3 --- 9.9.5rc2 released ---
5 3710. [bug] Address double dns_zone_detach when switching to
6 using automatic empty zones from regular zones.
9 3709. [port] Use built-in versions of strptime() and timegm()
10 on all platforms to avoid portability issues.
13 3708. [bug] Address a portentry locking issue in dispatch.c.
16 3707. [bug] irs_resconf_load now returns ISC_R_FILENOTFOUND
17 on a missing resolv.conf file and initializes the
18 structure as if it had been configured with:
23 Note: Callers will need to be updated to treat
24 ISC_R_FILENOTFOUND as a qualified success or else
25 they will leak memory. The following code fragment
26 will work with both old and new versions without
27 changing the behaviour of the existing code.
30 result = irs_resconf_load(mctx, "/etc/resolv.conf",
32 if (result != ISC_SUCCESS) {
34 irs_resconf_destroy(&resconf);
40 3706. [contrib] queryperf: Fixed a possible integer overflow when
41 printing results. [RT #35182]
43 3704. [protocol] Accept integer timestamps in RRSIG records. [RT #35185]
45 --- 9.9.5rc1 released ---
47 3701. [func] named-checkconf can now obscure shared secrets
48 when printing by specifying '-x'. [RT #34465]
50 3699. [bug] Improvements to statistics channel XSL stylesheet:
51 the stylesheet can now be cached by the browser;
52 section headers are omitted from the stats display
53 when there is no data in those sections to be
54 displayed; counters are now right-justified for
55 easier readability. (Only available with
56 configure --enable-newstats.) [RT #35117]
58 3698. [cleanup] Replaced all uses of memcpy() with memmove().
61 3697. [bug] Handle "." as a search list element when IDN support
62 is enabled. [RT #35133]
64 3696. [bug] dig failed to handle AXFR style IXFR responses which
65 span multiple messages. [RT #35137]
67 3695. [bug] Address a possible race in dispatch.c. [RT #35107]
69 3694. [bug] Warn when a key-directory is configured for a zone,
70 but does not exist or is not a directory. [RT #35108]
72 3693. [security] memcpy was incorrectly called with overlapping
73 ranges resulting in malformed names being generated
74 on some platforms. This could cause INSIST failures
75 when serving NSEC3 signed zones (CVE-2014-0591).
78 3692. [bug] Two calls to dns_db_getoriginnode were fatal if there
79 was no data at the node. [RT #35080]
81 3690. [bug] Iterative responses could be missed when the source
82 port for an upstream query was the same as the
83 listener port (53). [RT #34925]
85 3689. [bug] Fixed a bug causing an insecure delegation from one
86 static-stub zone to another to fail with a broken
87 trust chain. [RT #35081]
89 --- 9.9.5b1 released ---
91 3688. [bug] loadnode could return a freed node on out of memory.
94 3687. [bug] Address null pointer dereference in zone_xfrdone.
97 3686. [func] "dnssec-signzone -Q" drops signatures from keys
98 that are still published but no longer active.
101 3685. [bug] "rndc refresh" didn't work correctly with slave
102 zones using inline-signing. [RT #35105]
104 3683. [cleanup] Add a more detailed "not found" message to rndc
105 commands which specify a zone name. [RT #35059]
107 3682. [bug] Correct the behavior of rndc retransfer to allow
108 inline-signing slave zones to retain NSEC3 parameters
109 instead of reverting to NSEC. [RT #34745]
111 3681. [port] Update the Windows build system to support feature
112 selection and WIN64 builds. This is a work in
113 progress. [RT #34160]
115 3679. [bug] dig could fail to clean up TCP sockets still
116 waiting on connect(). [RT #35074]
118 3678. [port] Update config.guess and config.sub. [RT #35060]
120 3677. [bug] 'nsupdate' leaked memory if 'realm' was used multiple
123 3676. [bug] "named-checkconf -z" now checks zones of type
124 hint and redirect as well as master. [RT #35046]
126 3675. [misc] Provide a place for third parties to add version
127 information for their extensions in the version
128 file by setting the EXTENSIONS variable.
130 3674. [bug] RPZ zeroed ttls if the query type was '*'. [RT #35026]
132 3672. [func] Local address can now be specified when using
133 dns_client API. [RT #34811]
135 3671. [bug] Don't allow dnssec-importkey overwrite a existing
136 non-imported private key.
138 3670. [bug] Address read after free in server side of
139 lwres_getrrsetbyname. [RT #29075]
141 3669. [port] freebsd: --with-gssapi needs -lhx509. [RT #35001]
143 3668. [bug] Fix cast in lex.c which could see 0xff treated as eof.
146 3667. [test] dig: add support to keep the TCP socket open between
147 successive queries (+[no]keepopen). [RT #34918]
149 3665. [bug] Failure to release lock on error in receive_secure_db.
152 3664. [bug] Updated OpenSSL PKCS#11 patches to fix active list
153 locking and other bugs. [RT #34855]
155 3663. [bug] Address bugs in dns_rdata_fromstruct and
156 dns_rdata_tostruct for WKS and ISDN types. [RT #34910]
158 3662. [bug] 'host' could die if a UDP query timed out. [RT #34870]
160 3661. [bug] Address lock order reversal deadlock with inline zones.
163 3660. [cleanup] Changed the name of "isc-config.sh" to "bind9-config".
166 3659. [port] solaris: don't add explict dependancies/rules for
167 python programs as make won't use the implicit rules.
170 3658. [port] linux: Address platform specific compilation issue
171 when libcap-devel is installed. [RT #34838]
173 3657. [port] Some readline clones don't accept NULL pointers when
174 calling add_history. [RT #34842]
176 3656. [security] Treat an all zero netmask as invalid when generating
177 the localnets acl. (The prior behavior could
178 allow unexpected matches when using some versions
179 of Winsock: CVE-2013-6320.) [RT #34687]
181 3655. [cleanup] Simplify TCP message processing when requesting a
182 zone transfer. [RT #34825]
184 3654. [bug] Address race condition with manual notify requests.
187 3653. [func] Create delegations for all "children" of empty zones
188 except "forward first". [RT #34826]
190 3651. [tuning] Adjust when a master server is deemed unreachable.
193 3650. [tuning] Use separate rate limiting queues for refresh and
194 notify requests. [RT #30589]
196 3649. [cleanup] Include a comment in .nzf files, giving the name of
197 the associated view. [RT #34765]
199 3648. [test] Updated the ATF test framework to version 0.17.
202 3647. [bug] Address a race condition when shutting down a zone.
205 3646. [bug] Journal filename string could be set incorrectly,
206 causing garbage in log messages. [RT #34738]
208 3645. [protocol] Use case sensitive compression when responding to
211 3644. [protocol] Check that EDNS subnet client options are well formed.
214 3642. [func] Allow externally generated DNSKEY to be imported
215 into the DNSKEY management framework. A new tool
216 dnssec-importkey is used to do this. [RT #34698]
218 3641. [bug] Handle changes to sig-validity-interval settings
221 3640. [bug] ndots was not being checked when searching. Only
222 continue searching on NXDOMAIN responses. Add the
223 ability to specify ndots to nslookup. [RT #34711]
225 3639. [bug] Treat type 65533 (KEYDATA) as opaque except when used
226 in a key zone. [RT #34238]
228 --- 9.9.4 released ---
230 3643. [doc] Clarify RRL "slip" documentation.
232 3638. [cleanup] Add the ability to handle ENOPROTOOPT in case it is
233 encountered. [RT #34668]
235 --- 9.9.4rc2 released ---
237 3637. [bug] 'allow-query-on' was checking the source address
238 rather than the destination address. [RT #34590]
240 3636. [bug] Automatic empty zones now behave better with
241 forward only "zones" beneath them. [RT #34583]
243 3635. [bug] Signatures were not being removed from a zone with
244 only KSK keys for a algorithm. [RT #34439]
246 3634. [func] Report build-id in rndc status. Report build-id
247 when building from a git repository. [RT #20422]
249 3633. [cleanup] Refactor OPT processing in named to make it easier
250 to support new EDNS options. [RT #34414]
252 3632. [bug] Signature from newly inactive keys were not being
255 3631. [bug] Remove spurious warning about missing signatures when
256 qtype is SIG. [RT #34600]
258 3630. [bug] Ensure correct ID computation for MD5 keys. [RT #33033]
260 3627. [bug] RPZ changes were not effective on slaves. [RT #34450]
262 3625. [bug] Don't send notify messages to machines outside of the
265 3623. [bug] zone-statistics was only effective in new statistics.
268 --- 9.9.4rc1 released ---
270 3621. [security] Incorrect bounds checking on private type 'keydata'
271 can lead to a remotely triggerable REQUIRE failure
272 (CVE-2013-4854). [RT #34238]
274 3617. [bug] Named was failing to answer queries during
275 "rndc reload" [RT #34098]
277 3616. [bug] Change #3613 was incomplete. [RT #34177]
279 3615. [cleanup] "configure" now finishes by printing a summary
280 of optional BIND features and whether they are
281 active or inactive. ("configure --enable-full-report"
282 increases the verbosity of the summary.) [RT #31777]
284 3614. [port] Check for <linux/types.h>. [RT #34162]
286 3613. [bug] named could crash when deleting inline-signing
287 zones with "rndc delzone". [RT #34066]
289 3611. [bug] Improved resistance to a theoretical authentication
290 attack based on differential timing. [RT #33939]
292 3610. [cleanup] win32: Some executables had been omitted from the
293 installer. [RT #34116]
295 3608. [port] win32: added todos.pl script to ensure all text files
296 the win32 build depends on are converted to DOS
297 newline format. [RT #22067]
299 3607. [bug] dnssec-keygen had broken 'Invalid keyfile' error
302 --- 9.9.4b1 released ---
304 3605. [port] win32: Addressed several compatibility issues
305 with newer versions of Visual Studio. [RT #33916]
307 3603. [bug] Install <isc/stat.h>. [RT #33956]
309 3601. [bug] Added to PKCS#11 openssl patches a value len
310 attribute in DH derive key. [RT #33928]
312 3600. [cleanup] dig: Fixed a typo in the warning output when receiving
313 an oversized response. [RT #33910]
315 3599. [tuning] Check for pointer equivalence in name comparisons.
318 3596. [port] Updated win32 build documentation, added
319 dnssec-verify. [RT #22067]
321 3594. [maint] Update config.guess and config.sub. [RT #33816]
323 3592. [doc] Moved documentation of rndc command options to the
324 rndc man page. [RT #33506]
326 3590. [bug] When using RRL on recursive servers, defer
327 rate-limiting until after recursion is complete;
328 also, use correct rcode for slipped NXDOMAIN
329 responses. [RT #33604]
331 3588. [bug] dig: addressed a memory leak in the sigchase code
332 that could cause a shutdown crash. [RT #33733]
334 3587. [func] 'named -g' now checks the logging configuration but
335 does not use it. [RT #33473]
337 3586. [bug] Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]
339 3584. [security] Caching data from an incompletely signed zone could
340 trigger an assertion failure in resolver.c
341 (CVE-2013-3919). [RT #33690]
343 3583. [bug] Address memory leak in GSS-API processing [RT #33574]
345 3582. [bug] Silence false positive warning regarding missing file
346 directive for inline slave zones. [RT #33662]
348 3581. [bug] Changed the tcp-listen-queue default to 10. [RT #33029]
350 3580. [bug] Addressed a possible race in acache.c [RT #33602]
352 3579. [maint] Updates to PKCS#11 openssl patches, supporting
353 versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]
355 3578. [bug] 'rndc -c file' now fails if 'file' does not exist.
358 3577. [bug] Handle zero TTL values better. [RT #33411]
360 3576. [bug] Address a shutdown race when validating. [RT #33573]
362 3575. [func] Changed the logging category for RRL events from
363 'queries' to 'query-errors'. [RT #33540]
365 3574. [doc] The 'hostname' keyword was missing from server-id
366 description in the named.conf man page. [RT #33476]
368 3573. [bug] "rndc addzone" and "rndc delzone" incorrectly handled
369 zone names containing punctuation marks and other
370 nonstandard characters. [RT #33419]
372 3571. [bug] Address race condition in dns_client_startresolve().
375 3566. [func] Log when forwarding updates to master. [RT #33240]
377 3554. [bug] RRL failed to correctly rate-limit upward
378 referrals and failed to count dropped error
379 responses in the statistics. [RT #33225]
381 3545. [bug] RRL slip behavior was incorrect when set to 1.
384 3518. [bug] Increase the size of dns_rrl_key.s.rtype by one bit
385 so that all dns_rrl_rtype_t enum values fit regardless
386 of whether it is teated as signed or unsigned by
387 the compiler. [RT #32792]
389 3494. [func] DNS RRL: Blunt the impact of DNS reflection and
390 amplification attacks by rate-limiting substantially-
391 identical responses. To enable, use "configure
392 --enable-rrl". [RT #28130]
394 --- 9.9.3 released ---
396 3568. [cleanup] Add a product description line to the version file,
397 to be reported by named -v/-V. [RT #33366]
399 3567. [bug] Silence clang static analyzer warnings. [RT #33365]
401 3563. [contrib] zone2sqlite failed with some table names. [RT #33375]
403 3561. [bug] dig: issue a warning if an EDNS query returns FORMERR
404 or NOTIMP. Adjust usage message. [RT #33363]
406 --- 9.9.3rc2 released ---
408 3560. [bug] isc-config.sh did not honor includedir and libdir
409 when set via configure. [RT #33345]
411 3559. [func] Check that both forms of Sender Policy Framework
412 records exist or do not exist. [RT #33355]
414 3558. [bug] IXFR of a DLZ stored zone was broken. [RT #33331]
416 3557. [bug] Reloading redirect zones was broken. [RT #33292]
418 3556. [maint] Added AAAA for D.ROOT-SERVERS.NET.
420 3555. [bug] Address theoretical race conditions in acache.c
421 (change #3553 was incomplete). [RT #33252]
423 3553. [bug] Address suspected double free in acache. [RT #33252]
425 3552. [bug] Wrong getopt option string for 'nsupdate -r'.
428 3549. [doc] Documentation for "request-nsid" was missing.
431 3548. [bug] The NSID request code in resolver.c was broken
432 resulting in invalid EDNS options being sent.
435 3547. [bug] Some malformed unknown rdata records were not properly
436 detected and rejected. [RT #33129]
438 --- 9.9.3rc1 released ---
440 3546. [func] Add EUI48 and EUI64 types. [RT #33082]
442 3544. [contrib] check5011.pl: Script to report the status of
443 managed keys as recorded in managed-keys.bind.
444 Contributed by Tony Finch <dot@dotat.at>
446 3543. [bug] Update socket structure before attaching to socket
447 manager after accept. [RT #33084]
449 3541. [bug] Parts of libdns were not properly initialized when
450 built in libexport mode. [RT #33028]
452 3540. [test] libt_api: t_info and t_assert were not thread safe.
454 3539. [port] win32: timestamp format didn't match other platforms.
456 3538. [test] Running "make test" now requires loopback interfaces
457 to be set up. [RT #32452]
459 3537. [tuning] Slave zones, when updated, now send NOTIFY messages
460 to peers before being dumped to disk rather than
463 3535. [bug] Minor win32 cleanups. [RT #32962]
465 3534. [bug] Extra text after an embedded NULL was ignored when
466 parsing zone files. [RT #32699]
468 3533. [contrib] query-loc-0.4.0: memory leaks. [RT #32960]
470 3532. [contrib] zkt: fixed buffer overrun, resource leaks. [RT #32960]
472 3531. [bug] win32: A uninitialized value could be returned on out
473 of memory. [RT #32960]
475 3530. [contrib] Better RTT tracking in queryperf. [RT #30128]
477 3528. [func] New "dnssec-coverage" command scans the timing
478 metadata for a set of DNSSEC keys and reports if a
479 lapse in signing coverage has been scheduled
480 inadvertently. (Note: This tool depends on python;
481 it will not be built or installed on systems that
482 do not have a python interpreter.) [RT #28098]
484 3527. [compat] Add a URI to allow applications to explicitly
485 request a particular XML schema from the statistics
486 channel, returning 404 if not supported. [RT #32481]
488 3526. [cleanup] Set up dependencies for unit tests correctly during
491 3521. [bug] Address memory leak in opensslecdsa_link.c. [RT #32249]
493 3520. [bug] 'mctx' was not being referenced counted in some places
494 where it should have been. [RT #32794]
496 --- 9.9.3b2 released ---
498 3517. [bug] Reorder destruction to avoid shutdown race. [RT #32777]
500 3515. [port] '%T' is not portable in strftime(). [RT #32763]
502 3514. [bug] The ranges for valid key sizes in ddns-confgen and
503 rndc-confgen were too constrained. Keys up to 512
504 bits are now allowed for most algorithms, and up
505 to 1024 bits for hmac-sha384 and hmac-sha512.
508 3511. [doc] Improve documentation of redirect zones. [RT #32756]
510 3509. [cleanup] Added a product line to version file to allow for
511 easy naming of different products (BIND
512 vs BIND ESV, for example). [RT #32755]
514 3508. [contrib] queryperf was incorrectly rejecting the -T option.
517 3507. [bug] Statistics channel XSL (when built with
518 --enable-newstats) had a glitch when attempting
519 to chart query data before any queries had been
520 received. [RT #32620]
522 3505. [bug] When setting "max-cache-size" and "max-acache-size",
523 larger values than 4 gigabytes could not be set
524 explicitly, though larger sizes were available
525 when setting cache size to 0. This has been
526 corrected; the full range is now available.
529 3503. [doc] Clarify size_spec syntax. [RT #32449]
531 3501. [func] zone-statistics now takes three options: full,
532 terse, and none. "yes" and "no" are retained as
533 synonyms for full and terse, respectively. [RT #29165]
535 3500. [security] Support NAPTR regular expression validation on
536 all platforms without using libregex, which
537 can be vulnerable to memory exhaustion attack
538 (CVE-2013-2266). [RT #32688]
540 3499. [doc] Corrected ARM documentation of built-in zones.
543 3498. [bug] zone statistics for zones which matched a potential
544 empty zone could have their zone-statistics setting
547 3496. [func] Improvements to RPZ performance. The "response-policy"
548 syntax now includes a "min-ns-dots" clause, with
549 default 1, to exclude top-level domains from
550 NSIP and NSDNAME checking. --enable-rpz-nsip and
551 --enable-rpz-nsdname are now the default. [RT #32251]
553 3493. [contrib] Added BDBHPT dynamically-lodable DLZ module,
554 contributed by Mark Goldfinch. [RT #32549]
556 3492. [bug] Fixed a regression in zone loading performance
557 due to lock contention. [RT #30399]
559 3491. [bug] Slave zones using inline-signing must specify a
560 file name. [RT #31946]
562 3489. [bug] --enable-developer now turns on ISC_LIST_CHECKINIT.
563 When cloning a rdataset do not copy the link contents.
566 3488. [bug] Use after free error with DH generated keys. [RT #32649]
568 3487. [bug] Change 3444 was not complete. There was a additional
569 place where the NOQNAME proof needed to be saved.
572 3486. [bug] named could crash when using TKEY-negotiated keys
573 that had been deleted and then recreated. [RT #32506]
575 3485. [cleanup] Only compile openssl_gostlink.c if we support GOST.
577 3483. [bug] Corrected XSL code in use with --enable-newstats.
580 3481. [cleanup] Removed use of const const in atf.
582 3480. [bug] Silence logging noise when setting up zone
583 statistics. [RT #32525]
585 3479. [bug] Address potential memory leaks in gssapi support
588 3478. [port] Fix a build failure in strict C99 environments
591 3474. [bug] nsupdate could assert when the local and remote
592 address families didn't match. [RT #22897]
594 3473. [bug] dnssec-signzone/verify could incorrectly report
595 an error condition due to an empty node above an
596 opt-out delegation lacking an NSEC3. [RT #32072]
598 3471. [bug] The number of UDP dispatches now defaults to
599 the number of CPUs even if -n has been set to
600 a higher value. [RT #30964]
602 3470. [bug] Slave zones could fail to dump when successfully
603 refreshing after an initial failure. [RT #31276]
605 --- 9.9.3b1 released ---
607 3468. [security] RPZ rules to generate A records (but not AAAA records)
608 could trigger an assertion failure when used in
609 conjunction with DNS64 (CVE-2012-5689). [RT #32141]
611 3467. [bug] Added checks in dnssec-keygen and dnssec-settime
612 to check for delete date < inactive date. [RT #31719]
614 3466. [contrib] Corrected the DNS_CLIENTINFOMETHODS_VERSION check
615 in DLZ example driver. [RT #32275]
617 3465. [bug] Handle isolated reserved ports. [RT #31778]
619 3464. [maint] Updates to PKCS#11 openssl patches, supporting
620 versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]
622 3463. [doc] Clarify managed-keys syntax in ARM. [RT #32232]
624 3462. [doc] Clarify server selection behavior of dig when using
625 -4 or -6 options. [RT #32181]
627 3461. [bug] Negative responses could incorrectly have AD=1
630 3460. [bug] Only link against readline where needed. [RT #29810]
632 3458. [bug] Return FORMERR when presented with a overly long
633 domain named in a request. [RT #29682]
635 3457. [protocol] Add ILNP records (NID, LP, L32, L64). [RT #31836]
637 3456. [port] g++47: ATF failed to compile. [RT #32012]
639 3455. [contrib] queryperf: fix getopt option list. [RT #32338]
641 3454. [port] sparc64: improve atomic support. [RT #25182]
643 3453. [bug] 'rndc addzone' of a zone with 'inline-signing yes;'
646 3452. [bug] Accept duplicate singleton records. [RT #32329]
648 3451. [port] Increase per thread stack size from 64K to 1M.
651 3450. [bug] Stop logfileconfig system test spam system logs.
654 3449. [bug] gen.c: use the pre-processor to construct format
655 strings so that compiler can perform sanity checks;
656 check the snprintf results. [RT #17576]
658 3448. [bug] The allow-query-on ACL was not processed correctly.
661 3447. [port] Add support for libxml2-2.9.x [RT #32231]
663 3446. [port] win32: Add source ID (see change #3400) to build.
666 3445. [bug] Warn about zone files with blank owner names
667 immediately after $ORIGIN directives. [RT #31848]
669 3444. [bug] The NOQNAME proof was not being returned from cached
670 insecure responses. [RT #21409]
672 3443. [bug] ddns-confgen: Some TSIG algorithms were incorrectly
673 rejected when generating keys. [RT #31927]
675 3442. [port] Net::DNS 0.69 introduced a non backwards compatible
678 3441. [maint] D.ROOT-SERVERS.NET is now 199.7.91.13.
680 3440. [bug] Reorder get_key_struct to not trigger a assertion when
681 cleaning up due to out of memory error. [RT #32131]
683 3439. [bug] contrib/dlz error checking fixes. [RT #32102]
685 3438. [bug] Don't accept unknown data escape in quotes. [RT #32031]
687 3437. [bug] isc_buffer_init -> isc_buffer_constinit to initialize
688 buffers with constant data. [RT #32064]
690 3436. [bug] Check malloc/calloc return values. [RT #32088]
692 3435. [bug] Cross compilation support in configure was broken.
695 3431. [bug] ddns-confgen: Some valid key algorithms were
696 not accepted. [RT #31927]
698 3430. [bug] win32: isc_time_formatISO8601 was missing the
699 'T' between the date and time. [RT #32044]
701 3429. [bug] dns_zone_getserial2 could a return success without
702 returning a valid serial. [RT #32007]
704 3428. [cleanup] dig: Add timezone to date output. [RT #2269]
706 3427. [bug] dig +trace incorrectly displayed name server
707 addresses instead of names. [RT #31641]
709 3426. [bug] dnssec-checkds: Clearer output when records are not
712 3425. [bug] "acacheentry" reference counting was broken resulting
713 in use after free. [RT #31908]
715 3424. [func] dnssec-dsfromkey now emits the hash without spaces.
718 3423. [bug] "rndc signing -nsec3param" didn't accept the full
719 range of possible values. Address portability issues.
722 3422. [bug] Added a clear error message for when the SOA does not
723 match the referral. [RT #31281]
725 3421. [bug] Named loops when re-signing if all keys are offline.
728 3420. [bug] Address VPATH compilation issues. [RT #31879]
730 3419. [bug] Memory leak on validation cancel. [RT #31869]
732 3417. [func] Optional new XML schema (version 3.0) for the
733 statistics channel adds query type statistics at the
734 zone level, and flattens the XML tree and uses
735 compressed format to optimize parsing. Includes new XSL
736 that permits charting via the Google Charts API on
737 browsers that support javascript in XSL. To enable,
738 build with "configure --enable-newstats". [RT #30023]
740 3416. [bug] Named could die on shutdown if running with 128 UDP
741 dispatches per interface. [RT #31743]
743 3415. [bug] named could die with a REQUIRE failure if a validation
744 was canceled. [RT #31804]
746 3414. [bug] Address locking issues found by Coverity. [RT #31626]
748 3412. [bug] Copy timeval structure from control message data.
751 3411. [tuning] Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
754 3410. [bug] Addressed Coverity warnings. [RT #31626]
756 3409. [contrib] contrib/dane/mkdane.sh: Tool to generate TLSA RR's
757 from X.509 certificates, for use with DANE
758 (DNS-based Authentication of Named Entities).
761 3408. [bug] Some DNSSEC-related options (update-check-ksk,
762 dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
763 are now legal in slave zones as long as
764 inline-signing is in use. [RT #31078]
766 3406. [bug] mem.c: Fix compilation errors when building with
767 ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
768 Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
770 3405. [bug] Handle time going backwards in acache. [RT #31253]
772 3404. [bug] dnssec-signzone: When re-signing a zone, remove
773 RRSIG and NSEC records from nodes that used to be
774 in-zone but are now below a zone cut. [RT #31556]
776 3403. [bug] Silence noisy OpenSSL logging. [RT #31497]
778 3402. [test] The IPv6 interface numbers used for system
779 tests were incorrect on some platforms. [RT #25085]
781 3401. [bug] Addressed Coverity warnings. [RT #31484]
783 3400. [cleanup] "named -V" can now report a source ID string, defined
784 in the "srcid" file in the build tree and normally set
785 to the most recent git hash. [RT #31494]
787 3399. [port] netbsd: rename 'bool' parameter to avoid namespace
790 3398. [bug] SOA parameters were not being updated with inline
791 signed zones if the zone was modified while the
792 server was offline. [RT #29272]
794 3397. [bug] dig crashed when using +nssearch with +tcp. [RT #25298]
796 3396. [bug] OPT records were incorrectly removed from signed,
797 truncated responses. [RT #31439]
799 3395. [protocol] Add RFC 6598 reverse zones to built in empty zones
800 list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
803 3394. [bug] Adjust 'successfully validated after lower casing
804 signer' log level and category. [RT #31414]
806 3393. [bug] 'host -C' could core dump if REFUSED was received.
809 3391. [bug] A DNSKEY lookup that encountered a CNAME failed.
812 3390. [bug] Silence clang compiler warnings. [RT #30417]
814 3389. [bug] Always return NOERROR (not 0) in TSIG. [RT #31275]
816 3388. [bug] Fixed several Coverity warnings.
817 Note: This change includes a fix for a bug that
818 was subsequently determined to be an exploitable
819 security vulnerability, CVE-2012-5688: named could
820 die on specific queries with dns64 enabled.
823 3386. [bug] Address locking violation when generating new NSEC /
824 NSEC3 chains. [RT #31224]
826 3385. [bug] named-checkconf didn't detect missing master lists
827 in also-notify clauses. [RT #30810]
829 3384. [bug] Improved logging of crypto errors. [RT #30963]
831 3382. [bug] SOA query from slave used use-v6-udp-ports range,
832 if set, regardless of the address family in use.
835 3381. [contrib] Update queryperf to support more RR types.
838 3380. [bug] named could die if a nonexistent master list was
839 referenced in a also-notify. [RT #31004]
841 3379. [bug] isc_interval_zero and isc_time_epoch should be
842 "const (type)* const". [RT #31069]
844 3378. [bug] Handle missing 'managed-keys-directory' better.
847 3377. [bug] Removed spurious newline from NSEC3 multiline
850 3376. [bug] Lack of EDNS support was being recorded without a
851 successful response. [RT #30811]
853 3375. [func] Check that 'rndc dumpdb' works on a empty cache.
856 3374. [bug] isc_parse_uint32 failed to return a range error on
857 systems with 64 bit longs. [RT #30232]
859 3372. [bug] Silence spurious "deleted from unreachable cache"
860 messages. [RT #30501]
862 3371. [bug] AD=1 should behave like DO=1 when deciding whether to
863 add NS RRsets to the additional section or not.
866 3316. [tuning] Improved locking performance when recursing.
869 3315. [tuning] Use multiple dispatch objects for sending upstream
870 queries; this can improve performance on busy
871 multiprocessor systems by reducing lock contention.
874 --- 9.9.2 released ---
876 3383. [security] A certain combination of records in the RBT could
877 cause named to hang while populating the additional
878 section of a response. [RT #31090]
880 3373. [bug] win32: open raw files in binary mode. [RT #30944]
882 3364. [security] Named could die on specially crafted record.
885 --- 9.9.2rc1 released ---
887 3370. [bug] Address use after free while shutting down. [RT #30241]
889 3369. [bug] nsupdate terminated unexpectedly in interactive mode
890 if built with readline support. [RT #29550]
892 3368. [bug] <dns/iptable.h>, <dns/private.h> and <dns/zone.h>
895 3367. [bug] dns_dnsseckey_create() result was not being checked.
898 3366. [bug] Fixed Read-After-Write dependency violation for IA64
899 atomic operations. [RT #25181]
901 3365. [bug] Removed spurious newlines from log messages in
904 3363. [bug] Need to allow "forward" and "fowarders" options
905 in static-stub zones; this had been overlooked.
908 3362. [bug] Setting some option values to 0 in named.conf
909 could trigger an assertion failure on startup.
912 3361. [bug] "rndc signing -nsec3param" didn't work correctly
913 when salt was set to '-' (no salt). [RT #30099]
915 3360. [bug] 'host -w' could die. [RT #18723]
917 3359. [bug] An improperly-formed TSIG secret could cause a
918 memory leak. [RT #30607]
920 3357. [port] Add support for libxml2-2.8.x [RT #30440]
922 3356. [bug] Cap the TTL of signed RRsets when RRSIGs are
923 approaching their expiry, so they don't remain
924 in caches after expiry. [RT #26429]
926 3355. [port] Use more portable awk in verify system test.
928 3354. [func] Improve OpenSSL error logging. [RT #29932]
930 --- 9.9.2b1 released ---
932 3353. [bug] Use a single task for task exclusive operations.
935 3352. [bug] Ensure that learned server attributes timeout of the
936 adb cache. [RT #29856]
938 3351. [bug] isc_mem_put and isc_mem_putanddetach didn't report
939 caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
940 memory debugging flags are set. [RT #30243]
942 3350. [bug] Memory read overrun in isc___mem_reallocate if
943 ISC_MEM_DEBUGCTX memory debugging flag is set.
946 3349. [bug] Change #3345 was incomplete. [RT #30233]
948 3348. [bug] Prevent RRSIG data from being cached if a negative
949 record matching the covering type exists at a higher
950 trust level. Such data already can't be retrieved from
951 the cache since change 3218 -- this prevents it
952 being inserted into the cache as well. [RT #26809]
954 3347. [bug] dnssec-settime: Issue a warning when writing a new
955 private key file would cause a change in the
956 permissions of the existing file. [RT #27724]
958 3346. [security] Bad-cache data could be used before it was
959 initialized, causing an assert. [RT #30025]
961 3345. [bug] Addressed race condition when removing the last item
962 or inserting the first item in an ISC_QUEUE.
965 3344. [func] New "dnssec-checkds" command checks a zone to
966 determine which DS records should be published
967 in the parent zone, or which DLV records should be
968 published in a DLV zone, and queries the DNS to
969 ensure that it exists. (Note: This tool depends
970 on python; it will not be built or installed on
971 systems that do not have a python interpreter.)
974 3342. [bug] Change #3314 broke saving of stub zones to disk
975 resulting in excessive cpu usage in some cases.
978 3341. [func] New "dnssec-verify" command checks a signed zone
979 to ensure correctness of signatures and of NSEC/NSEC3
982 3339. [func] Allow the maximum supported rsa exponent size to be
983 specified: "max-rsa-exponent-size <value>;" [RT #29228]
985 3338. [bug] Address race condition in units tests: asyncload_zone
986 and asyncload_zt. [RT #26100]
988 3337. [bug] Change #3294 broke support for the multiple keys
989 in controls. [RT #29694]
991 3335. [func] nslookup: return a nonzero exit code when unable
992 to get an answer. [RT #29492]
994 3334. [bug] Hold a zone table reference while performing a
995 asynchronous load of a zone. [RT #28326]
997 3333. [bug] Setting resolver-query-timeout too low can cause
998 named to not recover if it loses connectivity.
1001 3332. [bug] Re-use cached DS rrsets if possible. [RT #29446]
1003 3331. [security] dns_rdataslab_fromrdataset could produce bad
1004 rdataslabs. [RT #29644]
1006 3330. [func] Fix missing signatures on NOERROR results despite
1008 - add optional "recursive-only yes|no" to the
1009 response-policy statement
1010 - add optional "max-policy-ttl" to the response-policy
1011 statement to limit the false data that
1012 "recursive-only no" can introduce into
1014 - add a RPZ performance test to bin/tests/system/rpz
1015 when queryperf is available.
1016 - the encoding of PASSTHRU action to "rpz-passthru".
1017 (The old encoding is still accepted.)
1021 3329. [bug] Handle RRSIG signer-name case consistently: We
1022 generate RRSIG records with the signer-name in
1023 lower case. We accept them with any case, but if
1024 they fail to validate, we try again in lower case.
1027 3328. [bug] Fixed inconsistent data checking in dst_parse.c.
1030 3317. [func] Add ECDSA support (RFC 6605). [RT #21918]
1032 --- 9.9.1 released ---
1034 3318. [tuning] Reduce the amount of work performed while holding a
1035 bucket lock when finished with a fetch context.
1038 3314. [bug] The masters list could be updated while stub_callback
1039 or refresh_callback were using it. [RT #26732]
1041 3313. [protocol] Add TLSA record type. [RT #28989]
1043 3312. [bug] named-checkconf didn't detect a bad dns64 clients acl.
1046 3311. [bug] Abort the zone dump if zone->db is NULL in
1047 zone.c:zone_gotwritehandle. [RT #29028]
1049 3310. [test] Increase table size for mutex profiling. [RT #28809]
1051 3309. [bug] resolver.c:fctx_finddone() was not thread safe.
1054 3307. [bug] Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
1057 3306. [bug] Improve DNS64 reverse zone performance. [RT #28563]
1059 3305. [func] Add wire format lookup method to sdb. [RT #28563]
1061 3304. [bug] Use hmctx, not mctx when freeing rbtdb->heaps.
1064 3303. [bug] named could die when reloading. [RT #28606]
1066 3302. [bug] dns_dnssec_findmatchingkeys could fail to find
1067 keys if the zone name contained character that
1068 required special mappings. [RT #28600]
1070 3301. [contrib] Update queryperf to build on darwin. Add -R flag
1071 for non-recursive queries. [RT #28565]
1073 3300. [bug] Named could die if gssapi was enabled in named.conf
1074 but was not compiled in. [RT #28338]
1076 3299. [bug] Make SDB handle errors from database drivers better.
1079 3298. [bug] Named could dereference a NULL pointer in
1080 zmgr_start_xfrin_ifquota if the zone was being removed.
1083 3297. [bug] Named could die on a malformed master file. [RT #28467]
1085 3296. [bug] Named could die with a INSIST failure in
1086 client.c:exit_check. [RT #28346]
1088 3295. [bug] Adjust isc_time_secondsastimet range check to be more
1089 portable. [RT # 26542]
1091 3294. [bug] isccc/cc.c:table_fromwire failed to free alist on
1094 3291. [port] Fixed a build error on systems without ENOTSUP.
1097 3290. [bug] <isc/hmacsha.h> was not being installed. [RT #28169]
1099 3273. [bug] AAAA responses could be returned in the additional
1100 section even when filter-aaaa-on-v4 was in use.
1103 --- 9.9.0 released ---
1105 --- 9.9.0rc4 released ---
1107 3289. [bug] 'rndc retransfer' failed for inline zones. [RT #28036]
1109 3288. [bug] dlz_destroy() function wasn't correctly registered
1110 by the DLZ dlopen driver. [RT #28056]
1112 3287. [port] Update ans.pl to work with Net::DNS 0.68. [RT #28028]
1114 3286. [bug] Managed key maintenance timer could fail to start
1115 after 'rndc reconfig'. [RT #26786]
1117 --- 9.9.0rc3 released ---
1119 3285. [bug] val-frdataset was incorrectly disassociated in
1120 proveunsecure after calling startfinddlvsep.
1123 3284. [bug] Address race conditions with the handling of
1124 rbtnode.deadlink. [RT #27738]
1126 3283. [bug] Raw zones with with more than 512 records in a RRset
1127 failed to load. [RT #27863]
1129 3282. [bug] Restrict the TTL of NS RRset to no more than that
1130 of the old NS RRset when replacing it.
1131 [RT #27792] [RT #27884]
1133 3281. [bug] SOA refresh queries could be treated as cancelled
1134 despite succeeding over the loopback interface.
1137 3280. [bug] Potential double free of a rdataset on out of memory
1138 with DNS64. [RT #27762]
1140 3279. [bug] Hold a internal reference to the zone while performing
1141 a asynchronous load. Address potential memory leak
1142 if the asynchronous is cancelled. [RT #27750]
1144 3278. [bug] Make sure automatic key maintenance is started
1145 when "auto-dnssec maintain" is turned on during
1146 "rndc reconfig". [RT #26805]
1148 3277. [bug] win32: isc_socket_dup is not implemented. [RT #27696]
1150 3276. [bug] win32: ns_os_openfile failed to return NULL on
1151 safe_open failure. [RT #27696]
1153 3275. [bug] Corrected rndc -h output; the 'rndc sync -clean'
1154 option had been misspelled as '-clear'. (To avoid
1155 future confusion, both options now work.) [RT #27173]
1157 3271. [port] darwin: mksymtbl is not always stable, loop several
1158 times before giving up. mksymtbl was using non
1159 portable perl to covert 64 bit hex strings. [RT #27653]
1161 --- 9.9.0rc2 released ---
1163 3270. [bug] "rndc reload" didn't reuse existing zones correctly
1164 when inline-signing was in use. [RT #27650]
1166 3269. [port] darwin 11 and later now built threaded by default.
1168 3268. [bug] Convert RRSIG expiry times to 64 timestamps to work
1169 out the earliest expiry time. [RT #23311]
1171 3267. [bug] Memory allocation failures could be mis-reported as
1172 unexpected error. New ISC_R_UNSET result code.
1175 3266. [bug] The maximum number of NSEC3 iterations for a
1176 DNSKEY RRset was not being properly computed.
1179 3265. [bug] Corrected a problem with lock ordering in the
1180 inline-signing code. [RT #27557]
1182 3264. [bug] Automatic regeneration of signatures in an
1183 inline-signing zone could stall when the server
1184 was restarted. [RT #27344]
1186 3263. [bug] "rndc sync" did not affect the unsigned side of an
1187 inline-signing zone. [RT #27337]
1189 3262. [bug] Signed responses were handled incorrectly by RPZ.
1192 3261. [func] RRset ordering now defaults to random. [RT #27174]
1194 3260. [bug] "rrset-order cyclic" could appear not to rotate
1195 for some query patterns. [RT #27170/27185]
1197 --- 9.9.0rc1 released ---
1199 3259. [bug] named-compilezone: Suppress "dump zone to <file>"
1200 message when writing to stdout. [RT #27109]
1202 3258. [test] Add "forcing full sign with unreadable keys" test.
1205 3257. [bug] Do not generate a error message when calling fsync()
1206 in a pipe or socket. [RT #27109]
1208 3256. [bug] Disable empty zones for lwresd -C. [RT #27139]
1210 3255. [func] No longer require that a empty zones be explicitly
1211 enabled or that a empty zone is disabled for
1212 RFC 1918 empty zones to be configured. [RT #27139]
1214 3254. [bug] Set isc_socket_ipv6only() on the IPv6 control channels.
1217 3253. [bug] Return DNS_R_SYNTAX when the input to a text field is
1218 too long. [RT #26956]
1220 3252. [bug] When master zones using inline-signing were
1221 updated while the server was offline, the source
1222 zone could fall out of sync with the signed
1223 copy. They can now resynchronize. [RT #26676]
1225 3251. [bug] Enforce a upper bound (65535 bytes) on the amount of
1226 memory dns_sdlz_putrr() can allocate per record to
1227 prevent run away memory consumption on ISC_R_NOSPACE.
1230 3250. [func] 'configure --enable-developer'; turn on various
1231 configure options, normally off by default, that
1232 we want developers to build and test with. [RT #27103]
1234 3249. [bug] Update log message when saving slave zones files for
1235 analysis after load failures. [RT #27087]
1237 3248. [bug] Configure options --enable-fixed-rrset and
1238 --enable-exportlib were incompatible with each
1241 3247. [bug] 'raw' format zones failed to preserve load order
1242 breaking 'fixed' sort order. [RT #27087]
1244 3246. [bug] Named failed to start with a empty also-notify list.
1247 3245. [bug] Don't report a error unchanged serials unless there
1248 were other changes when thawing a zone with
1249 ixfr-fromdifferences. [RT #26845]
1251 3244. [func] Added readline support to nslookup and nsupdate.
1252 Also simplified nsupdate syntax to make "update"
1253 and "prereq" optional. [RT #24659]
1255 3243. [port] freebsd,netbsd,bsdi: the thread defaults were not
1258 3242. [func] Extended the header of raw-format master files to
1259 include the serial number of the zone from which
1260 they were generated, if different (as in the case
1261 of inline-signing zones). This is to be used in
1262 inline-signing zones, to track changes between the
1263 unsigned and signed versions of the zone, which may
1264 have different serial numbers.
1266 (Note: raw zonefiles generated by this version of
1267 BIND are no longer compatible with prior versions.
1268 To generate a backward-compatible raw zonefile
1269 using dnssec-signzone or named-compilezone, specify
1270 output format "raw=0" instead of simply "raw".)
1273 3241. [bug] Address race conditions in the resolver code.
1276 3240. [bug] DNSKEY state change events could be missed. [RT #26874]
1278 3239. [bug] dns_dnssec_findmatchingkeys needs to use a consistent
1279 timestamp. [RT #26883]
1281 3238. [bug] keyrdata was not being reinitialized in
1282 lib/dns/rbtdb.c:iszonesecure. [RT#26913]
1284 3237. [bug] dig -6 didn't work with +trace. [RT #26906]
1286 3236. [bug] Backed out changes #3182 and #3202, related to
1287 EDNS(0) fallback behavior. [RT #26416]
1289 3235. [func] dns_db_diffx, a extended dns_db_diff which returns
1290 the generated diff and optionally writes it to a
1291 journal. [RT #26386]
1293 3234. [bug] 'make depend' produced invalid makefiles. [RT #26830]
1295 3233. [bug] 'rndc freeze/thaw' didn't work for inline zones.
1298 3232. [bug] Zero zone->curmaster before return in
1299 dns_zone_setmasterswithkeys(). [RT #26732]
1301 3231. [bug] named could fail to send a incompressible zone.
1304 3230. [bug] 'dig axfr' failed to properly handle a multi-message
1305 axfr with a serial of 0. [RT #26796]
1307 3229. [bug] Fix local variable to struct var assignment
1308 found by CLANG warning.
1310 3228. [tuning] Dynamically grow symbol table to improve zone
1311 loading performance. [RT #26523]
1313 3227. [bug] Interim fix to make WKS's use of getprotobyname()
1314 and getservbyname() self thread safe. [RT #26232]
1316 3226. [bug] Address minor resource leakages. [RT #26624]
1318 3225. [bug] Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
1319 messages. [RT #26507]
1321 3224. [bug] 'rndc signing' argument parsing was broken. [RT #26684]
1323 3223. [bug] 'task_test privilege_drop' generated false positives.
1326 3222. [cleanup] Replace dns_journal_{get,set}_bitws with
1327 dns_journal_{get,set}_sourceserial. [RT #26634]
1329 3221. [bug] Fixed a potential core dump on shutdown due to
1330 referencing fetch context after it's been freed.
1333 --- 9.9.0b2 released ---
1335 3220. [bug] Change #3186 was incomplete; dns_db_rpz_findips()
1336 could fail to set the database version correctly,
1337 causing an assertion failure. [RT #26180]
1339 3219. [bug] Disable NOEDNS caching following a timeout.
1341 3218. [security] Cache lookup could return RRSIG data associated with
1342 nonexistent records, leading to an assertion
1343 failure. [RT #26590]
1345 3217. [cleanup] Fix build problem with --disable-static. [RT #26476]
1347 3216. [bug] resolver.c:validated() was not thread-safe. [RT #26478]
1349 3215. [bug] 'rndc recursing' could cause a core dump. [RT #26495]
1351 3214. [func] Add 'named -U' option to set the number of UDP
1352 listener threads per interface. [RT #26485]
1354 3213. [doc] Clarify ixfr-from-differences behavior. [RT #25188]
1356 3212. [bug] rbtdb.c: failed to remove a node from the deadnodes
1357 list prior to adding a reference to it leading a
1358 possible assertion failure. [RT #23219]
1360 3211. [func] dnssec-signzone: "-f -" prints to stdout; "-O full"
1361 option prints in single-line-per-record format.
1364 3210. [bug] Canceling the oldest query due to recursive-client
1365 overload could trigger an assertion failure. [RT #26463]
1367 3209. [func] Add "dnssec-lookaside 'no'". [RT #24858]
1369 3208. [bug] 'dig -y' handle unknown tsig algorithm better.
1372 3207. [contrib] Fixed build error in Berkeley DB DLZ module. [RT #26444]
1374 3206. [cleanup] Add ISC information to log at start time. [RT #25484]
1376 3205. [func] Upgrade dig's defaults to better reflect modern
1377 nameserver behavior. Enable "dig +adflag" and
1378 "dig +edns=0" by default. Enable "+dnssec" when
1379 running "dig +trace". [RT #23497]
1381 3204. [bug] When a master server that has been marked as
1382 unreachable sends a NOTIFY, mark it reachable
1385 3203. [bug] Increase log level to 'info' for validation failures
1386 from expired or not-yet-valid RRSIGs. [RT #21796]
1388 3202. [bug] NOEDNS caching on timeout was too aggressive.
1391 3201. [func] 'rndc querylog' can now be given an on/off parameter
1392 instead of only being used as a toggle. [RT #18351]
1394 3200. [doc] Some rndc functions were undocumented or were
1395 missing from 'rndc -h' output. [RT #25555]
1397 3199. [func] When logging client information, include the name
1398 being queried. [RT #25944]
1400 3198. [doc] Clarified that dnssec-settime can alter keyfile
1401 permissions. [RT #24866]
1403 3197. [bug] Don't try to log the filename and line number when
1404 the config parser can't open a file. [RT #22263]
1406 3196. [bug] nsupdate: return nonzero exit code when target zone
1407 doesn't exist. [RT #25783]
1409 3195. [cleanup] Silence "file not found" warnings when loading
1410 managed-keys zone. [RT #26340]
1412 3194. [doc] Updated RFC references in the 'empty-zones-enable'
1413 documentation. [RT #25203]
1415 3193. [cleanup] Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
1416 dnssec.h. [RT #26415]
1418 3192. [bug] A query structure could be used after being freed.
1421 3191. [bug] Print NULL records using "unknown" format. [RT #26392]
1423 3190. [bug] Underflow in error handling in isc_mutexblock_init.
1426 3189. [test] Added a summary report after system tests. [RT #25517]
1428 3188. [bug] zone.c:zone_refreshkeys() could fail to detach
1429 references correctly when errors occurred, causing
1430 a hang on shutdown. [RT #26372]
1432 3187. [port] win32: support for Visual Studio 2008. [RT #26356]
1434 --- 9.9.0b1 released ---
1436 3186. [bug] Version/db mis-match in rpz code. [RT #26180]
1438 3185. [func] New 'rndc signing' option for auto-dnssec zones:
1439 - 'rndc signing -list' displays the current
1440 state of signing operations
1441 - 'rndc signing -clear' clears the signing state
1442 records for keys that have fully signed the zone
1443 - 'rndc signing -nsec3param' sets the NSEC3
1444 parameters for the zone
1445 The 'rndc keydone' syntax is removed. [RT #23729]
1447 3184. [bug] named had excessive cpu usage when a redirect zone was
1448 configured. [RT #26013]
1450 3183. [bug] Added RTLD_GLOBAL flag to dlopen call. [RT #26301]
1452 3182. [bug] Auth servers behind firewalls which block packets
1453 greater than 512 bytes may cause other servers to
1454 perform poorly. Now, adb retains edns information
1455 and caches noedns servers. [RT #23392/24964]
1457 3181. [func] Inline-signing is now supported for master zones.
1460 3180. [func] Local copies of slave zones are now saved in raw
1461 format by default, to improve startup performance.
1462 'masterfile-format text;' can be used to override
1463 the default, if desired. [RT #25867]
1465 3179. [port] kfreebsd: build issues. [RT #26273]
1467 3178. [bug] A race condition introduced by change #3163 could
1468 cause an assertion failure on shutdown. [RT #26271]
1470 3177. [func] 'rndc keydone', remove the indicator record that
1471 named has finished signing the zone with the
1472 corresponding key. [RT #26206]
1474 3176. [doc] Corrected example code and added a README to the
1475 sample external DLZ module in contrib/dlz/example.
1478 3175. [bug] Fix how DNSSEC positive wildcard responses from a
1479 NSEC3 signed zone are validated. Stop sending a
1480 unnecessary NSEC3 record when generating such
1481 responses. [RT #26200]
1483 3174. [bug] Always compute to revoked key tag from scratch.
