1 --- 9.9.8-P3 released ---
3 4288. [bug] Fixed a regression in resolver.c:possibly_mark()
4 which caused known-bogus servers to be queried
7 4285. [security] Specific APL data could trigger a INSIST.
8 (CVE-2015-8704) [RT #41396]
10 --- 9.9.8-P2 released ---
12 4270. [security] Update allowed OpenSSL versions as named is
13 potentially vulnerable to CVE-2015-3193.
15 4261. [maint] H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53.
18 4260. [security] Insufficient testing when parsing a message allowed
19 records with an incorrect class to be be accepted,
20 triggering a REQUIRE failure when those records
21 were subsequently cached. (CVE-2015-8000) [RT #40987]
23 4253. [security] Address fetch context reference count handling error
24 on socket error. (CVE-2015-8461) [RT#40945]
26 --- 9.9.8-P1 (withdrawn) ---
28 --- 9.9.8 released ---
30 --- 9.9.8rc1 released ---
32 4193. [bug] Handle broken servers that return BADVERS incorrectly.
35 4192. [bug] The default rrset-order of random was not always being
38 4191. [protocol] Accept DNS-SD non LDH PTR records in reverse zones
39 as per RFC 6763. [RT #37889]
41 4190. [protocol] Accept Active Diretory gc._msdcs.<forest> name as
42 valid with check-names. <forest> still needs to be
45 4189. [cleanup] Don't exit on overly long tokens in named.conf.
48 4188. [bug] Support HTTP/1.0 client properly on the statistics
51 4187. [func] When any RR type implementation doesn't
52 implement totext() for the RDATA's wire
53 representation and returns ISC_R_NOTIMPLEMENTED,
54 such RDATA is now printed in unknown
55 presentation format (RFC 3597). RR types affected
56 include LOC(29) and APL(42). [RT #40317].
58 4183. [cleanup] Use timing-safe memory comparisons in cryptographic
59 code. Also, the timing-safe comparison functions have
60 been renamed to avoid possible confusion with
61 memcmp(). Thanks to Loganaden Velvindron of
64 4182. [cleanup] Use mnemonics for RR class and type comparisons.
67 4181. [bug] Queued notify messages could be dequeued from the
68 wrong rate limiter queue. [RT #40350]
70 4179. [bug] Fix double frees in getaddrinfo() in libirs.
73 4178. [bug] Fix assertion failure in parsing UNSPEC(103) RR from
76 4177. [bug] Fix assertion failure in parsing NSAP records from
79 4176. [bug] Address race issues with lwresd. [RT #40284]
81 4175. [bug] TKEY with GSS-API keys needed bigger buffers.
84 4174. [bug] "dnssec-coverage -r" didn't handle time unit
85 suffixes correctly. [RT #38444]
87 4173. [bug] dig +sigchase was not properly matching the trusted
90 4172. [bug] Named / named-checkconf didn't handle a view of CLASS0.
93 4171. [bug] Fixed incorrect class checks in TSIG RR
94 implementation. [RT #40287]
96 4170. [security] An incorrect boundary check in the OPENPGPKEY
97 rdatatype could trigger an assertion failure.
98 (CVE-2015-5986) [RT #40286]
100 4169. [test] Added a 'wire_test -d' option to read input as
101 raw binary data, for use as a fuzzing harness.
104 4168. [security] A buffer accounting error could trigger an
105 assertion failure when parsing certain malformed
106 DNSSEC keys. (CVE-2015-5722) [RT #40212]
108 --- 9.9.8b1 released ---
110 4165. [security] A failure to reset a value to NULL in tkey.c could
111 result in an assertion failure. (CVE-2015-5477)
114 4164. [bug] Don't rename slave files and journals on out of memory.
117 4163. [bug] Address compiler warnings. [RT #40024]
119 4162. [bug] httpdmgr->flags was not being initialized. [RT #40017]
121 4159. [cleanup] Alphabetize dig's help output. [RT #39966]
123 4158. [protocol] Support the printing of EDNS COOKIE and EXPIRE options.
126 4154. [bug] A OPT record should be included with the FORMERR
127 response when there is a malformed EDNS option.
130 4153. [bug] Check that non significant ECS bits are zero on
133 4151. [bug] 'rndc flush' could cause a deadlock. [RT #39835]
135 4150. [bug] win32: listen-on-v6 { any; }; was not working. Apply
136 minimal fix. [RT #39667]
138 4149. [bug] Fixed a race condition in the getaddrinfo()
139 implementation in libirs. [RT #39899]
141 4148. [bug] Fix a bug when printing zone names with '/' character
142 in XML and JSON statistics output. [RT #39873]
144 4147. [bug] Filter-aaaa / filter-aaaa-on-v4 / filter-aaaa-on-v6
145 was returning referrals rather than nodata responses
146 when the AAAA records were filtered. [RT #39843]
148 4146. [bug] Address reference leak that could prevent a clean
149 shutdown. [RT #37125]
151 4145. [bug] Not all unassociated adb entries where being printed.
154 4143. [bug] serial-query-rate was not effective for notify.
157 4142. [bug] rndc addzone with view specified saved NZF config
158 that could not be read back by named. This has now
159 been fixed. [RT #39845]
161 4138. [security] An uninitialized value in validator.c could result
162 in an assertion failure. (CVE-2015-4620) [RT #39795]
164 4137. [bug] Make rndc reconfig report configuration errors the
165 same way rndc reload does. [RT #39635]
167 4132. [cleanup] dig: added +rd as a synonym for +recurse,
168 added +class as an unabbreviated alternative
171 4130. [bug] The compatibility shim for *printf() misprinted some
172 large numbers. [RT #39586]
174 4129. [port] Address API changes in OpenSSL 1.1.0. [RT #39532]
176 4128. [bug] Address issues raised by Coverity 7.6. [RT #39537]
178 4127. [protocol] CDS and CDNSKEY need to be signed by the key signing
179 key as per RFC 7344, Section 4.1. [RT #37215]
181 4123. [port] Added %z (size_t) format options to the portable
182 internal printf/sprintf implementation. [RT #39586]
184 4118. [bug] Teach isc-config.sh about irs. [RT #39213]
186 4117. [protocol] Add EMPTY.AS112.ARPA as per RFC 7534.
188 4113. [test] Check for Net::DNS is some system test
189 prerequisites. [RT #39369]
191 4112. [bug] Named failed to load when "root-delegation-only"
192 was used without a list of domains to exclude.
195 4111. [doc] Alphabetize rndc man page. [RT #39360]
197 4110. [bug] Address memory leaks / null pointer dereferences
198 on out of memory. [RT #39310]
200 4109. [port] linux: support reading the local port range from
201 net.ipv4.ip_local_port_range. [RT # 39379]
203 4107. [bug] Address potential deadlock when updating zone content.
206 4106. [port] Improve readline support. [RT #38938]
208 4105. [port] Misc fixes for Microsoft Visual Studio
209 2015 CTP6 in 64 bit mode. [RT #39308]
211 4104. [bug] Address uninitialized elements. [RT #39252]
213 4102. [bug] Fix a use after free bug introduced in change
216 4101. [bug] dig: the +split option didn't work with +short.
219 4100. [bug] Inherited owernames on the line immediately following
220 a $INCLUDE were not working. [RT #39268]
222 4099. [port] clang: make unknown commandline options hard errors
223 when determining what options are supported.
226 4098. [bug] Address use-after-free issue when using a
227 predecessor key with dnssec-settime. [RT #39272]
229 4097. [func] Add additional logging about xfrin transfer status.
232 4096. [bug] Fix a use after free of query->sendevent.
235 4094. [bug] A race during shutdown or reconfiguration could
236 cause an assertion in mem.c. [RT #38979]
238 4091. [cleanup] Some cleanups in isc mem code. [RT #38896]
240 4090. [bug] Fix a crash while parsing malformed CAA RRs in
241 presentation format, i.e., from text such as
242 from master files. Thanks to John Van de
243 Meulebrouck Brendgard for discovering and
244 reporting this problem. [RT #39003]
246 4089. [bug] Send notifies immediately for slave zones during
249 4088. [port] Fixed errors when building with libressl. [RT #38899]
251 4087. [bug] Fix a crash due to use-after-free due to sequencing
252 of tasks actions. [RT #38495]
254 4085. [bug] ISC_PLATFORM_HAVEXADDQ could be inconsistently set.
257 4084. [bug] Fix a possible race in updating stats counters.
260 4082. [bug] Incrementally sign large inline zone deltas.
263 4081. [cleanup] Use dns_rdatalist_init consistently. [RT #38759]
265 4077. [test] Add static-stub regression test for DS NXDOMAIN
266 return making the static stub disappear. [RT #38564]
268 4076. [bug] Named could crash on shutdown with outstanding
269 reload / reconfig events. [RT #38622]
271 4075. [bug] Increase nsupdate's input buffer to accomodate
272 very large RRs. [RT #38689]
274 4074. [cleanup] Cleaned up more warnings from gcc -Wshadow. [RT #38708]
276 4073. [cleanup] Add libjson-c version number reporting to
277 "named -V"; normalize version number formatting.
280 4072. [func] Add a --enable-querytrace configure switch for
281 very verbose query trace logging. (This option
282 has a negative performance impact and should be
283 used only for debugging.) [RT #37520]
285 4070. [bug] Fix a segfault in nslookup in a query such as
286 "nslookup isc.org AMS.SNS-PB.ISC.ORG -all".
289 4069. [doc] Reorganize options in the nsupdate man page.
292 4067. [cleanup] Reduce noise from RRL when query logging is
293 disabled. [RT #38648]
295 4066. [doc] Reorganize options in the dig man page. [RT #38516]
297 4064. [contrib] dnssec-keyset.sh: Generates a specified number
298 of DNSSEC keys with timing set to implement a
299 pre-publication key rollover strategy. Thanks
300 to Jeffry A. Spain. [RT #38459]
302 4063. [bug] Asynchronous zone loads were not handled
303 correctly when the zone load was already in
304 progress; this could trigger a crash in zt.c.
307 4062. [bug] Fix an out-of-bounds read in RPZ code. If the
308 read succeeded, it doesn't result in a bug
309 during operation. If the read failed, named
310 could segfault. [RT #38559]
312 3938. [func] Added quotas to be used in recursive resolvers
313 that are under high query load for names in zones
314 whose authoritative servers are nonresponsive or
315 are experiencing a denial of service attack.
317 - "fetches-per-server" limits the number of
318 simultaneous queries that can be sent to any
319 single authoritative server. The configured
320 value is a starting point; it is automatically
321 adjusted downward if the server is partially or
322 completely non-responsive. The algorithm used to
323 adjust the quota can be configured via the
324 "fetch-quota-params" option.
325 - "fetches-per-zone" limits the number of
326 simultaneous queries that can be sent for names
327 within a single domain. (Note: Unlike
328 "fetches-per-server", this value is not
330 - New stats counters have been added to count
331 queries spilled due to these quotas.
333 These options are not available by default;
334 use "configure --enable-fetchlimit" (or
335 --enable-developer) to include them in the build.
337 See the ARM for details of these options. [RT #37125]
339 3937. [func] Added some debug logging to better indicate the
340 conditions causing SERVFAILs when resolving.
343 --- 9.9.7 released ---
345 --- 9.9.7rc2 released ---
347 4061. [bug] Handle timeout in legacy system test. [RT #38573]
349 4060. [bug] dns_rdata_freestruct could be called on a
350 uninitialized structure when handling a error.
353 4059. [bug] Addressed valgrind warnings. [RT #38549]
355 4058. [bug] UDP dispatches could use the wrong pseudorandom
356 number generator context. [RT #38578]
358 4056. [bug] Fixed several small bugs in automatic trust anchor
359 management, including a memory leak and a possible
360 loss of key state information. [RT #38458]
362 4057. [bug] 'dnssec-dsfromkey -T 0' failed to add ttl field.
365 4053. [security] Revoking a managed trust anchor and supplying
366 an untrusted replacement could cause named
367 to crash with an assertion failure.
368 (CVE-2015-1349) [RT #38344]
370 4052. [bug] Fix a leak of query fetchlock. [RT #38454]
372 4050. [bug] RPZ could send spurious SERVFAILs in response
373 to duplicate queries. [RT #38510]
375 4049. [bug] CDS and CDNSKEY had the wrong attributes. [RT #38491]
377 4048. [bug] adb hash table was not being grown. [RT #38470]
379 --- 9.9.7rc1 released ---
381 4047. [cleanup] "named -V" now reports the current running versions
382 of OpenSSL and the libxml2 libraries, in addition to
383 the versions that were in use at build time.
385 4046. [bug] Accounting of "total use" in memory context
386 statistics was not correct. [RT #38370]
388 4045. [bug] Skip to next master on dns_request_createvia4 failure.
391 4044. [bug] Change 3955 was not complete, resulting in an assertion
392 failure if the timing was just right. [RT #38352]
394 4039. [cleanup] Cleaned up warnings from gcc -Wshadow. [RT #37381]
396 4038. [bug] Add 'rpz' flag to node and use it to determine whether
397 to call dns_rpz_delete. This should prevent unbalanced
398 add / delete calls. [RT #36888]
400 4037. [bug] also-notify was ignoring the tsig key when checking
401 for duplicates resulting in some expected notify
402 messages not being sent. [RT #38369]
404 4035. [bug] Close temporary and NZF FILE pointers before moving
405 the former into the latter's place, as required on
408 4032. [bug] Built-in "empty" zones did not correctly inherit the
409 "allow-transfer" ACL from the options or view.
412 4031. [bug] named-checkconf -z failed to report a missing file
413 with a hint zone. [RT #38294]
415 4028. [bug] $GENERATE with a zero step was not being caught as a
416 error. A $GENERATE with a / but no step was not being
417 caught as a error. [RT #38262]
419 3973. [test] Added hooks for Google Performance Tools CPU profiler,
420 including real-time/wall-clock profiling. Use
421 "configure --with-gperftools-profiler" to enable.
424 --- 9.9.7b1 released ---
426 4027. [port] Net::DNS 0.81 compatibility. [RT #38165]
428 4026. [bug] Fix RFC 3658 reference in dig +sigchase. [RT #38173]
430 4025. [port] bsdi: failed to build. [RT #38047]
432 4024. [bug] dns_rdata_opt_first, dns_rdata_opt_next,
433 dns_rdata_opt_current, dns_rdata_txt_first,
434 dns_rdata_txt_next and dns_rdata_txt_current were
435 documented but not implemented. These have now been
438 dns_rdata_spf_first, dns_rdata_spf_next and
439 dns_rdata_spf_current were documented but not
440 implemented. The prototypes for these
441 functions have been removed. [RT #38068]
443 4023. [bug] win32: socket handling with explicit ports and
444 invoking named with -4 was broken for some
445 configurations. [RT #38068]
447 4021. [bug] Adjust max-recursion-queries to accommodate
448 the need for more queries when the cache is
451 4020. [bug] Change 3736 broke nsupdate's SOA MNAME discovery
452 resulting in updates being sent to the wrong server.
455 4019. [func] If named is not configured to validate the answer
456 then allow fallback to plain DNS on timeout even
457 when we know the server supports EDNS. [RT #37978]
459 4018. [bug] Fall back to plain DNS when EDNS queries are being
460 dropped was failing. [RT #37965]
462 4017. [test] Add system test to check lookups to legacy servers
463 with broken DNS behavior. [RT #37965]
465 4016. [bug] Fix a dig segfault due to bad linked list usage.
468 4015. [bug] Nameservers that are skipped due to them being
469 CNAMEs were not being logged. They are now logged
470 to category 'cname' as per BIND 8. [RT #37935]
472 4014. [bug] When including a master file origin_changed was
473 not being properly set leading to a potentially
474 spurious 'inherited owner' warning. [RT #37919]
476 4012. [bug] Check returned status of OpenSSL digest and HMAC
477 functions when they return one. Note this applies
478 only to FIPS capable OpenSSL libraries put in
479 FIPS mode and MD5. [RT #37944]
481 4011. [bug] master's list port inheritance was not properly
482 implemented. [RT #37792]
484 4007. [doc] Remove acl forward reference restriction. [RT #37772]
486 4006. [security] A flaw in delegation handling could be exploited
487 to put named into an infinite loop. This has
488 been addressed by placing limits on the number
489 of levels of recursion named will allow (default 7),
490 and the number of iterative queries that it will
491 send (default 50) before terminating a recursive
492 query (CVE-2014-8500).
494 The recursion depth limit is configured via the
495 "max-recursion-depth" option, and the query limit
496 via the "max-recursion-queries" option. [RT #37580]
498 4004. [bug] When delegations had AAAA glue but not A, a
499 reference could be leaked causing an assertion
500 failure on shutdown. [RT #37796]
502 4000. [bug] NXDOMAIN redirection incorrectly handled NXRRSET
503 from the redirect zone. [RT #37722]
505 3998. [bug] isc_radix_search was returning matches that were
506 too precise. [RT #37680]
508 3997. [protocol] Add OPENGPGKEY record. [RT# 37671]
510 3996. [bug] Address use after free on out of memory error in
511 keyring_add. [RT #37639]
513 3995. [bug] receive_secure_serial holds the zone lock for too
516 3990. [testing] Add tests for unknown DNSSEC algorithm handling.
519 3989. [cleanup] Remove redundant dns_db_resigned calls. [RT #35748]
521 3987. [func] Handle future Visual Studio 14 incompatible changes.
524 3986. [doc] Add the BIND version number to page footers
525 in the ARM. [RT #37398]
527 3985. [doc] Describe how +ndots and +search interact in dig.
530 3982. [doc] Include release notes in product documentation.
533 3981. [bug] Cache DS/NXDOMAIN independently of other query types.
536 3978. [test] Added a unit test for Diffie-Hellman key
537 computation, completing change #3974. [RT #37477]
539 3976. [bug] When refreshing managed-key trust anchors, clear
540 any cached trust so that they will always be
541 revalidated with the current set of secure
544 3974. [bug] Handle DH_compute_key() failure correctly in
545 openssldh_link.c. [RT #37477]
547 3972. [bug] Fix host's usage statement. [RT #37397]
549 3971. [bug] Reduce the cascading failures due to a bad $TTL line
550 in named-checkconf / named-checkzone. [RT #37138]
552 3970. [contrib] Fixed a use after free bug in the SDB LDAP driver.
555 3968. [bug] Silence spurious log messages when using 'named -[46]'.
558 3967. [test] Add test for inlined signed zone in multiple views
559 with different DNSKEY sets. [RT #35759]
561 3966. [bug] Missing dns_db_closeversion call in receive_secure_db.
564 3962. [bug] 'dig +topdown +trace +sigchase' address unhandled error
565 conditions. [RT #34663]
567 3961. [bug] Forwarding of SIG(0) signed UPDATE messages failed with
570 3960. [bug] 'dig +sigchase' could loop forever. [RT #37220]
572 3959. [bug] Updates could be lost if they arrived immediately
573 after a rndc thaw. [RT #37233]
575 3958. [bug] Detect when writeable files have multiple references
576 in named.conf. [RT #37172]
578 3957. [bug] "dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256
579 and ECDSAP384SHA384. [RT #37183]
581 3955. [bug] Notify messages due to changes are no longer queued
582 behind startup notify messages. [RT #24454]
584 3954. [bug] Unchecked mutex init in dlz_dlopen_driver.c [RT #37112]
586 3953. [bug] Don't escape semi-colon in TXT fields. [RT #37159]
588 3952. [bug] dns_name_fullcompare failed to set *nlabelsp when the
589 two name pointers were the same. [RT #37176]
591 --- 9.9.6 released ---
593 3950. [port] Changed the bin/python Makefile to work around a
594 bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993]
596 --- 9.9.6rc2 released ---
598 3947. [cleanup] Set the executable bit on libraries when using
601 3946. [cleanup] Improved "configure" search for a python interpreter.
604 3945. [bug] Invalid wildcard expansions could be incorrectly
605 accepted by the validator. [RT #37093]
607 3944. [test] Added a regression test for "server-id". [RT #37057]
609 3942. [bug] Wildcard responses from a optout range should be
610 marked as insecure. [RT #37072]
612 3941. [doc] Include the BIND version number in the ARM. [RT #37067]
614 --- 9.9.6rc1 released ---
616 3933. [bug] Corrected the implementation of dns_rdata_casecompare()
617 for the HIP rdata type. [RT #36911]
619 3932. [test] Improved named-checkconf tests. [RT #36911]
621 3931. [cleanup] Cleanup how dlz grammar is defined. [RT #36879]
623 3929. [bug] 'host -a' needed to clear idnoptions. [RT #36963]
625 3928. [test] Improve rndc system test. [RT #36898]
627 3925. [bug] DS lookup of RFC 1918 empty zones failed. [RT #36917]
629 3924. [bug] Improve 'rndc addzone' error reporting. [RT #35187]
631 3923. [bug] Sanity check the xml2-config output. [RT #22246]
633 3922. [bug] When resigning, dnssec-signzone was removing
634 all signatures from delegation nodes. It now
635 retains DS and (if applicable) NSEC signatures.
638 3921. [bug] AD was inappropriately set on RPZ responses. [RT #36833]
640 3919. [bug] dig: continue to next line if a address lookup fails
641 in batch mode. [RT #36755]
643 3918. [doc] Update check-spf documentation. [RT #36910]
645 3917. [bug] dig, nslookup and host now continue on names that are
646 too long after applying a search list elements.
649 3916. [contrib] zone2sqlite checked wrong result code. Address
650 compiler warnings. [RT #36931]
652 --- 9.9.6b2 released ---
654 3914. [bug] Allow the URI target and CAA value fields to
655 be zero length. [RT #36737]
657 3913. [bug] Address race issue in dispatch. [RT #36731]
659 3910. [bug] Fix races to free event during shutdown. [RT #36720]
661 3909. [bug] When computing the number of elements required for a
662 acl count_acl_elements could have a short count leading
663 to a assertion failure. Also zero out new acl elements
664 in dns_acl_merge. [RT #36675]
666 3908. [bug] rndc now differentiates between a zone in multiple
667 views and a zone that doesn't exist at all. [RT #36691]
669 3907. [cleanup] Alphabetize rndc help. [RT #36683]
671 3906. [protocol] Update URI record format to comply with
672 draft-faltstrom-uri-08. [RT #36642]
674 3905. [bug] Address deadlock between view.c and adb.c. [RT #36341]
676 3904. [func] Add the RPZ SOA to the additional section. [RT36507]
678 3903. [bug] Improve the accuracy of DiG's reported round trip
681 3902. [bug] liblwres wasn't handling link-local addresses in
682 nameserver clauses in resolv.conf. [RT #36039]
684 3901. [protocol] Added support for CAA record type (RFC 6844).
687 3900. [bug] Fix a crash in PostgreSQL DLZ driver. [RT #36637]
689 3899. [bug] "request-ixfr" is only applicable to slave and redirect
692 3898. [bug] Too small a buffer in tohexstr() calls in test code.
695 3894. [bug] Buffers in isc_print_vsnprintf were not properly
696 initialized leading to potential overflows when
697 printing out quad values. [RT #36505]
699 3892. [bug] Setting '-t aaaa' in .digrc had unintended side
702 3891. [bug] Use ${INSTALL_SCRIPT} rather than ${INSTALL_PROGRAM}
703 to install python programs.
705 3890. [bug] RRSIG sets that were not loaded in a single transaction
706 at start up where not being correctly added to
707 re-signing heaps. [RT #36302]
709 3889. [port] hurd: configure fixes as per:
710 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746540
712 3887. [cleanup] Make all static symbols in rbtdb64 end in "64" so
713 they are easier to use in a debugger. [RT #36373]
715 --- 9.9.6b1 released ---
717 3885. [port] Use 'open()' rather than 'file()' to open files in
720 3884. [protocol] Add CDS and CDNSKEY record types. [RT #36333]
722 3881. [bug] Address memory leak with UPDATE error handling.
725 3880. [test] Update ans.pl to work with new TSIG support in
726 Net::DNS; add additional Net::DNS version prerequisite
729 3879. [func] Add version printing option to various BIND utilities.
732 3878. [bug] Using the incorrect filename for a DLZ module
733 caused a segmentation fault on startup. [RT #36286]
735 3874. [test] Check that only "check-names master" is needed for
736 updates to be accepted.
738 3873. [protocol] Only warn for SPF without TXT spf record. [RT #36210]
740 3872. [bug] Address issues found by static analysis. [RT #36209]
742 3871. [bug] Don't publish an activated key automatically before
743 its publish time. [RT #35063]
749 3868. [bug] isc_mem_setwater incorrectly cleared hi_called
750 potentially leaving over memory cleaner running.
753 3866. [bug] Named could die on disk full in generate_session_key.
756 3864. [bug] RPZ didn't work well when being used as forwarder.
759 3862. [cleanup] Return immediately if we are not going to log the
760 message in ns_client_dumpmessage.
762 3861. [bug] Benign missing isc_buffer_availablelength check in
763 dns_message_pseudosectiontotext. [RT #36078]
765 3860. [bug] ioctl(DP_POLL) array size needs to be determined
766 at run time as it is limited to {OPEN_MAX}.
769 3858. [bug] Disable GCC 4.9 "delete null pointer check".
772 3857. [bug] Make it harder for a incorrect NOEDNS classification
773 to be made. [RT #36020]
775 3855. [bug] Limit smoothed round trip time aging to no more than
776 once a second. [RT #32909]
778 3854. [cleanup] Report unrecognized options, if any, in the final
779 configure summary. [RT #36014]
781 3853. [cleanup] Refactor dns_rdataslab_fromrdataset to separate out
782 the handling of a rdataset with no records. [RT #35968]
784 3849. [doc] Alphabetized dig's +options. [RT #35992]
786 3847. [bug] 'configure --with-dlz-postgres' failed to fail when
787 there is not support available.
789 3846. [bug] "dig +notcp ixfr=<serial>" should result in a UDP
790 ixfr query. [RT #35980]
792 3844. [bug] Use the x64 version of the Microsoft Visual C++
793 Redistributable when built for 64 bit Windows.
796 3843. [protocol] Check EDNS EXPIRE option in dns_rdata_fromwire.
799 3842. [bug] Adjust RRL log-only logging category. [RT #35945]
801 3841. [cleanup] Refactor zone.c:add_opt to use dns_message_buildopt.
804 3840. [port] Check for arc4random_addrandom() before using it;
805 it's been removed from OpenBSD 5.5. [RT #35907]
807 3839. [test] Use only posix-compatible shell in system tests.
810 3838. [protocol] EDNS EXPIRE as been assigned a code point of 9.
812 3836. [bug] Address C++ keyword usage in header file.
814 3834. [bug] The re-signing heaps were not being updated soon enough
815 leading to multiple re-generations of the same RRSIG
816 when a zone transfer was in progress. [RT #35273]
818 3833. [bug] Cross compiling was broken due to calling genrandom at
819 build time. [RT #35869]
821 3827. [contrib] The example DLZ driver (a version of which is
822 also used in the dlzexternal system test) could
823 use absolute names as relative. [RT #35802]
825 3826. [bug] Corrected bad INSIST logic in isc_radix_remove().
828 3825. [bug] Address sign extension bug in isc_regex_validate.
831 3824. [bug] A collision between two flag values could cause
832 problems with cache cleaning. [RT #35858]
834 3822. [bug] Log the correct type of static-stub zones when
835 removing them. [RT #35842]
837 3819. [bug] NSEC3 hashes need to be able to be entered and
838 displayed without padding. This is not a issue for
839 currently defined algorithms but may be for future
840 hash algorithms. [RT #27925]
842 3818. [bug] Stop lying to the optimizer that 'void *arg' is a
843 constant in isc_event_allocate.
845 3815. [doc] Clarify "nsupdate -y" usage in man page. [RT #35808]
847 3809. [doc] Fix NSID documentation.
849 3807. [bug] Fix sign extension bug in dns_name_fromtext when
850 lowercase is set. [RT #35743]
852 3806. [test] Improved system test portability. [RT #35625]
854 3805. [contrib] Added contrib/perftcpdns, a performance testing tool
855 for DNS over TCP. [RT #35710]
857 3804. [bug] Corrected a race condition in dispatch.c in which
858 portentry could be reset leading to an assertion
859 failure in socket_search(). (Change #3708
860 addressed the same issue but was incomplete.)
863 3803. [bug] "named-checkconf -z" incorrectly rejected zones
864 using alternate data sources for not having a "file"
867 3802. [bug] Various header files were not being installed.
869 3801. [port] Fix probing for gssapi support on FreeBSD. [RT #35615]
871 3799. [bug] Improve named's command line error reporting.
874 3796. [bug] Register dns error codes. [RT #35629]
876 3795. [bug] Make named-checkconf detect raw masterfiles for
877 hint zones and reject them. [RT #35268]
879 3794. [maint] Added AAAA for C.ROOT-SERVERS.NET.
881 3793. [bug] zone.c:save_nsec3param() could assert when out of
884 3792. [func] Provide links to the alternate statistics views when
885 displaying in a browser. [RT #35605]
887 3791. [bug] solaris: remove extraneous return. [RT #35589]
889 3787. [bug] The code that checks whether "auto-dnssec" is
890 allowed was ignoring "allow-update" ACLs set at
891 the options or view level. [RT #29536]
893 3780. [bug] $GENERATE handled negative numbers incorrectly.
896 3779. [cleanup] Clarify the error message when using an option
897 that was not enabled at compile time. [RT #35504]
899 3778. [bug] Log a warning when the wrong address family is
900 used in "listen-on" or "listen-on-v6". [RT #17848]
902 3775. [bug] dlz_dlopen driver could return the wrong error
903 code on API version mismatch, leading to a segfault.
906 3773. [func] "host", "nslookup" and "nsupdate" now have
907 options to print the version number and exit.
910 3770. [bug] "dig +trace" could fail with an assertion when it
911 needed to fall back to TCP due to a truncated
912 response. [RT #24660]
914 3769. [doc] Improved documentation of "rndc signing -list".
917 3768. [bug] "dnssec-checkds" was missing the SHA-384 digest
918 algorithm. [RT #34000]
920 3767. [func] Log explicitly when using rndc.key to configure
921 command channel. [RT #35316]
923 3765. [bug] Fixed a bug in "rndc secroots" that could crash
924 named when dumping an empty keynode. [RT #35469]
926 3764. [bug] The dnssec-keygen/settime -S and -i options
927 (to set up a successor key and set the prepublication
928 interval) were missing from dnssec-keyfromlabel.
931 3761. [bug] Address dangling reference bug in dns_keytable_add.
934 3757. [port] Enable Python tools (dnssec-coverage,
935 dnssec-checkds) to run on Windows. [RT #34355]
937 3756. [bug] GSSAPI Kerberos realm checking was broken in
938 check_config leading to spurious messages being
941 3754. [cleanup] win32: Installer now places files in the
942 Program Files area rather than system services.
945 3753. [bug] allow-notify was ignoring keys. [RT #35425]
947 3751. [tuning] The default setting for the -U option (setting
948 the number of UDP listeners per interface) has
949 been adjusted to improve performance. [RT #35417]
951 3747. [bug] A race condition could lead to a core dump when
952 destroying a resolver fetch object. [RT #35385]
954 3743. [bug] delegation-only flag wasn't working in forward zone
955 declarations despite being documented. This is
956 needed to support turning off forwarding and turning
957 on delegation only at the same name. [RT #35392]
959 3742. [port] linux: libcap support: declare curval at start of
962 3740. [contrib] Minor fixes to configure --with-dlz-bdb,
963 --with-dlz-postgres and --with-dlz-odbc. [RT #35340]
965 3737. [bug] 'rndc retransfer' could trigger a assertion failure
966 with inline zones. [RT #35353]
968 3736. [bug] nsupdate: When specifying a server by name,
969 fall back to alternate addresses if the first
970 address for that name is not reachable. [RT #25784]
972 3734. [bug] Improve building with libtool. [RT #35314]
974 3732. [contrib] Fixed a type mismatch causing the ODBC DLZ
975 driver to dump core on 64-bit systems. [RT #35324]
977 3731. [func] Added a "no-case-compress" ACL, which causes
978 named to use case-insensitive compression
979 (disabling change #3645) for specified
980 clients. (This is useful when dealing
981 with broken client implementations that
982 use case-sensitive name comparisons,
983 rejecting responses that fail to match the
984 capitalization of the query that was sent.)
987 3730. [cleanup] Added "never" as a synonym for "none" when
988 configuring key event dates in the dnssec tools.
991 3729. [bug] dnssec-keygen could set the publication date
992 incorrectly when only the activation date was
993 specified on the command line. [RT #35278]
995 3724. [bug] win32: Fixed a bug that prevented dig and
996 host from exiting properly after completing
997 a UDP query. [RT #35288]
999 3720. [bug] Address compiler warnings. [RT #35261]
1001 3719. [bug] Address memory leak in in peer.c. [RT #35255]
1003 3718. [bug] A missing ISC_LINK_INIT in log.c. [RT #35260]
1005 3714. [test] System tests that need to test for cryptography
1006 support before running can now use a common
1007 "testcrypto.sh" script to do so. [RT #35213]
1009 3713. [bug] Save memory by not storing "also-notify" addresses
1010 in zone objects that are configured not to send
1011 notify requests. [RT #35195]
1013 --- 9.9.5 released ---
1015 --- 9.9.5rc2 released ---
1017 3710. [bug] Address double dns_zone_detach when switching to
1018 using automatic empty zones from regular zones.
1021 3709. [port] Use built-in versions of strptime() and timegm()
1022 on all platforms to avoid portability issues.
1025 3708. [bug] Address a portentry locking issue in dispatch.c.
1028 3707. [bug] irs_resconf_load now returns ISC_R_FILENOTFOUND
1029 on a missing resolv.conf file and initializes the
1030 structure as if it had been configured with:
1033 nameserver 127.0.0.1
1035 Note: Callers will need to be updated to treat
1036 ISC_R_FILENOTFOUND as a qualified success or else
1037 they will leak memory. The following code fragment
1038 will work with both old and new versions without
1039 changing the behaviour of the existing code.
1042 result = irs_resconf_load(mctx, "/etc/resolv.conf",
1044 if (result != ISC_SUCCESS) {
1045 if (resconf != NULL)
1046 irs_resconf_destroy(&resconf);
1052 3706. [contrib] queryperf: Fixed a possible integer overflow when
1053 printing results. [RT #35182]
1055 3704. [protocol] Accept integer timestamps in RRSIG records. [RT #35185]
1057 --- 9.9.5rc1 released ---
1059 3701. [func] named-checkconf can now obscure shared secrets
1060 when printing by specifying '-x'. [RT #34465]
1062 3699. [bug] Improvements to statistics channel XSL stylesheet:
1063 the stylesheet can now be cached by the browser;
1064 section headers are omitted from the stats display
1065 when there is no data in those sections to be
1066 displayed; counters are now right-justified for
1067 easier readability. (Only available with
1068 configure --enable-newstats.) [RT #35117]
1070 3698. [cleanup] Replaced all uses of memcpy() with memmove().
1073 3697. [bug] Handle "." as a search list element when IDN support
1074 is enabled. [RT #35133]
1076 3696. [bug] dig failed to handle AXFR style IXFR responses which
1077 span multiple messages. [RT #35137]
1079 3695. [bug] Address a possible race in dispatch.c. [RT #35107]
1081 3694. [bug] Warn when a key-directory is configured for a zone,
1082 but does not exist or is not a directory. [RT #35108]
1084 3693. [security] memcpy was incorrectly called with overlapping
1085 ranges resulting in malformed names being generated
1086 on some platforms. This could cause INSIST failures
1087 when serving NSEC3 signed zones (CVE-2014-0591).
1090 3692. [bug] Two calls to dns_db_getoriginnode were fatal if there
1091 was no data at the node. [RT #35080]
1093 3690. [bug] Iterative responses could be missed when the source
1094 port for an upstream query was the same as the
1095 listener port (53). [RT #34925]
1097 3689. [bug] Fixed a bug causing an insecure delegation from one
1098 static-stub zone to another to fail with a broken
1099 trust chain. [RT #35081]
1101 --- 9.9.5b1 released ---
1103 3688. [bug] loadnode could return a freed node on out of memory.
1106 3687. [bug] Address null pointer dereference in zone_xfrdone.
1109 3686. [func] "dnssec-signzone -Q" drops signatures from keys
1110 that are still published but no longer active.
1113 3685. [bug] "rndc refresh" didn't work correctly with slave
1114 zones using inline-signing. [RT #35105]
1116 3683. [cleanup] Add a more detailed "not found" message to rndc
1117 commands which specify a zone name. [RT #35059]
1119 3682. [bug] Correct the behavior of rndc retransfer to allow
1120 inline-signing slave zones to retain NSEC3 parameters
1121 instead of reverting to NSEC. [RT #34745]
1123 3681. [port] Update the Windows build system to support feature
1124 selection and WIN64 builds. This is a work in
1125 progress. [RT #34160]
1127 3679. [bug] dig could fail to clean up TCP sockets still
1128 waiting on connect(). [RT #35074]
1130 3678. [port] Update config.guess and config.sub. [RT #35060]
1132 3677. [bug] 'nsupdate' leaked memory if 'realm' was used multiple
1135 3676. [bug] "named-checkconf -z" now checks zones of type
1136 hint and redirect as well as master. [RT #35046]
1138 3675. [misc] Provide a place for third parties to add version
1139 information for their extensions in the version
1140 file by setting the EXTENSIONS variable.
1142 3674. [bug] RPZ zeroed ttls if the query type was '*'. [RT #35026]
1144 3672. [func] Local address can now be specified when using
1145 dns_client API. [RT #34811]
1147 3671. [bug] Don't allow dnssec-importkey overwrite a existing
1148 non-imported private key.
1150 3670. [bug] Address read after free in server side of
1151 lwres_getrrsetbyname. [RT #29075]
1153 3669. [port] freebsd: --with-gssapi needs -lhx509. [RT #35001]
1155 3668. [bug] Fix cast in lex.c which could see 0xff treated as eof.
1158 3667. [test] dig: add support to keep the TCP socket open between
1159 successive queries (+[no]keepopen). [RT #34918]
1161 3665. [bug] Failure to release lock on error in receive_secure_db.
1164 3664. [bug] Updated OpenSSL PKCS#11 patches to fix active list
1165 locking and other bugs. [RT #34855]
1167 3663. [bug] Address bugs in dns_rdata_fromstruct and
1168 dns_rdata_tostruct for WKS and ISDN types. [RT #34910]
1170 3662. [bug] 'host' could die if a UDP query timed out. [RT #34870]
1172 3661. [bug] Address lock order reversal deadlock with inline zones.
1175 3660. [cleanup] Changed the name of "isc-config.sh" to "bind9-config".
1178 3659. [port] solaris: don't add explicit dependencies/rules for
1179 python programs as make won't use the implicit rules.
1182 3658. [port] linux: Address platform specific compilation issue
1183 when libcap-devel is installed. [RT #34838]
1185 3657. [port] Some readline clones don't accept NULL pointers when
1186 calling add_history. [RT #34842]
1188 3656. [security] Treat an all zero netmask as invalid when generating
1189 the localnets acl. (The prior behavior could
1190 allow unexpected matches when using some versions
1191 of Winsock: CVE-2013-6320.) [RT #34687]
1193 3655. [cleanup] Simplify TCP message processing when requesting a
1194 zone transfer. [RT #34825]
1196 3654. [bug] Address race condition with manual notify requests.
1199 3653. [func] Create delegations for all "children" of empty zones
1200 except "forward first". [RT #34826]
1202 3651. [tuning] Adjust when a master server is deemed unreachable.
1205 3650. [tuning] Use separate rate limiting queues for refresh and
1206 notify requests. [RT #30589]
1208 3649. [cleanup] Include a comment in .nzf files, giving the name of
1209 the associated view. [RT #34765]
1211 3648. [test] Updated the ATF test framework to version 0.17.
1214 3647. [bug] Address a race condition when shutting down a zone.
1217 3646. [bug] Journal filename string could be set incorrectly,
1218 causing garbage in log messages. [RT #34738]
1220 3645. [protocol] Use case sensitive compression when responding to
1221 queries. [RT #34737]
1223 3644. [protocol] Check that EDNS subnet client options are well formed.
1226 3642. [func] Allow externally generated DNSKEY to be imported
1227 into the DNSKEY management framework. A new tool
1228 dnssec-importkey is used to do this. [RT #34698]
1230 3641. [bug] Handle changes to sig-validity-interval settings
1233 3640. [bug] ndots was not being checked when searching. Only
1234 continue searching on NXDOMAIN responses. Add the
1235 ability to specify ndots to nslookup. [RT #34711]
1237 3639. [bug] Treat type 65533 (KEYDATA) as opaque except when used
1238 in a key zone. [RT #34238]
1240 --- 9.9.4 released ---
1242 3643. [doc] Clarify RRL "slip" documentation.
1244 3638. [cleanup] Add the ability to handle ENOPROTOOPT in case it is
1245 encountered. [RT #34668]
1247 --- 9.9.4rc2 released ---
1249 3637. [bug] 'allow-query-on' was checking the source address
1250 rather than the destination address. [RT #34590]
1252 3636. [bug] Automatic empty zones now behave better with
1253 forward only "zones" beneath them. [RT #34583]
1255 3635. [bug] Signatures were not being removed from a zone with
1256 only KSK keys for a algorithm. [RT #34439]
1258 3634. [func] Report build-id in rndc status. Report build-id
1259 when building from a git repository. [RT #20422]
1261 3633. [cleanup] Refactor OPT processing in named to make it easier
1262 to support new EDNS options. [RT #34414]
1264 3632. [bug] Signature from newly inactive keys were not being
1265 removed. [RT #32178]
1267 3631. [bug] Remove spurious warning about missing signatures when
1268 qtype is SIG. [RT #34600]
1270 3630. [bug] Ensure correct ID computation for MD5 keys. [RT #33033]
1272 3627. [bug] RPZ changes were not effective on slaves. [RT #34450]
1274 3625. [bug] Don't send notify messages to machines outside of the
1277 3623. [bug] zone-statistics was only effective in new statistics.
1280 --- 9.9.4rc1 released ---
1282 3621. [security] Incorrect bounds checking on private type 'keydata'
1283 can lead to a remotely triggerable REQUIRE failure
1284 (CVE-2013-4854). [RT #34238]
1286 3617. [bug] Named was failing to answer queries during
1287 "rndc reload" [RT #34098]
1289 3616. [bug] Change #3613 was incomplete. [RT #34177]
1291 3615. [cleanup] "configure" now finishes by printing a summary
1292 of optional BIND features and whether they are
1293 active or inactive. ("configure --enable-full-report"
1294 increases the verbosity of the summary.) [RT #31777]
1296 3614. [port] Check for <linux/types.h>. [RT #34162]
1298 3613. [bug] named could crash when deleting inline-signing
1299 zones with "rndc delzone". [RT #34066]
1301 3611. [bug] Improved resistance to a theoretical authentication
1302 attack based on differential timing. [RT #33939]
1304 3610. [cleanup] win32: Some executables had been omitted from the
1305 installer. [RT #34116]
1307 3608. [port] win32: added todos.pl script to ensure all text files
1308 the win32 build depends on are converted to DOS
1309 newline format. [RT #22067]
1311 3607. [bug] dnssec-keygen had broken 'Invalid keyfile' error
1312 message. [RT #34045]
1314 --- 9.9.4b1 released ---
1316 3605. [port] win32: Addressed several compatibility issues
1317 with newer versions of Visual Studio. [RT #33916]
1319 3603. [bug] Install <isc/stat.h>. [RT #33956]
1321 3601. [bug] Added to PKCS#11 openssl patches a value len
1322 attribute in DH derive key. [RT #33928]
1324 3600. [cleanup] dig: Fixed a typo in the warning output when receiving
1325 an oversized response. [RT #33910]
1327 3599. [tuning] Check for pointer equivalence in name comparisons.
