3 --- 9.9.8rc1 released ---
5 4193. [bug] Handle broken servers that return BADVERS incorrectly.
8 4192. [bug] The default rrset-order of random was not always being
11 4191. [protocol] Accept DNS-SD non LDH PTR records in reverse zones
12 as per RFC 6763. [RT #37889]
14 4190. [protocol] Accept Active Diretory gc._msdcs.<forest> name as
15 valid with check-names. <forest> still needs to be
18 4189. [cleanup] Don't exit on overly long tokens in named.conf.
21 4188. [bug] Support HTTP/1.0 client properly on the statistics
24 4187. [func] When any RR type implementation doesn't
25 implement totext() for the RDATA's wire
26 representation and returns ISC_R_NOTIMPLEMENTED,
27 such RDATA is now printed in unknown
28 presentation format (RFC 3597). RR types affected
29 include LOC(29) and APL(42). [RT #40317].
31 4183. [cleanup] Use timing-safe memory comparisons in cryptographic
32 code. Also, the timing-safe comparison functions have
33 been renamed to avoid possible confusion with
34 memcmp(). Thanks to Loganaden Velvindron of
37 4182. [cleanup] Use mnemonics for RR class and type comparisons.
40 4181. [bug] Queued notify messages could be dequeued from the
41 wrong rate limiter queue. [RT #40350]
43 4179. [bug] Fix double frees in getaddrinfo() in libirs.
46 4178. [bug] Fix assertion failure in parsing UNSPEC(103) RR from
49 4177. [bug] Fix assertion failure in parsing NSAP records from
52 4176. [bug] Address race issues with lwresd. [RT #40284]
54 4175. [bug] TKEY with GSS-API keys needed bigger buffers.
57 4174. [bug] "dnssec-coverage -r" didn't handle time unit
58 suffixes correctly. [RT #38444]
60 4173. [bug] dig +sigchase was not properly matching the trusted
63 4172. [bug] Named / named-checkconf didn't handle a view of CLASS0.
66 4171. [bug] Fixed incorrect class checks in TSIG RR
67 implementation. [RT #40287]
69 4170. [security] An incorrect boundary check in the OPENPGPKEY
70 rdatatype could trigger an assertion failure.
71 (CVE-2015-5986) [RT #40286]
73 4169. [test] Added a 'wire_test -d' option to read input as
74 raw binary data, for use as a fuzzing harness.
77 4168. [security] A buffer accounting error could trigger an
78 assertion failure when parsing certain malformed
79 DNSSEC keys. (CVE-2015-5722) [RT #40212]
81 --- 9.9.8b1 released ---
83 4165. [security] A failure to reset a value to NULL in tkey.c could
84 result in an assertion failure. (CVE-2015-5477)
87 4164. [bug] Don't rename slave files and journals on out of memory.
90 4163. [bug] Address compiler warnings. [RT #40024]
92 4162. [bug] httpdmgr->flags was not being initialized. [RT #40017]
94 4159. [cleanup] Alphabetize dig's help output. [RT #39966]
96 4158. [protocol] Support the printing of EDNS COOKIE and EXPIRE options.
99 4154. [bug] A OPT record should be included with the FORMERR
100 response when there is a malformed EDNS option.
103 4153. [bug] Check that non significant ECS bits are zero on
106 4151. [bug] 'rndc flush' could cause a deadlock. [RT #39835]
108 4150. [bug] win32: listen-on-v6 { any; }; was not working. Apply
109 minimal fix. [RT #39667]
111 4149. [bug] Fixed a race condition in the getaddrinfo()
112 implementation in libirs. [RT #39899]
114 4148. [bug] Fix a bug when printing zone names with '/' character
115 in XML and JSON statistics output. [RT #39873]
117 4147. [bug] Filter-aaaa / filter-aaaa-on-v4 / filter-aaaa-on-v6
118 was returning referrals rather than nodata responses
119 when the AAAA records were filtered. [RT #39843]
121 4146. [bug] Address reference leak that could prevent a clean
122 shutdown. [RT #37125]
124 4145. [bug] Not all unassociated adb entries where being printed.
127 4143. [bug] serial-query-rate was not effective for notify.
130 4142. [bug] rndc addzone with view specified saved NZF config
131 that could not be read back by named. This has now
132 been fixed. [RT #39845]
134 4138. [security] An uninitialized value in validator.c could result
135 in an assertion failure. (CVE-2015-4620) [RT #39795]
137 4137. [bug] Make rndc reconfig report configuration errors the
138 same way rndc reload does. [RT #39635]
140 4132. [cleanup] dig: added +rd as a synonym for +recurse,
141 added +class as an unabbreviated alternative
144 4130. [bug] The compatibility shim for *printf() misprinted some
145 large numbers. [RT #39586]
147 4129. [port] Address API changes in OpenSSL 1.1.0. [RT #39532]
149 4128. [bug] Address issues raised by Coverity 7.6. [RT #39537]
151 4127. [protocol] CDS and CDNSKEY need to be signed by the key signing
152 key as per RFC 7344, Section 4.1. [RT #37215]
154 4123. [port] Added %z (size_t) format options to the portable
155 internal printf/sprintf implementation. [RT #39586]
157 4118. [bug] Teach isc-config.sh about irs. [RT #39213]
159 4117. [protocol] Add EMPTY.AS112.ARPA as per RFC 7534.
161 4113. [test] Check for Net::DNS is some system test
162 prerequisites. [RT #39369]
164 4112. [bug] Named failed to load when "root-delegation-only"
165 was used without a list of domains to exclude.
168 4111. [doc] Alphabetize rndc man page. [RT #39360]
170 4110. [bug] Address memory leaks / null pointer dereferences
171 on out of memory. [RT #39310]
173 4109. [port] linux: support reading the local port range from
174 net.ipv4.ip_local_port_range. [RT # 39379]
176 4107. [bug] Address potential deadlock when updating zone content.
179 4106. [port] Improve readline support. [RT #38938]
181 4105. [port] Misc fixes for Microsoft Visual Studio
182 2015 CTP6 in 64 bit mode. [RT #39308]
184 4104. [bug] Address uninitialized elements. [RT #39252]
186 4102. [bug] Fix a use after free bug introduced in change
189 4101. [bug] dig: the +split option didn't work with +short.
192 4100. [bug] Inherited owernames on the line immediately following
193 a $INCLUDE were not working. [RT #39268]
195 4099. [port] clang: make unknown commandline options hard errors
196 when determining what options are supported.
199 4098. [bug] Address use-after-free issue when using a
200 predecessor key with dnssec-settime. [RT #39272]
202 4097. [func] Add additional logging about xfrin transfer status.
205 4096. [bug] Fix a use after free of query->sendevent.
208 4094. [bug] A race during shutdown or reconfiguration could
209 cause an assertion in mem.c. [RT #38979]
211 4091. [cleanup] Some cleanups in isc mem code. [RT #38896]
213 4090. [bug] Fix a crash while parsing malformed CAA RRs in
214 presentation format, i.e., from text such as
215 from master files. Thanks to John Van de
216 Meulebrouck Brendgard for discovering and
217 reporting this problem. [RT #39003]
219 4089. [bug] Send notifies immediately for slave zones during
222 4088. [port] Fixed errors when building with libressl. [RT #38899]
224 4087. [bug] Fix a crash due to use-after-free due to sequencing
225 of tasks actions. [RT #38495]
227 4085. [bug] ISC_PLATFORM_HAVEXADDQ could be inconsistently set.
230 4084. [bug] Fix a possible race in updating stats counters.
233 4082. [bug] Incrementally sign large inline zone deltas.
236 4081. [cleanup] Use dns_rdatalist_init consistently. [RT #38759]
238 4077. [test] Add static-stub regression test for DS NXDOMAIN
239 return making the static stub disappear. [RT #38564]
241 4076. [bug] Named could crash on shutdown with outstanding
242 reload / reconfig events. [RT #38622]
244 4075. [bug] Increase nsupdate's input buffer to accomodate
245 very large RRs. [RT #38689]
247 4074. [cleanup] Cleaned up more warnings from gcc -Wshadow. [RT #38708]
249 4073. [cleanup] Add libjson-c version number reporting to
250 "named -V"; normalize version number formatting.
253 4072. [func] Add a --enable-querytrace configure switch for
254 very verbose query trace logging. (This option
255 has a negative performance impact and should be
256 used only for debugging.) [RT #37520]
258 4070. [bug] Fix a segfault in nslookup in a query such as
259 "nslookup isc.org AMS.SNS-PB.ISC.ORG -all".
262 4069. [doc] Reorganize options in the nsupdate man page.
265 4067. [cleanup] Reduce noise from RRL when query logging is
266 disabled. [RT #38648]
268 4066. [doc] Reorganize options in the dig man page. [RT #38516]
270 4064. [contrib] dnssec-keyset.sh: Generates a specified number
271 of DNSSEC keys with timing set to implement a
272 pre-publication key rollover strategy. Thanks
273 to Jeffry A. Spain. [RT #38459]
275 4063. [bug] Asynchronous zone loads were not handled
276 correctly when the zone load was already in
277 progress; this could trigger a crash in zt.c.
280 4062. [bug] Fix an out-of-bounds read in RPZ code. If the
281 read succeeded, it doesn't result in a bug
282 during operation. If the read failed, named
283 could segfault. [RT #38559]
285 3938. [func] Added quotas to be used in recursive resolvers
286 that are under high query load for names in zones
287 whose authoritative servers are nonresponsive or
288 are experiencing a denial of service attack.
290 - "fetches-per-server" limits the number of
291 simultaneous queries that can be sent to any
292 single authoritative server. The configured
293 value is a starting point; it is automatically
294 adjusted downward if the server is partially or
295 completely non-responsive. The algorithm used to
296 adjust the quota can be configured via the
297 "fetch-quota-params" option.
298 - "fetches-per-zone" limits the number of
299 simultaneous queries that can be sent for names
300 within a single domain. (Note: Unlike
301 "fetches-per-server", this value is not
303 - New stats counters have been added to count
304 queries spilled due to these quotas.
306 These options are not available by default;
307 use "configure --enable-fetchlimit" (or
308 --enable-developer) to include them in the build.
310 See the ARM for details of these options. [RT #37125]
312 3937. [func] Added some debug logging to better indicate the
313 conditions causing SERVFAILs when resolving.
316 --- 9.9.7 released ---
318 --- 9.9.7rc2 released ---
320 4061. [bug] Handle timeout in legacy system test. [RT #38573]
322 4060. [bug] dns_rdata_freestruct could be called on a
323 uninitialized structure when handling a error.
326 4059. [bug] Addressed valgrind warnings. [RT #38549]
328 4058. [bug] UDP dispatches could use the wrong pseudorandom
329 number generator context. [RT #38578]
331 4056. [bug] Fixed several small bugs in automatic trust anchor
332 management, including a memory leak and a possible
333 loss of key state information. [RT #38458]
335 4057. [bug] 'dnssec-dsfromkey -T 0' failed to add ttl field.
338 4053. [security] Revoking a managed trust anchor and supplying
339 an untrusted replacement could cause named
340 to crash with an assertion failure.
341 (CVE-2015-1349) [RT #38344]
343 4052. [bug] Fix a leak of query fetchlock. [RT #38454]
345 4050. [bug] RPZ could send spurious SERVFAILs in response
346 to duplicate queries. [RT #38510]
348 4049. [bug] CDS and CDNSKEY had the wrong attributes. [RT #38491]
350 4048. [bug] adb hash table was not being grown. [RT #38470]
352 --- 9.9.7rc1 released ---
354 4047. [cleanup] "named -V" now reports the current running versions
355 of OpenSSL and the libxml2 libraries, in addition to
356 the versions that were in use at build time.
358 4046. [bug] Accounting of "total use" in memory context
359 statistics was not correct. [RT #38370]
361 4045. [bug] Skip to next master on dns_request_createvia4 failure.
364 4044. [bug] Change 3955 was not complete, resulting in an assertion
365 failure if the timing was just right. [RT #38352]
367 4039. [cleanup] Cleaned up warnings from gcc -Wshadow. [RT #37381]
369 4038. [bug] Add 'rpz' flag to node and use it to determine whether
370 to call dns_rpz_delete. This should prevent unbalanced
371 add / delete calls. [RT #36888]
373 4037. [bug] also-notify was ignoring the tsig key when checking
374 for duplicates resulting in some expected notify
375 messages not being sent. [RT #38369]
377 4035. [bug] Close temporary and NZF FILE pointers before moving
378 the former into the latter's place, as required on
381 4032. [bug] Built-in "empty" zones did not correctly inherit the
382 "allow-transfer" ACL from the options or view.
385 4031. [bug] named-checkconf -z failed to report a missing file
386 with a hint zone. [RT #38294]
388 4028. [bug] $GENERATE with a zero step was not being caught as a
389 error. A $GENERATE with a / but no step was not being
390 caught as a error. [RT #38262]
392 3973. [test] Added hooks for Google Performance Tools CPU profiler,
393 including real-time/wall-clock profiling. Use
394 "configure --with-gperftools-profiler" to enable.
397 --- 9.9.7b1 released ---
399 4027. [port] Net::DNS 0.81 compatibility. [RT #38165]
401 4026. [bug] Fix RFC 3658 reference in dig +sigchase. [RT #38173]
403 4025. [port] bsdi: failed to build. [RT #38047]
405 4024. [bug] dns_rdata_opt_first, dns_rdata_opt_next,
406 dns_rdata_opt_current, dns_rdata_txt_first,
407 dns_rdata_txt_next and dns_rdata_txt_current were
408 documented but not implemented. These have now been
411 dns_rdata_spf_first, dns_rdata_spf_next and
412 dns_rdata_spf_current were documented but not
413 implemented. The prototypes for these
414 functions have been removed. [RT #38068]
416 4023. [bug] win32: socket handling with explicit ports and
417 invoking named with -4 was broken for some
418 configurations. [RT #38068]
420 4021. [bug] Adjust max-recursion-queries to accommodate
421 the need for more queries when the cache is
424 4020. [bug] Change 3736 broke nsupdate's SOA MNAME discovery
425 resulting in updates being sent to the wrong server.
428 4019. [func] If named is not configured to validate the answer
429 then allow fallback to plain DNS on timeout even
430 when we know the server supports EDNS. [RT #37978]
432 4018. [bug] Fall back to plain DNS when EDNS queries are being
433 dropped was failing. [RT #37965]
435 4017. [test] Add system test to check lookups to legacy servers
436 with broken DNS behavior. [RT #37965]
438 4016. [bug] Fix a dig segfault due to bad linked list usage.
441 4015. [bug] Nameservers that are skipped due to them being
442 CNAMEs were not being logged. They are now logged
443 to category 'cname' as per BIND 8. [RT #37935]
445 4014. [bug] When including a master file origin_changed was
446 not being properly set leading to a potentially
447 spurious 'inherited owner' warning. [RT #37919]
449 4012. [bug] Check returned status of OpenSSL digest and HMAC
450 functions when they return one. Note this applies
451 only to FIPS capable OpenSSL libraries put in
452 FIPS mode and MD5. [RT #37944]
454 4011. [bug] master's list port inheritance was not properly
455 implemented. [RT #37792]
457 4007. [doc] Remove acl forward reference restriction. [RT #37772]
459 4006. [security] A flaw in delegation handling could be exploited
460 to put named into an infinite loop. This has
461 been addressed by placing limits on the number
462 of levels of recursion named will allow (default 7),
463 and the number of iterative queries that it will
464 send (default 50) before terminating a recursive
465 query (CVE-2014-8500).
467 The recursion depth limit is configured via the
468 "max-recursion-depth" option, and the query limit
469 via the "max-recursion-queries" option. [RT #37580]
471 4004. [bug] When delegations had AAAA glue but not A, a
472 reference could be leaked causing an assertion
473 failure on shutdown. [RT #37796]
475 4000. [bug] NXDOMAIN redirection incorrectly handled NXRRSET
476 from the redirect zone. [RT #37722]
478 3998. [bug] isc_radix_search was returning matches that were
479 too precise. [RT #37680]
481 3997. [protocol] Add OPENGPGKEY record. [RT# 37671]
483 3996. [bug] Address use after free on out of memory error in
484 keyring_add. [RT #37639]
486 3995. [bug] receive_secure_serial holds the zone lock for too
489 3990. [testing] Add tests for unknown DNSSEC algorithm handling.
492 3989. [cleanup] Remove redundant dns_db_resigned calls. [RT #35748]
494 3987. [func] Handle future Visual Studio 14 incompatible changes.
497 3986. [doc] Add the BIND version number to page footers
498 in the ARM. [RT #37398]
500 3985. [doc] Describe how +ndots and +search interact in dig.
503 3982. [doc] Include release notes in product documentation.
506 3981. [bug] Cache DS/NXDOMAIN independently of other query types.
509 3978. [test] Added a unit test for Diffie-Hellman key
510 computation, completing change #3974. [RT #37477]
512 3976. [bug] When refreshing managed-key trust anchors, clear
513 any cached trust so that they will always be
514 revalidated with the current set of secure
517 3974. [bug] Handle DH_compute_key() failure correctly in
518 openssldh_link.c. [RT #37477]
520 3972. [bug] Fix host's usage statement. [RT #37397]
522 3971. [bug] Reduce the cascading failures due to a bad $TTL line
523 in named-checkconf / named-checkzone. [RT #37138]
525 3970. [contrib] Fixed a use after free bug in the SDB LDAP driver.
528 3968. [bug] Silence spurious log messages when using 'named -[46]'.
531 3967. [test] Add test for inlined signed zone in multiple views
532 with different DNSKEY sets. [RT #35759]
534 3966. [bug] Missing dns_db_closeversion call in receive_secure_db.
537 3962. [bug] 'dig +topdown +trace +sigchase' address unhandled error
538 conditions. [RT #34663]
540 3961. [bug] Forwarding of SIG(0) signed UPDATE messages failed with
543 3960. [bug] 'dig +sigchase' could loop forever. [RT #37220]
545 3959. [bug] Updates could be lost if they arrived immediately
546 after a rndc thaw. [RT #37233]
548 3958. [bug] Detect when writeable files have multiple references
549 in named.conf. [RT #37172]
551 3957. [bug] "dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256
552 and ECDSAP384SHA384. [RT #37183]
554 3955. [bug] Notify messages due to changes are no longer queued
555 behind startup notify messages. [RT #24454]
557 3954. [bug] Unchecked mutex init in dlz_dlopen_driver.c [RT #37112]
559 3953. [bug] Don't escape semi-colon in TXT fields. [RT #37159]
561 3952. [bug] dns_name_fullcompare failed to set *nlabelsp when the
562 two name pointers were the same. [RT #37176]
564 --- 9.9.6 released ---
566 3950. [port] Changed the bin/python Makefile to work around a
567 bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993]
569 --- 9.9.6rc2 released ---
571 3947. [cleanup] Set the executable bit on libraries when using
574 3946. [cleanup] Improved "configure" search for a python interpreter.
577 3945. [bug] Invalid wildcard expansions could be incorrectly
578 accepted by the validator. [RT #37093]
580 3944. [test] Added a regression test for "server-id". [RT #37057]
582 3942. [bug] Wildcard responses from a optout range should be
583 marked as insecure. [RT #37072]
585 3941. [doc] Include the BIND version number in the ARM. [RT #37067]
587 --- 9.9.6rc1 released ---
589 3933. [bug] Corrected the implementation of dns_rdata_casecompare()
590 for the HIP rdata type. [RT #36911]
592 3932. [test] Improved named-checkconf tests. [RT #36911]
594 3931. [cleanup] Cleanup how dlz grammar is defined. [RT #36879]
596 3929. [bug] 'host -a' needed to clear idnoptions. [RT #36963]
598 3928. [test] Improve rndc system test. [RT #36898]
600 3925. [bug] DS lookup of RFC 1918 empty zones failed. [RT #36917]
602 3924. [bug] Improve 'rndc addzone' error reporting. [RT #35187]
604 3923. [bug] Sanity check the xml2-config output. [RT #22246]
606 3922. [bug] When resigning, dnssec-signzone was removing
607 all signatures from delegation nodes. It now
608 retains DS and (if applicable) NSEC signatures.
611 3921. [bug] AD was inappropriately set on RPZ responses. [RT #36833]
613 3919. [bug] dig: continue to next line if a address lookup fails
614 in batch mode. [RT #36755]
616 3918. [doc] Update check-spf documentation. [RT #36910]
618 3917. [bug] dig, nslookup and host now continue on names that are
619 too long after applying a search list elements.
622 3916. [contrib] zone2sqlite checked wrong result code. Address
623 compiler warnings. [RT #36931]
625 --- 9.9.6b2 released ---
627 3914. [bug] Allow the URI target and CAA value fields to
628 be zero length. [RT #36737]
630 3913. [bug] Address race issue in dispatch. [RT #36731]
632 3910. [bug] Fix races to free event during shutdown. [RT #36720]
634 3909. [bug] When computing the number of elements required for a
635 acl count_acl_elements could have a short count leading
636 to a assertion failure. Also zero out new acl elements
637 in dns_acl_merge. [RT #36675]
639 3908. [bug] rndc now differentiates between a zone in multiple
640 views and a zone that doesn't exist at all. [RT #36691]
642 3907. [cleanup] Alphabetize rndc help. [RT #36683]
644 3906. [protocol] Update URI record format to comply with
645 draft-faltstrom-uri-08. [RT #36642]
647 3905. [bug] Address deadlock between view.c and adb.c. [RT #36341]
649 3904. [func] Add the RPZ SOA to the additional section. [RT36507]
651 3903. [bug] Improve the accuracy of DiG's reported round trip
654 3902. [bug] liblwres wasn't handling link-local addresses in
655 nameserver clauses in resolv.conf. [RT #36039]
657 3901. [protocol] Added support for CAA record type (RFC 6844).
660 3900. [bug] Fix a crash in PostgreSQL DLZ driver. [RT #36637]
662 3899. [bug] "request-ixfr" is only applicable to slave and redirect
665 3898. [bug] Too small a buffer in tohexstr() calls in test code.
668 3894. [bug] Buffers in isc_print_vsnprintf were not properly
669 initialized leading to potential overflows when
670 printing out quad values. [RT #36505]
672 3892. [bug] Setting '-t aaaa' in .digrc had unintended side
675 3891. [bug] Use ${INSTALL_SCRIPT} rather than ${INSTALL_PROGRAM}
676 to install python programs.
678 3890. [bug] RRSIG sets that were not loaded in a single transaction
679 at start up where not being correctly added to
680 re-signing heaps. [RT #36302]
682 3889. [port] hurd: configure fixes as per:
683 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746540
685 3887. [cleanup] Make all static symbols in rbtdb64 end in "64" so
686 they are easier to use in a debugger. [RT #36373]
688 --- 9.9.6b1 released ---
690 3885. [port] Use 'open()' rather than 'file()' to open files in
693 3884. [protocol] Add CDS and CDNSKEY record types. [RT #36333]
695 3881. [bug] Address memory leak with UPDATE error handling.
698 3880. [test] Update ans.pl to work with new TSIG support in
699 Net::DNS; add additional Net::DNS version prerequisite
702 3879. [func] Add version printing option to various BIND utilities.
705 3878. [bug] Using the incorrect filename for a DLZ module
706 caused a segmentation fault on startup. [RT #36286]
708 3874. [test] Check that only "check-names master" is needed for
709 updates to be accepted.
711 3873. [protocol] Only warn for SPF without TXT spf record. [RT #36210]
713 3872. [bug] Address issues found by static analysis. [RT #36209]
715 3871. [bug] Don't publish an activated key automatically before
716 its publish time. [RT #35063]
722 3868. [bug] isc_mem_setwater incorrectly cleared hi_called
723 potentially leaving over memory cleaner running.
726 3866. [bug] Named could die on disk full in generate_session_key.
729 3864. [bug] RPZ didn't work well when being used as forwarder.
732 3862. [cleanup] Return immediately if we are not going to log the
733 message in ns_client_dumpmessage.
735 3861. [bug] Benign missing isc_buffer_availablelength check in
736 dns_message_pseudosectiontotext. [RT #36078]
738 3860. [bug] ioctl(DP_POLL) array size needs to be determined
739 at run time as it is limited to {OPEN_MAX}.
742 3858. [bug] Disable GCC 4.9 "delete null pointer check".
745 3857. [bug] Make it harder for a incorrect NOEDNS classification
746 to be made. [RT #36020]
748 3855. [bug] Limit smoothed round trip time aging to no more than
749 once a second. [RT #32909]
751 3854. [cleanup] Report unrecognized options, if any, in the final
752 configure summary. [RT #36014]
754 3853. [cleanup] Refactor dns_rdataslab_fromrdataset to separate out
755 the handling of a rdataset with no records. [RT #35968]
757 3849. [doc] Alphabetized dig's +options. [RT #35992]
759 3847. [bug] 'configure --with-dlz-postgres' failed to fail when
760 there is not support available.
762 3846. [bug] "dig +notcp ixfr=<serial>" should result in a UDP
763 ixfr query. [RT #35980]
765 3844. [bug] Use the x64 version of the Microsoft Visual C++
766 Redistributable when built for 64 bit Windows.
769 3843. [protocol] Check EDNS EXPIRE option in dns_rdata_fromwire.
772 3842. [bug] Adjust RRL log-only logging category. [RT #35945]
774 3841. [cleanup] Refactor zone.c:add_opt to use dns_message_buildopt.
777 3840. [port] Check for arc4random_addrandom() before using it;
778 it's been removed from OpenBSD 5.5. [RT #35907]
780 3839. [test] Use only posix-compatible shell in system tests.
783 3838. [protocol] EDNS EXPIRE as been assigned a code point of 9.
785 3836. [bug] Address C++ keyword usage in header file.
787 3834. [bug] The re-signing heaps were not being updated soon enough
788 leading to multiple re-generations of the same RRSIG
789 when a zone transfer was in progress. [RT #35273]
791 3833. [bug] Cross compiling was broken due to calling genrandom at
792 build time. [RT #35869]
794 3827. [contrib] The example DLZ driver (a version of which is
795 also used in the dlzexternal system test) could
796 use absolute names as relative. [RT #35802]
798 3826. [bug] Corrected bad INSIST logic in isc_radix_remove().
801 3825. [bug] Address sign extension bug in isc_regex_validate.
804 3824. [bug] A collision between two flag values could cause
805 problems with cache cleaning. [RT #35858]
807 3822. [bug] Log the correct type of static-stub zones when
808 removing them. [RT #35842]
810 3819. [bug] NSEC3 hashes need to be able to be entered and
811 displayed without padding. This is not a issue for
812 currently defined algorithms but may be for future
813 hash algorithms. [RT #27925]
815 3818. [bug] Stop lying to the optimizer that 'void *arg' is a
816 constant in isc_event_allocate.
818 3815. [doc] Clarify "nsupdate -y" usage in man page. [RT #35808]
820 3809. [doc] Fix NSID documentation.
822 3807. [bug] Fix sign extension bug in dns_name_fromtext when
823 lowercase is set. [RT #35743]
825 3806. [test] Improved system test portability. [RT #35625]
827 3805. [contrib] Added contrib/perftcpdns, a performance testing tool
828 for DNS over TCP. [RT #35710]
830 3804. [bug] Corrected a race condition in dispatch.c in which
831 portentry could be reset leading to an assertion
832 failure in socket_search(). (Change #3708
833 addressed the same issue but was incomplete.)
836 3803. [bug] "named-checkconf -z" incorrectly rejected zones
837 using alternate data sources for not having a "file"
840 3802. [bug] Various header files were not being installed.
842 3801. [port] Fix probing for gssapi support on FreeBSD. [RT #35615]
844 3799. [bug] Improve named's command line error reporting.
847 3796. [bug] Register dns error codes. [RT #35629]
849 3795. [bug] Make named-checkconf detect raw masterfiles for
850 hint zones and reject them. [RT #35268]
852 3794. [maint] Added AAAA for C.ROOT-SERVERS.NET.
854 3793. [bug] zone.c:save_nsec3param() could assert when out of
857 3792. [func] Provide links to the alternate statistics views when
858 displaying in a browser. [RT #35605]
860 3791. [bug] solaris: remove extraneous return. [RT #35589]
862 3787. [bug] The code that checks whether "auto-dnssec" is
863 allowed was ignoring "allow-update" ACLs set at
864 the options or view level. [RT #29536]
866 3780. [bug] $GENERATE handled negative numbers incorrectly.
869 3779. [cleanup] Clarify the error message when using an option
870 that was not enabled at compile time. [RT #35504]
872 3778. [bug] Log a warning when the wrong address family is
873 used in "listen-on" or "listen-on-v6". [RT #17848]
875 3775. [bug] dlz_dlopen driver could return the wrong error
876 code on API version mismatch, leading to a segfault.
879 3773. [func] "host", "nslookup" and "nsupdate" now have
880 options to print the version number and exit.
883 3770. [bug] "dig +trace" could fail with an assertion when it
884 needed to fall back to TCP due to a truncated
885 response. [RT #24660]
887 3769. [doc] Improved documentation of "rndc signing -list".
890 3768. [bug] "dnssec-checkds" was missing the SHA-384 digest
891 algorithm. [RT #34000]
893 3767. [func] Log explicitly when using rndc.key to configure
894 command channel. [RT #35316]
896 3765. [bug] Fixed a bug in "rndc secroots" that could crash
897 named when dumping an empty keynode. [RT #35469]
899 3764. [bug] The dnssec-keygen/settime -S and -i options
900 (to set up a successor key and set the prepublication
901 interval) were missing from dnssec-keyfromlabel.
904 3761. [bug] Address dangling reference bug in dns_keytable_add.
907 3757. [port] Enable Python tools (dnssec-coverage,
908 dnssec-checkds) to run on Windows. [RT #34355]
910 3756. [bug] GSSAPI Kerberos realm checking was broken in
911 check_config leading to spurious messages being
914 3754. [cleanup] win32: Installer now places files in the
915 Program Files area rather than system services.
918 3753. [bug] allow-notify was ignoring keys. [RT #35425]
920 3751. [tuning] The default setting for the -U option (setting
921 the number of UDP listeners per interface) has
922 been adjusted to improve performance. [RT #35417]
924 3747. [bug] A race condition could lead to a core dump when
925 destroying a resolver fetch object. [RT #35385]
927 3743. [bug] delegation-only flag wasn't working in forward zone
928 declarations despite being documented. This is
929 needed to support turning off forwarding and turning
930 on delegation only at the same name. [RT #35392]
932 3742. [port] linux: libcap support: declare curval at start of
935 3740. [contrib] Minor fixes to configure --with-dlz-bdb,
936 --with-dlz-postgres and --with-dlz-odbc. [RT #35340]
938 3737. [bug] 'rndc retransfer' could trigger a assertion failure
939 with inline zones. [RT #35353]
941 3736. [bug] nsupdate: When specifying a server by name,
942 fall back to alternate addresses if the first
943 address for that name is not reachable. [RT #25784]
945 3734. [bug] Improve building with libtool. [RT #35314]
947 3732. [contrib] Fixed a type mismatch causing the ODBC DLZ
948 driver to dump core on 64-bit systems. [RT #35324]
950 3731. [func] Added a "no-case-compress" ACL, which causes
951 named to use case-insensitive compression
952 (disabling change #3645) for specified
953 clients. (This is useful when dealing
954 with broken client implementations that
955 use case-sensitive name comparisons,
956 rejecting responses that fail to match the
957 capitalization of the query that was sent.)
960 3730. [cleanup] Added "never" as a synonym for "none" when
961 configuring key event dates in the dnssec tools.
964 3729. [bug] dnssec-keygen could set the publication date
965 incorrectly when only the activation date was
966 specified on the command line. [RT #35278]
968 3724. [bug] win32: Fixed a bug that prevented dig and
969 host from exiting properly after completing
970 a UDP query. [RT #35288]
972 3720. [bug] Address compiler warnings. [RT #35261]
974 3719. [bug] Address memory leak in in peer.c. [RT #35255]
976 3718. [bug] A missing ISC_LINK_INIT in log.c. [RT #35260]
978 3714. [test] System tests that need to test for cryptography
979 support before running can now use a common
980 "testcrypto.sh" script to do so. [RT #35213]
982 3713. [bug] Save memory by not storing "also-notify" addresses
983 in zone objects that are configured not to send
984 notify requests. [RT #35195]
986 --- 9.9.5 released ---
988 --- 9.9.5rc2 released ---
990 3710. [bug] Address double dns_zone_detach when switching to
991 using automatic empty zones from regular zones.
994 3709. [port] Use built-in versions of strptime() and timegm()
995 on all platforms to avoid portability issues.
998 3708. [bug] Address a portentry locking issue in dispatch.c.
1001 3707. [bug] irs_resconf_load now returns ISC_R_FILENOTFOUND
1002 on a missing resolv.conf file and initializes the
1003 structure as if it had been configured with:
1006 nameserver 127.0.0.1
1008 Note: Callers will need to be updated to treat
1009 ISC_R_FILENOTFOUND as a qualified success or else
1010 they will leak memory. The following code fragment
1011 will work with both old and new versions without
1012 changing the behaviour of the existing code.
1015 result = irs_resconf_load(mctx, "/etc/resolv.conf",
1017 if (result != ISC_SUCCESS) {
1018 if (resconf != NULL)
1019 irs_resconf_destroy(&resconf);
1025 3706. [contrib] queryperf: Fixed a possible integer overflow when
1026 printing results. [RT #35182]
1028 3704. [protocol] Accept integer timestamps in RRSIG records. [RT #35185]
1030 --- 9.9.5rc1 released ---
1032 3701. [func] named-checkconf can now obscure shared secrets
1033 when printing by specifying '-x'. [RT #34465]
1035 3699. [bug] Improvements to statistics channel XSL stylesheet:
1036 the stylesheet can now be cached by the browser;
1037 section headers are omitted from the stats display
1038 when there is no data in those sections to be
1039 displayed; counters are now right-justified for
1040 easier readability. (Only available with
1041 configure --enable-newstats.) [RT #35117]
1043 3698. [cleanup] Replaced all uses of memcpy() with memmove().
1046 3697. [bug] Handle "." as a search list element when IDN support
1047 is enabled. [RT #35133]
1049 3696. [bug] dig failed to handle AXFR style IXFR responses which
1050 span multiple messages. [RT #35137]
1052 3695. [bug] Address a possible race in dispatch.c. [RT #35107]
1054 3694. [bug] Warn when a key-directory is configured for a zone,
1055 but does not exist or is not a directory. [RT #35108]
1057 3693. [security] memcpy was incorrectly called with overlapping
1058 ranges resulting in malformed names being generated
1059 on some platforms. This could cause INSIST failures
1060 when serving NSEC3 signed zones (CVE-2014-0591).
1063 3692. [bug] Two calls to dns_db_getoriginnode were fatal if there
1064 was no data at the node. [RT #35080]
1066 3690. [bug] Iterative responses could be missed when the source
1067 port for an upstream query was the same as the
1068 listener port (53). [RT #34925]
1070 3689. [bug] Fixed a bug causing an insecure delegation from one
1071 static-stub zone to another to fail with a broken
1072 trust chain. [RT #35081]
1074 --- 9.9.5b1 released ---
1076 3688. [bug] loadnode could return a freed node on out of memory.
1079 3687. [bug] Address null pointer dereference in zone_xfrdone.
1082 3686. [func] "dnssec-signzone -Q" drops signatures from keys
1083 that are still published but no longer active.
1086 3685. [bug] "rndc refresh" didn't work correctly with slave
1087 zones using inline-signing. [RT #35105]
1089 3683. [cleanup] Add a more detailed "not found" message to rndc
1090 commands which specify a zone name. [RT #35059]
1092 3682. [bug] Correct the behavior of rndc retransfer to allow
1093 inline-signing slave zones to retain NSEC3 parameters
1094 instead of reverting to NSEC. [RT #34745]
1096 3681. [port] Update the Windows build system to support feature
1097 selection and WIN64 builds. This is a work in
1098 progress. [RT #34160]
1100 3679. [bug] dig could fail to clean up TCP sockets still
1101 waiting on connect(). [RT #35074]
1103 3678. [port] Update config.guess and config.sub. [RT #35060]
1105 3677. [bug] 'nsupdate' leaked memory if 'realm' was used multiple
1108 3676. [bug] "named-checkconf -z" now checks zones of type
1109 hint and redirect as well as master. [RT #35046]
1111 3675. [misc] Provide a place for third parties to add version
1112 information for their extensions in the version
1113 file by setting the EXTENSIONS variable.
1115 3674. [bug] RPZ zeroed ttls if the query type was '*'. [RT #35026]
1117 3672. [func] Local address can now be specified when using
1118 dns_client API. [RT #34811]
1120 3671. [bug] Don't allow dnssec-importkey overwrite a existing
1121 non-imported private key.
1123 3670. [bug] Address read after free in server side of
1124 lwres_getrrsetbyname. [RT #29075]
1126 3669. [port] freebsd: --with-gssapi needs -lhx509. [RT #35001]
1128 3668. [bug] Fix cast in lex.c which could see 0xff treated as eof.
1131 3667. [test] dig: add support to keep the TCP socket open between
1132 successive queries (+[no]keepopen). [RT #34918]
1134 3665. [bug] Failure to release lock on error in receive_secure_db.
1137 3664. [bug] Updated OpenSSL PKCS#11 patches to fix active list
1138 locking and other bugs. [RT #34855]
1140 3663. [bug] Address bugs in dns_rdata_fromstruct and
1141 dns_rdata_tostruct for WKS and ISDN types. [RT #34910]
1143 3662. [bug] 'host' could die if a UDP query timed out. [RT #34870]
1145 3661. [bug] Address lock order reversal deadlock with inline zones.
1148 3660. [cleanup] Changed the name of "isc-config.sh" to "bind9-config".
1151 3659. [port] solaris: don't add explicit dependencies/rules for
1152 python programs as make won't use the implicit rules.
1155 3658. [port] linux: Address platform specific compilation issue
1156 when libcap-devel is installed. [RT #34838]
1158 3657. [port] Some readline clones don't accept NULL pointers when
1159 calling add_history. [RT #34842]
1161 3656. [security] Treat an all zero netmask as invalid when generating
1162 the localnets acl. (The prior behavior could
1163 allow unexpected matches when using some versions
1164 of Winsock: CVE-2013-6320.) [RT #34687]
1166 3655. [cleanup] Simplify TCP message processing when requesting a
1167 zone transfer. [RT #34825]
1169 3654. [bug] Address race condition with manual notify requests.
1172 3653. [func] Create delegations for all "children" of empty zones
1173 except "forward first". [RT #34826]
1175 3651. [tuning] Adjust when a master server is deemed unreachable.
1178 3650. [tuning] Use separate rate limiting queues for refresh and
1179 notify requests. [RT #30589]
1181 3649. [cleanup] Include a comment in .nzf files, giving the name of
1182 the associated view. [RT #34765]
1184 3648. [test] Updated the ATF test framework to version 0.17.
1187 3647. [bug] Address a race condition when shutting down a zone.
1190 3646. [bug] Journal filename string could be set incorrectly,
1191 causing garbage in log messages. [RT #34738]
1193 3645. [protocol] Use case sensitive compression when responding to
1194 queries. [RT #34737]
1196 3644. [protocol] Check that EDNS subnet client options are well formed.
1199 3642. [func] Allow externally generated DNSKEY to be imported
1200 into the DNSKEY management framework. A new tool
1201 dnssec-importkey is used to do this. [RT #34698]
1203 3641. [bug] Handle changes to sig-validity-interval settings
1206 3640. [bug] ndots was not being checked when searching. Only
1207 continue searching on NXDOMAIN responses. Add the
1208 ability to specify ndots to nslookup. [RT #34711]
1210 3639. [bug] Treat type 65533 (KEYDATA) as opaque except when used
1211 in a key zone. [RT #34238]
1213 --- 9.9.4 released ---
1215 3643. [doc] Clarify RRL "slip" documentation.
1217 3638. [cleanup] Add the ability to handle ENOPROTOOPT in case it is
1218 encountered. [RT #34668]
1220 --- 9.9.4rc2 released ---
1222 3637. [bug] 'allow-query-on' was checking the source address
1223 rather than the destination address. [RT #34590]
1225 3636. [bug] Automatic empty zones now behave better with
1226 forward only "zones" beneath them. [RT #34583]
1228 3635. [bug] Signatures were not being removed from a zone with
1229 only KSK keys for a algorithm. [RT #34439]
1231 3634. [func] Report build-id in rndc status. Report build-id
1232 when building from a git repository. [RT #20422]
1234 3633. [cleanup] Refactor OPT processing in named to make it easier
1235 to support new EDNS options. [RT #34414]
1237 3632. [bug] Signature from newly inactive keys were not being
1238 removed. [RT #32178]
1240 3631. [bug] Remove spurious warning about missing signatures when
1241 qtype is SIG. [RT #34600]
1243 3630. [bug] Ensure correct ID computation for MD5 keys. [RT #33033]
1245 3627. [bug] RPZ changes were not effective on slaves. [RT #34450]
1247 3625. [bug] Don't send notify messages to machines outside of the
1250 3623. [bug] zone-statistics was only effective in new statistics.
1253 --- 9.9.4rc1 released ---
1255 3621. [security] Incorrect bounds checking on private type 'keydata'
1256 can lead to a remotely triggerable REQUIRE failure
1257 (CVE-2013-4854). [RT #34238]
1259 3617. [bug] Named was failing to answer queries during
1260 "rndc reload" [RT #34098]
1262 3616. [bug] Change #3613 was incomplete. [RT #34177]
1264 3615. [cleanup] "configure" now finishes by printing a summary
1265 of optional BIND features and whether they are
1266 active or inactive. ("configure --enable-full-report"
1267 increases the verbosity of the summary.) [RT #31777]
1269 3614. [port] Check for <linux/types.h>. [RT #34162]
1271 3613. [bug] named could crash when deleting inline-signing
1272 zones with "rndc delzone". [RT #34066]
1274 3611. [bug] Improved resistance to a theoretical authentication
1275 attack based on differential timing. [RT #33939]
1277 3610. [cleanup] win32: Some executables had been omitted from the
1278 installer. [RT #34116]
1280 3608. [port] win32: added todos.pl script to ensure all text files
1281 the win32 build depends on are converted to DOS
1282 newline format. [RT #22067]
1284 3607. [bug] dnssec-keygen had broken 'Invalid keyfile' error
1285 message. [RT #34045]
1287 --- 9.9.4b1 released ---
1289 3605. [port] win32: Addressed several compatibility issues
1290 with newer versions of Visual Studio. [RT #33916]
1292 3603. [bug] Install <isc/stat.h>. [RT #33956]
1294 3601. [bug] Added to PKCS#11 openssl patches a value len
1295 attribute in DH derive key. [RT #33928]
1297 3600. [cleanup] dig: Fixed a typo in the warning output when receiving
1298 an oversized response. [RT #33910]
1300 3599. [tuning] Check for pointer equivalence in name comparisons.
1303 3596. [port] Updated win32 build documentation, added
1304 dnssec-verify. [RT #22067]
1306 3594. [maint] Update config.guess and config.sub. [RT #33816]
1308 3592. [doc] Moved documentation of rndc command options to the
1309 rndc man page. [RT #33506]
1311 3590. [bug] When using RRL on recursive servers, defer
1312 rate-limiting until after recursion is complete;
1313 also, use correct rcode for slipped NXDOMAIN
1314 responses. [RT #33604]
1316 3588. [bug] dig: addressed a memory leak in the sigchase code
1317 that could cause a shutdown crash. [RT #33733]
1319 3587. [func] 'named -g' now checks the logging configuration but
1320 does not use it. [RT #33473]
1322 3586. [bug] Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]
1324 3584. [security] Caching data from an incompletely signed zone could
1325 trigger an assertion failure in resolver.c
1326 (CVE-2013-3919). [RT #33690]
1328 3583. [bug] Address memory leak in GSS-API processing [RT #33574]
1330 3582. [bug] Silence false positive warning regarding missing file
1331 directive for inline slave zones. [RT #33662]
1333 3581. [bug] Changed the tcp-listen-queue default to 10. [RT #33029]
1335 3580. [bug] Addressed a possible race in acache.c [RT #33602]
1337 3579. [maint] Updates to PKCS#11 openssl patches, supporting
1338 versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]
1340 3578. [bug] 'rndc -c file' now fails if 'file' does not exist.
1343 3577. [bug] Handle zero TTL values better. [RT #33411]
1345 3576. [bug] Address a shutdown race when validating. [RT #33573]
1347 3575. [func] Changed the logging category for RRL events from
1348 'queries' to 'query-errors'. [RT #33540]
1350 3574. [doc] The 'hostname' keyword was missing from server-id
1351 description in the named.conf man page. [RT #33476]
1353 3573. [bug] "rndc addzone" and "rndc delzone" incorrectly handled
1354 zone names containing punctuation marks and other
1355 nonstandard characters. [RT #33419]
1357 3571. [bug] Address race condition in dns_client_startresolve().
1360 3566. [func] Log when forwarding updates to master. [RT #33240]
1362 3554. [bug] RRL failed to correctly rate-limit upward
1363 referrals and failed to count dropped error
1364 responses in the statistics. [RT #33225]
1366 3545. [bug] RRL slip behavior was incorrect when set to 1.
1369 3518. [bug] Increase the size of dns_rrl_key.s.rtype by one bit
1370 so that all dns_rrl_rtype_t enum values fit regardless
1371 of whether it is teated as signed or unsigned by
1372 the compiler. [RT #32792]
1374 3494. [func] DNS RRL: Blunt the impact of DNS reflection and
1375 amplification attacks by rate-limiting substantially-
1376 identical responses. To enable, use "configure
1377 --enable-rrl". [RT #28130]
1379 --- 9.9.3 released ---
1381 3568. [cleanup] Add a product description line to the version file,
1382 to be reported by named -v/-V. [RT #33366]
1384 3567. [bug] Silence clang static analyzer warnings. [RT #33365]
1386 3563. [contrib] zone2sqlite failed with some table names. [RT #33375]
1388 3561. [bug] dig: issue a warning if an EDNS query returns FORMERR
1389 or NOTIMP. Adjust usage message. [RT #33363]
1391 --- 9.9.3rc2 released ---
1393 3560. [bug] isc-config.sh did not honor includedir and libdir
1394 when set via configure. [RT #33345]
1396 3559. [func] Check that both forms of Sender Policy Framework
1397 records exist or do not exist. [RT #33355]
1399 3558. [bug] IXFR of a DLZ stored zone was broken. [RT #33331]
1401 3557. [bug] Reloading redirect zones was broken. [RT #33292]
1403 3556. [maint] Added AAAA for D.ROOT-SERVERS.NET.
1405 3555. [bug] Address theoretical race conditions in acache.c
1406 (change #3553 was incomplete). [RT #33252]
1408 3553. [bug] Address suspected double free in acache. [RT #33252]
1410 3552. [bug] Wrong getopt option string for 'nsupdate -r'.
1413 3549. [doc] Documentation for "request-nsid" was missing.
1416 3548. [bug] The NSID request code in resolver.c was broken
1417 resulting in invalid EDNS options being sent.
1420 3547. [bug] Some malformed unknown rdata records were not properly
1421 detected and rejected. [RT #33129]
1423 --- 9.9.3rc1 released ---
1425 3546. [func] Add EUI48 and EUI64 types. [RT #33082]
1427 3544. [contrib] check5011.pl: Script to report the status of
1428 managed keys as recorded in managed-keys.bind.
1429 Contributed by Tony Finch <dot@dotat.at>
1431 3543. [bug] Update socket structure before attaching to socket
1432 manager after accept. [RT #33084]
1434 3541. [bug] Parts of libdns were not properly initialized when
1435 built in libexport mode. [RT #33028]
1437 3540. [test] libt_api: t_info and t_assert were not thread safe.
1439 3539. [port] win32: timestamp format didn't match other platforms.
1441 3538. [test] Running "make test" now requires loopback interfaces
1442 to be set up. [RT #32452]
1444 3537. [tuning] Slave zones, when updated, now send NOTIFY messages
1445 to peers before being dumped to disk rather than
1448 3535. [bug] Minor win32 cleanups. [RT #32962]
1450 3534. [bug] Extra text after an embedded NULL was ignored when
1451 parsing zone files. [RT #32699]
1453 3533. [contrib] query-loc-0.4.0: memory leaks. [RT #32960]
1455 3532. [contrib] zkt: fixed buffer overrun, resource leaks. [RT #32960]
1457 3531. [bug] win32: A uninitialized value could be returned on out
1458 of memory. [RT #32960]
1460 3530. [contrib] Better RTT tracking in queryperf. [RT #30128]
1462 3528. [func] New "dnssec-coverage" command scans the timing
1463 metadata for a set of DNSSEC keys and reports if a
1464 lapse in signing coverage has been scheduled
1465 inadvertently. (Note: This tool depends on python;
1466 it will not be built or installed on systems that
1467 do not have a python interpreter.) [RT #28098]
1469 3527. [compat] Add a URI to allow applications to explicitly
1470 request a particular XML schema from the statistics
1471 channel, returning 404 if not supported. [RT #32481]
1473 3526. [cleanup] Set up dependencies for unit tests correctly during
1476 3521. [bug] Address memory leak in opensslecdsa_link.c. [RT #32249]
1478 3520. [bug] 'mctx' was not being referenced counted in some places
1479 where it should have been. [RT #32794]
1481 --- 9.9.3b2 released ---
1483 3517. [bug] Reorder destruction to avoid shutdown race. [RT #32777]
1485 3515. [port] '%T' is not portable in strftime(). [RT #32763]
1487 3514. [bug] The ranges for valid key sizes in ddns-confgen and
1488 rndc-confgen were too constrained. Keys up to 512
1489 bits are now allowed for most algorithms, and up
1490 to 1024 bits for hmac-sha384 and hmac-sha512.
1493 3511. [doc] Improve documentation of redirect zones. [RT #32756]
1495 3509. [cleanup] Added a product line to version file to allow for
1496 easy naming of different products (BIND
1497 vs BIND ESV, for example). [RT #32755]
1499 3508. [contrib] queryperf was incorrectly rejecting the -T option.
1502 3507. [bug] Statistics channel XSL (when built with
1503 --enable-newstats) had a glitch when attempting
1504 to chart query data before any queries had been
1505 received. [RT #32620]
1507 3505. [bug] When setting "max-cache-size" and "max-acache-size",
1508 larger values than 4 gigabytes could not be set
1509 explicitly, though larger sizes were available
1510 when setting cache size to 0. This has been
1511 corrected; the full range is now available.
1514 3503. [doc] Clarify size_spec syntax. [RT #32449]
1516 3501. [func] zone-statistics now takes three options: full,
1517 terse, and none. "yes" and "no" are retained as
1518 synonyms for full and terse, respectively. [RT #29165]
1520 3500. [security] Support NAPTR regular expression validation on
1521 all platforms without using libregex, which
1522 can be vulnerable to memory exhaustion attack
1523 (CVE-2013-2266). [RT #32688]
1525 3499. [doc] Corrected ARM documentation of built-in zones.
1528 3498. [bug] zone statistics for zones which matched a potential
1529 empty zone could have their zone-statistics setting
1532 3496. [func] Improvements to RPZ performance. The "response-policy"
1533 syntax now includes a "min-ns-dots" clause, with
1534 default 1, to exclude top-level domains from
1535 NSIP and NSDNAME checking. --enable-rpz-nsip and
1536 --enable-rpz-nsdname are now the default. [RT #32251]
1538 3493. [contrib] Added BDBHPT dynamically-lodable DLZ module,
1539 contributed by Mark Goldfinch. [RT #32549]
1541 3492. [bug] Fixed a regression in zone loading performance
1542 due to lock contention. [RT #30399]
1544 3491. [bug] Slave zones using inline-signing must specify a
1545 file name. [RT #31946]
1547 3489. [bug] --enable-developer now turns on ISC_LIST_CHECKINIT.
1548 When cloning a rdataset do not copy the link contents.
1551 3488. [bug] Use after free error with DH generated keys. [RT #32649]
1553 3487. [bug] Change 3444 was not complete. There was a additional
1554 place where the NOQNAME proof needed to be saved.
1557 3486. [bug] named could crash when using TKEY-negotiated keys
1558 that had been deleted and then recreated. [RT #32506]
1560 3485. [cleanup] Only compile openssl_gostlink.c if we support GOST.
1562 3483. [bug] Corrected XSL code in use with --enable-newstats.
1565 3481. [cleanup] Removed use of const const in atf.
1567 3480. [bug] Silence logging noise when setting up zone
1568 statistics. [RT #32525]
1570 3479. [bug] Address potential memory leaks in gssapi support
1573 3478. [port] Fix a build failure in strict C99 environments
1576 3474. [bug] nsupdate could assert when the local and remote
1577 address families didn't match. [RT #22897]
1579 3473. [bug] dnssec-signzone/verify could incorrectly report
1580 an error condition due to an empty node above an
1581 opt-out delegation lacking an NSEC3. [RT #32072]
1583 3471. [bug] The number of UDP dispatches now defaults to
1584 the number of CPUs even if -n has been set to
1585 a higher value. [RT #30964]
1587 3470. [bug] Slave zones could fail to dump when successfully
1588 refreshing after an initial failure. [RT #31276]
1590 --- 9.9.3b1 released ---
1592 3468. [security] RPZ rules to generate A records (but not AAAA records)
1593 could trigger an assertion failure when used in
1594 conjunction with DNS64 (CVE-2012-5689). [RT #32141]
1596 3467. [bug] Added checks in dnssec-keygen and dnssec-settime
1597 to check for delete date < inactive date. [RT #31719]
1599 3466. [contrib] Corrected the DNS_CLIENTINFOMETHODS_VERSION check
1600 in DLZ example driver. [RT #32275]
1602 3465. [bug] Handle isolated reserved ports. [RT #31778]
1604 3464. [maint] Updates to PKCS#11 openssl patches, supporting
1605 versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]
1607 3463. [doc] Clarify managed-keys syntax in ARM. [RT #32232]
1609 3462. [doc] Clarify server selection behavior of dig when using
1610 -4 or -6 options. [RT #32181]
1612 3461. [bug] Negative responses could incorrectly have AD=1
1615 3460. [bug] Only link against readline where needed. [RT #29810]
1617 3458. [bug] Return FORMERR when presented with a overly long
1618 domain named in a request. [RT #29682]
1620 3457. [protocol] Add ILNP records (NID, LP, L32, L64). [RT #31836]
1622 3456. [port] g++47: ATF failed to compile. [RT #32012]
1624 3455. [contrib] queryperf: fix getopt option list. [RT #32338]
1626 3454. [port] sparc64: improve atomic support. [RT #25182]
1628 3453. [bug] 'rndc addzone' of a zone with 'inline-signing yes;'
1631 3452. [bug] Accept duplicate singleton records. [RT #32329]
1633 3451. [port] Increase per thread stack size from 64K to 1M.