1486 3173. [port] Correctly validate root DS responses. [RT #25726]
1488 3172. [port] darwin 10.* and freebsd [89] are now built threaded by
1491 3171. [bug] Exclusively lock the task when adding a zone using
1492 'rndc addzone'. [RT #25600]
1494 --- 9.9.0a3 released ---
1496 3170. [func] RPZ update:
1497 - fix precedence among competing rules
1498 - improve ARM text including documenting rule precedence
1499 - try to rewrite CNAME chains until first hit
1500 - new "rpz" logging channel
1501 - RDATA for CNAME rules can include wildcards
1502 - replace "NO-OP" named.conf policy override with
1503 "PASSTHRU" and add "DISABLED" override ("NO-OP"
1504 is still recognized)
1507 3169. [func] Catch db/version mis-matches when calling dns_db_*().
1510 3168. [bug] Nxdomain redirection could trigger an assert with
1511 a ANY query. [RT #26017]
1513 3167. [bug] Negative answers from forwarders were not being
1514 correctly tagged making them appear to not be cached.
1517 3166. [bug] Upgrading a zone to support inline-signing failed.
1520 3165. [bug] dnssec-signzone could generate new signatures when
1521 resigning, even when valid signatures were already
1522 present. [RT #26025]
1524 3164. [func] Enable DLZ modules to retrieve client information,
1525 so that responses can be changed depending on the
1526 source address of the query. [RT #25768]
1528 3163. [bug] Use finer-grained locking in client.c to address
1529 concurrency problems with large numbers of threads.
1532 3162. [test] start.pl: modified to allow for "named.args" in
1533 ns*/ subdirectory to override stock arguments to
1534 named. Largely from RT#26044, but no separate ticket.
1536 3161. [bug] zone.c:del_sigs failed to always reset rdata leading
1537 assertion failures. [RT #25880]
1539 3160. [bug] When printing out a NSEC3 record in multiline form
1540 the newline was not being printed causing type codes
1541 to be run together. [RT #25873]
1543 3159. [bug] On some platforms, named could assert on startup
1544 when running in a chrooted environment without
1547 3158. [bug] Recursive servers would prefer a particular UDP
1548 socket instead of using all available sockets.
1551 3157. [tuning] Reduce the time spent in "rndc reconfig" by parsing
1552 the config file before pausing the server. [RT #21373]
1556 --- 9.9.0a2 released ---
1558 3155. [bug] Fixed a build failure when using contrib DLZ
1559 drivers (e.g., mysql, postgresql, etc). [RT #25710]
1561 3154. [bug] Attempting to print an empty rdataset could trigger
1562 an assert. [RT #25452]
1564 3153. [func] Extend request-ixfr to zone level and remove the
1565 side effect of forcing an AXFR. [RT #25156]
1567 3152. [cleanup] Some versions of gcc and clang failed due to
1568 incorrect use of __builtin_expect. [RT #25183]
1570 3151. [bug] Queries for type RRSIG or SIG could be handled
1571 incorrectly. [RT #21050]
1573 3150. [func] Improved startup and reconfiguration time by
1574 enabling zones to load in multiple threads. [RT #25333]
1578 3148. [bug] Processing of normal queries could be stalled when
1579 forwarding a UPDATE message. [RT #24711]
1581 3147. [func] Initial inline signing support. [RT #23657]
1583 --- 9.9.0a1 released ---
1585 3146. [test] Fixed gcc4.6.0 errors in ATF. [RT #25598]
1587 3145. [test] Capture output of ATF unit tests in "./atf.out" if
1588 there were any errors while running them. [RT #25527]
1590 3144. [bug] dns_dbiterator_seek() could trigger an assert when
1591 used with a nonexistent database node. [RT #25358]
1593 3143. [bug] Silence clang compiler warnings. [RT #25174]
1595 3142. [bug] NAPTR is class agnostic. [RT #25429]
1597 3141. [bug] Silence spurious "zone serial (0) unchanged" messages
1598 associated with empty zones. [RT #25079]
1600 3140. [func] New command "rndc flushtree <name>" clears the
1601 specified name from the server cache along with
1602 all names under it. [RT #19970]
1604 3139. [test] Added tests from RFC 6234, RFC 2202, and RFC 1321
1605 for the hashing algorithms (md5, sha1 - sha512, and
1606 their hmac counterparts). [RT #25067]
1608 3138. [bug] Address memory leaks and out-of-order operations when
1609 shutting named down. [RT #25210]
1611 3137. [func] Improve hardware scalability by allowing multiple
1612 worker threads to process incoming UDP packets.
1613 This can significantly increase query throughput
1614 on some systems. [RT #22992]
1616 3136. [func] Add RFC 1918 reverse zones to the list of built-in
1617 empty zones switched on by the 'empty-zones-enable'
1620 3135. [port] FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
1621 See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
1624 3134. [bug] Improve the accuracy of dnssec-signzone's signing
1625 statistics. [RT #16030]
1627 3133. [bug] Change #3114 was incomplete. [RT #24577]
1631 3131. [tuning] Improve scalability by allocating one zone task
1632 per 100 zones at startup time, rather than using a
1633 fixed-size task table. [RT #24406]
1635 3130. [func] Support alternate methods for managing a dynamic
1636 zone's serial number. Two methods are currently
1637 defined using serial-update-method, "increment"
1638 (default) and "unixtime". [RT #23849]
1640 3129. [bug] Named could crash on 'rndc reconfig' when
1641 allow-new-zones was set to yes and named ACLs
1642 were used. [RT #22739]
1644 3128. [func] Inserting an NSEC3PARAM via dynamic update in an
1645 auto-dnssec zone that has not been signed yet
1646 will cause it to be signed with the specified NSEC3
1647 parameters when keys are activated. The
1648 NSEC3PARAM record will not appear in the zone until
1649 it is signed, but the parameters will be stored.
1652 3127. [bug] 'rndc thaw' will now remove a zone's journal file
1653 if the zone serial number has been changed and
1654 ixfr-from-differences is not in use. [RT #24687]
1656 3126. [security] Using DNAME record to generate replacements caused
1657 RPZ to exit with a assertion failure. [RT #24766]
1659 3125. [security] Using wildcard CNAME records as a replacement with
1660 RPZ caused named to exit with a assertion failure.
1663 3124. [bug] Use an rdataset attribute flag to indicate
1664 negative-cache records rather than using rrtype 0;
1665 this will prevent problems when that rrtype is
1666 used in actual DNS packets. [RT #24777]
1668 3123. [security] Change #2912 exposed a latent flaw in
1669 dns_rdataset_totext() that could cause named to
1670 crash with an assertion failure. [RT #24777]
1672 3122. [cleanup] dnssec-settime: corrected usage message. [RT #24664]
1674 3121. [security] An authoritative name server sending a negative
1675 response containing a very large RRset could
1676 trigger an off-by-one error in the ncache code
1677 and crash named. [RT #24650]
1679 3120. [bug] Named could fail to validate zones listed in a DLV
1680 that validated insecure without using DLV and had
1681 DS records in the parent zone. [RT #24631]
1683 3119. [bug] When rolling to a new DNSSEC key, a private-type
1684 record could be created and never marked complete.
1687 3118. [bug] nsupdate could dump core on shutdown when using
1688 SIG(0) keys. [RT #24604]
1690 3117. [cleanup] Remove doc and parser references to the
1691 never-implemented 'auto-dnssec create' option.
1694 3116. [func] New 'dnssec-update-mode' option controls updates
1695 of DNSSEC records in signed dynamic zones. Set to
1696 'no-resign' to disable automatic RRSIG regeneration
1697 while retaining the ability to sign new or changed
1700 3115. [bug] Named could fail to return requested data when
1701 following a CNAME that points into the same zone.
1704 3114. [bug] Retain expired RRSIGs in dynamic zones if key is
1705 inactive and there is no replacement key. [RT #23136]
1707 3113. [doc] Document the relationship between serial-query-rate
1708 and NOTIFY messages.
1710 3112. [doc] Add missing descriptions of the update policy name
1711 types "ms-self", "ms-subdomain", "krb5-self" and
1712 "krb5-subdomain", which allow machines to update
1713 their own records, to the BIND 9 ARM.
1715 3111. [bug] Improved consistency checks for dnssec-enable and
1716 dnssec-validation, added test cases to the
1717 checkconf system test. [RT #24398]
1719 3110. [bug] dnssec-signzone: Wrong error message could appear
1720 when attempting to sign with no KSK. [RT #24369]
1722 3109. [func] The also-notify option now uses the same syntax
1723 as a zone's masters clause. This means it is
1724 now possible to specify a TSIG key to use when
1725 sending notifies to a given server, or to include
1726 an explicit named masters list in an also-notfiy
1727 statement. [RT #23508]
1729 3108. [cleanup] dnssec-signzone: Clarified some error and
1730 warning messages; removed #ifdef ALLOW_KSKLESS_ZONES
1731 code (use -P instead). [RT #20852]
1733 3107. [bug] dnssec-signzone: Report the correct number of ZSKs
1734 when using -x. [RT #20852]
1736 3106. [func] When logging client requests, include the name of
1737 the TSIG key if any. [RT #23619]
1739 3105. [bug] GOST support can be suppressed by "configure
1740 --without-gost" [RT #24367]
1742 3104. [bug] Better support for cross-compiling. [RT #24367]
1744 3103. [bug] Configuring 'dnssec-validation auto' in a view
1745 instead of in the options statement could trigger
1746 an assertion failure in named-checkconf. [RT #24382]
1748 3102. [func] New 'dnssec-loadkeys-interval' option configures
1749 how often, in minutes, to check the key repository
1750 for updates when using automatic key maintenance.
1751 Default is every 60 minutes (formerly hard-coded
1752 to 12 hours). [RT #23744]
1754 3101. [bug] Zones using automatic key maintenance could fail
1755 to check the key repository for updates. [RT #23744]
1757 3100. [security] Certain response policy zone configurations could
1758 trigger an INSIST when receiving a query of type
1761 3099. [test] "dlz" system test now runs but gives R:SKIPPED if
1762 not compiled with --with-dlz-filesystem. [RT #24146]
1764 3098. [bug] DLZ zones were answering without setting the AA bit.
1767 3097. [test] Add a tool to test handling of malformed packets.
1770 3096. [bug] Set KRB5_KTNAME before calling log_cred() in
1771 dst_gssapi_acceptctx(). [RT #24004]
1773 3095. [bug] Handle isolated reserved ports in the port range.
1776 3094. [doc] Expand dns64 documentation.
1778 3093. [bug] Fix gssapi/kerberos dependencies [RT #23836]
1780 3092. [bug] Signatures for records at the zone apex could go
1781 stale due to an incorrect timer setting. [RT #23769]
1783 3091. [bug] Fixed a bug in which zone keys that were published
1784 and then subsequently activated could fail to trigger
1785 automatic signing. [RT #22911]
1787 3090. [func] Make --with-gssapi default [RT #23738]
1789 3089. [func] dnssec-dsfromkey now supports reading keys from
1790 standard input "dnssec-dsfromkey -f -". [RT# 20662]
1792 3088. [bug] Remove bin/tests/system/logfileconfig/ns1/named.conf
1793 and add setup.sh in order to resolve changing
1794 named.conf issue. [RT #23687]
1796 3087. [bug] DDNS updates using SIG(0) with update-policy match
1797 type "external" could cause a crash. [RT #23735]
1799 3086. [bug] Running dnssec-settime -f on an old-style key will
1800 now force an update to the new key format even if no
1801 other change has been specified, using "-P now -A now"
1802 as default values. [RT #22474]
1804 3085. [func] New '-R' option in dnssec-signzone forces removal
1805 of signatures which have not yet expired but
1806 were generated by a key that no longer exists.
1809 3084. [func] A new command "rndc sync" dumps pending changes in
1810 a dynamic zone to disk; "rndc sync -clean" also
1811 removes the journal file after syncing. Also,
1812 "rndc freeze" no longer removes journal files.
1815 3083. [bug] NOTIFY messages were not being sent when generating
1816 a NSEC3 chain incrementally. [RT #23702]
1818 3082. [port] strtok_r is threads only. [RT #23747]
1820 3081. [bug] Failure of DNAME substitution did not return
1821 YXDOMAIN. [RT #23591]
1823 3080. [cleanup] Replaced compile time constant by STDTIME_ON_32BITS.
1826 3079. [bug] Handle isc_event_allocate failures in t_tasks.
1829 3078. [func] Added a new include file with function typedefs
1830 for the DLZ "dlopen" driver. [RT #23629]
1832 3077. [bug] zone.c:zone_refreshkeys() incorrectly called
1833 dns_zone_attach(), use zone->irefs instead. [RT #23303]
1835 3076. [func] New '-L' option in dnssec-keygen, dnsset-settime, and
1836 dnssec-keyfromlabel sets the default TTL of the
1837 key. When possible, automatic signing will use that
1838 TTL when the key is published. [RT #23304]
1840 3075. [bug] dns_dnssec_findzonekeys{2} used a inconsistent
1841 timestamp when determining which keys are active.
1844 3074. [bug] Make the adb cache read through for zone data and
1845 glue learn for zone named is authoritative for.
1848 3073. [bug] managed-keys changes were not properly being recorded.
1851 3072. [bug] dns_dns64_aaaaok() potential NULL pointer dereference.
1854 3071. [bug] has_nsec could be used uninitialized in
1855 update.c:next_active. [RT #20256]
1857 3070. [bug] dnssec-signzone potential NULL pointer dereference.
1860 3069. [cleanup] Silence warnings messages from clang static analysis.
1863 3068. [bug] Named failed to build with a OpenSSL without engine
1864 support. [RT #23473]
1866 3067. [bug] ixfr-from-differences {master|slave}; failed to
1867 select the master/slave zones. [RT #23580]
1869 3066. [func] The DLZ "dlopen" driver is now built by default,
1870 no longer requiring a configure option. To
1871 disable it, use "configure --without-dlopen".
1872 Driver also supported on win32. [RT #23467]
1874 3065. [bug] RRSIG could have time stamps too far in the future.
1877 3064. [bug] powerpc: add sync instructions to the end of atomic
1878 operations. [RT #23469]
1880 3063. [contrib] More verbose error reporting from DLZ LDAP. [RT #23402]
1882 3062. [func] Made several changes to enhance human readability
1883 of DNSSEC data in dig output and in generated
1885 - DNSKEY record comments are more verbose, no
1886 longer used in multiline mode only
1887 - multiline RRSIG records reformatted
1888 - multiline output mode for NSEC3PARAM records
1889 - "dig +norrcomments" suppresses DNSKEY comments
1890 - "dig +split=X" breaks hex/base64 records into
1891 fields of width X; "dig +nosplit" disables this.
1894 3061. [func] New option "dnssec-signzone -D", only write out
1895 generated DNSSEC records. [RT #22896]
1897 3060. [func] New option "dnssec-signzone -X <date>" allows
1898 specification of a separate expiration date
1899 for DNSKEY RRSIGs and other RRSIGs. [RT #22141]
1901 3059. [test] Added a regression test for change #3023.
1903 3058. [bug] Cause named to terminate at startup or rndc reconfig/
1904 reload to fail, if a log file specified in the conf
1905 file isn't a plain file. [RT #22771]
1907 3057. [bug] "rndc secroots" would abort after the first error
1908 and so could miss some views. [RT #23488]
1910 3056. [func] Added support for URI resource record. [RT #23386]
1914 3054. [bug] Added elliptic curve support check in
1915 GOST OpenSSL engine detection. [RT #23485]
1917 3053. [bug] Under a sustained high query load with a finite
1918 max-cache-size, it was possible for cache memory
1919 to be exhausted and not recovered. [RT #23371]
1921 3052. [test] Fixed last autosign test report. [RT #23256]
1923 3051. [bug] NS records obscure DNAME records at the bottom of the
1924 zone if both are present. [RT #23035]
1926 3050. [bug] The autosign system test was timing dependent.
1927 Wait for the initial autosigning to complete
1928 before running the rest of the test. [RT #23035]
1930 3049. [bug] Save and restore the gid when creating creating
1931 named.pid at startup. [RT #23290]
1933 3048. [bug] Fully separate view key management. [RT #23419]
1935 3047. [bug] DNSKEY NODATA responses not cached fixed in
1936 validator.c. Tests added to dnssec system test.
1939 3046. [bug] Use RRSIG original TTL to compute validated RRset
1940 and RRSIG TTL. [RT #23332]
1942 3045. [removed] Replaced by change #3050.
1944 3044. [bug] Hold the socket manager lock while freeing the socket.
1947 3043. [test] Merged in the NetBSD ATF test framework (currently
1948 version 0.12) for development of future unit tests.
1949 Use configure --with-atf to build ATF internally
1950 or configure --with-atf=prefix to use an external
1953 3042. [bug] dig +trace could fail attempting to use IPv6
1954 addresses on systems with only IPv4 connectivity.
1957 3041. [bug] dnssec-signzone failed to generate new signatures on
1958 ttl changes. [RT #23330]
1960 3040. [bug] Named failed to validate insecure zones where a node
1961 with a CNAME existed between the trust anchor and the
1962 top of the zone. [RT #23338]
1964 3039. [func] Redirect on NXDOMAIN support. [RT #23146]
1966 3038. [bug] Install <dns/rpz.h>. [RT #23342]
1968 3037. [doc] Update COPYRIGHT to contain all the individual
1969 copyright notices that cover various parts.
1971 3036. [bug] Check built-in zone arguments to see if the zone
1972 is re-usable or not. [RT #21914]
1974 3035. [cleanup] Simplify by using strlcpy. [RT #22521]
1976 3034. [cleanup] nslookup: use strlcpy instead of safecopy. [RT #22521]
1978 3033. [cleanup] Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).
1981 3032. [bug] rdatalist.c: add missing REQUIREs. [RT #22521]
1983 3031. [bug] dns_rdataclass_format() handle a zero sized buffer.
1986 3030. [bug] dns_rdatatype_format() handle a zero sized buffer.
1989 3029. [bug] isc_netaddr_format() handle a zero sized buffer.
1992 3028. [bug] isc_sockaddr_format() handle a zero sized buffer.
1995 3027. [bug] Add documented REQUIREs to cfg_obj_asnetprefix() to
1996 catch NULL pointer dereferences before they happen.
1999 3026. [bug] lib/isc/httpd.c: check that we have enough space
2000 after calling grow_headerspace() and if not
2001 re-call grow_headerspace() until we do. [RT #22521]
2003 3025. [bug] Fixed a possible deadlock due to zone resigning.
2006 3024. [func] RTT Banding removed due to minor security increase
2007 but major impact on resolver latency. [RT #23310]
2009 3023. [bug] Named could be left in an inconsistent state when
2010 receiving multiple AXFR response messages that were
2011 not all TSIG-signed. [RT #23254]
2013 3022. [bug] Fixed rpz SERVFAILs after failed zone transfers
2016 3021. [bug] Change #3010 was incomplete. [RT #22296]
2018 3020. [bug] auto-dnssec failed to correctly update the zone when
2019 changing the DNSKEY RRset. [RT #23232]
2021 3019. [test] Test: check apex NSEC3 records after adding DNSKEY
2022 record via UPDATE. [RT #23229]
2024 3018. [bug] Named failed to check for the "none;" acl when deciding
2025 if a zone may need to be re-signed. [RT #23120]
2027 3017. [doc] dnssec-keyfromlabel -I was not properly documented.
2030 3016. [bug] rndc usage missing '-b'. [RT #22937]
2032 3015. [port] win32: fix IN6_IS_ADDR_LINKLOCAL and
2033 IN6_IS_ADDR_SITELOCAL macros. [RT #22724]
2037 3013. [bug] The DNS64 ttl was not always being set as expected.
2040 3012. [bug] Remove DNSKEY TTL change pairs before generating
2041 signing records for any remaining DNSKEY changes.
2044 3011. [func] Change the default query timeout from 30 seconds
2045 to 10. Allow setting this in named.conf using the new
2046 'resolver-query-timeout' option, which specifies a max
2047 time in seconds. 0 means 'default' and anything longer
2048 than 30 will be silently set to 30. [RT #22852]
2050 3010. [bug] Fixed a bug where "rndc reconfig" stopped the timer
2051 for refreshing managed-keys. [RT #22296]
2053 3009. [bug] clients-per-query code didn't work as expected with
2054 particular query patterns. [RT #22972]
2056 --- 9.8.0b1 released ---
2058 3008. [func] Response policy zones (RPZ) support. [RT #21726]
2060 3007. [bug] Named failed to preserve the case of domain names in
2061 rdata which is not compressible when writing master
2064 3006. [func] Allow dynamically generated TSIG keys to be preserved
2065 across restarts of named. Initially this is for
2066 TSIG keys generated using GSSAPI. [RT #22639]
2068 3005. [port] Solaris: Work around the lack of
2069 gsskrb5_register_acceptor_identity() by setting
2070 the KRB5_KTNAME environment variable to the
2071 contents of tkey-gssapi-keytab. Also fixed
2072 test errors on MacOSX. [RT #22853]
2074 3004. [func] DNS64 reverse support. [RT #22769]
2076 3003. [experimental] Added update-policy match type "external",
2077 enabling named to defer the decision of whether to
2078 allow a dynamic update to an external daemon.
2079 (Contributed by Andrew Tridgell.) [RT #22758]
2081 3002. [bug] isc_mutex_init_errcheck() failed to destroy attr.
2084 3001. [func] Added a default trust anchor for the root zone, which
2085 can be switched on by setting "dnssec-validation auto;"
2086 in the named.conf options. [RT #21727]
2088 3000. [bug] More TKEY/GSS fixes:
2089 - nsupdate can now get the default realm from
2090 the user's Kerberos principal
2091 - corrected gsstest compilation flags
2092 - improved documentation
2093 - fixed some NULL dereferences
2096 2999. [func] Add GOST support (RFC 5933). [RT #20639]
2098 2998. [func] Add isc_task_beginexclusive and isc_task_endexclusive
2099 to the task api. [RT #22776]
2101 2997. [func] named -V now reports the OpenSSL and libxml2 verions
2102 it was compiled against. [RT #22687]
2104 2996. [security] Temporarily disable SO_ACCEPTFILTER support.
2107 2995. [bug] The Kerberos realm was not being correctly extracted
2108 from the signer's identity. [RT #22770]
2110 2994. [port] NetBSD: use pthreads by default on NetBSD >= 5.0, and
2111 do not use threads on earlier versions. Also kill
2112 the unproven-pthreads, mit-pthreads, and ptl2 support.
2114 2993. [func] Dynamically grow adb hash tables. [RT #21186]
2116 2992. [contrib] contrib/check-secure-delegation.pl: A simple tool
2117 for looking at a secure delegation. [RT #22059]
2119 2991. [contrib] contrib/zone-edit.sh: A simple zone editing tool for
2120 dynamic zones. [RT #22365]
2122 2990. [bug] 'dnssec-settime -S' no longer tests prepublication
2123 interval validity when the interval is set to 0.
2126 2989. [func] Added support for writable DLZ zones. (Contributed
2127 by Andrew Tridgell of the Samba project.) [RT #22629]
2129 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation
2130 of external DLZ drivers that can be loaded as
2131 shared objects at runtime rather than linked with
2132 named. Currently this is switched on via a
2133 compile-time option, "configure --with-dlz-dlopen".
2134 Note: the syntax for configuring DLZ zones
2135 is likely to be refined in future releases.
2136 (Contributed by Andrew Tridgell of the Samba
2137 project.) [RT #22629]
2139 2987. [func] Improve ease of configuring TKEY/GSS updates by
2140 adding a "tkey-gssapi-keytab" option. If set,
2141 updates will be allowed with any key matching
2142 a principal in the specified keytab file.
2143 "tkey-gssapi-credential" is no longer required
2144 and is expected to be deprecated. (Contributed
2145 by Andrew Tridgell of the Samba project.)
2148 2986. [func] Add new zone type "static-stub". It's like a stub
2149 zone, but the nameserver names and/or their IP
2150 addresses are statically configured. [RT #21474]
2152 2985. [bug] Add a regression test for change #2896. [RT #21324]
2154 2984. [bug] Don't run MX checks when the target of the MX record
2157 2983. [bug] Include "loadkeys" in rndc help output. [RT #22493]
2159 --- 9.8.0a1 released ---
2161 2982. [bug] Reference count dst keys. dst_key_attach() can be used
2162 increment the reference count.
2164 Note: dns_tsigkey_createfromkey() callers should now
2165 always call dst_key_free() rather than setting it
2166 to NULL on success. [RT #22672]
2168 2981. [func] Partial DNS64 support (AAAA synthesis). [RT #21991]
2170 2980. [bug] named didn't properly handle UPDATES that changed the
2171 TTL of the NSEC3PARAM RRset. [RT #22363]
2173 2979. [bug] named could deadlock during shutdown if two
2174 "rndc stop" commands were issued at the same
2177 2978. [port] hpux: look for <devpoll.h> [RT #21919]
2179 2977. [bug] 'nsupdate -l' report if the session key is missing.
2182 2976. [bug] named could die on exit after negotiating a GSS-TSIG
2185 2975. [bug] rbtdb.c:cleanup_dead_nodes_callback() acquired the
2186 wrong lock which could lead to server deadlock.
2189 2974. [bug] Some valid UPDATE requests could fail due to a
2190 consistency check examining the existing version
2191 of the zone rather than the new version resulting
2192 from the UPDATE. [RT #22413]
2194 2973. [bug] bind.keys.h was being removed by the "make clean"
2195 at the end of configure resulting in build failures
2196 where there is very old version of perl installed.
2197 Move it to "make maintainer-clean". [RT #22230]
2199 2972. [bug] win32: address windows socket errors. [RT #21906]
2201 2971. [bug] Fixed a bug that caused journal files not to be
2202 compacted on Windows systems as a result of
2203 non-POSIX-compliant rename() semantics. [RT #22434]
2205 2970. [security] Adding a NO DATA negative cache entry failed to clear
2206 any matching RRSIG records. A subsequent lookup of
2207 of NO DATA cache entry could trigger a INSIST when the
2208 unexpected RRSIG was also returned with the NO DATA
2211 CVE-2010-3613, VU#706148. [RT #22288]
2213 2969. [security] Fix acl type processing so that allow-query works
2214 in options and view statements. Also add a new
2215 set of tests to verify proper functioning.
2217 CVE-2010-3615, VU#510208. [RT #22418]
2219 2968. [security] Named could fail to prove a data set was insecure
2220 before marking it as insecure. One set of conditions
2221 that can trigger this occurs naturally when rolling
2224 CVE-2010-3614, VU#837744. [RT #22309]
2226 2967. [bug] 'host -D' now turns on debugging messages earlier.
2229 2966. [bug] isc_print_vsnprintf() failed to check if there was
2230 space available in the buffer when adding a left
2231 justified character with a non zero width,
2232 (e.g. "%-1c"). [RT #22270]
2234 2965. [func] Test HMAC functions using test data from RFC 2104 and
2235 RFC 4634. [RT #21702]
2239 2963. [security] The allow-query acl was being applied instead of the
2240 allow-query-cache acl to cache lookups. [RT #22114]
2242 2962. [port] win32: add more dependencies to BINDBuild.dsw.
2245 2961. [bug] Be still more selective about the non-authoritative
2246 answers we apply change 2748 to. [RT #22074]
2248 2960. [func] Check that named accepts non-authoritative answers.
2251 2959. [func] Check that named starts with a missing masterfile.
2254 2958. [bug] named failed to start with a missing master file.
2257 2957. [bug] entropy_get() and entropy_getpseudo() failed to match
2258 the API for RAND_bytes() and RAND_pseudo_bytes()
2259 respectively. [RT #21962]
2261 2956. [port] Enable atomic operations on the PowerPC64. [RT #21899]
2263 2955. [func] Provide more detail in the recursing log. [RT #22043]
2265 2954. [bug] contrib: dlz_mysql_driver.c bad error handling on
2266 build_sqldbinstance failure. [RT #21623]
2268 2953. [bug] Silence spurious "expected covering NSEC3, got an
2269 exact match" message when returning a wildcard
2270 no data response. [RT #21744]
2272 2952. [port] win32: named-checkzone and named-checkconf failed
2273 to initialize winsock. [RT #21932]
2275 2951. [bug] named failed to generate a correct signed response
2276 in a optout, delegation only zone with no secure
2277 delegations. [RT #22007]
2279 2950. [bug] named failed to perform a SOA up to date check when
2280 falling back to TCP on UDP timeouts when
2281 ixfr-from-differences was set. [RT #21595]
2283 2949. [bug] dns_view_setnewzones() contained a memory leak if
2284 it was called multiple times. [RT #21942]
2286 2948. [port] MacOS: provide a mechanism to configure the test
2287 interfaces at reboot. See bin/tests/system/README
2292 2946. [doc] Document the default values for the minimum and maximum
2293 zone refresh and retry values in the ARM. [RT #21886]
2295 2945. [doc] Update empty-zones list in ARM. [RT #21772]
2297 2944. [maint] Remove ORCHID prefix from built in empty zones.
2300 2943. [func] Add support to load new keys into managed zones
2301 without signing immediately with "rndc loadkeys".
2302 Add support to link keys with "dnssec-keygen -S"
2303 and "dnssec-settime -S". [RT #21351]
2305 2942. [contrib] zone2sqlite failed to setup the entropy sources.
2308 2941. [bug] sdb and sdlz (dlz's zone database) failed to support
2309 DNAME at the zone apex. [RT #21610]
2311 2940. [port] Remove connection aborted error message on
2312 Windows. [RT #21549]
2314 2939. [func] Check that named successfully skips NSEC3 records
2315 that fail to match the NSEC3PARAM record currently
2318 2938. [bug] When generating signed responses, from a signed zone
2319 that uses NSEC3, named would use a uninitialized
2320 pointer if it needed to skip a NSEC3 record because
2321 it didn't match the selected NSEC3PARAM record for
2324 2937. [bug] Worked around an apparent race condition in over
2325 memory conditions. Without this fix a DNS cache DB or
2326 ADB could incorrectly stay in an over memory state,
2327 effectively refusing further caching, which
2328 subsequently made a BIND 9 caching server unworkable.
2329 This fix prevents this problem from happening by
2330 polling the state of the memory context, rather than
2331 making a copy of the state, which appeared to cause
2332 a race. This is a "workaround" in that it doesn't
2333 solve the possible race per se, but several experiments
2334 proved this change solves the symptom. Also, the
2335 polling overhead hasn't been reported to be an issue.
2336 This bug should only affect a caching server that
2337 specifies a finite max-cache-size. It's also quite
2338 likely that the bug happens only when enabling threads,
2339 but it's not confirmed yet. [RT #21818]
2341 2936. [func] Improved configuration syntax and multiple-view
2342 support for addzone/delzone feature (see change
2343 #2930). Removed "new-zone-file" option, replaced
2344 with "allow-new-zones (yes|no)". The new-zone-file
2345 for each view is now created automatically, with
2346 a filename generated from a hash of the view name.
2347 It is no longer necessary to "include" the
2348 new-zone-file in named.conf; this happens
2349 automatically. Zones that were not added via
2350 "rndc addzone" can no longer be removed with
2351 "rndc delzone". [RT #19447]
2353 2935. [bug] nsupdate: improve 'file not found' error message.
2356 2934. [bug] Use ANSI C compliant shift range in lib/isc/entropy.c.
2359 2933. [bug] 'dig +nsid' used stack memory after it went out of
2360 scope. This could potentially result in a unknown,
2361 potentially malformed, EDNS option being sent instead
2362 of the desired NSID option. [RT #21781]
2364 2932. [cleanup] Corrected a numbering error in the "dnssec" test.
2367 2931. [bug] Temporarily and partially disable change 2864
2368 because it would cause infinite attempts of RRSIG
2369 queries. This is an urgent care fix; we'll
2370 revisit the issue and complete the fix later.
2373 2930. [experimental] New "rndc addzone" and "rndc delzone" commands
2374 allow dynamic addition and deletion of zones.
2375 To enable this feature, specify a "new-zone-file"
2376 option at the view or options level in named.conf.
2377 Zone configuration information for the new zones
2378 will be written into that file. To make the new
2379 zones persist after a restart, "include" the file
2380 into named.conf in the appropriate view. (Note:
2381 This feature is not yet documented, and its syntax
2382 is expected to change.) [RT #19447]
2384 2929. [bug] Improved handling of GSS security contexts:
2385 - added LRU expiration for generated TSIGs
2386 - added the ability to use a non-default realm
2387 - added new "realm" keyword in nsupdate
2388 - limited lifetime of generated keys to 1 hour
2389 or the lifetime of the context (whichever is
2393 2928. [bug] Be more selective about the non-authoritative
2394 answer we apply change 2748 to. [RT #21594]
2400 2925. [bug] Named failed to accept uncachable negative responses
2401 from insecure zones. [RT# 21555]
2403 2924. [func] 'rndc secroots' dump a combined summary of the
2404 current managed keys combined with trusted keys.
2407 2923. [bug] 'dig +trace' could drop core after "connection
2408 timeout". [RT #21514]
2410 2922. [contrib] Update zkt to version 1.0.
2412 2921. [bug] The resolver could attempt to destroy a fetch context
2413 too soon. [RT #19878]
2415 2920. [func] Allow 'filter-aaaa-on-v4' to be applied selectively
2416 to IPv4 clients. New acl 'filter-aaaa' (default any).
2418 2919. [func] Add autosign-ksk and autosign-zsk virtual time tests.
2421 2918. [maint] Add AAAA address for I.ROOT-SERVERS.NET.
2423 2917. [func] Virtual time test framework. [RT #20801]
2425 2916. [func] Add framework to use IPv6 in tests.
2426 fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7
2428 2915. [cleanup] Be smarter about which objects we attempt to compile
2429 based on configure options. [RT #21444]
2431 2914. [bug] Make the "autosign" system test more portable.
2434 2913. [func] Add pkcs#11 system tests. [RT #20784]
2436 2912. [func] Windows clients don't like UPDATE responses that clear
2437 the zone section. [RT #20986]
2439 2911. [bug] dnssec-signzone didn't handle out of zone records well.
2442 2910. [func] Sanity check Kerberos credentials. [RT #20986]
2444 2909. [bug] named-checkconf -p could die if "update-policy local;"
2445 was specified in named.conf. [RT #21416]
2447 2908. [bug] It was possible for re-signing to stop after removing
2448 a DNSKEY. [RT #21384]
2450 2907. [bug] The export version of libdns had undefined references.
2453 2906. [bug] Address RFC 5011 implementation issues. [RT #20903]
2455 2905. [port] aix: set use_atomic=yes with native compiler.
2458 2904. [bug] When using DLV, sub-zones of the zones in the DLV,
2459 could be incorrectly marked as insecure instead of
2460 secure leading to negative proofs failing. This was
2461 a unintended outcome from change 2890. [RT# 21392]
2463 2903. [bug] managed-keys-directory missing from namedconf.c.
2466 2902. [func] Add regression test for change 2897. [RT #21040]
2468 2901. [port] Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]
2470 2900. [bug] The placeholder negative caching element was not
2471 properly constructed triggering a INSIST in
2472 dns_ncache_towire(). [RT #21346]
2474 2899. [port] win32: Support linking against OpenSSL 1.0.0.
2476 2898. [bug] nslookup leaked memory when -domain=value was
2477 specified. [RT #21301]
2479 2897. [bug] NSEC3 chains could be left behind when transitioning
2480 to insecure. [RT #21040]
2482 2896. [bug] "rndc sign" failed to properly update the zone
2483 when adding a DNSKEY for publication only. [RT #21045]
2485 2895. [func] genrandom: add support for the generation of multiple
2488 2894. [contrib] DLZ LDAP support now use '$' not '%'. [RT #21294]
2490 2893. [bug] Improve managed keys support. New named.conf option
2491 managed-keys-directory. [RT #20924]
2493 2892. [bug] Handle REVOKED keys better. [RT #20961]
2495 2891. [maint] Update empty-zones list to match
2496 draft-ietf-dnsop-default-local-zones-13. [RT# 21099]
2498 2890. [bug] Handle the introduction of new trusted-keys and
2499 DS, DLV RRsets better. [RT #21097]
2501 2889. [bug] Elements of the grammar where not properly reported.
2504 2888. [bug] Only the first EDNS option was displayed. [RT #21273]
2506 2887. [bug] Report the keytag times in UTC in the .key file,
2507 local time is presented as a comment within the
2508 comment. [RT #21223]
2510 2886. [bug] ctime() is not thread safe. [RT #21223]
2512 2885. [bug] Improve -fno-strict-aliasing support probing in
2513 configure. [RT #21080]
2515 2884. [bug] Insufficient validation in dns_name_getlabelsequence().
2518 2883. [bug] 'dig +short' failed to handle really large datasets.
2521 2882. [bug] Remove memory context from list of active contexts
2522 before clearing 'magic'. [RT #21274]
2524 2881. [bug] Reduce the amount of time the rbtdb write lock
2525 is held when closing a version. [RT #21198]
2527 2880. [cleanup] Make the output of dnssec-keygen and dnssec-revoke
2528 consistent. [RT #21078]
2530 2879. [contrib] DLZ bdbhpt driver fails to close correct cursor.
2533 2878. [func] Incrementally write the master file after performing
2536 2877. [bug] The validator failed to skip obviously mismatching
2539 2876. [bug] Named could return SERVFAIL for negative responses
2540 from unsigned zones. [RT #21131]
2542 2875. [bug] dns_time64_fromtext() could accept non digits.
2545 2874. [bug] Cache lack of EDNS support only after the server
2546 successfully responds to the query using plain DNS.
2549 2873. [bug] Canceling a dynamic update via the dns/client module
2550 could trigger an assertion failure. [RT #21133]
2552 2872. [bug] Modify dns/client.c:dns_client_createx() to only
2553 require one of IPv4 or IPv6 rather than both.
2556 2871. [bug] Type mismatch in mem_api.c between the definition and
2557 the header file, causing build failure with
2558 --enable-exportlib. [RT #21138]
2560 2870. [maint] Add AAAA address for L.ROOT-SERVERS.NET.
2562 2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call.
2565 2868. [cleanup] Run "make clean" at the end of configure to ensure
2566 any changes made by configure are integrated.
2567 Use --with-make-clean=no to disable. [RT #20994]
2569 2867. [bug] Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
2570 don't like it. [RT #20986]
2572 2866. [bug] Windows does not like the TSIG name being compressed.
2575 2865. [bug] memset to zero event.data. [RT #20986]
2577 2864. [bug] Direct SIG/RRSIG queries were not handled correctly.
2580 2863. [port] linux: disable IPv6 PMTUD and use network minimum MTU.
2583 2862. [bug] nsupdate didn't default to the parent zone when
2584 updating DS records. [RT #20896]
2586 2861. [doc] dnssec-settime man pages didn't correctly document the
2587 inactivation time. [RT #21039]
2589 2860. [bug] named-checkconf's usage was out of date. [RT #21039]
2591 2859. [bug] When canceling validation it was possible to leak
2594 2858. [bug] RTT estimates were not being adjusted on ICMP errors.
2597 2857. [bug] named-checkconf did not fail on a bad trusted key.
2600 2856. [bug] The size of a memory allocation was not always properly
2601 recorded. [RT #20927]
2603 2855. [func] nsupdate will now preserve the entered case of domain
2604 names in update requests it sends. [RT #20928]
2606 2854. [func] dig: allow the final soa record in a axfr response to
2607 be suppressed, dig +onesoa. [RT #20929]
2609 2853. [bug] add_sigs() could run out of scratch space. [RT #21015]
2611 2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]
2613 2851. [doc] nslookup.1, removed <informalexample> from the docbook
2614 source as it produced bad nroff. [RT #21007]
2616 2850. [bug] If isc_heap_insert() failed due to memory shortage
2617 the heap would have corrupted entries. [RT #20951]
2619 2849. [bug] Don't treat errors from the xml2 library as fatal.
2622 2848. [doc] Moved README.dnssec, README.libdns, README.pkcs11 and
2623 README.rfc5011 into the ARM. [RT #20899]
2625 2847. [cleanup] Corrected usage message in dnssec-settime. [RT #20921]
2627 2846. [bug] EOF on unix domain sockets was not being handled
2628 correctly. [RT #20731]
2630 2845. [bug] RFC 5011 client could crash on shutdown. [RT #20903]
2632 2844. [doc] notify-delay default in ARM was wrong. It should have
2633 been five (5) seconds.
2635 2843. [func] Prevent dnssec-keygen and dnssec-keyfromlabel from
2636 creating key files if there is a chance that the new
2637 key ID will collide with an existing one after
2638 either of the keys has been revoked. (To override
2639 this in the case of dnssec-keyfromlabel, use the -y
2640 option. dnssec-keygen will simply create a
2641 different, non-colliding key, so an override is
2642 not necessary.) [RT #20838]
2644 2842. [func] Added "smartsign" and improved "autosign" and
2645 "dnssec" regression tests. [RT #20865]
2647 2841. [bug] Change 2836 was not complete. [RT #20883]
2649 2840. [bug] Temporary fixed pkcs11-destroy usage check.
2652 2839. [bug] A KSK revoked by named could not be deleted.
2657 2837. [port] Prevent Linux spurious warnings about fwrite().
2660 2836. [bug] Keys that were scheduled to become active could
2661 be delayed. [RT #20874]
2663 2835. [bug] Key inactivity dates were inadvertently stored in
2664 the private key file with the outdated tag
2665 "Unpublish" rather than "Inactive". This has been
2666 fixed; however, any existing keys that had Inactive
2667 dates set will now need to have them reset, using
2668 'dnssec-settime -I'. [RT #20868]
2670 2834. [bug] HMAC-SHA* keys that were longer than the algorithm
2671 digest length were used incorrectly, leading to
2672 interoperability problems with other DNS
2673 implementations. This has been corrected.
2674 (Note: If an oversize key is in use, and
2675 compatibility is needed with an older release of
2676 BIND, the new tool "isc-hmac-fixup" can convert
2677 the key secret to a form that will work with all
2678 versions.) [RT #20751]
2680 2833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime.
2683 2832. [bug] Modify "struct stat" in lib/export/samples/nsprobe.c
2684 to avoid redefinition in some OSs [RT 20831]
2686 2831. [security] Do not attempt to validate or cache
2687 out-of-bailiwick data returned with a secure
2688 answer; it must be re-fetched from its original
2689 source and validated in that context. [RT #20819]
2691 2830. [bug] Changing the OPTOUT setting could take multiple
2694 2829. [bug] Fixed potential node inconsistency in rbtdb.c.
2697 2828. [security] Cached CNAME or DNAME RR could be returned to clients
2698 without DNSSEC validation. [RT #20737]
2700 2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
2702 2826. [bug] NSEC3->NSEC transitions could fail due to a lock not
2703 being released. [RT #20740]
2705 2825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that
2706 was in the process of being created was not properly
2707 recorded in the zone. [RT #20786]
2709 2824. [bug] "rndc sign" was not being run by the correct task.
2712 2823. [bug] rbtdb.c:getsigningtime() was missing locks. [RT #20781]
2714 2822. [bug] rbtdb.c:loadnode() could return the wrong result.
2717 2821. [doc] Add note that named-checkconf doesn't automatically
2718 read rndc.key and bind.keys [RT #20758]
2720 2820. [func] Handle read access failure of OpenSSL configuration
2721 file more user friendly (PKCS#11 engine patch).
2724 2819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define.
2727 2818. [cleanup] rndc could return an incorrect error code
2728 when a zone was not found. [RT #20767]
2730 2817. [cleanup] Removed unnecessary isc_task_endexclusive() calls.
2733 2816. [bug] previous_closest_nsec() could fail to return
2734 data for NSEC3 nodes [RT #29730]
2736 2815. [bug] Exclusively lock the task when freezing a zone.
2739 2814. [func] Provide a definitive error message when a master
2740 zone is not loaded. [RT #20757]
2742 2813. [bug] Better handling of unreadable DNSSEC key files.
2745 2812. [bug] Make sure updates can't result in a zone with
2746 NSEC-only keys and NSEC3 records. [RT #20748]
2748 2811. [cleanup] Add "rndc sign" to list of commands in rndc usage
2751 2810. [doc] Clarified the process of transitioning an NSEC3 zone
2752 to insecure. [RT #20746]
2754 2809. [cleanup] Restored accidentally-deleted text in usage output
2755 in dnssec-settime and dnssec-revoke [RT #20739]
2757 2808. [bug] Remove the attempt to install atomic.h from lib/isc.
2758 atomic.h is correctly installed by the architecture
2759 specific subdirectories. [RT #20722]
2761 2807. [bug] Fixed a possible ASSERT when reconfiguring zone
2764 --- 9.7.0rc1 released ---
2766 2806. [bug] "rdnc sign" could delay re-signing the DNSKEY
2767 when it had changed. [RT #20703]
2769 2805. [bug] Fixed namespace problems encountered when building
2770 external programs using non-exported BIND9 libraries
2771 (i.e., built without --enable-exportlib). [RT #20679]
2773 2804. [bug] Send notifies when a zone is signed with "rndc sign"
2774 or as a result of a scheduled key change. [RT #20700]
2776 2803. [port] win32: Install named-journalprint, nsec3hash, arpaname
2777 and genrandom under windows. [RT #20670]
2779 2802. [cleanup] Rename journalprint to named-journalprint. [RT #20670]
2781 2801. [func] Detect and report records that are different according
2782 to DNSSEC but are semantically equal according to plain
2783 DNS. Apply plain DNS comparisons rather than DNSSEC
2784 comparisons when processing UPDATE requests.
2785 dnssec-signzone now removes such semantically duplicate
2786 records prior to signing the RRset.
2788 named-checkzone -r {ignore|warn|fail} (default warn)
2789 named-compilezone -r {ignore|warn|fail} (default warn)
2791 named.conf: check-dup-records {ignore|warn|fail};
2793 2800. [func] Reject zones which have NS records which refer to
2794 CNAMEs, DNAMEs or don't have address record (class IN
2795 only). Reject UPDATEs which would cause the zone
2796 to fail the above checks if committed. [RT #20678]
2798 2799. [cleanup] Changed the "secure-to-insecure" option to
2799 "dnssec-secure-to-insecure", and "dnskey-ksk-only"
2800 to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
2802 2798. [bug] Addressed bugs in managed-keys initialization
2803 and rollover. [RT #20683]
2805 2797. [bug] Don't decrement the dispatch manager's maxbuffers.
2808 2796. [bug] Missing dns_rdataset_disassociate() call in
2809 dns_nsec3_delnsec3sx(). [RT #20681]
2811 2795. [cleanup] Add text to differentiate "update with no effect"
2812 log messages. [RT #18889]
2814 2794. [bug] Install <isc/namespace.h>. [RT #20677]
2816 2793. [func] Add "autosign" and "metadata" tests to the
2817 automatic tests. [RT #19946]
2819 2792. [func] "filter-aaaa-on-v4" can now be set in view
2820 options (if compiled in). [RT #20635]
2822 2791. [bug] The installation of isc-config.sh was broken.
2825 2790. [bug] Handle DS queries to stub zones. [RT #20440]
2827 2789. [bug] Fixed an INSIST in dispatch.c [RT #20576]
2829 2788. [bug] dnssec-signzone could sign with keys that were
2830 not requested [RT #20625]
2832 2787. [bug] Spurious log message when zone keys were
2833 dynamically reconfigured. [RT #20659]
2835 2786. [bug] Additional could be promoted to answer. [RT #20663]
2837 --- 9.7.0b3 released ---
2839 2785. [bug] Revoked keys could fail to self-sign [RT #20652]
2841 2784. [bug] TC was not always being set when required glue was
2842 dropped. [RT #20655]
2844 2783. [func] Return minimal responses to EDNS/UDP queries with a UDP
2845 buffer size of 512 or less. [RT #20654]
2847 2782. [port] win32: use getaddrinfo() for hostname lookups.
2850 2781. [bug] Inactive keys could be used for signing. [RT #20649]
2852 2780. [bug] dnssec-keygen -A none didn't properly unset the
2853 activation date in all cases. [RT #20648]
2855 2779. [bug] Dynamic key revocation could fail. [RT #20644]
2857 2778. [bug] dnssec-signzone could fail when a key was revoked
2858 without deleting the unrevoked version. [RT #20638]
2860 2777. [contrib] DLZ MYSQL auto reconnect support discovery was wrong.
2862 2776. [bug] Change #2762 was not correct. [RT #20647]
2864 2775. [bug] Accept RSASHA256 and RSASHA512 as NSEC3 compatible
2865 in dnssec-keyfromlabel. [RT #20643]
2867 2774. [bug] Existing cache DB wasn't being reused after
2868 reconfiguration. [RT #20629]
2870 2773. [bug] In autosigned zones, the SOA could be signed
2871 with the KSK. [RT #20628]
2873 2772. [security] When validating, track whether pending data was from
2874 the additional section or not and only return it if
2875 validates as secure. [RT #20438]
2877 2771. [bug] dnssec-signzone: DNSKEY records could be
2878 corrupted when importing from key files [RT #20624]
2880 2770. [cleanup] Add log messages to resolver.c to indicate events
2881 causing FORMERR responses. [RT #20526]
2883 2769. [cleanup] Change #2742 was incomplete. [RT #19589]
2885 2768. [bug] dnssec-signzone: -S no longer implies -g [RT #20568]
2887 2767. [bug] named could crash on startup if a zone was
2888 configured with auto-dnssec and there was no
2889 key-directory. [RT #20615]
2891 2766. [bug] isc_socket_fdwatchpoke() should only update the
2892 socketmgr state if the socket is not pending on a
2893 read or write. [RT #20603]
2895 2765. [bug] Skip masters for which the TSIG key cannot be found.
2898 2764. [bug] "rndc-confgen -a" could trigger a REQUIRE. [RT #20610]
2900 2763. [bug] "rndc sign" didn't create an NSEC chain. [RT #20591]
2902 2762. [bug] DLV validation failed with a local slave DLV zone.
