GitLab

4152.   [func]          Implement DNS COOKIE option.  This replaces the
                        experimental SIT option of BIND 9.10.  The following
                        named.conf directives are available: send-cookie,
                        cookie-secret, cookie-algorithm, nocookie-udp-size
                        and require-server-cookie.  The following dig options
                        are available: +[no]cookie[=value] and +[no]badcookie.
                        [RT #39928]

                        experimental SIT option of BIND 9.10.  The following
                        named.conf directives are avaliable: send-cookie,
                        cookie-secret, cookie-algorithm and nocookie-udp-size.
                        The following dig options are available:
                        +[no]cookie[=value] and +[no]badcookie.  [RT #39928]

4131.	[bug]		Addressed further problems with reloading RPZ
			zones. [RT #39649]

4126.	[bug]		Addressed a regression introduced in change #4121.
			[RT #39611]

4120.	[bug]		A bug in RPZ could cause the server to crash if
			policy zones were updated while recursion was
			pending for RPZ processing of an active query.
			[RT #39415]

(cherry picked from commit 1d405c1412b3a2e5aafb37ea55b332914246349e)

                        method is now supported. [RT #37989]

                        the RRset level. [RT #37442]

4052.	[bug]		Fix a leak of query fetchlock. [RT #38454]

4050.	[cleanup]	Silence occasional spurious "duplicate query" log
			messages from RPZ. [RT #38510]

4039.	[cleanup]	Cleaned up warnings from gcc -Wshadow. [RT #37381]

                        [RT #37399]

- the counters weren't set correctly when fetches timed out.
  instead we now pass down a counter object.

4006.	[security]	A flaw in delegation handling could be exploited
			to put named into an infinite loop.  This has
			been addressed by placing limits on the number
			of levels of recursion named will allow (default 7),
			and the number of iterative queries that it will
			send (default 50) before terminating a recursive
			query (CVE-2014-8500).

			The recursion depth limit is configured via the
			"max-recursion-depth" option.  [RT #35780]

4000.	[bug]		NXDOMAIN redirection incorrectly handled NXRRSET
			from the redirect zone. [RT #37722]

                        don't request or use recursion. [RT #37466]

                        EDNS(1) queries (define DRAFT_ANDREWS_EDNS1 when
                        building).  Add support for limiting the EDNS version
                        advertised to servers: server { edns-version 0; };
                        Log the EDNS version received in the query log.
                        [RT #35864]

- possible use before assignment in query.c
- missing <varlistentry> in ARM

3943.	[func]		SERVFAIL responses can now be cached for a
			limited time (configured by "servfail-ttl",
			default 10 seconds, limit 30). This can reduce
			the frequency of retries when an authoritative
			server is known to be failing, e.g., due to
			ongoing DNSSEC validation problems. [RT #21347]

3937.	[func]		Added some debug logging to better indicate the
			conditions causing SERVFAILs when resolving.
			[RT #35538]

3882.	[func]		By default, negative trust anchors will be tested
			periodically to see whether data below them can be
			validated, and if so, they will be allowed to
			expire early. The "rndc nta -force" option
			overrides this behvaior.  The default NTA lifetime
			and the recheck frequency can be configured by the
			"nta-lifetime" and "nta-recheck" options. [RT #36146]