1330 3596. [port] Updated win32 build documentation, added
1331 dnssec-verify. [RT #22067]
1333 3594. [maint] Update config.guess and config.sub. [RT #33816]
1335 3592. [doc] Moved documentation of rndc command options to the
1336 rndc man page. [RT #33506]
1338 3590. [bug] When using RRL on recursive servers, defer
1339 rate-limiting until after recursion is complete;
1340 also, use correct rcode for slipped NXDOMAIN
1341 responses. [RT #33604]
1343 3588. [bug] dig: addressed a memory leak in the sigchase code
1344 that could cause a shutdown crash. [RT #33733]
1346 3587. [func] 'named -g' now checks the logging configuration but
1347 does not use it. [RT #33473]
1349 3586. [bug] Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]
1351 3584. [security] Caching data from an incompletely signed zone could
1352 trigger an assertion failure in resolver.c
1353 (CVE-2013-3919). [RT #33690]
1355 3583. [bug] Address memory leak in GSS-API processing [RT #33574]
1357 3582. [bug] Silence false positive warning regarding missing file
1358 directive for inline slave zones. [RT #33662]
1360 3581. [bug] Changed the tcp-listen-queue default to 10. [RT #33029]
1362 3580. [bug] Addressed a possible race in acache.c [RT #33602]
1364 3579. [maint] Updates to PKCS#11 openssl patches, supporting
1365 versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]
1367 3578. [bug] 'rndc -c file' now fails if 'file' does not exist.
1370 3577. [bug] Handle zero TTL values better. [RT #33411]
1372 3576. [bug] Address a shutdown race when validating. [RT #33573]
1374 3575. [func] Changed the logging category for RRL events from
1375 'queries' to 'query-errors'. [RT #33540]
1377 3574. [doc] The 'hostname' keyword was missing from server-id
1378 description in the named.conf man page. [RT #33476]
1380 3573. [bug] "rndc addzone" and "rndc delzone" incorrectly handled
1381 zone names containing punctuation marks and other
1382 nonstandard characters. [RT #33419]
1384 3571. [bug] Address race condition in dns_client_startresolve().
1387 3566. [func] Log when forwarding updates to master. [RT #33240]
1389 3554. [bug] RRL failed to correctly rate-limit upward
1390 referrals and failed to count dropped error
1391 responses in the statistics. [RT #33225]
1393 3545. [bug] RRL slip behavior was incorrect when set to 1.
1396 3518. [bug] Increase the size of dns_rrl_key.s.rtype by one bit
1397 so that all dns_rrl_rtype_t enum values fit regardless
1398 of whether it is teated as signed or unsigned by
1399 the compiler. [RT #32792]
1401 3494. [func] DNS RRL: Blunt the impact of DNS reflection and
1402 amplification attacks by rate-limiting substantially-
1403 identical responses. To enable, use "configure
1404 --enable-rrl". [RT #28130]
1406 --- 9.9.3 released ---
1408 3568. [cleanup] Add a product description line to the version file,
1409 to be reported by named -v/-V. [RT #33366]
1411 3567. [bug] Silence clang static analyzer warnings. [RT #33365]
1413 3563. [contrib] zone2sqlite failed with some table names. [RT #33375]
1415 3561. [bug] dig: issue a warning if an EDNS query returns FORMERR
1416 or NOTIMP. Adjust usage message. [RT #33363]
1418 --- 9.9.3rc2 released ---
1420 3560. [bug] isc-config.sh did not honor includedir and libdir
1421 when set via configure. [RT #33345]
1423 3559. [func] Check that both forms of Sender Policy Framework
1424 records exist or do not exist. [RT #33355]
1426 3558. [bug] IXFR of a DLZ stored zone was broken. [RT #33331]
1428 3557. [bug] Reloading redirect zones was broken. [RT #33292]
1430 3556. [maint] Added AAAA for D.ROOT-SERVERS.NET.
1432 3555. [bug] Address theoretical race conditions in acache.c
1433 (change #3553 was incomplete). [RT #33252]
1435 3553. [bug] Address suspected double free in acache. [RT #33252]
1437 3552. [bug] Wrong getopt option string for 'nsupdate -r'.
1440 3549. [doc] Documentation for "request-nsid" was missing.
1443 3548. [bug] The NSID request code in resolver.c was broken
1444 resulting in invalid EDNS options being sent.
1447 3547. [bug] Some malformed unknown rdata records were not properly
1448 detected and rejected. [RT #33129]
1450 --- 9.9.3rc1 released ---
1452 3546. [func] Add EUI48 and EUI64 types. [RT #33082]
1454 3544. [contrib] check5011.pl: Script to report the status of
1455 managed keys as recorded in managed-keys.bind.
1456 Contributed by Tony Finch <dot@dotat.at>
1458 3543. [bug] Update socket structure before attaching to socket
1459 manager after accept. [RT #33084]
1461 3541. [bug] Parts of libdns were not properly initialized when
1462 built in libexport mode. [RT #33028]
1464 3540. [test] libt_api: t_info and t_assert were not thread safe.
1466 3539. [port] win32: timestamp format didn't match other platforms.
1468 3538. [test] Running "make test" now requires loopback interfaces
1469 to be set up. [RT #32452]
1471 3537. [tuning] Slave zones, when updated, now send NOTIFY messages
1472 to peers before being dumped to disk rather than
1475 3535. [bug] Minor win32 cleanups. [RT #32962]
1477 3534. [bug] Extra text after an embedded NULL was ignored when
1478 parsing zone files. [RT #32699]
1480 3533. [contrib] query-loc-0.4.0: memory leaks. [RT #32960]
1482 3532. [contrib] zkt: fixed buffer overrun, resource leaks. [RT #32960]
1484 3531. [bug] win32: A uninitialized value could be returned on out
1485 of memory. [RT #32960]
1487 3530. [contrib] Better RTT tracking in queryperf. [RT #30128]
1489 3528. [func] New "dnssec-coverage" command scans the timing
1490 metadata for a set of DNSSEC keys and reports if a
1491 lapse in signing coverage has been scheduled
1492 inadvertently. (Note: This tool depends on python;
1493 it will not be built or installed on systems that
1494 do not have a python interpreter.) [RT #28098]
1496 3527. [compat] Add a URI to allow applications to explicitly
1497 request a particular XML schema from the statistics
1498 channel, returning 404 if not supported. [RT #32481]
1500 3526. [cleanup] Set up dependencies for unit tests correctly during
1503 3521. [bug] Address memory leak in opensslecdsa_link.c. [RT #32249]
1505 3520. [bug] 'mctx' was not being referenced counted in some places
1506 where it should have been. [RT #32794]
1508 --- 9.9.3b2 released ---
1510 3517. [bug] Reorder destruction to avoid shutdown race. [RT #32777]
1512 3515. [port] '%T' is not portable in strftime(). [RT #32763]
1514 3514. [bug] The ranges for valid key sizes in ddns-confgen and
1515 rndc-confgen were too constrained. Keys up to 512
1516 bits are now allowed for most algorithms, and up
1517 to 1024 bits for hmac-sha384 and hmac-sha512.
1520 3511. [doc] Improve documentation of redirect zones. [RT #32756]
1522 3509. [cleanup] Added a product line to version file to allow for
1523 easy naming of different products (BIND
1524 vs BIND ESV, for example). [RT #32755]
1526 3508. [contrib] queryperf was incorrectly rejecting the -T option.
1529 3507. [bug] Statistics channel XSL (when built with
1530 --enable-newstats) had a glitch when attempting
1531 to chart query data before any queries had been
1532 received. [RT #32620]
1534 3505. [bug] When setting "max-cache-size" and "max-acache-size",
1535 larger values than 4 gigabytes could not be set
1536 explicitly, though larger sizes were available
1537 when setting cache size to 0. This has been
1538 corrected; the full range is now available.
1541 3503. [doc] Clarify size_spec syntax. [RT #32449]
1543 3501. [func] zone-statistics now takes three options: full,
1544 terse, and none. "yes" and "no" are retained as
1545 synonyms for full and terse, respectively. [RT #29165]
1547 3500. [security] Support NAPTR regular expression validation on
1548 all platforms without using libregex, which
1549 can be vulnerable to memory exhaustion attack
1550 (CVE-2013-2266). [RT #32688]
1552 3499. [doc] Corrected ARM documentation of built-in zones.
1555 3498. [bug] zone statistics for zones which matched a potential
1556 empty zone could have their zone-statistics setting
1559 3496. [func] Improvements to RPZ performance. The "response-policy"
1560 syntax now includes a "min-ns-dots" clause, with
1561 default 1, to exclude top-level domains from
1562 NSIP and NSDNAME checking. --enable-rpz-nsip and
1563 --enable-rpz-nsdname are now the default. [RT #32251]
1565 3493. [contrib] Added BDBHPT dynamically-lodable DLZ module,
1566 contributed by Mark Goldfinch. [RT #32549]
1568 3492. [bug] Fixed a regression in zone loading performance
1569 due to lock contention. [RT #30399]
1571 3491. [bug] Slave zones using inline-signing must specify a
1572 file name. [RT #31946]
1574 3489. [bug] --enable-developer now turns on ISC_LIST_CHECKINIT.
1575 When cloning a rdataset do not copy the link contents.
1578 3488. [bug] Use after free error with DH generated keys. [RT #32649]
1580 3487. [bug] Change 3444 was not complete. There was a additional
1581 place where the NOQNAME proof needed to be saved.
1584 3486. [bug] named could crash when using TKEY-negotiated keys
1585 that had been deleted and then recreated. [RT #32506]
1587 3485. [cleanup] Only compile openssl_gostlink.c if we support GOST.
1589 3483. [bug] Corrected XSL code in use with --enable-newstats.
1592 3481. [cleanup] Removed use of const const in atf.
1594 3480. [bug] Silence logging noise when setting up zone
1595 statistics. [RT #32525]
1597 3479. [bug] Address potential memory leaks in gssapi support
1600 3478. [port] Fix a build failure in strict C99 environments
1603 3474. [bug] nsupdate could assert when the local and remote
1604 address families didn't match. [RT #22897]
1606 3473. [bug] dnssec-signzone/verify could incorrectly report
1607 an error condition due to an empty node above an
1608 opt-out delegation lacking an NSEC3. [RT #32072]
1610 3471. [bug] The number of UDP dispatches now defaults to
1611 the number of CPUs even if -n has been set to
1612 a higher value. [RT #30964]
1614 3470. [bug] Slave zones could fail to dump when successfully
1615 refreshing after an initial failure. [RT #31276]
1617 --- 9.9.3b1 released ---
1619 3468. [security] RPZ rules to generate A records (but not AAAA records)
1620 could trigger an assertion failure when used in
1621 conjunction with DNS64 (CVE-2012-5689). [RT #32141]
1623 3467. [bug] Added checks in dnssec-keygen and dnssec-settime
1624 to check for delete date < inactive date. [RT #31719]
1626 3466. [contrib] Corrected the DNS_CLIENTINFOMETHODS_VERSION check
1627 in DLZ example driver. [RT #32275]
1629 3465. [bug] Handle isolated reserved ports. [RT #31778]
1631 3464. [maint] Updates to PKCS#11 openssl patches, supporting
1632 versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]
1634 3463. [doc] Clarify managed-keys syntax in ARM. [RT #32232]
1636 3462. [doc] Clarify server selection behavior of dig when using
1637 -4 or -6 options. [RT #32181]
1639 3461. [bug] Negative responses could incorrectly have AD=1
1642 3460. [bug] Only link against readline where needed. [RT #29810]
1644 3458. [bug] Return FORMERR when presented with a overly long
1645 domain named in a request. [RT #29682]
1647 3457. [protocol] Add ILNP records (NID, LP, L32, L64). [RT #31836]
1649 3456. [port] g++47: ATF failed to compile. [RT #32012]
1651 3455. [contrib] queryperf: fix getopt option list. [RT #32338]
1653 3454. [port] sparc64: improve atomic support. [RT #25182]
1655 3453. [bug] 'rndc addzone' of a zone with 'inline-signing yes;'
1658 3452. [bug] Accept duplicate singleton records. [RT #32329]
1660 3451. [port] Increase per thread stack size from 64K to 1M.
1663 3450. [bug] Stop logfileconfig system test spam system logs.
1666 3449. [bug] gen.c: use the pre-processor to construct format
1667 strings so that compiler can perform sanity checks;
1668 check the snprintf results. [RT #17576]
1670 3448. [bug] The allow-query-on ACL was not processed correctly.
1673 3447. [port] Add support for libxml2-2.9.x [RT #32231]
1675 3446. [port] win32: Add source ID (see change #3400) to build.
1678 3445. [bug] Warn about zone files with blank owner names
1679 immediately after $ORIGIN directives. [RT #31848]
1681 3444. [bug] The NOQNAME proof was not being returned from cached
1682 insecure responses. [RT #21409]
1684 3443. [bug] ddns-confgen: Some TSIG algorithms were incorrectly
1685 rejected when generating keys. [RT #31927]
1687 3442. [port] Net::DNS 0.69 introduced a non backwards compatible
1690 3441. [maint] D.ROOT-SERVERS.NET is now 199.7.91.13.
1692 3440. [bug] Reorder get_key_struct to not trigger a assertion when
1693 cleaning up due to out of memory error. [RT #32131]
1695 3439. [bug] contrib/dlz error checking fixes. [RT #32102]
1697 3438. [bug] Don't accept unknown data escape in quotes. [RT #32031]
1699 3437. [bug] isc_buffer_init -> isc_buffer_constinit to initialize
1700 buffers with constant data. [RT #32064]
1702 3436. [bug] Check malloc/calloc return values. [RT #32088]
1704 3435. [bug] Cross compilation support in configure was broken.
1707 3431. [bug] ddns-confgen: Some valid key algorithms were
1708 not accepted. [RT #31927]
1710 3430. [bug] win32: isc_time_formatISO8601 was missing the
1711 'T' between the date and time. [RT #32044]
1713 3429. [bug] dns_zone_getserial2 could a return success without
1714 returning a valid serial. [RT #32007]
1716 3428. [cleanup] dig: Add timezone to date output. [RT #2269]
1718 3427. [bug] dig +trace incorrectly displayed name server
1719 addresses instead of names. [RT #31641]
1721 3426. [bug] dnssec-checkds: Clearer output when records are not
1724 3425. [bug] "acacheentry" reference counting was broken resulting
1725 in use after free. [RT #31908]
1727 3424. [func] dnssec-dsfromkey now emits the hash without spaces.
1730 3423. [bug] "rndc signing -nsec3param" didn't accept the full
1731 range of possible values. Address portability issues.
1734 3422. [bug] Added a clear error message for when the SOA does not
1735 match the referral. [RT #31281]
1737 3421. [bug] Named loops when re-signing if all keys are offline.
1740 3420. [bug] Address VPATH compilation issues. [RT #31879]
1742 3419. [bug] Memory leak on validation cancel. [RT #31869]
1744 3417. [func] Optional new XML schema (version 3.0) for the
1745 statistics channel adds query type statistics at the
1746 zone level, and flattens the XML tree and uses
1747 compressed format to optimize parsing. Includes new XSL
1748 that permits charting via the Google Charts API on
1749 browsers that support javascript in XSL. To enable,
1750 build with "configure --enable-newstats". [RT #30023]
1752 3416. [bug] Named could die on shutdown if running with 128 UDP
1753 dispatches per interface. [RT #31743]
1755 3415. [bug] named could die with a REQUIRE failure if a validation
1756 was canceled. [RT #31804]
1758 3414. [bug] Address locking issues found by Coverity. [RT #31626]
1760 3412. [bug] Copy timeval structure from control message data.
1763 3411. [tuning] Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
1766 3410. [bug] Addressed Coverity warnings. [RT #31626]
1768 3409. [contrib] contrib/dane/mkdane.sh: Tool to generate TLSA RR's
1769 from X.509 certificates, for use with DANE
1770 (DNS-based Authentication of Named Entities).
1773 3408. [bug] Some DNSSEC-related options (update-check-ksk,
1774 dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
1775 are now legal in slave zones as long as
1776 inline-signing is in use. [RT #31078]
1778 3406. [bug] mem.c: Fix compilation errors when building with
1779 ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
1780 Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
1782 3405. [bug] Handle time going backwards in acache. [RT #31253]
1784 3404. [bug] dnssec-signzone: When re-signing a zone, remove
1785 RRSIG and NSEC records from nodes that used to be
1786 in-zone but are now below a zone cut. [RT #31556]
1788 3403. [bug] Silence noisy OpenSSL logging. [RT #31497]
1790 3402. [test] The IPv6 interface numbers used for system
1791 tests were incorrect on some platforms. [RT #25085]
1793 3401. [bug] Addressed Coverity warnings. [RT #31484]
1795 3400. [cleanup] "named -V" can now report a source ID string, defined
1796 in the "srcid" file in the build tree and normally set
1797 to the most recent git hash. [RT #31494]
1799 3399. [port] netbsd: rename 'bool' parameter to avoid namespace
1802 3398. [bug] SOA parameters were not being updated with inline
1803 signed zones if the zone was modified while the
1804 server was offline. [RT #29272]
1806 3397. [bug] dig crashed when using +nssearch with +tcp. [RT #25298]
1808 3396. [bug] OPT records were incorrectly removed from signed,
1809 truncated responses. [RT #31439]
1811 3395. [protocol] Add RFC 6598 reverse zones to built in empty zones
1812 list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
1815 3394. [bug] Adjust 'successfully validated after lower casing
1816 signer' log level and category. [RT #31414]
1818 3393. [bug] 'host -C' could core dump if REFUSED was received.
1821 3391. [bug] A DNSKEY lookup that encountered a CNAME failed.
1824 3390. [bug] Silence clang compiler warnings. [RT #30417]
1826 3389. [bug] Always return NOERROR (not 0) in TSIG. [RT #31275]
1828 3388. [bug] Fixed several Coverity warnings.
1829 Note: This change includes a fix for a bug that
1830 was subsequently determined to be an exploitable
1831 security vulnerability, CVE-2012-5688: named could
1832 die on specific queries with dns64 enabled.
1835 3386. [bug] Address locking violation when generating new NSEC /
1836 NSEC3 chains. [RT #31224]
1838 3385. [bug] named-checkconf didn't detect missing master lists
1839 in also-notify clauses. [RT #30810]
1841 3384. [bug] Improved logging of crypto errors. [RT #30963]
1843 3382. [bug] SOA query from slave used use-v6-udp-ports range,
1844 if set, regardless of the address family in use.
1847 3381. [contrib] Update queryperf to support more RR types.
1850 3380. [bug] named could die if a nonexistent master list was
1851 referenced in a also-notify. [RT #31004]
1853 3379. [bug] isc_interval_zero and isc_time_epoch should be
1854 "const (type)* const". [RT #31069]
1856 3378. [bug] Handle missing 'managed-keys-directory' better.
1859 3377. [bug] Removed spurious newline from NSEC3 multiline
1862 3376. [bug] Lack of EDNS support was being recorded without a
1863 successful response. [RT #30811]
1865 3375. [func] Check that 'rndc dumpdb' works on a empty cache.
1868 3374. [bug] isc_parse_uint32 failed to return a range error on
1869 systems with 64 bit longs. [RT #30232]
1871 3372. [bug] Silence spurious "deleted from unreachable cache"
1872 messages. [RT #30501]
1874 3371. [bug] AD=1 should behave like DO=1 when deciding whether to
1875 add NS RRsets to the additional section or not.
1878 3316. [tuning] Improved locking performance when recursing.
1881 3315. [tuning] Use multiple dispatch objects for sending upstream
1882 queries; this can improve performance on busy
1883 multiprocessor systems by reducing lock contention.
1886 --- 9.9.2 released ---
1888 3383. [security] A certain combination of records in the RBT could
1889 cause named to hang while populating the additional
1890 section of a response. [RT #31090]
1892 3373. [bug] win32: open raw files in binary mode. [RT #30944]
1894 3364. [security] Named could die on specially crafted record.
1897 --- 9.9.2rc1 released ---
1899 3370. [bug] Address use after free while shutting down. [RT #30241]
1901 3369. [bug] nsupdate terminated unexpectedly in interactive mode
1902 if built with readline support. [RT #29550]
1904 3368. [bug] <dns/iptable.h>, <dns/private.h> and <dns/zone.h>
1907 3367. [bug] dns_dnsseckey_create() result was not being checked.
1910 3366. [bug] Fixed Read-After-Write dependency violation for IA64
1911 atomic operations. [RT #25181]
1913 3365. [bug] Removed spurious newlines from log messages in
1916 3363. [bug] Need to allow "forward" and "fowarders" options
1917 in static-stub zones; this had been overlooked.
1920 3362. [bug] Setting some option values to 0 in named.conf
1921 could trigger an assertion failure on startup.
1924 3361. [bug] "rndc signing -nsec3param" didn't work correctly
1925 when salt was set to '-' (no salt). [RT #30099]
1927 3360. [bug] 'host -w' could die. [RT #18723]
1929 3359. [bug] An improperly-formed TSIG secret could cause a
1930 memory leak. [RT #30607]
1932 3357. [port] Add support for libxml2-2.8.x [RT #30440]
1934 3356. [bug] Cap the TTL of signed RRsets when RRSIGs are
1935 approaching their expiry, so they don't remain
1936 in caches after expiry. [RT #26429]
1938 3355. [port] Use more portable awk in verify system test.
1940 3354. [func] Improve OpenSSL error logging. [RT #29932]
1942 --- 9.9.2b1 released ---
1944 3353. [bug] Use a single task for task exclusive operations.
1947 3352. [bug] Ensure that learned server attributes timeout of the
1948 adb cache. [RT #29856]
1950 3351. [bug] isc_mem_put and isc_mem_putanddetach didn't report
1951 caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
1952 memory debugging flags are set. [RT #30243]
1954 3350. [bug] Memory read overrun in isc___mem_reallocate if
1955 ISC_MEM_DEBUGCTX memory debugging flag is set.
1958 3349. [bug] Change #3345 was incomplete. [RT #30233]
1960 3348. [bug] Prevent RRSIG data from being cached if a negative
1961 record matching the covering type exists at a higher
1962 trust level. Such data already can't be retrieved from
1963 the cache since change 3218 -- this prevents it
1964 being inserted into the cache as well. [RT #26809]
1966 3347. [bug] dnssec-settime: Issue a warning when writing a new
1967 private key file would cause a change in the
1968 permissions of the existing file. [RT #27724]
1970 3346. [security] Bad-cache data could be used before it was
1971 initialized, causing an assert. [RT #30025]
1973 3345. [bug] Addressed race condition when removing the last item
1974 or inserting the first item in an ISC_QUEUE.
1977 3344. [func] New "dnssec-checkds" command checks a zone to
1978 determine which DS records should be published
1979 in the parent zone, or which DLV records should be
1980 published in a DLV zone, and queries the DNS to
1981 ensure that it exists. (Note: This tool depends
1982 on python; it will not be built or installed on
1983 systems that do not have a python interpreter.)
1986 3342. [bug] Change #3314 broke saving of stub zones to disk
1987 resulting in excessive cpu usage in some cases.
1990 3341. [func] New "dnssec-verify" command checks a signed zone
1991 to ensure correctness of signatures and of NSEC/NSEC3
1994 3339. [func] Allow the maximum supported rsa exponent size to be
1995 specified: "max-rsa-exponent-size <value>;" [RT #29228]
1997 3338. [bug] Address race condition in units tests: asyncload_zone
1998 and asyncload_zt. [RT #26100]
2000 3337. [bug] Change #3294 broke support for the multiple keys
2001 in controls. [RT #29694]
2003 3335. [func] nslookup: return a nonzero exit code when unable
2004 to get an answer. [RT #29492]
2006 3334. [bug] Hold a zone table reference while performing a
2007 asynchronous load of a zone. [RT #28326]
2009 3333. [bug] Setting resolver-query-timeout too low can cause
2010 named to not recover if it loses connectivity.
2013 3332. [bug] Re-use cached DS rrsets if possible. [RT #29446]
2015 3331. [security] dns_rdataslab_fromrdataset could produce bad
2016 rdataslabs. [RT #29644]
2018 3330. [func] Fix missing signatures on NOERROR results despite
2020 - add optional "recursive-only yes|no" to the
2021 response-policy statement
2022 - add optional "max-policy-ttl" to the response-policy
2023 statement to limit the false data that
2024 "recursive-only no" can introduce into
2026 - add a RPZ performance test to bin/tests/system/rpz
2027 when queryperf is available.
2028 - the encoding of PASSTHRU action to "rpz-passthru".
2029 (The old encoding is still accepted.)
2033 3329. [bug] Handle RRSIG signer-name case consistently: We
2034 generate RRSIG records with the signer-name in
2035 lower case. We accept them with any case, but if
2036 they fail to validate, we try again in lower case.
2039 3328. [bug] Fixed inconsistent data checking in dst_parse.c.
2042 3317. [func] Add ECDSA support (RFC 6605). [RT #21918]
2044 --- 9.9.1 released ---
2046 3318. [tuning] Reduce the amount of work performed while holding a
2047 bucket lock when finished with a fetch context.
2050 3314. [bug] The masters list could be updated while stub_callback
2051 or refresh_callback were using it. [RT #26732]
2053 3313. [protocol] Add TLSA record type. [RT #28989]
2055 3312. [bug] named-checkconf didn't detect a bad dns64 clients acl.
2058 3311. [bug] Abort the zone dump if zone->db is NULL in
2059 zone.c:zone_gotwritehandle. [RT #29028]
2061 3310. [test] Increase table size for mutex profiling. [RT #28809]
2063 3309. [bug] resolver.c:fctx_finddone() was not thread safe.
2066 3307. [bug] Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
2069 3306. [bug] Improve DNS64 reverse zone performance. [RT #28563]
2071 3305. [func] Add wire format lookup method to sdb. [RT #28563]
2073 3304. [bug] Use hmctx, not mctx when freeing rbtdb->heaps.
2076 3303. [bug] named could die when reloading. [RT #28606]
2078 3302. [bug] dns_dnssec_findmatchingkeys could fail to find
2079 keys if the zone name contained character that
2080 required special mappings. [RT #28600]
2082 3301. [contrib] Update queryperf to build on darwin. Add -R flag
2083 for non-recursive queries. [RT #28565]
2085 3300. [bug] Named could die if gssapi was enabled in named.conf
2086 but was not compiled in. [RT #28338]
2088 3299. [bug] Make SDB handle errors from database drivers better.
2091 3298. [bug] Named could dereference a NULL pointer in
2092 zmgr_start_xfrin_ifquota if the zone was being removed.
2095 3297. [bug] Named could die on a malformed master file. [RT #28467]
2097 3296. [bug] Named could die with a INSIST failure in
2098 client.c:exit_check. [RT #28346]
2100 3295. [bug] Adjust isc_time_secondsastimet range check to be more
2101 portable. [RT # 26542]
2103 3294. [bug] isccc/cc.c:table_fromwire failed to free alist on
2106 3291. [port] Fixed a build error on systems without ENOTSUP.
2109 3290. [bug] <isc/hmacsha.h> was not being installed. [RT #28169]
2111 3273. [bug] AAAA responses could be returned in the additional
2112 section even when filter-aaaa-on-v4 was in use.
2115 --- 9.9.0 released ---
2117 --- 9.9.0rc4 released ---
2119 3289. [bug] 'rndc retransfer' failed for inline zones. [RT #28036]
2121 3288. [bug] dlz_destroy() function wasn't correctly registered
2122 by the DLZ dlopen driver. [RT #28056]
2124 3287. [port] Update ans.pl to work with Net::DNS 0.68. [RT #28028]
2126 3286. [bug] Managed key maintenance timer could fail to start
2127 after 'rndc reconfig'. [RT #26786]
2129 --- 9.9.0rc3 released ---
2131 3285. [bug] val-frdataset was incorrectly disassociated in
2132 proveunsecure after calling startfinddlvsep.
2135 3284. [bug] Address race conditions with the handling of
2136 rbtnode.deadlink. [RT #27738]
2138 3283. [bug] Raw zones with with more than 512 records in a RRset
2139 failed to load. [RT #27863]
2141 3282. [bug] Restrict the TTL of NS RRset to no more than that
2142 of the old NS RRset when replacing it.
2143 [RT #27792] [RT #27884]
2145 3281. [bug] SOA refresh queries could be treated as cancelled
2146 despite succeeding over the loopback interface.
2149 3280. [bug] Potential double free of a rdataset on out of memory
2150 with DNS64. [RT #27762]
2152 3279. [bug] Hold a internal reference to the zone while performing
2153 a asynchronous load. Address potential memory leak
2154 if the asynchronous is cancelled. [RT #27750]
2156 3278. [bug] Make sure automatic key maintenance is started
2157 when "auto-dnssec maintain" is turned on during
2158 "rndc reconfig". [RT #26805]
2160 3277. [bug] win32: isc_socket_dup is not implemented. [RT #27696]
2162 3276. [bug] win32: ns_os_openfile failed to return NULL on
2163 safe_open failure. [RT #27696]
2165 3275. [bug] Corrected rndc -h output; the 'rndc sync -clean'
2166 option had been misspelled as '-clear'. (To avoid
2167 future confusion, both options now work.) [RT #27173]
2169 3271. [port] darwin: mksymtbl is not always stable, loop several
2170 times before giving up. mksymtbl was using non
2171 portable perl to covert 64 bit hex strings. [RT #27653]
2173 --- 9.9.0rc2 released ---
2175 3270. [bug] "rndc reload" didn't reuse existing zones correctly
2176 when inline-signing was in use. [RT #27650]
2178 3269. [port] darwin 11 and later now built threaded by default.
2180 3268. [bug] Convert RRSIG expiry times to 64 timestamps to work
2181 out the earliest expiry time. [RT #23311]
2183 3267. [bug] Memory allocation failures could be mis-reported as
2184 unexpected error. New ISC_R_UNSET result code.
2187 3266. [bug] The maximum number of NSEC3 iterations for a
2188 DNSKEY RRset was not being properly computed.
2191 3265. [bug] Corrected a problem with lock ordering in the
2192 inline-signing code. [RT #27557]
2194 3264. [bug] Automatic regeneration of signatures in an
2195 inline-signing zone could stall when the server
2196 was restarted. [RT #27344]
2198 3263. [bug] "rndc sync" did not affect the unsigned side of an
2199 inline-signing zone. [RT #27337]
2201 3262. [bug] Signed responses were handled incorrectly by RPZ.
2204 3261. [func] RRset ordering now defaults to random. [RT #27174]
2206 3260. [bug] "rrset-order cyclic" could appear not to rotate
2207 for some query patterns. [RT #27170/27185]
2209 --- 9.9.0rc1 released ---
2211 3259. [bug] named-compilezone: Suppress "dump zone to <file>"
2212 message when writing to stdout. [RT #27109]
2214 3258. [test] Add "forcing full sign with unreadable keys" test.
2217 3257. [bug] Do not generate a error message when calling fsync()
2218 in a pipe or socket. [RT #27109]
2220 3256. [bug] Disable empty zones for lwresd -C. [RT #27139]
2222 3255. [func] No longer require that a empty zones be explicitly
2223 enabled or that a empty zone is disabled for
2224 RFC 1918 empty zones to be configured. [RT #27139]
2226 3254. [bug] Set isc_socket_ipv6only() on the IPv6 control channels.
2229 3253. [bug] Return DNS_R_SYNTAX when the input to a text field is
2230 too long. [RT #26956]
2232 3252. [bug] When master zones using inline-signing were
2233 updated while the server was offline, the source
2234 zone could fall out of sync with the signed
2235 copy. They can now resynchronize. [RT #26676]
2237 3251. [bug] Enforce a upper bound (65535 bytes) on the amount of
2238 memory dns_sdlz_putrr() can allocate per record to
2239 prevent run away memory consumption on ISC_R_NOSPACE.
2242 3250. [func] 'configure --enable-developer'; turn on various
2243 configure options, normally off by default, that
2244 we want developers to build and test with. [RT #27103]
2246 3249. [bug] Update log message when saving slave zones files for
2247 analysis after load failures. [RT #27087]
2249 3248. [bug] Configure options --enable-fixed-rrset and
2250 --enable-exportlib were incompatible with each
2253 3247. [bug] 'raw' format zones failed to preserve load order
2254 breaking 'fixed' sort order. [RT #27087]
2256 3246. [bug] Named failed to start with a empty also-notify list.
2259 3245. [bug] Don't report a error unchanged serials unless there
2260 were other changes when thawing a zone with
2261 ixfr-fromdifferences. [RT #26845]
2263 3244. [func] Added readline support to nslookup and nsupdate.
2264 Also simplified nsupdate syntax to make "update"
2265 and "prereq" optional. [RT #24659]
2267 3243. [port] freebsd,netbsd,bsdi: the thread defaults were not
2270 3242. [func] Extended the header of raw-format master files to
2271 include the serial number of the zone from which
2272 they were generated, if different (as in the case
2273 of inline-signing zones). This is to be used in
2274 inline-signing zones, to track changes between the
2275 unsigned and signed versions of the zone, which may
2276 have different serial numbers.
2278 (Note: raw zonefiles generated by this version of
2279 BIND are no longer compatible with prior versions.
2280 To generate a backward-compatible raw zonefile
2281 using dnssec-signzone or named-compilezone, specify
2282 output format "raw=0" instead of simply "raw".)
2285 3241. [bug] Address race conditions in the resolver code.
2288 3240. [bug] DNSKEY state change events could be missed. [RT #26874]
2290 3239. [bug] dns_dnssec_findmatchingkeys needs to use a consistent
2291 timestamp. [RT #26883]
2293 3238. [bug] keyrdata was not being reinitialized in
2294 lib/dns/rbtdb.c:iszonesecure. [RT #26913]
2296 3237. [bug] dig -6 didn't work with +trace. [RT #26906]
2298 3236. [bug] Backed out changes #3182 and #3202, related to
2299 EDNS(0) fallback behavior. [RT #26416]
2301 3235. [func] dns_db_diffx, a extended dns_db_diff which returns
2302 the generated diff and optionally writes it to a
2303 journal. [RT #26386]
2305 3234. [bug] 'make depend' produced invalid makefiles. [RT #26830]
2307 3233. [bug] 'rndc freeze/thaw' didn't work for inline zones.
2310 3232. [bug] Zero zone->curmaster before return in
2311 dns_zone_setmasterswithkeys(). [RT #26732]
2313 3231. [bug] named could fail to send a incompressible zone.
2316 3230. [bug] 'dig axfr' failed to properly handle a multi-message
2317 axfr with a serial of 0. [RT #26796]
2319 3229. [bug] Fix local variable to struct var assignment
2320 found by CLANG warning.
2322 3228. [tuning] Dynamically grow symbol table to improve zone
2323 loading performance. [RT #26523]
2325 3227. [bug] Interim fix to make WKS's use of getprotobyname()
2326 and getservbyname() self thread safe. [RT #26232]
2328 3226. [bug] Address minor resource leakages. [RT #26624]
2330 3225. [bug] Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
2331 messages. [RT #26507]
2333 3224. [bug] 'rndc signing' argument parsing was broken. [RT #26684]
2335 3223. [bug] 'task_test privilege_drop' generated false positives.
2338 3222. [cleanup] Replace dns_journal_{get,set}_bitws with
2339 dns_journal_{get,set}_sourceserial. [RT #26634]
2341 3221. [bug] Fixed a potential core dump on shutdown due to
2342 referencing fetch context after it's been freed.
2345 --- 9.9.0b2 released ---
2347 3220. [bug] Change #3186 was incomplete; dns_db_rpz_findips()
2348 could fail to set the database version correctly,
2349 causing an assertion failure. [RT #26180]
2351 3219. [bug] Disable NOEDNS caching following a timeout.
2353 3218. [security] Cache lookup could return RRSIG data associated with
2354 nonexistent records, leading to an assertion
2355 failure. [RT #26590]
2357 3217. [cleanup] Fix build problem with --disable-static. [RT #26476]
2359 3216. [bug] resolver.c:validated() was not thread-safe. [RT #26478]
2361 3215. [bug] 'rndc recursing' could cause a core dump. [RT #26495]
2363 3214. [func] Add 'named -U' option to set the number of UDP
2364 listener threads per interface. [RT #26485]
2366 3213. [doc] Clarify ixfr-from-differences behavior. [RT #25188]
2368 3212. [bug] rbtdb.c: failed to remove a node from the deadnodes
2369 list prior to adding a reference to it leading a
2370 possible assertion failure. [RT #23219]
2372 3211. [func] dnssec-signzone: "-f -" prints to stdout; "-O full"
2373 option prints in single-line-per-record format.
2376 3210. [bug] Canceling the oldest query due to recursive-client
2377 overload could trigger an assertion failure. [RT #26463]
2379 3209. [func] Add "dnssec-lookaside 'no'". [RT #24858]
2381 3208. [bug] 'dig -y' handle unknown tsig algorithm better.
2384 3207. [contrib] Fixed build error in Berkeley DB DLZ module. [RT #26444]
2386 3206. [cleanup] Add ISC information to log at start time. [RT #25484]
2388 3205. [func] Upgrade dig's defaults to better reflect modern
2389 nameserver behavior. Enable "dig +adflag" and
2390 "dig +edns=0" by default. Enable "+dnssec" when
2391 running "dig +trace". [RT #23497]
2393 3204. [bug] When a master server that has been marked as
2394 unreachable sends a NOTIFY, mark it reachable
2397 3203. [bug] Increase log level to 'info' for validation failures
2398 from expired or not-yet-valid RRSIGs. [RT #21796]
2400 3202. [bug] NOEDNS caching on timeout was too aggressive.
2403 3201. [func] 'rndc querylog' can now be given an on/off parameter
2404 instead of only being used as a toggle. [RT #18351]
2406 3200. [doc] Some rndc functions were undocumented or were
2407 missing from 'rndc -h' output. [RT #25555]
2409 3199. [func] When logging client information, include the name
2410 being queried. [RT #25944]
2412 3198. [doc] Clarified that dnssec-settime can alter keyfile
2413 permissions. [RT #24866]
2415 3197. [bug] Don't try to log the filename and line number when
2416 the config parser can't open a file. [RT #22263]
2418 3196. [bug] nsupdate: return nonzero exit code when target zone
2419 doesn't exist. [RT #25783]
2421 3195. [cleanup] Silence "file not found" warnings when loading
2422 managed-keys zone. [RT #26340]
2424 3194. [doc] Updated RFC references in the 'empty-zones-enable'
2425 documentation. [RT #25203]
2427 3193. [cleanup] Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
2428 dnssec.h. [RT #26415]
2430 3192. [bug] A query structure could be used after being freed.
2433 3191. [bug] Print NULL records using "unknown" format. [RT #26392]
2435 3190. [bug] Underflow in error handling in isc_mutexblock_init.
2438 3189. [test] Added a summary report after system tests. [RT #25517]
2440 3188. [bug] zone.c:zone_refreshkeys() could fail to detach
2441 references correctly when errors occurred, causing
2442 a hang on shutdown. [RT #26372]
2444 3187. [port] win32: support for Visual Studio 2008. [RT #26356]
2446 --- 9.9.0b1 released ---
2448 3186. [bug] Version/db mis-match in rpz code. [RT #26180]
2450 3185. [func] New 'rndc signing' option for auto-dnssec zones:
2451 - 'rndc signing -list' displays the current
2452 state of signing operations
2453 - 'rndc signing -clear' clears the signing state
2454 records for keys that have fully signed the zone
2455 - 'rndc signing -nsec3param' sets the NSEC3
2456 parameters for the zone
2457 The 'rndc keydone' syntax is removed. [RT #23729]
2459 3184. [bug] named had excessive cpu usage when a redirect zone was
2460 configured. [RT #26013]
2462 3183. [bug] Added RTLD_GLOBAL flag to dlopen call. [RT #26301]
2464 3182. [bug] Auth servers behind firewalls which block packets
2465 greater than 512 bytes may cause other servers to
2466 perform poorly. Now, adb retains edns information
2467 and caches noedns servers. [RT #23392/24964]
2469 3181. [func] Inline-signing is now supported for master zones.
2472 3180. [func] Local copies of slave zones are now saved in raw
2473 format by default, to improve startup performance.
2474 'masterfile-format text;' can be used to override
2475 the default, if desired. [RT #25867]
2477 3179. [port] kfreebsd: build issues. [RT #26273]
2479 3178. [bug] A race condition introduced by change #3163 could
2480 cause an assertion failure on shutdown. [RT #26271]
2482 3177. [func] 'rndc keydone', remove the indicator record that
2483 named has finished signing the zone with the
2484 corresponding key. [RT #26206]
2486 3176. [doc] Corrected example code and added a README to the
2487 sample external DLZ module in contrib/dlz/example.
2490 3175. [bug] Fix how DNSSEC positive wildcard responses from a
2491 NSEC3 signed zone are validated. Stop sending a
2492 unnecessary NSEC3 record when generating such
2493 responses. [RT #26200]
2495 3174. [bug] Always compute to revoked key tag from scratch.
2498 3173. [port] Correctly validate root DS responses. [RT #25726]
2500 3172. [port] darwin 10.* and freebsd [89] are now built threaded by
2503 3171. [bug] Exclusively lock the task when adding a zone using
2504 'rndc addzone'. [RT #25600]
2506 --- 9.9.0a3 released ---
2508 3170. [func] RPZ update:
2509 - fix precedence among competing rules
2510 - improve ARM text including documenting rule precedence
2511 - try to rewrite CNAME chains until first hit
2512 - new "rpz" logging channel
2513 - RDATA for CNAME rules can include wildcards
2514 - replace "NO-OP" named.conf policy override with
2515 "PASSTHRU" and add "DISABLED" override ("NO-OP"
2516 is still recognized)
2519 3169. [func] Catch db/version mis-matches when calling dns_db_*().
2522 3168. [bug] Nxdomain redirection could trigger an assert with
2523 a ANY query. [RT #26017]
2525 3167. [bug] Negative answers from forwarders were not being
2526 correctly tagged making them appear to not be cached.
2529 3166. [bug] Upgrading a zone to support inline-signing failed.
2532 3165. [bug] dnssec-signzone could generate new signatures when
2533 resigning, even when valid signatures were already
2534 present. [RT #26025]
2536 3164. [func] Enable DLZ modules to retrieve client information,
2537 so that responses can be changed depending on the
2538 source address of the query. [RT #25768]
2540 3163. [bug] Use finer-grained locking in client.c to address
2541 concurrency problems with large numbers of threads.
2544 3162. [test] start.pl: modified to allow for "named.args" in
2545 ns*/ subdirectory to override stock arguments to
2546 named. Largely from RT #26044, but no separate ticket.
2548 3161. [bug] zone.c:del_sigs failed to always reset rdata leading
2549 assertion failures. [RT #25880]
2551 3160. [bug] When printing out a NSEC3 record in multiline form
2552 the newline was not being printed causing type codes
2553 to be run together. [RT #25873]
2555 3159. [bug] On some platforms, named could assert on startup
2556 when running in a chrooted environment without
2559 3158. [bug] Recursive servers would prefer a particular UDP
2560 socket instead of using all available sockets.
2563 3157. [tuning] Reduce the time spent in "rndc reconfig" by parsing
2564 the config file before pausing the server. [RT #21373]
2568 --- 9.9.0a2 released ---
2570 3155. [bug] Fixed a build failure when using contrib DLZ
2571 drivers (e.g., mysql, postgresql, etc). [RT #25710]
2573 3154. [bug] Attempting to print an empty rdataset could trigger
2574 an assert. [RT #25452]
2576 3153. [func] Extend request-ixfr to zone level and remove the
2577 side effect of forcing an AXFR. [RT #25156]
2579 3152. [cleanup] Some versions of gcc and clang failed due to
2580 incorrect use of __builtin_expect. [RT #25183]
2582 3151. [bug] Queries for type RRSIG or SIG could be handled
2583 incorrectly. [RT #21050]
2585 3150. [func] Improved startup and reconfiguration time by
2586 enabling zones to load in multiple threads. [RT #25333]
2590 3148. [bug] Processing of normal queries could be stalled when
2591 forwarding a UPDATE message. [RT #24711]
2593 3147. [func] Initial inline signing support. [RT #23657]
2595 --- 9.9.0a1 released ---
2597 3146. [test] Fixed gcc4.6.0 errors in ATF. [RT #25598]
2599 3145. [test] Capture output of ATF unit tests in "./atf.out" if
2600 there were any errors while running them. [RT #25527]
2602 3144. [bug] dns_dbiterator_seek() could trigger an assert when
2603 used with a nonexistent database node. [RT #25358]
2605 3143. [bug] Silence clang compiler warnings. [RT #25174]
2607 3142. [bug] NAPTR is class agnostic. [RT #25429]
2609 3141. [bug] Silence spurious "zone serial (0) unchanged" messages
2610 associated with empty zones. [RT #25079]
2612 3140. [func] New command "rndc flushtree <name>" clears the
2613 specified name from the server cache along with
2614 all names under it. [RT #19970]
2616 3139. [test] Added tests from RFC 6234, RFC 2202, and RFC 1321
2617 for the hashing algorithms (md5, sha1 - sha512, and
2618 their hmac counterparts). [RT #25067]
2620 3138. [bug] Address memory leaks and out-of-order operations when
2621 shutting named down. [RT #25210]
2623 3137. [func] Improve hardware scalability by allowing multiple
2624 worker threads to process incoming UDP packets.