2905 2761. [cleanup] Enable internal symbol table for backtrace only for
2906 systems that are known to work. Currently, BSD
2907 variants, Linux and Solaris are supported. [RT# 20202]
2909 2760. [cleanup] Corrected named-compilezone usage summary. [RT #20533]
2911 2759. [doc] Add information about .jbk/.jnw files to
2912 the ARM. [RT #20303]
2914 2758. [bug] win32: Added a workaround for a windows 2008 bug
2915 that could cause the UDP client handler to shut
2918 2757. [bug] dig: assertion failure could occur in connect
2919 timeout. [RT #20599]
2921 2756. [bug] Fixed corrupt logfile message in update.c. [RT# 20597]
2925 2754. [bug] Secure-to-insecure transitions failed when zone
2926 was signed with NSEC3. [RT #20587]
2928 2753. [bug] Removed an unnecessary warning that could appear when
2929 building an NSEC chain. [RT #20589]
2931 2752. [bug] Locking violation. [RT #20587]
2933 2751. [bug] Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]
2935 2750. [bug] dig: assertion failure could occur when a server
2936 didn't have an address. [RT #20579]
2938 2749. [bug] ixfr-from-differences generated a non-minimal ixfr
2939 for NSEC3 signed zones. [RT #20452]
2941 2748. [func] Identify bad answers from GTLD servers and treat them
2942 as referrals. [RT #18884]
2944 2747. [bug] Journal roll forwards failed to set the re-signing
2945 time of RRSIGs correctly. [RT #20541]
2947 2746. [port] hpux: address signed/unsigned expansion mismatch of
2948 dns_rbtnode_t.nsec. [RT #20542]
2950 2745. [bug] configure script didn't probe the return type of
2951 gai_strerror(3) correctly. [RT #20573]
2953 2744. [func] Log if a query was over TCP. [RT #19961]
2955 2743. [bug] RRSIG could be incorrectly set in the NSEC3 record
2956 for a insecure delegation.
2958 --- 9.7.0b2 released ---
2960 2742. [cleanup] Clarify some DNSSEC-related log messages in
2961 validator.c. [RT #19589]
2963 2741. [func] Allow the dnssec-keygen progress messages to be
2964 suppressed (dnssec-keygen -q). Automatically
2965 suppress the progress messages when stdin is not
2970 2739. [cleanup] Clean up API for initializing and clearing trust
2971 anchors for a view. [RT #20211]
2973 2738. [func] Add RSASHA256 and RSASHA512 tests to the dnssec system
2976 2737. [func] UPDATE requests can leak existence information.
2979 2736. [func] Improve the performance of NSEC signed zones with
2980 more than a normal amount of glue below a delegation.
2983 2735. [bug] dnssec-signzone could fail to read keys
2984 that were specified on the command line with
2985 full paths, but weren't in the current
2986 directory. [RT #20421]
2988 2734. [port] cygwin: arpaname did not compile. [RT #20473]
2990 2733. [cleanup] Clean up coding style in pkcs11-* tools. [RT #20355]
2992 2732. [func] Add optional filter-aaaa-on-v4 option, available
2993 if built with './configure --enable-filter-aaaa'.
2994 Filters out AAAA answers to clients connecting
2995 via IPv4. (This is NOT recommended for general
2998 2731. [func] Additional work on change 2709. The key parser
2999 will now ignore unrecognized fields when the
3000 minor version number of the private key format
3001 has been increased. It will reject any key with
3002 the major version number increased. [RT #20310]
3004 2730. [func] Have dnssec-keygen display a progress indication
3005 a la 'openssl genrsa' on standard error. Note
3006 when the first '.' is followed by a long stop
3007 one has the choice between slow generation vs.
3008 poor random quality, i.e., '-r /dev/urandom'.
3011 2729. [func] When constructing a CNAME from a DNAME use the DNAME
3014 2728. [bug] dnssec-keygen, dnssec-keyfromlabel and
3015 dnssec-signzone now warn immediately if asked to
3016 write into a nonexistent directory. [RT #20278]
3018 2727. [func] The 'key-directory' option can now specify a relative
3021 2726. [func] Added support for SHA-2 DNSSEC algorithms,
3022 RSASHA256 and RSASHA512. [RT #20023]
3024 2725. [doc] Added information about the file "managed-keys.bind"
3025 to the ARM. [RT #20235]
3027 2724. [bug] Updates to a existing node in secure zone using NSEC
3028 were failing. [RT #20448]
3030 2723. [bug] isc_base32_totext(), isc_base32hex_totext(), and
3031 isc_base64_totext(), didn't always mark regions of
3032 memory as fully consumed after conversion. [RT #20445]
3034 2722. [bug] Ensure that the memory associated with the name of
3035 a node in a rbt tree is not altered during the life
3036 of the node. [RT #20431]
3038 2721. [port] Have dst__entropy_status() prime the random number
3039 generator. [RT #20369]
3041 2720. [bug] RFC 5011 trust anchor updates could trigger an
3042 assert if the DNSKEY record was unsigned. [RT #20406]
3044 2719. [func] Skip trusted/managed keys for unsupported algorithms.
3047 2718. [bug] The space calculations in opensslrsa_todns() were
3048 incorrect. [RT #20394]
3050 2717. [bug] named failed to update the NSEC/NSEC3 record when
3051 the last private type record was removed as a result
3052 of completing the signing the zone with a key.
3055 2716. [bug] nslookup debug mode didn't return the ttl. [RT #20414]
3057 --- 9.7.0b1 released ---
3059 2715. [bug] Require OpenSSL support to be explicitly disabled.
3062 2714. [port] aix/powerpc: 'asm("ics");' needs non standard assembler
3065 2713. [bug] powerpc: atomic operations missing asm("ics") /
3068 2712. [func] New 'auto-dnssec' zone option allows zone signing
3069 to be fully automated in zones configured for
3070 dynamic DNS. 'auto-dnssec allow;' permits a zone
3071 to be signed by creating keys for it in the
3072 key-directory and using 'rndc sign <zone>'.
3073 'auto-dnssec maintain;' allows that too, plus it
3074 also keeps the zone's DNSSEC keys up to date
3075 according to their timing metadata. [RT #19943]
3077 2711. [port] win32: Add the bin/pkcs11 tools into the full
3080 2710. [func] New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
3081 zone option cause a zone to be signed with only KSKs
3082 signing the DNSKEY RRset, not ZSKs. This reduces
3083 the size of a DNSKEY answer. [RT #20340]
3085 2709. [func] Added some data fields, currently unused, to the
3086 private key file format, to allow implementation
3087 of explicit key rollover in a future release
3088 without impairing backward or forward compatibility.
3091 2708. [func] Insecure to secure and NSEC3 parameter changes via
3092 update are now fully supported and no longer require
3093 defines to enable. We now no longer overload the
3094 NSEC3PARAM flag field, nor the NSEC OPT bit at the
3095 apex. Secure to insecure changes are controlled by
3096 by the named.conf option 'secure-to-insecure'.
3098 Warning: If you had previously enabled support by
3099 adding defines at compile time to BIND 9.6 you should
3100 ensure that all changes that are in progress have
3101 completed prior to upgrading to BIND 9.7. BIND 9.7
3102 is not backwards compatible.
3104 2707. [func] dnssec-keyfromlabel no longer require engine name
3105 to be specified in the label if there is a default
3106 engine or the -E option has been used. Also, it
3107 now uses default algorithms as dnssec-keygen does
3108 (i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
3111 2706. [bug] Loading a zone with a very large NSEC3 salt could
3112 trigger an assert. [RT #20368]
3116 2704. [bug] Serial of dynamic and stub zones could be inconsistent
3117 with their SOA serial. [RT #19387]
3119 2703. [func] Introduce an OpenSSL "engine" argument with -E
3120 for all binaries which can take benefit of
3121 crypto hardware. [RT #20230]
3123 2702. [func] Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
3125 2701. [doc] Correction to ARM: hmac-md5 is no longer the only
3126 supported TSIG key algorithm. [RT #18046]
3128 2700. [doc] The match-mapped-addresses option is discouraged.
3131 2699. [bug] Missing lock in rbtdb.c. [RT #20037]
3135 2697. [port] win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
3136 S_IFREG are defined after including <isc/stat.h>.
3139 2696. [bug] named failed to successfully process some valid
3140 acl constructs. [RT #20308]
3142 2695. [func] DHCP/DDNS - update fdwatch code for use by
3143 DHCP. Modify the api to isc_sockfdwatch_t (the
3144 callback function for isc_socket_fdwatchcreate)
3145 to include information about the direction (read
3146 or write) and add isc_socket_fdwatchpoke.
3149 2694. [bug] Reduce default NSEC3 iterations from 100 to 10.
3152 2693. [port] Add some noreturn attributes. [RT #20257]
3154 2692. [port] win32: 32/64 bit cleanups. [RT #20335]
3156 2691. [func] dnssec-signzone: retain the existing NSEC or NSEC3
3157 chain when re-signing a previously-signed zone.
3158 Use -u to modify NSEC3 parameters or switch
3159 between NSEC and NSEC3. [RT #20304]
3161 2690. [bug] win32: fix isc_thread_key_getspecific() prototype.
3164 2689. [bug] Correctly handle snprintf result. [RT #20306]
3166 2688. [bug] Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
3167 to decide to fetch the destination address. [RT #20305]
3169 2687. [bug] Fixed dnssec-signzone -S handling of revoked keys.
3170 Also, added warnings when revoking a ZSK, as this is
3171 not defined by protocol (but is legal). [RT #19943]
3173 2686. [bug] dnssec-signzone should clean the old NSEC chain when
3174 signing with NSEC3 and vice versa. [RT #20301]
3176 2685. [contrib] Update contrib/zkt to version 0.99c. [RT #20054]
3178 2684. [cleanup] dig: formalize +ad and +cd as synonyms for
3179 +adflag and +cdflag. [RT #19305]
3181 2683. [bug] dnssec-signzone should clean out old NSEC3 chains when
3182 the NSEC3 parameters used to sign the zone change.
3185 2682. [bug] "configure --enable-symtable=all" failed to
3188 2681. [bug] IPSECKEY RR of gateway type 3 was not correctly
3189 decoded. [RT #20269]
3191 2680. [func] Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]
3193 2679. [func] dig -k can now accept TSIG keys in named.conf
3196 2678. [func] Treat DS queries as if "minimal-response yes;"
3197 was set. [RT #20258]
3199 2677. [func] Changes to key metadata behavior:
3200 - Keys without "publish" or "active" dates set will
3201 no longer be used for smart signing. However,
3202 those dates will be set to "now" by default when
3203 a key is created; to generate a key but not use
3204 it yet, use dnssec-keygen -G.
3205 - New "inactive" date (dnssec-keygen/settime -I)
3206 sets the time when a key is no longer used for
3207 signing but is still published.
3208 - The "unpublished" date (-U) is deprecated in
3209 favor of "deleted" (-D).
3212 2676. [bug] --with-export-installdir should have been
3213 --with-export-includedir. [RT #20252]
3215 2675. [bug] dnssec-signzone could crash if the key directory
3216 did not exist. [RT #20232]
3218 --- 9.7.0a3 released ---
3220 2674. [bug] "dnssec-lookaside auto;" crashed if named was built
3221 without openssl. [RT #20231]
3223 2673. [bug] The managed-keys.bind zone file could fail to
3224 load due to a spurious result from sync_keyzone()
3227 2672. [bug] Don't enable searching in 'host' when doing reverse
3228 lookups. [RT #20218]
3230 2671. [bug] Add support for PKCS#11 providers not returning
3231 the public exponent in RSA private keys
3232 (OpenCryptoki for instance) in
3233 dnssec-keyfromlabel. [RT #19294]
3235 2670. [bug] Unexpected connect failures failed to log enough
3236 information to be useful. [RT #20205]
3238 2669. [func] Update PKCS#11 support to support Keyper HSM.
3239 Update PKCS#11 patch to be against openssl-0.9.8i.
3241 2668. [func] Several improvements to dnssec-* tools, including:
3242 - dnssec-keygen and dnssec-settime can now set key
3243 metadata fields 0 (to unset a value, use "none")
3244 - dnssec-revoke sets the revocation date in
3245 addition to the revoke bit
3246 - dnssec-settime can now print individual metadata
3247 fields instead of always printing all of them,
3248 and can print them in unix epoch time format for
3252 2667. [func] Add support for logging stack backtrace on assertion
3253 failure (not available for all platforms). [RT #19780]
3255 2666. [func] Added an 'options' argument to dns_name_fromstring()
3256 (API change from 9.7.0a2). [RT #20196]
3258 2665. [func] Clarify syntax for managed-keys {} statement, add
3259 ARM documentation about RFC 5011 support. [RT #19874]
3261 2664. [bug] create_keydata() and minimal_update() in zone.c
3262 didn't properly check return values for some
3263 functions. [RT #19956]
3265 2663. [func] win32: allow named to run as a service using
3266 "NT AUTHORITY\LocalService" as the account. [RT #19977]
3268 2662. [bug] lwres_getipnodebyname() and lwres_getipnodebyaddr()
3269 returned a misleading error code when lwresd was
3272 2661. [bug] Check whether socket fd exceeds FD_SETSIZE when
3273 creating lwres context. [RT #20029]
3275 2660. [func] Add a new set of DNS libraries for non-BIND9
3276 applications. See README.libdns. [RT #19369]
3278 2659. [doc] Clarify dnssec-keygen doc: key name must match zone
3279 name for DNSSEC keys. [RT #19938]
3281 2658. [bug] dnssec-settime and dnssec-revoke didn't process
3282 key file paths correctly. [RT #20078]
3284 2657. [cleanup] Lower "journal file <path> does not exist, creating it"
3285 log level to debug 1. [RT #20058]
3287 2656. [func] win32: add a "tools only" check box to the installer
3288 which causes it to only install dig, host, nslookup,
3289 nsupdate and relevant DLLs. [RT #19998]
3291 2655. [doc] Document that key-directory does not affect
3292 bind.keys, rndc.key or session.key. [RT #20155]
3294 2654. [bug] Improve error reporting on duplicated names for
3295 deny-answer-xxx. [RT #20164]
3297 2653. [bug] Treat ENGINE_load_private_key() failures as key
3298 not found rather than out of memory. [RT #18033]
3300 2652. [func] Provide more detail about what record is being
3301 deleted. [RT #20061]
3303 2651. [bug] Dates could print incorrectly in K*.key files on
3304 64-bit systems. [RT #20076]
3306 2650. [bug] Assertion failure in dnssec-signzone when trying
3307 to read keyset-* files. [RT #20075]
3309 2649. [bug] Set the domain for forward only zones. [RT #19944]
3311 2648. [port] win32: isc_time_seconds() was broken. [RT #19900]
3313 2647. [bug] Remove unnecessary SOA updates when a new KSK is
3316 2646. [bug] Incorrect cleanup on error in socket.c. [RT #19987]
3318 2645. [port] "gcc -m32" didn't work on amd64 and x86_64 platforms
3319 which default to 64 bits. [RT #19927]
3321 --- 9.7.0a2 released ---
3323 2644. [bug] Change #2628 caused a regression on some systems;
3324 named was unable to write the PID file and would
3325 fail on startup. [RT #20001]
3327 2643. [bug] Stub zones interacted badly with NSEC3 support.
3330 2642. [bug] nsupdate could dump core on solaris when reading
3331 improperly formatted key files. [RT #20015]
3333 2641. [bug] Fixed an error in parsing update-policy syntax,
3334 added a regression test to check it. [RT #20007]
3336 2640. [security] A specially crafted update packet will cause named
3337 to exit. [RT #20000]
3339 2639. [bug] Silence compiler warnings in gssapi code. [RT #19954]
3341 2638. [bug] Install arpaname. [RT #19957]
3343 2637. [func] Rationalize dnssec-signzone's signwithkey() calling.
3346 2636. [func] Simplify zone signing and key maintenance with the
3347 dnssec-* tools. Major changes:
3348 - all dnssec-* tools now take a -K option to
3349 specify a directory in which key files will be
3351 - DNSSEC can now store metadata indicating when
3352 they are scheduled to be published, activated,
3353 revoked or removed; these values can be set by
3354 dnssec-keygen or overwritten by the new
3355 dnssec-settime command
3356 - dnssec-signzone -S (for "smart") option reads key
3357 metadata and uses it to determine automatically
3358 which keys to publish to the zone, use for
3359 signing, revoke, or remove from the zone
3362 2635. [bug] isc_inet_ntop() incorrectly handled 0.0/16 addresses.
3365 2634. [port] win32: Add support for libxml2, enable
3366 statschannel. [RT #19773]
3368 2633. [bug] Handle 15 bit rand() functions. [RT #19783]
3370 2632. [func] util/kit.sh: warn if documentation appears to be out of
3373 2631. [bug] Handle "//", "/./" and "/../" in mkdirpath().
3376 2630. [func] Improved syntax for DDNS autoconfiguration: use
3377 "update-policy local;" to switch on local DDNS in a
3378 zone. (The "ddns-autoconf" option has been removed.)
3381 2629. [port] Check for seteuid()/setegid(), use setresuid()/
3382 setresgid() if not present. [RT #19932]
3384 2628. [port] linux: Allow /var/run/named/named.pid to be opened
3385 at startup with reduced capabilities in operation.
3388 2627. [bug] Named aborted if the same key was included in
3389 trusted-keys more than once. [RT #19918]
3391 2626. [bug] Multiple trusted-keys could trigger an assertion
3392 failure. [RT #19914]
3394 2625. [bug] Missing UNLOCK in rbtdb.c. [RT #19865]
3396 2624. [func] 'named-checkconf -p' will print out the parsed
3397 configuration. [RT #18871]
3399 2623. [bug] Named started searches for DS non-optimally. [RT #19915]
3401 2622. [bug] Printing of named.conf grammar was broken. [RT #19919]
3403 2621. [doc] Made copyright boilerplate consistent. [RT #19833]
3405 2620. [bug] Delay thawing the zone until the reload of it has
3406 completed successfully. [RT #19750]
3408 2619. [func] Add support for RFC 5011, automatic trust anchor
3409 maintenance. The new "managed-keys" statement can
3410 be used in place of "trusted-keys" for zones which
3411 support this protocol. (Note: this syntax is
3412 expected to change prior to 9.7.0 final.) [RT #19248]
3414 2618. [bug] The sdb and sdlz db_interator_seek() methods could
3415 loop infinitely. [RT #19847]
3417 2617. [bug] ifconfig.sh failed to emit an error message when
3418 run from the wrong location. [RT #19375]
3420 2616. [bug] 'host' used the nameservers from resolv.conf even
3421 when a explicit nameserver was specified. [RT #19852]
3423 2615. [bug] "__attribute__((unused))" was in the wrong place
3424 for ia64 gcc builds. [RT #19854]
3426 2614. [port] win32: 'named -v' should automatically be executed
3427 in the foreground. [RT #19844]
3431 --- 9.7.0a1 released ---
3433 2612. [func] Add default values for the arguments to
3434 dnssec-keygen. Without arguments, it will now
3435 generate a 1024-bit RSASHA1 zone-signing key,
3436 or with the -f KSK option, a 2048-bit RSASHA1
3437 key-signing key. [RT #19300]
3439 2611. [func] Add -l option to dnssec-dsfromkey to generate
3440 DLV records instead of DS records. [RT #19300]
3442 2610. [port] sunos: Change #2363 was not complete. [RT #19796]
3444 2609. [func] Simplify the configuration of dynamic zones:
3445 - add ddns-confgen command to generate
3446 configuration text for named.conf
3447 - add zone option "ddns-autoconf yes;", which
3448 causes named to generate a TSIG session key
3449 and allow updates to the zone using that key
3450 - add '-l' (localhost) option to nsupdate, which
3451 causes nsupdate to connect to a locally-running
3452 named process using the session key generated
3456 2608. [func] Perform post signing verification checks in
3457 dnssec-signzone. These can be disabled with -P.
3459 The post sign verification test ensures that for each
3460 algorithm in use there is at least one non revoked
3461 self signed KSK key. That all revoked KSK keys are
3462 self signed. That all records in the zone are signed
3463 by the algorithm. [RT #19653]
3465 2607. [bug] named could incorrectly delete NSEC3 records for
3466 empty nodes when processing a update request.
3469 2606. [bug] "delegation-only" was not being accepted in
3470 delegation-only type zones. [RT #19717]
3472 2605. [bug] Accept DS responses from delegation only zones.
3475 2604. [func] Add support for DNS rebinding attack prevention through
3476 new options, deny-answer-addresses and
3477 deny-answer-aliases. Based on contributed code from
3478 JD Nurmi, Google. [RT #18192]
3480 2603. [port] win32: handle .exe extension of named-checkzone and
3481 named-comilezone argv[0] names under windows.
3484 2602. [port] win32: fix debugging command line build of libisccfg.
3487 2601. [doc] Mention file creation mode mask in the
3490 2600. [doc] ARM: miscellaneous reformatting for different
3491 page widths. [RT #19574]
3493 2599. [bug] Address rapid memory growth when validation fails.
3496 2598. [func] Reserve the -F flag. [RT #19657]
3498 2597. [bug] Handle a validation failure with a insecure delegation
3499 from a NSEC3 signed master/slave zone. [RT #19464]
3501 2596. [bug] Stale tree nodes of cache/dynamic rbtdb could stay
3502 long, leading to inefficient memory usage or rejecting
3503 newer cache entries in the worst case. [RT #19563]
3505 2595. [bug] Fix unknown extended rcodes in dig. [RT #19625]
3507 2594. [func] Have rndc warn if using its default configuration
3508 file when the key file also exists. [RT #19424]
3510 2593. [bug] Improve a corner source of SERVFAILs [RT #19632]
3512 2592. [bug] Treat "any" as a type in nsupdate. [RT #19455]
3514 2591. [bug] named could die when processing a update in
3515 removed_orphaned_ds(). [RT #19507]
3517 2590. [func] Report zone/class of "update with no effect".
3520 2589. [bug] dns_db_unregister() failed to clear '*dbimp'.
3523 2588. [bug] SO_REUSEADDR could be set unconditionally after failure
3524 of bind(2) call. This should be rare and mostly
3525 harmless, but may cause interference with other
3526 processes that happen to use the same port. [RT #19642]
3528 2587. [func] Improve logging by reporting serial numbers for
3529 when zone serial has gone backwards or unchanged.
3532 2586. [bug] Missing cleanup of SIG rdataset in searching a DLZ DB
3535 2585. [bug] Uninitialized socket name could be referenced via a
3536 statistics channel, triggering an assertion failure in
3537 XML rendering. [RT #19427]
3539 2584. [bug] alpha: gcc optimization could break atomic operations.
3542 2583. [port] netbsd: provide a control to not add the compile
3543 date to the version string, -DNO_VERSION_DATE.
3545 2582. [bug] Don't emit warning log message when we attempt to
3546 remove non-existent journal. [RT #19516]
3548 2581. [contrib] dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
3549 Requires MySQL 5.0.19 or later. [RT #19084]
3551 2580. [bug] UpdateRej statistics counter could be incremented twice
3552 for one rejection. [RT #19476]
3554 2579. [bug] DNSSEC lookaside validation failed to handle unknown
3555 algorithms. [RT #19479]
3557 2578. [bug] Changed default sig-signing-type to 65534, because
3558 65535 turns out to be reserved. [RT #19477]
3560 2577. [doc] Clarified some statistics counters. [RT #19454]
3562 2576. [bug] NSEC record were not being correctly signed when
3563 a zone transitions from insecure to secure.
3564 Handle such incorrectly signed zones. [RT #19114]
3566 2575. [func] New functions dns_name_fromstring() and
3567 dns_name_tostring(), to simplify conversion
3568 of a string to a dns_name structure and vice
3571 2574. [doc] Document nsupdate -g and -o. [RT #19351]
3573 2573. [bug] Replacing a non-CNAME record with a CNAME record in a
3574 single transaction in a signed zone failed. [RT #19397]
3576 2572. [func] Simplify DLV configuration, with a new option
3577 "dnssec-lookaside auto;" This is the equivalent
3578 of "dnssec-lookaside . trust-anchor dlv.isc.org;"
3579 plus setting a trusted-key for dlv.isc.org.
3581 Note: The trusted key is hard-coded into named,
3582 but is also stored in (and can be overridden
3583 by) $sysconfdir/bind.keys. As the ISC DLV key
3584 rolls over it can be kept up to date by replacing
3585 the bind.keys file with a key downloaded from
3586 https://www.isc.org/solutions/dlv. [RT #18685]
3588 2571. [func] Add a new tool "arpaname" which translates IP addresses
3589 to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
3592 2570. [func] Log the destination address the query was sent to.
3595 2569. [func] Move journalprint, nsec3hash, and genrandom
3596 commands from bin/tests into bin/tools;
3597 "make install" will put them in $sbindir. [RT #19301]
3599 2568. [bug] Report when the write to indicate a otherwise
3600 successful start fails. [RT #19360]
3602 2567. [bug] dst__privstruct_writefile() could miss write errors.
3603 write_public_key() could miss write errors.
3604 dnssec-dsfromkey could miss write errors.
3607 2566. [cleanup] Clarify logged message when an insecure DNSSEC
3608 response arrives from a zone thought to be secure:
3609 "insecurity proof failed" instead of "not
3610 insecure". [RT #19400]
3612 2565. [func] Add support for HIP record. Includes new functions
3613 dns_rdata_hip_first(), dns_rdata_hip_next()
3614 and dns_rdata_hip_current(). [RT #19384]
3616 2564. [bug] Only take EDNS fallback steps when processing timeouts.
3619 2563. [bug] Dig could leak a socket causing it to wait forever
3620 to exit. [RT #19359]
3622 2562. [doc] ARM: miscellaneous improvements, reorganization,
3623 and some new content.
3625 2561. [doc] Add isc-config.sh(1) man page. [RT #16378]
3627 2560. [bug] Add #include <config.h> to iptable.c. [RT #18258]
3629 2559. [bug] dnssec-dsfromkey could compute bad DS records when
3630 reading from a K* files. [RT #19357]
3632 2558. [func] Set the ownership of missing directories created
3633 for pid-file if -u has been specified on the command
3636 2557. [cleanup] PCI compliance:
3637 * new libisc log module file
3638 * isc_dir_chroot() now also changes the working
3640 * additional INSISTs
3641 * additional logging when files can't be removed.
3643 2556. [port] Solaris: mkdir(2) on tmpfs filesystems does not do the
3644 error checks in the correct order resulting in the
3645 wrong error code sometimes being returned. [RT #19249]
3647 2555. [func] dig: when emitting a hex dump also display the
3648 corresponding characters. [RT #19258]
3650 2554. [bug] Validation of uppercase queries from NSEC3 zones could
3653 2553. [bug] Reference leak on DNSSEC validation errors. [RT #19291]
3655 2552. [bug] zero-no-soa-ttl-cache was not being honored.
3658 2551. [bug] Potential Reference leak on return. [RT #19341]
3660 2550. [bug] Check --with-openssl=<path> finds <openssl/opensslv.h>.
3663 2549. [port] linux: define NR_OPEN if not currently defined.
3666 2548. [bug] Install iterated_hash.h. [RT #19335]
3668 2547. [bug] openssl_link.c:mem_realloc() could reference an
3669 out-of-range area of the source buffer. New public
3670 function isc_mem_reallocate() was introduced to address
3671 this bug. [RT #19313]
3673 2546. [func] Add --enable-openssl-hash configure flag to use
3674 OpenSSL (in place of internal routine) for hash
3675 functions (MD5, SHA[12] and HMAC). [RT #18815]
3677 2545. [doc] ARM: Legal hostname checking (check-names) is
3678 for SRV RDATA too. [RT #19304]
3680 2544. [cleanup] Removed unused structure members in adb.c. [RT #19225]
3682 2543. [contrib] Update contrib/zkt to version 0.98. [RT #19113]
3684 2542. [doc] Update the description of dig +adflag. [RT #19290]
3686 2541. [bug] Conditionally update dispatch manager statistics.
3689 2540. [func] Add a nibble mode to $GENERATE. [RT #18872]
3691 2539. [security] Update the interaction between recursion, allow-query,
3692 allow-query-cache and allow-recursion. [RT #19198]
3694 2538. [bug] cache/ADB memory could grow over max-cache-size,
3695 especially with threads and smaller max-cache-size
3698 2537. [func] Added more statistics counters including those on socket
3699 I/O events and query RTT histograms. [RT #18802]
3701 2536. [cleanup] Silence some warnings when -Werror=format-security is
3702 specified. [RT #19083]
3704 2535. [bug] dig +showsearch and +trace interacted badly. [RT #19091]
3706 2534. [func] Check NAPTR records regular expressions and
3707 replacement strings to ensure they are syntactically
3708 valid and consistent. [RT #18168]
3710 2533. [doc] ARM: document @ (at-sign). [RT #17144]
3712 2532. [bug] dig: check the question section of the response to
3713 see if it matches the asked question. [RT #18495]
3715 2531. [bug] Change #2207 was incomplete. [RT #19098]
3717 2530. [bug] named failed to reject insecure to secure transitions
3718 via UPDATE. [RT #19101]
3720 2529. [cleanup] Upgrade libtool to silence complaints from recent
3721 version of autoconf. [RT #18657]
3723 2528. [cleanup] Silence spurious configure warning about
3724 --datarootdir [RT #19096]
3728 2526. [func] New named option "attach-cache" that allows multiple
3729 views to share a single cache to save memory and
3730 improve lookup efficiency. Based on contributed code
3731 from Barclay Osborn, Google. [RT #18905]
3733 2525. [func] New logging category "query-errors" to provide detailed
3734 internal information about query failures, especially
3735 about server failures. [RT #19027]
3737 2524. [port] sunos: dnssec-signzone needs strtoul(). [RT #19129]
3739 2523. [bug] Random type rdata freed by dns_nsec_typepresent().
3742 2522. [security] Handle -1 from DSA_do_verify() and EVP_VerifyFinal().
3744 2521. [bug] Improve epoll cross compilation support. [RT #19047]
3746 2520. [bug] Update xml statistics version number to 2.0 as change
3747 #2388 made the schema incompatible to the previous
3748 version. [RT #19080]
3750 2519. [bug] dig/host with -4 or -6 didn't work if more than two
3751 nameserver addresses of the excluded address family
3752 preceded in resolv.conf. [RT #19081]
3754 2518. [func] Add support for the new CERT types from RFC 4398.
3757 2517. [bug] dig +trace with -4 or -6 failed when it chose a
3758 nameserver address of the excluded address type.
3761 2516. [bug] glue sort for responses was performed even when not
3764 2515. [port] win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
3767 2514. [bug] dig/host failed with -4 or -6 when resolv.conf contains
3768 a nameserver of the excluded address family.
3771 2513. [bug] Fix windows cli build. [RT #19062]
3773 2512. [func] Print a summary of the cached records which make up
3774 the negative response. [RT #18885]
3776 2511. [cleanup] dns_rdata_tofmttext() add const to linebreak.
3779 2510. [bug] "dig +sigchase" could trigger REQUIRE failures.
3782 2509. [bug] Specifying a fixed query source port was broken.
3787 2507. [func] Log the recursion quota values when killing the
3788 oldest query or refusing to recurse due to quota.
3791 2506. [port] solaris: Check at configure time if
3792 hack_shutup_pthreadonceinit is needed. [RT #19037]
3794 2505. [port] Treat amd64 similarly to x86_64 when determining
3795 atomic operation support. [RT #19031]
3797 2504. [bug] Address race condition in the socket code. [RT #18899]
3799 2503. [port] linux: improve compatibility with Linux Standard
3802 2502. [cleanup] isc_radix: Improve compliance with coding style,
3803 document function in <isc/radix.h>. [RT #18534]
3805 2501. [func] $GENERATE now supports all rdata types. Multi-field
3806 rdata types need to be quoted. See the ARM for
3807 details. [RT #18368]
3809 2500. [contrib] contrib/sdb/pgsql/zonetodb.c called non-existent
3810 function. [RT #18582]
3812 2499. [port] solaris: lib/lwres/getaddrinfo.c namespace clash.
3815 --- 9.6.0rc1 released ---
3817 2498. [bug] Removed a bogus function argument used with
3818 ISC_SOCKET_USE_POLLWATCH: it could cause compiler
3819 warning or crash named with the debug 1 level
3820 of logging. [RT #18917]
3822 2497. [bug] Don't add RRSIG bit to NSEC3 bit map for insecure
3825 2496. [bug] Add sanity length checks to NSID option. [RT #18813]
3827 2495. [bug] Tighten RRSIG checks. [RT #18795]
3829 2494. [bug] isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
3830 installed. [RT #18826]
3832 2493. [bug] The linux capabilities code was not correctly cleaning
3833 up after itself. [RT #18767]
3835 2492. [func] Rndc status now reports the number of cpus discovered
3836 and the number of worker threads when running
3837 multi-threaded. [RT #18273]
3839 2491. [func] Attempt to re-use a local port if we are already using
3840 the port. [RT #18548]
3842 2490. [port] aix: work around a kernel bug where IPV6_RECVPKTINFO
3843 is cleared when IPV6_V6ONLY is set. [RT #18785]
3845 2489. [port] solaris: Workaround Solaris's kernel bug about
3847 http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
3848 Define ISC_SOCKET_USE_POLLWATCH at build time to enable
3849 this workaround. [RT #18870]
3851 2488. [func] Added a tool, dnssec-dsfromkey, to generate DS records
3852 from keyset and .key files. [RT #18694]
3854 2487. [bug] Give TCP connections longer to complete. [RT #18675]
3856 2486. [func] The default locations for named.pid and lwresd.pid
3857 are now /var/run/named/named.pid and
3858 /var/run/lwresd/lwresd.pid respectively.
3860 This allows the owner of the containing directory
3861 to be set, for "named -u" support, and allows there
3862 to be a permanent symbolic link in the path, for
3863 "named -t" support. [RT #18306]
3865 2485. [bug] Change update's the handling of obscured RRSIG
3866 records. Not all orphaned DS records were being
3867 removed. [RT #18828]
3869 2484. [bug] It was possible to trigger a REQUIRE failure when
3870 adding NSEC3 proofs to the response in
3871 query_addwildcardproof(). [RT #18828]
3873 2483. [port] win32: chroot() is not supported. [RT #18805]
3875 2482. [port] libxml2: support versions 2.7.* in addition
3876 to 2.6.*. [RT #18806]
3878 --- 9.6.0b1 released ---
3880 2481. [bug] rbtdb.c:matchparams() failed to handle NSEC3 chain
3881 collisions. [RT #18812]
3883 2480. [bug] named could fail to emit all the required NSEC3
3884 records. [RT #18812]
3886 2479. [bug] xfrout:covers was not properly initialized. [RT #18801]
3888 2478. [bug] 'addresses' could be used uninitialized in
3889 configure_forward(). [RT #18800]
3891 2477. [bug] dig: the global option to print the command line is
3892 +cmd not print_cmd. Update the output to reflect
3895 2476. [doc] ARM: improve documentation for max-journal-size and
3896 ixfr-from-differences. [RT #15909] [RT #18541]
3898 2475. [bug] LRU cache cleanup under overmem condition could purge
3899 particular entries more aggressively. [RT #17628]
3901 2474. [bug] ACL structures could be allocated with insufficient
3902 space, causing an array overrun. [RT #18765]
3904 2473. [port] linux: raise the limit on open files to the possible
3905 maximum value before spawning threads; 'files'
3906 specified in named.conf doesn't seem to work with
3907 threads as expected. [RT #18784]
3909 2472. [port] linux: check the number of available cpu's before
3910 calling chroot as it depends on "/proc". [RT #16923]
3912 2471. [bug] named-checkzone was not reporting missing mandatory
3913 glue when sibling checks were disabled. [RT #18768]
3915 2470. [bug] Elements of the isc_radix_node_t could be incorrectly
3916 overwritten. [RT# 18719]
3918 2469. [port] solaris: Work around Solaris's select() limitations.
3921 2468. [bug] Resolver could try unreachable servers multiple times.
3924 2467. [bug] Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]
3926 2466. [doc] ARM: explain max-cache-ttl 0 SERVFAIL issue.
3929 2465. [bug] Adb's handling of lame addresses was different
3930 for IPv4 and IPv6. [RT #18738]
3932 2464. [port] linux: check that a capability is present before
3933 trying to set it. [RT #18135]
3935 2463. [port] linux: POSIX doesn't include the IPv6 Advanced Socket
3936 API and glibc hides parts of the IPv6 Advanced Socket
3937 API as a result. This is stupid as it breaks how the
3938 two halves (Basic and Advanced) of the IPv6 Socket API
3939 were designed to be used but we have to live with it.
3940 Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
3943 2462. [doc] Document -m (enable memory usage debugging)
3944 option for dig. [RT #18757]
3946 2461. [port] sunos: Change #2363 was not complete. [RT #17513]
3948 --- 9.6.0a1 released ---
3950 2460. [bug] Don't call dns_db_getnsec3parameters() on the cache.
3953 2459. [contrib] Import dnssec-zkt to contrib/zkt. [RT #18448]
3955 2458. [doc] ARM: update and correction for max-cache-size.
3958 2457. [tuning] max-cache-size is reverted to 0, the previous
3959 default. It should be safe because expired cache
3960 entries are also purged. [RT #18684]
3962 2456. [bug] In ACLs, ::/0 and 0.0.0.0/0 would both match any
3963 address, regardless of family. They now correctly
3964 distinguish IPv4 from IPv6. [RT #18559]
3966 2455. [bug] Stop metadata being transferred via axfr/ixfr.
3969 2454. [func] nsupdate: you can now set a default ttl. [RT #18317]
3971 2453. [bug] Remove NULL pointer dereference in dns_journal_print().
3974 2452. [func] Improve bin/test/journalprint. [RT #18316]
3976 2451. [port] solaris: handle runtime linking better. [RT #18356]
3978 2450. [doc] Fix lwresd docbook problem for manual page.
3983 2448. [func] Add NSEC3 support. [RT #15452]
3985 2447. [cleanup] libbind has been split out as a separate product.
3987 2446. [func] Add a new log message about build options on startup.
3988 A new command-line option '-V' for named is also
3989 provided to show this information. [RT# 18645]
3991 2445. [doc] ARM out-of-date on empty reverse zones (list includes
3992 RFC1918 address, but these are not yet compiled in).
3995 2444. [port] Linux, FreeBSD, AIX: Turn off path mtu discovery
3996 (clear DF) for UDP responses and requests.
3998 2443. [bug] win32: UDP connect() would not generate an event,
3999 and so connected UDP sockets would never clean up.
4000 Fix this by doing an immediate WSAConnect() rather
4001 than an io completion port type for UDP.
4003 2442. [bug] A lock could be destroyed twice. [RT# 18626]
4005 2441. [bug] isc_radix_insert() could copy radix tree nodes
4006 incompletely. [RT #18573]
4008 2440. [bug] named-checkconf used an incorrect test to determine
4009 if an ACL was set to none.
4011 2439. [bug] Potential NULL dereference in dns_acl_isanyornone().
4014 2438. [bug] Timeouts could be logged incorrectly under win32.
4016 2437. [bug] Sockets could be closed too early, leading to
4017 inconsistent states in the socket module. [RT #18298]
4019 2436. [security] win32: UDP client handler can be shutdown. [RT #18576]
4021 2435. [bug] Fixed an ACL memory leak affecting win32.
4023 2434. [bug] Fixed a minor error-reporting bug in
4024 lib/isc/win32/socket.c.
4026 2433. [tuning] Set initial timeout to 800ms.
4028 2432. [bug] More Windows socket handling improvements. Stop
4029 using I/O events and use IO Completion Ports
4030 throughout. Rewrite the receive path logic to make
4031 it easier to support multiple simultaneous
4032 requesters in the future. Add stricter consistency
4033 checking as a compile-time option (define
4034 ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).
4036 2431. [bug] Acl processing could leak memory. [RT #18323]
4038 2430. [bug] win32: isc_interval_set() could round down to
4039 zero if the input was less than NS_INTERVAL
4040 nanoseconds. Round up instead. [RT #18549]
4042 2429. [doc] nsupdate should be in section 1 of the man pages.
4045 2428. [bug] dns_iptable_merge() mishandled merges of negative
4048 2427. [func] Treat DNSKEY queries as if "minimal-response yes;"
4049 was set. [RT #18528]
4051 2426. [bug] libbind: inet_net_pton() can sometimes return the
4052 wrong value if excessively large net masks are
4053 supplied. [RT #18512]
4055 2425. [bug] named didn't detect unavailable query source addresses
4056 at load time. [RT #18536]
4058 2424. [port] configure now probes for a working epoll
4059 implementation. Allow the use of kqueue,
4060 epoll and /dev/poll to be selected at compile
4063 2423. [security] Randomize server selection on queries, so as to
4064 make forgery a little more difficult. Instead of
4065 always preferring the server with the lowest RTT,
4066 pick a server with RTT within the same 128
4067 millisecond band. [RT #18441]
4069 2422. [bug] Handle the special return value of a empty node as
4070 if it was a NXRRSET in the validator. [RT #18447]
4072 2421. [func] Add new command line option '-S' for named to specify
4073 the max number of sockets. [RT #18493]
4074 Use caution: this option may not work for some
4075 operating systems without rebuilding named.
4077 2420. [bug] Windows socket handling cleanup. Let the io
4078 completion event send out canceled read/write
4079 done events, which keeps us from writing to memory
4080 we no longer have ownership of. Add debugging
4081 socket_log() function. Rework TCP socket handling
4082 to not leak sockets.
4084 2419. [cleanup] Document that isc_socket_create() and isc_socket_open()
4085 should not be used for isc_sockettype_fdwatch sockets.
4088 2418. [bug] AXFR request on a DLZ could trigger a REQUIRE failure
4091 2417. [bug] Connecting UDP sockets for outgoing queries could
4092 unexpectedly fail with an 'address already in use'
4095 2416. [func] Log file descriptors that cause exceeding the
4096 internal maximum. [RT #18460]
4098 2415. [bug] 'rndc dumpdb' could trigger various assertion failures
4099 in rbtdb.c. [RT #18455]
4101 2414. [bug] A masterdump context held the database lock too long,
4102 causing various troubles such as dead lock and
4103 recursive lock acquisition. [RT #18311, #18456]
4105 2413. [bug] Fixed an unreachable code path in socket.c. [RT #18442]
4107 2412. [bug] win32: address a resource leak. [RT #18374]
4109 2411. [bug] Allow using a larger number of sockets than FD_SETSIZE
4110 for select(). To enable this, set ISC_SOCKET_MAXSOCKETS
4111 at compilation time. [RT #18433]
4113 Note: with changes #2469 and #2421 above, there is no
4114 need to tweak ISC_SOCKET_MAXSOCKETS at compilation time
4117 2410. [bug] Correctly delete m_versionInfo. [RT #18432]
4119 2409. [bug] Only log that we disabled EDNS processing if we were
4120 subsequently successful. [RT #18029]
4122 2408. [bug] A duplicate TCP dispatch event could be sent, which
4123 could then trigger an assertion failure in
4124 resquery_response(). [RT #18275]
4126 2407. [port] hpux: test for sys/dyntune.h. [RT #18421]
4130 2405. [cleanup] The default value for dnssec-validation was changed to
4131 "yes" in 9.5.0-P1 and all subsequent releases; this
4132 was inadvertently omitted from CHANGES at the time.
4134 2404. [port] hpux: files unlimited support.
4136 2403. [bug] TSIG context leak. [RT #18341]
4138 2402. [port] Support Solaris 2.11 and over. [RT #18362]
4140 2401. [bug] Expect to get E[MN]FILE errno internal_accept()
4141 (from accept() or fcntl() system calls). [RT #18358]
4143 2400. [bug] Log if kqueue()/epoll_create()/open(/dev/poll) fails.
4148 2398. [bug] Improve file descriptor management. New,
4149 temporary, named.conf option reserved-sockets,
4150 default 512. [RT #18344]
4152 2397. [bug] gssapi_functions had too many elements. [RT #18355]
4154 2396. [bug] Don't set SO_REUSEADDR for randomized ports.
4157 2395. [port] Avoid warning and no effect from "files unlimited"
4158 on Linux when running as root. [RT #18335]
4160 2394. [bug] Default configuration options set the limit for
4161 open files to 'unlimited' as described in the
4162 documentation. [RT #18331]
4164 2393. [bug] nested acls containing keys could trigger an
4165 assertion in acl.c. [RT #18166]
4167 2392. [bug] remove 'grep -q' from acl test script, some platforms
4168 don't support it. [RT #18253]
4170 2391. [port] hpux: cover additional recvmsg() error codes.
4173 2390. [bug] dispatch.c could make a false warning on 'odd socket'.
4176 2389. [bug] Move the "working directory writable" check to after
4177 the ns_os_changeuser() call. [RT #18326]
4179 2388. [bug] Avoid using tables for layout purposes in
4180 statistics XSL [RT #18159].
4182 2387. [bug] Silence compiler warnings in lib/isc/radix.c.
4183 [RT #18147] [RT #18258]
4185 2386. [func] Add warning about too small 'open files' limit.
4188 2385. [bug] A condition variable in socket.c could leak in
4189 rare error handling [RT #17968].
4191 2384. [security] Fully randomize UDP query ports to improve
4192 forgery resilience. [RT #17949, #18098]
4194 2383. [bug] named could double queries when they resulted in
4195 SERVFAIL due to overkilling EDNS0 failure detection.
4198 2382. [doc] Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
4201 2381. [port] dlz/mysql: support multiple install layouts for
4202 mysql. <prefix>/include/{,mysql/}mysql.h and
4203 <prefix>/lib/{,mysql/}. [RT #18152]
4205 2380. [bug] dns_view_find() was not returning NXDOMAIN/NXRRSET
4206 proofs which, in turn, caused validation failures
4207 for insecure zones immediately below a secure zone
4208 the server was authoritative for. [RT #18112]
4210 2379. [contrib] queryperf/gen-data-queryperf.py: removed redundant
4211 TLDs and supported RRs with TTLs [RT #17972]
4213 2378. [bug] gssapi_functions{} had a redundant member in BIND 9.5.
4216 2377. [bug] Address race condition in dnssec-signzone. [RT #18142]
4218 2376. [bug] Change #2144 was not complete.
4222 2374. [bug] "blackhole" ACLs could cause named to segfault due
4223 to some uninitialized memory. [RT #18095]
4225 2373. [bug] Default values of zone ACLs were re-parsed each time a
4226 new zone was configured, causing an overconsumption
4227 of memory. [RT #18092]
4229 2372. [bug] Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]
4231 2371. [doc] Add +nsid option to dig man page. [RT #18039]
4233 2370. [bug] "rndc freeze" could trigger an assertion in named
4234 when called on a nonexistent zone. [RT #18050]
4236 2369. [bug] libbind: Array bounds overrun on read in bitncmp().
4239 2368. [port] Linux: use libcap for capability management if
4240 possible. [RT# 18026]
4242 2367. [bug] Improve counting of dns_resstatscounter_retry
4245 2366. [bug] Adb shutdown race. [RT #18021]
4247 2365. [bug] Fix a bug that caused dns_acl_isany() to return
4248 spurious results. [RT #18000]
4250 2364. [bug] named could trigger a assertion when serving a
4251 malformed signed zone. [RT #17828]
4253 2363. [port] sunos: pre-set "lt_cv_sys_max_cmd_len=4096;".
4256 2362. [cleanup] Make "rrset-order fixed" a compile-time option.
4257 settable by "./configure --enable-fixed-rrset".
4258 Disabled by default. [RT #17977]
4260 2361. [bug] "recursion" statistics counter could be counted
4261 multiple times for a single query. [RT #17990]
4263 2360. [bug] Fix a condition where we release a database version
4264 (which may acquire a lock) while holding the lock.
4266 2359. [bug] Fix NSID bug. [RT #17942]
4268 2358. [doc] Update host's default query description. [RT #17934]
4270 2357. [port] Don't use OpenSSL's engine support in versions before
4271 OpenSSL 0.9.7f. [RT #17922]
4273 2356. [bug] Built in mutex profiler was not scalable enough.
4276 2355. [func] Extend the number statistics counters available.
4279 2354. [bug] Failed to initialize some rdatasetheader_t elements.
4282 2353. [func] Add support for Name Server ID (RFC 5001).
4283 'dig +nsid' requests NSID from server.
4284 'request-nsid yes;' causes recursive server to send
4285 NSID requests to upstream servers. Server responds
4286 to NSID requests with the string configured by
4287 'server-id' option. [RT #17091]
4289 2352. [bug] Various GSS_API fixups. [RT #17729]
4291 2351. [bug] convertxsl.pl generated very long lines. [RT #17906]
4293 2350. [port] win32: IPv6 support. [RT #17797]
4295 2349. [func] Provide incremental re-signing support for secure
4296 dynamic zones. [RT #1091]
4298 2348. [func] Use the EVP interface to OpenSSL. Add PKCS#11 support.
4299 Documentation is in the new README.pkcs11 file.
4300 New tool, dnssec-keyfromlabel, which takes the
4301 label of a key pair in a HSM and constructs a DNS
4302 key pair for use by named and dnssec-signzone.
4305 2347. [bug] Delete now traverses the RB tree in the canonical
4308 2346. [func] Memory statistics now cover all active memory contexts
4309 in increased detail. [RT #17580]
4311 2345. [bug] named-checkconf failed to detect when forwarders
4312 were set at both the options/view level and in
4313 a root zone. [RT #17671]
4315 2344. [bug] Improve "logging{ file ...; };" documentation.
4318 2343. [bug] (Seemingly) duplicate IPv6 entries could be
4319 created in ADB. [RT #17837]
4321 2342. [func] Use getifaddrs() if available under Linux. [RT #17224]
4323 2341. [bug] libbind: add missing -I../include for off source
4324 tree builds. [RT #17606]
4326 2340. [port] openbsd: interface configuration. [RT #17700]
4328 2339. [port] tru64: support for libbind. [RT #17589]
4330 2338. [bug] check_ds() could be called with a non DS rdataset.
4333 2337. [bug] BUILD_LDFLAGS was not being correctly set. [RT #17614]
4335 2336. [func] If "named -6" is specified then listen on all IPv6
4336 interfaces if there are not listen-on-v6 clauses in
4337 named.conf. [RT #17581]
4339 2335. [port] sunos: libbind and *printf() support for long long.
4342 2334. [bug] Bad REQUIRES in fromstruct_in_naptr(), off by one
4343 bug in fromstruct_txt(). [RT #17609]
4345 2333. [bug] Fix off by one error in isc_time_nowplusinterval().
