CHANGES 381 KB
Newer Older
1
2
3
3575.	[func]		Changed the logging category for RRL events from
			'queries' to 'query-errors'. [RT #33540]

4
5
6
3574.	[doc]		The 'hostname' keyword was missing from server-id
			description in the named.conf man page. [RT #33476]

Evan Hunt's avatar
Evan Hunt committed
7
8
9
3573.	[bug]		"rndc addzone" and "rndc delzone" incorrectly handled
			zone names containing punctuation marks and other
			nonstandard characters. [RT #33419]
10

Evan Hunt's avatar
Evan Hunt committed
11
12
13
3572.	[func]		Threads are now enabled by default on most
			operating systems. [RT #25483]

14
15
16
3571.	[bug]		Address race condition in dns_client_startresolve().
			[RT #33234]

17
18
19
3570.	[bug]		Check internal pointers are valid when loading map
                        files. [RT #33403]

Evan Hunt's avatar
Evan Hunt committed
20
21
22
3569.	[contrib]	Ported mysql DLZ driver to dynamically-loadable
			module, and added multithread support. [RT #33394]

Evan Hunt's avatar
Evan Hunt committed
23
24
25
3568.	[cleanup]	Add a product description line to the version file,
			to be reported by named -v/-V. [RT #33366]

Evan Hunt's avatar
Evan Hunt committed
26
27
3567.	[bug]		Silence clang static analyzer warnings. [RT #33365]

Evan Hunt's avatar
Evan Hunt committed
28
29
3566.	[func]		Log when forwarding updates to master. [RT #33240]

30
31
3565.   [placeholder]

32
33
3564.	[bug]		Improved handling of corrupted map files. [RT #33380]

Evan Hunt's avatar
Evan Hunt committed
34
35
3563.	[contrib]	zone2sqlite failed with some table names. [RT #33375]

Evan Hunt's avatar
Evan Hunt committed
36
37
38
39
3562.	[func]		Update map file header format to include a SHA-1 hash
			of the database content, so that corrupted map files
			can be rejected at load time. [RT #32459]

40
41
42
3561.	[bug]		dig: issue a warning if an EDNS query returns FORMERR
			or NOTIMP.  Adjust usage message. [RT #33363]
			
43
3560.	[bug]		isc-config.sh did not honor includedir and libdir
44
45
			when set via configure. [RT #33345]

46
47
48
3559.	[func]		Check that both forms of Sender Policy Framework
			records exist or do not exist. [RT #33355]

49
50
3558.	[bug]		IXFR of a DLZ stored zone was broken. [RT #33331]

51
52
3557.	[bug]		Reloading redirect zones was broken. [RT #33292]

Evan Hunt's avatar
Evan Hunt committed
53
54
3556.	[maint]		Added AAAA for D.ROOT-SERVERS.NET.

55
56
57
3555.	[bug]		Address theoretical race conditions in acache.c
			(change #3553 was incomplete). [RT #33252]

Evan Hunt's avatar
Evan Hunt committed
58
59
60
61
3554.	[bug]		RRL failed to correctly rate-limit upward
			referrals and failed to count dropped error
			responses in the statistics. [RT #33225]

62
63
3553.	[bug]		Address suspected double free in acache. [RT #33252]

64
3552.	[bug]		Wrong getopt option string for 'nsupdate -r'.
65
			[RT #33280]
66

67
68
3551.	[bug]		resolver.querydscp[46] were uninitialized.  [RT #32686]

69
70
71
72
3550.	[func]		Unified the internal and export versions of the
			BIND libraries, allowing external clients to use
			the same libraries as BIND. [RT #33131]

Evan Hunt's avatar
Evan Hunt committed
73
74
75
3549.	[doc]		Documentation for "request-nsid" was missing.
			[RT #33153]

76
77
78
79
3548.	[bug]		The NSID request code in resolver.c was broken
			resulting in invalid EDNS options being sent.
			[RT #33153]

80
81
82
3547.	[bug]		Some malformed unknown rdata records were not properly
			detected and rejected. [RT #33129]

83
84
3546.	[func]		Add EUI48 and EUI64 types. [RT #33082]

Evan Hunt's avatar
Evan Hunt committed
85
86
87
3545.	[bug]		RRL slip behavior was incorrect when set to 1.
			[RT #33111]

Evan Hunt's avatar
Evan Hunt committed
88
89
90
91
3544.	[contrib]	check5011.pl: Script to report the status of
			managed keys as recorded in managed-keys.bind.
			Contributed by Tony Finch <dot@dotat.at>

92
3543.	[bug]		Update socket structure before attaching to socket
Mark Andrews's avatar
typo    
Mark Andrews committed
93
			manager after accept. [RT #33084]
94

Mark Andrews's avatar
Mark Andrews committed
95
96
3542.	[placeholder]

Evan Hunt's avatar
Evan Hunt committed
97
98
3541.	[bug]		Parts of libdns were not properly initialized when
			built in libexport mode. [RT #33028]
99

Evan Hunt's avatar
Evan Hunt committed
100
3540.	[test]		libt_api: t_info and t_assert were not thread safe.
101

102
103
3539.	[port]		win32: timestamp format didn't match other platforms.

Evan Hunt's avatar
Evan Hunt committed
104
105
3538.	[test]		Running "make test" now requires loopback interfaces
			to be set up. [RT #32452]
106

107
108
109
110
3537.	[tuning]	Slave zones, when updated, now send NOTIFY messages
			to peers before being dumped to disk rather than
			after. [RT #27242]

Evan Hunt's avatar
Evan Hunt committed
111
112
113
114
115
116
117
118
119
3536.	[func]		Add support for setting Differentiated Services Code
			Point (DSCP) values in named.  Most configuration
			options which take a "port" option (e.g.,
			listen-on, forwarders, also-notify, masters,
			notify-source, etc) can now also take a "dscp"
			option specifying a code point for use with
			outgoing traffic, if supported by the underlying
			OS. [RT #27596]

120
121
3535.	[bug]		Minor win32 cleanups. [RT #32962]

122
123
124
3534.	[bug]		Extra text after an embedded NULL was ignored when
			parsing zone files. [RT #32699]

125
126
127
128
3533.	[contrib]	query-loc-0.4.0: memory leaks. [RT #32960]

3532.	[contrib]	zkt: fixed buffer overrun, resource leaks. [RT #32960]

129
130
131
3531.	[bug]		win32: A uninitialized value could be returned on out
			of memory. [RT #32960]

Evan Hunt's avatar
Evan Hunt committed
132
133
3530.	[contrib]	Better RTT tracking in queryperf. [RT #30128]

134
135
136
137
138
3529.	[func]		Named now listens on both IPv4 and IPv6 interfaces
			by default.  Named previously only listened on IPv4
			interfaces by default unless named was running in
			IPv6 only mode.  [RT #32945]

Evan Hunt's avatar
Evan Hunt committed
139
140
141
142
143
144
145
3528.	[func]		New "dnssec-coverage" command scans the timing
			metadata for a set of DNSSEC keys and reports if a
			lapse in signing coverage has been scheduled
			inadvertently. (Note: This tool depends on python;
			it will not be built or installed on systems that
			do not have a python interpreter.) [RT #28098]

