3452.	[bug]		Accept duplicate singleton records. [RT #32329]

3451.	[port]		Increase per thread stack size from 64K to 1M.
			[RT #32230]

3450.	[bug]		Stop logfileconfig system test spam system logs.
			[RT #32315]

3449.	[bug]		gen.c: use the pre-processor to construct format
			strings so that compiler can perform sanity checks;
			check the snprintf results. [RT #17576]

3448.	[bug]		The allow-query-on ACL was not processed correctly.
			[RT #29486]

3447.	[port]		Add support for libxml2-2.9.x [RT #32231]

3446.	[port]		win32: Add source ID (see change #3400) to build.
			[RT #31683]

3445.	[bug]		Warn about zone files with blank owner names
			immediately after $ORIGIN directives. [RT #31848]

3444.	[bug]		The NOQNAME proof was not being returned from cached
			insecure responses. [RT #21409]

3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
			rejected when generating keys. [RT #31927]

3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
			change. [RT #32216]

3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.

3440.	[bug]		Reorder get_key_struct to not trigger an assertion when
			cleaning up due to out of memory error. [RT #32131]

3439.	[placeholder]

3438.	[bug]		Don't accept unknown data escape in quotes. [RT #32031]

3437.	[bug]		isc_buffer_init -> isc_buffer_constinit to initialise
			buffers with constant data. [RT #32064]

3436.	[bug]		Check malloc/calloc return values. [RT #32088]

3435.	[bug]		Cross compilation support in configure was broken.
			[RT #32078]

3434.	[bug]		Pass client info to the DLZ findzone() entry
			point in addition to lookup().  This makes it
			possible for a database to answer differently
			whether it's authoritative for a name depending
			on the address of the client.  [RT #31775]

3433.	[bug]		dlz_findzone() did not correctly handle
			ISC_R_NOMORE. [RT #31172]

3432.	[func]		Multiple DLZ databases can now be configured.
			DLZ databases are searched in the order configured,
			unless set to "search no", in which case a
			zone can be configured to be retrieved from a
			particular DLZ database by using a "dlz <name>"
			option in the zone statement.  DLZ databases can
			support type "master" and "redirect" zones.
			[RT #27597]

3431.	[bug]		ddns-confgen: Some valid key algorithms were
			not accepted. [RT #31927]

3430.	[bug]		win32: isc_time_formatISO8601 was missing the
			'T' between the date and time. [RT #32044]

3429.	[bug]		dns_zone_getserial2 could return success without
			returning a valid serial. [RT #32007]

3428.	[cleanup]	dig: Add timezone to date output. [RT #2269]

3427.	[bug]		dig +trace incorrectly displayed name server 
			addresses instead of names. [RT #31641]

3426.	[bug]		dnssec-checkds: Clearer output when records are not
			found. [RT #31968]

3425.	[bug]		"acacheentry" reference counting was broken resulting
			in use after free. [RT #31908]

3424.	[func]		dnssec-dsfromkey now emits the hash without spaces.
			[RT #31951]

3423.	[bug]		"rndc signing -nsec3param" didn't accept the full
			range of possible values.  Address portability issues.
			[RT #31938]

3422.	[bug]		Added a clear error message for when the SOA does not 
			match the referral. [RT #31281]

3421.	[bug]		Named loops when re-signing if all keys are offline.
			[RT #31916]

3420.	[bug]		Address VPATH compilation issues. [RT #31879]

3419.	[bug]		Memory leak on validation cancel. [RT #31869]

3418.   [func]          New XML schema (version 3.0) for the statistics channel 
			adds query type statistics at the zone level, and 
			flattens the XML tree and uses compressed format to 
			optimize parsing. Includes new XSL that permits 
			charting via the Google Charts API on browsers that 
			support javascript in XSL.  The old XML schema has been 
			deprecated. [RT #30023]

3417.   [placeholder]

3416.	[bug]		Named could die on shutdown if running with 128 UDP
			dispatches per interface. [RT #31743]

3415.	[bug]		named could die with a REQUIRE failure if a validation
			was canceled. [RT #31804]

3414.	[bug]		Address locking issues found by Coverity. [RT #31626]

3413.	[func]		Record the number of DNS64 AAAA RRsets that have been
			synthesized. [RT #27636]

3412.	[bug]		Copy timeval structure from control message data.
			[RT #31548]

3411.	[tuning]	Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
			to UDP. [RT #31690]

3410.	[bug]		Addressed Coverity warnings. [RT #31626]

3409.	[contrib]	contrib/dane/mkdane.sh: Tool to generate TLSA RR's
			from X.509 certificates, for use with DANE
			(DNS-based Authentication of Named Entities).
			[RT #30513]

3408.	[bug]		Some DNSSEC-related options (update-check-ksk,
			dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
			are now legal in slave zones as long as
			inline-signing is in use. [RT #31078]

3407.	[placeholder]

3406.	[bug]		mem.c: Fix compilation errors when building with
			ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
			Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]

3405.	[bug]		Handle time going backwards in acache. [RT #31253]

3404.	[bug]		dnssec-signzone: When re-signing a zone, remove
			RRSIG and NSEC records from nodes that used to be
			in-zone but are now below a zone cut. [RT #31556]

3403.	[bug]		Silence noisy OpenSSL logging. [RT #31497]

3402.	[test]		The IPv6 interface numbers used for system
			tests were incorrect on some platforms. [RT #25085]

3401.	[bug]		Addressed Coverity warnings. [RT #31484]

