GitLab

			ARM documentation about RFC 5011 support. [RT #19874]

			applications.  See README.libdns. [RT #19369]

			"update-policy local;" to switch on local DDNS in a
			zone.  [RT #19875]

			maintenance.  The new "managed-keys" statement can
			be used in place of "trusted-keys" for zones which
			support this protocol.  (Note: this syntax is
			expected to change prior to 9.7.0 final.) [RT #19248]

			- add ddns-confgen command to generate
			  configuration text for named.conf
			- add zone option "ddns-autoconf yes;", which
			  causes named to generate a TSIG session key
			  and allow updates to the zone using that key
			- add '-l' (localhost) option to nsupdate, which
			  causes nsupdate to connect to a locally-running
			  named process using the session key generated
			  by named
			[RT #19284]

			65535 turns out to be reserved.  [RT #19477]

			"dnssec-lookaside auto;"  This is the equivalent
			of "dnssec-lookaside . trust-anchor dlv.isc.org;"
			plus setting a trusted-key for dlv.isc.org.

			Note: The trusted key is hard-coded into named,
			but is also stored in (and can be overridden
			by) $sysconfdir/bind.keys.  As the ISC DLV key
			rolls over it can be kept up to date by replacing
			the bind.keys file with a key downloaded from
			https://www.isc.org/solutions/dlv. [RT #18685]

                        are now /var/run/named/named.pid and
                        /var/run/lwresd/lwresd.pid respectively.

                        This allows the owner of the containing directory
                        to be set, for "named -u" support, and allows there
                        to be a permanent symbolic link in the path, for
                        "named -t" support.  [RT #18306]

			default.  It should be safe because expired cache
			entries are also purged.

                        temporary, named.conf option reserved-sockets,
                        default 512. [RT #18344]

                        'dig +nsid' requests NSID from server.
                        'request-nsid yes;' causes recursive server to send
                        NSID requests to upstream servers.  Server responds
                        to NSID requests with the string configured by
                        'server-id' option.  [RT #17091]

                        dynamic zones. [RT #1091]

back out incorrect branch rt1091 and apply correct branch rt1091a.

commit lruttl to the mainline.  A tag was set called skan_lruttl-mainline-base, and I will tag this as skan_lruttl-mainline-merge after this commit

                        SOA MNAME field to be disabled by specifying
                        'notify-to-soa yes;'.  [RT #17073]

                        if we will answer the query or recurse.
                        allow-query-on, allow-recursion-on and
                        allow-query-cache-on. [RT #16291]

                        optional. Default "try-tcp-refresh yes;" for BIND 8
                        compatibility. [RT #16123]

                        consistancy.  Default acache-enable off in BIND 9.4
                        as it requires memory usage to be configured.
                        It may be enabled by default in BIND 9.5 once we
                        have more experience with it.

                        validation.  default dnssec-validation no; to
                        be changed to yes in 9.5.0.  [RT #15674]

                        to the builtin acls "localnets" and "localhost".

                        This is being done to make caching servers less
                        attractive as reflective amplifying targets for
                        spoofed traffic.  This still leave authoritative
                        servers exposed.

                        The best fix is for full BCP 38 deployment to
                        remove spoofed traffic.

                        New zone option "update-check-ksk yes;".  [RT #15817]

                        as readonly.  Expand the use of const to enforce this
                        at compile time. [RT #15813]

                        HMACSHA512 support. [RT #13606]

                        a soa query.  Defaults "zero-no-soa-ttl yes;" and
                        "zero-no-soa-ttl-cache no;". [RT #15460]

                        512 byte receive buffer if the initial EDNS queries
                        fail.  [RT #14852]

1952.   [func]          The maximum EDNS UDP response named will send can
                        now be set in named.conf (max-udp-size).  This is
                        independent of the advertised receive buffer
                        (edns-udp-size). [RT #14852]

                        expired RRSIGs.  Default "dnssec-accept-expired no;".
                        Setting "dnssec-accept-expired yes;" leaves named
                        vulnerable to replay attacks.  [RT #14685]

                        Coverity.