146
147
148
149
3527.	[compat]	Add a URI to allow applications to explicitly
			request a particular XML schema from the statistics
			channel, returning 404 if not supported. [RT #32481]

150
151
152
3526.	[cleanup]	Set up dependencies for unit tests correctly during
			build. [RT #32803]

153
154
155
156
157
158
159
3525.	[func]		Support for additional signing algorithms in rndc:
			hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
			The -A option to rndc-confgen can be used to
			select the algorithm for the generated key.
			(The default is still hmac-md5; this may
			change in a future release.) [RT #20363]

160
161
3524.	[func]		Added an alternate statistics channel in JSON format,
			when the server is built with the json-c library:
Evan Hunt's avatar
Evan Hunt committed
162
			http://[address]:[port]/json. [RT #32630]
163

164
165
166
167
168
3523.	[contrib]	Ported filesystem and ldap DLZ drivers to
			dynamically-loadable modules, and added the
			"wildcard" module based on a contribution from
			Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569]

169
170
171
3522.	[bug]		DLZ lookups could fail to return SERVFAIL when
			they ought to. [RT #32685]

172
173
3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]

174
175
176
3520.	[bug]		'mctx' was not being referenced counted in some places
			where it should have been.  [RT #32794]

177
178
179
180
3519.	[func]		Full replay protection via four-way handshake is
			now mandatory for rndc clients. Very old versions
			of rndc will no longer work. [RT #32798]

181
182
183
184
185
3518.	[bug]		Increase the size of dns_rrl_key.s.rtype by one bit
			so that all dns_rrl_rtype_t enum values fit regardless
			of whether it is teated as signed or unsigned by
			the compiler. [RT #32792]

186
187
3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]

Evan Hunt's avatar
Evan Hunt committed
188
189
3516.	[placeholder]

190
191
3515.	[port]		'%T' is not portable in strftime(). [RT #32763]

Evan Hunt's avatar
Evan Hunt committed
192
193
194
195
196
197
3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
			rndc-confgen were too constrained. Keys up to 512
			bits are now allowed for most algorithms, and up
			to 1024 bits for hmac-sha384 and hmac-sha512.
			[RT #32753]

198
199
200
3513.	[func]		"dig -u" prints times in microseconds rather than
			milliseconds. [RT #32704]

Evan Hunt's avatar
Evan Hunt committed
201
202
203
3512.	[func]		"rndc validation check" reports the current status
			of DNSSEC validation. [RT #21397]

Evan Hunt's avatar
Evan Hunt committed
204
205
3511.	[doc]		Improve documentation of redirect zones. [RT #32756]

206
207
208
3510.	[func]		"rndc status" and XML statistics channel now report
			server start and reconfiguration times. [RT #21048]

209
210
211
212
3509.	[cleanup]	Added a product line to version file to allow for
			easy naming of different products (BIND
			vs BIND ESV, for example). [RT #32755]

213
214
215
3508.	[contrib]	queryperf was incorrectly rejecting the -T option.
			[RT #32338]

216
217
218
219
3507.	[bug]		Statistics channel XSL had a glitch when attempting
			to chart query data before any queries had been
			received. [RT #32620]

220
221
222
223
224
225
226
227
228
229
230
231
3506.	[func]		When setting "max-cache-size" and "max-acache-size",
			the keyword "unlimited" is no longer defined as equal
			to 4 gigabytes (except on 32-bit platforms); it
			means literally unlimited. [RT #32358]

3505.	[bug]		When setting "max-cache-size" and "max-acache-size",
			larger values than 4 gigabytes could not be set
			explicitly, though larger sizes were available
			when setting cache size to 0. This has been
			corrected; the full range is now available.
			[RT #32358]

Evan Hunt's avatar
Evan Hunt committed
232
233
234
235
3504.	[func]		Add support for ACLs based on geographic location,
			using MaxMind GeoIP databases. Based on code
			contributed by Ken Brownfield <kb@slide.com>.
			[RT #30681]
Mark Andrews's avatar
Mark Andrews committed
236

Evan Hunt's avatar
Evan Hunt committed
237
238
3503.	[doc]		Clarify size_spec syntax. [RT #32449]

239
240
241
3502.	[func]		zone-statistics: "no" is now a synonym for "none",
			instead of "terse". [RT #29165]

242
243
244
245
3501.	[func]		zone-statistics now takes three options: full,
			terse, and none. "yes" and "no" are retained as
			synonyms for full and terse, respectively. [RT #29165]

Evan Hunt's avatar
Evan Hunt committed
246
247
248
249
3500.	[security]	Support NAPTR regular expression validation on
			all platforms without using libregex, which
			can be vulnerable to memory exhaustion attack
			(CVE-2013-2266). [RT #32688]
250

Evan Hunt's avatar
Evan Hunt committed
251
252
253
3499.	[doc]		Corrected ARM documentation of built-in zones.
			[RT #32694]

254
255
256
257
3498.	[bug]		zone statistics for zones which matched a potential
			empty zone could have their zone-statistics setting
			overridden.

258
259
260
261
3497.	[func]		When deleting a slave/stub zone using 'rndc delzone'
			report the files that were being used so they can
			be cleaned up if desired. [RT #27899]

Evan Hunt's avatar
Evan Hunt committed
262
263
3496.	[placeholder]

264
3495.	[func]		Support multiple response-policy zones (up to 32),
Mark Andrews's avatar
Mark Andrews committed
265
			while improving RPZ performance.  "response-policy"
266
267
268
			syntax now includes a "min-ns-dots" clause, with
			default 1, to exclude top-level domains from
			NSIP and NSDNAME checking. --enable-rpz-nsip and
Mark Andrews's avatar
Mark Andrews committed
269
			--enable-rpz-nsdname are now the default. [RT #32251]
270

Evan Hunt's avatar
Evan Hunt committed
271
272
273
274
3494.	[func]		DNS RRL: Blunt the impact of DNS reflection and
			amplification attacks by rate-limiting substantially-
			identical responses. [RT #28130]

275
276
3493.	[contrib]	Added BDBHPT dynamically-lodable DLZ module,
			contributed by Mark Goldfinch. [RT #32549]
Mark Andrews's avatar
Mark Andrews committed
277

278
279
280
3492.	[bug]		Fixed a regression in zone loading performance
			due to lock contention. [RT #30399]

281
282
283
3491.	[bug]		Slave zones using inline-signing must specify a
			file name. [RT #31946]

284
3490.	[bug]		When logging RDATA during update, truncate if it's
Mark Andrews's avatar
Mark Andrews committed
285
			too long. [RT #32365]
286

287
288
289
290
291
3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
			dns_dlzcreate() failed to properly initialize
			dlzdb.link.  When cloning a rdataset do not copy
			the link contents.  [RT #32651]

292
293
3488.	[bug]		Use after free error with DH generated keys. [RT #32649]

294
295
3487.	[bug]		Change 3444 was not complete.  There was a additional
			place where the NOQNAME proof needed to be saved.
Mark Andrews's avatar
Mark Andrews committed
296
			[RT #32629]
297

Evan Hunt's avatar
Evan Hunt committed
298
299
300
3486.	[bug]		named could crash when using TKEY-negotiated keys
			that had been deleted and then recreated. [RT #32506]

301
302
3485.	[cleanup]	Only compile openssl_gostlink.c if we support GOST.