1636 3450. [bug] Stop logfileconfig system test spam system logs.
1639 3449. [bug] gen.c: use the pre-processor to construct format
1640 strings so that compiler can perform sanity checks;
1641 check the snprintf results. [RT #17576]
1643 3448. [bug] The allow-query-on ACL was not processed correctly.
1646 3447. [port] Add support for libxml2-2.9.x [RT #32231]
1648 3446. [port] win32: Add source ID (see change #3400) to build.
1651 3445. [bug] Warn about zone files with blank owner names
1652 immediately after $ORIGIN directives. [RT #31848]
1654 3444. [bug] The NOQNAME proof was not being returned from cached
1655 insecure responses. [RT #21409]
1657 3443. [bug] ddns-confgen: Some TSIG algorithms were incorrectly
1658 rejected when generating keys. [RT #31927]
1660 3442. [port] Net::DNS 0.69 introduced a non backwards compatible
1663 3441. [maint] D.ROOT-SERVERS.NET is now 199.7.91.13.
1665 3440. [bug] Reorder get_key_struct to not trigger a assertion when
1666 cleaning up due to out of memory error. [RT #32131]
1668 3439. [bug] contrib/dlz error checking fixes. [RT #32102]
1670 3438. [bug] Don't accept unknown data escape in quotes. [RT #32031]
1672 3437. [bug] isc_buffer_init -> isc_buffer_constinit to initialize
1673 buffers with constant data. [RT #32064]
1675 3436. [bug] Check malloc/calloc return values. [RT #32088]
1677 3435. [bug] Cross compilation support in configure was broken.
1680 3431. [bug] ddns-confgen: Some valid key algorithms were
1681 not accepted. [RT #31927]
1683 3430. [bug] win32: isc_time_formatISO8601 was missing the
1684 'T' between the date and time. [RT #32044]
1686 3429. [bug] dns_zone_getserial2 could a return success without
1687 returning a valid serial. [RT #32007]
1689 3428. [cleanup] dig: Add timezone to date output. [RT #2269]
1691 3427. [bug] dig +trace incorrectly displayed name server
1692 addresses instead of names. [RT #31641]
1694 3426. [bug] dnssec-checkds: Clearer output when records are not
1697 3425. [bug] "acacheentry" reference counting was broken resulting
1698 in use after free. [RT #31908]
1700 3424. [func] dnssec-dsfromkey now emits the hash without spaces.
1703 3423. [bug] "rndc signing -nsec3param" didn't accept the full
1704 range of possible values. Address portability issues.
1707 3422. [bug] Added a clear error message for when the SOA does not
1708 match the referral. [RT #31281]
1710 3421. [bug] Named loops when re-signing if all keys are offline.
1713 3420. [bug] Address VPATH compilation issues. [RT #31879]
1715 3419. [bug] Memory leak on validation cancel. [RT #31869]
1717 3417. [func] Optional new XML schema (version 3.0) for the
1718 statistics channel adds query type statistics at the
1719 zone level, and flattens the XML tree and uses
1720 compressed format to optimize parsing. Includes new XSL
1721 that permits charting via the Google Charts API on
1722 browsers that support javascript in XSL. To enable,
1723 build with "configure --enable-newstats". [RT #30023]
1725 3416. [bug] Named could die on shutdown if running with 128 UDP
1726 dispatches per interface. [RT #31743]
1728 3415. [bug] named could die with a REQUIRE failure if a validation
1729 was canceled. [RT #31804]
1731 3414. [bug] Address locking issues found by Coverity. [RT #31626]
1733 3412. [bug] Copy timeval structure from control message data.
1736 3411. [tuning] Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
1739 3410. [bug] Addressed Coverity warnings. [RT #31626]
1741 3409. [contrib] contrib/dane/mkdane.sh: Tool to generate TLSA RR's
1742 from X.509 certificates, for use with DANE
1743 (DNS-based Authentication of Named Entities).
1746 3408. [bug] Some DNSSEC-related options (update-check-ksk,
1747 dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
1748 are now legal in slave zones as long as
1749 inline-signing is in use. [RT #31078]
1751 3406. [bug] mem.c: Fix compilation errors when building with
1752 ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
1753 Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
1755 3405. [bug] Handle time going backwards in acache. [RT #31253]
1757 3404. [bug] dnssec-signzone: When re-signing a zone, remove
1758 RRSIG and NSEC records from nodes that used to be
1759 in-zone but are now below a zone cut. [RT #31556]
1761 3403. [bug] Silence noisy OpenSSL logging. [RT #31497]
1763 3402. [test] The IPv6 interface numbers used for system
1764 tests were incorrect on some platforms. [RT #25085]
1766 3401. [bug] Addressed Coverity warnings. [RT #31484]
1768 3400. [cleanup] "named -V" can now report a source ID string, defined
1769 in the "srcid" file in the build tree and normally set
1770 to the most recent git hash. [RT #31494]
1772 3399. [port] netbsd: rename 'bool' parameter to avoid namespace
1775 3398. [bug] SOA parameters were not being updated with inline
1776 signed zones if the zone was modified while the
1777 server was offline. [RT #29272]
1779 3397. [bug] dig crashed when using +nssearch with +tcp. [RT #25298]
1781 3396. [bug] OPT records were incorrectly removed from signed,
1782 truncated responses. [RT #31439]
1784 3395. [protocol] Add RFC 6598 reverse zones to built in empty zones
1785 list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
1788 3394. [bug] Adjust 'successfully validated after lower casing
1789 signer' log level and category. [RT #31414]
1791 3393. [bug] 'host -C' could core dump if REFUSED was received.
1794 3391. [bug] A DNSKEY lookup that encountered a CNAME failed.
1797 3390. [bug] Silence clang compiler warnings. [RT #30417]
1799 3389. [bug] Always return NOERROR (not 0) in TSIG. [RT #31275]
1801 3388. [bug] Fixed several Coverity warnings.
1802 Note: This change includes a fix for a bug that
1803 was subsequently determined to be an exploitable
1804 security vulnerability, CVE-2012-5688: named could
1805 die on specific queries with dns64 enabled.
1808 3386. [bug] Address locking violation when generating new NSEC /
1809 NSEC3 chains. [RT #31224]
1811 3385. [bug] named-checkconf didn't detect missing master lists
1812 in also-notify clauses. [RT #30810]
1814 3384. [bug] Improved logging of crypto errors. [RT #30963]
1816 3382. [bug] SOA query from slave used use-v6-udp-ports range,
1817 if set, regardless of the address family in use.
1820 3381. [contrib] Update queryperf to support more RR types.
1823 3380. [bug] named could die if a nonexistent master list was
1824 referenced in a also-notify. [RT #31004]
1826 3379. [bug] isc_interval_zero and isc_time_epoch should be
1827 "const (type)* const". [RT #31069]
1829 3378. [bug] Handle missing 'managed-keys-directory' better.
1832 3377. [bug] Removed spurious newline from NSEC3 multiline
1835 3376. [bug] Lack of EDNS support was being recorded without a
1836 successful response. [RT #30811]
1838 3375. [func] Check that 'rndc dumpdb' works on a empty cache.
1841 3374. [bug] isc_parse_uint32 failed to return a range error on
1842 systems with 64 bit longs. [RT #30232]
1844 3372. [bug] Silence spurious "deleted from unreachable cache"
1845 messages. [RT #30501]
1847 3371. [bug] AD=1 should behave like DO=1 when deciding whether to
1848 add NS RRsets to the additional section or not.
1851 3316. [tuning] Improved locking performance when recursing.
1854 3315. [tuning] Use multiple dispatch objects for sending upstream
1855 queries; this can improve performance on busy
1856 multiprocessor systems by reducing lock contention.
1859 --- 9.9.2 released ---
1861 3383. [security] A certain combination of records in the RBT could
1862 cause named to hang while populating the additional
1863 section of a response. [RT #31090]
1865 3373. [bug] win32: open raw files in binary mode. [RT #30944]
1867 3364. [security] Named could die on specially crafted record.
1870 --- 9.9.2rc1 released ---
1872 3370. [bug] Address use after free while shutting down. [RT #30241]
1874 3369. [bug] nsupdate terminated unexpectedly in interactive mode
1875 if built with readline support. [RT #29550]
1877 3368. [bug] <dns/iptable.h>, <dns/private.h> and <dns/zone.h>
1880 3367. [bug] dns_dnsseckey_create() result was not being checked.
1883 3366. [bug] Fixed Read-After-Write dependency violation for IA64
1884 atomic operations. [RT #25181]
1886 3365. [bug] Removed spurious newlines from log messages in
1889 3363. [bug] Need to allow "forward" and "fowarders" options
1890 in static-stub zones; this had been overlooked.
1893 3362. [bug] Setting some option values to 0 in named.conf
1894 could trigger an assertion failure on startup.
1897 3361. [bug] "rndc signing -nsec3param" didn't work correctly
1898 when salt was set to '-' (no salt). [RT #30099]
1900 3360. [bug] 'host -w' could die. [RT #18723]
1902 3359. [bug] An improperly-formed TSIG secret could cause a
1903 memory leak. [RT #30607]
1905 3357. [port] Add support for libxml2-2.8.x [RT #30440]
1907 3356. [bug] Cap the TTL of signed RRsets when RRSIGs are
1908 approaching their expiry, so they don't remain
1909 in caches after expiry. [RT #26429]
1911 3355. [port] Use more portable awk in verify system test.
1913 3354. [func] Improve OpenSSL error logging. [RT #29932]
1915 --- 9.9.2b1 released ---
1917 3353. [bug] Use a single task for task exclusive operations.
1920 3352. [bug] Ensure that learned server attributes timeout of the
1921 adb cache. [RT #29856]
1923 3351. [bug] isc_mem_put and isc_mem_putanddetach didn't report
1924 caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
1925 memory debugging flags are set. [RT #30243]
1927 3350. [bug] Memory read overrun in isc___mem_reallocate if
1928 ISC_MEM_DEBUGCTX memory debugging flag is set.
1931 3349. [bug] Change #3345 was incomplete. [RT #30233]
1933 3348. [bug] Prevent RRSIG data from being cached if a negative
1934 record matching the covering type exists at a higher
1935 trust level. Such data already can't be retrieved from
1936 the cache since change 3218 -- this prevents it
1937 being inserted into the cache as well. [RT #26809]
1939 3347. [bug] dnssec-settime: Issue a warning when writing a new
1940 private key file would cause a change in the
1941 permissions of the existing file. [RT #27724]
1943 3346. [security] Bad-cache data could be used before it was
1944 initialized, causing an assert. [RT #30025]
1946 3345. [bug] Addressed race condition when removing the last item
1947 or inserting the first item in an ISC_QUEUE.
1950 3344. [func] New "dnssec-checkds" command checks a zone to
1951 determine which DS records should be published
1952 in the parent zone, or which DLV records should be
1953 published in a DLV zone, and queries the DNS to
1954 ensure that it exists. (Note: This tool depends
1955 on python; it will not be built or installed on
1956 systems that do not have a python interpreter.)
1959 3342. [bug] Change #3314 broke saving of stub zones to disk
1960 resulting in excessive cpu usage in some cases.
1963 3341. [func] New "dnssec-verify" command checks a signed zone
1964 to ensure correctness of signatures and of NSEC/NSEC3
1967 3339. [func] Allow the maximum supported rsa exponent size to be
1968 specified: "max-rsa-exponent-size <value>;" [RT #29228]
1970 3338. [bug] Address race condition in units tests: asyncload_zone
1971 and asyncload_zt. [RT #26100]
1973 3337. [bug] Change #3294 broke support for the multiple keys
1974 in controls. [RT #29694]
1976 3335. [func] nslookup: return a nonzero exit code when unable
1977 to get an answer. [RT #29492]
1979 3334. [bug] Hold a zone table reference while performing a
1980 asynchronous load of a zone. [RT #28326]
1982 3333. [bug] Setting resolver-query-timeout too low can cause
1983 named to not recover if it loses connectivity.
1986 3332. [bug] Re-use cached DS rrsets if possible. [RT #29446]
1988 3331. [security] dns_rdataslab_fromrdataset could produce bad
1989 rdataslabs. [RT #29644]
1991 3330. [func] Fix missing signatures on NOERROR results despite
1993 - add optional "recursive-only yes|no" to the
1994 response-policy statement
1995 - add optional "max-policy-ttl" to the response-policy
1996 statement to limit the false data that
1997 "recursive-only no" can introduce into
1999 - add a RPZ performance test to bin/tests/system/rpz
2000 when queryperf is available.
2001 - the encoding of PASSTHRU action to "rpz-passthru".
2002 (The old encoding is still accepted.)
2006 3329. [bug] Handle RRSIG signer-name case consistently: We
2007 generate RRSIG records with the signer-name in
2008 lower case. We accept them with any case, but if
2009 they fail to validate, we try again in lower case.
2012 3328. [bug] Fixed inconsistent data checking in dst_parse.c.
2015 3317. [func] Add ECDSA support (RFC 6605). [RT #21918]
2017 --- 9.9.1 released ---
2019 3318. [tuning] Reduce the amount of work performed while holding a
2020 bucket lock when finished with a fetch context.
2023 3314. [bug] The masters list could be updated while stub_callback
2024 or refresh_callback were using it. [RT #26732]
2026 3313. [protocol] Add TLSA record type. [RT #28989]
2028 3312. [bug] named-checkconf didn't detect a bad dns64 clients acl.
2031 3311. [bug] Abort the zone dump if zone->db is NULL in
2032 zone.c:zone_gotwritehandle. [RT #29028]
2034 3310. [test] Increase table size for mutex profiling. [RT #28809]
2036 3309. [bug] resolver.c:fctx_finddone() was not thread safe.
2039 3307. [bug] Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
2042 3306. [bug] Improve DNS64 reverse zone performance. [RT #28563]
2044 3305. [func] Add wire format lookup method to sdb. [RT #28563]
2046 3304. [bug] Use hmctx, not mctx when freeing rbtdb->heaps.
2049 3303. [bug] named could die when reloading. [RT #28606]
2051 3302. [bug] dns_dnssec_findmatchingkeys could fail to find
2052 keys if the zone name contained character that
2053 required special mappings. [RT #28600]
2055 3301. [contrib] Update queryperf to build on darwin. Add -R flag
2056 for non-recursive queries. [RT #28565]
2058 3300. [bug] Named could die if gssapi was enabled in named.conf
2059 but was not compiled in. [RT #28338]
2061 3299. [bug] Make SDB handle errors from database drivers better.
2064 3298. [bug] Named could dereference a NULL pointer in
2065 zmgr_start_xfrin_ifquota if the zone was being removed.
2068 3297. [bug] Named could die on a malformed master file. [RT #28467]
2070 3296. [bug] Named could die with a INSIST failure in
2071 client.c:exit_check. [RT #28346]
2073 3295. [bug] Adjust isc_time_secondsastimet range check to be more
2074 portable. [RT # 26542]
2076 3294. [bug] isccc/cc.c:table_fromwire failed to free alist on
2079 3291. [port] Fixed a build error on systems without ENOTSUP.
2082 3290. [bug] <isc/hmacsha.h> was not being installed. [RT #28169]
2084 3273. [bug] AAAA responses could be returned in the additional
2085 section even when filter-aaaa-on-v4 was in use.
2088 --- 9.9.0 released ---
2090 --- 9.9.0rc4 released ---
2092 3289. [bug] 'rndc retransfer' failed for inline zones. [RT #28036]
2094 3288. [bug] dlz_destroy() function wasn't correctly registered
2095 by the DLZ dlopen driver. [RT #28056]
2097 3287. [port] Update ans.pl to work with Net::DNS 0.68. [RT #28028]
2099 3286. [bug] Managed key maintenance timer could fail to start
2100 after 'rndc reconfig'. [RT #26786]
2102 --- 9.9.0rc3 released ---
2104 3285. [bug] val-frdataset was incorrectly disassociated in
2105 proveunsecure after calling startfinddlvsep.
2108 3284. [bug] Address race conditions with the handling of
2109 rbtnode.deadlink. [RT #27738]
2111 3283. [bug] Raw zones with with more than 512 records in a RRset
2112 failed to load. [RT #27863]
2114 3282. [bug] Restrict the TTL of NS RRset to no more than that
2115 of the old NS RRset when replacing it.
2116 [RT #27792] [RT #27884]
2118 3281. [bug] SOA refresh queries could be treated as cancelled
2119 despite succeeding over the loopback interface.
2122 3280. [bug] Potential double free of a rdataset on out of memory
2123 with DNS64. [RT #27762]
2125 3279. [bug] Hold a internal reference to the zone while performing
2126 a asynchronous load. Address potential memory leak
2127 if the asynchronous is cancelled. [RT #27750]
2129 3278. [bug] Make sure automatic key maintenance is started
2130 when "auto-dnssec maintain" is turned on during
2131 "rndc reconfig". [RT #26805]
2133 3277. [bug] win32: isc_socket_dup is not implemented. [RT #27696]
2135 3276. [bug] win32: ns_os_openfile failed to return NULL on
2136 safe_open failure. [RT #27696]
2138 3275. [bug] Corrected rndc -h output; the 'rndc sync -clean'
2139 option had been misspelled as '-clear'. (To avoid
2140 future confusion, both options now work.) [RT #27173]
2142 3271. [port] darwin: mksymtbl is not always stable, loop several
2143 times before giving up. mksymtbl was using non
2144 portable perl to covert 64 bit hex strings. [RT #27653]
2146 --- 9.9.0rc2 released ---
2148 3270. [bug] "rndc reload" didn't reuse existing zones correctly
2149 when inline-signing was in use. [RT #27650]
2151 3269. [port] darwin 11 and later now built threaded by default.
2153 3268. [bug] Convert RRSIG expiry times to 64 timestamps to work
2154 out the earliest expiry time. [RT #23311]
2156 3267. [bug] Memory allocation failures could be mis-reported as
2157 unexpected error. New ISC_R_UNSET result code.
2160 3266. [bug] The maximum number of NSEC3 iterations for a
2161 DNSKEY RRset was not being properly computed.
2164 3265. [bug] Corrected a problem with lock ordering in the
2165 inline-signing code. [RT #27557]
2167 3264. [bug] Automatic regeneration of signatures in an
2168 inline-signing zone could stall when the server
2169 was restarted. [RT #27344]
2171 3263. [bug] "rndc sync" did not affect the unsigned side of an
2172 inline-signing zone. [RT #27337]
2174 3262. [bug] Signed responses were handled incorrectly by RPZ.
2177 3261. [func] RRset ordering now defaults to random. [RT #27174]
2179 3260. [bug] "rrset-order cyclic" could appear not to rotate
2180 for some query patterns. [RT #27170/27185]
2182 --- 9.9.0rc1 released ---
2184 3259. [bug] named-compilezone: Suppress "dump zone to <file>"
2185 message when writing to stdout. [RT #27109]
2187 3258. [test] Add "forcing full sign with unreadable keys" test.
2190 3257. [bug] Do not generate a error message when calling fsync()
2191 in a pipe or socket. [RT #27109]
2193 3256. [bug] Disable empty zones for lwresd -C. [RT #27139]
2195 3255. [func] No longer require that a empty zones be explicitly
2196 enabled or that a empty zone is disabled for
2197 RFC 1918 empty zones to be configured. [RT #27139]
2199 3254. [bug] Set isc_socket_ipv6only() on the IPv6 control channels.
2202 3253. [bug] Return DNS_R_SYNTAX when the input to a text field is
2203 too long. [RT #26956]
2205 3252. [bug] When master zones using inline-signing were
2206 updated while the server was offline, the source
2207 zone could fall out of sync with the signed
2208 copy. They can now resynchronize. [RT #26676]
2210 3251. [bug] Enforce a upper bound (65535 bytes) on the amount of
2211 memory dns_sdlz_putrr() can allocate per record to
2212 prevent run away memory consumption on ISC_R_NOSPACE.
2215 3250. [func] 'configure --enable-developer'; turn on various
2216 configure options, normally off by default, that
2217 we want developers to build and test with. [RT #27103]
2219 3249. [bug] Update log message when saving slave zones files for
2220 analysis after load failures. [RT #27087]
2222 3248. [bug] Configure options --enable-fixed-rrset and
2223 --enable-exportlib were incompatible with each
2226 3247. [bug] 'raw' format zones failed to preserve load order
2227 breaking 'fixed' sort order. [RT #27087]
2229 3246. [bug] Named failed to start with a empty also-notify list.
2232 3245. [bug] Don't report a error unchanged serials unless there
2233 were other changes when thawing a zone with
2234 ixfr-fromdifferences. [RT #26845]
2236 3244. [func] Added readline support to nslookup and nsupdate.
2237 Also simplified nsupdate syntax to make "update"
2238 and "prereq" optional. [RT #24659]
2240 3243. [port] freebsd,netbsd,bsdi: the thread defaults were not
2243 3242. [func] Extended the header of raw-format master files to
2244 include the serial number of the zone from which
2245 they were generated, if different (as in the case
2246 of inline-signing zones). This is to be used in
2247 inline-signing zones, to track changes between the
2248 unsigned and signed versions of the zone, which may
2249 have different serial numbers.
2251 (Note: raw zonefiles generated by this version of
2252 BIND are no longer compatible with prior versions.
2253 To generate a backward-compatible raw zonefile
2254 using dnssec-signzone or named-compilezone, specify
2255 output format "raw=0" instead of simply "raw".)
2258 3241. [bug] Address race conditions in the resolver code.
2261 3240. [bug] DNSKEY state change events could be missed. [RT #26874]
2263 3239. [bug] dns_dnssec_findmatchingkeys needs to use a consistent
2264 timestamp. [RT #26883]
2266 3238. [bug] keyrdata was not being reinitialized in
2267 lib/dns/rbtdb.c:iszonesecure. [RT #26913]
2269 3237. [bug] dig -6 didn't work with +trace. [RT #26906]
2271 3236. [bug] Backed out changes #3182 and #3202, related to
2272 EDNS(0) fallback behavior. [RT #26416]
2274 3235. [func] dns_db_diffx, a extended dns_db_diff which returns
2275 the generated diff and optionally writes it to a
2276 journal. [RT #26386]
2278 3234. [bug] 'make depend' produced invalid makefiles. [RT #26830]
2280 3233. [bug] 'rndc freeze/thaw' didn't work for inline zones.
2283 3232. [bug] Zero zone->curmaster before return in
2284 dns_zone_setmasterswithkeys(). [RT #26732]
2286 3231. [bug] named could fail to send a incompressible zone.
2289 3230. [bug] 'dig axfr' failed to properly handle a multi-message
2290 axfr with a serial of 0. [RT #26796]
2292 3229. [bug] Fix local variable to struct var assignment
2293 found by CLANG warning.
2295 3228. [tuning] Dynamically grow symbol table to improve zone
2296 loading performance. [RT #26523]
2298 3227. [bug] Interim fix to make WKS's use of getprotobyname()
2299 and getservbyname() self thread safe. [RT #26232]
2301 3226. [bug] Address minor resource leakages. [RT #26624]
2303 3225. [bug] Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
2304 messages. [RT #26507]
2306 3224. [bug] 'rndc signing' argument parsing was broken. [RT #26684]
2308 3223. [bug] 'task_test privilege_drop' generated false positives.
2311 3222. [cleanup] Replace dns_journal_{get,set}_bitws with
2312 dns_journal_{get,set}_sourceserial. [RT #26634]
2314 3221. [bug] Fixed a potential core dump on shutdown due to
2315 referencing fetch context after it's been freed.
2318 --- 9.9.0b2 released ---
2320 3220. [bug] Change #3186 was incomplete; dns_db_rpz_findips()
2321 could fail to set the database version correctly,
2322 causing an assertion failure. [RT #26180]
2324 3219. [bug] Disable NOEDNS caching following a timeout.
2326 3218. [security] Cache lookup could return RRSIG data associated with
2327 nonexistent records, leading to an assertion
2328 failure. [RT #26590]
2330 3217. [cleanup] Fix build problem with --disable-static. [RT #26476]
2332 3216. [bug] resolver.c:validated() was not thread-safe. [RT #26478]
2334 3215. [bug] 'rndc recursing' could cause a core dump. [RT #26495]
2336 3214. [func] Add 'named -U' option to set the number of UDP
2337 listener threads per interface. [RT #26485]
2339 3213. [doc] Clarify ixfr-from-differences behavior. [RT #25188]
2341 3212. [bug] rbtdb.c: failed to remove a node from the deadnodes
2342 list prior to adding a reference to it leading a
2343 possible assertion failure. [RT #23219]
2345 3211. [func] dnssec-signzone: "-f -" prints to stdout; "-O full"
2346 option prints in single-line-per-record format.
2349 3210. [bug] Canceling the oldest query due to recursive-client
2350 overload could trigger an assertion failure. [RT #26463]
2352 3209. [func] Add "dnssec-lookaside 'no'". [RT #24858]
2354 3208. [bug] 'dig -y' handle unknown tsig algorithm better.
2357 3207. [contrib] Fixed build error in Berkeley DB DLZ module. [RT #26444]
2359 3206. [cleanup] Add ISC information to log at start time. [RT #25484]
2361 3205. [func] Upgrade dig's defaults to better reflect modern
2362 nameserver behavior. Enable "dig +adflag" and
2363 "dig +edns=0" by default. Enable "+dnssec" when
2364 running "dig +trace". [RT #23497]
2366 3204. [bug] When a master server that has been marked as
2367 unreachable sends a NOTIFY, mark it reachable
2370 3203. [bug] Increase log level to 'info' for validation failures
2371 from expired or not-yet-valid RRSIGs. [RT #21796]
2373 3202. [bug] NOEDNS caching on timeout was too aggressive.
2376 3201. [func] 'rndc querylog' can now be given an on/off parameter
2377 instead of only being used as a toggle. [RT #18351]
2379 3200. [doc] Some rndc functions were undocumented or were
2380 missing from 'rndc -h' output. [RT #25555]
2382 3199. [func] When logging client information, include the name
2383 being queried. [RT #25944]
2385 3198. [doc] Clarified that dnssec-settime can alter keyfile
2386 permissions. [RT #24866]
2388 3197. [bug] Don't try to log the filename and line number when
2389 the config parser can't open a file. [RT #22263]
2391 3196. [bug] nsupdate: return nonzero exit code when target zone
2392 doesn't exist. [RT #25783]
2394 3195. [cleanup] Silence "file not found" warnings when loading
2395 managed-keys zone. [RT #26340]
2397 3194. [doc] Updated RFC references in the 'empty-zones-enable'
2398 documentation. [RT #25203]
2400 3193. [cleanup] Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
2401 dnssec.h. [RT #26415]
2403 3192. [bug] A query structure could be used after being freed.
2406 3191. [bug] Print NULL records using "unknown" format. [RT #26392]
2408 3190. [bug] Underflow in error handling in isc_mutexblock_init.
2411 3189. [test] Added a summary report after system tests. [RT #25517]
2413 3188. [bug] zone.c:zone_refreshkeys() could fail to detach
2414 references correctly when errors occurred, causing
2415 a hang on shutdown. [RT #26372]
2417 3187. [port] win32: support for Visual Studio 2008. [RT #26356]
2419 --- 9.9.0b1 released ---
2421 3186. [bug] Version/db mis-match in rpz code. [RT #26180]
2423 3185. [func] New 'rndc signing' option for auto-dnssec zones:
2424 - 'rndc signing -list' displays the current
2425 state of signing operations
2426 - 'rndc signing -clear' clears the signing state
2427 records for keys that have fully signed the zone
2428 - 'rndc signing -nsec3param' sets the NSEC3
2429 parameters for the zone
2430 The 'rndc keydone' syntax is removed. [RT #23729]
2432 3184. [bug] named had excessive cpu usage when a redirect zone was
2433 configured. [RT #26013]
2435 3183. [bug] Added RTLD_GLOBAL flag to dlopen call. [RT #26301]
2437 3182. [bug] Auth servers behind firewalls which block packets
2438 greater than 512 bytes may cause other servers to
2439 perform poorly. Now, adb retains edns information
2440 and caches noedns servers. [RT #23392/24964]
2442 3181. [func] Inline-signing is now supported for master zones.
2445 3180. [func] Local copies of slave zones are now saved in raw
2446 format by default, to improve startup performance.
2447 'masterfile-format text;' can be used to override
2448 the default, if desired. [RT #25867]
2450 3179. [port] kfreebsd: build issues. [RT #26273]
2452 3178. [bug] A race condition introduced by change #3163 could
2453 cause an assertion failure on shutdown. [RT #26271]
2455 3177. [func] 'rndc keydone', remove the indicator record that
2456 named has finished signing the zone with the
2457 corresponding key. [RT #26206]
2459 3176. [doc] Corrected example code and added a README to the
2460 sample external DLZ module in contrib/dlz/example.
2463 3175. [bug] Fix how DNSSEC positive wildcard responses from a
2464 NSEC3 signed zone are validated. Stop sending a
2465 unnecessary NSEC3 record when generating such
2466 responses. [RT #26200]
2468 3174. [bug] Always compute to revoked key tag from scratch.
2471 3173. [port] Correctly validate root DS responses. [RT #25726]
2473 3172. [port] darwin 10.* and freebsd [89] are now built threaded by
2476 3171. [bug] Exclusively lock the task when adding a zone using
2477 'rndc addzone'. [RT #25600]
2479 --- 9.9.0a3 released ---
2481 3170. [func] RPZ update:
2482 - fix precedence among competing rules
2483 - improve ARM text including documenting rule precedence
2484 - try to rewrite CNAME chains until first hit
2485 - new "rpz" logging channel
2486 - RDATA for CNAME rules can include wildcards
2487 - replace "NO-OP" named.conf policy override with
2488 "PASSTHRU" and add "DISABLED" override ("NO-OP"
2489 is still recognized)
2492 3169. [func] Catch db/version mis-matches when calling dns_db_*().
2495 3168. [bug] Nxdomain redirection could trigger an assert with
2496 a ANY query. [RT #26017]
2498 3167. [bug] Negative answers from forwarders were not being
2499 correctly tagged making them appear to not be cached.
2502 3166. [bug] Upgrading a zone to support inline-signing failed.
2505 3165. [bug] dnssec-signzone could generate new signatures when
2506 resigning, even when valid signatures were already
2507 present. [RT #26025]
2509 3164. [func] Enable DLZ modules to retrieve client information,
2510 so that responses can be changed depending on the
2511 source address of the query. [RT #25768]
2513 3163. [bug] Use finer-grained locking in client.c to address
2514 concurrency problems with large numbers of threads.
2517 3162. [test] start.pl: modified to allow for "named.args" in
2518 ns*/ subdirectory to override stock arguments to
2519 named. Largely from RT #26044, but no separate ticket.
2521 3161. [bug] zone.c:del_sigs failed to always reset rdata leading
2522 assertion failures. [RT #25880]
2524 3160. [bug] When printing out a NSEC3 record in multiline form
2525 the newline was not being printed causing type codes
2526 to be run together. [RT #25873]
2528 3159. [bug] On some platforms, named could assert on startup
2529 when running in a chrooted environment without
2532 3158. [bug] Recursive servers would prefer a particular UDP
2533 socket instead of using all available sockets.
2536 3157. [tuning] Reduce the time spent in "rndc reconfig" by parsing
2537 the config file before pausing the server. [RT #21373]
2541 --- 9.9.0a2 released ---
2543 3155. [bug] Fixed a build failure when using contrib DLZ
2544 drivers (e.g., mysql, postgresql, etc). [RT #25710]
2546 3154. [bug] Attempting to print an empty rdataset could trigger
2547 an assert. [RT #25452]
2549 3153. [func] Extend request-ixfr to zone level and remove the
2550 side effect of forcing an AXFR. [RT #25156]
2552 3152. [cleanup] Some versions of gcc and clang failed due to
2553 incorrect use of __builtin_expect. [RT #25183]
2555 3151. [bug] Queries for type RRSIG or SIG could be handled
2556 incorrectly. [RT #21050]
2558 3150. [func] Improved startup and reconfiguration time by
2559 enabling zones to load in multiple threads. [RT #25333]
2563 3148. [bug] Processing of normal queries could be stalled when
2564 forwarding a UPDATE message. [RT #24711]
2566 3147. [func] Initial inline signing support. [RT #23657]
2568 --- 9.9.0a1 released ---
2570 3146. [test] Fixed gcc4.6.0 errors in ATF. [RT #25598]
2572 3145. [test] Capture output of ATF unit tests in "./atf.out" if
2573 there were any errors while running them. [RT #25527]
2575 3144. [bug] dns_dbiterator_seek() could trigger an assert when
2576 used with a nonexistent database node. [RT #25358]
2578 3143. [bug] Silence clang compiler warnings. [RT #25174]
2580 3142. [bug] NAPTR is class agnostic. [RT #25429]
2582 3141. [bug] Silence spurious "zone serial (0) unchanged" messages
2583 associated with empty zones. [RT #25079]
2585 3140. [func] New command "rndc flushtree <name>" clears the
2586 specified name from the server cache along with
2587 all names under it. [RT #19970]
2589 3139. [test] Added tests from RFC 6234, RFC 2202, and RFC 1321
2590 for the hashing algorithms (md5, sha1 - sha512, and
2591 their hmac counterparts). [RT #25067]
2593 3138. [bug] Address memory leaks and out-of-order operations when
2594 shutting named down. [RT #25210]
2596 3137. [func] Improve hardware scalability by allowing multiple
2597 worker threads to process incoming UDP packets.
2598 This can significantly increase query throughput
2599 on some systems. [RT #22992]
2601 3136. [func] Add RFC 1918 reverse zones to the list of built-in
2602 empty zones switched on by the 'empty-zones-enable'
2605 3135. [port] FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
2606 See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
2609 3134. [bug] Improve the accuracy of dnssec-signzone's signing
2610 statistics. [RT #16030]
2612 3133. [bug] Change #3114 was incomplete. [RT #24577]
2616 3131. [tuning] Improve scalability by allocating one zone task
2617 per 100 zones at startup time, rather than using a
2618 fixed-size task table. [RT #24406]
2620 3130. [func] Support alternate methods for managing a dynamic
2621 zone's serial number. Two methods are currently
2622 defined using serial-update-method, "increment"
2623 (default) and "unixtime". [RT #23849]
2625 3129. [bug] Named could crash on 'rndc reconfig' when
2626 allow-new-zones was set to yes and named ACLs
2627 were used. [RT #22739]
2629 3128. [func] Inserting an NSEC3PARAM via dynamic update in an
2630 auto-dnssec zone that has not been signed yet
2631 will cause it to be signed with the specified NSEC3
2632 parameters when keys are activated. The
2633 NSEC3PARAM record will not appear in the zone until
2634 it is signed, but the parameters will be stored.
2637 3127. [bug] 'rndc thaw' will now remove a zone's journal file
2638 if the zone serial number has been changed and
2639 ixfr-from-differences is not in use. [RT #24687]
2641 3126. [security] Using DNAME record to generate replacements caused
2642 RPZ to exit with a assertion failure. [RT #24766]
2644 3125. [security] Using wildcard CNAME records as a replacement with
2645 RPZ caused named to exit with a assertion failure.
2648 3124. [bug] Use an rdataset attribute flag to indicate
2649 negative-cache records rather than using rrtype 0;
2650 this will prevent problems when that rrtype is
2651 used in actual DNS packets. [RT #24777]
2653 3123. [security] Change #2912 exposed a latent flaw in
2654 dns_rdataset_totext() that could cause named to
2655 crash with an assertion failure. [RT #24777]
2657 3122. [cleanup] dnssec-settime: corrected usage message. [RT #24664]
2659 3121. [security] An authoritative name server sending a negative
2660 response containing a very large RRset could
2661 trigger an off-by-one error in the ncache code
2662 and crash named. [RT #24650]
2664 3120. [bug] Named could fail to validate zones listed in a DLV
2665 that validated insecure without using DLV and had
2666 DS records in the parent zone. [RT #24631]
2668 3119. [bug] When rolling to a new DNSSEC key, a private-type
2669 record could be created and never marked complete.
2672 3118. [bug] nsupdate could dump core on shutdown when using
2673 SIG(0) keys. [RT #24604]
2675 3117. [cleanup] Remove doc and parser references to the
2676 never-implemented 'auto-dnssec create' option.
2679 3116. [func] New 'dnssec-update-mode' option controls updates
2680 of DNSSEC records in signed dynamic zones. Set to
2681 'no-resign' to disable automatic RRSIG regeneration
2682 while retaining the ability to sign new or changed
2685 3115. [bug] Named could fail to return requested data when
2686 following a CNAME that points into the same zone.
2689 3114. [bug] Retain expired RRSIGs in dynamic zones if key is
2690 inactive and there is no replacement key. [RT #23136]
2692 3113. [doc] Document the relationship between serial-query-rate
2693 and NOTIFY messages.
2695 3112. [doc] Add missing descriptions of the update policy name
2696 types "ms-self", "ms-subdomain", "krb5-self" and
2697 "krb5-subdomain", which allow machines to update
2698 their own records, to the BIND 9 ARM.
2700 3111. [bug] Improved consistency checks for dnssec-enable and
2701 dnssec-validation, added test cases to the
2702 checkconf system test. [RT #24398]
2704 3110. [bug] dnssec-signzone: Wrong error message could appear
2705 when attempting to sign with no KSK. [RT #24369]
2707 3109. [func] The also-notify option now uses the same syntax
2708 as a zone's masters clause. This means it is
2709 now possible to specify a TSIG key to use when
2710 sending notifies to a given server, or to include
2711 an explicit named masters list in an also-notfiy
2712 statement. [RT #23508]
2714 3108. [cleanup] dnssec-signzone: Clarified some error and
2715 warning messages; removed #ifdef ALLOW_KSKLESS_ZONES
2716 code (use -P instead). [RT #20852]
2718 3107. [bug] dnssec-signzone: Report the correct number of ZSKs
2719 when using -x. [RT #20852]
2721 3106. [func] When logging client requests, include the name of
2722 the TSIG key if any. [RT #23619]
2724 3105. [bug] GOST support can be suppressed by "configure
2725 --without-gost" [RT #24367]
2727 3104. [bug] Better support for cross-compiling. [RT #24367]
2729 3103. [bug] Configuring 'dnssec-validation auto' in a view
2730 instead of in the options statement could trigger
2731 an assertion failure in named-checkconf. [RT #24382]
2733 3102. [func] New 'dnssec-loadkeys-interval' option configures
2734 how often, in minutes, to check the key repository
2735 for updates when using automatic key maintenance.
2736 Default is every 60 minutes (formerly hard-coded
2737 to 12 hours). [RT #23744]
2739 3101. [bug] Zones using automatic key maintenance could fail
2740 to check the key repository for updates. [RT #23744]
2742 3100. [security] Certain response policy zone configurations could
2743 trigger an INSIST when receiving a query of type
2746 3099. [test] "dlz" system test now runs but gives R:SKIPPED if
2747 not compiled with --with-dlz-filesystem. [RT #24146]
2749 3098. [bug] DLZ zones were answering without setting the AA bit.
2752 3097. [test] Add a tool to test handling of malformed packets.
2755 3096. [bug] Set KRB5_KTNAME before calling log_cred() in
2756 dst_gssapi_acceptctx(). [RT #24004]
2758 3095. [bug] Handle isolated reserved ports in the port range.
2761 3094. [doc] Expand dns64 documentation.
2763 3093. [bug] Fix gssapi/kerberos dependencies [RT #23836]
2765 3092. [bug] Signatures for records at the zone apex could go
2766 stale due to an incorrect timer setting. [RT #23769]
2768 3091. [bug] Fixed a bug in which zone keys that were published
2769 and then subsequently activated could fail to trigger
2770 automatic signing. [RT #22911]
2772 3090. [func] Make --with-gssapi default [RT #23738]
2774 3089. [func] dnssec-dsfromkey now supports reading keys from
2775 standard input "dnssec-dsfromkey -f -". [RT #20662]
2777 3088. [bug] Remove bin/tests/system/logfileconfig/ns1/named.conf
2778 and add setup.sh in order to resolve changing
2779 named.conf issue. [RT #23687]
2781 3087. [bug] DDNS updates using SIG(0) with update-policy match
2782 type "external" could cause a crash. [RT #23735]
2784 3086. [bug] Running dnssec-settime -f on an old-style key will
2785 now force an update to the new key format even if no
2786 other change has been specified, using "-P now -A now"
2787 as default values. [RT #22474]
2789 3085. [func] New '-R' option in dnssec-signzone forces removal
2790 of signatures which have not yet expired but
2791 were generated by a key that no longer exists.
2794 3084. [func] A new command "rndc sync" dumps pending changes in
2795 a dynamic zone to disk; "rndc sync -clean" also
2796 removes the journal file after syncing. Also,
2797 "rndc freeze" no longer removes journal files.
2800 3083. [bug] NOTIFY messages were not being sent when generating
2801 a NSEC3 chain incrementally. [RT #23702]
2803 3082. [port] strtok_r is threads only. [RT #23747]
2805 3081. [bug] Failure of DNAME substitution did not return
2806 YXDOMAIN. [RT #23591]
2808 3080. [cleanup] Replaced compile time constant by STDTIME_ON_32BITS.
2811 3079. [bug] Handle isc_event_allocate failures in t_tasks.
2814 3078. [func] Added a new include file with function typedefs
2815 for the DLZ "dlopen" driver. [RT #23629]
2817 3077. [bug] zone.c:zone_refreshkeys() incorrectly called
2818 dns_zone_attach(), use zone->irefs instead. [RT #23303]
2820 3076. [func] New '-L' option in dnssec-keygen, dnsset-settime, and
2821 dnssec-keyfromlabel sets the default TTL of the
2822 key. When possible, automatic signing will use that
2823 TTL when the key is published. [RT #23304]
2825 3075. [bug] dns_dnssec_findzonekeys{2} used a inconsistent
2826 timestamp when determining which keys are active.
2829 3074. [bug] Make the adb cache read through for zone data and
2830 glue learn for zone named is authoritative for.
2833 3073. [bug] managed-keys changes were not properly being recorded.
2836 3072. [bug] dns_dns64_aaaaok() potential NULL pointer dereference.
2839 3071. [bug] has_nsec could be used uninitialized in
2840 update.c:next_active. [RT #20256]
2842 3070. [bug] dnssec-signzone potential NULL pointer dereference.
2845 3069. [cleanup] Silence warnings messages from clang static analysis.
2848 3068. [bug] Named failed to build with a OpenSSL without engine
2849 support. [RT #23473]
2851 3067. [bug] ixfr-from-differences {master|slave}; failed to
2852 select the master/slave zones. [RT #23580]
2854 3066. [func] The DLZ "dlopen" driver is now built by default,
2855 no longer requiring a configure option. To
2856 disable it, use "configure --without-dlopen".
2857 Driver also supported on win32. [RT #23467]
2859 3065. [bug] RRSIG could have time stamps too far in the future.
2862 3064. [bug] powerpc: add sync instructions to the end of atomic
2863 operations. [RT #23469]
2865 3063. [contrib] More verbose error reporting from DLZ LDAP. [RT #23402]
2867 3062. [func] Made several changes to enhance human readability
2868 of DNSSEC data in dig output and in generated
2870 - DNSKEY record comments are more verbose, no
2871 longer used in multiline mode only
2872 - multiline RRSIG records reformatted
2873 - multiline output mode for NSEC3PARAM records
2874 - "dig +norrcomments" suppresses DNSKEY comments
2875 - "dig +split=X" breaks hex/base64 records into
2876 fields of width X; "dig +nosplit" disables this.
2879 3061. [func] New option "dnssec-signzone -D", only write out
2880 generated DNSSEC records. [RT #22896]
2882 3060. [func] New option "dnssec-signzone -X <date>" allows
2883 specification of a separate expiration date
2884 for DNSKEY RRSIGs and other RRSIGs. [RT #22141]
2886 3059. [test] Added a regression test for change #3023.
2888 3058. [bug] Cause named to terminate at startup or rndc reconfig/
2889 reload to fail, if a log file specified in the conf
2890 file isn't a plain file. [RT #22771]
2892 3057. [bug] "rndc secroots" would abort after the first error
2893 and so could miss some views. [RT #23488]
2895 3056. [func] Added support for URI resource record. [RT #23386]
2899 3054. [bug] Added elliptic curve support check in
2900 GOST OpenSSL engine detection. [RT #23485]
2902 3053. [bug] Under a sustained high query load with a finite
2903 max-cache-size, it was possible for cache memory
2904 to be exhausted and not recovered. [RT #23371]
2906 3052. [test] Fixed last autosign test report. [RT #23256]
2908 3051. [bug] NS records obscure DNAME records at the bottom of the
2909 zone if both are present. [RT #23035]
2911 3050. [bug] The autosign system test was timing dependent.
2912 Wait for the initial autosigning to complete
2913 before running the rest of the test. [RT #23035]
2915 3049. [bug] Save and restore the gid when creating creating
2916 named.pid at startup. [RT #23290]
2918 3048. [bug] Fully separate view key management. [RT #23419]
2920 3047. [bug] DNSKEY NODATA responses not cached fixed in
2921 validator.c. Tests added to dnssec system test.
2924 3046. [bug] Use RRSIG original TTL to compute validated RRset
2925 and RRSIG TTL. [RT #23332]
2927 3045. [removed] Replaced by change #3050.
2929 3044. [bug] Hold the socket manager lock while freeing the socket.
2932 3043. [test] Merged in the NetBSD ATF test framework (currently
2933 version 0.12) for development of future unit tests.
2934 Use configure --with-atf to build ATF internally
2935 or configure --with-atf=prefix to use an external
2938 3042. [bug] dig +trace could fail attempting to use IPv6
2939 addresses on systems with only IPv4 connectivity.
2942 3041. [bug] dnssec-signzone failed to generate new signatures on
2943 ttl changes. [RT #23330]
2945 3040. [bug] Named failed to validate insecure zones where a node
2946 with a CNAME existed between the trust anchor and the
2947 top of the zone. [RT #23338]
2949 3039. [func] Redirect on NXDOMAIN support. [RT #23146]
2951 3038. [bug] Install <dns/rpz.h>. [RT #23342]
2953 3037. [doc] Update COPYRIGHT to contain all the individual
2954 copyright notices that cover various parts.
2956 3036. [bug] Check built-in zone arguments to see if the zone
2957 is re-usable or not. [RT #21914]
2959 3035. [cleanup] Simplify by using strlcpy. [RT #22521]
2961 3034. [cleanup] nslookup: use strlcpy instead of safecopy. [RT #22521]
2963 3033. [cleanup] Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).
2966 3032. [bug] rdatalist.c: add missing REQUIREs. [RT #22521]
2968 3031. [bug] dns_rdataclass_format() handle a zero sized buffer.
2971 3030. [bug] dns_rdatatype_format() handle a zero sized buffer.
2974 3029. [bug] isc_netaddr_format() handle a zero sized buffer.
2977 3028. [bug] isc_sockaddr_format() handle a zero sized buffer.
2980 3027. [bug] Add documented REQUIREs to cfg_obj_asnetprefix() to
2981 catch NULL pointer dereferences before they happen.
2984 3026. [bug] lib/isc/httpd.c: check that we have enough space
2985 after calling grow_headerspace() and if not
2986 re-call grow_headerspace() until we do. [RT #22521]
2988 3025. [bug] Fixed a possible deadlock due to zone resigning.
2991 3024. [func] RTT Banding removed due to minor security increase
2992 but major impact on resolver latency. [RT #23310]
2994 3023. [bug] Named could be left in an inconsistent state when
2995 receiving multiple AXFR response messages that were
2996 not all TSIG-signed. [RT #23254]
2998 3022. [bug] Fixed rpz SERVFAILs after failed zone transfers
3001 3021. [bug] Change #3010 was incomplete. [RT #22296]
3003 3020. [bug] auto-dnssec failed to correctly update the zone when
3004 changing the DNSKEY RRset. [RT #23232]
3006 3019. [test] Test: check apex NSEC3 records after adding DNSKEY
3007 record via UPDATE. [RT #23229]
3009 3018. [bug] Named failed to check for the "none;" acl when deciding
3010 if a zone may need to be re-signed. [RT #23120]
3012 3017. [doc] dnssec-keyfromlabel -I was not properly documented.
3015 3016. [bug] rndc usage missing '-b'. [RT #22937]
3017 3015. [port] win32: fix IN6_IS_ADDR_LINKLOCAL and
3018 IN6_IS_ADDR_SITELOCAL macros. [RT #22724]
3022 3013. [bug] The DNS64 ttl was not always being set as expected.
3025 3012. [bug] Remove DNSKEY TTL change pairs before generating
3026 signing records for any remaining DNSKEY changes.
3029 3011. [func] Change the default query timeout from 30 seconds
3030 to 10. Allow setting this in named.conf using the new
3031 'resolver-query-timeout' option, which specifies a max
3032 time in seconds. 0 means 'default' and anything longer
3033 than 30 will be silently set to 30. [RT #22852]
3035 3010. [bug] Fixed a bug where "rndc reconfig" stopped the timer
3036 for refreshing managed-keys. [RT #22296]
3038 3009. [bug] clients-per-query code didn't work as expected with
3039 particular query patterns. [RT #22972]
3041 --- 9.8.0b1 released ---
3043 3008. [func] Response policy zones (RPZ) support. [RT #21726]
3045 3007. [bug] Named failed to preserve the case of domain names in
3046 rdata which is not compressible when writing master
3049 3006. [func] Allow dynamically generated TSIG keys to be preserved
3050 across restarts of named. Initially this is for
3051 TSIG keys generated using GSSAPI. [RT #22639]
3053 3005. [port] Solaris: Work around the lack of
3054 gsskrb5_register_acceptor_identity() by setting
3055 the KRB5_KTNAME environment variable to the
3056 contents of tkey-gssapi-keytab. Also fixed
3057 test errors on MacOSX. [RT #22853]
3059 3004. [func] DNS64 reverse support. [RT #22769]
3061 3003. [experimental] Added update-policy match type "external",
3062 enabling named to defer the decision of whether to
3063 allow a dynamic update to an external daemon.
3064 (Contributed by Andrew Tridgell.) [RT #22758]
3066 3002. [bug] isc_mutex_init_errcheck() failed to destroy attr.
3069 3001. [func] Added a default trust anchor for the root zone, which
3070 can be switched on by setting "dnssec-validation auto;"
3071 in the named.conf options. [RT #21727]
3073 3000. [bug] More TKEY/GSS fixes:
3074 - nsupdate can now get the default realm from
3075 the user's Kerberos principal
3076 - corrected gsstest compilation flags
3077 - improved documentation
3078 - fixed some NULL dereferences
3081 2999. [func] Add GOST support (RFC 5933). [RT #20639]
3083 2998. [func] Add isc_task_beginexclusive and isc_task_endexclusive
3084 to the task api. [RT #22776]
3086 2997. [func] named -V now reports the OpenSSL and libxml2 verions
3087 it was compiled against. [RT #22687]
3089 2996. [security] Temporarily disable SO_ACCEPTFILTER support.
3092 2995. [bug] The Kerberos realm was not being correctly extracted
3093 from the signer's identity. [RT #22770]
3095 2994. [port] NetBSD: use pthreads by default on NetBSD >= 5.0, and
3096 do not use threads on earlier versions. Also kill
3097 the unproven-pthreads, mit-pthreads, and ptl2 support.
3099 2993. [func] Dynamically grow adb hash tables. [RT #21186]
3101 2992. [contrib] contrib/check-secure-delegation.pl: A simple tool
3102 for looking at a secure delegation. [RT #22059]
3104 2991. [contrib] contrib/zone-edit.sh: A simple zone editing tool for
3105 dynamic zones. [RT #22365]
3107 2990. [bug] 'dnssec-settime -S' no longer tests prepublication
3108 interval validity when the interval is set to 0.
3111 2989. [func] Added support for writable DLZ zones. (Contributed
3112 by Andrew Tridgell of the Samba project.) [RT #22629]
3114 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation
3115 of external DLZ drivers that can be loaded as
3116 shared objects at runtime rather than linked with
3117 named. Currently this is switched on via a
3118 compile-time option, "configure --with-dlz-dlopen".
3119 Note: the syntax for configuring DLZ zones
3120 is likely to be refined in future releases.
3121 (Contributed by Andrew Tridgell of the Samba
3122 project.) [RT #22629]
3124 2987. [func] Improve ease of configuring TKEY/GSS updates by
3125 adding a "tkey-gssapi-keytab" option. If set,
3126 updates will be allowed with any key matching
3127 a principal in the specified keytab file.
3128 "tkey-gssapi-credential" is no longer required
3129 and is expected to be deprecated. (Contributed
3130 by Andrew Tridgell of the Samba project.)
3133 2986. [func] Add new zone type "static-stub". It's like a stub
3134 zone, but the nameserver names and/or their IP
3135 addresses are statically configured. [RT #21474]
3137 2985. [bug] Add a regression test for change #2896. [RT #21324]
3139 2984. [bug] Don't run MX checks when the target of the MX record
3142 2983. [bug] Include "loadkeys" in rndc help output. [RT #22493]
3144 --- 9.8.0a1 released ---
3146 2982. [bug] Reference count dst keys. dst_key_attach() can be used
3147 increment the reference count.
3149 Note: dns_tsigkey_createfromkey() callers should now
3150 always call dst_key_free() rather than setting it
3151 to NULL on success. [RT #22672]
3153 2981. [func] Partial DNS64 support (AAAA synthesis). [RT #21991]
3155 2980. [bug] named didn't properly handle UPDATES that changed the
3156 TTL of the NSEC3PARAM RRset. [RT #22363]
3158 2979. [bug] named could deadlock during shutdown if two
3159 "rndc stop" commands were issued at the same
3162 2978. [port] hpux: look for <devpoll.h> [RT #21919]
3164 2977. [bug] 'nsupdate -l' report if the session key is missing.
3167 2976. [bug] named could die on exit after negotiating a GSS-TSIG
3170 2975. [bug] rbtdb.c:cleanup_dead_nodes_callback() acquired the
3171 wrong lock which could lead to server deadlock.
