GitLab

3777.	[bug]		EDNS EXPIRE code could dump core when processing
			DLZ queries. [RT #35493]

                        in draft-andrews-dnsext-expire-00.  Retrivial of
                        remaining time to expiry from slave zones is supported.

                        EXPIRE uses an experimental option code (65002) and
                        is subject to change. [RT #35416]

                        (which are similar to DNS Cookies by Donald Eastlake)
                        and are designed to help clients detect off path
                        spoofed responses and for servers to detect legitimate
                        clients.

                        SIT use a experimental EDNS option code (65001).

                        SIT can be enabled via --enable-developer or
                        --enable-sit.  It is on by default in Windows.

                        RRL processing as been updated to know about SIT with
                        legitimate clients not being rate limited. [RT #35389]

3739.	[func]		Added per-zone stats counters to track TCP and
			UDP queries. [RT #35375]

                        for, see prefetch option for details. [RT #35041]

3698.	[cleanup]	Replaced all uses of memcpy() with memmove().
			[RT #35120]

                        ranges resulting in malformed names being generated
                        on some platforms.  This could cause INSIST failures
                        when serving NSEC3 signed zones.  [RT #35120]

                        forward only "zones" beneath them. [RT #34583]

                        qtype is SIG. [RT #34600]

3622.	[tuning]	Eliminate an unnecessary lock when incrementing
			cache statistics. [RT #34339]

3620.	[func]		Added "rpz-client-ip" policy triggers, enabling
			RPZ responses to be configured on the basis of
			the client IP address; this can be used, for
			example, to blacklist misbehaving recursive
			or stub resolvers. [RT #33605]

3619.	[bug]		Fixed a bug in RPZ with "recursive-only no;"
			[RT #33776]

3590.	[bug]		When using RRL on recursive servers, defer
			rate-limiting until after recursion is complete;
			also, use correct rcode for slipped NXDOMAIN
			responses.  [RT #33604]

3575.	[func]		Changed the logging category for RRL events from
			'queries' to 'query-errors'. [RT #33540]

3554.	[bug]		RRL failed to correctly rate-limit upward
			referrals and failed to count dropped error
			responses in the statistics. [RT #33225]

3495.	[func]		Support multiple response-policy zones, while
			improving RPZ performance. [RT #32476]

3494.	[func]		DNS RRL: Blunt the impact of DNS reflection and
			amplification attacks by rate-limiting substantially-
			identical responses. [RT #28130]

3468.	[security]	RPZ rules to generate A records (but not AAAA records)
			could trigger an assertion failure when used in
			conjunction with DNS64. [RT #32141]

                        set. [RT #32237]

3448.	[bug]		The allow-query-on ACL was not processed correctly.
			[RT #29486]

3434.   [bug]           Pass client info to the DLZ findzone() entry
                        point in addition to lookup().  This makes it
                        possible for a database to answer differently
                        whether it's authoritative for a name depending
                        on the address of the client.  [RT #31775]

3432.	[func]		Multiple DLZ databases can now be configured.
			DLZ databases are searched in the order configured,
			unless set to "search no", in which case a
			zone can be configured to be retrieved from a
			particular DLZ database by using a "dlz <name>"
			option in the zone statement.  DLZ databases can
			support type "master" and "redirect" zones.
			[RT #27597]

			adds query type statistics at the zone level, and
			flattens the XML tree and uses compressed format to
			optimize parsing. Includes new XSL that permits
			charting via the Google Charts API on browsers that
			support javascript in XSL.  The old XML schema has been
			deprecated. [RT #30023]

3417.	[placeholder]