3400.	[cleanup]	"named -V" can now report a source ID string, defined
			in the "srcid" file in the build tree and normally set
			to the most recent git hash.  [RT #31494]

3399.	[port]		netbsd: rename 'bool' parameter to avoid namespace
			clash.  [RT #31515]

3398.	[bug]		SOA parameters were not being updated with inline
			signed zones if the zone was modified while the
			server was offline. [RT #29272]

3397.	[bug]		dig crashed when using +nssearch with +tcp. [RT #25298]

3396.	[bug]		OPT records were incorrectly removed from signed,
			truncated responses. [RT #31439]

3395.	[protocol]	Add RFC 6598 reverse zones to built in empty zones
			list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
			[RT #31336]

3394.	[bug]		Adjust 'successfully validated after lower casing
			signer' log level and category. [RT #31414]

3393.	[bug]		'host -C' could core dump if REFUSED was received.
			[RT #31381]

3392.	[func]		Keep statistics on REFUSED responses. [RT #31412]

3391.	[bug]		A DNSKEY lookup that encountered a CNAME failed.
			[RT #31262]

3390.	[bug]		Silence clang compiler warnings. [RT #30417]

3389.	[bug]		Always return NOERROR (not 0) in TSIG. [RT #31275]

3388.	[bug]		Fixed several Coverity warnings. [RT #30996]

3387.	[func]		DS digest can be disabled at runtime with
			disable-ds-digests. [RT #21581]

3386.	[bug]		Address locking violation when generating new NSEC /
			NSEC3 chains. [RT #31224]

3385.	[bug]		named-checkconf didn't detect missing master lists
			in also-notify clauses. [RT #30810]

3384.	[bug]		Improved logging of crypto errors. [RT #30963]

3383.	[security]	A certain combination of records in the RBT could
			cause named to hang while populating the additional
			section of a response. [RT #31090]

3382.	[bug]		SOA query from slave used use-v6-udp-ports range,
			if set, regardless of the address family in use.
			[RT #24173]

3381.	[contrib]	Update queryperf to support more RR types.
			[RT #30762]

3380.	[bug]		named could die if a non-existent master list was
			referenced in an also-notify. [RT #31004]

3379.	[bug]		isc_interval_zero and isc_time_epoch should be
			"const (type)* const". [RT #31069]

3378.	[bug]		Handle missing 'managed-keys-directory' better.
			[RT #30625]

3377.	[bug]		Removed spurious newline from NSEC3 multiline
			output. [RT #31044]

3376.	[bug]		Lack of EDNS support was being recorded without a
			successful response. [RT #30811]

3375.	[bug]		'rndc dumpdb' failed on empty caches. [RT #30808]

3374.	[bug]		isc_parse_uint32 failed to return a range error on
			systems with 64 bit longs. [RT #30232]

3373.	[bug]		win32: open raw files in binary mode. [RT #30944]

3372.	[bug]		Silence spurious "deleted from unreachable cache"
			messages.  [RT #30501]

3371.	[bug]		AD=1 should behave like DO=1 when deciding whether to
			add NS RRsets to the additional section or not.
			[RT #30479]

3370.	[bug]		Address use after free while shutting down. [RT #30241]

3369.	[bug]		nsupdate terminated unexpectedly in interactive mode
			if built with readline support. [RT #29550]

3368.	[bug]		<dns/iptable.h>, <dns/private.h> and <dns/zone.h>
			were not C++ safe.

3367.	[bug]		dns_dnsseckey_create() result was not being checked.
			[RT #30685]

3366.	[bug]		Fixed Read-After-Write dependency violation for IA64
			atomic operations. [RT #25181]

3365.	[bug]		Removed spurious newlines from log messages in
			zone.c [RT #30675]

3364.	[security]	Named could die on specially crafted record.
			[RT #30416]

3363.	[bug]		Need to allow "forward" and "forwarders" options
			in static-stub zones; this had been overlooked.
			[RT #30482]

3362.	[bug]		Setting some option values to 0 in named.conf
			could trigger an assertion failure on startup.
			[RT #27730]

3361.	[bug]		"rndc signing -nsec3param" didn't work correctly
			when salt was set to '-' (no salt). [RT #30099]

3360.	[bug]		'host -w' could die.  [RT #18723]

3359.	[bug]		An improperly-formed TSIG secret could cause a
			memory leak. [RT #30607]

3358.	[placeholder]

3357.	[port]		Add support for libxml2-2.8.x [RT #30440]

3356.	[bug]		Cap the TTL of signed RRsets when RRSIGs are
			approaching their expiry, so they don't remain
			in caches after expiry. [RT #26429]

3355.	[port]		Use more portable awk in verify system test.

3354.	[func]		Improve OpenSSL error logging. [RT #29932]

3353.	[bug]		Use a single task for task exclusive operations.
			[RT #29872]

3352.	[bug]		Ensure that learned server attributes time out of the
			adb cache. [RT #29856]

3351.	[bug]		isc_mem_put and isc_mem_putanddetach didn't report
			caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
			memory debugging flags are set. [RT #30243]

3350.	[bug]		Memory read overrun in isc___mem_reallocate if
			ISC_MEM_DEBUGCTX memory debugging flag is set.
			[RT #30240]

3349.	[bug]		Change #3345 was incomplete. [RT #30233]

3348.	[bug]		Prevent RRSIG data from being cached if a negative
			record matching the covering type exists at a higher
			trust level. Such data already can't be retrieved from
			the cache since change 3218 -- this prevents it
			being inserted into the cache as well. [RT #26809]