3174 2974. [bug] Some valid UPDATE requests could fail due to a
3175 consistency check examining the existing version
3176 of the zone rather than the new version resulting
3177 from the UPDATE. [RT #22413]
3179 2973. [bug] bind.keys.h was being removed by the "make clean"
3180 at the end of configure resulting in build failures
3181 where there is very old version of perl installed.
3182 Move it to "make maintainer-clean". [RT #22230]
3184 2972. [bug] win32: address windows socket errors. [RT #21906]
3186 2971. [bug] Fixed a bug that caused journal files not to be
3187 compacted on Windows systems as a result of
3188 non-POSIX-compliant rename() semantics. [RT #22434]
3190 2970. [security] Adding a NO DATA negative cache entry failed to clear
3191 any matching RRSIG records. A subsequent lookup of
3192 of NO DATA cache entry could trigger a INSIST when the
3193 unexpected RRSIG was also returned with the NO DATA
3196 CVE-2010-3613, VU#706148. [RT #22288]
3198 2969. [security] Fix acl type processing so that allow-query works
3199 in options and view statements. Also add a new
3200 set of tests to verify proper functioning.
3202 CVE-2010-3615, VU#510208. [RT #22418]
3204 2968. [security] Named could fail to prove a data set was insecure
3205 before marking it as insecure. One set of conditions
3206 that can trigger this occurs naturally when rolling
3209 CVE-2010-3614, VU#837744. [RT #22309]
3211 2967. [bug] 'host -D' now turns on debugging messages earlier.
3214 2966. [bug] isc_print_vsnprintf() failed to check if there was
3215 space available in the buffer when adding a left
3216 justified character with a non zero width,
3217 (e.g. "%-1c"). [RT #22270]
3219 2965. [func] Test HMAC functions using test data from RFC 2104 and
3220 RFC 4634. [RT #21702]
3224 2963. [security] The allow-query acl was being applied instead of the
3225 allow-query-cache acl to cache lookups. [RT #22114]
3227 2962. [port] win32: add more dependencies to BINDBuild.dsw.
3230 2961. [bug] Be still more selective about the non-authoritative
3231 answers we apply change 2748 to. [RT #22074]
3233 2960. [func] Check that named accepts non-authoritative answers.
3236 2959. [func] Check that named starts with a missing masterfile.
3239 2958. [bug] named failed to start with a missing master file.
3242 2957. [bug] entropy_get() and entropy_getpseudo() failed to match
3243 the API for RAND_bytes() and RAND_pseudo_bytes()
3244 respectively. [RT #21962]
3246 2956. [port] Enable atomic operations on the PowerPC64. [RT #21899]
3248 2955. [func] Provide more detail in the recursing log. [RT #22043]
3250 2954. [bug] contrib: dlz_mysql_driver.c bad error handling on
3251 build_sqldbinstance failure. [RT #21623]
3253 2953. [bug] Silence spurious "expected covering NSEC3, got an
3254 exact match" message when returning a wildcard
3255 no data response. [RT #21744]
3257 2952. [port] win32: named-checkzone and named-checkconf failed
3258 to initialize winsock. [RT #21932]
3260 2951. [bug] named failed to generate a correct signed response
3261 in a optout, delegation only zone with no secure
3262 delegations. [RT #22007]
3264 2950. [bug] named failed to perform a SOA up to date check when
3265 falling back to TCP on UDP timeouts when
3266 ixfr-from-differences was set. [RT #21595]
3268 2949. [bug] dns_view_setnewzones() contained a memory leak if
3269 it was called multiple times. [RT #21942]
3271 2948. [port] MacOS: provide a mechanism to configure the test
3272 interfaces at reboot. See bin/tests/system/README
3277 2946. [doc] Document the default values for the minimum and maximum
3278 zone refresh and retry values in the ARM. [RT #21886]
3280 2945. [doc] Update empty-zones list in ARM. [RT #21772]
3282 2944. [maint] Remove ORCHID prefix from built in empty zones.
3285 2943. [func] Add support to load new keys into managed zones
3286 without signing immediately with "rndc loadkeys".
3287 Add support to link keys with "dnssec-keygen -S"
3288 and "dnssec-settime -S". [RT #21351]
3290 2942. [contrib] zone2sqlite failed to setup the entropy sources.
3293 2941. [bug] sdb and sdlz (dlz's zone database) failed to support
3294 DNAME at the zone apex. [RT #21610]
3296 2940. [port] Remove connection aborted error message on
3297 Windows. [RT #21549]
3299 2939. [func] Check that named successfully skips NSEC3 records
3300 that fail to match the NSEC3PARAM record currently
3303 2938. [bug] When generating signed responses, from a signed zone
3304 that uses NSEC3, named would use a uninitialized
3305 pointer if it needed to skip a NSEC3 record because
3306 it didn't match the selected NSEC3PARAM record for
3309 2937. [bug] Worked around an apparent race condition in over
3310 memory conditions. Without this fix a DNS cache DB or
3311 ADB could incorrectly stay in an over memory state,
3312 effectively refusing further caching, which
3313 subsequently made a BIND 9 caching server unworkable.
3314 This fix prevents this problem from happening by
3315 polling the state of the memory context, rather than
3316 making a copy of the state, which appeared to cause
3317 a race. This is a "workaround" in that it doesn't
3318 solve the possible race per se, but several experiments
3319 proved this change solves the symptom. Also, the
3320 polling overhead hasn't been reported to be an issue.
3321 This bug should only affect a caching server that
3322 specifies a finite max-cache-size. It's also quite
3323 likely that the bug happens only when enabling threads,
3324 but it's not confirmed yet. [RT #21818]
3326 2936. [func] Improved configuration syntax and multiple-view
3327 support for addzone/delzone feature (see change
3328 #2930). Removed "new-zone-file" option, replaced
3329 with "allow-new-zones (yes|no)". The new-zone-file
3330 for each view is now created automatically, with
3331 a filename generated from a hash of the view name.
3332 It is no longer necessary to "include" the
3333 new-zone-file in named.conf; this happens
3334 automatically. Zones that were not added via
3335 "rndc addzone" can no longer be removed with
3336 "rndc delzone". [RT #19447]
3338 2935. [bug] nsupdate: improve 'file not found' error message.
3341 2934. [bug] Use ANSI C compliant shift range in lib/isc/entropy.c.
3344 2933. [bug] 'dig +nsid' used stack memory after it went out of
3345 scope. This could potentially result in a unknown,
3346 potentially malformed, EDNS option being sent instead
3347 of the desired NSID option. [RT #21781]
3349 2932. [cleanup] Corrected a numbering error in the "dnssec" test.
3352 2931. [bug] Temporarily and partially disable change 2864
3353 because it would cause infinite attempts of RRSIG
3354 queries. This is an urgent care fix; we'll
3355 revisit the issue and complete the fix later.
3358 2930. [experimental] New "rndc addzone" and "rndc delzone" commands
3359 allow dynamic addition and deletion of zones.
3360 To enable this feature, specify a "new-zone-file"
3361 option at the view or options level in named.conf.
3362 Zone configuration information for the new zones
3363 will be written into that file. To make the new
3364 zones persist after a restart, "include" the file
3365 into named.conf in the appropriate view. (Note:
3366 This feature is not yet documented, and its syntax
3367 is expected to change.) [RT #19447]
3369 2929. [bug] Improved handling of GSS security contexts:
3370 - added LRU expiration for generated TSIGs
3371 - added the ability to use a non-default realm
3372 - added new "realm" keyword in nsupdate
3373 - limited lifetime of generated keys to 1 hour
3374 or the lifetime of the context (whichever is
3378 2928. [bug] Be more selective about the non-authoritative
3379 answer we apply change 2748 to. [RT #21594]
3385 2925. [bug] Named failed to accept uncachable negative responses
3386 from insecure zones. [RT #21555]
3388 2924. [func] 'rndc secroots' dump a combined summary of the
3389 current managed keys combined with trusted keys.
3392 2923. [bug] 'dig +trace' could drop core after "connection
3393 timeout". [RT #21514]
3395 2922. [contrib] Update zkt to version 1.0.
3397 2921. [bug] The resolver could attempt to destroy a fetch context
3398 too soon. [RT #19878]
3400 2920. [func] Allow 'filter-aaaa-on-v4' to be applied selectively
3401 to IPv4 clients. New acl 'filter-aaaa' (default any).
3403 2919. [func] Add autosign-ksk and autosign-zsk virtual time tests.
3406 2918. [maint] Add AAAA address for I.ROOT-SERVERS.NET.
3408 2917. [func] Virtual time test framework. [RT #20801]
3410 2916. [func] Add framework to use IPv6 in tests.
3411 fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7
3413 2915. [cleanup] Be smarter about which objects we attempt to compile
3414 based on configure options. [RT #21444]
3416 2914. [bug] Make the "autosign" system test more portable.
3419 2913. [func] Add pkcs#11 system tests. [RT #20784]
3421 2912. [func] Windows clients don't like UPDATE responses that clear
3422 the zone section. [RT #20986]
3424 2911. [bug] dnssec-signzone didn't handle out of zone records well.
3427 2910. [func] Sanity check Kerberos credentials. [RT #20986]
3429 2909. [bug] named-checkconf -p could die if "update-policy local;"
3430 was specified in named.conf. [RT #21416]
3432 2908. [bug] It was possible for re-signing to stop after removing
3433 a DNSKEY. [RT #21384]
3435 2907. [bug] The export version of libdns had undefined references.
3438 2906. [bug] Address RFC 5011 implementation issues. [RT #20903]
3440 2905. [port] aix: set use_atomic=yes with native compiler.
3443 2904. [bug] When using DLV, sub-zones of the zones in the DLV,
3444 could be incorrectly marked as insecure instead of
3445 secure leading to negative proofs failing. This was
3446 a unintended outcome from change 2890. [RT #21392]
3448 2903. [bug] managed-keys-directory missing from namedconf.c.
3451 2902. [func] Add regression test for change 2897. [RT #21040]
3453 2901. [port] Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]
3455 2900. [bug] The placeholder negative caching element was not
3456 properly constructed triggering a INSIST in
3457 dns_ncache_towire(). [RT #21346]
3459 2899. [port] win32: Support linking against OpenSSL 1.0.0.
3461 2898. [bug] nslookup leaked memory when -domain=value was
3462 specified. [RT #21301]
3464 2897. [bug] NSEC3 chains could be left behind when transitioning
3465 to insecure. [RT #21040]
3467 2896. [bug] "rndc sign" failed to properly update the zone
3468 when adding a DNSKEY for publication only. [RT #21045]
3470 2895. [func] genrandom: add support for the generation of multiple
3473 2894. [contrib] DLZ LDAP support now use '$' not '%'. [RT #21294]
3475 2893. [bug] Improve managed keys support. New named.conf option
3476 managed-keys-directory. [RT #20924]
3478 2892. [bug] Handle REVOKED keys better. [RT #20961]
3480 2891. [maint] Update empty-zones list to match
3481 draft-ietf-dnsop-default-local-zones-13. [RT #21099]
3483 2890. [bug] Handle the introduction of new trusted-keys and
3484 DS, DLV RRsets better. [RT #21097]
3486 2889. [bug] Elements of the grammar where not properly reported.
3489 2888. [bug] Only the first EDNS option was displayed. [RT #21273]
3491 2887. [bug] Report the keytag times in UTC in the .key file,
3492 local time is presented as a comment within the
3493 comment. [RT #21223]
3495 2886. [bug] ctime() is not thread safe. [RT #21223]
3497 2885. [bug] Improve -fno-strict-aliasing support probing in
3498 configure. [RT #21080]
3500 2884. [bug] Insufficient validation in dns_name_getlabelsequence().
3503 2883. [bug] 'dig +short' failed to handle really large datasets.
3506 2882. [bug] Remove memory context from list of active contexts
3507 before clearing 'magic'. [RT #21274]
3509 2881. [bug] Reduce the amount of time the rbtdb write lock
3510 is held when closing a version. [RT #21198]
3512 2880. [cleanup] Make the output of dnssec-keygen and dnssec-revoke
3513 consistent. [RT #21078]
3515 2879. [contrib] DLZ bdbhpt driver fails to close correct cursor.
3518 2878. [func] Incrementally write the master file after performing
3521 2877. [bug] The validator failed to skip obviously mismatching
3524 2876. [bug] Named could return SERVFAIL for negative responses
3525 from unsigned zones. [RT #21131]
3527 2875. [bug] dns_time64_fromtext() could accept non digits.
3530 2874. [bug] Cache lack of EDNS support only after the server
3531 successfully responds to the query using plain DNS.
3534 2873. [bug] Canceling a dynamic update via the dns/client module
3535 could trigger an assertion failure. [RT #21133]
3537 2872. [bug] Modify dns/client.c:dns_client_createx() to only
3538 require one of IPv4 or IPv6 rather than both.
3541 2871. [bug] Type mismatch in mem_api.c between the definition and
3542 the header file, causing build failure with
3543 --enable-exportlib. [RT #21138]
3545 2870. [maint] Add AAAA address for L.ROOT-SERVERS.NET.
3547 2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call.
3550 2868. [cleanup] Run "make clean" at the end of configure to ensure
3551 any changes made by configure are integrated.
3552 Use --with-make-clean=no to disable. [RT #20994]
3554 2867. [bug] Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
3555 don't like it. [RT #20986]
3557 2866. [bug] Windows does not like the TSIG name being compressed.
3560 2865. [bug] memset to zero event.data. [RT #20986]
3562 2864. [bug] Direct SIG/RRSIG queries were not handled correctly.
3565 2863. [port] linux: disable IPv6 PMTUD and use network minimum MTU.
3568 2862. [bug] nsupdate didn't default to the parent zone when
3569 updating DS records. [RT #20896]
3571 2861. [doc] dnssec-settime man pages didn't correctly document the
3572 inactivation time. [RT #21039]
3574 2860. [bug] named-checkconf's usage was out of date. [RT #21039]
3576 2859. [bug] When canceling validation it was possible to leak
3579 2858. [bug] RTT estimates were not being adjusted on ICMP errors.
3582 2857. [bug] named-checkconf did not fail on a bad trusted key.
3585 2856. [bug] The size of a memory allocation was not always properly
3586 recorded. [RT #20927]
3588 2855. [func] nsupdate will now preserve the entered case of domain
3589 names in update requests it sends. [RT #20928]
3591 2854. [func] dig: allow the final soa record in a axfr response to
3592 be suppressed, dig +onesoa. [RT #20929]
3594 2853. [bug] add_sigs() could run out of scratch space. [RT #21015]
3596 2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]
3598 2851. [doc] nslookup.1, removed <informalexample> from the docbook
3599 source as it produced bad nroff. [RT #21007]
3601 2850. [bug] If isc_heap_insert() failed due to memory shortage
3602 the heap would have corrupted entries. [RT #20951]
3604 2849. [bug] Don't treat errors from the xml2 library as fatal.
3607 2848. [doc] Moved README.dnssec, README.libdns, README.pkcs11 and
3608 README.rfc5011 into the ARM. [RT #20899]
3610 2847. [cleanup] Corrected usage message in dnssec-settime. [RT #20921]
3612 2846. [bug] EOF on unix domain sockets was not being handled
3613 correctly. [RT #20731]
3615 2845. [bug] RFC 5011 client could crash on shutdown. [RT #20903]
3617 2844. [doc] notify-delay default in ARM was wrong. It should have
3618 been five (5) seconds.
3620 2843. [func] Prevent dnssec-keygen and dnssec-keyfromlabel from
3621 creating key files if there is a chance that the new
3622 key ID will collide with an existing one after
3623 either of the keys has been revoked. (To override
3624 this in the case of dnssec-keyfromlabel, use the -y
3625 option. dnssec-keygen will simply create a
3626 different, non-colliding key, so an override is
3627 not necessary.) [RT #20838]
3629 2842. [func] Added "smartsign" and improved "autosign" and
3630 "dnssec" regression tests. [RT #20865]
3632 2841. [bug] Change 2836 was not complete. [RT #20883]
3634 2840. [bug] Temporary fixed pkcs11-destroy usage check.
3637 2839. [bug] A KSK revoked by named could not be deleted.
3642 2837. [port] Prevent Linux spurious warnings about fwrite().
3645 2836. [bug] Keys that were scheduled to become active could
3646 be delayed. [RT #20874]
3648 2835. [bug] Key inactivity dates were inadvertently stored in
3649 the private key file with the outdated tag
3650 "Unpublish" rather than "Inactive". This has been
3651 fixed; however, any existing keys that had Inactive
3652 dates set will now need to have them reset, using
3653 'dnssec-settime -I'. [RT #20868]
3655 2834. [bug] HMAC-SHA* keys that were longer than the algorithm
3656 digest length were used incorrectly, leading to
3657 interoperability problems with other DNS
3658 implementations. This has been corrected.
3659 (Note: If an oversize key is in use, and
3660 compatibility is needed with an older release of
3661 BIND, the new tool "isc-hmac-fixup" can convert
3662 the key secret to a form that will work with all
3663 versions.) [RT #20751]
3665 2833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime.
3668 2832. [bug] Modify "struct stat" in lib/export/samples/nsprobe.c
3669 to avoid redefinition in some OSs [RT 20831]
3671 2831. [security] Do not attempt to validate or cache
3672 out-of-bailiwick data returned with a secure
3673 answer; it must be re-fetched from its original
3674 source and validated in that context. [RT #20819]
3676 2830. [bug] Changing the OPTOUT setting could take multiple
3679 2829. [bug] Fixed potential node inconsistency in rbtdb.c.
3682 2828. [security] Cached CNAME or DNAME RR could be returned to clients
3683 without DNSSEC validation. [RT #20737]
3685 2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
3687 2826. [bug] NSEC3->NSEC transitions could fail due to a lock not
3688 being released. [RT #20740]
3690 2825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that
3691 was in the process of being created was not properly
3692 recorded in the zone. [RT #20786]
3694 2824. [bug] "rndc sign" was not being run by the correct task.
3697 2823. [bug] rbtdb.c:getsigningtime() was missing locks. [RT #20781]
3699 2822. [bug] rbtdb.c:loadnode() could return the wrong result.
3702 2821. [doc] Add note that named-checkconf doesn't automatically
3703 read rndc.key and bind.keys [RT #20758]
3705 2820. [func] Handle read access failure of OpenSSL configuration
3706 file more user friendly (PKCS#11 engine patch).
3709 2819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define.
3712 2818. [cleanup] rndc could return an incorrect error code
3713 when a zone was not found. [RT #20767]
3715 2817. [cleanup] Removed unnecessary isc_task_endexclusive() calls.
3718 2816. [bug] previous_closest_nsec() could fail to return
3719 data for NSEC3 nodes [RT #29730]
3721 2815. [bug] Exclusively lock the task when freezing a zone.
3724 2814. [func] Provide a definitive error message when a master
3725 zone is not loaded. [RT #20757]
3727 2813. [bug] Better handling of unreadable DNSSEC key files.
3730 2812. [bug] Make sure updates can't result in a zone with
3731 NSEC-only keys and NSEC3 records. [RT #20748]
3733 2811. [cleanup] Add "rndc sign" to list of commands in rndc usage
3736 2810. [doc] Clarified the process of transitioning an NSEC3 zone
3737 to insecure. [RT #20746]
3739 2809. [cleanup] Restored accidentally-deleted text in usage output
3740 in dnssec-settime and dnssec-revoke [RT #20739]
3742 2808. [bug] Remove the attempt to install atomic.h from lib/isc.
3743 atomic.h is correctly installed by the architecture
3744 specific subdirectories. [RT #20722]
3746 2807. [bug] Fixed a possible ASSERT when reconfiguring zone
3749 --- 9.7.0rc1 released ---
3751 2806. [bug] "rdnc sign" could delay re-signing the DNSKEY
3752 when it had changed. [RT #20703]
3754 2805. [bug] Fixed namespace problems encountered when building
3755 external programs using non-exported BIND9 libraries
3756 (i.e., built without --enable-exportlib). [RT #20679]
3758 2804. [bug] Send notifies when a zone is signed with "rndc sign"
3759 or as a result of a scheduled key change. [RT #20700]
3761 2803. [port] win32: Install named-journalprint, nsec3hash, arpaname
3762 and genrandom under windows. [RT #20670]
3764 2802. [cleanup] Rename journalprint to named-journalprint. [RT #20670]
3766 2801. [func] Detect and report records that are different according
3767 to DNSSEC but are semantically equal according to plain
3768 DNS. Apply plain DNS comparisons rather than DNSSEC
3769 comparisons when processing UPDATE requests.
3770 dnssec-signzone now removes such semantically duplicate
3771 records prior to signing the RRset.
3773 named-checkzone -r {ignore|warn|fail} (default warn)
3774 named-compilezone -r {ignore|warn|fail} (default warn)
3776 named.conf: check-dup-records {ignore|warn|fail};
3778 2800. [func] Reject zones which have NS records which refer to
3779 CNAMEs, DNAMEs or don't have address record (class IN
3780 only). Reject UPDATEs which would cause the zone
3781 to fail the above checks if committed. [RT #20678]
3783 2799. [cleanup] Changed the "secure-to-insecure" option to
3784 "dnssec-secure-to-insecure", and "dnskey-ksk-only"
3785 to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
3787 2798. [bug] Addressed bugs in managed-keys initialization
3788 and rollover. [RT #20683]
3790 2797. [bug] Don't decrement the dispatch manager's maxbuffers.
3793 2796. [bug] Missing dns_rdataset_disassociate() call in
3794 dns_nsec3_delnsec3sx(). [RT #20681]
3796 2795. [cleanup] Add text to differentiate "update with no effect"
3797 log messages. [RT #18889]
3799 2794. [bug] Install <isc/namespace.h>. [RT #20677]
3801 2793. [func] Add "autosign" and "metadata" tests to the
3802 automatic tests. [RT #19946]
3804 2792. [func] "filter-aaaa-on-v4" can now be set in view
3805 options (if compiled in). [RT #20635]
3807 2791. [bug] The installation of isc-config.sh was broken.
3810 2790. [bug] Handle DS queries to stub zones. [RT #20440]
3812 2789. [bug] Fixed an INSIST in dispatch.c [RT #20576]
3814 2788. [bug] dnssec-signzone could sign with keys that were
3815 not requested [RT #20625]
3817 2787. [bug] Spurious log message when zone keys were
3818 dynamically reconfigured. [RT #20659]
3820 2786. [bug] Additional could be promoted to answer. [RT #20663]
3822 --- 9.7.0b3 released ---
3824 2785. [bug] Revoked keys could fail to self-sign [RT #20652]
3826 2784. [bug] TC was not always being set when required glue was
3827 dropped. [RT #20655]
3829 2783. [func] Return minimal responses to EDNS/UDP queries with a UDP
3830 buffer size of 512 or less. [RT #20654]
3832 2782. [port] win32: use getaddrinfo() for hostname lookups.
3835 2781. [bug] Inactive keys could be used for signing. [RT #20649]
3837 2780. [bug] dnssec-keygen -A none didn't properly unset the
3838 activation date in all cases. [RT #20648]
3840 2779. [bug] Dynamic key revocation could fail. [RT #20644]
3842 2778. [bug] dnssec-signzone could fail when a key was revoked
3843 without deleting the unrevoked version. [RT #20638]
3845 2777. [contrib] DLZ MYSQL auto reconnect support discovery was wrong.
3847 2776. [bug] Change #2762 was not correct. [RT #20647]
3849 2775. [bug] Accept RSASHA256 and RSASHA512 as NSEC3 compatible
3850 in dnssec-keyfromlabel. [RT #20643]
3852 2774. [bug] Existing cache DB wasn't being reused after
3853 reconfiguration. [RT #20629]
3855 2773. [bug] In autosigned zones, the SOA could be signed
3856 with the KSK. [RT #20628]
3858 2772. [security] When validating, track whether pending data was from
3859 the additional section or not and only return it if
3860 validates as secure. [RT #20438]
3862 2771. [bug] dnssec-signzone: DNSKEY records could be
3863 corrupted when importing from key files [RT #20624]
3865 2770. [cleanup] Add log messages to resolver.c to indicate events
3866 causing FORMERR responses. [RT #20526]
3868 2769. [cleanup] Change #2742 was incomplete. [RT #19589]
3870 2768. [bug] dnssec-signzone: -S no longer implies -g [RT #20568]
3872 2767. [bug] named could crash on startup if a zone was
3873 configured with auto-dnssec and there was no
3874 key-directory. [RT #20615]
3876 2766. [bug] isc_socket_fdwatchpoke() should only update the
3877 socketmgr state if the socket is not pending on a
3878 read or write. [RT #20603]
3880 2765. [bug] Skip masters for which the TSIG key cannot be found.
3883 2764. [bug] "rndc-confgen -a" could trigger a REQUIRE. [RT #20610]
3885 2763. [bug] "rndc sign" didn't create an NSEC chain. [RT #20591]
3887 2762. [bug] DLV validation failed with a local slave DLV zone.
3890 2761. [cleanup] Enable internal symbol table for backtrace only for
3891 systems that are known to work. Currently, BSD
3892 variants, Linux and Solaris are supported. [RT #20202]
3894 2760. [cleanup] Corrected named-compilezone usage summary. [RT #20533]
3896 2759. [doc] Add information about .jbk/.jnw files to
3897 the ARM. [RT #20303]
3899 2758. [bug] win32: Added a workaround for a windows 2008 bug
3900 that could cause the UDP client handler to shut
3903 2757. [bug] dig: assertion failure could occur in connect
3904 timeout. [RT #20599]
3906 2756. [bug] Fixed corrupt logfile message in update.c. [RT #20597]
3910 2754. [bug] Secure-to-insecure transitions failed when zone
3911 was signed with NSEC3. [RT #20587]
3913 2753. [bug] Removed an unnecessary warning that could appear when
3914 building an NSEC chain. [RT #20589]
3916 2752. [bug] Locking violation. [RT #20587]
3918 2751. [bug] Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]
3920 2750. [bug] dig: assertion failure could occur when a server
3921 didn't have an address. [RT #20579]
3923 2749. [bug] ixfr-from-differences generated a non-minimal ixfr
3924 for NSEC3 signed zones. [RT #20452]
3926 2748. [func] Identify bad answers from GTLD servers and treat them
3927 as referrals. [RT #18884]
3929 2747. [bug] Journal roll forwards failed to set the re-signing
3930 time of RRSIGs correctly. [RT #20541]
3932 2746. [port] hpux: address signed/unsigned expansion mismatch of
3933 dns_rbtnode_t.nsec. [RT #20542]
3935 2745. [bug] configure script didn't probe the return type of
3936 gai_strerror(3) correctly. [RT #20573]
3938 2744. [func] Log if a query was over TCP. [RT #19961]
3940 2743. [bug] RRSIG could be incorrectly set in the NSEC3 record
3941 for a insecure delegation.
3943 --- 9.7.0b2 released ---
3945 2742. [cleanup] Clarify some DNSSEC-related log messages in
3946 validator.c. [RT #19589]
3948 2741. [func] Allow the dnssec-keygen progress messages to be
3949 suppressed (dnssec-keygen -q). Automatically
3950 suppress the progress messages when stdin is not
3955 2739. [cleanup] Clean up API for initializing and clearing trust
3956 anchors for a view. [RT #20211]
3958 2738. [func] Add RSASHA256 and RSASHA512 tests to the dnssec system
3961 2737. [func] UPDATE requests can leak existence information.
3964 2736. [func] Improve the performance of NSEC signed zones with
3965 more than a normal amount of glue below a delegation.
3968 2735. [bug] dnssec-signzone could fail to read keys
3969 that were specified on the command line with
3970 full paths, but weren't in the current
3971 directory. [RT #20421]
3973 2734. [port] cygwin: arpaname did not compile. [RT #20473]
3975 2733. [cleanup] Clean up coding style in pkcs11-* tools. [RT #20355]
3977 2732. [func] Add optional filter-aaaa-on-v4 option, available
3978 if built with './configure --enable-filter-aaaa'.
3979 Filters out AAAA answers to clients connecting
3980 via IPv4. (This is NOT recommended for general
3983 2731. [func] Additional work on change 2709. The key parser
3984 will now ignore unrecognized fields when the
3985 minor version number of the private key format
3986 has been increased. It will reject any key with
3987 the major version number increased. [RT #20310]
3989 2730. [func] Have dnssec-keygen display a progress indication
3990 a la 'openssl genrsa' on standard error. Note
3991 when the first '.' is followed by a long stop
3992 one has the choice between slow generation vs.
3993 poor random quality, i.e., '-r /dev/urandom'.
3996 2729. [func] When constructing a CNAME from a DNAME use the DNAME
3999 2728. [bug] dnssec-keygen, dnssec-keyfromlabel and
4000 dnssec-signzone now warn immediately if asked to
4001 write into a nonexistent directory. [RT #20278]
4003 2727. [func] The 'key-directory' option can now specify a relative
4006 2726. [func] Added support for SHA-2 DNSSEC algorithms,
4007 RSASHA256 and RSASHA512. [RT #20023]
4009 2725. [doc] Added information about the file "managed-keys.bind"
4010 to the ARM. [RT #20235]
4012 2724. [bug] Updates to a existing node in secure zone using NSEC
4013 were failing. [RT #20448]
4015 2723. [bug] isc_base32_totext(), isc_base32hex_totext(), and
4016 isc_base64_totext(), didn't always mark regions of
4017 memory as fully consumed after conversion. [RT #20445]
4019 2722. [bug] Ensure that the memory associated with the name of
4020 a node in a rbt tree is not altered during the life
4021 of the node. [RT #20431]
4023 2721. [port] Have dst__entropy_status() prime the random number
4024 generator. [RT #20369]
4026 2720. [bug] RFC 5011 trust anchor updates could trigger an
4027 assert if the DNSKEY record was unsigned. [RT #20406]
4029 2719. [func] Skip trusted/managed keys for unsupported algorithms.
4032 2718. [bug] The space calculations in opensslrsa_todns() were
4033 incorrect. [RT #20394]
4035 2717. [bug] named failed to update the NSEC/NSEC3 record when
4036 the last private type record was removed as a result
4037 of completing the signing the zone with a key.
4040 2716. [bug] nslookup debug mode didn't return the ttl. [RT #20414]
4042 --- 9.7.0b1 released ---
4044 2715. [bug] Require OpenSSL support to be explicitly disabled.
4047 2714. [port] aix/powerpc: 'asm("ics");' needs non standard assembler
4050 2713. [bug] powerpc: atomic operations missing asm("ics") /
4053 2712. [func] New 'auto-dnssec' zone option allows zone signing
4054 to be fully automated in zones configured for
4055 dynamic DNS. 'auto-dnssec allow;' permits a zone
4056 to be signed by creating keys for it in the
4057 key-directory and using 'rndc sign <zone>'.
4058 'auto-dnssec maintain;' allows that too, plus it
4059 also keeps the zone's DNSSEC keys up to date
4060 according to their timing metadata. [RT #19943]
4062 2711. [port] win32: Add the bin/pkcs11 tools into the full
4065 2710. [func] New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
4066 zone option cause a zone to be signed with only KSKs
4067 signing the DNSKEY RRset, not ZSKs. This reduces
4068 the size of a DNSKEY answer. [RT #20340]
4070 2709. [func] Added some data fields, currently unused, to the
4071 private key file format, to allow implementation
4072 of explicit key rollover in a future release
4073 without impairing backward or forward compatibility.
4076 2708. [func] Insecure to secure and NSEC3 parameter changes via
4077 update are now fully supported and no longer require
4078 defines to enable. We now no longer overload the
4079 NSEC3PARAM flag field, nor the NSEC OPT bit at the
4080 apex. Secure to insecure changes are controlled by
4081 by the named.conf option 'secure-to-insecure'.
4083 Warning: If you had previously enabled support by
4084 adding defines at compile time to BIND 9.6 you should
4085 ensure that all changes that are in progress have
4086 completed prior to upgrading to BIND 9.7. BIND 9.7
4087 is not backwards compatible.
4089 2707. [func] dnssec-keyfromlabel no longer require engine name
4090 to be specified in the label if there is a default
4091 engine or the -E option has been used. Also, it
4092 now uses default algorithms as dnssec-keygen does
4093 (i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
4096 2706. [bug] Loading a zone with a very large NSEC3 salt could
4097 trigger an assert. [RT #20368]
4101 2704. [bug] Serial of dynamic and stub zones could be inconsistent
4102 with their SOA serial. [RT #19387]
4104 2703. [func] Introduce an OpenSSL "engine" argument with -E
4105 for all binaries which can take benefit of
4106 crypto hardware. [RT #20230]
4108 2702. [func] Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
4110 2701. [doc] Correction to ARM: hmac-md5 is no longer the only
4111 supported TSIG key algorithm. [RT #18046]
4113 2700. [doc] The match-mapped-addresses option is discouraged.
4116 2699. [bug] Missing lock in rbtdb.c. [RT #20037]
4120 2697. [port] win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
4121 S_IFREG are defined after including <isc/stat.h>.
4124 2696. [bug] named failed to successfully process some valid
4125 acl constructs. [RT #20308]
4127 2695. [func] DHCP/DDNS - update fdwatch code for use by
4128 DHCP. Modify the api to isc_sockfdwatch_t (the
4129 callback function for isc_socket_fdwatchcreate)
4130 to include information about the direction (read
4131 or write) and add isc_socket_fdwatchpoke.
4134 2694. [bug] Reduce default NSEC3 iterations from 100 to 10.
4137 2693. [port] Add some noreturn attributes. [RT #20257]
4139 2692. [port] win32: 32/64 bit cleanups. [RT #20335]
4141 2691. [func] dnssec-signzone: retain the existing NSEC or NSEC3
4142 chain when re-signing a previously-signed zone.
4143 Use -u to modify NSEC3 parameters or switch
4144 between NSEC and NSEC3. [RT #20304]
4146 2690. [bug] win32: fix isc_thread_key_getspecific() prototype.
4149 2689. [bug] Correctly handle snprintf result. [RT #20306]
4151 2688. [bug] Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
4152 to decide to fetch the destination address. [RT #20305]
4154 2687. [bug] Fixed dnssec-signzone -S handling of revoked keys.
4155 Also, added warnings when revoking a ZSK, as this is
4156 not defined by protocol (but is legal). [RT #19943]
4158 2686. [bug] dnssec-signzone should clean the old NSEC chain when
4159 signing with NSEC3 and vice versa. [RT #20301]
4161 2685. [contrib] Update contrib/zkt to version 0.99c. [RT #20054]
4163 2684. [cleanup] dig: formalize +ad and +cd as synonyms for
4164 +adflag and +cdflag. [RT #19305]
4166 2683. [bug] dnssec-signzone should clean out old NSEC3 chains when
4167 the NSEC3 parameters used to sign the zone change.
4170 2682. [bug] "configure --enable-symtable=all" failed to
4173 2681. [bug] IPSECKEY RR of gateway type 3 was not correctly
4174 decoded. [RT #20269]
4176 2680. [func] Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]
4178 2679. [func] dig -k can now accept TSIG keys in named.conf
4181 2678. [func] Treat DS queries as if "minimal-response yes;"
4182 was set. [RT #20258]
4184 2677. [func] Changes to key metadata behavior:
4185 - Keys without "publish" or "active" dates set will
4186 no longer be used for smart signing. However,
4187 those dates will be set to "now" by default when
4188 a key is created; to generate a key but not use
4189 it yet, use dnssec-keygen -G.
4190 - New "inactive" date (dnssec-keygen/settime -I)
4191 sets the time when a key is no longer used for
4192 signing but is still published.
4193 - The "unpublished" date (-U) is deprecated in
4194 favor of "deleted" (-D).
4197 2676. [bug] --with-export-installdir should have been
4198 --with-export-includedir. [RT #20252]
4200 2675. [bug] dnssec-signzone could crash if the key directory
4201 did not exist. [RT #20232]
4203 --- 9.7.0a3 released ---
4205 2674. [bug] "dnssec-lookaside auto;" crashed if named was built
4206 without openssl. [RT #20231]
4208 2673. [bug] The managed-keys.bind zone file could fail to
4209 load due to a spurious result from sync_keyzone()
4212 2672. [bug] Don't enable searching in 'host' when doing reverse
4213 lookups. [RT #20218]
4215 2671. [bug] Add support for PKCS#11 providers not returning
4216 the public exponent in RSA private keys
4217 (OpenCryptoki for instance) in
4218 dnssec-keyfromlabel. [RT #19294]
4220 2670. [bug] Unexpected connect failures failed to log enough
4221 information to be useful. [RT #20205]
4223 2669. [func] Update PKCS#11 support to support Keyper HSM.
4224 Update PKCS#11 patch to be against openssl-0.9.8i.
4226 2668. [func] Several improvements to dnssec-* tools, including:
4227 - dnssec-keygen and dnssec-settime can now set key
4228 metadata fields 0 (to unset a value, use "none")
4229 - dnssec-revoke sets the revocation date in
4230 addition to the revoke bit
4231 - dnssec-settime can now print individual metadata
4232 fields instead of always printing all of them,
4233 and can print them in unix epoch time format for
4237 2667. [func] Add support for logging stack backtrace on assertion
4238 failure (not available for all platforms). [RT #19780]
4240 2666. [func] Added an 'options' argument to dns_name_fromstring()
4241 (API change from 9.7.0a2). [RT #20196]
4243 2665. [func] Clarify syntax for managed-keys {} statement, add
4244 ARM documentation about RFC 5011 support. [RT #19874]
4246 2664. [bug] create_keydata() and minimal_update() in zone.c
4247 didn't properly check return values for some
4248 functions. [RT #19956]
4250 2663. [func] win32: allow named to run as a service using
4251 "NT AUTHORITY\LocalService" as the account. [RT #19977]
4253 2662. [bug] lwres_getipnodebyname() and lwres_getipnodebyaddr()
4254 returned a misleading error code when lwresd was
4257 2661. [bug] Check whether socket fd exceeds FD_SETSIZE when
4258 creating lwres context. [RT #20029]
4260 2660. [func] Add a new set of DNS libraries for non-BIND9
4261 applications. See README.libdns. [RT #19369]
4263 2659. [doc] Clarify dnssec-keygen doc: key name must match zone
4264 name for DNSSEC keys. [RT #19938]
4266 2658. [bug] dnssec-settime and dnssec-revoke didn't process
4267 key file paths correctly. [RT #20078]
4269 2657. [cleanup] Lower "journal file <path> does not exist, creating it"
4270 log level to debug 1. [RT #20058]
4272 2656. [func] win32: add a "tools only" check box to the installer
4273 which causes it to only install dig, host, nslookup,
4274 nsupdate and relevant DLLs. [RT #19998]
4276 2655. [doc] Document that key-directory does not affect
4277 bind.keys, rndc.key or session.key. [RT #20155]
4279 2654. [bug] Improve error reporting on duplicated names for
4280 deny-answer-xxx. [RT #20164]
4282 2653. [bug] Treat ENGINE_load_private_key() failures as key
4283 not found rather than out of memory. [RT #18033]
4285 2652. [func] Provide more detail about what record is being
4286 deleted. [RT #20061]
4288 2651. [bug] Dates could print incorrectly in K*.key files on
4289 64-bit systems. [RT #20076]
4291 2650. [bug] Assertion failure in dnssec-signzone when trying
4292 to read keyset-* files. [RT #20075]
4294 2649. [bug] Set the domain for forward only zones. [RT #19944]
4296 2648. [port] win32: isc_time_seconds() was broken. [RT #19900]
4298 2647. [bug] Remove unnecessary SOA updates when a new KSK is
4301 2646. [bug] Incorrect cleanup on error in socket.c. [RT #19987]
4303 2645. [port] "gcc -m32" didn't work on amd64 and x86_64 platforms
4304 which default to 64 bits. [RT #19927]
4306 --- 9.7.0a2 released ---
4308 2644. [bug] Change #2628 caused a regression on some systems;
4309 named was unable to write the PID file and would
4310 fail on startup. [RT #20001]
4312 2643. [bug] Stub zones interacted badly with NSEC3 support.
4315 2642. [bug] nsupdate could dump core on solaris when reading
4316 improperly formatted key files. [RT #20015]
4318 2641. [bug] Fixed an error in parsing update-policy syntax,
4319 added a regression test to check it. [RT #20007]
4321 2640. [security] A specially crafted update packet will cause named
4322 to exit. [RT #20000]
4324 2639. [bug] Silence compiler warnings in gssapi code. [RT #19954]
4326 2638. [bug] Install arpaname. [RT #19957]
4328 2637. [func] Rationalize dnssec-signzone's signwithkey() calling.
4331 2636. [func] Simplify zone signing and key maintenance with the
4332 dnssec-* tools. Major changes:
4333 - all dnssec-* tools now take a -K option to
4334 specify a directory in which key files will be
4336 - DNSSEC can now store metadata indicating when
4337 they are scheduled to be published, activated,
4338 revoked or removed; these values can be set by
4339 dnssec-keygen or overwritten by the new
4340 dnssec-settime command
4341 - dnssec-signzone -S (for "smart") option reads key
4342 metadata and uses it to determine automatically
4343 which keys to publish to the zone, use for
4344 signing, revoke, or remove from the zone
4347 2635. [bug] isc_inet_ntop() incorrectly handled 0.0/16 addresses.
4350 2634. [port] win32: Add support for libxml2, enable
4351 statschannel. [RT #19773]
4353 2633. [bug] Handle 15 bit rand() functions. [RT #19783]
4355 2632. [func] util/kit.sh: warn if documentation appears to be out of
4358 2631. [bug] Handle "//", "/./" and "/../" in mkdirpath().
4361 2630. [func] Improved syntax for DDNS autoconfiguration: use
4362 "update-policy local;" to switch on local DDNS in a
4363 zone. (The "ddns-autoconf" option has been removed.)
4366 2629. [port] Check for seteuid()/setegid(), use setresuid()/
4367 setresgid() if not present. [RT #19932]
4369 2628. [port] linux: Allow /var/run/named/named.pid to be opened
4370 at startup with reduced capabilities in operation.
4373 2627. [bug] Named aborted if the same key was included in
4374 trusted-keys more than once. [RT #19918]
4376 2626. [bug] Multiple trusted-keys could trigger an assertion
4377 failure. [RT #19914]
4379 2625. [bug] Missing UNLOCK in rbtdb.c. [RT #19865]
4381 2624. [func] 'named-checkconf -p' will print out the parsed
4382 configuration. [RT #18871]
4384 2623. [bug] Named started searches for DS non-optimally. [RT #19915]
4386 2622. [bug] Printing of named.conf grammar was broken. [RT #19919]
4388 2621. [doc] Made copyright boilerplate consistent. [RT #19833]
4390 2620. [bug] Delay thawing the zone until the reload of it has
4391 completed successfully. [RT #19750]
4393 2619. [func] Add support for RFC 5011, automatic trust anchor
4394 maintenance. The new "managed-keys" statement can
4395 be used in place of "trusted-keys" for zones which
4396 support this protocol. (Note: this syntax is
4397 expected to change prior to 9.7.0 final.) [RT #19248]
4399 2618. [bug] The sdb and sdlz db_interator_seek() methods could
4400 loop infinitely. [RT #19847]
4402 2617. [bug] ifconfig.sh failed to emit an error message when
4403 run from the wrong location. [RT #19375]
4405 2616. [bug] 'host' used the nameservers from resolv.conf even
4406 when a explicit nameserver was specified. [RT #19852]
4408 2615. [bug] "__attribute__((unused))" was in the wrong place
4409 for ia64 gcc builds. [RT #19854]
4411 2614. [port] win32: 'named -v' should automatically be executed
4412 in the foreground. [RT #19844]
4416 --- 9.7.0a1 released ---
4418 2612. [func] Add default values for the arguments to
4419 dnssec-keygen. Without arguments, it will now
4420 generate a 1024-bit RSASHA1 zone-signing key,
4421 or with the -f KSK option, a 2048-bit RSASHA1
4422 key-signing key. [RT #19300]
4424 2611. [func] Add -l option to dnssec-dsfromkey to generate
4425 DLV records instead of DS records. [RT #19300]
4427 2610. [port] sunos: Change #2363 was not complete. [RT #19796]
4429 2609. [func] Simplify the configuration of dynamic zones:
4430 - add ddns-confgen command to generate
4431 configuration text for named.conf
4432 - add zone option "ddns-autoconf yes;", which
4433 causes named to generate a TSIG session key
4434 and allow updates to the zone using that key
4435 - add '-l' (localhost) option to nsupdate, which
4436 causes nsupdate to connect to a locally-running
4437 named process using the session key generated
4441 2608. [func] Perform post signing verification checks in
4442 dnssec-signzone. These can be disabled with -P.
4444 The post sign verification test ensures that for each
4445 algorithm in use there is at least one non revoked
4446 self signed KSK key. That all revoked KSK keys are
4447 self signed. That all records in the zone are signed
4448 by the algorithm. [RT #19653]
4450 2607. [bug] named could incorrectly delete NSEC3 records for
4451 empty nodes when processing a update request.
4454 2606. [bug] "delegation-only" was not being accepted in
4455 delegation-only type zones. [RT #19717]
4457 2605. [bug] Accept DS responses from delegation only zones.
4460 2604. [func] Add support for DNS rebinding attack prevention through
4461 new options, deny-answer-addresses and
4462 deny-answer-aliases. Based on contributed code from
4463 JD Nurmi, Google. [RT #18192]
4465 2603. [port] win32: handle .exe extension of named-checkzone and
4466 named-comilezone argv[0] names under windows.
4469 2602. [port] win32: fix debugging command line build of libisccfg.
4472 2601. [doc] Mention file creation mode mask in the
4475 2600. [doc] ARM: miscellaneous reformatting for different
4476 page widths. [RT #19574]
4478 2599. [bug] Address rapid memory growth when validation fails.
4481 2598. [func] Reserve the -F flag. [RT #19657]
4483 2597. [bug] Handle a validation failure with a insecure delegation
4484 from a NSEC3 signed master/slave zone. [RT #19464]
4486 2596. [bug] Stale tree nodes of cache/dynamic rbtdb could stay
4487 long, leading to inefficient memory usage or rejecting
4488 newer cache entries in the worst case. [RT #19563]
4490 2595. [bug] Fix unknown extended rcodes in dig. [RT #19625]
4492 2594. [func] Have rndc warn if using its default configuration
4493 file when the key file also exists. [RT #19424]
4495 2593. [bug] Improve a corner source of SERVFAILs [RT #19632]
4497 2592. [bug] Treat "any" as a type in nsupdate. [RT #19455]
4499 2591. [bug] named could die when processing a update in
4500 removed_orphaned_ds(). [RT #19507]
4502 2590. [func] Report zone/class of "update with no effect".
4505 2589. [bug] dns_db_unregister() failed to clear '*dbimp'.
4508 2588. [bug] SO_REUSEADDR could be set unconditionally after failure
4509 of bind(2) call. This should be rare and mostly
4510 harmless, but may cause interference with other
4511 processes that happen to use the same port. [RT #19642]
4513 2587. [func] Improve logging by reporting serial numbers for
4514 when zone serial has gone backwards or unchanged.
4517 2586. [bug] Missing cleanup of SIG rdataset in searching a DLZ DB
4520 2585. [bug] Uninitialized socket name could be referenced via a
4521 statistics channel, triggering an assertion failure in
4522 XML rendering. [RT #19427]
4524 2584. [bug] alpha: gcc optimization could break atomic operations.
4527 2583. [port] netbsd: provide a control to not add the compile
4528 date to the version string, -DNO_VERSION_DATE.
4530 2582. [bug] Don't emit warning log message when we attempt to
4531 remove non-existent journal. [RT #19516]
4533 2581. [contrib] dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
4534 Requires MySQL 5.0.19 or later. [RT #19084]
4536 2580. [bug] UpdateRej statistics counter could be incremented twice
4537 for one rejection. [RT #19476]
4539 2579. [bug] DNSSEC lookaside validation failed to handle unknown
4540 algorithms. [RT #19479]
4542 2578. [bug] Changed default sig-signing-type to 65534, because
4543 65535 turns out to be reserved. [RT #19477]
4545 2577. [doc] Clarified some statistics counters. [RT #19454]
4547 2576. [bug] NSEC record were not being correctly signed when
4548 a zone transitions from insecure to secure.
4549 Handle such incorrectly signed zones. [RT #19114]
4551 2575. [func] New functions dns_name_fromstring() and
4552 dns_name_tostring(), to simplify conversion
4553 of a string to a dns_name structure and vice
4556 2574. [doc] Document nsupdate -g and -o. [RT #19351]
4558 2573. [bug] Replacing a non-CNAME record with a CNAME record in a
4559 single transaction in a signed zone failed. [RT #19397]
4561 2572. [func] Simplify DLV configuration, with a new option
4562 "dnssec-lookaside auto;" This is the equivalent
4563 of "dnssec-lookaside . trust-anchor dlv.isc.org;"
4564 plus setting a trusted-key for dlv.isc.org.
4566 Note: The trusted key is hard-coded into named,
4567 but is also stored in (and can be overridden
4568 by) $sysconfdir/bind.keys. As the ISC DLV key
4569 rolls over it can be kept up to date by replacing
4570 the bind.keys file with a key downloaded from
4571 https://www.isc.org/solutions/dlv. [RT #18685]
4573 2571. [func] Add a new tool "arpaname" which translates IP addresses
4574 to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
4577 2570. [func] Log the destination address the query was sent to.
4580 2569. [func] Move journalprint, nsec3hash, and genrandom
4581 commands from bin/tests into bin/tools;
4582 "make install" will put them in $sbindir. [RT #19301]
4584 2568. [bug] Report when the write to indicate a otherwise
4585 successful start fails. [RT #19360]
4587 2567. [bug] dst__privstruct_writefile() could miss write errors.
4588 write_public_key() could miss write errors.
4589 dnssec-dsfromkey could miss write errors.
4592 2566. [cleanup] Clarify logged message when an insecure DNSSEC
4593 response arrives from a zone thought to be secure:
4594 "insecurity proof failed" instead of "not
4595 insecure". [RT #19400]
4597 2565. [func] Add support for HIP record. Includes new functions
4598 dns_rdata_hip_first(), dns_rdata_hip_next()
4599 and dns_rdata_hip_current(). [RT #19384]
4601 2564. [bug] Only take EDNS fallback steps when processing timeouts.
4604 2563. [bug] Dig could leak a socket causing it to wait forever
4605 to exit. [RT #19359]
4607 2562. [doc] ARM: miscellaneous improvements, reorganization,
4608 and some new content.
4610 2561. [doc] Add isc-config.sh(1) man page. [RT #16378]
4612 2560. [bug] Add #include <config.h> to iptable.c. [RT #18258]
4614 2559. [bug] dnssec-dsfromkey could compute bad DS records when
4615 reading from a K* files. [RT #19357]
4617 2558. [func] Set the ownership of missing directories created
4618 for pid-file if -u has been specified on the command
4621 2557. [cleanup] PCI compliance:
4622 * new libisc log module file
4623 * isc_dir_chroot() now also changes the working
4625 * additional INSISTs
4626 * additional logging when files can't be removed.
4628 2556. [port] Solaris: mkdir(2) on tmpfs filesystems does not do the
4629 error checks in the correct order resulting in the
4630 wrong error code sometimes being returned. [RT #19249]
4632 2555. [func] dig: when emitting a hex dump also display the
4633 corresponding characters. [RT #19258]
4635 2554. [bug] Validation of uppercase queries from NSEC3 zones could
4638 2553. [bug] Reference leak on DNSSEC validation errors. [RT #19291]
4640 2552. [bug] zero-no-soa-ttl-cache was not being honored.
4643 2551. [bug] Potential Reference leak on return. [RT #19341]
4645 2550. [bug] Check --with-openssl=<path> finds <openssl/opensslv.h>.
4648 2549. [port] linux: define NR_OPEN if not currently defined.
4651 2548. [bug] Install iterated_hash.h. [RT #19335]
4653 2547. [bug] openssl_link.c:mem_realloc() could reference an
4654 out-of-range area of the source buffer. New public
4655 function isc_mem_reallocate() was introduced to address
4656 this bug. [RT #19313]
4658 2546. [func] Add --enable-openssl-hash configure flag to use
4659 OpenSSL (in place of internal routine) for hash
4660 functions (MD5, SHA[12] and HMAC). [RT #18815]
4662 2545. [doc] ARM: Legal hostname checking (check-names) is
4663 for SRV RDATA too. [RT #19304]
4665 2544. [cleanup] Removed unused structure members in adb.c. [RT #19225]
4667 2543. [contrib] Update contrib/zkt to version 0.98. [RT #19113]
4669 2542. [doc] Update the description of dig +adflag. [RT #19290]
4671 2541. [bug] Conditionally update dispatch manager statistics.
4674 2540. [func] Add a nibble mode to $GENERATE. [RT #18872]
4676 2539. [security] Update the interaction between recursion, allow-query,
4677 allow-query-cache and allow-recursion. [RT #19198]
4679 2538. [bug] cache/ADB memory could grow over max-cache-size,
4680 especially with threads and smaller max-cache-size
4683 2537. [func] Added more statistics counters including those on socket
4684 I/O events and query RTT histograms. [RT #18802]
4686 2536. [cleanup] Silence some warnings when -Werror=format-security is
4687 specified. [RT #19083]
4689 2535. [bug] dig +showsearch and +trace interacted badly. [RT #19091]
4691 2534. [func] Check NAPTR records regular expressions and
4692 replacement strings to ensure they are syntactically
4693 valid and consistent. [RT #18168]
4695 2533. [doc] ARM: document @ (at-sign). [RT #17144]
4697 2532. [bug] dig: check the question section of the response to
4698 see if it matches the asked question. [RT #18495]
4700 2531. [bug] Change #2207 was incomplete. [RT #19098]
4702 2530. [bug] named failed to reject insecure to secure transitions
4703 via UPDATE. [RT #19101]
4705 2529. [cleanup] Upgrade libtool to silence complaints from recent
4706 version of autoconf. [RT #18657]
4708 2528. [cleanup] Silence spurious configure warning about
4709 --datarootdir [RT #19096]
4713 2526. [func] New named option "attach-cache" that allows multiple
4714 views to share a single cache to save memory and
4715 improve lookup efficiency. Based on contributed code
4716 from Barclay Osborn, Google. [RT #18905]
4718 2525. [func] New logging category "query-errors" to provide detailed
4719 internal information about query failures, especially
4720 about server failures. [RT #19027]
4722 2524. [port] sunos: dnssec-signzone needs strtoul(). [RT #19129]
4724 2523. [bug] Random type rdata freed by dns_nsec_typepresent().
