committed
747
			asynchronous load of a zone. [RT #28326]
748

749
3333.	[bug]		Setting resolver-query-timeout too low can cause
Mark Andrews's avatar
Mark Andrews committed
750
			named to not recover if it loses connectivity.
751
752
			[RT #29623]

Mark Andrews's avatar
add #    
Mark Andrews committed
753
3332.	[bug]		Re-use cached DS rrsets if possible. [RT #29446]
754

Mark Andrews's avatar
Mark Andrews committed
755
3331.	[security]	dns_rdataslab_fromrdataset could produce bad
756
			rdataslabs. [RT #29644]
Mark Andrews's avatar
Mark Andrews committed
757

Vernon Schryver's avatar
Vernon Schryver committed
758
3330.	[func]		Fix missing signatures on NOERROR results despite
Mark Andrews's avatar
Mark Andrews committed
759
			RPZ rewriting.  Also
Vernon Schryver's avatar
Vernon Schryver committed
760
761
762
763
764
765
766
767
768
769
770
771
772
			 - add optional "recursive-only yes|no" to the
			   response-policy statement
			 - add optional "max-policy-ttl" to the response-policy
			    statement to limit the false data that
			    "recursive-only no" can introduce into
			    resolvers' caches
			 - add a RPZ performance test to bin/tests/system/rpz
			     when queryperf is available.
			 - the encoding of PASSTHRU action to "rpz-passthru".
			     (The old encoding is still accepted.)
		       [RT #26172]


773
774
775
776
777
778
3329.	[bug]		Handle RRSIG signer-name case consistently: We
			generate RRSIG records with the signer-name in
			lower case.  We accept them with any case, but if
			they fail to validate, we try again in lower case.
			[RT #27451]

Mark Andrews's avatar
Mark Andrews committed
779
780
3328.	[bug]		Fixed inconsistent data checking in dst_parse.c.
			[RT #29401]
Evan Hunt's avatar
Evan Hunt committed
781

Evan Hunt's avatar
Evan Hunt committed
782
783
784
785
786
3327.	[func]		Added 'filter-aaaa-on-v6' option; this is similar
			to 'filter-aaaa-on-v4' but applies to IPv6
			connections.  (Use "configure --enable-filter-aaaa"
			to enable this option.)  [RT #27308]

787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
3326.	[func]		Added task list statistics: task model, worker
			threads, quantum, tasks running, tasks ready.
			[RT #27678]

3325.	[func]		Report cache statistics: memory use, number of
			nodes, number of hash buckets, hit and miss counts.
			[RT #27056]

3324.	[test]		Add better tests for ADB stats [RT #27057]

3323.	[func]		Report the number of buckets the resolver is using.
			[RT #27020]

3322.	[func]		Monitor the number of active TCP and UDP dispatches.
			[RT #27055]

3321.	[func]		Monitor the number of recursive fetches and the
			number of open sockets, and report these values in
			the statistics channel. [RT #27054]

3320.	[func]		Added support for monitoring of recursing client
			count. [RT #27009]

3319.	[func]		Added support for monitoring of ADB entry count and
			hash size. [RT #27057]

813
3318.	[tuning]	Reduce the amount of work performed while holding a
Mark Andrews's avatar
Mark Andrews committed
814
			bucket lock when finished with a fetch context.
815
816
			[RT #29239]

Mark Andrews's avatar
Mark Andrews committed
817
3317.	[func]		Add ECDSA support (RFC 6605). [RT #21918]
818

819
820
821
3316.	[tuning]	Improved locking performance when recursing.
			[RT #28836]

822
823
824
825
826
3315.	[tuning]	Use multiple dispatch objects for sending upstream
			queries; this can improve performance on busy
			multiprocessor systems by reducing lock contention.
			[RT #28605]

827
828
829
3314.	[bug]		The masters list could be updated while refesh_callback
			and stub_callback were using it. [RT #26732]

830
831
3313.	[protocol]	Add TLSA record type. [RT #28989]

832
833
834
3312.	[bug]		named-checkconf didn't detect a bad dns64 clients acl.
			[RT #27631]

835
836
837
3311.	[bug]		Abort the zone dump if zone->db is NULL in
			zone.c:zone_gotwritehandle. [RT #29028]

838
839
3310.	[test]		Increase table size for mutex profiling. [RT #28809]