4348 2332. [contrib] query-loc-0.4.0. [RT #17602]
4350 2331. [bug] Failure to regenerate any signatures was not being
4351 reported nor being past back to the UPDATE client.
4354 2330. [bug] Remove potential race condition when handling
4355 over memory events. [RT #17572]
4357 WARNING: API CHANGE: over memory callback
4358 function now needs to call isc_mem_waterack().
4359 See <isc/mem.h> for details.
4361 2329. [bug] Clearer help text for dig's '-x' and '-i' options.
4363 2328. [maint] Add AAAA addresses for A.ROOT-SERVERS.NET,
4364 F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET,
4365 J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
4368 2327. [bug] It was possible to dereference a NULL pointer in
4369 rbtdb.c. Implement dead node processing in zones as
4370 we do for caches. [RT #17312]
4372 2326. [bug] It was possible to trigger a INSIST in the acache
4375 2325. [port] Linux: use capset() function if available. [RT #17557]
4377 2324. [bug] Fix IPv6 matching against "any;". [RT #17533]
4379 2323. [port] tru64: namespace clash. [RT #17547]
4381 2322. [port] MacOS: work around the limitation of setrlimit()
4382 for RLIMIT_NOFILE. [RT #17526]
4386 2320. [func] Make statistics counters thread-safe for platforms
4387 that support certain atomic operations. [RT #17466]
4389 2319. [bug] Silence Coverity warnings in
4390 lib/dns/rdata/in_1/apl_42.c. [RT #17469]
4392 2318. [port] sunos fixes for libbind. [RT #17514]
4394 2317. [bug] "make distclean" removed bind9.xsl.h. [RT #17518]
4396 2316. [port] Missing #include <isc/print.h> in lib/dns/gssapictx.c.
4399 2315. [bug] Used incorrect address family for mapped IPv4
4400 addresses in acl.c. [RT #17519]
4402 2314. [bug] Uninitialized memory use on error path in
4403 bin/named/lwdnoop.c. [RT #17476]
4405 2313. [cleanup] Silence Coverity warnings. Handle private stacks.
4406 [RT #17447] [RT #17478]
4408 2312. [cleanup] Silence Coverity warning in lib/isc/unix/socket.c.
4411 2311. [bug] IPv6 addresses could match IPv4 ACL entries and
4412 vice versa. [RT #17462]
4414 2310. [bug] dig, host, nslookup: flush stdout before emitting
4415 debug/fatal messages. [RT #17501]
4417 2309. [cleanup] Fix Coverity warnings in lib/dns/acl.c and iptable.c.
4420 2308. [cleanup] Silence Coverity warning in bin/named/controlconf.c.
4423 2307. [bug] Remove infinite loop from lib/dns/sdb.c. [RT #17496]
4425 2306. [bug] Remove potential race from lib/dns/resolver.c.
4428 2305. [security] inet_network() buffer overflow. CVE-2008-0122.
4430 2304. [bug] Check returns from all dns_rdata_tostruct() calls.
4433 2303. [bug] Remove unnecessary code from bin/named/lwdgnba.c.
4436 2302. [bug] Fix memset() calls in lib/tests/t_api.c. [RT #17472]
4438 2301. [bug] Remove resource leak and fix error messages in
4439 bin/tests/system/lwresd/lwtest.c. [RT #17474]
4441 2300. [bug] Fixed failure to close open file in
4442 bin/tests/names/t_names.c. [RT #17473]
4444 2299. [bug] Remove unnecessary NULL check in
4445 bin/nsupdate/nsupdate.c. [RT #17475]
4447 2298. [bug] isc_mutex_lock() failure not caught in
4448 bin/tests/timers/t_timers.c. [RT #17468]
4450 2297. [bug] isc_entropy_createfilesource() failure not caught in
4451 bin/tests/dst/t_dst.c. [RT #17467]
4453 2296. [port] Allow docbook stylesheet location to be specified to
4454 configure. [RT #17457]
4456 2295. [bug] Silence static overrun error in bin/named/lwaddr.c.
4459 2294. [func] Allow the experimental statistics channels to have
4460 multiple connections and ACL.
4461 Note: the stats-server and stats-server-v6 options
4462 available in the previous beta releases are replaced
4463 with the generic statistics-channels statement.
4465 2293. [func] Add ACL regression test. [RT #17375]
4467 2292. [bug] Log if the working directory is not writable.
4470 2291. [bug] PR_SET_DUMPABLE may be set too late. Also report
4471 failure to set PR_SET_DUMPABLE. [RT #17312]
4473 2290. [bug] Let AD in the query signal that the client wants AD
4474 set in the response. [RT #17301]
4476 2289. [func] named-checkzone now reports the out-of-zone CNAME
4479 2288. [port] win32: mark service as running when we have finished
4480 loading. [RT #17441]
4482 2287. [bug] Use 'volatile' if the compiler supports it. [RT #17413]
4484 2286. [func] Allow a TCP connection to be used as a weak
4485 authentication method for reverse zones.
4486 New update-policy methods tcp-self and 6to4-self.
4489 2285. [func] Test framework for client memory context management.
4492 2284. [bug] Memory leak in UPDATE prerequisite processing.
4495 2283. [bug] TSIG keys were not attaching to the memory
4496 context. TSIG keys should use the rings
4497 memory context rather than the clients memory
4498 context. [RT #17377]
4500 2282. [bug] Acl code fixups. [RT #17346] [RT #17374]
4502 2281. [bug] Attempts to use undefined acls were not being logged.
4505 2280. [func] Allow the experimental http server to be reached
4506 over IPv6 as well as IPv4. [RT #17332]
4508 2279. [bug] Use setsockopt(SO_NOSIGPIPE), when available,
4509 to protect applications from receiving spurious
4510 SIGPIPE signals when using the resolver.
4512 2278. [bug] win32: handle the case where Windows returns no
4513 search list or DNS suffix. [RT #17354]
4515 2277. [bug] Empty zone names were not correctly being caught at
4516 in the post parse checks. [RT #17357]
4518 2276. [bug] Install <dst/gssapi.h>. [RT# 17359]
4520 2275. [func] Add support to dig to perform IXFR queries over UDP.
4523 2274. [func] Log zone transfer statistics. [RT #17336]
4525 2273. [bug] Adjust log level to WARNING when saving inconsistent
4526 stub/slave master and journal files. [RT# 17279]
4528 2272. [bug] Handle illegal dnssec-lookaside trust-anchor names.
4531 2271. [bug] Fix a memory leak in http server code [RT #17100]
4533 2270. [bug] dns_db_closeversion() version->writer could be reset
4534 before it is tested. [RT #17290]
4536 2269. [contrib] dbus memory leaks and missing va_end calls. [RT #17232]
4538 2268. [bug] 0.IN-ADDR.ARPA was missing from the empty zones
4541 --- 9.5.0b1 released ---
4543 2267. [bug] Radix tree node_num value could be set incorrectly,
4544 causing positive ACL matches to look like negative
4547 2266. [bug] client.c:get_clientmctx() returned the same mctx
4548 once the pool of mctx's was filled. [RT #17218]
4550 2265. [bug] Test that the memory context's basic_table is non NULL
4551 before freeing. [RT #17265]
4553 2264. [bug] Server prefix length was being ignored. [RT #17308]
4555 2263. [bug] "named-checkconf -z" failed to set default value
4556 for "check-integrity". [RT #17306]
4558 2262. [bug] Error status from all but the last view could be
4561 2261. [bug] Fix memory leak with "any" and "none" ACLs [RT #17272]
4563 2260. [bug] Reported wrong clients-per-query when increasing the
4568 --- 9.5.0a7 released ---
4570 2258. [bug] Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken.
4573 2257. [bug] win32: Use the full path to vcredist_x86.exe when
4574 calling it. [RT #17222]
4576 2256. [bug] win32: Correctly register the installation location of
4577 bindevt.dll. [RT #17159]
4579 2255. [maint] L.ROOT-SERVERS.NET is now 199.7.83.42.
4581 2254. [bug] timer.c:dispatch() failed to lock timer->lock
4582 when reading timer->idle allowing it to see
4583 intermediate values as timer->idle was reset by
4584 isc_timer_touch(). [RT #17243]
4586 2253. [func] "max-cache-size" defaults to 32M.
4587 "max-acache-size" defaults to 16M.
4589 2252. [bug] Fixed errors in sortlist code [RT #17216]
4593 2250. [func] New flag 'memstatistics' to state whether the
4594 memory statistics file should be written or not.
4595 Additionally named's -m option will cause the
4596 statistics file to be written. [RT #17113]
4598 2249. [bug] Only set Authentic Data bit if client requested
4599 DNSSEC, per RFC 3655 [RT #17175]
4601 2248. [cleanup] Fix several errors reported by Coverity. [RT #17160]
4603 2247. [doc] Sort doc/misc/options. [RT #17067]
4605 2246. [bug] Make the startup of test servers (ans.pl) more
4608 2245. [bug] Validating lack of DS records at trust anchors wasn't
4609 working. [RT #17151]
4611 2244. [func] Allow the check of nameserver names against the
4612 SOA MNAME field to be disabled by specifying
4613 'notify-to-soa yes;'. [RT #17073]
4615 2243. [func] Configuration files without a newline at the end now
4616 parse without error. [RT #17120]
4618 2242. [bug] nsupdate: GSS-TSIG support using the Heimdal Kerberos
4619 library could require a source of random data.
4622 2241. [func] nsupdate: add a interactive 'help' command. [RT #17099]
4624 2240. [bug] Cleanup nsupdates GSS-TSIG support. Convert
4625 a number of INSIST()s into plain fatal() errors
4626 which report the triggering result code.
4627 The 'key' command wasn't disabling GSS-TSIG.
4630 2239. [func] Ship a pre built bin/named/bind9.xsl.h. [RT #17114]
4632 2238. [bug] It was possible to trigger a REQUIRE when a
4633 validation was canceled. [RT #17106]
4635 2237. [bug] libbind: res_init() was not thread aware. [RT #17123]
4637 2236. [bug] dnssec-signzone failed to preserve the case of
4638 of wildcard owner names. [RT #17085]
4640 2235. [bug] <isc/atomic.h> was not being installed. [RT #17135]
4642 2234. [port] Correct some compiler warnings on SCO OSr5 [RT #17134]
4644 2233. [func] Add support for O(1) ACL processing, based on
4645 radix tree code originally written by Kevin
4646 Brintnall. [RT #16288]
4648 2232. [bug] dns_adb_findaddrinfo() could fail and return
4649 ISC_R_SUCCESS. [RT #17137]
4651 2231. [bug] Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken.
4654 2230. [bug] We could INSIST reading a corrupted journal.
4657 2229. [bug] Null pointer dereference on query pool creation
4658 failure. [RT #17133]
4660 2228. [contrib] contrib: Change 2188 was incomplete.
4662 2227. [cleanup] Tidied up the FAQ. [RT #17121]
4666 2225. [bug] More support for systems with no IPv4 addresses.
4669 2224. [bug] Defer journal compaction if a xfrin is in progress.
4672 2223. [bug] Make a new journal when compacting. [RT #17119]
4674 2222. [func] named-checkconf now checks server key references.
4677 2221. [bug] Set the event result code to reflect the actual
4678 record turned to caller when a cache update is
4679 rejected due to a more credible answer existing.
4682 2220. [bug] win32: Address a race condition in final shutdown of
4683 the Windows socket code. [RT #17028]
4685 2219. [bug] Apply zone consistency checks to additions, not
4686 removals, when updating. [RT #17049]
4688 2218. [bug] Remove unnecessary REQUIRE from dns_validator_create().
4691 2217. [func] Adjust update log levels. [RT #17092]
4693 2216. [cleanup] Fix a number of errors reported by Coverity.
4696 2215. [bug] Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094]
4698 2214. [bug] Deregister OpenSSL lock callback when cleaning
4699 up. Reorder OpenSSL cleanup so that RAND_cleanup()
4700 is called before the locks are destroyed. [RT #17098]
4702 2213. [bug] SIG0 diagnostic failure messages were looking at the
4703 wrong status code. [RT #17101]
4705 2212. [func] 'host -m' now causes memory statistics and active
4706 memory to be printed at exit. [RT 17028]
4708 2211. [func] Update "dynamic update temporarily disabled" message.
4711 2210. [bug] Deleting class specific records via UPDATE could
4714 2209. [port] osx: linking against user supplied static OpenSSL
4715 libraries failed as the system ones were still being
4718 2208. [port] win32: make sure both build methods produce the
4719 same output. [RT #17058]
4721 2207. [port] Some implementations of getaddrinfo() fail to set
4722 ai_canonname correctly. [RT #17061]
4724 --- 9.5.0a6 released ---
4726 2206. [security] "allow-query-cache" and "allow-recursion" now
4727 cross inherit from each other.
4729 If allow-query-cache is not set in named.conf then
4730 allow-recursion is used if set, otherwise allow-query
4731 is used if set, otherwise the default (localnets;
4732 localhost;) is used.
4734 If allow-recursion is not set in named.conf then
4735 allow-query-cache is used if set, otherwise allow-query
4736 is used if set, otherwise the default (localnets;
4737 localhost;) is used.
4741 2205. [bug] libbind: change #2119 broke thread support. [RT #16982]
4743 2204. [bug] "rndc flushanme name unknown-view" caused named
4744 to crash. [RT #16984]
4746 2203. [security] Query id generation was cryptographically weak.
4749 2202. [security] The default acls for allow-query-cache and
4750 allow-recursion were not being applied. [RT #16960]
4752 2201. [bug] The build failed in a separate object directory.
4755 2200. [bug] The search for cached NSEC records was stopping to
4756 early leading to excessive DLV queries. [RT #16930]
4758 2199. [bug] win32: don't call WSAStartup() while loading dlls.
4761 2198. [bug] win32: RegCloseKey() could be called when
4762 RegOpenKeyEx() failed. [RT #16911]
4764 2197. [bug] Add INSIST to catch negative responses which are
4765 not setting the event result code appropriately.
4768 2196. [port] win32: yield processor while waiting for once to
4769 to complete. [RT #16958]
4771 2195. [func] dnssec-keygen now defaults to nametype "ZONE"
4772 when generating DNSKEYs. [RT #16954]
4774 2194. [bug] Close journal before calling 'done' in xfrin.c.
4776 --- 9.5.0a5 released ---
4778 2193. [port] win32: BINDInstall.exe is now linked statically.
4781 2192. [port] win32: use vcredist_x86.exe to install Visual
4782 Studio's redistributable dlls if building with
4783 Visual Stdio 2005 or later.
4785 2191. [func] named-checkzone now allows dumping to stdout (-).
4786 named-checkconf now has -h for help.
4787 named-checkzone now has -h for help.
4788 rndc now has -h for help.
4789 Better handling of '-?' for usage summaries.
4792 2190. [func] Make fallback to plain DNS from EDNS due to timeouts
4793 more visible. New logging category "edns-disabled".
4796 2189. [bug] Handle socket() returning EINTR. [RT #15949]
4798 2188. [contrib] queryperf: autoconf changes to make the search for
4799 libresolv or libbind more robust. [RT #16299]
4801 2187. [bug] query_addds(), query_addwildcardproof() and
4802 query_addnxrrsetnsec() should take a version
4803 argument. [RT #16368]
4805 2186. [port] cygwin: libbind: check for struct sockaddr_storage
4806 independently of IPv6. [RT #16482]
4808 2185. [port] sunos: libbind: check for ssize_t, memmove() and
4809 memchr(). [RT #16463]
4811 2184. [bug] bind9.xsl.h didn't build out of the source tree.
4814 2183. [bug] dnssec-signzone didn't handle offline private keys
4817 2182. [bug] dns_dispatch_createtcp() and dispatch_createudp()
4818 could return ISC_R_SUCCESS when they ran out of
4821 2181. [port] sunos: libbind: add paths.h from BIND 8. [RT #16462]
4823 2180. [cleanup] Remove bit test from 'compress_test' as they
4824 are no longer needed. [RT #16497]
4826 2179. [func] 'rndc command zone' will now find 'zone' if it is
4827 unique to all the views. [RT #16821]
4829 2178. [bug] 'rndc reload' of a slave or stub zone resulted in
4830 a reference leak. [RT #16867]
4832 2177. [bug] Array bounds overrun on read (rcodetext) at
4833 debug level 10+. [RT #16798]
4835 2176. [contrib] dbus update to handle race condition during
4836 initialization (Bugzilla 235809). [RT #16842]
4838 2175. [bug] win32: windows broadcast condition variable support
4839 was broken. [RT #16592]
4841 2174. [bug] I/O errors should always be fatal when reading
4842 master files. [RT #16825]
4844 2173. [port] win32: When compiling with MSVS 2005 SP1 we also
4845 need to ship Microsoft.VC80.MFCLOC.
4847 --- 9.5.0a4 released ---
4849 2172. [bug] query_addsoa() was being called with a non zone db.
4852 2171. [bug] Handle breaks in DNSSEC trust chains where the parent
4853 servers are not DS aware (DS queries to the parent
4854 return a referral to the child).
4856 2170. [func] Add acache processing to test suite. [RT #16711]
4858 2169. [bug] host, nslookup: when reporting NXDOMAIN report the
4859 given name and not the last name searched for.
4862 2168. [bug] nsupdate: in non-interactive mode treat syntax errors
4863 as fatal errors. [RT #16785]
4865 2167. [bug] When re-using a automatic zone named failed to
4866 attach it to the new view. [RT #16786]
4868 --- 9.5.0a3 released ---
4870 2166. [bug] When running in batch mode, dig could misinterpret
4871 a server address as a name to be looked up, causing
4872 unexpected output. [RT #16743]
4874 2165. [func] Allow the destination address of a query to determine
4875 if we will answer the query or recurse.
4876 allow-query-on, allow-recursion-on and
4877 allow-query-cache-on. [RT #16291]
4879 2164. [bug] The code to determine how named-checkzone /
4880 named-compilezone was called failed under windows.
4883 2163. [bug] If only one of query-source and query-source-v6
4884 specified a port the query pools code broke (change
4887 2162. [func] Allow "rrset-order fixed" to be disabled at compile
4890 2161. [bug] Fix which log messages are emitted for 'rndc flush'.
4893 2160. [bug] libisc wasn't handling NULL ifa_addr pointers returned
4894 from getifaddrs(). [RT #16708]
4896 --- 9.5.0a2 released ---
4898 2159. [bug] Array bounds overrun in acache processing. [RT #16710]
4900 2158. [bug] ns_client_isself() failed to initialize key
4901 leading to a REQUIRE failure. [RT #16688]
4903 2157. [func] dns_db_transfernode() created. [RT #16685]
4905 2156. [bug] Fix node reference leaks in lookup.c:lookup_find(),
4906 resolver.c:validated() and resolver.c:cache_name().
4907 Fix a memory leak in rbtdb.c:free_noqname().
4908 Make lookup.c:lookup_find() robust against
4909 event leaks. [RT #16685]
4911 2155. [contrib] SQLite sdb module from jaboydjr@netwalk.com.
4914 2154. [func] Scoped (e.g. IPv6 link-local) addresses may now be
4915 matched in acls by omitting the scope. [RT #16599]
4917 2153. [bug] nsupdate could leak memory. [RT #16691]
4919 2152. [cleanup] Use sizeof(buf) instead of fixed number in
4920 dighost.c:get_trusted_key(). [RT #16678]
4922 2151. [bug] Missing newline in usage message for journalprint.
4925 2150. [bug] 'rrset-order cyclic' uniformly distribute the
4926 starting point for the first response for a given
4929 2149. [bug] isc_mem_checkdestroyed() failed to abort on
4930 if there were still active memory contexts.
4933 2148. [func] Add positive logging for rndc commands. [RT #14623]
4935 2147. [bug] libbind: remove potential buffer overflow from
4936 hmac_link.c. [RT #16437]
4938 2146. [cleanup] Silence Linux's spurious "obsolete setsockopt
4939 SO_BSDCOMPAT" message. [RT #16641]
4941 2145. [bug] Check DS/DLV digest lengths for known digests.
4944 2144. [cleanup] Suppress logging of SERVFAIL from forwarders.
4947 2143. [bug] We failed to restart the IPv6 client when the
4948 kernel failed to return the destination the
4949 packet was sent to. [RT #16613]
4951 2142. [bug] Handle master files with a modification time that
4952 matches the epoch. [RT# 16612]
4954 2141. [bug] dig/host should not be setting IDN_ASCCHECK (IDN
4955 equivalent of LDH checks). [RT #16609]
4957 2140. [bug] libbind: missing unlock on pthread_key_create()
4958 failures. [RT #16654]
4960 2139. [bug] dns_view_find() was being called with wrong type
4961 in adb.c. [RT #16670]
4963 2138. [bug] Lock order reversal in resolver.c. [RT #16653]
4965 2137. [port] Mips little endian and/or mips 64 bit are now
4966 supported for atomic operations. [RT#16648]
4968 2136. [bug] nslookup/host looped if there was no search list
4969 and the host didn't exist. [RT #16657]
4971 2135. [bug] Uninitialized rdataset in sdlz.c. [RT# 16656]
4973 2134. [func] Additional statistics support. [RT #16666]
4975 2133. [port] powerpc: Support both IBM and MacOS Power PC
4976 assembler syntaxes. [RT #16647]
4978 2132. [bug] Missing unlock on out of memory in
4979 dns_dispatchmgr_setudp().
4981 2131. [contrib] dlz/mysql: AXFR was broken. [RT #16630]
4983 2130. [func] Log if CD or DO were set. [RT #16640]
4985 2129. [func] Provide a pool of UDP sockets for queries to be
4986 made over. See use-queryport-pool, queryport-pool-ports
4987 and queryport-pool-updateinterval. [RT #16415]
4989 2128. [doc] xsltproc --nonet, update DTD versions. [RT #16635]
4991 2127. [port] Improved OpenSSL 0.9.8 support. [RT #16563]
4993 2126. [security] Serialize validation of type ANY responses. [RT #16555]
4995 2125. [bug] dns_zone_getzeronosoattl() REQUIRE failure if DLZ
4996 was defined. [RT #16574]
4998 2124. [security] It was possible to dereference a freed fetch
4999 context. [RT #16584]
5001 --- 9.5.0a1 released ---
5003 2123. [func] Use Doxygen to generate internal documentation.
5006 2122. [func] Experimental http server and statistics support
5009 2121. [func] Add a 10 slot dead masters cache (LRU) with a 600
5010 second timeout. [RT #16553]
5012 2120. [doc] Fix markup on nsupdate man page. [RT #16556]
5014 2119. [compat] libbind: allow res_init() to succeed enough to
5015 return the default domain even if it was unable
5018 2118. [bug] Handle response with long chains of domain name
5019 compression pointers which point to other compression
5020 pointers. [RT #16427]
5022 2117. [bug] DNSSEC fixes: named could fail to cache NSEC records
5023 which could lead to validation failures. named didn't
5024 handle negative DS responses that were in the process
5025 of being validated. Check CNAME bit before accepting
5026 NODATA proof. To be able to ignore a child NSEC there
5027 must be SOA (and NS) set in the bitmap. [RT #16399]
5029 2116. [bug] 'rndc reload' could cause the cache to continually
5030 be cleaned. [RT #16401]
5032 2115. [bug] 'rndc reconfig' could trigger a INSIST if the
5033 number of masters for a zone was reduced. [RT #16444]
5035 2114. [bug] dig/host/nslookup: searches for names with multiple
5036 labels were failing. [RT #16447]
5038 2113. [bug] nsupdate: if a zone is specified it should be used
5039 for server discover. [RT# 16455]
5041 2112. [security] Warn if weak RSA exponent is used. [RT #16460]
5043 2111. [bug] Fix a number of errors reported by Coverity.
5046 2110. [bug] "minimal-responses yes;" interacted badly with BIND 8
5047 priming queries. [RT #16491]
5049 2109. [port] libbind: silence aix 5.3 compiler warnings. [RT #16502]
5051 2108. [func] DHCID support. [RT #16456]
5053 2107. [bug] dighost.c: more cleanup of buffers. [RT #16499]
5055 2106. [func] 'rndc status' now reports named's version. [RT #16426]
5057 2105. [func] GSS-TSIG support (RFC 3645).
5059 2104. [port] Fix Solaris SMF error message.
5061 2103. [port] Add /usr/sfw to list of locations for OpenSSL
5064 2102. [port] Silence Solaris 10 warnings.
5066 2101. [bug] OpenSSL version checks were not quite right.
5069 2100. [port] win32: copy libeay32.dll to Build\Debug.
5070 Copy Debug\named-checkzone to Debug\named-compilezone.
5072 2099. [port] win32: more manifest issues.
5074 2098. [bug] Race in rbtdb.c:no_references(), which occasionally
5075 triggered an INSIST failure about the node lock
5076 reference. [RT #16411]
5078 2097. [bug] named could reference a destroyed memory context
5079 after being reloaded / reconfigured. [RT #16428]
5081 2096. [bug] libbind: handle applications that fail to detect
5082 res_init() failures better.
5084 2095. [port] libbind: alway prototype inet_cidr_ntop_ipv6() and
5085 net_cidr_ntop_ipv6(). [RT #16388]
5087 2094. [contrib] Update named-bootconf. [RT# 16404]
5089 2093. [bug] named-checkzone -s was broken.
5091 2092. [bug] win32: dig, host, nslookup. Use registry config
5092 if resolv.conf does not exist or no nameservers
5095 2091. [port] dighost.c: race condition on cleanup. [RT #16417]
5097 2090. [port] win32: Visual C++ 2005 command line manifest support.
5100 2089. [security] Raise the minimum safe OpenSSL versions to
5101 OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions
5102 prior to these have known security flaws which
5103 are (potentially) exploitable in named. [RT #16391]
5105 2088. [security] Change the default RSA exponent from 3 to 65537.
5108 2087. [port] libisc failed to compile on OS's w/o a vsnprintf.
5111 2086. [port] libbind: FreeBSD now has get*by*_r() functions.
5114 2085. [doc] win32: added index.html and README to zip. [RT #16201]
5116 2084. [contrib] dbus update for 9.3.3rc2.
5118 2083. [port] win32: Visual C++ 2005 support.
5120 2082. [doc] Document 'cache-file' as a test only option.
5122 2081. [port] libbind: minor 64-bit portability fix in memcluster.c.
5125 2080. [port] libbind: res_init.c did not compile on older versions
5126 of Solaris. [RT #16363]
5128 2079. [bug] The lame cache was not handling multiple types
5129 correctly. [RT #16361]
5131 2078. [bug] dnssec-checkzone output style "default" was badly
5132 named. It is now called "relative". [RT #16326]
5134 2077. [bug] 'dnssec-signzone -O raw' wasn't outputting the
5135 complete signed zone. [RT #16326]
5137 2076. [bug] Several files were missing #include <config.h>
5138 causing build failures on OSF. [RT #16341]
5140 2075. [bug] The spillat timer event hander could leak memory.
5143 2074. [bug] dns_request_createvia2(), dns_request_createvia3(),
5144 dns_request_createraw2() and dns_request_createraw3()
5145 failed to send multiple UDP requests. [RT #16349]
5147 2073. [bug] Incorrect semantics check for update policy "wildcard".
5150 2072. [bug] We were not generating valid HMAC SHA digests.
5153 2071. [port] Test whether gcc accepts -fno-strict-aliasing.
5156 2070. [bug] The remote address was not always displayed when
5157 reporting dispatch failures. [RT #16315]
5159 2069. [bug] Cross compiling was not working. [RT #16330]
5161 2068. [cleanup] Lower incremental tuning message to debug 1.
5164 2067. [bug] 'rndc' could close the socket too early triggering
5165 a INSIST under Windows. [RT #16317]
5167 2066. [security] Handle SIG queries gracefully. [RT #16300]
5169 2065. [bug] libbind: probe for HPUX prototypes for
5170 endprotoent_r() and endservent_r(). [RT 16313]
5172 2064. [bug] libbind: silence AIX compiler warnings. [RT #16218]
5174 2063. [bug] Change #1955 introduced a bug which caused the first
5175 'rndc flush' call to not free memory. [RT #16244]
5177 2062. [bug] 'dig +nssearch' was reusing a buffer before it had
5178 been returned by the socket code. [RT #16307]
5180 2061. [bug] Accept expired wildcard message reversed. [RT #16296]
5182 2060. [bug] Enabling DLZ support could leave views partially
5183 configured. [RT #16295]
5185 2059. [bug] Search into cache rbtdb could trigger an INSIST
5186 failure while cleaning up a stale rdataset.
5189 2058. [bug] Adjust how we calculate rtt estimates in the presence
5190 of authoritative servers that drop EDNS and/or CD
5191 requests. Also fallback to EDNS/512 and plain DNS
5192 faster for zones with less than 3 servers. [RT #16187]
5194 2057. [bug] Make setting "ra" dependent on both allow-query-cache
5195 and allow-recursion. [RT #16290]
5197 2056. [bug] dig: ixfr= was not being treated case insensitively
5198 at all times. [RT #15955]
5200 2055. [bug] Missing goto after dropping multicast query.
5203 2054. [port] freebsd: do not explicitly link against -lpthread.
5206 2053. [port] netbsd:libbind: silence compiler warnings. [RT #16220]
5208 2052. [bug] 'rndc' improve connect failed message to report
5209 the failing address. [RT #15978]
5211 2051. [port] More strtol() fixes. [RT #16249]
5213 2050. [bug] Parsing of NSAP records was not case insensitive.
5216 2049. [bug] Restore SOA before AXFR when falling back from
5217 a attempted IXFR when transferring in a zone.
5218 Allow a initial SOA query before attempting
5219 a AXFR to be requested. [RT #16156]
5221 2048. [bug] It was possible to loop forever when using
5222 avoid-v4-udp-ports / avoid-v6-udp-ports when
5223 the OS always returned the same local port.
5226 2047. [bug] Failed to initialize the interface flags to zero.
5229 2046. [bug] rbtdb.c:rdataset_setadditional() could cause duplicate
5230 cleanup [RT #16247].
5232 2045. [func] Use lock buckets for acache entries to limit memory
5233 consumption. [RT #16183]
5235 2044. [port] Add support for atomic operations for Itanium.
5238 2043. [port] nsupdate/nslookup: Force the flushing of the prompt
5239 for interactive sessions. [RT#16148]
5241 2042. [bug] named-checkconf was incorrectly rejecting the
5242 logging category "config". [RT #16117]
5244 2041. [bug] "configure --with-dlz-bdb=yes" produced a bad
5245 set of libraries to be linked. [RT #16129]
5247 2040. [bug] rbtdb no_references() could trigger an INSIST
5248 failure with --enable-atomic. [RT #16022]
5250 2039. [func] Check that all buffers passed to the socket code
5251 have been retrieved when the socket event is freed.
5254 2038. [bug] dig/nslookup/host was unlinking from wrong list
5255 when handling errors. [RT #16122]
5257 2037. [func] When unlinking the first or last element in a list
5258 check that the list head points to the element to
5259 be unlinked. [RT #15959]
5261 2036. [bug] 'rndc recursing' could cause trigger a REQUIRE.
5264 2035. [func] Make falling back to TCP on UDP refresh failure
5265 optional. Default "try-tcp-refresh yes;" for BIND 8
5266 compatibility. [RT #16123]
5268 2034. [bug] gcc: set -fno-strict-aliasing. [RT #16124]
5270 2033. [bug] We weren't creating multiple client memory contexts
5271 on demand as expected. [RT #16095]
5273 2032. [bug] Remove a INSIST in query_addadditional2(). [RT #16074]
5275 2031. [bug] Emit a error message when "rndc refresh" is called on
5276 a non slave/stub zone. [RT # 16073]
5278 2030. [bug] We were being overly conservative when disabling
5279 openssl engine support. [RT #16030]
5281 2029. [bug] host printed out the server multiple times when
5282 specified on the command line. [RT #15992]
5284 2028. [port] linux: socket.c compatibility for old systems.
5287 2027. [port] libbind: Solaris x86 support. [RT #16020]
5289 2026. [bug] Rate limit the two recursive client exceeded messages.
5292 2025. [func] Update "zone serial unchanged" message. [RT #16026]
5294 2024. [bug] named emitted spurious "zone serial unchanged"
5295 messages on reload. [RT #16027]
5297 2023. [bug] "make install" should create ${localstatedir}/run and
5298 ${sysconfdir} if they do not exist. [RT #16033]
5300 2022. [bug] If dnssec validation is disabled only assert CD if
5301 CD was requested. [RT #16037]
5303 2021. [bug] dnssec-enable no; triggered a REQUIRE. [RT #16037]
5305 2020. [bug] rdataset_setadditional() could leak memory. [RT #16034]
5307 2019. [tuning] Reduce the amount of work performed per quantum
5308 when cleaning the cache. [RT #15986]
5310 2018. [bug] Checking if the HMAC MD5 private file was broken.
5313 2017. [bug] allow-query default was not correct. [RT #15946]
5315 2016. [bug] Return a partial answer if recursion is not
5316 allowed but requested and we had the answer
5317 to the original qname. [RT #15945]
5319 2015. [cleanup] use-additional-cache is now acache-enable for
5320 consistency. Default acache-enable off in BIND 9.4
5321 as it requires memory usage to be configured.
5322 It may be enabled by default in BIND 9.5 once we
5323 have more experience with it.
5325 2014. [func] Statistics about acache now recorded and sent
5328 2013. [bug] Handle unexpected TSIGs on unsigned AXFR/IXFR
5329 responses more gracefully. [RT #15941]
5331 2012. [func] Don't insert new acache entries if acache is full.
5334 2011. [func] dnssec-signzone can now update the SOA record of
5335 the signed zone, either as an increment or as the
5336 system time(). [RT #15633]
5338 2010. [placeholder] rt15958
5340 2009. [bug] libbind: Coverity fixes. [RT #15808]
5342 2008. [func] It is now possible to enable/disable DNSSEC
5343 validation from rndc. This is useful for the
5344 mobile hosts where the current connection point
5345 breaks DNSSEC (firewall/proxy). [RT #15592]
5347 rndc validation newstate [view]
5349 2007. [func] It is now possible to explicitly enable DNSSEC
5350 validation. default dnssec-validation no; to
5351 be changed to yes in 9.5.0. [RT #15674]
5353 2006. [security] Allow-query-cache and allow-recursion now default
5354 to the built in acls "localnets" and "localhost".
5356 This is being done to make caching servers less
5357 attractive as reflective amplifying targets for
5358 spoofed traffic. This still leave authoritative
5361 The best fix is for full BCP 38 deployment to
5362 remove spoofed traffic.
5364 2005. [bug] libbind: Retransmission timeouts should be
5365 based on which attempt it is to the nameserver
5366 and not the nameserver itself. [RT #13548]
5368 2004. [bug] dns_tsig_sign() could pass a NULL pointer to
5369 dst_context_destroy() when cleaning up after a
5372 2003. [bug] libbind: The DNS name/address lookup functions could
5373 occasionally follow a random pointer due to
5374 structures not being completely zeroed. [RT #15806]
5376 2002. [bug] libbind: tighten the constraints on when
5377 struct addrinfo._ai_pad exists. [RT #15783]
5379 2001. [func] Check the KSK flag when updating a secure dynamic zone.
5380 New zone option "update-check-ksk yes;". [RT #15817]
5382 2000. [bug] memmove()/strtol() fix was incomplete. [RT #15812]
5384 1999. [func] Implement "rrset-order fixed". [RT #13662]
5386 1998. [bug] Restrict handling of fifos as sockets to just SunOS.
5387 This allows named to connect to entropy gathering
5388 daemons that use fifos instead of sockets. [RT #15840]
5390 1997. [bug] Named was failing to replace negative cache entries
5391 when a positive one for the type was learnt.
5394 1996. [bug] nsupdate: if a zone has been specified it should
5395 appear in the output of 'show'. [RT #15797]
5397 1995. [bug] 'host' was reporting multiple "is an alias" messages.
5400 1994. [port] OpenSSL 0.9.8 support. [RT #15694]
5402 1993. [bug] Log messages, via syslog, were missing the space
5403 after the timestamp if "print-time yes" was specified.
5406 1992. [bug] Not all incoming zone transfer messages included the
5409 1991. [cleanup] The configuration data, once read, should be treated
5410 as read only. Expand the use of const to enforce this
5411 at compile time. [RT #15813]
5413 1990. [bug] libbind: isc's override of broken gettimeofday()
5414 implementations was not always effective.
5417 1989. [bug] win32: don't check the service password when
5418 re-installing. [RT #15882]
5420 1988. [bug] Remove a bus error from the SHA256/SHA512 support.
5423 1987. [func] DS/DLV SHA256 digest algorithm support. [RT #15608]
5425 1986. [func] Report when a zone is removed. [RT #15849]
5427 1985. [protocol] DLV has now been assigned a official type code of
5430 Note: care should be taken to ensure you upgrade
5431 both named and dnssec-signzone at the same time for
5432 zones with DLV records where named is the master
5433 server for the zone. Also any zones that contain
5434 DLV records should be removed when upgrading a slave
5435 zone. You do not however have to upgrade all
5436 servers for a zone with DLV records simultaneously.
5438 1984. [func] dig, nslookup and host now advertise a 4096 byte
5439 EDNS UDP buffer size by default. [RT #15855]
5441 1983. [func] Two new update policies. "selfsub" and "selfwild".
5444 1982. [bug] DNSKEY was being accepted on the parent side of
5445 a delegation. KEY is still accepted there for
5446 RFC 3007 validated updates. [RT #15620]
5448 1981. [bug] win32: condition.c:wait() could fail to reattain
5451 1980. [func] dnssec-signzone: output the SOA record as the
5452 first record in the signed zone. [RT #15758]
5454 1979. [port] linux: allow named to drop core after changing
5455 user ids. [RT #15753]
5457 1978. [port] Handle systems which have a broken recvmsg().
5460 1977. [bug] Silence noisy log message. [RT #15704]
5462 1976. [bug] Handle systems with no IPv4 addresses. [RT #15695]
5464 1975. [bug] libbind: isc_gethexstring() could misparse multi-line
5465 hex strings with comments. [RT #15814]
5467 1974. [doc] List each of the zone types and associated zone
5468 options separately in the ARM.
5470 1973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
5471 HMACSHA512 support. [RT #13606]
5473 1972. [contrib] DBUS dynamic forwarders integration from
5474 Jason Vas Dias <jvdias@redhat.com>.
5476 1971. [port] linux: make detection of missing IF_NAMESIZE more
5479 1970. [bug] nsupdate: adjust UDP timeout when falling back to
5480 unsigned SOA query. [RT #15775]
5482 1969. [bug] win32: the socket code was freeing the socket
5483 structure too early. [RT #15776]
5485 1968. [bug] Missing lock in resolver.c:validated(). [RT #15739]
5487 1967. [func] dig/nslookup/host: warn about missing "QR". [RT #15779]
5489 1966. [bug] Don't set CD when we have fallen back to plain DNS.
5492 1965. [func] Suppress spurious "recursion requested but not
5493 available" warning with 'dig +qr'. [RT #15780].
5495 1964. [func] Separate out MX and SRV to CNAME checks. [RT #15723]
5497 1963. [port] Tru64 4.0E doesn't support send() and recv().
5500 1962. [bug] Named failed to clear old update-policy when it
5501 was removed. [RT #15491]
5503 1961. [bug] Check the port and address of responses forwarded
5504 to dispatch. [RT #15474]
5506 1960. [bug] Update code should set NSEC ttls from SOA MINIMUM.
5509 1959. [func] Control the zeroing of the negative response TTL to
5510 a soa query. Defaults "zero-no-soa-ttl yes;" and
5511 "zero-no-soa-ttl-cache no;". [RT #15460]
5513 1958. [bug] Named failed to update the zone's secure state
5514 until the zone was reloaded. [RT #15412]
5516 1957. [bug] Dig mishandled responses to class ANY queries.
5519 1956. [bug] Improve cross compile support, 'gen' is now built
5520 by native compiler. See README for additional
5521 cross compile support information. [RT #15148]
5523 1955. [bug] Pre-allocate the cache cleaning iterator. [RT #14998]
5525 1954. [func] Named now falls back to advertising EDNS with a
5526 512 byte receive buffer if the initial EDNS queries
5529 1953. [func] The maximum EDNS UDP response named will send can
5530 now be set in named.conf (max-udp-size). This is
5531 independent of the advertised receive buffer
5532 (edns-udp-size). [RT #14852]
5534 1952. [port] hpux: tell the linker to build a runtime link
5535 path "-Wl,+b:". [RT #14816].
5537 1951. [security] Drop queries from particular well known ports.
5538 Don't return FORMERR to queries from particular
5539 well known ports. [RT #15636]
5541 1950. [port] Solaris 2.5.1 and earlier cannot bind() then connect()
5542 a TCP socket. This prevents the source address being
5543 set for TCP connections. [RT #15628]
5545 1949. [func] Addition memory leakage checks. [RT #15544]
5547 1948. [bug] If was possible to trigger a REQUIRE failure in
5548 xfrin.c:maybe_free() if named ran out of memory.
5551 1947. [func] It is now possible to configure named to accept
5552 expired RRSIGs. Default "dnssec-accept-expired no;".
5553 Setting "dnssec-accept-expired yes;" leaves named
5554 vulnerable to replay attacks. [RT #14685]
5556 1946. [bug] resume_dslookup() could trigger a REQUIRE failure
5557 when using forwarders. [RT #15549]
5559 1945. [cleanup] dnssec-keygen: RSA (RSAMD5) is no longer recommended.
5560 To generate a RSAMD5 key you must explicitly request
5563 1944. [cleanup] isc_hash_create() does not need a read/write lock.
5566 1943. [bug] Set the loadtime after rolling forward the journal.
5569 1942. [bug] If the name of a DNSKEY match that of one in
5570 trusted-keys do not attempt to validate the DNSKEY
5571 using the parents DS RRset. [RT #15649]
5573 1941. [bug] ncache_adderesult() should set eresult even if no
5574 rdataset is passed to it. [RT #15642]
5576 1940. [bug] Fixed a number of error conditions reported by
5579 1939. [bug] The resolver could dereference a null pointer after
5580 validation if all the queries have timed out.
5583 1938. [bug] The validator was not correctly handling unsecure
5584 negative responses at or below a SEP. [RT #15528]
5586 1937. [bug] sdlz doesn't handle RRSIG records. [RT #15564]
5588 1936. [bug] The validator could leak memory. [RT #15544]
5590 1935. [bug] 'acache' was DO sensitive. [RT #15430]
5592 1934. [func] Validate pending NS RRsets, in the authority section,
5593 prior to returning them if it can be done without
5594 requiring DNSKEYs to be fetched. [RT #15430]
5596 1933. [bug] dump_rdataset_raw() had a incorrect INSIST. [RT #15534]
5598 1932. [bug] hpux: LDFLAGS was getting corrupted. [RT #15530]
5600 1931. [bug] Per-client mctx could require a huge amount of memory,
5601 particularly for a busy caching server. [RT #15519]
5603 1930. [port] HPUX: ia64 support. [RT #15473]
5605 1929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
5607 1928. [bug] Race in rbtdb.c:currentversion(). [RT #15517]
5609 1927. [bug] Access to soanode or nsnode in rbtdb violated the
5610 lock order rule and could cause a dead lock.
5613 1926. [bug] The Windows installer did not check for empty
5614 passwords. BINDinstall was being installed in
5615 the wrong place. [RT #15483]
5617 1925. [port] All outer level AC_TRY_RUNs need cross compiling
5618 defaults. [RT #15469]
5620 1924. [port] libbind: hpux ia64 support. [RT #15473]
5622 1923. [bug] ns_client_detach() called too early. [RT #15499]
5624 1922. [bug] check-tool.c:setup_logging() missing call to
5625 dns_log_setcontext().
5627 1921. [bug] Client memory contexts were not using internal
5630 1920. [bug] The cache rbtdb lock array was too small to
5631 have the desired performance characteristics.
5634 1919. [contrib] queryperf: a set of new features: collecting/printing
5635 response delays, printing intermediate results, and
5636 adjusting query rate for the "target" qps.
5638 1918. [bug] Memory leak when checking acls. [RT #15391]
5640 1917. [doc] funcsynopsisinfo wasn't being treated as verbatim
5641 when generating man pages. [RT #15385]
5643 1916. [func] Integrate contributed IDN code from JPNIC. [RT #15383]
5645 1915. [bug] dig +ndots was broken. [RT #15215]
5647 1914. [protocol] DS is required to accept mnemonic algorithms
5648 (RFC 4034). Still emit numeric algorithms for
5649 compatibility with RFC 3658. [RT #15354]
5651 1913. [func] Integrate contributed DLZ code into named. [RT #11382]
5653 1912. [port] aix: atomic locking for powerpc. [RT #15020]
5655 1911. [bug] Update windows socket code. [RT #14965]
5657 1910. [bug] dig's +sigchase code overhauled. [RT #14933]
5659 1909. [bug] The DLV code has been re-worked to make no longer
5660 query order sensitive. [RT #14933]
5662 1908. [func] dig now warns if 'RA' is not set in the answer when
5663 'RD' was set in the query. host/nslookup skip servers
5664 that fail to set 'RA' when 'RD' is set unless a server
5665 is explicitly set. [RT #15005]
5667 1907. [func] host/nslookup now continue (default)/fail on SERVFAIL.
5670 1906. [func] dig now has a '-q queryname' and '+showsearch' options.
5673 1905. [bug] Strings returned from cfg_obj_asstring() should be
5674 treated as read-only. The prototype for
5675 cfg_obj_asstring() has been updated to reflect this.
5678 1904. [func] Automatic empty zone creation for D.F.IP6.ARPA and
5679 friends. Note: RFC 1918 zones are not yet covered by
5680 this but are likely to be in a future release.
5682 New options: empty-server, empty-contact,
5683 empty-zones-enable and disable-empty-zone.
5685 1903. [func] ISC string copy API.
5687 1902. [func] Attempt to make the amount of work performed in a
5688 iteration self tuning. The covers nodes clean from
5689 the cache per iteration, nodes written to disk when
5690 rewriting a master file and nodes destroyed per
5691 iteration when destroying a zone or a cache.
5694 1901. [cleanup] Don't add DNSKEY records to the additional section.
5696 1900. [bug] ixfr-from-differences failed to ensure that the
5697 serial number increased. [RT #15036]
5699 1899. [func] named-checkconf now validates update-policy entries.
5702 1898. [bug] Extend ISC_SOCKADDR_FORMATSIZE and
5703 ISC_NETADDR_FORMATSIZE to allow for scope details.
5705 1897. [func] x86 and x86_64 now have separate atomic locking
5708 1896. [bug] Recursive clients soft quota support wasn't working
5709 as expected. [RT #15103]
5711 1895. [bug] A escaped character is, potentially, converted to
5712 the output character set too early. [RT #14666]
5714 1894. [doc] Review ARM for BIND 9.4.
5716 1893. [port] Use uintptr_t if available. [RT #14606]
5718 1892. [func] Support for SPF rdata type. [RT #15033]
5720 1891. [port] freebsd: pthread_mutex_init can fail if it runs out
5721 of memory. [RT #14995]
5723 1890. [func] Raise the UDP receive buffer size to 32k if it is
5724 less than 32k. [RT #14953]
5726 1889. [port] sunos: non blocking i/o support. [RT #14951]
5728 1888. [func] Support for IPSECKEY rdata type. [RT #14967]
5730 1887. [bug] The cache could delete expired records too fast for
5731 clients with a virtual time in the past. [RT #14991]
5733 1886. [bug] fctx_create() could return success even though it
5736 1885. [func] dig: report the number of extra bytes still left in
5737 the packet after processing all the records.
5739 1884. [cleanup] dighost.c: move external declarations into <dig/dig.h>.
5741 1883. [bug] dnssec-signzone, dnssec-keygen: handle negative debug
5744 1882. [func] Limit the number of recursive clients that can be
5745 waiting for a single query (<qname,qtype,qclass>) to
5746 resolve. New options clients-per-query and
5747 max-clients-per-query.
5749 1881. [func] Add a system test for named-checkconf. [RT #14931]
5751 1880. [func] The lame cache is now done on a <qname,qclass,qtype>
5752 basis as some servers only appear to be lame for
5753 certain query types. [RT #14916]
5755 1879. [func] "USE INTERNAL MALLOC" is now runtime selectable.
5758 1878. [func] Detect duplicates of UDP queries we are recursing on
5759 and drop them. New stats category "duplicate".
5762 1877. [bug] Fix unreasonably low quantum on call to
5763 dns_rbt_destroy2(). Remove unnecessary unhash_node()
5766 1876. [func] Additional memory debugging support to track size
5767 and mctx arguments. [RT #14814]
5769 1875. [bug] process_dhtkey() was using the wrong memory context
5770 to free some memory. [RT #14890]
5772 1874. [port] sunos: portability fixes. [RT #14814]
5774 1873. [port] win32: isc__errno2result() now reports its caller.
5777 1872. [port] win32: Handle ERROR_NETNAME_DELETED. [RT #13753]
5781 1870. [func] Added framework for handling multiple EDNS versions.
5784 1869. [func] dig can now specify the EDNS version when making
5785 a query. [RT #14873]
5787 1868. [func] edns-udp-size can now be overridden on a per
5788 server basis. [RT #14851]
5790 1867. [bug] It was possible to trigger a INSIST in
5791 dlv_validatezonekey(). [RT #14846]
5793 1866. [bug] resolv.conf parse errors were being ignored by
5794 dig/host/nslookup. [RT #14841]
5796 1865. [bug] Silently ignore nameservers in /etc/resolv.conf with
5797 bad addresses. [RT #14841]
5799 1864. [bug] Don't try the alternative transfer source if you
5800 got a answer / transfer with the main source
5801 address. [RT #14802]
5803 1863. [bug] rrset-order "fixed" error messages not complete.
5805 1862. [func] Add additional zone data constancy checks.
5806 named-checkzone has extended checking of NS, MX and
5807 SRV record and the hosts they reference.
5808 named has extended post zone load checks.