2625 This can significantly increase query throughput
2626 on some systems. [RT #22992]
2628 3136. [func] Add RFC 1918 reverse zones to the list of built-in
2629 empty zones switched on by the 'empty-zones-enable'
2632 3135. [port] FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
2633 See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
2636 3134. [bug] Improve the accuracy of dnssec-signzone's signing
2637 statistics. [RT #16030]
2639 3133. [bug] Change #3114 was incomplete. [RT #24577]
2643 3131. [tuning] Improve scalability by allocating one zone task
2644 per 100 zones at startup time, rather than using a
2645 fixed-size task table. [RT #24406]
2647 3130. [func] Support alternate methods for managing a dynamic
2648 zone's serial number. Two methods are currently
2649 defined using serial-update-method, "increment"
2650 (default) and "unixtime". [RT #23849]
2652 3129. [bug] Named could crash on 'rndc reconfig' when
2653 allow-new-zones was set to yes and named ACLs
2654 were used. [RT #22739]
2656 3128. [func] Inserting an NSEC3PARAM via dynamic update in an
2657 auto-dnssec zone that has not been signed yet
2658 will cause it to be signed with the specified NSEC3
2659 parameters when keys are activated. The
2660 NSEC3PARAM record will not appear in the zone until
2661 it is signed, but the parameters will be stored.
2664 3127. [bug] 'rndc thaw' will now remove a zone's journal file
2665 if the zone serial number has been changed and
2666 ixfr-from-differences is not in use. [RT #24687]
2668 3126. [security] Using DNAME record to generate replacements caused
2669 RPZ to exit with a assertion failure. [RT #24766]
2671 3125. [security] Using wildcard CNAME records as a replacement with
2672 RPZ caused named to exit with a assertion failure.
2675 3124. [bug] Use an rdataset attribute flag to indicate
2676 negative-cache records rather than using rrtype 0;
2677 this will prevent problems when that rrtype is
2678 used in actual DNS packets. [RT #24777]
2680 3123. [security] Change #2912 exposed a latent flaw in
2681 dns_rdataset_totext() that could cause named to
2682 crash with an assertion failure. [RT #24777]
2684 3122. [cleanup] dnssec-settime: corrected usage message. [RT #24664]
2686 3121. [security] An authoritative name server sending a negative
2687 response containing a very large RRset could
2688 trigger an off-by-one error in the ncache code
2689 and crash named. [RT #24650]
2691 3120. [bug] Named could fail to validate zones listed in a DLV
2692 that validated insecure without using DLV and had
2693 DS records in the parent zone. [RT #24631]
2695 3119. [bug] When rolling to a new DNSSEC key, a private-type
2696 record could be created and never marked complete.
2699 3118. [bug] nsupdate could dump core on shutdown when using
2700 SIG(0) keys. [RT #24604]
2702 3117. [cleanup] Remove doc and parser references to the
2703 never-implemented 'auto-dnssec create' option.
2706 3116. [func] New 'dnssec-update-mode' option controls updates
2707 of DNSSEC records in signed dynamic zones. Set to
2708 'no-resign' to disable automatic RRSIG regeneration
2709 while retaining the ability to sign new or changed
2712 3115. [bug] Named could fail to return requested data when
2713 following a CNAME that points into the same zone.
2716 3114. [bug] Retain expired RRSIGs in dynamic zones if key is
2717 inactive and there is no replacement key. [RT #23136]
2719 3113. [doc] Document the relationship between serial-query-rate
2720 and NOTIFY messages.
2722 3112. [doc] Add missing descriptions of the update policy name
2723 types "ms-self", "ms-subdomain", "krb5-self" and
2724 "krb5-subdomain", which allow machines to update
2725 their own records, to the BIND 9 ARM.
2727 3111. [bug] Improved consistency checks for dnssec-enable and
2728 dnssec-validation, added test cases to the
2729 checkconf system test. [RT #24398]
2731 3110. [bug] dnssec-signzone: Wrong error message could appear
2732 when attempting to sign with no KSK. [RT #24369]
2734 3109. [func] The also-notify option now uses the same syntax
2735 as a zone's masters clause. This means it is
2736 now possible to specify a TSIG key to use when
2737 sending notifies to a given server, or to include
2738 an explicit named masters list in an also-notfiy
2739 statement. [RT #23508]
2741 3108. [cleanup] dnssec-signzone: Clarified some error and
2742 warning messages; removed #ifdef ALLOW_KSKLESS_ZONES
2743 code (use -P instead). [RT #20852]
2745 3107. [bug] dnssec-signzone: Report the correct number of ZSKs
2746 when using -x. [RT #20852]
2748 3106. [func] When logging client requests, include the name of
2749 the TSIG key if any. [RT #23619]
2751 3105. [bug] GOST support can be suppressed by "configure
2752 --without-gost" [RT #24367]
2754 3104. [bug] Better support for cross-compiling. [RT #24367]
2756 3103. [bug] Configuring 'dnssec-validation auto' in a view
2757 instead of in the options statement could trigger
2758 an assertion failure in named-checkconf. [RT #24382]
2760 3102. [func] New 'dnssec-loadkeys-interval' option configures
2761 how often, in minutes, to check the key repository
2762 for updates when using automatic key maintenance.
2763 Default is every 60 minutes (formerly hard-coded
2764 to 12 hours). [RT #23744]
2766 3101. [bug] Zones using automatic key maintenance could fail
2767 to check the key repository for updates. [RT #23744]
2769 3100. [security] Certain response policy zone configurations could
2770 trigger an INSIST when receiving a query of type
2773 3099. [test] "dlz" system test now runs but gives R:SKIPPED if
2774 not compiled with --with-dlz-filesystem. [RT #24146]
2776 3098. [bug] DLZ zones were answering without setting the AA bit.
2779 3097. [test] Add a tool to test handling of malformed packets.
2782 3096. [bug] Set KRB5_KTNAME before calling log_cred() in
2783 dst_gssapi_acceptctx(). [RT #24004]
2785 3095. [bug] Handle isolated reserved ports in the port range.
2788 3094. [doc] Expand dns64 documentation.
2790 3093. [bug] Fix gssapi/kerberos dependencies [RT #23836]
2792 3092. [bug] Signatures for records at the zone apex could go
2793 stale due to an incorrect timer setting. [RT #23769]
2795 3091. [bug] Fixed a bug in which zone keys that were published
2796 and then subsequently activated could fail to trigger
2797 automatic signing. [RT #22911]
2799 3090. [func] Make --with-gssapi default [RT #23738]
2801 3089. [func] dnssec-dsfromkey now supports reading keys from
2802 standard input "dnssec-dsfromkey -f -". [RT #20662]
2804 3088. [bug] Remove bin/tests/system/logfileconfig/ns1/named.conf
2805 and add setup.sh in order to resolve changing
2806 named.conf issue. [RT #23687]
2808 3087. [bug] DDNS updates using SIG(0) with update-policy match
2809 type "external" could cause a crash. [RT #23735]
2811 3086. [bug] Running dnssec-settime -f on an old-style key will
2812 now force an update to the new key format even if no
2813 other change has been specified, using "-P now -A now"
2814 as default values. [RT #22474]
2816 3085. [func] New '-R' option in dnssec-signzone forces removal
2817 of signatures which have not yet expired but
2818 were generated by a key that no longer exists.
2821 3084. [func] A new command "rndc sync" dumps pending changes in
2822 a dynamic zone to disk; "rndc sync -clean" also
2823 removes the journal file after syncing. Also,
2824 "rndc freeze" no longer removes journal files.
2827 3083. [bug] NOTIFY messages were not being sent when generating
2828 a NSEC3 chain incrementally. [RT #23702]
2830 3082. [port] strtok_r is threads only. [RT #23747]
2832 3081. [bug] Failure of DNAME substitution did not return
2833 YXDOMAIN. [RT #23591]
2835 3080. [cleanup] Replaced compile time constant by STDTIME_ON_32BITS.
2838 3079. [bug] Handle isc_event_allocate failures in t_tasks.
2841 3078. [func] Added a new include file with function typedefs
2842 for the DLZ "dlopen" driver. [RT #23629]
2844 3077. [bug] zone.c:zone_refreshkeys() incorrectly called
2845 dns_zone_attach(), use zone->irefs instead. [RT #23303]
2847 3076. [func] New '-L' option in dnssec-keygen, dnsset-settime, and
2848 dnssec-keyfromlabel sets the default TTL of the
2849 key. When possible, automatic signing will use that
2850 TTL when the key is published. [RT #23304]
2852 3075. [bug] dns_dnssec_findzonekeys{2} used a inconsistent
2853 timestamp when determining which keys are active.
2856 3074. [bug] Make the adb cache read through for zone data and
2857 glue learn for zone named is authoritative for.
2860 3073. [bug] managed-keys changes were not properly being recorded.
2863 3072. [bug] dns_dns64_aaaaok() potential NULL pointer dereference.
2866 3071. [bug] has_nsec could be used uninitialized in
2867 update.c:next_active. [RT #20256]
2869 3070. [bug] dnssec-signzone potential NULL pointer dereference.
2872 3069. [cleanup] Silence warnings messages from clang static analysis.
2875 3068. [bug] Named failed to build with a OpenSSL without engine
2876 support. [RT #23473]
2878 3067. [bug] ixfr-from-differences {master|slave}; failed to
2879 select the master/slave zones. [RT #23580]
2881 3066. [func] The DLZ "dlopen" driver is now built by default,
2882 no longer requiring a configure option. To
2883 disable it, use "configure --without-dlopen".
2884 Driver also supported on win32. [RT #23467]
2886 3065. [bug] RRSIG could have time stamps too far in the future.
2889 3064. [bug] powerpc: add sync instructions to the end of atomic
2890 operations. [RT #23469]
2892 3063. [contrib] More verbose error reporting from DLZ LDAP. [RT #23402]
2894 3062. [func] Made several changes to enhance human readability
2895 of DNSSEC data in dig output and in generated
2897 - DNSKEY record comments are more verbose, no
2898 longer used in multiline mode only
2899 - multiline RRSIG records reformatted
2900 - multiline output mode for NSEC3PARAM records
2901 - "dig +norrcomments" suppresses DNSKEY comments
2902 - "dig +split=X" breaks hex/base64 records into
2903 fields of width X; "dig +nosplit" disables this.
2906 3061. [func] New option "dnssec-signzone -D", only write out
2907 generated DNSSEC records. [RT #22896]
2909 3060. [func] New option "dnssec-signzone -X <date>" allows
2910 specification of a separate expiration date
2911 for DNSKEY RRSIGs and other RRSIGs. [RT #22141]
2913 3059. [test] Added a regression test for change #3023.
2915 3058. [bug] Cause named to terminate at startup or rndc reconfig/
2916 reload to fail, if a log file specified in the conf
2917 file isn't a plain file. [RT #22771]
2919 3057. [bug] "rndc secroots" would abort after the first error
2920 and so could miss some views. [RT #23488]
2922 3056. [func] Added support for URI resource record. [RT #23386]
2926 3054. [bug] Added elliptic curve support check in
2927 GOST OpenSSL engine detection. [RT #23485]
2929 3053. [bug] Under a sustained high query load with a finite
2930 max-cache-size, it was possible for cache memory
2931 to be exhausted and not recovered. [RT #23371]
2933 3052. [test] Fixed last autosign test report. [RT #23256]
2935 3051. [bug] NS records obscure DNAME records at the bottom of the
2936 zone if both are present. [RT #23035]
2938 3050. [bug] The autosign system test was timing dependent.
2939 Wait for the initial autosigning to complete
2940 before running the rest of the test. [RT #23035]
2942 3049. [bug] Save and restore the gid when creating creating
2943 named.pid at startup. [RT #23290]
2945 3048. [bug] Fully separate view key management. [RT #23419]
2947 3047. [bug] DNSKEY NODATA responses not cached fixed in
2948 validator.c. Tests added to dnssec system test.
2951 3046. [bug] Use RRSIG original TTL to compute validated RRset
2952 and RRSIG TTL. [RT #23332]
2954 3045. [removed] Replaced by change #3050.
2956 3044. [bug] Hold the socket manager lock while freeing the socket.
2959 3043. [test] Merged in the NetBSD ATF test framework (currently
2960 version 0.12) for development of future unit tests.
2961 Use configure --with-atf to build ATF internally
2962 or configure --with-atf=prefix to use an external
2965 3042. [bug] dig +trace could fail attempting to use IPv6
2966 addresses on systems with only IPv4 connectivity.
2969 3041. [bug] dnssec-signzone failed to generate new signatures on
2970 ttl changes. [RT #23330]
2972 3040. [bug] Named failed to validate insecure zones where a node
2973 with a CNAME existed between the trust anchor and the
2974 top of the zone. [RT #23338]
2976 3039. [func] Redirect on NXDOMAIN support. [RT #23146]
2978 3038. [bug] Install <dns/rpz.h>. [RT #23342]
2980 3037. [doc] Update COPYRIGHT to contain all the individual
2981 copyright notices that cover various parts.
2983 3036. [bug] Check built-in zone arguments to see if the zone
2984 is re-usable or not. [RT #21914]
2986 3035. [cleanup] Simplify by using strlcpy. [RT #22521]
2988 3034. [cleanup] nslookup: use strlcpy instead of safecopy. [RT #22521]
2990 3033. [cleanup] Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).
2993 3032. [bug] rdatalist.c: add missing REQUIREs. [RT #22521]
2995 3031. [bug] dns_rdataclass_format() handle a zero sized buffer.
2998 3030. [bug] dns_rdatatype_format() handle a zero sized buffer.
3001 3029. [bug] isc_netaddr_format() handle a zero sized buffer.
3004 3028. [bug] isc_sockaddr_format() handle a zero sized buffer.
3007 3027. [bug] Add documented REQUIREs to cfg_obj_asnetprefix() to
3008 catch NULL pointer dereferences before they happen.
3011 3026. [bug] lib/isc/httpd.c: check that we have enough space
3012 after calling grow_headerspace() and if not
3013 re-call grow_headerspace() until we do. [RT #22521]
3015 3025. [bug] Fixed a possible deadlock due to zone resigning.
3018 3024. [func] RTT Banding removed due to minor security increase
3019 but major impact on resolver latency. [RT #23310]
3021 3023. [bug] Named could be left in an inconsistent state when
3022 receiving multiple AXFR response messages that were
3023 not all TSIG-signed. [RT #23254]
3025 3022. [bug] Fixed rpz SERVFAILs after failed zone transfers
3028 3021. [bug] Change #3010 was incomplete. [RT #22296]
3030 3020. [bug] auto-dnssec failed to correctly update the zone when
3031 changing the DNSKEY RRset. [RT #23232]
3033 3019. [test] Test: check apex NSEC3 records after adding DNSKEY
3034 record via UPDATE. [RT #23229]
3036 3018. [bug] Named failed to check for the "none;" acl when deciding
3037 if a zone may need to be re-signed. [RT #23120]
3039 3017. [doc] dnssec-keyfromlabel -I was not properly documented.
3042 3016. [bug] rndc usage missing '-b'. [RT #22937]
3044 3015. [port] win32: fix IN6_IS_ADDR_LINKLOCAL and
3045 IN6_IS_ADDR_SITELOCAL macros. [RT #22724]
3049 3013. [bug] The DNS64 ttl was not always being set as expected.
3052 3012. [bug] Remove DNSKEY TTL change pairs before generating
3053 signing records for any remaining DNSKEY changes.
3056 3011. [func] Change the default query timeout from 30 seconds
3057 to 10. Allow setting this in named.conf using the new
3058 'resolver-query-timeout' option, which specifies a max
3059 time in seconds. 0 means 'default' and anything longer
3060 than 30 will be silently set to 30. [RT #22852]
3062 3010. [bug] Fixed a bug where "rndc reconfig" stopped the timer
3063 for refreshing managed-keys. [RT #22296]
3065 3009. [bug] clients-per-query code didn't work as expected with
3066 particular query patterns. [RT #22972]
3068 --- 9.8.0b1 released ---
3070 3008. [func] Response policy zones (RPZ) support. [RT #21726]
3072 3007. [bug] Named failed to preserve the case of domain names in
3073 rdata which is not compressible when writing master
3076 3006. [func] Allow dynamically generated TSIG keys to be preserved
3077 across restarts of named. Initially this is for
3078 TSIG keys generated using GSSAPI. [RT #22639]
3080 3005. [port] Solaris: Work around the lack of
3081 gsskrb5_register_acceptor_identity() by setting
3082 the KRB5_KTNAME environment variable to the
3083 contents of tkey-gssapi-keytab. Also fixed
3084 test errors on MacOSX. [RT #22853]
3086 3004. [func] DNS64 reverse support. [RT #22769]
3088 3003. [experimental] Added update-policy match type "external",
3089 enabling named to defer the decision of whether to
3090 allow a dynamic update to an external daemon.
3091 (Contributed by Andrew Tridgell.) [RT #22758]
3093 3002. [bug] isc_mutex_init_errcheck() failed to destroy attr.
3096 3001. [func] Added a default trust anchor for the root zone, which
3097 can be switched on by setting "dnssec-validation auto;"
3098 in the named.conf options. [RT #21727]
3100 3000. [bug] More TKEY/GSS fixes:
3101 - nsupdate can now get the default realm from
3102 the user's Kerberos principal
3103 - corrected gsstest compilation flags
3104 - improved documentation
3105 - fixed some NULL dereferences
3108 2999. [func] Add GOST support (RFC 5933). [RT #20639]
3110 2998. [func] Add isc_task_beginexclusive and isc_task_endexclusive
3111 to the task api. [RT #22776]
3113 2997. [func] named -V now reports the OpenSSL and libxml2 verions
3114 it was compiled against. [RT #22687]
3116 2996. [security] Temporarily disable SO_ACCEPTFILTER support.
3119 2995. [bug] The Kerberos realm was not being correctly extracted
3120 from the signer's identity. [RT #22770]
3122 2994. [port] NetBSD: use pthreads by default on NetBSD >= 5.0, and
3123 do not use threads on earlier versions. Also kill
3124 the unproven-pthreads, mit-pthreads, and ptl2 support.
3126 2993. [func] Dynamically grow adb hash tables. [RT #21186]
3128 2992. [contrib] contrib/check-secure-delegation.pl: A simple tool
3129 for looking at a secure delegation. [RT #22059]
3131 2991. [contrib] contrib/zone-edit.sh: A simple zone editing tool for
3132 dynamic zones. [RT #22365]
3134 2990. [bug] 'dnssec-settime -S' no longer tests prepublication
3135 interval validity when the interval is set to 0.
3138 2989. [func] Added support for writable DLZ zones. (Contributed
3139 by Andrew Tridgell of the Samba project.) [RT #22629]
3141 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation
3142 of external DLZ drivers that can be loaded as
3143 shared objects at runtime rather than linked with
3144 named. Currently this is switched on via a
3145 compile-time option, "configure --with-dlz-dlopen".
3146 Note: the syntax for configuring DLZ zones
3147 is likely to be refined in future releases.
3148 (Contributed by Andrew Tridgell of the Samba
3149 project.) [RT #22629]
3151 2987. [func] Improve ease of configuring TKEY/GSS updates by
3152 adding a "tkey-gssapi-keytab" option. If set,
3153 updates will be allowed with any key matching
3154 a principal in the specified keytab file.
3155 "tkey-gssapi-credential" is no longer required
3156 and is expected to be deprecated. (Contributed
3157 by Andrew Tridgell of the Samba project.)
3160 2986. [func] Add new zone type "static-stub". It's like a stub
3161 zone, but the nameserver names and/or their IP
3162 addresses are statically configured. [RT #21474]
3164 2985. [bug] Add a regression test for change #2896. [RT #21324]
3166 2984. [bug] Don't run MX checks when the target of the MX record
3169 2983. [bug] Include "loadkeys" in rndc help output. [RT #22493]
3171 --- 9.8.0a1 released ---
3173 2982. [bug] Reference count dst keys. dst_key_attach() can be used
3174 increment the reference count.
3176 Note: dns_tsigkey_createfromkey() callers should now
3177 always call dst_key_free() rather than setting it
3178 to NULL on success. [RT #22672]
3180 2981. [func] Partial DNS64 support (AAAA synthesis). [RT #21991]
3182 2980. [bug] named didn't properly handle UPDATES that changed the
3183 TTL of the NSEC3PARAM RRset. [RT #22363]
3185 2979. [bug] named could deadlock during shutdown if two
3186 "rndc stop" commands were issued at the same
3189 2978. [port] hpux: look for <devpoll.h> [RT #21919]
3191 2977. [bug] 'nsupdate -l' report if the session key is missing.
3194 2976. [bug] named could die on exit after negotiating a GSS-TSIG
3197 2975. [bug] rbtdb.c:cleanup_dead_nodes_callback() acquired the
3198 wrong lock which could lead to server deadlock.
3201 2974. [bug] Some valid UPDATE requests could fail due to a
3202 consistency check examining the existing version
3203 of the zone rather than the new version resulting
3204 from the UPDATE. [RT #22413]
3206 2973. [bug] bind.keys.h was being removed by the "make clean"
3207 at the end of configure resulting in build failures
3208 where there is very old version of perl installed.
3209 Move it to "make maintainer-clean". [RT #22230]
3211 2972. [bug] win32: address windows socket errors. [RT #21906]
3213 2971. [bug] Fixed a bug that caused journal files not to be
3214 compacted on Windows systems as a result of
3215 non-POSIX-compliant rename() semantics. [RT #22434]
3217 2970. [security] Adding a NO DATA negative cache entry failed to clear
3218 any matching RRSIG records. A subsequent lookup of
3219 of NO DATA cache entry could trigger a INSIST when the
3220 unexpected RRSIG was also returned with the NO DATA
3223 CVE-2010-3613, VU#706148. [RT #22288]
3225 2969. [security] Fix acl type processing so that allow-query works
3226 in options and view statements. Also add a new
3227 set of tests to verify proper functioning.
3229 CVE-2010-3615, VU#510208. [RT #22418]
3231 2968. [security] Named could fail to prove a data set was insecure
3232 before marking it as insecure. One set of conditions
3233 that can trigger this occurs naturally when rolling
3236 CVE-2010-3614, VU#837744. [RT #22309]
3238 2967. [bug] 'host -D' now turns on debugging messages earlier.
3241 2966. [bug] isc_print_vsnprintf() failed to check if there was
3242 space available in the buffer when adding a left
3243 justified character with a non zero width,
3244 (e.g. "%-1c"). [RT #22270]
3246 2965. [func] Test HMAC functions using test data from RFC 2104 and
3247 RFC 4634. [RT #21702]
3251 2963. [security] The allow-query acl was being applied instead of the
3252 allow-query-cache acl to cache lookups. [RT #22114]
3254 2962. [port] win32: add more dependencies to BINDBuild.dsw.
3257 2961. [bug] Be still more selective about the non-authoritative
3258 answers we apply change 2748 to. [RT #22074]
3260 2960. [func] Check that named accepts non-authoritative answers.
3263 2959. [func] Check that named starts with a missing masterfile.
3266 2958. [bug] named failed to start with a missing master file.
3269 2957. [bug] entropy_get() and entropy_getpseudo() failed to match
3270 the API for RAND_bytes() and RAND_pseudo_bytes()
3271 respectively. [RT #21962]
3273 2956. [port] Enable atomic operations on the PowerPC64. [RT #21899]
3275 2955. [func] Provide more detail in the recursing log. [RT #22043]
3277 2954. [bug] contrib: dlz_mysql_driver.c bad error handling on
3278 build_sqldbinstance failure. [RT #21623]
3280 2953. [bug] Silence spurious "expected covering NSEC3, got an
3281 exact match" message when returning a wildcard
3282 no data response. [RT #21744]
3284 2952. [port] win32: named-checkzone and named-checkconf failed
3285 to initialize winsock. [RT #21932]
3287 2951. [bug] named failed to generate a correct signed response
3288 in a optout, delegation only zone with no secure
3289 delegations. [RT #22007]
3291 2950. [bug] named failed to perform a SOA up to date check when
3292 falling back to TCP on UDP timeouts when
3293 ixfr-from-differences was set. [RT #21595]
3295 2949. [bug] dns_view_setnewzones() contained a memory leak if
3296 it was called multiple times. [RT #21942]
3298 2948. [port] MacOS: provide a mechanism to configure the test
3299 interfaces at reboot. See bin/tests/system/README
3304 2946. [doc] Document the default values for the minimum and maximum
3305 zone refresh and retry values in the ARM. [RT #21886]
3307 2945. [doc] Update empty-zones list in ARM. [RT #21772]
3309 2944. [maint] Remove ORCHID prefix from built in empty zones.
3312 2943. [func] Add support to load new keys into managed zones
3313 without signing immediately with "rndc loadkeys".
3314 Add support to link keys with "dnssec-keygen -S"
3315 and "dnssec-settime -S". [RT #21351]
3317 2942. [contrib] zone2sqlite failed to setup the entropy sources.
3320 2941. [bug] sdb and sdlz (dlz's zone database) failed to support
3321 DNAME at the zone apex. [RT #21610]
3323 2940. [port] Remove connection aborted error message on
3324 Windows. [RT #21549]
3326 2939. [func] Check that named successfully skips NSEC3 records
3327 that fail to match the NSEC3PARAM record currently
3330 2938. [bug] When generating signed responses, from a signed zone
3331 that uses NSEC3, named would use a uninitialized
3332 pointer if it needed to skip a NSEC3 record because
3333 it didn't match the selected NSEC3PARAM record for
3336 2937. [bug] Worked around an apparent race condition in over
3337 memory conditions. Without this fix a DNS cache DB or
3338 ADB could incorrectly stay in an over memory state,
3339 effectively refusing further caching, which
3340 subsequently made a BIND 9 caching server unworkable.
3341 This fix prevents this problem from happening by
3342 polling the state of the memory context, rather than
3343 making a copy of the state, which appeared to cause
3344 a race. This is a "workaround" in that it doesn't
3345 solve the possible race per se, but several experiments
3346 proved this change solves the symptom. Also, the
3347 polling overhead hasn't been reported to be an issue.
3348 This bug should only affect a caching server that
3349 specifies a finite max-cache-size. It's also quite
3350 likely that the bug happens only when enabling threads,
3351 but it's not confirmed yet. [RT #21818]
3353 2936. [func] Improved configuration syntax and multiple-view
3354 support for addzone/delzone feature (see change
3355 #2930). Removed "new-zone-file" option, replaced
3356 with "allow-new-zones (yes|no)". The new-zone-file
3357 for each view is now created automatically, with
3358 a filename generated from a hash of the view name.
3359 It is no longer necessary to "include" the
3360 new-zone-file in named.conf; this happens
3361 automatically. Zones that were not added via
3362 "rndc addzone" can no longer be removed with
3363 "rndc delzone". [RT #19447]
3365 2935. [bug] nsupdate: improve 'file not found' error message.
3368 2934. [bug] Use ANSI C compliant shift range in lib/isc/entropy.c.
3371 2933. [bug] 'dig +nsid' used stack memory after it went out of
3372 scope. This could potentially result in a unknown,
3373 potentially malformed, EDNS option being sent instead
3374 of the desired NSID option. [RT #21781]
3376 2932. [cleanup] Corrected a numbering error in the "dnssec" test.
3379 2931. [bug] Temporarily and partially disable change 2864
3380 because it would cause infinite attempts of RRSIG
3381 queries. This is an urgent care fix; we'll
3382 revisit the issue and complete the fix later.
3385 2930. [experimental] New "rndc addzone" and "rndc delzone" commands
3386 allow dynamic addition and deletion of zones.
3387 To enable this feature, specify a "new-zone-file"
3388 option at the view or options level in named.conf.
3389 Zone configuration information for the new zones
3390 will be written into that file. To make the new
3391 zones persist after a restart, "include" the file
3392 into named.conf in the appropriate view. (Note:
3393 This feature is not yet documented, and its syntax
3394 is expected to change.) [RT #19447]
3396 2929. [bug] Improved handling of GSS security contexts:
3397 - added LRU expiration for generated TSIGs
3398 - added the ability to use a non-default realm
3399 - added new "realm" keyword in nsupdate
3400 - limited lifetime of generated keys to 1 hour
3401 or the lifetime of the context (whichever is
3405 2928. [bug] Be more selective about the non-authoritative
3406 answer we apply change 2748 to. [RT #21594]
3412 2925. [bug] Named failed to accept uncachable negative responses
3413 from insecure zones. [RT #21555]
3415 2924. [func] 'rndc secroots' dump a combined summary of the
3416 current managed keys combined with trusted keys.
3419 2923. [bug] 'dig +trace' could drop core after "connection
3420 timeout". [RT #21514]
3422 2922. [contrib] Update zkt to version 1.0.
3424 2921. [bug] The resolver could attempt to destroy a fetch context
3425 too soon. [RT #19878]
3427 2920. [func] Allow 'filter-aaaa-on-v4' to be applied selectively
3428 to IPv4 clients. New acl 'filter-aaaa' (default any).
3430 2919. [func] Add autosign-ksk and autosign-zsk virtual time tests.
3433 2918. [maint] Add AAAA address for I.ROOT-SERVERS.NET.
3435 2917. [func] Virtual time test framework. [RT #20801]
3437 2916. [func] Add framework to use IPv6 in tests.
3438 fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7
3440 2915. [cleanup] Be smarter about which objects we attempt to compile
3441 based on configure options. [RT #21444]
3443 2914. [bug] Make the "autosign" system test more portable.
3446 2913. [func] Add pkcs#11 system tests. [RT #20784]
3448 2912. [func] Windows clients don't like UPDATE responses that clear
3449 the zone section. [RT #20986]
3451 2911. [bug] dnssec-signzone didn't handle out of zone records well.
3454 2910. [func] Sanity check Kerberos credentials. [RT #20986]
3456 2909. [bug] named-checkconf -p could die if "update-policy local;"
3457 was specified in named.conf. [RT #21416]
3459 2908. [bug] It was possible for re-signing to stop after removing
3460 a DNSKEY. [RT #21384]
3462 2907. [bug] The export version of libdns had undefined references.
3465 2906. [bug] Address RFC 5011 implementation issues. [RT #20903]
3467 2905. [port] aix: set use_atomic=yes with native compiler.
3470 2904. [bug] When using DLV, sub-zones of the zones in the DLV,
3471 could be incorrectly marked as insecure instead of
3472 secure leading to negative proofs failing. This was
3473 a unintended outcome from change 2890. [RT #21392]
3475 2903. [bug] managed-keys-directory missing from namedconf.c.
3478 2902. [func] Add regression test for change 2897. [RT #21040]
3480 2901. [port] Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]
3482 2900. [bug] The placeholder negative caching element was not
3483 properly constructed triggering a INSIST in
3484 dns_ncache_towire(). [RT #21346]
3486 2899. [port] win32: Support linking against OpenSSL 1.0.0.
3488 2898. [bug] nslookup leaked memory when -domain=value was
3489 specified. [RT #21301]
3491 2897. [bug] NSEC3 chains could be left behind when transitioning
3492 to insecure. [RT #21040]
3494 2896. [bug] "rndc sign" failed to properly update the zone
3495 when adding a DNSKEY for publication only. [RT #21045]
3497 2895. [func] genrandom: add support for the generation of multiple
3500 2894. [contrib] DLZ LDAP support now use '$' not '%'. [RT #21294]
3502 2893. [bug] Improve managed keys support. New named.conf option
3503 managed-keys-directory. [RT #20924]
3505 2892. [bug] Handle REVOKED keys better. [RT #20961]
3507 2891. [maint] Update empty-zones list to match
3508 draft-ietf-dnsop-default-local-zones-13. [RT #21099]
3510 2890. [bug] Handle the introduction of new trusted-keys and
3511 DS, DLV RRsets better. [RT #21097]
3513 2889. [bug] Elements of the grammar where not properly reported.
3516 2888. [bug] Only the first EDNS option was displayed. [RT #21273]
3518 2887. [bug] Report the keytag times in UTC in the .key file,
3519 local time is presented as a comment within the
3520 comment. [RT #21223]
3522 2886. [bug] ctime() is not thread safe. [RT #21223]
3524 2885. [bug] Improve -fno-strict-aliasing support probing in
3525 configure. [RT #21080]
3527 2884. [bug] Insufficient validation in dns_name_getlabelsequence().
3530 2883. [bug] 'dig +short' failed to handle really large datasets.
3533 2882. [bug] Remove memory context from list of active contexts
3534 before clearing 'magic'. [RT #21274]
3536 2881. [bug] Reduce the amount of time the rbtdb write lock
3537 is held when closing a version. [RT #21198]
3539 2880. [cleanup] Make the output of dnssec-keygen and dnssec-revoke
3540 consistent. [RT #21078]
3542 2879. [contrib] DLZ bdbhpt driver fails to close correct cursor.
3545 2878. [func] Incrementally write the master file after performing
3548 2877. [bug] The validator failed to skip obviously mismatching
3551 2876. [bug] Named could return SERVFAIL for negative responses
3552 from unsigned zones. [RT #21131]
3554 2875. [bug] dns_time64_fromtext() could accept non digits.
3557 2874. [bug] Cache lack of EDNS support only after the server
3558 successfully responds to the query using plain DNS.
3561 2873. [bug] Canceling a dynamic update via the dns/client module
3562 could trigger an assertion failure. [RT #21133]
3564 2872. [bug] Modify dns/client.c:dns_client_createx() to only
3565 require one of IPv4 or IPv6 rather than both.
3568 2871. [bug] Type mismatch in mem_api.c between the definition and
3569 the header file, causing build failure with
3570 --enable-exportlib. [RT #21138]
3572 2870. [maint] Add AAAA address for L.ROOT-SERVERS.NET.
3574 2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call.
3577 2868. [cleanup] Run "make clean" at the end of configure to ensure
3578 any changes made by configure are integrated.
3579 Use --with-make-clean=no to disable. [RT #20994]
3581 2867. [bug] Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
3582 don't like it. [RT #20986]
3584 2866. [bug] Windows does not like the TSIG name being compressed.
3587 2865. [bug] memset to zero event.data. [RT #20986]
3589 2864. [bug] Direct SIG/RRSIG queries were not handled correctly.
3592 2863. [port] linux: disable IPv6 PMTUD and use network minimum MTU.
3595 2862. [bug] nsupdate didn't default to the parent zone when
3596 updating DS records. [RT #20896]
3598 2861. [doc] dnssec-settime man pages didn't correctly document the
3599 inactivation time. [RT #21039]
3601 2860. [bug] named-checkconf's usage was out of date. [RT #21039]
3603 2859. [bug] When canceling validation it was possible to leak
3606 2858. [bug] RTT estimates were not being adjusted on ICMP errors.
3609 2857. [bug] named-checkconf did not fail on a bad trusted key.
3612 2856. [bug] The size of a memory allocation was not always properly
3613 recorded. [RT #20927]
3615 2855. [func] nsupdate will now preserve the entered case of domain
3616 names in update requests it sends. [RT #20928]
3618 2854. [func] dig: allow the final soa record in a axfr response to
3619 be suppressed, dig +onesoa. [RT #20929]
3621 2853. [bug] add_sigs() could run out of scratch space. [RT #21015]
3623 2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]
3625 2851. [doc] nslookup.1, removed <informalexample> from the docbook
3626 source as it produced bad nroff. [RT #21007]
3628 2850. [bug] If isc_heap_insert() failed due to memory shortage
3629 the heap would have corrupted entries. [RT #20951]
3631 2849. [bug] Don't treat errors from the xml2 library as fatal.
3634 2848. [doc] Moved README.dnssec, README.libdns, README.pkcs11 and
3635 README.rfc5011 into the ARM. [RT #20899]
3637 2847. [cleanup] Corrected usage message in dnssec-settime. [RT #20921]
3639 2846. [bug] EOF on unix domain sockets was not being handled
3640 correctly. [RT #20731]
3642 2845. [bug] RFC 5011 client could crash on shutdown. [RT #20903]
3644 2844. [doc] notify-delay default in ARM was wrong. It should have
3645 been five (5) seconds.
3647 2843. [func] Prevent dnssec-keygen and dnssec-keyfromlabel from
3648 creating key files if there is a chance that the new
3649 key ID will collide with an existing one after
3650 either of the keys has been revoked. (To override
3651 this in the case of dnssec-keyfromlabel, use the -y
3652 option. dnssec-keygen will simply create a
3653 different, non-colliding key, so an override is
3654 not necessary.) [RT #20838]
3656 2842. [func] Added "smartsign" and improved "autosign" and
3657 "dnssec" regression tests. [RT #20865]
3659 2841. [bug] Change 2836 was not complete. [RT #20883]
3661 2840. [bug] Temporary fixed pkcs11-destroy usage check.
3664 2839. [bug] A KSK revoked by named could not be deleted.
3669 2837. [port] Prevent Linux spurious warnings about fwrite().
3672 2836. [bug] Keys that were scheduled to become active could
3673 be delayed. [RT #20874]
3675 2835. [bug] Key inactivity dates were inadvertently stored in
3676 the private key file with the outdated tag
3677 "Unpublish" rather than "Inactive". This has been
3678 fixed; however, any existing keys that had Inactive
3679 dates set will now need to have them reset, using
3680 'dnssec-settime -I'. [RT #20868]
3682 2834. [bug] HMAC-SHA* keys that were longer than the algorithm
3683 digest length were used incorrectly, leading to
3684 interoperability problems with other DNS
3685 implementations. This has been corrected.
3686 (Note: If an oversize key is in use, and
3687 compatibility is needed with an older release of
3688 BIND, the new tool "isc-hmac-fixup" can convert
3689 the key secret to a form that will work with all
3690 versions.) [RT #20751]
3692 2833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime.
3695 2832. [bug] Modify "struct stat" in lib/export/samples/nsprobe.c
3696 to avoid redefinition in some OSs [RT 20831]
3698 2831. [security] Do not attempt to validate or cache
3699 out-of-bailiwick data returned with a secure
3700 answer; it must be re-fetched from its original
3701 source and validated in that context. [RT #20819]
3703 2830. [bug] Changing the OPTOUT setting could take multiple
3706 2829. [bug] Fixed potential node inconsistency in rbtdb.c.
3709 2828. [security] Cached CNAME or DNAME RR could be returned to clients
3710 without DNSSEC validation. [RT #20737]
3712 2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
3714 2826. [bug] NSEC3->NSEC transitions could fail due to a lock not
3715 being released. [RT #20740]
3717 2825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that
3718 was in the process of being created was not properly
3719 recorded in the zone. [RT #20786]
3721 2824. [bug] "rndc sign" was not being run by the correct task.
3724 2823. [bug] rbtdb.c:getsigningtime() was missing locks. [RT #20781]
3726 2822. [bug] rbtdb.c:loadnode() could return the wrong result.
3729 2821. [doc] Add note that named-checkconf doesn't automatically
3730 read rndc.key and bind.keys [RT #20758]
3732 2820. [func] Handle read access failure of OpenSSL configuration
3733 file more user friendly (PKCS#11 engine patch).
3736 2819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define.
3739 2818. [cleanup] rndc could return an incorrect error code
3740 when a zone was not found. [RT #20767]
3742 2817. [cleanup] Removed unnecessary isc_task_endexclusive() calls.
3745 2816. [bug] previous_closest_nsec() could fail to return
3746 data for NSEC3 nodes [RT #29730]
3748 2815. [bug] Exclusively lock the task when freezing a zone.
3751 2814. [func] Provide a definitive error message when a master
3752 zone is not loaded. [RT #20757]
3754 2813. [bug] Better handling of unreadable DNSSEC key files.
3757 2812. [bug] Make sure updates can't result in a zone with
3758 NSEC-only keys and NSEC3 records. [RT #20748]
3760 2811. [cleanup] Add "rndc sign" to list of commands in rndc usage
3763 2810. [doc] Clarified the process of transitioning an NSEC3 zone
3764 to insecure. [RT #20746]
3766 2809. [cleanup] Restored accidentally-deleted text in usage output
3767 in dnssec-settime and dnssec-revoke [RT #20739]
3769 2808. [bug] Remove the attempt to install atomic.h from lib/isc.
3770 atomic.h is correctly installed by the architecture
3771 specific subdirectories. [RT #20722]
3773 2807. [bug] Fixed a possible ASSERT when reconfiguring zone
3776 --- 9.7.0rc1 released ---
3778 2806. [bug] "rdnc sign" could delay re-signing the DNSKEY
3779 when it had changed. [RT #20703]
3781 2805. [bug] Fixed namespace problems encountered when building
3782 external programs using non-exported BIND9 libraries
3783 (i.e., built without --enable-exportlib). [RT #20679]
3785 2804. [bug] Send notifies when a zone is signed with "rndc sign"
3786 or as a result of a scheduled key change. [RT #20700]
3788 2803. [port] win32: Install named-journalprint, nsec3hash, arpaname
3789 and genrandom under windows. [RT #20670]
3791 2802. [cleanup] Rename journalprint to named-journalprint. [RT #20670]
3793 2801. [func] Detect and report records that are different according
3794 to DNSSEC but are semantically equal according to plain
3795 DNS. Apply plain DNS comparisons rather than DNSSEC
3796 comparisons when processing UPDATE requests.
3797 dnssec-signzone now removes such semantically duplicate
3798 records prior to signing the RRset.
3800 named-checkzone -r {ignore|warn|fail} (default warn)
3801 named-compilezone -r {ignore|warn|fail} (default warn)
3803 named.conf: check-dup-records {ignore|warn|fail};
3805 2800. [func] Reject zones which have NS records which refer to
3806 CNAMEs, DNAMEs or don't have address record (class IN
3807 only). Reject UPDATEs which would cause the zone
3808 to fail the above checks if committed. [RT #20678]
3810 2799. [cleanup] Changed the "secure-to-insecure" option to
3811 "dnssec-secure-to-insecure", and "dnskey-ksk-only"
3812 to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
3814 2798. [bug] Addressed bugs in managed-keys initialization
3815 and rollover. [RT #20683]
3817 2797. [bug] Don't decrement the dispatch manager's maxbuffers.
3820 2796. [bug] Missing dns_rdataset_disassociate() call in
3821 dns_nsec3_delnsec3sx(). [RT #20681]
3823 2795. [cleanup] Add text to differentiate "update with no effect"
3824 log messages. [RT #18889]
3826 2794. [bug] Install <isc/namespace.h>. [RT #20677]
3828 2793. [func] Add "autosign" and "metadata" tests to the
3829 automatic tests. [RT #19946]
3831 2792. [func] "filter-aaaa-on-v4" can now be set in view
3832 options (if compiled in). [RT #20635]
3834 2791. [bug] The installation of isc-config.sh was broken.
3837 2790. [bug] Handle DS queries to stub zones. [RT #20440]
3839 2789. [bug] Fixed an INSIST in dispatch.c [RT #20576]
3841 2788. [bug] dnssec-signzone could sign with keys that were
3842 not requested [RT #20625]
3844 2787. [bug] Spurious log message when zone keys were
3845 dynamically reconfigured. [RT #20659]
3847 2786. [bug] Additional could be promoted to answer. [RT #20663]
3849 --- 9.7.0b3 released ---
3851 2785. [bug] Revoked keys could fail to self-sign [RT #20652]
3853 2784. [bug] TC was not always being set when required glue was
3854 dropped. [RT #20655]
3856 2783. [func] Return minimal responses to EDNS/UDP queries with a UDP
3857 buffer size of 512 or less. [RT #20654]
3859 2782. [port] win32: use getaddrinfo() for hostname lookups.