303
304
305
3484.	[bug]		Some statistics were incorrectly rendered in XML.
			[RT #32587]

Evan Hunt's avatar
Evan Hunt committed
306
307
3483.	[placeholder]

308
309
310
311
3482.	[func]		dig +nssearch now prints name servers that don't
			have address records (missing AAAA or A, or the name
			doesn't exist). [RT #29348]

312
3481.	[cleanup]	Removed use of const const in atf.
313

Evan Hunt's avatar
Evan Hunt committed
314
315
316
3480.	[bug]		Silence logging noise when setting up zone
			statistics. [RT #32525]

317
318
319
3479.	[bug]		Address potential memory leaks in gssapi support
			code. [RT #32405]

Evan Hunt's avatar
Evan Hunt committed
320
321
322
323
3478.	[port]		Fix a build failure in strict C99 environments
			[RT #32475]

3477.	[func]		Expand logging when adding records via DDNS update
Mark Andrews's avatar
Mark Andrews committed
324
325
			[RT #32365]

326
327
328
3476.	[bug]		"rndc zonestatus" could report a spurious "not
			found" error on inline-signing zones. [RT #29226]

Evan Hunt's avatar
Evan Hunt committed
329
330
3475.	[cleanup]	Changed name of 'map' zone file format (previously
			'fast'). [RT #32458]
331

332
333
334
3474.	[bug]		nsupdate could assert when the local and remote
			address families didn't match. [RT #22897]

Evan Hunt's avatar
Evan Hunt committed
335
336
337
338
3473.	[bug]		dnssec-signzone/verify could incorrectly report
			an error condition due to an empty node above an
			opt-out delegation lacking an NSEC3. [RT #32072]

339
340
341
3472.	[bug]		The active-connections counter in the socket
			statistics could underflow. [RT #31747]

342
343
344
345
3471.	[bug]		The number of UDP dispatches now defaults to
			the number of CPUs even if -n has been set to
			a higher value. [RT #30964]

346
347
348
3470.	[bug]		Slave zones could fail to dump when successfully
			refreshing after an initial failure. [RT #31276]

Evan Hunt's avatar
Evan Hunt committed
349
350
351
352
3469.	[bug]		Handle DLZ lookup failures more gracefully. Improve
			backward compatibility between versions of DLZ dlopen
			API. [RT #32275]

353
354
3468.	[security]	RPZ rules to generate A records (but not AAAA records)
			could trigger an assertion failure when used in
355
			conjunction with DNS64 (CVE-2012-5689). [RT #32141]
356
357
358

3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
			to check for delete date < inactive date. [RT #31719]
359

360
361
362
3466.	[contrib]	Corrected the DNS_CLIENTINFOMETHODS_VERSION check
			in DLZ example driver. [RT #32275]

363
364
3465.	[bug]		Handle isolated reserved ports. [RT #31778]

365
366
367
3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]

368
3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]
369
370
371
372

3462.	[doc]		Clarify server selection behavior of dig when using
			-4 or -6 options. [RT #32181]

373
374
375
3461.	[bug]		Negative responses could incorrectly have AD=1
			set. [RT #32237]

376
377
3460.	[bug]		Only link against readline where needed. [RT #29810]

378
379
380
3459.	[func]		Added -J option to named-checkzone/named-compilezone
			to specify the path to the journal file. [RT #30958]

381
382
383
3458.	[bug]		Return FORMERR when presented with a overly long
			domain named in a request. [RT #29682]

384
385
3457.	[protocol]	Add ILNP records (NID, LP, L32, L64). [RT #31836]

Evan Hunt's avatar
Evan Hunt committed
386
3456.	[port]		g++47: ATF failed to compile. [RT #32012]
387

388
389
3455.	[contrib]	queryperf: fix getopt option list. [RT #32338]

390
391
3454.	[port]		sparc64: improve atomic support. [RT #25182]

392
393
394
3453.	[bug]		'rndc addzone' of a zone with 'inline-signing yes;'
			failed. [RT #31960]

Mark Andrews's avatar
Mark Andrews committed
395
3452.	[bug]		Accept duplicate singleton records. [RT #32329]
396

397
398
399
3451.	[port]		Increase per thread stack size from 64K to 1M.
			[RT #32230]

400
401
402
3450.	[bug]		Stop logfileconfig system test spam system logs.
			[RT #32315]

403
404
405
406
3449.	[bug]		gen.c: use the pre-processor to construct format
			strings so that compiler can perform sanity checks;
			check the snprintf results. [RT #17576]

Evan Hunt's avatar
Evan Hunt committed
407
408
409
3448.	[bug]		The allow-query-on ACL was not processed correctly.
			[RT #29486]

410
411
3447.	[port]		Add support for libxml2-2.9.x [RT #32231]

412
413
414
3446.	[port]		win32: Add source ID (see change #3400) to build.
			[RT #31683]

415
416
3445.	[bug]		Warn about zone files with blank owner names
			immediately after $ORIGIN directives. [RT #31848]
417

418
3444.	[bug]		The NOQNAME proof was not being returned from cached
419
420
			insecure responses. [RT #21409]

421
422
423
3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
			rejected when generating keys. [RT #31927]

424
425
426
3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
			change. [RT #32216]

427
428
3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.

429
430
431
3440.	[bug]		Reorder get_key_struct to not trigger a assertion when
			cleaning up due to out of memory error. [RT #32131]

Mark Andrews's avatar
Mark Andrews committed
432
433
3439.	[placeholder]

434
435
3438.	[bug]		Don't accept unknown data escape in quotes. [RT #32031]

Mark Andrews's avatar
Mark Andrews committed
436
3437.	[bug]		isc_buffer_init -> isc_buffer_constinit to initialize
437
438
			buffers with constant data. [RT #32064]

439
440
3436.	[bug]		Check malloc/calloc return values. [RT #32088]

441
442
443
3435.	[bug]		Cross compilation support in configure was broken.
			[RT #32078]

444
445
446
447
448
449
3434.	[bug]		Pass client info to the DLZ findzone() entry
			point in addition to lookup().  This makes it
			possible for a database to answer differently
			whether it's authoritative for a name depending
			on the address of the client.  [RT #31775]

450
451
452
3433.	[bug]		dlz_findzone() did not correctly handle
			ISC_R_NOMORE. [RT #31172]

Evan Hunt's avatar
Evan Hunt committed
453
454
455
456
457
458
459
460
461
3432.	[func]		Multiple DLZ databases can now be configured.
			DLZ databases are searched in the order configured,
			unless set to "search no", in which case a
			zone can be configured to be retrieved from a
			particular DLZ database by using a "dlz <name>"
			option in the zone statement.  DLZ databases can
			support type "master" and "redirect" zones.
			[RT #27597]