3347.	[bug]		dnssec-settime: Issue a warning when writing a new
			private key file would cause a change in the
			permissions of the existing file. [RT #27724]

3346.	[security]	Bad-cache data could be used before it was
			initialized, causing an assert. [RT #30025]

3345.	[bug]		Addressed race condition when removing the last item
			or inserting the first item in an ISC_QUEUE.
			[RT #29539]

3344.	[func]		New "dnssec-checkds" command checks a zone to
			determine which DS records should be published
			in the parent zone, or which DLV records should be
			published in a DLV zone, and queries the DNS to
			ensure that it exists. (Note: This tool depends
			on python; it will not be built or installed on
			systems that do not have a python interpreter.)
			[RT #28099]

3343.	[placeholder]

3342.	[bug]		Change #3314 broke saving of stub zones to disk
			resulting in excessive cpu usage in some cases.
			[RT #29952]

3341.	[func]		New "dnssec-verify" command checks a signed zone
			to ensure correctness of signatures and of NSEC/NSEC3
			chains. [RT #23673]

3340.	[func]		Added new 'fast' zone file format, which is an image
			of a zone database that can be loaded directly into
			memory via mmap(), allowing much faster zone loading.
			(Note: Because of pointer sizes and other
			considerations, this file format is platform-dependent;
			'fast' zone files cannot always be transferred from one
			server to another.) [RT #25419]

3339.	[func]		Allow the maximum supported rsa exponent size to be
			specified: "max-rsa-exponent-size <value>;" [RT #29228]

3338.	[bug]		Address race condition in unit tests: asyncload_zone
			and asyncload_zt. [RT #26100]

3337.	[bug]		Change #3294 broke support for the multiple keys
			in controls. [RT #29694]

3336.	[func]		Maintain statistics for RRsets tagged as "stale".
			[RT #29514]

3335.	[func]		nslookup: return a nonzero exit code when unable
			to get an answer. [RT #29492]

3334.	[bug]		Hold a zone table reference while performing an
			asynchronous load of a zone. [RT #28326]

3333.	[bug]		Setting resolver-query-timeout too low can cause
			named to not recover if it loses connectivity.
			[RT #29623]

3332.	[bug]		Re-use cached DS rrsets if possible. [RT #29446]

3331.	[security]	dns_rdataslab_fromrdataset could produce bad
			rdataslabs. [RT #29644]

3330.	[func]		Fix missing signatures on NOERROR results despite
			RPZ rewriting.  Also
			 - add optional "recursive-only yes|no" to the
			   response-policy statement
			 - add optional "max-policy-ttl" to the response-policy
			    statement to limit the false data that
			    "recursive-only no" can introduce into
			    resolvers' caches
			 - add a RPZ performance test to bin/tests/system/rpz
			     when queryperf is available.
			 - the encoding of PASSTHRU action to "rpz-passthru".
			     (The old encoding is still accepted.)
		       [RT #26172]


3329.	[bug]		Handle RRSIG signer-name case consistently: We
			generate RRSIG records with the signer-name in
			lower case.  We accept them with any case, but if
			they fail to validate, we try again in lower case.
			[RT #27451]

3328.	[bug]		Fixed inconsistent data checking in dst_parse.c.
			[RT #29401]

3327.	[func]		Added 'filter-aaaa-on-v6' option; this is similar
			to 'filter-aaaa-on-v4' but applies to IPv6
			connections.  (Use "configure --enable-filter-aaaa"
			to enable this option.)  [RT #27308]

3326.	[func]		Added task list statistics: task model, worker
			threads, quantum, tasks running, tasks ready.
			[RT #27678]

3325.	[func]		Report cache statistics: memory use, number of
			nodes, number of hash buckets, hit and miss counts.
			[RT #27056]

3324.	[test]		Add better tests for ADB stats [RT #27057]

3323.	[func]		Report the number of buckets the resolver is using.
			[RT #27020]

3322.	[func]		Monitor the number of active TCP and UDP dispatches.
			[RT #27055]

3321.	[func]		Monitor the number of recursive fetches and the
			number of open sockets, and report these values in
			the statistics channel. [RT #27054]

3320.	[func]		Added support for monitoring of recursing client
			count. [RT #27009]

3319.	[func]		Added support for monitoring of ADB entry count and
			hash size. [RT #27057]

3318.	[tuning]	Reduce the amount of work performed while holding a
			bucket lock when finished with a fetch context.
			[RT #29239]

3317.	[func]		Add ECDSA support (RFC 6605). [RT #21918]

3316.	[tuning]	Improved locking performance when recursing.
			[RT #28836]

3315.	[tuning]	Use multiple dispatch objects for sending upstream
			queries; this can improve performance on busy
			multiprocessor systems by reducing lock contention.
			[RT #28605]

3314.	[bug]		The masters list could be updated while refresh_callback
			and stub_callback were using it. [RT #26732]

3313.	[protocol]	Add TLSA record type. [RT #28989]

3312.	[bug]		named-checkconf didn't detect a bad dns64 clients acl.
			[RT #27631]

3311.	[bug]		Abort the zone dump if zone->db is NULL in
			zone.c:zone_gotwritehandle. [RT #29028]

3310.	[test]		Increase table size for mutex profiling. [RT #28809]

3309.	[bug]		resolver.c:fctx_finddone() was not threadsafe.
			[RT #27995]

3308.	[placeholder]

3307.	[bug]		Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
			[RT #28956]

3306.	[bug]		Improve DNS64 reverse zone performance. [RT #28563]