5809 New zone options: check-mx and integrity-check.
5812 1861. [bug] dig could trigger a INSIST on certain malformed
5813 responses. [RT #14801]
5815 1860. [port] solaris 2.8: hack_shutup_pthreadmutexinit was
5816 incorrectly set. [RT #14775]
5818 1859. [func] Add support for CH A record. [RT #14695]
5820 1858. [bug] The flush-zones-on-shutdown option wasn't being
5823 1857. [bug] named could trigger a INSIST() if reconfigured /
5824 reloaded too fast. [RT #14673]
5826 1856. [doc] Switch Docbook toolchain from DSSSL to XSL.
5829 1855. [bug] ixfr-from-differences was failing to detect changes
5830 of ttl due to dns_diff_subtract() was ignoring the ttl
5831 of records. [RT #14616]
5833 1854. [bug] lwres also needs to know the print format for
5834 (long long). [RT #13754]
5836 1853. [bug] Rework how DLV interacts with proveunsecure().
5839 1852. [cleanup] Remove last vestiges of dnssec-signkey and
5840 dnssec-makekeyset (removed from Makefile years ago).
5842 1851. [doc] Doxygen comment markup. [RT #11398]
5844 1850. [bug] Memory leak in lwres_getipnodebyaddr(). [RT #14591]
5846 1849. [doc] All forms of the man pages (docbook, man, html) should
5847 have consistent copyright dates.
5849 1848. [bug] Improve SMF integration. [RT #13238]
5851 1847. [bug] isc_ondestroy_init() is called too late in
5852 dns_rbtdb_create()/dns_rbtdb64_create().
5855 1846. [contrib] query-loc-0.3.0 from Stephane Bortzmeyer
5856 <bortzmeyer@nic.fr>.
5858 1845. [bug] Improve error reporting to distinguish between
5859 accept()/fcntl() and socket()/fcntl() errors.
5862 1844. [bug] inet_pton() accepted more that 4 hexadecimal digits
5863 for each 16 bit piece of the IPv6 address. The text
5864 representation of a IPv6 address has been tightened
5865 to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt).
5868 1843. [cleanup] CINCLUDES takes precedence over CFLAGS. This helps
5869 when CFLAGS contains "-I /usr/local/include"
5870 resulting in old header files being used.
5872 1842. [port] cmsg_len() could produce incorrect results on
5873 some platform. [RT #13744]
5875 1841. [bug] "dig +nssearch" now makes a recursive query to
5876 find the list of nameservers to query. [RT #13694]
5878 1840. [func] dnssec-signzone can now randomize signature end times
5879 (dnssec-signzone -j jitter). [RT #13609]
5881 1839. [bug] <isc/hash.h> was not being installed.
5883 1838. [cleanup] Don't allow Linux capabilities to be inherited.
5886 1837. [bug] Compile time option ISC_FACILITY was not effective
5887 for 'named -u <user>'. [RT #13714]
5889 1836. [cleanup] Silence compiler warnings in hash_test.c.
5891 1835. [bug] Update dnssec-signzone's usage message. [RT #13657]
5893 1834. [bug] Bad memset in rdata_test.c. [RT #13658]
5895 1833. [bug] Race condition in isc_mutex_lock_profile(). [RT #13660]
5897 1832. [bug] named fails to return BADKEY on unknown TSIG algorithm.
5900 1831. [doc] Update named-checkzone documentation. [RT#13604]
5902 1830. [bug] adb lame cache has sence of test reversed. [RT #13600]
5904 1829. [bug] win32: "pid-file none;" broken. [RT #13563]
5906 1828. [bug] isc_rwlock_init() failed to properly cleanup if it
5907 encountered a error. [RT #13549]
5909 1827. [bug] host: update usage message for '-a'. [RT #37116]
5911 1826. [bug] Missing DESTROYLOCK() in isc_mem_createx() on out
5912 of memory error. [RT #13537]
5914 1825. [bug] Missing UNLOCK() on out of memory error from in
5915 rbtdb.c:subtractrdataset(). [RT #13519]
5917 1824. [bug] Memory leak on dns_zone_setdbtype() failure.
5920 1823. [bug] Wrong macro used to check for point to point interface.
5923 1822. [bug] check-names test for RT was reversed. [RT #13382]
5927 1820. [bug] Gracefully handle acl loops. [RT #13659]
5929 1819. [bug] The validator needed to check both the algorithm and
5930 digest types of the DS to determine if it could be
5931 used to introduce a secure zone. [RT #13593]
5933 1818. [bug] 'named-checkconf -z' triggered an INSIST. [RT #13599]
5935 1817. [func] Add support for additional zone file formats for
5936 improving loading performance. The masterfile-format
5937 option in named.conf can be used to specify a
5938 non-default format. A separate command
5939 named-compilezone was provided to generate zone files
5940 in the new format. Additionally, the -I and -O options
5941 for dnssec-signzone specify the input and output
5944 1816. [port] UnixWare: failed to compile lib/isc/unix/net.c.
5947 1815. [bug] nsupdate triggered a REQUIRE if the server was set
5948 without also setting the zone and it encountered
5949 a CNAME and was using TSIG. [RT #13086]
5951 1814. [func] UNIX domain controls are now supported.
5953 1813. [func] Restructured the data locking framework using
5954 architecture dependent atomic operations (when
5955 available), improving response performance on
5956 multi-processor machines significantly.
5957 x86, x86_64, alpha, powerpc, and mips are currently
5960 1812. [port] win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect.
5963 1811. [func] Preserve the case of domain names in rdata during
5964 zone transfers. [RT #13547]
5966 1810. [bug] configure, lib/bind/configure make different default
5967 decisions about whether to do a threaded build.
5970 1809. [bug] "make distclean" failed for libbind if the platform
5973 1808. [bug] zone.c:notify_zone() contained a race condition,
5974 zone->db could change underneath it. [RT #13511]
5976 1807. [bug] When forwarding (forward only) set the active domain
5977 from the forward zone name. [RT #13526]
5979 1806. [bug] The resolver returned the wrong result when a CNAME /
5980 DNAME was encountered when fetching glue from a
5981 secure namespace. [RT #13501]
5983 1805. [bug] Pending status was not being cleared when DLV was
5986 1804. [bug] Ensure that if we are queried for glue that it fits
5987 in the additional section or TC is set to tell the
5988 client to retry using TCP. [RT #10114]
5990 1803. [bug] dnssec-signzone sometimes failed to remove old
5993 1802. [bug] Handle connection resets better. [RT #11280]
5995 1801. [func] Report differences between hints and real NS rrset
5996 and associated address records.
5998 1800. [bug] Changes #1719 allowed a INSIST to be triggered.
6001 1799. [bug] 'rndc flushname' failed to flush negative cache
6002 entries. [RT #13438]
6004 1798. [func] The server syntax has been extended to support a
6005 range of servers. [RT #11132]
6007 1797. [func] named-checkconf now check acls to verify that they
6008 only refer to existing acls. [RT #13101]
6010 1796. [func] "rndc freeze/thaw" now freezes/thaws all zones.
6012 1795. [bug] "rndc dumpdb" was not fully documented. Minor
6013 formating issues with "rndc dumpdb -all". [RT #13396]
6015 1794. [func] Named and named-checkzone can now both check for
6016 non-terminal wildcard records.
6018 1793. [func] Extend adjusting TTL warning messages. [RT #13378]
6020 1792. [func] New zone option "notify-delay". Specify a minimum
6021 delay between sets of NOTIFY messages.
6023 1791. [bug] 'host -t a' still printed out AAAA and MX records.
6026 1790. [cleanup] Move lib/dns/sec/dst up into lib/dns. This should
6027 allow parallel make to succeed.
6029 1789. [bug] Prerequisite test for tkey and dnssec could fail
6030 with "configure --with-libtool".
6032 1788. [bug] libbind9.la/libbind9.so needs to link against
6033 libisccfg.la/libisccfg.so.
6035 1787. [port] HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings.
6037 1786. [port] AIX: libt_api needs to be taught to look for
6038 T_testlist in the main executable (--with-libtool).
6041 1785. [bug] libbind9.la/libbind9.so needs to link against
6042 libisc.la/libisc.so.
6044 1784. [cleanup] "libtool -allow-undefined" is the default.
6045 Leave hooks in configure to allow it to be set
6046 if needed in the future.
6048 1783. [cleanup] We only need one copy of libtool.m4, ltmain.sh in the
6051 1782. [port] OSX: --with-libtool + --enable-libbind broke on
6052 __evOptMonoTime. [RT #13219]
6054 1781. [port] FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810]
6056 1780. [bug] Update libtool to 1.5.10.
6058 1779. [port] OSF 5.1: libtool didn't handle -pthread correctly.
6060 1778. [port] HUX 11.11: fix broken IN6ADDR_ANY_INIT and
6061 IN6ADDR_LOOPBACK_INIT macros.
6063 1777. [port] OSF 5.1: fix broken IN6ADDR_ANY_INIT and
6064 IN6ADDR_LOOPBACK_INIT macros.
6066 1776. [port] Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
6067 IN6ADDR_LOOPBACK_INIT macros.
6069 1775. [bug] Only compile getnetent_r.c when threaded. [RT #13205]
6071 1774. [port] Aix: Silence compiler warnings / build failures.
6074 1773. [bug] Fast retry on host / net unreachable. [RT #13153]
6080 1770. [bug] named-checkconf failed to report missing a missing
6081 file clause for rbt{64} master/hint zones. [RT#13009]
6083 1769. [port] win32: change compiler flags /MTd ==> /MDd,
6086 1768. [bug] nsecnoexistnodata() could be called with a non-NSEC
6087 rdataset. [RT #12907]
6089 1767. [port] Builds on IPv6 platforms without IPv6 Advanced API
6090 support for (struct in6_pktinfo) failed. [RT #13077]
6092 1766. [bug] Update the master file timestamp on successful refresh
6093 as well as the journal's timestamp. [RT# 13062]
6095 1765. [bug] configure --with-openssl=auto failed. [RT #12937]
6097 1764. [bug] dns_zone_replacedb failed to emit a error message
6098 if there was no SOA record in the replacement db.
6101 1763. [func] Perform sanity checks on NS records which refer to
6102 'in zone' names. [RT #13002]
6104 1762. [bug] isc_interfaceiter_create() could return ISC_R_SUCCESS
6105 even when it failed. [RT #12995]
6107 1761. [bug] 'rndc dumpdb' didn't report unassociated entries.
6110 1760. [bug] Host / net unreachable was not penalising rtt
6111 estimates. [RT #12970]
6113 1759. [bug] Named failed to startup if the OS supported IPv6
6114 but had no IPv6 interfaces configured. [RT #12942]
6116 1758. [func] Don't send notify messages to self. [RT #12933]
6118 1757. [func] host now can turn on memory debugging flags with '-m'.
6120 1756. [func] named-checkconf now checks the logging configuration.
6123 1755. [func] allow-update is now settable at the options / view
6126 1754. [bug] We weren't always attempting to query the parent
6127 server for the DS records at the zone cut.
6130 1753. [bug] Don't serve a slave zone which has no NS records.
6133 1752. [port] Move isc_app_start() to after ns_os_daemonise()
6134 as some fork() implementations unblock the signals
6135 that are blocked by isc_app_start(). [RT #12810]
6137 1751. [bug] --enable-getifaddrs failed under linux. [RT #12867]
6139 1750. [port] lib/bind/make/rules.in:subdirs was not bash friendly.
6142 1749. [bug] 'check-names response ignore;' failed to ignore.
6145 1748. [func] dig now returns the byte count for axfr/ixfr.
6147 1747. [bug] BIND 8 compatibility: named/named-checkconf failed
6148 to parse "host-statistics-max" in named.conf.
6150 1746. [func] Make public the function to read a key file,
6151 dst_key_read_public(). [RT #12450]
6153 1745. [bug] Dig/host/nslookup accept replies from link locals
6154 regardless of scope if no scope was specified when
6155 query was sent. [RT #12745]
6157 1744. [bug] If tuple2msgname() failed to convert a tuple to
6158 a name a REQUIRE could be triggered. [RT #12796]
6160 1743. [bug] If isc_taskmgr_create() was not able to create the
6161 requested number of worker threads then destruction
6162 of the manager would trigger an INSIST() failure.
6165 1742. [bug] Deleting all records at a node then adding a
6166 previously existing record, in a single UPDATE
6167 transaction, failed to leave / regenerate the
6168 associated RRSIG records. [RT #12788]
6170 1741. [bug] Deleting all records at a node in a secure zone
6171 using a update-policy grant failed. [RT #12787]
6173 1740. [bug] Replace rbt's hash algorithm as it performed badly
6174 with certain zones. [RT #12729]
6176 NOTE: a hash context now needs to be established
6177 via isc_hash_create() if the application was not
6180 1739. [bug] dns_rbt_deletetree() could incorrectly return
6181 ISC_R_QUOTA. [RT #12695]
6183 1738. [bug] Enable overrun checking by default. [RT #12695]
6185 1737. [bug] named failed if more than 16 masters were specified.
6188 1736. [bug] dst_key_fromnamedfile() could fail to read a
6189 public key. [RT #12687]
6191 1735. [bug] 'dig +sigtrace' could die with a REQUIRE failure.
6194 1734. [cleanup] 'rndc-confgen -a -t' remove extra '/' in path.
6197 1733. [bug] Return non-zero exit status on initial load failure.
6200 1732. [bug] 'rrset-order name "*"' wasn't being applied to ".".
6203 1731. [port] darwin: relax version test in ifconfig.sh.
6206 1730. [port] Determine the length type used by the socket API.
6209 1729. [func] Improve check-names error messages.
6211 1728. [doc] Update check-names documentation.
6213 1727. [bug] named-checkzone: check-names support didn't match
6216 1726. [port] aix5: add support for aix5.
6218 1725. [port] linux: update error message on interaction of threads,
6219 capabilities and setuid support (named -u). [RT #12541]
6221 1724. [bug] Look for DNSKEY records with "dig +sigtrace".
6224 1723. [cleanup] Silence compiler warnings from t_tasks.c. [RT #12493]
6226 1722. [bug] Don't commit the journal on malformed ixfr streams.
6229 1721. [bug] Error message from the journal processing were not
6230 always identifying the relevant journal. [RT #12519]
6232 1720. [bug] 'dig +chase' did not terminate on a RFC 2308 Type 1
6233 negative response. [RT #12506]
6235 1719. [bug] named was not correctly caching a RFC 2308 Type 1
6236 negative response. [RT #12506]
6238 1718. [bug] nsupdate was not handling RFC 2308 Type 3 negative
6239 responses when looking for the zone / master server.
6242 1717. [port] solaris: ifconfig.sh did not support Solaris 10.
6243 "ifconfig.sh down" didn't work for Solaris 9.
6245 1716. [doc] named.conf(5) was being installed in the wrong
6246 location. [RT# 12441]
6248 1715. [func] 'dig +trace' now randomly selects the next servers
6249 to try. Report if there is a bad delegation.
6251 1714. [bug] dig/host/nslookup were only trying the first
6252 address when a nameserver was specified by name.
6255 1713. [port] linux: extend capset failure message to say:
6256 please ensure that the capset kernel module is
6257 loaded. see insmod(8)
6259 1712. [bug] Missing FULLCHECK for "trusted-key" in dig.
6261 1711. [func] 'rndc unfreeze' has been deprecated by 'rndc thaw'.
6263 1710. [func] 'rndc notify zone [class [view]]' resend the NOTIFY
6264 messages for the specified zone. [RT #9479]
6266 1709. [port] solaris: add SMF support from Sun.
6268 1708. [cleanup] Replaced dns_fullname_hash() with dns_name_fullhash()
6269 for conformance to the name space convention. Binary
6270 backward compatibility to the old function name is
6271 provided. [RT #12376]
6273 1707. [contrib] sdb/ldap updated to version 1.0-beta.
6275 1706. [bug] 'rndc stop' failed to cause zones to be flushed
6276 sometimes. [RT #12328]
6278 1705. [func] Allow the journal's name to be changed via named.conf.
6280 1704. [port] lwres needed a snprintf() implementation for
6281 platforms without snprintf(). Add missing
6282 "#include <isc/print.h>". [RT #12321]
6284 1703. [bug] named would loop sending NOTIFY messages when it
6285 failed to receive a response. [RT #12322]
6287 1702. [bug] also-notify should not be applied to built in zones.
6290 1701. [doc] A minimal named.conf man page.
6292 1700. [func] nslookup is no longer to be treated as deprecated.
6293 Remove "deprecated" warning message. Add man page.
6295 1699. [bug] dnssec-signzone can generate "not exact" errors
6296 when resigning. [RT #12281]
6298 1698. [doc] Use reserved IPv6 documentation prefix.
6300 1697. [bug] xxx-source{,-v6} was not effective when it
6301 specified one of listening addresses and a
6302 different port than the listening port. [RT #12257]
6304 1696. [bug] dnssec-signzone failed to clean out nodes that
6305 consisted of only NSEC and RRSIG records.
6308 1695. [bug] DS records when forwarding require special handling.
6311 1694. [bug] Report if the builtin views of "_default" / "_bind"
6312 are defined in named.conf. [RT #12023]
6314 1693. [bug] max-journal-size was not effective for master zones
6315 with ixfr-from-differences set. [RT# 12024]
6317 1692. [bug] Don't set -I, -L and -R flags when libcrypto is in
6318 /usr/lib. [RT #11971]
6320 1691. [bug] sdb's attachversion was not complete. [RT #11990]
6322 1690. [bug] Delay detaching view from the client until UPDATE
6323 processing completes when shutting down. [RT #11714]
6325 1689. [bug] DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros
6326 contained gratuitous semicolons. [RT #11707]
6328 1688. [bug] LDFLAGS was not supported.
6330 1687. [bug] Race condition in dispatch. [RT #10272]
6332 1686. [bug] Named sent a extraneous NOTIFY when it received a
6333 redundant UPDATE request. [RT #11943]
6335 1685. [bug] Change #1679 loop tests weren't quite right.
6337 1684. [func] ixfr-from-differences now takes master and slave in
6338 addition to yes and no at the options and view levels.
6340 1683. [bug] dig +sigchase could leak memory. [RT #11445]
6342 1682. [port] Update configure test for (long long) printf format.
6345 1681. [bug] Only set SO_REUSEADDR when a port is specified in
6346 isc_socket_bind(). [RT #11742]
6348 1680. [func] rndc: the source address can now be specified.
6350 1679. [bug] When there was a single nameserver with multiple
6351 addresses for a zone not all addresses were tried.
6354 1678. [bug] RRSIG should use TYPEXXXXX for unknown types.
6356 1677. [bug] dig: +aaonly didn't work, +aaflag undocumented.
6358 1676. [func] New option "allow-query-cache". This lets
6359 allow-query be used to specify the default zone
6360 access level rather than having to have every
6361 zone override the global value. allow-query-cache
6362 can be set at both the options and view levels.
6363 If allow-query-cache is not set allow-query applies.
6365 1675. [bug] named would sometimes add extra NSEC records to
6366 the authority section.
6368 1674. [port] linux: increase buffer size used to scan
6371 1673. [port] linux: issue a error messages if IPv6 interface
6374 1672. [cleanup] Tests which only function in a threaded build
6375 now return R:THREADONLY (rather than R:UNTESTED)
6376 in a non-threaded build.
6378 1671. [contrib] queryperf: add NAPTR to the list of known types.
6380 1670. [func] Log UPDATE requests to slave zones without an acl as
6381 "disabled" at debug level 3. [RT# 11657]
6385 1668. [bug] DIG_SIGCHASE was making bin/dig/host dump core.
6387 1667. [port] linux: not all versions have IF_NAMESIZE.
6389 1666. [bug] The optional port on hostnames in dual-stack-servers
6392 1665. [func] rndc now allows addresses to be set in the
6395 1664. [bug] nsupdate needed KEY for SIG(0), not DNSKEY.
6397 1663. [func] Look for OpenSSL by default.
6399 1662. [bug] Change #1658 failed to change one use of 'type'
6402 1661. [bug] Restore dns_name_concatenate() call in
6403 adb.c:set_target(). [RT #11582]
6405 1660. [bug] win32: connection_reset_fix() was being called
6406 unconditionally. [RT #11595]
6408 1659. [cleanup] Cleanup some messages that were referring to KEY vs
6409 DNSKEY, NXT vs NSEC and SIG vs RRSIG.
6411 1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5
6412 and DH. Tighten which options apply to KEY and
6415 1657. [doc] ARM: document query log output.
6417 1656. [doc] Update DNSSEC description in ARM to cover DS, NSEC
6418 DNSKEY and RRSIG. [RT #11542]
6420 1655. [bug] Logging multiple versions w/o a size was broken.
6423 1654. [bug] isc_result_totext() contained array bounds read
6426 1653. [func] Add key type checking to dst_key_fromfilename(),
6427 DST_TYPE_KEY should be used to read TSIG, TKEY and
6430 1652. [bug] TKEY still uses KEY.
6432 1651. [bug] dig: process multiple dash options.
6434 1650. [bug] dig, nslookup: flush standard out after each command.
6436 1649. [bug] Silence "unexpected non-minimal diff" message.
6439 1648. [func] Update dnssec-lookaside named.conf syntax to support
6440 multiple dnssec-lookaside namespaces (not yet
6443 1647. [bug] It was possible trigger a INSIST when chasing a DS
6444 record that required walking back over a empty node.
6447 1646. [bug] win32: logging file versions didn't work with
6448 non-UNC filenames. [RT#11486]
6450 1645. [bug] named could trigger a REQUIRE failure if multiple
6451 masters with keys are specified.
6453 1644. [bug] Update the journal modification time after a
6454 successful refresh query. [RT #11436]
6456 1643. [bug] dns_db_closeversion() could leak memory / node
6457 references. [RT #11163]
6459 1642. [port] Support OpenSSL implementations which don't have
6460 DSA support. [RT #11360]
6462 1641. [bug] Update the check-names description in ARM. [RT #11389]
6464 1640. [bug] win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was
6465 incorrectly closing the socket. [RT #11291]
6467 1639. [func] Initial dlv system test.
6469 1638. [bug] "ixfr-from-differences" could generate a REQUIRE
6470 failure if the journal open failed. [RT #11347]
6472 1637. [bug] Node reference leak on error in addnoqname().
6474 1636. [bug] The dump done callback could get ISC_R_SUCCESS even if
6475 a error had occurred. The database version no longer
6476 matched the version of the database that was dumped.
6478 1635. [bug] Memory leak on error in query_addds().
6480 1634. [bug] named didn't supply a useful error message when it
6481 detected duplicate views. [RT #11208]
6483 1633. [bug] named should return NOTIMP to update requests to a
6484 slaves without a allow-update-forwarding acl specified.
6487 1632. [bug] nsupdate failed to send prerequisite only UPDATE
6488 messages. [RT #11288]
6490 1631. [bug] dns_journal_compact() could sometimes corrupt the
6491 journal. [RT #11124]
6493 1630. [contrib] queryperf: add support for IPv6 transport.
6495 1629. [func] dig now supports IPv6 scoped addresses with the
6496 extended format in the local-server part. [RT #8753]
6498 1628. [bug] Typo in Compaq Trucluster support. [RT# 11264]
6500 1627. [bug] win32: sockets were not being closed when the
6501 last external reference was removed. [RT# 11179]
6503 1626. [bug] --enable-getifaddrs was broken. [RT#11259]
6505 1625. [bug] named failed to load/transfer RFC2535 signed zones
6506 which contained CNAMES. [RT# 11237]
6508 1624. [bug] zonemgr_putio() call should be locked. [RT# 11163]
6510 1623. [bug] A serial number of zero was being displayed in the
6511 "sending notifies" log message when also-notify was
6514 1622. [func] probe the system to see if IPV6_(RECV)PKTINFO is
6515 available, and suppress wildcard binding if not.
6517 1621. [bug] match-destinations did not work for IPv6 TCP queries.
6520 1620. [func] When loading a zone report if it is signed. [RT #11149]
6522 1619. [bug] Missing ISC_LIST_UNLINK in end_reserved_dispatches().
6525 1618. [bug] Fencepost errors in dns_name_ishostname() and
6526 dns_name_ismailbox() could trigger a INSIST().
6528 1617. [port] win32: VC++ 6.0 support.
6530 1616. [compat] Ensure that named's version is visible in the core
6533 1615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if
6536 1614. [port] win32: silence resource limit messages. [RT# 11101]
6538 1613. [bug] Builds would fail on machines w/o a if_nametoindex().
6539 Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif.
6542 1612. [bug] check-names at the option/view level could trigger
6543 an INSIST. [RT# 11116]
6545 1611. [bug] solaris: IPv6 interface scanning failed to cope with
6546 no active IPv6 interfaces.
6548 1610. [bug] On dual stack machines "dig -b" failed to set the
6549 address type to be looked up with "@server".
6552 1609. [func] dig now has support to chase DNSSEC signature chains.
6553 Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES.
6555 DNSSEC validation code in dig coded by Olivier Courtay
6556 (olivier.courtay@irisa.fr) for the IDsA project
6557 (http://idsa.irisa.fr).
6559 1608. [func] dig and host now accept -4/-6 to select IP transport
6560 to use when making queries.
6562 1607. [bug] dig, host and nslookup were still using random()
6563 to generate query ids. [RT# 11013]
6565 1606. [bug] DLV insecurity proof was failing.
6567 1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC.
6569 1604. [bug] A xfrout_ctx_create() failure would result in
6570 xfrout_ctx_destroy() being called with a
6571 partially initialized structure.
6573 1603. [bug] nsupdate: set interactive based on isatty().
6576 1602. [bug] Logging to a file failed unless a size was specified.
6579 1601. [bug] Silence spurious warning 'both "recursion no;" and
6580 "allow-recursion" active' warning from view "_bind".
6583 1600. [bug] Duplicate zone pre-load checks were not case
6586 1599. [bug] Fix memory leak on error path when checking named.conf.
6588 1598. [func] Specify that certain parts of the namespace must
6589 be secure (dnssec-must-be-secure).
6591 1597. [func] Allow notify-source and query-source to be specified
6592 on a per server basis similar to transfer-source.
6595 1596. [func] Accept 'notify-source' style syntax for query-source.
6597 1595. [func] New notify type 'master-only'. Enable notify for
6600 1594. [bug] 'rndc dumpdb' could prevent named from answering
6601 queries while the dump was in progress. [RT #10565]
6603 1593. [bug] rndc should return "unknown command" to unknown
6604 commands. [RT# 10642]
6606 1592. [bug] configure_view() could leak a dispatch. [RT# 10675]
6608 1591. [bug] libbind: updated to BIND 8.4.5.
6610 1590. [port] netbsd: update thread support.
6612 1589. [func] DNSSEC lookaside validation.
6614 1588. [bug] win32: TCP sockets could become blocked. [RT #10115]
6616 1587. [bug] dns_message_settsigkey() failed to clear existing key.
6619 1586. [func] "check-names" is now implemented.
6623 1584. [bug] "make test" failed with a read only source tree.
6626 1583. [bug] Records add via UPDATE failed to get the correct trust
6629 1582. [bug] rrset-order failed to work on RRsets with more
6630 than 32 elements. [RT #10381]
6632 1581. [func] Disable DNSSEC support by default. To enable
6633 DNSSEC specify "dnssec-enable yes;" in named.conf.
6635 1580. [bug] Zone destruction on final detach takes a long time.
6638 1579. [bug] Multiple task managers could not be created.
6640 1578. [bug] Don't use CLASS E IPv4 addresses when resolving.
6643 1577. [bug] Use isc_uint32_t in ultrasparc optimizer bug
6644 workaround code. [RT #10331]
6646 1576. [bug] Race condition in dns_dispatch_addresponse().
6649 1575. [func] Log TSIG name on TSIG verify failure. [RT #4404]
6651 1574. [bug] Don't attempt to open the controls socket(s) when
6652 running tests. [RT #9091]
6654 1573. [port] linux: update to libtool 1.5.2 so that
6655 "make install DESTDIR=/xx" works with
6656 "configure --with-libtool". [RT #9941]
6658 1572. [bug] nsupdate: sign the soa query to find the enclosing
6659 zone if the server is specified. [RT #10148]
6661 1571. [bug] rbt:hash_node() could fail leaving the hash table
6662 in an inconsistent state. [RT #10208]
6664 1570. [bug] nsupdate failed to handle classes other than IN.
6665 New keyword 'class' which sets the default class.
6668 1569. [func] nsupdate new command 'answer' which displays the
6669 complete answer message to the last update.
6671 1568. [bug] nsupdate now reports that the update failed in
6672 interactive mode. [RT# 10236]
6674 1567. [maint] B.ROOT-SERVERS.NET is now 192.228.79.201.
6676 1566. [port] Support for the cmsg framework on Solaris and HP/UX.
6677 This also solved the problem that match-destinations
6678 for IPv6 addresses did not work on these systems.
6681 1565. [bug] CD flag should be copied to outgoing queries unless
6682 the query is under a secure entry point in which case
6685 1564. [func] Attempt to provide a fallback entropy source to be
6686 used if named is running chrooted and named is unable
6687 to open entropy source within the chroot area.
6690 1563. [bug] Gracefully fail when unable to obtain neither an IPv4
6691 nor an IPv6 dispatch. [RT #10230]
6693 1562. [bug] isc_socket_create() and isc_socket_accept() could
6694 leak memory under error conditions. [RT #10230]
6696 1561. [bug] It was possible to release the same name twice if
6697 named ran out of memory. [RT #10197]
6699 1560. [port] FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA
6700 and EAI_NONAME to the same value.
6702 1559. [port] named should ignore SIGFSZ.
6704 1558. [func] New DNSSEC 'disable-algorithms'. Support entry into
6705 child zones for which we don't have a supported
6706 algorithm. Such child zones are treated as unsigned.
6708 1557. [func] Implement missing DNSSEC tests for
6709 * NOQNAME proof with wildcard answers.
6710 * NOWILDARD proof with NXDOMAIN.
6711 Cache and return NOQNAME with wildcard answers.
6713 1556. [bug] nsupdate now treats all names as fully qualified.
6716 1555. [func] 'rrset-order cyclic' no longer has a random starting
6717 point per query. [RT #7572]
6719 1554. [bug] dig, host, nslookup failed when no nameservers
6720 were specified in /etc/resolv.conf. [RT #8232]
6722 1553. [bug] The windows socket code could stop accepting
6723 connections. [RT#10115]
6725 1552. [bug] Accept NOTIFY requests from mapped masters if
6726 matched-mapped is set. [RT #10049]
6728 1551. [port] Open "/dev/null" before calling chroot().
6730 1550. [port] Call tzset(), if available, before calling chroot().
6732 1549. [func] named-checkzone can now write out the zone contents
6733 in a easily parsable format (-D and -o).
6735 1548. [bug] When parsing APL records it was possible to silently
6736 accept out of range ADDRESSFAMILY values. [RT# 9979]
6738 1547. [bug] Named wasted memory recording duplicate lame zone
6741 1546. [bug] We were rejecting valid secure CNAME to negative
6744 1545. [bug] It was possible to leak memory if named was unable to
6745 bind to the specified transfer source and TSIG was
6746 being used. [RT #10120]
6748 1544. [bug] Named would logged a single entry to a file despite it
6749 being over the specified size limit.
6751 1543. [bug] Logging using "versions unlimited" did not work.
6755 1541. [func] NSEC now uses new bitmap format.
6757 1540. [bug] "rndc reload <dynamiczone>" was silently accepted.
6760 1539. [bug] Open UDP sockets for notify-source and transfer-source
6761 that use reserved ports at startup. [RT #9475]
6763 1538. [placeholder] rt9997
6765 1537. [func] New option "querylog". If set specify whether query
6766 logging is to be enabled or disabled at startup.
6768 1536. [bug] Windows socket code failed to log a error description
6769 when returning ISC_R_UNEXPECTED. [RT #9998]
6773 1534. [bug] Race condition when priming cache. [RT# 9940]
6775 1533. [func] Warn if both "recursion no;" and "allow-recursion"
6776 are active. [RT# 4389]
6778 1532. [port] netbsd: the configure test for <sys/sysctl.h>
6779 requires <sys/param.h>.
6781 1531. [port] AIX more libtool fixes.
6783 1530. [bug] It was possible to trigger a INSIST() failure if a
6784 slave master file was removed at just the correct
6787 1529. [bug] "notify explicit;" failed to log that NOTIFY messages
6788 were being sent for the zone. [RT# 9442]
6790 1528. [cleanup] Simplify some dns_name_ functions based on the
6791 deprecation of bitstring labels.
6793 1527. [cleanup] Reduce the number of gettimeofday() calls without
6794 losing necessary timer granularity.
6796 1526. [func] Implemented "additional section caching (or acache)",
6797 an internal cache framework for additional section
6798 content to improve response performance. Several
6799 configuration options were provided to control the
6802 1525. [bug] dns_cache_create() could trigger a REQUIRE
6803 failure in isc_mem_put() during error cleanup.
6806 1524. [port] AIX needs to be able to resolve all symbols when
6807 creating shared libraries (--with-libtool).
6809 1523. [bug] Fix race condition in rbtdb. [RT# 9189]
6811 1522. [bug] dns_db_findnode() relax the requirements on 'name'.
6814 1521. [bug] dns_view_createresolver() failed to check the
6815 result from isc_mem_create(). [RT# 9294]
6817 1520. [protocol] Add SSHFP (SSH Finger Print) type.
6819 1519. [bug] dnssec-signzone:nsec_setbit() computed the wrong
6820 length of the new bitmap.
6822 1518. [bug] dns_nsec_buildrdata(), and hence dns_nsec_build(),
6823 contained a off-by-one error when working out the
6824 number of octets in the bitmap.
6826 1517. [port] Support for IPv6 interface scanning on HP/UX and
6829 1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
6831 1515. [func] Allow transfer source to be set in a server statement.
6834 1514. [bug] named: isc_hash_destroy() was being called too early.
6837 1513. [doc] Add "US" to root-delegation-only exclude list.
6839 1512. [bug] Extend the delegation-only logging to return query
6840 type, class and responding nameserver.
6842 1511. [bug] delegation-only was generating false positives
6843 on negative answers from sub-zones.
6845 1510. [func] New view option "root-delegation-only". Apply
6846 delegation-only check to all TLDs and root.
6847 Note there are some TLDs that are NOT delegation
6848 only (e.g. DE, LV, US and MUSEUM) these can be excluded
6849 from the checks by using exclude.
6851 root-delegation-only exclude {
6852 "DE"; "LV"; "US"; "MUSEUM";
6855 1509. [bug] Hint zones should accept delegation-only. Forward
6856 zone should not accept delegation-only.
6858 1508. [bug] Don't apply delegation-only checks to answers from
6861 1507. [bug] Handle BIND 8 style returns to NS queries to parents
6862 when making delegation-only checks.
6864 1506. [bug] Wrong return type for dns_view_isdelegationonly().
6866 1505. [bug] Uninitialized rdataset in sdb. [RT #8750]
6868 1504. [func] New zone type "delegation-only".
6870 1503. [port] win32: install libeay32.dll outside of system32.
6872 1502. [bug] nsupdate: adjust timeouts for UPDATE requests over TCP.
6874 1501. [func] Allow TCP queue length to be specified via
6875 named.conf, tcp-listen-queue.
6877 1500. [bug] host failed to lookup MX records. Also look up
6880 1499. [bug] isc_random need to be seeded better if arc4random()
6883 1498. [port] bsdos: 5.x support.
6887 1496. [port] test for pthread_attr_setstacksize().
6889 1495. [cleanup] Replace hash functions with universal hash.
6891 1494. [security] Turn on RSA BLINDING as a precaution.
6895 1492. [cleanup] Preserve rwlock quota context when upgrading /
6896 downgrading. [RT #5599]
6898 1491. [bug] dns_master_dump*() would produce extraneous $ORIGIN
6901 1490. [bug] Accept reading state as well as working state in
6902 ns_client_next(). [RT #6813]
6904 1489. [compat] Treat 'allow-update' on slave zones as a warning.
6907 1488. [bug] Don't override trust levels for glue addresses.
6910 1487. [bug] A REQUIRE() failure could be triggered if a zone was
6911 queued for transfer and the zone was then removed.
6914 1486. [bug] isc_print_snprintf() '%%' consumed one too many format
6915 characters. [RT# 8230]
6917 1485. [bug] gen failed to handle high type values. [RT #6225]
6919 1484. [bug] The number of records reported after a AXFR was wrong.
6922 1483. [bug] dig axfr failed if the message id in the answer failed
6923 to match that in the request. Only the id in the first
6924 message is required to match. [RT #8138]
6926 1482. [bug] named could fail to start if the kernel supports
6927 IPv6 but no interfaces are configured. Similarly
6928 for IPv4. [RT #6229]
6930 1481. [bug] Refresh and stub queries failed to use masters keys
6931 if specified. [RT #7391]
6933 1480. [bug] Provide replay protection for rndc commands. Full
6934 replay protection requires both rndc and named to
6935 be updated. Partial replay protection (limited
6936 exposure after restart) is provided if just named
6939 1479. [bug] cfg_create_tuple() failed to handle out of
6940 memory cleanup. parse_list() would leak memory
6943 1478. [port] ifconfig.sh didn't account for other virtual
6944 interfaces. It now takes a optional argument
6945 to specify the first interface number. [RT #3907]
6947 1477. [bug] memory leak using stub zones and TSIG.
6951 1475. [port] Probe for old sprintf().
6953 1474. [port] Provide strtoul() and memmove() for platforms
6956 1473. [bug] create_map() and create_string() failed to handle out
6957 of memory cleanup. [RT #6813]
6959 1472. [contrib] idnkit-1.0 from JPNIC, replaces mdnkit.
6961 1471. [bug] libbind: updated to BIND 8.4.0.
6963 1470. [bug] Incorrect length passed to snprintf. [RT #5966]
6965 1469. [func] Log end of outgoing zone transfer at same level
6966 as the start of transfer is logged. [RT #4441]
6968 1468. [func] Internal zones are no longer counted for
6969 'rndc status'. [RT #4706]
6971 1467. [func] $GENERATES now supports optional class and ttl.
6973 1466. [bug] lwresd configuration errors resulted in memory
6974 and lock leaks. [RT #5228]
6976 1465. [bug] isc_base64_decodestring() and isc_base64_tobuffer()
6977 failed to check that trailing bits were zero allowing
6978 some invalid base64 strings to be accepted. [RT #5397]
6980 1464. [bug] Preserve "out of zone" data for outgoing zone
6981 transfers. [RT #5192]
6983 1463. [bug] dns_rdata_from{wire,struct}() failed to catch bad
6984 NXT bit maps. [RT #5577]
6986 1462. [bug] parse_sizeval() failed to check the token type.
6989 1461. [bug] Remove deadlock from rbtdb code. [RT #5599]
6991 1460. [bug] inet_pton() failed to reject certain malformed
6996 1458. [cleanup] sprintf() -> snprintf().
6998 1457. [port] Provide strlcat() and strlcpy() for platforms without
7001 1456. [contrib] gen-data-queryperf.py from Stephane Bortzmeyer.
7003 1455. [bug] <netaddr> missing from server grammar in
7004 doc/misc/options. [RT #5616]
7006 1454. [port] Use getifaddrs() if available for interface scanning.
7007 --disable-getifaddrs to override. Glibc currently
7008 has a getifaddrs() that does not support IPv6.
7009 Use --enable-getifaddrs=glibc to force the use of
7010 this version under linux machines.
7012 1453. [doc] ARM: $GENERATE example wasn't accurate. [RT #5298]
7016 1451. [bug] rndc-confgen didn't exit with a error code for all
7017 failures. [RT #5209]
7019 1450. [bug] Fetching expired glue failed under certain
7020 circumstances. [RT #5124]
7022 1449. [bug] query_addbestns() didn't handle running out of memory
7025 1448. [bug] Handle empty wildcards labels.
7027 1447. [bug] We were casting (unsigned int) to and from (void *).
7028 rdataset->private4 is now rdataset->privateuint4
7029 to reflect a type change.
7031 1446. [func] Implemented undocumented alternate transfer sources
7032 from BIND 8. See use-alt-transfer-source,
7033 alt-transfer-source and alt-transfer-source-v6.
7035 SECURITY: use-alt-transfer-source is ENABLED unless
7036 you are using views. This may cause a security risk
7037 resulting in accidental disclosure of wrong zone
7038 content if the master supplying different source
7039 content based on IP address. If you are not certain
7040 ISC recommends setting use-alt-transfer-source no;
7042 1445. [bug] DNS_ADBFIND_STARTATROOT broke stub zones. This has
7043 been replaced with DNS_ADBFIND_STARTATZONE which
7044 causes the search to start using the closest zone.
7046 1444. [func] dns_view_findzonecut2() allows you to specify if the
7047 cache should be searched for zone cuts.
7049 1443. [func] Masters lists can now be specified and referenced
7050 in zone masters clauses and other masters lists.
7052 1442. [func] New functions for manipulating port lists:
7053 dns_portlist_create(), dns_portlist_add(),
7054 dns_portlist_remove(), dns_portlist_match(),
7055 dns_portlist_attach() and dns_portlist_detach().
7057 1441. [func] It is now possible to tell dig to bind to a specific
7060 1440. [func] It is now possible to tell named to avoid using
7061 certain source ports (avoid-v4-udp-ports,
7062 avoid-v6-udp-ports).
7064 1439. [bug] Named could return NOERROR with certain NOTIFY
7065 failures. Return NOTAUTH if the NOTIFY zone is
7068 1438. [func] Log TSIG (if any) when logging NOTIFY requests.
7070 1437. [bug] Leave space for stdio to work in. [RT #5033]
7072 1436. [func] dns_zonemgr_resumexfrs() can be used to restart
7075 1435. [bug] zmgr_resume_xfrs() was being called read locked
7076 rather than write locked. zmgr_resume_xfrs()
7077 was not being called if the zone was being
7080 1434. [bug] "rndc reconfig" failed to initiate the initial
7081 zone transfer of new slave zones.
7083 1433. [bug] named could trigger a REQUIRE failure if it could
7084 not get a file descriptor when attempting to write
7085 a master file. [RT #4347]
7087 1432. [func] The advertised EDNS UDP buffer size can now be set
7088 via named.conf (edns-udp-size).
7090 1431. [bug] isc_print_snprintf() "%s" with precision could walk off
7091 end of argument. [RT #5191]
7093 1430. [port] linux: IPv6 interface scanning support.
7095 1429. [bug] Prevent the cache getting locked to old servers.
7099 1427. [bug] Race condition in adb with threaded build.
7103 1425. [port] linux/libbind: define __USE_MISC when testing *_r()
7104 function prototypes in netdb.h. [RT #4921]
7106 1424. [bug] EDNS version not being correctly printed.
7108 1423. [contrib] queryperf: added A6 and SRV.
7110 1422. [func] Log name/type/class when denying a query. [RT #4663]
7112 1421. [func] Differentiate updates that don't succeed due to
7113 prerequisites (unsuccessful) vs other reasons
7116 1420. [port] solaris: work around gcc optimizer bug.
7118 1419. [port] openbsd: use /dev/arandom. [RT #4950]
7120 1418. [bug] 'rndc reconfig' did not cause new slaves to load.
7122 1417. [func] ID.SERVER/CHAOS is now a built in zone.
7123 See "server-id" for how to configure.
7125 1416. [bug] Empty node should return NOERROR NODATA, not NXDOMAIN.
7128 1415. [func] DS TTL now derived from NS ttl. NXT TTL now derived
7131 1414. [func] Support for KSK flag.
7133 1413. [func] Explicitly request the (re-)generation of DS records
7134 from keysets (dnssec-signzone -g).
7136 1412. [func] You can now specify servers to be tried if a nameserver
7137 has IPv6 address and you only support IPv4 or the
7138 reverse. See dual-stack-servers.
7140 1411. [bug] empty nodes should stop wildcard matches. [RT #4802]
7142 1410. [func] Handle records that live in the parent zone, e.g. DS.
7144 1409. [bug] DS should have attribute DNS_RDATATYPEATTR_DNSSEC.
7146 1408. [bug] "make distclean" was not complete. [RT #4700]
7148 1407. [bug] lfsr incorrectly implements the shift register.
7151 1406. [bug] dispatch initializes one of the LFSR's with a incorrect
7152 polynomial. [RT #4617]
7154 1405. [func] Use arc4random() if available.
7156 1404. [bug] libbind: ns_name_ntol() could overwrite a zero length
7159 1403. [func] dnssec-signzone, dnssec-keygen, dnssec-makekeyset
7160 dnssec-signkey now report their version in the
7163 1402. [cleanup] A6 has been moved to experimental and is no longer
7166 1401. [bug] adb wasn't clearing state when the timer expired.
7168 1400. [bug] Block the addition of wildcard NS records by IXFR
7169 or UPDATE. [RT #3502]
7171 1399. [bug] Use serial number arithmetic when testing SIG
7172 timestamps. [RT #4268]
7174 1398. [doc] ARM: notify-also should have been also-notify.
7177 1397. [maint] J.ROOT-SERVERS.NET is now 192.58.128.30.
7179 1396. [func] dnssec-signzone: adjust the default signing time by
7180 1 hour to allow for clock skew.
7182 1395. [port] OpenSSL 0.9.7 defines CRYPTO_LOCK_ENGINE but doesn't
7183 have a working implementation. [RT #4079]
7185 1394. [func] It is now possible to check if a particular element is
7186 in a acl. Remove duplicate entries from the localnets
7189 1393. [port] Bind to individual IPv6 interfaces if IPV6_IPV6ONLY
7190 is not available in the kernel to prevent accidently
7191 listening on IPv4 interfaces.
7193 1392. [bug] named-checkzone: update usage.
7195 1391. [func] Add support for IPv6 scoped addresses in named.
7197 1390. [func] host now supports ixfr.
7199 1389. [bug] named could fail to rotate long log files. [RT #3666]
7201 1388. [port] irix: check for sys/sysctl.h and NET_RT_IFLIST before
7202 defining HAVE_IFLIST_SYSCTL. [RT #3770]
7204 1387. [bug] named could crash due to an access to invalid memory
7205 space (which caused an assertion failure) in
7206 incremental cleaning. [RT #3588]
7208 1386. [bug] named-checkzone -z stopped on errors in a zone.
7211 1385. [bug] Setting serial-query-rate to 10 would trigger a
7214 1384. [bug] host was incompatible with BIND 8 in its exit code and
7215 in the output with the -l option. [RT #3536]
7217 1383. [func] Track the serial number in a IXFR response and log if
7218 a mismatch occurs. This is a more specific error than
7219 "not exact". [RT #3445]
7221 1382. [bug] make install failed with --enable-libbind. [RT #3656]
7223 1381. [bug] named failed to correctly process answers that
7224 contained DNAME records where the resulting CNAME
7225 resulted in a negative answer.
7227 1380. [func] 'rndc recursing' dump recursing queries to
7228 'recursing-file = "named.recursing";'.
7230 1379. [func] 'rndc status' now reports tcp and recursion quota
7233 1378. [func] Improved positive feedback for 'rndc {reload|refresh}.
7235 1377. [func] dns_zone_load{new}() now reports if the zone was
7236 loaded, queued for loading to up to date.
7238 1376. [func] New function dns_zone_logc() to log to specified
7241 1375. [func] 'rndc dumpdb' now dumps the adb cache along with the
7244 1374. [func] dns_adb_dump() now logs the lame zones associated
7247 1373. [bug] Recovery from expired glue failed under certain
7250 1372. [bug] named crashes with an assertion failure on exit when
7251 sharing the same port for listening and querying, and
7252 changing listening addresses several times. [RT# 3509]
7254 1371. [bug] notify-source-v6, transfer-source-v6 and
7255 query-source-v6 with explicit addresses and using the
7256 same ports as named was listening on could interfere
7257 with named's ability to answer queries sent to those
7260 1370. [bug] dig '+[no]recurse' was incorrectly documented.
7262 1369. [bug] Adding an NS record as the lexicographically last
7263 record in a secure zone didn't work.
7265 1368. [func] remove support for bitstring labels.
7267 1367. [func] Use response times to select forwarders.
7269 1366. [contrib] queryperf usage was incomplete. Add '-h' for help.
7271 1365. [func] "localhost" and "localnets" acls now include IPv6
7272 addresses / prefixes.
7274 1364. [func] Log file name when unable to open memory statistics
7275 and dump database files. [RT# 3437]
7277 1363. [func] Listen-on-v6 now supports specific addresses.
7279 1362. [bug] remove IFF_RUNNING test when scanning interfaces.
7281 1361. [func] log the reason for rejecting a server when resolving
7284 1360. [bug] --enable-libbind would fail when not built in the
7285 source tree for certain OS's.
7287 1359. [security] Support patches OpenSSL libraries.
7288 http://www.cert.org/advisories/CA-2002-23.html
7290 1358. [bug] It was possible to trigger a INSIST when debugging
7291 large dynamic updates. [RT #3390]
7293 1357. [bug] nsupdate was extremely wasteful of memory.
7295 1356. [tuning] Reduce the number of events / quantum for zone tasks.
7297 1355. [bug] Fix DNSSEC wildcard proof for CNAME/DNAME.
7299 1354. [doc] lwres man pages had illegal nroff.
7301 1353. [contrib] sdb/ldap to version 0.9.
7303 1352. [bug] dig, host, nslookup when falling back to TCP use the
7304 current search entry (if any). [RT #3374]
7306 1351. [bug] lwres_getipnodebyname() returned the wrong name
7307 when given a IPv4 literal, af=AF_INET6 and AI_MAPPED
7310 1350. [bug] dns_name_fromtext() failed to handle too many labels
7313 1349. [security] Minimum OpenSSL version now 0.9.6e (was 0.9.5a).
7314 http://www.cert.org/advisories/CA-2002-23.html
7316 1348. [port] win32: Rewrote code to use I/O Completion Ports
7317 in socket.c and eliminating a host of socket
7318 errors. Performance is enhanced.
7324 1345. [port] Use a explicit -Wformat with gcc. Not all versions
7325 include it in -Wall.
7327 1344. [func] Log if the serial number on the master has gone
7329 If you have multiple machines specified in the masters
7330 clause you may want to set 'multi-master yes;' to
7331 suppress this warning.
7333 1343. [func] Log successful notifies received (info). Adjust log
7334 level for failed notifies to notice.
7336 1342. [func] Log remote address with TCP dispatch failures.
7338 1341. [func] Allow a rate limiter to be stalled.