4727 2522. [security] Handle -1 from DSA_do_verify() and EVP_VerifyFinal().
4729 2521. [bug] Improve epoll cross compilation support. [RT #19047]
4731 2520. [bug] Update xml statistics version number to 2.0 as change
4732 #2388 made the schema incompatible to the previous
4733 version. [RT #19080]
4735 2519. [bug] dig/host with -4 or -6 didn't work if more than two
4736 nameserver addresses of the excluded address family
4737 preceded in resolv.conf. [RT #19081]
4739 2518. [func] Add support for the new CERT types from RFC 4398.
4742 2517. [bug] dig +trace with -4 or -6 failed when it chose a
4743 nameserver address of the excluded address type.
4746 2516. [bug] glue sort for responses was performed even when not
4749 2515. [port] win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
4752 2514. [bug] dig/host failed with -4 or -6 when resolv.conf contains
4753 a nameserver of the excluded address family.
4756 2513. [bug] Fix windows cli build. [RT #19062]
4758 2512. [func] Print a summary of the cached records which make up
4759 the negative response. [RT #18885]
4761 2511. [cleanup] dns_rdata_tofmttext() add const to linebreak.
4764 2510. [bug] "dig +sigchase" could trigger REQUIRE failures.
4767 2509. [bug] Specifying a fixed query source port was broken.
4772 2507. [func] Log the recursion quota values when killing the
4773 oldest query or refusing to recurse due to quota.
4776 2506. [port] solaris: Check at configure time if
4777 hack_shutup_pthreadonceinit is needed. [RT #19037]
4779 2505. [port] Treat amd64 similarly to x86_64 when determining
4780 atomic operation support. [RT #19031]
4782 2504. [bug] Address race condition in the socket code. [RT #18899]
4784 2503. [port] linux: improve compatibility with Linux Standard
4787 2502. [cleanup] isc_radix: Improve compliance with coding style,
4788 document function in <isc/radix.h>. [RT #18534]
4790 2501. [func] $GENERATE now supports all rdata types. Multi-field
4791 rdata types need to be quoted. See the ARM for
4792 details. [RT #18368]
4794 2500. [contrib] contrib/sdb/pgsql/zonetodb.c called non-existent
4795 function. [RT #18582]
4797 2499. [port] solaris: lib/lwres/getaddrinfo.c namespace clash.
4800 --- 9.6.0rc1 released ---
4802 2498. [bug] Removed a bogus function argument used with
4803 ISC_SOCKET_USE_POLLWATCH: it could cause compiler
4804 warning or crash named with the debug 1 level
4805 of logging. [RT #18917]
4807 2497. [bug] Don't add RRSIG bit to NSEC3 bit map for insecure
4810 2496. [bug] Add sanity length checks to NSID option. [RT #18813]
4812 2495. [bug] Tighten RRSIG checks. [RT #18795]
4814 2494. [bug] isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
4815 installed. [RT #18826]
4817 2493. [bug] The linux capabilities code was not correctly cleaning
4818 up after itself. [RT #18767]
4820 2492. [func] Rndc status now reports the number of cpus discovered
4821 and the number of worker threads when running
4822 multi-threaded. [RT #18273]
4824 2491. [func] Attempt to re-use a local port if we are already using
4825 the port. [RT #18548]
4827 2490. [port] aix: work around a kernel bug where IPV6_RECVPKTINFO
4828 is cleared when IPV6_V6ONLY is set. [RT #18785]
4830 2489. [port] solaris: Workaround Solaris's kernel bug about
4832 http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
4833 Define ISC_SOCKET_USE_POLLWATCH at build time to enable
4834 this workaround. [RT #18870]
4836 2488. [func] Added a tool, dnssec-dsfromkey, to generate DS records
4837 from keyset and .key files. [RT #18694]
4839 2487. [bug] Give TCP connections longer to complete. [RT #18675]
4841 2486. [func] The default locations for named.pid and lwresd.pid
4842 are now /var/run/named/named.pid and
4843 /var/run/lwresd/lwresd.pid respectively.
4845 This allows the owner of the containing directory
4846 to be set, for "named -u" support, and allows there
4847 to be a permanent symbolic link in the path, for
4848 "named -t" support. [RT #18306]
4850 2485. [bug] Change update's the handling of obscured RRSIG
4851 records. Not all orphaned DS records were being
4852 removed. [RT #18828]
4854 2484. [bug] It was possible to trigger a REQUIRE failure when
4855 adding NSEC3 proofs to the response in
4856 query_addwildcardproof(). [RT #18828]
4858 2483. [port] win32: chroot() is not supported. [RT #18805]
4860 2482. [port] libxml2: support versions 2.7.* in addition
4861 to 2.6.*. [RT #18806]
4863 --- 9.6.0b1 released ---
4865 2481. [bug] rbtdb.c:matchparams() failed to handle NSEC3 chain
4866 collisions. [RT #18812]
4868 2480. [bug] named could fail to emit all the required NSEC3
4869 records. [RT #18812]
4871 2479. [bug] xfrout:covers was not properly initialized. [RT #18801]
4873 2478. [bug] 'addresses' could be used uninitialized in
4874 configure_forward(). [RT #18800]
4876 2477. [bug] dig: the global option to print the command line is
4877 +cmd not print_cmd. Update the output to reflect
4880 2476. [doc] ARM: improve documentation for max-journal-size and
4881 ixfr-from-differences. [RT #15909] [RT #18541]
4883 2475. [bug] LRU cache cleanup under overmem condition could purge
4884 particular entries more aggressively. [RT #17628]
4886 2474. [bug] ACL structures could be allocated with insufficient
4887 space, causing an array overrun. [RT #18765]
4889 2473. [port] linux: raise the limit on open files to the possible
4890 maximum value before spawning threads; 'files'
4891 specified in named.conf doesn't seem to work with
4892 threads as expected. [RT #18784]
4894 2472. [port] linux: check the number of available cpu's before
4895 calling chroot as it depends on "/proc". [RT #16923]
4897 2471. [bug] named-checkzone was not reporting missing mandatory
4898 glue when sibling checks were disabled. [RT #18768]
4900 2470. [bug] Elements of the isc_radix_node_t could be incorrectly
4901 overwritten. [RT #18719]
4903 2469. [port] solaris: Work around Solaris's select() limitations.
4906 2468. [bug] Resolver could try unreachable servers multiple times.
4909 2467. [bug] Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]
4911 2466. [doc] ARM: explain max-cache-ttl 0 SERVFAIL issue.
4914 2465. [bug] Adb's handling of lame addresses was different
4915 for IPv4 and IPv6. [RT #18738]
4917 2464. [port] linux: check that a capability is present before
4918 trying to set it. [RT #18135]
4920 2463. [port] linux: POSIX doesn't include the IPv6 Advanced Socket
4921 API and glibc hides parts of the IPv6 Advanced Socket
4922 API as a result. This is stupid as it breaks how the
4923 two halves (Basic and Advanced) of the IPv6 Socket API
4924 were designed to be used but we have to live with it.
4925 Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
4928 2462. [doc] Document -m (enable memory usage debugging)
4929 option for dig. [RT #18757]
4931 2461. [port] sunos: Change #2363 was not complete. [RT #17513]
4933 --- 9.6.0a1 released ---
4935 2460. [bug] Don't call dns_db_getnsec3parameters() on the cache.
4938 2459. [contrib] Import dnssec-zkt to contrib/zkt. [RT #18448]
4940 2458. [doc] ARM: update and correction for max-cache-size.
4943 2457. [tuning] max-cache-size is reverted to 0, the previous
4944 default. It should be safe because expired cache
4945 entries are also purged. [RT #18684]
4947 2456. [bug] In ACLs, ::/0 and 0.0.0.0/0 would both match any
4948 address, regardless of family. They now correctly
4949 distinguish IPv4 from IPv6. [RT #18559]
4951 2455. [bug] Stop metadata being transferred via axfr/ixfr.
4954 2454. [func] nsupdate: you can now set a default ttl. [RT #18317]
4956 2453. [bug] Remove NULL pointer dereference in dns_journal_print().
4959 2452. [func] Improve bin/test/journalprint. [RT #18316]
4961 2451. [port] solaris: handle runtime linking better. [RT #18356]
4963 2450. [doc] Fix lwresd docbook problem for manual page.
4968 2448. [func] Add NSEC3 support. [RT #15452]
4970 2447. [cleanup] libbind has been split out as a separate product.
4972 2446. [func] Add a new log message about build options on startup.
4973 A new command-line option '-V' for named is also
4974 provided to show this information. [RT #18645]
4976 2445. [doc] ARM out-of-date on empty reverse zones (list includes
4977 RFC1918 address, but these are not yet compiled in).
4980 2444. [port] Linux, FreeBSD, AIX: Turn off path mtu discovery
4981 (clear DF) for UDP responses and requests.
4983 2443. [bug] win32: UDP connect() would not generate an event,
4984 and so connected UDP sockets would never clean up.
4985 Fix this by doing an immediate WSAConnect() rather
4986 than an io completion port type for UDP.
4988 2442. [bug] A lock could be destroyed twice. [RT #18626]
4990 2441. [bug] isc_radix_insert() could copy radix tree nodes
4991 incompletely. [RT #18573]
4993 2440. [bug] named-checkconf used an incorrect test to determine
4994 if an ACL was set to none.
4996 2439. [bug] Potential NULL dereference in dns_acl_isanyornone().
4999 2438. [bug] Timeouts could be logged incorrectly under win32.
5001 2437. [bug] Sockets could be closed too early, leading to
5002 inconsistent states in the socket module. [RT #18298]
5004 2436. [security] win32: UDP client handler can be shutdown. [RT #18576]
5006 2435. [bug] Fixed an ACL memory leak affecting win32.
5008 2434. [bug] Fixed a minor error-reporting bug in
5009 lib/isc/win32/socket.c.
5011 2433. [tuning] Set initial timeout to 800ms.
5013 2432. [bug] More Windows socket handling improvements. Stop
5014 using I/O events and use IO Completion Ports
5015 throughout. Rewrite the receive path logic to make
5016 it easier to support multiple simultaneous
5017 requesters in the future. Add stricter consistency
5018 checking as a compile-time option (define
5019 ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).
5021 2431. [bug] Acl processing could leak memory. [RT #18323]
5023 2430. [bug] win32: isc_interval_set() could round down to
5024 zero if the input was less than NS_INTERVAL
5025 nanoseconds. Round up instead. [RT #18549]
5027 2429. [doc] nsupdate should be in section 1 of the man pages.
5030 2428. [bug] dns_iptable_merge() mishandled merges of negative
5033 2427. [func] Treat DNSKEY queries as if "minimal-response yes;"
5034 was set. [RT #18528]
5036 2426. [bug] libbind: inet_net_pton() can sometimes return the
5037 wrong value if excessively large net masks are
5038 supplied. [RT #18512]
5040 2425. [bug] named didn't detect unavailable query source addresses
5041 at load time. [RT #18536]
5043 2424. [port] configure now probes for a working epoll
5044 implementation. Allow the use of kqueue,
5045 epoll and /dev/poll to be selected at compile
5048 2423. [security] Randomize server selection on queries, so as to
5049 make forgery a little more difficult. Instead of
5050 always preferring the server with the lowest RTT,
5051 pick a server with RTT within the same 128
5052 millisecond band. [RT #18441]
5054 2422. [bug] Handle the special return value of a empty node as
5055 if it was a NXRRSET in the validator. [RT #18447]
5057 2421. [func] Add new command line option '-S' for named to specify
5058 the max number of sockets. [RT #18493]
5059 Use caution: this option may not work for some
5060 operating systems without rebuilding named.
5062 2420. [bug] Windows socket handling cleanup. Let the io
5063 completion event send out canceled read/write
5064 done events, which keeps us from writing to memory
5065 we no longer have ownership of. Add debugging
5066 socket_log() function. Rework TCP socket handling
5067 to not leak sockets.
5069 2419. [cleanup] Document that isc_socket_create() and isc_socket_open()
5070 should not be used for isc_sockettype_fdwatch sockets.
5073 2418. [bug] AXFR request on a DLZ could trigger a REQUIRE failure
5076 2417. [bug] Connecting UDP sockets for outgoing queries could
5077 unexpectedly fail with an 'address already in use'
5080 2416. [func] Log file descriptors that cause exceeding the
5081 internal maximum. [RT #18460]
5083 2415. [bug] 'rndc dumpdb' could trigger various assertion failures
5084 in rbtdb.c. [RT #18455]
5086 2414. [bug] A masterdump context held the database lock too long,
5087 causing various troubles such as dead lock and
5088 recursive lock acquisition. [RT #18311, #18456]
5090 2413. [bug] Fixed an unreachable code path in socket.c. [RT #18442]
5092 2412. [bug] win32: address a resource leak. [RT #18374]
5094 2411. [bug] Allow using a larger number of sockets than FD_SETSIZE
5095 for select(). To enable this, set ISC_SOCKET_MAXSOCKETS
5096 at compilation time. [RT #18433]
5098 Note: with changes #2469 and #2421 above, there is no
5099 need to tweak ISC_SOCKET_MAXSOCKETS at compilation time
5102 2410. [bug] Correctly delete m_versionInfo. [RT #18432]
5104 2409. [bug] Only log that we disabled EDNS processing if we were
5105 subsequently successful. [RT #18029]
5107 2408. [bug] A duplicate TCP dispatch event could be sent, which
5108 could then trigger an assertion failure in
5109 resquery_response(). [RT #18275]
5111 2407. [port] hpux: test for sys/dyntune.h. [RT #18421]
5115 2405. [cleanup] The default value for dnssec-validation was changed to
5116 "yes" in 9.5.0-P1 and all subsequent releases; this
5117 was inadvertently omitted from CHANGES at the time.
5119 2404. [port] hpux: files unlimited support.
5121 2403. [bug] TSIG context leak. [RT #18341]
5123 2402. [port] Support Solaris 2.11 and over. [RT #18362]
5125 2401. [bug] Expect to get E[MN]FILE errno internal_accept()
5126 (from accept() or fcntl() system calls). [RT #18358]
5128 2400. [bug] Log if kqueue()/epoll_create()/open(/dev/poll) fails.
5133 2398. [bug] Improve file descriptor management. New,
5134 temporary, named.conf option reserved-sockets,
5135 default 512. [RT #18344]
5137 2397. [bug] gssapi_functions had too many elements. [RT #18355]
5139 2396. [bug] Don't set SO_REUSEADDR for randomized ports.
5142 2395. [port] Avoid warning and no effect from "files unlimited"
5143 on Linux when running as root. [RT #18335]
5145 2394. [bug] Default configuration options set the limit for
5146 open files to 'unlimited' as described in the
5147 documentation. [RT #18331]
5149 2393. [bug] nested acls containing keys could trigger an
5150 assertion in acl.c. [RT #18166]
5152 2392. [bug] remove 'grep -q' from acl test script, some platforms
5153 don't support it. [RT #18253]
5155 2391. [port] hpux: cover additional recvmsg() error codes.
5158 2390. [bug] dispatch.c could make a false warning on 'odd socket'.
5161 2389. [bug] Move the "working directory writable" check to after
5162 the ns_os_changeuser() call. [RT #18326]
5164 2388. [bug] Avoid using tables for layout purposes in
5165 statistics XSL [RT #18159].
5167 2387. [bug] Silence compiler warnings in lib/isc/radix.c.
5168 [RT #18147] [RT #18258]
5170 2386. [func] Add warning about too small 'open files' limit.
5173 2385. [bug] A condition variable in socket.c could leak in
5174 rare error handling [RT #17968].
5176 2384. [security] Fully randomize UDP query ports to improve
5177 forgery resilience. [RT #17949, #18098]
5179 2383. [bug] named could double queries when they resulted in
5180 SERVFAIL due to overkilling EDNS0 failure detection.
5183 2382. [doc] Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
5186 2381. [port] dlz/mysql: support multiple install layouts for
5187 mysql. <prefix>/include/{,mysql/}mysql.h and
5188 <prefix>/lib/{,mysql/}. [RT #18152]
5190 2380. [bug] dns_view_find() was not returning NXDOMAIN/NXRRSET
5191 proofs which, in turn, caused validation failures
5192 for insecure zones immediately below a secure zone
5193 the server was authoritative for. [RT #18112]
5195 2379. [contrib] queryperf/gen-data-queryperf.py: removed redundant
5196 TLDs and supported RRs with TTLs [RT #17972]
5198 2378. [bug] gssapi_functions{} had a redundant member in BIND 9.5.
5201 2377. [bug] Address race condition in dnssec-signzone. [RT #18142]
5203 2376. [bug] Change #2144 was not complete.
5207 2374. [bug] "blackhole" ACLs could cause named to segfault due
5208 to some uninitialized memory. [RT #18095]
5210 2373. [bug] Default values of zone ACLs were re-parsed each time a
5211 new zone was configured, causing an overconsumption
5212 of memory. [RT #18092]
5214 2372. [bug] Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]
5216 2371. [doc] Add +nsid option to dig man page. [RT #18039]
5218 2370. [bug] "rndc freeze" could trigger an assertion in named
5219 when called on a nonexistent zone. [RT #18050]
5221 2369. [bug] libbind: Array bounds overrun on read in bitncmp().
5224 2368. [port] Linux: use libcap for capability management if
5225 possible. [RT #18026]
5227 2367. [bug] Improve counting of dns_resstatscounter_retry
5230 2366. [bug] Adb shutdown race. [RT #18021]
5232 2365. [bug] Fix a bug that caused dns_acl_isany() to return
5233 spurious results. [RT #18000]
5235 2364. [bug] named could trigger a assertion when serving a
5236 malformed signed zone. [RT #17828]
5238 2363. [port] sunos: pre-set "lt_cv_sys_max_cmd_len=4096;".
5241 2362. [cleanup] Make "rrset-order fixed" a compile-time option.
5242 settable by "./configure --enable-fixed-rrset".
5243 Disabled by default. [RT #17977]
5245 2361. [bug] "recursion" statistics counter could be counted
5246 multiple times for a single query. [RT #17990]
5248 2360. [bug] Fix a condition where we release a database version
5249 (which may acquire a lock) while holding the lock.
5251 2359. [bug] Fix NSID bug. [RT #17942]
5253 2358. [doc] Update host's default query description. [RT #17934]
5255 2357. [port] Don't use OpenSSL's engine support in versions before
5256 OpenSSL 0.9.7f. [RT #17922]
5258 2356. [bug] Built in mutex profiler was not scalable enough.
5261 2355. [func] Extend the number statistics counters available.
5264 2354. [bug] Failed to initialize some rdatasetheader_t elements.
5267 2353. [func] Add support for Name Server ID (RFC 5001).
5268 'dig +nsid' requests NSID from server.
5269 'request-nsid yes;' causes recursive server to send
5270 NSID requests to upstream servers. Server responds
5271 to NSID requests with the string configured by
5272 'server-id' option. [RT #17091]
5274 2352. [bug] Various GSS_API fixups. [RT #17729]
5276 2351. [bug] convertxsl.pl generated very long lines. [RT #17906]
5278 2350. [port] win32: IPv6 support. [RT #17797]
5280 2349. [func] Provide incremental re-signing support for secure
5281 dynamic zones. [RT #1091]
5283 2348. [func] Use the EVP interface to OpenSSL. Add PKCS#11 support.
5284 Documentation is in the new README.pkcs11 file.
5285 New tool, dnssec-keyfromlabel, which takes the
5286 label of a key pair in a HSM and constructs a DNS
5287 key pair for use by named and dnssec-signzone.
5290 2347. [bug] Delete now traverses the RB tree in the canonical
5293 2346. [func] Memory statistics now cover all active memory contexts
5294 in increased detail. [RT #17580]
5296 2345. [bug] named-checkconf failed to detect when forwarders
5297 were set at both the options/view level and in
5298 a root zone. [RT #17671]
5300 2344. [bug] Improve "logging{ file ...; };" documentation.
5303 2343. [bug] (Seemingly) duplicate IPv6 entries could be
5304 created in ADB. [RT #17837]
5306 2342. [func] Use getifaddrs() if available under Linux. [RT #17224]
5308 2341. [bug] libbind: add missing -I../include for off source
5309 tree builds. [RT #17606]
5311 2340. [port] openbsd: interface configuration. [RT #17700]
5313 2339. [port] tru64: support for libbind. [RT #17589]
5315 2338. [bug] check_ds() could be called with a non DS rdataset.
5318 2337. [bug] BUILD_LDFLAGS was not being correctly set. [RT #17614]
5320 2336. [func] If "named -6" is specified then listen on all IPv6
5321 interfaces if there are not listen-on-v6 clauses in
5322 named.conf. [RT #17581]
5324 2335. [port] sunos: libbind and *printf() support for long long.
5327 2334. [bug] Bad REQUIRES in fromstruct_in_naptr(), off by one
5328 bug in fromstruct_txt(). [RT #17609]
5330 2333. [bug] Fix off by one error in isc_time_nowplusinterval().
5333 2332. [contrib] query-loc-0.4.0. [RT #17602]
5335 2331. [bug] Failure to regenerate any signatures was not being
5336 reported nor being past back to the UPDATE client.
5339 2330. [bug] Remove potential race condition when handling
5340 over memory events. [RT #17572]
5342 WARNING: API CHANGE: over memory callback
5343 function now needs to call isc_mem_waterack().
5344 See <isc/mem.h> for details.
5346 2329. [bug] Clearer help text for dig's '-x' and '-i' options.
5348 2328. [maint] Add AAAA addresses for A.ROOT-SERVERS.NET,
5349 F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET,
5350 J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
5353 2327. [bug] It was possible to dereference a NULL pointer in
5354 rbtdb.c. Implement dead node processing in zones as
5355 we do for caches. [RT #17312]
5357 2326. [bug] It was possible to trigger a INSIST in the acache
5360 2325. [port] Linux: use capset() function if available. [RT #17557]
5362 2324. [bug] Fix IPv6 matching against "any;". [RT #17533]
5364 2323. [port] tru64: namespace clash. [RT #17547]
5366 2322. [port] MacOS: work around the limitation of setrlimit()
5367 for RLIMIT_NOFILE. [RT #17526]
5371 2320. [func] Make statistics counters thread-safe for platforms
5372 that support certain atomic operations. [RT #17466]
5374 2319. [bug] Silence Coverity warnings in
5375 lib/dns/rdata/in_1/apl_42.c. [RT #17469]
5377 2318. [port] sunos fixes for libbind. [RT #17514]
5379 2317. [bug] "make distclean" removed bind9.xsl.h. [RT #17518]
5381 2316. [port] Missing #include <isc/print.h> in lib/dns/gssapictx.c.
5384 2315. [bug] Used incorrect address family for mapped IPv4
5385 addresses in acl.c. [RT #17519]
5387 2314. [bug] Uninitialized memory use on error path in
5388 bin/named/lwdnoop.c. [RT #17476]
5390 2313. [cleanup] Silence Coverity warnings. Handle private stacks.
5391 [RT #17447] [RT #17478]
5393 2312. [cleanup] Silence Coverity warning in lib/isc/unix/socket.c.
5396 2311. [bug] IPv6 addresses could match IPv4 ACL entries and
5397 vice versa. [RT #17462]
5399 2310. [bug] dig, host, nslookup: flush stdout before emitting
5400 debug/fatal messages. [RT #17501]
5402 2309. [cleanup] Fix Coverity warnings in lib/dns/acl.c and iptable.c.
5405 2308. [cleanup] Silence Coverity warning in bin/named/controlconf.c.
5408 2307. [bug] Remove infinite loop from lib/dns/sdb.c. [RT #17496]
5410 2306. [bug] Remove potential race from lib/dns/resolver.c.
5413 2305. [security] inet_network() buffer overflow. CVE-2008-0122.
5415 2304. [bug] Check returns from all dns_rdata_tostruct() calls.
5418 2303. [bug] Remove unnecessary code from bin/named/lwdgnba.c.
5421 2302. [bug] Fix memset() calls in lib/tests/t_api.c. [RT #17472]
5423 2301. [bug] Remove resource leak and fix error messages in
5424 bin/tests/system/lwresd/lwtest.c. [RT #17474]
5426 2300. [bug] Fixed failure to close open file in
5427 bin/tests/names/t_names.c. [RT #17473]
5429 2299. [bug] Remove unnecessary NULL check in
5430 bin/nsupdate/nsupdate.c. [RT #17475]
5432 2298. [bug] isc_mutex_lock() failure not caught in
5433 bin/tests/timers/t_timers.c. [RT #17468]
5435 2297. [bug] isc_entropy_createfilesource() failure not caught in
5436 bin/tests/dst/t_dst.c. [RT #17467]
5438 2296. [port] Allow docbook stylesheet location to be specified to
5439 configure. [RT #17457]
5441 2295. [bug] Silence static overrun error in bin/named/lwaddr.c.
5444 2294. [func] Allow the experimental statistics channels to have
5445 multiple connections and ACL.
5446 Note: the stats-server and stats-server-v6 options
5447 available in the previous beta releases are replaced
5448 with the generic statistics-channels statement.
5450 2293. [func] Add ACL regression test. [RT #17375]
5452 2292. [bug] Log if the working directory is not writable.
5455 2291. [bug] PR_SET_DUMPABLE may be set too late. Also report
5456 failure to set PR_SET_DUMPABLE. [RT #17312]
5458 2290. [bug] Let AD in the query signal that the client wants AD
5459 set in the response. [RT #17301]
5461 2289. [func] named-checkzone now reports the out-of-zone CNAME
5464 2288. [port] win32: mark service as running when we have finished
5465 loading. [RT #17441]
5467 2287. [bug] Use 'volatile' if the compiler supports it. [RT #17413]
5469 2286. [func] Allow a TCP connection to be used as a weak
5470 authentication method for reverse zones.
5471 New update-policy methods tcp-self and 6to4-self.
5474 2285. [func] Test framework for client memory context management.
5477 2284. [bug] Memory leak in UPDATE prerequisite processing.
5480 2283. [bug] TSIG keys were not attaching to the memory
5481 context. TSIG keys should use the rings
5482 memory context rather than the clients memory
5483 context. [RT #17377]
5485 2282. [bug] Acl code fixups. [RT #17346] [RT #17374]
5487 2281. [bug] Attempts to use undefined acls were not being logged.
5490 2280. [func] Allow the experimental http server to be reached
5491 over IPv6 as well as IPv4. [RT #17332]
5493 2279. [bug] Use setsockopt(SO_NOSIGPIPE), when available,
5494 to protect applications from receiving spurious
5495 SIGPIPE signals when using the resolver.
5497 2278. [bug] win32: handle the case where Windows returns no
5498 search list or DNS suffix. [RT #17354]
5500 2277. [bug] Empty zone names were not correctly being caught at
5501 in the post parse checks. [RT #17357]
5503 2276. [bug] Install <dst/gssapi.h>. [RT #17359]
5505 2275. [func] Add support to dig to perform IXFR queries over UDP.
5508 2274. [func] Log zone transfer statistics. [RT #17336]
5510 2273. [bug] Adjust log level to WARNING when saving inconsistent
5511 stub/slave master and journal files. [RT #17279]
5513 2272. [bug] Handle illegal dnssec-lookaside trust-anchor names.
5516 2271. [bug] Fix a memory leak in http server code [RT #17100]
5518 2270. [bug] dns_db_closeversion() version->writer could be reset
5519 before it is tested. [RT #17290]
5521 2269. [contrib] dbus memory leaks and missing va_end calls. [RT #17232]
5523 2268. [bug] 0.IN-ADDR.ARPA was missing from the empty zones
5526 --- 9.5.0b1 released ---
5528 2267. [bug] Radix tree node_num value could be set incorrectly,
5529 causing positive ACL matches to look like negative
5532 2266. [bug] client.c:get_clientmctx() returned the same mctx
5533 once the pool of mctx's was filled. [RT #17218]
5535 2265. [bug] Test that the memory context's basic_table is non NULL
5536 before freeing. [RT #17265]
5538 2264. [bug] Server prefix length was being ignored. [RT #17308]
5540 2263. [bug] "named-checkconf -z" failed to set default value
5541 for "check-integrity". [RT #17306]
5543 2262. [bug] Error status from all but the last view could be
5546 2261. [bug] Fix memory leak with "any" and "none" ACLs [RT #17272]
5548 2260. [bug] Reported wrong clients-per-query when increasing the
5553 --- 9.5.0a7 released ---
5555 2258. [bug] Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken.
5558 2257. [bug] win32: Use the full path to vcredist_x86.exe when
5559 calling it. [RT #17222]
5561 2256. [bug] win32: Correctly register the installation location of
5562 bindevt.dll. [RT #17159]
5564 2255. [maint] L.ROOT-SERVERS.NET is now 199.7.83.42.
5566 2254. [bug] timer.c:dispatch() failed to lock timer->lock
5567 when reading timer->idle allowing it to see
5568 intermediate values as timer->idle was reset by
5569 isc_timer_touch(). [RT #17243]
5571 2253. [func] "max-cache-size" defaults to 32M.
5572 "max-acache-size" defaults to 16M.
5574 2252. [bug] Fixed errors in sortlist code [RT #17216]
5578 2250. [func] New flag 'memstatistics' to state whether the
5579 memory statistics file should be written or not.
5580 Additionally named's -m option will cause the
5581 statistics file to be written. [RT #17113]
5583 2249. [bug] Only set Authentic Data bit if client requested
5584 DNSSEC, per RFC 3655 [RT #17175]
5586 2248. [cleanup] Fix several errors reported by Coverity. [RT #17160]
5588 2247. [doc] Sort doc/misc/options. [RT #17067]
5590 2246. [bug] Make the startup of test servers (ans.pl) more
5593 2245. [bug] Validating lack of DS records at trust anchors wasn't
5594 working. [RT #17151]
5596 2244. [func] Allow the check of nameserver names against the
5597 SOA MNAME field to be disabled by specifying
5598 'notify-to-soa yes;'. [RT #17073]
5600 2243. [func] Configuration files without a newline at the end now
5601 parse without error. [RT #17120]
5603 2242. [bug] nsupdate: GSS-TSIG support using the Heimdal Kerberos
5604 library could require a source of random data.
5607 2241. [func] nsupdate: add a interactive 'help' command. [RT #17099]
5609 2240. [bug] Cleanup nsupdates GSS-TSIG support. Convert
5610 a number of INSIST()s into plain fatal() errors
5611 which report the triggering result code.
5612 The 'key' command wasn't disabling GSS-TSIG.
5615 2239. [func] Ship a pre built bin/named/bind9.xsl.h. [RT #17114]
5617 2238. [bug] It was possible to trigger a REQUIRE when a
5618 validation was canceled. [RT #17106]
5620 2237. [bug] libbind: res_init() was not thread aware. [RT #17123]
5622 2236. [bug] dnssec-signzone failed to preserve the case of
5623 of wildcard owner names. [RT #17085]
5625 2235. [bug] <isc/atomic.h> was not being installed. [RT #17135]
5627 2234. [port] Correct some compiler warnings on SCO OSr5 [RT #17134]
5629 2233. [func] Add support for O(1) ACL processing, based on
5630 radix tree code originally written by Kevin
5631 Brintnall. [RT #16288]
5633 2232. [bug] dns_adb_findaddrinfo() could fail and return
5634 ISC_R_SUCCESS. [RT #17137]
5636 2231. [bug] Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken.
5639 2230. [bug] We could INSIST reading a corrupted journal.
5642 2229. [bug] Null pointer dereference on query pool creation
5643 failure. [RT #17133]
5645 2228. [contrib] contrib: Change 2188 was incomplete.
5647 2227. [cleanup] Tidied up the FAQ. [RT #17121]
5651 2225. [bug] More support for systems with no IPv4 addresses.
5654 2224. [bug] Defer journal compaction if a xfrin is in progress.
5657 2223. [bug] Make a new journal when compacting. [RT #17119]
5659 2222. [func] named-checkconf now checks server key references.
5662 2221. [bug] Set the event result code to reflect the actual
5663 record turned to caller when a cache update is
5664 rejected due to a more credible answer existing.
5667 2220. [bug] win32: Address a race condition in final shutdown of
5668 the Windows socket code. [RT #17028]
5670 2219. [bug] Apply zone consistency checks to additions, not
5671 removals, when updating. [RT #17049]
5673 2218. [bug] Remove unnecessary REQUIRE from dns_validator_create().
5676 2217. [func] Adjust update log levels. [RT #17092]
5678 2216. [cleanup] Fix a number of errors reported by Coverity.
5681 2215. [bug] Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094]
5683 2214. [bug] Deregister OpenSSL lock callback when cleaning
5684 up. Reorder OpenSSL cleanup so that RAND_cleanup()
5685 is called before the locks are destroyed. [RT #17098]
5687 2213. [bug] SIG0 diagnostic failure messages were looking at the
5688 wrong status code. [RT #17101]
5690 2212. [func] 'host -m' now causes memory statistics and active
5691 memory to be printed at exit. [RT 17028]
5693 2211. [func] Update "dynamic update temporarily disabled" message.
5696 2210. [bug] Deleting class specific records via UPDATE could
5699 2209. [port] osx: linking against user supplied static OpenSSL
5700 libraries failed as the system ones were still being
5703 2208. [port] win32: make sure both build methods produce the
5704 same output. [RT #17058]
5706 2207. [port] Some implementations of getaddrinfo() fail to set
5707 ai_canonname correctly. [RT #17061]
5709 --- 9.5.0a6 released ---
5711 2206. [security] "allow-query-cache" and "allow-recursion" now
5712 cross inherit from each other.
5714 If allow-query-cache is not set in named.conf then
5715 allow-recursion is used if set, otherwise allow-query
5716 is used if set, otherwise the default (localnets;
5717 localhost;) is used.
5719 If allow-recursion is not set in named.conf then
5720 allow-query-cache is used if set, otherwise allow-query
5721 is used if set, otherwise the default (localnets;
5722 localhost;) is used.
5726 2205. [bug] libbind: change #2119 broke thread support. [RT #16982]
5728 2204. [bug] "rndc flushanme name unknown-view" caused named
5729 to crash. [RT #16984]
5731 2203. [security] Query id generation was cryptographically weak.
5734 2202. [security] The default acls for allow-query-cache and
5735 allow-recursion were not being applied. [RT #16960]
5737 2201. [bug] The build failed in a separate object directory.
5740 2200. [bug] The search for cached NSEC records was stopping to
5741 early leading to excessive DLV queries. [RT #16930]
5743 2199. [bug] win32: don't call WSAStartup() while loading dlls.
5746 2198. [bug] win32: RegCloseKey() could be called when
5747 RegOpenKeyEx() failed. [RT #16911]
5749 2197. [bug] Add INSIST to catch negative responses which are
5750 not setting the event result code appropriately.
5753 2196. [port] win32: yield processor while waiting for once to
5754 to complete. [RT #16958]
5756 2195. [func] dnssec-keygen now defaults to nametype "ZONE"
5757 when generating DNSKEYs. [RT #16954]
5759 2194. [bug] Close journal before calling 'done' in xfrin.c.
5761 --- 9.5.0a5 released ---
5763 2193. [port] win32: BINDInstall.exe is now linked statically.
5766 2192. [port] win32: use vcredist_x86.exe to install Visual
5767 Studio's redistributable dlls if building with
5768 Visual Stdio 2005 or later.
5770 2191. [func] named-checkzone now allows dumping to stdout (-).
5771 named-checkconf now has -h for help.
5772 named-checkzone now has -h for help.
5773 rndc now has -h for help.
5774 Better handling of '-?' for usage summaries.
5777 2190. [func] Make fallback to plain DNS from EDNS due to timeouts
5778 more visible. New logging category "edns-disabled".
5781 2189. [bug] Handle socket() returning EINTR. [RT #15949]
5783 2188. [contrib] queryperf: autoconf changes to make the search for
5784 libresolv or libbind more robust. [RT #16299]
5786 2187. [bug] query_addds(), query_addwildcardproof() and
5787 query_addnxrrsetnsec() should take a version
5788 argument. [RT #16368]
5790 2186. [port] cygwin: libbind: check for struct sockaddr_storage
5791 independently of IPv6. [RT #16482]
5793 2185. [port] sunos: libbind: check for ssize_t, memmove() and
5794 memchr(). [RT #16463]
5796 2184. [bug] bind9.xsl.h didn't build out of the source tree.
5799 2183. [bug] dnssec-signzone didn't handle offline private keys
5802 2182. [bug] dns_dispatch_createtcp() and dispatch_createudp()
5803 could return ISC_R_SUCCESS when they ran out of
5806 2181. [port] sunos: libbind: add paths.h from BIND 8. [RT #16462]
5808 2180. [cleanup] Remove bit test from 'compress_test' as they
5809 are no longer needed. [RT #16497]
5811 2179. [func] 'rndc command zone' will now find 'zone' if it is
5812 unique to all the views. [RT #16821]
5814 2178. [bug] 'rndc reload' of a slave or stub zone resulted in
5815 a reference leak. [RT #16867]
5817 2177. [bug] Array bounds overrun on read (rcodetext) at
5818 debug level 10+. [RT #16798]
5820 2176. [contrib] dbus update to handle race condition during
5821 initialization (Bugzilla 235809). [RT #16842]
5823 2175. [bug] win32: windows broadcast condition variable support
5824 was broken. [RT #16592]
5826 2174. [bug] I/O errors should always be fatal when reading
5827 master files. [RT #16825]
5829 2173. [port] win32: When compiling with MSVS 2005 SP1 we also
5830 need to ship Microsoft.VC80.MFCLOC.
5832 --- 9.5.0a4 released ---
5834 2172. [bug] query_addsoa() was being called with a non zone db.
5837 2171. [bug] Handle breaks in DNSSEC trust chains where the parent
5838 servers are not DS aware (DS queries to the parent
5839 return a referral to the child).
5841 2170. [func] Add acache processing to test suite. [RT #16711]
5843 2169. [bug] host, nslookup: when reporting NXDOMAIN report the
5844 given name and not the last name searched for.
5847 2168. [bug] nsupdate: in non-interactive mode treat syntax errors
5848 as fatal errors. [RT #16785]
5850 2167. [bug] When re-using a automatic zone named failed to
5851 attach it to the new view. [RT #16786]
5853 --- 9.5.0a3 released ---
5855 2166. [bug] When running in batch mode, dig could misinterpret
5856 a server address as a name to be looked up, causing
5857 unexpected output. [RT #16743]
5859 2165. [func] Allow the destination address of a query to determine
5860 if we will answer the query or recurse.
5861 allow-query-on, allow-recursion-on and
5862 allow-query-cache-on. [RT #16291]
5864 2164. [bug] The code to determine how named-checkzone /
5865 named-compilezone was called failed under windows.
5868 2163. [bug] If only one of query-source and query-source-v6
5869 specified a port the query pools code broke (change
5872 2162. [func] Allow "rrset-order fixed" to be disabled at compile
5875 2161. [bug] Fix which log messages are emitted for 'rndc flush'.
5878 2160. [bug] libisc wasn't handling NULL ifa_addr pointers returned
5879 from getifaddrs(). [RT #16708]
5881 --- 9.5.0a2 released ---
5883 2159. [bug] Array bounds overrun in acache processing. [RT #16710]
5885 2158. [bug] ns_client_isself() failed to initialize key
5886 leading to a REQUIRE failure. [RT #16688]
5888 2157. [func] dns_db_transfernode() created. [RT #16685]
5890 2156. [bug] Fix node reference leaks in lookup.c:lookup_find(),
5891 resolver.c:validated() and resolver.c:cache_name().
5892 Fix a memory leak in rbtdb.c:free_noqname().
5893 Make lookup.c:lookup_find() robust against
5894 event leaks. [RT #16685]
5896 2155. [contrib] SQLite sdb module from jaboydjr@netwalk.com.
5899 2154. [func] Scoped (e.g. IPv6 link-local) addresses may now be
5900 matched in acls by omitting the scope. [RT #16599]
5902 2153. [bug] nsupdate could leak memory. [RT #16691]
5904 2152. [cleanup] Use sizeof(buf) instead of fixed number in
5905 dighost.c:get_trusted_key(). [RT #16678]
5907 2151. [bug] Missing newline in usage message for journalprint.
5910 2150. [bug] 'rrset-order cyclic' uniformly distribute the
5911 starting point for the first response for a given
5914 2149. [bug] isc_mem_checkdestroyed() failed to abort on
5915 if there were still active memory contexts.
5918 2148. [func] Add positive logging for rndc commands. [RT #14623]
5920 2147. [bug] libbind: remove potential buffer overflow from
5921 hmac_link.c. [RT #16437]
5923 2146. [cleanup] Silence Linux's spurious "obsolete setsockopt
5924 SO_BSDCOMPAT" message. [RT #16641]
5926 2145. [bug] Check DS/DLV digest lengths for known digests.
5929 2144. [cleanup] Suppress logging of SERVFAIL from forwarders.
5932 2143. [bug] We failed to restart the IPv6 client when the
5933 kernel failed to return the destination the
5934 packet was sent to. [RT #16613]
5936 2142. [bug] Handle master files with a modification time that
5937 matches the epoch. [RT #16612]
5939 2141. [bug] dig/host should not be setting IDN_ASCCHECK (IDN
5940 equivalent of LDH checks). [RT #16609]
5942 2140. [bug] libbind: missing unlock on pthread_key_create()
5943 failures. [RT #16654]
5945 2139. [bug] dns_view_find() was being called with wrong type
5946 in adb.c. [RT #16670]
5948 2138. [bug] Lock order reversal in resolver.c. [RT #16653]
5950 2137. [port] Mips little endian and/or mips 64 bit are now
5951 supported for atomic operations. [RT #16648]
5953 2136. [bug] nslookup/host looped if there was no search list
5954 and the host didn't exist. [RT #16657]
5956 2135. [bug] Uninitialized rdataset in sdlz.c. [RT #16656]
5958 2134. [func] Additional statistics support. [RT #16666]
5960 2133. [port] powerpc: Support both IBM and MacOS Power PC
5961 assembler syntaxes. [RT #16647]
5963 2132. [bug] Missing unlock on out of memory in
5964 dns_dispatchmgr_setudp().
5966 2131. [contrib] dlz/mysql: AXFR was broken. [RT #16630]
5968 2130. [func] Log if CD or DO were set. [RT #16640]
5970 2129. [func] Provide a pool of UDP sockets for queries to be
5971 made over. See use-queryport-pool, queryport-pool-ports
5972 and queryport-pool-updateinterval. [RT #16415]
5974 2128. [doc] xsltproc --nonet, update DTD versions. [RT #16635]
5976 2127. [port] Improved OpenSSL 0.9.8 support. [RT #16563]
5978 2126. [security] Serialize validation of type ANY responses. [RT #16555]
5980 2125. [bug] dns_zone_getzeronosoattl() REQUIRE failure if DLZ
5981 was defined. [RT #16574]
5983 2124. [security] It was possible to dereference a freed fetch
5984 context. [RT #16584]
5986 --- 9.5.0a1 released ---
5988 2123. [func] Use Doxygen to generate internal documentation.
5991 2122. [func] Experimental http server and statistics support
5994 2121. [func] Add a 10 slot dead masters cache (LRU) with a 600
5995 second timeout. [RT #16553]
5997 2120. [doc] Fix markup on nsupdate man page. [RT #16556]
5999 2119. [compat] libbind: allow res_init() to succeed enough to
6000 return the default domain even if it was unable
6003 2118. [bug] Handle response with long chains of domain name
6004 compression pointers which point to other compression
6005 pointers. [RT #16427]
6007 2117. [bug] DNSSEC fixes: named could fail to cache NSEC records
6008 which could lead to validation failures. named didn't
6009 handle negative DS responses that were in the process
6010 of being validated. Check CNAME bit before accepting
6011 NODATA proof. To be able to ignore a child NSEC there
6012 must be SOA (and NS) set in the bitmap. [RT #16399]
6014 2116. [bug] 'rndc reload' could cause the cache to continually
6015 be cleaned. [RT #16401]
6017 2115. [bug] 'rndc reconfig' could trigger a INSIST if the
6018 number of masters for a zone was reduced. [RT #16444]
6020 2114. [bug] dig/host/nslookup: searches for names with multiple
6021 labels were failing. [RT #16447]
6023 2113. [bug] nsupdate: if a zone is specified it should be used
6024 for server discover. [RT #16455]
6026 2112. [security] Warn if weak RSA exponent is used. [RT #16460]
6028 2111. [bug] Fix a number of errors reported by Coverity.
6031 2110. [bug] "minimal-responses yes;" interacted badly with BIND 8
6032 priming queries. [RT #16491]
6034 2109. [port] libbind: silence aix 5.3 compiler warnings. [RT #16502]
6036 2108. [func] DHCID support. [RT #16456]
6038 2107. [bug] dighost.c: more cleanup of buffers. [RT #16499]
6040 2106. [func] 'rndc status' now reports named's version. [RT #16426]
6042 2105. [func] GSS-TSIG support (RFC 3645).
6044 2104. [port] Fix Solaris SMF error message.
6046 2103. [port] Add /usr/sfw to list of locations for OpenSSL
6049 2102. [port] Silence Solaris 10 warnings.
6051 2101. [bug] OpenSSL version checks were not quite right.
6054 2100. [port] win32: copy libeay32.dll to Build\Debug.
6055 Copy Debug\named-checkzone to Debug\named-compilezone.
6057 2099. [port] win32: more manifest issues.
6059 2098. [bug] Race in rbtdb.c:no_references(), which occasionally
6060 triggered an INSIST failure about the node lock
6061 reference. [RT #16411]
6063 2097. [bug] named could reference a destroyed memory context
6064 after being reloaded / reconfigured. [RT #16428]
6066 2096. [bug] libbind: handle applications that fail to detect
6067 res_init() failures better.
6069 2095. [port] libbind: alway prototype inet_cidr_ntop_ipv6() and
6070 net_cidr_ntop_ipv6(). [RT #16388]
6072 2094. [contrib] Update named-bootconf. [RT #16404]
6074 2093. [bug] named-checkzone -s was broken.
6076 2092. [bug] win32: dig, host, nslookup. Use registry config
6077 if resolv.conf does not exist or no nameservers
6080 2091. [port] dighost.c: race condition on cleanup. [RT #16417]
6082 2090. [port] win32: Visual C++ 2005 command line manifest support.
6085 2089. [security] Raise the minimum safe OpenSSL versions to
6086 OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions
6087 prior to these have known security flaws which
6088 are (potentially) exploitable in named. [RT #16391]
6090 2088. [security] Change the default RSA exponent from 3 to 65537.
6093 2087. [port] libisc failed to compile on OS's w/o a vsnprintf.
6096 2086. [port] libbind: FreeBSD now has get*by*_r() functions.
6099 2085. [doc] win32: added index.html and README to zip. [RT #16201]
6101 2084. [contrib] dbus update for 9.3.3rc2.
6103 2083. [port] win32: Visual C++ 2005 support.
6105 2082. [doc] Document 'cache-file' as a test only option.
6107 2081. [port] libbind: minor 64-bit portability fix in memcluster.c.
6110 2080. [port] libbind: res_init.c did not compile on older versions
6111 of Solaris. [RT #16363]
6113 2079. [bug] The lame cache was not handling multiple types
6114 correctly. [RT #16361]
6116 2078. [bug] dnssec-checkzone output style "default" was badly
6117 named. It is now called "relative". [RT #16326]
6119 2077. [bug] 'dnssec-signzone -O raw' wasn't outputting the
6120 complete signed zone. [RT #16326]
6122 2076. [bug] Several files were missing #include <config.h>
6123 causing build failures on OSF. [RT #16341]
6125 2075. [bug] The spillat timer event hander could leak memory.
6128 2074. [bug] dns_request_createvia2(), dns_request_createvia3(),
6129 dns_request_createraw2() and dns_request_createraw3()
6130 failed to send multiple UDP requests. [RT #16349]
6132 2073. [bug] Incorrect semantics check for update policy "wildcard".
6135 2072. [bug] We were not generating valid HMAC SHA digests.
6138 2071. [port] Test whether gcc accepts -fno-strict-aliasing.
6141 2070. [bug] The remote address was not always displayed when
6142 reporting dispatch failures. [RT #16315]
6144 2069. [bug] Cross compiling was not working. [RT #16330]
6146 2068. [cleanup] Lower incremental tuning message to debug 1.
6149 2067. [bug] 'rndc' could close the socket too early triggering
6150 a INSIST under Windows. [RT #16317]
6152 2066. [security] Handle SIG queries gracefully. [RT #16300]
6154 2065. [bug] libbind: probe for HPUX prototypes for
6155 endprotoent_r() and endservent_r(). [RT 16313]
6157 2064. [bug] libbind: silence AIX compiler warnings. [RT #16218]
6159 2063. [bug] Change #1955 introduced a bug which caused the first
6160 'rndc flush' call to not free memory. [RT #16244]
6162 2062. [bug] 'dig +nssearch' was reusing a buffer before it had
6163 been returned by the socket code. [RT #16307]
6165 2061. [bug] Accept expired wildcard message reversed. [RT #16296]
6167 2060. [bug] Enabling DLZ support could leave views partially
6168 configured. [RT #16295]
6170 2059. [bug] Search into cache rbtdb could trigger an INSIST
6171 failure while cleaning up a stale rdataset.
6174 2058. [bug] Adjust how we calculate rtt estimates in the presence
6175 of authoritative servers that drop EDNS and/or CD
6176 requests. Also fallback to EDNS/512 and plain DNS
6177 faster for zones with less than 3 servers. [RT #16187]
6179 2057. [bug] Make setting "ra" dependent on both allow-query-cache
6180 and allow-recursion. [RT #16290]
6182 2056. [bug] dig: ixfr= was not being treated case insensitively
6183 at all times. [RT #15955]
6185 2055. [bug] Missing goto after dropping multicast query.
6188 2054. [port] freebsd: do not explicitly link against -lpthread.
6191 2053. [port] netbsd:libbind: silence compiler warnings. [RT #16220]
6193 2052. [bug] 'rndc' improve connect failed message to report
6194 the failing address. [RT #15978]
6196 2051. [port] More strtol() fixes. [RT #16249]
6198 2050. [bug] Parsing of NSAP records was not case insensitive.
6201 2049. [bug] Restore SOA before AXFR when falling back from
6202 a attempted IXFR when transferring in a zone.
6203 Allow a initial SOA query before attempting
6204 a AXFR to be requested. [RT #16156]
6206 2048. [bug] It was possible to loop forever when using
6207 avoid-v4-udp-ports / avoid-v6-udp-ports when
6208 the OS always returned the same local port.
6211 2047. [bug] Failed to initialize the interface flags to zero.
6214 2046. [bug] rbtdb.c:rdataset_setadditional() could cause duplicate
6215 cleanup [RT #16247].
6217 2045. [func] Use lock buckets for acache entries to limit memory
6218 consumption. [RT #16183]
6220 2044. [port] Add support for atomic operations for Itanium.
6223 2043. [port] nsupdate/nslookup: Force the flushing of the prompt
6224 for interactive sessions. [RT #16148]
6226 2042. [bug] named-checkconf was incorrectly rejecting the
6227 logging category "config". [RT #16117]
6229 2041. [bug] "configure --with-dlz-bdb=yes" produced a bad
6230 set of libraries to be linked. [RT #16129]
6232 2040. [bug] rbtdb no_references() could trigger an INSIST
6233 failure with --enable-atomic. [RT #16022]
6235 2039. [func] Check that all buffers passed to the socket code
6236 have been retrieved when the socket event is freed.
6239 2038. [bug] dig/nslookup/host was unlinking from wrong list
6240 when handling errors. [RT #16122]
6242 2037. [func] When unlinking the first or last element in a list
6243 check that the list head points to the element to
6244 be unlinked. [RT #15959]
6246 2036. [bug] 'rndc recursing' could cause trigger a REQUIRE.
6249 2035. [func] Make falling back to TCP on UDP refresh failure
6250 optional. Default "try-tcp-refresh yes;" for BIND 8
6251 compatibility. [RT #16123]
6253 2034. [bug] gcc: set -fno-strict-aliasing. [RT #16124]
6255 2033. [bug] We weren't creating multiple client memory contexts
6256 on demand as expected. [RT #16095]
6258 2032. [bug] Remove a INSIST in query_addadditional2(). [RT #16074]
6260 2031. [bug] Emit a error message when "rndc refresh" is called on
6261 a non slave/stub zone. [RT # 16073]
6263 2030. [bug] We were being overly conservative when disabling
6264 openssl engine support. [RT #16030]
6266 2029. [bug] host printed out the server multiple times when
6267 specified on the command line. [RT #15992]
6269 2028. [port] linux: socket.c compatibility for old systems.
6272 2027. [port] libbind: Solaris x86 support. [RT #16020]
6274 2026. [bug] Rate limit the two recursive client exceeded messages.
6277 2025. [func] Update "zone serial unchanged" message. [RT #16026]
6279 2024. [bug] named emitted spurious "zone serial unchanged"
6280 messages on reload. [RT #16027]
6282 2023. [bug] "make install" should create ${localstatedir}/run and
6283 ${sysconfdir} if they do not exist. [RT #16033]
6285 2022. [bug] If dnssec validation is disabled only assert CD if
6286 CD was requested. [RT #16037]
6288 2021. [bug] dnssec-enable no; triggered a REQUIRE. [RT #16037]
6290 2020. [bug] rdataset_setadditional() could leak memory. [RT #16034]
6292 2019. [tuning] Reduce the amount of work performed per quantum
6293 when cleaning the cache. [RT #15986]
6295 2018. [bug] Checking if the HMAC MD5 private file was broken.
6298 2017. [bug] allow-query default was not correct. [RT #15946]
6300 2016. [bug] Return a partial answer if recursion is not
6301 allowed but requested and we had the answer
6302 to the original qname. [RT #15945]
6304 2015. [cleanup] use-additional-cache is now acache-enable for
6305 consistency. Default acache-enable off in BIND 9.4
6306 as it requires memory usage to be configured.
6307 It may be enabled by default in BIND 9.5 once we
6308 have more experience with it.
6310 2014. [func] Statistics about acache now recorded and sent
6313 2013. [bug] Handle unexpected TSIGs on unsigned AXFR/IXFR
6314 responses more gracefully. [RT #15941]
6316 2012. [func] Don't insert new acache entries if acache is full.