Mark Andrews's avatar
Mark Andrews committed
840
3309.	[bug]		resolver.c:fctx_finddone() was not thread safe.
841
842
			[RT #27995]

Mark Andrews's avatar
Mark Andrews committed
843
844
3308.	[placeholder]

845
846
3307.	[bug]		Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
			[RT #28956]
847

848
849
850
851
3306.	[bug]		Improve DNS64 reverse zone performance. [RT #28563]

3305.	[func]		Add wire format lookup method to sdb. [RT #28563]

852
853
3304.	[bug]		Use hmctx, not mctx when freeing rbtdb->heaps.
			[RT #28571]
854

855
856
3303.	[bug]		named could die when reloading. [RT #28606]

857
858
859
860
3302.	[bug]		dns_dnssec_findmatchingkeys could fail to find
			keys if the zone name contained character that
			required special mappings. [RT #28600]

861
862
863
3301.	[contrib]	Update queryperf to build on darwin.  Add -R flag
			for non-recursive queries. [RT #28565]

864
865
866
3300.	[bug]		Named could die if gssapi was enabled in named.conf
			but was not compiled in. [RT #28338]

867
868
869
3299.	[bug]		Make SDB handle errors from database drivers better.
			[RT #28534]

870
871
872
873
3298.	[bug]		Named could dereference a NULL pointer in
			zmgr_start_xfrin_ifquota if the zone was being removed.
			[RT #28419]

874
875
3297.	[bug]		Named could die on a malformed master file. [RT #28467]

876
877
878
3296.	[bug]		Named could die with a INSIST failure in
			client.c:exit_check. [RT #28346]

879
880
881
3295.	[bug]		Adjust isc_time_secondsastimet range check to be more
			portable. [RT # 26542]

882
883
884
3294.	[bug]		isccc/cc.c:table_fromwire failed to free alist on
			error. [RT #28265]

885
886
3293.	[func]		nsupdate: list supported type. [RT #28261]

887
888
889
3292.	[func]		Log messages in the axfr stream at debug 10.
			[RT #28040]

890
891
892
3291.	[port]		Fixed a build error on systems without ENOTSUP.
			[RT #28200]

893
894
3290.	[bug]		<isc/hmacsha.h> was not being installed. [RT #28169]

895
896
3289.	[bug]		'rndc retransfer' failed for inline zones. [RT #28036]

897
898
899
3288.	[bug]		dlz_destroy() function wasn't correctly registered
			by the DLZ dlopen driver. [RT #28056]

900
901
3287.	[port]		Update ans.pl to work with Net::DNS 0.68. [RT #28028]

902
903
904
3286.	[bug]		Managed key maintenance timer could fail to start
			after 'rndc reconfig'. [RT #26786]

905
906
907
908
3285.	[bug]		val-frdataset was incorrectly disassociated in
			proveunsecure after calling startfinddlvsep.
			[RT #27928]

909
910
911
3284.	[bug]		Address race conditions with the handling of
			rbtnode.deadlink. [RT #27738]

912
913
914
3283.	[bug]		Raw zones with with more than 512 records in a RRset
			failed to load. [RT #27863]

915
3282.	[bug]		Restrict the TTL of NS RRset to no more than that
Mark Andrews's avatar
extend:    
Mark Andrews committed
916
917
			of the old NS RRset when replacing it.
			[RT #27792] [RT #27884]
918

919
920
921
922
3281.	[bug]		SOA refresh queries could be treated as cancelled
			despite succeeding over the loopback interface.
			[RT #27782]

923
924
925
3280.	[bug]		Potential double free of a rdataset on out of memory
			with DNS64. [RT #27762]

Mark Andrews's avatar
Mark Andrews committed
926
3279.	[bug]		Hold a internal reference to the zone while performing
927
928
929
			a asynchronous load.  Address potential memory leak
			if the asynchronous is cancelled. [RT #27750]

Mark Andrews's avatar
Mark Andrews committed
930
3278.	[bug]		Make sure automatic key maintenance is started
931
932
933
			when "auto-dnssec maintain" is turned on during
			"rndc reconfig". [RT #26805]

Mark Andrews's avatar
Mark Andrews committed
934
3277.	[bug]		win32: isc_socket_dup is not implemented. [RT #27696]
935
936
937
938

3276.	[bug]		win32: ns_os_openfile failed to return NULL on
			safe_open failure. [RT #27696]