3862 2781. [bug] Inactive keys could be used for signing. [RT #20649]
3864 2780. [bug] dnssec-keygen -A none didn't properly unset the
3865 activation date in all cases. [RT #20648]
3867 2779. [bug] Dynamic key revocation could fail. [RT #20644]
3869 2778. [bug] dnssec-signzone could fail when a key was revoked
3870 without deleting the unrevoked version. [RT #20638]
3872 2777. [contrib] DLZ MYSQL auto reconnect support discovery was wrong.
3874 2776. [bug] Change #2762 was not correct. [RT #20647]
3876 2775. [bug] Accept RSASHA256 and RSASHA512 as NSEC3 compatible
3877 in dnssec-keyfromlabel. [RT #20643]
3879 2774. [bug] Existing cache DB wasn't being reused after
3880 reconfiguration. [RT #20629]
3882 2773. [bug] In autosigned zones, the SOA could be signed
3883 with the KSK. [RT #20628]
3885 2772. [security] When validating, track whether pending data was from
3886 the additional section or not and only return it if
3887 validates as secure. [RT #20438]
3889 2771. [bug] dnssec-signzone: DNSKEY records could be
3890 corrupted when importing from key files [RT #20624]
3892 2770. [cleanup] Add log messages to resolver.c to indicate events
3893 causing FORMERR responses. [RT #20526]
3895 2769. [cleanup] Change #2742 was incomplete. [RT #19589]
3897 2768. [bug] dnssec-signzone: -S no longer implies -g [RT #20568]
3899 2767. [bug] named could crash on startup if a zone was
3900 configured with auto-dnssec and there was no
3901 key-directory. [RT #20615]
3903 2766. [bug] isc_socket_fdwatchpoke() should only update the
3904 socketmgr state if the socket is not pending on a
3905 read or write. [RT #20603]
3907 2765. [bug] Skip masters for which the TSIG key cannot be found.
3910 2764. [bug] "rndc-confgen -a" could trigger a REQUIRE. [RT #20610]
3912 2763. [bug] "rndc sign" didn't create an NSEC chain. [RT #20591]
3914 2762. [bug] DLV validation failed with a local slave DLV zone.
3917 2761. [cleanup] Enable internal symbol table for backtrace only for
3918 systems that are known to work. Currently, BSD
3919 variants, Linux and Solaris are supported. [RT #20202]
3921 2760. [cleanup] Corrected named-compilezone usage summary. [RT #20533]
3923 2759. [doc] Add information about .jbk/.jnw files to
3924 the ARM. [RT #20303]
3926 2758. [bug] win32: Added a workaround for a windows 2008 bug
3927 that could cause the UDP client handler to shut
3930 2757. [bug] dig: assertion failure could occur in connect
3931 timeout. [RT #20599]
3933 2756. [bug] Fixed corrupt logfile message in update.c. [RT #20597]
3937 2754. [bug] Secure-to-insecure transitions failed when zone
3938 was signed with NSEC3. [RT #20587]
3940 2753. [bug] Removed an unnecessary warning that could appear when
3941 building an NSEC chain. [RT #20589]
3943 2752. [bug] Locking violation. [RT #20587]
3945 2751. [bug] Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]
3947 2750. [bug] dig: assertion failure could occur when a server
3948 didn't have an address. [RT #20579]
3950 2749. [bug] ixfr-from-differences generated a non-minimal ixfr
3951 for NSEC3 signed zones. [RT #20452]
3953 2748. [func] Identify bad answers from GTLD servers and treat them
3954 as referrals. [RT #18884]
3956 2747. [bug] Journal roll forwards failed to set the re-signing
3957 time of RRSIGs correctly. [RT #20541]
3959 2746. [port] hpux: address signed/unsigned expansion mismatch of
3960 dns_rbtnode_t.nsec. [RT #20542]
3962 2745. [bug] configure script didn't probe the return type of
3963 gai_strerror(3) correctly. [RT #20573]
3965 2744. [func] Log if a query was over TCP. [RT #19961]
3967 2743. [bug] RRSIG could be incorrectly set in the NSEC3 record
3968 for a insecure delegation.
3970 --- 9.7.0b2 released ---
3972 2742. [cleanup] Clarify some DNSSEC-related log messages in
3973 validator.c. [RT #19589]
3975 2741. [func] Allow the dnssec-keygen progress messages to be
3976 suppressed (dnssec-keygen -q). Automatically
3977 suppress the progress messages when stdin is not
3982 2739. [cleanup] Clean up API for initializing and clearing trust
3983 anchors for a view. [RT #20211]
3985 2738. [func] Add RSASHA256 and RSASHA512 tests to the dnssec system
3988 2737. [func] UPDATE requests can leak existence information.
3991 2736. [func] Improve the performance of NSEC signed zones with
3992 more than a normal amount of glue below a delegation.
3995 2735. [bug] dnssec-signzone could fail to read keys
3996 that were specified on the command line with
3997 full paths, but weren't in the current
3998 directory. [RT #20421]
4000 2734. [port] cygwin: arpaname did not compile. [RT #20473]
4002 2733. [cleanup] Clean up coding style in pkcs11-* tools. [RT #20355]
4004 2732. [func] Add optional filter-aaaa-on-v4 option, available
4005 if built with './configure --enable-filter-aaaa'.
4006 Filters out AAAA answers to clients connecting
4007 via IPv4. (This is NOT recommended for general
4010 2731. [func] Additional work on change 2709. The key parser
4011 will now ignore unrecognized fields when the
4012 minor version number of the private key format
4013 has been increased. It will reject any key with
4014 the major version number increased. [RT #20310]
4016 2730. [func] Have dnssec-keygen display a progress indication
4017 a la 'openssl genrsa' on standard error. Note
4018 when the first '.' is followed by a long stop
4019 one has the choice between slow generation vs.
4020 poor random quality, i.e., '-r /dev/urandom'.
4023 2729. [func] When constructing a CNAME from a DNAME use the DNAME
4026 2728. [bug] dnssec-keygen, dnssec-keyfromlabel and
4027 dnssec-signzone now warn immediately if asked to
4028 write into a nonexistent directory. [RT #20278]
4030 2727. [func] The 'key-directory' option can now specify a relative
4033 2726. [func] Added support for SHA-2 DNSSEC algorithms,
4034 RSASHA256 and RSASHA512. [RT #20023]
4036 2725. [doc] Added information about the file "managed-keys.bind"
4037 to the ARM. [RT #20235]
4039 2724. [bug] Updates to a existing node in secure zone using NSEC
4040 were failing. [RT #20448]
4042 2723. [bug] isc_base32_totext(), isc_base32hex_totext(), and
4043 isc_base64_totext(), didn't always mark regions of
4044 memory as fully consumed after conversion. [RT #20445]
4046 2722. [bug] Ensure that the memory associated with the name of
4047 a node in a rbt tree is not altered during the life
4048 of the node. [RT #20431]
4050 2721. [port] Have dst__entropy_status() prime the random number
4051 generator. [RT #20369]
4053 2720. [bug] RFC 5011 trust anchor updates could trigger an
4054 assert if the DNSKEY record was unsigned. [RT #20406]
4056 2719. [func] Skip trusted/managed keys for unsupported algorithms.
4059 2718. [bug] The space calculations in opensslrsa_todns() were
4060 incorrect. [RT #20394]
4062 2717. [bug] named failed to update the NSEC/NSEC3 record when
4063 the last private type record was removed as a result
4064 of completing the signing the zone with a key.
4067 2716. [bug] nslookup debug mode didn't return the ttl. [RT #20414]
4069 --- 9.7.0b1 released ---
4071 2715. [bug] Require OpenSSL support to be explicitly disabled.
4074 2714. [port] aix/powerpc: 'asm("ics");' needs non standard assembler
4077 2713. [bug] powerpc: atomic operations missing asm("ics") /
4080 2712. [func] New 'auto-dnssec' zone option allows zone signing
4081 to be fully automated in zones configured for
4082 dynamic DNS. 'auto-dnssec allow;' permits a zone
4083 to be signed by creating keys for it in the
4084 key-directory and using 'rndc sign <zone>'.
4085 'auto-dnssec maintain;' allows that too, plus it
4086 also keeps the zone's DNSSEC keys up to date
4087 according to their timing metadata. [RT #19943]
4089 2711. [port] win32: Add the bin/pkcs11 tools into the full
4092 2710. [func] New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
4093 zone option cause a zone to be signed with only KSKs
4094 signing the DNSKEY RRset, not ZSKs. This reduces
4095 the size of a DNSKEY answer. [RT #20340]
4097 2709. [func] Added some data fields, currently unused, to the
4098 private key file format, to allow implementation
4099 of explicit key rollover in a future release
4100 without impairing backward or forward compatibility.
4103 2708. [func] Insecure to secure and NSEC3 parameter changes via
4104 update are now fully supported and no longer require
4105 defines to enable. We now no longer overload the
4106 NSEC3PARAM flag field, nor the NSEC OPT bit at the
4107 apex. Secure to insecure changes are controlled by
4108 by the named.conf option 'secure-to-insecure'.
4110 Warning: If you had previously enabled support by
4111 adding defines at compile time to BIND 9.6 you should
4112 ensure that all changes that are in progress have
4113 completed prior to upgrading to BIND 9.7. BIND 9.7
4114 is not backwards compatible.
4116 2707. [func] dnssec-keyfromlabel no longer require engine name
4117 to be specified in the label if there is a default
4118 engine or the -E option has been used. Also, it
4119 now uses default algorithms as dnssec-keygen does
4120 (i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
4123 2706. [bug] Loading a zone with a very large NSEC3 salt could
4124 trigger an assert. [RT #20368]
4128 2704. [bug] Serial of dynamic and stub zones could be inconsistent
4129 with their SOA serial. [RT #19387]
4131 2703. [func] Introduce an OpenSSL "engine" argument with -E
4132 for all binaries which can take benefit of
4133 crypto hardware. [RT #20230]
4135 2702. [func] Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
4137 2701. [doc] Correction to ARM: hmac-md5 is no longer the only
4138 supported TSIG key algorithm. [RT #18046]
4140 2700. [doc] The match-mapped-addresses option is discouraged.
4143 2699. [bug] Missing lock in rbtdb.c. [RT #20037]
4147 2697. [port] win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
4148 S_IFREG are defined after including <isc/stat.h>.
4151 2696. [bug] named failed to successfully process some valid
4152 acl constructs. [RT #20308]
4154 2695. [func] DHCP/DDNS - update fdwatch code for use by
4155 DHCP. Modify the api to isc_sockfdwatch_t (the
4156 callback function for isc_socket_fdwatchcreate)
4157 to include information about the direction (read
4158 or write) and add isc_socket_fdwatchpoke.
4161 2694. [bug] Reduce default NSEC3 iterations from 100 to 10.
4164 2693. [port] Add some noreturn attributes. [RT #20257]
4166 2692. [port] win32: 32/64 bit cleanups. [RT #20335]
4168 2691. [func] dnssec-signzone: retain the existing NSEC or NSEC3
4169 chain when re-signing a previously-signed zone.
4170 Use -u to modify NSEC3 parameters or switch
4171 between NSEC and NSEC3. [RT #20304]
4173 2690. [bug] win32: fix isc_thread_key_getspecific() prototype.
4176 2689. [bug] Correctly handle snprintf result. [RT #20306]
4178 2688. [bug] Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
4179 to decide to fetch the destination address. [RT #20305]
4181 2687. [bug] Fixed dnssec-signzone -S handling of revoked keys.
4182 Also, added warnings when revoking a ZSK, as this is
4183 not defined by protocol (but is legal). [RT #19943]
4185 2686. [bug] dnssec-signzone should clean the old NSEC chain when
4186 signing with NSEC3 and vice versa. [RT #20301]
4188 2685. [contrib] Update contrib/zkt to version 0.99c. [RT #20054]
4190 2684. [cleanup] dig: formalize +ad and +cd as synonyms for
4191 +adflag and +cdflag. [RT #19305]
4193 2683. [bug] dnssec-signzone should clean out old NSEC3 chains when
4194 the NSEC3 parameters used to sign the zone change.
4197 2682. [bug] "configure --enable-symtable=all" failed to
4200 2681. [bug] IPSECKEY RR of gateway type 3 was not correctly
4201 decoded. [RT #20269]
4203 2680. [func] Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]
4205 2679. [func] dig -k can now accept TSIG keys in named.conf
4208 2678. [func] Treat DS queries as if "minimal-response yes;"
4209 was set. [RT #20258]
4211 2677. [func] Changes to key metadata behavior:
4212 - Keys without "publish" or "active" dates set will
4213 no longer be used for smart signing. However,
4214 those dates will be set to "now" by default when
4215 a key is created; to generate a key but not use
4216 it yet, use dnssec-keygen -G.
4217 - New "inactive" date (dnssec-keygen/settime -I)
4218 sets the time when a key is no longer used for
4219 signing but is still published.
4220 - The "unpublished" date (-U) is deprecated in
4221 favor of "deleted" (-D).
4224 2676. [bug] --with-export-installdir should have been
4225 --with-export-includedir. [RT #20252]
4227 2675. [bug] dnssec-signzone could crash if the key directory
4228 did not exist. [RT #20232]
4230 --- 9.7.0a3 released ---
4232 2674. [bug] "dnssec-lookaside auto;" crashed if named was built
4233 without openssl. [RT #20231]
4235 2673. [bug] The managed-keys.bind zone file could fail to
4236 load due to a spurious result from sync_keyzone()
4239 2672. [bug] Don't enable searching in 'host' when doing reverse
4240 lookups. [RT #20218]
4242 2671. [bug] Add support for PKCS#11 providers not returning
4243 the public exponent in RSA private keys
4244 (OpenCryptoki for instance) in
4245 dnssec-keyfromlabel. [RT #19294]
4247 2670. [bug] Unexpected connect failures failed to log enough
4248 information to be useful. [RT #20205]
4250 2669. [func] Update PKCS#11 support to support Keyper HSM.
4251 Update PKCS#11 patch to be against openssl-0.9.8i.
4253 2668. [func] Several improvements to dnssec-* tools, including:
4254 - dnssec-keygen and dnssec-settime can now set key
4255 metadata fields 0 (to unset a value, use "none")
4256 - dnssec-revoke sets the revocation date in
4257 addition to the revoke bit
4258 - dnssec-settime can now print individual metadata
4259 fields instead of always printing all of them,
4260 and can print them in unix epoch time format for
4264 2667. [func] Add support for logging stack backtrace on assertion
4265 failure (not available for all platforms). [RT #19780]
4267 2666. [func] Added an 'options' argument to dns_name_fromstring()
4268 (API change from 9.7.0a2). [RT #20196]
4270 2665. [func] Clarify syntax for managed-keys {} statement, add
4271 ARM documentation about RFC 5011 support. [RT #19874]
4273 2664. [bug] create_keydata() and minimal_update() in zone.c
4274 didn't properly check return values for some
4275 functions. [RT #19956]
4277 2663. [func] win32: allow named to run as a service using
4278 "NT AUTHORITY\LocalService" as the account. [RT #19977]
4280 2662. [bug] lwres_getipnodebyname() and lwres_getipnodebyaddr()
4281 returned a misleading error code when lwresd was
4284 2661. [bug] Check whether socket fd exceeds FD_SETSIZE when
4285 creating lwres context. [RT #20029]
4287 2660. [func] Add a new set of DNS libraries for non-BIND9
4288 applications. See README.libdns. [RT #19369]
4290 2659. [doc] Clarify dnssec-keygen doc: key name must match zone
4291 name for DNSSEC keys. [RT #19938]
4293 2658. [bug] dnssec-settime and dnssec-revoke didn't process
4294 key file paths correctly. [RT #20078]
4296 2657. [cleanup] Lower "journal file <path> does not exist, creating it"
4297 log level to debug 1. [RT #20058]
4299 2656. [func] win32: add a "tools only" check box to the installer
4300 which causes it to only install dig, host, nslookup,
4301 nsupdate and relevant DLLs. [RT #19998]
4303 2655. [doc] Document that key-directory does not affect
4304 bind.keys, rndc.key or session.key. [RT #20155]
4306 2654. [bug] Improve error reporting on duplicated names for
4307 deny-answer-xxx. [RT #20164]
4309 2653. [bug] Treat ENGINE_load_private_key() failures as key
4310 not found rather than out of memory. [RT #18033]
4312 2652. [func] Provide more detail about what record is being
4313 deleted. [RT #20061]
4315 2651. [bug] Dates could print incorrectly in K*.key files on
4316 64-bit systems. [RT #20076]
4318 2650. [bug] Assertion failure in dnssec-signzone when trying
4319 to read keyset-* files. [RT #20075]
4321 2649. [bug] Set the domain for forward only zones. [RT #19944]
4323 2648. [port] win32: isc_time_seconds() was broken. [RT #19900]
4325 2647. [bug] Remove unnecessary SOA updates when a new KSK is
4328 2646. [bug] Incorrect cleanup on error in socket.c. [RT #19987]
4330 2645. [port] "gcc -m32" didn't work on amd64 and x86_64 platforms
4331 which default to 64 bits. [RT #19927]
4333 --- 9.7.0a2 released ---
4335 2644. [bug] Change #2628 caused a regression on some systems;
4336 named was unable to write the PID file and would
4337 fail on startup. [RT #20001]
4339 2643. [bug] Stub zones interacted badly with NSEC3 support.
4342 2642. [bug] nsupdate could dump core on solaris when reading
4343 improperly formatted key files. [RT #20015]
4345 2641. [bug] Fixed an error in parsing update-policy syntax,
4346 added a regression test to check it. [RT #20007]
4348 2640. [security] A specially crafted update packet will cause named
4349 to exit. [RT #20000]
4351 2639. [bug] Silence compiler warnings in gssapi code. [RT #19954]
4353 2638. [bug] Install arpaname. [RT #19957]
4355 2637. [func] Rationalize dnssec-signzone's signwithkey() calling.
4358 2636. [func] Simplify zone signing and key maintenance with the
4359 dnssec-* tools. Major changes:
4360 - all dnssec-* tools now take a -K option to
4361 specify a directory in which key files will be
4363 - DNSSEC can now store metadata indicating when
4364 they are scheduled to be published, activated,
4365 revoked or removed; these values can be set by
4366 dnssec-keygen or overwritten by the new
4367 dnssec-settime command
4368 - dnssec-signzone -S (for "smart") option reads key
4369 metadata and uses it to determine automatically
4370 which keys to publish to the zone, use for
4371 signing, revoke, or remove from the zone
4374 2635. [bug] isc_inet_ntop() incorrectly handled 0.0/16 addresses.
4377 2634. [port] win32: Add support for libxml2, enable
4378 statschannel. [RT #19773]
4380 2633. [bug] Handle 15 bit rand() functions. [RT #19783]
4382 2632. [func] util/kit.sh: warn if documentation appears to be out of
4385 2631. [bug] Handle "//", "/./" and "/../" in mkdirpath().
4388 2630. [func] Improved syntax for DDNS autoconfiguration: use
4389 "update-policy local;" to switch on local DDNS in a
4390 zone. (The "ddns-autoconf" option has been removed.)
4393 2629. [port] Check for seteuid()/setegid(), use setresuid()/
4394 setresgid() if not present. [RT #19932]
4396 2628. [port] linux: Allow /var/run/named/named.pid to be opened
4397 at startup with reduced capabilities in operation.
4400 2627. [bug] Named aborted if the same key was included in
4401 trusted-keys more than once. [RT #19918]
4403 2626. [bug] Multiple trusted-keys could trigger an assertion
4404 failure. [RT #19914]
4406 2625. [bug] Missing UNLOCK in rbtdb.c. [RT #19865]
4408 2624. [func] 'named-checkconf -p' will print out the parsed
4409 configuration. [RT #18871]
4411 2623. [bug] Named started searches for DS non-optimally. [RT #19915]
4413 2622. [bug] Printing of named.conf grammar was broken. [RT #19919]
4415 2621. [doc] Made copyright boilerplate consistent. [RT #19833]
4417 2620. [bug] Delay thawing the zone until the reload of it has
4418 completed successfully. [RT #19750]
4420 2619. [func] Add support for RFC 5011, automatic trust anchor
4421 maintenance. The new "managed-keys" statement can
4422 be used in place of "trusted-keys" for zones which
4423 support this protocol. (Note: this syntax is
4424 expected to change prior to 9.7.0 final.) [RT #19248]
4426 2618. [bug] The sdb and sdlz db_interator_seek() methods could
4427 loop infinitely. [RT #19847]
4429 2617. [bug] ifconfig.sh failed to emit an error message when
4430 run from the wrong location. [RT #19375]
4432 2616. [bug] 'host' used the nameservers from resolv.conf even
4433 when a explicit nameserver was specified. [RT #19852]
4435 2615. [bug] "__attribute__((unused))" was in the wrong place
4436 for ia64 gcc builds. [RT #19854]
4438 2614. [port] win32: 'named -v' should automatically be executed
4439 in the foreground. [RT #19844]
4443 --- 9.7.0a1 released ---
4445 2612. [func] Add default values for the arguments to
4446 dnssec-keygen. Without arguments, it will now
4447 generate a 1024-bit RSASHA1 zone-signing key,
4448 or with the -f KSK option, a 2048-bit RSASHA1
4449 key-signing key. [RT #19300]
4451 2611. [func] Add -l option to dnssec-dsfromkey to generate
4452 DLV records instead of DS records. [RT #19300]
4454 2610. [port] sunos: Change #2363 was not complete. [RT #19796]
4456 2609. [func] Simplify the configuration of dynamic zones:
4457 - add ddns-confgen command to generate
4458 configuration text for named.conf
4459 - add zone option "ddns-autoconf yes;", which
4460 causes named to generate a TSIG session key
4461 and allow updates to the zone using that key
4462 - add '-l' (localhost) option to nsupdate, which
4463 causes nsupdate to connect to a locally-running
4464 named process using the session key generated
4468 2608. [func] Perform post signing verification checks in
4469 dnssec-signzone. These can be disabled with -P.
4471 The post sign verification test ensures that for each
4472 algorithm in use there is at least one non revoked
4473 self signed KSK key. That all revoked KSK keys are
4474 self signed. That all records in the zone are signed
4475 by the algorithm. [RT #19653]
4477 2607. [bug] named could incorrectly delete NSEC3 records for
4478 empty nodes when processing a update request.
4481 2606. [bug] "delegation-only" was not being accepted in
4482 delegation-only type zones. [RT #19717]
4484 2605. [bug] Accept DS responses from delegation only zones.
4487 2604. [func] Add support for DNS rebinding attack prevention through
4488 new options, deny-answer-addresses and
4489 deny-answer-aliases. Based on contributed code from
4490 JD Nurmi, Google. [RT #18192]
4492 2603. [port] win32: handle .exe extension of named-checkzone and
4493 named-comilezone argv[0] names under windows.
4496 2602. [port] win32: fix debugging command line build of libisccfg.
4499 2601. [doc] Mention file creation mode mask in the
4502 2600. [doc] ARM: miscellaneous reformatting for different
4503 page widths. [RT #19574]
4505 2599. [bug] Address rapid memory growth when validation fails.
4508 2598. [func] Reserve the -F flag. [RT #19657]
4510 2597. [bug] Handle a validation failure with a insecure delegation
4511 from a NSEC3 signed master/slave zone. [RT #19464]
4513 2596. [bug] Stale tree nodes of cache/dynamic rbtdb could stay
4514 long, leading to inefficient memory usage or rejecting
4515 newer cache entries in the worst case. [RT #19563]
4517 2595. [bug] Fix unknown extended rcodes in dig. [RT #19625]
4519 2594. [func] Have rndc warn if using its default configuration
4520 file when the key file also exists. [RT #19424]
4522 2593. [bug] Improve a corner source of SERVFAILs [RT #19632]
4524 2592. [bug] Treat "any" as a type in nsupdate. [RT #19455]
4526 2591. [bug] named could die when processing a update in
4527 removed_orphaned_ds(). [RT #19507]
4529 2590. [func] Report zone/class of "update with no effect".
4532 2589. [bug] dns_db_unregister() failed to clear '*dbimp'.
4535 2588. [bug] SO_REUSEADDR could be set unconditionally after failure
4536 of bind(2) call. This should be rare and mostly
4537 harmless, but may cause interference with other
4538 processes that happen to use the same port. [RT #19642]
4540 2587. [func] Improve logging by reporting serial numbers for
4541 when zone serial has gone backwards or unchanged.
4544 2586. [bug] Missing cleanup of SIG rdataset in searching a DLZ DB
4547 2585. [bug] Uninitialized socket name could be referenced via a
4548 statistics channel, triggering an assertion failure in
4549 XML rendering. [RT #19427]
4551 2584. [bug] alpha: gcc optimization could break atomic operations.
4554 2583. [port] netbsd: provide a control to not add the compile
4555 date to the version string, -DNO_VERSION_DATE.
4557 2582. [bug] Don't emit warning log message when we attempt to
4558 remove non-existent journal. [RT #19516]
4560 2581. [contrib] dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
4561 Requires MySQL 5.0.19 or later. [RT #19084]
4563 2580. [bug] UpdateRej statistics counter could be incremented twice
4564 for one rejection. [RT #19476]
4566 2579. [bug] DNSSEC lookaside validation failed to handle unknown
4567 algorithms. [RT #19479]
4569 2578. [bug] Changed default sig-signing-type to 65534, because
4570 65535 turns out to be reserved. [RT #19477]
4572 2577. [doc] Clarified some statistics counters. [RT #19454]
4574 2576. [bug] NSEC record were not being correctly signed when
4575 a zone transitions from insecure to secure.
4576 Handle such incorrectly signed zones. [RT #19114]
4578 2575. [func] New functions dns_name_fromstring() and
4579 dns_name_tostring(), to simplify conversion
4580 of a string to a dns_name structure and vice
4583 2574. [doc] Document nsupdate -g and -o. [RT #19351]
4585 2573. [bug] Replacing a non-CNAME record with a CNAME record in a
4586 single transaction in a signed zone failed. [RT #19397]
4588 2572. [func] Simplify DLV configuration, with a new option
4589 "dnssec-lookaside auto;" This is the equivalent
4590 of "dnssec-lookaside . trust-anchor dlv.isc.org;"
4591 plus setting a trusted-key for dlv.isc.org.
4593 Note: The trusted key is hard-coded into named,
4594 but is also stored in (and can be overridden
4595 by) $sysconfdir/bind.keys. As the ISC DLV key
4596 rolls over it can be kept up to date by replacing
4597 the bind.keys file with a key downloaded from
4598 https://www.isc.org/solutions/dlv. [RT #18685]
4600 2571. [func] Add a new tool "arpaname" which translates IP addresses
4601 to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
4604 2570. [func] Log the destination address the query was sent to.
4607 2569. [func] Move journalprint, nsec3hash, and genrandom
4608 commands from bin/tests into bin/tools;
4609 "make install" will put them in $sbindir. [RT #19301]
4611 2568. [bug] Report when the write to indicate a otherwise
4612 successful start fails. [RT #19360]
4614 2567. [bug] dst__privstruct_writefile() could miss write errors.
4615 write_public_key() could miss write errors.
4616 dnssec-dsfromkey could miss write errors.
4619 2566. [cleanup] Clarify logged message when an insecure DNSSEC
4620 response arrives from a zone thought to be secure:
4621 "insecurity proof failed" instead of "not
4622 insecure". [RT #19400]
4624 2565. [func] Add support for HIP record. Includes new functions
4625 dns_rdata_hip_first(), dns_rdata_hip_next()
4626 and dns_rdata_hip_current(). [RT #19384]
4628 2564. [bug] Only take EDNS fallback steps when processing timeouts.
4631 2563. [bug] Dig could leak a socket causing it to wait forever
4632 to exit. [RT #19359]
4634 2562. [doc] ARM: miscellaneous improvements, reorganization,
4635 and some new content.
4637 2561. [doc] Add isc-config.sh(1) man page. [RT #16378]
4639 2560. [bug] Add #include <config.h> to iptable.c. [RT #18258]
4641 2559. [bug] dnssec-dsfromkey could compute bad DS records when
4642 reading from a K* files. [RT #19357]
4644 2558. [func] Set the ownership of missing directories created
4645 for pid-file if -u has been specified on the command
4648 2557. [cleanup] PCI compliance:
4649 * new libisc log module file
4650 * isc_dir_chroot() now also changes the working
4652 * additional INSISTs
4653 * additional logging when files can't be removed.
4655 2556. [port] Solaris: mkdir(2) on tmpfs filesystems does not do the
4656 error checks in the correct order resulting in the
4657 wrong error code sometimes being returned. [RT #19249]
4659 2555. [func] dig: when emitting a hex dump also display the
4660 corresponding characters. [RT #19258]
4662 2554. [bug] Validation of uppercase queries from NSEC3 zones could
4665 2553. [bug] Reference leak on DNSSEC validation errors. [RT #19291]
4667 2552. [bug] zero-no-soa-ttl-cache was not being honored.
4670 2551. [bug] Potential Reference leak on return. [RT #19341]
4672 2550. [bug] Check --with-openssl=<path> finds <openssl/opensslv.h>.
4675 2549. [port] linux: define NR_OPEN if not currently defined.
4678 2548. [bug] Install iterated_hash.h. [RT #19335]
4680 2547. [bug] openssl_link.c:mem_realloc() could reference an
4681 out-of-range area of the source buffer. New public
4682 function isc_mem_reallocate() was introduced to address
4683 this bug. [RT #19313]
4685 2546. [func] Add --enable-openssl-hash configure flag to use
4686 OpenSSL (in place of internal routine) for hash
4687 functions (MD5, SHA[12] and HMAC). [RT #18815]
4689 2545. [doc] ARM: Legal hostname checking (check-names) is
4690 for SRV RDATA too. [RT #19304]
4692 2544. [cleanup] Removed unused structure members in adb.c. [RT #19225]
4694 2543. [contrib] Update contrib/zkt to version 0.98. [RT #19113]
4696 2542. [doc] Update the description of dig +adflag. [RT #19290]
4698 2541. [bug] Conditionally update dispatch manager statistics.
4701 2540. [func] Add a nibble mode to $GENERATE. [RT #18872]
4703 2539. [security] Update the interaction between recursion, allow-query,
4704 allow-query-cache and allow-recursion. [RT #19198]
4706 2538. [bug] cache/ADB memory could grow over max-cache-size,
4707 especially with threads and smaller max-cache-size
4710 2537. [func] Added more statistics counters including those on socket
4711 I/O events and query RTT histograms. [RT #18802]
4713 2536. [cleanup] Silence some warnings when -Werror=format-security is
4714 specified. [RT #19083]
4716 2535. [bug] dig +showsearch and +trace interacted badly. [RT #19091]
4718 2534. [func] Check NAPTR records regular expressions and
4719 replacement strings to ensure they are syntactically
4720 valid and consistent. [RT #18168]
4722 2533. [doc] ARM: document @ (at-sign). [RT #17144]
4724 2532. [bug] dig: check the question section of the response to
4725 see if it matches the asked question. [RT #18495]
4727 2531. [bug] Change #2207 was incomplete. [RT #19098]
4729 2530. [bug] named failed to reject insecure to secure transitions
4730 via UPDATE. [RT #19101]
4732 2529. [cleanup] Upgrade libtool to silence complaints from recent
4733 version of autoconf. [RT #18657]
4735 2528. [cleanup] Silence spurious configure warning about
4736 --datarootdir [RT #19096]
4740 2526. [func] New named option "attach-cache" that allows multiple
4741 views to share a single cache to save memory and
4742 improve lookup efficiency. Based on contributed code
4743 from Barclay Osborn, Google. [RT #18905]
4745 2525. [func] New logging category "query-errors" to provide detailed
4746 internal information about query failures, especially
4747 about server failures. [RT #19027]
4749 2524. [port] sunos: dnssec-signzone needs strtoul(). [RT #19129]
4751 2523. [bug] Random type rdata freed by dns_nsec_typepresent().
4754 2522. [security] Handle -1 from DSA_do_verify() and EVP_VerifyFinal().
4756 2521. [bug] Improve epoll cross compilation support. [RT #19047]
4758 2520. [bug] Update xml statistics version number to 2.0 as change
4759 #2388 made the schema incompatible to the previous
4760 version. [RT #19080]
4762 2519. [bug] dig/host with -4 or -6 didn't work if more than two
4763 nameserver addresses of the excluded address family
4764 preceded in resolv.conf. [RT #19081]
4766 2518. [func] Add support for the new CERT types from RFC 4398.
4769 2517. [bug] dig +trace with -4 or -6 failed when it chose a
4770 nameserver address of the excluded address type.
4773 2516. [bug] glue sort for responses was performed even when not
4776 2515. [port] win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
4779 2514. [bug] dig/host failed with -4 or -6 when resolv.conf contains
4780 a nameserver of the excluded address family.
4783 2513. [bug] Fix windows cli build. [RT #19062]
4785 2512. [func] Print a summary of the cached records which make up
4786 the negative response. [RT #18885]
4788 2511. [cleanup] dns_rdata_tofmttext() add const to linebreak.
4791 2510. [bug] "dig +sigchase" could trigger REQUIRE failures.
4794 2509. [bug] Specifying a fixed query source port was broken.
4799 2507. [func] Log the recursion quota values when killing the
4800 oldest query or refusing to recurse due to quota.
4803 2506. [port] solaris: Check at configure time if
4804 hack_shutup_pthreadonceinit is needed. [RT #19037]
4806 2505. [port] Treat amd64 similarly to x86_64 when determining
4807 atomic operation support. [RT #19031]
4809 2504. [bug] Address race condition in the socket code. [RT #18899]
4811 2503. [port] linux: improve compatibility with Linux Standard
4814 2502. [cleanup] isc_radix: Improve compliance with coding style,
4815 document function in <isc/radix.h>. [RT #18534]
4817 2501. [func] $GENERATE now supports all rdata types. Multi-field
4818 rdata types need to be quoted. See the ARM for
4819 details. [RT #18368]
4821 2500. [contrib] contrib/sdb/pgsql/zonetodb.c called non-existent
4822 function. [RT #18582]
4824 2499. [port] solaris: lib/lwres/getaddrinfo.c namespace clash.
4827 --- 9.6.0rc1 released ---
4829 2498. [bug] Removed a bogus function argument used with
4830 ISC_SOCKET_USE_POLLWATCH: it could cause compiler
4831 warning or crash named with the debug 1 level
4832 of logging. [RT #18917]
4834 2497. [bug] Don't add RRSIG bit to NSEC3 bit map for insecure
4837 2496. [bug] Add sanity length checks to NSID option. [RT #18813]
4839 2495. [bug] Tighten RRSIG checks. [RT #18795]
4841 2494. [bug] isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
4842 installed. [RT #18826]
4844 2493. [bug] The linux capabilities code was not correctly cleaning
4845 up after itself. [RT #18767]
4847 2492. [func] Rndc status now reports the number of cpus discovered
4848 and the number of worker threads when running
4849 multi-threaded. [RT #18273]
4851 2491. [func] Attempt to re-use a local port if we are already using
4852 the port. [RT #18548]
4854 2490. [port] aix: work around a kernel bug where IPV6_RECVPKTINFO
4855 is cleared when IPV6_V6ONLY is set. [RT #18785]
4857 2489. [port] solaris: Workaround Solaris's kernel bug about
4859 http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
4860 Define ISC_SOCKET_USE_POLLWATCH at build time to enable
4861 this workaround. [RT #18870]
4863 2488. [func] Added a tool, dnssec-dsfromkey, to generate DS records
4864 from keyset and .key files. [RT #18694]
4866 2487. [bug] Give TCP connections longer to complete. [RT #18675]
4868 2486. [func] The default locations for named.pid and lwresd.pid
4869 are now /var/run/named/named.pid and
4870 /var/run/lwresd/lwresd.pid respectively.
4872 This allows the owner of the containing directory
4873 to be set, for "named -u" support, and allows there
4874 to be a permanent symbolic link in the path, for
4875 "named -t" support. [RT #18306]
4877 2485. [bug] Change update's the handling of obscured RRSIG
4878 records. Not all orphaned DS records were being
4879 removed. [RT #18828]
4881 2484. [bug] It was possible to trigger a REQUIRE failure when
4882 adding NSEC3 proofs to the response in
4883 query_addwildcardproof(). [RT #18828]
4885 2483. [port] win32: chroot() is not supported. [RT #18805]
4887 2482. [port] libxml2: support versions 2.7.* in addition
4888 to 2.6.*. [RT #18806]
4890 --- 9.6.0b1 released ---
4892 2481. [bug] rbtdb.c:matchparams() failed to handle NSEC3 chain
4893 collisions. [RT #18812]
4895 2480. [bug] named could fail to emit all the required NSEC3
4896 records. [RT #18812]
4898 2479. [bug] xfrout:covers was not properly initialized. [RT #18801]
4900 2478. [bug] 'addresses' could be used uninitialized in
4901 configure_forward(). [RT #18800]
4903 2477. [bug] dig: the global option to print the command line is
4904 +cmd not print_cmd. Update the output to reflect
4907 2476. [doc] ARM: improve documentation for max-journal-size and
4908 ixfr-from-differences. [RT #15909] [RT #18541]
4910 2475. [bug] LRU cache cleanup under overmem condition could purge
4911 particular entries more aggressively. [RT #17628]
4913 2474. [bug] ACL structures could be allocated with insufficient
4914 space, causing an array overrun. [RT #18765]
4916 2473. [port] linux: raise the limit on open files to the possible
4917 maximum value before spawning threads; 'files'
4918 specified in named.conf doesn't seem to work with
4919 threads as expected. [RT #18784]
4921 2472. [port] linux: check the number of available cpu's before
4922 calling chroot as it depends on "/proc". [RT #16923]
4924 2471. [bug] named-checkzone was not reporting missing mandatory
4925 glue when sibling checks were disabled. [RT #18768]
4927 2470. [bug] Elements of the isc_radix_node_t could be incorrectly
4928 overwritten. [RT #18719]
4930 2469. [port] solaris: Work around Solaris's select() limitations.
4933 2468. [bug] Resolver could try unreachable servers multiple times.
4936 2467. [bug] Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]
4938 2466. [doc] ARM: explain max-cache-ttl 0 SERVFAIL issue.
4941 2465. [bug] Adb's handling of lame addresses was different
4942 for IPv4 and IPv6. [RT #18738]
4944 2464. [port] linux: check that a capability is present before
4945 trying to set it. [RT #18135]
4947 2463. [port] linux: POSIX doesn't include the IPv6 Advanced Socket
4948 API and glibc hides parts of the IPv6 Advanced Socket
4949 API as a result. This is stupid as it breaks how the
4950 two halves (Basic and Advanced) of the IPv6 Socket API
4951 were designed to be used but we have to live with it.
4952 Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
4955 2462. [doc] Document -m (enable memory usage debugging)
4956 option for dig. [RT #18757]
4958 2461. [port] sunos: Change #2363 was not complete. [RT #17513]
4960 --- 9.6.0a1 released ---
4962 2460. [bug] Don't call dns_db_getnsec3parameters() on the cache.
4965 2459. [contrib] Import dnssec-zkt to contrib/zkt. [RT #18448]
4967 2458. [doc] ARM: update and correction for max-cache-size.
4970 2457. [tuning] max-cache-size is reverted to 0, the previous
4971 default. It should be safe because expired cache
4972 entries are also purged. [RT #18684]
4974 2456. [bug] In ACLs, ::/0 and 0.0.0.0/0 would both match any
4975 address, regardless of family. They now correctly
4976 distinguish IPv4 from IPv6. [RT #18559]
4978 2455. [bug] Stop metadata being transferred via axfr/ixfr.
4981 2454. [func] nsupdate: you can now set a default ttl. [RT #18317]
4983 2453. [bug] Remove NULL pointer dereference in dns_journal_print().
4986 2452. [func] Improve bin/test/journalprint. [RT #18316]
4988 2451. [port] solaris: handle runtime linking better. [RT #18356]
4990 2450. [doc] Fix lwresd docbook problem for manual page.
4995 2448. [func] Add NSEC3 support. [RT #15452]
4997 2447. [cleanup] libbind has been split out as a separate product.
4999 2446. [func] Add a new log message about build options on startup.
5000 A new command-line option '-V' for named is also
5001 provided to show this information. [RT #18645]
5003 2445. [doc] ARM out-of-date on empty reverse zones (list includes
5004 RFC1918 address, but these are not yet compiled in).
5007 2444. [port] Linux, FreeBSD, AIX: Turn off path mtu discovery
5008 (clear DF) for UDP responses and requests.
5010 2443. [bug] win32: UDP connect() would not generate an event,
5011 and so connected UDP sockets would never clean up.
5012 Fix this by doing an immediate WSAConnect() rather
5013 than an io completion port type for UDP.
5015 2442. [bug] A lock could be destroyed twice. [RT #18626]
5017 2441. [bug] isc_radix_insert() could copy radix tree nodes
5018 incompletely. [RT #18573]
5020 2440. [bug] named-checkconf used an incorrect test to determine
5021 if an ACL was set to none.
5023 2439. [bug] Potential NULL dereference in dns_acl_isanyornone().
5026 2438. [bug] Timeouts could be logged incorrectly under win32.
5028 2437. [bug] Sockets could be closed too early, leading to
5029 inconsistent states in the socket module. [RT #18298]
5031 2436. [security] win32: UDP client handler can be shutdown. [RT #18576]
5033 2435. [bug] Fixed an ACL memory leak affecting win32.
5035 2434. [bug] Fixed a minor error-reporting bug in
5036 lib/isc/win32/socket.c.
5038 2433. [tuning] Set initial timeout to 800ms.
5040 2432. [bug] More Windows socket handling improvements. Stop
5041 using I/O events and use IO Completion Ports
5042 throughout. Rewrite the receive path logic to make
5043 it easier to support multiple simultaneous
5044 requesters in the future. Add stricter consistency
5045 checking as a compile-time option (define
5046 ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).
5048 2431. [bug] Acl processing could leak memory. [RT #18323]
5050 2430. [bug] win32: isc_interval_set() could round down to
5051 zero if the input was less than NS_INTERVAL
5052 nanoseconds. Round up instead. [RT #18549]
5054 2429. [doc] nsupdate should be in section 1 of the man pages.
5057 2428. [bug] dns_iptable_merge() mishandled merges of negative
5060 2427. [func] Treat DNSKEY queries as if "minimal-response yes;"
5061 was set. [RT #18528]
5063 2426. [bug] libbind: inet_net_pton() can sometimes return the
5064 wrong value if excessively large net masks are
5065 supplied. [RT #18512]
5067 2425. [bug] named didn't detect unavailable query source addresses
5068 at load time. [RT #18536]
5070 2424. [port] configure now probes for a working epoll
5071 implementation. Allow the use of kqueue,
5072 epoll and /dev/poll to be selected at compile
5075 2423. [security] Randomize server selection on queries, so as to
5076 make forgery a little more difficult. Instead of
5077 always preferring the server with the lowest RTT,
5078 pick a server with RTT within the same 128
5079 millisecond band. [RT #18441]
5081 2422. [bug] Handle the special return value of a empty node as
5082 if it was a NXRRSET in the validator. [RT #18447]
5084 2421. [func] Add new command line option '-S' for named to specify
5085 the max number of sockets. [RT #18493]
5086 Use caution: this option may not work for some
5087 operating systems without rebuilding named.
5089 2420. [bug] Windows socket handling cleanup. Let the io
5090 completion event send out canceled read/write
5091 done events, which keeps us from writing to memory
5092 we no longer have ownership of. Add debugging
5093 socket_log() function. Rework TCP socket handling
5094 to not leak sockets.
5096 2419. [cleanup] Document that isc_socket_create() and isc_socket_open()
5097 should not be used for isc_sockettype_fdwatch sockets.