6319 2011. [func] dnssec-signzone can now update the SOA record of
6320 the signed zone, either as an increment or as the
6321 system time(). [RT #15633]
6323 2010. [placeholder] rt15958
6325 2009. [bug] libbind: Coverity fixes. [RT #15808]
6327 2008. [func] It is now possible to enable/disable DNSSEC
6328 validation from rndc. This is useful for the
6329 mobile hosts where the current connection point
6330 breaks DNSSEC (firewall/proxy). [RT #15592]
6332 rndc validation newstate [view]
6334 2007. [func] It is now possible to explicitly enable DNSSEC
6335 validation. default dnssec-validation no; to
6336 be changed to yes in 9.5.0. [RT #15674]
6338 2006. [security] Allow-query-cache and allow-recursion now default
6339 to the built in acls "localnets" and "localhost".
6341 This is being done to make caching servers less
6342 attractive as reflective amplifying targets for
6343 spoofed traffic. This still leave authoritative
6346 The best fix is for full BCP 38 deployment to
6347 remove spoofed traffic.
6349 2005. [bug] libbind: Retransmission timeouts should be
6350 based on which attempt it is to the nameserver
6351 and not the nameserver itself. [RT #13548]
6353 2004. [bug] dns_tsig_sign() could pass a NULL pointer to
6354 dst_context_destroy() when cleaning up after a
6357 2003. [bug] libbind: The DNS name/address lookup functions could
6358 occasionally follow a random pointer due to
6359 structures not being completely zeroed. [RT #15806]
6361 2002. [bug] libbind: tighten the constraints on when
6362 struct addrinfo._ai_pad exists. [RT #15783]
6364 2001. [func] Check the KSK flag when updating a secure dynamic zone.
6365 New zone option "update-check-ksk yes;". [RT #15817]
6367 2000. [bug] memmove()/strtol() fix was incomplete. [RT #15812]
6369 1999. [func] Implement "rrset-order fixed". [RT #13662]
6371 1998. [bug] Restrict handling of fifos as sockets to just SunOS.
6372 This allows named to connect to entropy gathering
6373 daemons that use fifos instead of sockets. [RT #15840]
6375 1997. [bug] Named was failing to replace negative cache entries
6376 when a positive one for the type was learnt.
6379 1996. [bug] nsupdate: if a zone has been specified it should
6380 appear in the output of 'show'. [RT #15797]
6382 1995. [bug] 'host' was reporting multiple "is an alias" messages.
6385 1994. [port] OpenSSL 0.9.8 support. [RT #15694]
6387 1993. [bug] Log messages, via syslog, were missing the space
6388 after the timestamp if "print-time yes" was specified.
6391 1992. [bug] Not all incoming zone transfer messages included the
6394 1991. [cleanup] The configuration data, once read, should be treated
6395 as read only. Expand the use of const to enforce this
6396 at compile time. [RT #15813]
6398 1990. [bug] libbind: isc's override of broken gettimeofday()
6399 implementations was not always effective.
6402 1989. [bug] win32: don't check the service password when
6403 re-installing. [RT #15882]
6405 1988. [bug] Remove a bus error from the SHA256/SHA512 support.
6408 1987. [func] DS/DLV SHA256 digest algorithm support. [RT #15608]
6410 1986. [func] Report when a zone is removed. [RT #15849]
6412 1985. [protocol] DLV has now been assigned a official type code of
6415 Note: care should be taken to ensure you upgrade
6416 both named and dnssec-signzone at the same time for
6417 zones with DLV records where named is the master
6418 server for the zone. Also any zones that contain
6419 DLV records should be removed when upgrading a slave
6420 zone. You do not however have to upgrade all
6421 servers for a zone with DLV records simultaneously.
6423 1984. [func] dig, nslookup and host now advertise a 4096 byte
6424 EDNS UDP buffer size by default. [RT #15855]
6426 1983. [func] Two new update policies. "selfsub" and "selfwild".
6429 1982. [bug] DNSKEY was being accepted on the parent side of
6430 a delegation. KEY is still accepted there for
6431 RFC 3007 validated updates. [RT #15620]
6433 1981. [bug] win32: condition.c:wait() could fail to reattain
6436 1980. [func] dnssec-signzone: output the SOA record as the
6437 first record in the signed zone. [RT #15758]
6439 1979. [port] linux: allow named to drop core after changing
6440 user ids. [RT #15753]
6442 1978. [port] Handle systems which have a broken recvmsg().
6445 1977. [bug] Silence noisy log message. [RT #15704]
6447 1976. [bug] Handle systems with no IPv4 addresses. [RT #15695]
6449 1975. [bug] libbind: isc_gethexstring() could misparse multi-line
6450 hex strings with comments. [RT #15814]
6452 1974. [doc] List each of the zone types and associated zone
6453 options separately in the ARM.
6455 1973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
6456 HMACSHA512 support. [RT #13606]
6458 1972. [contrib] DBUS dynamic forwarders integration from
6459 Jason Vas Dias <jvdias@redhat.com>.
6461 1971. [port] linux: make detection of missing IF_NAMESIZE more
6464 1970. [bug] nsupdate: adjust UDP timeout when falling back to
6465 unsigned SOA query. [RT #15775]
6467 1969. [bug] win32: the socket code was freeing the socket
6468 structure too early. [RT #15776]
6470 1968. [bug] Missing lock in resolver.c:validated(). [RT #15739]
6472 1967. [func] dig/nslookup/host: warn about missing "QR". [RT #15779]
6474 1966. [bug] Don't set CD when we have fallen back to plain DNS.
6477 1965. [func] Suppress spurious "recursion requested but not
6478 available" warning with 'dig +qr'. [RT #15780].
6480 1964. [func] Separate out MX and SRV to CNAME checks. [RT #15723]
6482 1963. [port] Tru64 4.0E doesn't support send() and recv().
6485 1962. [bug] Named failed to clear old update-policy when it
6486 was removed. [RT #15491]
6488 1961. [bug] Check the port and address of responses forwarded
6489 to dispatch. [RT #15474]
6491 1960. [bug] Update code should set NSEC ttls from SOA MINIMUM.
6494 1959. [func] Control the zeroing of the negative response TTL to
6495 a soa query. Defaults "zero-no-soa-ttl yes;" and
6496 "zero-no-soa-ttl-cache no;". [RT #15460]
6498 1958. [bug] Named failed to update the zone's secure state
6499 until the zone was reloaded. [RT #15412]
6501 1957. [bug] Dig mishandled responses to class ANY queries.
6504 1956. [bug] Improve cross compile support, 'gen' is now built
6505 by native compiler. See README for additional
6506 cross compile support information. [RT #15148]
6508 1955. [bug] Pre-allocate the cache cleaning iterator. [RT #14998]
6510 1954. [func] Named now falls back to advertising EDNS with a
6511 512 byte receive buffer if the initial EDNS queries
6514 1953. [func] The maximum EDNS UDP response named will send can
6515 now be set in named.conf (max-udp-size). This is
6516 independent of the advertised receive buffer
6517 (edns-udp-size). [RT #14852]
6519 1952. [port] hpux: tell the linker to build a runtime link
6520 path "-Wl,+b:". [RT #14816].
6522 1951. [security] Drop queries from particular well known ports.
6523 Don't return FORMERR to queries from particular
6524 well known ports. [RT #15636]
6526 1950. [port] Solaris 2.5.1 and earlier cannot bind() then connect()
6527 a TCP socket. This prevents the source address being
6528 set for TCP connections. [RT #15628]
6530 1949. [func] Addition memory leakage checks. [RT #15544]
6532 1948. [bug] If was possible to trigger a REQUIRE failure in
6533 xfrin.c:maybe_free() if named ran out of memory.
6536 1947. [func] It is now possible to configure named to accept
6537 expired RRSIGs. Default "dnssec-accept-expired no;".
6538 Setting "dnssec-accept-expired yes;" leaves named
6539 vulnerable to replay attacks. [RT #14685]
6541 1946. [bug] resume_dslookup() could trigger a REQUIRE failure
6542 when using forwarders. [RT #15549]
6544 1945. [cleanup] dnssec-keygen: RSA (RSAMD5) is no longer recommended.
6545 To generate a RSAMD5 key you must explicitly request
6548 1944. [cleanup] isc_hash_create() does not need a read/write lock.
6551 1943. [bug] Set the loadtime after rolling forward the journal.
6554 1942. [bug] If the name of a DNSKEY match that of one in
6555 trusted-keys do not attempt to validate the DNSKEY
6556 using the parents DS RRset. [RT #15649]
6558 1941. [bug] ncache_adderesult() should set eresult even if no
6559 rdataset is passed to it. [RT #15642]
6561 1940. [bug] Fixed a number of error conditions reported by
6564 1939. [bug] The resolver could dereference a null pointer after
6565 validation if all the queries have timed out.
6568 1938. [bug] The validator was not correctly handling unsecure
6569 negative responses at or below a SEP. [RT #15528]
6571 1937. [bug] sdlz doesn't handle RRSIG records. [RT #15564]
6573 1936. [bug] The validator could leak memory. [RT #15544]
6575 1935. [bug] 'acache' was DO sensitive. [RT #15430]
6577 1934. [func] Validate pending NS RRsets, in the authority section,
6578 prior to returning them if it can be done without
6579 requiring DNSKEYs to be fetched. [RT #15430]
6581 1933. [bug] dump_rdataset_raw() had a incorrect INSIST. [RT #15534]
6583 1932. [bug] hpux: LDFLAGS was getting corrupted. [RT #15530]
6585 1931. [bug] Per-client mctx could require a huge amount of memory,
6586 particularly for a busy caching server. [RT #15519]
6588 1930. [port] HPUX: ia64 support. [RT #15473]
6590 1929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
6592 1928. [bug] Race in rbtdb.c:currentversion(). [RT #15517]
6594 1927. [bug] Access to soanode or nsnode in rbtdb violated the
6595 lock order rule and could cause a dead lock.
6598 1926. [bug] The Windows installer did not check for empty
6599 passwords. BINDinstall was being installed in
6600 the wrong place. [RT #15483]
6602 1925. [port] All outer level AC_TRY_RUNs need cross compiling
6603 defaults. [RT #15469]
6605 1924. [port] libbind: hpux ia64 support. [RT #15473]
6607 1923. [bug] ns_client_detach() called too early. [RT #15499]
6609 1922. [bug] check-tool.c:setup_logging() missing call to
6610 dns_log_setcontext().
6612 1921. [bug] Client memory contexts were not using internal
6615 1920. [bug] The cache rbtdb lock array was too small to
6616 have the desired performance characteristics.
6619 1919. [contrib] queryperf: a set of new features: collecting/printing
6620 response delays, printing intermediate results, and
6621 adjusting query rate for the "target" qps.
6623 1918. [bug] Memory leak when checking acls. [RT #15391]
6625 1917. [doc] funcsynopsisinfo wasn't being treated as verbatim
6626 when generating man pages. [RT #15385]
6628 1916. [func] Integrate contributed IDN code from JPNIC. [RT #15383]
6630 1915. [bug] dig +ndots was broken. [RT #15215]
6632 1914. [protocol] DS is required to accept mnemonic algorithms
6633 (RFC 4034). Still emit numeric algorithms for
6634 compatibility with RFC 3658. [RT #15354]
6636 1913. [func] Integrate contributed DLZ code into named. [RT #11382]
6638 1912. [port] aix: atomic locking for powerpc. [RT #15020]
6640 1911. [bug] Update windows socket code. [RT #14965]
6642 1910. [bug] dig's +sigchase code overhauled. [RT #14933]
6644 1909. [bug] The DLV code has been re-worked to make no longer
6645 query order sensitive. [RT #14933]
6647 1908. [func] dig now warns if 'RA' is not set in the answer when
6648 'RD' was set in the query. host/nslookup skip servers
6649 that fail to set 'RA' when 'RD' is set unless a server
6650 is explicitly set. [RT #15005]
6652 1907. [func] host/nslookup now continue (default)/fail on SERVFAIL.
6655 1906. [func] dig now has a '-q queryname' and '+showsearch' options.
6658 1905. [bug] Strings returned from cfg_obj_asstring() should be
6659 treated as read-only. The prototype for
6660 cfg_obj_asstring() has been updated to reflect this.
6663 1904. [func] Automatic empty zone creation for D.F.IP6.ARPA and
6664 friends. Note: RFC 1918 zones are not yet covered by
6665 this but are likely to be in a future release.
6667 New options: empty-server, empty-contact,
6668 empty-zones-enable and disable-empty-zone.
6670 1903. [func] ISC string copy API.
6672 1902. [func] Attempt to make the amount of work performed in a
6673 iteration self tuning. The covers nodes clean from
6674 the cache per iteration, nodes written to disk when
6675 rewriting a master file and nodes destroyed per
6676 iteration when destroying a zone or a cache.
6679 1901. [cleanup] Don't add DNSKEY records to the additional section.
6681 1900. [bug] ixfr-from-differences failed to ensure that the
6682 serial number increased. [RT #15036]
6684 1899. [func] named-checkconf now validates update-policy entries.
6687 1898. [bug] Extend ISC_SOCKADDR_FORMATSIZE and
6688 ISC_NETADDR_FORMATSIZE to allow for scope details.
6690 1897. [func] x86 and x86_64 now have separate atomic locking
6693 1896. [bug] Recursive clients soft quota support wasn't working
6694 as expected. [RT #15103]
6696 1895. [bug] A escaped character is, potentially, converted to
6697 the output character set too early. [RT #14666]
6699 1894. [doc] Review ARM for BIND 9.4.
6701 1893. [port] Use uintptr_t if available. [RT #14606]
6703 1892. [func] Support for SPF rdata type. [RT #15033]
6705 1891. [port] freebsd: pthread_mutex_init can fail if it runs out
6706 of memory. [RT #14995]
6708 1890. [func] Raise the UDP receive buffer size to 32k if it is
6709 less than 32k. [RT #14953]
6711 1889. [port] sunos: non blocking i/o support. [RT #14951]
6713 1888. [func] Support for IPSECKEY rdata type. [RT #14967]
6715 1887. [bug] The cache could delete expired records too fast for
6716 clients with a virtual time in the past. [RT #14991]
6718 1886. [bug] fctx_create() could return success even though it
6721 1885. [func] dig: report the number of extra bytes still left in
6722 the packet after processing all the records.
6724 1884. [cleanup] dighost.c: move external declarations into <dig/dig.h>.
6726 1883. [bug] dnssec-signzone, dnssec-keygen: handle negative debug
6729 1882. [func] Limit the number of recursive clients that can be
6730 waiting for a single query (<qname,qtype,qclass>) to
6731 resolve. New options clients-per-query and
6732 max-clients-per-query.
6734 1881. [func] Add a system test for named-checkconf. [RT #14931]
6736 1880. [func] The lame cache is now done on a <qname,qclass,qtype>
6737 basis as some servers only appear to be lame for
6738 certain query types. [RT #14916]
6740 1879. [func] "USE INTERNAL MALLOC" is now runtime selectable.
6743 1878. [func] Detect duplicates of UDP queries we are recursing on
6744 and drop them. New stats category "duplicate".
6747 1877. [bug] Fix unreasonably low quantum on call to
6748 dns_rbt_destroy2(). Remove unnecessary unhash_node()
6751 1876. [func] Additional memory debugging support to track size
6752 and mctx arguments. [RT #14814]
6754 1875. [bug] process_dhtkey() was using the wrong memory context
6755 to free some memory. [RT #14890]
6757 1874. [port] sunos: portability fixes. [RT #14814]
6759 1873. [port] win32: isc__errno2result() now reports its caller.
6762 1872. [port] win32: Handle ERROR_NETNAME_DELETED. [RT #13753]
6766 1870. [func] Added framework for handling multiple EDNS versions.
6769 1869. [func] dig can now specify the EDNS version when making
6770 a query. [RT #14873]
6772 1868. [func] edns-udp-size can now be overridden on a per
6773 server basis. [RT #14851]
6775 1867. [bug] It was possible to trigger a INSIST in
6776 dlv_validatezonekey(). [RT #14846]
6778 1866. [bug] resolv.conf parse errors were being ignored by
6779 dig/host/nslookup. [RT #14841]
6781 1865. [bug] Silently ignore nameservers in /etc/resolv.conf with
6782 bad addresses. [RT #14841]
6784 1864. [bug] Don't try the alternative transfer source if you
6785 got a answer / transfer with the main source
6786 address. [RT #14802]
6788 1863. [bug] rrset-order "fixed" error messages not complete.
6790 1862. [func] Add additional zone data constancy checks.
6791 named-checkzone has extended checking of NS, MX and
6792 SRV record and the hosts they reference.
6793 named has extended post zone load checks.
6794 New zone options: check-mx and integrity-check.
6797 1861. [bug] dig could trigger a INSIST on certain malformed
6798 responses. [RT #14801]
6800 1860. [port] solaris 2.8: hack_shutup_pthreadmutexinit was
6801 incorrectly set. [RT #14775]
6803 1859. [func] Add support for CH A record. [RT #14695]
6805 1858. [bug] The flush-zones-on-shutdown option wasn't being
6808 1857. [bug] named could trigger a INSIST() if reconfigured /
6809 reloaded too fast. [RT #14673]
6811 1856. [doc] Switch Docbook toolchain from DSSSL to XSL.
6814 1855. [bug] ixfr-from-differences was failing to detect changes
6815 of ttl due to dns_diff_subtract() was ignoring the ttl
6816 of records. [RT #14616]
6818 1854. [bug] lwres also needs to know the print format for
6819 (long long). [RT #13754]
6821 1853. [bug] Rework how DLV interacts with proveunsecure().
6824 1852. [cleanup] Remove last vestiges of dnssec-signkey and
6825 dnssec-makekeyset (removed from Makefile years ago).
6827 1851. [doc] Doxygen comment markup. [RT #11398]
6829 1850. [bug] Memory leak in lwres_getipnodebyaddr(). [RT #14591]
6831 1849. [doc] All forms of the man pages (docbook, man, html) should
6832 have consistent copyright dates.
6834 1848. [bug] Improve SMF integration. [RT #13238]
6836 1847. [bug] isc_ondestroy_init() is called too late in
6837 dns_rbtdb_create()/dns_rbtdb64_create().
6840 1846. [contrib] query-loc-0.3.0 from Stephane Bortzmeyer
6841 <bortzmeyer@nic.fr>.
6843 1845. [bug] Improve error reporting to distinguish between
6844 accept()/fcntl() and socket()/fcntl() errors.
6847 1844. [bug] inet_pton() accepted more that 4 hexadecimal digits
6848 for each 16 bit piece of the IPv6 address. The text
6849 representation of a IPv6 address has been tightened
6850 to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt).
6853 1843. [cleanup] CINCLUDES takes precedence over CFLAGS. This helps
6854 when CFLAGS contains "-I /usr/local/include"
6855 resulting in old header files being used.
6857 1842. [port] cmsg_len() could produce incorrect results on
6858 some platform. [RT #13744]
6860 1841. [bug] "dig +nssearch" now makes a recursive query to
6861 find the list of nameservers to query. [RT #13694]
6863 1840. [func] dnssec-signzone can now randomize signature end times
6864 (dnssec-signzone -j jitter). [RT #13609]
6866 1839. [bug] <isc/hash.h> was not being installed.
6868 1838. [cleanup] Don't allow Linux capabilities to be inherited.
6871 1837. [bug] Compile time option ISC_FACILITY was not effective
6872 for 'named -u <user>'. [RT #13714]
6874 1836. [cleanup] Silence compiler warnings in hash_test.c.
6876 1835. [bug] Update dnssec-signzone's usage message. [RT #13657]
6878 1834. [bug] Bad memset in rdata_test.c. [RT #13658]
6880 1833. [bug] Race condition in isc_mutex_lock_profile(). [RT #13660]
6882 1832. [bug] named fails to return BADKEY on unknown TSIG algorithm.
6885 1831. [doc] Update named-checkzone documentation. [RT #13604]
6887 1830. [bug] adb lame cache has sence of test reversed. [RT #13600]
6889 1829. [bug] win32: "pid-file none;" broken. [RT #13563]
6891 1828. [bug] isc_rwlock_init() failed to properly cleanup if it
6892 encountered a error. [RT #13549]
6894 1827. [bug] host: update usage message for '-a'. [RT #37116]
6896 1826. [bug] Missing DESTROYLOCK() in isc_mem_createx() on out
6897 of memory error. [RT #13537]
6899 1825. [bug] Missing UNLOCK() on out of memory error from in
6900 rbtdb.c:subtractrdataset(). [RT #13519]
6902 1824. [bug] Memory leak on dns_zone_setdbtype() failure.
6905 1823. [bug] Wrong macro used to check for point to point interface.
6908 1822. [bug] check-names test for RT was reversed. [RT #13382]
6912 1820. [bug] Gracefully handle acl loops. [RT #13659]
6914 1819. [bug] The validator needed to check both the algorithm and
6915 digest types of the DS to determine if it could be
6916 used to introduce a secure zone. [RT #13593]
6918 1818. [bug] 'named-checkconf -z' triggered an INSIST. [RT #13599]
6920 1817. [func] Add support for additional zone file formats for
6921 improving loading performance. The masterfile-format
6922 option in named.conf can be used to specify a
6923 non-default format. A separate command
6924 named-compilezone was provided to generate zone files
6925 in the new format. Additionally, the -I and -O options
6926 for dnssec-signzone specify the input and output
6929 1816. [port] UnixWare: failed to compile lib/isc/unix/net.c.
6932 1815. [bug] nsupdate triggered a REQUIRE if the server was set
6933 without also setting the zone and it encountered
6934 a CNAME and was using TSIG. [RT #13086]
6936 1814. [func] UNIX domain controls are now supported.
6938 1813. [func] Restructured the data locking framework using
6939 architecture dependent atomic operations (when
6940 available), improving response performance on
6941 multi-processor machines significantly.
6942 x86, x86_64, alpha, powerpc, and mips are currently
6945 1812. [port] win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect.
6948 1811. [func] Preserve the case of domain names in rdata during
6949 zone transfers. [RT #13547]
6951 1810. [bug] configure, lib/bind/configure make different default
6952 decisions about whether to do a threaded build.
6955 1809. [bug] "make distclean" failed for libbind if the platform
6958 1808. [bug] zone.c:notify_zone() contained a race condition,
6959 zone->db could change underneath it. [RT #13511]
6961 1807. [bug] When forwarding (forward only) set the active domain
6962 from the forward zone name. [RT #13526]
6964 1806. [bug] The resolver returned the wrong result when a CNAME /
6965 DNAME was encountered when fetching glue from a
6966 secure namespace. [RT #13501]
6968 1805. [bug] Pending status was not being cleared when DLV was
6971 1804. [bug] Ensure that if we are queried for glue that it fits
6972 in the additional section or TC is set to tell the
6973 client to retry using TCP. [RT #10114]
6975 1803. [bug] dnssec-signzone sometimes failed to remove old
6978 1802. [bug] Handle connection resets better. [RT #11280]
6980 1801. [func] Report differences between hints and real NS rrset
6981 and associated address records.
6983 1800. [bug] Changes #1719 allowed a INSIST to be triggered.
6986 1799. [bug] 'rndc flushname' failed to flush negative cache
6987 entries. [RT #13438]
6989 1798. [func] The server syntax has been extended to support a
6990 range of servers. [RT #11132]
6992 1797. [func] named-checkconf now check acls to verify that they
6993 only refer to existing acls. [RT #13101]
6995 1796. [func] "rndc freeze/thaw" now freezes/thaws all zones.
6997 1795. [bug] "rndc dumpdb" was not fully documented. Minor
6998 formating issues with "rndc dumpdb -all". [RT #13396]
7000 1794. [func] Named and named-checkzone can now both check for
7001 non-terminal wildcard records.
7003 1793. [func] Extend adjusting TTL warning messages. [RT #13378]
7005 1792. [func] New zone option "notify-delay". Specify a minimum
7006 delay between sets of NOTIFY messages.
7008 1791. [bug] 'host -t a' still printed out AAAA and MX records.
7011 1790. [cleanup] Move lib/dns/sec/dst up into lib/dns. This should
7012 allow parallel make to succeed.
7014 1789. [bug] Prerequisite test for tkey and dnssec could fail
7015 with "configure --with-libtool".
7017 1788. [bug] libbind9.la/libbind9.so needs to link against
7018 libisccfg.la/libisccfg.so.
7020 1787. [port] HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings.
7022 1786. [port] AIX: libt_api needs to be taught to look for
7023 T_testlist in the main executable (--with-libtool).
7026 1785. [bug] libbind9.la/libbind9.so needs to link against
7027 libisc.la/libisc.so.
7029 1784. [cleanup] "libtool -allow-undefined" is the default.
7030 Leave hooks in configure to allow it to be set
7031 if needed in the future.
7033 1783. [cleanup] We only need one copy of libtool.m4, ltmain.sh in the
7036 1782. [port] OSX: --with-libtool + --enable-libbind broke on
7037 __evOptMonoTime. [RT #13219]
7039 1781. [port] FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810]
7041 1780. [bug] Update libtool to 1.5.10.
7043 1779. [port] OSF 5.1: libtool didn't handle -pthread correctly.
7045 1778. [port] HUX 11.11: fix broken IN6ADDR_ANY_INIT and
7046 IN6ADDR_LOOPBACK_INIT macros.
7048 1777. [port] OSF 5.1: fix broken IN6ADDR_ANY_INIT and
7049 IN6ADDR_LOOPBACK_INIT macros.
7051 1776. [port] Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
7052 IN6ADDR_LOOPBACK_INIT macros.
7054 1775. [bug] Only compile getnetent_r.c when threaded. [RT #13205]
7056 1774. [port] Aix: Silence compiler warnings / build failures.
7059 1773. [bug] Fast retry on host / net unreachable. [RT #13153]
7065 1770. [bug] named-checkconf failed to report missing a missing
7066 file clause for rbt{64} master/hint zones. [RT #13009]
7068 1769. [port] win32: change compiler flags /MTd ==> /MDd,
7071 1768. [bug] nsecnoexistnodata() could be called with a non-NSEC
7072 rdataset. [RT #12907]
7074 1767. [port] Builds on IPv6 platforms without IPv6 Advanced API
7075 support for (struct in6_pktinfo) failed. [RT #13077]
7077 1766. [bug] Update the master file timestamp on successful refresh
7078 as well as the journal's timestamp. [RT #13062]
7080 1765. [bug] configure --with-openssl=auto failed. [RT #12937]
7082 1764. [bug] dns_zone_replacedb failed to emit a error message
7083 if there was no SOA record in the replacement db.
7086 1763. [func] Perform sanity checks on NS records which refer to
7087 'in zone' names. [RT #13002]
7089 1762. [bug] isc_interfaceiter_create() could return ISC_R_SUCCESS
7090 even when it failed. [RT #12995]
7092 1761. [bug] 'rndc dumpdb' didn't report unassociated entries.
7095 1760. [bug] Host / net unreachable was not penalising rtt
7096 estimates. [RT #12970]
7098 1759. [bug] Named failed to startup if the OS supported IPv6
7099 but had no IPv6 interfaces configured. [RT #12942]
7101 1758. [func] Don't send notify messages to self. [RT #12933]
7103 1757. [func] host now can turn on memory debugging flags with '-m'.
7105 1756. [func] named-checkconf now checks the logging configuration.
7108 1755. [func] allow-update is now settable at the options / view
7111 1754. [bug] We weren't always attempting to query the parent
7112 server for the DS records at the zone cut.
7115 1753. [bug] Don't serve a slave zone which has no NS records.
7118 1752. [port] Move isc_app_start() to after ns_os_daemonise()
7119 as some fork() implementations unblock the signals
7120 that are blocked by isc_app_start(). [RT #12810]
7122 1751. [bug] --enable-getifaddrs failed under linux. [RT #12867]
7124 1750. [port] lib/bind/make/rules.in:subdirs was not bash friendly.
7127 1749. [bug] 'check-names response ignore;' failed to ignore.
7130 1748. [func] dig now returns the byte count for axfr/ixfr.
7132 1747. [bug] BIND 8 compatibility: named/named-checkconf failed
7133 to parse "host-statistics-max" in named.conf.
7135 1746. [func] Make public the function to read a key file,
7136 dst_key_read_public(). [RT #12450]
7138 1745. [bug] Dig/host/nslookup accept replies from link locals
7139 regardless of scope if no scope was specified when
7140 query was sent. [RT #12745]
7142 1744. [bug] If tuple2msgname() failed to convert a tuple to
7143 a name a REQUIRE could be triggered. [RT #12796]
7145 1743. [bug] If isc_taskmgr_create() was not able to create the
7146 requested number of worker threads then destruction
7147 of the manager would trigger an INSIST() failure.
7150 1742. [bug] Deleting all records at a node then adding a
7151 previously existing record, in a single UPDATE
7152 transaction, failed to leave / regenerate the
7153 associated RRSIG records. [RT #12788]
7155 1741. [bug] Deleting all records at a node in a secure zone
7156 using a update-policy grant failed. [RT #12787]
7158 1740. [bug] Replace rbt's hash algorithm as it performed badly
7159 with certain zones. [RT #12729]
7161 NOTE: a hash context now needs to be established
7162 via isc_hash_create() if the application was not
7165 1739. [bug] dns_rbt_deletetree() could incorrectly return
7166 ISC_R_QUOTA. [RT #12695]
7168 1738. [bug] Enable overrun checking by default. [RT #12695]
7170 1737. [bug] named failed if more than 16 masters were specified.
7173 1736. [bug] dst_key_fromnamedfile() could fail to read a
7174 public key. [RT #12687]
7176 1735. [bug] 'dig +sigtrace' could die with a REQUIRE failure.
7179 1734. [cleanup] 'rndc-confgen -a -t' remove extra '/' in path.
7182 1733. [bug] Return non-zero exit status on initial load failure.
7185 1732. [bug] 'rrset-order name "*"' wasn't being applied to ".".
7188 1731. [port] darwin: relax version test in ifconfig.sh.
7191 1730. [port] Determine the length type used by the socket API.
7194 1729. [func] Improve check-names error messages.
7196 1728. [doc] Update check-names documentation.
7198 1727. [bug] named-checkzone: check-names support didn't match
7201 1726. [port] aix5: add support for aix5.
7203 1725. [port] linux: update error message on interaction of threads,
7204 capabilities and setuid support (named -u). [RT #12541]
7206 1724. [bug] Look for DNSKEY records with "dig +sigtrace".
7209 1723. [cleanup] Silence compiler warnings from t_tasks.c. [RT #12493]
7211 1722. [bug] Don't commit the journal on malformed ixfr streams.
7214 1721. [bug] Error message from the journal processing were not
7215 always identifying the relevant journal. [RT #12519]
7217 1720. [bug] 'dig +chase' did not terminate on a RFC 2308 Type 1
7218 negative response. [RT #12506]
7220 1719. [bug] named was not correctly caching a RFC 2308 Type 1
7221 negative response. [RT #12506]
7223 1718. [bug] nsupdate was not handling RFC 2308 Type 3 negative
7224 responses when looking for the zone / master server.
7227 1717. [port] solaris: ifconfig.sh did not support Solaris 10.
7228 "ifconfig.sh down" didn't work for Solaris 9.
7230 1716. [doc] named.conf(5) was being installed in the wrong
7231 location. [RT #12441]
7233 1715. [func] 'dig +trace' now randomly selects the next servers
7234 to try. Report if there is a bad delegation.
7236 1714. [bug] dig/host/nslookup were only trying the first
7237 address when a nameserver was specified by name.
7240 1713. [port] linux: extend capset failure message to say:
7241 please ensure that the capset kernel module is
7242 loaded. see insmod(8)
7244 1712. [bug] Missing FULLCHECK for "trusted-key" in dig.
7246 1711. [func] 'rndc unfreeze' has been deprecated by 'rndc thaw'.
7248 1710. [func] 'rndc notify zone [class [view]]' resend the NOTIFY
7249 messages for the specified zone. [RT #9479]
7251 1709. [port] solaris: add SMF support from Sun.
7253 1708. [cleanup] Replaced dns_fullname_hash() with dns_name_fullhash()
7254 for conformance to the name space convention. Binary
7255 backward compatibility to the old function name is
7256 provided. [RT #12376]
7258 1707. [contrib] sdb/ldap updated to version 1.0-beta.
7260 1706. [bug] 'rndc stop' failed to cause zones to be flushed
7261 sometimes. [RT #12328]
7263 1705. [func] Allow the journal's name to be changed via named.conf.
7265 1704. [port] lwres needed a snprintf() implementation for
7266 platforms without snprintf(). Add missing
7267 "#include <isc/print.h>". [RT #12321]
7269 1703. [bug] named would loop sending NOTIFY messages when it
7270 failed to receive a response. [RT #12322]
7272 1702. [bug] also-notify should not be applied to built in zones.
7275 1701. [doc] A minimal named.conf man page.
7277 1700. [func] nslookup is no longer to be treated as deprecated.
7278 Remove "deprecated" warning message. Add man page.
7280 1699. [bug] dnssec-signzone can generate "not exact" errors
7281 when resigning. [RT #12281]
7283 1698. [doc] Use reserved IPv6 documentation prefix.
7285 1697. [bug] xxx-source{,-v6} was not effective when it
7286 specified one of listening addresses and a
7287 different port than the listening port. [RT #12257]
7289 1696. [bug] dnssec-signzone failed to clean out nodes that
7290 consisted of only NSEC and RRSIG records.
7293 1695. [bug] DS records when forwarding require special handling.
7296 1694. [bug] Report if the builtin views of "_default" / "_bind"
7297 are defined in named.conf. [RT #12023]
7299 1693. [bug] max-journal-size was not effective for master zones
7300 with ixfr-from-differences set. [RT #12024]
7302 1692. [bug] Don't set -I, -L and -R flags when libcrypto is in
7303 /usr/lib. [RT #11971]
7305 1691. [bug] sdb's attachversion was not complete. [RT #11990]
7307 1690. [bug] Delay detaching view from the client until UPDATE
7308 processing completes when shutting down. [RT #11714]
7310 1689. [bug] DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros
7311 contained gratuitous semicolons. [RT #11707]
7313 1688. [bug] LDFLAGS was not supported.
7315 1687. [bug] Race condition in dispatch. [RT #10272]
7317 1686. [bug] Named sent a extraneous NOTIFY when it received a
7318 redundant UPDATE request. [RT #11943]
7320 1685. [bug] Change #1679 loop tests weren't quite right.
7322 1684. [func] ixfr-from-differences now takes master and slave in
7323 addition to yes and no at the options and view levels.
7325 1683. [bug] dig +sigchase could leak memory. [RT #11445]
7327 1682. [port] Update configure test for (long long) printf format.
7330 1681. [bug] Only set SO_REUSEADDR when a port is specified in
7331 isc_socket_bind(). [RT #11742]
7333 1680. [func] rndc: the source address can now be specified.
7335 1679. [bug] When there was a single nameserver with multiple
7336 addresses for a zone not all addresses were tried.
7339 1678. [bug] RRSIG should use TYPEXXXXX for unknown types.
7341 1677. [bug] dig: +aaonly didn't work, +aaflag undocumented.
7343 1676. [func] New option "allow-query-cache". This lets
7344 allow-query be used to specify the default zone
7345 access level rather than having to have every
7346 zone override the global value. allow-query-cache
7347 can be set at both the options and view levels.
7348 If allow-query-cache is not set allow-query applies.
7350 1675. [bug] named would sometimes add extra NSEC records to
7351 the authority section.
7353 1674. [port] linux: increase buffer size used to scan
7356 1673. [port] linux: issue a error messages if IPv6 interface
7359 1672. [cleanup] Tests which only function in a threaded build
7360 now return R:THREADONLY (rather than R:UNTESTED)
7361 in a non-threaded build.
7363 1671. [contrib] queryperf: add NAPTR to the list of known types.
7365 1670. [func] Log UPDATE requests to slave zones without an acl as
7366 "disabled" at debug level 3. [RT #11657]
7370 1668. [bug] DIG_SIGCHASE was making bin/dig/host dump core.
7372 1667. [port] linux: not all versions have IF_NAMESIZE.
7374 1666. [bug] The optional port on hostnames in dual-stack-servers
7377 1665. [func] rndc now allows addresses to be set in the
7380 1664. [bug] nsupdate needed KEY for SIG(0), not DNSKEY.
7382 1663. [func] Look for OpenSSL by default.
7384 1662. [bug] Change #1658 failed to change one use of 'type'
7387 1661. [bug] Restore dns_name_concatenate() call in
7388 adb.c:set_target(). [RT #11582]
7390 1660. [bug] win32: connection_reset_fix() was being called
7391 unconditionally. [RT #11595]
7393 1659. [cleanup] Cleanup some messages that were referring to KEY vs
7394 DNSKEY, NXT vs NSEC and SIG vs RRSIG.
7396 1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5
7397 and DH. Tighten which options apply to KEY and
7400 1657. [doc] ARM: document query log output.
7402 1656. [doc] Update DNSSEC description in ARM to cover DS, NSEC
7403 DNSKEY and RRSIG. [RT #11542]
7405 1655. [bug] Logging multiple versions w/o a size was broken.
7408 1654. [bug] isc_result_totext() contained array bounds read
7411 1653. [func] Add key type checking to dst_key_fromfilename(),
7412 DST_TYPE_KEY should be used to read TSIG, TKEY and
7415 1652. [bug] TKEY still uses KEY.
7417 1651. [bug] dig: process multiple dash options.
7419 1650. [bug] dig, nslookup: flush standard out after each command.
7421 1649. [bug] Silence "unexpected non-minimal diff" message.
7424 1648. [func] Update dnssec-lookaside named.conf syntax to support
7425 multiple dnssec-lookaside namespaces (not yet
7428 1647. [bug] It was possible trigger a INSIST when chasing a DS
7429 record that required walking back over a empty node.
7432 1646. [bug] win32: logging file versions didn't work with
7433 non-UNC filenames. [RT #11486]
7435 1645. [bug] named could trigger a REQUIRE failure if multiple
7436 masters with keys are specified.
7438 1644. [bug] Update the journal modification time after a
7439 successful refresh query. [RT #11436]
7441 1643. [bug] dns_db_closeversion() could leak memory / node
7442 references. [RT #11163]
7444 1642. [port] Support OpenSSL implementations which don't have
7445 DSA support. [RT #11360]
7447 1641. [bug] Update the check-names description in ARM. [RT #11389]
7449 1640. [bug] win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was
7450 incorrectly closing the socket. [RT #11291]
7452 1639. [func] Initial dlv system test.
7454 1638. [bug] "ixfr-from-differences" could generate a REQUIRE
7455 failure if the journal open failed. [RT #11347]
7457 1637. [bug] Node reference leak on error in addnoqname().
7459 1636. [bug] The dump done callback could get ISC_R_SUCCESS even if
7460 a error had occurred. The database version no longer
7461 matched the version of the database that was dumped.
7463 1635. [bug] Memory leak on error in query_addds().
7465 1634. [bug] named didn't supply a useful error message when it
7466 detected duplicate views. [RT #11208]
7468 1633. [bug] named should return NOTIMP to update requests to a
7469 slaves without a allow-update-forwarding acl specified.
7472 1632. [bug] nsupdate failed to send prerequisite only UPDATE
7473 messages. [RT #11288]
7475 1631. [bug] dns_journal_compact() could sometimes corrupt the
7476 journal. [RT #11124]
7478 1630. [contrib] queryperf: add support for IPv6 transport.
7480 1629. [func] dig now supports IPv6 scoped addresses with the
7481 extended format in the local-server part. [RT #8753]
7483 1628. [bug] Typo in Compaq Trucluster support. [RT #11264]
7485 1627. [bug] win32: sockets were not being closed when the
7486 last external reference was removed. [RT #11179]
7488 1626. [bug] --enable-getifaddrs was broken. [RT #11259]
7490 1625. [bug] named failed to load/transfer RFC2535 signed zones
7491 which contained CNAMES. [RT #11237]
7493 1624. [bug] zonemgr_putio() call should be locked. [RT #11163]
7495 1623. [bug] A serial number of zero was being displayed in the
7496 "sending notifies" log message when also-notify was
7499 1622. [func] probe the system to see if IPV6_(RECV)PKTINFO is
7500 available, and suppress wildcard binding if not.
7502 1621. [bug] match-destinations did not work for IPv6 TCP queries.
7505 1620. [func] When loading a zone report if it is signed. [RT #11149]
7507 1619. [bug] Missing ISC_LIST_UNLINK in end_reserved_dispatches().
7510 1618. [bug] Fencepost errors in dns_name_ishostname() and
7511 dns_name_ismailbox() could trigger a INSIST().
7513 1617. [port] win32: VC++ 6.0 support.
7515 1616. [compat] Ensure that named's version is visible in the core
7518 1615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if
7521 1614. [port] win32: silence resource limit messages. [RT #11101]
7523 1613. [bug] Builds would fail on machines w/o a if_nametoindex().
7524 Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif.
7527 1612. [bug] check-names at the option/view level could trigger
7528 an INSIST. [RT #11116]
7530 1611. [bug] solaris: IPv6 interface scanning failed to cope with
7531 no active IPv6 interfaces.
7533 1610. [bug] On dual stack machines "dig -b" failed to set the
7534 address type to be looked up with "@server".
7537 1609. [func] dig now has support to chase DNSSEC signature chains.
7538 Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES.
7540 DNSSEC validation code in dig coded by Olivier Courtay
7541 (olivier.courtay@irisa.fr) for the IDsA project
7542 (http://idsa.irisa.fr).
7544 1608. [func] dig and host now accept -4/-6 to select IP transport
7545 to use when making queries.
7547 1607. [bug] dig, host and nslookup were still using random()
7548 to generate query ids. [RT #11013]
7550 1606. [bug] DLV insecurity proof was failing.
7552 1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC.
7554 1604. [bug] A xfrout_ctx_create() failure would result in
7555 xfrout_ctx_destroy() being called with a
7556 partially initialized structure.
7558 1603. [bug] nsupdate: set interactive based on isatty().
7561 1602. [bug] Logging to a file failed unless a size was specified.
7564 1601. [bug] Silence spurious warning 'both "recursion no;" and
7565 "allow-recursion" active' warning from view "_bind".
7568 1600. [bug] Duplicate zone pre-load checks were not case
7571 1599. [bug] Fix memory leak on error path when checking named.conf.
7573 1598. [func] Specify that certain parts of the namespace must
7574 be secure (dnssec-must-be-secure).
7576 1597. [func] Allow notify-source and query-source to be specified
7577 on a per server basis similar to transfer-source.
7580 1596. [func] Accept 'notify-source' style syntax for query-source.
7582 1595. [func] New notify type 'master-only'. Enable notify for
7585 1594. [bug] 'rndc dumpdb' could prevent named from answering
7586 queries while the dump was in progress. [RT #10565]
7588 1593. [bug] rndc should return "unknown command" to unknown
7589 commands. [RT #10642]
7591 1592. [bug] configure_view() could leak a dispatch. [RT #10675]
7593 1591. [bug] libbind: updated to BIND 8.4.5.
7595 1590. [port] netbsd: update thread support.
7597 1589. [func] DNSSEC lookaside validation.
7599 1588. [bug] win32: TCP sockets could become blocked. [RT #10115]
7601 1587. [bug] dns_message_settsigkey() failed to clear existing key.
7604 1586. [func] "check-names" is now implemented.
7608 1584. [bug] "make test" failed with a read only source tree.
7611 1583. [bug] Records add via UPDATE failed to get the correct trust
7614 1582. [bug] rrset-order failed to work on RRsets with more
7615 than 32 elements. [RT #10381]
7617 1581. [func] Disable DNSSEC support by default. To enable
7618 DNSSEC specify "dnssec-enable yes;" in named.conf.
7620 1580. [bug] Zone destruction on final detach takes a long time.
7623 1579. [bug] Multiple task managers could not be created.
7625 1578. [bug] Don't use CLASS E IPv4 addresses when resolving.
7628 1577. [bug] Use isc_uint32_t in ultrasparc optimizer bug
7629 workaround code. [RT #10331]
7631 1576. [bug] Race condition in dns_dispatch_addresponse().
7634 1575. [func] Log TSIG name on TSIG verify failure. [RT #4404]
7636 1574. [bug] Don't attempt to open the controls socket(s) when
7637 running tests. [RT #9091]
7639 1573. [port] linux: update to libtool 1.5.2 so that
7640 "make install DESTDIR=/xx" works with
7641 "configure --with-libtool". [RT #9941]
7643 1572. [bug] nsupdate: sign the soa query to find the enclosing
7644 zone if the server is specified. [RT #10148]
7646 1571. [bug] rbt:hash_node() could fail leaving the hash table
7647 in an inconsistent state. [RT #10208]
7649 1570. [bug] nsupdate failed to handle classes other than IN.
7650 New keyword 'class' which sets the default class.
7653 1569. [func] nsupdate new command 'answer' which displays the
7654 complete answer message to the last update.
7656 1568. [bug] nsupdate now reports that the update failed in
7657 interactive mode. [RT #10236]
7659 1567. [maint] B.ROOT-SERVERS.NET is now 192.228.79.201.
7661 1566. [port] Support for the cmsg framework on Solaris and HP/UX.
7662 This also solved the problem that match-destinations
7663 for IPv6 addresses did not work on these systems.
7666 1565. [bug] CD flag should be copied to outgoing queries unless
7667 the query is under a secure entry point in which case
7670 1564. [func] Attempt to provide a fallback entropy source to be
7671 used if named is running chrooted and named is unable
7672 to open entropy source within the chroot area.
7675 1563. [bug] Gracefully fail when unable to obtain neither an IPv4
7676 nor an IPv6 dispatch. [RT #10230]
7678 1562. [bug] isc_socket_create() and isc_socket_accept() could
7679 leak memory under error conditions. [RT #10230]
7681 1561. [bug] It was possible to release the same name twice if
7682 named ran out of memory. [RT #10197]
7684 1560. [port] FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA
7685 and EAI_NONAME to the same value.
7687 1559. [port] named should ignore SIGFSZ.
7689 1558. [func] New DNSSEC 'disable-algorithms'. Support entry into
7690 child zones for which we don't have a supported
7691 algorithm. Such child zones are treated as unsigned.
7693 1557. [func] Implement missing DNSSEC tests for
7694 * NOQNAME proof with wildcard answers.
7695 * NOWILDARD proof with NXDOMAIN.
7696 Cache and return NOQNAME with wildcard answers.
7698 1556. [bug] nsupdate now treats all names as fully qualified.
7701 1555. [func] 'rrset-order cyclic' no longer has a random starting
7702 point per query. [RT #7572]
7704 1554. [bug] dig, host, nslookup failed when no nameservers
7705 were specified in /etc/resolv.conf. [RT #8232]
7707 1553. [bug] The windows socket code could stop accepting
7708 connections. [RT #10115]
7710 1552. [bug] Accept NOTIFY requests from mapped masters if
7711 matched-mapped is set. [RT #10049]
7713 1551. [port] Open "/dev/null" before calling chroot().
7715 1550. [port] Call tzset(), if available, before calling chroot().
7717 1549. [func] named-checkzone can now write out the zone contents
7718 in a easily parsable format (-D and -o).
7720 1548. [bug] When parsing APL records it was possible to silently
7721 accept out of range ADDRESSFAMILY values. [RT #9979]
7723 1547. [bug] Named wasted memory recording duplicate lame zone
7726 1546. [bug] We were rejecting valid secure CNAME to negative
7729 1545. [bug] It was possible to leak memory if named was unable to
7730 bind to the specified transfer source and TSIG was
7731 being used. [RT #10120]
7733 1544. [bug] Named would logged a single entry to a file despite it
7734 being over the specified size limit.
7736 1543. [bug] Logging using "versions unlimited" did not work.
7740 1541. [func] NSEC now uses new bitmap format.
7742 1540. [bug] "rndc reload <dynamiczone>" was silently accepted.
7745 1539. [bug] Open UDP sockets for notify-source and transfer-source
7746 that use reserved ports at startup. [RT #9475]
7748 1538. [placeholder] rt9997
7750 1537. [func] New option "querylog". If set specify whether query
7751 logging is to be enabled or disabled at startup.
7753 1536. [bug] Windows socket code failed to log a error description
7754 when returning ISC_R_UNEXPECTED. [RT #9998]
7758 1534. [bug] Race condition when priming cache. [RT #9940]
7760 1533. [func] Warn if both "recursion no;" and "allow-recursion"
7761 are active. [RT #4389]
7763 1532. [port] netbsd: the configure test for <sys/sysctl.h>
7764 requires <sys/param.h>.
7766 1531. [port] AIX more libtool fixes.
7768 1530. [bug] It was possible to trigger a INSIST() failure if a
7769 slave master file was removed at just the correct
7772 1529. [bug] "notify explicit;" failed to log that NOTIFY messages
7773 were being sent for the zone. [RT #9442]
7775 1528. [cleanup] Simplify some dns_name_ functions based on the
7776 deprecation of bitstring labels.
7778 1527. [cleanup] Reduce the number of gettimeofday() calls without
7779 losing necessary timer granularity.
7781 1526. [func] Implemented "additional section caching (or acache)",
7782 an internal cache framework for additional section
7783 content to improve response performance. Several
7784 configuration options were provided to control the
7787 1525. [bug] dns_cache_create() could trigger a REQUIRE
7788 failure in isc_mem_put() during error cleanup.
7791 1524. [port] AIX needs to be able to resolve all symbols when
7792 creating shared libraries (--with-libtool).
7794 1523. [bug] Fix race condition in rbtdb. [RT #9189]
7796 1522. [bug] dns_db_findnode() relax the requirements on 'name'.
7799 1521. [bug] dns_view_createresolver() failed to check the
7800 result from isc_mem_create(). [RT #9294]
7802 1520. [protocol] Add SSHFP (SSH Finger Print) type.
7804 1519. [bug] dnssec-signzone:nsec_setbit() computed the wrong
7805 length of the new bitmap.
7807 1518. [bug] dns_nsec_buildrdata(), and hence dns_nsec_build(),
7808 contained a off-by-one error when working out the
7809 number of octets in the bitmap.
7811 1517. [port] Support for IPv6 interface scanning on HP/UX and
7814 1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
7816 1515. [func] Allow transfer source to be set in a server statement.
7819 1514. [bug] named: isc_hash_destroy() was being called too early.
7822 1513. [doc] Add "US" to root-delegation-only exclude list.
7824 1512. [bug] Extend the delegation-only logging to return query
7825 type, class and responding nameserver.
7827 1511. [bug] delegation-only was generating false positives
7828 on negative answers from sub-zones.
7830 1510. [func] New view option "root-delegation-only". Apply
7831 delegation-only check to all TLDs and root.
7832 Note there are some TLDs that are NOT delegation
7833 only (e.g. DE, LV, US and MUSEUM) these can be excluded
7834 from the checks by using exclude.
7836 root-delegation-only exclude {
7837 "DE"; "LV"; "US"; "MUSEUM";
7840 1509. [bug] Hint zones should accept delegation-only. Forward
7841 zone should not accept delegation-only.
7843 1508. [bug] Don't apply delegation-only checks to answers from
7846 1507. [bug] Handle BIND 8 style returns to NS queries to parents
7847 when making delegation-only checks.
7849 1506. [bug] Wrong return type for dns_view_isdelegationonly().
7851 1505. [bug] Uninitialized rdataset in sdb. [RT #8750]
7853 1504. [func] New zone type "delegation-only".
7855 1503. [port] win32: install libeay32.dll outside of system32.
7857 1502. [bug] nsupdate: adjust timeouts for UPDATE requests over TCP.
7859 1501. [func] Allow TCP queue length to be specified via
7860 named.conf, tcp-listen-queue.
7862 1500. [bug] host failed to lookup MX records. Also look up
7865 1499. [bug] isc_random need to be seeded better if arc4random()
7868 1498. [port] bsdos: 5.x support.
7872 1496. [port] test for pthread_attr_setstacksize().
7874 1495. [cleanup] Replace hash functions with universal hash.
7876 1494. [security] Turn on RSA BLINDING as a precaution.
7880 1492. [cleanup] Preserve rwlock quota context when upgrading /
7881 downgrading. [RT #5599]
7883 1491. [bug] dns_master_dump*() would produce extraneous $ORIGIN
7886 1490. [bug] Accept reading state as well as working state in
7887 ns_client_next(). [RT #6813]
7889 1489. [compat] Treat 'allow-update' on slave zones as a warning.
7892 1488. [bug] Don't override trust levels for glue addresses.
7895 1487. [bug] A REQUIRE() failure could be triggered if a zone was
7896 queued for transfer and the zone was then removed.
7899 1486. [bug] isc_print_snprintf() '%%' consumed one too many format
7900 characters. [RT #8230]
7902 1485. [bug] gen failed to handle high type values. [RT #6225]
7904 1484. [bug] The number of records reported after a AXFR was wrong.
7907 1483. [bug] dig axfr failed if the message id in the answer failed
7908 to match that in the request. Only the id in the first
7909 message is required to match. [RT #8138]
7911 1482. [bug] named could fail to start if the kernel supports
7912 IPv6 but no interfaces are configured. Similarly
7913 for IPv4. [RT #6229]
7915 1481. [bug] Refresh and stub queries failed to use masters keys
7916 if specified. [RT #7391]
7918 1480. [bug] Provide replay protection for rndc commands. Full
7919 replay protection requires both rndc and named to
7920 be updated. Partial replay protection (limited
7921 exposure after restart) is provided if just named
7924 1479. [bug] cfg_create_tuple() failed to handle out of
7925 memory cleanup. parse_list() would leak memory
7928 1478. [port] ifconfig.sh didn't account for other virtual
7929 interfaces. It now takes a optional argument
7930 to specify the first interface number. [RT #3907]
7932 1477. [bug] memory leak using stub zones and TSIG.
7936 1475. [port] Probe for old sprintf().
7938 1474. [port] Provide strtoul() and memmove() for platforms
7941 1473. [bug] create_map() and create_string() failed to handle out
7942 of memory cleanup. [RT #6813]
7944 1472. [contrib] idnkit-1.0 from JPNIC, replaces mdnkit.
7946 1471. [bug] libbind: updated to BIND 8.4.0.
7948 1470. [bug] Incorrect length passed to snprintf. [RT #5966]
7950 1469. [func] Log end of outgoing zone transfer at same level
7951 as the start of transfer is logged. [RT #4441]
7953 1468. [func] Internal zones are no longer counted for
7954 'rndc status'. [RT #4706]
7956 1467. [func] $GENERATES now supports optional class and ttl.