3305.	[func]		Add wire format lookup method to sdb. [RT #28563]

3304.	[bug]		Use hmctx, not mctx when freeing rbtdb->heaps.
			[RT #28571]

3303.	[bug]		named could die when reloading. [RT #28606]

3302.	[bug]		dns_dnssec_findmatchingkeys could fail to find
			keys if the zone name contained characters that
			required special mappings. [RT #28600]

3301.	[contrib]	Update queryperf to build on darwin.  Add -R flag
			for non-recursive queries. [RT #28565]

3300.	[bug]		Named could die if gssapi was enabled in named.conf
			but was not compiled in. [RT #28338]

3299.	[bug]		Make SDB handle errors from database drivers better.
			[RT #28534]

3298.	[bug]		Named could dereference a NULL pointer in
			zmgr_start_xfrin_ifquota if the zone was being removed.
			[RT #28419]

3297.	[bug]		Named could die on a malformed master file. [RT #28467]

3296.	[bug]		Named could die with an INSIST failure in
			client.c:exit_check. [RT #28346]

3295.	[bug]		Adjust isc_time_secondsastimet range check to be more
			portable. [RT #26542]

3294.	[bug]		isccc/cc.c:table_fromwire failed to free alist on
			error. [RT #28265]

3293.	[func]		nsupdate: list supported type. [RT #28261]

3292.	[func]		Log messages in the axfr stream at debug 10.
			[RT #28040]

3291.	[port]		Fixed a build error on systems without ENOTSUP.
			[RT #28200]

3290.	[bug]		<isc/hmacsha.h> was not being installed. [RT #28169]

3289.	[bug]		'rndc retransfer' failed for inline zones. [RT #28036]

3288.	[bug]		dlz_destroy() function wasn't correctly registered
			by the DLZ dlopen driver. [RT #28056]

3287.	[port]		Update ans.pl to work with Net::DNS 0.68. [RT #28028]

3286.	[bug]		Managed key maintenance timer could fail to start
			after 'rndc reconfig'. [RT #26786]

3285.	[bug]		val-frdataset was incorrectly disassociated in
			proveunsecure after calling startfinddlvsep.
			[RT #27928]

3284.	[bug]		Address race conditions with the handling of
			rbtnode.deadlink. [RT #27738]

3283.	[bug]		Raw zones with more than 512 records in a RRset
			failed to load. [RT #27863]

3282.	[bug]		Restrict the TTL of NS RRset to no more than that
			of the old NS RRset when replacing it.
			[RT #27792] [RT #27884]

3281.	[bug]		SOA refresh queries could be treated as cancelled
			despite succeeding over the loopback interface.
			[RT #27782]

3280.	[bug]		Potential double free of a rdataset on out of memory
			with DNS64. [RT #27762]

3279.	[bug]		Hold an internal reference to the zone while performing
			an asynchronous load.  Address potential memory leak
			if the asynchronous is cancelled. [RT #27750]

3278.	[bug]		Make sure automatic key maintenance is started
			when "auto-dnssec maintain" is turned on during
			"rndc reconfig". [RT #26805]

3277.	[bug]		win32: isc_socket_dup is not implemented. [RT #27696]

3276.	[bug]		win32: ns_os_openfile failed to return NULL on
			safe_open failure. [RT #27696]

3275.	[bug]		Corrected rndc -h output; the 'rndc sync -clean'
			option had been misspelled as '-clear'.  (To avoid
			future confusion, both options now work.) [RT #27173]

3274.	[placeholder]

3273.	[bug]		AAAA responses could be returned in the additional
			section even when filter-aaaa-on-v4 was in use.
			[RT #27292]

3272.	[func]		New "rndc zonestatus" command prints information
			about the specified zone. [RT #21671]

3271.	[port]		darwin: mksymtbl is not always stable, loop several
			times before giving up.  mksymtbl was using non
			portable perl to convert 64 bit hex strings. [RT #27653]

	--- 9.9.0rc2 released ---

3270.	[bug]		"rndc reload" didn't reuse existing zones correctly
			when inline-signing was in use. [RT #27650]

3269.	[port]		darwin 11 and later now built threaded by default.

3268.	[bug]		Convert RRSIG expiry times to 64 timestamps to work
			out the earliest expiry time. [RT #23311]

3267.	[bug]		Memory allocation failures could be mis-reported as
			unexpected error.  New ISC_R_UNSET result code.
			[RT #27336]

3266.	[bug]		The maximum number of NSEC3 iterations for a
			DNSKEY RRset was not being properly computed.
			[RT #26543]

3265.	[bug]		Corrected a problem with lock ordering in the
			inline-signing code. [RT #27557]

3264.	[bug]		Automatic regeneration of signatures in an
			inline-signing zone could stall when the server
			was restarted. [RT #27344]

3263.	[bug]		"rndc sync" did not affect the unsigned side of an
			inline-signing zone. [RT #27337]

3262.	[bug]		Signed responses were handled incorrectly by RPZ.
			[RT #27316]

3261.	[func]		RRset ordering now defaults to random. [RT #27174]

3260.	[bug]		"rrset-order cyclic" could appear not to rotate
			for some query patterns.  [RT #27170/27185]

	--- 9.9.0rc1 released ---

3259.	[bug]		named-compilezone: Suppress "dump zone to <file>"
			message when writing to stdout. [RT #27109]

3258.	[test]		Add "forcing full sign with unreadable keys" test.
			[RT #27153]