7340 1340. [bug] Delay and spread out the startup refresh load.
7342 1339. [func] dig, host and nslookup now use IP6.ARPA for nibble
7343 lookups. Bit string lookups are no longer attempted.
7349 1336. [func] Nibble lookups under IP6.ARPA are now supported by
7350 dns_byaddr_create(). dns_byaddr_createptrname() is
7351 deprecated, use dns_byaddr_createptrname2() instead.
7353 1335. [bug] When performing a nonexistence proof, the validator
7354 should discard parent NXTs from higher in the DNS.
7356 1334. [bug] When signing/verifying rdatasets, duplicate rdatas
7357 need to be suppressed.
7359 1333. [contrib] queryperf now reports a summary of returned
7360 rcodes (-c), rcodes are printed in mnemonic form (-v).
7362 1332. [func] Report the current serial with periodic commits when
7363 rolling forward the journal.
7365 1331. [func] Generate DNSSEC wildcard proofs.
7367 1330. [bug] When processing events (non-threaded) only allow
7368 the task one chance to use to use its quantum.
7370 1329. [func] named-checkzone will now check if nameservers that
7371 appear to be IP addresses. Available modes "fail",
7372 "warn" (default) and "ignore" the results of the
7375 1328. [bug] The validator could incorrectly verify an invalid
7378 1327. [bug] The validator would incorrectly mark data as insecure
7379 when seeing a bogus signature before a correct
7382 1326. [bug] DNAME/CNAME signatures were not being cached when
7383 validation was not being performed. [RT #3284]
7385 1325. [bug] If the tcpquota was exhausted it was possible to
7386 to trigger a INSIST() failure.
7388 1324. [port] darwin: ifconfig.sh now supports darwin.
7390 1323. [port] linux: Slackware 4.0 needs <asm/unistd.h>. [RT #3205]
7392 1322. [bug] dnssec-signzone usage message was misleading.
7394 1321. [bug] If the last RRset in a zone is glue, dnssec-signzone
7395 would incorrectly duplicate its output and sign it.
7397 1320. [doc] query-source-v6 was missing from options section.
7400 1319. [func] libbind: log attempts to exploit #1318.
7402 1318. [bug] libbind: Remote buffer overrun.
7404 1317. [port] libbind: TrueUNIX 5.1 does not like __align as a
7407 1316. [bug] libbind: gethostans() could get out of sync parsing
7408 the response if there was a very long CNAME chain.
7410 1315. [bug] Options should apply to the internal _bind view.
7412 1314. [port] Handle ECONNRESET from sendmsg() [unix].
7414 1313. [func] Query log now says if the query was signed (S) or
7415 if EDNS was used (E).
7417 1312. [func] Log TSIG key used w/ outgoing zone transfers.
7419 1311. [bug] lwres_getrrsetbyname leaked memory. [RT #3159]
7421 1310. [bug] 'rndc stop' failed to cause zones to be flushed
7422 sometimes. [RT #3157]
7424 1309. [func] Log that a zone transfer was covered by a TSIG.
7426 1308. [func] DS (delegation signer) support.
7428 1307. [bug] nsupdate: allow white space base64 key data.
7430 1306. [bug] Badly encoded LOC record when the size, horizontal
7431 precision or vertical precision was 0.1m.
7433 1305. [bug] Document that internal zones are included in the
7434 rndc status results.
7436 1304. [func] New function: dns_zone_name().
7438 1303. [func] Option 'flush-zones-on-shutdown <boolean>;'.
7440 1302. [func] Extended rndc dumpdb to support dumping of zones and
7441 view selection: 'dumpdb [-all|-zones|-cache] [view]'.
7443 1301. [func] New category 'update-security'.
7445 1300. [port] Compaq Trucluster support.
7447 1299. [bug] Set AI_ADDRCONFIG when looking up addresses
7448 via getaddrinfo() (affects dig, host, nslookup, rndc
7451 1298. [bug] The CINCLUDES macro in lib/dns/sec/dst/Makefile
7452 could be left with a trailing "\" after configure
7455 1297. [port] linux: make handling EINVAL from socket() no longer
7456 conditional on #ifdef LINUX.
7458 1296. [bug] isc_log_closefilelogs() needed to lock the log
7461 1295. [bug] isc_log_setdebuglevel() needed to lock the log
7464 1294. [func] libbind: no longer attempts bit string labels for
7465 IPv6 reverse resolution. Try IP6.ARPA then IP6.INT
7466 for nibble style resolution.
7468 1293. [func] Entropy can now be retrieved from EGDs. [RT #2438]
7470 1292. [func] Enable IPv6 support when using ioctl style interface
7471 scanning and OS supports SIOCGLIFADDR using struct
7474 1291. [func] Enable IPv6 support when using sysctl style interface
7477 1290. [func] "dig axfr" now reports the number of messages
7478 as well as the number of records.
7480 1289. [port] See if -ldl is required for OpenSSL? [RT #2672]
7482 1288. [bug] Adjusted REQUIRE's in lib/dns/name.c to better
7483 reflect written requirements.
7485 1287. [bug] REQUIRE that DNS_DBADD_MERGE only be set when adding
7486 a rdataset to a zone db in the rbtdb implementation of
7489 1286. [bug] dns_name_downcase() enforce requirement that
7490 target != NULL or name->buffer != NULL.
7492 1285. [func] lwres: probe the system to see what address families
7493 are currently in use.
7495 1284. [bug] The RTT estimate on unused servers was not aged.
7498 1283. [func] Use "dataready" accept filter if available.
7500 1282. [port] libbind: hpux 11.11 interface scanning.
7502 1281. [func] Log zone when unable to get private keys to update
7503 zone. Log zone when NXT records are missing from
7506 1280. [bug] libbind: escape '(' and ')' when converting to
7509 1279. [port] Darwin uses (unsigned long) for size_t. [RT #2590]
7511 1278. [func] dig: now supports +[no]cl +[no]ttlid.
7513 1277. [func] You can now create your own customized printing
7514 styles: dns_master_stylecreate() and
7515 dns_master_styledestroy().
7517 1276. [bug] libbind: const pointer conflicts in res_debug.c.
7519 1275. [port] libbind: hpux: treat all hpux systems as BIG_ENDIAN.
7521 1274. [bug] Memory leak in lwres_gnbarequest_parse().
7523 1273. [port] libbind: solaris: 64 bit binary compatibility.
7525 1272. [contrib] Berkeley DB 4.0 sdb implementation from
7526 Nuno Miguel Rodrigues <nmr@co.sapo.pt>.
7528 1271. [bug] "recursion available: {denied,approved}" was too
7531 1270. [bug] Check that system inet_pton() and inet_ntop() support
7534 1269. [port] Openserver: ifconfig.sh support.
7536 1268. [port] Openserver: the value FD_SETSIZE depends on whether
7537 <sys/param.h> is included or not. Be consistent.
7539 1267. [func] isc_file_openunique() now creates file using mode
7540 0666 rather than 0600.
7542 1266. [bug] ISC_LINK_INIT, ISC_LINK_UNLINK, ISC_LIST_DEQUEUE,
7543 __ISC_LINK_UNLINKUNSAFE and __ISC_LIST_DEQUEUEUNSAFE
7544 are not C++ compatible, use *_TYPE versions instead.
7546 1265. [bug] libbind: LINK_INIT and UNLINK were not compatible with
7547 C++, use LINK_INIT_TYPE and UNLINK_TYPE instead.
7551 1263. [bug] Reference after free error if dns_dispatchmgr_create()
7554 1262. [bug] ns_server_destroy() failed to set *serverp to NULL.
7556 1261. [func] libbind: ns_sign2() and ns_sign_tcp() now provide
7557 support for compressed TSIG owner names.
7559 1260. [func] libbind: res_update can now update IPv6 servers,
7560 new function res_findzonecut2().
7562 1259. [bug] libbind: get_salen() IPv6 support was broken for OSs
7565 1258. [bug] libbind: res_nametotype() and res_nametoclass() were
7568 1257. [bug] Failure to write pid-file should not be fatal on
7571 1256. [contrib] 'queryperf' now has EDNS (-e) + DNSSEC DO (-D) support.
7573 1255. [bug] When verifying that an NXT proves nonexistence, check
7574 the rcode of the message and only do the matching NXT
7575 check. That is, for NXDOMAIN responses, check that
7576 the name is in the range between the NXT owner and
7577 next name, and for NOERROR NODATA responses, check
7578 that the type is not present in the NXT bitmap.
7580 1254. [func] preferred-glue option from BIND 8.3.
7582 1253. [bug] The dnssec system test failed to remove the correct
7585 1252. [bug] Dig, host and nslookup were not checking the address
7586 the answer was coming from against the address it was
7589 1251. [port] win32: a make file contained absolute version specific
7592 1250. [func] Nsupdate will report the address the update was
7595 1249. [bug] Missing masters clause was not handled gracefully.
7598 1248. [bug] DESTDIR was not being propagated between makes.
7600 1247. [bug] Don't reset the interface index for link/site local
7601 addresses. [RT #2576]
7603 1246. [func] New functions isc_sockaddr_issitelocal(),
7604 isc_sockaddr_islinklocal(), isc_netaddr_issitelocal()
7605 and isc_netaddr_islinklocal().
7607 1245. [bug] Treat ENOBUFS, ENOMEM and ENFILE as soft errors for
7610 1244. [bug] Receiving a TCP message from a blackhole address would
7611 prevent further messages being received over that
7614 1243. [bug] It was possible to trigger a REQUIRE() in
7615 dns_message_findtype(). [RT #2659]
7617 1242. [bug] named-checkzone failed if a journal existed. [RT #2657]
7619 1241. [bug] Drop received UDP messages with a zero source port
7620 as these are invariably forged. [RT #2621]
7622 1240. [bug] It was possible to leak zone references by
7623 specifying an incorrect zone to rndc.
7625 1239. [bug] Under certain circumstances named could continue to
7626 use a name after it had been freed triggering
7627 INSIST() failures. [RT #2614]
7629 1238. [bug] It is possible to lockup the server when shutting down
7630 if notifies were being processed. [RT #2591]
7632 1237. [bug] nslookup: "set q=type" failed.
7634 1236. [bug] dns_rdata{class,type}_fromtext() didn't handle non
7635 NULL terminated text regions. [RT #2588]
7637 1235. [func] Report 'out of memory' errors from openssl.
7639 1234. [bug] contrib/sdb: 'zonetodb' failed to call
7640 dns_result_register(). DNS_R_SEENINCLUDE should not
7643 1233. [bug] The flags field of a KEY record can be expressed in
7644 hex as well as decimal.
7646 1232. [bug] unix/errno2result() didn't handle EADDRNOTAVAIL.
7648 1231. [port] HPUX 11.11 recvmsg() can return spurious EADDRNOTAVAIL.
7650 1230. [bug] isccc_cc_isreply() and isccc_cc_isack() were broken.
7652 1229. [bug] named would crash if it received a TSIG signed
7653 query as part of an AXFR response. [RT #2570]
7655 1228. [bug] 'make install' did not depend on 'make all'. [RT #2559]
7657 1227. [bug] dns_lex_getmastertoken() now returns ISC_R_BADNUMBER
7658 if a number was expected and some other token was
7661 1226. [func] Use EDNS for zone refresh queries. [RT #2551]
7663 1225. [func] dns_message_setopt() no longer requires that
7664 dns_message_renderbegin() to have been called.
7666 1224. [bug] 'rrset-order' and 'sortlist' should be additive
7669 1223. [func] 'rrset-order' partially works 'cyclic' and 'random'
7672 1222. [bug] Specifying 'port *' did not always result in a system
7673 selected (non-reserved) port being used. [RT #2537]
7675 1221. [bug] Zone types 'master', 'slave' and 'stub' were not being
7676 compared case insensitively. [RT #2542]
7678 1220. [func] Support for APL rdata type.
7680 1219. [func] Named now reports the TSIG extended error code when
7681 signature verification fails. [RT #1651]
7683 1218. [bug] Named incorrectly returned SERVFAIL rather than
7684 NOTAUTH when there was a TSIG BADTIME error. [RT #2519]
7686 1217. [func] Report locations of previous key definition when a
7687 duplicate is detected.
7689 1216. [bug] Multiple server clauses for the same server were not
7690 reported. [RT #2514]
7692 1215. [port] solaris: add support to ifconfig.sh for x86 2.5.1
7694 1214. [bug] Win32: isc_file_renameunique() could leave zero length
7697 1213. [func] Report view associated with client if it is not a
7698 standard view (_default or _bind).
7700 1212. [port] libbind: 64k answer buffers were causing stack space
7701 to be exceeded for certain OS. Use heap space instead.
7703 1211. [bug] dns_name_fromtext() incorrectly handled certain
7704 valid octal bitlabels. [RT #2483]
7706 1210. [bug] libbind: getnameinfo() failed to lookup IPv4 mapped /
7707 compatible addresses. [RT #2461]
7709 1209. [bug] Dig, host, nslookup were not checking the message ids
7710 on the responses. [RT #2454]
7712 1208. [bug] dns_master_load*() failed to log a error message if
7713 an error was detected when parsing the ownername of
7714 a record. [RT #2448]
7716 1207. [bug] libbind: getaddrinfo() could call freeaddrinfo() with
7719 1206. [bug] SERVFAIL and NOTIMP responses to an EDNS query should
7720 trigger a non-EDNS retry.
7722 1205. [bug] OPT, TSIG and TKEY cannot be used to set the "class"
7723 of the message. [RT #2449]
7725 1204. [bug] libbind: res_nupdate() failed to update the name
7726 server addresses before sending the update.
7728 1203. [func] Report locations of previous acl and zone definitions
7729 when a duplicate is detected.
7731 1202. [func] New functions: cfg_obj_line() and cfg_obj_file().
7733 1201. [bug] Require that if 'callbacks' is passed to
7734 dns_rdata_fromtext(), callbacks->error and
7735 callbacks->warn are initialized.
7737 1200. [bug] Log 'errno' that we are unable to convert to
7738 isc_result_t. [RT #2404]
7740 1199. [doc] ARM reference to RFC 2157 should have been RFC 1918.
7743 1198. [bug] OPT printing style was not consistent with the way the
7744 header fields are printed. The DO bit was not reported
7745 if set. Report if any of the MBZ bits are set.
7747 1197. [bug] Attempts to define the same acl multiple times were not
7750 1196. [contrib] update mdnkit to 2.2.3.
7752 1195. [bug] Attempts to redefine builtin acls should be caught.
7755 1194. [bug] Not all duplicate zone definitions were being detected
7756 at the named.conf checking stage. [RT #2431]
7758 1193. [bug] dig +besteffort parsing didn't handle packet
7759 truncation. dns_message_parse() has new flag
7760 DNS_MESSAGE_IGNORETRUNCATION.
7762 1192. [bug] The seconds fields in LOC records were restricted
7763 to three decimal places. More decimal places should
7764 be allowed but warned about.
7766 1191. [bug] A dynamic update removing the last non-apex name in
7767 a secure zone would fail. [RT #2399]
7769 1190. [func] Add the "rndc freeze" and "rndc unfreeze" commands.
7772 1189. [bug] On some systems, malloc(0) returns NULL, which
7773 could cause the caller to report an out of memory
7776 1188. [bug] Dynamic updates of a signed zone would fail if
7777 some of the zone private keys were unavailable.
7779 1187. [bug] named was incorrectly returning DNSSEC records
7780 in negative responses when the DO bit was not set.
7782 1186. [bug] isc_hex_tobuffer(,,length = 0) failed to unget the
7783 EOL token when reading to end of line.
7785 1185. [bug] libbind: don't assume statp->_u._ext.ext is valid
7786 unless RES_INIT is set when calling res_*init().
7788 1184. [bug] libbind: call res_ndestroy() if RES_INIT is set
7789 when res_*init() is called.
7791 1183. [bug] Handle ENOSR error when writing to the internal
7792 control pipe. [RT #2395]
7794 1182. [bug] The server could throw an assertion failure when
7795 constructing a negative response packet.
7797 1181. [func] Add the "key-directory" configuration statement,
7798 which allows the server to look for online signing
7799 keys in alternate directories.
7801 1180. [func] dnssec-keygen should always generate keys with
7802 protocol 3 (DNSSEC), since it's less confusing
7805 1179. [func] Add SIG(0) support to nsupdate.
7807 1178. [bug] Follow and cache (if appropriate) A6 and other
7808 data chains to completion in the additional section.
7810 1177. [func] Report view when loading zones if it is not a
7811 standard view (_default or _bind). [RT #2270]
7813 1176. [doc] Document that allow-v6-synthesis is only performed
7814 for clients that are supplied recursive service.
7817 1175. [bug] named-checkzone and named-checkconf failed to call
7818 dns_result_register() at startup which could
7819 result in runtime exceptions when printing
7820 "out of memory" errors. [RT #2335]
7822 1174. [bug] Win32: add WSAECONNRESET to the expected errors
7823 from connect(). [RT #2308]
7825 1173. [bug] Potential memory leaks in isc_log_create() and
7826 isc_log_settag(). [RT #2336]
7828 1172. [doc] Add CERT, GPOS, KX, NAPTR, NSAP, PX and TXT to
7829 table of RR types in ARM.
7831 1171. [func] Added function isc_region_compare(), updated files in
7832 lib/dns to use this function instead of local one.
7834 1170. [bug] Don't attempt to print the token when a I/O error
7835 occurs when parsing named.conf. [RT #2275]
7837 1169. [func] Identify recursive queries in the query log.
7839 1168. [bug] Empty also-notify clauses were not handled. [RT #2309]
7841 1167. [contrib] nslint-2.1a3 (from author).
7843 1166. [bug] "Not Implemented" should be reported as NOTIMP,
7844 not NOTIMPL. [RT #2281]
7846 1165. [bug] We were rejecting notify-source{-v6} in zone clauses.
7848 1164. [bug] Empty masters clauses in slave / stub zones were not
7849 handled gracefully. [RT #2262]
7851 1163. [func] isc_time_formattimestamp() now includes the year.
7853 1162. [bug] The allow-notify option was not accepted in slave
7856 1161. [bug] named-checkzone looped on unbalanced brackets.
7859 1160. [bug] Generating Diffie-Hellman keys longer than 1024
7860 bits could fail. [RT #2241]
7862 1159. [bug] MD and MF are not permitted to be loaded by RFC1123.
7864 1158. [func] Report the client's address when logging notify
7867 1157. [func] match-clients and match-destinations now accept
7870 1156. [port] The configure test for strsep() incorrectly
7871 succeeded on certain patched versions of
7872 AIX 4.3.3. [RT #2190]
7874 1155. [func] Recover from master files being removed from under
7877 1154. [bug] Don't attempt to obtain the netmask of a interface
7878 if there is no address configured. [RT #2176]
7880 1153. [func] 'rndc {stop|halt} -p' now reports the process id
7881 of the instance of named being shutdown.
7883 1152. [bug] libbind: read buffer overflows.
7885 1151. [bug] nslookup failed to check that the arguments to
7886 the port, timeout, and retry options were
7887 valid integers and in range. [RT #2099]
7889 1150. [bug] named incorrectly accepted TTL values
7890 containing plus or minus signs, such as
7893 1149. [func] New function isc_parse_uint32().
7895 1148. [func] 'rndc-confgen -a' now provides positive feedback.
7897 1147. [func] Set IPV6_V6ONLY on IPv6 sockets if supported by
7898 the OS. listen-on-v6 { any; }; should no longer
7899 result in IPv4 queries be accepted. Similarly
7900 control { inet :: ... }; should no longer result
7901 in IPv4 connections being accepted. This can be
7902 overridden at compile time by defining
7905 1146. [func] Allow IPV6_IPV6ONLY to be set/cleared on a socket if
7906 supported by the OS by a new function
7907 isc_socket_ipv6only().
7909 1145. [func] "host" no longer reports a NOERROR/NODATA response
7910 by printing nothing. [RT #2065]
7912 1144. [bug] rndc-confgen would crash if both the -a and -t
7913 options were specified. [RT #2159]
7915 1143. [bug] When a trusted-keys statement was present and named
7916 was built without crypto support, it would leak memory.
7918 1142. [bug] dnssec-signzone would fail to delete temporary files
7919 in some failure cases. [RT #2144]
7921 1141. [bug] When named rejected a control message, it would
7922 leak a file descriptor and memory. It would also
7923 fail to respond, causing rndc to hang.
7926 1140. [bug] rndc-confgen did not accept IPv6 addresses as arguments
7927 to the -s option. [RT #2138]
7929 1139. [func] It is now possible to flush a given name from the
7930 cache(s) via 'rndc flushname name [view]'. [RT #2051]
7932 1138. [func] It is now possible to flush a given name from the
7933 cache by calling the new function
7934 dns_cache_flushname().
7936 1137. [func] It is now possible to flush a given name from the
7937 ADB by calling the new function dns_adb_flushname().
7939 1136. [bug] CNAME records synthesized from DNAMEs did not
7940 have a TTL of zero as required by RFC2672.
7943 1135. [func] You can now override the default syslog() facility for
7944 named/lwresd at compile time. [RT #1982]
7946 1134. [bug] Multi-threaded servers could deadlock in ferror()
7947 when reloading zone files. [RT #1951, #1998]
7949 1133. [bug] IN6_IS_ADDR_LOOPBACK was not portably defined on
7950 platforms without IN6_IS_ADDR_LOOPBACK. [RT #2106]
7952 1132. [func] Improve UPDATE prerequisite failure diagnostic messages.
7954 1131. [bug] The match-destinations view option did not work with
7955 IPv6 destinations. [RT #2073, #2074]
7957 1130. [bug] Log messages reporting an out-of-range serial number
7958 did not include the out-of-range number but the
7959 following token. [RT #2076]
7961 1129. [bug] Multi-threaded servers could crash under heavy
7962 resolution load due to a race condition. [RT #2018]
7964 1128. [func] sdb drivers can now provide RR data in either text
7965 or wire format, the latter using the new functions
7966 dns_sdb_putrdata() and dns_sdb_putnamedrdata().
7968 1127. [func] rndc: If the server to contact has multiple addresses,
7971 1126. [bug] The server could access a freed event if shut
7972 down while a client start event was pending
7973 delivery. [RT #2061]
7975 1125. [bug] rndc: -k option was missing from usage message.
7978 1124. [doc] dig: +[no]dnssec, +[no]besteffort and +[no]fail
7979 are now documented. [RT #2052]
7981 1123. [bug] dig +[no]fail did not match description. [RT #2052]
7983 1122. [tuning] Resolution timeout reduced from 90 to 30 seconds.
7986 1121. [bug] The server could attempt to access a NULL zone
7987 table if shut down while resolving.
7990 1120. [bug] Errors in options were not fatal. [RT #2002]
7992 1119. [func] Added support in Win32 for NTFS file/directory ACL's
7995 1118. [bug] On multi-threaded servers, a race condition
7996 could cause an assertion failure in resolver.c
7997 during resolver shutdown. [RT #2029]
7999 1117. [port] The configure check for in6addr_loopback incorrectly
8000 succeeded on AIX 4.3 when compiling with -O2
8001 because the test code was optimized away.
8004 1116. [bug] Setting transfers in a server clause, transfers-in,
8005 or transfers-per-ns to a value greater than
8006 2147483647 disabled transfers. [RT #2002]
8008 1115. [func] Set maximum values for cleaning-interval,
8009 heartbeat-interval, interface-interval,
8010 max-transfer-idle-in, max-transfer-idle-out,
8011 max-transfer-time-in, max-transfer-time-out,
8012 statistics-interval of 28 days and
8013 sig-validity-interval of 3660 days. [RT #2002]
8015 1114. [port] Ignore more accept() errors. [RT #2021]
8017 1113. [bug] The allow-update-forwarding option was ignored
8018 when specified in a view. [RT #2014]
8022 1111. [bug] Multi-threaded servers could deadlock processing
8023 recursive queries due to a locking hierarchy
8024 violation in adb.c. [RT #2017]
8026 1110. [bug] dig should only accept valid abbreviations of +options.
8029 1109. [bug] nsupdate accepted illegal ttl values.
8031 1108. [bug] On Win32, rndc was hanging when named was not running
8032 due to failure to select for exceptional conditions
8033 in select(). [RT #1870]
8035 1107. [bug] nsupdate could catch an assertion failure if an
8036 invalid domain name was given as the argument to
8039 1106. [bug] After seeing an out of range TTL, nsupdate would
8040 treat all TTLs as out of range. [RT #2001]
8042 1105. [port] OpenUNIX 8 enable threads by default. [RT #1970]
8044 1104. [bug] Invalid arguments to the transfer-format option
8045 could cause an assertion failure. [RT #1995]
8047 1103. [port] OpenUNIX 8 support (ifconfig.sh). [RT #1970]
8049 1102. [doc] Note that query logging is enabled by directing the
8050 queries category to a channel.
8052 1101. [bug] Array bounds read error in lwres_gai_strerror.
8054 1100. [bug] libbind: DNSSEC key ids were computed incorrectly.
8056 1099. [cleanup] libbind: defining REPORT_ERRORS in lib/bind/dst caused
8057 compile time errors.
8059 1098. [bug] libbind: HMAC-MD5 key files are now mode 0600.
8061 1097. [func] libbind: RES_PRF_TRUNC for dig.
8063 1096. [func] libbind: "DNSSEC OK" (DO) support.
8065 1095. [func] libbind: resolver option: no-tld-query. disables
8066 trying unqualified as a tld. no_tld_query is also
8067 supported for FreeBSD compatibility.
8069 1094. [func] libbind: add support gcc's format string checking.
8071 1093. [doc] libbind: miscellaneous nroff fixes.
8073 1092. [bug] libbind: get*by*() failed to check if res_init() had
8076 1091. [bug] libbind: misplaced va_end().
8078 1090. [bug] libbind: dns_ho.c:add_hostent() was not returning
8079 the amount of memory consumed resulting in garbage
8080 address being returned. Alignment calculations were
8081 wasting space. We weren't suppressing duplicate
8084 1089. [func] libbind: inet_{cidr,net}_{pton,ntop}() now have IPv6
8087 1088. [port] libbind: MPE/iX C.70 (incomplete)
8089 1087. [bug] libbind: struct __res_state too large on 64 bit arch.
8091 1086. [port] libbind: sunos: old sprintf.
8093 1085. [port] libbind: solaris: sys_nerr and sys_errlist do not
8094 exist when compiling in 64 bit mode.
8096 1084. [cleanup] libbind: gai_strerror() rewritten.
8098 1083. [bug] The default control channel listened on the
8099 wildcard address, not the loopback as documented.
8102 1082. [bug] The -g option to named incorrectly caused logging
8103 to be sent to syslog in addition to stderr.
8106 1081. [bug] Multicast queries were incorrectly identified
8107 based on the source address, not the destination
8110 1080. [bug] BIND 8 compatibility: accept bare IP prefixes
8111 as the second element of a two-element top level
8112 sort list statement. [RT #1964]
8114 1079. [bug] BIND 8 compatibility: accept bare elements at top
8115 level of sort list treating them as if they were
8116 a single element list. [RT #1963]
8118 1078. [bug] We failed to correct bad tv_usec values in one case.
8121 1077. [func] Do not accept further recursive clients when
8122 the total number of recursive lookups being
8123 processed exceeds max-recursive-clients, even
8124 if some of the lookups are internally generated.
8127 1076. [bug] A badly defined global key could trigger an assertion
8128 on load/reload if views were used. [RT #1947]
8130 1075. [bug] Out-of-range network prefix lengths were not
8131 reported. [RT #1954]
8133 1074. [bug] Running out of memory in dump_rdataset() could
8134 cause an assertion failure. [RT #1946]
8136 1073. [bug] The ADB cache cleaning should also be space driven.
8139 1072. [bug] The TCP client quota could be exceeded when
8140 recursion occurred. [RT #1937]
8142 1071. [bug] Sockets listening for TCP DNS connections
8143 specified an excessive listen backlog. [RT #1937]
8145 1070. [bug] Copy DNSSEC OK (DO) to response as specified by
8146 draft-ietf-dnsext-dnssec-okbit-03.txt.
8150 1068. [bug] errno could be overwritten by catgets(). [RT #1921]
8152 1067. [func] Allow quotas to be soft, isc_quota_soft().
8154 1066. [bug] Provide a thread safe wrapper for strerror().
8157 1065. [func] Runtime support to select new / old style interface
8158 scanning using ioctls.
8160 1064. [bug] Do not shut down active network interfaces if we
8161 are unable to scan the interface list. [RT #1921]
8163 1063. [bug] libbind: "make install" was failing on IRIX.
8166 1062. [bug] If the control channel listener socket was shut
8167 down before server exit, the listener object could
8168 be freed twice. [RT #1916]
8170 1061. [bug] If periodic cache cleaning happened to start
8171 while cleaning due to reaching the configured
8172 maximum cache size was in progress, the server
8173 could catch an assertion failure. [RT #1912]
8175 1060. [func] Move refresh, stub and notify UDP retry processing
8178 1059. [func] dns_request now support will now retry UDP queries,
8179 dns_request_createvia2() and dns_request_createraw2().
8181 1058. [func] Limited lifetime ticker timers are now available,
8182 isc_timertype_limited.
8184 1057. [bug] Reloading the server after adding a "file" clause
8185 to a zone statement could cause the server to
8186 crash due to a typo in change 1016.
8188 1056. [bug] Rndc could catch an assertion failure on SIGINT due
8189 to an uninitialized variable. [RT #1908]
8191 1055. [func] Version and hostname queries can now be disabled
8192 using "version none;" and "hostname none;",
8195 1054. [bug] On Win32, cfg_categories and cfg_modules need to be
8196 exported from the libisccfg DLL.
8198 1053. [bug] Dig did not increase its timeout when receiving
8199 AXFRs unless the +time option was used. [RT #1904]
8201 1052. [bug] Journals were not being created in binary mode
8202 resulting in "journal format not recognized" error
8203 under Win32. [RT #1889]
8205 1051. [bug] Do not ignore a network interface completely just
8206 because it has a noncontiguous netmask. Instead,
8207 omit it from the localnets ACL and issue a warning.
8210 1050. [bug] Log messages reporting malformed IP addresses in
8211 address lists such as that of the forwarders option
8212 failed to include the correct error code, file
8213 name, and line number. [RT #1890]
8215 1049. [func] "pid-file none;" will disable writing a pid file.
8218 1048. [bug] Servers built with -DISC_MEM_USE_INTERNAL_MALLOC=1
8221 1047. [bug] named was incorrectly refusing all requests signed
8222 with a TSIG key derived from an unsigned TKEY
8223 negotiation with a NOERROR response. [RT #1886]
8225 1046. [bug] The help message for the --with-openssl configure
8226 option was inaccurate. [RT #1880]
8228 1045. [bug] It was possible to skip saving glue for a nameserver
8231 1044. [bug] Specifying allow-transfer, notify-source, or
8232 notify-source-v6 in a stub zone was not treated
8235 1043. [bug] Specifying a transfer-source or transfer-source-v6
8236 option in the zone statement for a master zone was
8237 not treated as an error. [RT #1876]
8239 1042. [bug] The "config" logging category did not work properly.
8242 1041. [bug] Dig/host/nslookup could catch an assertion failure
8243 on SIGINT due to an uninitialized variable. [RT #1867]
8245 1040. [bug] Multiple listen-on-v6 options with different ports
8246 were not accepted. [RT #1875]
8248 1039. [bug] Negative responses with CNAMEs in the answer section
8249 were cached incorrectly. [RT #1862]
8251 1038. [bug] In servers configured with a tkey-domain option,
8252 TKEY queries with an owner name other than the root
8253 could cause an assertion failure. [RT #1866, #1869]
8255 1037. [bug] Negative responses whose authority section contain
8256 SOA or NS records whose owner names are not equal
8257 equal to or parents of the query name should be
8258 rejected. [RT #1862]
8260 1036. [func] Silently drop requests received via multicast as
8261 long as there is no final multicast DNS standard.
8263 1035. [bug] If we respond to multicast queries (which we
8264 currently do not), respond from a unicast address
8265 as specified in RFC 1123. [RT #137]
8267 1034. [bug] Ignore the RD bit on multicast queries as specified
8268 in RFC 1123. [RT #137]
8270 1033. [bug] Always respond to requests with an unsupported opcode
8271 with NOTIMP, even if we don't have a matching view
8272 or cannot determine the class.
8274 1032. [func] hostname.bind/txt/chaos now returns the name of
8275 the machine hosting the nameserver. This is useful
8276 in diagnosing problems with anycast servers.
8278 1031. [bug] libbind.a: isc__gettimeofday() infinite recursion.
8281 1030. [bug] On systems with no resolv.conf file, nsupdate
8282 exited with an error rather than defaulting
8283 to using the loopback address. [RT #1836]
8285 1029. [bug] Some named.conf errors did not cause the loading
8286 of the configuration file to return a failure
8287 status even though they were logged. [RT #1847]
8289 1028. [bug] On Win32, dig/host/nslookup looked for resolv.conf
8290 in the wrong directory. [RT #1833]
8292 1027. [bug] RRs having the reserved type 0 should be rejected.
8297 1025. [bug] Don't use multicast addresses to resolve iterative
8300 1024. [port] Compilation failed on HP-UX 11.11 due to
8301 incompatible use of the SIOCGLIFCONF macro
8304 1023. [func] Accept hints without TTLs.
8306 1022. [bug] Don't report empty root hints as "extra data".
8309 1021. [bug] On Win32, log message timestamps were one month
8310 later than they should have been, and the server
8311 would exhibit unspecified behavior in December.
8313 1020. [bug] IXFR log messages did not distinguish between
8314 true IXFRs, AXFR-style IXFRs, and mere version
8317 1019. [bug] The value of the lame-ttl option was limited to 18000
8318 seconds, not 1800 seconds as documented. [RT #1803]
8320 1018. [bug] The default log channel was not always initialized
8321 correctly. [RT #1813]
8323 1017. [bug] When specifying TSIG keys to dig and nsupdate using
8324 the -k option, they must be HMAC-MD5 keys. [RT #1810]
8326 1016. [bug] Slave zones with no backup file were re-transferred
8327 on every server reload.
8329 1015. [bug] Log channels that had a "versions" option but no
8330 "size" option failed to create numbered log
8333 1014. [bug] Some queries would cause statistics counters to
8334 increment more than once or not at all. [RT #1321]
8336 1013. [bug] It was possible to cancel a query twice when marking
8337 a server as bogus or by having a blackhole acl.
8340 1012. [bug] The -p option to named did not behave as documented.
8342 1011. [cleanup] Removed isc_dir_current().
8344 1010. [bug] The server could attempt to execute a command channel
8345 command after initiating server shutdown, causing
8346 an assertion failure. [RT #1766]
8348 1009. [port] OpenUNIX 8 support. [RT #1728]
8350 1008. [port] libtool.m4, ltmain.sh from libtool-1.4.2.
8352 1007. [port] config.guess, config.sub from autoconf-2.52.
8354 1006. [bug] If a KEY RR was found missing during DNSSEC validation,
8355 an assertion failure could subsequently be triggered
8356 in the resolver. [RT #1763]
8358 1005. [bug] Don't copy nonzero RCODEs from request to response.
8361 1004. [port] Deal with recvfrom() returning EHOSTDOWN. [RT #1770]
8363 1003. [func] Add the +retry option to dig.
8365 1002. [bug] When reporting an unknown class name in named.conf,
8366 including the file name and line number. [RT #1759]
8368 1001. [bug] win32 socket code doio_recv was not catching a
8369 WSACONNRESET error when a client was timing out
8370 the request and closing its socket. [RT #1745]
8372 1000. [bug] BIND 8 compatibility: accept "HESIOD" as an alias
8373 for class "HS". [RT #1759]
8375 999. [func] "rndc retransfer zone [class [view]]" added.
8378 998. [func] named-checkzone now has arguments to specify the
8379 chroot directory (-t) and working directory (-w).
8382 997. [func] Add support for RSA-SHA1 keys (RFC3110).
8384 996. [func] Issue warning if the configuration filename contains
8387 995. [bug] dig, host, nslookup: using a raw IPv6 address as a
8388 target address should be fatal on a IPv4 only system.
8390 994. [func] Treat non-authoritative responses to queries for type
8391 NS as referrals even if the NS records are in the
8392 answer section, because BIND 8 servers incorrectly
8393 send them that way. This is necessary for DNSSEC
8394 validation of the NS records of a secure zone to
8395 succeed when the parent is a BIND 8 server. [RT #1706]
8397 993. [func] dig: -v now reports the version.
8399 992. [doc] dig: ~/.digrc is now documented.
8401 991. [func] Lower UDP refresh timeout messages to level
8404 990. [bug] The rndc-confgen man page was not installed.
8406 989. [bug] Report filename if $INCLUDE fails for file related
8409 988. [bug] 'additional-from-auth no;' did not work reliably
8410 in the case of queries answered from the cache.
8413 987. [bug] "dig -help" didn't show "+[no]stats".
8415 986. [bug] "dig +noall" failed to clear stats and command
8418 985. [func] Consider network interfaces to be up iff they have
8419 a nonzero IP address rather than based on the
8420 IFF_UP flag. [RT #1160]
8422 984. [bug] Multi-threading should be enabled by default on
8423 Solaris 2.7 and newer, but it wasn't.
8425 983. [func] The server now supports generating IXFR difference
8426 sequences for non-dynamic zones by comparing zone
8427 versions, when enabled using the new config
8428 option "ixfr-from-differences". [RT #1727]
8430 982. [func] If "memstatistics-file" is set in options the memory
8431 statistics will be written to it.
8433 981. [func] The dnssec tools can now take multiple '-r randomfile'
8436 980. [bug] Incoming zone transfers restarting after an error
8437 could trigger an assertion failure. [RT #1692]
8439 979. [func] Incremental master file dumping. dns_master_dumpinc(),
8440 dns_master_dumptostreaminc(), dns_dumpctx_attach(),
8441 dns_dumpctx_detach(), dns_dumpctx_cancel(),
8442 dns_dumpctx_db() and dns_dumpctx_version().
8444 978. [bug] dns_db_attachversion() had an invalid REQUIRE()
8447 977. [bug] Improve "not at top of zone" error message.
8449 976. [func] named-checkconf can now test load master zones
8450 (named-checkconf -z). [RT #1468]
8452 975. [bug] "max-cache-size default;" as a view option
8453 caused an assertion failure.
8455 974. [bug] "max-cache-size unlimited;" as a global option
8458 973. [bug] Failed to log the question name when logging:
8459 "bad zone transfer request: non-authoritative zone
8462 972. [bug] The file modification time code in zone.c was using the
8463 wrong epoch. [RT #1667]
8467 970. [func] 'max-journal-size' can now be used to set a target
8470 969. [func] dig now supports the undocumented dig 8 feature
8471 of allowing arbitrary labels, not just dotted
8472 decimal quads, with the -x option. This can be
8473 used to conveniently look up RFC2317 names as in
8474 "dig -x 10.0.0.0-127". [RT #827, #1576, #1598]
8476 968. [bug] On win32, the isc_time_now() function was unnecessarily
8477 calling strtime(). [RT #1671]
8479 967. [bug] On win32, the link for bindevt was not including the
8480 required resource file to enable the event viewer
8481 to interpret the error messages in the event log,
8486 965. [bug] Including data other than root server NS and A
8487 records in the root hint file could cause a rbtdb
8488 node reference leak. [RT #1581, #1618]
8490 964. [func] Warn if data other than root server NS and A records
8491 are found in the root hint file. [RT #1581, #1618]
8493 963. [bug] Bad ISC_LANG_ENDDECLS. [RT #1645]
8495 962. [bug] libbind: bad "#undef", don't attempt to install
8496 non-existent nlist.h. [RT #1640]
8498 961. [bug] Tried to use a IPV6 feature when ISC_PLATFORM_HAVEIPV6
8499 was not defined. [RT #1482]
8501 960. [port] liblwres failed to build on systems with support for
8502 getrrsetbyname() in the OS. [RT #1592]
8504 959. [port] On FreeBSD, determine the number of CPUs by calling
8505 sysctlbyname(). [RT #1584]
8507 958. [port] ssize_t is not available on all platforms. [RT #1607]
8509 957. [bug] sys/select.h inclusion was broken on older platforms.
8512 956. [bug] ns_g_autorndcfile changed to ns_g_keyfile
8513 in named/win32/os.c due to code changes in
8514 change #953. win32 .make file for rndc-confgen
8515 updated to add include path for os.h header.
8517 --- 9.2.0rc1 released ---
8519 955. [bug] When using views, the zone's class was not being
8520 inherited from the view's class. [RT #1583]
8522 954. [bug] When requesting AXFRs or IXFRs using dig, host, or
8523 nslookup, the RD bit should not be set as zone
8524 transfers are inherently non-recursive. [RT #1575]
8526 953. [func] The /var/run/named.key file from change #843
8527 has been replaced by /etc/rndc.key. Both
8528 named and rndc will look for this file and use
8529 it to configure a default control channel key
8530 if not already configured using a different
8531 method (rndc.conf / controls). Unlike
8532 named.key, rndc.key is not created automatically;
8533 it must be created by manually running
8536 952. [bug] The server required manual intervention to serve the
8537 affected zones if it died between creating a journal
8538 and committing the first change to it.
8540 951. [bug] CFLAGS was not passed to the linker when
8541 linking some of the test programs under
8542 bin/tests. [RT #1555].
8544 950. [bug] Explicit TTLs did not properly override $TTL
8545 due to a bug in change 834. [RT #1558]
8547 949. [bug] host was unable to print records larger than 512
8550 --- 9.2.0b2 released ---
8552 948. [port] Integrated support for building on Windows NT /
8555 947. [bug] dns_rdata_soa_t had a badly named element "mname" which
8556 was really the RNAME field from RFC1035. To avoid
8557 confusion and silent errors that would occur it the
8558 "origin" and "mname" elements were given their correct
8559 names "mname" and "rname" respectively, the "mname"
8560 element is renamed to "contact".
8562 946. [cleanup] doc/misc/options is now machine-generated from the
8563 configuration parser syntax tables, and therefore
8564 more likely to be correct.
8566 945. [func] Add the new view-specific options
8567 "match-destinations" and "match-recursive-only".
8569 944. [func] Check for expired signatures on load.
8571 943. [bug] The server could crash when receiving a command
8572 via rndc if the configuration file listed only
8573 nonexistent keys in the controls statement. [RT #1530]
8575 942. [port] libbind: GETNETBYADDR_ADDR_T was not correctly
8576 defined on some platforms.
8578 941. [bug] The configuration checker crashed if a slave
8579 zone didn't contain a masters statement. [RT #1514]
8581 940. [bug] Double zone locking failure on error path. [RT #1510]
8583 --- 9.2.0b1 released ---
8585 939. [port] Add the --disable-linux-caps option to configure for
8586 systems that manage capabilities outside of named.
8591 937. [bug] A race when shutting down a zone could trigger a
8592 INSIST() failure. [RT #1034]
8594 936. [func] Warn about IPv4 addresses that are not complete
8595 dotted quads. [RT #1084]
8597 935. [bug] inet_pton failed to reject leading zeros.
8599 934. [port] Deal with systems where accept() spuriously returns
8602 933. [bug] configure failed doing libbind on platforms not
8603 supported by BIND 8. [RT #1496]
8605 --- 9.2.0a3 released ---
8607 932. [bug] Use INSTALL_SCRIPT, not INSTALL_PROGRAM,
8608 when installing isc-config.sh.
8611 931. [bug] The controls statement only attempted to verify
8612 messages using the first key in the key list.
8615 930. [func] Query performance testing tool added as
8620 928. [bug] nsupdate would send empty update packets if the
8621 send (or empty line) command was run after
8622 another send but before any new updates or
8623 prerequisites were specified. It should simply
8624 ignore this command.
8626 927. [bug] Don't hold the zone lock for the entire dump to disk.
8629 926. [bug] The resolver could deadlock with the ADB when
8630 shutting down (multi-threaded builds only).
8633 925. [cleanup] Remove openssl from the distribution; require that
8634 --with-openssl be specified if DNSSEC is needed.
8636 924. [port] Extend support for pre-RFC2133 IPv6 implementation.
8639 923. [bug] Multiline TSIG secrets (and other multiline strings)
8640 were not accepted in named.conf. [RT #1469]
8642 922. [func] Added two new lwres_getrrsetbyname() result codes,
8643 ERR_NONAME and ERR_NODATA.
8645 921. [bug] lwres returned an incorrect error code if it received
8646 a truncated message.
8648 920. [func] Increase the lwres receive buffer size to 16K.
8653 918. [func] In nsupdate, TSIG errors are no longer treated as
8656 917. [func] New nsupdate command 'key', allowing TSIG keys to
8657 be specified in the nsupdate command stream rather
8658 than the command line.
8660 916. [bug] Specifying type ixfr to dig without specifying
8661 a serial number failed in unexpected ways.
8663 915. [func] The named-checkconf and named-checkzone programs
8664 now have a '-v' option for printing their version.
8667 914. [bug] Global 'server' statements were rejected when
8668 using views, even though they were accepted
8671 913. [bug] Cache cleaning was not sufficiently aggressive.
8674 912. [bug] Attempts to set the 'additional-from-cache' or
8675 'additional-from-auth' option to 'no' in a
8676 server with recursion enabled will now
8677 be ignored and cause a warning message.
8682 910. [port] Some pre-RFC2133 IPv6 implementations do not define
8683 IN6ADDR_ANY_INIT. [RT #1416]
8687 908. [func] New program, rndc-confgen, to simplify setting up rndc.
8689 907. [func] The ability to get entropy from either the
8690 random device, a user-provided file or from
8691 the keyboard was migrated from the DNSSEC tools
8692 to libisc as isc_entropy_usebestsource().
8694 906. [port] Separated the system independent portion of
8695 lib/isc/unix/entropy.c into lib/isc/entropy.c
8696 and added lib/isc/win32/entropy.c.
8698 905. [bug] Configuring a forward "zone" for the root domain
8699 did not work. [RT #1418]
8701 904. [bug] The server would leak memory if attempting to use
8702 an expired TSIG key. [RT #1406]
8704 903. [bug] dig should not crash when receiving a TCP packet
8707 902. [bug] The -d option was ignored if both -t and -g were also
8712 900. [bug] A config.guess update changed the system identification
8713 string of FreeBSD systems; configure and
8714 bin/tests/system/ifconfig.sh now recognize the new
8717 --- 9.2.0a2 released ---
8719 899. [bug] lib/dns/soa.c failed to compile on many platforms
8720 due to inappropriate use of a void value.
8721 [RT #1372, #1373, #1386, #1387, #1395]
8723 898. [bug] "dig" failed to set a nonzero exit status
8724 on UDP query timeout. [RT #1323]
8726 897. [bug] A config.guess update changed the system identification
8727 string of UnixWare systems; configure now recognizes
8730 896. [bug] If a configuration file is set on named's command line
8731 and it has a relative pathname, the current directory
8732 (after any possible jailing resulting from named -t)
8733 will be prepended to it so that reloading works
8734 properly even when a directory option is present.
8736 895. [func] New function, isc_dir_current(), akin to POSIX's
8739 894. [bug] When using the DNSSEC tools, a message intended to warn
8740 when the keyboard was being used because of the lack
8741 of a suitable random device was not being printed.
8743 893. [func] Removed isc_file_test() and added isc_file_exists()
8744 for the basic functionality that was being added
8745 with isc_file_test().
8749 891. [bug] Return an error when a SIG(0) signed response to
8750 an unsigned query is seen. This should actually
8751 do the verification, but it's not currently
8752 possible. [RT #1391]
8754 890. [cleanup] The man pages no longer require the mandoc macros
8755 and should now format cleanly using most versions of
8756 nroff, and HTML versions of the man pages have been
8757 added. Both are generated from DocBook source.
8759 889. [port] Eliminated blank lines before .TH in nroff man
8760 pages since they cause problems with some versions
8761 of nroff. [RT #1390]
8763 888. [bug] Don't die when using TKEY to delete a nonexistent
8764 TSIG key. [RT #1392]
8766 887. [port] Detect broken compilers that can't call static
8767 functions from inline functions. [RT #1212]
8809 866. [func] Close debug only file channels when debug is set to
8812 865. [bug] The new configuration parser did not allow
8813 the optional debug level in a "severity debug"
8814 clause of a logging channel to be omitted.
8815 This is now allowed and treated as "severity
8816 debug 1;" like it does in BIND 8.2.4, not as
8817 "severity debug 0;" like it did in BIND 9.1.
8820 864. [cleanup] Multi-threading is now enabled by default on
8821 OSF1, Solaris 2.7 and newer, AIX, IRIX, and HP-UX.
8823 863. [bug] If an error occurred while an outgoing zone transfer
8824 was starting up, the server could access a domain
8825 name that had already been freed when logging a
8826 message saying that the transfer was starting.
8829 862. [bug] Use after realloc(), non portable pointer arithmetic in
8832 861. [port] Add support for Mac OS X, by making it equivalent
8833 to Darwin. This was derived from the config.guess
8834 file shipped with Mac OS X. [RT #1355]
8836 860. [func] Drop cross class glue in zone transfers.
8838 859. [bug] Cache cleaning now won't swamp the CPU if there
8839 is a persistent over limit condition.
8841 858. [func] isc_mem_setwater() no longer requires that when the
8842 callback function is non-NULL then its hi_water
8843 argument must be greater than its lo_water argument
8844 (they can now be equal) or that they be non-zero.
8846 857. [cleanup] Use ISC_MAGIC() to define all magic numbers for
8847 structs, for our friends in EBCDIC-land.
8849 856. [func] Allow partial rdatasets to be returned in answer and
8850 authority sections to help non-TCP capable clients
8851 recover from truncation. [RT #1301]
8853 855. [bug] Stop spurious "using RFC 1035 TTL semantics" warnings.
8855 854. [bug] The config parser didn't properly handle config
8856 options that were specified in units of time other
8857 than seconds. [RT #1372]
8859 853. [bug] configure_view_acl() failed to detach existing acls.
8862 852. [bug] Handle responses from servers which do not know
8865 851. [cleanup] The obsolete support-ixfr option was not properly
8868 --- 9.2.0a1 released ---
8870 850. [bug] dns_rbt_findnode() would not find nodes that were
8871 split on a bitstring label somewhere other than in
8872 the last label of the node. [RT #1351]
8874 849. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined.