462
463
464
3431.	[bug]		ddns-confgen: Some valid key algorithms were
			not accepted. [RT #31927]

465
466
467
3430.	[bug]		win32: isc_time_formatISO8601 was missing the
			'T' between the date and time. [RT #32044]

468
469
470
3429.	[bug]		dns_zone_getserial2 could a return success without
			returning a valid serial. [RT #32007]

Evan Hunt's avatar
Evan Hunt committed
471
472
3428.	[cleanup]	dig: Add timezone to date output. [RT #2269]

Mark Andrews's avatar
Mark Andrews committed
473
3427.	[bug]		dig +trace incorrectly displayed name server
Evan Hunt's avatar
Evan Hunt committed
474
475
			addresses instead of names. [RT #31641]

476
477
478
3426.	[bug]		dnssec-checkds: Clearer output when records are not
			found. [RT #31968]

479
480
481
3425.	[bug]		"acacheentry" reference counting was broken resulting
			in use after free. [RT #31908]

482
483
484
3424.	[func]		dnssec-dsfromkey now emits the hash without spaces.
			[RT #31951]

485
486
487
488
3423.	[bug]		"rndc signing -nsec3param" didn't accept the full
			range of possible values.  Address portability issues.
			[RT #31938]

Mark Andrews's avatar
Mark Andrews committed
489
3422.	[bug]		Added a clear error message for when the SOA does not
490
491
			match the referral. [RT #31281]

492
493
494
3421.	[bug]		Named loops when re-signing if all keys are offline.
			[RT #31916]

495
496
3420.	[bug]		Address VPATH compilation issues. [RT #31879]

497
498
3419.	[bug]		Memory leak on validation cancel. [RT #31869]

Mark Andrews's avatar
Mark Andrews committed
499
500
501
502
503
504
3418.	[func]		New XML schema (version 3.0) for the statistics channel
			adds query type statistics at the zone level, and
			flattens the XML tree and uses compressed format to
			optimize parsing. Includes new XSL that permits
			charting via the Google Charts API on browsers that
			support javascript in XSL.  The old XML schema has been
505
506
			deprecated. [RT #30023]

Mark Andrews's avatar
Mark Andrews committed
507
3417.	[placeholder]
508

509
510
511
3416.	[bug]		Named could die on shutdown if running with 128 UDP
			dispatches per interface. [RT #31743]

512
3415.	[bug]		named could die with a REQUIRE failure if a validation
513
514
			was canceled. [RT #31804]

515
516
3414.	[bug]		Address locking issues found by Coverity. [RT #31626]

517
518
519
3413.	[func]		Record the number of DNS64 AAAA RRsets that have been
			synthesized. [RT #27636]

520
521
522
3412.	[bug]		Copy timeval structure from control message data.
			[RT #31548]

523
524
525
3411.	[tuning]	Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
			to UDP. [RT #31690]

526
527
3410.	[bug]		Addressed Coverity warnings. [RT #31626]

Evan Hunt's avatar
Evan Hunt committed
528
529
530
531
532
3409.	[contrib]	contrib/dane/mkdane.sh: Tool to generate TLSA RR's
			from X.509 certificates, for use with DANE
			(DNS-based Authentication of Named Entities).
			[RT #30513]

533
534
535
536
537
3408.	[bug]		Some DNSSEC-related options (update-check-ksk,
			dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
			are now legal in slave zones as long as
			inline-signing is in use. [RT #31078]

Mark Andrews's avatar
Mark Andrews committed
538
539
3407.	[placeholder]

540
541
3406.	[bug]		mem.c: Fix compilation errors when building with
			ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
Mark Andrews's avatar
Mark Andrews committed
542
			Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
543

544
545
3405.	[bug]		Handle time going backwards in acache. [RT #31253]

546
3404.	[bug]		dnssec-signzone: When re-signing a zone, remove
Mark Andrews's avatar
Mark Andrews committed
547
			RRSIG and NSEC records from nodes that used to be
548
549
			in-zone but are now below a zone cut. [RT #31556]

Evan Hunt's avatar
Evan Hunt committed
550
551
3403.	[bug]		Silence noisy OpenSSL logging. [RT #31497]

Evan Hunt's avatar
Evan Hunt committed
552
3402.	[test]		The IPv6 interface numbers used for system
Mark Andrews's avatar
Mark Andrews committed
553
			tests were incorrect on some platforms. [RT #25085]
Curtis Blackburn's avatar
Curtis Blackburn committed
554

Evan Hunt's avatar
Evan Hunt committed
555
556
3401.	[bug]		Addressed Coverity warnings. [RT #31484]

Evan Hunt's avatar
Evan Hunt committed
557
558
559
560
3400.	[cleanup]	"named -V" can now report a source ID string, defined
			in the "srcid" file in the build tree and normally set
			to the most recent git hash.  [RT #31494]

561
562
563
3399.	[port]		netbsd: rename 'bool' parameter to avoid namespace
			clash.  [RT #31515]

564
565
566
567
3398.	[bug]		SOA parameters were not being updated with inline
			signed zones if the zone was modified while the
			server was offline. [RT #29272]

568
3397.	[bug]		dig crashed when using +nssearch with +tcp. [RT #25298]
Mark Andrews's avatar
Mark Andrews committed
569

570
571
572
3396.	[bug]		OPT records were incorrectly removed from signed,
			truncated responses. [RT #31439]

573
574
575
576
3395.	[protocol]	Add RFC 6598 reverse zones to built in empty zones
			list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
			[RT #31336]

Mark Andrews's avatar
Mark Andrews committed
577
3394.	[bug]		Adjust 'successfully validated after lower casing
578
579
			signer' log level and category. [RT #31414]

580
581
582
3393.	[bug]		'host -C' could core dump if REFUSED was received.
			[RT #31381]

583
584
3392.	[func]		Keep statistics on REFUSED responses. [RT #31412]

Mark Andrews's avatar
Mark Andrews committed
585
586
3391.	[bug]		A DNSKEY lookup that encountered a CNAME failed.
			[RT #31262]
587

588
589
3390.	[bug]		Silence clang compiler warnings. [RT #30417]

590
591
3389.	[bug]		Always return NOERROR (not 0) in TSIG. [RT #31275]

592
593
594
595
596
597
3388.	[bug]		Fixed several Coverity warnings.
			Note: This change includes a fix for a bug that
			was subsequently determined to be an exploitable
			security vulnerability, CVE-2012-5688: named could
			die on specific queries with dns64 enabled.
			[RT #30996]
Evan Hunt's avatar
Evan Hunt committed
598

599
600
3387.	[func]		DS digest can be disabled at runtime with
			disable-ds-digests. [RT #21581]
601

602
603
604
3386.	[bug]		Address locking violation when generating new NSEC /
			NSEC3 chains. [RT #31224]

605
606
607
3385.	[bug]		named-checkconf didn't detect missing master lists
			in also-notify clauses. [RT #30810]

Evan Hunt's avatar
Evan Hunt committed
608
609
3384.	[bug]		Improved logging of crypto errors. [RT #30963]