3257.	[bug]		Do not generate an error message when calling fsync()
			in a pipe or socket. [RT #27109]

3256.	[bug]		Disable empty zones for lwresd -C. [RT #27139]

3255.	[func]		No longer require that a empty zones be explicitly
			enabled or that a empty zone is disabled for
			RFC 1918 empty zones to be configured. [RT #27139]

3254.	[bug]		Set isc_socket_ipv6only() on the IPv6 control channels.
			[RT #22249]

3253.	[bug]		Return DNS_R_SYNTAX when the input to a text field is
			too long. [RT #26956]

3252.	[bug]		When master zones using inline-signing were
			updated while the server was offline, the source
			zone could fall out of sync with the signed
			copy. They can now resynchronize. [RT #26676]

3251.	[bug]		Enforce an upper bound (65535 bytes) on the amount of
			memory dns_sdlz_putrr() can allocate per record to
			prevent runaway memory consumption on ISC_R_NOSPACE.
			[RT #26956]

3250.	[func]		'configure --enable-developer'; turn on various
			configure options, normally off by default, that
			we want developers to build and test with. [RT #27103]

3249.	[bug]		Update log message when saving slave zones files for
			analysis after load failures. [RT #27087]

3248.	[bug]		Configure options --enable-fixed-rrset and
			--enable-exportlib were incompatible with each
			other. [RT #27087]

3247.	[bug]		'raw' format zones failed to preserve load order
			breaking 'fixed' sort order. [RT #27087]

3246.	[bug]		Named failed to start with an empty also-notify list.
			[RT #27087]

3245.	[bug]		Don't report a error unchanged serials unless there
			were other changes when thawing a zone with
			ixfr-fromdifferences. [RT #26845]

3244.	[func]		Added readline support to nslookup and nsupdate.
			Also simplified nsupdate syntax to make "update"
			and "prereq" optional. [RT #24659]

3243.	[port]		freebsd,netbsd,bsdi: the thread defaults were not
			being properly set.

3242.	[func]		Extended the header of raw-format master files to
			include the serial number of the zone from which
			they were generated, if different (as in the case
			of inline-signing zones).  This is to be used in
			inline-signing zones, to track changes between the
			unsigned and signed versions of the zone, which may
			have different serial numbers.

			(Note: raw zonefiles generated by this version of
			BIND are no longer compatible with prior versions.
			To generate a backward-compatible raw zonefile
			using dnssec-signzone or named-compilezone, specify
			output format "raw=0" instead of simply "raw".)
			[RT #26587]

3241.	[bug]		Address race conditions in the resolver code.
			[RT #26889]

3240.	[bug]		DNSKEY state change events could be missed. [RT #26874]

3239.	[bug]		dns_dnssec_findmatchingkeys needs to use a consistent
			timestamp. [RT #26883]

3238.	[bug]		keyrdata was not being reinitialized in
			lib/dns/rbtdb.c:iszonesecure. [RT #26913]

3237.	[bug]		dig -6 didn't work with +trace. [RT #26906]

3236.	[bug]		Backed out changes #3182 and #3202, related to
			EDNS(0) fallback behavior. [RT #26416]

3235.	[func]		dns_db_diffx, an extended dns_db_diff which returns
			the generated diff and optionally writes it to a
			journal. [RT #26386]

3234.	[bug]		'make depend' produced invalid makefiles. [RT #26830]

3233.	[bug]		'rndc freeze/thaw' didn't work for inline zones.
			[RT #26632]

3232.	[bug]		Zero zone->curmaster before return in
			dns_zone_setmasterswithkeys(). [RT #26732]

3231.	[bug]		named could fail to send an uncompressible zone.
			[RT #26796]

3230.	[bug]		'dig axfr' failed to properly handle a multi-message
			axfr with a serial of 0. [RT #26796]

3229.	[bug]		Fix local variable to struct var assignment
			found by CLANG warning.

3228.	[tuning]	Dynamically grow symbol table to improve zone
			loading performance. [RT #26523]

3227.	[bug]		Interim fix to make WKS's use of getprotobyname()
			and getservbyname() self thread safe. [RT #26232]

3226.	[bug]		Address minor resource leakages. [RT #26624]

3225.	[bug]		Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
			messages. [RT #26507]

3224.	[bug]		'rndc signing' argument parsing was broken. [RT #26684]

3223.	[bug]		'task_test privilege_drop' generated false positives.
			[RT #26766]

3222.	[cleanup]	Replace dns_journal_{get,set}_bitws with
			dns_journal_{get,set}_sourceserial. [RT #26634]

3221.	[bug]		Fixed a potential coredump on shutdown due to
			referencing fetch context after it's been freed.
			[RT #26720]

	--- 9.9.0b2 released ---

3220.	[bug]		Change #3186 was incomplete; dns_db_rpz_findips()
			could fail to set the database version correctly,
			causing an assertion failure. [RT #26180]

3219.	[bug]		Disable NOEDNS caching following a timeout.