939
3275.	[bug]		Corrected rndc -h output; the 'rndc sync -clean'
940
			option had been misspelled as '-clear'.  (To avoid
941
942
			future confusion, both options now work.) [RT #27173]

Mark Andrews's avatar
Mark Andrews committed
943
3274.	[placeholder]
Mark Andrews's avatar
Mark Andrews committed
944

Mark Andrews's avatar
Mark Andrews committed
945
946
947
3273.	[bug]		AAAA responses could be returned in the additional
			section even when filter-aaaa-on-v4 was in use.
			[RT #27292]
948
949
950
951

3272.	[func]		New "rndc zonestatus" command prints information
			about the specified zone. [RT #21671]

952
953
954
955
3271.	[port]		darwin: mksymtbl is not always stable, loop several
			times before giving up.  mksymtbl was using non
			portable perl to covert 64 bit hex strings. [RT #27653]

Evan Hunt's avatar
Evan Hunt committed
956
	--- 9.9.0rc2 released ---
Evan Hunt's avatar
Evan Hunt committed
957

958
959
960
3270.	[bug]		"rndc reload" didn't reuse existing zones correctly
			when inline-signing was in use. [RT #27650]

961
962
3269.	[port]		darwin 11 and later now built threaded by default.

963
964
965
3268.	[bug]		Convert RRSIG expiry times to 64 timestamps to work
			out the earliest expiry time. [RT #23311]

966
967
968
969
3267.	[bug]		Memory allocation failures could be mis-reported as
			unexpected error.  New ISC_R_UNSET result code.
			[RT #27336]

970
971
972
973
3266.	[bug]		The maximum number of NSEC3 iterations for a
			DNSKEY RRset was not being properly computed.
			[RT #26543]

Evan Hunt's avatar
Evan Hunt committed
974
975
3265.	[bug]		Corrected a problem with lock ordering in the
			inline-signing code. [RT #27557]
976

977
978
979
980
981
982
983
3264.	[bug]		Automatic regeneration of signatures in an
			inline-signing zone could stall when the server
			was restarted. [RT #27344]

3263.	[bug]		"rndc sync" did not affect the unsigned side of an
			inline-signing zone. [RT #27337]

984
985
986
3262.	[bug]		Signed responses were handled incorrectly by RPZ.
			[RT #27316]

987
988
3261.	[func]		RRset ordering now defaults to random. [RT #27174]

989
990
3260.	[bug]		"rrset-order cyclic" could appear not to rotate
			for some query patterns.  [RT #27170/27185]
991

Evan Hunt's avatar
Evan Hunt committed
992
993
	--- 9.9.0rc1 released ---

994
995
996
3259.	[bug]		named-compilezone: Suppress "dump zone to <file>"
			message when writing to stdout. [RT #27109]

997
998
999
3258.	[test]		Add "forcing full sign with unreadable keys" test.
			[RT #27153]

1000
1001
1002
3257.	[bug]		Do not generate a error message when calling fsync()
			in a pipe or socket. [RT #27109]

1003
1004
1005
1006
1007
1008
3256.	[bug]		Disable empty zones for lwresd -C. [RT #27139]

3255.	[func]		No longer require that a empty zones be explicitly
			enabled or that a empty zone is disabled for
			RFC 1918 empty zones to be configured. [RT #27139]

1009
1010
1011
3254.	[bug]		Set isc_socket_ipv6only() on the IPv6 control channels.
			[RT #22249]

1012
1013
1014
3253.	[bug]		Return DNS_R_SYNTAX when the input to a text field is
			too long. [RT #26956]

1015
1016
1017
1018
1019
3252.	[bug]		When master zones using inline-signing were
			updated while the server was offline, the source
			zone could fall out of sync with the signed
			copy. They can now resynchronize. [RT #26676]

1020
1021
1022
1023
1024
3251.	[bug]		Enforce a upper bound (65535 bytes) on the amount of
			memory dns_sdlz_putrr() can allocate per record to
			prevent run away memory consumption on ISC_R_NOSPACE.
			[RT #26956]

1025
1026
1027
1028
3250.	[func]		'configure --enable-developer'; turn on various
			configure options, normally off by default, that
			we want developers to build and test with. [RT #27103]

1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
3249.	[bug]		Update log message when saving slave zones files for
			analysis after load failures. [RT #27087]