Evan Hunt's avatar
typo    
Evan Hunt committed
610
3383.	[security]	A certain combination of records in the RBT could
Mark Andrews's avatar
Mark Andrews committed
611
612
			cause named to hang while populating the additional
			section of a response. [RT #31090]
Evan Hunt's avatar
Evan Hunt committed
613

Evan Hunt's avatar
Evan Hunt committed
614
615
616
617
3382.	[bug]		SOA query from slave used use-v6-udp-ports range,
			if set, regardless of the address family in use.
			[RT #24173]

Evan Hunt's avatar
Evan Hunt committed
618
619
620
3381.	[contrib]	Update queryperf to support more RR types.
			[RT #30762]

621
3380.	[bug]		named could die if a nonexistent master list was
622
623
			referenced in a also-notify. [RT #31004]

624
625
626
3379.	[bug]		isc_interval_zero and isc_time_epoch should be
			"const (type)* const". [RT #31069]

627
628
629
3378.	[bug]		Handle missing 'managed-keys-directory' better.
			[RT #30625]

Evan Hunt's avatar
Evan Hunt committed
630
631
632
3377.	[bug]		Removed spurious newline from NSEC3 multiline
			output. [RT #31044]

633
634
635
3376.	[bug]		Lack of EDNS support was being recorded without a
			successful response. [RT #30811]

636
637
3375.	[bug]		'rndc dumpdb' failed on empty caches. [RT #30808]

Mark Andrews's avatar
Mark Andrews committed
638
639
3374.	[bug]		isc_parse_uint32 failed to return a range error on
			systems with 64 bit longs. [RT #30232]
640

Mark Andrews's avatar
Mark Andrews committed
641
3373.	[bug]		win32: open raw files in binary mode. [RT #30944]
642

643
644
645
3372.	[bug]		Silence spurious "deleted from unreachable cache"
			messages.  [RT #30501]

646
647
648
649
3371.	[bug]		AD=1 should behave like DO=1 when deciding whether to
			add NS RRsets to the additional section or not.
			[RT #30479]

650
651
652
3370.	[bug]		Address use after free while shutting down. [RT #30241]

3369.	[bug]		nsupdate terminated unexpectedly in interactive mode
653
654
			if built with readline support. [RT #29550]

655
3368.	[bug]		<dns/iptable.h>, <dns/private.h> and <dns/zone.h>
Evan Hunt's avatar
Evan Hunt committed
656
			were not C++ safe.
657

658
659
660
3367.	[bug]		dns_dnsseckey_create() result was not being checked.
			[RT #30685]

Mark Andrews's avatar
Mark Andrews committed
661
3366.	[bug]		Fixed Read-After-Write dependency violation for IA64
662
663
			atomic operations. [RT #25181]

664
665
666
3365.	[bug]		Removed spurious newlines from log messages in
			zone.c [RT #30675]

667
668
669
3364.	[security]	Named could die on specially crafted record.
			[RT #30416]

670
671
672
673
3363.	[bug]		Need to allow "forward" and "fowarders" options
			in static-stub zones; this had been overlooked.
			[RT #30482]

674
675
676
677
3362.	[bug]		Setting some option values to 0 in named.conf
			could trigger an assertion failure on startup.
			[RT #27730]

678
679
3361.	[bug]		"rndc signing -nsec3param" didn't work correctly
			when salt was set to '-' (no salt). [RT #30099]
Mark Andrews's avatar
Mark Andrews committed
680

681
682
3360.	[bug]		'host -w' could die.  [RT #18723]

683
3359.	[bug]		An improperly-formed TSIG secret could cause a
Mark Andrews's avatar
Mark Andrews committed
684
			memory leak. [RT #30607]
685

Mark Andrews's avatar
Mark Andrews committed
686
687
3358.	[placeholder]

688
689
3357.	[port]		Add support for libxml2-2.8.x [RT #30440]

Mark Andrews's avatar
Mark Andrews committed
690
3356.	[bug]		Cap the TTL of signed RRsets when RRSIGs are
691
692
693
			approaching their expiry, so they don't remain
			in caches after expiry. [RT #26429]

694
695
3355.	[port]		Use more portable awk in verify system test.

696
697
3354.	[func]		Improve OpenSSL error logging. [RT #29932]

698
699
700
3353.	[bug]		Use a single task for task exclusive operations.
			[RT #29872]

701
702
703
3352.	[bug]		Ensure that learned server attributes timeout of the
			adb cache. [RT #29856]

704
705
706
707
3351.	[bug]		isc_mem_put and isc_mem_putanddetach didn't report
			caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
			memory debugging flags are set. [RT #30243]

708
709
710
711
3350.	[bug]		Memory read overrun in isc___mem_reallocate if
			ISC_MEM_DEBUGCTX memory debugging flag is set.
			[RT #30240]

Mark Andrews's avatar
Mark Andrews committed
712
713
3349.	[bug]		Change #3345 was incomplete. [RT #30233]

Mark Andrews's avatar
Mark Andrews committed
714
715
716
717
3348.	[bug]		Prevent RRSIG data from being cached if a negative
			record matching the covering type exists at a higher
			trust level. Such data already can't be retrieved from
			the cache since change 3218 -- this prevents it
Mark Andrews's avatar
Mark Andrews committed
718
			being inserted into the cache as well. [RT #26809]
Mark Andrews's avatar
Mark Andrews committed
719
720
721

3347.	[bug]		dnssec-settime: Issue a warning when writing a new
			private key file would cause a change in the
Evan Hunt's avatar
Evan Hunt committed
722
			permissions of the existing file. [RT #27724]
Curtis Blackburn's avatar
Curtis Blackburn committed
723

Evan Hunt's avatar
Evan Hunt committed
724
725
726
3346.	[security]	Bad-cache data could be used before it was
			initialized, causing an assert. [RT #30025]

727
728
729
730
3345.	[bug]		Addressed race condition when removing the last item
			or inserting the first item in an ISC_QUEUE.
			[RT #29539]

Mark Andrews's avatar
Mark Andrews committed
731
732
733
734
735
736
737
738
739
3344.	[func]		New "dnssec-checkds" command checks a zone to
			determine which DS records should be published
			in the parent zone, or which DLV records should be
			published in a DLV zone, and queries the DNS to
			ensure that it exists. (Note: This tool depends
			on python; it will not be built or installed on
			systems that do not have a python interpreter.)
			[RT #28099]

Mark Andrews's avatar
Mark Andrews committed
740
741
3343.	[placeholder]

742
743
744
745
3342.	[bug]		Change #3314 broke saving of stub zones to disk
			resulting in excessive cpu usage in some cases.
			[RT #29952]

746
747
748
749
3341.	[func]		New "dnssec-verify" command checks a signed zone
			to ensure correctness of signatures and of NSEC/NSEC3
			chains. [RT #23673]