3218.	[security]	Cache lookup could return RRSIG data associated with
			nonexistent records, leading to an assertion
			failure. [RT #26590]

3217.	[cleanup]	Fix build problem with --disable-static. [RT #26476]

3216.	[bug]		resolver.c:validated() was not thread-safe. [RT #26478]

3215.	[bug]		'rndc recursing' could cause a core dump. [RT #26495]

3214.	[func]		Add 'named -U' option to set the number of UDP
			listener threads per interface. [RT #26485]

3213.	[doc]		Clarify ixfr-from-differences behavior. [RT #25188]

3212.	[bug]		rbtdb.c: failed to remove a node from the deadnodes
			list prior to adding a reference to it, leading to a
			possible assertion failure. [RT #23219]

3211.	[func]		dnssec-signzone: "-f -" prints to stdout; "-O full"
			option prints in single-line-per-record format.
			[RT #20287]

3210.	[bug]		Canceling the oldest query due to recursive-client
			overload could trigger an assertion failure. [RT #26463]

3209.	[func]		Add "dnssec-lookaside 'no'".  [RT #24858]

3208.	[bug]		'dig -y' handle unknown tsig algorithm better.
			[RT #25522]

3207.	[contrib]	Fixed build error in Berkeley DB DLZ module. [RT #26444]

3206.	[cleanup]	Add ISC information to log at start time. [RT #25484]

3205.	[func]		Upgrade dig's defaults to better reflect modern
			nameserver behaviour.  Enable "dig +adflag" and
			"dig +edns=0" by default.  Enable "+dnssec" when
			running "dig +trace". [RT #23497]

3204.	[bug]		When a master server that has been marked as
			unreachable sends a NOTIFY, mark it reachable
			again. [RT #25960]

3203.	[bug]		Increase log level to 'info' for validation failures
			from expired or not-yet-valid RRSIGs. [RT #21796]

3202.	[bug]		NOEDNS caching on timeout was too aggressive.
			[RT #26416]

3201.	[func]		'rndc querylog' can now be given an on/off parameter
			instead of only being used as a toggle. [RT #18351]

3200.	[doc]		Some rndc functions were undocumented or were
			missing from 'rndc -h' output. [RT #25555]

3199.	[func]		When logging client information, include the name
			being queried. [RT #25944]

3198.	[doc]		Clarified that dnssec-settime can alter keyfile
			permissions. [RT #24866]

3197.	[bug]		Don't try to log the filename and line number when
			the config parser can't open a file. [RT #22263]

3196.	[bug]		nsupdate: return nonzero exit code when target zone
			doesn't exist. [RT #25783]

3195.	[cleanup]	Silence "file not found" warnings when loading
			managed-keys zone. [RT #26340]

3194.	[doc]		Updated RFC references in the 'empty-zones-enable'
			documentation. [RT #25203]

3193.	[cleanup]	Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
			dnssec.h. [RT #26415]

3192.	[bug]		A query structure could be used after being freed.
			[RT #22208]

3191.	[bug]		Print NULL records using "unknown" format. [RT #26392]

3190.	[bug]		Underflow in error handling in isc_mutexblock_init.
			[RT #26397]

3189.	[test]		Added a summary report after system tests. [RT #25517]

3188.	[bug]		zone.c:zone_refreshkeys() could fail to detach
			references correctly when errors occurred, causing
			a hang on shutdown. [RT #26372]

3187.	[port]		win32: support for Visual Studio 2008.  [RT #26356]

	--- 9.9.0b1 released ---

3186.	[bug]		Version/db mis-match in rpz code. [RT #26180]

3185.	[func]		New 'rndc signing' option for auto-dnssec zones:
			 - 'rndc signing -list' displays the current
			   state of signing operations
			 - 'rndc signing -clear' clears the signing state
			   records for keys that have fully signed the zone
			 - 'rndc signing -nsec3param' sets the NSEC3
			   parameters for the zone
			The 'rndc keydone' syntax is removed. [RT #23729]

3184.	[bug]		named had excessive cpu usage when a redirect zone was
			configured. [RT #26013]

3183.	[bug]		Added RTLD_GLOBAL flag to dlopen call. [RT #26301]

3182.	[bug]		Auth servers behind firewalls which block packets
			greater than 512 bytes may cause other servers to
			perform poorly. Now, adb retains edns information
			and caches noedns servers. [RT #23392/24964]

3181.	[func]		Inline-signing is now supported for master zones.
			[RT #26224]

3180.	[func]		Local copies of slave zones are now saved in raw
			format by default, to improve startup performance.
			'masterfile-format text;' can be used to override
			the default, if desired. [RT #25867]

3179.	[port]		kfreebsd: build issues. [RT #26273]

3178.	[bug]		A race condition introduced by change #3163 could
			cause an assertion failure on shutdown. [RT #26271]

3177.	[func]		'rndc keydone', remove the indicator record that
			named has finished signing the zone with the
			corresponding key.  [RT #26206]

3176.	[doc]		Corrected example code and added a README to the
			sample external DLZ module in contrib/dlz/example.
			[RT #26215]

3175.	[bug]		Fix how DNSSEC positive wildcard responses from an
			NSEC3 signed zone are validated.  Stop sending an
			unnecessary NSEC3 record when generating such
			responses. [RT #26200]

3174.	[bug]		Always compute the revoked key tag from scratch.
			[RT #26186]

3173.	[port]		Correctly validate root DS responses. [RT #25726]

3172.	[port]		darwin 10.* and freebsd [89] are now built threaded by
			default.

