CHANGES
5606.	[bug]		CDS/CDNSKEY DELETE records were not removed when a zone
			transitioned from secure to insecure. "named-checkzone"
			should not complain if such records exist in an
			unsigned zone. [GL #2517]

5605.	[bug]		"dig -u" now uses CLOCK_REALTIME for more accurate
			time reporting. [GL #2592]

5604.	[experimental]	A "filter-a.so" plugin, which is similar to the
			"filter-aaaa.so" plugin but which omits A records
			instead of AAAA records, has been added. Thanks to
			'@treysis' (GitLab). [GL #2585]

5603.	[placeholder]

5602.	[bug]		Fix the TCPDNS and TLSDNS timers, so TCP initial
			and idle timers work correctly. [GL #2573]

5601.	[bug]		Dynamic zones with dnssec-policy could not be thawed
			because KASP zones were always considered dynamic;
			previously, dynamic KASP zones did not check whether
			updates were disabled. This has been fixed. [GL #2523]

5600.	[bug]		Load a certificate chain file so that the full chain is
			sent to DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH)
			clients that require full chain verification. [GL #2514]

5599.	[bug]		Fix a crash when transferring a zone over TLS,
			after "named" previously skipped a master. [GL #2562]

5598.	[port]		Cast (char) to (unsigned char) when calling ctype
			tests. [GL #2567]

	--- 9.17.11 released ---

5597.	[bug]		When serve-stale was enabled and starting the recursive
			resolution process for a query failed, a named instance
			could crash if it was configured as both a recursive and
			authoritative server. This problem was introduced by
			change 5573 and has now been fixed. [GL #2565]

5596.	[func]		Client-side support for DNS-over-HTTPS (DoH) has been
			added to dig. "dig +https" can now query a server via
			HTTP/2. [GL #1641]

5595.	[cleanup]	Public header files for BIND 9 libraries no longer
			directly include third-party library headers. This
			prevents the need to include paths to third-party header
			files in CFLAGS whenever BIND 9 public header files are
			used, which could cause build-time issues on hosts with
			older versions of BIND 9 installed. [GL #2357]

5594.	[bug]		Building with --enable-dnsrps --enable-dnsrps-dl failed.
			[GL #2298]

5593.	[bug]		Journal files written by older versions of named can now
			be read when loading zones, so that journal
			incompatibility does not cause problems on upgrade.
			Outdated journals are updated to the new format after
			loading. [GL #2505]

5592.	[bug]		Prevent hazard pointer table overflows on machines with
			many cores, by allowing the thread IDs (serving as
			indices into hazard pointer tables) of finished threads
			to be reused by those created later. [GL #2396]

5591.	[bug]		Fix a crash that occurred when
			"stale-answer-client-timeout" was triggered without any
			(stale) data available in the cache to answer the query.
			[GL #2503]

5590.	[bug]		NSEC3 records were not immediately created for dynamic
			zones using NSEC3 with "dnssec-policy", resulting in
			such zones going bogus. Add code to process the
			NSEC3PARAM queue at zone load time so that NSEC3 records
			for such zones are created immediately. [GL #2498]

5589.	[placeholder]

5588.	[func]		Add a new "purge-keys" option for "dnssec-policy". This
			option determines the period of time for which key files
			are retained after they become obsolete. [GL #2408]

5587.	[bug]		A standalone libtool script no longer needs to be
			present in PATH to build BIND 9 from a source tarball
			prepared using "make dist". [GL #2504]

5586.	[bug]		An invalid direction field in a LOC record resulted in
			an INSIST failure when a zone file containing such a
			record was loaded. [GL #2499]

5585.	[func]		Memory contexts and memory pool implementations were
			refactored to reduce lock contention for shared memory
			contexts by replacing mutexes with atomic operations.
			The internal memory allocator was simplified so that it
			is only a thin wrapper around the system allocator. This
			change made the "-M external" named option redundant and
			it was therefore removed. [GL #2433]

5584.	[bug]		No longer set the IP_DONTFRAG option on UDP sockets, to
			prevent dropping outgoing packets exceeding
			"max-udp-size". [GL #2466]

5583.	[func]		Changes to DNS-over-HTTPS (DoH) configuration syntax:
			- When "http" is specified in "listen-on" or
			  "listen-on-v6" statements, "tls" must also now be
			  specified. If an unencrypted connection is desired
			  (for example, when running behind a reverse proxy),
			  use "tls none".
			- "http default" can now be specified in "listen-on" and
			  "listen-on-v6" statements to use the default HTTP
			  endpoint of "/dns-query". It is no longer necessary to
			  include an "http" statement in named.conf unless
			  overriding this value.
			[GL #2472]

5582.	[bug]		BIND 9 failed to build when static OpenSSL libraries
			were used and the pkg-config files for libssl and/or
			libcrypto were unavailable. This has been fixed by
			ensuring that the correct linking order for libssl and
			libcrypto is always used. [GL #2402]

5581.	[bug]		Fix a memory leak that occurred when inline-signed zones
			were added to the configuration, followed by a
			reconfiguration of named. [GL #2041]

5580.	[test]		The system test framework no longer differentiates
			between SKIPPED and UNTESTED system test results. Any
			system test which is not run is now marked as SKIPPED.
			[GL !4517]

5579.	[bug]		If an invalid key name (e.g. "a..b") was specified in a
			primaries list in named.conf, the wrong size was passed
			to isc_mem_put(), resulting in the returned memory being
			put on the wrong free list. This prevented named from
			starting up. [GL #2460]

	--- 9.17.10 released ---

5578.	[protocol]	Make "check-names" accept A records below "_spf",
			"_spf_rate", and "_spf_verify" labels in order to cater
			for the "exists" SPF mechanism specified in RFC 7208
			section 5.7 and appendix D.1. [GL #2377]
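
An added example of the kind of owner-name test that check-names performs, with the carve-out this change introduces (illustration only, not BIND's own checking code): labels are held to the RFC 952/1123 hostname syntax, except that an A record owner lying below a "_spf", "_spf_rate" or "_spf_verify" label, which the RFC 7208 "exists" mechanism produces by macro expansion, is accepted. The sample zone is constructed, and the rule that labels beneath the marker are exempt while labels above it are not is an assumption of this example.

```python
import re
from typing import List, Tuple

# RFC 952/1123 host label: letters, digits and hyphens, 1-63 octets, no leading/trailing hyphen.
HOST_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Marker labels for the RFC 7208 "exists" lookup trees accepted by change 5578.
SPF_EXISTS_LABELS = ("_spf", "_spf_rate", "_spf_verify")


def split_labels(name: str) -> List[str]:
    """Labels of NAME, case-folded, most specific first; the root is []."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".") if name else []


def is_hostname(name: str) -> bool:
    """Every label satisfies the hostname syntax (the ordinary check-names test)."""
    labels = split_labels(name)
    return bool(labels) and all(HOST_LABEL.match(l) for l in labels)


def a_owner_allowed(owner: str) -> bool:
    """check-names decision for the owner of an A record. Assumption of this
    example: the lowest SPF marker label exempts the labels beneath it (macro
    expansions such as reversed IP octets or a local part) from the hostname
    test, provided there is at least one such label and every label above the
    marker is still a valid hostname label. Anything else must be a hostname."""
    labels = split_labels(owner)
    for i, label in enumerate(labels):
        if label in SPF_EXISTS_LABELS:
            below, above = labels[:i], labels[i + 1:]
            return (len(below) > 0
                    and all(0 < len(l) <= 63 for l in below)
                    and all(HOST_LABEL.match(l) for l in above))
    return is_hostname(owner)


def check_a_owners(records: List[Tuple[str, str, str]]) -> List[str]:
    """Return the owner names of A records that this check would reject."""
    return [owner for owner, rtype, _ in records
            if rtype.upper() == "A" and not a_owner_allowed(owner)]


# Constructed sample zone (example.test. and the addresses are placeholders).
SAMPLE_ZONE = [
    ("www.example.test.", "A", "192.0.2.10"),
    ("_dmarc.example.test.", "TXT", '"v=DMARC1; p=none"'),     # underscore is fine for TXT
    ("_dmarc.example.test.", "A", "192.0.2.11"),                # but not for an A owner
    ("3.2.0.192.user._spf.example.test.", "A", "127.0.0.2"),    # expanded %{ir}.%{l}._spf.%{d}
    ("bob+tag._spf_verify.example.test.", "A", "127.0.0.2"),    # local part below the marker
    ("_spf.example.test.", "A", "127.0.0.2"),                   # at, not below, the marker
    ("-bad.example.test.", "A", "192.0.2.12"),
]

if __name__ == "__main__":
    for owner in check_a_owners(SAMPLE_ZONE):
        print(f"{owner}: bad owner name (check-names)")
```

The label-by-label loop matters: a marker found at the leftmost position means the A record sits at "_spf" itself rather than below it, so that owner falls through to the ordinary hostname test and is rejected.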

5577.	[bug]		Fix the "three is a crowd" key rollover bug in KASP by
			correctly implementing Equation (2) of the "Flexible and
			Robust Key Rollover" paper. [GL #2375]

5576.	[experimental]	Initial server-side implementation of DNS-over-HTTPS
			(DoH). Support for both TLS-encrypted and unencrypted
			HTTP/2 connections has been added to the network manager
			and integrated into named. (Note: there is currently no
			client-side support for DNS-over-HTTPS; this will be
			added to dig in a future release.) [GL #1144]

5575.	[bug]		When migrating to KASP, BIND 9 considered keys with the
			"Inactive" and/or "Delete" timing metadata to be
			possible active keys. This has been fixed. [GL #2406]

5574.	[func]		Incoming zone transfers can now use TLS. Addresses in a
			"primaries" list take an optional "tls" argument,
			specifying either a previously configured "tls" block or
			"ephemeral"; SOA queries and zone transfer requests are
			then sent via TLS. [GL #2392]

5573.	[func]		When serve-stale is enabled and stale data is available,
			named now returns stale answers upon encountering any
			unexpected error in the query resolution process.
			However, the "stale-refresh-time" window is still only
			started upon a timeout. [GL #2434]

5572.	[bug]		Address potential double free in generatexml().
			[GL #2420]

5571.	[bug]		named failed to start when its configuration included a
			zone with a non-builtin "allow-update" ACL attached.
			[GL #2413]

5570.	[bug]		Improve performance of the DNSSEC verification code by
			reducing the number of repeated calls to
			dns_dnssec_keyfromrdata(). [GL #2073]

5569.	[bug]		Emit useful error message when "rndc retransfer" is
			applied to a zone of inappropriate type. [GL #2342]

5568.	[bug]		Fixed a crash in "dnssec-keyfromlabel" when using ECDSA
			keys. [GL #2178]

5567.	[bug]		Dig now reports unknown dash options while pre-parsing
			the options. This prevents "-multi" instead of "+multi"
			from reporting memory usage before ending option parsing
			with "Invalid option: -lti". [GL #2403]

5566.	[func]		Add "stale-answer-client-timeout" option, which is the
			amount of time a recursive resolver waits before
			attempting to answer the query using stale data from
			cache. [GL #2247]

5565.	[func]		The SONAMEs for BIND 9 libraries now include the current
			BIND 9 version number, in an effort to tightly couple
			internal libraries with a specific release. [GL #2387]

5564.	[cleanup]	Network manager's TLSDNS module was refactored to use
			libuv and libssl directly instead of a stack of TCP/TLS
			sockets. [GL #2335]

5563.	[cleanup]	Changed several obsolete configuration options to
			ancient, making them fatal errors. Also cleaned up the
			number of clause flags in the configuration parser.
			[GL #1086]

5562.	[placeholder]

5561.	[bug]		KASP incorrectly set signature validity to the value of
			the DNSKEY signature validity. This is now fixed.
			[GL #2383]

5560.	[func]		The default value of "max-stale-ttl" has been changed
			from 12 hours to 1 day and the default value of
			"stale-answer-ttl" has been changed from 1 second to 30
			seconds, following RFC 8767 recommendations. [GL #2248]

	--- 9.17.9 released ---

5559.	[bug]		The --with-maxminddb=PATH form of the build-time option
			enabling support for libmaxminddb was not working
			correctly. This has been fixed. [GL #2366]

5558.	[bug]		Asynchronous hook modules could trigger an assertion
			failure when the fetch handle was detached too late.
			Thanks to Jinmei Tatuya at Infoblox. [GL #2379]

5557.	[bug]		Prevent RBTDB instances from being destroyed by multiple
			threads at the same time. [GL #2317]

5556.	[bug]		Further tweak newline printing in dnssec-signzone and
			dnssec-verify. [GL #2359]

5555.	[placeholder]

5554.	[bug]		dnssec-signzone and dnssec-verify were missing newlines
			between log messages. [GL #2359]

5553.	[bug]		When reconfiguring named, removing "auto-dnssec" did not
			turn off DNSSEC maintenance. [GL #2341]

5552.	[func]		When switching to "dnssec-policy none;", named now
			permits a safe transition to insecure mode and publishes
			the CDS and CDNSKEY DELETE records, as described in RFC
			8078. [GL #1750]
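
As an added illustration (example code, not BIND's), the following Python encodes the RFC 8078 section 4 DELETE records that this change publishes (CDS "0 0 0 00", CDNSKEY "0 3 0 AA=="), recognizes them by their wire form, and applies a named-checkzone-style rule to constructed sample RRsets, including the leftover-DELETE-in-an-unsigned-zone case that change 5606 at the top of this file says should not be reported. The zone name example.test., the placeholder DNSKEY rdata and the digest are constructed; the "mixed RRset" check rests on the RFC 8078 requirement that a DELETE RRset contain exactly one RR.

```python
import base64
import binascii

# RFC 8078 section 4 "DELETE" sentinels in presentation format.
CDS_DELETE = "0 0 0 00"
CDNSKEY_DELETE = "0 3 0 AA=="


def cds_to_wire(rdata: str) -> bytes:
    """CDS rdata: key tag (16 bits), algorithm, digest type, hex digest."""
    tag, alg, dtype, *digest = rdata.split()
    return (int(tag).to_bytes(2, "big") + bytes([int(alg), int(dtype)])
            + binascii.unhexlify("".join(digest)))


def cdnskey_to_wire(rdata: str) -> bytes:
    """CDNSKEY rdata: flags (16 bits), protocol, algorithm, base64 public key."""
    flags, proto, alg, *key = rdata.split()
    return (int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)])
            + base64.b64decode("".join(key)))


def is_delete(rtype: str, rdata: str) -> bool:
    """True if RDATA is the DELETE sentinel for RTYPE; compared on wire form so
    that spacing or case differences in the presentation format do not matter."""
    if rtype == "CDS":
        return cds_to_wire(rdata) == cds_to_wire(CDS_DELETE)
    if rtype == "CDNSKEY":
        return cdnskey_to_wire(rdata) == cdnskey_to_wire(CDNSKEY_DELETE)
    raise ValueError(f"not a child DS-signalling type: {rtype}")


def check_cds_rrsets(records):
    """records: iterable of (owner, rtype, rdata) tuples. Returns a list of
    problems, empty when the CDS/CDNSKEY RRsets are acceptable:
      - a DELETE record must be the only record in its RRset (RFC 8078 section 4);
      - a non-DELETE CDS/CDNSKEY in a zone with no DNSKEY advertises a DS for a
        key that does not exist;
      - DELETE records in an unsigned zone are tolerated (the point of change 5606)."""
    records = list(records)
    zone_signed = any(t == "DNSKEY" for _, t, _ in records)
    problems = []
    for rtype in ("CDS", "CDNSKEY"):
        rrset = [r for _, t, r in records if t == rtype]
        if not rrset:
            continue
        deletes = [r for r in rrset if is_delete(rtype, r)]
        if deletes and len(rrset) > 1:
            problems.append(f"{rtype}: DELETE record mixed with other records")
        elif not deletes and not zone_signed:
            problems.append(f"{rtype}: non-DELETE record in a zone without DNSKEY")
    return problems


# Constructed sample zones (owner names and DNSKEY rdata are placeholders).
DNSKEY_PLACEHOLDER = ("example.test.", "DNSKEY", "257 3 13 AAAA")
FAKE_DIGEST = "AB" * 32  # 64 hex chars, the size of a SHA-256 digest

GOING_INSECURE = [  # still signed, signalling DS removal as change 5552 does
    DNSKEY_PLACEHOLDER,
    ("example.test.", "CDS", CDS_DELETE),
    ("example.test.", "CDNSKEY", CDNSKEY_DELETE),
]
UNSIGNED_WITH_DELETE = [  # DNSKEY already gone, DELETE records left behind (change 5606)
    ("example.test.", "CDS", CDS_DELETE),
    ("example.test.", "CDNSKEY", CDNSKEY_DELETE),
]
UNSIGNED_WITH_STALE_CDS = [  # unsigned, but still advertising a digest: a real problem
    ("example.test.", "CDS", f"12345 13 2 {FAKE_DIGEST}"),
]
MIXED_DELETE = [  # DELETE and a regular CDS in one RRset: invalid under RFC 8078
    DNSKEY_PLACEHOLDER,
    ("example.test.", "CDS", CDS_DELETE),
    ("example.test.", "CDS", f"12345 13 2 {FAKE_DIGEST}"),
]

if __name__ == "__main__":
    for label, zone in [("going insecure", GOING_INSECURE),
                        ("unsigned + DELETE", UNSIGNED_WITH_DELETE),
                        ("unsigned + stale CDS", UNSIGNED_WITH_STALE_CDS),
                        ("mixed DELETE", MIXED_DELETE)]:
        print(f"{label}: {check_cds_rrsets(zone) or 'ok'}")
```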

5551.	[bug]		named no longer attempts to assign threads to CPUs
			outside the CPU affinity set. Thanks to Ole Bjørn
			Hessen. [GL #2245]

5550.	[func]		dnssec-signzone and named now log a warning when falling
			back to the "increment" SOA serial method. [GL #2058]

5549.	[protocol]	ipv4only.arpa is now served when DNS64 is configured.
			[GL #385]

5548.	[placeholder]

5547.	[placeholder]

	--- 9.17.8 released ---

5546.	[placeholder]

5545.	[func]		OS support for load-balanced sockets is no longer
			required to receive incoming queries in multiple netmgr
			threads. [GL #2137]

5544.	[func]		Restore the default value of "nocookie-udp-size" to 4096
			bytes. [GL #2250]

5543.	[bug]		Fix UDP performance issues caused by making netmgr
			callbacks asynchronous-only. [GL #2320]

5542.	[bug]		Refactor netmgr. [GL #1920] [GL #2034] [GL #2061]
			[GL #2194] [GL #2221] [GL #2266] [GL #2283] [GL #2318]
			[GL #2321]

5541.	[func]		Adjust the "max-recursion-queries" default from 75 to
			100. [GL #2305]

5540.	[port]		Fix building with native PKCS#11 support for AEP Keyper.
			[GL #2315]

5539.	[bug]		Tighten handling of missing DNS COOKIE responses over
			UDP by falling back to TCP. [GL #2275]

5538.	[func]		Add NSEC3 support to KASP. A new option for
			"dnssec-policy", "nsec3param", can be used to set the
			desired NSEC3 parameters. NSEC3 salt collisions are
			automatically prevented during resalting. Salt
			generation is now logged with zone context. [GL #1620]

5537.	[func]		The query plugin mechanism has been extended
			to support asynchronous operations. For example, a
			plugin can now trigger recursion and resume
			processing when it is complete. Thanks to Jinmei
			Tatuya at Infoblox. [GL #2141]

5536.	[func]		Dig can now report the DNS64 prefixes in use
			(+dns64prefix). [GL #1154]

5535.	[bug]		dig/nslookup/host could crash on shutdown after an
			interrupt. [GL #2287] [GL #2288]

5534.	[bug]		The CNAME synthesized from a DNAME was incorrectly
			followed when the QTYPE was CNAME or ANY. [GL #2280]

	--- 9.17.7 released ---

5533.	[func]		Add the "stale-refresh-time" option, a time window that
			starts after a failed lookup, during which a stale RRset
			is served directly from cache before a new attempt to
			refresh it is made. [GL #2066]

5532.	[cleanup]	Unused header files were removed:
			bin/rndc/include/rndc/os.h, lib/isc/timer_p.h,
			lib/isccfg/include/isccfg/dnsconf.h and code related
			to those files. [GL #1913]

5531.	[func]		Add support for DNS over TLS (DoT) to dig and named.
			dig output now includes the transport protocol used.
			[GL #1816] [GL #1840]

5530.	[bug]		dnstap did not capture responses to forwarded UPDATE
			requests. [GL #2252]

5529.	[func]		The network manager API is now used by named to send
			zone transfer requests. [GL #2016]

5528.	[func]		Convert dig, host, and nslookup to use the network
			manager API. As a side effect of this change, "dig
			+unexpected" no longer works, and has been disabled.
			[GL #2140]

5527.	[bug]		A NULL pointer dereference occurred when creating an NTA
			recheck query failed. [GL #2244]

5526.	[bug]		Fix a race/NULL dereference in TCPDNS read. [GL #2227]

5525.	[placeholder]

5524.	[func]		Added functionality to the network manager to support
			outgoing DNS queries in addition to incoming ones.
			[GL #2235]

5523.	[bug]		The initial lookup in a zone transitioning to/from a
			signed state could fail if the DNSKEY RRset was not
			found. [GL #2236]

5522.	[bug]		Fixed a race/NULL dereference in TCPDNS send. [GL #2227]

5521.	[func]		All use of libltdl was dropped. libuv's shared library
			handling interface is now used instead. [GL !4278]

5520.	[bug]		Fixed a number of shutdown races, reference counting
			errors, and spurious log messages that could occur
			in the network manager. [GL #2221]

5519.	[cleanup]	Unused source code was removed: lib/dns/dbtable.c,
			lib/dns/portlist.c, lib/isc/bufferlist.c, and code
			related to those files. [GL #2060]

5518.	[bug]		Stub zones now work correctly with primary servers using
			"minimal-responses yes". [GL #1736]

5517.	[bug]		Do not treat UV_EOF as a TCP4RecvErr or a TCP6RecvErr.
			[GL #2208]

	--- 9.17.6 released ---

5516.	[func]		The default EDNS buffer size has been changed from 4096
			to 1232 bytes, the EDNS buffer size probing has been
			removed, and named now sets the DF (Don't Fragment) flag
			on outgoing UDP packets. [GL #2183]
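
The EDNS buffer size is the CLASS field of the OPT pseudo-RR (RFC 6891 section 6.1.2). The following Python, an added example rather than anything from BIND, builds and parses an OPT RR with the new 1232-byte default and shows the responder-side size selection rule of RFC 6891 section 6.2.5, so the effect of advertising a smaller or larger value can be checked by hand. The COOKIE option payload in the usage block is constructed, not a real cookie.

```python
import struct
from typing import Iterable, List, Tuple

OPT = 41            # RR type of the EDNS(0) pseudo-record
EDNS_DO = 0x8000    # DNSSEC OK bit in the flags half of the TTL field
# named's new default (change 5516): 1280-byte IPv6 minimum MTU - 40 (IPv6 header) - 8 (UDP header).
DEFAULT_UDP_SIZE = 1232


def build_opt_rr(udp_size: int = DEFAULT_UDP_SIZE, do: bool = False,
                 options: Iterable[Tuple[int, bytes]] = ()) -> bytes:
    """Encode an OPT RR: root owner (0x00), TYPE=41, CLASS=advertised UDP payload
    size, TTL split into extended RCODE / EDNS version / flags, then RDATA made
    of (option code, option length, option data) triples."""
    if not 0 <= udp_size <= 0xFFFF:
        raise ValueError("UDP payload size is a 16-bit field")
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    flags = EDNS_DO if do else 0
    return b"\x00" + struct.pack("!HHBBHH", OPT, udp_size, 0, 0, flags, len(rdata)) + rdata


def parse_opt_rr(buf: bytes, offset: int = 0):
    """Decode the OPT RR starting at OFFSET. Returns
    (udp_size, ext_rcode, version, do, options, end_offset); raises ValueError
    on anything malformed, including option lengths that overrun RDLENGTH."""
    if offset >= len(buf) or buf[offset] != 0:
        raise ValueError("OPT owner name must be the root")
    if len(buf) < offset + 11:
        raise ValueError("truncated OPT header")
    rtype, udp_size, ext_rcode, version, flags, rdlen = struct.unpack_from("!HHBBHH", buf, offset + 1)
    if rtype != OPT:
        raise ValueError(f"not an OPT RR: type {rtype}")
    pos, end = offset + 11, offset + 11 + rdlen
    if end > len(buf):
        raise ValueError("RDLENGTH exceeds buffer")
    options: List[Tuple[int, bytes]] = []
    while pos < end:
        if pos + 4 > end:
            raise ValueError("truncated option header")
        code, olen = struct.unpack_from("!HH", buf, pos)
        pos += 4
        if pos + olen > end:
            raise ValueError("option length exceeds RDATA")
        options.append((code, bytes(buf[pos:pos + olen])))
        pos += olen
    return udp_size, ext_rcode, version, bool(flags & EDNS_DO), options, end


def response_size_limit(advertised: int, local_limit: int = DEFAULT_UDP_SIZE) -> int:
    """Largest UDP response a responder should send (RFC 6891 section 6.2.5):
    the smaller of the requestor's advertised size and the responder's own
    limit, with advertised values below 512 treated as 512. An advertised 0 is
    therefore read as 512, not as "no EDNS"."""
    return min(max(advertised, 512), local_limit)


if __name__ == "__main__":
    cookie = (10, bytes(range(8)))  # constructed COOKIE option payload, not a real cookie
    opt = build_opt_rr(do=True, options=[cookie])
    print(opt.hex())
    print(parse_opt_rr(opt))
    print(response_size_limit(4096), response_size_limit(0))
```

With a 1232-byte local limit a client advertising 4096 still gets at most 1232 bytes over UDP and must fall back to TCP for anything larger; together with the DF flag this is what keeps named's UDP answers out of IP fragmentation.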

5515.	[func]		Add 'rndc dnssec -rollover' command to trigger a manual
			rollover for a specific key. [GL #1749]

5514.	[bug]		Fix KASP expected key size for Ed25519 and Ed448.
			[GL #2171]

5513.	[doc]		The ARM section describing the "rrset-order" statement
			was rewritten to make it unambiguous and up-to-date with
			the source code. [GL #2139]

5512.	[bug]		"rrset-order" rules using "order none" were causing
			named to crash despite named-checkconf treating them as
			valid. [GL #2139]

5511.	[bug]		'dig -u +yaml' failed to display timestamps to the
			microsecond. [GL #2190]

5510.	[bug]		Implement the attach/detach semantics for dns_message_t
			to fix a data race in accessing an already-destroyed
			fctx->rmessage. [GL #2124]

5509.	[bug]		filter-aaaa: named crashed upon shutdown if it was in
			the process of recursing for A RRsets. [GL #1040]

5508.	[func]		Added new parameter "-expired" for "rndc dumpdb" that
			also prints expired RRsets (awaiting cleanup) to the
			dump file. [GL #1870]

5507.	[bug]		Named could compute incorrect SIG(0) responses.
			[GL #2109]

5506.	[bug]		Properly handle failed sysconf() calls, so we don't
			report invalid memory size. [GL #2166]

5505.	[bug]		Updating contents of a mixed-case RPZ could cause some
			rules to be ignored. [GL #2169]

5504.	[func]		The "glue-cache" option has been marked as deprecated.
			The glue cache feature will be permanently enabled in a
			future release. [GL #2146]

5503.	[bug]		Cleaned up reference counting of network manager
			handles, now using isc_nmhandle_attach() and _detach()
			instead of _ref() and _unref(). [GL #2122]

	--- 9.17.5 released ---

5502.	[func]		'dig +bufsize=0' no longer disables EDNS. [GL #2054]

5501.	[func]		Log CDS/CDNSKEY publication. [GL #1748]

5500.	[bug]		Fix (non-)publication of CDS and CDNSKEY records.
			[GL #2103]

5499.	[func]		Add '-P ds' and '-D ds' arguments to dnssec-settime.
			[GL #1748]

5498.	[test]		The --with-gperftools-profiler configure option was
			removed. [GL !4045]

5497.	[placeholder]

5496.	[bug]		Address a TSAN report by ensuring each rate limiter
			object holds a reference to its task. [GL #2081]

5495.	[bug]		With query minimization enabled, named failed to
			resolve ip6.arpa. names that had extra labels to the
			left of the IPv6 part. [GL #1847]

5494.	[bug]		Silence the EPROTO syslog message on older systems.
			[GL #1928]

5493.	[bug]		Fix off-by-one error when calculating new hash table
			size. [GL #2104]

5492.	[bug]		Tighten LOC parsing to reject a period (".") and/or "m"
			as a value. Fix handling of negative altitudes which are
			not whole meters. [GL #2074]

5491.	[bug]		rbtversion->glue_table_size could be read without the
			appropriate lock being held. [GL #2080]

5490.	[func]		Refactor readline support to use pkg-config and add
			support for the editline library. [GL !3942]

5489.	[bug]		Named erroneously accepted certain invalid resource
			records that were incorrectly processed after
			subsequently being written to disk and loaded back, as
			the wire format differed. Such records include: CERT,
			IPSECKEY, NSEC3, NSEC3PARAM, NXT, SIG, TLSA, WKS, and
			X25. [GL !3953]

5488.	[bug]		NTA code needed to have a weak reference on its
			associated view to prevent the latter from being deleted
			while NTA tests were being performed. [GL #2067]

5487.	[cleanup]	Update managed keys log messages to be less confusing.
			[GL #2027]

5486.	[func]		Add 'rndc dnssec -checkds' command, which signals to
			named that the DS record for a given zone or key has
			been updated in the parent zone. [GL #1613]

	--- 9.17.4 released ---

5485.	[placeholder]

5484.	[func]		Expire zero TTL records quickly rather than using them
			for stale answers. [GL #1829]

5483.	[func]		Keeping "stale" answers in cache has been disabled by
			default and can be re-enabled with a new configuration
			option "stale-cache-enable". [GL #1712]

5482.	[bug]		If the Duplicate Address Detection (DAD) mechanism had
			not yet finished after adding a new IPv6 address to the
			system, BIND 9 would fail to bind to IPv6 addresses in a
			tentative state. [GL #2038]

5481.	[security]	"update-policy" rules of type "subdomain" were
			incorrectly treated as "zonesub" rules, which allowed
			keys used in "subdomain" rules to update names outside
			of the specified subdomains. The problem was fixed by
			making sure "subdomain" rules are again processed as
			described in the ARM. (CVE-2020-8624) [GL #2055]
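
To make the misbehaviour concrete, here is an added Python model of update-policy name matching (example code, not named's implementation). A "subdomain" rule grants a key rights only at or below the name given in the rule; a "zonesub" rule grants rights anywhere in the zone. Evaluating the former as the latter is exactly the escalation described above. The zone, key name and rules are constructed; only the name, subdomain, zonesub and self nametypes are modelled, and rules are evaluated first match wins, as the ARM describes.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


def canonical(name: str) -> str:
    """Case-fold and make absolute; DNS names compare case-insensitively."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def is_subdomain(name: str, ancestor: str) -> bool:
    """True if NAME equals ANCESTOR or lies below it, compared label by label
    (a plain string-suffix test would let 'evilhosts.example.test.' match
    'hosts.example.test.')."""
    n = canonical(name).split(".")
    a = canonical(ancestor).split(".")
    return len(n) >= len(a) and n[-len(a):] == a


@dataclass(frozen=True)
class Rule:
    """One update-policy rule: grant|deny identity nametype [name] [types]."""
    permission: str                         # "grant" or "deny"
    identity: str                           # TSIG key name, or "*"
    nametype: str                           # "name", "subdomain", "zonesub", "self"
    name: Optional[str] = None              # required for name/subdomain
    types: Optional[FrozenSet[str]] = None  # None: any RR type


def rule_matches(rule: Rule, zone: str, key_name: str, target: str, rtype: str,
                 subdomain_as_zonesub: bool = False) -> bool:
    """Does RULE apply to an update of TARGET/RTYPE signed with KEY_NAME?
    SUBDOMAIN_AS_ZONESUB=True reproduces the misbehaviour described for
    CVE-2020-8624: a 'subdomain' rule evaluated as if it were 'zonesub'."""
    if rule.identity != "*" and canonical(rule.identity) != canonical(key_name):
        return False
    if rule.types is not None and rtype.upper() not in rule.types:
        return False
    nametype = rule.nametype
    if subdomain_as_zonesub and nametype == "subdomain":
        nametype = "zonesub"
    if nametype == "name":
        return canonical(target) == canonical(rule.name)
    if nametype == "subdomain":
        return is_subdomain(target, rule.name)
    if nametype == "zonesub":
        return is_subdomain(target, zone)
    if nametype == "self":
        return canonical(target) == canonical(key_name)
    raise ValueError(f"nametype not modelled in this example: {nametype}")


def update_allowed(policy: List[Rule], zone: str, key_name: str, target: str, rtype: str,
                   subdomain_as_zonesub: bool = False) -> bool:
    """First matching rule decides; no match means the update is refused."""
    if not is_subdomain(target, zone):
        return False  # names outside the zone are never updatable
    for rule in policy:
        if rule_matches(rule, zone, key_name, target, rtype, subdomain_as_zonesub):
            return rule.permission == "grant"
    return False


# Constructed sample: a DHCP server's key may manage A/AAAA under hosts.example.test.,
# except for the gateway's own name, which a deny rule placed first protects.
ZONE = "example.test."
POLICY = [
    Rule("deny", "*", "name", "gateway.hosts.example.test."),
    Rule("grant", "dhcp-key", "subdomain", "hosts.example.test.", frozenset({"A", "AAAA"})),
]

if __name__ == "__main__":
    for target in ("pc1.hosts.example.test.", "www.example.test.", "evilhosts.example.test."):
        fixed = update_allowed(POLICY, ZONE, "dhcp-key", target, "A")
        buggy = update_allowed(POLICY, ZONE, "dhcp-key", target, "A", subdomain_as_zonesub=True)
        print(f"{target:28} subdomain={fixed!s:5} as-zonesub={buggy}")
```

Run as a script, the second and third targets come out refused under the correct evaluation and granted under the zonesub evaluation, which is the difference between a key that can rename DHCP leases and one that can repoint www.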

5480.	[security]	When BIND 9 was compiled with native PKCS#11 support, it
			was possible to trigger an assertion failure in code
			determining the number of bits in the PKCS#11 RSA public
			key with a specially crafted packet. (CVE-2020-8623)
			[GL #2037]

5479.	[security]	named could crash in certain query resolution scenarios
			where QNAME minimization and forwarding were both
			enabled. (CVE-2020-8621) [GL #1997]

5478.	[security]	It was possible to trigger an assertion failure by
			sending a specially crafted large TCP DNS message.
			(CVE-2020-8620) [GL #1996]

5477.	[bug]		The idle timeout for connected TCP sockets, which was
			previously set to a high fixed value, is now derived
			from the client query processing timeout configured for
			a resolver. [GL #2024]

5476.	[security]	It was possible to trigger an assertion failure when
			verifying the response to a TSIG-signed request.
			(CVE-2020-8622) [GL #2028]

5475.	[bug]		Wildcard RPZ passthru rules could incorrectly be
			overridden by other rules that were loaded from RPZ
			zones which appeared later in the "response-policy"
			statement. This has been fixed. [GL #1619]

5474.	[bug]		dns_rdata_hip_next() failed to return ISC_R_NOMORE
			when it should have. [GL !3880]

5473.	[func]		The RBT hash table implementation has been changed
			to use a faster hash function (HalfSipHash2-4) and
			Fibonacci hashing for better distribution. Setting
			"max-cache-size" now preallocates a fixed-size hash
			table so that rehashing does not cause resolution
			brownouts while the hash table is grown. [GL #1775]

5472.	[func]		The statistics channel has been updated to use the
			new network manager. [GL #2022]

5471.	[bug]		The introduction of KASP support inadvertently caused
			the second field of "sig-validity-interval" to always be
			calculated in hours, even in cases when it should have
			been calculated in days. This has been fixed. (Thanks to
			Tony Finch.) [GL !3735]

5470.	[port]		gsskrb5_register_acceptor_identity() is now only called
			if gssapi_krb5.h is present. [GL #1995]

5469.	[port]		On illumos, a constant called SEC is already defined in
			<sys/time.h>, which conflicts with an identically named
			constant in libbind9. This conflict has been resolved.
			[GL #1993]

5468.	[bug]		Addressed potential double unlock in process_fd().
			[GL #2005]

5467.	[func]		The control channel and the rndc utility have been
			updated to use the new network manager. To support
			this, the network manager was updated to enable
			the initiation of client TCP connections. Its
			internal reference counting has been refactored.

			Note: As a side effect of this change, rndc cannot
			currently be used with UNIX-domain sockets, and its
			default timeout has changed from 60 seconds to 30.
			These will be addressed in a future release.
			[GL #1759]

5466.	[bug]		Addressed an error in recursive clients stats reporting.
			[GL #1719]

5465.	[func]		Added fallback to built-in trust-anchors, managed-keys,
			or trusted-keys if the bindkeys-file (bind.keys) cannot
			be parsed. [GL #1235]

5464.	[bug]		Requesting more than 128 files to be saved when rolling
			dnstap log files caused a buffer overflow. This has been
			fixed. [GL #1989]

5463.	[placeholder]

5462.	[bug]		Move LMDB locking from LMDB itself to named. [GL #1976]

5461.	[bug]		The STALE rdataset header attribute was updated while
			the write lock was not being held, leading to incorrect
			statistics. The header attributes are now converted to
			use atomic operations. [GL #1475]

5460.	[cleanup]	tsig-keygen was previously an alias for
			ddns-confgen and was documented in the ddns-confgen
			man page. This has been reversed; tsig-keygen is
			now the primary name. [GL #1998]

5459.	[bug]		Fixed bad isc_mem_put() size when an invalid type was
			specified in an "update-policy" rule. [GL #1990]

	--- 9.17.3 released ---

5458.	[bug]		Prevent a theoretically possible NULL dereference caused
			by a data race between zone_maintenance() and
			dns_zone_setview_helper(). [GL #1627]

5457.	[placeholder]

5456.	[func]		Added "primaries" as a synonym for "masters" in
			named.conf, and "primary-only" as a synonym for
			"master-only" in the parameters to "notify", to bring
			terminology up-to-date with RFC 8499. [GL #1948]

5455.	[bug]		named could crash when cleaning dead nodes in
			lib/dns/rbtdb.c that were being reused. [GL #1968]

5454.	[bug]		Address a startup crash that occurred when the server
			was under load and the root zone had not yet been
			loaded. [GL #1862]

5453.	[bug]		named crashed on shutdown when a new rndc connection was
			received during shutdown. [GL #1747]

5452.	[bug]		The "blackhole" ACL was accidentally disabled for client
			queries. [GL #1936]

5451.	[func]		Add 'rndc dnssec -status' command. [GL #1612]

5450.	[placeholder]

5449.	[bug]		Fix a socket shutdown race in netmgr udp. [GL #1938]

5448.	[bug]		Fix a race condition in isc__nm_tcpdns_send().
			[GL #1937]

5447.	[bug]		IPv6 addresses ending in "::" could break YAML
			parsing. A "0" is now appended to such addresses
			in YAML output from dig, mdig, delv, and dnstap-read.
			[GL #1952]

5446.	[bug]		The validator could fail to accept a properly signed
			RRset if an unsupported algorithm appeared earlier in
			the DNSKEY RRset than a supported algorithm. It could
			also stop if it detected a malformed public key.
			[GL #1689]

5445.	[cleanup]	Disable and disallow static linking. [GL #1933]

5444.	[bug]		'rndc dnstap -roll <value>' did not limit the number of
			saved files to <value>. [GL !3728]

5443.	[bug]		The "primary" and "secondary" keywords, when used
			as parameters for "check-names", were not
			processed correctly and were being ignored. [GL #1949]

5442.	[func]		Add support for outgoing TCP connections in netmgr.
			[GL #1958]

5441.	[placeholder]

5440.	[placeholder]

5439.	[bug]		The DS RRset returned by dns_keynode_dsset() was used in
			a non-thread-safe manner. [GL #1926]

	--- 9.17.2 released ---

5438.	[bug]		Fix a race in TCP accepting code. [GL #1930]

5437.	[bug]		Fix a data race in lib/dns/resolver.c:log_formerr().
			[GL #1808]

5436.	[security]	It was possible to trigger an INSIST when determining
			whether a record would fit into a TCP message buffer.
			(CVE-2020-8618) [GL #1850]

5435.	[tests]		Add RFC 4592 responses examples to the wildcard system
			test. [GL #1718]

5434.	[security]	It was possible to trigger an INSIST in
			lib/dns/rbtdb.c:new_reference() with a particular zone
			content and query patterns. (CVE-2020-8619) [GL #1111]
			[GL #1718]

5433.	[placeholder]

5432.	[bug]		Check the question section when processing AXFR, IXFR,
			and SOA replies when transferring a zone in. [GL #1683]

5431.	[func]		Reject DS records at the zone apex when loading
			master files. Log but otherwise ignore attempts to
			add DS records at the zone apex via UPDATE. [GL #1798]

5430.	[doc]		Update docs - with netmgr, a separate listening socket
			is created for each IPv6 interface (just as with IPv4).
			[GL #1782]

5429.	[cleanup]	Move BIND binaries which are neither daemons nor
			administrative programs to $bindir. [GL #1724]

5428.	[bug]		Clean up GSSAPI resources in nsupdate only after taskmgr
			has been destroyed. Thanks to Petr Menšík. [GL !3316]

5427.	[placeholder]

5426.	[bug]		Don't abort() when setting SO_INCOMING_CPU on the socket
			fails. [GL #1911]

5425.	[func]		The default value of "max-stale-ttl" has been changed
			from 1 week to 12 hours. [GL #1877]

5424.	[bug]		With KASP, when creating a successor key, the "goal"
			state of the current active key (predecessor) was not
			changed and thus never removed from the zone. [GL #1846]

5423.	[bug]		Fix a bug in keymgr_key_has_successor(): it incorrectly
			returned true if any other key in the keyring had a
			successor. [GL #1845]

5422.	[bug]		When using dnssec-policy, print correct key timing
			metadata. [GL #1843]

5421.	[bug]		Fix a race that could cause named to crash when looking
			up the nodename of an RBT node if the tree was modified.
			[GL #1857]

5420.	[bug]		Add missing isc_{mutex,conditional}_destroy() calls
			that caused a memory leak on FreeBSD. [GL #1893]

5419.	[func]		Add new dig command line option, "+qid=<num>", which
			allows the query ID to be set to an arbitrary value.
			Add a new ./configure option, --enable-singletrace,
			which allows trace logging of a single query when QID is
			set to 0. [GL #1851]

5418.	[bug]		delv failed to parse deprecated trusted-keys-style
			trust anchors. [GL #1860]

5417.	[cleanup]	The code determining the advertised UDP buffer size in
			outgoing EDNS queries has been refactored to improve its
			clarity. [GL #1868]

5416.	[bug]		Fix a lock order inversion in lib/isc/unix/socket.c.
			[GL #1859]

5415.	[test]		Address race in dnssec system test that led to
			test failures. [GL #1852]

5414.	[test]		Adjust time allowed for journal truncation to occur
			in nsupdate system test to avoid test failure.
			[GL #1855]

5413.	[test]		Address race in autosign system test that led to
			test failures. [GL #1852]

5412.	[bug]		'provide-ixfr no;' failed to return up-to-date responses
			when the serial was greater than or equal to the
			current serial. [GL #1714]

5411.	[cleanup]	TCP accept code has been refactored to use a single
			accept() and pass the accepted socket to child threads
			for processing. [GL !3320]

5410.	[func]		Add the ability to specify per-type record count limits,
			which are enforced when adding records via UPDATE, in an
			"update-policy" statement. [GL #1657]

5409.	[performance]	When looking up NSEC3 data in a zone database, skip the
			check for empty non-terminal nodes; the NSEC3 tree does
			not have any. [GL #1834]

5408.	[protocol]	Print Extended DNS Errors if present in OPT record.
			[GL #1835]

5407.	[func]		Zone timers are now exported via statistics channel.
			Thanks to Paul Frieden, Verizon Media. [GL #1232]

5406.	[func]		Add a new logging category, "rpz-passthru", which allows
			RPZ passthru actions to be logged in a separate channel.
			[GL #54]

5405.	[bug]		'named-checkconf -p' could include spurious text in
			server-addresses statements due to an uninitialized DSCP
			value. [GL #1812]

5404.	[bug]		'named-checkconf -z' could incorrectly indicate
			success if errors were found in one view but not in a
			subsequent one. [GL #1807]

5403.	[func]		Do not set UDP receive/send buffer sizes - use system
			defaults. [GL #1713]

5402.	[bug]		On FreeBSD, use SO_REUSEPORT_LB instead of SO_REUSEPORT.
			Enable use of SO_REUSEADDR on all platforms which
			support it. [GL !3365]

5401.	[bug]		The number of input queues allocated during dnstap
			initialization was too low, which could prevent some
			dnstap data from being logged. [GL #1795]

5400.	[func]		Add engine support to OpenSSL EdDSA implementation.
			[GL #1763]

5399.	[func]		Add engine support to OpenSSL ECDSA implementation.
			[GL #1534]

5398.	[bug]		Named could fail to restart if a zone with a double
			quote (") in its name was added with 'rndc addzone'.
			[GL #1695]

5397.	[func]		Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
			Thanks to Aaron Thompson. [GL !3326]

5396.	[func]		When necessary (i.e. in libuv >= 1.37), use the
			UV_UDP_RECVMMSG flag to enable recvmmsg() support in
			libuv. [GL #1797]

5395.	[security]	Further limit the number of queries that can be
			triggered from a request.  Root and TLD servers
			are no longer exempt from max-recursion-queries.
			Fetches for missing name server address records
			are limited to 4 for any domain. (CVE-2020-8616)
			[GL #1388]

5394.	[cleanup]	Named formerly attempted to change the effective UID and
			GID in named_os_openfile(), which could trigger a
			spurious log message if they were already set to the
			desired values. This has been fixed. [GL #1042]
			[GL #1090]

5393.	[cleanup]	Unused and/or redundant APIs were removed from libirs.
			[GL #1758]

5392.	[bug]		It was possible for named to crash during shutdown
			or reconfiguration if an RPZ zone was still being
			updated. [GL #1779]

5391.	[func]		The BIND 9 build system has been changed to use a
			typical autoconf+automake+libtool stack. When building
			from the Git repository, run "autoreconf -fi" first.
			[GL #4]

5390.	[security]	Replaying a TSIG BADTIME response as a request could
			trigger an assertion failure. (CVE-2020-8617)
			[GL #1703]

5389.	[bug]		Finish PKCS#11 code cleanup, fix a couple of smaller
			bugs and use PKCS#11 v3.0 EdDSA macros and constants.
			Thanks to Aaron Thompson. [GL !3391]

5388.	[func]		Reject AXFR streams where the message ID is not
			consistent. [GL #1674]

5387.	[placeholder]

5386.	[cleanup]	Address Coverity warnings in lib/dns/keymgr.c.
			[GL #1737]

5385.	[func]		Make ISC rwlock implementation the default again.
			[GL #1753]

5384.	[bug]		With "dnssec-policy" in effect, "inline-signing" was
			implicitly set to "yes". Now "inline-signing" is only
			set to "yes" if the zone is not dynamic. [GL #1709]

	--- 9.17.1 released ---

5383.	[func]		Add a quota attach function with a callback and clean up
			the isc_quota API. [GL !3280]

5382.	[bug]		Use clock_gettime() instead of gettimeofday() for
			isc_stdtime() function. [GL #1679]

5381.	[bug]		Fix logging API data race by adding rwlock and caching
			logging levels in stdatomic variables to restore
			performance to original levels. [GL #1675] [GL #1717]

5380.	[contrib]	Fix building MySQL DLZ modules against MySQL 8
			libraries. [GL #1678]

5379.	[placeholder]

5378.	[bug]		Receiving invalid DNS data was triggering an assertion
			failure in nslookup. [GL #1652]

5377.	[placeholder]

5376.	[bug]		Fix ineffective DNS rebinding protection when BIND is
			configured as a forwarding DNS server. Thanks to Tobias
			Klein. [GL #1574]

5375.	[test]		Fix timing issues in the "kasp" system test. [GL #1669]

5374.	[bug]		Statistics counters tracking recursive clients and
			active connections could underflow. [GL #1087]

5373.	[bug]		Collecting statistics for DNSSEC signing operations
			(change 5254) caused an array of significant size (over
			100 kB) to be allocated for each configured zone. Each
			of these arrays is tracking all possible key IDs; this
			could trigger an out-of-memory condition on servers with
			a high enough number of zones configured. Fixed by
			tracking up to four keys per zone and rotating counters
			when keys are replaced. This fixes the immediate problem
			of high memory usage, but should be improved in a future
			release by growing or shrinking the number of keys to
			track upon key rollover events. [GL #1179]

5372.	[bug]		Fix migration from existing DNSSEC key files
			("auto-dnssec maintain") to "dnssec-policy". [GL #1706]

5371.	[bug]		Improve incremental updates of the RPZ summary
			database to reduce delays that could occur when
			a policy zone update included a large number of
			record deletions. [GL #1447]

5370.	[bug]		Deactivation of a netmgr handle associated with a
			socket could be skipped in some circumstances.
			Fixed by deactivating the netmgr handle before
			scheduling the asynchronous close routine. [GL #1700]

5369.	[func]		Add the ability to specify whether to wait for
			nameserver domain names to be looked up, with a new RPZ
			modifying directive 'nsdname-wait-recurse'. [GL #1138]

5368.	[bug]		Named failed to restart if 'rndc addzone' names
			contained special characters (e.g. '/'). [GL #1655]

5367.	[placeholder]

	--- 9.17.0 released ---

5366.	[bug]		Fix a race condition with the keymgr when the same
			zone plus dnssec-policy is configured in multiple
			views. [GL #1653]

5365.	[bug]		Algorithm rollover was stuck on submitting DS
			because keymgr thought it would move to an invalid
			state.  Fixed by checking the current key against
			the desired state, not the existing state. [GL #1626]

5364.	[bug]		Algorithm rollover waited too long before introducing
			zone signatures.  It waited to make sure all signatures
			were regenerated, but when introducing a new algorithm,
			all signatures are regenerated immediately.  Only
			add the sign delay if there is a predecessor key.
			[GL #1625]

5363.	[bug]		When changing a dnssec-policy, existing keys with
			properties that no longer match were not being retired.
			[GL #1624]

5362.	[func]		Limit the size of IXFR responses so that AXFR will
			be used instead if it would be smaller. This is
			controlled by the "max-ixfr-ratio" option, which
			is a percentage representing the ratio of IXFR size
			to the size of the entire zone. This value cannot
			exceed 100%, which is the default. [GL #1515]

5361.	[bug]		named might not accept new connections after
			hitting tcp-clients quota. [GL #1643]

5360.	[bug]		delv could fail to load trust anchors in DNSKEY
			format. [GL #1647]

5359.	[func]		"rndc nta -d" and "rndc secroots" now include
			"validate-except" entries when listing negative
			trust anchors. These are indicated by the keyword
			"permanent" in place of an expiry date. [GL #1532]

5358.	[bug]		Inline master zones whose master files were touched
			but otherwise unchanged and were subsequently reloaded
			may have stopped re-signing. [GL !3135]

5357.	[bug]		Newly added RRSIG records with expiry times before
			the previous earliest expiry times might not be