Evan Hunt's avatar
Evan Hunt committed
750
3340.	[func]		Added new 'map' zone file format, which is an image
Mark Andrews's avatar
Mark Andrews committed
751
752
753
754
			of a zone database that can be loaded directly into
			memory via mmap(), allowing much faster zone loading.
			(Note: Because of pointer sizes and other
			considerations, this file format is platform-dependent;
Evan Hunt's avatar
Evan Hunt committed
755
			'map' zone files cannot always be transferred from one
Curtis Blackburn's avatar
Curtis Blackburn committed
756
757
			server to another.) [RT #25419]

758
759
760
3339.	[func]		Allow the maximum supported rsa exponent size to be
			specified: "max-rsa-exponent-size <value>;" [RT #29228]

761
762
763
3338.	[bug]		Address race condition in units tests: asyncload_zone
			and asyncload_zt. [RT #26100]

764
765
766
3337.	[bug]		Change #3294 broke support for the multiple keys
			in controls. [RT #29694]

767
768
769
3336.	[func]		Maintain statistics for RRsets tagged as "stale".
			[RT #29514]

770
771
772
3335.	[func]		nslookup: return a nonzero exit code when unable
			to get an answer. [RT #29492]

773
3334.	[bug]		Hold a zone table reference while performing a
Mark Andrews's avatar
Mark Andrews committed
774
			asynchronous load of a zone. [RT #28326]
775

776
3333.	[bug]		Setting resolver-query-timeout too low can cause
Mark Andrews's avatar
Mark Andrews committed
777
			named to not recover if it loses connectivity.
778
779
			[RT #29623]

Mark Andrews's avatar
add #    
Mark Andrews committed
780
3332.	[bug]		Re-use cached DS rrsets if possible. [RT #29446]
781

Mark Andrews's avatar
Mark Andrews committed
782
3331.	[security]	dns_rdataslab_fromrdataset could produce bad
783
			rdataslabs. [RT #29644]
Mark Andrews's avatar
Mark Andrews committed
784

Vernon Schryver's avatar
Vernon Schryver committed
785
3330.	[func]		Fix missing signatures on NOERROR results despite
Mark Andrews's avatar
Mark Andrews committed
786
			RPZ rewriting.  Also
Vernon Schryver's avatar
Vernon Schryver committed
787
788
789
790
791
792
793
794
795
796
797
798
799
			 - add optional "recursive-only yes|no" to the
			   response-policy statement
			 - add optional "max-policy-ttl" to the response-policy
			    statement to limit the false data that
			    "recursive-only no" can introduce into
			    resolvers' caches
			 - add a RPZ performance test to bin/tests/system/rpz
			     when queryperf is available.
			 - the encoding of PASSTHRU action to "rpz-passthru".
			     (The old encoding is still accepted.)
		       [RT #26172]


800
801
802
803
804
805
3329.	[bug]		Handle RRSIG signer-name case consistently: We
			generate RRSIG records with the signer-name in
			lower case.  We accept them with any case, but if
			they fail to validate, we try again in lower case.
			[RT #27451]

Mark Andrews's avatar
Mark Andrews committed
806
807
3328.	[bug]		Fixed inconsistent data checking in dst_parse.c.
			[RT #29401]
Evan Hunt's avatar
Evan Hunt committed
808

Evan Hunt's avatar
Evan Hunt committed
809
810
811
812
813
3327.	[func]		Added 'filter-aaaa-on-v6' option; this is similar
			to 'filter-aaaa-on-v4' but applies to IPv6
			connections.  (Use "configure --enable-filter-aaaa"
			to enable this option.)  [RT #27308]

814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
3326.	[func]		Added task list statistics: task model, worker
			threads, quantum, tasks running, tasks ready.
			[RT #27678]

3325.	[func]		Report cache statistics: memory use, number of
			nodes, number of hash buckets, hit and miss counts.
			[RT #27056]

3324.	[test]		Add better tests for ADB stats [RT #27057]

3323.	[func]		Report the number of buckets the resolver is using.
			[RT #27020]

3322.	[func]		Monitor the number of active TCP and UDP dispatches.
			[RT #27055]

3321.	[func]		Monitor the number of recursive fetches and the
			number of open sockets, and report these values in
			the statistics channel. [RT #27054]

3320.	[func]		Added support for monitoring of recursing client
			count. [RT #27009]

3319.	[func]		Added support for monitoring of ADB entry count and
			hash size. [RT #27057]

840
3318.	[tuning]	Reduce the amount of work performed while holding a
Mark Andrews's avatar
Mark Andrews committed
841
			bucket lock when finished with a fetch context.
842
843
			[RT #29239]

Mark Andrews's avatar
Mark Andrews committed
844
3317.	[func]		Add ECDSA support (RFC 6605). [RT #21918]
845

846
847
848
3316.	[tuning]	Improved locking performance when recursing.
			[RT #28836]

849
850
851
852
853
3315.	[tuning]	Use multiple dispatch objects for sending upstream
			queries; this can improve performance on busy
			multiprocessor systems by reducing lock contention.
			[RT #28605]

854
855
3314.	[bug]		The masters list could be updated while stub_callback
			or refresh_callback were using it. [RT #26732]
856

857
858
3313.	[protocol]	Add TLSA record type. [RT #28989]

859
860
861
3312.	[bug]		named-checkconf didn't detect a bad dns64 clients acl.
			[RT #27631]

862
863
864
3311.	[bug]		Abort the zone dump if zone->db is NULL in
			zone.c:zone_gotwritehandle. [RT #29028]

865
866
3310.	[test]		Increase table size for mutex profiling. [RT #28809]

Mark Andrews's avatar
Mark Andrews committed
867
3309.	[bug]		resolver.c:fctx_finddone() was not thread safe.
868
869
			[RT #27995]

Mark Andrews's avatar
Mark Andrews committed
870
871
3308.	[placeholder]

872
873
3307.	[bug]		Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
			[RT #28956]
874

875
876
877
878
3306.	[bug]		Improve DNS64 reverse zone performance. [RT #28563]

3305.	[func]		Add wire format lookup method to sdb. [RT #28563]

879
880
3304.	[bug]		Use hmctx, not mctx when freeing rbtdb->heaps.
			[RT #28571]
881

882
883
3303.	[bug]		named could die when reloading. [RT #28606]

884
885
886
887
3302.	[bug]		dns_dnssec_findmatchingkeys could fail to find
			keys if the zone name contained character that
			required special mappings. [RT #28600]

888
889
890
3301.	[contrib]	Update queryperf to build on darwin.  Add -R flag
			for non-recursive queries. [RT #28565]

891
892
893
3300.	[bug]		Named could die if gssapi was enabled in named.conf
			but was not compiled in. [RT #28338]

894
895
896
3299.	[bug]		Make SDB handle errors from database drivers better.
			[RT #28534]

897
898
899
900
3298.	[bug]		Named could dereference a NULL pointer in
			zmgr_start_xfrin_ifquota if the zone was being removed.
			[RT #28419]

901
902
3297.	[bug]		Named could die on a malformed master file. [RT #28467]

903
904
905
3296.	[bug]		Named could die with a INSIST failure in
			client.c:exit_check. [RT #28346]

906
907
908
3295.	[bug]		Adjust isc_time_secondsastimet range check to be more
			portable. [RT # 26542]