3171.	[bug]		Exclusively lock the task when adding a zone using
			'rndc addzone'.  [RT #25600]

	--- 9.9.0a3 released ---

3170.	[func]		RPZ update:
			- fix precedence among competing rules
			- improve ARM text including documenting rule precedence
			- try to rewrite CNAME chains until first hit
			- new "rpz" logging channel
			- RDATA for CNAME rules can include wildcards
			- replace "NO-OP" named.conf policy override with
			  "PASSTHRU" and add "DISABLED" override ("NO-OP"
			  is still recognized)
			[RT #25172]

3169.	[func]		Catch db/version mis-matches when calling dns_db_*().
			[RT #26017]

3168.	[bug]		Nxdomain redirection could trigger an assert with
			an ANY query. [RT #26017]

3167.	[bug]		Negative answers from forwarders were not being
			correctly tagged making them appear to not be cached.
			[RT #25380]

3166.	[bug]		Upgrading a zone to support inline-signing failed.
			[RT #26014]

3165.	[bug]		dnssec-signzone could generate new signatures when
			resigning, even when valid signatures were already
			present. [RT #26025]

3164.	[func]		Enable DLZ modules to retrieve client information,
			so that responses can be changed depending on the
			source address of the query. [RT #25768]

3163.	[bug]		Use finer-grained locking in client.c to address
			concurrency problems with large numbers of threads.
			[RT #26044]

3162.	[test]		start.pl: modified to allow for "named.args" in
			ns*/ subdirectory to override stock arguments to
			named. Largely from RT#26044, but no separate ticket.

3161.	[bug]		zone.c:del_sigs failed to always reset rdata, leading
			to assertion failures. [RT #25880]

3160.	[bug]		When printing out an NSEC3 record in multiline form
			the newline was not being printed causing type codes
			to be run together. [RT #25873]

3159.	[bug]		On some platforms, named could assert on startup
			when running in a chrooted environment without
			/proc. [RT #25863]

3158.	[bug]		Recursive servers would prefer a particular UDP
			socket instead of using all available sockets.
			[RT #26038]

3157.	[tuning]	Reduce the time spent in "rndc reconfig" by parsing
			the config file before pausing the server. [RT #21373]

3156.	[placeholder]

	--- 9.9.0a2 released ---

3155.	[bug]		Fixed a build failure when using contrib DLZ
			drivers (e.g., mysql, postgresql, etc). [RT #25710]

3154.	[bug]		Attempting to print an empty rdataset could trigger
			an assert. [RT #25452]

3153.	[func]		Extend request-ixfr to zone level and remove the
			side effect of forcing an AXFR. [RT #25156]

3152.	[cleanup]	Some versions of gcc and clang failed due to
			incorrect use of __builtin_expect. [RT #25183]

3151.	[bug]		Queries for type RRSIG or SIG could be handled
			incorrectly.  [RT #21050]

3150.	[func]		Improved startup and reconfiguration time by
			enabling zones to load in multiple threads. [RT #25333]

3149.	[placeholder]

3148.	[bug]		Processing of normal queries could be stalled when
			forwarding an UPDATE message. [RT #24711]

3147.	[func]		Initial inline signing support.  [RT #23657]

	--- 9.9.0a1 released ---

3146.	[test]		Fixed gcc4.6.0 errors in ATF. [RT #25598]

3145.	[test]		Capture output of ATF unit tests in "./atf.out" if
			there were any errors while running them. [RT #25527]

3144.	[bug]		dns_dbiterator_seek() could trigger an assert when
			used with a nonexistent database node. [RT #25358]

3143.	[bug]		Silence clang compiler warnings. [RT #25174]

3142.	[bug]		NAPTR is class agnostic. [RT #25429]

3141.	[bug]		Silence spurious "zone serial (0) unchanged" messages
			associated with empty zones. [RT #25079]

3140.	[func]		New command "rndc flushtree <name>" clears the
			specified name from the server cache along with
			all names under it. [RT #19970]

3139.	[test]		Added tests from RFC 6234, RFC 2202, and RFC 1321
			for the hashing algorithms (md5, sha1 - sha512, and
			their hmac counterparts).  [RT #25067]

3138.	[bug]		Address memory leaks and out-of-order operations when
			shutting named down. [RT #25210]

3137.	[func]		Improve hardware scalability by allowing multiple
			worker threads to process incoming UDP packets.
			This can significantly increase query throughput
			on some systems.  [RT #22992]

3136.	[func]		Add RFC 1918 reverse zones to the list of built-in
			empty zones switched on by the 'empty-zones-enable'
			option. [RT #24990]

3135.	[port]		FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
			See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
			[RT #24950]

3134.	[bug]		Improve the accuracy of dnssec-signzone's signing
			statistics. [RT #16030]

3133.	[bug]		Change #3114 was incomplete. [RT #24577]

3132.	[placeholder]

3131.	[tuning]	Improve scalability by allocating one zone task
			per 100 zones at startup time, rather than using a
			fixed-size task table. [RT #24406]

3130.	[func]		Support alternate methods for managing a dynamic
			zone's serial number.  Two methods are currently
			defined using serial-update-method, "increment"
			(default) and "unixtime".  [RT #23849]

3129.	[bug]		Named could crash on 'rndc reconfig' when
			allow-new-zones was set to yes and named ACLs
			were used. [RT #22739]

3128.	[func]		Inserting an NSEC3PARAM via dynamic update in an
			auto-dnssec zone that has not been signed yet
			will cause it to be signed with the specified NSEC3
			parameters when keys are activated.  The
			NSEC3PARAM record will not appear in the zone until
			it is signed, but the parameters will be stored.
			[RT #23684]

3127.	[bug]		'rndc thaw' will now remove a zone's journal file
			if the zone serial number has been changed and
			ixfr-from-differences is not in use.  [RT #24687]

3126.	[security]	Using DNAME record to generate replacements caused
			RPZ to exit with an assertion failure. [RT #24766]

3125.	[security]	Using wildcard CNAME records as a replacement with
			RPZ caused named to exit with an assertion failure.
			[RT #24715]