5100 2418. [bug] AXFR request on a DLZ could trigger a REQUIRE failure
5103 2417. [bug] Connecting UDP sockets for outgoing queries could
5104 unexpectedly fail with an 'address already in use'
5107 2416. [func] Log file descriptors that cause exceeding the
5108 internal maximum. [RT #18460]
5110 2415. [bug] 'rndc dumpdb' could trigger various assertion failures
5111 in rbtdb.c. [RT #18455]
5113 2414. [bug] A masterdump context held the database lock too long,
5114 causing various troubles such as dead lock and
5115 recursive lock acquisition. [RT #18311, #18456]
5117 2413. [bug] Fixed an unreachable code path in socket.c. [RT #18442]
5119 2412. [bug] win32: address a resource leak. [RT #18374]
5121 2411. [bug] Allow using a larger number of sockets than FD_SETSIZE
5122 for select(). To enable this, set ISC_SOCKET_MAXSOCKETS
5123 at compilation time. [RT #18433]
5125 Note: with changes #2469 and #2421 above, there is no
5126 need to tweak ISC_SOCKET_MAXSOCKETS at compilation time
5129 2410. [bug] Correctly delete m_versionInfo. [RT #18432]
5131 2409. [bug] Only log that we disabled EDNS processing if we were
5132 subsequently successful. [RT #18029]
5134 2408. [bug] A duplicate TCP dispatch event could be sent, which
5135 could then trigger an assertion failure in
5136 resquery_response(). [RT #18275]
5138 2407. [port] hpux: test for sys/dyntune.h. [RT #18421]
5142 2405. [cleanup] The default value for dnssec-validation was changed to
5143 "yes" in 9.5.0-P1 and all subsequent releases; this
5144 was inadvertently omitted from CHANGES at the time.
5146 2404. [port] hpux: files unlimited support.
5148 2403. [bug] TSIG context leak. [RT #18341]
5150 2402. [port] Support Solaris 2.11 and over. [RT #18362]
5152 2401. [bug] Expect to get E[MN]FILE errno internal_accept()
5153 (from accept() or fcntl() system calls). [RT #18358]
5155 2400. [bug] Log if kqueue()/epoll_create()/open(/dev/poll) fails.
5160 2398. [bug] Improve file descriptor management. New,
5161 temporary, named.conf option reserved-sockets,
5162 default 512. [RT #18344]
5164 2397. [bug] gssapi_functions had too many elements. [RT #18355]
5166 2396. [bug] Don't set SO_REUSEADDR for randomized ports.
5169 2395. [port] Avoid warning and no effect from "files unlimited"
5170 on Linux when running as root. [RT #18335]
5172 2394. [bug] Default configuration options set the limit for
5173 open files to 'unlimited' as described in the
5174 documentation. [RT #18331]
5176 2393. [bug] nested acls containing keys could trigger an
5177 assertion in acl.c. [RT #18166]
5179 2392. [bug] remove 'grep -q' from acl test script, some platforms
5180 don't support it. [RT #18253]
5182 2391. [port] hpux: cover additional recvmsg() error codes.
5185 2390. [bug] dispatch.c could make a false warning on 'odd socket'.
5188 2389. [bug] Move the "working directory writable" check to after
5189 the ns_os_changeuser() call. [RT #18326]
5191 2388. [bug] Avoid using tables for layout purposes in
5192 statistics XSL [RT #18159].
5194 2387. [bug] Silence compiler warnings in lib/isc/radix.c.
5195 [RT #18147] [RT #18258]
5197 2386. [func] Add warning about too small 'open files' limit.
5200 2385. [bug] A condition variable in socket.c could leak in
5201 rare error handling [RT #17968].
5203 2384. [security] Fully randomize UDP query ports to improve
5204 forgery resilience. [RT #17949, #18098]
5206 2383. [bug] named could double queries when they resulted in
5207 SERVFAIL due to overkilling EDNS0 failure detection.
5210 2382. [doc] Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
5213 2381. [port] dlz/mysql: support multiple install layouts for
5214 mysql. <prefix>/include/{,mysql/}mysql.h and
5215 <prefix>/lib/{,mysql/}. [RT #18152]
5217 2380. [bug] dns_view_find() was not returning NXDOMAIN/NXRRSET
5218 proofs which, in turn, caused validation failures
5219 for insecure zones immediately below a secure zone
5220 the server was authoritative for. [RT #18112]
5222 2379. [contrib] queryperf/gen-data-queryperf.py: removed redundant
5223 TLDs and supported RRs with TTLs [RT #17972]
5225 2378. [bug] gssapi_functions{} had a redundant member in BIND 9.5.
5228 2377. [bug] Address race condition in dnssec-signzone. [RT #18142]
5230 2376. [bug] Change #2144 was not complete.
5234 2374. [bug] "blackhole" ACLs could cause named to segfault due
5235 to some uninitialized memory. [RT #18095]
5237 2373. [bug] Default values of zone ACLs were re-parsed each time a
5238 new zone was configured, causing an overconsumption
5239 of memory. [RT #18092]
5241 2372. [bug] Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]
5243 2371. [doc] Add +nsid option to dig man page. [RT #18039]
5245 2370. [bug] "rndc freeze" could trigger an assertion in named
5246 when called on a nonexistent zone. [RT #18050]
5248 2369. [bug] libbind: Array bounds overrun on read in bitncmp().
5251 2368. [port] Linux: use libcap for capability management if
5252 possible. [RT #18026]
5254 2367. [bug] Improve counting of dns_resstatscounter_retry
5257 2366. [bug] Adb shutdown race. [RT #18021]
5259 2365. [bug] Fix a bug that caused dns_acl_isany() to return
5260 spurious results. [RT #18000]
5262 2364. [bug] named could trigger a assertion when serving a
5263 malformed signed zone. [RT #17828]
5265 2363. [port] sunos: pre-set "lt_cv_sys_max_cmd_len=4096;".
5268 2362. [cleanup] Make "rrset-order fixed" a compile-time option.
5269 settable by "./configure --enable-fixed-rrset".
5270 Disabled by default. [RT #17977]
5272 2361. [bug] "recursion" statistics counter could be counted
5273 multiple times for a single query. [RT #17990]
5275 2360. [bug] Fix a condition where we release a database version
5276 (which may acquire a lock) while holding the lock.
5278 2359. [bug] Fix NSID bug. [RT #17942]
5280 2358. [doc] Update host's default query description. [RT #17934]
5282 2357. [port] Don't use OpenSSL's engine support in versions before
5283 OpenSSL 0.9.7f. [RT #17922]
5285 2356. [bug] Built in mutex profiler was not scalable enough.
5288 2355. [func] Extend the number statistics counters available.
5291 2354. [bug] Failed to initialize some rdatasetheader_t elements.
5294 2353. [func] Add support for Name Server ID (RFC 5001).
5295 'dig +nsid' requests NSID from server.
5296 'request-nsid yes;' causes recursive server to send
5297 NSID requests to upstream servers. Server responds
5298 to NSID requests with the string configured by
5299 'server-id' option. [RT #17091]
5301 2352. [bug] Various GSS_API fixups. [RT #17729]
5303 2351. [bug] convertxsl.pl generated very long lines. [RT #17906]
5305 2350. [port] win32: IPv6 support. [RT #17797]
5307 2349. [func] Provide incremental re-signing support for secure
5308 dynamic zones. [RT #1091]
5310 2348. [func] Use the EVP interface to OpenSSL. Add PKCS#11 support.
5311 Documentation is in the new README.pkcs11 file.
5312 New tool, dnssec-keyfromlabel, which takes the
5313 label of a key pair in a HSM and constructs a DNS
5314 key pair for use by named and dnssec-signzone.
5317 2347. [bug] Delete now traverses the RB tree in the canonical
5320 2346. [func] Memory statistics now cover all active memory contexts
5321 in increased detail. [RT #17580]
5323 2345. [bug] named-checkconf failed to detect when forwarders
5324 were set at both the options/view level and in
5325 a root zone. [RT #17671]
5327 2344. [bug] Improve "logging{ file ...; };" documentation.
5330 2343. [bug] (Seemingly) duplicate IPv6 entries could be
5331 created in ADB. [RT #17837]
5333 2342. [func] Use getifaddrs() if available under Linux. [RT #17224]
5335 2341. [bug] libbind: add missing -I../include for off source
5336 tree builds. [RT #17606]
5338 2340. [port] openbsd: interface configuration. [RT #17700]
5340 2339. [port] tru64: support for libbind. [RT #17589]
5342 2338. [bug] check_ds() could be called with a non DS rdataset.
5345 2337. [bug] BUILD_LDFLAGS was not being correctly set. [RT #17614]
5347 2336. [func] If "named -6" is specified then listen on all IPv6
5348 interfaces if there are not listen-on-v6 clauses in
5349 named.conf. [RT #17581]
5351 2335. [port] sunos: libbind and *printf() support for long long.
5354 2334. [bug] Bad REQUIRES in fromstruct_in_naptr(), off by one
5355 bug in fromstruct_txt(). [RT #17609]
5357 2333. [bug] Fix off by one error in isc_time_nowplusinterval().
5360 2332. [contrib] query-loc-0.4.0. [RT #17602]
5362 2331. [bug] Failure to regenerate any signatures was not being
5363 reported nor being past back to the UPDATE client.
5366 2330. [bug] Remove potential race condition when handling
5367 over memory events. [RT #17572]
5369 WARNING: API CHANGE: over memory callback
5370 function now needs to call isc_mem_waterack().
5371 See <isc/mem.h> for details.
5373 2329. [bug] Clearer help text for dig's '-x' and '-i' options.
5375 2328. [maint] Add AAAA addresses for A.ROOT-SERVERS.NET,
5376 F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET,
5377 J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
5380 2327. [bug] It was possible to dereference a NULL pointer in
5381 rbtdb.c. Implement dead node processing in zones as
5382 we do for caches. [RT #17312]
5384 2326. [bug] It was possible to trigger a INSIST in the acache
5387 2325. [port] Linux: use capset() function if available. [RT #17557]
5389 2324. [bug] Fix IPv6 matching against "any;". [RT #17533]
5391 2323. [port] tru64: namespace clash. [RT #17547]
5393 2322. [port] MacOS: work around the limitation of setrlimit()
5394 for RLIMIT_NOFILE. [RT #17526]
5398 2320. [func] Make statistics counters thread-safe for platforms
5399 that support certain atomic operations. [RT #17466]
5401 2319. [bug] Silence Coverity warnings in
5402 lib/dns/rdata/in_1/apl_42.c. [RT #17469]
5404 2318. [port] sunos fixes for libbind. [RT #17514]
5406 2317. [bug] "make distclean" removed bind9.xsl.h. [RT #17518]
5408 2316. [port] Missing #include <isc/print.h> in lib/dns/gssapictx.c.
5411 2315. [bug] Used incorrect address family for mapped IPv4
5412 addresses in acl.c. [RT #17519]
5414 2314. [bug] Uninitialized memory use on error path in
5415 bin/named/lwdnoop.c. [RT #17476]
5417 2313. [cleanup] Silence Coverity warnings. Handle private stacks.
5418 [RT #17447] [RT #17478]
5420 2312. [cleanup] Silence Coverity warning in lib/isc/unix/socket.c.
5423 2311. [bug] IPv6 addresses could match IPv4 ACL entries and
5424 vice versa. [RT #17462]
5426 2310. [bug] dig, host, nslookup: flush stdout before emitting
5427 debug/fatal messages. [RT #17501]
5429 2309. [cleanup] Fix Coverity warnings in lib/dns/acl.c and iptable.c.
5432 2308. [cleanup] Silence Coverity warning in bin/named/controlconf.c.
5435 2307. [bug] Remove infinite loop from lib/dns/sdb.c. [RT #17496]
5437 2306. [bug] Remove potential race from lib/dns/resolver.c.
5440 2305. [security] inet_network() buffer overflow. CVE-2008-0122.
5442 2304. [bug] Check returns from all dns_rdata_tostruct() calls.
5445 2303. [bug] Remove unnecessary code from bin/named/lwdgnba.c.
5448 2302. [bug] Fix memset() calls in lib/tests/t_api.c. [RT #17472]
5450 2301. [bug] Remove resource leak and fix error messages in
5451 bin/tests/system/lwresd/lwtest.c. [RT #17474]
5453 2300. [bug] Fixed failure to close open file in
5454 bin/tests/names/t_names.c. [RT #17473]
5456 2299. [bug] Remove unnecessary NULL check in
5457 bin/nsupdate/nsupdate.c. [RT #17475]
5459 2298. [bug] isc_mutex_lock() failure not caught in
5460 bin/tests/timers/t_timers.c. [RT #17468]
5462 2297. [bug] isc_entropy_createfilesource() failure not caught in
5463 bin/tests/dst/t_dst.c. [RT #17467]
5465 2296. [port] Allow docbook stylesheet location to be specified to
5466 configure. [RT #17457]
5468 2295. [bug] Silence static overrun error in bin/named/lwaddr.c.
5471 2294. [func] Allow the experimental statistics channels to have
5472 multiple connections and ACL.
5473 Note: the stats-server and stats-server-v6 options
5474 available in the previous beta releases are replaced
5475 with the generic statistics-channels statement.
5477 2293. [func] Add ACL regression test. [RT #17375]
5479 2292. [bug] Log if the working directory is not writable.
5482 2291. [bug] PR_SET_DUMPABLE may be set too late. Also report
5483 failure to set PR_SET_DUMPABLE. [RT #17312]
5485 2290. [bug] Let AD in the query signal that the client wants AD
5486 set in the response. [RT #17301]
5488 2289. [func] named-checkzone now reports the out-of-zone CNAME
5491 2288. [port] win32: mark service as running when we have finished
5492 loading. [RT #17441]
5494 2287. [bug] Use 'volatile' if the compiler supports it. [RT #17413]
5496 2286. [func] Allow a TCP connection to be used as a weak
5497 authentication method for reverse zones.
5498 New update-policy methods tcp-self and 6to4-self.
5501 2285. [func] Test framework for client memory context management.
5504 2284. [bug] Memory leak in UPDATE prerequisite processing.
5507 2283. [bug] TSIG keys were not attaching to the memory
5508 context. TSIG keys should use the rings
5509 memory context rather than the clients memory
5510 context. [RT #17377]
5512 2282. [bug] Acl code fixups. [RT #17346] [RT #17374]
5514 2281. [bug] Attempts to use undefined acls were not being logged.
5517 2280. [func] Allow the experimental http server to be reached
5518 over IPv6 as well as IPv4. [RT #17332]
5520 2279. [bug] Use setsockopt(SO_NOSIGPIPE), when available,
5521 to protect applications from receiving spurious
5522 SIGPIPE signals when using the resolver.
5524 2278. [bug] win32: handle the case where Windows returns no
5525 search list or DNS suffix. [RT #17354]
5527 2277. [bug] Empty zone names were not correctly being caught at
5528 in the post parse checks. [RT #17357]
5530 2276. [bug] Install <dst/gssapi.h>. [RT #17359]
5532 2275. [func] Add support to dig to perform IXFR queries over UDP.
5535 2274. [func] Log zone transfer statistics. [RT #17336]
5537 2273. [bug] Adjust log level to WARNING when saving inconsistent
5538 stub/slave master and journal files. [RT #17279]
5540 2272. [bug] Handle illegal dnssec-lookaside trust-anchor names.
5543 2271. [bug] Fix a memory leak in http server code [RT #17100]
5545 2270. [bug] dns_db_closeversion() version->writer could be reset
5546 before it is tested. [RT #17290]
5548 2269. [contrib] dbus memory leaks and missing va_end calls. [RT #17232]
5550 2268. [bug] 0.IN-ADDR.ARPA was missing from the empty zones
5553 --- 9.5.0b1 released ---
5555 2267. [bug] Radix tree node_num value could be set incorrectly,
5556 causing positive ACL matches to look like negative
5559 2266. [bug] client.c:get_clientmctx() returned the same mctx
5560 once the pool of mctx's was filled. [RT #17218]
5562 2265. [bug] Test that the memory context's basic_table is non NULL
5563 before freeing. [RT #17265]
5565 2264. [bug] Server prefix length was being ignored. [RT #17308]
5567 2263. [bug] "named-checkconf -z" failed to set default value
5568 for "check-integrity". [RT #17306]
5570 2262. [bug] Error status from all but the last view could be
5573 2261. [bug] Fix memory leak with "any" and "none" ACLs [RT #17272]
5575 2260. [bug] Reported wrong clients-per-query when increasing the
5580 --- 9.5.0a7 released ---
5582 2258. [bug] Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken.
5585 2257. [bug] win32: Use the full path to vcredist_x86.exe when
5586 calling it. [RT #17222]
5588 2256. [bug] win32: Correctly register the installation location of
5589 bindevt.dll. [RT #17159]
5591 2255. [maint] L.ROOT-SERVERS.NET is now 199.7.83.42.
5593 2254. [bug] timer.c:dispatch() failed to lock timer->lock
5594 when reading timer->idle allowing it to see
5595 intermediate values as timer->idle was reset by
5596 isc_timer_touch(). [RT #17243]
5598 2253. [func] "max-cache-size" defaults to 32M.
5599 "max-acache-size" defaults to 16M.
5601 2252. [bug] Fixed errors in sortlist code [RT #17216]
5605 2250. [func] New flag 'memstatistics' to state whether the
5606 memory statistics file should be written or not.
5607 Additionally named's -m option will cause the
5608 statistics file to be written. [RT #17113]
5610 2249. [bug] Only set Authentic Data bit if client requested
5611 DNSSEC, per RFC 3655 [RT #17175]
5613 2248. [cleanup] Fix several errors reported by Coverity. [RT #17160]
5615 2247. [doc] Sort doc/misc/options. [RT #17067]
5617 2246. [bug] Make the startup of test servers (ans.pl) more
5620 2245. [bug] Validating lack of DS records at trust anchors wasn't
5621 working. [RT #17151]
5623 2244. [func] Allow the check of nameserver names against the
5624 SOA MNAME field to be disabled by specifying
5625 'notify-to-soa yes;'. [RT #17073]
5627 2243. [func] Configuration files without a newline at the end now
5628 parse without error. [RT #17120]
5630 2242. [bug] nsupdate: GSS-TSIG support using the Heimdal Kerberos
5631 library could require a source of random data.
5634 2241. [func] nsupdate: add a interactive 'help' command. [RT #17099]
5636 2240. [bug] Cleanup nsupdates GSS-TSIG support. Convert
5637 a number of INSIST()s into plain fatal() errors
5638 which report the triggering result code.
5639 The 'key' command wasn't disabling GSS-TSIG.
5642 2239. [func] Ship a pre built bin/named/bind9.xsl.h. [RT #17114]
5644 2238. [bug] It was possible to trigger a REQUIRE when a
5645 validation was canceled. [RT #17106]
5647 2237. [bug] libbind: res_init() was not thread aware. [RT #17123]
5649 2236. [bug] dnssec-signzone failed to preserve the case of
5650 of wildcard owner names. [RT #17085]
5652 2235. [bug] <isc/atomic.h> was not being installed. [RT #17135]
5654 2234. [port] Correct some compiler warnings on SCO OSr5 [RT #17134]
5656 2233. [func] Add support for O(1) ACL processing, based on
5657 radix tree code originally written by Kevin
5658 Brintnall. [RT #16288]
5660 2232. [bug] dns_adb_findaddrinfo() could fail and return
5661 ISC_R_SUCCESS. [RT #17137]
5663 2231. [bug] Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken.
5666 2230. [bug] We could INSIST reading a corrupted journal.
5669 2229. [bug] Null pointer dereference on query pool creation
5670 failure. [RT #17133]
5672 2228. [contrib] contrib: Change 2188 was incomplete.
5674 2227. [cleanup] Tidied up the FAQ. [RT #17121]
5678 2225. [bug] More support for systems with no IPv4 addresses.
5681 2224. [bug] Defer journal compaction if a xfrin is in progress.
5684 2223. [bug] Make a new journal when compacting. [RT #17119]
5686 2222. [func] named-checkconf now checks server key references.
5689 2221. [bug] Set the event result code to reflect the actual
5690 record turned to caller when a cache update is
5691 rejected due to a more credible answer existing.
5694 2220. [bug] win32: Address a race condition in final shutdown of
5695 the Windows socket code. [RT #17028]
5697 2219. [bug] Apply zone consistency checks to additions, not
5698 removals, when updating. [RT #17049]
5700 2218. [bug] Remove unnecessary REQUIRE from dns_validator_create().
5703 2217. [func] Adjust update log levels. [RT #17092]
5705 2216. [cleanup] Fix a number of errors reported by Coverity.
5708 2215. [bug] Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094]
5710 2214. [bug] Deregister OpenSSL lock callback when cleaning
5711 up. Reorder OpenSSL cleanup so that RAND_cleanup()
5712 is called before the locks are destroyed. [RT #17098]
5714 2213. [bug] SIG0 diagnostic failure messages were looking at the
5715 wrong status code. [RT #17101]
5717 2212. [func] 'host -m' now causes memory statistics and active
5718 memory to be printed at exit. [RT 17028]
5720 2211. [func] Update "dynamic update temporarily disabled" message.
5723 2210. [bug] Deleting class specific records via UPDATE could
5726 2209. [port] osx: linking against user supplied static OpenSSL
5727 libraries failed as the system ones were still being
5730 2208. [port] win32: make sure both build methods produce the
5731 same output. [RT #17058]
5733 2207. [port] Some implementations of getaddrinfo() fail to set
5734 ai_canonname correctly. [RT #17061]
5736 --- 9.5.0a6 released ---
5738 2206. [security] "allow-query-cache" and "allow-recursion" now
5739 cross inherit from each other.
5741 If allow-query-cache is not set in named.conf then
5742 allow-recursion is used if set, otherwise allow-query
5743 is used if set, otherwise the default (localnets;
5744 localhost;) is used.
5746 If allow-recursion is not set in named.conf then
5747 allow-query-cache is used if set, otherwise allow-query
5748 is used if set, otherwise the default (localnets;
5749 localhost;) is used.
5753 2205. [bug] libbind: change #2119 broke thread support. [RT #16982]
5755 2204. [bug] "rndc flushanme name unknown-view" caused named
5756 to crash. [RT #16984]
5758 2203. [security] Query id generation was cryptographically weak.
5761 2202. [security] The default acls for allow-query-cache and
5762 allow-recursion were not being applied. [RT #16960]
5764 2201. [bug] The build failed in a separate object directory.
5767 2200. [bug] The search for cached NSEC records was stopping to
5768 early leading to excessive DLV queries. [RT #16930]
5770 2199. [bug] win32: don't call WSAStartup() while loading dlls.
5773 2198. [bug] win32: RegCloseKey() could be called when
5774 RegOpenKeyEx() failed. [RT #16911]
5776 2197. [bug] Add INSIST to catch negative responses which are
5777 not setting the event result code appropriately.
5780 2196. [port] win32: yield processor while waiting for once to
5781 to complete. [RT #16958]
5783 2195. [func] dnssec-keygen now defaults to nametype "ZONE"
5784 when generating DNSKEYs. [RT #16954]
5786 2194. [bug] Close journal before calling 'done' in xfrin.c.
5788 --- 9.5.0a5 released ---
5790 2193. [port] win32: BINDInstall.exe is now linked statically.
5793 2192. [port] win32: use vcredist_x86.exe to install Visual
5794 Studio's redistributable dlls if building with
5795 Visual Stdio 2005 or later.
5797 2191. [func] named-checkzone now allows dumping to stdout (-).
5798 named-checkconf now has -h for help.
5799 named-checkzone now has -h for help.
5800 rndc now has -h for help.
5801 Better handling of '-?' for usage summaries.
5804 2190. [func] Make fallback to plain DNS from EDNS due to timeouts
5805 more visible. New logging category "edns-disabled".
5808 2189. [bug] Handle socket() returning EINTR. [RT #15949]
5810 2188. [contrib] queryperf: autoconf changes to make the search for
5811 libresolv or libbind more robust. [RT #16299]
5813 2187. [bug] query_addds(), query_addwildcardproof() and
5814 query_addnxrrsetnsec() should take a version
5815 argument. [RT #16368]
5817 2186. [port] cygwin: libbind: check for struct sockaddr_storage
5818 independently of IPv6. [RT #16482]
5820 2185. [port] sunos: libbind: check for ssize_t, memmove() and
5821 memchr(). [RT #16463]
5823 2184. [bug] bind9.xsl.h didn't build out of the source tree.
5826 2183. [bug] dnssec-signzone didn't handle offline private keys
5829 2182. [bug] dns_dispatch_createtcp() and dispatch_createudp()
5830 could return ISC_R_SUCCESS when they ran out of
5833 2181. [port] sunos: libbind: add paths.h from BIND 8. [RT #16462]
5835 2180. [cleanup] Remove bit test from 'compress_test' as they
5836 are no longer needed. [RT #16497]
5838 2179. [func] 'rndc command zone' will now find 'zone' if it is
5839 unique to all the views. [RT #16821]
5841 2178. [bug] 'rndc reload' of a slave or stub zone resulted in
5842 a reference leak. [RT #16867]
5844 2177. [bug] Array bounds overrun on read (rcodetext) at
5845 debug level 10+. [RT #16798]
5847 2176. [contrib] dbus update to handle race condition during
5848 initialization (Bugzilla 235809). [RT #16842]
5850 2175. [bug] win32: windows broadcast condition variable support
5851 was broken. [RT #16592]
5853 2174. [bug] I/O errors should always be fatal when reading
5854 master files. [RT #16825]
5856 2173. [port] win32: When compiling with MSVS 2005 SP1 we also
5857 need to ship Microsoft.VC80.MFCLOC.
5859 --- 9.5.0a4 released ---
5861 2172. [bug] query_addsoa() was being called with a non zone db.
5864 2171. [bug] Handle breaks in DNSSEC trust chains where the parent
5865 servers are not DS aware (DS queries to the parent
5866 return a referral to the child).
5868 2170. [func] Add acache processing to test suite. [RT #16711]
5870 2169. [bug] host, nslookup: when reporting NXDOMAIN report the
5871 given name and not the last name searched for.
5874 2168. [bug] nsupdate: in non-interactive mode treat syntax errors
5875 as fatal errors. [RT #16785]
5877 2167. [bug] When re-using a automatic zone named failed to
5878 attach it to the new view. [RT #16786]
5880 --- 9.5.0a3 released ---
5882 2166. [bug] When running in batch mode, dig could misinterpret
5883 a server address as a name to be looked up, causing
5884 unexpected output. [RT #16743]
5886 2165. [func] Allow the destination address of a query to determine
5887 if we will answer the query or recurse.
5888 allow-query-on, allow-recursion-on and
5889 allow-query-cache-on. [RT #16291]
5891 2164. [bug] The code to determine how named-checkzone /
5892 named-compilezone was called failed under windows.
5895 2163. [bug] If only one of query-source and query-source-v6
5896 specified a port the query pools code broke (change
5899 2162. [func] Allow "rrset-order fixed" to be disabled at compile
5902 2161. [bug] Fix which log messages are emitted for 'rndc flush'.
5905 2160. [bug] libisc wasn't handling NULL ifa_addr pointers returned
5906 from getifaddrs(). [RT #16708]
5908 --- 9.5.0a2 released ---
5910 2159. [bug] Array bounds overrun in acache processing. [RT #16710]
5912 2158. [bug] ns_client_isself() failed to initialize key
5913 leading to a REQUIRE failure. [RT #16688]
5915 2157. [func] dns_db_transfernode() created. [RT #16685]
5917 2156. [bug] Fix node reference leaks in lookup.c:lookup_find(),
5918 resolver.c:validated() and resolver.c:cache_name().
5919 Fix a memory leak in rbtdb.c:free_noqname().
5920 Make lookup.c:lookup_find() robust against
5921 event leaks. [RT #16685]
5923 2155. [contrib] SQLite sdb module from jaboydjr@netwalk.com.
5926 2154. [func] Scoped (e.g. IPv6 link-local) addresses may now be
5927 matched in acls by omitting the scope. [RT #16599]
5929 2153. [bug] nsupdate could leak memory. [RT #16691]
5931 2152. [cleanup] Use sizeof(buf) instead of fixed number in
5932 dighost.c:get_trusted_key(). [RT #16678]
5934 2151. [bug] Missing newline in usage message for journalprint.
5937 2150. [bug] 'rrset-order cyclic' uniformly distribute the
5938 starting point for the first response for a given
5941 2149. [bug] isc_mem_checkdestroyed() failed to abort on
5942 if there were still active memory contexts.
5945 2148. [func] Add positive logging for rndc commands. [RT #14623]
5947 2147. [bug] libbind: remove potential buffer overflow from
5948 hmac_link.c. [RT #16437]
5950 2146. [cleanup] Silence Linux's spurious "obsolete setsockopt
5951 SO_BSDCOMPAT" message. [RT #16641]
5953 2145. [bug] Check DS/DLV digest lengths for known digests.
5956 2144. [cleanup] Suppress logging of SERVFAIL from forwarders.
5959 2143. [bug] We failed to restart the IPv6 client when the
5960 kernel failed to return the destination the
5961 packet was sent to. [RT #16613]
5963 2142. [bug] Handle master files with a modification time that
5964 matches the epoch. [RT #16612]
5966 2141. [bug] dig/host should not be setting IDN_ASCCHECK (IDN
5967 equivalent of LDH checks). [RT #16609]
5969 2140. [bug] libbind: missing unlock on pthread_key_create()
5970 failures. [RT #16654]
5972 2139. [bug] dns_view_find() was being called with wrong type
5973 in adb.c. [RT #16670]
5975 2138. [bug] Lock order reversal in resolver.c. [RT #16653]
5977 2137. [port] Mips little endian and/or mips 64 bit are now
5978 supported for atomic operations. [RT #16648]
5980 2136. [bug] nslookup/host looped if there was no search list
5981 and the host didn't exist. [RT #16657]
5983 2135. [bug] Uninitialized rdataset in sdlz.c. [RT #16656]
5985 2134. [func] Additional statistics support. [RT #16666]
5987 2133. [port] powerpc: Support both IBM and MacOS Power PC
5988 assembler syntaxes. [RT #16647]
5990 2132. [bug] Missing unlock on out of memory in
5991 dns_dispatchmgr_setudp().
5993 2131. [contrib] dlz/mysql: AXFR was broken. [RT #16630]
5995 2130. [func] Log if CD or DO were set. [RT #16640]
5997 2129. [func] Provide a pool of UDP sockets for queries to be
5998 made over. See use-queryport-pool, queryport-pool-ports
5999 and queryport-pool-updateinterval. [RT #16415]
6001 2128. [doc] xsltproc --nonet, update DTD versions. [RT #16635]
6003 2127. [port] Improved OpenSSL 0.9.8 support. [RT #16563]
6005 2126. [security] Serialize validation of type ANY responses. [RT #16555]
6007 2125. [bug] dns_zone_getzeronosoattl() REQUIRE failure if DLZ
6008 was defined. [RT #16574]
6010 2124. [security] It was possible to dereference a freed fetch
6011 context. [RT #16584]
6013 --- 9.5.0a1 released ---
6015 2123. [func] Use Doxygen to generate internal documentation.
6018 2122. [func] Experimental http server and statistics support
6021 2121. [func] Add a 10 slot dead masters cache (LRU) with a 600
6022 second timeout. [RT #16553]
6024 2120. [doc] Fix markup on nsupdate man page. [RT #16556]
6026 2119. [compat] libbind: allow res_init() to succeed enough to
6027 return the default domain even if it was unable
6030 2118. [bug] Handle response with long chains of domain name
6031 compression pointers which point to other compression
6032 pointers. [RT #16427]
6034 2117. [bug] DNSSEC fixes: named could fail to cache NSEC records
6035 which could lead to validation failures. named didn't
6036 handle negative DS responses that were in the process
6037 of being validated. Check CNAME bit before accepting
6038 NODATA proof. To be able to ignore a child NSEC there
6039 must be SOA (and NS) set in the bitmap. [RT #16399]
6041 2116. [bug] 'rndc reload' could cause the cache to continually
6042 be cleaned. [RT #16401]
6044 2115. [bug] 'rndc reconfig' could trigger a INSIST if the
6045 number of masters for a zone was reduced. [RT #16444]
6047 2114. [bug] dig/host/nslookup: searches for names with multiple
6048 labels were failing. [RT #16447]
6050 2113. [bug] nsupdate: if a zone is specified it should be used
6051 for server discover. [RT #16455]
6053 2112. [security] Warn if weak RSA exponent is used. [RT #16460]
6055 2111. [bug] Fix a number of errors reported by Coverity.
6058 2110. [bug] "minimal-responses yes;" interacted badly with BIND 8
6059 priming queries. [RT #16491]
6061 2109. [port] libbind: silence aix 5.3 compiler warnings. [RT #16502]
6063 2108. [func] DHCID support. [RT #16456]
6065 2107. [bug] dighost.c: more cleanup of buffers. [RT #16499]
6067 2106. [func] 'rndc status' now reports named's version. [RT #16426]
6069 2105. [func] GSS-TSIG support (RFC 3645).
6071 2104. [port] Fix Solaris SMF error message.
6073 2103. [port] Add /usr/sfw to list of locations for OpenSSL
6076 2102. [port] Silence Solaris 10 warnings.
6078 2101. [bug] OpenSSL version checks were not quite right.
6081 2100. [port] win32: copy libeay32.dll to Build\Debug.
6082 Copy Debug\named-checkzone to Debug\named-compilezone.
6084 2099. [port] win32: more manifest issues.
6086 2098. [bug] Race in rbtdb.c:no_references(), which occasionally
6087 triggered an INSIST failure about the node lock
6088 reference. [RT #16411]
6090 2097. [bug] named could reference a destroyed memory context
6091 after being reloaded / reconfigured. [RT #16428]
6093 2096. [bug] libbind: handle applications that fail to detect
6094 res_init() failures better.
6096 2095. [port] libbind: alway prototype inet_cidr_ntop_ipv6() and
6097 net_cidr_ntop_ipv6(). [RT #16388]
6099 2094. [contrib] Update named-bootconf. [RT #16404]
6101 2093. [bug] named-checkzone -s was broken.
6103 2092. [bug] win32: dig, host, nslookup. Use registry config
6104 if resolv.conf does not exist or no nameservers
6107 2091. [port] dighost.c: race condition on cleanup. [RT #16417]
6109 2090. [port] win32: Visual C++ 2005 command line manifest support.
6112 2089. [security] Raise the minimum safe OpenSSL versions to
6113 OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions
6114 prior to these have known security flaws which
6115 are (potentially) exploitable in named. [RT #16391]
6117 2088. [security] Change the default RSA exponent from 3 to 65537.
6120 2087. [port] libisc failed to compile on OS's w/o a vsnprintf.
6123 2086. [port] libbind: FreeBSD now has get*by*_r() functions.
6126 2085. [doc] win32: added index.html and README to zip. [RT #16201]
6128 2084. [contrib] dbus update for 9.3.3rc2.
6130 2083. [port] win32: Visual C++ 2005 support.
6132 2082. [doc] Document 'cache-file' as a test only option.
6134 2081. [port] libbind: minor 64-bit portability fix in memcluster.c.
6137 2080. [port] libbind: res_init.c did not compile on older versions
6138 of Solaris. [RT #16363]
6140 2079. [bug] The lame cache was not handling multiple types
6141 correctly. [RT #16361]
6143 2078. [bug] dnssec-checkzone output style "default" was badly
6144 named. It is now called "relative". [RT #16326]
6146 2077. [bug] 'dnssec-signzone -O raw' wasn't outputting the
6147 complete signed zone. [RT #16326]
6149 2076. [bug] Several files were missing #include <config.h>
6150 causing build failures on OSF. [RT #16341]
6152 2075. [bug] The spillat timer event hander could leak memory.
6155 2074. [bug] dns_request_createvia2(), dns_request_createvia3(),
6156 dns_request_createraw2() and dns_request_createraw3()
6157 failed to send multiple UDP requests. [RT #16349]
6159 2073. [bug] Incorrect semantics check for update policy "wildcard".
6162 2072. [bug] We were not generating valid HMAC SHA digests.
6165 2071. [port] Test whether gcc accepts -fno-strict-aliasing.
6168 2070. [bug] The remote address was not always displayed when
6169 reporting dispatch failures. [RT #16315]
6171 2069. [bug] Cross compiling was not working. [RT #16330]
6173 2068. [cleanup] Lower incremental tuning message to debug 1.
6176 2067. [bug] 'rndc' could close the socket too early triggering
6177 a INSIST under Windows. [RT #16317]
6179 2066. [security] Handle SIG queries gracefully. [RT #16300]
6181 2065. [bug] libbind: probe for HPUX prototypes for
6182 endprotoent_r() and endservent_r(). [RT 16313]
6184 2064. [bug] libbind: silence AIX compiler warnings. [RT #16218]
6186 2063. [bug] Change #1955 introduced a bug which caused the first
6187 'rndc flush' call to not free memory. [RT #16244]
6189 2062. [bug] 'dig +nssearch' was reusing a buffer before it had
6190 been returned by the socket code. [RT #16307]
6192 2061. [bug] Accept expired wildcard message reversed. [RT #16296]
6194 2060. [bug] Enabling DLZ support could leave views partially
6195 configured. [RT #16295]
6197 2059. [bug] Search into cache rbtdb could trigger an INSIST
6198 failure while cleaning up a stale rdataset.
6201 2058. [bug] Adjust how we calculate rtt estimates in the presence
6202 of authoritative servers that drop EDNS and/or CD
6203 requests. Also fallback to EDNS/512 and plain DNS
6204 faster for zones with less than 3 servers. [RT #16187]
6206 2057. [bug] Make setting "ra" dependent on both allow-query-cache
6207 and allow-recursion. [RT #16290]
6209 2056. [bug] dig: ixfr= was not being treated case insensitively
6210 at all times. [RT #15955]
6212 2055. [bug] Missing goto after dropping multicast query.
6215 2054. [port] freebsd: do not explicitly link against -lpthread.
6218 2053. [port] netbsd:libbind: silence compiler warnings. [RT #16220]
6220 2052. [bug] 'rndc' improve connect failed message to report
6221 the failing address. [RT #15978]
6223 2051. [port] More strtol() fixes. [RT #16249]
6225 2050. [bug] Parsing of NSAP records was not case insensitive.
6228 2049. [bug] Restore SOA before AXFR when falling back from
6229 a attempted IXFR when transferring in a zone.
6230 Allow a initial SOA query before attempting
6231 a AXFR to be requested. [RT #16156]
6233 2048. [bug] It was possible to loop forever when using
6234 avoid-v4-udp-ports / avoid-v6-udp-ports when
6235 the OS always returned the same local port.
6238 2047. [bug] Failed to initialize the interface flags to zero.
6241 2046. [bug] rbtdb.c:rdataset_setadditional() could cause duplicate
6242 cleanup [RT #16247].
6244 2045. [func] Use lock buckets for acache entries to limit memory
6245 consumption. [RT #16183]
6247 2044. [port] Add support for atomic operations for Itanium.
6250 2043. [port] nsupdate/nslookup: Force the flushing of the prompt
6251 for interactive sessions. [RT #16148]
6253 2042. [bug] named-checkconf was incorrectly rejecting the
6254 logging category "config". [RT #16117]
6256 2041. [bug] "configure --with-dlz-bdb=yes" produced a bad
6257 set of libraries to be linked. [RT #16129]
6259 2040. [bug] rbtdb no_references() could trigger an INSIST
6260 failure with --enable-atomic. [RT #16022]
6262 2039. [func] Check that all buffers passed to the socket code
6263 have been retrieved when the socket event is freed.
6266 2038. [bug] dig/nslookup/host was unlinking from wrong list
6267 when handling errors. [RT #16122]
6269 2037. [func] When unlinking the first or last element in a list
6270 check that the list head points to the element to
6271 be unlinked. [RT #15959]
6273 2036. [bug] 'rndc recursing' could cause trigger a REQUIRE.
6276 2035. [func] Make falling back to TCP on UDP refresh failure
6277 optional. Default "try-tcp-refresh yes;" for BIND 8
6278 compatibility. [RT #16123]
6280 2034. [bug] gcc: set -fno-strict-aliasing. [RT #16124]
6282 2033. [bug] We weren't creating multiple client memory contexts
6283 on demand as expected. [RT #16095]
6285 2032. [bug] Remove a INSIST in query_addadditional2(). [RT #16074]
6287 2031. [bug] Emit a error message when "rndc refresh" is called on
6288 a non slave/stub zone. [RT # 16073]
6290 2030. [bug] We were being overly conservative when disabling
6291 openssl engine support. [RT #16030]
6293 2029. [bug] host printed out the server multiple times when
6294 specified on the command line. [RT #15992]
6296 2028. [port] linux: socket.c compatibility for old systems.
6299 2027. [port] libbind: Solaris x86 support. [RT #16020]
6301 2026. [bug] Rate limit the two recursive client exceeded messages.
6304 2025. [func] Update "zone serial unchanged" message. [RT #16026]
6306 2024. [bug] named emitted spurious "zone serial unchanged"
6307 messages on reload. [RT #16027]
6309 2023. [bug] "make install" should create ${localstatedir}/run and
6310 ${sysconfdir} if they do not exist. [RT #16033]
6312 2022. [bug] If dnssec validation is disabled only assert CD if
6313 CD was requested. [RT #16037]
6315 2021. [bug] dnssec-enable no; triggered a REQUIRE. [RT #16037]
6317 2020. [bug] rdataset_setadditional() could leak memory. [RT #16034]
6319 2019. [tuning] Reduce the amount of work performed per quantum
6320 when cleaning the cache. [RT #15986]
6322 2018. [bug] Checking if the HMAC MD5 private file was broken.
6325 2017. [bug] allow-query default was not correct. [RT #15946]
6327 2016. [bug] Return a partial answer if recursion is not
6328 allowed but requested and we had the answer
6329 to the original qname. [RT #15945]
6331 2015. [cleanup] use-additional-cache is now acache-enable for
6332 consistency. Default acache-enable off in BIND 9.4
6333 as it requires memory usage to be configured.
6334 It may be enabled by default in BIND 9.5 once we
6335 have more experience with it.
6337 2014. [func] Statistics about acache now recorded and sent
6340 2013. [bug] Handle unexpected TSIGs on unsigned AXFR/IXFR
6341 responses more gracefully. [RT #15941]
6343 2012. [func] Don't insert new acache entries if acache is full.
6346 2011. [func] dnssec-signzone can now update the SOA record of
6347 the signed zone, either as an increment or as the
6348 system time(). [RT #15633]
6350 2010. [placeholder] rt15958
6352 2009. [bug] libbind: Coverity fixes. [RT #15808]
6354 2008. [func] It is now possible to enable/disable DNSSEC
6355 validation from rndc. This is useful for the
6356 mobile hosts where the current connection point
6357 breaks DNSSEC (firewall/proxy). [RT #15592]
6359 rndc validation newstate [view]
6361 2007. [func] It is now possible to explicitly enable DNSSEC
6362 validation. default dnssec-validation no; to
6363 be changed to yes in 9.5.0. [RT #15674]
6365 2006. [security] Allow-query-cache and allow-recursion now default
6366 to the built in acls "localnets" and "localhost".
6368 This is being done to make caching servers less
6369 attractive as reflective amplifying targets for
6370 spoofed traffic. This still leave authoritative
6373 The best fix is for full BCP 38 deployment to
6374 remove spoofed traffic.
6376 2005. [bug] libbind: Retransmission timeouts should be
6377 based on which attempt it is to the nameserver
6378 and not the nameserver itself. [RT #13548]
6380 2004. [bug] dns_tsig_sign() could pass a NULL pointer to
6381 dst_context_destroy() when cleaning up after a
6384 2003. [bug] libbind: The DNS name/address lookup functions could
6385 occasionally follow a random pointer due to
6386 structures not being completely zeroed. [RT #15806]
6388 2002. [bug] libbind: tighten the constraints on when
6389 struct addrinfo._ai_pad exists. [RT #15783]
6391 2001. [func] Check the KSK flag when updating a secure dynamic zone.
6392 New zone option "update-check-ksk yes;". [RT #15817]
6394 2000. [bug] memmove()/strtol() fix was incomplete. [RT #15812]
6396 1999. [func] Implement "rrset-order fixed". [RT #13662]
6398 1998. [bug] Restrict handling of fifos as sockets to just SunOS.
6399 This allows named to connect to entropy gathering
6400 daemons that use fifos instead of sockets. [RT #15840]
6402 1997. [bug] Named was failing to replace negative cache entries
6403 when a positive one for the type was learnt.