909
910
911
3294.	[bug]		isccc/cc.c:table_fromwire failed to free alist on
			error. [RT #28265]

912
913
3293.	[func]		nsupdate: list supported type. [RT #28261]

914
915
916
3292.	[func]		Log messages in the axfr stream at debug 10.
			[RT #28040]

917
918
919
3291.	[port]		Fixed a build error on systems without ENOTSUP.
			[RT #28200]

920
921
3290.	[bug]		<isc/hmacsha.h> was not being installed. [RT #28169]

922
923
3289.	[bug]		'rndc retransfer' failed for inline zones. [RT #28036]

924
925
926
3288.	[bug]		dlz_destroy() function wasn't correctly registered
			by the DLZ dlopen driver. [RT #28056]

927
928
3287.	[port]		Update ans.pl to work with Net::DNS 0.68. [RT #28028]

929
930
931
3286.	[bug]		Managed key maintenance timer could fail to start
			after 'rndc reconfig'. [RT #26786]

932
933
934
935
3285.	[bug]		val-frdataset was incorrectly disassociated in
			proveunsecure after calling startfinddlvsep.
			[RT #27928]

936
937
938
3284.	[bug]		Address race conditions with the handling of
			rbtnode.deadlink. [RT #27738]

939
940
941
3283.	[bug]		Raw zones with with more than 512 records in a RRset
			failed to load. [RT #27863]

942
3282.	[bug]		Restrict the TTL of NS RRset to no more than that
Mark Andrews's avatar
extend:    
Mark Andrews committed
943
944
			of the old NS RRset when replacing it.
			[RT #27792] [RT #27884]
945

946
947
948
949
3281.	[bug]		SOA refresh queries could be treated as cancelled
			despite succeeding over the loopback interface.
			[RT #27782]

950
951
952
3280.	[bug]		Potential double free of a rdataset on out of memory
			with DNS64. [RT #27762]

Mark Andrews's avatar
Mark Andrews committed
953
3279.	[bug]		Hold a internal reference to the zone while performing
954
955
956
			a asynchronous load.  Address potential memory leak
			if the asynchronous is cancelled. [RT #27750]

Mark Andrews's avatar
Mark Andrews committed
957
3278.	[bug]		Make sure automatic key maintenance is started
958
959
960
			when "auto-dnssec maintain" is turned on during
			"rndc reconfig". [RT #26805]

Mark Andrews's avatar
Mark Andrews committed
961
3277.	[bug]		win32: isc_socket_dup is not implemented. [RT #27696]
962
963
964
965

3276.	[bug]		win32: ns_os_openfile failed to return NULL on
			safe_open failure. [RT #27696]

966
3275.	[bug]		Corrected rndc -h output; the 'rndc sync -clean'
967
			option had been misspelled as '-clear'.  (To avoid
968
969
			future confusion, both options now work.) [RT #27173]

Mark Andrews's avatar
Mark Andrews committed
970
3274.	[placeholder]
Mark Andrews's avatar
Mark Andrews committed
971

Mark Andrews's avatar
Mark Andrews committed
972
973
974
3273.	[bug]		AAAA responses could be returned in the additional
			section even when filter-aaaa-on-v4 was in use.
			[RT #27292]
975
976
977
978

3272.	[func]		New "rndc zonestatus" command prints information
			about the specified zone. [RT #21671]

979
980
981
982
3271.	[port]		darwin: mksymtbl is not always stable, loop several
			times before giving up.  mksymtbl was using non
			portable perl to covert 64 bit hex strings. [RT #27653]

Evan Hunt's avatar
Evan Hunt committed
983
	--- 9.9.0rc2 released ---
Evan Hunt's avatar
Evan Hunt committed
984

985
986
987
3270.	[bug]		"rndc reload" didn't reuse existing zones correctly
			when inline-signing was in use. [RT #27650]

988
989
3269.	[port]		darwin 11 and later now built threaded by default.

990
991
992
3268.	[bug]		Convert RRSIG expiry times to 64 timestamps to work
			out the earliest expiry time. [RT #23311]

993
994
995
996
3267.	[bug]		Memory allocation failures could be mis-reported as
			unexpected error.  New ISC_R_UNSET result code.
			[RT #27336]

997
998
999
1000
3266.	[bug]		The maximum number of NSEC3 iterations for a
			DNSKEY RRset was not being properly computed.
			[RT #26543]

Evan Hunt's avatar
Evan Hunt committed
1001
1002
3265.	[bug]		Corrected a problem with lock ordering in the
			inline-signing code. [RT #27557]
1003

1004
1005
1006
1007
1008
1009
1010
3264.	[bug]		Automatic regeneration of signatures in an
			inline-signing zone could stall when the server
			was restarted. [RT #27344]

3263.	[bug]		"rndc sync" did not affect the unsigned side of an
			inline-signing zone. [RT #27337]

1011
1012
1013
3262.	[bug]		Signed responses were handled incorrectly by RPZ.
			[RT #27316]

1014
1015
3261.	[func]		RRset ordering now defaults to random. [RT #27174]

1016
1017
3260.	[bug]		"rrset-order cyclic" could appear not to rotate
			for some query patterns.  [RT #27170/27185]
1018

Evan Hunt's avatar
Evan Hunt committed
1019
1020
	--- 9.9.0rc1 released ---

1021
1022
1023
3259.	[bug]		named-compilezone: Suppress "dump zone to <file>"
			message when writing to stdout. [RT #27109]

1024
1025
1026
3258.	[test]		Add "forcing full sign with unreadable keys" test.
			[RT #27153]

1027
1028
1029
3257.	[bug]		Do not generate a error message when calling fsync()
			in a pipe or socket. [RT #27109]

1030
1031
1032
1033
1034
1035
3256.	[bug]		Disable empty zones for lwresd -C. [RT #27139]

3255.	[func]		No longer require that a empty zones be explicitly
			enabled or that a empty zone is disabled for
			RFC 1918 empty zones to be configured. [RT #27139]

1036
1037
1038
3254.	[bug]		Set isc_socket_ipv6only() on the IPv6 control channels.
			[RT #22249]

1039
1040
1041
3253.	[bug]		Return DNS_R_SYNTAX when the input to a text field is
			too long. [RT #26956]

1042
1043
1044
1045
1046
3252.	[bug]		When master zones using inline-signing were
			updated while the server was offline, the source
			zone could fall out of sync with the signed
			copy. They can now resynchronize. [RT #26676]

1047
1048
1049
1050
1051
3251.	[bug]		Enforce a upper bound (65535 bytes) on the amount of
			memory dns_sdlz_putrr() can allocate per record to
			prevent run away memory consumption on ISC_R_NOSPACE.
			[RT #26956]

1052
1053
1054
1055
3250.	[func]		'configure --enable-developer'; turn on various
			configure options, normally off by default, that
			we want developers to build and test with. [RT #27103]

1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
3249.	[bug]		Update log message when saving slave zones files for
			analysis after load failures. [RT #27087]

3248.	[bug]		Configure options --enable-fixed-rrset and
			--enable-exportlib were incompatible with each
			other. [RT #27087]

3247.	[bug]		'raw' format zones failed to preserve load order
			breaking 'fixed' sort order. [RT #27087]

3246.	[bug]		Named failed to start with a empty also-notify list.
			[RT #27087]

1069
1070
1071
1072
3245.	[bug]		Don't report a error unchanged serials unless there
			were other changes when thawing a zone with
			ixfr-fromdifferences. [RT #26845]

1073
3244.	[func]		Added readline support to nslookup and nsupdate.
Mark Andrews's avatar
Mark Andrews committed
1074
			Also simplified nsupdate syntax to make "update"
1075
1076
			and "prereq" optional. [RT #24659]

1077
1078
1079
3243.	[port]		freebsd,netbsd,bsdi: the thread defaults were not
			being properly set.

