CHANGES
5604.	[bug]		"dig -u" now uses CLOCK_REALTIME for more accurate
			time reporting. [GL #2592]

5603.	[experimental]	A "filter-a.so" plugin, which is similar to the
			"filter-aaaa.so" plugin but which omits A records
			instead of AAAA records, has been added. Thanks to
			'@treysis' (GitLab). [GL #2585]

5602.	[bug]		Fix the TCPDNS and TLSDNS timers, so TCP initial
			and idle timers work correctly. [GL #2573]

5601.	[bug]		Dynamic zones with dnssec-policy could not be thawed
			because KASP zones were always considered dynamic;
			previously, dynamic KASP zones did not check whether
			updates were disabled. This has been fixed. [GL #2523]

5600.	[bug]		Load a certificate chain file so that the full chain is
			sent to DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH)
			clients that require full chain verification. [GL #2514]

5599.	[bug]		Fix a crash when transferring a zone over TLS,
			after "named" previously skipped a master. [GL #2562]

5598.	[port]		Cast (char) to (unsigned char) when calling ctype
			tests. [GL #2567]

	--- 9.17.11 released ---

5597.	[bug]		When serve-stale was enabled and starting the recursive
			resolution process for a query failed, a named instance
			could crash if it was configured as both a recursive and
			authoritative server. This problem was introduced by
			change 5573 and has now been fixed. [GL #2565]

5596.	[func]		Client-side support for DNS-over-HTTPS (DoH) has been
			added to dig. "dig +https" can now query a server via
			HTTP/2. [GL #1641]

5595.	[cleanup]	Public header files for BIND 9 libraries no longer
			directly include third-party library headers. This
			prevents the need to include paths to third-party header
			files in CFLAGS whenever BIND 9 public header files are
			used, which could cause build-time issues on hosts with
			older versions of BIND 9 installed. [GL #2357]

5594.	[bug]		Building with --enable-dnsrps --enable-dnsrps-dl failed.
			[GL #2298]

5593.	[bug]		Journal files written by older versions of named can now
			be read when loading zones, so that journal
			incompatibility does not cause problems on upgrade.
			Outdated journals are updated to the new format after
			loading. [GL #2505]

5592.	[bug]		Prevent hazard pointer table overflows on machines with
			many cores, by allowing the thread IDs (serving as
			indices into hazard pointer tables) of finished threads
			to be reused by those created later. [GL #2396]

5591.	[bug]		Fix a crash that occurred when
			"stale-answer-client-timeout" was triggered without any
			(stale) data available in the cache to answer the query.
			[GL #2503]

5590.	[bug]		NSEC3 records were not immediately created for dynamic
			zones using NSEC3 with "dnssec-policy", resulting in
			such zones going bogus. Add code to process the
			NSEC3PARAM queue at zone load time so that NSEC3 records
			for such zones are created immediately. [GL #2498]

5589.	[placeholder]

5588.	[func]		Add a new "purge-keys" option for "dnssec-policy". This
			option determines the period of time for which key files
			are retained after they become obsolete. [GL #2408]

5587.	[bug]		A standalone libtool script no longer needs to be
			present in PATH to build BIND 9 from a source tarball
			prepared using "make dist". [GL #2504]

5586.	[bug]		An invalid direction field in a LOC record resulted in
			an INSIST failure when a zone file containing such a
			record was loaded. [GL #2499]

5585.	[func]		Memory contexts and memory pool implementations were
			refactored to reduce lock contention for shared memory
			contexts by replacing mutexes with atomic operations.
			The internal memory allocator was simplified so that it
			is only a thin wrapper around the system allocator. This
			change made the "-M external" named option redundant and
			it was therefore removed. [GL #2433]

5584.	[bug]		No longer set the IP_DONTFRAG option on UDP sockets, to
			prevent dropping outgoing packets exceeding
			"max-udp-size". [GL #2466]

5583.	[func]		Changes to DNS-over-HTTPS (DoH) configuration syntax:
			- When "http" is specified in "listen-on" or
			  "listen-on-v6" statements, "tls" must also now be
			  specified. If an unencrypted connection is desired
			  (for example, when running behind a reverse proxy),
			  use "tls none".
			- "http default" can now be specified in "listen-on" and
			  "listen-on-v6" statements to use the default HTTP
			  endpoint of "/dns-query". It is no longer necessary to
			  include an "http" statement in named.conf unless
			  overriding this value.
			[GL #2472]
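
The listener syntax introduced by change 5583, together with the chain-file behaviour from change 5600, as an added named.conf example. This is not configuration from the BIND 9 source tree; the tls block name, file paths, ports and addresses are assumed.

```conf
// Added example for changes 5583 and 5600; not from the BIND 9 repository.
// The block name, paths, ports and addresses below are assumed.

tls local-tls {
	key-file "/etc/bind/tls/privkey.pem";
	// Change 5600: cert-file is loaded as a chain file. Put the leaf
	// certificate first and the intermediates after it, so DoT and DoH
	// clients that verify the full chain receive all of it.
	cert-file "/etc/bind/tls/fullchain.pem";
};

options {
	// DNS-over-TLS.
	listen-on port 853 tls local-tls { any; };
	listen-on-v6 port 853 tls local-tls { any; };

	// DNS-over-HTTPS. "tls" is mandatory whenever "http" is given;
	// "http default" selects the built-in "/dns-query" endpoint, so no
	// separate http block is required.
	listen-on port 443 tls local-tls http default { any; };
	listen-on-v6 port 443 tls local-tls http default { any; };

	// Cleartext HTTP/2 for a TLS-terminating reverse proxy on the same
	// host. "tls none" has to be written out; keep such a listener off
	// the public interface, since nothing protects it on the wire.
	listen-on port 8080 tls none http default { 127.0.0.1; };
};
```

Run named-checkconf on the result before reloading; an "http" listener that lacks a "tls" argument is now flagged as a configuration error. With the client-side support from change 5596, "dig +https @127.0.0.1 example.com" exercises the port 443 listener end to end.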

5582.	[bug]		BIND 9 failed to build when static OpenSSL libraries
			were used and the pkg-config files for libssl and/or
			libcrypto were unavailable. This has been fixed by
			ensuring that the correct linking order for libssl and
			libcrypto is always used. [GL #2402]

5581.	[bug]		Fix a memory leak that occurred when inline-signed zones
			were added to the configuration, followed by a
			reconfiguration of named. [GL #2041]

5580.	[test]		The system test framework no longer differentiates
			between SKIPPED and UNTESTED system test results. Any
			system test which is not run is now marked as SKIPPED.
			[GL !4517]

5579.	[bug]		If an invalid key name (e.g. "a..b") was specified in a
			primaries list in named.conf, the wrong size was passed
			to isc_mem_put(), resulting in the returned memory being
			put on the wrong free list. This prevented named from
			starting up. [GL #2460]

	--- 9.17.10 released ---

5578.	[protocol]	Make "check-names" accept A records below "_spf",
			"_spf_rate", and "_spf_verify" labels in order to cater
			for the "exists" SPF mechanism specified in RFC 7208
			section 5.7 and appendix D.1. [GL #2377]

5577.	[bug]		Fix the "three is a crowd" key rollover bug in KASP by
			correctly implementing Equation (2) of the "Flexible and
			Robust Key Rollover" paper. [GL #2375]

5576.	[experimental]	Initial server-side implementation of DNS-over-HTTPS
			(DoH). Support for both TLS-encrypted and unencrypted
			HTTP/2 connections has been added to the network manager
			and integrated into named. (Note: there is currently no
			client-side support for DNS-over-HTTPS; this will be
			added to dig in a future release.) [GL #1144]

5575.	[bug]		When migrating to KASP, BIND 9 considered keys with the
			"Inactive" and/or "Delete" timing metadata to be
			possible active keys. This has been fixed. [GL #2406]

5574.	[func]		Incoming zone transfers can now use TLS. Addresses in a
			"primaries" list take an optional "tls" argument,
			specifying either a previously configured "tls" block or
			"ephemeral"; SOA queries and zone transfer requests are
			then sent via TLS. [GL #2392]
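
The "tls" argument on a primaries list from change 5574, with the crash fix from change 5599 in mind, as an added example of two named.conf fragments (one per side). Neither fragment comes from the BIND 9 source tree; the zone name, addresses, block names and the TSIG secret are assumed, and the secret is a constructed placeholder.

```conf
// Added example for changes 5574 and 5599; not from the BIND 9 repository.
// Zone name, addresses, key material and block names are assumed.

// --- fragment 1: on the primary -------------------------------------
tls xfer-tls {
	key-file "/etc/bind/tls/privkey.pem";
	cert-file "/etc/bind/tls/fullchain.pem";
};

key "xfer-key" {
	algorithm hmac-sha256;
	secret "eGZlci1rZXktZXhhbXBsZS1vbmx5LW5vdC1yZWFs";  // constructed dummy
};

options {
	// The primary must expose a TLS listener for the transfer to work.
	listen-on port 853 tls xfer-tls { any; };
};

zone "example.com" {
	type primary;
	file "db.example.com";
	allow-transfer { key "xfer-key"; };
};

// --- fragment 2: on the secondary -----------------------------------
key "xfer-key" {
	algorithm hmac-sha256;
	secret "eGZlci1rZXktZXhhbXBsZS1vbmx5LW5vdC1yZWFs";  // same constructed dummy
};

zone "example.com" {
	type secondary;
	file "db.example.com";
	// Each address takes an optional "tls" argument naming a tls block
	// or "ephemeral" (the built-in ephemeral TLS context). SOA refresh
	// queries and AXFR/IXFR requests to that address then go over TLS;
	// the TSIG key is given as before.
	primaries {
		192.0.2.1 port 853 key "xfer-key" tls ephemeral;
	};
};
```

Nothing in these entries says the secondary verifies the primary's certificate, so in this series treat the "tls" argument as encryption of the transport and keep the TSIG key as the authentication of the transfer. Change 5599 fixed a crash on the TLS transfer path after a primary had been skipped, so a list with several primaries needs a build that includes it.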

5573.	[func]		When serve-stale is enabled and stale data is available,
			named now returns stale answers upon encountering any
			unexpected error in the query resolution process.
			However, the "stale-refresh-time" window is still only
			started upon a timeout. [GL #2434]

5572.	[bug]		Address potential double free in generatexml().
			[GL #2420]

5571.	[bug]		named failed to start when its configuration included a
			zone with a non-builtin "allow-update" ACL attached.
			[GL #2413]

5570.	[bug]		Improve performance of the DNSSEC verification code by
			reducing the number of repeated calls to
			dns_dnssec_keyfromrdata(). [GL #2073]

5569.	[bug]		Emit useful error message when "rndc retransfer" is
			applied to a zone of inappropriate type. [GL #2342]

5568.	[bug]		Fixed a crash in "dnssec-keyfromlabel" when using ECDSA
			keys. [GL #2178]

5567.	[bug]		Dig now reports unknown dash options while pre-parsing
			the options. This prevents "-multi" instead of "+multi"
			from reporting memory usage before ending option parsing
			with "Invalid option: -lti". [GL #2403]

5566.	[func]		Add "stale-answer-client-timeout" option, which is the
			amount of time a recursive resolver waits before
			attempting to answer the query using stale data from
			cache. [GL #2247]

5565.	[func]		The SONAMEs for BIND 9 libraries now include the current
			BIND 9 version number, in an effort to tightly couple
			internal libraries with a specific release. [GL #2387]

5564.	[cleanup]	Network manager's TLSDNS module was refactored to use
			libuv and libssl directly instead of a stack of TCP/TLS
			sockets. [GL #2335]

5563.	[cleanup]	Changed several obsolete configuration options to
			ancient, making them fatal errors. Also cleaned up the
			number of clause flags in the configuration parser.
			[GL #1086]

5562.	[placeholder]

5561.	[bug]		KASP incorrectly set signature validity to the value of
			the DNSKEY signature validity. This is now fixed.
			[GL #2383]

5560.	[func]		The default value of "max-stale-ttl" has been changed
			from 12 hours to 1 day and the default value of
			"stale-answer-ttl" has been changed from 1 second to 30
			seconds, following RFC 8767 recommendations. [GL #2248]

	--- 9.17.9 released ---

5559.	[bug]		The --with-maxminddb=PATH form of the build-time option
			enabling support for libmaxminddb was not working
			correctly. This has been fixed. [GL #2366]

5558.	[bug]		Asynchronous hook modules could trigger an assertion
			failure when the fetch handle was detached too late.
			Thanks to Jinmei Tatuya at Infoblox. [GL #2379]

5557.	[bug]		Prevent RBTDB instances from being destroyed by multiple
			threads at the same time. [GL #2317]

5556.	[bug]		Further tweak newline printing in dnssec-signzone and
			dnssec-verify. [GL #2359]

5555.	[placeholder]

5554.	[bug]		dnssec-signzone and dnssec-verify were missing newlines
			between log messages. [GL #2359]

5553.	[bug]		When reconfiguring named, removing "auto-dnssec" did not
			turn off DNSSEC maintenance. [GL #2341]

5552.	[func]		When switching to "dnssec-policy none;", named now
			permits a safe transition to insecure mode and publishes
			the CDS and CDNSKEY DELETE records, as described in RFC
			8078. [GL #1750]

5551.	[bug]		named no longer attempts to assign threads to CPUs
			outside the CPU affinity set. Thanks to Ole Bjørn
			Hessen. [GL #2245]

5550.	[func]		dnssec-signzone and named now log a warning when falling
			back to the "increment" SOA serial method. [GL #2058]

5549.	[protocol]	ipv4only.arpa is now served when DNS64 is configured.
			[GL #385]

5548.	[placeholder]

5547.	[placeholder]

	--- 9.17.8 released ---

5546.	[placeholder]

5545.	[func]		OS support for load-balanced sockets is no longer
			required to receive incoming queries in multiple netmgr
			threads. [GL #2137]

5544.	[func]		Restore the default value of "nocookie-udp-size" to 4096
			bytes. [GL #2250]

5543.	[bug]		Fix UDP performance issues caused by making netmgr
			callbacks asynchronous-only. [GL #2320]

5542.	[bug]		Refactor netmgr. [GL #1920] [GL #2034] [GL #2061]
			[GL #2194] [GL #2221] [GL #2266] [GL #2283] [GL #2318]
			[GL #2321]

5541.	[func]		Adjust the "max-recursion-queries" default from 75 to
			100. [GL #2305]

5540.	[port]		Fix building with native PKCS#11 support for AEP Keyper.
			[GL #2315]

5539.	[bug]		Tighten handling of missing DNS COOKIE responses over
			UDP by falling back to TCP. [GL #2275]

5538.	[func]		Add NSEC3 support to KASP. A new option for
			"dnssec-policy", "nsec3param", can be used to set the
			desired NSEC3 parameters. NSEC3 salt collisions are
			automatically prevented during resalting. Salt
			generation is now logged with zone context. [GL #1620]
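
A dnssec-policy that uses the "nsec3param" option from change 5538 and the "purge-keys" option from change 5588, as an added named.conf example that is not taken from the BIND 9 source tree. Policy name, zone, key directory, algorithm and durations are assumed.

```conf
// Added example for changes 5538 and 5588; not from the BIND 9 repository.
// Policy name, zone, key-directory, algorithm and durations are assumed.

dnssec-policy "nsec3-csk" {
	keys {
		// A single combined signing key that is rolled only on request
		// ("rndc dnssec -rollover", change 5515).
		csk lifetime unlimited algorithm ecdsap256sha256;
	};
	// NSEC3 instead of NSEC for this zone. Zero extra iterations and no
	// salt follow RFC 9276; when a salt-length is set, change 5538 makes
	// named avoid reusing the previous salt when it resalts.
	nsec3param iterations 0 optout no salt-length 0;
	// Change 5588: key files of keys that are no longer in use are kept
	// for this long, then removed from key-directory.
	purge-keys P90D;
};

zone "example.com" {
	type primary;
	file "db.example.com";
	key-directory "/var/lib/bind/keys/example.com";
	// dnssec-policy requires a dynamic or inline-signed zone.
	inline-signing yes;
	dnssec-policy "nsec3-csk";
};
```

"rndc dnssec -status example.com" (change 5451) shows the resulting key states. Switching the zone to "dnssec-policy none;" later goes through the insecure transition from change 5552, including publication of the CDS and CDNSKEY DELETE records.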

5537.	[func]		The query plugin mechanism has been extended
			to support asynchronous operations. For example, a
			plugin can now trigger recursion and resume
			processing when it is complete. Thanks to Jinmei
			Tatuya at Infoblox. [GL #2141]

5536.	[func]		Dig can now report the DNS64 prefixes in use
			(+dns64prefix). [GL #1154]

5535.	[bug]		dig/nslookup/host could crash on shutdown after an
			interrupt. [GL #2287] [GL #2288]

5534.	[bug]		The CNAME synthesized from a DNAME was incorrectly
			followed when the QTYPE was CNAME or ANY. [GL #2280]

	--- 9.17.7 released ---

5533.	[func]		Add the "stale-refresh-time" option, a time window that
			starts after a failed lookup, during which a stale RRset
			is served directly from cache before a new attempt to
			refresh it is made. [GL #2066]

5532.	[cleanup]	Unused header files were removed:
			bin/rndc/include/rndc/os.h, lib/isc/timer_p.h,
			lib/isccfg/include/isccfg/dnsconf.h and code related
			to those files. [GL #1913]

5531.	[func]		Add support for DNS over TLS (DoT) to dig and named.
			dig output now includes the transport protocol used.
			[GL #1816] [GL #1840]

5530.	[bug]		dnstap did not capture responses to forwarded UPDATE
			requests. [GL #2252]

5529.	[func]		The network manager API is now used by named to send
			zone transfer requests. [GL #2016]

5528.	[func]		Convert dig, host, and nslookup to use the network
			manager API. As a side effect of this change, "dig
			+unexpected" no longer works, and has been disabled.
			[GL #2140]

5527.	[bug]		A NULL pointer dereference occurred when creating an NTA
			recheck query failed. [GL #2244]

5526.	[bug]		Fix a race/NULL dereference in TCPDNS read. [GL #2227]

5525.	[placeholder]

5524.	[func]		Added functionality to the network manager to support
			outgoing DNS queries in addition to incoming ones.
			[GL #2235]

5523.	[bug]		The initial lookup in a zone transitioning to/from a
			signed state could fail if the DNSKEY RRset was not
			found. [GL #2236]

5522.	[bug]		Fixed a race/NULL dereference in TCPDNS send. [GL #2227]

5521.	[func]		All use of libltdl was dropped. libuv's shared library
			handling interface is now used instead. [GL !4278]

5520.	[bug]		Fixed a number of shutdown races, reference counting
			errors, and spurious log messages that could occur
			in the network manager. [GL #2221]

5519.	[cleanup]	Unused source code was removed: lib/dns/dbtable.c,
			lib/dns/portlist.c, lib/isc/bufferlist.c, and code
			related to those files. [GL #2060]

5518.	[bug]		Stub zones now work correctly with primary servers using
			"minimal-responses yes". [GL #1736]

5517.	[bug]		Do not treat UV_EOF as a TCP4RecvErr or a TCP6RecvErr.
			[GL #2208]

	--- 9.17.6 released ---

5516.	[func]		The default EDNS buffer size has been changed from 4096
			to 1232 bytes, the EDNS buffer size probing has been
			removed, and named now sets the DF (Don't Fragment) flag
			on outgoing UDP packets. [GL #2183]

5515.	[func]		Add 'rndc dnssec -rollover' command to trigger a manual
			rollover for a specific key. [GL #1749]

5514.	[bug]		Fix KASP expected key size for Ed25519 and Ed448.
			[GL #2171]

5513.	[doc]		The ARM section describing the "rrset-order" statement
			was rewritten to make it unambiguous and up-to-date with
			the source code. [GL #2139]

5512.	[bug]		"rrset-order" rules using "order none" were causing
			named to crash despite named-checkconf treating them as
			valid. [GL #2139]

5511.	[bug]		'dig -u +yaml' failed to display timestamps to the
			microsecond. [GL #2190]

5510.	[bug]		Implement the attach/detach semantics for dns_message_t
			to fix a data race in accessing an already-destroyed
			fctx->rmessage. [GL #2124]

5509.	[bug]		filter-aaaa: named crashed upon shutdown if it was in
			the process of recursing for A RRsets. [GL #1040]

5508.	[func]		Added new parameter "-expired" for "rndc dumpdb" that
			also prints expired RRsets (awaiting cleanup) to the
			dump file. [GL #1870]

5507.	[bug]		Named could compute incorrect SIG(0) responses.
			[GL #2109]

5506.	[bug]		Properly handle failed sysconf() calls, so we don't
			report invalid memory size. [GL #2166]

5505.	[bug]		Updating contents of a mixed-case RPZ could cause some
			rules to be ignored. [GL #2169]

5504.	[func]		The "glue-cache" option has been marked as deprecated.
			The glue cache feature will be permanently enabled in a
			future release. [GL #2146]

5503.	[bug]		Cleaned up reference counting of network manager
			handles, now using isc_nmhandle_attach() and _detach()
			instead of _ref() and _unref(). [GL #2122]

	--- 9.17.5 released ---

5502.	[func]		'dig +bufsize=0' no longer disables EDNS. [GL #2054]

5501.	[func]		Log CDS/CDNSKEY publication. [GL #1748]

5500.	[bug]		Fix (non-)publication of CDS and CDNSKEY records.
			[GL #2103]

5499.	[func]		Add '-P ds' and '-D ds' arguments to dnssec-settime.
			[GL #1748]

5498.	[test]		The --with-gperftools-profiler configure option was
			removed. [GL !4045]

5497.	[placeholder]

5496.	[bug]		Address a TSAN report by ensuring each rate limiter
			object holds a reference to its task. [GL #2081]

5495.	[bug]		With query minimization enabled, named failed to
			resolve ip6.arpa. names that had extra labels to the
			left of the IPv6 part. [GL #1847]

5494.	[bug]		Silence the EPROTO syslog message on older systems.
			[GL #1928]

5493.	[bug]		Fix off-by-one error when calculating new hash table
			size. [GL #2104]

5492.	[bug]		Tighten LOC parsing to reject a period (".") and/or "m"
			as a value. Fix handling of negative altitudes which are
			not whole meters. [GL #2074]

5491.	[bug]		rbtversion->glue_table_size could be read without the
			appropriate lock being held. [GL #2080]

5490.	[func]		Refactor readline support to use pkg-config and add
			support for the editline library. [GL !3942]

5489.	[bug]		Named erroneously accepted certain invalid resource
			records that were incorrectly processed after
			subsequently being written to disk and loaded back, as
			the wire format differed. Such records include: CERT,
			IPSECKEY, NSEC3, NSEC3PARAM, NXT, SIG, TLSA, WKS, and
			X25. [GL !3953]

5488.	[bug]		NTA code needed to have a weak reference on its
			associated view to prevent the latter from being deleted
			while NTA tests were being performed. [GL #2067]

5487.	[cleanup]	Update managed keys log messages to be less confusing.
			[GL #2027]

5486.	[func]		Add 'rndc dnssec -checkds' command, which signals to
			named that the DS record for a given zone or key has
			been updated in the parent zone. [GL #1613]

	--- 9.17.4 released ---

5485.	[placeholder]

5484.	[func]		Expire zero TTL records quickly rather than using them
			for stale answers. [GL #1829]

5483.	[func]		Keeping "stale" answers in cache has been disabled by
			default and can be re-enabled with a new configuration
			option "stale-cache-enable". [GL #1712]
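
The serve-stale options referred to by changes 5566, 5560, 5533 and 5483, collected in one added named.conf example that is not configuration from the BIND 9 repository. Values are assumed except where a comment says they are the defaults stated in those entries.

```conf
// Added example for changes 5483, 5533, 5560 and 5566; not from the
// BIND 9 repository. Values are assumed unless marked as the default.

options {
	// Change 5483: keeping stale records in cache is off by default and
	// must be turned back on before any stale answer can be served.
	stale-cache-enable yes;
	// Answer from stale data when the authoritative servers cannot be reached.
	stale-answer-enable yes;

	// Change 5560: the new defaults, per RFC 8767.
	max-stale-ttl 1d;        // default: how long expired RRsets remain usable
	stale-answer-ttl 30;     // default: TTL put on a stale answer

	// Change 5533: after a failed lookup, serve the stale RRset straight
	// from cache for this long before attempting another refresh.
	stale-refresh-time 30;

	// Change 5566: how long (milliseconds) the resolver waits on recursion
	// before answering the client from stale data; "off" disables it.
	stale-answer-client-timeout 1800;
};
```

With stale-answer-client-timeout set, a client can be answered from stale data while the refresh is still in progress. Change 5591 fixed a crash when that timer fired with no stale data in cache, and change 5484 keeps zero-TTL records from being used as stale answers, so test this configuration on a release that includes both.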

5482.	[bug]		If the Duplicate Address Detection (DAD) mechanism had
			not yet finished after adding a new IPv6 address to the
			system, BIND 9 would fail to bind to IPv6 addresses in a
			tentative state. [GL #2038]

5481.	[security]	"update-policy" rules of type "subdomain" were
			incorrectly treated as "zonesub" rules, which allowed
			keys used in "subdomain" rules to update names outside
			of the specified subdomains. The problem was fixed by
			making sure "subdomain" rules are again processed as
			described in the ARM. (CVE-2020-8624) [GL #2055]
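
The distinction that change 5481 (CVE-2020-8624) restores, shown as an added named.conf example that is not from the BIND 9 source tree. Key names, zone and the delegated subdomain are assumed, and the secrets are constructed placeholders.

```conf
// Added example for change 5481 / CVE-2020-8624; not from the BIND 9
// repository. Key names, secrets, zone and subdomain are assumed.

key "lab-key" {
	algorithm hmac-sha256;
	secret "bGFiLWtleS1jb25zdHJ1Y3RlZC1kdW1teQ==";  // constructed dummy
};
key "ops-key" {
	algorithm hmac-sha256;
	secret "b3BzLWtleS1jb25zdHJ1Y3RlZC1kdW1teQ==";  // constructed dummy
};

zone "example.com" {
	type primary;
	file "db.example.com";
	update-policy {
		// "subdomain": the name field bounds the grant. lab-key may
		// update lab.example.com and names below it, and nothing else.
		grant lab-key subdomain lab.example.com ANY;

		// "zonesub": no name field; the grant covers the entire zone.
		// The bug fixed by change 5481 made the "subdomain" rule above
		// behave like this one.
		grant ops-key zonesub ANY;
	};
};
```

To confirm the fix on a running server, send an update signed with lab-key for a name outside the subdomain, for example an A record at www.example.com, through "nsupdate -k" with that key's file: a fixed named answers REFUSED, while an affected one applies the change.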

5480.	[security]	When BIND 9 was compiled with native PKCS#11 support, it
			was possible to trigger an assertion failure in code
			determining the number of bits in the PKCS#11 RSA public
			key with a specially crafted packet. (CVE-2020-8623)
			[GL #2037]

5479.	[security]	named could crash in certain query resolution scenarios
			where QNAME minimization and forwarding were both
			enabled. (CVE-2020-8621) [GL #1997]

5478.	[security]	It was possible to trigger an assertion failure by
			sending a specially crafted large TCP DNS message.
			(CVE-2020-8620) [GL #1996]

5477.	[bug]		The idle timeout for connected TCP sockets, which was
			previously set to a high fixed value, is now derived
			from the client query processing timeout configured for
			a resolver. [GL #2024]

5476.	[security]	It was possible to trigger an assertion failure when
			verifying the response to a TSIG-signed request.
			(CVE-2020-8622) [GL #2028]

5475.	[bug]		Wildcard RPZ passthru rules could incorrectly be
			overridden by other rules that were loaded from RPZ
			zones which appeared later in the "response-policy"
			statement. This has been fixed. [GL #1619]

5474.	[bug]		dns_rdata_hip_next() failed to return ISC_R_NOMORE
			when it should have. [GL !3880]

5473.	[func]		The RBT hash table implementation has been changed
			to use a faster hash function (HalfSipHash2-4) and
			Fibonacci hashing for better distribution. Setting
			"max-cache-size" now preallocates a fixed-size hash
			table so that rehashing does not cause resolution
			brownouts while the hash table is grown. [GL #1775]

5472.	[func]		The statistics channel has been updated to use the
			new network manager. [GL #2022]

5471.	[bug]		The introduction of KASP support inadvertently caused
			the second field of "sig-validity-interval" to always be
			calculated in hours, even in cases when it should have
			been calculated in days. This has been fixed. (Thanks to
			Tony Finch.) [GL !3735]

5470.	[port]		gsskrb5_register_acceptor_identity() is now only called
			if gssapi_krb5.h is present. [GL #1995]

5469.	[port]		On illumos, a constant called SEC is already defined in
			<sys/time.h>, which conflicts with an identically named
			constant in libbind9. This conflict has been resolved.
			[GL #1993]

5468.	[bug]		Addressed potential double unlock in process_fd().
			[GL #2005]

5467.	[func]		The control channel and the rndc utility have been
			updated to use the new network manager. To support
			this, the network manager was updated to enable
			the initiation of client TCP connections. Its
			internal reference counting has been refactored.

			Note: As a side effect of this change, rndc cannot
			currently be used with UNIX-domain sockets, and its
			default timeout has changed from 60 seconds to 30.
			These will be addressed in a future release.
			[GL #1759]

5466.	[bug]		Addressed an error in recursive clients stats reporting.
			[GL #1719]

5465.	[func]		Added fallback to built-in trust-anchors, managed-keys,
			or trusted-keys if the bindkeys-file (bind.keys) cannot
			be parsed. [GL #1235]

5464.	[bug]		Requesting more than 128 files to be saved when rolling
			dnstap log files caused a buffer overflow. This has been
			fixed. [GL #1989]

5463.	[placeholder]

5462.	[bug]		Move LMDB locking from LMDB itself to named. [GL #1976]

5461.	[bug]		The STALE rdataset header attribute was updated while
			the write lock was not being held, leading to incorrect
			statistics. The header attributes are now converted to
			use atomic operations. [GL #1475]

5460.	[cleanup]	tsig-keygen was previously an alias for
			ddns-confgen and was documented in the ddns-confgen
			man page. This has been reversed; tsig-keygen is
			now the primary name. [GL #1998]

5459.	[bug]		Fixed bad isc_mem_put() size when an invalid type was
			specified in an "update-policy" rule. [GL #1990]

	--- 9.17.3 released ---

5458.	[bug]		Prevent a theoretically possible NULL dereference caused
			by a data race between zone_maintenance() and
			dns_zone_setview_helper(). [GL #1627]

5457.	[placeholder]

5456.	[func]		Added "primaries" as a synonym for "masters" in
			named.conf, and "primary-only" as a synonym for
			"master-only" in the parameters to "notify", to bring
			terminology up-to-date with RFC 8499. [GL #1948]

5455.	[bug]		named could crash when cleaning dead nodes in
			lib/dns/rbtdb.c that were being reused. [GL #1968]

5454.	[bug]		Address a startup crash that occurred when the server
			was under load and the root zone had not yet been
			loaded. [GL #1862]

5453.	[bug]		named crashed on shutdown when a new rndc connection was
			received during shutdown. [GL #1747]

5452.	[bug]		The "blackhole" ACL was accidentally disabled for client
			queries. [GL #1936]

5451.	[func]		Add 'rndc dnssec -status' command. [GL #1612]

5450.	[placeholder]

5449.	[bug]		Fix a socket shutdown race in netmgr udp. [GL #1938]

5448.	[bug]		Fix a race condition in isc__nm_tcpdns_send().
			[GL #1937]

5447.	[bug]		IPv6 addresses ending in "::" could break YAML
			parsing. A "0" is now appended to such addresses
			in YAML output from dig, mdig, delv, and dnstap-read.
			[GL #1952]

5446.	[bug]		The validator could fail to accept a properly signed
			RRset if an unsupported algorithm appeared earlier in
			the DNSKEY RRset than a supported algorithm. It could
			also stop if it detected a malformed public key.
			[GL #1689]

5445.	[cleanup]	Disable and disallow static linking. [GL #1933]

5444.	[bug]		'rndc dnstap -roll <value>' did not limit the number of
			saved files to <value>. [GL !3728]

5443.	[bug]		The "primary" and "secondary" keywords, when used
			as parameters for "check-names", were not
			processed correctly and were being ignored. [GL #1949]

5442.	[func]		Add support for outgoing TCP connections in netmgr.
			[GL #1958]

5441.	[placeholder]

5440.	[placeholder]

5439.	[bug]		The DS RRset returned by dns_keynode_dsset() was used in
			a non-thread-safe manner. [GL #1926]

	--- 9.17.2 released ---

5438.	[bug]		Fix a race in TCP accepting code. [GL #1930]

5437.	[bug]		Fix a data race in lib/dns/resolver.c:log_formerr().
			[GL #1808]

5436.	[security]	It was possible to trigger an INSIST when determining
			whether a record would fit into a TCP message buffer.
			(CVE-2020-8618) [GL #1850]

5435.	[tests]		Add RFC 4592 responses examples to the wildcard system
			test. [GL #1718]

5434.	[security]	It was possible to trigger an INSIST in
			lib/dns/rbtdb.c:new_reference() with a particular zone
			content and query patterns. (CVE-2020-8619) [GL #1111]
			[GL #1718]

5433.	[placeholder]

5432.	[bug]		Check the question section when processing AXFR, IXFR,
			and SOA replies when transferring a zone in. [GL #1683]

5431.	[func]		Reject DS records at the zone apex when loading
			master files. Log but otherwise ignore attempts to
			add DS records at the zone apex via UPDATE. [GL #1798]

5430.	[doc]		Update docs - with netmgr, a separate listening socket
			is created for each IPv6 interface (just as with IPv4).
			[GL #1782]

5429.	[cleanup]	Move BIND binaries which are neither daemons nor
			administrative programs to $bindir. [GL #1724]

5428.	[bug]		Clean up GSSAPI resources in nsupdate only after taskmgr
			has been destroyed. Thanks to Petr Menšík. [GL !3316]

5427.	[placeholder]

5426.	[bug]		Don't abort() when setting SO_INCOMING_CPU on the socket
			fails. [GL #1911]

5425.	[func]		The default value of "max-stale-ttl" has been changed
			from 1 week to 12 hours. [GL #1877]

5424.	[bug]		With KASP, when creating a successor key, the "goal"
			state of the current active key (predecessor) was not
			changed and thus never removed from the zone. [GL #1846]

5423.	[bug]		Fix a bug in keymgr_key_has_successor(): it incorrectly
			returned true if any other key in the keyring had a
			successor. [GL #1845]

5422.	[bug]		When using dnssec-policy, print correct key timing
			metadata. [GL #1843]

5421.	[bug]		Fix a race that could cause named to crash when looking
			up the nodename of an RBT node if the tree was modified.
			[GL #1857]

5420.	[bug]		Add missing isc_{mutex,conditional}_destroy() calls
			that caused a memory leak on FreeBSD. [GL #1893]

5419.	[func]		Add new dig command line option, "+qid=<num>", which
			allows the query ID to be set to an arbitrary value.
			Add a new ./configure option, --enable-singletrace,
			which allows trace logging of a single query when QID is
			set to 0. [GL #1851]

5418.	[bug]		delv failed to parse deprecated trusted-keys-style
			trust anchors. [GL #1860]

5417.	[cleanup]	The code determining the advertised UDP buffer size in
			outgoing EDNS queries has been refactored to improve its
			clarity. [GL #1868]

5416.	[bug]		Fix a lock order inversion in lib/isc/unix/socket.c.
			[GL #1859]

5415.	[test]		Address race in dnssec system test that led to
			test failures. [GL #1852]

5414.	[test]		Adjust time allowed for journal truncation to occur
			in nsupdate system test to avoid test failure.
			[GL #1855]

5413.	[test]		Address race in autosign system test that led to
			test failures. [GL #1852]

5412.	[bug]		'provide-ixfr no;' failed to return up-to-date responses
			when the serial was greater than or equal to the
			current serial. [GL #1714]

5411.	[cleanup]	TCP accept code has been refactored to use a single
			accept() and pass the accepted socket to child threads
			for processing. [GL !3320]

5410.	[func]		Add the ability to specify per-type record count limits,
			which are enforced when adding records via UPDATE, in an
			"update-policy" statement. [GL #1657]

5409.	[performance]	When looking up NSEC3 data in a zone database, skip the
			check for empty non-terminal nodes; the NSEC3 tree does
			not have any. [GL #1834]

5408.	[protocol]	Print Extended DNS Errors if present in OPT record.
			[GL #1835]

5407.	[func]		Zone timers are now exported via statistics channel.
			Thanks to Paul Frieden, Verizon Media. [GL #1232]

5406.	[func]		Add a new logging category, "rpz-passthru", which allows
			RPZ passthru actions to be logged in a separate channel.
			[GL #54]

5405.	[bug]		'named-checkconf -p' could include spurious text in
			server-addresses statements due to an uninitialized DSCP
			value. [GL #1812]

5404.	[bug]		'named-checkconf -z' could incorrectly indicate
			success if errors were found in one view but not in a
			subsequent one. [GL #1807]

5403.	[func]		Do not set UDP receive/send buffer sizes - use system
			defaults. [GL #1713]

5402.	[bug]		On FreeBSD, use SO_REUSEPORT_LB instead of SO_REUSEPORT.
			Enable use of SO_REUSEADDR on all platforms which
			support it. [GL !3365]

5401.	[bug]		The number of input queues allocated during dnstap
			initialization was too low, which could prevent some
			dnstap data from being logged. [GL #1795]

5400.	[func]		Add engine support to OpenSSL EdDSA implementation.
			[GL #1763]

5399.	[func]		Add engine support to OpenSSL ECDSA implementation.
			[GL #1534]

5398.	[bug]		Named could fail to restart if a zone with a double
			quote (") in its name was added with 'rndc addzone'.
			[GL #1695]

5397.	[func]		Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
			Thanks to Aaron Thompson. [GL !3326]

5396.	[func]		When necessary (i.e. in libuv >= 1.37), use the
			UV_UDP_RECVMMSG flag to enable recvmmsg() support in
			libuv. [GL #1797]

5395.	[security]	Further limit the number of queries that can be
			triggered from a request.  Root and TLD servers
			are no longer exempt from max-recursion-queries.
			Fetches for missing name server address records
			are limited to 4 for any domain. (CVE-2020-8616)
			[GL #1388]

5394.	[cleanup]	Named formerly attempted to change the effective UID and
			GID in named_os_openfile(), which could trigger a
			spurious log message if they were already set to the
			desired values. This has been fixed. [GL #1042]
			[GL #1090]

5393.	[cleanup]	Unused and/or redundant APIs were removed from libirs.
			[GL #1758]

5392.	[bug]		It was possible for named to crash during shutdown
			or reconfiguration if an RPZ zone was still being
			updated. [GL #1779]

5391.	[func]		The BIND 9 build system has been changed to use a
			typical autoconf+automake+libtool stack. When building
			from the Git repository, run "autoreconf -fi" first.
			[GL #4]

5390.	[security]	Replaying a TSIG BADTIME response as a request could
			trigger an assertion failure. (CVE-2020-8617)
			[GL #1703]
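
The entry does not say what named's TSIG parser assumed; as an added illustration, not BIND's code, here is the kind of defensive TSIG RDATA check that turns a replayed BADTIME response into a FORMERR instead of an assertion failure. The field layout follows RFC 8945 section 4.2, under which Other Data is only defined for TSIG error BADTIME (18) and then carries the server's 6-octet time. Treating a request that arrives with a server error code or Other Data as malformed is this example's policy; the algorithm name, timestamps, IDs and sample records are constructed.

```python
import struct
from typing import Tuple

TSIG_BADTIME = 18          # RFC 8945 4.2 error code
BADTIME_OTHER_LEN = 6      # Other Data = server's 48-bit time, BADTIME only


def encode_name(name: str) -> bytes:
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def decode_plain_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Uncompressed labels only: names inside TSIG RDATA are never compressed."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels).lower() + ".", off
        if n & 0xC0 or off + n > len(buf):
            raise ValueError("bad label")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def build_tsig_rdata(alg: str, time_signed: int, fudge: int, mac: bytes,
                     orig_id: int, error: int = 0, other: bytes = b"") -> bytes:
    """Assemble TSIG RDATA in the RFC 8945 4.2 layout (constructed input)."""
    return (encode_name(alg) + time_signed.to_bytes(6, "big")
            + struct.pack("!HH", fudge, len(mac)) + mac
            + struct.pack("!HHH", orig_id, error, len(other)) + other)


def parse_tsig_rdata(rdata: bytes) -> dict:
    """Bounds-checked parse; every length field is verified against RDLENGTH."""
    alg, off = decode_plain_name(rdata, 0)
    if len(rdata) < off + 10:
        raise ValueError("truncated before MAC")
    time_signed = int.from_bytes(rdata[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", rdata[off + 6:off + 10])
    off += 10
    mac = rdata[off:off + mac_size]
    if len(mac) != mac_size:
        raise ValueError("MAC truncated")
    off += mac_size
    if len(rdata) < off + 6:
        raise ValueError("truncated before Other Len")
    orig_id, error, other_len = struct.unpack("!HHH", rdata[off:off + 6])
    off += 6
    other = rdata[off:off + other_len]
    if len(other) != other_len or off + other_len != len(rdata):
        raise ValueError("Other Data length inconsistent with RDLENGTH")
    return {"algorithm": alg, "time_signed": time_signed, "fudge": fudge,
            "mac": mac, "original_id": orig_id, "error": error,
            "other_len": other_len, "other": other}


def check_tsig(rdata: bytes, is_response: bool) -> Tuple[bool, str]:
    """Reject (never assert on) TSIG RDATA whose fields are inconsistent with
    RFC 8945 or with the direction of the message it arrived in."""
    try:
        t = parse_tsig_rdata(rdata)
    except ValueError as exc:
        return False, f"FORMERR: {exc}"
    if t["error"] == TSIG_BADTIME and t["other_len"] != BADTIME_OTHER_LEN:
        return False, f"FORMERR: BADTIME with Other Len {t['other_len']}, expected 6"
    if t["error"] != TSIG_BADTIME and t["other_len"] != 0:
        return False, "FORMERR: Other Data present without BADTIME"
    if not is_response and (t["error"] != 0 or t["other_len"] != 0):
        # A replayed error response: only a server fills these fields, so a
        # request carrying them is refused instead of being processed further.
        return False, "FORMERR: request carries a server error code / Other Data"
    return True, "ok"


# --- constructed samples -------------------------------------------------
ALG = "hmac-sha256."
REQUEST_TSIG = build_tsig_rdata(ALG, 1591000000, 300, bytes(32), 0x4242)
SERVER_TIME = 1591009999
BADTIME_RESPONSE_TSIG = build_tsig_rdata(ALG, 1591000000, 300, b"", 0x4242,
                                         TSIG_BADTIME, SERVER_TIME.to_bytes(6, "big"))
CORRUPT_TSIG = build_tsig_rdata(ALG, 1591000000, 300, b"", 0x4242, TSIG_BADTIME, b"\x00\x01\x02")
TRUNCATED_TSIG = REQUEST_TSIG[:-3]

if __name__ == "__main__":
    print("signed request      ", check_tsig(REQUEST_TSIG, is_response=False))
    print("BADTIME as response ", check_tsig(BADTIME_RESPONSE_TSIG, is_response=True))
    print("BADTIME replayed    ", check_tsig(BADTIME_RESPONSE_TSIG, is_response=False))
    print("BADTIME, 3-byte time", check_tsig(CORRUPT_TSIG, is_response=True))
    print("truncated RDATA     ", check_tsig(TRUNCATED_TSIG, is_response=False))
```

The same bytes are accepted when they arrive as a response and refused when they arrive as a request; the decision is made from the parsed fields and the message direction, so no later code path ever sees a request with a non-zero Other Len.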

5389.	[bug]		Finish PKCS#11 code cleanup, fix a couple of smaller
			bugs and use PKCS#11 v3.0 EdDSA macros and constants.
			Thanks to Aaron Thompson. [GL !3391]

5388.	[func]		Reject AXFR streams where the message ID is not
			consistent. [GL #1674]
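
Added illustration of the two transfer-in checks listed in this file (5432, checking the question section of AXFR, IXFR and SOA replies, and 5388 above, rejecting AXFR streams whose message ID changes): a small pure-Python validator run over constructed wire-format messages. It is not BIND's code; the sample zone, IDs and reject-on-first-mismatch policy are this example's. It follows RFC 5936 section 2.2.1 in requiring the first AXFR message to echo the question and allowing later messages to omit it, but never to change it.

```python
import struct
from typing import List, Optional, Sequence, Tuple

TYPE_A, TYPE_SOA, TYPE_AXFR = 1, 6, 252
CLASS_IN = 1
FLAG_QR, FLAG_AA = 0x8000, 0x0400
Question = Tuple[str, int, int]          # (name, qtype, qclass)
RR = Tuple[str, int, int, bytes]         # (owner, type, ttl, rdata), class IN


def encode_name(name: str) -> bytes:
    """Dotted name -> uncompressed wire-format labels."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; return (lowercase name, offset
    just past the name as it appears at `off`)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length


def parse_header(msg: bytes) -> dict:
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "flags": flags, "rcode": flags & 0xF, "qdcount": qd, "ancount": an}


def parse_question(msg: bytes, off: int) -> Tuple[Question, int]:
    name, off = decode_name(msg, off)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return (name, qtype, qclass), off + 4


def build_message(msg_id: int, flags: int, question: Optional[Question],
                  answers: Sequence[RR] = ()) -> bytes:
    """Assemble header + optional question + class-IN answer RRs (no compression)."""
    body = b""
    if question is not None:
        body += encode_name(question[0]) + struct.pack("!HH", question[1], question[2])
    for owner, rtype, ttl, rdata in answers:
        body += encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", msg_id, flags, 0 if question is None else 1, len(answers), 0, 0) + body


def validate_transfer_stream(query: bytes, responses: List[bytes]) -> Tuple[bool, str]:
    """Accept the stream only if every message echoes the query ID (5388) and
    any question section present is identical to the one sent (5432)."""
    qhdr = parse_header(query)
    sent, _ = parse_question(query, 12)
    for i, resp in enumerate(responses):
        hdr = parse_header(resp)
        if hdr["id"] != qhdr["id"]:
            return False, f"message {i}: ID {hdr['id']:#06x} != query ID {qhdr['id']:#06x}"
        if not hdr["flags"] & FLAG_QR:
            return False, f"message {i}: QR bit clear, not a response"
        if hdr["rcode"] != 0:
            return False, f"message {i}: rcode {hdr['rcode']}"
        if hdr["qdcount"] == 0:
            if i == 0:
                return False, "first message must carry the question section"
            continue                      # later messages may omit it (RFC 5936 2.2.1)
        if hdr["qdcount"] != 1:
            return False, f"message {i}: QDCOUNT {hdr['qdcount']} != 1"
        got, _ = parse_question(resp, 12)
        if got != sent:
            return False, f"message {i}: question {got} != sent {sent}"
    return True, f"{len(responses)} message(s) accepted"


# --- constructed sample stream for example.com. ---------------------------
ZONE_Q: Question = ("example.com.", TYPE_AXFR, CLASS_IN)
SOA_RDATA = (encode_name("ns1.example.com.") + encode_name("hostmaster.example.com.")
             + struct.pack("!IIIII", 2020060101, 3600, 900, 604800, 300))
QUERY = build_message(0x1234, 0, ZONE_Q)
GOOD_STREAM = [
    build_message(0x1234, FLAG_QR | FLAG_AA, ZONE_Q, [("example.com.", TYPE_SOA, 3600, SOA_RDATA)]),
    build_message(0x1234, FLAG_QR | FLAG_AA, None, [("www.example.com.", TYPE_A, 300, bytes([192, 0, 2, 10]))]),
    build_message(0x1234, FLAG_QR | FLAG_AA, None, [("example.com.", TYPE_SOA, 3600, SOA_RDATA)]),
]
# a message with a different ID spliced into the stream (5388)
ID_SPLICED = GOOD_STREAM[:1] + [build_message(0x1235, FLAG_QR | FLAG_AA, None,
                                              [("www.example.com.", TYPE_A, 300, bytes([192, 0, 2, 99]))])]
# first message answers a different question than the one sent (5432)
WRONG_QUESTION = [build_message(0x1234, FLAG_QR | FLAG_AA, ("other.example.", TYPE_AXFR, CLASS_IN),
                                [("other.example.", TYPE_SOA, 3600, SOA_RDATA)])]

if __name__ == "__main__":
    for label, stream in (("good", GOOD_STREAM), ("id-spliced", ID_SPLICED), ("wrong-question", WRONG_QUESTION)):
        print(label, validate_transfer_stream(QUERY, stream))
```

A message that does not match what was asked for must not be merged into the zone, however it got onto the socket; TSIG on the transfer authenticates the peer, while these two header-level checks are the cheap first line against a stray or injected message being accepted as part of the zone.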

5387.	[placeholder]

5386.	[cleanup]	Address Coverity warnings in lib/dns/keymgr.c.
			[GL #1737]

5385.	[func]		Make ISC rwlock implementation the default again.
			[GL #1753]

5384.	[bug]		With "dnssec-policy" in effect, "inline-signing" was
			implicitly set to "yes". Now "inline-signing" is only
			set to "yes" if the zone is not dynamic. [GL #1709]

	--- 9.17.1 released ---

5383.	[func]		Add a quota attach function with a callback and clean up
			the isc_quota API. [GL !3280]

5382.	[bug]		Use clock_gettime() instead of gettimeofday() for
			isc_stdtime() function. [GL #1679]

5381.	[bug]		Fix logging API data race by adding rwlock and caching
			logging levels in stdatomic variables to restore
			performance to original levels. [GL #1675] [GL #1717]

5380.	[contrib]	Fix building MySQL DLZ modules against MySQL 8
			libraries. [GL #1678]

5379.	[placeholder]

5378.	[bug]		Receiving invalid DNS data was triggering an assertion
			failure in nslookup. [GL #1652]

5377.	[placeholder]

5376.	[bug]		Fix ineffective DNS rebinding protection when BIND is
			configured as a forwarding DNS server. Thanks to Tobias
			Klein. [GL #1574]
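
As an added illustration, not BIND's code (the entry does not describe the internals), here is an answer-address filter of the kind named's deny-answer-addresses / except-from options provide, written to take only the parsed answer section: the point of the fix is that this check has to run on every response the server accepts, whether obtained by recursing itself or handed back by a forwarder. The deny list, the corp.example. exemption and the records are constructed; matching except-from against the owner name of the address record is this example's reading of the option, so check the ARM for the exact name named compares.

```python
import ipaddress
from typing import Iterable, Tuple

Record = Tuple[str, str, str]   # (owner name, type, rdata as text), constructed

# Ranges a public name must never resolve to (a typical
# deny-answer-addresses { ... } list; adjust to your own network).
DENY_ANSWER_ADDRESSES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
# Names under which private addresses are legitimate (except-from { ... }).
EXCEPT_FROM = ("corp.example.",)


def canon(name: str) -> str:
    name = name.lower()
    return name if name.endswith(".") else name + "."


def name_under(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is a subdomain of it (label-aligned)."""
    name, zone = canon(name), canon(zone)
    return name == zone or name.endswith("." + zone)


def check_answer_addresses(answers: Iterable[Record],
                           deny=DENY_ANSWER_ADDRESSES,
                           except_from=EXCEPT_FROM) -> Tuple[bool, str]:
    """Return (accept, reason).  One A/AAAA record in a denied range whose
    owner is not under an except-from name rejects the whole response, so a
    public hostname cannot be re-pointed at the resolver's own network."""
    for owner, rtype, rdata in answers:
        if rtype not in ("A", "AAAA"):
            continue                       # CNAME, MX, TXT ... carry no address
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            return False, f"{owner} {rtype}: unparseable address {rdata!r}"
        denied = any(addr in net for net in deny)
        exempt = any(name_under(owner, z) for z in except_from)
        if denied and not exempt:
            return False, f"{owner} {rtype} {rdata} is in a denied range; rejecting response"
    return True, "accepted"


# --- constructed answer sections ----------------------------------------
REBINDING = [("app.attacker.example.", "A", "10.0.0.5")]
EXEMPT = [("printer.corp.example.", "A", "10.1.2.3")]
NORMAL = [("www.example.com.", "CNAME", "web.example.com."),
          ("web.example.com.", "A", "192.0.2.1")]
REBIND_V6 = [("x.attacker.example.", "AAAA", "fd00::1")]
LOOPBACK_VIA_CNAME = [("login.attacker.example.", "CNAME", "home.attacker.example."),
                      ("home.attacker.example.", "AAAA", "::1")]

if __name__ == "__main__":
    for label, ans in (("rebinding", REBINDING), ("exempt", EXEMPT), ("normal", NORMAL),
                       ("rebinding-v6", REBIND_V6), ("loopback-via-cname", LOOPBACK_VIA_CNAME)):
        print(f"{label:20s}", check_answer_addresses(ans))
```

Because the function sees the answer section and nothing about where it came from, wiring it in after the forwarder path as well as after iterative resolution is a one-line change; the bug the entry fixes is exactly the case where one of those two paths skipped it.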

5375.	[test]		Fix timing issues in the "kasp" system test. [GL #1669]

5374.	[bug]		Statistics counters tracking recursive clients and
			active connections could underflow. [GL #1087]

5373.	[bug]		Collecting statistics for DNSSEC signing operations
			(change 5254) caused an array of significant size (over
			100 kB) to be allocated for each configured zone. Each
			of these arrays is tracking all possible key IDs; this
			could trigger an out-of-memory condition on servers with
			a high enough number of zones configured. Fixed by
			tracking up to four keys per zone and rotating counters
			when keys are replaced. This fixes the immediate problem
			of high memory usage, but should be improved in a future
			release by growing or shrinking the number of keys to
			track upon key rollover events. [GL #1179]

5372.	[bug]		Fix migration from existing DNSSEC key files
			("auto-dnssec maintain") to "dnssec-policy". [GL #1706]

5371.	[bug]		Improve incremental updates of the RPZ summary
			database to reduce delays that could occur when
			a policy zone update included a large number of
			record deletions. [GL #1447]

5370.	[bug]		Deactivation of a netmgr handle associated with a
			socket could be skipped in some circumstances.
			Fixed by deactivating the netmgr handle before
			scheduling the asynchronous close routine. [GL #1700]

5369.	[func]		Add the ability to specify whether to wait for
			nameserver domain names to be looked up, with a new RPZ
			modifying directive 'nsdname-wait-recurse'. [GL #1138]

5368.	[bug]		Named failed to restart if 'rndc addzone' names
			contained special characters (e.g. '/'). [GL #1655]

5367.	[placeholder]

	--- 9.17.0 released ---

5366.	[bug]		Fix a race condition with the keymgr when the same
			zone plus dnssec-policy is configured in multiple
			views. [GL #1653]

5365.	[bug]		Algorithm rollover was stuck on submitting DS
			because keymgr thought it would move to an invalid
			state.  Fixed by checking the current key against
			the desired state, not the existing state. [GL #1626]

5364.	[bug]		Algorithm rollover waited too long before introducing
			zone signatures.  It waited to make sure all signatures
			were regenerated, but when introducing a new algorithm,
			all signatures are regenerated immediately.  Only
			add the sign delay if there is a predecessor key.
			[GL #1625]

5363.	[bug]		When changing a dnssec-policy, existing keys with
			properties that no longer match were not being retired.
			[GL #1624]

5362.	[func]		Limit the size of IXFR responses so that AXFR will
			be used instead if it would be smaller. This is
			controlled by the "max-ixfr-ratio" option, which
			is a percentage representing the ratio of IXFR size
			to the size of the entire zone. This value cannot
			exceed 100%, which is the default. [GL #1515]

5361.	[bug]		named might not accept new connections after
			hitting tcp-clients quota. [GL #1643]

5360.	[bug]		delv could fail to load trust anchors in DNSKEY
			format. [GL #1647]

5359.	[func]		"rndc nta -d" and "rndc secroots" now include
			"validate-except" entries when listing negative
			trust anchors. These are indicated by the keyword
			"permanent" in place of an expiry date. [GL #1532]

5358.	[bug]		Inline master zones whose master files were touched
			but otherwise unchanged and were subsequently reloaded
			may have stopped re-signing. [GL !3135]

5357.	[bug]		Newly added RRSIG records with expiry times before
			the previous earliest expiry times might not be
			re-signed in time.  This was a side effect of 5315.
			[GL !3137]

5356.	[func]		Update dnssec-policy configuration statements:
			- Rename "zone-max-ttl" dnssec-policy option to
			  "max-zone-ttl" for consistency with the existing
			  zone option.
			- Allow for "lifetime unlimited" as a synonym for