6406 1996. [bug] nsupdate: if a zone has been specified it should
6407 appear in the output of 'show'. [RT #15797]
6409 1995. [bug] 'host' was reporting multiple "is an alias" messages.
6412 1994. [port] OpenSSL 0.9.8 support. [RT #15694]
6414 1993. [bug] Log messages, via syslog, were missing the space
6415 after the timestamp if "print-time yes" was specified.
6418 1992. [bug] Not all incoming zone transfer messages included the
6421 1991. [cleanup] The configuration data, once read, should be treated
6422 as read only. Expand the use of const to enforce this
6423 at compile time. [RT #15813]
6425 1990. [bug] libbind: isc's override of broken gettimeofday()
6426 implementations was not always effective.
6429 1989. [bug] win32: don't check the service password when
6430 re-installing. [RT #15882]
6432 1988. [bug] Remove a bus error from the SHA256/SHA512 support.
6435 1987. [func] DS/DLV SHA256 digest algorithm support. [RT #15608]
6437 1986. [func] Report when a zone is removed. [RT #15849]
6439 1985. [protocol] DLV has now been assigned a official type code of
6442 Note: care should be taken to ensure you upgrade
6443 both named and dnssec-signzone at the same time for
6444 zones with DLV records where named is the master
6445 server for the zone. Also any zones that contain
6446 DLV records should be removed when upgrading a slave
6447 zone. You do not however have to upgrade all
6448 servers for a zone with DLV records simultaneously.
6450 1984. [func] dig, nslookup and host now advertise a 4096 byte
6451 EDNS UDP buffer size by default. [RT #15855]
6453 1983. [func] Two new update policies. "selfsub" and "selfwild".
6456 1982. [bug] DNSKEY was being accepted on the parent side of
6457 a delegation. KEY is still accepted there for
6458 RFC 3007 validated updates. [RT #15620]
6460 1981. [bug] win32: condition.c:wait() could fail to reattain
6463 1980. [func] dnssec-signzone: output the SOA record as the
6464 first record in the signed zone. [RT #15758]
6466 1979. [port] linux: allow named to drop core after changing
6467 user ids. [RT #15753]
6469 1978. [port] Handle systems which have a broken recvmsg().
6472 1977. [bug] Silence noisy log message. [RT #15704]
6474 1976. [bug] Handle systems with no IPv4 addresses. [RT #15695]
6476 1975. [bug] libbind: isc_gethexstring() could misparse multi-line
6477 hex strings with comments. [RT #15814]
6479 1974. [doc] List each of the zone types and associated zone
6480 options separately in the ARM.
6482 1973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
6483 HMACSHA512 support. [RT #13606]
6485 1972. [contrib] DBUS dynamic forwarders integration from
6486 Jason Vas Dias <jvdias@redhat.com>.
6488 1971. [port] linux: make detection of missing IF_NAMESIZE more
6491 1970. [bug] nsupdate: adjust UDP timeout when falling back to
6492 unsigned SOA query. [RT #15775]
6494 1969. [bug] win32: the socket code was freeing the socket
6495 structure too early. [RT #15776]
6497 1968. [bug] Missing lock in resolver.c:validated(). [RT #15739]
6499 1967. [func] dig/nslookup/host: warn about missing "QR". [RT #15779]
6501 1966. [bug] Don't set CD when we have fallen back to plain DNS.
6504 1965. [func] Suppress spurious "recursion requested but not
6505 available" warning with 'dig +qr'. [RT #15780].
6507 1964. [func] Separate out MX and SRV to CNAME checks. [RT #15723]
6509 1963. [port] Tru64 4.0E doesn't support send() and recv().
6512 1962. [bug] Named failed to clear old update-policy when it
6513 was removed. [RT #15491]
6515 1961. [bug] Check the port and address of responses forwarded
6516 to dispatch. [RT #15474]
6518 1960. [bug] Update code should set NSEC ttls from SOA MINIMUM.
6521 1959. [func] Control the zeroing of the negative response TTL to
6522 a soa query. Defaults "zero-no-soa-ttl yes;" and
6523 "zero-no-soa-ttl-cache no;". [RT #15460]
6525 1958. [bug] Named failed to update the zone's secure state
6526 until the zone was reloaded. [RT #15412]
6528 1957. [bug] Dig mishandled responses to class ANY queries.
6531 1956. [bug] Improve cross compile support, 'gen' is now built
6532 by native compiler. See README for additional
6533 cross compile support information. [RT #15148]
6535 1955. [bug] Pre-allocate the cache cleaning iterator. [RT #14998]
6537 1954. [func] Named now falls back to advertising EDNS with a
6538 512 byte receive buffer if the initial EDNS queries
6541 1953. [func] The maximum EDNS UDP response named will send can
6542 now be set in named.conf (max-udp-size). This is
6543 independent of the advertised receive buffer
6544 (edns-udp-size). [RT #14852]
6546 1952. [port] hpux: tell the linker to build a runtime link
6547 path "-Wl,+b:". [RT #14816].
6549 1951. [security] Drop queries from particular well known ports.
6550 Don't return FORMERR to queries from particular
6551 well known ports. [RT #15636]
6553 1950. [port] Solaris 2.5.1 and earlier cannot bind() then connect()
6554 a TCP socket. This prevents the source address being
6555 set for TCP connections. [RT #15628]
6557 1949. [func] Addition memory leakage checks. [RT #15544]
6559 1948. [bug] If was possible to trigger a REQUIRE failure in
6560 xfrin.c:maybe_free() if named ran out of memory.
6563 1947. [func] It is now possible to configure named to accept
6564 expired RRSIGs. Default "dnssec-accept-expired no;".
6565 Setting "dnssec-accept-expired yes;" leaves named
6566 vulnerable to replay attacks. [RT #14685]
6568 1946. [bug] resume_dslookup() could trigger a REQUIRE failure
6569 when using forwarders. [RT #15549]
6571 1945. [cleanup] dnssec-keygen: RSA (RSAMD5) is no longer recommended.
6572 To generate a RSAMD5 key you must explicitly request
6575 1944. [cleanup] isc_hash_create() does not need a read/write lock.
6578 1943. [bug] Set the loadtime after rolling forward the journal.
6581 1942. [bug] If the name of a DNSKEY match that of one in
6582 trusted-keys do not attempt to validate the DNSKEY
6583 using the parents DS RRset. [RT #15649]
6585 1941. [bug] ncache_adderesult() should set eresult even if no
6586 rdataset is passed to it. [RT #15642]
6588 1940. [bug] Fixed a number of error conditions reported by
6591 1939. [bug] The resolver could dereference a null pointer after
6592 validation if all the queries have timed out.
6595 1938. [bug] The validator was not correctly handling unsecure
6596 negative responses at or below a SEP. [RT #15528]
6598 1937. [bug] sdlz doesn't handle RRSIG records. [RT #15564]
6600 1936. [bug] The validator could leak memory. [RT #15544]
6602 1935. [bug] 'acache' was DO sensitive. [RT #15430]
6604 1934. [func] Validate pending NS RRsets, in the authority section,
6605 prior to returning them if it can be done without
6606 requiring DNSKEYs to be fetched. [RT #15430]
6608 1933. [bug] dump_rdataset_raw() had a incorrect INSIST. [RT #15534]
6610 1932. [bug] hpux: LDFLAGS was getting corrupted. [RT #15530]
6612 1931. [bug] Per-client mctx could require a huge amount of memory,
6613 particularly for a busy caching server. [RT #15519]
6615 1930. [port] HPUX: ia64 support. [RT #15473]
6617 1929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
6619 1928. [bug] Race in rbtdb.c:currentversion(). [RT #15517]
6621 1927. [bug] Access to soanode or nsnode in rbtdb violated the
6622 lock order rule and could cause a dead lock.
6625 1926. [bug] The Windows installer did not check for empty
6626 passwords. BINDinstall was being installed in
6627 the wrong place. [RT #15483]
6629 1925. [port] All outer level AC_TRY_RUNs need cross compiling
6630 defaults. [RT #15469]
6632 1924. [port] libbind: hpux ia64 support. [RT #15473]
6634 1923. [bug] ns_client_detach() called too early. [RT #15499]
6636 1922. [bug] check-tool.c:setup_logging() missing call to
6637 dns_log_setcontext().
6639 1921. [bug] Client memory contexts were not using internal
6642 1920. [bug] The cache rbtdb lock array was too small to
6643 have the desired performance characteristics.
6646 1919. [contrib] queryperf: a set of new features: collecting/printing
6647 response delays, printing intermediate results, and
6648 adjusting query rate for the "target" qps.
6650 1918. [bug] Memory leak when checking acls. [RT #15391]
6652 1917. [doc] funcsynopsisinfo wasn't being treated as verbatim
6653 when generating man pages. [RT #15385]
6655 1916. [func] Integrate contributed IDN code from JPNIC. [RT #15383]
6657 1915. [bug] dig +ndots was broken. [RT #15215]
6659 1914. [protocol] DS is required to accept mnemonic algorithms
6660 (RFC 4034). Still emit numeric algorithms for
6661 compatibility with RFC 3658. [RT #15354]
6663 1913. [func] Integrate contributed DLZ code into named. [RT #11382]
6665 1912. [port] aix: atomic locking for powerpc. [RT #15020]
6667 1911. [bug] Update windows socket code. [RT #14965]
6669 1910. [bug] dig's +sigchase code overhauled. [RT #14933]
6671 1909. [bug] The DLV code has been re-worked to make no longer
6672 query order sensitive. [RT #14933]
6674 1908. [func] dig now warns if 'RA' is not set in the answer when
6675 'RD' was set in the query. host/nslookup skip servers
6676 that fail to set 'RA' when 'RD' is set unless a server
6677 is explicitly set. [RT #15005]
6679 1907. [func] host/nslookup now continue (default)/fail on SERVFAIL.
6682 1906. [func] dig now has a '-q queryname' and '+showsearch' options.
6685 1905. [bug] Strings returned from cfg_obj_asstring() should be
6686 treated as read-only. The prototype for
6687 cfg_obj_asstring() has been updated to reflect this.
6690 1904. [func] Automatic empty zone creation for D.F.IP6.ARPA and
6691 friends. Note: RFC 1918 zones are not yet covered by
6692 this but are likely to be in a future release.
6694 New options: empty-server, empty-contact,
6695 empty-zones-enable and disable-empty-zone.
6697 1903. [func] ISC string copy API.
6699 1902. [func] Attempt to make the amount of work performed in a
6700 iteration self tuning. The covers nodes clean from
6701 the cache per iteration, nodes written to disk when
6702 rewriting a master file and nodes destroyed per
6703 iteration when destroying a zone or a cache.
6706 1901. [cleanup] Don't add DNSKEY records to the additional section.
6708 1900. [bug] ixfr-from-differences failed to ensure that the
6709 serial number increased. [RT #15036]
6711 1899. [func] named-checkconf now validates update-policy entries.
6714 1898. [bug] Extend ISC_SOCKADDR_FORMATSIZE and
6715 ISC_NETADDR_FORMATSIZE to allow for scope details.
6717 1897. [func] x86 and x86_64 now have separate atomic locking
6720 1896. [bug] Recursive clients soft quota support wasn't working
6721 as expected. [RT #15103]
6723 1895. [bug] A escaped character is, potentially, converted to
6724 the output character set too early. [RT #14666]
6726 1894. [doc] Review ARM for BIND 9.4.
6728 1893. [port] Use uintptr_t if available. [RT #14606]
6730 1892. [func] Support for SPF rdata type. [RT #15033]
6732 1891. [port] freebsd: pthread_mutex_init can fail if it runs out
6733 of memory. [RT #14995]
6735 1890. [func] Raise the UDP receive buffer size to 32k if it is
6736 less than 32k. [RT #14953]
6738 1889. [port] sunos: non blocking i/o support. [RT #14951]
6740 1888. [func] Support for IPSECKEY rdata type. [RT #14967]
6742 1887. [bug] The cache could delete expired records too fast for
6743 clients with a virtual time in the past. [RT #14991]
6745 1886. [bug] fctx_create() could return success even though it
6748 1885. [func] dig: report the number of extra bytes still left in
6749 the packet after processing all the records.
6751 1884. [cleanup] dighost.c: move external declarations into <dig/dig.h>.
6753 1883. [bug] dnssec-signzone, dnssec-keygen: handle negative debug
6756 1882. [func] Limit the number of recursive clients that can be
6757 waiting for a single query (<qname,qtype,qclass>) to
6758 resolve. New options clients-per-query and
6759 max-clients-per-query.
6761 1881. [func] Add a system test for named-checkconf. [RT #14931]
6763 1880. [func] The lame cache is now done on a <qname,qclass,qtype>
6764 basis as some servers only appear to be lame for
6765 certain query types. [RT #14916]
6767 1879. [func] "USE INTERNAL MALLOC" is now runtime selectable.
6770 1878. [func] Detect duplicates of UDP queries we are recursing on
6771 and drop them. New stats category "duplicate".
6774 1877. [bug] Fix unreasonably low quantum on call to
6775 dns_rbt_destroy2(). Remove unnecessary unhash_node()
6778 1876. [func] Additional memory debugging support to track size
6779 and mctx arguments. [RT #14814]
6781 1875. [bug] process_dhtkey() was using the wrong memory context
6782 to free some memory. [RT #14890]
6784 1874. [port] sunos: portability fixes. [RT #14814]
6786 1873. [port] win32: isc__errno2result() now reports its caller.
6789 1872. [port] win32: Handle ERROR_NETNAME_DELETED. [RT #13753]
6793 1870. [func] Added framework for handling multiple EDNS versions.
6796 1869. [func] dig can now specify the EDNS version when making
6797 a query. [RT #14873]
6799 1868. [func] edns-udp-size can now be overridden on a per
6800 server basis. [RT #14851]
6802 1867. [bug] It was possible to trigger a INSIST in
6803 dlv_validatezonekey(). [RT #14846]
6805 1866. [bug] resolv.conf parse errors were being ignored by
6806 dig/host/nslookup. [RT #14841]
6808 1865. [bug] Silently ignore nameservers in /etc/resolv.conf with
6809 bad addresses. [RT #14841]
6811 1864. [bug] Don't try the alternative transfer source if you
6812 got a answer / transfer with the main source
6813 address. [RT #14802]
6815 1863. [bug] rrset-order "fixed" error messages not complete.
6817 1862. [func] Add additional zone data constancy checks.
6818 named-checkzone has extended checking of NS, MX and
6819 SRV record and the hosts they reference.
6820 named has extended post zone load checks.
6821 New zone options: check-mx and integrity-check.
6824 1861. [bug] dig could trigger a INSIST on certain malformed
6825 responses. [RT #14801]
6827 1860. [port] solaris 2.8: hack_shutup_pthreadmutexinit was
6828 incorrectly set. [RT #14775]
6830 1859. [func] Add support for CH A record. [RT #14695]
6832 1858. [bug] The flush-zones-on-shutdown option wasn't being
6835 1857. [bug] named could trigger a INSIST() if reconfigured /
6836 reloaded too fast. [RT #14673]
6838 1856. [doc] Switch Docbook toolchain from DSSSL to XSL.
6841 1855. [bug] ixfr-from-differences was failing to detect changes
6842 of ttl due to dns_diff_subtract() was ignoring the ttl
6843 of records. [RT #14616]
6845 1854. [bug] lwres also needs to know the print format for
6846 (long long). [RT #13754]
6848 1853. [bug] Rework how DLV interacts with proveunsecure().
6851 1852. [cleanup] Remove last vestiges of dnssec-signkey and
6852 dnssec-makekeyset (removed from Makefile years ago).
6854 1851. [doc] Doxygen comment markup. [RT #11398]
6856 1850. [bug] Memory leak in lwres_getipnodebyaddr(). [RT #14591]
6858 1849. [doc] All forms of the man pages (docbook, man, html) should
6859 have consistent copyright dates.
6861 1848. [bug] Improve SMF integration. [RT #13238]
6863 1847. [bug] isc_ondestroy_init() is called too late in
6864 dns_rbtdb_create()/dns_rbtdb64_create().
6867 1846. [contrib] query-loc-0.3.0 from Stephane Bortzmeyer
6868 <bortzmeyer@nic.fr>.
6870 1845. [bug] Improve error reporting to distinguish between
6871 accept()/fcntl() and socket()/fcntl() errors.
6874 1844. [bug] inet_pton() accepted more that 4 hexadecimal digits
6875 for each 16 bit piece of the IPv6 address. The text
6876 representation of a IPv6 address has been tightened
6877 to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt).
6880 1843. [cleanup] CINCLUDES takes precedence over CFLAGS. This helps
6881 when CFLAGS contains "-I /usr/local/include"
6882 resulting in old header files being used.
6884 1842. [port] cmsg_len() could produce incorrect results on
6885 some platform. [RT #13744]
6887 1841. [bug] "dig +nssearch" now makes a recursive query to
6888 find the list of nameservers to query. [RT #13694]
6890 1840. [func] dnssec-signzone can now randomize signature end times
6891 (dnssec-signzone -j jitter). [RT #13609]
6893 1839. [bug] <isc/hash.h> was not being installed.
6895 1838. [cleanup] Don't allow Linux capabilities to be inherited.
6898 1837. [bug] Compile time option ISC_FACILITY was not effective
6899 for 'named -u <user>'. [RT #13714]
6901 1836. [cleanup] Silence compiler warnings in hash_test.c.
6903 1835. [bug] Update dnssec-signzone's usage message. [RT #13657]
6905 1834. [bug] Bad memset in rdata_test.c. [RT #13658]
6907 1833. [bug] Race condition in isc_mutex_lock_profile(). [RT #13660]
6909 1832. [bug] named fails to return BADKEY on unknown TSIG algorithm.
6912 1831. [doc] Update named-checkzone documentation. [RT #13604]
6914 1830. [bug] adb lame cache has sence of test reversed. [RT #13600]
6916 1829. [bug] win32: "pid-file none;" broken. [RT #13563]
6918 1828. [bug] isc_rwlock_init() failed to properly cleanup if it
6919 encountered a error. [RT #13549]
6921 1827. [bug] host: update usage message for '-a'. [RT #37116]
6923 1826. [bug] Missing DESTROYLOCK() in isc_mem_createx() on out
6924 of memory error. [RT #13537]
6926 1825. [bug] Missing UNLOCK() on out of memory error from in
6927 rbtdb.c:subtractrdataset(). [RT #13519]
6929 1824. [bug] Memory leak on dns_zone_setdbtype() failure.
6932 1823. [bug] Wrong macro used to check for point to point interface.
6935 1822. [bug] check-names test for RT was reversed. [RT #13382]
6939 1820. [bug] Gracefully handle acl loops. [RT #13659]
6941 1819. [bug] The validator needed to check both the algorithm and
6942 digest types of the DS to determine if it could be
6943 used to introduce a secure zone. [RT #13593]
6945 1818. [bug] 'named-checkconf -z' triggered an INSIST. [RT #13599]
6947 1817. [func] Add support for additional zone file formats for
6948 improving loading performance. The masterfile-format
6949 option in named.conf can be used to specify a
6950 non-default format. A separate command
6951 named-compilezone was provided to generate zone files
6952 in the new format. Additionally, the -I and -O options
6953 for dnssec-signzone specify the input and output
6956 1816. [port] UnixWare: failed to compile lib/isc/unix/net.c.
6959 1815. [bug] nsupdate triggered a REQUIRE if the server was set
6960 without also setting the zone and it encountered
6961 a CNAME and was using TSIG. [RT #13086]
6963 1814. [func] UNIX domain controls are now supported.
6965 1813. [func] Restructured the data locking framework using
6966 architecture dependent atomic operations (when
6967 available), improving response performance on
6968 multi-processor machines significantly.
6969 x86, x86_64, alpha, powerpc, and mips are currently
6972 1812. [port] win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect.
6975 1811. [func] Preserve the case of domain names in rdata during
6976 zone transfers. [RT #13547]
6978 1810. [bug] configure, lib/bind/configure make different default
6979 decisions about whether to do a threaded build.
6982 1809. [bug] "make distclean" failed for libbind if the platform
6985 1808. [bug] zone.c:notify_zone() contained a race condition,
6986 zone->db could change underneath it. [RT #13511]
6988 1807. [bug] When forwarding (forward only) set the active domain
6989 from the forward zone name. [RT #13526]
6991 1806. [bug] The resolver returned the wrong result when a CNAME /
6992 DNAME was encountered when fetching glue from a
6993 secure namespace. [RT #13501]
6995 1805. [bug] Pending status was not being cleared when DLV was
6998 1804. [bug] Ensure that if we are queried for glue that it fits
6999 in the additional section or TC is set to tell the
7000 client to retry using TCP. [RT #10114]
7002 1803. [bug] dnssec-signzone sometimes failed to remove old
7005 1802. [bug] Handle connection resets better. [RT #11280]
7007 1801. [func] Report differences between hints and real NS rrset
7008 and associated address records.
7010 1800. [bug] Changes #1719 allowed a INSIST to be triggered.
7013 1799. [bug] 'rndc flushname' failed to flush negative cache
7014 entries. [RT #13438]
7016 1798. [func] The server syntax has been extended to support a
7017 range of servers. [RT #11132]
7019 1797. [func] named-checkconf now check acls to verify that they
7020 only refer to existing acls. [RT #13101]
7022 1796. [func] "rndc freeze/thaw" now freezes/thaws all zones.
7024 1795. [bug] "rndc dumpdb" was not fully documented. Minor
7025 formating issues with "rndc dumpdb -all". [RT #13396]
7027 1794. [func] Named and named-checkzone can now both check for
7028 non-terminal wildcard records.
7030 1793. [func] Extend adjusting TTL warning messages. [RT #13378]
7032 1792. [func] New zone option "notify-delay". Specify a minimum
7033 delay between sets of NOTIFY messages.
7035 1791. [bug] 'host -t a' still printed out AAAA and MX records.
7038 1790. [cleanup] Move lib/dns/sec/dst up into lib/dns. This should
7039 allow parallel make to succeed.
7041 1789. [bug] Prerequisite test for tkey and dnssec could fail
7042 with "configure --with-libtool".
7044 1788. [bug] libbind9.la/libbind9.so needs to link against
7045 libisccfg.la/libisccfg.so.
7047 1787. [port] HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings.
7049 1786. [port] AIX: libt_api needs to be taught to look for
7050 T_testlist in the main executable (--with-libtool).
7053 1785. [bug] libbind9.la/libbind9.so needs to link against
7054 libisc.la/libisc.so.
7056 1784. [cleanup] "libtool -allow-undefined" is the default.
7057 Leave hooks in configure to allow it to be set
7058 if needed in the future.
7060 1783. [cleanup] We only need one copy of libtool.m4, ltmain.sh in the
7063 1782. [port] OSX: --with-libtool + --enable-libbind broke on
7064 __evOptMonoTime. [RT #13219]
7066 1781. [port] FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810]
7068 1780. [bug] Update libtool to 1.5.10.
7070 1779. [port] OSF 5.1: libtool didn't handle -pthread correctly.
7072 1778. [port] HUX 11.11: fix broken IN6ADDR_ANY_INIT and
7073 IN6ADDR_LOOPBACK_INIT macros.
7075 1777. [port] OSF 5.1: fix broken IN6ADDR_ANY_INIT and
7076 IN6ADDR_LOOPBACK_INIT macros.
7078 1776. [port] Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
7079 IN6ADDR_LOOPBACK_INIT macros.
7081 1775. [bug] Only compile getnetent_r.c when threaded. [RT #13205]
7083 1774. [port] Aix: Silence compiler warnings / build failures.
7086 1773. [bug] Fast retry on host / net unreachable. [RT #13153]
7092 1770. [bug] named-checkconf failed to report missing a missing
7093 file clause for rbt{64} master/hint zones. [RT #13009]
7095 1769. [port] win32: change compiler flags /MTd ==> /MDd,
7098 1768. [bug] nsecnoexistnodata() could be called with a non-NSEC
7099 rdataset. [RT #12907]
7101 1767. [port] Builds on IPv6 platforms without IPv6 Advanced API
7102 support for (struct in6_pktinfo) failed. [RT #13077]
7104 1766. [bug] Update the master file timestamp on successful refresh
7105 as well as the journal's timestamp. [RT #13062]
7107 1765. [bug] configure --with-openssl=auto failed. [RT #12937]
7109 1764. [bug] dns_zone_replacedb failed to emit a error message
7110 if there was no SOA record in the replacement db.
7113 1763. [func] Perform sanity checks on NS records which refer to
7114 'in zone' names. [RT #13002]
7116 1762. [bug] isc_interfaceiter_create() could return ISC_R_SUCCESS
7117 even when it failed. [RT #12995]
7119 1761. [bug] 'rndc dumpdb' didn't report unassociated entries.
7122 1760. [bug] Host / net unreachable was not penalising rtt
7123 estimates. [RT #12970]
7125 1759. [bug] Named failed to startup if the OS supported IPv6
7126 but had no IPv6 interfaces configured. [RT #12942]
7128 1758. [func] Don't send notify messages to self. [RT #12933]
7130 1757. [func] host now can turn on memory debugging flags with '-m'.
7132 1756. [func] named-checkconf now checks the logging configuration.
7135 1755. [func] allow-update is now settable at the options / view
7138 1754. [bug] We weren't always attempting to query the parent
7139 server for the DS records at the zone cut.
7142 1753. [bug] Don't serve a slave zone which has no NS records.
7145 1752. [port] Move isc_app_start() to after ns_os_daemonise()
7146 as some fork() implementations unblock the signals
7147 that are blocked by isc_app_start(). [RT #12810]
7149 1751. [bug] --enable-getifaddrs failed under linux. [RT #12867]
7151 1750. [port] lib/bind/make/rules.in:subdirs was not bash friendly.
7154 1749. [bug] 'check-names response ignore;' failed to ignore.
7157 1748. [func] dig now returns the byte count for axfr/ixfr.
7159 1747. [bug] BIND 8 compatibility: named/named-checkconf failed
7160 to parse "host-statistics-max" in named.conf.
7162 1746. [func] Make public the function to read a key file,
7163 dst_key_read_public(). [RT #12450]
7165 1745. [bug] Dig/host/nslookup accept replies from link locals
7166 regardless of scope if no scope was specified when
7167 query was sent. [RT #12745]
7169 1744. [bug] If tuple2msgname() failed to convert a tuple to
7170 a name a REQUIRE could be triggered. [RT #12796]
7172 1743. [bug] If isc_taskmgr_create() was not able to create the
7173 requested number of worker threads then destruction
7174 of the manager would trigger an INSIST() failure.
7177 1742. [bug] Deleting all records at a node then adding a
7178 previously existing record, in a single UPDATE
7179 transaction, failed to leave / regenerate the
7180 associated RRSIG records. [RT #12788]
7182 1741. [bug] Deleting all records at a node in a secure zone
7183 using a update-policy grant failed. [RT #12787]
7185 1740. [bug] Replace rbt's hash algorithm as it performed badly
7186 with certain zones. [RT #12729]
7188 NOTE: a hash context now needs to be established
7189 via isc_hash_create() if the application was not
7192 1739. [bug] dns_rbt_deletetree() could incorrectly return
7193 ISC_R_QUOTA. [RT #12695]
7195 1738. [bug] Enable overrun checking by default. [RT #12695]
7197 1737. [bug] named failed if more than 16 masters were specified.
7200 1736. [bug] dst_key_fromnamedfile() could fail to read a
7201 public key. [RT #12687]
7203 1735. [bug] 'dig +sigtrace' could die with a REQUIRE failure.
7206 1734. [cleanup] 'rndc-confgen -a -t' remove extra '/' in path.
7209 1733. [bug] Return non-zero exit status on initial load failure.
7212 1732. [bug] 'rrset-order name "*"' wasn't being applied to ".".
7215 1731. [port] darwin: relax version test in ifconfig.sh.
7218 1730. [port] Determine the length type used by the socket API.
7221 1729. [func] Improve check-names error messages.
7223 1728. [doc] Update check-names documentation.
7225 1727. [bug] named-checkzone: check-names support didn't match
7228 1726. [port] aix5: add support for aix5.
7230 1725. [port] linux: update error message on interaction of threads,
7231 capabilities and setuid support (named -u). [RT #12541]
7233 1724. [bug] Look for DNSKEY records with "dig +sigtrace".
7236 1723. [cleanup] Silence compiler warnings from t_tasks.c. [RT #12493]
7238 1722. [bug] Don't commit the journal on malformed ixfr streams.
7241 1721. [bug] Error message from the journal processing were not
7242 always identifying the relevant journal. [RT #12519]
7244 1720. [bug] 'dig +chase' did not terminate on a RFC 2308 Type 1
7245 negative response. [RT #12506]
7247 1719. [bug] named was not correctly caching a RFC 2308 Type 1
7248 negative response. [RT #12506]
7250 1718. [bug] nsupdate was not handling RFC 2308 Type 3 negative
7251 responses when looking for the zone / master server.
7254 1717. [port] solaris: ifconfig.sh did not support Solaris 10.
7255 "ifconfig.sh down" didn't work for Solaris 9.
7257 1716. [doc] named.conf(5) was being installed in the wrong
7258 location. [RT #12441]
7260 1715. [func] 'dig +trace' now randomly selects the next servers
7261 to try. Report if there is a bad delegation.
7263 1714. [bug] dig/host/nslookup were only trying the first
7264 address when a nameserver was specified by name.
7267 1713. [port] linux: extend capset failure message to say:
7268 please ensure that the capset kernel module is
7269 loaded. see insmod(8)
7271 1712. [bug] Missing FULLCHECK for "trusted-key" in dig.
7273 1711. [func] 'rndc unfreeze' has been deprecated by 'rndc thaw'.
7275 1710. [func] 'rndc notify zone [class [view]]' resend the NOTIFY
7276 messages for the specified zone. [RT #9479]
7278 1709. [port] solaris: add SMF support from Sun.
7280 1708. [cleanup] Replaced dns_fullname_hash() with dns_name_fullhash()
7281 for conformance to the name space convention. Binary
7282 backward compatibility to the old function name is
7283 provided. [RT #12376]
7285 1707. [contrib] sdb/ldap updated to version 1.0-beta.
7287 1706. [bug] 'rndc stop' failed to cause zones to be flushed
7288 sometimes. [RT #12328]
7290 1705. [func] Allow the journal's name to be changed via named.conf.
7292 1704. [port] lwres needed a snprintf() implementation for
7293 platforms without snprintf(). Add missing
7294 "#include <isc/print.h>". [RT #12321]
7296 1703. [bug] named would loop sending NOTIFY messages when it
7297 failed to receive a response. [RT #12322]
7299 1702. [bug] also-notify should not be applied to built in zones.
7302 1701. [doc] A minimal named.conf man page.
7304 1700. [func] nslookup is no longer to be treated as deprecated.
7305 Remove "deprecated" warning message. Add man page.
7307 1699. [bug] dnssec-signzone can generate "not exact" errors
7308 when resigning. [RT #12281]
7310 1698. [doc] Use reserved IPv6 documentation prefix.
7312 1697. [bug] xxx-source{,-v6} was not effective when it
7313 specified one of listening addresses and a
7314 different port than the listening port. [RT #12257]
7316 1696. [bug] dnssec-signzone failed to clean out nodes that
7317 consisted of only NSEC and RRSIG records.
7320 1695. [bug] DS records when forwarding require special handling.
7323 1694. [bug] Report if the builtin views of "_default" / "_bind"
7324 are defined in named.conf. [RT #12023]
7326 1693. [bug] max-journal-size was not effective for master zones
7327 with ixfr-from-differences set. [RT #12024]
7329 1692. [bug] Don't set -I, -L and -R flags when libcrypto is in
7330 /usr/lib. [RT #11971]
7332 1691. [bug] sdb's attachversion was not complete. [RT #11990]
7334 1690. [bug] Delay detaching view from the client until UPDATE
7335 processing completes when shutting down. [RT #11714]
7337 1689. [bug] DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros
7338 contained gratuitous semicolons. [RT #11707]
7340 1688. [bug] LDFLAGS was not supported.
7342 1687. [bug] Race condition in dispatch. [RT #10272]
7344 1686. [bug] Named sent a extraneous NOTIFY when it received a
7345 redundant UPDATE request. [RT #11943]
7347 1685. [bug] Change #1679 loop tests weren't quite right.
7349 1684. [func] ixfr-from-differences now takes master and slave in
7350 addition to yes and no at the options and view levels.
7352 1683. [bug] dig +sigchase could leak memory. [RT #11445]
7354 1682. [port] Update configure test for (long long) printf format.
7357 1681. [bug] Only set SO_REUSEADDR when a port is specified in
7358 isc_socket_bind(). [RT #11742]
7360 1680. [func] rndc: the source address can now be specified.
7362 1679. [bug] When there was a single nameserver with multiple
7363 addresses for a zone not all addresses were tried.
7366 1678. [bug] RRSIG should use TYPEXXXXX for unknown types.
7368 1677. [bug] dig: +aaonly didn't work, +aaflag undocumented.
7370 1676. [func] New option "allow-query-cache". This lets
7371 allow-query be used to specify the default zone
7372 access level rather than having to have every
7373 zone override the global value. allow-query-cache
7374 can be set at both the options and view levels.
7375 If allow-query-cache is not set allow-query applies.
7377 1675. [bug] named would sometimes add extra NSEC records to
7378 the authority section.
7380 1674. [port] linux: increase buffer size used to scan
7383 1673. [port] linux: issue a error messages if IPv6 interface
7386 1672. [cleanup] Tests which only function in a threaded build
7387 now return R:THREADONLY (rather than R:UNTESTED)
7388 in a non-threaded build.
7390 1671. [contrib] queryperf: add NAPTR to the list of known types.
7392 1670. [func] Log UPDATE requests to slave zones without an acl as
7393 "disabled" at debug level 3. [RT #11657]
7397 1668. [bug] DIG_SIGCHASE was making bin/dig/host dump core.
7399 1667. [port] linux: not all versions have IF_NAMESIZE.
7401 1666. [bug] The optional port on hostnames in dual-stack-servers
7404 1665. [func] rndc now allows addresses to be set in the
7407 1664. [bug] nsupdate needed KEY for SIG(0), not DNSKEY.
7409 1663. [func] Look for OpenSSL by default.
7411 1662. [bug] Change #1658 failed to change one use of 'type'
7414 1661. [bug] Restore dns_name_concatenate() call in
7415 adb.c:set_target(). [RT #11582]
7417 1660. [bug] win32: connection_reset_fix() was being called
7418 unconditionally. [RT #11595]
7420 1659. [cleanup] Cleanup some messages that were referring to KEY vs
7421 DNSKEY, NXT vs NSEC and SIG vs RRSIG.
7423 1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5
7424 and DH. Tighten which options apply to KEY and
7427 1657. [doc] ARM: document query log output.
7429 1656. [doc] Update DNSSEC description in ARM to cover DS, NSEC
7430 DNSKEY and RRSIG. [RT #11542]
7432 1655. [bug] Logging multiple versions w/o a size was broken.
7435 1654. [bug] isc_result_totext() contained array bounds read
7438 1653. [func] Add key type checking to dst_key_fromfilename(),
7439 DST_TYPE_KEY should be used to read TSIG, TKEY and
7442 1652. [bug] TKEY still uses KEY.
7444 1651. [bug] dig: process multiple dash options.
7446 1650. [bug] dig, nslookup: flush standard out after each command.
7448 1649. [bug] Silence "unexpected non-minimal diff" message.
7451 1648. [func] Update dnssec-lookaside named.conf syntax to support
7452 multiple dnssec-lookaside namespaces (not yet
7455 1647. [bug] It was possible trigger a INSIST when chasing a DS
7456 record that required walking back over a empty node.
7459 1646. [bug] win32: logging file versions didn't work with
7460 non-UNC filenames. [RT #11486]
7462 1645. [bug] named could trigger a REQUIRE failure if multiple
7463 masters with keys are specified.
7465 1644. [bug] Update the journal modification time after a
7466 successful refresh query. [RT #11436]
7468 1643. [bug] dns_db_closeversion() could leak memory / node
7469 references. [RT #11163]
7471 1642. [port] Support OpenSSL implementations which don't have
7472 DSA support. [RT #11360]
7474 1641. [bug] Update the check-names description in ARM. [RT #11389]
7476 1640. [bug] win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was
7477 incorrectly closing the socket. [RT #11291]
7479 1639. [func] Initial dlv system test.
7481 1638. [bug] "ixfr-from-differences" could generate a REQUIRE
7482 failure if the journal open failed. [RT #11347]
7484 1637. [bug] Node reference leak on error in addnoqname().
7486 1636. [bug] The dump done callback could get ISC_R_SUCCESS even if
7487 a error had occurred. The database version no longer
7488 matched the version of the database that was dumped.
7490 1635. [bug] Memory leak on error in query_addds().
7492 1634. [bug] named didn't supply a useful error message when it
7493 detected duplicate views. [RT #11208]
7495 1633. [bug] named should return NOTIMP to update requests to a
7496 slaves without a allow-update-forwarding acl specified.
7499 1632. [bug] nsupdate failed to send prerequisite only UPDATE
7500 messages. [RT #11288]
7502 1631. [bug] dns_journal_compact() could sometimes corrupt the
7503 journal. [RT #11124]
7505 1630. [contrib] queryperf: add support for IPv6 transport.
7507 1629. [func] dig now supports IPv6 scoped addresses with the
7508 extended format in the local-server part. [RT #8753]
7510 1628. [bug] Typo in Compaq Trucluster support. [RT #11264]
7512 1627. [bug] win32: sockets were not being closed when the
7513 last external reference was removed. [RT #11179]
7515 1626. [bug] --enable-getifaddrs was broken. [RT #11259]
7517 1625. [bug] named failed to load/transfer RFC2535 signed zones
7518 which contained CNAMES. [RT #11237]
7520 1624. [bug] zonemgr_putio() call should be locked. [RT #11163]
7522 1623. [bug] A serial number of zero was being displayed in the
7523 "sending notifies" log message when also-notify was
7526 1622. [func] probe the system to see if IPV6_(RECV)PKTINFO is
7527 available, and suppress wildcard binding if not.
7529 1621. [bug] match-destinations did not work for IPv6 TCP queries.
7532 1620. [func] When loading a zone report if it is signed. [RT #11149]
7534 1619. [bug] Missing ISC_LIST_UNLINK in end_reserved_dispatches().
7537 1618. [bug] Fencepost errors in dns_name_ishostname() and
7538 dns_name_ismailbox() could trigger a INSIST().
7540 1617. [port] win32: VC++ 6.0 support.
7542 1616. [compat] Ensure that named's version is visible in the core
7545 1615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if
7548 1614. [port] win32: silence resource limit messages. [RT #11101]
7550 1613. [bug] Builds would fail on machines w/o a if_nametoindex().
7551 Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif.
7554 1612. [bug] check-names at the option/view level could trigger
7555 an INSIST. [RT #11116]
7557 1611. [bug] solaris: IPv6 interface scanning failed to cope with
7558 no active IPv6 interfaces.
7560 1610. [bug] On dual stack machines "dig -b" failed to set the
7561 address type to be looked up with "@server".
7564 1609. [func] dig now has support to chase DNSSEC signature chains.
7565 Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES.
7567 DNSSEC validation code in dig coded by Olivier Courtay
7568 (olivier.courtay@irisa.fr) for the IDsA project
7569 (http://idsa.irisa.fr).
7571 1608. [func] dig and host now accept -4/-6 to select IP transport
7572 to use when making queries.
7574 1607. [bug] dig, host and nslookup were still using random()
7575 to generate query ids. [RT #11013]
7577 1606. [bug] DLV insecurity proof was failing.
7579 1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC.
7581 1604. [bug] A xfrout_ctx_create() failure would result in
7582 xfrout_ctx_destroy() being called with a
7583 partially initialized structure.
7585 1603. [bug] nsupdate: set interactive based on isatty().
7588 1602. [bug] Logging to a file failed unless a size was specified.
7591 1601. [bug] Silence spurious warning 'both "recursion no;" and
7592 "allow-recursion" active' warning from view "_bind".
7595 1600. [bug] Duplicate zone pre-load checks were not case
7598 1599. [bug] Fix memory leak on error path when checking named.conf.
7600 1598. [func] Specify that certain parts of the namespace must
7601 be secure (dnssec-must-be-secure).
7603 1597. [func] Allow notify-source and query-source to be specified
7604 on a per server basis similar to transfer-source.
7607 1596. [func] Accept 'notify-source' style syntax for query-source.
7609 1595. [func] New notify type 'master-only'. Enable notify for
7612 1594. [bug] 'rndc dumpdb' could prevent named from answering
7613 queries while the dump was in progress. [RT #10565]
7615 1593. [bug] rndc should return "unknown command" to unknown
7616 commands. [RT #10642]
7618 1592. [bug] configure_view() could leak a dispatch. [RT #10675]
7620 1591. [bug] libbind: updated to BIND 8.4.5.
7622 1590. [port] netbsd: update thread support.
7624 1589. [func] DNSSEC lookaside validation.
7626 1588. [bug] win32: TCP sockets could become blocked. [RT #10115]
7628 1587. [bug] dns_message_settsigkey() failed to clear existing key.
7631 1586. [func] "check-names" is now implemented.
7635 1584. [bug] "make test" failed with a read only source tree.
7638 1583. [bug] Records add via UPDATE failed to get the correct trust
7641 1582. [bug] rrset-order failed to work on RRsets with more
7642 than 32 elements. [RT #10381]
7644 1581. [func] Disable DNSSEC support by default. To enable
7645 DNSSEC specify "dnssec-enable yes;" in named.conf.
7647 1580. [bug] Zone destruction on final detach takes a long time.
7650 1579. [bug] Multiple task managers could not be created.
7652 1578. [bug] Don't use CLASS E IPv4 addresses when resolving.
7655 1577. [bug] Use isc_uint32_t in ultrasparc optimizer bug
7656 workaround code. [RT #10331]
7658 1576. [bug] Race condition in dns_dispatch_addresponse().
7661 1575. [func] Log TSIG name on TSIG verify failure. [RT #4404]
7663 1574. [bug] Don't attempt to open the controls socket(s) when
7664 running tests. [RT #9091]
7666 1573. [port] linux: update to libtool 1.5.2 so that
7667 "make install DESTDIR=/xx" works with
7668 "configure --with-libtool". [RT #9941]
7670 1572. [bug] nsupdate: sign the soa query to find the enclosing
7671 zone if the server is specified. [RT #10148]
7673 1571. [bug] rbt:hash_node() could fail leaving the hash table
7674 in an inconsistent state. [RT #10208]
7676 1570. [bug] nsupdate failed to handle classes other than IN.
7677 New keyword 'class' which sets the default class.
7680 1569. [func] nsupdate new command 'answer' which displays the
7681 complete answer message to the last update.
7683 1568. [bug] nsupdate now reports that the update failed in
7684 interactive mode. [RT #10236]
7686 1567. [maint] B.ROOT-SERVERS.NET is now 192.228.79.201.
7688 1566. [port] Support for the cmsg framework on Solaris and HP/UX.
7689 This also solved the problem that match-destinations
7690 for IPv6 addresses did not work on these systems.
7693 1565. [bug] CD flag should be copied to outgoing queries unless
7694 the query is under a secure entry point in which case
7697 1564. [func] Attempt to provide a fallback entropy source to be
7698 used if named is running chrooted and named is unable
7699 to open entropy source within the chroot area.
7702 1563. [bug] Gracefully fail when unable to obtain neither an IPv4
7703 nor an IPv6 dispatch. [RT #10230]
7705 1562. [bug] isc_socket_create() and isc_socket_accept() could
7706 leak memory under error conditions. [RT #10230]
7708 1561. [bug] It was possible to release the same name twice if
7709 named ran out of memory. [RT #10197]
7711 1560. [port] FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA
7712 and EAI_NONAME to the same value.
7714 1559. [port] named should ignore SIGFSZ.
7716 1558. [func] New DNSSEC 'disable-algorithms'. Support entry into
7717 child zones for which we don't have a supported
7718 algorithm. Such child zones are treated as unsigned.
7720 1557. [func] Implement missing DNSSEC tests for
7721 * NOQNAME proof with wildcard answers.