3124.	[bug]		Use an rdataset attribute flag to indicate
			negative-cache records rather than using rrtype 0;
			this will prevent problems when that rrtype is
			used in actual DNS packets. [RT #24777]

3123.	[security]	Change #2912 exposed a latent flaw in
			dns_rdataset_totext() that could cause named to
			crash with an assertion failure. [RT #24777]

3122.	[cleanup]	dnssec-settime: corrected usage message. [RT #24664]

3121.	[security]	An authoritative name server sending a negative
			response containing a very large RRset could
			trigger an off-by-one error in the ncache code
			and crash named. [RT #24650]

3120.	[bug]		Named could fail to validate zones listed in a DLV
			that validated insecure without using DLV and had
			DS records in the parent zone. [RT #24631]

3119.	[bug]		When rolling to a new DNSSEC key, a private-type
			record could be created and never marked complete.
			[RT #23253]

3118.	[bug]		nsupdate could dump core on shutdown when using
			SIG(0) keys. [RT #24604]

3117.	[cleanup]	Remove doc and parser references to the
			never-implemented 'auto-dnssec create' option.
			[RT #24533]

3116.	[func]		New 'dnssec-update-mode' option controls updates
			of DNSSEC records in signed dynamic zones.  Set to
			'no-resign' to disable automatic RRSIG regeneration
			while retaining the ability to sign new or changed
			data. [RT #24533]

3115.	[bug]		Named could fail to return requested data when
			following a CNAME that points into the same zone.
			[RT #24455]

3114.	[bug]		Retain expired RRSIGs in dynamic zones if key is
			inactive and there is no replacement key. [RT #23136]

3113.	[doc]		Document the relationship between serial-query-rate
			and NOTIFY messages.

3112.	[doc]		Add missing descriptions of the update policy name
			types "ms-self", "ms-subdomain", "krb5-self" and
			"krb5-subdomain", which allow machines to update
			their own records, to the BIND 9 ARM.

3111.	[bug]		Improved consistency checks for dnssec-enable and
			dnssec-validation, added test cases to the
			checkconf system test. [RT #24398]

3110.	[bug]		dnssec-signzone: Wrong error message could appear
			when attempting to sign with no KSK. [RT #24369]

3109.	[func]		The also-notify option now uses the same syntax
			as a zone's masters clause.  This means it is
			now possible to specify a TSIG key to use when
			sending notifies to a given server, or to include
			an explicit named masters list in an also-notify
			statement.  [RT #23508]

3108.	[cleanup]	dnssec-signzone: Clarified some error and
			warning messages; removed #ifdef ALLOW_KSKLESS_ZONES
			code (use -P instead). [RT #20852]

3107.	[bug]		dnssec-signzone: Report the correct number of ZSKs
			when using -x. [RT #20852]

3106.	[func]		When logging client requests, include the name of
			the TSIG key if any. [RT #23619]

3105.	[bug]		GOST support can be suppressed by "configure
			--without-gost" [RT #24367]

3104.	[bug]		Better support for cross-compiling. [RT #24367]

3103.	[bug]		Configuring 'dnssec-validation auto' in a view
			instead of in the options statement could trigger
			an assertion failure in named-checkconf. [RT #24382]

3102.	[func]		New 'dnssec-loadkeys-interval' option configures
			how often, in minutes, to check the key repository
			for updates when using automatic key maintenance.
			Default is every 60 minutes (formerly hard-coded
			to 12 hours). [RT #23744]

3101.	[bug]		Zones using automatic key maintenance could fail
			to check the key repository for updates. [RT #23744]

3100.	[security]	Certain response policy zone configurations could
			trigger an INSIST when receiving a query of type
			RRSIG. [RT #24280]

3099.	[test]		"dlz" system test now runs but gives R:SKIPPED if
			not compiled with --with-dlz-filesystem.  [RT #24146]

3098.	[bug]		DLZ zones were answering without setting the AA bit.
			[RT #24146]

3097.	[test]		Add a tool to test handling of malformed packets.
			[RT #24096]

3096.	[bug]		Set KRB5_KTNAME before calling log_cred() in
			dst_gssapi_acceptctx(). [RT #24004]

3095.	[bug]		Handle isolated reserved ports in the port range.
			[RT #23957]

3094.	[doc]		Expand dns64 documentation.

3093.	[bug]		Fix gssapi/kerberos dependencies [RT #23836]

3092.	[bug]		Signatures for records at the zone apex could go
			stale due to an incorrect timer setting. [RT #23769]

3091.	[bug]		Fixed a bug in which zone keys that were published
			and then subsequently activated could fail to trigger
			automatic signing. [RT #22911]

3090.	[func]		Make --with-gssapi default [RT #23738]

3089.	[func]		dnssec-dsfromkey now supports reading keys from
			standard input "dnssec-dsfromkey -f -". [RT #20662]

3088.	[bug]		Remove bin/tests/system/logfileconfig/ns1/named.conf
			and add setup.sh in order to resolve changing
			named.conf issue.  [RT #23687]

3087.	[bug]		DDNS updates using SIG(0) with update-policy match
			type "external" could cause a crash. [RT #23735]

3086.	[bug]		Running dnssec-settime -f on an old-style key will
			now force an update to the new key format even if no
			other change has been specified, using "-P now -A now"
			as default values.  [RT #22474]

3085.	[func]		New '-R' option in dnssec-signzone forces removal
			of signatures which have not yet expired but
			were generated by a key that no longer exists.
			[RT #22471]