Mark Andrews's avatar
Mark Andrews committed
1080
3242.	[func]		Extended the header of raw-format master files to
1081
1082
1083
1084
1085
1086
			include the serial number of the zone from which
			they were generated, if different (as in the case
			of inline-signing zones).  This is to be used in
			inline-signing zones, to track changes between the
			unsigned and signed versions of the zone, which may
			have different serial numbers.
Mark Andrews's avatar
Mark Andrews committed
1087

1088
			(Note: raw zonefiles generated by this version of
Mark Andrews's avatar
Mark Andrews committed
1089
			BIND are no longer compatible with prior versions.
1090
1091
1092
1093
1094
			To generate a backward-compatible raw zonefile
			using dnssec-signzone or named-compilezone, specify
			output format "raw=0" instead of simply "raw".)
			[RT #26587]

1095
1096
1097
3241.	[bug]		Address race conditions in the resolver code.
			[RT #26889]

1098
1099
3240.	[bug]		DNSKEY state change events could be missed. [RT #26874]

1100
1101
1102
1103
3239.	[bug]		dns_dnssec_findmatchingkeys needs to use a consistent
			timestamp. [RT #26883]

3238.	[bug]		keyrdata was not being reinitialized in
1104
1105
			lib/dns/rbtdb.c:iszonesecure. [RT#26913]

1106
1107
3237.	[bug]		dig -6 didn't work with +trace. [RT #26906]

Evan Hunt's avatar
Evan Hunt committed
1108
1109
1110
3236.	[bug]		Backed out changes #3182 and #3202, related to
			EDNS(0) fallback behavior. [RT #26416]

1111
1112
1113
1114
3235.	[func]		dns_db_diffx, a extended dns_db_diff which returns
			the generated diff and optionally writes it to a
			journal. [RT #26386]

1115
1116
3234.	[bug]		'make depend' produced invalid makefiles. [RT #26830]

1117
1118
1119
3233.	[bug]		'rndc freeze/thaw' didn't work for inline zones.
			[RT #26632]

1120
1121
1122
3232.	[bug]		Zero zone->curmaster before return in
			dns_zone_setmasterswithkeys(). [RT #26732]

Mark Andrews's avatar
Mark Andrews committed
1123
3231.	[bug]		named could fail to send a incompressible zone.
1124
1125
			[RT #26796]

Mark Andrews's avatar
[ -> ]    
Mark Andrews committed
1126
3230.	[bug]		'dig axfr' failed to properly handle a multi-message
1127
1128
			axfr with a serial of 0. [RT #26796]

1129
1130
1131
3229.	[bug]		Fix local variable to struct var assignment
			found by CLANG warning.

Mark Andrews's avatar
Mark Andrews committed
1132
1133
3228.	[tuning]	Dynamically grow symbol table to improve zone
			loading performance. [RT #26523]
1134

1135
1136
1137
3227.	[bug]		Interim fix to make WKS's use of getprotobyname()
			and getservbyname() self thread safe. [RT #26232]

1138
1139
3226.	[bug]		Address minor resource leakages. [RT #26624]

1140
1141
1142
3225.	[bug]		Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
			messages. [RT #26507]

1143
1144
3224.	[bug]		'rndc signing' argument parsing was broken. [RT #26684]

1145
1146
1147
3223.	[bug]		'task_test privilege_drop' generated false positives.
			[RT #26766]

1148
1149
1150
3222.	[cleanup]	Replace dns_journal_{get,set}_bitws with
			dns_journal_{get,set}_sourceserial. [RT #26634]

Mark Andrews's avatar
Mark Andrews committed
1151
3221.	[bug]		Fixed a potential core dump on shutdown due to
1152
1153
1154
			referencing fetch context after it's been freed.
			[RT #26720]

Mark Andrews's avatar
Mark Andrews committed
1155
1156
	--- 9.9.0b2 released ---

1157
3220.	[bug]		Change #3186 was incomplete; dns_db_rpz_findips()
Mark Andrews's avatar
Mark Andrews committed
1158
1159
			could fail to set the database version correctly,
			causing an assertion failure. [RT #26180]
1160

Mark Andrews's avatar
Mark Andrews committed
1161
1162
3219.	[bug]		Disable NOEDNS caching following a timeout.

1163
1164
1165
1166
3218.	[security]	Cache lookup could return RRSIG data associated with
			nonexistent records, leading to an assertion
			failure. [RT #26590]

1167
1168
1169
3217.	[cleanup]	Fix build problem with --disable-static. [RT #26476]

3216.	[bug]		resolver.c:validated() was not thread-safe. [RT #26478]
1170

1171
1172
3215.	[bug]		'rndc recursing' could cause a core dump. [RT #26495]

1173
1174
3214.	[func]		Add 'named -U' option to set the number of UDP
			listener threads per interface. [RT #26485]
Mark Andrews's avatar
Mark Andrews committed
1175

1176
1177
3213.	[doc]		Clarify ixfr-from-differences behavior. [RT #25188]

Mark Andrews's avatar
Mark Andrews committed
1178
1179
1180
3212.	[bug]		rbtdb.c: failed to remove a node from the deadnodes
			list prior to adding a reference to it leading a
			possible assertion failure. [RT #23219]
1181

1182
1183
1184
1185
3211.	[func]		dnssec-signzone: "-f -" prints to stdout; "-O full"
			option prints in single-line-per-record format.
			[RT #20287]

1186
1187
1188
3210.	[bug]		Canceling the oldest query due to recursive-client
			overload could trigger an assertion failure. [RT #26463]

1189
3209.	[func]		Add "dnssec-lookaside 'no'".  [RT #24858]
1190

Mark Andrews's avatar
Mark Andrews committed
1191
3208.	[bug]		'dig -y' handle unknown tsig algorithm better.
1192
1193
			[RT #25522]

1194
1195
3207.	[contrib]	Fixed build error in Berkeley DB DLZ module. [RT #26444]

1196
1197
3206.	[cleanup]	Add ISC information to log at start time. [RT #25484]

1198
3205.	[func]		Upgrade dig's defaults to better reflect modern
Mark Andrews's avatar
Mark Andrews committed
1199
			nameserver behavior.  Enable "dig +adflag" and
1200
1201
1202
			"dig +edns=0" by default.  Enable "+dnssec" when
			running "dig +trace". [RT #23497]