7722 * NOWILDARD proof with NXDOMAIN.
7723 Cache and return NOQNAME with wildcard answers.
7725 1556. [bug] nsupdate now treats all names as fully qualified.
7728 1555. [func] 'rrset-order cyclic' no longer has a random starting
7729 point per query. [RT #7572]
7731 1554. [bug] dig, host, nslookup failed when no nameservers
7732 were specified in /etc/resolv.conf. [RT #8232]
7734 1553. [bug] The windows socket code could stop accepting
7735 connections. [RT #10115]
7737 1552. [bug] Accept NOTIFY requests from mapped masters if
7738 matched-mapped is set. [RT #10049]
7740 1551. [port] Open "/dev/null" before calling chroot().
7742 1550. [port] Call tzset(), if available, before calling chroot().
7744 1549. [func] named-checkzone can now write out the zone contents
7745 in a easily parsable format (-D and -o).
7747 1548. [bug] When parsing APL records it was possible to silently
7748 accept out of range ADDRESSFAMILY values. [RT #9979]
7750 1547. [bug] Named wasted memory recording duplicate lame zone
7753 1546. [bug] We were rejecting valid secure CNAME to negative
7756 1545. [bug] It was possible to leak memory if named was unable to
7757 bind to the specified transfer source and TSIG was
7758 being used. [RT #10120]
7760 1544. [bug] Named would logged a single entry to a file despite it
7761 being over the specified size limit.
7763 1543. [bug] Logging using "versions unlimited" did not work.
7767 1541. [func] NSEC now uses new bitmap format.
7769 1540. [bug] "rndc reload <dynamiczone>" was silently accepted.
7772 1539. [bug] Open UDP sockets for notify-source and transfer-source
7773 that use reserved ports at startup. [RT #9475]
7775 1538. [placeholder] rt9997
7777 1537. [func] New option "querylog". If set specify whether query
7778 logging is to be enabled or disabled at startup.
7780 1536. [bug] Windows socket code failed to log a error description
7781 when returning ISC_R_UNEXPECTED. [RT #9998]
7785 1534. [bug] Race condition when priming cache. [RT #9940]
7787 1533. [func] Warn if both "recursion no;" and "allow-recursion"
7788 are active. [RT #4389]
7790 1532. [port] netbsd: the configure test for <sys/sysctl.h>
7791 requires <sys/param.h>.
7793 1531. [port] AIX more libtool fixes.
7795 1530. [bug] It was possible to trigger a INSIST() failure if a
7796 slave master file was removed at just the correct
7799 1529. [bug] "notify explicit;" failed to log that NOTIFY messages
7800 were being sent for the zone. [RT #9442]
7802 1528. [cleanup] Simplify some dns_name_ functions based on the
7803 deprecation of bitstring labels.
7805 1527. [cleanup] Reduce the number of gettimeofday() calls without
7806 losing necessary timer granularity.
7808 1526. [func] Implemented "additional section caching (or acache)",
7809 an internal cache framework for additional section
7810 content to improve response performance. Several
7811 configuration options were provided to control the
7814 1525. [bug] dns_cache_create() could trigger a REQUIRE
7815 failure in isc_mem_put() during error cleanup.
7818 1524. [port] AIX needs to be able to resolve all symbols when
7819 creating shared libraries (--with-libtool).
7821 1523. [bug] Fix race condition in rbtdb. [RT #9189]
7823 1522. [bug] dns_db_findnode() relax the requirements on 'name'.
7826 1521. [bug] dns_view_createresolver() failed to check the
7827 result from isc_mem_create(). [RT #9294]
7829 1520. [protocol] Add SSHFP (SSH Finger Print) type.
7831 1519. [bug] dnssec-signzone:nsec_setbit() computed the wrong
7832 length of the new bitmap.
7834 1518. [bug] dns_nsec_buildrdata(), and hence dns_nsec_build(),
7835 contained a off-by-one error when working out the
7836 number of octets in the bitmap.
7838 1517. [port] Support for IPv6 interface scanning on HP/UX and
7841 1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
7843 1515. [func] Allow transfer source to be set in a server statement.
7846 1514. [bug] named: isc_hash_destroy() was being called too early.
7849 1513. [doc] Add "US" to root-delegation-only exclude list.
7851 1512. [bug] Extend the delegation-only logging to return query
7852 type, class and responding nameserver.
7854 1511. [bug] delegation-only was generating false positives
7855 on negative answers from sub-zones.
7857 1510. [func] New view option "root-delegation-only". Apply
7858 delegation-only check to all TLDs and root.
7859 Note there are some TLDs that are NOT delegation
7860 only (e.g. DE, LV, US and MUSEUM) these can be excluded
7861 from the checks by using exclude.
7863 root-delegation-only exclude {
7864 "DE"; "LV"; "US"; "MUSEUM";
7867 1509. [bug] Hint zones should accept delegation-only. Forward
7868 zone should not accept delegation-only.
7870 1508. [bug] Don't apply delegation-only checks to answers from
7873 1507. [bug] Handle BIND 8 style returns to NS queries to parents
7874 when making delegation-only checks.
7876 1506. [bug] Wrong return type for dns_view_isdelegationonly().
7878 1505. [bug] Uninitialized rdataset in sdb. [RT #8750]
7880 1504. [func] New zone type "delegation-only".
7882 1503. [port] win32: install libeay32.dll outside of system32.
7884 1502. [bug] nsupdate: adjust timeouts for UPDATE requests over TCP.
7886 1501. [func] Allow TCP queue length to be specified via
7887 named.conf, tcp-listen-queue.
7889 1500. [bug] host failed to lookup MX records. Also look up
7892 1499. [bug] isc_random need to be seeded better if arc4random()
7895 1498. [port] bsdos: 5.x support.
7899 1496. [port] test for pthread_attr_setstacksize().
7901 1495. [cleanup] Replace hash functions with universal hash.
7903 1494. [security] Turn on RSA BLINDING as a precaution.
7907 1492. [cleanup] Preserve rwlock quota context when upgrading /
7908 downgrading. [RT #5599]
7910 1491. [bug] dns_master_dump*() would produce extraneous $ORIGIN
7913 1490. [bug] Accept reading state as well as working state in
7914 ns_client_next(). [RT #6813]
7916 1489. [compat] Treat 'allow-update' on slave zones as a warning.
7919 1488. [bug] Don't override trust levels for glue addresses.
7922 1487. [bug] A REQUIRE() failure could be triggered if a zone was
7923 queued for transfer and the zone was then removed.
7926 1486. [bug] isc_print_snprintf() '%%' consumed one too many format
7927 characters. [RT #8230]
7929 1485. [bug] gen failed to handle high type values. [RT #6225]
7931 1484. [bug] The number of records reported after a AXFR was wrong.
7934 1483. [bug] dig axfr failed if the message id in the answer failed
7935 to match that in the request. Only the id in the first
7936 message is required to match. [RT #8138]
7938 1482. [bug] named could fail to start if the kernel supports
7939 IPv6 but no interfaces are configured. Similarly
7940 for IPv4. [RT #6229]
7942 1481. [bug] Refresh and stub queries failed to use masters keys
7943 if specified. [RT #7391]
7945 1480. [bug] Provide replay protection for rndc commands. Full
7946 replay protection requires both rndc and named to
7947 be updated. Partial replay protection (limited
7948 exposure after restart) is provided if just named
7951 1479. [bug] cfg_create_tuple() failed to handle out of
7952 memory cleanup. parse_list() would leak memory
7955 1478. [port] ifconfig.sh didn't account for other virtual
7956 interfaces. It now takes a optional argument
7957 to specify the first interface number. [RT #3907]
7959 1477. [bug] memory leak using stub zones and TSIG.
7963 1475. [port] Probe for old sprintf().
7965 1474. [port] Provide strtoul() and memmove() for platforms
7968 1473. [bug] create_map() and create_string() failed to handle out
7969 of memory cleanup. [RT #6813]
7971 1472. [contrib] idnkit-1.0 from JPNIC, replaces mdnkit.
7973 1471. [bug] libbind: updated to BIND 8.4.0.
7975 1470. [bug] Incorrect length passed to snprintf. [RT #5966]
7977 1469. [func] Log end of outgoing zone transfer at same level
7978 as the start of transfer is logged. [RT #4441]
7980 1468. [func] Internal zones are no longer counted for
7981 'rndc status'. [RT #4706]
7983 1467. [func] $GENERATES now supports optional class and ttl.
7985 1466. [bug] lwresd configuration errors resulted in memory
7986 and lock leaks. [RT #5228]
7988 1465. [bug] isc_base64_decodestring() and isc_base64_tobuffer()
7989 failed to check that trailing bits were zero allowing
7990 some invalid base64 strings to be accepted. [RT #5397]
7992 1464. [bug] Preserve "out of zone" data for outgoing zone
7993 transfers. [RT #5192]
7995 1463. [bug] dns_rdata_from{wire,struct}() failed to catch bad
7996 NXT bit maps. [RT #5577]
7998 1462. [bug] parse_sizeval() failed to check the token type.
8001 1461. [bug] Remove deadlock from rbtdb code. [RT #5599]
8003 1460. [bug] inet_pton() failed to reject certain malformed
8008 1458. [cleanup] sprintf() -> snprintf().
8010 1457. [port] Provide strlcat() and strlcpy() for platforms without
8013 1456. [contrib] gen-data-queryperf.py from Stephane Bortzmeyer.
8015 1455. [bug] <netaddr> missing from server grammar in
8016 doc/misc/options. [RT #5616]
8018 1454. [port] Use getifaddrs() if available for interface scanning.
8019 --disable-getifaddrs to override. Glibc currently
8020 has a getifaddrs() that does not support IPv6.
8021 Use --enable-getifaddrs=glibc to force the use of
8022 this version under linux machines.
8024 1453. [doc] ARM: $GENERATE example wasn't accurate. [RT #5298]
8028 1451. [bug] rndc-confgen didn't exit with a error code for all
8029 failures. [RT #5209]
8031 1450. [bug] Fetching expired glue failed under certain
8032 circumstances. [RT #5124]
8034 1449. [bug] query_addbestns() didn't handle running out of memory
8037 1448. [bug] Handle empty wildcards labels.
8039 1447. [bug] We were casting (unsigned int) to and from (void *).
8040 rdataset->private4 is now rdataset->privateuint4
8041 to reflect a type change.
8043 1446. [func] Implemented undocumented alternate transfer sources
8044 from BIND 8. See use-alt-transfer-source,
8045 alt-transfer-source and alt-transfer-source-v6.
8047 SECURITY: use-alt-transfer-source is ENABLED unless
8048 you are using views. This may cause a security risk
8049 resulting in accidental disclosure of wrong zone
8050 content if the master supplying different source
8051 content based on IP address. If you are not certain
8052 ISC recommends setting use-alt-transfer-source no;
8054 1445. [bug] DNS_ADBFIND_STARTATROOT broke stub zones. This has
8055 been replaced with DNS_ADBFIND_STARTATZONE which
8056 causes the search to start using the closest zone.
8058 1444. [func] dns_view_findzonecut2() allows you to specify if the
8059 cache should be searched for zone cuts.
8061 1443. [func] Masters lists can now be specified and referenced
8062 in zone masters clauses and other masters lists.
8064 1442. [func] New functions for manipulating port lists:
8065 dns_portlist_create(), dns_portlist_add(),
8066 dns_portlist_remove(), dns_portlist_match(),
8067 dns_portlist_attach() and dns_portlist_detach().
8069 1441. [func] It is now possible to tell dig to bind to a specific
8072 1440. [func] It is now possible to tell named to avoid using
8073 certain source ports (avoid-v4-udp-ports,
8074 avoid-v6-udp-ports).
8076 1439. [bug] Named could return NOERROR with certain NOTIFY
8077 failures. Return NOTAUTH if the NOTIFY zone is
8080 1438. [func] Log TSIG (if any) when logging NOTIFY requests.
8082 1437. [bug] Leave space for stdio to work in. [RT #5033]
8084 1436. [func] dns_zonemgr_resumexfrs() can be used to restart
8087 1435. [bug] zmgr_resume_xfrs() was being called read locked
8088 rather than write locked. zmgr_resume_xfrs()
8089 was not being called if the zone was being
8092 1434. [bug] "rndc reconfig" failed to initiate the initial
8093 zone transfer of new slave zones.
8095 1433. [bug] named could trigger a REQUIRE failure if it could
8096 not get a file descriptor when attempting to write
8097 a master file. [RT #4347]
8099 1432. [func] The advertised EDNS UDP buffer size can now be set
8100 via named.conf (edns-udp-size).
8102 1431. [bug] isc_print_snprintf() "%s" with precision could walk off
8103 end of argument. [RT #5191]
8105 1430. [port] linux: IPv6 interface scanning support.
8107 1429. [bug] Prevent the cache getting locked to old servers.
8111 1427. [bug] Race condition in adb with threaded build.
8115 1425. [port] linux/libbind: define __USE_MISC when testing *_r()
8116 function prototypes in netdb.h. [RT #4921]
8118 1424. [bug] EDNS version not being correctly printed.
8120 1423. [contrib] queryperf: added A6 and SRV.
8122 1422. [func] Log name/type/class when denying a query. [RT #4663]
8124 1421. [func] Differentiate updates that don't succeed due to
8125 prerequisites (unsuccessful) vs other reasons
8128 1420. [port] solaris: work around gcc optimizer bug.
8130 1419. [port] openbsd: use /dev/arandom. [RT #4950]
8132 1418. [bug] 'rndc reconfig' did not cause new slaves to load.
8134 1417. [func] ID.SERVER/CHAOS is now a built in zone.
8135 See "server-id" for how to configure.
8137 1416. [bug] Empty node should return NOERROR NODATA, not NXDOMAIN.
8140 1415. [func] DS TTL now derived from NS ttl. NXT TTL now derived
8143 1414. [func] Support for KSK flag.
8145 1413. [func] Explicitly request the (re-)generation of DS records
8146 from keysets (dnssec-signzone -g).
8148 1412. [func] You can now specify servers to be tried if a nameserver
8149 has IPv6 address and you only support IPv4 or the
8150 reverse. See dual-stack-servers.
8152 1411. [bug] empty nodes should stop wildcard matches. [RT #4802]
8154 1410. [func] Handle records that live in the parent zone, e.g. DS.
8156 1409. [bug] DS should have attribute DNS_RDATATYPEATTR_DNSSEC.
8158 1408. [bug] "make distclean" was not complete. [RT #4700]
8160 1407. [bug] lfsr incorrectly implements the shift register.
8163 1406. [bug] dispatch initializes one of the LFSR's with a incorrect
8164 polynomial. [RT #4617]
8166 1405. [func] Use arc4random() if available.
8168 1404. [bug] libbind: ns_name_ntol() could overwrite a zero length
8171 1403. [func] dnssec-signzone, dnssec-keygen, dnssec-makekeyset
8172 dnssec-signkey now report their version in the
8175 1402. [cleanup] A6 has been moved to experimental and is no longer
8178 1401. [bug] adb wasn't clearing state when the timer expired.
8180 1400. [bug] Block the addition of wildcard NS records by IXFR
8181 or UPDATE. [RT #3502]
8183 1399. [bug] Use serial number arithmetic when testing SIG
8184 timestamps. [RT #4268]
8186 1398. [doc] ARM: notify-also should have been also-notify.
8189 1397. [maint] J.ROOT-SERVERS.NET is now 192.58.128.30.
8191 1396. [func] dnssec-signzone: adjust the default signing time by
8192 1 hour to allow for clock skew.
8194 1395. [port] OpenSSL 0.9.7 defines CRYPTO_LOCK_ENGINE but doesn't
8195 have a working implementation. [RT #4079]
8197 1394. [func] It is now possible to check if a particular element is
8198 in a acl. Remove duplicate entries from the localnets
8201 1393. [port] Bind to individual IPv6 interfaces if IPV6_IPV6ONLY
8202 is not available in the kernel to prevent accidently
8203 listening on IPv4 interfaces.
8205 1392. [bug] named-checkzone: update usage.
8207 1391. [func] Add support for IPv6 scoped addresses in named.
8209 1390. [func] host now supports ixfr.
8211 1389. [bug] named could fail to rotate long log files. [RT #3666]
8213 1388. [port] irix: check for sys/sysctl.h and NET_RT_IFLIST before
8214 defining HAVE_IFLIST_SYSCTL. [RT #3770]
8216 1387. [bug] named could crash due to an access to invalid memory
8217 space (which caused an assertion failure) in
8218 incremental cleaning. [RT #3588]
8220 1386. [bug] named-checkzone -z stopped on errors in a zone.
8223 1385. [bug] Setting serial-query-rate to 10 would trigger a
8226 1384. [bug] host was incompatible with BIND 8 in its exit code and
8227 in the output with the -l option. [RT #3536]
8229 1383. [func] Track the serial number in a IXFR response and log if
8230 a mismatch occurs. This is a more specific error than
8231 "not exact". [RT #3445]
8233 1382. [bug] make install failed with --enable-libbind. [RT #3656]
8235 1381. [bug] named failed to correctly process answers that
8236 contained DNAME records where the resulting CNAME
8237 resulted in a negative answer.
8239 1380. [func] 'rndc recursing' dump recursing queries to
8240 'recursing-file = "named.recursing";'.
8242 1379. [func] 'rndc status' now reports tcp and recursion quota
8245 1378. [func] Improved positive feedback for 'rndc {reload|refresh}.
8247 1377. [func] dns_zone_load{new}() now reports if the zone was
8248 loaded, queued for loading to up to date.
8250 1376. [func] New function dns_zone_logc() to log to specified
8253 1375. [func] 'rndc dumpdb' now dumps the adb cache along with the
8256 1374. [func] dns_adb_dump() now logs the lame zones associated
8259 1373. [bug] Recovery from expired glue failed under certain
8262 1372. [bug] named crashes with an assertion failure on exit when
8263 sharing the same port for listening and querying, and
8264 changing listening addresses several times. [RT #3509]
8266 1371. [bug] notify-source-v6, transfer-source-v6 and
8267 query-source-v6 with explicit addresses and using the
8268 same ports as named was listening on could interfere
8269 with named's ability to answer queries sent to those
8272 1370. [bug] dig '+[no]recurse' was incorrectly documented.
8274 1369. [bug] Adding an NS record as the lexicographically last
8275 record in a secure zone didn't work.
8277 1368. [func] remove support for bitstring labels.
8279 1367. [func] Use response times to select forwarders.
8281 1366. [contrib] queryperf usage was incomplete. Add '-h' for help.
8283 1365. [func] "localhost" and "localnets" acls now include IPv6
8284 addresses / prefixes.
8286 1364. [func] Log file name when unable to open memory statistics
8287 and dump database files. [RT #3437]
8289 1363. [func] Listen-on-v6 now supports specific addresses.
8291 1362. [bug] remove IFF_RUNNING test when scanning interfaces.
8293 1361. [func] log the reason for rejecting a server when resolving
8296 1360. [bug] --enable-libbind would fail when not built in the
8297 source tree for certain OS's.
8299 1359. [security] Support patches OpenSSL libraries.
8300 http://www.cert.org/advisories/CA-2002-23.html
8302 1358. [bug] It was possible to trigger a INSIST when debugging
8303 large dynamic updates. [RT #3390]
8305 1357. [bug] nsupdate was extremely wasteful of memory.
8307 1356. [tuning] Reduce the number of events / quantum for zone tasks.
8309 1355. [bug] Fix DNSSEC wildcard proof for CNAME/DNAME.
8311 1354. [doc] lwres man pages had illegal nroff.
8313 1353. [contrib] sdb/ldap to version 0.9.
8315 1352. [bug] dig, host, nslookup when falling back to TCP use the
8316 current search entry (if any). [RT #3374]
8318 1351. [bug] lwres_getipnodebyname() returned the wrong name
8319 when given a IPv4 literal, af=AF_INET6 and AI_MAPPED
8322 1350. [bug] dns_name_fromtext() failed to handle too many labels
8325 1349. [security] Minimum OpenSSL version now 0.9.6e (was 0.9.5a).
8326 http://www.cert.org/advisories/CA-2002-23.html
8328 1348. [port] win32: Rewrote code to use I/O Completion Ports
8329 in socket.c and eliminating a host of socket
8330 errors. Performance is enhanced.
8336 1345. [port] Use a explicit -Wformat with gcc. Not all versions
8337 include it in -Wall.
8339 1344. [func] Log if the serial number on the master has gone
8341 If you have multiple machines specified in the masters
8342 clause you may want to set 'multi-master yes;' to
8343 suppress this warning.
8345 1343. [func] Log successful notifies received (info). Adjust log
8346 level for failed notifies to notice.
8348 1342. [func] Log remote address with TCP dispatch failures.
8350 1341. [func] Allow a rate limiter to be stalled.
8352 1340. [bug] Delay and spread out the startup refresh load.
8354 1339. [func] dig, host and nslookup now use IP6.ARPA for nibble
8355 lookups. Bit string lookups are no longer attempted.
8361 1336. [func] Nibble lookups under IP6.ARPA are now supported by
8362 dns_byaddr_create(). dns_byaddr_createptrname() is
8363 deprecated, use dns_byaddr_createptrname2() instead.
8365 1335. [bug] When performing a nonexistence proof, the validator
8366 should discard parent NXTs from higher in the DNS.
8368 1334. [bug] When signing/verifying rdatasets, duplicate rdatas
8369 need to be suppressed.
8371 1333. [contrib] queryperf now reports a summary of returned
8372 rcodes (-c), rcodes are printed in mnemonic form (-v).
8374 1332. [func] Report the current serial with periodic commits when
8375 rolling forward the journal.
8377 1331. [func] Generate DNSSEC wildcard proofs.
8379 1330. [bug] When processing events (non-threaded) only allow
8380 the task one chance to use to use its quantum.
8382 1329. [func] named-checkzone will now check if nameservers that
8383 appear to be IP addresses. Available modes "fail",
8384 "warn" (default) and "ignore" the results of the
8387 1328. [bug] The validator could incorrectly verify an invalid
8390 1327. [bug] The validator would incorrectly mark data as insecure
8391 when seeing a bogus signature before a correct
8394 1326. [bug] DNAME/CNAME signatures were not being cached when
8395 validation was not being performed. [RT #3284]
8397 1325. [bug] If the tcpquota was exhausted it was possible to
8398 to trigger a INSIST() failure.
8400 1324. [port] darwin: ifconfig.sh now supports darwin.
8402 1323. [port] linux: Slackware 4.0 needs <asm/unistd.h>. [RT #3205]
8404 1322. [bug] dnssec-signzone usage message was misleading.
8406 1321. [bug] If the last RRset in a zone is glue, dnssec-signzone
8407 would incorrectly duplicate its output and sign it.
8409 1320. [doc] query-source-v6 was missing from options section.
8412 1319. [func] libbind: log attempts to exploit #1318.
8414 1318. [bug] libbind: Remote buffer overrun.
8416 1317. [port] libbind: TrueUNIX 5.1 does not like __align as a
8419 1316. [bug] libbind: gethostans() could get out of sync parsing
8420 the response if there was a very long CNAME chain.
8422 1315. [bug] Options should apply to the internal _bind view.
8424 1314. [port] Handle ECONNRESET from sendmsg() [unix].
8426 1313. [func] Query log now says if the query was signed (S) or
8427 if EDNS was used (E).
8429 1312. [func] Log TSIG key used w/ outgoing zone transfers.
8431 1311. [bug] lwres_getrrsetbyname leaked memory. [RT #3159]
8433 1310. [bug] 'rndc stop' failed to cause zones to be flushed
8434 sometimes. [RT #3157]
8436 1309. [func] Log that a zone transfer was covered by a TSIG.
8438 1308. [func] DS (delegation signer) support.
8440 1307. [bug] nsupdate: allow white space base64 key data.
8442 1306. [bug] Badly encoded LOC record when the size, horizontal
8443 precision or vertical precision was 0.1m.
8445 1305. [bug] Document that internal zones are included in the
8446 rndc status results.
8448 1304. [func] New function: dns_zone_name().
8450 1303. [func] Option 'flush-zones-on-shutdown <boolean>;'.
8452 1302. [func] Extended rndc dumpdb to support dumping of zones and
8453 view selection: 'dumpdb [-all|-zones|-cache] [view]'.
8455 1301. [func] New category 'update-security'.
8457 1300. [port] Compaq Trucluster support.
8459 1299. [bug] Set AI_ADDRCONFIG when looking up addresses
8460 via getaddrinfo() (affects dig, host, nslookup, rndc
8463 1298. [bug] The CINCLUDES macro in lib/dns/sec/dst/Makefile
8464 could be left with a trailing "\" after configure
8467 1297. [port] linux: make handling EINVAL from socket() no longer
8468 conditional on #ifdef LINUX.
8470 1296. [bug] isc_log_closefilelogs() needed to lock the log
8473 1295. [bug] isc_log_setdebuglevel() needed to lock the log
8476 1294. [func] libbind: no longer attempts bit string labels for
8477 IPv6 reverse resolution. Try IP6.ARPA then IP6.INT
8478 for nibble style resolution.
8480 1293. [func] Entropy can now be retrieved from EGDs. [RT #2438]
8482 1292. [func] Enable IPv6 support when using ioctl style interface
8483 scanning and OS supports SIOCGLIFADDR using struct
8486 1291. [func] Enable IPv6 support when using sysctl style interface
8489 1290. [func] "dig axfr" now reports the number of messages
8490 as well as the number of records.
8492 1289. [port] See if -ldl is required for OpenSSL? [RT #2672]
8494 1288. [bug] Adjusted REQUIRE's in lib/dns/name.c to better
8495 reflect written requirements.
8497 1287. [bug] REQUIRE that DNS_DBADD_MERGE only be set when adding
8498 a rdataset to a zone db in the rbtdb implementation of
8501 1286. [bug] dns_name_downcase() enforce requirement that
8502 target != NULL or name->buffer != NULL.
8504 1285. [func] lwres: probe the system to see what address families
8505 are currently in use.
8507 1284. [bug] The RTT estimate on unused servers was not aged.
8510 1283. [func] Use "dataready" accept filter if available.
8512 1282. [port] libbind: hpux 11.11 interface scanning.
8514 1281. [func] Log zone when unable to get private keys to update
8515 zone. Log zone when NXT records are missing from
8518 1280. [bug] libbind: escape '(' and ')' when converting to
8521 1279. [port] Darwin uses (unsigned long) for size_t. [RT #2590]
8523 1278. [func] dig: now supports +[no]cl +[no]ttlid.
8525 1277. [func] You can now create your own customized printing
8526 styles: dns_master_stylecreate() and
8527 dns_master_styledestroy().
8529 1276. [bug] libbind: const pointer conflicts in res_debug.c.
8531 1275. [port] libbind: hpux: treat all hpux systems as BIG_ENDIAN.
8533 1274. [bug] Memory leak in lwres_gnbarequest_parse().
8535 1273. [port] libbind: solaris: 64 bit binary compatibility.
8537 1272. [contrib] Berkeley DB 4.0 sdb implementation from
8538 Nuno Miguel Rodrigues <nmr@co.sapo.pt>.
8540 1271. [bug] "recursion available: {denied,approved}" was too
8543 1270. [bug] Check that system inet_pton() and inet_ntop() support
8546 1269. [port] Openserver: ifconfig.sh support.
8548 1268. [port] Openserver: the value FD_SETSIZE depends on whether
8549 <sys/param.h> is included or not. Be consistent.
8551 1267. [func] isc_file_openunique() now creates file using mode
8552 0666 rather than 0600.
8554 1266. [bug] ISC_LINK_INIT, ISC_LINK_UNLINK, ISC_LIST_DEQUEUE,
8555 __ISC_LINK_UNLINKUNSAFE and __ISC_LIST_DEQUEUEUNSAFE
8556 are not C++ compatible, use *_TYPE versions instead.
8558 1265. [bug] libbind: LINK_INIT and UNLINK were not compatible with
8559 C++, use LINK_INIT_TYPE and UNLINK_TYPE instead.
8563 1263. [bug] Reference after free error if dns_dispatchmgr_create()
8566 1262. [bug] ns_server_destroy() failed to set *serverp to NULL.
8568 1261. [func] libbind: ns_sign2() and ns_sign_tcp() now provide
8569 support for compressed TSIG owner names.
8571 1260. [func] libbind: res_update can now update IPv6 servers,
8572 new function res_findzonecut2().
8574 1259. [bug] libbind: get_salen() IPv6 support was broken for OSs
8577 1258. [bug] libbind: res_nametotype() and res_nametoclass() were
8580 1257. [bug] Failure to write pid-file should not be fatal on
8583 1256. [contrib] 'queryperf' now has EDNS (-e) + DNSSEC DO (-D) support.
8585 1255. [bug] When verifying that an NXT proves nonexistence, check
8586 the rcode of the message and only do the matching NXT
8587 check. That is, for NXDOMAIN responses, check that
8588 the name is in the range between the NXT owner and
8589 next name, and for NOERROR NODATA responses, check
8590 that the type is not present in the NXT bitmap.
8592 1254. [func] preferred-glue option from BIND 8.3.
8594 1253. [bug] The dnssec system test failed to remove the correct
8597 1252. [bug] Dig, host and nslookup were not checking the address
8598 the answer was coming from against the address it was
8601 1251. [port] win32: a make file contained absolute version specific
8604 1250. [func] Nsupdate will report the address the update was
8607 1249. [bug] Missing masters clause was not handled gracefully.
8610 1248. [bug] DESTDIR was not being propagated between makes.
8612 1247. [bug] Don't reset the interface index for link/site local
8613 addresses. [RT #2576]
8615 1246. [func] New functions isc_sockaddr_issitelocal(),
8616 isc_sockaddr_islinklocal(), isc_netaddr_issitelocal()
8617 and isc_netaddr_islinklocal().
8619 1245. [bug] Treat ENOBUFS, ENOMEM and ENFILE as soft errors for
8622 1244. [bug] Receiving a TCP message from a blackhole address would
8623 prevent further messages being received over that
8626 1243. [bug] It was possible to trigger a REQUIRE() in
8627 dns_message_findtype(). [RT #2659]
8629 1242. [bug] named-checkzone failed if a journal existed. [RT #2657]
8631 1241. [bug] Drop received UDP messages with a zero source port
8632 as these are invariably forged. [RT #2621]
8634 1240. [bug] It was possible to leak zone references by
8635 specifying an incorrect zone to rndc.
8637 1239. [bug] Under certain circumstances named could continue to
8638 use a name after it had been freed triggering
8639 INSIST() failures. [RT #2614]
8641 1238. [bug] It is possible to lockup the server when shutting down
8642 if notifies were being processed. [RT #2591]
8644 1237. [bug] nslookup: "set q=type" failed.
8646 1236. [bug] dns_rdata{class,type}_fromtext() didn't handle non
8647 NULL terminated text regions. [RT #2588]
8649 1235. [func] Report 'out of memory' errors from openssl.
8651 1234. [bug] contrib/sdb: 'zonetodb' failed to call
8652 dns_result_register(). DNS_R_SEENINCLUDE should not
8655 1233. [bug] The flags field of a KEY record can be expressed in
8656 hex as well as decimal.
8658 1232. [bug] unix/errno2result() didn't handle EADDRNOTAVAIL.
8660 1231. [port] HPUX 11.11 recvmsg() can return spurious EADDRNOTAVAIL.
8662 1230. [bug] isccc_cc_isreply() and isccc_cc_isack() were broken.
8664 1229. [bug] named would crash if it received a TSIG signed
8665 query as part of an AXFR response. [RT #2570]
8667 1228. [bug] 'make install' did not depend on 'make all'. [RT #2559]
8669 1227. [bug] dns_lex_getmastertoken() now returns ISC_R_BADNUMBER
8670 if a number was expected and some other token was
8673 1226. [func] Use EDNS for zone refresh queries. [RT #2551]
8675 1225. [func] dns_message_setopt() no longer requires that
8676 dns_message_renderbegin() to have been called.
8678 1224. [bug] 'rrset-order' and 'sortlist' should be additive
8681 1223. [func] 'rrset-order' partially works 'cyclic' and 'random'
8684 1222. [bug] Specifying 'port *' did not always result in a system
8685 selected (non-reserved) port being used. [RT #2537]
8687 1221. [bug] Zone types 'master', 'slave' and 'stub' were not being
8688 compared case insensitively. [RT #2542]
8690 1220. [func] Support for APL rdata type.
8692 1219. [func] Named now reports the TSIG extended error code when
8693 signature verification fails. [RT #1651]
8695 1218. [bug] Named incorrectly returned SERVFAIL rather than
8696 NOTAUTH when there was a TSIG BADTIME error. [RT #2519]
8698 1217. [func] Report locations of previous key definition when a
8699 duplicate is detected.
8701 1216. [bug] Multiple server clauses for the same server were not
8702 reported. [RT #2514]
8704 1215. [port] solaris: add support to ifconfig.sh for x86 2.5.1
8706 1214. [bug] Win32: isc_file_renameunique() could leave zero length
8709 1213. [func] Report view associated with client if it is not a
8710 standard view (_default or _bind).
8712 1212. [port] libbind: 64k answer buffers were causing stack space
8713 to be exceeded for certain OS. Use heap space instead.
8715 1211. [bug] dns_name_fromtext() incorrectly handled certain
8716 valid octal bitlabels. [RT #2483]
8718 1210. [bug] libbind: getnameinfo() failed to lookup IPv4 mapped /
8719 compatible addresses. [RT #2461]
8721 1209. [bug] Dig, host, nslookup were not checking the message ids
8722 on the responses. [RT #2454]
8724 1208. [bug] dns_master_load*() failed to log a error message if
8725 an error was detected when parsing the owner name of
8726 a record. [RT #2448]
8728 1207. [bug] libbind: getaddrinfo() could call freeaddrinfo() with
8731 1206. [bug] SERVFAIL and NOTIMP responses to an EDNS query should
8732 trigger a non-EDNS retry.
8734 1205. [bug] OPT, TSIG and TKEY cannot be used to set the "class"
8735 of the message. [RT #2449]
8737 1204. [bug] libbind: res_nupdate() failed to update the name
8738 server addresses before sending the update.
8740 1203. [func] Report locations of previous acl and zone definitions
8741 when a duplicate is detected.
8743 1202. [func] New functions: cfg_obj_line() and cfg_obj_file().
8745 1201. [bug] Require that if 'callbacks' is passed to
8746 dns_rdata_fromtext(), callbacks->error and
8747 callbacks->warn are initialized.
8749 1200. [bug] Log 'errno' that we are unable to convert to
8750 isc_result_t. [RT #2404]
8752 1199. [doc] ARM reference to RFC 2157 should have been RFC 1918.
8755 1198. [bug] OPT printing style was not consistent with the way the
8756 header fields are printed. The DO bit was not reported
8757 if set. Report if any of the MBZ bits are set.
8759 1197. [bug] Attempts to define the same acl multiple times were not
8762 1196. [contrib] update mdnkit to 2.2.3.
8764 1195. [bug] Attempts to redefine builtin acls should be caught.
8767 1194. [bug] Not all duplicate zone definitions were being detected
8768 at the named.conf checking stage. [RT #2431]
8770 1193. [bug] dig +besteffort parsing didn't handle packet
8771 truncation. dns_message_parse() has new flag
8772 DNS_MESSAGE_IGNORETRUNCATION.
8774 1192. [bug] The seconds fields in LOC records were restricted
8775 to three decimal places. More decimal places should
8776 be allowed but warned about.
8778 1191. [bug] A dynamic update removing the last non-apex name in
8779 a secure zone would fail. [RT #2399]
8781 1190. [func] Add the "rndc freeze" and "rndc unfreeze" commands.
8784 1189. [bug] On some systems, malloc(0) returns NULL, which
8785 could cause the caller to report an out of memory
8788 1188. [bug] Dynamic updates of a signed zone would fail if
8789 some of the zone private keys were unavailable.
8791 1187. [bug] named was incorrectly returning DNSSEC records
8792 in negative responses when the DO bit was not set.
8794 1186. [bug] isc_hex_tobuffer(,,length = 0) failed to unget the
8795 EOL token when reading to end of line.
8797 1185. [bug] libbind: don't assume statp->_u._ext.ext is valid
8798 unless RES_INIT is set when calling res_*init().
8800 1184. [bug] libbind: call res_ndestroy() if RES_INIT is set
8801 when res_*init() is called.
8803 1183. [bug] Handle ENOSR error when writing to the internal
8804 control pipe. [RT #2395]
8806 1182. [bug] The server could throw an assertion failure when
8807 constructing a negative response packet.
8809 1181. [func] Add the "key-directory" configuration statement,
8810 which allows the server to look for online signing
8811 keys in alternate directories.
8813 1180. [func] dnssec-keygen should always generate keys with
8814 protocol 3 (DNSSEC), since it's less confusing
8817 1179. [func] Add SIG(0) support to nsupdate.
8819 1178. [bug] Follow and cache (if appropriate) A6 and other
8820 data chains to completion in the additional section.
8822 1177. [func] Report view when loading zones if it is not a
8823 standard view (_default or _bind). [RT #2270]
8825 1176. [doc] Document that allow-v6-synthesis is only performed
8826 for clients that are supplied recursive service.
8829 1175. [bug] named-checkzone and named-checkconf failed to call
8830 dns_result_register() at startup which could
8831 result in runtime exceptions when printing
8832 "out of memory" errors. [RT #2335]
8834 1174. [bug] Win32: add WSAECONNRESET to the expected errors
8835 from connect(). [RT #2308]
8837 1173. [bug] Potential memory leaks in isc_log_create() and
8838 isc_log_settag(). [RT #2336]
8840 1172. [doc] Add CERT, GPOS, KX, NAPTR, NSAP, PX and TXT to
8841 table of RR types in ARM.
8843 1171. [func] Added function isc_region_compare(), updated files in
8844 lib/dns to use this function instead of local one.
8846 1170. [bug] Don't attempt to print the token when a I/O error
8847 occurs when parsing named.conf. [RT #2275]
8849 1169. [func] Identify recursive queries in the query log.
8851 1168. [bug] Empty also-notify clauses were not handled. [RT #2309]
8853 1167. [contrib] nslint-2.1a3 (from author).
8855 1166. [bug] "Not Implemented" should be reported as NOTIMP,
8856 not NOTIMPL. [RT #2281]
8858 1165. [bug] We were rejecting notify-source{-v6} in zone clauses.
8860 1164. [bug] Empty masters clauses in slave / stub zones were not
8861 handled gracefully. [RT #2262]
8863 1163. [func] isc_time_formattimestamp() now includes the year.
8865 1162. [bug] The allow-notify option was not accepted in slave
8868 1161. [bug] named-checkzone looped on unbalanced brackets.
8871 1160. [bug] Generating Diffie-Hellman keys longer than 1024
8872 bits could fail. [RT #2241]
8874 1159. [bug] MD and MF are not permitted to be loaded by RFC1123.
8876 1158. [func] Report the client's address when logging notify
8879 1157. [func] match-clients and match-destinations now accept
8882 1156. [port] The configure test for strsep() incorrectly
8883 succeeded on certain patched versions of
8884 AIX 4.3.3. [RT #2190]
8886 1155. [func] Recover from master files being removed from under
8889 1154. [bug] Don't attempt to obtain the netmask of a interface
8890 if there is no address configured. [RT #2176]
8892 1153. [func] 'rndc {stop|halt} -p' now reports the process id
8893 of the instance of named being shutdown.
8895 1152. [bug] libbind: read buffer overflows.
8897 1151. [bug] nslookup failed to check that the arguments to
8898 the port, timeout, and retry options were
8899 valid integers and in range. [RT #2099]
8901 1150. [bug] named incorrectly accepted TTL values
8902 containing plus or minus signs, such as
8905 1149. [func] New function isc_parse_uint32().
8907 1148. [func] 'rndc-confgen -a' now provides positive feedback.
8909 1147. [func] Set IPV6_V6ONLY on IPv6 sockets if supported by
8910 the OS. listen-on-v6 { any; }; should no longer
8911 result in IPv4 queries be accepted. Similarly
8912 control { inet :: ... }; should no longer result
8913 in IPv4 connections being accepted. This can be
8914 overridden at compile time by defining
8917 1146. [func] Allow IPV6_IPV6ONLY to be set/cleared on a socket if
8918 supported by the OS by a new function
8919 isc_socket_ipv6only().
8921 1145. [func] "host" no longer reports a NOERROR/NODATA response
8922 by printing nothing. [RT #2065]
8924 1144. [bug] rndc-confgen would crash if both the -a and -t
8925 options were specified. [RT #2159]
8927 1143. [bug] When a trusted-keys statement was present and named
8928 was built without crypto support, it would leak memory.
8930 1142. [bug] dnssec-signzone would fail to delete temporary files
8931 in some failure cases. [RT #2144]
8933 1141. [bug] When named rejected a control message, it would
8934 leak a file descriptor and memory. It would also
8935 fail to respond, causing rndc to hang.
8938 1140. [bug] rndc-confgen did not accept IPv6 addresses as arguments
8939 to the -s option. [RT #2138]
8941 1139. [func] It is now possible to flush a given name from the
8942 cache(s) via 'rndc flushname name [view]'. [RT #2051]
8944 1138. [func] It is now possible to flush a given name from the
8945 cache by calling the new function
8946 dns_cache_flushname().
8948 1137. [func] It is now possible to flush a given name from the
8949 ADB by calling the new function dns_adb_flushname().
8951 1136. [bug] CNAME records synthesized from DNAMEs did not
8952 have a TTL of zero as required by RFC2672.
8955 1135. [func] You can now override the default syslog() facility for
8956 named/lwresd at compile time. [RT #1982]
8958 1134. [bug] Multi-threaded servers could deadlock in ferror()
8959 when reloading zone files. [RT #1951, #1998]
8961 1133. [bug] IN6_IS_ADDR_LOOPBACK was not portably defined on
8962 platforms without IN6_IS_ADDR_LOOPBACK. [RT #2106]
8964 1132. [func] Improve UPDATE prerequisite failure diagnostic messages.
8966 1131. [bug] The match-destinations view option did not work with
8967 IPv6 destinations. [RT #2073, #2074]
8969 1130. [bug] Log messages reporting an out-of-range serial number
8970 did not include the out-of-range number but the
8971 following token. [RT #2076]
8973 1129. [bug] Multi-threaded servers could crash under heavy
8974 resolution load due to a race condition. [RT #2018]
8976 1128. [func] sdb drivers can now provide RR data in either text
8977 or wire format, the latter using the new functions
8978 dns_sdb_putrdata() and dns_sdb_putnamedrdata().
8980 1127. [func] rndc: If the server to contact has multiple addresses,
8983 1126. [bug] The server could access a freed event if shut
8984 down while a client start event was pending
8985 delivery. [RT #2061]
8987 1125. [bug] rndc: -k option was missing from usage message.
8990 1124. [doc] dig: +[no]dnssec, +[no]besteffort and +[no]fail
8991 are now documented. [RT #2052]
8993 1123. [bug] dig +[no]fail did not match description. [RT #2052]
8995 1122. [tuning] Resolution timeout reduced from 90 to 30 seconds.
8998 1121. [bug] The server could attempt to access a NULL zone
8999 table if shut down while resolving.
9002 1120. [bug] Errors in options were not fatal. [RT #2002]
9004 1119. [func] Added support in Win32 for NTFS file/directory ACL's
9007 1118. [bug] On multi-threaded servers, a race condition
9008 could cause an assertion failure in resolver.c
9009 during resolver shutdown. [RT #2029]
9011 1117. [port] The configure check for in6addr_loopback incorrectly
9012 succeeded on AIX 4.3 when compiling with -O2
9013 because the test code was optimized away.
9016 1116. [bug] Setting transfers in a server clause, transfers-in,
9017 or transfers-per-ns to a value greater than
9018 2147483647 disabled transfers. [RT #2002]
9020 1115. [func] Set maximum values for cleaning-interval,
9021 heartbeat-interval, interface-interval,
9022 max-transfer-idle-in, max-transfer-idle-out,
9023 max-transfer-time-in, max-transfer-time-out,
9024 statistics-interval of 28 days and
9025 sig-validity-interval of 3660 days. [RT #2002]
9027 1114. [port] Ignore more accept() errors. [RT #2021]
9029 1113. [bug] The allow-update-forwarding option was ignored
9030 when specified in a view. [RT #2014]
9034 1111. [bug] Multi-threaded servers could deadlock processing
9035 recursive queries due to a locking hierarchy
9036 violation in adb.c. [RT #2017]
9038 1110. [bug] dig should only accept valid abbreviations of +options.