7958 1466. [bug] lwresd configuration errors resulted in memory
7959 and lock leaks. [RT #5228]
7961 1465. [bug] isc_base64_decodestring() and isc_base64_tobuffer()
7962 failed to check that trailing bits were zero allowing
7963 some invalid base64 strings to be accepted. [RT #5397]
7965 1464. [bug] Preserve "out of zone" data for outgoing zone
7966 transfers. [RT #5192]
7968 1463. [bug] dns_rdata_from{wire,struct}() failed to catch bad
7969 NXT bit maps. [RT #5577]
7971 1462. [bug] parse_sizeval() failed to check the token type.
7974 1461. [bug] Remove deadlock from rbtdb code. [RT #5599]
7976 1460. [bug] inet_pton() failed to reject certain malformed
7981 1458. [cleanup] sprintf() -> snprintf().
7983 1457. [port] Provide strlcat() and strlcpy() for platforms without
7986 1456. [contrib] gen-data-queryperf.py from Stephane Bortzmeyer.
7988 1455. [bug] <netaddr> missing from server grammar in
7989 doc/misc/options. [RT #5616]
7991 1454. [port] Use getifaddrs() if available for interface scanning.
7992 --disable-getifaddrs to override. Glibc currently
7993 has a getifaddrs() that does not support IPv6.
7994 Use --enable-getifaddrs=glibc to force the use of
7995 this version under linux machines.
7997 1453. [doc] ARM: $GENERATE example wasn't accurate. [RT #5298]
8001 1451. [bug] rndc-confgen didn't exit with a error code for all
8002 failures. [RT #5209]
8004 1450. [bug] Fetching expired glue failed under certain
8005 circumstances. [RT #5124]
8007 1449. [bug] query_addbestns() didn't handle running out of memory
8010 1448. [bug] Handle empty wildcards labels.
8012 1447. [bug] We were casting (unsigned int) to and from (void *).
8013 rdataset->private4 is now rdataset->privateuint4
8014 to reflect a type change.
8016 1446. [func] Implemented undocumented alternate transfer sources
8017 from BIND 8. See use-alt-transfer-source,
8018 alt-transfer-source and alt-transfer-source-v6.
8020 SECURITY: use-alt-transfer-source is ENABLED unless
8021 you are using views. This may cause a security risk
8022 resulting in accidental disclosure of wrong zone
8023 content if the master supplying different source
8024 content based on IP address. If you are not certain
8025 ISC recommends setting use-alt-transfer-source no;
8027 1445. [bug] DNS_ADBFIND_STARTATROOT broke stub zones. This has
8028 been replaced with DNS_ADBFIND_STARTATZONE which
8029 causes the search to start using the closest zone.
8031 1444. [func] dns_view_findzonecut2() allows you to specify if the
8032 cache should be searched for zone cuts.
8034 1443. [func] Masters lists can now be specified and referenced
8035 in zone masters clauses and other masters lists.
8037 1442. [func] New functions for manipulating port lists:
8038 dns_portlist_create(), dns_portlist_add(),
8039 dns_portlist_remove(), dns_portlist_match(),
8040 dns_portlist_attach() and dns_portlist_detach().
8042 1441. [func] It is now possible to tell dig to bind to a specific
8045 1440. [func] It is now possible to tell named to avoid using
8046 certain source ports (avoid-v4-udp-ports,
8047 avoid-v6-udp-ports).
8049 1439. [bug] Named could return NOERROR with certain NOTIFY
8050 failures. Return NOTAUTH if the NOTIFY zone is
8053 1438. [func] Log TSIG (if any) when logging NOTIFY requests.
8055 1437. [bug] Leave space for stdio to work in. [RT #5033]
8057 1436. [func] dns_zonemgr_resumexfrs() can be used to restart
8060 1435. [bug] zmgr_resume_xfrs() was being called read locked
8061 rather than write locked. zmgr_resume_xfrs()
8062 was not being called if the zone was being
8065 1434. [bug] "rndc reconfig" failed to initiate the initial
8066 zone transfer of new slave zones.
8068 1433. [bug] named could trigger a REQUIRE failure if it could
8069 not get a file descriptor when attempting to write
8070 a master file. [RT #4347]
8072 1432. [func] The advertised EDNS UDP buffer size can now be set
8073 via named.conf (edns-udp-size).
8075 1431. [bug] isc_print_snprintf() "%s" with precision could walk off
8076 end of argument. [RT #5191]
8078 1430. [port] linux: IPv6 interface scanning support.
8080 1429. [bug] Prevent the cache getting locked to old servers.
8084 1427. [bug] Race condition in adb with threaded build.
8088 1425. [port] linux/libbind: define __USE_MISC when testing *_r()
8089 function prototypes in netdb.h. [RT #4921]
8091 1424. [bug] EDNS version not being correctly printed.
8093 1423. [contrib] queryperf: added A6 and SRV.
8095 1422. [func] Log name/type/class when denying a query. [RT #4663]
8097 1421. [func] Differentiate updates that don't succeed due to
8098 prerequisites (unsuccessful) vs other reasons
8101 1420. [port] solaris: work around gcc optimizer bug.
8103 1419. [port] openbsd: use /dev/arandom. [RT #4950]
8105 1418. [bug] 'rndc reconfig' did not cause new slaves to load.
8107 1417. [func] ID.SERVER/CHAOS is now a built in zone.
8108 See "server-id" for how to configure.
8110 1416. [bug] Empty node should return NOERROR NODATA, not NXDOMAIN.
8113 1415. [func] DS TTL now derived from NS ttl. NXT TTL now derived
8116 1414. [func] Support for KSK flag.
8118 1413. [func] Explicitly request the (re-)generation of DS records
8119 from keysets (dnssec-signzone -g).
8121 1412. [func] You can now specify servers to be tried if a nameserver
8122 has IPv6 address and you only support IPv4 or the
8123 reverse. See dual-stack-servers.
8125 1411. [bug] empty nodes should stop wildcard matches. [RT #4802]
8127 1410. [func] Handle records that live in the parent zone, e.g. DS.
8129 1409. [bug] DS should have attribute DNS_RDATATYPEATTR_DNSSEC.
8131 1408. [bug] "make distclean" was not complete. [RT #4700]
8133 1407. [bug] lfsr incorrectly implements the shift register.
8136 1406. [bug] dispatch initializes one of the LFSR's with a incorrect
8137 polynomial. [RT #4617]
8139 1405. [func] Use arc4random() if available.
8141 1404. [bug] libbind: ns_name_ntol() could overwrite a zero length
8144 1403. [func] dnssec-signzone, dnssec-keygen, dnssec-makekeyset
8145 dnssec-signkey now report their version in the
8148 1402. [cleanup] A6 has been moved to experimental and is no longer
8151 1401. [bug] adb wasn't clearing state when the timer expired.
8153 1400. [bug] Block the addition of wildcard NS records by IXFR
8154 or UPDATE. [RT #3502]
8156 1399. [bug] Use serial number arithmetic when testing SIG
8157 timestamps. [RT #4268]
8159 1398. [doc] ARM: notify-also should have been also-notify.
8162 1397. [maint] J.ROOT-SERVERS.NET is now 192.58.128.30.
8164 1396. [func] dnssec-signzone: adjust the default signing time by
8165 1 hour to allow for clock skew.
8167 1395. [port] OpenSSL 0.9.7 defines CRYPTO_LOCK_ENGINE but doesn't
8168 have a working implementation. [RT #4079]
8170 1394. [func] It is now possible to check if a particular element is
8171 in a acl. Remove duplicate entries from the localnets
8174 1393. [port] Bind to individual IPv6 interfaces if IPV6_IPV6ONLY
8175 is not available in the kernel to prevent accidently
8176 listening on IPv4 interfaces.
8178 1392. [bug] named-checkzone: update usage.
8180 1391. [func] Add support for IPv6 scoped addresses in named.
8182 1390. [func] host now supports ixfr.
8184 1389. [bug] named could fail to rotate long log files. [RT #3666]
8186 1388. [port] irix: check for sys/sysctl.h and NET_RT_IFLIST before
8187 defining HAVE_IFLIST_SYSCTL. [RT #3770]
8189 1387. [bug] named could crash due to an access to invalid memory
8190 space (which caused an assertion failure) in
8191 incremental cleaning. [RT #3588]
8193 1386. [bug] named-checkzone -z stopped on errors in a zone.
8196 1385. [bug] Setting serial-query-rate to 10 would trigger a
8199 1384. [bug] host was incompatible with BIND 8 in its exit code and
8200 in the output with the -l option. [RT #3536]
8202 1383. [func] Track the serial number in a IXFR response and log if
8203 a mismatch occurs. This is a more specific error than
8204 "not exact". [RT #3445]
8206 1382. [bug] make install failed with --enable-libbind. [RT #3656]
8208 1381. [bug] named failed to correctly process answers that
8209 contained DNAME records where the resulting CNAME
8210 resulted in a negative answer.
8212 1380. [func] 'rndc recursing' dump recursing queries to
8213 'recursing-file = "named.recursing";'.
8215 1379. [func] 'rndc status' now reports tcp and recursion quota
8218 1378. [func] Improved positive feedback for 'rndc {reload|refresh}.
8220 1377. [func] dns_zone_load{new}() now reports if the zone was
8221 loaded, queued for loading to up to date.
8223 1376. [func] New function dns_zone_logc() to log to specified
8226 1375. [func] 'rndc dumpdb' now dumps the adb cache along with the
8229 1374. [func] dns_adb_dump() now logs the lame zones associated
8232 1373. [bug] Recovery from expired glue failed under certain
8235 1372. [bug] named crashes with an assertion failure on exit when
8236 sharing the same port for listening and querying, and
8237 changing listening addresses several times. [RT #3509]
8239 1371. [bug] notify-source-v6, transfer-source-v6 and
8240 query-source-v6 with explicit addresses and using the
8241 same ports as named was listening on could interfere
8242 with named's ability to answer queries sent to those
8245 1370. [bug] dig '+[no]recurse' was incorrectly documented.
8247 1369. [bug] Adding an NS record as the lexicographically last
8248 record in a secure zone didn't work.
8250 1368. [func] remove support for bitstring labels.
8252 1367. [func] Use response times to select forwarders.
8254 1366. [contrib] queryperf usage was incomplete. Add '-h' for help.
8256 1365. [func] "localhost" and "localnets" acls now include IPv6
8257 addresses / prefixes.
8259 1364. [func] Log file name when unable to open memory statistics
8260 and dump database files. [RT #3437]
8262 1363. [func] Listen-on-v6 now supports specific addresses.
8264 1362. [bug] remove IFF_RUNNING test when scanning interfaces.
8266 1361. [func] log the reason for rejecting a server when resolving
8269 1360. [bug] --enable-libbind would fail when not built in the
8270 source tree for certain OS's.
8272 1359. [security] Support patches OpenSSL libraries.
8273 http://www.cert.org/advisories/CA-2002-23.html
8275 1358. [bug] It was possible to trigger a INSIST when debugging
8276 large dynamic updates. [RT #3390]
8278 1357. [bug] nsupdate was extremely wasteful of memory.
8280 1356. [tuning] Reduce the number of events / quantum for zone tasks.
8282 1355. [bug] Fix DNSSEC wildcard proof for CNAME/DNAME.
8284 1354. [doc] lwres man pages had illegal nroff.
8286 1353. [contrib] sdb/ldap to version 0.9.
8288 1352. [bug] dig, host, nslookup when falling back to TCP use the
8289 current search entry (if any). [RT #3374]
8291 1351. [bug] lwres_getipnodebyname() returned the wrong name
8292 when given a IPv4 literal, af=AF_INET6 and AI_MAPPED
8295 1350. [bug] dns_name_fromtext() failed to handle too many labels
8298 1349. [security] Minimum OpenSSL version now 0.9.6e (was 0.9.5a).
8299 http://www.cert.org/advisories/CA-2002-23.html
8301 1348. [port] win32: Rewrote code to use I/O Completion Ports
8302 in socket.c and eliminating a host of socket
8303 errors. Performance is enhanced.
8309 1345. [port] Use a explicit -Wformat with gcc. Not all versions
8310 include it in -Wall.
8312 1344. [func] Log if the serial number on the master has gone
8314 If you have multiple machines specified in the masters
8315 clause you may want to set 'multi-master yes;' to
8316 suppress this warning.
8318 1343. [func] Log successful notifies received (info). Adjust log
8319 level for failed notifies to notice.
8321 1342. [func] Log remote address with TCP dispatch failures.
8323 1341. [func] Allow a rate limiter to be stalled.
8325 1340. [bug] Delay and spread out the startup refresh load.
8327 1339. [func] dig, host and nslookup now use IP6.ARPA for nibble
8328 lookups. Bit string lookups are no longer attempted.
8334 1336. [func] Nibble lookups under IP6.ARPA are now supported by
8335 dns_byaddr_create(). dns_byaddr_createptrname() is
8336 deprecated, use dns_byaddr_createptrname2() instead.
8338 1335. [bug] When performing a nonexistence proof, the validator
8339 should discard parent NXTs from higher in the DNS.
8341 1334. [bug] When signing/verifying rdatasets, duplicate rdatas
8342 need to be suppressed.
8344 1333. [contrib] queryperf now reports a summary of returned
8345 rcodes (-c), rcodes are printed in mnemonic form (-v).
8347 1332. [func] Report the current serial with periodic commits when
8348 rolling forward the journal.
8350 1331. [func] Generate DNSSEC wildcard proofs.
8352 1330. [bug] When processing events (non-threaded) only allow
8353 the task one chance to use to use its quantum.
8355 1329. [func] named-checkzone will now check if nameservers that
8356 appear to be IP addresses. Available modes "fail",
8357 "warn" (default) and "ignore" the results of the
8360 1328. [bug] The validator could incorrectly verify an invalid
8363 1327. [bug] The validator would incorrectly mark data as insecure
8364 when seeing a bogus signature before a correct
8367 1326. [bug] DNAME/CNAME signatures were not being cached when
8368 validation was not being performed. [RT #3284]
8370 1325. [bug] If the tcpquota was exhausted it was possible to
8371 to trigger a INSIST() failure.
8373 1324. [port] darwin: ifconfig.sh now supports darwin.
8375 1323. [port] linux: Slackware 4.0 needs <asm/unistd.h>. [RT #3205]
8377 1322. [bug] dnssec-signzone usage message was misleading.
8379 1321. [bug] If the last RRset in a zone is glue, dnssec-signzone
8380 would incorrectly duplicate its output and sign it.
8382 1320. [doc] query-source-v6 was missing from options section.
8385 1319. [func] libbind: log attempts to exploit #1318.
8387 1318. [bug] libbind: Remote buffer overrun.
8389 1317. [port] libbind: TrueUNIX 5.1 does not like __align as a
8392 1316. [bug] libbind: gethostans() could get out of sync parsing
8393 the response if there was a very long CNAME chain.
8395 1315. [bug] Options should apply to the internal _bind view.
8397 1314. [port] Handle ECONNRESET from sendmsg() [unix].
8399 1313. [func] Query log now says if the query was signed (S) or
8400 if EDNS was used (E).
8402 1312. [func] Log TSIG key used w/ outgoing zone transfers.
8404 1311. [bug] lwres_getrrsetbyname leaked memory. [RT #3159]
8406 1310. [bug] 'rndc stop' failed to cause zones to be flushed
8407 sometimes. [RT #3157]
8409 1309. [func] Log that a zone transfer was covered by a TSIG.
8411 1308. [func] DS (delegation signer) support.
8413 1307. [bug] nsupdate: allow white space base64 key data.
8415 1306. [bug] Badly encoded LOC record when the size, horizontal
8416 precision or vertical precision was 0.1m.
8418 1305. [bug] Document that internal zones are included in the
8419 rndc status results.
8421 1304. [func] New function: dns_zone_name().
8423 1303. [func] Option 'flush-zones-on-shutdown <boolean>;'.
8425 1302. [func] Extended rndc dumpdb to support dumping of zones and
8426 view selection: 'dumpdb [-all|-zones|-cache] [view]'.
8428 1301. [func] New category 'update-security'.
8430 1300. [port] Compaq Trucluster support.
8432 1299. [bug] Set AI_ADDRCONFIG when looking up addresses
8433 via getaddrinfo() (affects dig, host, nslookup, rndc
8436 1298. [bug] The CINCLUDES macro in lib/dns/sec/dst/Makefile
8437 could be left with a trailing "\" after configure
8440 1297. [port] linux: make handling EINVAL from socket() no longer
8441 conditional on #ifdef LINUX.
8443 1296. [bug] isc_log_closefilelogs() needed to lock the log
8446 1295. [bug] isc_log_setdebuglevel() needed to lock the log
8449 1294. [func] libbind: no longer attempts bit string labels for
8450 IPv6 reverse resolution. Try IP6.ARPA then IP6.INT
8451 for nibble style resolution.
8453 1293. [func] Entropy can now be retrieved from EGDs. [RT #2438]
8455 1292. [func] Enable IPv6 support when using ioctl style interface
8456 scanning and OS supports SIOCGLIFADDR using struct
8459 1291. [func] Enable IPv6 support when using sysctl style interface
8462 1290. [func] "dig axfr" now reports the number of messages
8463 as well as the number of records.
8465 1289. [port] See if -ldl is required for OpenSSL? [RT #2672]
8467 1288. [bug] Adjusted REQUIRE's in lib/dns/name.c to better
8468 reflect written requirements.
8470 1287. [bug] REQUIRE that DNS_DBADD_MERGE only be set when adding
8471 a rdataset to a zone db in the rbtdb implementation of
8474 1286. [bug] dns_name_downcase() enforce requirement that
8475 target != NULL or name->buffer != NULL.
8477 1285. [func] lwres: probe the system to see what address families
8478 are currently in use.
8480 1284. [bug] The RTT estimate on unused servers was not aged.
8483 1283. [func] Use "dataready" accept filter if available.
8485 1282. [port] libbind: hpux 11.11 interface scanning.
8487 1281. [func] Log zone when unable to get private keys to update
8488 zone. Log zone when NXT records are missing from
8491 1280. [bug] libbind: escape '(' and ')' when converting to
8494 1279. [port] Darwin uses (unsigned long) for size_t. [RT #2590]
8496 1278. [func] dig: now supports +[no]cl +[no]ttlid.
8498 1277. [func] You can now create your own customized printing
8499 styles: dns_master_stylecreate() and
8500 dns_master_styledestroy().
8502 1276. [bug] libbind: const pointer conflicts in res_debug.c.
8504 1275. [port] libbind: hpux: treat all hpux systems as BIG_ENDIAN.
8506 1274. [bug] Memory leak in lwres_gnbarequest_parse().
8508 1273. [port] libbind: solaris: 64 bit binary compatibility.
8510 1272. [contrib] Berkeley DB 4.0 sdb implementation from
8511 Nuno Miguel Rodrigues <nmr@co.sapo.pt>.
8513 1271. [bug] "recursion available: {denied,approved}" was too
8516 1270. [bug] Check that system inet_pton() and inet_ntop() support
8519 1269. [port] Openserver: ifconfig.sh support.
8521 1268. [port] Openserver: the value FD_SETSIZE depends on whether
8522 <sys/param.h> is included or not. Be consistent.
8524 1267. [func] isc_file_openunique() now creates file using mode
8525 0666 rather than 0600.
8527 1266. [bug] ISC_LINK_INIT, ISC_LINK_UNLINK, ISC_LIST_DEQUEUE,
8528 __ISC_LINK_UNLINKUNSAFE and __ISC_LIST_DEQUEUEUNSAFE
8529 are not C++ compatible, use *_TYPE versions instead.
8531 1265. [bug] libbind: LINK_INIT and UNLINK were not compatible with
8532 C++, use LINK_INIT_TYPE and UNLINK_TYPE instead.
8536 1263. [bug] Reference after free error if dns_dispatchmgr_create()
8539 1262. [bug] ns_server_destroy() failed to set *serverp to NULL.
8541 1261. [func] libbind: ns_sign2() and ns_sign_tcp() now provide
8542 support for compressed TSIG owner names.
8544 1260. [func] libbind: res_update can now update IPv6 servers,
8545 new function res_findzonecut2().
8547 1259. [bug] libbind: get_salen() IPv6 support was broken for OSs
8550 1258. [bug] libbind: res_nametotype() and res_nametoclass() were
8553 1257. [bug] Failure to write pid-file should not be fatal on
8556 1256. [contrib] 'queryperf' now has EDNS (-e) + DNSSEC DO (-D) support.
8558 1255. [bug] When verifying that an NXT proves nonexistence, check
8559 the rcode of the message and only do the matching NXT
8560 check. That is, for NXDOMAIN responses, check that
8561 the name is in the range between the NXT owner and
8562 next name, and for NOERROR NODATA responses, check
8563 that the type is not present in the NXT bitmap.
8565 1254. [func] preferred-glue option from BIND 8.3.
8567 1253. [bug] The dnssec system test failed to remove the correct
8570 1252. [bug] Dig, host and nslookup were not checking the address
8571 the answer was coming from against the address it was
8574 1251. [port] win32: a make file contained absolute version specific
8577 1250. [func] Nsupdate will report the address the update was
8580 1249. [bug] Missing masters clause was not handled gracefully.
8583 1248. [bug] DESTDIR was not being propagated between makes.
8585 1247. [bug] Don't reset the interface index for link/site local
8586 addresses. [RT #2576]
8588 1246. [func] New functions isc_sockaddr_issitelocal(),
8589 isc_sockaddr_islinklocal(), isc_netaddr_issitelocal()
8590 and isc_netaddr_islinklocal().
8592 1245. [bug] Treat ENOBUFS, ENOMEM and ENFILE as soft errors for
8595 1244. [bug] Receiving a TCP message from a blackhole address would
8596 prevent further messages being received over that
8599 1243. [bug] It was possible to trigger a REQUIRE() in
8600 dns_message_findtype(). [RT #2659]
8602 1242. [bug] named-checkzone failed if a journal existed. [RT #2657]
8604 1241. [bug] Drop received UDP messages with a zero source port
8605 as these are invariably forged. [RT #2621]
8607 1240. [bug] It was possible to leak zone references by
8608 specifying an incorrect zone to rndc.
8610 1239. [bug] Under certain circumstances named could continue to
8611 use a name after it had been freed triggering
8612 INSIST() failures. [RT #2614]
8614 1238. [bug] It is possible to lockup the server when shutting down
8615 if notifies were being processed. [RT #2591]
8617 1237. [bug] nslookup: "set q=type" failed.
8619 1236. [bug] dns_rdata{class,type}_fromtext() didn't handle non
8620 NULL terminated text regions. [RT #2588]
8622 1235. [func] Report 'out of memory' errors from openssl.
8624 1234. [bug] contrib/sdb: 'zonetodb' failed to call
8625 dns_result_register(). DNS_R_SEENINCLUDE should not
8628 1233. [bug] The flags field of a KEY record can be expressed in
8629 hex as well as decimal.
8631 1232. [bug] unix/errno2result() didn't handle EADDRNOTAVAIL.
8633 1231. [port] HPUX 11.11 recvmsg() can return spurious EADDRNOTAVAIL.
8635 1230. [bug] isccc_cc_isreply() and isccc_cc_isack() were broken.
8637 1229. [bug] named would crash if it received a TSIG signed
8638 query as part of an AXFR response. [RT #2570]
8640 1228. [bug] 'make install' did not depend on 'make all'. [RT #2559]
8642 1227. [bug] dns_lex_getmastertoken() now returns ISC_R_BADNUMBER
8643 if a number was expected and some other token was
8646 1226. [func] Use EDNS for zone refresh queries. [RT #2551]
8648 1225. [func] dns_message_setopt() no longer requires that
8649 dns_message_renderbegin() to have been called.
8651 1224. [bug] 'rrset-order' and 'sortlist' should be additive
8654 1223. [func] 'rrset-order' partially works 'cyclic' and 'random'
8657 1222. [bug] Specifying 'port *' did not always result in a system
8658 selected (non-reserved) port being used. [RT #2537]
8660 1221. [bug] Zone types 'master', 'slave' and 'stub' were not being
8661 compared case insensitively. [RT #2542]
8663 1220. [func] Support for APL rdata type.
8665 1219. [func] Named now reports the TSIG extended error code when
8666 signature verification fails. [RT #1651]
8668 1218. [bug] Named incorrectly returned SERVFAIL rather than
8669 NOTAUTH when there was a TSIG BADTIME error. [RT #2519]
8671 1217. [func] Report locations of previous key definition when a
8672 duplicate is detected.
8674 1216. [bug] Multiple server clauses for the same server were not
8675 reported. [RT #2514]
8677 1215. [port] solaris: add support to ifconfig.sh for x86 2.5.1
8679 1214. [bug] Win32: isc_file_renameunique() could leave zero length
8682 1213. [func] Report view associated with client if it is not a
8683 standard view (_default or _bind).
8685 1212. [port] libbind: 64k answer buffers were causing stack space
8686 to be exceeded for certain OS. Use heap space instead.
8688 1211. [bug] dns_name_fromtext() incorrectly handled certain
8689 valid octal bitlabels. [RT #2483]
8691 1210. [bug] libbind: getnameinfo() failed to lookup IPv4 mapped /
8692 compatible addresses. [RT #2461]
8694 1209. [bug] Dig, host, nslookup were not checking the message ids
8695 on the responses. [RT #2454]
8697 1208. [bug] dns_master_load*() failed to log a error message if
8698 an error was detected when parsing the owner name of
8699 a record. [RT #2448]
8701 1207. [bug] libbind: getaddrinfo() could call freeaddrinfo() with
8704 1206. [bug] SERVFAIL and NOTIMP responses to an EDNS query should
8705 trigger a non-EDNS retry.
8707 1205. [bug] OPT, TSIG and TKEY cannot be used to set the "class"
8708 of the message. [RT #2449]
8710 1204. [bug] libbind: res_nupdate() failed to update the name
8711 server addresses before sending the update.
8713 1203. [func] Report locations of previous acl and zone definitions
8714 when a duplicate is detected.
8716 1202. [func] New functions: cfg_obj_line() and cfg_obj_file().
8718 1201. [bug] Require that if 'callbacks' is passed to
8719 dns_rdata_fromtext(), callbacks->error and
8720 callbacks->warn are initialized.
8722 1200. [bug] Log 'errno' that we are unable to convert to
8723 isc_result_t. [RT #2404]
8725 1199. [doc] ARM reference to RFC 2157 should have been RFC 1918.
8728 1198. [bug] OPT printing style was not consistent with the way the
8729 header fields are printed. The DO bit was not reported
8730 if set. Report if any of the MBZ bits are set.
8732 1197. [bug] Attempts to define the same acl multiple times were not
8735 1196. [contrib] update mdnkit to 2.2.3.
8737 1195. [bug] Attempts to redefine builtin acls should be caught.
8740 1194. [bug] Not all duplicate zone definitions were being detected
8741 at the named.conf checking stage. [RT #2431]
8743 1193. [bug] dig +besteffort parsing didn't handle packet
8744 truncation. dns_message_parse() has new flag
8745 DNS_MESSAGE_IGNORETRUNCATION.
8747 1192. [bug] The seconds fields in LOC records were restricted
8748 to three decimal places. More decimal places should
8749 be allowed but warned about.
8751 1191. [bug] A dynamic update removing the last non-apex name in
8752 a secure zone would fail. [RT #2399]
8754 1190. [func] Add the "rndc freeze" and "rndc unfreeze" commands.
8757 1189. [bug] On some systems, malloc(0) returns NULL, which
8758 could cause the caller to report an out of memory
8761 1188. [bug] Dynamic updates of a signed zone would fail if
8762 some of the zone private keys were unavailable.
8764 1187. [bug] named was incorrectly returning DNSSEC records
8765 in negative responses when the DO bit was not set.
8767 1186. [bug] isc_hex_tobuffer(,,length = 0) failed to unget the
8768 EOL token when reading to end of line.
8770 1185. [bug] libbind: don't assume statp->_u._ext.ext is valid
8771 unless RES_INIT is set when calling res_*init().
8773 1184. [bug] libbind: call res_ndestroy() if RES_INIT is set
8774 when res_*init() is called.
8776 1183. [bug] Handle ENOSR error when writing to the internal
8777 control pipe. [RT #2395]
8779 1182. [bug] The server could throw an assertion failure when
8780 constructing a negative response packet.
8782 1181. [func] Add the "key-directory" configuration statement,
8783 which allows the server to look for online signing
8784 keys in alternate directories.
8786 1180. [func] dnssec-keygen should always generate keys with
8787 protocol 3 (DNSSEC), since it's less confusing
8790 1179. [func] Add SIG(0) support to nsupdate.
8792 1178. [bug] Follow and cache (if appropriate) A6 and other
8793 data chains to completion in the additional section.
8795 1177. [func] Report view when loading zones if it is not a
8796 standard view (_default or _bind). [RT #2270]
8798 1176. [doc] Document that allow-v6-synthesis is only performed
8799 for clients that are supplied recursive service.
8802 1175. [bug] named-checkzone and named-checkconf failed to call
8803 dns_result_register() at startup which could
8804 result in runtime exceptions when printing
8805 "out of memory" errors. [RT #2335]
8807 1174. [bug] Win32: add WSAECONNRESET to the expected errors
8808 from connect(). [RT #2308]
8810 1173. [bug] Potential memory leaks in isc_log_create() and
8811 isc_log_settag(). [RT #2336]
8813 1172. [doc] Add CERT, GPOS, KX, NAPTR, NSAP, PX and TXT to
8814 table of RR types in ARM.
8816 1171. [func] Added function isc_region_compare(), updated files in
8817 lib/dns to use this function instead of local one.
8819 1170. [bug] Don't attempt to print the token when a I/O error
8820 occurs when parsing named.conf. [RT #2275]
8822 1169. [func] Identify recursive queries in the query log.
8824 1168. [bug] Empty also-notify clauses were not handled. [RT #2309]
8826 1167. [contrib] nslint-2.1a3 (from author).
8828 1166. [bug] "Not Implemented" should be reported as NOTIMP,
8829 not NOTIMPL. [RT #2281]
8831 1165. [bug] We were rejecting notify-source{-v6} in zone clauses.
8833 1164. [bug] Empty masters clauses in slave / stub zones were not
8834 handled gracefully. [RT #2262]
8836 1163. [func] isc_time_formattimestamp() now includes the year.
8838 1162. [bug] The allow-notify option was not accepted in slave
8841 1161. [bug] named-checkzone looped on unbalanced brackets.
8844 1160. [bug] Generating Diffie-Hellman keys longer than 1024
8845 bits could fail. [RT #2241]
8847 1159. [bug] MD and MF are not permitted to be loaded by RFC1123.
8849 1158. [func] Report the client's address when logging notify
8852 1157. [func] match-clients and match-destinations now accept
8855 1156. [port] The configure test for strsep() incorrectly
8856 succeeded on certain patched versions of
8857 AIX 4.3.3. [RT #2190]
8859 1155. [func] Recover from master files being removed from under
8862 1154. [bug] Don't attempt to obtain the netmask of a interface
8863 if there is no address configured. [RT #2176]
8865 1153. [func] 'rndc {stop|halt} -p' now reports the process id
8866 of the instance of named being shutdown.
8868 1152. [bug] libbind: read buffer overflows.
8870 1151. [bug] nslookup failed to check that the arguments to
8871 the port, timeout, and retry options were
8872 valid integers and in range. [RT #2099]
8874 1150. [bug] named incorrectly accepted TTL values
8875 containing plus or minus signs, such as
8878 1149. [func] New function isc_parse_uint32().
8880 1148. [func] 'rndc-confgen -a' now provides positive feedback.
8882 1147. [func] Set IPV6_V6ONLY on IPv6 sockets if supported by
8883 the OS. listen-on-v6 { any; }; should no longer
8884 result in IPv4 queries be accepted. Similarly
8885 control { inet :: ... }; should no longer result
8886 in IPv4 connections being accepted. This can be
8887 overridden at compile time by defining
8890 1146. [func] Allow IPV6_IPV6ONLY to be set/cleared on a socket if
8891 supported by the OS by a new function
8892 isc_socket_ipv6only().
8894 1145. [func] "host" no longer reports a NOERROR/NODATA response
8895 by printing nothing. [RT #2065]
8897 1144. [bug] rndc-confgen would crash if both the -a and -t
8898 options were specified. [RT #2159]
8900 1143. [bug] When a trusted-keys statement was present and named
8901 was built without crypto support, it would leak memory.
8903 1142. [bug] dnssec-signzone would fail to delete temporary files
8904 in some failure cases. [RT #2144]
8906 1141. [bug] When named rejected a control message, it would
8907 leak a file descriptor and memory. It would also
8908 fail to respond, causing rndc to hang.
8911 1140. [bug] rndc-confgen did not accept IPv6 addresses as arguments
8912 to the -s option. [RT #2138]
8914 1139. [func] It is now possible to flush a given name from the
8915 cache(s) via 'rndc flushname name [view]'. [RT #2051]
8917 1138. [func] It is now possible to flush a given name from the
8918 cache by calling the new function
8919 dns_cache_flushname().
8921 1137. [func] It is now possible to flush a given name from the
8922 ADB by calling the new function dns_adb_flushname().
8924 1136. [bug] CNAME records synthesized from DNAMEs did not
8925 have a TTL of zero as required by RFC2672.
8928 1135. [func] You can now override the default syslog() facility for
8929 named/lwresd at compile time. [RT #1982]
8931 1134. [bug] Multi-threaded servers could deadlock in ferror()
8932 when reloading zone files. [RT #1951, #1998]
8934 1133. [bug] IN6_IS_ADDR_LOOPBACK was not portably defined on
8935 platforms without IN6_IS_ADDR_LOOPBACK. [RT #2106]
8937 1132. [func] Improve UPDATE prerequisite failure diagnostic messages.
8939 1131. [bug] The match-destinations view option did not work with
8940 IPv6 destinations. [RT #2073, #2074]
8942 1130. [bug] Log messages reporting an out-of-range serial number
8943 did not include the out-of-range number but the
8944 following token. [RT #2076]
8946 1129. [bug] Multi-threaded servers could crash under heavy
8947 resolution load due to a race condition. [RT #2018]
8949 1128. [func] sdb drivers can now provide RR data in either text
8950 or wire format, the latter using the new functions
8951 dns_sdb_putrdata() and dns_sdb_putnamedrdata().
8953 1127. [func] rndc: If the server to contact has multiple addresses,
8956 1126. [bug] The server could access a freed event if shut
8957 down while a client start event was pending
8958 delivery. [RT #2061]
8960 1125. [bug] rndc: -k option was missing from usage message.
8963 1124. [doc] dig: +[no]dnssec, +[no]besteffort and +[no]fail
8964 are now documented. [RT #2052]
8966 1123. [bug] dig +[no]fail did not match description. [RT #2052]
8968 1122. [tuning] Resolution timeout reduced from 90 to 30 seconds.
8971 1121. [bug] The server could attempt to access a NULL zone
8972 table if shut down while resolving.
8975 1120. [bug] Errors in options were not fatal. [RT #2002]
8977 1119. [func] Added support in Win32 for NTFS file/directory ACL's
8980 1118. [bug] On multi-threaded servers, a race condition
8981 could cause an assertion failure in resolver.c
8982 during resolver shutdown. [RT #2029]
8984 1117. [port] The configure check for in6addr_loopback incorrectly
8985 succeeded on AIX 4.3 when compiling with -O2
8986 because the test code was optimized away.
8989 1116. [bug] Setting transfers in a server clause, transfers-in,
8990 or transfers-per-ns to a value greater than
8991 2147483647 disabled transfers. [RT #2002]
8993 1115. [func] Set maximum values for cleaning-interval,
8994 heartbeat-interval, interface-interval,
8995 max-transfer-idle-in, max-transfer-idle-out,
8996 max-transfer-time-in, max-transfer-time-out,
8997 statistics-interval of 28 days and
8998 sig-validity-interval of 3660 days. [RT #2002]
9000 1114. [port] Ignore more accept() errors. [RT #2021]
9002 1113. [bug] The allow-update-forwarding option was ignored
9003 when specified in a view. [RT #2014]
9007 1111. [bug] Multi-threaded servers could deadlock processing
9008 recursive queries due to a locking hierarchy
9009 violation in adb.c. [RT #2017]
9011 1110. [bug] dig should only accept valid abbreviations of +options.
9014 1109. [bug] nsupdate accepted illegal ttl values.
9016 1108. [bug] On Win32, rndc was hanging when named was not running
9017 due to failure to select for exceptional conditions
9018 in select(). [RT #1870]
9020 1107. [bug] nsupdate could catch an assertion failure if an
9021 invalid domain name was given as the argument to
9024 1106. [bug] After seeing an out of range TTL, nsupdate would
9025 treat all TTLs as out of range. [RT #2001]
9027 1105. [port] OpenUNIX 8 enable threads by default. [RT #1970]
9029 1104. [bug] Invalid arguments to the transfer-format option
9030 could cause an assertion failure. [RT #1995]
9032 1103. [port] OpenUNIX 8 support (ifconfig.sh). [RT #1970]
9034 1102. [doc] Note that query logging is enabled by directing the
9035 queries category to a channel.
9037 1101. [bug] Array bounds read error in lwres_gai_strerror.
9039 1100. [bug] libbind: DNSSEC key ids were computed incorrectly.
9041 1099. [cleanup] libbind: defining REPORT_ERRORS in lib/bind/dst caused
9042 compile time errors.
9044 1098. [bug] libbind: HMAC-MD5 key files are now mode 0600.
9046 1097. [func] libbind: RES_PRF_TRUNC for dig.
9048 1096. [func] libbind: "DNSSEC OK" (DO) support.
9050 1095. [func] libbind: resolver option: no-tld-query. disables
9051 trying unqualified as a tld. no_tld_query is also
9052 supported for FreeBSD compatibility.
9054 1094. [func] libbind: add support gcc's format string checking.
9056 1093. [doc] libbind: miscellaneous nroff fixes.
9058 1092. [bug] libbind: get*by*() failed to check if res_init() had
9061 1091. [bug] libbind: misplaced va_end().
9063 1090. [bug] libbind: dns_ho.c:add_hostent() was not returning
9064 the amount of memory consumed resulting in garbage
9065 address being returned. Alignment calculations were
9066 wasting space. We weren't suppressing duplicate
9069 1089. [func] libbind: inet_{cidr,net}_{pton,ntop}() now have IPv6
9072 1088. [port] libbind: MPE/iX C.70 (incomplete)
9074 1087. [bug] libbind: struct __res_state too large on 64 bit arch.
9076 1086. [port] libbind: sunos: old sprintf.
9078 1085. [port] libbind: solaris: sys_nerr and sys_errlist do not
9079 exist when compiling in 64 bit mode.
9081 1084. [cleanup] libbind: gai_strerror() rewritten.
9083 1083. [bug] The default control channel listened on the
9084 wildcard address, not the loopback as documented.
9087 1082. [bug] The -g option to named incorrectly caused logging
9088 to be sent to syslog in addition to stderr.
9091 1081. [bug] Multicast queries were incorrectly identified
9092 based on the source address, not the destination
9095 1080. [bug] BIND 8 compatibility: accept bare IP prefixes
9096 as the second element of a two-element top level
9097 sort list statement. [RT #1964]
9099 1079. [bug] BIND 8 compatibility: accept bare elements at top
9100 level of sort list treating them as if they were
9101 a single element list. [RT #1963]
9103 1078. [bug] We failed to correct bad tv_usec values in one case.
9106 1077. [func] Do not accept further recursive clients when
9107 the total number of recursive lookups being
9108 processed exceeds max-recursive-clients, even
9109 if some of the lookups are internally generated.
9112 1076. [bug] A badly defined global key could trigger an assertion
9113 on load/reload if views were used. [RT #1947]
9115 1075. [bug] Out-of-range network prefix lengths were not
9116 reported. [RT #1954]
9118 1074. [bug] Running out of memory in dump_rdataset() could
9119 cause an assertion failure. [RT #1946]
9121 1073. [bug] The ADB cache cleaning should also be space driven.
9124 1072. [bug] The TCP client quota could be exceeded when
9125 recursion occurred. [RT #1937]
9127 1071. [bug] Sockets listening for TCP DNS connections
9128 specified an excessive listen backlog. [RT #1937]
9130 1070. [bug] Copy DNSSEC OK (DO) to response as specified by
9131 draft-ietf-dnsext-dnssec-okbit-03.txt.
9135 1068. [bug] errno could be overwritten by catgets(). [RT #1921]
9137 1067. [func] Allow quotas to be soft, isc_quota_soft().
9139 1066. [bug] Provide a thread safe wrapper for strerror().
9142 1065. [func] Runtime support to select new / old style interface
9143 scanning using ioctls.
9145 1064. [bug] Do not shut down active network interfaces if we
9146 are unable to scan the interface list. [RT #1921]
9148 1063. [bug] libbind: "make install" was failing on IRIX.
9151 1062. [bug] If the control channel listener socket was shut
9152 down before server exit, the listener object could
9153 be freed twice. [RT #1916]
9155 1061. [bug] If periodic cache cleaning happened to start
9156 while cleaning due to reaching the configured
9157 maximum cache size was in progress, the server
9158 could catch an assertion failure. [RT #1912]
9160 1060. [func] Move refresh, stub and notify UDP retry processing
9163 1059. [func] dns_request now support will now retry UDP queries,
9164 dns_request_createvia2() and dns_request_createraw2().
9166 1058. [func] Limited lifetime ticker timers are now available,
9167 isc_timertype_limited.
9169 1057. [bug] Reloading the server after adding a "file" clause
9170 to a zone statement could cause the server to
9171 crash due to a typo in change 1016.
9173 1056. [bug] Rndc could catch an assertion failure on SIGINT due
9174 to an uninitialized variable. [RT #1908]
9176 1055. [func] Version and hostname queries can now be disabled
9177 using "version none;" and "hostname none;",
9180 1054. [bug] On Win32, cfg_categories and cfg_modules need to be
9181 exported from the libisccfg DLL.
9183 1053. [bug] Dig did not increase its timeout when receiving
9184 AXFRs unless the +time option was used. [RT #1904]
9186 1052. [bug] Journals were not being created in binary mode
9187 resulting in "journal format not recognized" error
9188 under Win32. [RT #1889]
9190 1051. [bug] Do not ignore a network interface completely just
9191 because it has a noncontiguous netmask. Instead,
9192 omit it from the localnets ACL and issue a warning.
9195 1050. [bug] Log messages reporting malformed IP addresses in
9196 address lists such as that of the forwarders option
9197 failed to include the correct error code, file
9198 name, and line number. [RT #1890]
9200 1049. [func] "pid-file none;" will disable writing a pid file.
9203 1048. [bug] Servers built with -DISC_MEM_USE_INTERNAL_MALLOC=1
9206 1047. [bug] named was incorrectly refusing all requests signed
9207 with a TSIG key derived from an unsigned TKEY
9208 negotiation with a NOERROR response. [RT #1886]
9210 1046. [bug] The help message for the --with-openssl configure
9211 option was inaccurate. [RT #1880]
9213 1045. [bug] It was possible to skip saving glue for a nameserver
9216 1044. [bug] Specifying allow-transfer, notify-source, or
9217 notify-source-v6 in a stub zone was not treated
9220 1043. [bug] Specifying a transfer-source or transfer-source-v6
9221 option in the zone statement for a master zone was
9222 not treated as an error. [RT #1876]
9224 1042. [bug] The "config" logging category did not work properly.
9227 1041. [bug] Dig/host/nslookup could catch an assertion failure
9228 on SIGINT due to an uninitialized variable. [RT #1867]
9230 1040. [bug] Multiple listen-on-v6 options with different ports
9231 were not accepted. [RT #1875]
9233 1039. [bug] Negative responses with CNAMEs in the answer section
9234 were cached incorrectly. [RT #1862]
9236 1038. [bug] In servers configured with a tkey-domain option,
9237 TKEY queries with an owner name other than the root
9238 could cause an assertion failure. [RT #1866, #1869]
9240 1037. [bug] Negative responses whose authority section contain
9241 SOA or NS records whose owner names are not equal
9242 equal to or parents of the query name should be
9243 rejected. [RT #1862]
9245 1036. [func] Silently drop requests received via multicast as
9246 long as there is no final multicast DNS standard.
9248 1035. [bug] If we respond to multicast queries (which we
9249 currently do not), respond from a unicast address
9250 as specified in RFC 1123. [RT #137]
9252 1034. [bug] Ignore the RD bit on multicast queries as specified
9253 in RFC 1123. [RT #137]
9255 1033. [bug] Always respond to requests with an unsupported opcode
9256 with NOTIMP, even if we don't have a matching view
9257 or cannot determine the class.
9259 1032. [func] hostname.bind/txt/chaos now returns the name of
9260 the machine hosting the nameserver. This is useful
9261 in diagnosing problems with anycast servers.
9263 1031. [bug] libbind.a: isc__gettimeofday() infinite recursion.
9266 1030. [bug] On systems with no resolv.conf file, nsupdate
9267 exited with an error rather than defaulting
9268 to using the loopback address. [RT #1836]
9270 1029. [bug] Some named.conf errors did not cause the loading
9271 of the configuration file to return a failure
9272 status even though they were logged. [RT #1847]
9274 1028. [bug] On Win32, dig/host/nslookup looked for resolv.conf
9275 in the wrong directory. [RT #1833]
9277 1027. [bug] RRs having the reserved type 0 should be rejected.
9282 1025. [bug] Don't use multicast addresses to resolve iterative
9285 1024. [port] Compilation failed on HP-UX 11.11 due to
9286 incompatible use of the SIOCGLIFCONF macro
9289 1023. [func] Accept hints without TTLs.
9291 1022. [bug] Don't report empty root hints as "extra data".
9294 1021. [bug] On Win32, log message timestamps were one month
9295 later than they should have been, and the server
9296 would exhibit unspecified behavior in December.
9298 1020. [bug] IXFR log messages did not distinguish between
9299 true IXFRs, AXFR-style IXFRs, and mere version
9302 1019. [bug] The value of the lame-ttl option was limited to 18000
9303 seconds, not 1800 seconds as documented. [RT #1803]
9305 1018. [bug] The default log channel was not always initialized
9306 correctly. [RT #1813]
9308 1017. [bug] When specifying TSIG keys to dig and nsupdate using
9309 the -k option, they must be HMAC-MD5 keys. [RT #1810]
9311 1016. [bug] Slave zones with no backup file were re-transferred
9312 on every server reload.
9314 1015. [bug] Log channels that had a "versions" option but no
9315 "size" option failed to create numbered log
9318 1014. [bug] Some queries would cause statistics counters to
9319 increment more than once or not at all. [RT #1321]
9321 1013. [bug] It was possible to cancel a query twice when marking
9322 a server as bogus or by having a blackhole acl.
9325 1012. [bug] The -p option to named did not behave as documented.
9327 1011. [cleanup] Removed isc_dir_current().
9329 1010. [bug] The server could attempt to execute a command channel
9330 command after initiating server shutdown, causing
9331 an assertion failure. [RT #1766]
9333 1009. [port] OpenUNIX 8 support. [RT #1728]
9335 1008. [port] libtool.m4, ltmain.sh from libtool-1.4.2.
9337 1007. [port] config.guess, config.sub from autoconf-2.52.
9339 1006. [bug] If a KEY RR was found missing during DNSSEC validation,
9340 an assertion failure could subsequently be triggered
9341 in the resolver. [RT #1763]
9343 1005. [bug] Don't copy nonzero RCODEs from request to response.
9346 1004. [port] Deal with recvfrom() returning EHOSTDOWN. [RT #1770]
9348 1003. [func] Add the +retry option to dig.
9350 1002. [bug] When reporting an unknown class name in named.conf,
9351 including the file name and line number. [RT #1759]
9353 1001. [bug] win32 socket code doio_recv was not catching a
9354 WSACONNRESET error when a client was timing out
9355 the request and closing its socket. [RT #1745]
9357 1000. [bug] BIND 8 compatibility: accept "HESIOD" as an alias
9358 for class "HS". [RT #1759]
9360 999. [func] "rndc retransfer zone [class [view]]" added.
9363 998. [func] named-checkzone now has arguments to specify the
9364 chroot directory (-t) and working directory (-w).
9367 997. [func] Add support for RSA-SHA1 keys (RFC3110).
9369 996. [func] Issue warning if the configuration filename contains
9372 995. [bug] dig, host, nslookup: using a raw IPv6 address as a
9373 target address should be fatal on a IPv4 only system.
9375 994. [func] Treat non-authoritative responses to queries for type
9376 NS as referrals even if the NS records are in the
9377 answer section, because BIND 8 servers incorrectly
9378 send them that way. This is necessary for DNSSEC
9379 validation of the NS records of a secure zone to
9380 succeed when the parent is a BIND 8 server. [RT #1706]
9382 993. [func] dig: -v now reports the version.
9384 992. [doc] dig: ~/.digrc is now documented.
9386 991. [func] Lower UDP refresh timeout messages to level
9389 990. [bug] The rndc-confgen man page was not installed.
9391 989. [bug] Report filename if $INCLUDE fails for file related
9394 988. [bug] 'additional-from-auth no;' did not work reliably
9395 in the case of queries answered from the cache.
9398 987. [bug] "dig -help" didn't show "+[no]stats".
9400 986. [bug] "dig +noall" failed to clear stats and command
9403 985. [func] Consider network interfaces to be up iff they have
9404 a nonzero IP address rather than based on the
9405 IFF_UP flag. [RT #1160]
9407 984. [bug] Multi-threading should be enabled by default on
9408 Solaris 2.7 and newer, but it wasn't.
9410 983. [func] The server now supports generating IXFR difference
9411 sequences for non-dynamic zones by comparing zone
9412 versions, when enabled using the new config
9413 option "ixfr-from-differences". [RT #1727]
9415 982. [func] If "memstatistics-file" is set in options the memory
9416 statistics will be written to it.
9418 981. [func] The dnssec tools can now take multiple '-r randomfile'
9421 980. [bug] Incoming zone transfers restarting after an error
9422 could trigger an assertion failure. [RT #1692]
9424 979. [func] Incremental master file dumping. dns_master_dumpinc(),
9425 dns_master_dumptostreaminc(), dns_dumpctx_attach(),
9426 dns_dumpctx_detach(), dns_dumpctx_cancel(),
9427 dns_dumpctx_db() and dns_dumpctx_version().
9429 978. [bug] dns_db_attachversion() had an invalid REQUIRE()
9432 977. [bug] Improve "not at top of zone" error message.
9434 976. [func] named-checkconf can now test load master zones
9435 (named-checkconf -z). [RT #1468]
9437 975. [bug] "max-cache-size default;" as a view option
9438 caused an assertion failure.
9440 974. [bug] "max-cache-size unlimited;" as a global option
9443 973. [bug] Failed to log the question name when logging:
9444 "bad zone transfer request: non-authoritative zone
9447 972. [bug] The file modification time code in zone.c was using the
9448 wrong epoch. [RT #1667]
9452 970. [func] 'max-journal-size' can now be used to set a target
9455 969. [func] dig now supports the undocumented dig 8 feature
9456 of allowing arbitrary labels, not just dotted
9457 decimal quads, with the -x option. This can be
9458 used to conveniently look up RFC2317 names as in
9459 "dig -x 10.0.0.0-127". [RT #827, #1576, #1598]
9461 968. [bug] On win32, the isc_time_now() function was unnecessarily
9462 calling strtime(). [RT #1671]
9464 967. [bug] On win32, the link for bindevt was not including the
9465 required resource file to enable the event viewer
9466 to interpret the error messages in the event log,
9471 965. [bug] Including data other than root server NS and A
9472 records in the root hint file could cause a rbtdb
9473 node reference leak. [RT #1581, #1618]
9475 964. [func] Warn if data other than root server NS and A records
9476 are found in the root hint file. [RT #1581, #1618]
9478 963. [bug] Bad ISC_LANG_ENDDECLS. [RT #1645]
9480 962. [bug] libbind: bad "#undef", don't attempt to install
9481 non-existent nlist.h. [RT #1640]
9483 961. [bug] Tried to use a IPV6 feature when ISC_PLATFORM_HAVEIPV6
9484 was not defined. [RT #1482]
9486 960. [port] liblwres failed to build on systems with support for
9487 getrrsetbyname() in the OS. [RT #1592]
9489 959. [port] On FreeBSD, determine the number of CPUs by calling
9490 sysctlbyname(). [RT #1584]
9492 958. [port] ssize_t is not available on all platforms. [RT #1607]
9494 957. [bug] sys/select.h inclusion was broken on older platforms.
9497 956. [bug] ns_g_autorndcfile changed to ns_g_keyfile
9498 in named/win32/os.c due to code changes in
9499 change #953. win32 .make file for rndc-confgen
9500 updated to add include path for os.h header.
9502 --- 9.2.0rc1 released ---
9504 955. [bug] When using views, the zone's class was not being
9505 inherited from the view's class. [RT #1583]
9507 954. [bug] When requesting AXFRs or IXFRs using dig, host, or
9508 nslookup, the RD bit should not be set as zone
9509 transfers are inherently non-recursive. [RT #1575]
9511 953. [func] The /var/run/named.key file from change #843
9512 has been replaced by /etc/rndc.key. Both
9513 named and rndc will look for this file and use
9514 it to configure a default control channel key
9515 if not already configured using a different
9516 method (rndc.conf / controls). Unlike
9517 named.key, rndc.key is not created automatically;
9518 it must be created by manually running
9521 952. [bug] The server required manual intervention to serve the
9522 affected zones if it died between creating a journal
9523 and committing the first change to it.
9525 951. [bug] CFLAGS was not passed to the linker when
9526 linking some of the test programs under
9527 bin/tests. [RT #1555].
9529 950. [bug] Explicit TTLs did not properly override $TTL
9530 due to a bug in change 834. [RT #1558]
9532 949. [bug] host was unable to print records larger than 512
9535 --- 9.2.0b2 released ---
9537 948. [port] Integrated support for building on Windows NT /
9540 947. [bug] dns_rdata_soa_t had a badly named element "mname" which
9541 was really the RNAME field from RFC1035. To avoid
9542 confusion and silent errors that would occur it the
9543 "origin" and "mname" elements were given their correct
9544 names "mname" and "rname" respectively, the "mname"
9545 element is renamed to "contact".