3248.	[bug]		Configure options --enable-fixed-rrset and
			--enable-exportlib were incompatible with each
			other. [RT #27087]

3247.	[bug]		'raw' format zones failed to preserve load order
			breaking 'fixed' sort order. [RT #27087]

3246.	[bug]		Named failed to start with a empty also-notify list.
			[RT #27087]

1042
1043
1044
1045
3245.	[bug]		Don't report a error unchanged serials unless there
			were other changes when thawing a zone with
			ixfr-fromdifferences. [RT #26845]

1046
3244.	[func]		Added readline support to nslookup and nsupdate.
Mark Andrews's avatar
Mark Andrews committed
1047
			Also simplified nsupdate syntax to make "update"
1048
1049
			and "prereq" optional. [RT #24659]

1050
1051
1052
3243.	[port]		freebsd,netbsd,bsdi: the thread defaults were not
			being properly set.

Mark Andrews's avatar
Mark Andrews committed
1053
3242.	[func]		Extended the header of raw-format master files to
1054
1055
1056
1057
1058
1059
			include the serial number of the zone from which
			they were generated, if different (as in the case
			of inline-signing zones).  This is to be used in
			inline-signing zones, to track changes between the
			unsigned and signed versions of the zone, which may
			have different serial numbers.
Mark Andrews's avatar
Mark Andrews committed
1060

1061
			(Note: raw zonefiles generated by this version of
Mark Andrews's avatar
Mark Andrews committed
1062
			BIND are no longer compatible with prior versions.
1063
1064
1065
1066
1067
			To generate a backward-compatible raw zonefile
			using dnssec-signzone or named-compilezone, specify
			output format "raw=0" instead of simply "raw".)
			[RT #26587]

1068
1069
1070
3241.	[bug]		Address race conditions in the resolver code.
			[RT #26889]

1071
1072
3240.	[bug]		DNSKEY state change events could be missed. [RT #26874]

1073
1074
1075
1076
3239.	[bug]		dns_dnssec_findmatchingkeys needs to use a consistent
			timestamp. [RT #26883]

3238.	[bug]		keyrdata was not being reinitialized in
1077
1078
			lib/dns/rbtdb.c:iszonesecure. [RT#26913]

1079
1080
3237.	[bug]		dig -6 didn't work with +trace. [RT #26906]

Evan Hunt's avatar
Evan Hunt committed
1081
1082
1083
3236.	[bug]		Backed out changes #3182 and #3202, related to
			EDNS(0) fallback behavior. [RT #26416]

1084
1085
1086
1087
3235.	[func]		dns_db_diffx, a extended dns_db_diff which returns
			the generated diff and optionally writes it to a
			journal. [RT #26386]

1088
1089
3234.	[bug]		'make depend' produced invalid makefiles. [RT #26830]

1090
1091
1092
3233.	[bug]		'rndc freeze/thaw' didn't work for inline zones.
			[RT #26632]

1093
1094
1095
3232.	[bug]		Zero zone->curmaster before return in
			dns_zone_setmasterswithkeys(). [RT #26732]

Mark Andrews's avatar
Mark Andrews committed
1096
3231.	[bug]		named could fail to send a incompressible zone.
1097
1098
			[RT #26796]

Mark Andrews's avatar
[ -> ]    
Mark Andrews committed
1099
3230.	[bug]		'dig axfr' failed to properly handle a multi-message
1100
1101
			axfr with a serial of 0. [RT #26796]

1102
1103
1104
3229.	[bug]		Fix local variable to struct var assignment
			found by CLANG warning.

Mark Andrews's avatar
Mark Andrews committed
1105
1106
3228.	[tuning]	Dynamically grow symbol table to improve zone
			loading performance. [RT #26523]
1107

1108
1109
1110
3227.	[bug]		Interim fix to make WKS's use of getprotobyname()
			and getservbyname() self thread safe. [RT #26232]

1111
1112
3226.	[bug]		Address minor resource leakages. [RT #26624]

1113
1114
1115
3225.	[bug]		Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
			messages. [RT #26507]

1116
1117
3224.	[bug]		'rndc signing' argument parsing was broken. [RT #26684]

1118
1119
1120
3223.	[bug]		'task_test privilege_drop' generated false positives.
			[RT #26766]

1121
1122
1123
3222.	[cleanup]	Replace dns_journal_{get,set}_bitws with
			dns_journal_{get,set}_sourceserial. [RT #26634]