8876 848. [func] A minimum max-cache-size of two megabytes is enforced
8877 by the cache cleaner.
8879 847. [func] Added isc_file_test(), which currently only has
8880 some very basic functionality to test for the
8881 existence of a file, whether a pathname is absolute,
8882 or whether a pathname is the fundamental representation
8883 of the current directory. It is intended that this
8884 function can be expanded to test other things a
8885 programmer might want to know about a file.
8887 846. [func] A non-zero 'param' to dst_key_generate() when making an
8888 hmac-md5 key means that good entropy is not required.
8890 845. [bug] The access rights on the public file of a symmetric
8891 key are now restricted as soon as the file is opened,
8892 rather than after it has been written and closed.
8894 844. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined,
8895 just as <lwres/net.h> does.
8897 843. [func] If no controls statement is present in named.conf,
8898 or if any inet phrase of a controls statement is
8899 lacking a keys clause, then a key will be automatically
8900 generated by named and an rndc.conf-style file
8901 named named.key will be written that uses it. rndc
8902 will use this file only if its normal configuration
8903 file, or one provided on the command line, does not
8906 842. [func] 'rndc flush' now takes an optional view.
8908 841. [bug] When sdb modules were not declared threadsafe, their
8909 create and destroy functions were not serialized.
8911 840. [bug] The config file parser could print the wrong file
8912 name if an error was detected after an included file
8913 was parsed. [RT #1353]
8915 839. [func] Dump packets for which there was no view or that the
8916 class could not be determined to category "unmatched".
8918 838. [port] UnixWare 7.x.x is now suported by
8919 bin/tests/system/ifconfig.sh.
8921 837. [cleanup] Multi-threading is now enabled by default only on
8922 OSF1, Solaris 2.7 and newer, and AIX.
8924 836. [func] Upgraded libtool to 1.4.
8926 835. [bug] The dispatcher could enter a busy loop if
8927 it got an I/O error receiving on a UDP socket.
8930 834. [func] Accept (but warn about) master files beginning with
8931 an SOA record without an explicit TTL field and
8932 lacking a $TTL directive, by using the SOA MINTTL
8933 as a default TTL. This is for backwards compatibility
8934 with old versions of BIND 8, which accepted such
8935 files without warning although they are illegal
8936 according to RFC1035.
8938 833. [cleanup] Moved dns_soa_*() from <dns/journal.h> to
8939 <dns/soa.h>, and extended them to support
8940 all the integer-valued fields of the SOA RR.
8942 832. [bug] The default location for named.conf in named-checkconf
8943 should depend on --sysconfdir like it does in named.
8948 830. [func] Implement 'rndc status'.
8950 829. [bug] The DNS_R_ZONECUT result code should only be returned
8951 when an ANY query is made with DNS_DBFIND_GLUEOK set.
8952 In all other ANY query cases, returning the delegation
8955 828. [bug] The errno value from recvfrom() could be overwritten
8956 by logging code. [RT #1293]
8958 827. [bug] When an IXFR protocol error occurs, the slave
8959 should retry with AXFR.
8961 826. [bug] Some IXFR protocol errors were not detected.
8963 825. [bug] zone.c:ns_query() detached from the wrong zone
8964 reference. [RT #1264]
8966 824. [bug] Correct line numbers reported by dns_master_load().
8969 823. [func] The output of "dig -h" now goes to stdout so that it
8970 can easily be piped through "more". [RT #1254]
8972 822. [bug] Sending nxrrset prerequisites would crash nsupdate.
8975 821. [bug] The program name used when logging to syslog should
8976 be stripped of leading path components.
8979 820. [bug] Name server address lookups failed to follow
8980 A6 chains into the glue of local authoritative
8983 819. [bug] In certain cases, the resolver's attempts to
8984 restart an address lookup at the root could cause
8985 the fetch to deadlock (with itself) instead of
8986 restarting. [RT #1225]
8988 818. [bug] Certain pathological responses to ANY queries could
8989 cause an assertion failure. [RT #1218]
8991 817. [func] Adjust timeouts for dialup zone queries.
8993 816. [bug] Report potential problems with log file accessibility
8994 at configuration time, since such problems can't
8995 reliably be reported at the time they actually occur.
8997 815. [bug] If a log file was specified with a path separator
8998 character (i.e. "/") in its name and the directory
8999 did not exist, the log file's name was treated as
9000 though it were the directory name. [RT #1189]
9002 814. [bug] Socket objects left over from accept() failures
9003 were incorrectly destroyed, causing corruption
9004 of socket manager data structures.
9006 813. [bug] File descriptors exceeding FD_SETSIZE were handled
9009 812. [bug] dig sometimes printed incomplete IXFR responses
9010 due to an uninitialized variable. [RT #1188]
9012 811. [bug] Parentheses were not quoted in zone dumps. [RT #1194]
9014 810. [bug] The signer name in SIG records was not properly
9015 down-cased when signing/verifying records. [RT #1186]
9017 809. [bug] Configuring a non-local address as a transfer-source
9018 could cause an assertion failure during load.
9020 808. [func] Add 'rndc flush' to flush the server's cache.
9022 807. [bug] When setting up TCP connections for incoming zone
9023 transfers, the transfer-source port was not
9024 ignored like it should be.
9026 806. [bug] DNS_R_SEENINCLUDE was failing to propagate back up
9027 the calling stack to the zone maintenance level,
9028 causing zones to not reload when an included file was
9029 touched but the top-level zone file was not.
9031 805. [bug] When using "forward only", missing root hints should
9032 not cause queries to fail. [RT #1143]
9034 804. [bug] Attempting to obtain entropy could fail in some
9035 situations. This would be most common on systems
9036 with user-space threads. [RT #1131]
9038 803. [bug] Treat all SIG queries as if they have the CD bit set,
9039 otherwise no data will be returned [RT #749]
9041 802. [bug] DNSSEC key tags were computed incorrectly in almost
9042 all cases. [RT #1146]
9044 801. [bug] nsupdate should treat lines beginning with ';' as
9045 comments. [RT #1139]
9047 800. [bug] dnssec-signzone produced incorrect statistics for
9048 large zones. [RT #1133]
9050 799. [bug] The ADB didn't find AAAA glue in a zone unless A6
9051 glue was also present.
9053 798. [bug] nsupdate should be able to reject bad input lines
9054 and continue. [RT #1130]
9056 797. [func] Issue a warning if the 'directory' option contains
9057 a relative path. [RT #269]
9059 796. [func] When a size limit is associated with a log file,
9060 only roll it when the size is reached, not every
9061 time the log file is opened. [RT #1096]
9063 795. [func] Add the +multiline option to dig. [RT #1095]
9065 794. [func] Implement the "port" and "default-port" statements
9068 793. [cleanup] The DNSSEC tools could create filenames that were
9069 illegal or contained shell meta-characters. They
9070 now use a different text encoding of names that
9071 doesn't have these problems. [RT #1101]
9073 792. [cleanup] Replace the OMAPI command channel protocol with a
9076 791. [bug] The command channel now works over IPv6.
9078 790. [bug] Wildcards created using dynamic update or IXFR
9079 could fail to match. [RT #1111]
9081 789. [bug] The "localhost" and "localnets" ACLs did not match
9082 when used as the second element of a two-element
9085 788. [func] Add the "match-mapped-addresses" option, which
9086 causes IPv6 v4mapped addresses to be treated as
9087 IPv4 addresses for the purpose of acl matching.
9089 787. [bug] The DNSSEC tools failed to downcase domain
9090 names when mapping them into file names.
9092 786. [bug] When DNSSEC signing/verifying data, owner names were
9093 not properly down-cased.
9095 785. [bug] A race condition in the resolver could cause
9096 an assertion failure. [RT #673, #872, #1048]
9098 784. [bug] nsupdate and other programs would not quit properly
9099 if some signals were blocked by the caller. [RT #1081]
9101 783. [bug] Following CNAMEs could cause an assertion failure
9102 when either using an sdb database or under very
9105 782. [func] Implement the "serial-query-rate" option.
9107 781. [func] Avoid error packet loops by dropping duplicate FORMERR
9108 responses. [RT #1006]
9110 780. [bug] Error handling code dealing with out of memory or
9111 other rare errors could lead to assertion failures
9112 by calling functions on uninitialized names. [RT #1065]
9114 779. [func] Added the "minimal-responses" option.
9116 778. [bug] When starting cache cleaning, cleaning_timer_action()
9117 returned without first pausing the iterator, which
9118 could cause deadlock. [RT #998]
9120 777. [bug] An empty forwarders list in a zone failed to override
9121 global forwarders. [RT #995]
9123 776. [func] Improved error reporting in denied messages. [RT #252]
9127 774. [func] max-cache-size is implemented.
9129 773. [func] Added isc_rwlock_trylock() to attempt to lock without
9132 772. [bug] Owner names could be incorrectly omitted from cache
9133 dumps in the presence of negative caching entries.
9136 771. [cleanup] TSIG errors related to unsynchronized clocks
9137 are logged better. [RT #919]
9139 770. [func] Add the "edns yes_or_no" statement to the server
9142 769. [func] Improved error reporting when parsing rdata. [RT #740]
9144 768. [bug] The server did not emit an SOA when a CNAME
9145 or DNAME chain ended in NXDOMAIN in an
9150 766. [bug] A few cases in query_find() could leak fname.
9151 This would trigger the mpctx->allocated == 0
9152 assertion when the server exited.
9153 [RT #739, #776, #798, #812, #818, #821, #845,
9156 765. [func] ACL names are once again case insensitive, like
9157 in BIND 8. [RT #252]
9159 764. [func] Configuration files now allow "include" directives
9160 in more places, such as inside the "view" statement.
9161 [RT #377, #728, #860]
9163 763. [func] Configuration files no longer have reserved words.
9166 762. [cleanup] The named.conf and rndc.conf file parsers have
9167 been completely rewritten.
9169 761. [bug] _REENTRANT was still defined when building with
9172 760. [contrib] Significant enhancements to the pgsql sdb driver.
9174 759. [bug] The resolver didn't turn off "avoid fetches" mode
9175 when restarting, possibly causing resolution
9176 to fail when it should not. This bug only affected
9177 platforms which support both IPv4 and IPv6. [RT #927]
9179 758. [bug] The "avoid fetches" code did not treat negative
9180 cache entries correctly, causing fetches that would
9181 be useful to be avoided. This bug only affected
9182 platforms which support both IPv4 and IPv6. [RT #927]
9184 757. [func] Log zone transfers.
9186 756. [bug] dns_zone_load() could "return" success when no master
9187 file was configured.
9189 755. [bug] Fix incorrectly formatted log messages in zone.c.
9191 754. [bug] Certain failure conditions sending UDP packets
9192 could cause the server to retry the transmission
9193 indefinitely. [RT #902]
9195 753. [bug] dig, host, and nslookup would fail to contact a
9196 remote server if getaddrinfo() returned an IPv6
9197 address on a system that doesn't support IPv6.
9200 752. [func] Correct bad tv_usec elements returned by
9203 751. [func] Log successful zone loads / transfers. [RT #898]
9205 750. [bug] A query should not match a DNAME whose trust level
9206 is pending. [RT #916]
9208 749. [bug] When a query matched a DNAME in a secure zone, the
9209 server did not return the signature of the DNAME.
9212 748. [doc] List supported RFCs in doc/misc/rfc-compliance.
9215 747. [bug] The code to determine whether an IXFR was possible
9216 did not properly check for a database that could
9217 not have a journal. [RT #865, #908]
9219 746. [bug] The sdb didn't clone rdatasets properly, causing
9220 a crash when the server followed delegations. [RT #905]
9222 745. [func] Report the owner name of records that fail
9223 semantic checks while loading.
9225 744. [bug] When returning DNS_R_CNAME or DNS_R_DNAME as the
9226 result of an ANY or SIG query, the resolver failed
9227 to setup the return event's rdatasets, causing an
9228 assertion failure in the query code. [RT #881]
9230 743. [bug] Receiving a large number of certain malformed
9231 answers could cause named to stop responding.
9236 741. [port] Support openssl-engine. [RT #709]
9238 740. [port] Handle openssl library mismatches slightly better.
9240 739. [port] Look for /dev/random in configure, rather than
9241 assuming it will be there for only a predefined
9244 738. [bug] If a non-threadsafe sdb driver supported AXFR and
9245 received an AXFR request, it would deadlock or die
9246 with an assertion failure. [RT #852]
9248 737. [port] stdtime.c failed to compile on certain platforms.
9250 736. [func] New functions isc_task_{begin,end}exclusive().
9252 735. [doc] Add BIND 4 migration notes.
9254 734. [bug] An attempt to re-lock the zone lock could occur if
9255 the server was shutdown during a zone transfer.
9258 733. [bug] Reference counts of dns_acl_t objects need to be
9259 locked but were not. [RT #801, #821]
9261 732. [bug] Glue with 0 TTL could also cause SERVFAIL. [RT #828]
9263 731. [bug] Certain zone errors could cause named-checkzone to
9264 fail ungracefully. [RT #819]
9266 730. [bug] lwres_getaddrinfo() returns the correct result when
9267 it fails to contact a server. [RT #768]
9269 729. [port] pthread_setconcurrency() needs to be called on Solaris.
9271 728. [bug] Fix comment processing on master file directives.
9274 727. [port] Work around OS bug where accept() succeeds but
9275 fails to fill in the peer address of the accepted
9276 connection, by treating it as an error rather than
9277 an assertion failure. [RT #809]
9279 726. [func] Implement the "trace" and "notrace" commands in rndc.
9281 725. [bug] Installing man pages could fail.
9283 724. [func] New libisc functions isc_netaddr_any(),
9286 723. [bug] Referrals whose NS RRs had a 0 TTL caused the resolver
9287 to return DNS_R_SERVFAIL. [RT #783]
9289 722. [func] Allow incremental loads to be canceled.
9291 721. [cleanup] Load manager and dns_master_loadfilequota() are no
9294 720. [bug] Server could enter infinite loop in
9295 dispatch.c:do_cancel(). [RT #733]
9297 719. [bug] Rapid reloads could trigger an assertion failure.
9300 718. [cleanup] "internal" is no longer a reserved word in named.conf.
9303 717. [bug] Certain TKEY processing failure modes could
9304 reference an uninitialized variable, causing the
9305 server to crash. [RT #750]
9307 716. [bug] The first line of a $INCLUDE master file was lost if
9308 an origin was specified. [RT #744]
9310 715. [bug] Resolving some A6 chains could cause an assertion
9311 failure in adb.c. [RT #738]
9313 714. [bug] Preserve interval timers across reloads unless changed.
9316 713. [func] named-checkconf takes '-t directory' similar to named.
9319 712. [bug] Sending a large signed update message caused an
9320 assertion failure. [RT #718]
9322 711. [bug] The libisc and liblwres implementations of
9323 inet_ntop contained an off by one error.
9325 710. [func] The forwarders statement now takes an optional
9328 709. [bug] ANY or SIG queries for data with a TTL of 0
9329 would return SERVFAIL. [RT #620]
9331 708. [bug] When building with --with-openssl, the openssl headers
9332 included with BIND 9 should not be used. [RT #702]
9334 707. [func] The "filename" argument to named-checkzone is no
9335 longer optional, to reduce confusion. [RT #612]
9337 706. [bug] Zones with an explicit "allow-update { none; };"
9338 were considered dynamic and therefore not reloaded
9339 on SIGHUP or "rndc reload".
9341 705. [port] Work out resource limit type for use where rlim_t is
9342 not available. [RT #695]
9344 704. [port] RLIMIT_NOFILE is not available on all platforms.
9347 703. [port] sys/select.h is needed on older platforms. [RT #695]
9349 702. [func] If the address 0.0.0.0 is seen in resolv.conf,
9350 use 127.0.0.1 instead. [RT #693]
9352 701. [func] Root hints are now fully optional. Class IN
9353 views use compiled-in hints by default, as
9354 before. Non-IN views with no root hints now
9355 provide authoritative service but not recursion.
9356 A warning is logged if a view has neither root
9357 hints nor authoritative data for the root. [RT #696]
9359 700. [bug] $GENERATE range check was wrong. [RT #688]
9361 699. [bug] The lexer mishandled empty quoted strings. [RT #694]
9363 698. [bug] Aborting nsupdate with ^C would lead to several
9366 697. [bug] nsupdate was not compatible with the undocumented
9367 BIND 8 behavior of ignoring TTLs in "update delete"
9370 696. [bug] lwresd would die with an assertion failure when passed
9371 a zero-length name. [RT #692]
9373 695. [bug] If the resolver attempted to query a blackholed or
9374 bogus server, the resolution would fail immediately.
9376 694. [bug] $GENERATE did not produce the last entry.
9379 693. [bug] An empty lwres statement in named.conf caused
9380 the server to crash while loading.
9382 692. [bug] Deal with systems that have getaddrinfo() but not
9383 gai_strerror(). [RT #679]
9385 691. [bug] Configuring per-view forwarders caused an assertion
9386 failure. [RT #675, #734]
9388 690. [func] $GENERATE now supports DNAME. [RT #654]
9390 689. [doc] man pages are now installed. [RT #210]
9392 688. [func] "make tags" now works on systems with the
9393 "Exuberant Ctags" etags.
9395 687. [bug] Only say we have IPv6, with sufficient functionality,
9396 if it has actually been tested. [RT #586]
9398 686. [bug] dig and nslookup can now be properly aborted during
9399 blocking operations. [RT #568]
9401 685. [bug] nslookup should use the search list/domain options
9402 from resolv.conf by default. [RT #405, #630]
9404 684. [bug] Memory leak with view forwarders. [RT #656]
9406 683. [bug] File descriptor leak in isc_lex_openfile().
9408 682. [bug] nslookup displayed SOA records incorrectly. [RT #665]
9410 681. [bug] $GENERATE specifying output format was broken. [RT #653]
9412 680. [bug] dns_rdata_fromstruct() mishandled options bigger
9415 679. [bug] $INCLUDE could leak memory and file descriptors on
9418 678. [bug] "transfer-format one-answer;" could trigger an assertion
9421 677. [bug] dnssec-signzone would occasionally use the wrong ttl
9422 for database operations and fail. [RT #643]
9424 676. [bug] Log messages about lame servers to category
9425 'lame-servers' rather than 'resolver', so as not
9426 to be gratuitously incompatible with BIND 8.
9428 675. [bug] TKEY queries could cause the server to leak
9431 674. [func] Allow messages to be TSIG signed / verified using
9432 a offset from the current time.
9434 673. [func] The server can now convert RFC1886-style recursive
9435 lookup requests into RFC2874-style lookups, when
9436 enabled using the new option "allow-v6-synthesis".
9438 672. [bug] The wrong time was in the "time signed" field when
9439 replying with BADTIME error.
9441 671. [bug] The message code was failing to parse a message with
9442 no question section and a TSIG record. [RT #628]
9444 670. [bug] The lwres replacements for getaddrinfo and
9445 getipnodebyname didn't properly check for the
9446 existence of the sockaddr sa_len field.
9448 669. [bug] dnssec-keygen now makes the public key file
9449 non-world-readable for symmetric keys. [RT #403]
9451 668. [func] named-checkzone now reports multiple errors in master
9454 667. [bug] On Linux, running named with the -u option and a
9455 non-world-readable configuration file didn't work.
9458 666. [bug] If a request sent by dig is longer than 512 bytes,
9461 665. [bug] Signed responses were not sent when the size of the
9462 TSIG + question exceeded the maximum message size.
9465 664. [bug] The t_tasks and t_timers module tests are now skipped
9466 when building without threads, since they require
9469 663. [func] Accept a size_spec, not just an integer, in the
9470 (unimplemented and ignored) max-ixfr-log-size option
9471 for compatibility with recent versions of BIND 8.
9474 662. [bug] dns_rdata_fromtext() failed to log certain errors.
9476 661. [bug] Certain UDP IXFR requests caused an assertion failure
9477 (mpctx->allocated == 0). [RT #355, #394, #623]
9479 660. [port] Detect multiple CPUs on HP-UX and IRIX.
9481 659. [performance] Rewrite the name compression code to be much faster.
9483 658. [cleanup] Remove all vestiges of 16 bit global compression.
9485 657. [bug] When a listen-on statement in an lwres block does not
9486 specify a port, use 921, not 53. Also update the
9487 listen-on documentation. [RT #616]
9489 656. [func] Treat an unescaped newline in a quoted string as
9490 an error. This means that TXT records with missing
9491 close quotes should have meaningful errors printed.
9493 655. [bug] Improve error reporting on unexpected eof when loading
9496 654. [bug] Origin was being forgotten in TCP retries in dig.
9499 653. [bug] +defname option in dig was reversed in sense.
9502 652. [bug] zone_saveunique() did not report the new name.
9504 651. [func] The AD bit in responses now has the meaning
9505 specified in <draft-ietf-dnsext-ad-is-secure>.
9507 650. [bug] SIG(0) records were being generated and verified
9508 incorrectly. [RT #606]
9510 649. [bug] It was possible to join to an already running fctx
9511 after it had "cloned" its events, but before it sent
9512 them. In this case, the event of the newly joined
9513 fetch would not contain the answer, and would
9514 trigger the INSIST() in fctx_sendevents(). In
9515 BIND 9.0, this bug did not trigger an INSIST(), but
9516 caused the fetch to fail with a SERVFAIL result.
9517 [RT #588, #597, #605, #607]
9519 648. [port] Add support for pre-RFC2133 IPv6 implementations.
9521 647. [bug] Resolver queries sent after following multiple
9522 referrals had excessively long retransmission
9523 timeouts due to incorrectly counting the referrals
9526 646. [bug] The UnixWare ISC_PLATFORM_FIXIN6INADDR fix in isc/net.h
9527 didn't _cleanly_ fix the problem it was trying to fix.
9529 645. [port] BSD/OS 3.0 needs pthread_init(). [RT #603]
9531 644. [bug] #622 needed more work. [RT #562]
9533 643. [bug] xfrin error messages made more verbose, added class
9534 of the zone. [RT# 599]
9536 642. [bug] Break the exit_check() race in the zone module.
9539 --- 9.1.0b2 released ---
9541 641. [bug] $GENERATE caused a uninitialized link to be used.
9544 640. [bug] Memory leak in error path could cause
9545 "mpctx->allocated == 0" failure. [RT #584]
9547 639. [bug] Reading entropy from the keyboard would sometimes fail.
9550 638. [port] lib/isc/random.c needed to explicitly include time.h
9551 to get a prototype for time() when pthreads was not
9552 being used. [RT #592]
9554 637. [port] Use isc_u?int64_t instead of (unsigned) long long in
9555 lib/isc/print.c. Also allow lib/isc/print.c to
9556 be compiled even if the platform does not need it.
9559 636. [port] Shut up MSVC++ about a possible loss of precision
9560 in the ISC__BUFFER_PUTUINT*() macros. [RT #592]
9562 635. [bug] Reloading a server with a configured blackhole list
9563 would cause an assertion. [RT #590]
9565 634. [bug] A log file will completely stop being written when
9566 it reaches the maximum size in all cases, not just
9567 when versioning is also enabled. [RT #570]
9569 633. [port] Cope with rlim_t missing on BSD/OS systems. [RT #575]
9571 632. [bug] The index array of the journal file was
9572 corrupted as it was written to disk.
9574 631. [port] Build without thread support on systems without
9577 630. [bug] Locking failure in zone code. [RT #582]
9579 629. [bug] 9.1.0b1 dereferenced a null pointer and crashed
9580 when responding to a UDP IXFR request.
9582 628. [bug] If the root hints contained only AAAA addresses,
9583 named would be unable to perform resolution.
9585 627. [bug] The EDNS0 blackhole detection code of change 324
9586 waited for three retransmissions to each server,
9587 which takes much too long when a domain has many
9588 name servers and all of them drop EDNS0 queries.
9589 Now we retry without EDNS0 after three consecutive
9590 timeouts, even if they are all from different
9593 626. [bug] The lightweight resolver daemon no longer crashes
9594 when asked for a SIG rrset. [RT #558]
9596 625. [func] Zones now inherit their class from the enclosing view.
9598 624. [bug] The zone object could get timer events after it had
9599 been destroyed, causing a server crash. [RT #571]
9601 623. [func] Added "named-checkconf" and "named-checkzone" program
9602 for syntax checking named.conf files and zone files,
9605 622. [bug] A canceled request could be destroyed before
9606 dns_request_destroy() was called. [RT #562]
9608 621. [port] Disable IPv6 at runtime if IPv6 sockets are unusable.
9609 This mostly affects Red Hat Linux 7.0, which has
9610 conflicts between libc and the kernel.
9612 620. [bug] dns_master_load*inc() now require 'task' and 'load'
9613 to be non-null. Also 'done' will not be called if
9614 dns_master_load*inc() fails immediately. [RT #565]
9618 618. [bug] Queries to a signed zone could sometimes cause
9619 an assertion failure.
9621 617. [bug] When using dynamic update to add a new RR to an
9622 existing RRset with a different TTL, the journal
9623 entries generated from the update did not include
9624 explicit deletions and re-additions of the existing
9625 RRs to update their TTL to the new value.
9627 616. [func] dnssec-signzone -t output now includes performance
9630 615. [bug] dnssec-signzone did not like child keysets signed
9633 614. [bug] Checks for uninitialized link fields were prone
9634 to false positives, causing assertion failures.
9635 The checks are now disabled by default and may
9636 be re-enabled by defining ISC_LIST_CHECKINIT.
9638 613. [bug] "rndc reload zone" now reloads primary zones.
9639 It previously only updated slave and stub zones,
9640 if an SOA query indicated an out of date serial.
9642 612. [cleanup] Shutup a ridiculously noisy HP-UX compiler that
9643 complains relentlessly about how its treatment
9644 of 'const' has changed as well as how casting
9645 sometimes tightens alignment constraints.
9647 611. [func] allow-notify can be used to permit processing of
9648 notify messages from hosts other than a slave's
9651 610. [func] rndc dumpdb is now supported.
9653 609. [bug] getrrsetbyname() would crash lwresd if the server
9654 found more SIGs than answers. [RT #554]
9656 608. [func] dnssec-signzone now adds a comment to the zone
9657 with the time the file was signed.
9659 607. [bug] nsupdate would fail if it encountered a CNAME or
9660 DNAME in a response to an SOA query. [RT #515]
9662 606. [bug] Compiling with --disable-threads failed due
9663 to isc_thread_self() being incorrectly defined
9664 as an integer rather than a function.
9666 605. [func] New function isc_lex_getlasttokentext().
9668 604. [bug] The named.conf parser could print incorrect line
9669 numbers when long comments were present.
9671 603. [bug] Make dig handle multiple types or classes on the same
9672 query more correctly.
9674 602. [func] Cope automatically with UnixWare's broken
9675 IN6_IS_ADDR_* macros. [RT #539]
9677 601. [func] Return a non-zero exit code if an update fails
9680 600. [bug] Reverse lookups sometimes failed in dig, etc...
9682 599. [func] Added four new functions to the libisc log API to
9683 support i18n messages. isc_log_iwrite(),
9684 isc_log_ivwrite(), isc_log_iwrite1() and
9685 isc_log_ivwrite1() were added.
9687 598. [bug] An update-policy statement would cause the server
9688 to assert while loading. [RT #536]
9690 597. [func] dnssec-signzone is now multi-threaded.
9692 596. [bug] DNS_RDATASLAB_FORCE and DNS_RDATASLAB_EXACT are
9693 not mutually exclusive.
9695 595. [port] On Linux 2.2, socket() returns EINVAL when it
9696 should return EAFNOSUPPORT. Work around this.
9699 594. [func] sdb drivers are now assumed to not be thread-safe
9700 unless the DNS_SDBFLAG_THREADSAFE flag is supplied.
9702 593. [bug] If a secure zone was missing all its NXTs and
9703 a dynamic update was attempted, the server entered
9706 592. [bug] The sig-validity-interval option now specifies a
9707 number of days, not seconds. This matches the
9708 documentation. [RT #529]
9710 --- 9.1.0b1 released ---
9712 591. [bug] Work around non-reentrancy in openssl by disabling
9713 pre-computation in keys.
9715 590. [doc] There are now man pages for the lwres library in
9718 589. [bug] The server could deadlock if a zone was updated
9719 while being transferred out.
9721 588. [bug] ctx->in_use was not being correctly initialized when
9722 when pushing a file for $INCLUDE. [RT #523]
9724 587. [func] A warning is now printed if the "allow-update"
9725 option allows updates based on the source IP
9726 address, to alert users to the fact that this
9727 is insecure and becoming increasingly so as
9728 servers capable of update forwarding are being
9731 586. [bug] multiple views with the same name were fatal. [RT #516]
9733 585. [func] dns_db_addrdataset() and and dns_rdataslab_merge()
9734 now support 'exact' additions in a similar manner to
9735 dns_db_subtractrdataset() and dns_rdataslab_subtract().
9737 584. [func] You can now say 'notify explicit'; to suppress
9738 notification of the servers listed in NS records
9739 and notify only those servers listed in the
9740 'also-notify' option.
9742 583. [func] "rndc querylog" will now toggle logging of
9743 queries, like "ndc querylog" in BIND 8.
9745 582. [bug] dns_zone_idetach() failed to lock the zone.
9748 581. [bug] log severity was not being correctly processed.
9751 580. [func] Ignore trailing garbage on incoming DNS packets,
9752 for interoperability with broken server
9753 implementations. [RT #491]
9755 579. [bug] nsupdate did not take a filename to read update from.
9758 578. [func] New config option "notify-source", to specify the
9759 source address for notify messages.
9761 577. [func] Log illegal RDATA combinations. e.g. multiple
9762 singleton types, cname and other data.
9764 576. [doc] isc_log_create() description did not match reality.
9766 575. [bug] isc_log_create() was not setting internal state
9767 correctly to reflect the default channels created.
9769 574. [bug] TSIG signed queries sent by the resolver would fail to
9770 have their responses validated and would leak memory.
9772 573. [bug] The journal files of IXFRed slave zones were
9773 inadvertently discarded on server reload, causing
9774 "journal out of sync with zone" errors on subsequent
9777 572. [bug] Quoted strings were not accepted as key names in
9778 address match lists.
9780 571. [bug] It was possible to create an rdataset of singleton
9781 type which had more than one rdata. [RT #154]
9784 570. [bug] rbtdb.c allowed zones containing nodes which had
9785 both a CNAME and "other data". [RT #154]
9787 569. [func] The DNSSEC AD bit will not be set on queries which
9788 have not requested a DNSSEC response.
9790 568. [func] Add sample simple database drivers in contrib/sdb.
9792 567. [bug] Setting the zone transfer timeout to zero caused an
9793 assertion failure. [RT #302]
9795 566. [func] New public function dns_timer_setidle().
9797 565. [func] Log queries more like BIND 8: query logging is now
9798 done to category "queries", level "info". [RT #169]
9800 564. [func] Add sortlist support to lwresd.
9802 563. [func] New public functions dns_rdatatype_format() and
9803 dns_rdataclass_format(), for convenient formatting
9804 of rdata type/class mnemonics in log messages.
9806 562. [cleanup] Moved lib/dns/*conf.c to bin/named where they belong.
9808 561. [func] The 'datasize', 'stacksize', 'coresize' and 'files'
9809 clauses of the options{} statement are now implemented.
9811 560. [bug] dns_name_split did not properly the resulting prefix
9812 when a maximal length bitstring label was split which
9813 was preceded by another bitstring label. [RT #429]
9815 559. [bug] dns_name_split did not properly create the suffix
9816 when splitting within a maximal length bitstring label.
9818 558. [func] New functions, isc_resource_getlimit and
9819 isc_resource_setlimit.
9821 557. [func] Symbolic constants for libisc integral types.
9823 556. [func] The DNSSEC OK bit in the EDNS extended flags
9824 is now implemented. Responses to queries without
9825 this bit set will not contain any DNSSEC records.
9827 555. [bug] A slave server attempting a zone transfer could
9828 crash with an assertion failure on certain
9829 malformed responses from the master. [RT #457]
9831 554. [bug] In some cases, not all of the dnssec tools were
9834 553. [bug] Incoming zone transfers deferred due to quota
9835 were not started when quota was increased but
9836 only when a transfer in progress finished. [RT #456]
9838 552. [bug] We were not correctly detecting the end of all c-style
9841 551. [func] Implemented the 'sortlist' option.
9843 550. [func] Support unknown rdata types and classes.
9845 549. [bug] "make" did not immediately abort the build when a
9846 subdirectory make failed [RT #450].
9848 548. [func] The lexer now ungets tokens more correctly.
9852 546. [func] Option 'lame-ttl' is now implemented.
9854 545. [func] Name limit and counting options removed from dig;
9855 they didn't work properly, and cannot be correctly
9856 implemented without significant changes.
9858 544. [func] Add statistics option, enable statistics-file option,
9859 add RNDC option "dump-statistics" to write out a
9860 query statistics file.
9862 543. [doc] The 'port' option is now documented.
9864 542. [func] Add support for update forwarding as required for
9865 full compliance with RFC2136. It is turned off
9866 by default and can be enabled using the
9867 'allow-update-forwarding' option.
9869 541. [func] Add bogus server support.
9871 540. [func] Add dialup support.
9873 539. [func] Support the blackhole option.
9875 538. [bug] fix buffer overruns by 1 in lwres_getnameinfo().
9879 536. [func] Use transfer-source{-v6} when sending refresh queries.
9880 Transfer-source{-v6} now take a optional port
9881 parameter for setting the UDP source port. The port
9882 parameter is ignored for TCP.
9884 535. [func] Use transfer-source{-v6} when forwarding update
9887 534. [func] Ancestors have been removed from RBT chains. Ancestor
9888 information can be discerned via node parent pointers.
9890 533. [func] Incorporated name hashing into the RBT database to
9891 improve search speed.
9893 532. [func] Implement DNS UPDATE pseudo records using
9894 DNS_RDATA_UPDATE flag.
9896 531. [func] Rdata really should be initialized before being assigned
9897 to (dns_rdata_fromwire(), dns_rdata_fromtext(),
9898 dns_rdata_clone(), dns_rdata_fromregion()),
9901 530. [func] New function dns_rdata_invalidate().
9903 529. [bug] 521 contained a bug which caused zones to always
9906 528. [func] The ISC_LIST_XXXX macros now perform sanity checks
9907 on their arguments. ISC_LIST_XXXXUNSAFE can be use
9908 to skip the checks however use with caution.
9910 527. [func] New function dns_rdata_clone().
9912 526. [bug] nsupdate incorrectly refused to add RRs with a TTL
9915 525. [func] New arguments 'options' for dns_db_subtractrdataset(),
9916 and 'flags' for dns_rdataslab_subtract() allowing you
9917 to request that the RR's must exist prior to deletion.
9918 DNS_R_NOTEXACT is returned if the condition is not met.
9920 524. [func] The 'forward' and 'forwarders' statement in
9921 non-forward zones should work now.
9923 523. [doc] The source to the Administrator Reference Manual is
9924 now an XML file using the DocBook DTD, and is included
9925 in the distribution. The plain text version of the
9926 ARM is temporarily unavailable while we figure out
9927 how to generate readable plain text from the XML.
9929 522. [func] The lightweight resolver daemon can now use
9930 a real configuration file, and its functionality
9931 can be provided by a name server. Also, the -p and -P
9932 options to lwresd have been reversed.
9934 521. [bug] Detect master files which contain $INCLUDE and always
9937 520. [bug] Upgraded libtool to 1.3.5, which makes shared
9938 library builds almost work on AIX (and possibly
9941 519. [bug] dns_name_split() would improperly split some bitstring
9942 labels, zeroing a few of the least significant bits in
9943 the prefix part. When such an improperly created
9944 prefix was returned to the RBT database, the bogus
9945 label was dutifully stored, corrupting the tree.
9948 518. [bug] The resolver did not realize that a DNAME which was
9949 "the answer" to the client's query was "the answer",
9950 and such queries would fail. [RT #399]
9952 517. [bug] The resolver's DNAME code would trigger an assertion
9953 if there was more than one DNAME in the chain.
9956 516. [bug] Cache lookups which had a NULL node pointer, e.g.
9957 those by dns_view_find(), and which would match a
9958 DNAME, would trigger an INSIST(!search.need_cleanup)
9959 assertion. [RT #399]
9961 515. [bug] The ssu table was not being attached / detached
9962 by dns_zone_[sg]etssutable. [RT#397]
9964 514. [func] Retry refresh and notify queries if they timeout.
9967 513. [func] New functionality added to rdnc and server to allow
9968 individual zones to be refreshed or reloaded.
9970 512. [bug] The zone transfer code could throw an exception with
9971 an invalid IXFR stream.
9973 511. [bug] The message code could throw an assertion on an
9974 out of memory failure. [RT #392]
9976 510. [bug] Remove spurious view notify warning. [RT #376]
9978 509. [func] Add support for write of zone files on shutdown.
9980 508. [func] dns_message_parse() can now do a best-effort
9981 attempt, which should allow dig to print more invalid
9984 507. [func] New functions dns_zone_flush(), dns_zt_flushanddetach()
9985 and dns_view_flushanddetach().
9987 506. [func] Do not fail to start on errors in zone files.
9989 505. [bug] nsupdate was printing "unknown result code". [RT #373]
9991 504. [bug] The zone was not being marked as dirty when updated via
9994 503. [bug] dumptime was not being set along with
9995 DNS_ZONEFLG_NEEDDUMP.
9997 502. [func] On a SERVFAIL reply, DiG will now try the next server
9998 in the list, unless the +fail option is specified.
10000 501. [bug] Incorrect port numbers were being displayed by
10001 nslookup. [RT #352]
10003 500. [func] Nearly useless +details option removed from DiG.
10005 499. [func] In DiG, specifying a class with -c or type with -t
10006 changes command-line parsing so that classes and
10007 types are only recognized if following -c or -t.
10008 This allows hosts with the same name as a class or
10009 type to be looked up.
10011 498. [doc] There is now a man page for "dig"
10012 in doc/man/bin/dig.1.
10014 497. [bug] The error messages printed when an IP match list
10015 contained a network address with a nonzero host
10016 part where not sufficiently detailed. [RT #365]
10018 496. [bug] named didn't sanity check numeric parameters. [RT #361]
10020 495. [bug] nsupdate was unable to handle large records. [RT #368]
10022 494. [func] Do not cache NXDOMAIN responses for SOA queries.
10024 493. [func] Return non-cachable (ttl = 0) NXDOMAIN responses
10025 for SOA queries. This makes it easier to locate
10026 the containing zone without polluting intermediate
10029 492. [bug] attempting to reload a zone caused the server fail
10030 to shutdown cleanly. [RT #360]
10032 491. [bug] nsupdate would segfault when sending certain
10033 prerequisites with empty RDATA. [RT #356]
10035 490. [func] When a slave/stub zone has not yet successfully
10036 obtained an SOA containing the zone's configured
10037 retry time, perform the SOA query retries using
10038 exponential backoff. [RT #337]
10040 489. [func] The zone manager now has a "i/o" queue.
10042 488. [bug] Locks weren't properly destroyed in some cases.
10044 487. [port] flockfile() is not defined on all systems.
10046 486. [bug] nslookup: "set all" and "server" commands showed
10047 the incorrect port number if a port other than 53
10048 was specified. [RT #352]
10050 485. [func] When dig had more than one server to query, it would
10051 send all of the messages at the same time. Add
10052 rate limiting of the transmitted messages.
10054 484. [bug] When the server was reloaded after removing addresses
10055 from the named.conf "listen-on" statement, sockets
10056 were still listening on the removed addresses due
10057 to reference count loops. [RT #325]
10059 483. [bug] nslookup: "set all" showed a "search" option but it
10062 482. [bug] nslookup: a plain "server" or "lserver" should be
10063 treated as a lookup.
10065 481. [bug] nslookup:get_next_command() stack size could exceed
10068 480. [bug] strtok() is not thread safe. [RT #349]
10070 479. [func] The test suite can now be run by typing "make check"
10071 or "make test" at the top level.
10073 478. [bug] "make install" failed if the directory specified with
10074 --prefix did not already exist.
10076 477. [bug] The the isc-config.sh script could be installed before
10077 its directory was created. [RT #324]
10079 476. [bug] A zone could expire while a zone transfer was in
10080 progress triggering a INSIST failure. [RT #329]
10082 475. [bug] query_getzonedb() sometimes returned a non-null version
10083 on failure. This caused assertion failures when
10084 generating query responses where names subject to
10085 additional section processing pointed to a zone
10086 to which access had been denied by means of the
10087 allow-query option. [RT #336]
10089 474. [bug] The mnemonic of the CHAOS class is CH according to
10090 RFC1035, but it was printed and read only as CHAOS.
10091 We now accept both forms as input, and print it
10094 473. [bug] nsupdate overran the end of the list of name servers
10095 when no servers could be reached, typically causing
10096 it to print the error message "dns_request_create:
10099 472. [bug] Off-by-one error caused isc_time_add() to sometimes
10100 produce invalid time values.
10102 471. [bug] nsupdate didn't compile on HP/UX 10.20
10104 470. [func] $GENERATE is now supported. See also
10105 doc/misc/migration.
10107 469. [bug] "query-source address * port 53;" now works.
10109 468. [bug] dns_master_load*() failed to report file and line
10110 number in certain error conditions.
10112 467. [bug] dns_master_load*() failed to log an error if
10115 466. [bug] dns_master_load*() could return success when it failed.
10117 465. [cleanup] Allow 0 to be set as an omapi_value_t value by
10118 omapi_value_storeint().
10120 464. [cleanup] Build with openssl's RSA code instead of dnssafe.
10122 463. [bug] nsupdate sent malformed SOA queries to the second
10123 and subsequent name servers in resolv.conf if the
10124 query sent to the first one failed.
10126 462. [bug] --disable-ipv6 should work now.
10128 461. [bug] Specifying an unknown key in the "keys" clause of the
10129 "controls" statement caused a NULL pointer dereference.
10132 460. [bug] Much of the DNSSEC code only worked with class IN.
10134 459. [bug] Nslookup processed the "set" command incorrectly.
10136 458. [bug] Nslookup didn't properly check class and type values.
10139 457. [bug] Dig/host/hslookup didn't properly handle connect
10140 timeouts in certain situations, causing an
10141 unnecessary warning message to be printed.
10143 456. [bug] Stub zones were not resetting the refresh and expire
10144 counters, loadtime or clearing the DNS_ZONE_REFRESH
10145 (refresh in progress) flag upon successful update.
10146 This disabled further refreshing of the stub zone,
10147 causing it to eventually expire. [RT #300]
10149 455. [doc] Document IPv4 prefix notation does not require a
10150 dotted decimal quad but may be just dotted decimal.
10152 454. [bug] Enforce dotted decimal and dotted decimal quad where
10153 documented as such in named.conf. [RT #304, RT #311]
10155 453. [bug] Warn if the obsolete option "maintain-ixfr-base"
10156 is specified in named.conf. [RT #306]
10158 452. [bug] Warn if the unimplemented option "statistics-file"
10159 is specified in named.conf. [RT #301]
10161 451. [func] Update forwarding implemented.
10163 450. [func] New function ns_client_sendraw().
10165 449. [bug] isc_bitstring_copy() only works correctly if the
10166 two bitstrings have the same lsb0 value, but this
10167 requirement was not documented, nor was there a
10170 448. [bug] Host output formatting change, to match v8. [RT #255]
10172 447. [bug] Dig didn't properly retry in TCP mode after
10173 a truncated reply. [RT #277]
10175 446. [bug] Confusing notify log message. [RT #298]
10177 445. [bug] Doing a 0 bit isc_bitstring_copy() of an lsb0
10178 bitstring triggered a REQUIRE statement. The REQUIRE
10179 statement was incorrect. [RT #297]
10181 444. [func] "recursion denied" messages are always logged at
10182 debug level 1, now, rather than sometimes at ERROR.
10183 This silences these warnings in the usual case, where
10184 some clients set the RD bit in all queries.
10186 443. [bug] When loading a master file failed because of an
10187 unrecognized RR type name, the error message
10188 did not include the file name and line number.
10191 442. [bug] TSIG signed messages that did not match any view
10192 crashed the server. [RT #290]
10194 441. [bug] Nodes obscured by a DNAME were inaccessible even
10195 when DNS_DBFIND_GLUEOK was set.
10197 440. [func] New function dns_zone_forwardupdate().
10199 439. [func] New function dns_request_createraw().
10201 438. [func] New function dns_message_getrawmessage().
10203 437. [func] Log NOTIFY activity to the notify channel.
10205 436. [bug] If recvmsg() returned EHOSTUNREACH or ENETUNREACH,
10206 which sometimes happens on Linux, named would enter
10207 a busy loop. Also, unexpected socket errors were
10208 not logged at a high enough logging level to be
10209 useful in diagnosing this situation. [RT #275]
10211 435. [bug] dns_zone_dump() overwrote existing zone files
10212 rather than writing to a temporary file and
10213 renaming. This could lead to empty or partial
10214 zone files being left around in certain error
10215 conditions involving the initial transfer of a
10216 slave zone, interfering with subsequent server
10219 434. [func] New function isc_file_isabsolute().
10221 433. [func] isc_base64_decodestring() now accepts newlines
10222 within the base64 data. This makes it possible
10223 to break up the key data in a "trusted-keys"
10224 statement into multiple lines. [RT #284]
10226 432. [func] Added refresh/retry jitter. The actual refresh/
10227 retry time is now a random value between 75% and
10228 100% of the configured value.
10230 431. [func] Log at ISC_LOG_INFO when a zone is successfully
10233 430. [bug] Rewrote the lightweight resolver client management
10234 code to handle shutdown correctly and general
10237 429. [bug] The space reserved for a TSIG record in a response
10238 was 2 bytes too short, leading to message
10239 generation failures.
10241 428. [bug] rbtdb.c:find_closest_nxt() erroneously returned
10242 DNS_R_BADDB for nodes which had neither NXT nor SIG NXT
10243 (e.g. glue). This could cause SERVFAILs when
10244 generating negative responses in a secure zone.
10246 427. [bug] Avoid going into an infinite loop when the validator
10247 gets a negative response to a key query where the
10248 records are signed by the missing key.
10250 426. [bug] Attempting to generate an oversized RSA key could
10251 cause dnssec-keygen to dump core.
10253 425. [bug] Warn about the auth-nxdomain default value change
10254 if there is no auth-nxdomain statement in the
10255 config file. [RT #287]
10257 424. [bug] notify_createmessage() could trigger an assertion
10258 failure when creating the notify message failed,
10259 e.g. due to corrupt zones with multiple SOA records.
10262 423. [bug] When responding to a recursive query, errors that occur
10263 after following a CNAME should cause the query to fail.
10266 422. [func] get rid of isc_random_t, and make isc_random_get()
10267 and isc_random_jitter() use rand() internally
10268 instead of local state. Note that isc_random_*()
10269 functions are only for weak, non-critical "randomness"
10270 such as timing jitter and such.
10272 421. [bug] nslookup would exit when given a blank line as input.
10274 420. [bug] nslookup failed to implement the "exit" command.
10276 419. [bug] The certificate type PKIX was misspelled as SKIX.
10278 418. [bug] At debug levels >= 10, getting an unexpected
10279 socket receive error would crash the server
10280 while trying to log the error message.
10282 417. [func] Add isc_app_block() and isc_app_unblock(), which
10283 allow an application to handle signals while
10286 416. [bug] Slave zones with no master file tried to use a
10287 NULL pointer for a journal file name when they
10288 received an IXFR. [RT #273]
10290 415. [bug] The logging code leaked file descriptors.
10292 414. [bug] Server did not shut down until all incoming zone
10293 transfers were finished.
10295 413. [bug] Notify could attempt to use the zone database after
10296 it had been unloaded. [RT#267]
10298 412. [bug] named -v didn't print the version.
10300 411. [bug] A typo in the HS A code caused an assertion failure.
10302 410. [bug] lwres_gethostbyname() and company set lwres_h_errno
10303 to a random value on success.
10305 409. [bug] If named was shut down early in the startup
10306 process, ns_omapi_shutdown() would attempt to lock
10307 an uninitialized mutex. [RT #262]
10309 408. [bug] stub zones could leak memory and reference counts if
10310 all the masters were unreachable.
10312 407. [bug] isc_rwlock_lock() would needlessly block
10313 readers when it reached the read quota even
10314 if no writers were waiting.
10316 406. [bug] Log messages were occasionally lost or corrupted
10317 due to a race condition in isc_log_doit().
10319 405. [func] Add support for selective forwarding (forward zones)
10321 404. [bug] The request library didn't completely work with IPv6.
10323 403. [bug] "host" did not use the search list.
10325 402. [bug] Treat undefined acls as errors, rather than
10326 warning and then later throwing an assertion.
10329 401. [func] Added simple database API.
10331 400. [bug] SIG(0) signing and verifying was done incorrectly.
10334 399. [bug] When reloading the server with a config file
10335 containing a syntax error, it could catch an
10336 assertion failure trying to perform zone
10337 maintenance on, or sending notifies from,
10338 tentatively created zones whose views were
10339 never fully configured and lacked an address
10340 database and request manager.
10342 398. [bug] "dig" sometimes caught an assertion failure when
10343 using TSIG, depending on the key length.
10345 397. [func] Added utility functions dns_view_gettsig() and
10346 dns_view_getpeertsig().
10348 396. [doc] There is now a man page for "nsupdate"
10349 in doc/man/bin/nsupdate.8.
10351 395. [bug] nslookup printed incorrect RR type mnemonics
10352 for RRs of type >= 21 [RT #237].
10354 394. [bug] Current name was not propagated via $INCLUDE.
10356 393. [func] Initial answer while loading (awl) support.
10357 Entry points: dns_master_loadfileinc(),
10358 dns_master_loadstreaminc(), dns_master_loadbufferinc().
10359 Note: calls to dns_master_load*inc() should be rate
10360 be rate limited so as to not use up all file
10363 392. [func] Add ISC_R_FAMILYNOSUPPORT. Returned when OS does
10364 not support the given address family requested.