9547 946. [cleanup] doc/misc/options is now machine-generated from the
9548 configuration parser syntax tables, and therefore
9549 more likely to be correct.
9551 945. [func] Add the new view-specific options
9552 "match-destinations" and "match-recursive-only".
9554 944. [func] Check for expired signatures on load.
9556 943. [bug] The server could crash when receiving a command
9557 via rndc if the configuration file listed only
9558 nonexistent keys in the controls statement. [RT #1530]
9560 942. [port] libbind: GETNETBYADDR_ADDR_T was not correctly
9561 defined on some platforms.
9563 941. [bug] The configuration checker crashed if a slave
9564 zone didn't contain a masters statement. [RT #1514]
9566 940. [bug] Double zone locking failure on error path. [RT #1510]
9568 --- 9.2.0b1 released ---
9570 939. [port] Add the --disable-linux-caps option to configure for
9571 systems that manage capabilities outside of named.
9576 937. [bug] A race when shutting down a zone could trigger a
9577 INSIST() failure. [RT #1034]
9579 936. [func] Warn about IPv4 addresses that are not complete
9580 dotted quads. [RT #1084]
9582 935. [bug] inet_pton failed to reject leading zeros.
9584 934. [port] Deal with systems where accept() spuriously returns
9587 933. [bug] configure failed doing libbind on platforms not
9588 supported by BIND 8. [RT #1496]
9590 --- 9.2.0a3 released ---
9592 932. [bug] Use INSTALL_SCRIPT, not INSTALL_PROGRAM,
9593 when installing isc-config.sh.
9596 931. [bug] The controls statement only attempted to verify
9597 messages using the first key in the key list.
9600 930. [func] Query performance testing tool added as
9605 928. [bug] nsupdate would send empty update packets if the
9606 send (or empty line) command was run after
9607 another send but before any new updates or
9608 prerequisites were specified. It should simply
9609 ignore this command.
9611 927. [bug] Don't hold the zone lock for the entire dump to disk.
9614 926. [bug] The resolver could deadlock with the ADB when
9615 shutting down (multi-threaded builds only).
9618 925. [cleanup] Remove openssl from the distribution; require that
9619 --with-openssl be specified if DNSSEC is needed.
9621 924. [port] Extend support for pre-RFC2133 IPv6 implementation.
9624 923. [bug] Multiline TSIG secrets (and other multiline strings)
9625 were not accepted in named.conf. [RT #1469]
9627 922. [func] Added two new lwres_getrrsetbyname() result codes,
9628 ERR_NONAME and ERR_NODATA.
9630 921. [bug] lwres returned an incorrect error code if it received
9631 a truncated message.
9633 920. [func] Increase the lwres receive buffer size to 16K.
9638 918. [func] In nsupdate, TSIG errors are no longer treated as
9641 917. [func] New nsupdate command 'key', allowing TSIG keys to
9642 be specified in the nsupdate command stream rather
9643 than the command line.
9645 916. [bug] Specifying type ixfr to dig without specifying
9646 a serial number failed in unexpected ways.
9648 915. [func] The named-checkconf and named-checkzone programs
9649 now have a '-v' option for printing their version.
9652 914. [bug] Global 'server' statements were rejected when
9653 using views, even though they were accepted
9656 913. [bug] Cache cleaning was not sufficiently aggressive.
9659 912. [bug] Attempts to set the 'additional-from-cache' or
9660 'additional-from-auth' option to 'no' in a
9661 server with recursion enabled will now
9662 be ignored and cause a warning message.
9667 910. [port] Some pre-RFC2133 IPv6 implementations do not define
9668 IN6ADDR_ANY_INIT. [RT #1416]
9672 908. [func] New program, rndc-confgen, to simplify setting up rndc.
9674 907. [func] The ability to get entropy from either the
9675 random device, a user-provided file or from
9676 the keyboard was migrated from the DNSSEC tools
9677 to libisc as isc_entropy_usebestsource().
9679 906. [port] Separated the system independent portion of
9680 lib/isc/unix/entropy.c into lib/isc/entropy.c
9681 and added lib/isc/win32/entropy.c.
9683 905. [bug] Configuring a forward "zone" for the root domain
9684 did not work. [RT #1418]
9686 904. [bug] The server would leak memory if attempting to use
9687 an expired TSIG key. [RT #1406]
9689 903. [bug] dig should not crash when receiving a TCP packet
9692 902. [bug] The -d option was ignored if both -t and -g were also
9697 900. [bug] A config.guess update changed the system identification
9698 string of FreeBSD systems; configure and
9699 bin/tests/system/ifconfig.sh now recognize the new
9702 --- 9.2.0a2 released ---
9704 899. [bug] lib/dns/soa.c failed to compile on many platforms
9705 due to inappropriate use of a void value.
9706 [RT #1372, #1373, #1386, #1387, #1395]
9708 898. [bug] "dig" failed to set a nonzero exit status
9709 on UDP query timeout. [RT #1323]
9711 897. [bug] A config.guess update changed the system identification
9712 string of UnixWare systems; configure now recognizes
9715 896. [bug] If a configuration file is set on named's command line
9716 and it has a relative pathname, the current directory
9717 (after any possible jailing resulting from named -t)
9718 will be prepended to it so that reloading works
9719 properly even when a directory option is present.
9721 895. [func] New function, isc_dir_current(), akin to POSIX's
9724 894. [bug] When using the DNSSEC tools, a message intended to warn
9725 when the keyboard was being used because of the lack
9726 of a suitable random device was not being printed.
9728 893. [func] Removed isc_file_test() and added isc_file_exists()
9729 for the basic functionality that was being added
9730 with isc_file_test().
9734 891. [bug] Return an error when a SIG(0) signed response to
9735 an unsigned query is seen. This should actually
9736 do the verification, but it's not currently
9737 possible. [RT #1391]
9739 890. [cleanup] The man pages no longer require the mandoc macros
9740 and should now format cleanly using most versions of
9741 nroff, and HTML versions of the man pages have been
9742 added. Both are generated from DocBook source.
9744 889. [port] Eliminated blank lines before .TH in nroff man
9745 pages since they cause problems with some versions
9746 of nroff. [RT #1390]
9748 888. [bug] Don't die when using TKEY to delete a nonexistent
9749 TSIG key. [RT #1392]
9751 887. [port] Detect broken compilers that can't call static
9752 functions from inline functions. [RT #1212]
9794 866. [func] Close debug only file channels when debug is set to
9797 865. [bug] The new configuration parser did not allow
9798 the optional debug level in a "severity debug"
9799 clause of a logging channel to be omitted.
9800 This is now allowed and treated as "severity
9801 debug 1;" like it does in BIND 8.2.4, not as
9802 "severity debug 0;" like it did in BIND 9.1.
9805 864. [cleanup] Multi-threading is now enabled by default on
9806 OSF1, Solaris 2.7 and newer, AIX, IRIX, and HP-UX.
9808 863. [bug] If an error occurred while an outgoing zone transfer
9809 was starting up, the server could access a domain
9810 name that had already been freed when logging a
9811 message saying that the transfer was starting.
9814 862. [bug] Use after realloc(), non portable pointer arithmetic in
9817 861. [port] Add support for Mac OS X, by making it equivalent
9818 to Darwin. This was derived from the config.guess
9819 file shipped with Mac OS X. [RT #1355]
9821 860. [func] Drop cross class glue in zone transfers.
9823 859. [bug] Cache cleaning now won't swamp the CPU if there
9824 is a persistent over limit condition.
9826 858. [func] isc_mem_setwater() no longer requires that when the
9827 callback function is non-NULL then its hi_water
9828 argument must be greater than its lo_water argument
9829 (they can now be equal) or that they be non-zero.
9831 857. [cleanup] Use ISC_MAGIC() to define all magic numbers for
9832 structs, for our friends in EBCDIC-land.
9834 856. [func] Allow partial rdatasets to be returned in answer and
9835 authority sections to help non-TCP capable clients
9836 recover from truncation. [RT #1301]
9838 855. [bug] Stop spurious "using RFC 1035 TTL semantics" warnings.
9840 854. [bug] The config parser didn't properly handle config
9841 options that were specified in units of time other
9842 than seconds. [RT #1372]
9844 853. [bug] configure_view_acl() failed to detach existing acls.
9847 852. [bug] Handle responses from servers which do not know
9850 851. [cleanup] The obsolete support-ixfr option was not properly
9853 --- 9.2.0a1 released ---
9855 850. [bug] dns_rbt_findnode() would not find nodes that were
9856 split on a bitstring label somewhere other than in
9857 the last label of the node. [RT #1351]
9859 849. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined.
9861 848. [func] A minimum max-cache-size of two megabytes is enforced
9862 by the cache cleaner.
9864 847. [func] Added isc_file_test(), which currently only has
9865 some very basic functionality to test for the
9866 existence of a file, whether a pathname is absolute,
9867 or whether a pathname is the fundamental representation
9868 of the current directory. It is intended that this
9869 function can be expanded to test other things a
9870 programmer might want to know about a file.
9872 846. [func] A non-zero 'param' to dst_key_generate() when making an
9873 hmac-md5 key means that good entropy is not required.
9875 845. [bug] The access rights on the public file of a symmetric
9876 key are now restricted as soon as the file is opened,
9877 rather than after it has been written and closed.
9879 844. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined,
9880 just as <lwres/net.h> does.
9882 843. [func] If no controls statement is present in named.conf,
9883 or if any inet phrase of a controls statement is
9884 lacking a keys clause, then a key will be automatically
9885 generated by named and an rndc.conf-style file
9886 named named.key will be written that uses it. rndc
9887 will use this file only if its normal configuration
9888 file, or one provided on the command line, does not
9891 842. [func] 'rndc flush' now takes an optional view.
9893 841. [bug] When sdb modules were not declared threadsafe, their
9894 create and destroy functions were not serialized.
9896 840. [bug] The config file parser could print the wrong file
9897 name if an error was detected after an included file
9898 was parsed. [RT #1353]
9900 839. [func] Dump packets for which there was no view or that the
9901 class could not be determined to category "unmatched".
9903 838. [port] UnixWare 7.x.x is now suported by
9904 bin/tests/system/ifconfig.sh.
9906 837. [cleanup] Multi-threading is now enabled by default only on
9907 OSF1, Solaris 2.7 and newer, and AIX.
9909 836. [func] Upgraded libtool to 1.4.
9911 835. [bug] The dispatcher could enter a busy loop if
9912 it got an I/O error receiving on a UDP socket.
9915 834. [func] Accept (but warn about) master files beginning with
9916 an SOA record without an explicit TTL field and
9917 lacking a $TTL directive, by using the SOA MINTTL
9918 as a default TTL. This is for backwards compatibility
9919 with old versions of BIND 8, which accepted such
9920 files without warning although they are illegal
9921 according to RFC1035.
9923 833. [cleanup] Moved dns_soa_*() from <dns/journal.h> to
9924 <dns/soa.h>, and extended them to support
9925 all the integer-valued fields of the SOA RR.
9927 832. [bug] The default location for named.conf in named-checkconf
9928 should depend on --sysconfdir like it does in named.
9933 830. [func] Implement 'rndc status'.
9935 829. [bug] The DNS_R_ZONECUT result code should only be returned
9936 when an ANY query is made with DNS_DBFIND_GLUEOK set.
9937 In all other ANY query cases, returning the delegation
9940 828. [bug] The errno value from recvfrom() could be overwritten
9941 by logging code. [RT #1293]
9943 827. [bug] When an IXFR protocol error occurs, the slave
9944 should retry with AXFR.
9946 826. [bug] Some IXFR protocol errors were not detected.
9948 825. [bug] zone.c:ns_query() detached from the wrong zone
9949 reference. [RT #1264]
9951 824. [bug] Correct line numbers reported by dns_master_load().
9954 823. [func] The output of "dig -h" now goes to stdout so that it
9955 can easily be piped through "more". [RT #1254]
9957 822. [bug] Sending nxrrset prerequisites would crash nsupdate.
9960 821. [bug] The program name used when logging to syslog should
9961 be stripped of leading path components.
9964 820. [bug] Name server address lookups failed to follow
9965 A6 chains into the glue of local authoritative
9968 819. [bug] In certain cases, the resolver's attempts to
9969 restart an address lookup at the root could cause
9970 the fetch to deadlock (with itself) instead of
9971 restarting. [RT #1225]
9973 818. [bug] Certain pathological responses to ANY queries could
9974 cause an assertion failure. [RT #1218]
9976 817. [func] Adjust timeouts for dialup zone queries.
9978 816. [bug] Report potential problems with log file accessibility
9979 at configuration time, since such problems can't
9980 reliably be reported at the time they actually occur.
9982 815. [bug] If a log file was specified with a path separator
9983 character (i.e. "/") in its name and the directory
9984 did not exist, the log file's name was treated as
9985 though it were the directory name. [RT #1189]
9987 814. [bug] Socket objects left over from accept() failures
9988 were incorrectly destroyed, causing corruption
9989 of socket manager data structures.
9991 813. [bug] File descriptors exceeding FD_SETSIZE were handled
9994 812. [bug] dig sometimes printed incomplete IXFR responses
9995 due to an uninitialized variable. [RT #1188]
9997 811. [bug] Parentheses were not quoted in zone dumps. [RT #1194]
9999 810. [bug] The signer name in SIG records was not properly
10000 down-cased when signing/verifying records. [RT #1186]
10002 809. [bug] Configuring a non-local address as a transfer-source
10003 could cause an assertion failure during load.
10005 808. [func] Add 'rndc flush' to flush the server's cache.
10007 807. [bug] When setting up TCP connections for incoming zone
10008 transfers, the transfer-source port was not
10009 ignored like it should be.
10011 806. [bug] DNS_R_SEENINCLUDE was failing to propagate back up
10012 the calling stack to the zone maintenance level,
10013 causing zones to not reload when an included file was
10014 touched but the top-level zone file was not.
10016 805. [bug] When using "forward only", missing root hints should
10017 not cause queries to fail. [RT #1143]
10019 804. [bug] Attempting to obtain entropy could fail in some
10020 situations. This would be most common on systems
10021 with user-space threads. [RT #1131]
10023 803. [bug] Treat all SIG queries as if they have the CD bit set,
10024 otherwise no data will be returned [RT #749]
10026 802. [bug] DNSSEC key tags were computed incorrectly in almost
10027 all cases. [RT #1146]
10029 801. [bug] nsupdate should treat lines beginning with ';' as
10030 comments. [RT #1139]
10032 800. [bug] dnssec-signzone produced incorrect statistics for
10033 large zones. [RT #1133]
10035 799. [bug] The ADB didn't find AAAA glue in a zone unless A6
10036 glue was also present.
10038 798. [bug] nsupdate should be able to reject bad input lines
10039 and continue. [RT #1130]
10041 797. [func] Issue a warning if the 'directory' option contains
10042 a relative path. [RT #269]
10044 796. [func] When a size limit is associated with a log file,
10045 only roll it when the size is reached, not every
10046 time the log file is opened. [RT #1096]
10048 795. [func] Add the +multiline option to dig. [RT #1095]
10050 794. [func] Implement the "port" and "default-port" statements
10053 793. [cleanup] The DNSSEC tools could create filenames that were
10054 illegal or contained shell meta-characters. They
10055 now use a different text encoding of names that
10056 doesn't have these problems. [RT #1101]
10058 792. [cleanup] Replace the OMAPI command channel protocol with a
10061 791. [bug] The command channel now works over IPv6.
10063 790. [bug] Wildcards created using dynamic update or IXFR
10064 could fail to match. [RT #1111]
10066 789. [bug] The "localhost" and "localnets" ACLs did not match
10067 when used as the second element of a two-element
10070 788. [func] Add the "match-mapped-addresses" option, which
10071 causes IPv6 v4mapped addresses to be treated as
10072 IPv4 addresses for the purpose of acl matching.
10074 787. [bug] The DNSSEC tools failed to downcase domain
10075 names when mapping them into file names.
10077 786. [bug] When DNSSEC signing/verifying data, owner names were
10078 not properly down-cased.
10080 785. [bug] A race condition in the resolver could cause
10081 an assertion failure. [RT #673, #872, #1048]
10083 784. [bug] nsupdate and other programs would not quit properly
10084 if some signals were blocked by the caller. [RT #1081]
10086 783. [bug] Following CNAMEs could cause an assertion failure
10087 when either using an sdb database or under very
10090 782. [func] Implement the "serial-query-rate" option.
10092 781. [func] Avoid error packet loops by dropping duplicate FORMERR
10093 responses. [RT #1006]
10095 780. [bug] Error handling code dealing with out of memory or
10096 other rare errors could lead to assertion failures
10097 by calling functions on uninitialized names. [RT #1065]
10099 779. [func] Added the "minimal-responses" option.
10101 778. [bug] When starting cache cleaning, cleaning_timer_action()
10102 returned without first pausing the iterator, which
10103 could cause deadlock. [RT #998]
10105 777. [bug] An empty forwarders list in a zone failed to override
10106 global forwarders. [RT #995]
10108 776. [func] Improved error reporting in denied messages. [RT #252]
10112 774. [func] max-cache-size is implemented.
10114 773. [func] Added isc_rwlock_trylock() to attempt to lock without
10117 772. [bug] Owner names could be incorrectly omitted from cache
10118 dumps in the presence of negative caching entries.
10121 771. [cleanup] TSIG errors related to unsynchronized clocks
10122 are logged better. [RT #919]
10124 770. [func] Add the "edns yes_or_no" statement to the server
10127 769. [func] Improved error reporting when parsing rdata. [RT #740]
10129 768. [bug] The server did not emit an SOA when a CNAME
10130 or DNAME chain ended in NXDOMAIN in an
10131 authoritative zone.
10135 766. [bug] A few cases in query_find() could leak fname.
10136 This would trigger the mpctx->allocated == 0
10137 assertion when the server exited.
10138 [RT #739, #776, #798, #812, #818, #821, #845,
10141 765. [func] ACL names are once again case insensitive, like
10142 in BIND 8. [RT #252]
10144 764. [func] Configuration files now allow "include" directives
10145 in more places, such as inside the "view" statement.
10146 [RT #377, #728, #860]
10148 763. [func] Configuration files no longer have reserved words.
10151 762. [cleanup] The named.conf and rndc.conf file parsers have
10152 been completely rewritten.
10154 761. [bug] _REENTRANT was still defined when building with
10157 760. [contrib] Significant enhancements to the pgsql sdb driver.
10159 759. [bug] The resolver didn't turn off "avoid fetches" mode
10160 when restarting, possibly causing resolution
10161 to fail when it should not. This bug only affected
10162 platforms which support both IPv4 and IPv6. [RT #927]
10164 758. [bug] The "avoid fetches" code did not treat negative
10165 cache entries correctly, causing fetches that would
10166 be useful to be avoided. This bug only affected
10167 platforms which support both IPv4 and IPv6. [RT #927]
10169 757. [func] Log zone transfers.
10171 756. [bug] dns_zone_load() could "return" success when no master
10172 file was configured.
10174 755. [bug] Fix incorrectly formatted log messages in zone.c.
10176 754. [bug] Certain failure conditions sending UDP packets
10177 could cause the server to retry the transmission
10178 indefinitely. [RT #902]
10180 753. [bug] dig, host, and nslookup would fail to contact a
10181 remote server if getaddrinfo() returned an IPv6
10182 address on a system that doesn't support IPv6.
10185 752. [func] Correct bad tv_usec elements returned by
10188 751. [func] Log successful zone loads / transfers. [RT #898]
10190 750. [bug] A query should not match a DNAME whose trust level
10191 is pending. [RT #916]
10193 749. [bug] When a query matched a DNAME in a secure zone, the
10194 server did not return the signature of the DNAME.
10197 748. [doc] List supported RFCs in doc/misc/rfc-compliance.
10200 747. [bug] The code to determine whether an IXFR was possible
10201 did not properly check for a database that could
10202 not have a journal. [RT #865, #908]
10204 746. [bug] The sdb didn't clone rdatasets properly, causing
10205 a crash when the server followed delegations. [RT #905]
10207 745. [func] Report the owner name of records that fail
10208 semantic checks while loading.
10210 744. [bug] When returning DNS_R_CNAME or DNS_R_DNAME as the
10211 result of an ANY or SIG query, the resolver failed
10212 to setup the return event's rdatasets, causing an
10213 assertion failure in the query code. [RT #881]
10215 743. [bug] Receiving a large number of certain malformed
10216 answers could cause named to stop responding.
10221 741. [port] Support openssl-engine. [RT #709]
10223 740. [port] Handle openssl library mismatches slightly better.
10225 739. [port] Look for /dev/random in configure, rather than
10226 assuming it will be there for only a predefined
10229 738. [bug] If a non-threadsafe sdb driver supported AXFR and
10230 received an AXFR request, it would deadlock or die
10231 with an assertion failure. [RT #852]
10233 737. [port] stdtime.c failed to compile on certain platforms.
10235 736. [func] New functions isc_task_{begin,end}exclusive().
10237 735. [doc] Add BIND 4 migration notes.
10239 734. [bug] An attempt to re-lock the zone lock could occur if
10240 the server was shutdown during a zone transfer.
10243 733. [bug] Reference counts of dns_acl_t objects need to be
10244 locked but were not. [RT #801, #821]
10246 732. [bug] Glue with 0 TTL could also cause SERVFAIL. [RT #828]
10248 731. [bug] Certain zone errors could cause named-checkzone to
10249 fail ungracefully. [RT #819]
10251 730. [bug] lwres_getaddrinfo() returns the correct result when
10252 it fails to contact a server. [RT #768]
10254 729. [port] pthread_setconcurrency() needs to be called on Solaris.
10256 728. [bug] Fix comment processing on master file directives.
10259 727. [port] Work around OS bug where accept() succeeds but
10260 fails to fill in the peer address of the accepted
10261 connection, by treating it as an error rather than
10262 an assertion failure. [RT #809]
10264 726. [func] Implement the "trace" and "notrace" commands in rndc.
10266 725. [bug] Installing man pages could fail.
10268 724. [func] New libisc functions isc_netaddr_any(),
10269 isc_netaddr_any6().
10271 723. [bug] Referrals whose NS RRs had a 0 TTL caused the resolver
10272 to return DNS_R_SERVFAIL. [RT #783]
10274 722. [func] Allow incremental loads to be canceled.
10276 721. [cleanup] Load manager and dns_master_loadfilequota() are no
10279 720. [bug] Server could enter infinite loop in
10280 dispatch.c:do_cancel(). [RT #733]
10282 719. [bug] Rapid reloads could trigger an assertion failure.
10285 718. [cleanup] "internal" is no longer a reserved word in named.conf.
10288 717. [bug] Certain TKEY processing failure modes could
10289 reference an uninitialized variable, causing the
10290 server to crash. [RT #750]
10292 716. [bug] The first line of a $INCLUDE master file was lost if
10293 an origin was specified. [RT #744]
10295 715. [bug] Resolving some A6 chains could cause an assertion
10296 failure in adb.c. [RT #738]
10298 714. [bug] Preserve interval timers across reloads unless changed.
10301 713. [func] named-checkconf takes '-t directory' similar to named.
10304 712. [bug] Sending a large signed update message caused an
10305 assertion failure. [RT #718]
10307 711. [bug] The libisc and liblwres implementations of
10308 inet_ntop contained an off by one error.
10310 710. [func] The forwarders statement now takes an optional
10313 709. [bug] ANY or SIG queries for data with a TTL of 0
10314 would return SERVFAIL. [RT #620]
10316 708. [bug] When building with --with-openssl, the openssl headers
10317 included with BIND 9 should not be used. [RT #702]
10319 707. [func] The "filename" argument to named-checkzone is no
10320 longer optional, to reduce confusion. [RT #612]
10322 706. [bug] Zones with an explicit "allow-update { none; };"
10323 were considered dynamic and therefore not reloaded
10324 on SIGHUP or "rndc reload".
10326 705. [port] Work out resource limit type for use where rlim_t is
10327 not available. [RT #695]
10329 704. [port] RLIMIT_NOFILE is not available on all platforms.
10332 703. [port] sys/select.h is needed on older platforms. [RT #695]
10334 702. [func] If the address 0.0.0.0 is seen in resolv.conf,
10335 use 127.0.0.1 instead. [RT #693]
10337 701. [func] Root hints are now fully optional. Class IN
10338 views use compiled-in hints by default, as
10339 before. Non-IN views with no root hints now
10340 provide authoritative service but not recursion.
10341 A warning is logged if a view has neither root
10342 hints nor authoritative data for the root. [RT #696]
10344 700. [bug] $GENERATE range check was wrong. [RT #688]
10346 699. [bug] The lexer mishandled empty quoted strings. [RT #694]
10348 698. [bug] Aborting nsupdate with ^C would lead to several
10351 697. [bug] nsupdate was not compatible with the undocumented
10352 BIND 8 behavior of ignoring TTLs in "update delete"
10353 commands. [RT #693]
10355 696. [bug] lwresd would die with an assertion failure when passed
10356 a zero-length name. [RT #692]
10358 695. [bug] If the resolver attempted to query a blackholed or
10359 bogus server, the resolution would fail immediately.
10361 694. [bug] $GENERATE did not produce the last entry.
10364 693. [bug] An empty lwres statement in named.conf caused
10365 the server to crash while loading.
10367 692. [bug] Deal with systems that have getaddrinfo() but not
10368 gai_strerror(). [RT #679]
10370 691. [bug] Configuring per-view forwarders caused an assertion
10371 failure. [RT #675, #734]
10373 690. [func] $GENERATE now supports DNAME. [RT #654]
10375 689. [doc] man pages are now installed. [RT #210]
10377 688. [func] "make tags" now works on systems with the
10378 "Exuberant Ctags" etags.
10380 687. [bug] Only say we have IPv6, with sufficient functionality,
10381 if it has actually been tested. [RT #586]
10383 686. [bug] dig and nslookup can now be properly aborted during
10384 blocking operations. [RT #568]
10386 685. [bug] nslookup should use the search list/domain options
10387 from resolv.conf by default. [RT #405, #630]
10389 684. [bug] Memory leak with view forwarders. [RT #656]
10391 683. [bug] File descriptor leak in isc_lex_openfile().
10393 682. [bug] nslookup displayed SOA records incorrectly. [RT #665]
10395 681. [bug] $GENERATE specifying output format was broken. [RT #653]
10397 680. [bug] dns_rdata_fromstruct() mishandled options bigger
10400 679. [bug] $INCLUDE could leak memory and file descriptors on
10403 678. [bug] "transfer-format one-answer;" could trigger an assertion
10406 677. [bug] dnssec-signzone would occasionally use the wrong ttl
10407 for database operations and fail. [RT #643]
10409 676. [bug] Log messages about lame servers to category
10410 'lame-servers' rather than 'resolver', so as not
10411 to be gratuitously incompatible with BIND 8.
10413 675. [bug] TKEY queries could cause the server to leak
10416 674. [func] Allow messages to be TSIG signed / verified using
10417 a offset from the current time.
10419 673. [func] The server can now convert RFC1886-style recursive
10420 lookup requests into RFC2874-style lookups, when
10421 enabled using the new option "allow-v6-synthesis".
10423 672. [bug] The wrong time was in the "time signed" field when
10424 replying with BADTIME error.
10426 671. [bug] The message code was failing to parse a message with
10427 no question section and a TSIG record. [RT #628]
10429 670. [bug] The lwres replacements for getaddrinfo and
10430 getipnodebyname didn't properly check for the
10431 existence of the sockaddr sa_len field.
10433 669. [bug] dnssec-keygen now makes the public key file
10434 non-world-readable for symmetric keys. [RT #403]
10436 668. [func] named-checkzone now reports multiple errors in master
10439 667. [bug] On Linux, running named with the -u option and a
10440 non-world-readable configuration file didn't work.
10443 666. [bug] If a request sent by dig is longer than 512 bytes,
10446 665. [bug] Signed responses were not sent when the size of the
10447 TSIG + question exceeded the maximum message size.
10450 664. [bug] The t_tasks and t_timers module tests are now skipped
10451 when building without threads, since they require
10454 663. [func] Accept a size_spec, not just an integer, in the
10455 (unimplemented and ignored) max-ixfr-log-size option
10456 for compatibility with recent versions of BIND 8.
10459 662. [bug] dns_rdata_fromtext() failed to log certain errors.
10461 661. [bug] Certain UDP IXFR requests caused an assertion failure
10462 (mpctx->allocated == 0). [RT #355, #394, #623]
10464 660. [port] Detect multiple CPUs on HP-UX and IRIX.
10466 659. [performance] Rewrite the name compression code to be much faster.
10468 658. [cleanup] Remove all vestiges of 16 bit global compression.
10470 657. [bug] When a listen-on statement in an lwres block does not
10471 specify a port, use 921, not 53. Also update the
10472 listen-on documentation. [RT #616]
10474 656. [func] Treat an unescaped newline in a quoted string as
10475 an error. This means that TXT records with missing
10476 close quotes should have meaningful errors printed.
10478 655. [bug] Improve error reporting on unexpected eof when loading
10481 654. [bug] Origin was being forgotten in TCP retries in dig.
10484 653. [bug] +defname option in dig was reversed in sense.
10487 652. [bug] zone_saveunique() did not report the new name.
10489 651. [func] The AD bit in responses now has the meaning
10490 specified in <draft-ietf-dnsext-ad-is-secure>.
10492 650. [bug] SIG(0) records were being generated and verified
10493 incorrectly. [RT #606]
10495 649. [bug] It was possible to join to an already running fctx
10496 after it had "cloned" its events, but before it sent
10497 them. In this case, the event of the newly joined
10498 fetch would not contain the answer, and would
10499 trigger the INSIST() in fctx_sendevents(). In
10500 BIND 9.0, this bug did not trigger an INSIST(), but
10501 caused the fetch to fail with a SERVFAIL result.
10502 [RT #588, #597, #605, #607]
10504 648. [port] Add support for pre-RFC2133 IPv6 implementations.
10506 647. [bug] Resolver queries sent after following multiple
10507 referrals had excessively long retransmission
10508 timeouts due to incorrectly counting the referrals
10511 646. [bug] The UnixWare ISC_PLATFORM_FIXIN6INADDR fix in isc/net.h
10512 didn't _cleanly_ fix the problem it was trying to fix.
10514 645. [port] BSD/OS 3.0 needs pthread_init(). [RT #603]
10516 644. [bug] #622 needed more work. [RT #562]
10518 643. [bug] xfrin error messages made more verbose, added class
10519 of the zone. [RT #599]
10521 642. [bug] Break the exit_check() race in the zone module.
10524 --- 9.1.0b2 released ---
10526 641. [bug] $GENERATE caused a uninitialized link to be used.
10529 640. [bug] Memory leak in error path could cause
10530 "mpctx->allocated == 0" failure. [RT #584]
10532 639. [bug] Reading entropy from the keyboard would sometimes fail.
10535 638. [port] lib/isc/random.c needed to explicitly include time.h
10536 to get a prototype for time() when pthreads was not
10537 being used. [RT #592]
10539 637. [port] Use isc_u?int64_t instead of (unsigned) long long in
10540 lib/isc/print.c. Also allow lib/isc/print.c to
10541 be compiled even if the platform does not need it.
10544 636. [port] Shut up MSVC++ about a possible loss of precision
10545 in the ISC__BUFFER_PUTUINT*() macros. [RT #592]
10547 635. [bug] Reloading a server with a configured blackhole list
10548 would cause an assertion. [RT #590]
10550 634. [bug] A log file will completely stop being written when
10551 it reaches the maximum size in all cases, not just
10552 when versioning is also enabled. [RT #570]
10554 633. [port] Cope with rlim_t missing on BSD/OS systems. [RT #575]
10556 632. [bug] The index array of the journal file was
10557 corrupted as it was written to disk.
10559 631. [port] Build without thread support on systems without
10562 630. [bug] Locking failure in zone code. [RT #582]
10564 629. [bug] 9.1.0b1 dereferenced a null pointer and crashed
10565 when responding to a UDP IXFR request.
10567 628. [bug] If the root hints contained only AAAA addresses,
10568 named would be unable to perform resolution.
10570 627. [bug] The EDNS0 blackhole detection code of change 324
10571 waited for three retransmissions to each server,
10572 which takes much too long when a domain has many
10573 name servers and all of them drop EDNS0 queries.
10574 Now we retry without EDNS0 after three consecutive
10575 timeouts, even if they are all from different
10578 626. [bug] The lightweight resolver daemon no longer crashes
10579 when asked for a SIG rrset. [RT #558]
10581 625. [func] Zones now inherit their class from the enclosing view.
10583 624. [bug] The zone object could get timer events after it had
10584 been destroyed, causing a server crash. [RT #571]
10586 623. [func] Added "named-checkconf" and "named-checkzone" program
10587 for syntax checking named.conf files and zone files,
10590 622. [bug] A canceled request could be destroyed before
10591 dns_request_destroy() was called. [RT #562]
10593 621. [port] Disable IPv6 at runtime if IPv6 sockets are unusable.
10594 This mostly affects Red Hat Linux 7.0, which has
10595 conflicts between libc and the kernel.
10597 620. [bug] dns_master_load*inc() now require 'task' and 'load'
10598 to be non-null. Also 'done' will not be called if
10599 dns_master_load*inc() fails immediately. [RT #565]
10603 618. [bug] Queries to a signed zone could sometimes cause
10604 an assertion failure.
10606 617. [bug] When using dynamic update to add a new RR to an
10607 existing RRset with a different TTL, the journal
10608 entries generated from the update did not include
10609 explicit deletions and re-additions of the existing
10610 RRs to update their TTL to the new value.
10612 616. [func] dnssec-signzone -t output now includes performance
10615 615. [bug] dnssec-signzone did not like child keysets signed
10618 614. [bug] Checks for uninitialized link fields were prone
10619 to false positives, causing assertion failures.
10620 The checks are now disabled by default and may
10621 be re-enabled by defining ISC_LIST_CHECKINIT.
10623 613. [bug] "rndc reload zone" now reloads primary zones.
10624 It previously only updated slave and stub zones,
10625 if an SOA query indicated an out of date serial.
10627 612. [cleanup] Shutup a ridiculously noisy HP-UX compiler that
10628 complains relentlessly about how its treatment
10629 of 'const' has changed as well as how casting
10630 sometimes tightens alignment constraints.
10632 611. [func] allow-notify can be used to permit processing of
10633 notify messages from hosts other than a slave's
10636 610. [func] rndc dumpdb is now supported.
10638 609. [bug] getrrsetbyname() would crash lwresd if the server
10639 found more SIGs than answers. [RT #554]
10641 608. [func] dnssec-signzone now adds a comment to the zone
10642 with the time the file was signed.
10644 607. [bug] nsupdate would fail if it encountered a CNAME or
10645 DNAME in a response to an SOA query. [RT #515]
10647 606. [bug] Compiling with --disable-threads failed due
10648 to isc_thread_self() being incorrectly defined
10649 as an integer rather than a function.
10651 605. [func] New function isc_lex_getlasttokentext().
10653 604. [bug] The named.conf parser could print incorrect line
10654 numbers when long comments were present.
10656 603. [bug] Make dig handle multiple types or classes on the same
10657 query more correctly.
10659 602. [func] Cope automatically with UnixWare's broken
10660 IN6_IS_ADDR_* macros. [RT #539]
10662 601. [func] Return a non-zero exit code if an update fails
10665 600. [bug] Reverse lookups sometimes failed in dig, etc...
10667 599. [func] Added four new functions to the libisc log API to
10668 support i18n messages. isc_log_iwrite(),
10669 isc_log_ivwrite(), isc_log_iwrite1() and
10670 isc_log_ivwrite1() were added.
10672 598. [bug] An update-policy statement would cause the server
10673 to assert while loading. [RT #536]
10675 597. [func] dnssec-signzone is now multi-threaded.
10677 596. [bug] DNS_RDATASLAB_FORCE and DNS_RDATASLAB_EXACT are
10678 not mutually exclusive.
10680 595. [port] On Linux 2.2, socket() returns EINVAL when it
10681 should return EAFNOSUPPORT. Work around this.
10684 594. [func] sdb drivers are now assumed to not be thread-safe
10685 unless the DNS_SDBFLAG_THREADSAFE flag is supplied.
10687 593. [bug] If a secure zone was missing all its NXTs and
10688 a dynamic update was attempted, the server entered
10691 592. [bug] The sig-validity-interval option now specifies a
10692 number of days, not seconds. This matches the
10693 documentation. [RT #529]
10695 --- 9.1.0b1 released ---
10697 591. [bug] Work around non-reentrancy in openssl by disabling
10698 pre-computation in keys.
10700 590. [doc] There are now man pages for the lwres library in
10703 589. [bug] The server could deadlock if a zone was updated
10704 while being transferred out.
10706 588. [bug] ctx->in_use was not being correctly initialized when
10707 when pushing a file for $INCLUDE. [RT #523]
10709 587. [func] A warning is now printed if the "allow-update"
10710 option allows updates based on the source IP
10711 address, to alert users to the fact that this
10712 is insecure and becoming increasingly so as
10713 servers capable of update forwarding are being
10716 586. [bug] multiple views with the same name were fatal. [RT #516]
10718 585. [func] dns_db_addrdataset() and and dns_rdataslab_merge()
10719 now support 'exact' additions in a similar manner to
10720 dns_db_subtractrdataset() and dns_rdataslab_subtract().
10722 584. [func] You can now say 'notify explicit'; to suppress
10723 notification of the servers listed in NS records
10724 and notify only those servers listed in the
10725 'also-notify' option.
10727 583. [func] "rndc querylog" will now toggle logging of
10728 queries, like "ndc querylog" in BIND 8.
10730 582. [bug] dns_zone_idetach() failed to lock the zone.
10733 581. [bug] log severity was not being correctly processed.
10736 580. [func] Ignore trailing garbage on incoming DNS packets,
10737 for interoperability with broken server
10738 implementations. [RT #491]
10740 579. [bug] nsupdate did not take a filename to read update from.
10743 578. [func] New config option "notify-source", to specify the
10744 source address for notify messages.
10746 577. [func] Log illegal RDATA combinations. e.g. multiple
10747 singleton types, cname and other data.
10749 576. [doc] isc_log_create() description did not match reality.
10751 575. [bug] isc_log_create() was not setting internal state
10752 correctly to reflect the default channels created.
10754 574. [bug] TSIG signed queries sent by the resolver would fail to
10755 have their responses validated and would leak memory.
10757 573. [bug] The journal files of IXFRed slave zones were
10758 inadvertently discarded on server reload, causing
10759 "journal out of sync with zone" errors on subsequent
10762 572. [bug] Quoted strings were not accepted as key names in
10763 address match lists.
10765 571. [bug] It was possible to create an rdataset of singleton
10766 type which had more than one rdata. [RT #154]
10769 570. [bug] rbtdb.c allowed zones containing nodes which had
10770 both a CNAME and "other data". [RT #154]
10772 569. [func] The DNSSEC AD bit will not be set on queries which
10773 have not requested a DNSSEC response.
10775 568. [func] Add sample simple database drivers in contrib/sdb.
10777 567. [bug] Setting the zone transfer timeout to zero caused an
10778 assertion failure. [RT #302]
10780 566. [func] New public function dns_timer_setidle().
10782 565. [func] Log queries more like BIND 8: query logging is now
10783 done to category "queries", level "info". [RT #169]
10785 564. [func] Add sortlist support to lwresd.
10787 563. [func] New public functions dns_rdatatype_format() and
10788 dns_rdataclass_format(), for convenient formatting
10789 of rdata type/class mnemonics in log messages.
10791 562. [cleanup] Moved lib/dns/*conf.c to bin/named where they belong.
10793 561. [func] The 'datasize', 'stacksize', 'coresize' and 'files'
10794 clauses of the options{} statement are now implemented.
10796 560. [bug] dns_name_split did not properly the resulting prefix
10797 when a maximal length bitstring label was split which
10798 was preceded by another bitstring label. [RT #429]
10800 559. [bug] dns_name_split did not properly create the suffix
10801 when splitting within a maximal length bitstring label.
10803 558. [func] New functions, isc_resource_getlimit and
10804 isc_resource_setlimit.
10806 557. [func] Symbolic constants for libisc integral types.
10808 556. [func] The DNSSEC OK bit in the EDNS extended flags
10809 is now implemented. Responses to queries without
10810 this bit set will not contain any DNSSEC records.
10812 555. [bug] A slave server attempting a zone transfer could
10813 crash with an assertion failure on certain
10814 malformed responses from the master. [RT #457]
10816 554. [bug] In some cases, not all of the dnssec tools were
10817 properly installed.
10819 553. [bug] Incoming zone transfers deferred due to quota
10820 were not started when quota was increased but
10821 only when a transfer in progress finished. [RT #456]
10823 552. [bug] We were not correctly detecting the end of all c-style
10824 comments. [RT #455]
10826 551. [func] Implemented the 'sortlist' option.
10828 550. [func] Support unknown rdata types and classes.
10830 549. [bug] "make" did not immediately abort the build when a
10831 subdirectory make failed [RT #450].
10833 548. [func] The lexer now ungets tokens more correctly.
10837 546. [func] Option 'lame-ttl' is now implemented.
10839 545. [func] Name limit and counting options removed from dig;
10840 they didn't work properly, and cannot be correctly
10841 implemented without significant changes.
10843 544. [func] Add statistics option, enable statistics-file option,
10844 add RNDC option "dump-statistics" to write out a
10845 query statistics file.
10847 543. [doc] The 'port' option is now documented.
10849 542. [func] Add support for update forwarding as required for
10850 full compliance with RFC2136. It is turned off
10851 by default and can be enabled using the
10852 'allow-update-forwarding' option.
10854 541. [func] Add bogus server support.
10856 540. [func] Add dialup support.
10858 539. [func] Support the blackhole option.
10860 538. [bug] fix buffer overruns by 1 in lwres_getnameinfo().
10864 536. [func] Use transfer-source{-v6} when sending refresh queries.
10865 Transfer-source{-v6} now take a optional port
10866 parameter for setting the UDP source port. The port
10867 parameter is ignored for TCP.
10869 535. [func] Use transfer-source{-v6} when forwarding update
10872 534. [func] Ancestors have been removed from RBT chains. Ancestor
10873 information can be discerned via node parent pointers.
10875 533. [func] Incorporated name hashing into the RBT database to
10876 improve search speed.
10878 532. [func] Implement DNS UPDATE pseudo records using
10879 DNS_RDATA_UPDATE flag.
10881 531. [func] Rdata really should be initialized before being assigned
10882 to (dns_rdata_fromwire(), dns_rdata_fromtext(),
10883 dns_rdata_clone(), dns_rdata_fromregion()),
10886 530. [func] New function dns_rdata_invalidate().
10888 529. [bug] 521 contained a bug which caused zones to always
10891 528. [func] The ISC_LIST_XXXX macros now perform sanity checks
10892 on their arguments. ISC_LIST_XXXXUNSAFE can be use
10893 to skip the checks however use with caution.
10895 527. [func] New function dns_rdata_clone().
10897 526. [bug] nsupdate incorrectly refused to add RRs with a TTL
10900 525. [func] New arguments 'options' for dns_db_subtractrdataset(),
10901 and 'flags' for dns_rdataslab_subtract() allowing you
10902 to request that the RR's must exist prior to deletion.
10903 DNS_R_NOTEXACT is returned if the condition is not met.
10905 524. [func] The 'forward' and 'forwarders' statement in
10906 non-forward zones should work now.
10908 523. [doc] The source to the Administrator Reference Manual is
10909 now an XML file using the DocBook DTD, and is included
10910 in the distribution. The plain text version of the
10911 ARM is temporarily unavailable while we figure out
10912 how to generate readable plain text from the XML.
10914 522. [func] The lightweight resolver daemon can now use
10915 a real configuration file, and its functionality
10916 can be provided by a name server. Also, the -p and -P
10917 options to lwresd have been reversed.
10919 521. [bug] Detect master files which contain $INCLUDE and always
10922 520. [bug] Upgraded libtool to 1.3.5, which makes shared
10923 library builds almost work on AIX (and possibly
10926 519. [bug] dns_name_split() would improperly split some bitstring
10927 labels, zeroing a few of the least significant bits in
10928 the prefix part. When such an improperly created
10929 prefix was returned to the RBT database, the bogus
10930 label was dutifully stored, corrupting the tree.
10933 518. [bug] The resolver did not realize that a DNAME which was
10934 "the answer" to the client's query was "the answer",
10935 and such queries would fail. [RT #399]
10937 517. [bug] The resolver's DNAME code would trigger an assertion
10938 if there was more than one DNAME in the chain.
10941 516. [bug] Cache lookups which had a NULL node pointer, e.g.
10942 those by dns_view_find(), and which would match a
10943 DNAME, would trigger an INSIST(!search.need_cleanup)
10944 assertion. [RT #399]
10946 515. [bug] The ssu table was not being attached / detached
10947 by dns_zone_[sg]etssutable. [RT #397]
10949 514. [func] Retry refresh and notify queries if they timeout.
10952 513. [func] New functionality added to rdnc and server to allow
10953 individual zones to be refreshed or reloaded.
10955 512. [bug] The zone transfer code could throw an exception with
10956 an invalid IXFR stream.
10958 511. [bug] The message code could throw an assertion on an
10959 out of memory failure. [RT #392]
10961 510. [bug] Remove spurious view notify warning. [RT #376]
10963 509. [func] Add support for write of zone files on shutdown.
10965 508. [func] dns_message_parse() can now do a best-effort
10966 attempt, which should allow dig to print more invalid
10969 507. [func] New functions dns_zone_flush(), dns_zt_flushanddetach()
10970 and dns_view_flushanddetach().
10972 506. [func] Do not fail to start on errors in zone files.
10974 505. [bug] nsupdate was printing "unknown result code". [RT #373]
10976 504. [bug] The zone was not being marked as dirty when updated via
10979 503. [bug] dumptime was not being set along with
10980 DNS_ZONEFLG_NEEDDUMP.
10982 502. [func] On a SERVFAIL reply, DiG will now try the next server
10983 in the list, unless the +fail option is specified.
10985 501. [bug] Incorrect port numbers were being displayed by
10986 nslookup. [RT #352]
10988 500. [func] Nearly useless +details option removed from DiG.
10990 499. [func] In DiG, specifying a class with -c or type with -t
10991 changes command-line parsing so that classes and
10992 types are only recognized if following -c or -t.
10993 This allows hosts with the same name as a class or
10994 type to be looked up.
10996 498. [doc] There is now a man page for "dig"
10997 in doc/man/bin/dig.1.
10999 497. [bug] The error messages printed when an IP match list
11000 contained a network address with a nonzero host
11001 part where not sufficiently detailed. [RT #365]
11003 496. [bug] named didn't sanity check numeric parameters. [RT #361]
11005 495. [bug] nsupdate was unable to handle large records. [RT #368]
11007 494. [func] Do not cache NXDOMAIN responses for SOA queries.
11009 493. [func] Return non-cachable (ttl = 0) NXDOMAIN responses
11010 for SOA queries. This makes it easier to locate
11011 the containing zone without polluting intermediate
11014 492. [bug] attempting to reload a zone caused the server fail
11015 to shutdown cleanly. [RT #360]
11017 491. [bug] nsupdate would segfault when sending certain
11018 prerequisites with empty RDATA. [RT #356]
11020 490. [func] When a slave/stub zone has not yet successfully
11021 obtained an SOA containing the zone's configured
11022 retry time, perform the SOA query retries using
11023 exponential backoff. [RT #337]
11025 489. [func] The zone manager now has a "i/o" queue.
11027 488. [bug] Locks weren't properly destroyed in some cases.
11029 487. [port] flockfile() is not defined on all systems.
11031 486. [bug] nslookup: "set all" and "server" commands showed
11032 the incorrect port number if a port other than 53
11033 was specified. [RT #352]
11035 485. [func] When dig had more than one server to query, it would
11036 send all of the messages at the same time. Add
11037 rate limiting of the transmitted messages.
11039 484. [bug] When the server was reloaded after removing addresses
11040 from the named.conf "listen-on" statement, sockets
11041 were still listening on the removed addresses due
11042 to reference count loops. [RT #325]
11044 483. [bug] nslookup: "set all" showed a "search" option but it
11047 482. [bug] nslookup: a plain "server" or "lserver" should be
11048 treated as a lookup.
11050 481. [bug] nslookup:get_next_command() stack size could exceed
11053 480. [bug] strtok() is not thread safe. [RT #349]
11055 479. [func] The test suite can now be run by typing "make check"
11056 or "make test" at the top level.
11058 478. [bug] "make install" failed if the directory specified with
11059 --prefix did not already exist.
11061 477. [bug] The the isc-config.sh script could be installed before
11062 its directory was created. [RT #324]
11064 476. [bug] A zone could expire while a zone transfer was in
11065 progress triggering a INSIST failure. [RT #329]
11067 475. [bug] query_getzonedb() sometimes returned a non-null version
11068 on failure. This caused assertion failures when
11069 generating query responses where names subject to
11070 additional section processing pointed to a zone
11071 to which access had been denied by means of the
11072 allow-query option. [RT #336]
11074 474. [bug] The mnemonic of the CHAOS class is CH according to
11075 RFC1035, but it was printed and read only as CHAOS.
11076 We now accept both forms as input, and print it
11079 473. [bug] nsupdate overran the end of the list of name servers
11080 when no servers could be reached, typically causing
11081 it to print the error message "dns_request_create:
11084 472. [bug] Off-by-one error caused isc_time_add() to sometimes
11085 produce invalid time values.
11087 471. [bug] nsupdate didn't compile on HP/UX 10.20
11089 470. [func] $GENERATE is now supported. See also
11090 doc/misc/migration.
11092 469. [bug] "query-source address * port 53;" now works.
11094 468. [bug] dns_master_load*() failed to report file and line
11095 number in certain error conditions.
11097 467. [bug] dns_master_load*() failed to log an error if
11100 466. [bug] dns_master_load*() could return success when it failed.
11102 465. [cleanup] Allow 0 to be set as an omapi_value_t value by
11103 omapi_value_storeint().
11105 464. [cleanup] Build with openssl's RSA code instead of dnssafe.
11107 463. [bug] nsupdate sent malformed SOA queries to the second
11108 and subsequent name servers in resolv.conf if the
11109 query sent to the first one failed.
11111 462. [bug] --disable-ipv6 should work now.
11113 461. [bug] Specifying an unknown key in the "keys" clause of the
11114 "controls" statement caused a NULL pointer dereference.
11117 460. [bug] Much of the DNSSEC code only worked with class IN.
11119 459. [bug] Nslookup processed the "set" command incorrectly.
11121 458. [bug] Nslookup didn't properly check class and type values.
11124 457. [bug] Dig/host/hslookup didn't properly handle connect
11125 timeouts in certain situations, causing an
11126 unnecessary warning message to be printed.
11128 456. [bug] Stub zones were not resetting the refresh and expire
11129 counters, loadtime or clearing the DNS_ZONE_REFRESH
11130 (refresh in progress) flag upon successful update.
11131 This disabled further refreshing of the stub zone,
11132 causing it to eventually expire. [RT #300]
11134 455. [doc] Document IPv4 prefix notation does not require a
11135 dotted decimal quad but may be just dotted decimal.
11137 454. [bug] Enforce dotted decimal and dotted decimal quad where
11138 documented as such in named.conf. [RT #304, RT #311]
11140 453. [bug] Warn if the obsolete option "maintain-ixfr-base"
11141 is specified in named.conf. [RT #306]
11143 452. [bug] Warn if the unimplemented option "statistics-file"
11144 is specified in named.conf. [RT #301]
11146 451. [func] Update forwarding implemented.
11148 450. [func] New function ns_client_sendraw().
11150 449. [bug] isc_bitstring_copy() only works correctly if the
11151 two bitstrings have the same lsb0 value, but this
11152 requirement was not documented, nor was there a
11155 448. [bug] Host output formatting change, to match v8. [RT #255]
11157 447. [bug] Dig didn't properly retry in TCP mode after
11158 a truncated reply. [RT #277]
11160 446. [bug] Confusing notify log message. [RT #298]
11162 445. [bug] Doing a 0 bit isc_bitstring_copy() of an lsb0
11163 bitstring triggered a REQUIRE statement. The REQUIRE
11164 statement was incorrect. [RT #297]
11166 444. [func] "recursion denied" messages are always logged at
11167 debug level 1, now, rather than sometimes at ERROR.
11168 This silences these warnings in the usual case, where
11169 some clients set the RD bit in all queries.
11171 443. [bug] When loading a master file failed because of an
11172 unrecognized RR type name, the error message
11173 did not include the file name and line number.
11176 442. [bug] TSIG signed messages that did not match any view
11177 crashed the server. [RT #290]
11179 441. [bug] Nodes obscured by a DNAME were inaccessible even
11180 when DNS_DBFIND_GLUEOK was set.
11182 440. [func] New function dns_zone_forwardupdate().
11184 439. [func] New function dns_request_createraw().
11186 438. [func] New function dns_message_getrawmessage().
11188 437. [func] Log NOTIFY activity to the notify channel.
11190 436. [bug] If recvmsg() returned EHOSTUNREACH or ENETUNREACH,
11191 which sometimes happens on Linux, named would enter
11192 a busy loop. Also, unexpected socket errors were
11193 not logged at a high enough logging level to be
11194 useful in diagnosing this situation. [RT #275]
11196 435. [bug] dns_zone_dump() overwrote existing zone files
11197 rather than writing to a temporary file and
11198 renaming. This could lead to empty or partial
11199 zone files being left around in certain error
11200 conditions involving the initial transfer of a
11201 slave zone, interfering with subsequent server
11204 434. [func] New function isc_file_isabsolute().
11206 433. [func] isc_base64_decodestring() now accepts newlines
11207 within the base64 data. This makes it possible
11208 to break up the key data in a "trusted-keys"
11209 statement into multiple lines. [RT #284]
11211 432. [func] Added refresh/retry jitter. The actual refresh/
11212 retry time is now a random value between 75% and
11213 100% of the configured value.
11215 431. [func] Log at ISC_LOG_INFO when a zone is successfully
11218 430. [bug] Rewrote the lightweight resolver client management
11219 code to handle shutdown correctly and general
11222 429. [bug] The space reserved for a TSIG record in a response
11223 was 2 bytes too short, leading to message
11224 generation failures.