Mark Andrews's avatar
Mark Andrews committed
1124
3221.	[bug]		Fixed a potential core dump on shutdown due to
1125
1126
1127
			referencing fetch context after it's been freed.
			[RT #26720]

Mark Andrews's avatar
Mark Andrews committed
1128
1129
	--- 9.9.0b2 released ---

1130
3220.	[bug]		Change #3186 was incomplete; dns_db_rpz_findips()
Mark Andrews's avatar
Mark Andrews committed
1131
1132
			could fail to set the database version correctly,
			causing an assertion failure. [RT #26180]
1133

Mark Andrews's avatar
Mark Andrews committed
1134
1135
3219.	[bug]		Disable NOEDNS caching following a timeout.

1136
1137
1138
1139
3218.	[security]	Cache lookup could return RRSIG data associated with
			nonexistent records, leading to an assertion
			failure. [RT #26590]

1140
1141
1142
3217.	[cleanup]	Fix build problem with --disable-static. [RT #26476]

3216.	[bug]		resolver.c:validated() was not thread-safe. [RT #26478]
1143

1144
1145
3215.	[bug]		'rndc recursing' could cause a core dump. [RT #26495]

1146
1147
3214.	[func]		Add 'named -U' option to set the number of UDP
			listener threads per interface. [RT #26485]
Mark Andrews's avatar
Mark Andrews committed
1148

1149
1150
3213.	[doc]		Clarify ixfr-from-differences behavior. [RT #25188]

Mark Andrews's avatar
Mark Andrews committed
1151
1152
1153
3212.	[bug]		rbtdb.c: failed to remove a node from the deadnodes
			list prior to adding a reference to it leading a
			possible assertion failure. [RT #23219]
1154

1155
1156
1157
1158
3211.	[func]		dnssec-signzone: "-f -" prints to stdout; "-O full"
			option prints in single-line-per-record format.
			[RT #20287]

1159
1160
1161
3210.	[bug]		Canceling the oldest query due to recursive-client
			overload could trigger an assertion failure. [RT #26463]

1162
3209.	[func]		Add "dnssec-lookaside 'no'".  [RT #24858]
1163

Mark Andrews's avatar
Mark Andrews committed
1164
3208.	[bug]		'dig -y' handle unknown tsig algorithm better.
1165
1166
			[RT #25522]

1167
1168
3207.	[contrib]	Fixed build error in Berkeley DB DLZ module. [RT #26444]

1169
1170
3206.	[cleanup]	Add ISC information to log at start time. [RT #25484]

1171
3205.	[func]		Upgrade dig's defaults to better reflect modern
Mark Andrews's avatar
Mark Andrews committed
1172
			nameserver behavior.  Enable "dig +adflag" and
1173
1174
1175
			"dig +edns=0" by default.  Enable "+dnssec" when
			running "dig +trace". [RT #23497]

1176
3204.	[bug]		When a master server that has been marked as
Evan Hunt's avatar
typo    
Evan Hunt committed
1177
			unreachable sends a NOTIFY, mark it reachable
1178
1179
			again. [RT #25960]

1180
1181
1182
3203.	[bug]		Increase log level to 'info' for validation failures
			from expired or not-yet-valid RRSIGs. [RT #21796]

Mark Andrews's avatar
Mark Andrews committed
1183
3202.	[bug]		NOEDNS caching on timeout was too aggressive.
1184
1185
			[RT #26416]

1186
1187
1188
3201.	[func]		'rndc querylog' can now be given an on/off parameter
			instead of only being used as a toggle. [RT #18351]

1189
1190
1191
3200.	[doc]		Some rndc functions were undocumented or were
			missing from 'rndc -h' output. [RT #25555]

1192
1193
1194
3199.	[func]		When logging client information, include the name
			being queried. [RT #25944]

1195
1196
1197
3198.	[doc]		Clarified that dnssec-settime can alter keyfile
			permissions. [RT #24866]

Mark Andrews's avatar
Mark Andrews committed
1198
3197.	[bug]		Don't try to log the filename and line number when
1199
1200
			the config parser can't open a file. [RT #22263]

Mark Andrews's avatar
Mark Andrews committed
1201
1202
3196.	[bug]		nsupdate: return nonzero exit code when target zone
			doesn't exist. [RT #25783]
1203