10366 391. [clarity] ISC_R_FAMILY -> ISC_R_FAMILYMISMATCH.
10368 390. [func] The function dns_zone_setdbtype() now takes
10369 an argc/argv style vector of words and sets
10370 both the zone database type and its arguments,
10371 making the functions dns_zone_adddbarg()
10372 and dns_zone_cleardbargs() unnecessary.
10374 389. [bug] Attempting to send a request over IPv6 using
10375 dns_request_create() on a system without IPv6
10376 support caused an assertion failure [RT #235].
10378 388. [func] dig and host can now do reverse ipv6 lookups.
10380 387. [func] Add dns_byaddr_createptrname(), which converts
10381 an address into the name used by a PTR query.
10383 386. [bug] Missing strdup() of ACL name caused random
10384 ACL matching failures [RT #228].
10386 385. [cleanup] Removed functions dns_zone_equal(), dns_zone_print(),
10387 and dns_zt_print().
10389 384. [bug] nsupdate was incorrectly limiting TTLs to 65535 instead
10392 383. [func] When writing a master file, print the SOA and NS
10393 records (and their SIGs) before other records.
10395 382. [bug] named -u failed on many Linux systems where the
10396 libc provided kernel headers do not match
10397 the current kernel.
10399 381. [bug] Check for IPV6_RECVPKTINFO and use it instead of
10400 IPV6_PKTINFO if found. [RT #229]
10402 380. [bug] nsupdate didn't work with IPv6.
10404 379. [func] New library function isc_sockaddr_anyofpf().
10406 378. [func] named and lwresd will log the command line arguments
10407 they were started with in the "starting ..." message.
10409 377. [bug] When additional data lookups were refused due to
10410 "allow-query", the databases were still being
10411 attached causing reference leaks.
10413 376. [bug] The server should always use good entropy when
10414 performing cryptographic functions needing entropy.
10416 375. [bug] Per-zone "allow-query" did not properly override the
10417 view/global one for CNAME targets and additional
10420 374. [bug] SOA in authoritative negative responses had wrong TTL.
10422 373. [func] nslookup is now installed by "make install".
10424 372. [bug] Deal with Microsoft DNS servers appending two bytes of
10425 garbage to zone transfer requests.
10427 371. [bug] At high debug levels, doing an outgoing zone transfer
10428 of a very large RRset could cause an assertion failure
10431 370. [bug] The error messages for roll-forward failures were
10434 369. [func] Support new named.conf options, view and zone
10437 max-retry-time, min-retry-time,
10438 max-refresh-time, min-refresh-time.
10440 368. [func] Restructure the internal ".bind" view so that more
10441 zones can be added to it.
10443 367. [bug] Allow proper selection of server on nslookup command
10446 366. [func] Allow use of '-' batch file in dig for stdin.
10448 365. [bug] nsupdate -k leaked memory.
10450 364. [func] Added additional-from-{cache,auth}
10454 362. [bug] rndc no longer aborts if the configuration file is
10455 missing an options statement. [RT #209]
10457 361. [func] When the RBT find or chain functions set the name and
10458 origin for a node that stores the root label
10459 the name is now set to an empty name, instead of ".",
10460 to simplify later use of the name and origin by
10461 dns_name_concatenate(), dns_name_totext() or
10464 360. [func] dns_name_totext() and dns_name_format() now allow
10465 an empty name to be passed, which is formatted as "@".
10467 359. [bug] dnssec-signzone occasionally signed glue records.
10469 358. [cleanup] Rename the intermediate files used by the dnssec
10472 357. [bug] The zone file parser crashed if the argument
10473 to $INCLUDE was a quoted string.
10475 356. [cleanup] isc_task_send no longer requires event->sender to
10478 355. [func] Added isc_dir_createunique(), similar to mkdtemp().
10480 354. [doc] Man pages for the dnssec tools are now included in
10481 the distribution, in doc/man/dnssec.
10483 353. [bug] double increment in lwres/gethost.c:copytobuf().
10486 352. [bug] Race condition in dns_client_t startup could cause
10487 an assertion failure.
10489 351. [bug] Constructing a response with rcode SERVFAIL to a TSIG
10490 signed query could crash the server.
10492 350. [bug] Also-notify lists specified in the global options
10493 block were not correctly reference counted, causing
10496 349. [bug] Processing a query with the CD bit set now works
10499 348. [func] New boolean named.conf options 'additional-from-auth'
10500 and 'additional-from-cache' now supported in view and
10501 global options statement.
10503 347. [bug] Don't crash if an argument is left off options in dig.
10507 345. [bug] Large-scale changes/cleanups to dig:
10508 * Significantly improve structure handling
10509 * Don't pre-load entire batch files
10510 * Add name/rr counting/limiting
10511 * Fix SIGINT handling
10512 * Shorten timeouts to match v8's behavior
10514 344. [bug] When shutting down, lwresd sometimes tried
10515 to shut down its client tasks twice,
10516 triggering an assertion.
10518 343. [bug] Although zone maintenance SOA queries and
10519 notify requests were signed with TSIG keys
10520 when configured for the server in case,
10521 the TSIG was not verified on the response.
10523 342. [bug] The wrong name was being passed to
10524 dns_name_dup() when generating a TSIG
10527 341. [func] Support 'key' clause in named.conf zone masters
10528 statement to allow authentication via TSIG keys:
10531 10.0.0.1 port 5353 key "foo";
10535 340. [bug] The top-level COPYRIGHT file was missing from
10538 339. [bug] DNSSEC validation of the response to an ANY
10539 query at a name with a CNAME RR in a secure
10540 zone triggered an assertion failure.
10542 338. [bug] lwresd logged to syslog as named, not lwresd.
10544 337. [bug] "dig" did not recognize "nsap-ptr" as an RR type
10545 on the command line.
10547 336. [bug] "dig -f" used 64 k of memory for each line in
10548 the file. It now uses much less, though still
10549 proportionally to the file size.
10551 335. [bug] named would occasionally attempt recursion when
10552 it was disallowed or undesired.
10554 334. [func] Added hmac-md5 to libisc.
10556 333. [bug] The resolver incorrectly accepted referrals to
10557 domains that were not parents of the query name,
10558 causing assertion failures.
10560 332. [func] New function dns_name_reset().
10562 331. [bug] Only log "recursion denied" if RD is set. [RT #178]
10564 330. [bug] Many debugging messages were partially formatted
10565 even when debugging was turned off, causing a
10566 significant decrease in query performance.
10568 329. [func] omapi_auth_register() now takes a size_t argument for
10569 the length of a key's secret data. Previously
10570 OMAPI only stored secrets up to the first NUL byte.
10572 328. [func] Added isc_base64_decodestring().
10574 327. [bug] rndc.conf parser wasn't correctly recognizing an IP
10575 address where a host specification was required.
10577 326. [func] 'keys' in an 'inet' control statement is now
10578 required and must have at least one item in it.
10579 A "not supported" warning is now issued if a 'unix'
10580 control channel is defined.
10582 325. [bug] isc_lex_gettoken was processing octal strings when
10583 ISC_LEXOPT_CNUMBER was not set.
10585 324. [func] In the resolver, turn EDNS0 off if there is no
10586 response after a number of retransmissions.
10587 This is to allow queries some chance of succeeding
10588 even if all the authoritative servers of a zone
10589 silently discard EDNS0 requests instead of
10590 sending an error response like they ought to.
10592 323. [bug] dns_rbt_findname() did not ignore empty rbt nodes.
10593 Because of this, servers authoritative for a parent
10594 and grandchild zone but not authoritative for the
10595 intervening child zone did not correctly issue
10596 referrals to the servers of the child zone.
10598 322. [bug] Queries for KEY RRs are now sent to the parent
10599 server before the authoritative one, making
10600 DNSSEC insecurity proofs work in many cases
10601 where they previously didn't.
10603 321. [bug] When synthesizing a CNAME RR for a DNAME
10604 response, query_addcname() failed to initialize
10605 the type and class of the CNAME dns_rdata_t,
10606 causing random failures.
10608 320. [func] Multiple rndc changes: parses an rndc.conf file,
10609 uses authentication to talk to named, command
10610 line syntax changed. This will all be described
10613 319. [func] The named.conf "controls" statement is now used
10614 to configure the OMAPI command channel.
10616 318. [func] dns_c_ndcctx_destroy() could never return anything
10617 except ISC_R_SUCCESS; made it have void return instead.
10619 317. [func] Use callbacks from libomapi to determine if a
10620 new connection is valid, and if a key requested
10621 to be used with that connection is valid.
10623 316. [bug] Generate a warning if we detect an unexpected <eof>
10624 but treat as <eol><eof>.
10626 315. [bug] Handle non-empty blanks lines. [RT #163]
10628 314. [func] The named.conf controls statement can now have
10629 more than one key specified for the inet clause.
10631 313. [bug] When parsing resolv.conf, don't terminate on an
10632 error. Instead, parse as much as possible, but
10633 still return an error if one was found.
10635 312. [bug] Increase the number of allowed elements in the
10636 resolv.conf search path from 6 to 8. If there
10637 are more than this, ignore the remainder rather
10638 than returning a failure in lwres_conf_parse.
10640 311. [bug] lwres_conf_parse failed when the first line of
10641 resolv.conf was empty or a comment.
10643 310. [func] Changes to named.conf "controls" statement (inet
10646 - support "keys" clause
10650 allow { any; } keys { "foo"; }
10653 - allow "port xxx" to be left out of statement,
10654 in which case it defaults to omapi's default port
10657 309. [bug] When sending a referral, the server did not look
10658 for name server addresses as glue in the zone
10659 holding the NS RRset in the case where this zone
10660 was not the same as the one where it looked for
10661 name server addresses as authoritative data.
10663 308. [bug] Treat a SOA record not at top of zone as an error
10664 when loading a zone. [RT #154]
10666 307. [bug] When canceling a query, the resolver didn't check for
10667 isc_socket_sendto() calls that did not yet have their
10668 completion events posted, so it could (rarely) end up
10669 destroying the query context and then want to use
10670 it again when the send event posted, triggering an
10671 assertion as it tried to cancel an already-canceled
10674 306. [bug] Reading HMAC-MD5 private key files didn't work.
10676 305. [bug] When reloading the server with a config file
10677 containing a syntax error, it could catch an
10678 assertion failure trying to perform zone
10679 maintenance on tentatively created zones whose
10680 views were never fully configured and lacked
10681 an address database.
10683 304. [bug] If more than LWRES_CONFMAXNAMESERVERS servers
10684 are listed in resolv.conf, silently ignore them
10685 instead of returning failure.
10687 303. [bug] Add additional sanity checks to differentiate a AXFR
10688 response vs a IXFR response. [RT #157]
10690 302. [bug] In dig, host, and nslookup, MXNAME should be large
10691 enough to hold any legal domain name in presentation
10692 format + terminating NULL.
10694 301. [bug] Uninitialized pointer in host:printmessage(). [RT #159]
10696 300. [bug] Using both <isc/net.h> and <lwres/net.h> didn't work
10697 on platforms lacking IPv6 because each included their
10698 own ipv6 header file for the missing definitions. Now
10699 each library's ipv6.h defines the wrapper symbol of
10700 the other (ISC_IPV6_H and LWRES_IPV6_H).
10702 299. [cleanup] Get the user and group information before changing the
10703 root directory, so the administrator does not need to
10704 keep a copy of the user and group databases in the
10705 chroot'ed environment. Suggested by Hakan Olsson.
10707 298. [bug] A mutex deadlock occurred during shutdown of the
10708 interface manager under certain conditions.
10709 Digital Unix systems were the most affected.
10711 297. [bug] Specifying a key name that wasn't fully qualified
10712 in certain parts of the config file could cause
10713 an assertion failure.
10715 296. [bug] "make install" from a separate build directory
10716 failed unless configure had been run in the source
10719 295. [bug] When invoked with type==CNAME and a message
10720 not constructed by dns_message_parse(),
10721 dns_message_findname() failed to find anything
10722 due to checking for attribute bits that are set
10723 only in dns_message_parse(). This caused an
10724 infinite loop when constructing the response to
10725 an ANY query at a CNAME in a secure zone.
10727 294. [bug] If we run out of space in while processing glue
10728 when reading a master file and commit "current name"
10729 reverts to "name_current" instead of staying as
10732 293. [port] Add support for FreeBSD 4.0 system tests.
10734 292. [bug] Due to problems with the way some operating systems
10735 handle simultaneous listening on IPv4 and IPv6
10736 addresses, the server no longer listens on IPv6
10737 addresses by default. To revert to the previous
10738 behavior, specify "listen-on-v6 { any; };" in
10741 291. [func] Caching servers no longer send outgoing queries
10742 over TCP just because the incoming recursive query
10745 290. [cleanup] +twiddle option to dig (for testing only) removed.
10747 289. [cleanup] dig is now installed in $bindir instead of $sbindir.
10748 host is now installed in $bindir. (Be sure to remove
10749 any $sbindir/dig from a previous release.)
10751 288. [func] rndc is now installed by "make install" into $sbindir.
10753 287. [bug] rndc now works again as "rndc 127.1 reload" (for
10754 only that task). Parsing its configuration file and
10755 using digital signatures for authentication has been
10756 disabled until named supports the "controls" statement,
10759 286. [bug] On Solaris 2, when named inherited a signal state
10760 where SIGHUP had the SIG_IGN action, SIGHUP would
10761 be ignored rather than causing the server to reload
10764 285. [bug] A change made to the dst API for beta4 inadvertently
10765 broke OMAPI's creation of a dst key from an incoming
10766 message, causing an assertion to be triggered. Fixed.
10768 284. [func] The DNSSEC key generation and signing tools now
10769 generate randomness from keyboard input on systems
10770 that lack /dev/random.
10772 283. [cleanup] The 'lwresd' program is now a link to 'named'.
10774 282. [bug] The lexer now returns ISC_R_RANGE if parsed integer is
10775 too big for an unsigned long.
10777 281. [bug] Fixed list of recognized config file category names.
10779 280. [func] Add isc-config.sh, which can be used to more
10780 easily build applications that link with
10783 279. [bug] Private omapi function symbols shared between
10784 two or more files in libomapi.a were not namespace
10785 protected using the ISC convention of starting with
10786 the library name and two underscores ("omapi__"...)
10788 278. [bug] bin/named/logconf.c:category_fromconf() didn't take
10789 note of when isc_log_categorybyname() wasn't able
10790 to find the category name and would then apply the
10791 channel list of the unknown category to all categories.
10793 277. [bug] isc_log_categorybyname() and isc_log_modulebyname()
10794 would fail to find the first member of any category
10795 or module array apart from the internal defaults.
10796 Thus, for example, the "notify" category was improperly
10797 configured by named.
10799 276. [bug] dig now supports maximum sized TCP messages.
10801 275. [bug] The definition of lwres_gai_strerror() was missing
10804 274. [bug] TSIG AXFR verify failed when talking to a BIND 8
10807 273. [func] The default for the 'transfer-format' option is
10808 now 'many-answers'. This will break zone transfers
10809 to BIND 4.9.5 and older unless there is an explicit
10810 'one-answer' configuration.
10812 272. [bug] The sending of large TCP responses was canceled
10813 in mid-transmission due to a race condition
10814 caused by the failure to set the client object's
10815 "newstate" variable correctly when transitioning
10816 to the "working" state.
10818 271. [func] Attempt to probe the number of cpus in named
10819 if unspecified rather than defaulting to 1.
10821 270. [func] Allow maximum sized TCP answers.
10823 269. [bug] Failed DNSSEC validations could cause an assertion
10824 failure by causing clone_results() to be called with
10825 with hevent->node == NULL.
10827 268. [doc] A plain text version of the Administrator
10828 Reference Manual is now included in the distribution,
10829 as doc/arm/Bv9ARM.txt.
10831 267. [func] Nsupdate is now provided in the distribution.
10833 266. [bug] zone.c:save_nsrrset() node was not initialized.
10835 265. [bug] dns_request_create() now works for TCP.
10837 264. [func] Dispatch can not take TCP sockets in connecting
10838 state. Set DNS_DISPATCHATTR_CONNECTED when calling
10839 dns_dispatch_createtcp() for connected TCP sockets
10840 or call dns_dispatch_starttcp() when the socket is
10843 263. [func] New logging channel type 'stderr'
10845 channel some-name {
10850 262. [bug] 'master' was not initialized in zone.c:stub_callback().
10852 261. [func] Add dns_zone_markdirty().
10854 260. [bug] Running named as a non-root user failed on Linux
10855 kernels new enough to support retaining capabilities
10858 259. [func] New random-device and random-seed-file statements
10859 for global options block of named.conf. Both accept
10860 a single string argument.
10862 258. [bug] Fixed printing of lwres_addr_t.address field.
10864 257. [bug] The server detached the last zone manager reference
10865 too early, while it could still be in use by queries.
10866 This manifested itself as assertion failures during the
10867 shutdown process for busy name servers. [RT #133]
10869 256. [func] isc_ratelimiter_t now has attach/detach semantics, and
10870 isc_ratelimiter_shutdown guarantees that the rate
10871 limiter is detached from its task.
10873 255. [func] New function dns_zonemgr_attach().
10875 254. [bug] Suppress "query denied" messages on additional data
10878 --- 9.0.0b4 released ---
10880 253. [func] resolv.conf parser now recognizes ';' and '#' as
10881 comments (anywhere in line, not just as the beginning).
10883 252. [bug] resolv.conf parser mishandled masks on sortlists.
10884 It also aborted when an unrecognized keyword was seen,
10885 now it silently ignores the entire line.
10887 251. [bug] lwresd caught an assertion failure on startup.
10889 250. [bug] fixed handling of size+unit when value would be too
10890 large for internal representation.
10892 249. [cleanup] max-cache-size config option now takes a size-spec
10893 like 'datasize', except 'default' is not allowed.
10895 248. [bug] global lame-ttl option was not being printed when
10896 config structures were written out.
10898 247. [cleanup] Rename cache-size config option to max-cache-size.
10900 246. [func] Rename global option cachesize to cache-size and
10901 add corresponding option to view statement.
10903 245. [bug] If an uncompressed name will take more than 255
10904 bytes and the buffer is sufficiently long,
10905 dns_name_fromwire should return DNS_R_FORMERR,
10906 not ISC_R_NOSPACE. This bug caused cause the
10907 server to catch an assertion failure when it
10908 received a query for a name longer than 255
10911 244. [bug] empty named.conf file and empty options statement are
10912 now parsed properly.
10914 243. [func] new cachesize option for named.conf
10916 242. [cleanup] fixed incorrect warning about auth-nxdomain usage.
10918 241. [cleanup] nscount and soacount have been removed from the
10919 dns_master_*() argument lists.
10921 240. [func] databases now come in three flavours: zone, cache
10924 239. [func] If ISC_MEM_DEBUG is enabled, the variable
10925 isc_mem_debugging controls whether messages
10926 are printed or not.
10928 238. [cleanup] A few more compilation warnings have been quieted:
10929 + missing sigwait prototype on BSD/OS 4.0/4.0.1.
10930 + PTHREAD_ONCE_INIT unbraced initializer warnings on
10932 + IN6ADDR_ANY_INIT unbraced initializer warnings on
10933 BSD/OS 4.*, Linux and Solaris 2.8.
10935 237. [bug] If connect() returned ENOBUFS when the resolver was
10936 initiating a TCP query, the socket didn't get
10937 destroyed, and the server did not shut down cleanly.
10939 236. [func] Added new listen-on-v6 config file statement.
10941 235. [func] Consider it a config file error if a listen-on
10942 statement has an IPv6 address in it, or a
10943 listen-on-v6 statement has an IPv4 address in it.
10945 234. [bug] Allow a trusted-key's first field (domain-name) be
10946 either a quoted or an unquoted string, instead of
10947 requiring a quoted string.
10949 233. [cleanup] Convert all config structure integer values to unsigned
10950 integer (isc_uint32_t) to match grammar.
10952 232. [bug] Allow slave zones to not have a file.
10954 231. [func] Support new 'port' clause in config file options
10955 section. Causes 'listen-on', 'masters' and
10956 'also-notify' statements to use its value instead of
10959 230. [func] Replace the dst sign/verify API with a cleaner one.
10961 229. [func] Support config file sig-validity-interval statement
10962 in options, views and zone statements (master
10965 228. [cleanup] Logging messages in config module stripped of
10968 227. [cleanup] The enumerated identifiers dns_rdataclass_*,
10969 dns_rcode_*, dns_opcode_*, and dns_trust_* are
10970 also now cast to their appropriate types, as with
10971 dns_rdatatype_* in item number 225 below.
10973 226. [func] dns_name_totext() now always prints the root name as
10974 '.', even when omit_final_dot is true.
10976 225. [cleanup] The enumerated dns_rdatatype_* identifiers are now
10977 cast to dns_rdatatype_t via macros of their same name
10978 so that they are of the proper integral type wherever
10979 a dns_rdatatype_t is needed.
10981 224. [cleanup] The entire project builds cleanly with gcc's
10982 -Wcast-qual and -Wwrite-strings warnings enabled,
10983 which is now the default when using gcc. (Warnings
10984 from confparser.c, because of yacc's code, are
10985 unfortunately to be expected.)
10987 223. [func] Several functions were re-prototyped to qualify one
10988 or more of their arguments with "const". Similarly,
10989 several functions that return pointers now have
10990 those pointers qualified with const.
10992 222. [bug] The global 'also-notify' option was ignored.
10994 221. [bug] An uninitialized variable was sometimes passed to
10995 dns_rdata_freestruct() when loading a zone, causing
10996 an assertion failure.
10998 220. [cleanup] Set the default outgoing port in the view, and
10999 set it in sockaddrs returned from the ADB.
11000 [31-May-2000 explorer]
11002 219. [bug] Signed truncated messages more correctly follow
11003 the respective specs.
11005 218. [func] When an rdataset is signed, its ttl is normalized
11006 based on the signature validity period.
11008 217. [func] Also-notify and trusted-keys can now be used in
11009 the 'view' statement.
11011 216. [func] The 'max-cache-ttl' and 'max-ncache-ttl' options
11014 215. [bug] Failures at certain points in request processing
11015 could cause the assertion INSIST(client->lockview
11016 == NULL) to be triggered.
11018 214. [func] New public function isc_netaddr_format(), for
11019 formatting network addresses in log messages.
11021 213. [bug] Don't leak memory when reloading the zone if
11022 an update-policy clause was present in the old zone.
11024 212. [func] Added dns_message_get/settsigkey, to make TSIG
11025 key management reasonable.
11027 211. [func] The 'key' and 'server' statements can now occur
11028 inside 'view' statements.
11030 210. [bug] The 'allow-transfer' option was ignored for slave
11031 zones, and the 'transfers-per-ns' option was
11032 was ignored for all zones.
11034 209. [cleanup] Upgraded openssl files to new version 0.9.5a
11036 208. [func] Added ISC_OFFSET_MAXIMUM for the maximum value
11037 of an isc_offset_t.
11039 207. [func] The dnssec tools properly use the logging subsystem.
11041 206. [cleanup] dst now stores the key name as a dns_name_t, not
11044 205. [cleanup] On IRIX, turn off the mostly harmless warnings 1692
11045 ("prototyped function redeclared without prototype")
11046 and 1552 ("variable ... set but not used") when
11047 compiling in the lib/dns/sec/{dnssafe,openssl}
11048 directories, which contain code imported from outside
11051 204. [cleanup] On HP/UX, pass +vnocompatwarnings to the linker
11052 to quiet the warnings that "The linked output may not
11053 run on a PA 1.x system."
11055 203. [func] notify and zone soa queries are now tsig signed when
11058 202. [func] isc_lex_getsourceline() changed from returning int
11059 to returning unsigned long, the type of its underlying
11062 201. [cleanup] Removed the test/sdig program, it has been
11063 replaced by bin/dig/dig.
11065 --- 9.0.0b3 released ---
11067 200. [bug] Failures in sending query responses to clients
11068 (e.g., running out of network buffers) were
11071 199. [bug] isc_heap_delete() sometimes violated the heap
11072 invariant, causing timer events not to be posted
11075 198. [func] Dispatch managers hold memory pools which
11076 any managed dispatcher may use. This allows
11077 us to avoid dipping into the memory context for
11078 most allocations. [19-May-2000 explorer]
11080 197. [bug] When an incoming AXFR or IXFR completes, the
11081 zone's internal state is refreshed from the
11082 SOA data. [19-May-2000 explorer]
11084 196. [func] Dispatchers can be shared easily between views
11085 and/or interfaces. [19-May-2000 explorer]
11087 195. [bug] Including the NXT record of the root domain
11088 in a negative response caused an assertion
11091 194. [doc] The PDF version of the Administrator's Reference
11092 Manual is no longer included in the ISC BIND9
11095 193. [func] changed dst_key_free() prototype.
11097 192. [bug] Zone configuration validation is now done at end
11098 of config file parsing, and before loading
11101 191. [func] Patched to compile on UnixWare 7.x. This platform
11102 is not directly supported by the ISC.
11104 190. [cleanup] The DNSSEC tools have been moved to a separate
11105 directory dnssec/ and given the following new,
11106 more descriptive names:
11113 Their command line arguments have also been changed to
11114 be more consistent. dnssec-keygen now prints the
11115 name of the generated key files (sans extension)
11116 on standard output to simplify its use in automated
11119 189. [func] isc_time_secondsastimet(), a new function, will ensure
11120 that the number of seconds in an isc_time_t does not
11121 exceed the range of a time_t, or return ISC_R_RANGE.
11122 Similarly, isc_time_now(), isc_time_nowplusinterval(),
11123 isc_time_add() and isc_time_subtract() now check the
11124 range for overflow/underflow. In the case of
11125 isc_time_subtract, this changed a calling requirement
11126 (ie, something that could generate an assertion)
11127 into merely a condition that returns an error result.
11128 isc_time_add() and isc_time_subtract() were void-
11129 valued before but now return isc_result_t.
11131 188. [func] Log a warning message when an incoming zone transfer
11132 contains out-of-zone data.
11134 187. [func] isc_ratelimiter_enqueue() has an additional argument
11137 186. [func] dns_request_getresponse() has an additional argument
11140 185. [bug] Fixed up handling of ISC_MEMCLUSTER_LEGACY. Several
11141 public functions did not have an isc__ prefix, and
11142 referred to functions that had previously been
11145 184. [cleanup] Variables/functions which began with two leading
11146 underscores were made to conform to the ANSI/ISO
11147 standard, which says that such names are reserved.
11149 183. [func] ISC_LOG_PRINTTAG option for log channels. Useful
11150 for logging the program name or other identifier.
11152 182. [cleanup] New command-line parameters for dnssec tools
11154 181. [func] Added dst_key_buildfilename and dst_key_parsefilename
11156 180. [func] New isc_result_t ISC_R_RANGE. Supersedes DNS_R_RANGE.
11158 179. [func] options named.conf statement *must* now come
11159 before any zone or view statements.
11161 178. [func] Post-load of named.conf check verifies a slave zone
11162 has non-empty list of masters defined.
11164 177. [func] New per-zone boolean:
11166 enable-zone yes | no ;
11168 intended to let a zone be disabled without having
11169 to comment out the entire zone statement.
11171 176. [func] New global and per-view option:
11173 max-cache-ttl number
11175 175. [func] New global and per-view option:
11177 additional-data internal | minimal | maximal;
11179 174. [func] New public function isc_sockaddr_format(), for
11180 formatting socket addresses in log messages.
11182 173. [func] Keep a queue of zones waiting for zone transfer
11183 quota so that a new transfer can be dispatched
11184 immediately whenever quota becomes available.
11186 172. [bug] $TTL directive was sometimes missing from dumped
11187 master files because totext_ctx_init() failed to
11188 initialize ctx->current_ttl_valid.
11190 171. [cleanup] On NetBSD systems, the mit-pthreads or
11191 unproven-pthreads library is now always used
11192 unless --with-ptl2 is explicitly specified on
11193 the configure command line. The
11194 --with-mit-pthreads option is no longer needed
11195 and has been removed.
11197 170. [cleanup] Remove inter server consistency checks from zone,
11198 these should return as a separate module in 9.1.
11199 dns_zone_checkservers(), dns_zone_checkparents(),
11200 dns_zone_checkchildren(), dns_zone_checkglue().
11202 Remove dns_zone_setadb(), dns_zone_setresolver(),
11203 dns_zone_setrequestmgr() these should now be found
11206 169. [func] ratelimiter can now process N events per interval.
11208 168. [bug] include statements in named.conf caused syntax errors
11209 due to not consuming the semicolon ending the include
11210 statement before switching input streams.
11212 167. [bug] Make lack of masters for a slave zone a soft error.
11214 166. [bug] Keygen was overwriting existing keys if key_id
11215 conflicted, now it will retry, and non-null keys
11216 with key_id == 0 are not generated anymore. Key
11217 was not able to generate NOAUTHCONF DSA key,
11218 increased RSA key size to 2048 bits.
11220 165. [cleanup] Silence "end-of-loop condition not reached" warnings
11221 from Solaris compiler.
11223 164. [func] Added functions isc_stdio_open(), isc_stdio_close(),
11224 isc_stdio_seek(), isc_stdio_read(), isc_stdio_write(),
11225 isc_stdio_flush(), isc_stdio_sync(), isc_file_remove()
11226 to encapsulate nonportable usage of errno and sync.
11228 163. [func] Added result codes ISC_R_FILENOTFOUND and
11231 162. [bug] Ensure proper range for arguments to ctype.h functions.
11233 161. [cleanup] error in yyparse prototype that only HPUX caught.
11235 160. [cleanup] getnet*() are not going to be implemented at this
11238 159. [func] Redefinition of config file elements is now an
11239 error (instead of a warning).
11241 158. [bug] Log channel and category list copy routines
11242 weren't assigning properly to output parameter.
11244 157. [port] Fix missing prototype for getopt().
11246 156. [func] Support new 'database' statement in zone.
11248 database "quoted-string";
11250 155. [bug] ns_notify_start() was not detaching the found zone.
11252 154. [func] The signer now logs libdns warnings to stderr even when
11253 not verbose, and in a nicer format.
11255 153. [func] dns_rdata_tostruct() 'mctx' is now optional. If 'mctx'
11256 is NULL then you need to preserve the 'rdata' until
11257 you have finished using the structure as there may be
11258 references to the associated memory. If 'mctx' is
11259 non-NULL it is guaranteed that there are no references
11260 to memory associated with 'rdata'.
11262 dns_rdata_freestruct() must be called if 'mctx' was
11263 non-NULL and may safely be called if 'mctx' was NULL.
11265 152. [bug] keygen dumped core if domain name argument was omitted
11268 151. [func] Support 'disabled' statement in zone config (causes
11269 zone to be parsed and then ignored). Currently must
11270 come after the 'type' clause.
11272 150. [func] Support optional ports in masters and also-notify
11275 masters [ port xxx ] { y.y.y.y [ port zzz ] ; }
11277 149. [cleanup] Removed unused argument 'olist' from
11278 dns_c_view_unsetordering().
11280 148. [cleanup] Stop issuing some warnings about some configuration
11281 file statements that were not implemented, but now are.
11283 147. [bug] Changed yacc union size to be smaller for yaccs that
11284 put yacc-stack on the real stack.
11286 146. [cleanup] More general redundant header file cleanup. Rather
11287 than continuing to itemize every header which changed,
11288 this changelog entry just notes that if a header file
11289 did not need another header file that it was including
11290 in order to provide its advertised functionality, the
11291 inclusion of the other header file was removed. See
11292 util/check-includes for how this was tested.
11294 145. [cleanup] Added <isc/lang.h> and ISC_LANG_BEGINDECLS/
11295 ISC_LANG_ENDDECLS to header files that had function
11296 prototypes, and removed it from those that did not.
11298 144. [cleanup] libdns header files too numerous to name were made
11299 to conform to the same style for multiple inclusion
11302 143. [func] Added function dns_rdatatype_isknown().
11304 142. [cleanup] <isc/stdtime.h> does not need <time.h> or
11307 141. [bug] Corrupt requests with multiple questions could
11308 cause an assertion failure.
11310 140. [cleanup] <isc/time.h> does not need <time.h> or <isc/result.h>.
11312 139. [cleanup] <isc/net.h> now includes <isc/types.h> instead of
11313 <isc/int.h> and <isc/result.h>.
11315 138. [cleanup] isc_strtouq moved from str.[ch] to string.[ch] and
11316 renamed isc_string_touint64. isc_strsep moved from
11317 strsep.c to string.c and renamed isc_string_separate.
11319 137. [cleanup] <isc/commandline.h>, <isc/mem.h>, <isc/print.h>
11320 <isc/serial.h>, <isc/string.h> and <isc/offset.h>
11321 made to conform to the same style for multiple
11322 inclusion protection.
11324 136. [cleanup] <isc/commandline.h>, <isc/interfaceiter.h>,
11325 <isc/net.h> and Win32's <isc/thread.h> needed
11326 ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS.
11328 135. [cleanup] Win32's <isc/condition.h> did not need <isc/result.h>
11329 or <isc/boolean.h>, now uses <isc/types.h> in place
11330 of <isc/time.h>, and needed ISC_LANG_BEGINDECLS
11331 and ISC_LANG_ENDDECLS.
11333 134. [cleanup] <isc/dir.h> does not need <limits.h>.
11335 133. [cleanup] <isc/ipv6.h> needs <isc/platform.h>.
11337 132. [cleanup] <isc/app.h> does not need <isc/task.h>, but does
11338 need <isc/eventclass.h>.
11340 131. [cleanup] <isc/mutex.h> and <isc/util.h> need <isc/result.h>
11341 for ISC_R_* codes used in macros.
11343 130. [cleanup] <isc/condition.h> does not need <pthread.h> or
11344 <isc/boolean.h>, and now includes <isc/types.h>
11345 instead of <isc/time.h>.
11347 129. [bug] The 'default_debug' log channel was not set up when
11348 'category default' was present in the config file
11350 128. [cleanup] <isc/dir.h> had ISC_LANG_BEGINDECLS instead of
11351 ISC_LANG_ENDDECLS at end of header.
11353 127. [cleanup] The contracts for the comparison routines
11354 dns_name_fullcompare(), dns_name_compare(),
11355 dns_name_rdatacompare(), and dns_rdata_compare() now
11356 specify that the order value returned is < 0, 0, or > 0
11357 instead of -1, 0, or 1.
11359 126. [cleanup] <isc/quota.h> and <isc/taskpool.h> need <isc/lang.h>.
11361 125. [cleanup] <isc/eventclass.h>, <isc/ipv6.h>, <isc/magic.h>,
11362 <isc/mutex.h>, <isc/once.h>, <isc/region.h>, and
11363 <isc/resultclass.h> do not need <isc/lang.h>.
11365 124. [func] signer now imports parent's zone key signature
11366 and creates null keys/sets zone status bit for
11367 children when necessary
11369 123. [cleanup] <isc/event.h> does not need <stddef.h>.
11371 122. [cleanup] <isc/task.h> does not need <isc/mem.h> or
11374 121. [cleanup] <isc/symtab.h> does not need <isc/mem.h> or
11375 <isc/result.h>. Multiple inclusion protection
11376 symbol fixed from ISC_SYMBOL_H to ISC_SYMTAB_H.
11377 isc_symtab_t moved to <isc/types.h>.
11379 120. [cleanup] <isc/socket.h> does not need <isc/boolean.h>,
11380 <isc/bufferlist.h>, <isc/task.h>, <isc/mem.h> or
11383 119. [cleanup] structure definitions for generic rdata structures do
11384 not have _generic_ in their names.
11386 118. [cleanup] libdns.a is now namespace-clean, on NetBSD, excepting
11387 YACC crust (yyparse, etc) [2000-apr-27 explorer]
11389 117. [cleanup] libdns.a changes:
11390 dns_zone_clearnotify() and dns_zone_addnotify()
11391 are replaced by dns_zone_setnotifyalso().
11392 dns_zone_clearmasters() and dns_zone_addmaster()
11393 are replaced by dns_zone_setmasters().
11395 116. [func] Added <isc/offset.h> for isc_offset_t (aka off_t
11398 115. [port] Shut up the -Wmissing-declarations warning about
11399 <stdio.h>'s __sputaux on BSD/OS pre-4.1.
11401 114. [cleanup] <isc/sockaddr.h> does not need <isc/buffer.h> or
11404 113. [func] Utility programs dig and host added.
11406 112. [cleanup] <isc/serial.h> does not need <isc/boolean.h>.
11408 111. [cleanup] <isc/rwlock.h> does not need <isc/result.h> or
11411 110. [cleanup] <isc/result.h> does not need <isc/boolean.h> or
11414 109. [bug] "make depend" did nothing for
11415 bin/tests/{db,mem,sockaddr,tasks,timers}/.
11417 108. [cleanup] DNS_SETBIT/DNS_GETBIT/DNS_CLEARBIT moved from
11418 <dns/types.h> to <dns/bit.h> and renamed to
11419 DNS_BIT_SET/DNS_BIT_GET/DNS_BIT_CLEAR.
11421 107. [func] Add keysigner and keysettool.
11423 106. [func] Allow dnssec verifications to ignore the validity
11424 period. Used by several of the dnssec tools.
11426 105. [doc] doc/dev/coding.html expanded with other
11427 implicit conventions the developers have used.
11429 104. [bug] Made compress_add and compress_find static to
11430 lib/dns/compress.c.
11432 103. [func] libisc buffer API changes for <isc/buffer.h>:
11434 isc_buffer_base(b) (pointer)
11435 isc_buffer_current(b) (pointer)
11436 isc_buffer_active(b) (pointer)
11437 isc_buffer_used(b) (pointer)
11438 isc_buffer_length(b) (int)
11439 isc_buffer_usedlength(b) (int)
11440 isc_buffer_consumedlength(b) (int)
11441 isc_buffer_remaininglength(b) (int)
11442 isc_buffer_activelength(b) (int)
11443 isc_buffer_availablelength(b) (int)
11445 ISC_BUFFER_USEDCOUNT(b)
11446 ISC_BUFFER_AVAILABLECOUNT(b)
11449 isc_buffer_used(b, r) ->
11450 isc_buffer_usedregion(b, r)
11451 isc_buffer_available(b, r) ->
11452 isc_buffer_available_region(b, r)
11453 isc_buffer_consumed(b, r) ->
11454 isc_buffer_consumedregion(b, r)
11455 isc_buffer_active(b, r) ->
11456 isc_buffer_activeregion(b, r)
11457 isc_buffer_remaining(b, r) ->
11458 isc_buffer_remainingregion(b, r)
11460 Buffer types were removed, so the ISC_BUFFERTYPE_*
11461 macros are no more, and the type argument to
11462 isc_buffer_init and isc_buffer_allocate were removed.
11463 isc_buffer_putstr is now void (instead of isc_result_t)
11464 and requires that the caller ensure that there
11465 is enough available buffer space for the string.
11467 102. [port] Correctly detect inet_aton, inet_pton and inet_ptop
11470 101. [cleanup] Quieted EGCS warnings from lib/isc/print.c.
11472 100. [cleanup] <isc/random.h> does not need <isc/int.h> or
11473 <isc/mutex.h>. isc_random_t moved to <isc/types.h>.
11475 99. [cleanup] Rate limiter now has separate shutdown() and
11476 destroy() functions, and it guarantees that all
11477 queued events are delivered even in the shutdown case.
11479 98. [cleanup] <isc/print.h> does not need <stdarg.h> or <stddef.h>
11480 unless ISC_PLATFORM_NEEDVSNPRINTF is defined.
11482 97. [cleanup] <isc/ondestroy.h> does not need <stddef.h> or
11485 96. [cleanup] <isc/mutex.h> does not need <isc/result.h>.
11487 95. [cleanup] <isc/mutexblock.h> does not need <isc/result.h>.
11489 94. [cleanup] Some installed header files did not compile as C++.
11491 93. [cleanup] <isc/msgcat.h> does not need <isc/result.h>.
11493 92. [cleanup] <isc/mem.h> does not need <stddef.h>, <isc/boolean.h>,
11496 91. [cleanup] <isc/log.h> does not need <sys/types.h> or
11499 90. [cleanup] Removed unneeded ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS
11500 from <named/listenlist.h>.
11502 89. [cleanup] <isc/lex.h> does not need <stddef.h>.
11504 88. [cleanup] <isc/interfaceiter.h> does not need <isc/result.h> or
11505 <isc/mem.h>. isc_interface_t and isc_interfaceiter_t
11506 moved to <isc/types.h>.
11508 87. [cleanup] <isc/heap.h> does not need <isc/boolean.h>,
11509 <isc/mem.h> or <isc/result.h>.
11511 86. [cleanup] isc_bufferlist_t moved from <isc/bufferlist.h> to
11514 85. [cleanup] <isc/bufferlist.h> does not need <isc/buffer.h>,
11515 <isc/list.h>, <isc/mem.h>, <isc/region.h> or
11518 84. [func] allow-query ACL checks now apply to all data
11519 added to a response.
11521 83. [func] If the server is authoritative for both a
11522 delegating zone and its (nonsecure) delegatee, and
11523 a query is made for a KEY RR at the top of the
11524 delegatee, then the server will look for a KEY
11525 in the delegator if it is not found in the delegatee.
11527 82. [cleanup] <isc/buffer.h> does not need <isc/list.h>.
11529 81. [cleanup] <isc/int.h> and <isc/boolean.h> do not need
11532 80. [cleanup] <isc/print.h> does not need <stdio.h> or <stdlib.h>.
11534 79. [cleanup] <dns/callbacks.h> does not need <stdio.h>.
11536 78. [cleanup] lwres_conftest renamed to lwresconf_test for
11537 consistency with other *_test programs.
11539 77. [cleanup] typedef of isc_time_t and isc_interval_t moved from
11540 <isc/time.h> to <isc/types.h>.
11542 76. [cleanup] Rewrote keygen.
11544 75. [func] Don't load a zone if its database file is older
11545 than the last time the zone was loaded.
11547 74. [cleanup] Removed mktemplate.o and ufile.o from libisc.a,
11548 subsumed by file.o.
11550 73. [func] New "file" API in libisc, including new function
11551 isc_file_getmodtime, isc_mktemplate renamed to
11552 isc_file_mktemplate and isc_ufile renamed to
11553 isc_file_openunique. By no means an exhaustive API,
11554 it is just what's needed for now.
11556 72. [func] DNS_RBTFIND_NOPREDECESSOR and DNS_RBTFIND_NOOPTIONS
11557 added for dns_rbt_findnode, the former to disable the
11558 setting of the chain to the predecessor, and the
11559 latter to make clear when no options are set.
11561 71. [cleanup] Made explicit the implicit REQUIREs of
11562 isc_time_seconds, isc_time_nanoseconds, and
11565 70. [func] isc_time_set() added.
11567 69. [bug] The zone object's master and also-notify lists grew
11568 longer with each server reload.
11570 68. [func] Partial support for SIG(0) on incoming messages.
11572 67. [performance] Allow use of alternate (compile-time supplied)
11573 OpenSSL libraries/headers.
11575 66. [func] Data in authoritative zones should have a trust level
11578 65. [cleanup] Removed obsolete typedef of dns_zone_callbackarg_t
11579 from <dns/types.h>.
11581 64. [func] The RBT, DB, and zone table APIs now allow the
11582 caller find the most-enclosing superdomain of
11585 63. [func] Generate NOTIFY messages.
11587 62. [func] Add UDP refresh support.
11589 61. [cleanup] Use single quotes consistently in log messages.
11591 60. [func] Catch and disallow singleton types on message
11594 59. [bug] Cause net/host unreachable to be a hard error
11595 when sending and receiving.
11597 58. [bug] bin/named/query.c could sometimes trigger the
11598 (client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
11599 == 0 assertion in query_newname().
11601 57. [func] Added dns_nxt_typepresent()
11603 56. [bug] SIG records were not properly returned in cached
11606 55. [bug] Responses containing multiple names in the authority
11607 section were not negatively cached.
11609 54. [bug] If a fetch with sigrdataset==NULL joined one with
11610 sigrdataset!=NULL or vice versa, the resolver
11611 could catch an assertion or lose signature data,
11614 53. [port] freebsd 4.0: lib/isc/unix/socket.c requires
11617 52. [bug] rndc: taskmgr and socketmgr were not initialized
11620 51. [cleanup] dns/compress.h and dns/zt.h did not need to include
11621 dns/rbt.h; it was needed only by compress.c and zt.c.
11623 50. [func] RBT deletion no longer requires a valid chain to work,
11624 and dns_rbt_deletenode was added.
11626 49. [func] Each cache now has its own mctx.
11628 48. [func] isc_task_create() no longer takes an mctx.
11629 isc_task_mem() has been eliminated.
11631 47. [func] A number of modules now use memory context reference
11634 46. [func] Memory contexts are now reference counted.
11635 Added isc_mem_inuse() and isc_mem_preallocate().
11636 Renamed isc_mem_destroy_check() to
11637 isc_mem_setdestroycheck().
11639 45. [bug] The trusted-key statement incorrectly loaded keys.
11641 44. [bug] Don't include authority data if it would force us
11642 to unset the AD bit in the message.
11644 43. [bug] DNSSEC verification of cached rdatasets was failing.
11646 42. [cleanup] Simplified logging of messages with embedded domain
11647 names by introducing a new convenience function
11650 41. [func] Use PR_SET_KEEPCAPS on Linux 2.3.99-pre3 and later
11651 to allow 'named' to run as a non-root user while
11652 retaining the ability to bind() to privileged
11655 40. [func] Introduced new logging category "dnssec" and
11656 logging module "dns/validator".
11658 39. [cleanup] Moved the typedefs for isc_region_t, isc_textregion_t,
11659 and isc_lex_t to <isc/types.h>.
11661 38. [bug] TSIG signed incoming zone transfers work now.
11663 37. [bug] If the first RR in an incoming zone transfer was
11664 not an SOA, the server died with an assertion failure
11665 instead of just reporting an error.
11667 36. [cleanup] Change DNS_R_SUCCESS (and others) to ISC_R_SUCCESS
11669 35. [performance] Log messages which are of a level too high to be
11670 logged by any channel in the logging configuration
11671 will not cause the log mutex to be locked.
11673 34. [bug] Recursion was allowed even with 'recursion no'.
11675 33. [func] The RBT now maintains a parent pointer at each node.
11677 32. [cleanup] bin/lwresd/client.c needs <string.h> for memset()
11680 31. [bug] Use ${LIBTOOL} to compile bin/named/main.@O@.
11682 30. [func] config file grammar change to support optional
11683 class type for a view.
11685 29. [func] support new config file view options:
11687 auth-nxdomain recursion query-source
11688 query-source-v6 transfer-source
11689 transfer-source-v6 max-transfer-time-out
11690 max-transfer-idle-out transfer-format
11691 request-ixfr provide-ixfr cleaning-interval
11692 fetch-glue notify rfc2308-type1 lame-ttl
11693 max-ncache-ttl min-roots
11695 28. [func] support lame-ttl, min-roots and serial-queries
11696 config global options.
11698 27. [bug] Only include <netinet6/in6.h> on BSD/OS 4.[01]*.
11699 Including it on other platforms (eg, NetBSD) can
11700 cause a forced #error from the C preprocessor.
11702 26. [func] new match-clients statement in config file view.
11704 25. [bug] make install failed to install <isc/log.h> and
11707 24. [cleanup] Eliminate some unnecessary #includes of header
11708 files from header files.
11710 23. [cleanup] Provide more context in log messages about client
11711 requests, using a new function ns_client_log().
11713 22. [bug] SIGs weren't returned in the answer section when
11714 the query resulted in a fetch.
11716 21. [port] Look at STD_CINCLUDES after CINCLUDES during
11717 compilation, so additional system include directories
11718 can be searched but header files in the bind9 source
11719 tree with conflicting names take precedence. This
11720 avoids issues with installed versions of dnssafe and
11723 20. [func] Configuration file post-load validation of zones
11724 failed if there were no zones.
11726 19. [bug] dns_zone_notifyreceive() failed to unlock the zone
11727 lock in certain error cases.
11729 18. [bug] Use AC_TRY_LINK rather than AC_TRY_COMPILE in
11730 configure.in to check for presence of in6addr_any.
11732 17. [func] Do configuration file post-load validation of zones.
11734 16. [bug] put quotes around key names on config file
11735 output to avoid possible keyword clashes.
11737 15. [func] Add dns_name_dupwithoffsets(). This function is
11738 improves comparison performance for duped names.
11740 14. [bug] free_rbtdb() could have 'put' unallocated memory in
11741 an unlikely error path.
11743 13. [bug] lib/dns/master.c and lib/dns/xfrin.c didn't ignore
11746 12. [bug] Fixed possible uninitialized variable error.
11748 11. [bug] axfr_rrstream_first() didn't check the result code of
11749 db_rr_iterator_first(), possibly causing an assertion
11750 to be triggered later.
11752 10. [bug] A bug in the code which makes EDNS0 OPT records in
11753 bin/named/client.c and lib/dns/resolver.c could
11754 trigger an assertion.
11756 9. [cleanup] replaced bit-setting code in confctx.c and replaced
11757 repeated code with macro calls.
11759 8. [bug] Shutdown of incoming zone transfer accessed
11762 7. [cleanup] removed 'listen-on' from view statement.
11764 6. [bug] quote RR names when generating config file to
11765 prevent possible clash with config file keywords
11768 5. [func] syntax change to named.conf file: new ssu grant/deny
11769 statements must now be enclosed by an 'update-policy'
11772 4. [port] bin/named/unix/os.c didn't compile on systems with
11773 linux 2.3 kernel includes due to conflicts between
11774 C library includes and the kernel includes. We now
11775 get only what we need from <linux/capability.h>, and
11776 avoid pulling in other linux kernel .h files.
11778 3. [bug] TKEYs go in the answer section of responses, not
11779 the additional section.
11781 2. [bug] Generating cryptographic randomness failed on
11782 systems without /dev/random.
11784 1. [bug] The installdirs rule in
11785 lib/isc/unix/include/isc/Makefile.in had a typo which
11786 prevented the isc directory from being created if it
11789 --- 9.0.0b2 released ---
11791 # This tells Emacs to use hard tabs in this file.
11793 # indent-tabs-mode: t