11226 428. [bug] rbtdb.c:find_closest_nxt() erroneously returned
11227 DNS_R_BADDB for nodes which had neither NXT nor SIG NXT
11228 (e.g. glue). This could cause SERVFAILs when
11229 generating negative responses in a secure zone.
11231 427. [bug] Avoid going into an infinite loop when the validator
11232 gets a negative response to a key query where the
11233 records are signed by the missing key.
11235 426. [bug] Attempting to generate an oversized RSA key could
11236 cause dnssec-keygen to dump core.
11238 425. [bug] Warn about the auth-nxdomain default value change
11239 if there is no auth-nxdomain statement in the
11240 config file. [RT #287]
11242 424. [bug] notify_createmessage() could trigger an assertion
11243 failure when creating the notify message failed,
11244 e.g. due to corrupt zones with multiple SOA records.
11247 423. [bug] When responding to a recursive query, errors that occur
11248 after following a CNAME should cause the query to fail.
11251 422. [func] get rid of isc_random_t, and make isc_random_get()
11252 and isc_random_jitter() use rand() internally
11253 instead of local state. Note that isc_random_*()
11254 functions are only for weak, non-critical "randomness"
11255 such as timing jitter and such.
11257 421. [bug] nslookup would exit when given a blank line as input.
11259 420. [bug] nslookup failed to implement the "exit" command.
11261 419. [bug] The certificate type PKIX was misspelled as SKIX.
11263 418. [bug] At debug levels >= 10, getting an unexpected
11264 socket receive error would crash the server
11265 while trying to log the error message.
11267 417. [func] Add isc_app_block() and isc_app_unblock(), which
11268 allow an application to handle signals while
11271 416. [bug] Slave zones with no master file tried to use a
11272 NULL pointer for a journal file name when they
11273 received an IXFR. [RT #273]
11275 415. [bug] The logging code leaked file descriptors.
11277 414. [bug] Server did not shut down until all incoming zone
11278 transfers were finished.
11280 413. [bug] Notify could attempt to use the zone database after
11281 it had been unloaded. [RT #267]
11283 412. [bug] named -v didn't print the version.
11285 411. [bug] A typo in the HS A code caused an assertion failure.
11287 410. [bug] lwres_gethostbyname() and company set lwres_h_errno
11288 to a random value on success.
11290 409. [bug] If named was shut down early in the startup
11291 process, ns_omapi_shutdown() would attempt to lock
11292 an uninitialized mutex. [RT #262]
11294 408. [bug] stub zones could leak memory and reference counts if
11295 all the masters were unreachable.
11297 407. [bug] isc_rwlock_lock() would needlessly block
11298 readers when it reached the read quota even
11299 if no writers were waiting.
11301 406. [bug] Log messages were occasionally lost or corrupted
11302 due to a race condition in isc_log_doit().
11304 405. [func] Add support for selective forwarding (forward zones)
11306 404. [bug] The request library didn't completely work with IPv6.
11308 403. [bug] "host" did not use the search list.
11310 402. [bug] Treat undefined acls as errors, rather than
11311 warning and then later throwing an assertion.
11314 401. [func] Added simple database API.
11316 400. [bug] SIG(0) signing and verifying was done incorrectly.
11319 399. [bug] When reloading the server with a config file
11320 containing a syntax error, it could catch an
11321 assertion failure trying to perform zone
11322 maintenance on, or sending notifies from,
11323 tentatively created zones whose views were
11324 never fully configured and lacked an address
11325 database and request manager.
11327 398. [bug] "dig" sometimes caught an assertion failure when
11328 using TSIG, depending on the key length.
11330 397. [func] Added utility functions dns_view_gettsig() and
11331 dns_view_getpeertsig().
11333 396. [doc] There is now a man page for "nsupdate"
11334 in doc/man/bin/nsupdate.8.
11336 395. [bug] nslookup printed incorrect RR type mnemonics
11337 for RRs of type >= 21 [RT #237].
11339 394. [bug] Current name was not propagated via $INCLUDE.
11341 393. [func] Initial answer while loading (awl) support.
11342 Entry points: dns_master_loadfileinc(),
11343 dns_master_loadstreaminc(), dns_master_loadbufferinc().
11344 Note: calls to dns_master_load*inc() should be rate
11345 be rate limited so as to not use up all file
11348 392. [func] Add ISC_R_FAMILYNOSUPPORT. Returned when OS does
11349 not support the given address family requested.
11351 391. [clarity] ISC_R_FAMILY -> ISC_R_FAMILYMISMATCH.
11353 390. [func] The function dns_zone_setdbtype() now takes
11354 an argc/argv style vector of words and sets
11355 both the zone database type and its arguments,
11356 making the functions dns_zone_adddbarg()
11357 and dns_zone_cleardbargs() unnecessary.
11359 389. [bug] Attempting to send a request over IPv6 using
11360 dns_request_create() on a system without IPv6
11361 support caused an assertion failure [RT #235].
11363 388. [func] dig and host can now do reverse ipv6 lookups.
11365 387. [func] Add dns_byaddr_createptrname(), which converts
11366 an address into the name used by a PTR query.
11368 386. [bug] Missing strdup() of ACL name caused random
11369 ACL matching failures [RT #228].
11371 385. [cleanup] Removed functions dns_zone_equal(), dns_zone_print(),
11372 and dns_zt_print().
11374 384. [bug] nsupdate was incorrectly limiting TTLs to 65535 instead
11377 383. [func] When writing a master file, print the SOA and NS
11378 records (and their SIGs) before other records.
11380 382. [bug] named -u failed on many Linux systems where the
11381 libc provided kernel headers do not match
11382 the current kernel.
11384 381. [bug] Check for IPV6_RECVPKTINFO and use it instead of
11385 IPV6_PKTINFO if found. [RT #229]
11387 380. [bug] nsupdate didn't work with IPv6.
11389 379. [func] New library function isc_sockaddr_anyofpf().
11391 378. [func] named and lwresd will log the command line arguments
11392 they were started with in the "starting ..." message.
11394 377. [bug] When additional data lookups were refused due to
11395 "allow-query", the databases were still being
11396 attached causing reference leaks.
11398 376. [bug] The server should always use good entropy when
11399 performing cryptographic functions needing entropy.
11401 375. [bug] Per-zone "allow-query" did not properly override the
11402 view/global one for CNAME targets and additional
11405 374. [bug] SOA in authoritative negative responses had wrong TTL.
11407 373. [func] nslookup is now installed by "make install".
11409 372. [bug] Deal with Microsoft DNS servers appending two bytes of
11410 garbage to zone transfer requests.
11412 371. [bug] At high debug levels, doing an outgoing zone transfer
11413 of a very large RRset could cause an assertion failure
11416 370. [bug] The error messages for roll-forward failures were
11419 369. [func] Support new named.conf options, view and zone
11422 max-retry-time, min-retry-time,
11423 max-refresh-time, min-refresh-time.
11425 368. [func] Restructure the internal ".bind" view so that more
11426 zones can be added to it.
11428 367. [bug] Allow proper selection of server on nslookup command
11431 366. [func] Allow use of '-' batch file in dig for stdin.
11433 365. [bug] nsupdate -k leaked memory.
11435 364. [func] Added additional-from-{cache,auth}
11439 362. [bug] rndc no longer aborts if the configuration file is
11440 missing an options statement. [RT #209]
11442 361. [func] When the RBT find or chain functions set the name and
11443 origin for a node that stores the root label
11444 the name is now set to an empty name, instead of ".",
11445 to simplify later use of the name and origin by
11446 dns_name_concatenate(), dns_name_totext() or
11449 360. [func] dns_name_totext() and dns_name_format() now allow
11450 an empty name to be passed, which is formatted as "@".
11452 359. [bug] dnssec-signzone occasionally signed glue records.
11454 358. [cleanup] Rename the intermediate files used by the dnssec
11457 357. [bug] The zone file parser crashed if the argument
11458 to $INCLUDE was a quoted string.
11460 356. [cleanup] isc_task_send no longer requires event->sender to
11463 355. [func] Added isc_dir_createunique(), similar to mkdtemp().
11465 354. [doc] Man pages for the dnssec tools are now included in
11466 the distribution, in doc/man/dnssec.
11468 353. [bug] double increment in lwres/gethost.c:copytobuf().
11471 352. [bug] Race condition in dns_client_t startup could cause
11472 an assertion failure.
11474 351. [bug] Constructing a response with rcode SERVFAIL to a TSIG
11475 signed query could crash the server.
11477 350. [bug] Also-notify lists specified in the global options
11478 block were not correctly reference counted, causing
11481 349. [bug] Processing a query with the CD bit set now works
11484 348. [func] New boolean named.conf options 'additional-from-auth'
11485 and 'additional-from-cache' now supported in view and
11486 global options statement.
11488 347. [bug] Don't crash if an argument is left off options in dig.
11492 345. [bug] Large-scale changes/cleanups to dig:
11493 * Significantly improve structure handling
11494 * Don't pre-load entire batch files
11495 * Add name/rr counting/limiting
11496 * Fix SIGINT handling
11497 * Shorten timeouts to match v8's behavior
11499 344. [bug] When shutting down, lwresd sometimes tried
11500 to shut down its client tasks twice,
11501 triggering an assertion.
11503 343. [bug] Although zone maintenance SOA queries and
11504 notify requests were signed with TSIG keys
11505 when configured for the server in case,
11506 the TSIG was not verified on the response.
11508 342. [bug] The wrong name was being passed to
11509 dns_name_dup() when generating a TSIG
11512 341. [func] Support 'key' clause in named.conf zone masters
11513 statement to allow authentication via TSIG keys:
11516 10.0.0.1 port 5353 key "foo";
11520 340. [bug] The top-level COPYRIGHT file was missing from
11523 339. [bug] DNSSEC validation of the response to an ANY
11524 query at a name with a CNAME RR in a secure
11525 zone triggered an assertion failure.
11527 338. [bug] lwresd logged to syslog as named, not lwresd.
11529 337. [bug] "dig" did not recognize "nsap-ptr" as an RR type
11530 on the command line.
11532 336. [bug] "dig -f" used 64 k of memory for each line in
11533 the file. It now uses much less, though still
11534 proportionally to the file size.
11536 335. [bug] named would occasionally attempt recursion when
11537 it was disallowed or undesired.
11539 334. [func] Added hmac-md5 to libisc.
11541 333. [bug] The resolver incorrectly accepted referrals to
11542 domains that were not parents of the query name,
11543 causing assertion failures.
11545 332. [func] New function dns_name_reset().
11547 331. [bug] Only log "recursion denied" if RD is set. [RT #178]
11549 330. [bug] Many debugging messages were partially formatted
11550 even when debugging was turned off, causing a
11551 significant decrease in query performance.
11553 329. [func] omapi_auth_register() now takes a size_t argument for
11554 the length of a key's secret data. Previously
11555 OMAPI only stored secrets up to the first NUL byte.
11557 328. [func] Added isc_base64_decodestring().
11559 327. [bug] rndc.conf parser wasn't correctly recognizing an IP
11560 address where a host specification was required.
11562 326. [func] 'keys' in an 'inet' control statement is now
11563 required and must have at least one item in it.
11564 A "not supported" warning is now issued if a 'unix'
11565 control channel is defined.
11567 325. [bug] isc_lex_gettoken was processing octal strings when
11568 ISC_LEXOPT_CNUMBER was not set.
11570 324. [func] In the resolver, turn EDNS0 off if there is no
11571 response after a number of retransmissions.
11572 This is to allow queries some chance of succeeding
11573 even if all the authoritative servers of a zone
11574 silently discard EDNS0 requests instead of
11575 sending an error response like they ought to.
11577 323. [bug] dns_rbt_findname() did not ignore empty rbt nodes.
11578 Because of this, servers authoritative for a parent
11579 and grandchild zone but not authoritative for the
11580 intervening child zone did not correctly issue
11581 referrals to the servers of the child zone.
11583 322. [bug] Queries for KEY RRs are now sent to the parent
11584 server before the authoritative one, making
11585 DNSSEC insecurity proofs work in many cases
11586 where they previously didn't.
11588 321. [bug] When synthesizing a CNAME RR for a DNAME
11589 response, query_addcname() failed to initialize
11590 the type and class of the CNAME dns_rdata_t,
11591 causing random failures.
11593 320. [func] Multiple rndc changes: parses an rndc.conf file,
11594 uses authentication to talk to named, command
11595 line syntax changed. This will all be described
11598 319. [func] The named.conf "controls" statement is now used
11599 to configure the OMAPI command channel.
11601 318. [func] dns_c_ndcctx_destroy() could never return anything
11602 except ISC_R_SUCCESS; made it have void return instead.
11604 317. [func] Use callbacks from libomapi to determine if a
11605 new connection is valid, and if a key requested
11606 to be used with that connection is valid.
11608 316. [bug] Generate a warning if we detect an unexpected <eof>
11609 but treat as <eol><eof>.
11611 315. [bug] Handle non-empty blanks lines. [RT #163]
11613 314. [func] The named.conf controls statement can now have
11614 more than one key specified for the inet clause.
11616 313. [bug] When parsing resolv.conf, don't terminate on an
11617 error. Instead, parse as much as possible, but
11618 still return an error if one was found.
11620 312. [bug] Increase the number of allowed elements in the
11621 resolv.conf search path from 6 to 8. If there
11622 are more than this, ignore the remainder rather
11623 than returning a failure in lwres_conf_parse.
11625 311. [bug] lwres_conf_parse failed when the first line of
11626 resolv.conf was empty or a comment.
11628 310. [func] Changes to named.conf "controls" statement (inet
11631 - support "keys" clause
11635 allow { any; } keys { "foo"; }
11638 - allow "port xxx" to be left out of statement,
11639 in which case it defaults to omapi's default port
11642 309. [bug] When sending a referral, the server did not look
11643 for name server addresses as glue in the zone
11644 holding the NS RRset in the case where this zone
11645 was not the same as the one where it looked for
11646 name server addresses as authoritative data.
11648 308. [bug] Treat a SOA record not at top of zone as an error
11649 when loading a zone. [RT #154]
11651 307. [bug] When canceling a query, the resolver didn't check for
11652 isc_socket_sendto() calls that did not yet have their
11653 completion events posted, so it could (rarely) end up
11654 destroying the query context and then want to use
11655 it again when the send event posted, triggering an
11656 assertion as it tried to cancel an already-canceled
11659 306. [bug] Reading HMAC-MD5 private key files didn't work.
11661 305. [bug] When reloading the server with a config file
11662 containing a syntax error, it could catch an
11663 assertion failure trying to perform zone
11664 maintenance on tentatively created zones whose
11665 views were never fully configured and lacked
11666 an address database.
11668 304. [bug] If more than LWRES_CONFMAXNAMESERVERS servers
11669 are listed in resolv.conf, silently ignore them
11670 instead of returning failure.
11672 303. [bug] Add additional sanity checks to differentiate a AXFR
11673 response vs a IXFR response. [RT #157]
11675 302. [bug] In dig, host, and nslookup, MXNAME should be large
11676 enough to hold any legal domain name in presentation
11677 format + terminating NULL.
11679 301. [bug] Uninitialized pointer in host:printmessage(). [RT #159]
11681 300. [bug] Using both <isc/net.h> and <lwres/net.h> didn't work
11682 on platforms lacking IPv6 because each included their
11683 own ipv6 header file for the missing definitions. Now
11684 each library's ipv6.h defines the wrapper symbol of
11685 the other (ISC_IPV6_H and LWRES_IPV6_H).
11687 299. [cleanup] Get the user and group information before changing the
11688 root directory, so the administrator does not need to
11689 keep a copy of the user and group databases in the
11690 chroot'ed environment. Suggested by Hakan Olsson.
11692 298. [bug] A mutex deadlock occurred during shutdown of the
11693 interface manager under certain conditions.
11694 Digital Unix systems were the most affected.
11696 297. [bug] Specifying a key name that wasn't fully qualified
11697 in certain parts of the config file could cause
11698 an assertion failure.
11700 296. [bug] "make install" from a separate build directory
11701 failed unless configure had been run in the source
11704 295. [bug] When invoked with type==CNAME and a message
11705 not constructed by dns_message_parse(),
11706 dns_message_findname() failed to find anything
11707 due to checking for attribute bits that are set
11708 only in dns_message_parse(). This caused an
11709 infinite loop when constructing the response to
11710 an ANY query at a CNAME in a secure zone.
11712 294. [bug] If we run out of space in while processing glue
11713 when reading a master file and commit "current name"
11714 reverts to "name_current" instead of staying as
11717 293. [port] Add support for FreeBSD 4.0 system tests.
11719 292. [bug] Due to problems with the way some operating systems
11720 handle simultaneous listening on IPv4 and IPv6
11721 addresses, the server no longer listens on IPv6
11722 addresses by default. To revert to the previous
11723 behavior, specify "listen-on-v6 { any; };" in
11726 291. [func] Caching servers no longer send outgoing queries
11727 over TCP just because the incoming recursive query
11730 290. [cleanup] +twiddle option to dig (for testing only) removed.
11732 289. [cleanup] dig is now installed in $bindir instead of $sbindir.
11733 host is now installed in $bindir. (Be sure to remove
11734 any $sbindir/dig from a previous release.)
11736 288. [func] rndc is now installed by "make install" into $sbindir.
11738 287. [bug] rndc now works again as "rndc 127.1 reload" (for
11739 only that task). Parsing its configuration file and
11740 using digital signatures for authentication has been
11741 disabled until named supports the "controls" statement,
11744 286. [bug] On Solaris 2, when named inherited a signal state
11745 where SIGHUP had the SIG_IGN action, SIGHUP would
11746 be ignored rather than causing the server to reload
11749 285. [bug] A change made to the dst API for beta4 inadvertently
11750 broke OMAPI's creation of a dst key from an incoming
11751 message, causing an assertion to be triggered. Fixed.
11753 284. [func] The DNSSEC key generation and signing tools now
11754 generate randomness from keyboard input on systems
11755 that lack /dev/random.
11757 283. [cleanup] The 'lwresd' program is now a link to 'named'.
11759 282. [bug] The lexer now returns ISC_R_RANGE if parsed integer is
11760 too big for an unsigned long.
11762 281. [bug] Fixed list of recognized config file category names.
11764 280. [func] Add isc-config.sh, which can be used to more
11765 easily build applications that link with
11768 279. [bug] Private omapi function symbols shared between
11769 two or more files in libomapi.a were not namespace
11770 protected using the ISC convention of starting with
11771 the library name and two underscores ("omapi__"...)
11773 278. [bug] bin/named/logconf.c:category_fromconf() didn't take
11774 note of when isc_log_categorybyname() wasn't able
11775 to find the category name and would then apply the
11776 channel list of the unknown category to all categories.
11778 277. [bug] isc_log_categorybyname() and isc_log_modulebyname()
11779 would fail to find the first member of any category
11780 or module array apart from the internal defaults.
11781 Thus, for example, the "notify" category was improperly
11782 configured by named.
11784 276. [bug] dig now supports maximum sized TCP messages.
11786 275. [bug] The definition of lwres_gai_strerror() was missing
11789 274. [bug] TSIG AXFR verify failed when talking to a BIND 8
11792 273. [func] The default for the 'transfer-format' option is
11793 now 'many-answers'. This will break zone transfers
11794 to BIND 4.9.5 and older unless there is an explicit
11795 'one-answer' configuration.
11797 272. [bug] The sending of large TCP responses was canceled
11798 in mid-transmission due to a race condition
11799 caused by the failure to set the client object's
11800 "newstate" variable correctly when transitioning
11801 to the "working" state.
11803 271. [func] Attempt to probe the number of cpus in named
11804 if unspecified rather than defaulting to 1.
11806 270. [func] Allow maximum sized TCP answers.
11808 269. [bug] Failed DNSSEC validations could cause an assertion
11809 failure by causing clone_results() to be called with
11810 with hevent->node == NULL.
11812 268. [doc] A plain text version of the Administrator
11813 Reference Manual is now included in the distribution,
11814 as doc/arm/Bv9ARM.txt.
11816 267. [func] Nsupdate is now provided in the distribution.
11818 266. [bug] zone.c:save_nsrrset() node was not initialized.
11820 265. [bug] dns_request_create() now works for TCP.
11822 264. [func] Dispatch can not take TCP sockets in connecting
11823 state. Set DNS_DISPATCHATTR_CONNECTED when calling
11824 dns_dispatch_createtcp() for connected TCP sockets
11825 or call dns_dispatch_starttcp() when the socket is
11828 263. [func] New logging channel type 'stderr'
11830 channel some-name {
11835 262. [bug] 'master' was not initialized in zone.c:stub_callback().
11837 261. [func] Add dns_zone_markdirty().
11839 260. [bug] Running named as a non-root user failed on Linux
11840 kernels new enough to support retaining capabilities
11843 259. [func] New random-device and random-seed-file statements
11844 for global options block of named.conf. Both accept
11845 a single string argument.
11847 258. [bug] Fixed printing of lwres_addr_t.address field.
11849 257. [bug] The server detached the last zone manager reference
11850 too early, while it could still be in use by queries.
11851 This manifested itself as assertion failures during the
11852 shutdown process for busy name servers. [RT #133]
11854 256. [func] isc_ratelimiter_t now has attach/detach semantics, and
11855 isc_ratelimiter_shutdown guarantees that the rate
11856 limiter is detached from its task.
11858 255. [func] New function dns_zonemgr_attach().
11860 254. [bug] Suppress "query denied" messages on additional data
11863 --- 9.0.0b4 released ---
11865 253. [func] resolv.conf parser now recognizes ';' and '#' as
11866 comments (anywhere in line, not just as the beginning).
11868 252. [bug] resolv.conf parser mishandled masks on sortlists.
11869 It also aborted when an unrecognized keyword was seen,
11870 now it silently ignores the entire line.
11872 251. [bug] lwresd caught an assertion failure on startup.
11874 250. [bug] fixed handling of size+unit when value would be too
11875 large for internal representation.
11877 249. [cleanup] max-cache-size config option now takes a size-spec
11878 like 'datasize', except 'default' is not allowed.
11880 248. [bug] global lame-ttl option was not being printed when
11881 config structures were written out.
11883 247. [cleanup] Rename cache-size config option to max-cache-size.
11885 246. [func] Rename global option cachesize to cache-size and
11886 add corresponding option to view statement.
11888 245. [bug] If an uncompressed name will take more than 255
11889 bytes and the buffer is sufficiently long,
11890 dns_name_fromwire should return DNS_R_FORMERR,
11891 not ISC_R_NOSPACE. This bug caused cause the
11892 server to catch an assertion failure when it
11893 received a query for a name longer than 255
11896 244. [bug] empty named.conf file and empty options statement are
11897 now parsed properly.
11899 243. [func] new cachesize option for named.conf
11901 242. [cleanup] fixed incorrect warning about auth-nxdomain usage.
11903 241. [cleanup] nscount and soacount have been removed from the
11904 dns_master_*() argument lists.
11906 240. [func] databases now come in three flavours: zone, cache
11909 239. [func] If ISC_MEM_DEBUG is enabled, the variable
11910 isc_mem_debugging controls whether messages
11911 are printed or not.
11913 238. [cleanup] A few more compilation warnings have been quieted:
11914 + missing sigwait prototype on BSD/OS 4.0/4.0.1.
11915 + PTHREAD_ONCE_INIT unbraced initializer warnings on
11917 + IN6ADDR_ANY_INIT unbraced initializer warnings on
11918 BSD/OS 4.*, Linux and Solaris 2.8.
11920 237. [bug] If connect() returned ENOBUFS when the resolver was
11921 initiating a TCP query, the socket didn't get
11922 destroyed, and the server did not shut down cleanly.
11924 236. [func] Added new listen-on-v6 config file statement.
11926 235. [func] Consider it a config file error if a listen-on
11927 statement has an IPv6 address in it, or a
11928 listen-on-v6 statement has an IPv4 address in it.
11930 234. [bug] Allow a trusted-key's first field (domain-name) be
11931 either a quoted or an unquoted string, instead of
11932 requiring a quoted string.
11934 233. [cleanup] Convert all config structure integer values to unsigned
11935 integer (isc_uint32_t) to match grammar.
11937 232. [bug] Allow slave zones to not have a file.
11939 231. [func] Support new 'port' clause in config file options
11940 section. Causes 'listen-on', 'masters' and
11941 'also-notify' statements to use its value instead of
11944 230. [func] Replace the dst sign/verify API with a cleaner one.
11946 229. [func] Support config file sig-validity-interval statement
11947 in options, views and zone statements (master
11950 228. [cleanup] Logging messages in config module stripped of
11953 227. [cleanup] The enumerated identifiers dns_rdataclass_*,
11954 dns_rcode_*, dns_opcode_*, and dns_trust_* are
11955 also now cast to their appropriate types, as with
11956 dns_rdatatype_* in item number 225 below.
11958 226. [func] dns_name_totext() now always prints the root name as
11959 '.', even when omit_final_dot is true.
11961 225. [cleanup] The enumerated dns_rdatatype_* identifiers are now
11962 cast to dns_rdatatype_t via macros of their same name
11963 so that they are of the proper integral type wherever
11964 a dns_rdatatype_t is needed.
11966 224. [cleanup] The entire project builds cleanly with gcc's
11967 -Wcast-qual and -Wwrite-strings warnings enabled,
11968 which is now the default when using gcc. (Warnings
11969 from confparser.c, because of yacc's code, are
11970 unfortunately to be expected.)
11972 223. [func] Several functions were re-prototyped to qualify one
11973 or more of their arguments with "const". Similarly,
11974 several functions that return pointers now have
11975 those pointers qualified with const.
11977 222. [bug] The global 'also-notify' option was ignored.
11979 221. [bug] An uninitialized variable was sometimes passed to
11980 dns_rdata_freestruct() when loading a zone, causing
11981 an assertion failure.
11983 220. [cleanup] Set the default outgoing port in the view, and
11984 set it in sockaddrs returned from the ADB.
11985 [31-May-2000 explorer]
11987 219. [bug] Signed truncated messages more correctly follow
11988 the respective specs.
11990 218. [func] When an rdataset is signed, its ttl is normalized
11991 based on the signature validity period.
11993 217. [func] Also-notify and trusted-keys can now be used in
11994 the 'view' statement.
11996 216. [func] The 'max-cache-ttl' and 'max-ncache-ttl' options
11999 215. [bug] Failures at certain points in request processing
12000 could cause the assertion INSIST(client->lockview
12001 == NULL) to be triggered.
12003 214. [func] New public function isc_netaddr_format(), for
12004 formatting network addresses in log messages.
12006 213. [bug] Don't leak memory when reloading the zone if
12007 an update-policy clause was present in the old zone.
12009 212. [func] Added dns_message_get/settsigkey, to make TSIG
12010 key management reasonable.
12012 211. [func] The 'key' and 'server' statements can now occur
12013 inside 'view' statements.
12015 210. [bug] The 'allow-transfer' option was ignored for slave
12016 zones, and the 'transfers-per-ns' option was
12017 was ignored for all zones.
12019 209. [cleanup] Upgraded openssl files to new version 0.9.5a
12021 208. [func] Added ISC_OFFSET_MAXIMUM for the maximum value
12022 of an isc_offset_t.
12024 207. [func] The dnssec tools properly use the logging subsystem.
12026 206. [cleanup] dst now stores the key name as a dns_name_t, not
12029 205. [cleanup] On IRIX, turn off the mostly harmless warnings 1692
12030 ("prototyped function redeclared without prototype")
12031 and 1552 ("variable ... set but not used") when
12032 compiling in the lib/dns/sec/{dnssafe,openssl}
12033 directories, which contain code imported from outside
12036 204. [cleanup] On HP/UX, pass +vnocompatwarnings to the linker
12037 to quiet the warnings that "The linked output may not
12038 run on a PA 1.x system."
12040 203. [func] notify and zone soa queries are now tsig signed when
12043 202. [func] isc_lex_getsourceline() changed from returning int
12044 to returning unsigned long, the type of its underlying
12047 201. [cleanup] Removed the test/sdig program, it has been
12048 replaced by bin/dig/dig.
12050 --- 9.0.0b3 released ---
12052 200. [bug] Failures in sending query responses to clients
12053 (e.g., running out of network buffers) were
12056 199. [bug] isc_heap_delete() sometimes violated the heap
12057 invariant, causing timer events not to be posted
12060 198. [func] Dispatch managers hold memory pools which
12061 any managed dispatcher may use. This allows
12062 us to avoid dipping into the memory context for
12063 most allocations. [19-May-2000 explorer]
12065 197. [bug] When an incoming AXFR or IXFR completes, the
12066 zone's internal state is refreshed from the
12067 SOA data. [19-May-2000 explorer]
12069 196. [func] Dispatchers can be shared easily between views
12070 and/or interfaces. [19-May-2000 explorer]
12072 195. [bug] Including the NXT record of the root domain
12073 in a negative response caused an assertion
12076 194. [doc] The PDF version of the Administrator's Reference
12077 Manual is no longer included in the ISC BIND9
12080 193. [func] changed dst_key_free() prototype.
12082 192. [bug] Zone configuration validation is now done at end
12083 of config file parsing, and before loading
12086 191. [func] Patched to compile on UnixWare 7.x. This platform
12087 is not directly supported by the ISC.
12089 190. [cleanup] The DNSSEC tools have been moved to a separate
12090 directory dnssec/ and given the following new,
12091 more descriptive names:
12098 Their command line arguments have also been changed to
12099 be more consistent. dnssec-keygen now prints the
12100 name of the generated key files (sans extension)
12101 on standard output to simplify its use in automated
12104 189. [func] isc_time_secondsastimet(), a new function, will ensure
12105 that the number of seconds in an isc_time_t does not
12106 exceed the range of a time_t, or return ISC_R_RANGE.
12107 Similarly, isc_time_now(), isc_time_nowplusinterval(),
12108 isc_time_add() and isc_time_subtract() now check the
12109 range for overflow/underflow. In the case of
12110 isc_time_subtract, this changed a calling requirement
12111 (ie, something that could generate an assertion)
12112 into merely a condition that returns an error result.
12113 isc_time_add() and isc_time_subtract() were void-
12114 valued before but now return isc_result_t.
12116 188. [func] Log a warning message when an incoming zone transfer
12117 contains out-of-zone data.
12119 187. [func] isc_ratelimiter_enqueue() has an additional argument
12122 186. [func] dns_request_getresponse() has an additional argument
12125 185. [bug] Fixed up handling of ISC_MEMCLUSTER_LEGACY. Several
12126 public functions did not have an isc__ prefix, and
12127 referred to functions that had previously been
12130 184. [cleanup] Variables/functions which began with two leading
12131 underscores were made to conform to the ANSI/ISO
12132 standard, which says that such names are reserved.
12134 183. [func] ISC_LOG_PRINTTAG option for log channels. Useful
12135 for logging the program name or other identifier.
12137 182. [cleanup] New command-line parameters for dnssec tools
12139 181. [func] Added dst_key_buildfilename and dst_key_parsefilename
12141 180. [func] New isc_result_t ISC_R_RANGE. Supersedes DNS_R_RANGE.
12143 179. [func] options named.conf statement *must* now come
12144 before any zone or view statements.
12146 178. [func] Post-load of named.conf check verifies a slave zone
12147 has non-empty list of masters defined.
12149 177. [func] New per-zone boolean:
12151 enable-zone yes | no ;
12153 intended to let a zone be disabled without having
12154 to comment out the entire zone statement.
12156 176. [func] New global and per-view option:
12158 max-cache-ttl number
12160 175. [func] New global and per-view option:
12162 additional-data internal | minimal | maximal;
12164 174. [func] New public function isc_sockaddr_format(), for
12165 formatting socket addresses in log messages.
12167 173. [func] Keep a queue of zones waiting for zone transfer
12168 quota so that a new transfer can be dispatched
12169 immediately whenever quota becomes available.
12171 172. [bug] $TTL directive was sometimes missing from dumped
12172 master files because totext_ctx_init() failed to
12173 initialize ctx->current_ttl_valid.
12175 171. [cleanup] On NetBSD systems, the mit-pthreads or
12176 unproven-pthreads library is now always used
12177 unless --with-ptl2 is explicitly specified on
12178 the configure command line. The
12179 --with-mit-pthreads option is no longer needed
12180 and has been removed.
12182 170. [cleanup] Remove inter server consistency checks from zone,
12183 these should return as a separate module in 9.1.
12184 dns_zone_checkservers(), dns_zone_checkparents(),
12185 dns_zone_checkchildren(), dns_zone_checkglue().
12187 Remove dns_zone_setadb(), dns_zone_setresolver(),
12188 dns_zone_setrequestmgr() these should now be found
12191 169. [func] ratelimiter can now process N events per interval.
12193 168. [bug] include statements in named.conf caused syntax errors
12194 due to not consuming the semicolon ending the include
12195 statement before switching input streams.
12197 167. [bug] Make lack of masters for a slave zone a soft error.
12199 166. [bug] Keygen was overwriting existing keys if key_id
12200 conflicted, now it will retry, and non-null keys
12201 with key_id == 0 are not generated anymore. Key
12202 was not able to generate NOAUTHCONF DSA key,
12203 increased RSA key size to 2048 bits.
12205 165. [cleanup] Silence "end-of-loop condition not reached" warnings
12206 from Solaris compiler.
12208 164. [func] Added functions isc_stdio_open(), isc_stdio_close(),
12209 isc_stdio_seek(), isc_stdio_read(), isc_stdio_write(),
12210 isc_stdio_flush(), isc_stdio_sync(), isc_file_remove()
12211 to encapsulate nonportable usage of errno and sync.
12213 163. [func] Added result codes ISC_R_FILENOTFOUND and
12216 162. [bug] Ensure proper range for arguments to ctype.h functions.
12218 161. [cleanup] error in yyparse prototype that only HPUX caught.
12220 160. [cleanup] getnet*() are not going to be implemented at this
12223 159. [func] Redefinition of config file elements is now an
12224 error (instead of a warning).
12226 158. [bug] Log channel and category list copy routines
12227 weren't assigning properly to output parameter.
12229 157. [port] Fix missing prototype for getopt().
12231 156. [func] Support new 'database' statement in zone.
12233 database "quoted-string";
12235 155. [bug] ns_notify_start() was not detaching the found zone.
12237 154. [func] The signer now logs libdns warnings to stderr even when
12238 not verbose, and in a nicer format.
12240 153. [func] dns_rdata_tostruct() 'mctx' is now optional. If 'mctx'
12241 is NULL then you need to preserve the 'rdata' until
12242 you have finished using the structure as there may be
12243 references to the associated memory. If 'mctx' is
12244 non-NULL it is guaranteed that there are no references
12245 to memory associated with 'rdata'.
12247 dns_rdata_freestruct() must be called if 'mctx' was
12248 non-NULL and may safely be called if 'mctx' was NULL.
12250 152. [bug] keygen dumped core if domain name argument was omitted
12253 151. [func] Support 'disabled' statement in zone config (causes
12254 zone to be parsed and then ignored). Currently must
12255 come after the 'type' clause.
12257 150. [func] Support optional ports in masters and also-notify
12260 masters [ port xxx ] { y.y.y.y [ port zzz ] ; }
12262 149. [cleanup] Removed unused argument 'olist' from
12263 dns_c_view_unsetordering().
12265 148. [cleanup] Stop issuing some warnings about some configuration
12266 file statements that were not implemented, but now are.
12268 147. [bug] Changed yacc union size to be smaller for yaccs that
12269 put yacc-stack on the real stack.
12271 146. [cleanup] More general redundant header file cleanup. Rather
12272 than continuing to itemize every header which changed,
12273 this changelog entry just notes that if a header file
12274 did not need another header file that it was including
12275 in order to provide its advertised functionality, the
12276 inclusion of the other header file was removed. See
12277 util/check-includes for how this was tested.
12279 145. [cleanup] Added <isc/lang.h> and ISC_LANG_BEGINDECLS/
12280 ISC_LANG_ENDDECLS to header files that had function
12281 prototypes, and removed it from those that did not.
12283 144. [cleanup] libdns header files too numerous to name were made
12284 to conform to the same style for multiple inclusion
12287 143. [func] Added function dns_rdatatype_isknown().
12289 142. [cleanup] <isc/stdtime.h> does not need <time.h> or
12292 141. [bug] Corrupt requests with multiple questions could
12293 cause an assertion failure.
12295 140. [cleanup] <isc/time.h> does not need <time.h> or <isc/result.h>.
12297 139. [cleanup] <isc/net.h> now includes <isc/types.h> instead of
12298 <isc/int.h> and <isc/result.h>.
12300 138. [cleanup] isc_strtouq moved from str.[ch] to string.[ch] and
12301 renamed isc_string_touint64. isc_strsep moved from
12302 strsep.c to string.c and renamed isc_string_separate.
12304 137. [cleanup] <isc/commandline.h>, <isc/mem.h>, <isc/print.h>
12305 <isc/serial.h>, <isc/string.h> and <isc/offset.h>
12306 made to conform to the same style for multiple
12307 inclusion protection.
12309 136. [cleanup] <isc/commandline.h>, <isc/interfaceiter.h>,
12310 <isc/net.h> and Win32's <isc/thread.h> needed
12311 ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS.
12313 135. [cleanup] Win32's <isc/condition.h> did not need <isc/result.h>
12314 or <isc/boolean.h>, now uses <isc/types.h> in place
12315 of <isc/time.h>, and needed ISC_LANG_BEGINDECLS
12316 and ISC_LANG_ENDDECLS.
12318 134. [cleanup] <isc/dir.h> does not need <limits.h>.
12320 133. [cleanup] <isc/ipv6.h> needs <isc/platform.h>.
12322 132. [cleanup] <isc/app.h> does not need <isc/task.h>, but does
12323 need <isc/eventclass.h>.
12325 131. [cleanup] <isc/mutex.h> and <isc/util.h> need <isc/result.h>
12326 for ISC_R_* codes used in macros.
12328 130. [cleanup] <isc/condition.h> does not need <pthread.h> or
12329 <isc/boolean.h>, and now includes <isc/types.h>
12330 instead of <isc/time.h>.
12332 129. [bug] The 'default_debug' log channel was not set up when
12333 'category default' was present in the config file
12335 128. [cleanup] <isc/dir.h> had ISC_LANG_BEGINDECLS instead of
12336 ISC_LANG_ENDDECLS at end of header.
12338 127. [cleanup] The contracts for the comparison routines
12339 dns_name_fullcompare(), dns_name_compare(),
12340 dns_name_rdatacompare(), and dns_rdata_compare() now
12341 specify that the order value returned is < 0, 0, or > 0
12342 instead of -1, 0, or 1.
12344 126. [cleanup] <isc/quota.h> and <isc/taskpool.h> need <isc/lang.h>.
12346 125. [cleanup] <isc/eventclass.h>, <isc/ipv6.h>, <isc/magic.h>,
12347 <isc/mutex.h>, <isc/once.h>, <isc/region.h>, and
12348 <isc/resultclass.h> do not need <isc/lang.h>.
12350 124. [func] signer now imports parent's zone key signature
12351 and creates null keys/sets zone status bit for
12352 children when necessary
12354 123. [cleanup] <isc/event.h> does not need <stddef.h>.
12356 122. [cleanup] <isc/task.h> does not need <isc/mem.h> or
12359 121. [cleanup] <isc/symtab.h> does not need <isc/mem.h> or
12360 <isc/result.h>. Multiple inclusion protection
12361 symbol fixed from ISC_SYMBOL_H to ISC_SYMTAB_H.
12362 isc_symtab_t moved to <isc/types.h>.
12364 120. [cleanup] <isc/socket.h> does not need <isc/boolean.h>,
12365 <isc/bufferlist.h>, <isc/task.h>, <isc/mem.h> or
12368 119. [cleanup] structure definitions for generic rdata structures do
12369 not have _generic_ in their names.
12371 118. [cleanup] libdns.a is now namespace-clean, on NetBSD, excepting
12372 YACC crust (yyparse, etc) [2000-apr-27 explorer]
12374 117. [cleanup] libdns.a changes:
12375 dns_zone_clearnotify() and dns_zone_addnotify()
12376 are replaced by dns_zone_setnotifyalso().
12377 dns_zone_clearmasters() and dns_zone_addmaster()
12378 are replaced by dns_zone_setmasters().
12380 116. [func] Added <isc/offset.h> for isc_offset_t (aka off_t
12383 115. [port] Shut up the -Wmissing-declarations warning about
12384 <stdio.h>'s __sputaux on BSD/OS pre-4.1.
12386 114. [cleanup] <isc/sockaddr.h> does not need <isc/buffer.h> or
12389 113. [func] Utility programs dig and host added.
12391 112. [cleanup] <isc/serial.h> does not need <isc/boolean.h>.
12393 111. [cleanup] <isc/rwlock.h> does not need <isc/result.h> or
12396 110. [cleanup] <isc/result.h> does not need <isc/boolean.h> or
12399 109. [bug] "make depend" did nothing for
12400 bin/tests/{db,mem,sockaddr,tasks,timers}/.
12402 108. [cleanup] DNS_SETBIT/DNS_GETBIT/DNS_CLEARBIT moved from
12403 <dns/types.h> to <dns/bit.h> and renamed to
12404 DNS_BIT_SET/DNS_BIT_GET/DNS_BIT_CLEAR.
12406 107. [func] Add keysigner and keysettool.
12408 106. [func] Allow dnssec verifications to ignore the validity
12409 period. Used by several of the dnssec tools.
12411 105. [doc] doc/dev/coding.html expanded with other
12412 implicit conventions the developers have used.
12414 104. [bug] Made compress_add and compress_find static to
12415 lib/dns/compress.c.
12417 103. [func] libisc buffer API changes for <isc/buffer.h>:
12419 isc_buffer_base(b) (pointer)
12420 isc_buffer_current(b) (pointer)
12421 isc_buffer_active(b) (pointer)
12422 isc_buffer_used(b) (pointer)
12423 isc_buffer_length(b) (int)
12424 isc_buffer_usedlength(b) (int)
12425 isc_buffer_consumedlength(b) (int)
12426 isc_buffer_remaininglength(b) (int)
12427 isc_buffer_activelength(b) (int)
12428 isc_buffer_availablelength(b) (int)
12430 ISC_BUFFER_USEDCOUNT(b)
12431 ISC_BUFFER_AVAILABLECOUNT(b)
12434 isc_buffer_used(b, r) ->
12435 isc_buffer_usedregion(b, r)
12436 isc_buffer_available(b, r) ->
12437 isc_buffer_available_region(b, r)
12438 isc_buffer_consumed(b, r) ->
12439 isc_buffer_consumedregion(b, r)
12440 isc_buffer_active(b, r) ->
12441 isc_buffer_activeregion(b, r)
12442 isc_buffer_remaining(b, r) ->
12443 isc_buffer_remainingregion(b, r)
12445 Buffer types were removed, so the ISC_BUFFERTYPE_*
12446 macros are no more, and the type argument to
12447 isc_buffer_init and isc_buffer_allocate were removed.
12448 isc_buffer_putstr is now void (instead of isc_result_t)
12449 and requires that the caller ensure that there
12450 is enough available buffer space for the string.
12452 102. [port] Correctly detect inet_aton, inet_pton and inet_ptop
12455 101. [cleanup] Quieted EGCS warnings from lib/isc/print.c.
12457 100. [cleanup] <isc/random.h> does not need <isc/int.h> or
12458 <isc/mutex.h>. isc_random_t moved to <isc/types.h>.
12460 99. [cleanup] Rate limiter now has separate shutdown() and
12461 destroy() functions, and it guarantees that all
12462 queued events are delivered even in the shutdown case.
12464 98. [cleanup] <isc/print.h> does not need <stdarg.h> or <stddef.h>
12465 unless ISC_PLATFORM_NEEDVSNPRINTF is defined.
12467 97. [cleanup] <isc/ondestroy.h> does not need <stddef.h> or
12470 96. [cleanup] <isc/mutex.h> does not need <isc/result.h>.
12472 95. [cleanup] <isc/mutexblock.h> does not need <isc/result.h>.
12474 94. [cleanup] Some installed header files did not compile as C++.
12476 93. [cleanup] <isc/msgcat.h> does not need <isc/result.h>.
12478 92. [cleanup] <isc/mem.h> does not need <stddef.h>, <isc/boolean.h>,
12481 91. [cleanup] <isc/log.h> does not need <sys/types.h> or
12484 90. [cleanup] Removed unneeded ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS
12485 from <named/listenlist.h>.
12487 89. [cleanup] <isc/lex.h> does not need <stddef.h>.
12489 88. [cleanup] <isc/interfaceiter.h> does not need <isc/result.h> or
12490 <isc/mem.h>. isc_interface_t and isc_interfaceiter_t
12491 moved to <isc/types.h>.
12493 87. [cleanup] <isc/heap.h> does not need <isc/boolean.h>,
12494 <isc/mem.h> or <isc/result.h>.
12496 86. [cleanup] isc_bufferlist_t moved from <isc/bufferlist.h> to
12499 85. [cleanup] <isc/bufferlist.h> does not need <isc/buffer.h>,
12500 <isc/list.h>, <isc/mem.h>, <isc/region.h> or
12503 84. [func] allow-query ACL checks now apply to all data
12504 added to a response.
12506 83. [func] If the server is authoritative for both a
12507 delegating zone and its (nonsecure) delegatee, and
12508 a query is made for a KEY RR at the top of the
12509 delegatee, then the server will look for a KEY
12510 in the delegator if it is not found in the delegatee.
12512 82. [cleanup] <isc/buffer.h> does not need <isc/list.h>.
12514 81. [cleanup] <isc/int.h> and <isc/boolean.h> do not need
12517 80. [cleanup] <isc/print.h> does not need <stdio.h> or <stdlib.h>.
12519 79. [cleanup] <dns/callbacks.h> does not need <stdio.h>.
12521 78. [cleanup] lwres_conftest renamed to lwresconf_test for
12522 consistency with other *_test programs.
12524 77. [cleanup] typedef of isc_time_t and isc_interval_t moved from
12525 <isc/time.h> to <isc/types.h>.
12527 76. [cleanup] Rewrote keygen.
12529 75. [func] Don't load a zone if its database file is older
12530 than the last time the zone was loaded.
12532 74. [cleanup] Removed mktemplate.o and ufile.o from libisc.a,
12533 subsumed by file.o.
12535 73. [func] New "file" API in libisc, including new function
12536 isc_file_getmodtime, isc_mktemplate renamed to
12537 isc_file_mktemplate and isc_ufile renamed to
12538 isc_file_openunique. By no means an exhaustive API,
12539 it is just what's needed for now.
12541 72. [func] DNS_RBTFIND_NOPREDECESSOR and DNS_RBTFIND_NOOPTIONS
12542 added for dns_rbt_findnode, the former to disable the
12543 setting of the chain to the predecessor, and the
12544 latter to make clear when no options are set.
12546 71. [cleanup] Made explicit the implicit REQUIREs of
12547 isc_time_seconds, isc_time_nanoseconds, and
12550 70. [func] isc_time_set() added.
12552 69. [bug] The zone object's master and also-notify lists grew
12553 longer with each server reload.
12555 68. [func] Partial support for SIG(0) on incoming messages.
12557 67. [performance] Allow use of alternate (compile-time supplied)
12558 OpenSSL libraries/headers.
12560 66. [func] Data in authoritative zones should have a trust level
12563 65. [cleanup] Removed obsolete typedef of dns_zone_callbackarg_t
12564 from <dns/types.h>.
12566 64. [func] The RBT, DB, and zone table APIs now allow the
12567 caller find the most-enclosing superdomain of
12570 63. [func] Generate NOTIFY messages.
12572 62. [func] Add UDP refresh support.
12574 61. [cleanup] Use single quotes consistently in log messages.
12576 60. [func] Catch and disallow singleton types on message
12579 59. [bug] Cause net/host unreachable to be a hard error
12580 when sending and receiving.
12582 58. [bug] bin/named/query.c could sometimes trigger the
12583 (client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
12584 == 0 assertion in query_newname().
12586 57. [func] Added dns_nxt_typepresent()
12588 56. [bug] SIG records were not properly returned in cached
12591 55. [bug] Responses containing multiple names in the authority
12592 section were not negatively cached.
12594 54. [bug] If a fetch with sigrdataset==NULL joined one with
12595 sigrdataset!=NULL or vice versa, the resolver
12596 could catch an assertion or lose signature data,
12599 53. [port] freebsd 4.0: lib/isc/unix/socket.c requires
12602 52. [bug] rndc: taskmgr and socketmgr were not initialized
12605 51. [cleanup] dns/compress.h and dns/zt.h did not need to include
12606 dns/rbt.h; it was needed only by compress.c and zt.c.
12608 50. [func] RBT deletion no longer requires a valid chain to work,
12609 and dns_rbt_deletenode was added.
12611 49. [func] Each cache now has its own mctx.
12613 48. [func] isc_task_create() no longer takes an mctx.
12614 isc_task_mem() has been eliminated.
12616 47. [func] A number of modules now use memory context reference
12619 46. [func] Memory contexts are now reference counted.
12620 Added isc_mem_inuse() and isc_mem_preallocate().
12621 Renamed isc_mem_destroy_check() to
12622 isc_mem_setdestroycheck().
12624 45. [bug] The trusted-key statement incorrectly loaded keys.
12626 44. [bug] Don't include authority data if it would force us
12627 to unset the AD bit in the message.
12629 43. [bug] DNSSEC verification of cached rdatasets was failing.
12631 42. [cleanup] Simplified logging of messages with embedded domain
12632 names by introducing a new convenience function
12635 41. [func] Use PR_SET_KEEPCAPS on Linux 2.3.99-pre3 and later
12636 to allow 'named' to run as a non-root user while
12637 retaining the ability to bind() to privileged
12640 40. [func] Introduced new logging category "dnssec" and
12641 logging module "dns/validator".
12643 39. [cleanup] Moved the typedefs for isc_region_t, isc_textregion_t,
12644 and isc_lex_t to <isc/types.h>.
12646 38. [bug] TSIG signed incoming zone transfers work now.
12648 37. [bug] If the first RR in an incoming zone transfer was
12649 not an SOA, the server died with an assertion failure
12650 instead of just reporting an error.
12652 36. [cleanup] Change DNS_R_SUCCESS (and others) to ISC_R_SUCCESS
12654 35. [performance] Log messages which are of a level too high to be
12655 logged by any channel in the logging configuration
12656 will not cause the log mutex to be locked.
12658 34. [bug] Recursion was allowed even with 'recursion no'.
12660 33. [func] The RBT now maintains a parent pointer at each node.
12662 32. [cleanup] bin/lwresd/client.c needs <string.h> for memset()
12665 31. [bug] Use ${LIBTOOL} to compile bin/named/main.@O@.
12667 30. [func] config file grammar change to support optional
12668 class type for a view.
12670 29. [func] support new config file view options:
12672 auth-nxdomain recursion query-source
12673 query-source-v6 transfer-source
12674 transfer-source-v6 max-transfer-time-out
12675 max-transfer-idle-out transfer-format
12676 request-ixfr provide-ixfr cleaning-interval
12677 fetch-glue notify rfc2308-type1 lame-ttl
12678 max-ncache-ttl min-roots
12680 28. [func] support lame-ttl, min-roots and serial-queries
12681 config global options.
12683 27. [bug] Only include <netinet6/in6.h> on BSD/OS 4.[01]*.
12684 Including it on other platforms (eg, NetBSD) can
12685 cause a forced #error from the C preprocessor.
12687 26. [func] new match-clients statement in config file view.
12689 25. [bug] make install failed to install <isc/log.h> and
12692 24. [cleanup] Eliminate some unnecessary #includes of header
12693 files from header files.
12695 23. [cleanup] Provide more context in log messages about client
12696 requests, using a new function ns_client_log().
12698 22. [bug] SIGs weren't returned in the answer section when
12699 the query resulted in a fetch.
12701 21. [port] Look at STD_CINCLUDES after CINCLUDES during
12702 compilation, so additional system include directories
12703 can be searched but header files in the bind9 source
12704 tree with conflicting names take precedence. This
12705 avoids issues with installed versions of dnssafe and
12708 20. [func] Configuration file post-load validation of zones
12709 failed if there were no zones.
12711 19. [bug] dns_zone_notifyreceive() failed to unlock the zone
12712 lock in certain error cases.
12714 18. [bug] Use AC_TRY_LINK rather than AC_TRY_COMPILE in
12715 configure.in to check for presence of in6addr_any.
12717 17. [func] Do configuration file post-load validation of zones.
12719 16. [bug] put quotes around key names on config file
12720 output to avoid possible keyword clashes.
12722 15. [func] Add dns_name_dupwithoffsets(). This function is
12723 improves comparison performance for duped names.
12725 14. [bug] free_rbtdb() could have 'put' unallocated memory in
12726 an unlikely error path.
12728 13. [bug] lib/dns/master.c and lib/dns/xfrin.c didn't ignore
12731 12. [bug] Fixed possible uninitialized variable error.
12733 11. [bug] axfr_rrstream_first() didn't check the result code of
12734 db_rr_iterator_first(), possibly causing an assertion
12735 to be triggered later.
12737 10. [bug] A bug in the code which makes EDNS0 OPT records in
12738 bin/named/client.c and lib/dns/resolver.c could
12739 trigger an assertion.
12741 9. [cleanup] replaced bit-setting code in confctx.c and replaced
12742 repeated code with macro calls.
12744 8. [bug] Shutdown of incoming zone transfer accessed
12747 7. [cleanup] removed 'listen-on' from view statement.
12749 6. [bug] quote RR names when generating config file to
12750 prevent possible clash with config file keywords
12753 5. [func] syntax change to named.conf file: new ssu grant/deny
12754 statements must now be enclosed by an 'update-policy'
12757 4. [port] bin/named/unix/os.c didn't compile on systems with
12758 linux 2.3 kernel includes due to conflicts between
12759 C library includes and the kernel includes. We now
12760 get only what we need from <linux/capability.h>, and
12761 avoid pulling in other linux kernel .h files.
12763 3. [bug] TKEYs go in the answer section of responses, not
12764 the additional section.
12766 2. [bug] Generating cryptographic randomness failed on
12767 systems without /dev/random.
12769 1. [bug] The installdirs rule in
12770 lib/isc/unix/include/isc/Makefile.in had a typo which
12771 prevented the isc directory from being created if it
12774 --- 9.0.0b2 released ---
12776 # This tells Emacs to use hard tabs in this file.
12778 # indent-tabs-mode: t
projects / FreeBSD / stable / 9.git / blob