9041 1109. [bug] nsupdate accepted illegal ttl values.
9043 1108. [bug] On Win32, rndc was hanging when named was not running
9044 due to failure to select for exceptional conditions
9045 in select(). [RT #1870]
9047 1107. [bug] nsupdate could catch an assertion failure if an
9048 invalid domain name was given as the argument to
9051 1106. [bug] After seeing an out of range TTL, nsupdate would
9052 treat all TTLs as out of range. [RT #2001]
9054 1105. [port] OpenUNIX 8 enable threads by default. [RT #1970]
9056 1104. [bug] Invalid arguments to the transfer-format option
9057 could cause an assertion failure. [RT #1995]
9059 1103. [port] OpenUNIX 8 support (ifconfig.sh). [RT #1970]
9061 1102. [doc] Note that query logging is enabled by directing the
9062 queries category to a channel.
9064 1101. [bug] Array bounds read error in lwres_gai_strerror.
9066 1100. [bug] libbind: DNSSEC key ids were computed incorrectly.
9068 1099. [cleanup] libbind: defining REPORT_ERRORS in lib/bind/dst caused
9069 compile time errors.
9071 1098. [bug] libbind: HMAC-MD5 key files are now mode 0600.
9073 1097. [func] libbind: RES_PRF_TRUNC for dig.
9075 1096. [func] libbind: "DNSSEC OK" (DO) support.
9077 1095. [func] libbind: resolver option: no-tld-query. disables
9078 trying unqualified as a tld. no_tld_query is also
9079 supported for FreeBSD compatibility.
9081 1094. [func] libbind: add support gcc's format string checking.
9083 1093. [doc] libbind: miscellaneous nroff fixes.
9085 1092. [bug] libbind: get*by*() failed to check if res_init() had
9088 1091. [bug] libbind: misplaced va_end().
9090 1090. [bug] libbind: dns_ho.c:add_hostent() was not returning
9091 the amount of memory consumed resulting in garbage
9092 address being returned. Alignment calculations were
9093 wasting space. We weren't suppressing duplicate
9096 1089. [func] libbind: inet_{cidr,net}_{pton,ntop}() now have IPv6
9099 1088. [port] libbind: MPE/iX C.70 (incomplete)
9101 1087. [bug] libbind: struct __res_state too large on 64 bit arch.
9103 1086. [port] libbind: sunos: old sprintf.
9105 1085. [port] libbind: solaris: sys_nerr and sys_errlist do not
9106 exist when compiling in 64 bit mode.
9108 1084. [cleanup] libbind: gai_strerror() rewritten.
9110 1083. [bug] The default control channel listened on the
9111 wildcard address, not the loopback as documented.
9114 1082. [bug] The -g option to named incorrectly caused logging
9115 to be sent to syslog in addition to stderr.
9118 1081. [bug] Multicast queries were incorrectly identified
9119 based on the source address, not the destination
9122 1080. [bug] BIND 8 compatibility: accept bare IP prefixes
9123 as the second element of a two-element top level
9124 sort list statement. [RT #1964]
9126 1079. [bug] BIND 8 compatibility: accept bare elements at top
9127 level of sort list treating them as if they were
9128 a single element list. [RT #1963]
9130 1078. [bug] We failed to correct bad tv_usec values in one case.
9133 1077. [func] Do not accept further recursive clients when
9134 the total number of recursive lookups being
9135 processed exceeds max-recursive-clients, even
9136 if some of the lookups are internally generated.
9139 1076. [bug] A badly defined global key could trigger an assertion
9140 on load/reload if views were used. [RT #1947]
9142 1075. [bug] Out-of-range network prefix lengths were not
9143 reported. [RT #1954]
9145 1074. [bug] Running out of memory in dump_rdataset() could
9146 cause an assertion failure. [RT #1946]
9148 1073. [bug] The ADB cache cleaning should also be space driven.
9151 1072. [bug] The TCP client quota could be exceeded when
9152 recursion occurred. [RT #1937]
9154 1071. [bug] Sockets listening for TCP DNS connections
9155 specified an excessive listen backlog. [RT #1937]
9157 1070. [bug] Copy DNSSEC OK (DO) to response as specified by
9158 draft-ietf-dnsext-dnssec-okbit-03.txt.
9162 1068. [bug] errno could be overwritten by catgets(). [RT #1921]
9164 1067. [func] Allow quotas to be soft, isc_quota_soft().
9166 1066. [bug] Provide a thread safe wrapper for strerror().
9169 1065. [func] Runtime support to select new / old style interface
9170 scanning using ioctls.
9172 1064. [bug] Do not shut down active network interfaces if we
9173 are unable to scan the interface list. [RT #1921]
9175 1063. [bug] libbind: "make install" was failing on IRIX.
9178 1062. [bug] If the control channel listener socket was shut
9179 down before server exit, the listener object could
9180 be freed twice. [RT #1916]
9182 1061. [bug] If periodic cache cleaning happened to start
9183 while cleaning due to reaching the configured
9184 maximum cache size was in progress, the server
9185 could catch an assertion failure. [RT #1912]
9187 1060. [func] Move refresh, stub and notify UDP retry processing
9190 1059. [func] dns_request now support will now retry UDP queries,
9191 dns_request_createvia2() and dns_request_createraw2().
9193 1058. [func] Limited lifetime ticker timers are now available,
9194 isc_timertype_limited.
9196 1057. [bug] Reloading the server after adding a "file" clause
9197 to a zone statement could cause the server to
9198 crash due to a typo in change 1016.
9200 1056. [bug] Rndc could catch an assertion failure on SIGINT due
9201 to an uninitialized variable. [RT #1908]
9203 1055. [func] Version and hostname queries can now be disabled
9204 using "version none;" and "hostname none;",
9207 1054. [bug] On Win32, cfg_categories and cfg_modules need to be
9208 exported from the libisccfg DLL.
9210 1053. [bug] Dig did not increase its timeout when receiving
9211 AXFRs unless the +time option was used. [RT #1904]
9213 1052. [bug] Journals were not being created in binary mode
9214 resulting in "journal format not recognized" error
9215 under Win32. [RT #1889]
9217 1051. [bug] Do not ignore a network interface completely just
9218 because it has a noncontiguous netmask. Instead,
9219 omit it from the localnets ACL and issue a warning.
9222 1050. [bug] Log messages reporting malformed IP addresses in
9223 address lists such as that of the forwarders option
9224 failed to include the correct error code, file
9225 name, and line number. [RT #1890]
9227 1049. [func] "pid-file none;" will disable writing a pid file.
9230 1048. [bug] Servers built with -DISC_MEM_USE_INTERNAL_MALLOC=1
9233 1047. [bug] named was incorrectly refusing all requests signed
9234 with a TSIG key derived from an unsigned TKEY
9235 negotiation with a NOERROR response. [RT #1886]
9237 1046. [bug] The help message for the --with-openssl configure
9238 option was inaccurate. [RT #1880]
9240 1045. [bug] It was possible to skip saving glue for a nameserver
9243 1044. [bug] Specifying allow-transfer, notify-source, or
9244 notify-source-v6 in a stub zone was not treated
9247 1043. [bug] Specifying a transfer-source or transfer-source-v6
9248 option in the zone statement for a master zone was
9249 not treated as an error. [RT #1876]
9251 1042. [bug] The "config" logging category did not work properly.
9254 1041. [bug] Dig/host/nslookup could catch an assertion failure
9255 on SIGINT due to an uninitialized variable. [RT #1867]
9257 1040. [bug] Multiple listen-on-v6 options with different ports
9258 were not accepted. [RT #1875]
9260 1039. [bug] Negative responses with CNAMEs in the answer section
9261 were cached incorrectly. [RT #1862]
9263 1038. [bug] In servers configured with a tkey-domain option,
9264 TKEY queries with an owner name other than the root
9265 could cause an assertion failure. [RT #1866, #1869]
9267 1037. [bug] Negative responses whose authority section contain
9268 SOA or NS records whose owner names are not equal
9269 equal to or parents of the query name should be
9270 rejected. [RT #1862]
9272 1036. [func] Silently drop requests received via multicast as
9273 long as there is no final multicast DNS standard.
9275 1035. [bug] If we respond to multicast queries (which we
9276 currently do not), respond from a unicast address
9277 as specified in RFC 1123. [RT #137]
9279 1034. [bug] Ignore the RD bit on multicast queries as specified
9280 in RFC 1123. [RT #137]
9282 1033. [bug] Always respond to requests with an unsupported opcode
9283 with NOTIMP, even if we don't have a matching view
9284 or cannot determine the class.
9286 1032. [func] hostname.bind/txt/chaos now returns the name of
9287 the machine hosting the nameserver. This is useful
9288 in diagnosing problems with anycast servers.
9290 1031. [bug] libbind.a: isc__gettimeofday() infinite recursion.
9293 1030. [bug] On systems with no resolv.conf file, nsupdate
9294 exited with an error rather than defaulting
9295 to using the loopback address. [RT #1836]
9297 1029. [bug] Some named.conf errors did not cause the loading
9298 of the configuration file to return a failure
9299 status even though they were logged. [RT #1847]
9301 1028. [bug] On Win32, dig/host/nslookup looked for resolv.conf
9302 in the wrong directory. [RT #1833]
9304 1027. [bug] RRs having the reserved type 0 should be rejected.
9309 1025. [bug] Don't use multicast addresses to resolve iterative
9312 1024. [port] Compilation failed on HP-UX 11.11 due to
9313 incompatible use of the SIOCGLIFCONF macro
9316 1023. [func] Accept hints without TTLs.
9318 1022. [bug] Don't report empty root hints as "extra data".
9321 1021. [bug] On Win32, log message timestamps were one month
9322 later than they should have been, and the server
9323 would exhibit unspecified behavior in December.
9325 1020. [bug] IXFR log messages did not distinguish between
9326 true IXFRs, AXFR-style IXFRs, and mere version
9329 1019. [bug] The value of the lame-ttl option was limited to 18000
9330 seconds, not 1800 seconds as documented. [RT #1803]
9332 1018. [bug] The default log channel was not always initialized
9333 correctly. [RT #1813]
9335 1017. [bug] When specifying TSIG keys to dig and nsupdate using
9336 the -k option, they must be HMAC-MD5 keys. [RT #1810]
9338 1016. [bug] Slave zones with no backup file were re-transferred
9339 on every server reload.
9341 1015. [bug] Log channels that had a "versions" option but no
9342 "size" option failed to create numbered log
9345 1014. [bug] Some queries would cause statistics counters to
9346 increment more than once or not at all. [RT #1321]
9348 1013. [bug] It was possible to cancel a query twice when marking
9349 a server as bogus or by having a blackhole acl.
9352 1012. [bug] The -p option to named did not behave as documented.
9354 1011. [cleanup] Removed isc_dir_current().
9356 1010. [bug] The server could attempt to execute a command channel
9357 command after initiating server shutdown, causing
9358 an assertion failure. [RT #1766]
9360 1009. [port] OpenUNIX 8 support. [RT #1728]
9362 1008. [port] libtool.m4, ltmain.sh from libtool-1.4.2.
9364 1007. [port] config.guess, config.sub from autoconf-2.52.
9366 1006. [bug] If a KEY RR was found missing during DNSSEC validation,
9367 an assertion failure could subsequently be triggered
9368 in the resolver. [RT #1763]
9370 1005. [bug] Don't copy nonzero RCODEs from request to response.
9373 1004. [port] Deal with recvfrom() returning EHOSTDOWN. [RT #1770]
9375 1003. [func] Add the +retry option to dig.
9377 1002. [bug] When reporting an unknown class name in named.conf,
9378 including the file name and line number. [RT #1759]
9380 1001. [bug] win32 socket code doio_recv was not catching a
9381 WSACONNRESET error when a client was timing out
9382 the request and closing its socket. [RT #1745]
9384 1000. [bug] BIND 8 compatibility: accept "HESIOD" as an alias
9385 for class "HS". [RT #1759]
9387 999. [func] "rndc retransfer zone [class [view]]" added.
9390 998. [func] named-checkzone now has arguments to specify the
9391 chroot directory (-t) and working directory (-w).
9394 997. [func] Add support for RSA-SHA1 keys (RFC3110).
9396 996. [func] Issue warning if the configuration filename contains
9399 995. [bug] dig, host, nslookup: using a raw IPv6 address as a
9400 target address should be fatal on a IPv4 only system.
9402 994. [func] Treat non-authoritative responses to queries for type
9403 NS as referrals even if the NS records are in the
9404 answer section, because BIND 8 servers incorrectly
9405 send them that way. This is necessary for DNSSEC
9406 validation of the NS records of a secure zone to
9407 succeed when the parent is a BIND 8 server. [RT #1706]
9409 993. [func] dig: -v now reports the version.
9411 992. [doc] dig: ~/.digrc is now documented.
9413 991. [func] Lower UDP refresh timeout messages to level
9416 990. [bug] The rndc-confgen man page was not installed.
9418 989. [bug] Report filename if $INCLUDE fails for file related
9421 988. [bug] 'additional-from-auth no;' did not work reliably
9422 in the case of queries answered from the cache.
9425 987. [bug] "dig -help" didn't show "+[no]stats".
9427 986. [bug] "dig +noall" failed to clear stats and command
9430 985. [func] Consider network interfaces to be up iff they have
9431 a nonzero IP address rather than based on the
9432 IFF_UP flag. [RT #1160]
9434 984. [bug] Multi-threading should be enabled by default on
9435 Solaris 2.7 and newer, but it wasn't.
9437 983. [func] The server now supports generating IXFR difference
9438 sequences for non-dynamic zones by comparing zone
9439 versions, when enabled using the new config
9440 option "ixfr-from-differences". [RT #1727]
9442 982. [func] If "memstatistics-file" is set in options the memory
9443 statistics will be written to it.
9445 981. [func] The dnssec tools can now take multiple '-r randomfile'
9448 980. [bug] Incoming zone transfers restarting after an error
9449 could trigger an assertion failure. [RT #1692]
9451 979. [func] Incremental master file dumping. dns_master_dumpinc(),
9452 dns_master_dumptostreaminc(), dns_dumpctx_attach(),
9453 dns_dumpctx_detach(), dns_dumpctx_cancel(),
9454 dns_dumpctx_db() and dns_dumpctx_version().
9456 978. [bug] dns_db_attachversion() had an invalid REQUIRE()
9459 977. [bug] Improve "not at top of zone" error message.
9461 976. [func] named-checkconf can now test load master zones
9462 (named-checkconf -z). [RT #1468]
9464 975. [bug] "max-cache-size default;" as a view option
9465 caused an assertion failure.
9467 974. [bug] "max-cache-size unlimited;" as a global option
9470 973. [bug] Failed to log the question name when logging:
9471 "bad zone transfer request: non-authoritative zone
9474 972. [bug] The file modification time code in zone.c was using the
9475 wrong epoch. [RT #1667]
9479 970. [func] 'max-journal-size' can now be used to set a target
9482 969. [func] dig now supports the undocumented dig 8 feature
9483 of allowing arbitrary labels, not just dotted
9484 decimal quads, with the -x option. This can be
9485 used to conveniently look up RFC2317 names as in
9486 "dig -x 10.0.0.0-127". [RT #827, #1576, #1598]
9488 968. [bug] On win32, the isc_time_now() function was unnecessarily
9489 calling strtime(). [RT #1671]
9491 967. [bug] On win32, the link for bindevt was not including the
9492 required resource file to enable the event viewer
9493 to interpret the error messages in the event log,
9498 965. [bug] Including data other than root server NS and A
9499 records in the root hint file could cause a rbtdb
9500 node reference leak. [RT #1581, #1618]
9502 964. [func] Warn if data other than root server NS and A records
9503 are found in the root hint file. [RT #1581, #1618]
9505 963. [bug] Bad ISC_LANG_ENDDECLS. [RT #1645]
9507 962. [bug] libbind: bad "#undef", don't attempt to install
9508 non-existent nlist.h. [RT #1640]
9510 961. [bug] Tried to use a IPV6 feature when ISC_PLATFORM_HAVEIPV6
9511 was not defined. [RT #1482]
9513 960. [port] liblwres failed to build on systems with support for
9514 getrrsetbyname() in the OS. [RT #1592]
9516 959. [port] On FreeBSD, determine the number of CPUs by calling
9517 sysctlbyname(). [RT #1584]
9519 958. [port] ssize_t is not available on all platforms. [RT #1607]
9521 957. [bug] sys/select.h inclusion was broken on older platforms.
9524 956. [bug] ns_g_autorndcfile changed to ns_g_keyfile
9525 in named/win32/os.c due to code changes in
9526 change #953. win32 .make file for rndc-confgen
9527 updated to add include path for os.h header.
9529 --- 9.2.0rc1 released ---
9531 955. [bug] When using views, the zone's class was not being
9532 inherited from the view's class. [RT #1583]
9534 954. [bug] When requesting AXFRs or IXFRs using dig, host, or
9535 nslookup, the RD bit should not be set as zone
9536 transfers are inherently non-recursive. [RT #1575]
9538 953. [func] The /var/run/named.key file from change #843
9539 has been replaced by /etc/rndc.key. Both
9540 named and rndc will look for this file and use
9541 it to configure a default control channel key
9542 if not already configured using a different
9543 method (rndc.conf / controls). Unlike
9544 named.key, rndc.key is not created automatically;
9545 it must be created by manually running
9548 952. [bug] The server required manual intervention to serve the
9549 affected zones if it died between creating a journal
9550 and committing the first change to it.
9552 951. [bug] CFLAGS was not passed to the linker when
9553 linking some of the test programs under
9554 bin/tests. [RT #1555].
9556 950. [bug] Explicit TTLs did not properly override $TTL
9557 due to a bug in change 834. [RT #1558]
9559 949. [bug] host was unable to print records larger than 512
9562 --- 9.2.0b2 released ---
9564 948. [port] Integrated support for building on Windows NT /
9567 947. [bug] dns_rdata_soa_t had a badly named element "mname" which
9568 was really the RNAME field from RFC1035. To avoid
9569 confusion and silent errors that would occur it the
9570 "origin" and "mname" elements were given their correct
9571 names "mname" and "rname" respectively, the "mname"
9572 element is renamed to "contact".
9574 946. [cleanup] doc/misc/options is now machine-generated from the
9575 configuration parser syntax tables, and therefore
9576 more likely to be correct.
9578 945. [func] Add the new view-specific options
9579 "match-destinations" and "match-recursive-only".
9581 944. [func] Check for expired signatures on load.
9583 943. [bug] The server could crash when receiving a command
9584 via rndc if the configuration file listed only
9585 nonexistent keys in the controls statement. [RT #1530]
9587 942. [port] libbind: GETNETBYADDR_ADDR_T was not correctly
9588 defined on some platforms.
9590 941. [bug] The configuration checker crashed if a slave
9591 zone didn't contain a masters statement. [RT #1514]
9593 940. [bug] Double zone locking failure on error path. [RT #1510]
9595 --- 9.2.0b1 released ---
9597 939. [port] Add the --disable-linux-caps option to configure for
9598 systems that manage capabilities outside of named.
9603 937. [bug] A race when shutting down a zone could trigger a
9604 INSIST() failure. [RT #1034]
9606 936. [func] Warn about IPv4 addresses that are not complete
9607 dotted quads. [RT #1084]
9609 935. [bug] inet_pton failed to reject leading zeros.
9611 934. [port] Deal with systems where accept() spuriously returns
9614 933. [bug] configure failed doing libbind on platforms not
9615 supported by BIND 8. [RT #1496]
9617 --- 9.2.0a3 released ---
9619 932. [bug] Use INSTALL_SCRIPT, not INSTALL_PROGRAM,
9620 when installing isc-config.sh.
9623 931. [bug] The controls statement only attempted to verify
9624 messages using the first key in the key list.
9627 930. [func] Query performance testing tool added as
9632 928. [bug] nsupdate would send empty update packets if the
9633 send (or empty line) command was run after
9634 another send but before any new updates or
9635 prerequisites were specified. It should simply
9636 ignore this command.
9638 927. [bug] Don't hold the zone lock for the entire dump to disk.
9641 926. [bug] The resolver could deadlock with the ADB when
9642 shutting down (multi-threaded builds only).
9645 925. [cleanup] Remove openssl from the distribution; require that
9646 --with-openssl be specified if DNSSEC is needed.
9648 924. [port] Extend support for pre-RFC2133 IPv6 implementation.
9651 923. [bug] Multiline TSIG secrets (and other multiline strings)
9652 were not accepted in named.conf. [RT #1469]
9654 922. [func] Added two new lwres_getrrsetbyname() result codes,
9655 ERR_NONAME and ERR_NODATA.
9657 921. [bug] lwres returned an incorrect error code if it received
9658 a truncated message.
9660 920. [func] Increase the lwres receive buffer size to 16K.
9665 918. [func] In nsupdate, TSIG errors are no longer treated as
9668 917. [func] New nsupdate command 'key', allowing TSIG keys to
9669 be specified in the nsupdate command stream rather
9670 than the command line.
9672 916. [bug] Specifying type ixfr to dig without specifying
9673 a serial number failed in unexpected ways.
9675 915. [func] The named-checkconf and named-checkzone programs
9676 now have a '-v' option for printing their version.
9679 914. [bug] Global 'server' statements were rejected when
9680 using views, even though they were accepted
9683 913. [bug] Cache cleaning was not sufficiently aggressive.
9686 912. [bug] Attempts to set the 'additional-from-cache' or
9687 'additional-from-auth' option to 'no' in a
9688 server with recursion enabled will now
9689 be ignored and cause a warning message.
9694 910. [port] Some pre-RFC2133 IPv6 implementations do not define
9695 IN6ADDR_ANY_INIT. [RT #1416]
9699 908. [func] New program, rndc-confgen, to simplify setting up rndc.
9701 907. [func] The ability to get entropy from either the
9702 random device, a user-provided file or from
9703 the keyboard was migrated from the DNSSEC tools
9704 to libisc as isc_entropy_usebestsource().
9706 906. [port] Separated the system independent portion of
9707 lib/isc/unix/entropy.c into lib/isc/entropy.c
9708 and added lib/isc/win32/entropy.c.
9710 905. [bug] Configuring a forward "zone" for the root domain
9711 did not work. [RT #1418]
9713 904. [bug] The server would leak memory if attempting to use
9714 an expired TSIG key. [RT #1406]
9716 903. [bug] dig should not crash when receiving a TCP packet
9719 902. [bug] The -d option was ignored if both -t and -g were also
9724 900. [bug] A config.guess update changed the system identification
9725 string of FreeBSD systems; configure and
9726 bin/tests/system/ifconfig.sh now recognize the new
9729 --- 9.2.0a2 released ---
9731 899. [bug] lib/dns/soa.c failed to compile on many platforms
9732 due to inappropriate use of a void value.
9733 [RT #1372, #1373, #1386, #1387, #1395]
9735 898. [bug] "dig" failed to set a nonzero exit status
9736 on UDP query timeout. [RT #1323]
9738 897. [bug] A config.guess update changed the system identification
9739 string of UnixWare systems; configure now recognizes
9742 896. [bug] If a configuration file is set on named's command line
9743 and it has a relative pathname, the current directory
9744 (after any possible jailing resulting from named -t)
9745 will be prepended to it so that reloading works
9746 properly even when a directory option is present.
9748 895. [func] New function, isc_dir_current(), akin to POSIX's
9751 894. [bug] When using the DNSSEC tools, a message intended to warn
9752 when the keyboard was being used because of the lack
9753 of a suitable random device was not being printed.
9755 893. [func] Removed isc_file_test() and added isc_file_exists()
9756 for the basic functionality that was being added
9757 with isc_file_test().
9761 891. [bug] Return an error when a SIG(0) signed response to
9762 an unsigned query is seen. This should actually
9763 do the verification, but it's not currently
9764 possible. [RT #1391]
9766 890. [cleanup] The man pages no longer require the mandoc macros
9767 and should now format cleanly using most versions of
9768 nroff, and HTML versions of the man pages have been
9769 added. Both are generated from DocBook source.
9771 889. [port] Eliminated blank lines before .TH in nroff man
9772 pages since they cause problems with some versions
9773 of nroff. [RT #1390]
9775 888. [bug] Don't die when using TKEY to delete a nonexistent
9776 TSIG key. [RT #1392]
9778 887. [port] Detect broken compilers that can't call static
9779 functions from inline functions. [RT #1212]
9821 866. [func] Close debug only file channels when debug is set to
9824 865. [bug] The new configuration parser did not allow
9825 the optional debug level in a "severity debug"
9826 clause of a logging channel to be omitted.
9827 This is now allowed and treated as "severity
9828 debug 1;" like it does in BIND 8.2.4, not as
9829 "severity debug 0;" like it did in BIND 9.1.
9832 864. [cleanup] Multi-threading is now enabled by default on
9833 OSF1, Solaris 2.7 and newer, AIX, IRIX, and HP-UX.
9835 863. [bug] If an error occurred while an outgoing zone transfer
9836 was starting up, the server could access a domain
9837 name that had already been freed when logging a
9838 message saying that the transfer was starting.
9841 862. [bug] Use after realloc(), non portable pointer arithmetic in
9844 861. [port] Add support for Mac OS X, by making it equivalent
9845 to Darwin. This was derived from the config.guess
9846 file shipped with Mac OS X. [RT #1355]
9848 860. [func] Drop cross class glue in zone transfers.
9850 859. [bug] Cache cleaning now won't swamp the CPU if there
9851 is a persistent over limit condition.
9853 858. [func] isc_mem_setwater() no longer requires that when the
9854 callback function is non-NULL then its hi_water
9855 argument must be greater than its lo_water argument
9856 (they can now be equal) or that they be non-zero.
9858 857. [cleanup] Use ISC_MAGIC() to define all magic numbers for
9859 structs, for our friends in EBCDIC-land.
9861 856. [func] Allow partial rdatasets to be returned in answer and
9862 authority sections to help non-TCP capable clients
9863 recover from truncation. [RT #1301]
9865 855. [bug] Stop spurious "using RFC 1035 TTL semantics" warnings.
9867 854. [bug] The config parser didn't properly handle config
9868 options that were specified in units of time other
9869 than seconds. [RT #1372]
9871 853. [bug] configure_view_acl() failed to detach existing acls.
9874 852. [bug] Handle responses from servers which do not know
9877 851. [cleanup] The obsolete support-ixfr option was not properly
9880 --- 9.2.0a1 released ---
9882 850. [bug] dns_rbt_findnode() would not find nodes that were
9883 split on a bitstring label somewhere other than in
9884 the last label of the node. [RT #1351]
9886 849. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined.
9888 848. [func] A minimum max-cache-size of two megabytes is enforced
9889 by the cache cleaner.
9891 847. [func] Added isc_file_test(), which currently only has
9892 some very basic functionality to test for the
9893 existence of a file, whether a pathname is absolute,
9894 or whether a pathname is the fundamental representation
9895 of the current directory. It is intended that this
9896 function can be expanded to test other things a
9897 programmer might want to know about a file.
9899 846. [func] A non-zero 'param' to dst_key_generate() when making an
9900 hmac-md5 key means that good entropy is not required.
9902 845. [bug] The access rights on the public file of a symmetric
9903 key are now restricted as soon as the file is opened,
9904 rather than after it has been written and closed.
9906 844. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined,
9907 just as <lwres/net.h> does.
9909 843. [func] If no controls statement is present in named.conf,
9910 or if any inet phrase of a controls statement is
9911 lacking a keys clause, then a key will be automatically
9912 generated by named and an rndc.conf-style file
9913 named named.key will be written that uses it. rndc
9914 will use this file only if its normal configuration
9915 file, or one provided on the command line, does not
9918 842. [func] 'rndc flush' now takes an optional view.
9920 841. [bug] When sdb modules were not declared threadsafe, their
9921 create and destroy functions were not serialized.
9923 840. [bug] The config file parser could print the wrong file
9924 name if an error was detected after an included file
9925 was parsed. [RT #1353]
9927 839. [func] Dump packets for which there was no view or that the
9928 class could not be determined to category "unmatched".
9930 838. [port] UnixWare 7.x.x is now suported by
9931 bin/tests/system/ifconfig.sh.
9933 837. [cleanup] Multi-threading is now enabled by default only on
9934 OSF1, Solaris 2.7 and newer, and AIX.
9936 836. [func] Upgraded libtool to 1.4.
9938 835. [bug] The dispatcher could enter a busy loop if
9939 it got an I/O error receiving on a UDP socket.
9942 834. [func] Accept (but warn about) master files beginning with
9943 an SOA record without an explicit TTL field and
9944 lacking a $TTL directive, by using the SOA MINTTL
9945 as a default TTL. This is for backwards compatibility
9946 with old versions of BIND 8, which accepted such
9947 files without warning although they are illegal
9948 according to RFC1035.
9950 833. [cleanup] Moved dns_soa_*() from <dns/journal.h> to
9951 <dns/soa.h>, and extended them to support
9952 all the integer-valued fields of the SOA RR.
9954 832. [bug] The default location for named.conf in named-checkconf
9955 should depend on --sysconfdir like it does in named.
9960 830. [func] Implement 'rndc status'.
9962 829. [bug] The DNS_R_ZONECUT result code should only be returned
9963 when an ANY query is made with DNS_DBFIND_GLUEOK set.
9964 In all other ANY query cases, returning the delegation
9967 828. [bug] The errno value from recvfrom() could be overwritten
9968 by logging code. [RT #1293]
9970 827. [bug] When an IXFR protocol error occurs, the slave
9971 should retry with AXFR.
9973 826. [bug] Some IXFR protocol errors were not detected.
9975 825. [bug] zone.c:ns_query() detached from the wrong zone
9976 reference. [RT #1264]
9978 824. [bug] Correct line numbers reported by dns_master_load().
9981 823. [func] The output of "dig -h" now goes to stdout so that it
9982 can easily be piped through "more". [RT #1254]
9984 822. [bug] Sending nxrrset prerequisites would crash nsupdate.
9987 821. [bug] The program name used when logging to syslog should
9988 be stripped of leading path components.
9991 820. [bug] Name server address lookups failed to follow
9992 A6 chains into the glue of local authoritative
9995 819. [bug] In certain cases, the resolver's attempts to
9996 restart an address lookup at the root could cause
9997 the fetch to deadlock (with itself) instead of
9998 restarting. [RT #1225]
10000 818. [bug] Certain pathological responses to ANY queries could
10001 cause an assertion failure. [RT #1218]
10003 817. [func] Adjust timeouts for dialup zone queries.
10005 816. [bug] Report potential problems with log file accessibility
10006 at configuration time, since such problems can't
10007 reliably be reported at the time they actually occur.
10009 815. [bug] If a log file was specified with a path separator
10010 character (i.e. "/") in its name and the directory
10011 did not exist, the log file's name was treated as
10012 though it were the directory name. [RT #1189]
10014 814. [bug] Socket objects left over from accept() failures
10015 were incorrectly destroyed, causing corruption
10016 of socket manager data structures.
10018 813. [bug] File descriptors exceeding FD_SETSIZE were handled
10021 812. [bug] dig sometimes printed incomplete IXFR responses
10022 due to an uninitialized variable. [RT #1188]
10024 811. [bug] Parentheses were not quoted in zone dumps. [RT #1194]
10026 810. [bug] The signer name in SIG records was not properly
10027 down-cased when signing/verifying records. [RT #1186]
10029 809. [bug] Configuring a non-local address as a transfer-source
10030 could cause an assertion failure during load.
10032 808. [func] Add 'rndc flush' to flush the server's cache.
10034 807. [bug] When setting up TCP connections for incoming zone
10035 transfers, the transfer-source port was not
10036 ignored like it should be.
10038 806. [bug] DNS_R_SEENINCLUDE was failing to propagate back up
10039 the calling stack to the zone maintenance level,
10040 causing zones to not reload when an included file was
10041 touched but the top-level zone file was not.
10043 805. [bug] When using "forward only", missing root hints should
10044 not cause queries to fail. [RT #1143]
10046 804. [bug] Attempting to obtain entropy could fail in some
10047 situations. This would be most common on systems
10048 with user-space threads. [RT #1131]
10050 803. [bug] Treat all SIG queries as if they have the CD bit set,
10051 otherwise no data will be returned [RT #749]
10053 802. [bug] DNSSEC key tags were computed incorrectly in almost
10054 all cases. [RT #1146]
10056 801. [bug] nsupdate should treat lines beginning with ';' as
10057 comments. [RT #1139]
10059 800. [bug] dnssec-signzone produced incorrect statistics for
10060 large zones. [RT #1133]
10062 799. [bug] The ADB didn't find AAAA glue in a zone unless A6
10063 glue was also present.
10065 798. [bug] nsupdate should be able to reject bad input lines
10066 and continue. [RT #1130]
10068 797. [func] Issue a warning if the 'directory' option contains
10069 a relative path. [RT #269]
10071 796. [func] When a size limit is associated with a log file,
10072 only roll it when the size is reached, not every
10073 time the log file is opened. [RT #1096]
10075 795. [func] Add the +multiline option to dig. [RT #1095]
10077 794. [func] Implement the "port" and "default-port" statements
10080 793. [cleanup] The DNSSEC tools could create filenames that were
10081 illegal or contained shell meta-characters. They
10082 now use a different text encoding of names that
10083 doesn't have these problems. [RT #1101]
10085 792. [cleanup] Replace the OMAPI command channel protocol with a
10088 791. [bug] The command channel now works over IPv6.
10090 790. [bug] Wildcards created using dynamic update or IXFR
10091 could fail to match. [RT #1111]
10093 789. [bug] The "localhost" and "localnets" ACLs did not match
10094 when used as the second element of a two-element
10097 788. [func] Add the "match-mapped-addresses" option, which
10098 causes IPv6 v4mapped addresses to be treated as
10099 IPv4 addresses for the purpose of acl matching.
10101 787. [bug] The DNSSEC tools failed to downcase domain
10102 names when mapping them into file names.
10104 786. [bug] When DNSSEC signing/verifying data, owner names were
10105 not properly down-cased.
10107 785. [bug] A race condition in the resolver could cause
10108 an assertion failure. [RT #673, #872, #1048]
10110 784. [bug] nsupdate and other programs would not quit properly
10111 if some signals were blocked by the caller. [RT #1081]
10113 783. [bug] Following CNAMEs could cause an assertion failure
10114 when either using an sdb database or under very
10117 782. [func] Implement the "serial-query-rate" option.
10119 781. [func] Avoid error packet loops by dropping duplicate FORMERR
10120 responses. [RT #1006]
10122 780. [bug] Error handling code dealing with out of memory or
10123 other rare errors could lead to assertion failures
10124 by calling functions on uninitialized names. [RT #1065]
10126 779. [func] Added the "minimal-responses" option.
10128 778. [bug] When starting cache cleaning, cleaning_timer_action()
10129 returned without first pausing the iterator, which
10130 could cause deadlock. [RT #998]
10132 777. [bug] An empty forwarders list in a zone failed to override
10133 global forwarders. [RT #995]
10135 776. [func] Improved error reporting in denied messages. [RT #252]
10139 774. [func] max-cache-size is implemented.
10141 773. [func] Added isc_rwlock_trylock() to attempt to lock without
10144 772. [bug] Owner names could be incorrectly omitted from cache
10145 dumps in the presence of negative caching entries.
10148 771. [cleanup] TSIG errors related to unsynchronized clocks
10149 are logged better. [RT #919]
10151 770. [func] Add the "edns yes_or_no" statement to the server
10154 769. [func] Improved error reporting when parsing rdata. [RT #740]
10156 768. [bug] The server did not emit an SOA when a CNAME
10157 or DNAME chain ended in NXDOMAIN in an
10158 authoritative zone.
10162 766. [bug] A few cases in query_find() could leak fname.
10163 This would trigger the mpctx->allocated == 0
10164 assertion when the server exited.
10165 [RT #739, #776, #798, #812, #818, #821, #845,
10168 765. [func] ACL names are once again case insensitive, like
10169 in BIND 8. [RT #252]
10171 764. [func] Configuration files now allow "include" directives
10172 in more places, such as inside the "view" statement.
10173 [RT #377, #728, #860]
10175 763. [func] Configuration files no longer have reserved words.
10178 762. [cleanup] The named.conf and rndc.conf file parsers have
10179 been completely rewritten.
10181 761. [bug] _REENTRANT was still defined when building with
10184 760. [contrib] Significant enhancements to the pgsql sdb driver.
10186 759. [bug] The resolver didn't turn off "avoid fetches" mode
10187 when restarting, possibly causing resolution
10188 to fail when it should not. This bug only affected
10189 platforms which support both IPv4 and IPv6. [RT #927]
10191 758. [bug] The "avoid fetches" code did not treat negative
10192 cache entries correctly, causing fetches that would
10193 be useful to be avoided. This bug only affected
10194 platforms which support both IPv4 and IPv6. [RT #927]
10196 757. [func] Log zone transfers.
10198 756. [bug] dns_zone_load() could "return" success when no master
10199 file was configured.
10201 755. [bug] Fix incorrectly formatted log messages in zone.c.
10203 754. [bug] Certain failure conditions sending UDP packets
10204 could cause the server to retry the transmission
10205 indefinitely. [RT #902]
10207 753. [bug] dig, host, and nslookup would fail to contact a
10208 remote server if getaddrinfo() returned an IPv6
10209 address on a system that doesn't support IPv6.
10212 752. [func] Correct bad tv_usec elements returned by
10215 751. [func] Log successful zone loads / transfers. [RT #898]
10217 750. [bug] A query should not match a DNAME whose trust level
10218 is pending. [RT #916]
10220 749. [bug] When a query matched a DNAME in a secure zone, the
10221 server did not return the signature of the DNAME.
10224 748. [doc] List supported RFCs in doc/misc/rfc-compliance.
10227 747. [bug] The code to determine whether an IXFR was possible
10228 did not properly check for a database that could
10229 not have a journal. [RT #865, #908]
10231 746. [bug] The sdb didn't clone rdatasets properly, causing
10232 a crash when the server followed delegations. [RT #905]
10234 745. [func] Report the owner name of records that fail
10235 semantic checks while loading.
10237 744. [bug] When returning DNS_R_CNAME or DNS_R_DNAME as the
10238 result of an ANY or SIG query, the resolver failed
10239 to setup the return event's rdatasets, causing an
10240 assertion failure in the query code. [RT #881]
10242 743. [bug] Receiving a large number of certain malformed
10243 answers could cause named to stop responding.
10248 741. [port] Support openssl-engine. [RT #709]
10250 740. [port] Handle openssl library mismatches slightly better.
10252 739. [port] Look for /dev/random in configure, rather than
10253 assuming it will be there for only a predefined
10256 738. [bug] If a non-threadsafe sdb driver supported AXFR and
10257 received an AXFR request, it would deadlock or die
10258 with an assertion failure. [RT #852]
10260 737. [port] stdtime.c failed to compile on certain platforms.
10262 736. [func] New functions isc_task_{begin,end}exclusive().
10264 735. [doc] Add BIND 4 migration notes.
10266 734. [bug] An attempt to re-lock the zone lock could occur if
10267 the server was shutdown during a zone transfer.
10270 733. [bug] Reference counts of dns_acl_t objects need to be
10271 locked but were not. [RT #801, #821]
10273 732. [bug] Glue with 0 TTL could also cause SERVFAIL. [RT #828]
10275 731. [bug] Certain zone errors could cause named-checkzone to
10276 fail ungracefully. [RT #819]
10278 730. [bug] lwres_getaddrinfo() returns the correct result when
10279 it fails to contact a server. [RT #768]
10281 729. [port] pthread_setconcurrency() needs to be called on Solaris.
10283 728. [bug] Fix comment processing on master file directives.
10286 727. [port] Work around OS bug where accept() succeeds but
10287 fails to fill in the peer address of the accepted
10288 connection, by treating it as an error rather than
10289 an assertion failure. [RT #809]
10291 726. [func] Implement the "trace" and "notrace" commands in rndc.
10293 725. [bug] Installing man pages could fail.
10295 724. [func] New libisc functions isc_netaddr_any(),
10296 isc_netaddr_any6().
10298 723. [bug] Referrals whose NS RRs had a 0 TTL caused the resolver
10299 to return DNS_R_SERVFAIL. [RT #783]
10301 722. [func] Allow incremental loads to be canceled.
10303 721. [cleanup] Load manager and dns_master_loadfilequota() are no
10306 720. [bug] Server could enter infinite loop in
10307 dispatch.c:do_cancel(). [RT #733]
10309 719. [bug] Rapid reloads could trigger an assertion failure.
10312 718. [cleanup] "internal" is no longer a reserved word in named.conf.
10315 717. [bug] Certain TKEY processing failure modes could
10316 reference an uninitialized variable, causing the
10317 server to crash. [RT #750]
10319 716. [bug] The first line of a $INCLUDE master file was lost if
10320 an origin was specified. [RT #744]
10322 715. [bug] Resolving some A6 chains could cause an assertion
10323 failure in adb.c. [RT #738]
10325 714. [bug] Preserve interval timers across reloads unless changed.
10328 713. [func] named-checkconf takes '-t directory' similar to named.
10331 712. [bug] Sending a large signed update message caused an
10332 assertion failure. [RT #718]
10334 711. [bug] The libisc and liblwres implementations of
10335 inet_ntop contained an off by one error.
10337 710. [func] The forwarders statement now takes an optional
10340 709. [bug] ANY or SIG queries for data with a TTL of 0
10341 would return SERVFAIL. [RT #620]
10343 708. [bug] When building with --with-openssl, the openssl headers
10344 included with BIND 9 should not be used. [RT #702]
10346 707. [func] The "filename" argument to named-checkzone is no
10347 longer optional, to reduce confusion. [RT #612]
10349 706. [bug] Zones with an explicit "allow-update { none; };"
10350 were considered dynamic and therefore not reloaded
10351 on SIGHUP or "rndc reload".
10353 705. [port] Work out resource limit type for use where rlim_t is
10354 not available. [RT #695]
10356 704. [port] RLIMIT_NOFILE is not available on all platforms.
10359 703. [port] sys/select.h is needed on older platforms. [RT #695]
10361 702. [func] If the address 0.0.0.0 is seen in resolv.conf,
10362 use 127.0.0.1 instead. [RT #693]
10364 701. [func] Root hints are now fully optional. Class IN
10365 views use compiled-in hints by default, as
10366 before. Non-IN views with no root hints now
10367 provide authoritative service but not recursion.
10368 A warning is logged if a view has neither root
10369 hints nor authoritative data for the root. [RT #696]
10371 700. [bug] $GENERATE range check was wrong. [RT #688]
10373 699. [bug] The lexer mishandled empty quoted strings. [RT #694]
10375 698. [bug] Aborting nsupdate with ^C would lead to several
10378 697. [bug] nsupdate was not compatible with the undocumented
10379 BIND 8 behavior of ignoring TTLs in "update delete"
10380 commands. [RT #693]
10382 696. [bug] lwresd would die with an assertion failure when passed
10383 a zero-length name. [RT #692]
10385 695. [bug] If the resolver attempted to query a blackholed or
10386 bogus server, the resolution would fail immediately.
10388 694. [bug] $GENERATE did not produce the last entry.
10391 693. [bug] An empty lwres statement in named.conf caused
10392 the server to crash while loading.
10394 692. [bug] Deal with systems that have getaddrinfo() but not
10395 gai_strerror(). [RT #679]
10397 691. [bug] Configuring per-view forwarders caused an assertion
10398 failure. [RT #675, #734]
10400 690. [func] $GENERATE now supports DNAME. [RT #654]
10402 689. [doc] man pages are now installed. [RT #210]
10404 688. [func] "make tags" now works on systems with the
10405 "Exuberant Ctags" etags.
10407 687. [bug] Only say we have IPv6, with sufficient functionality,
10408 if it has actually been tested. [RT #586]
10410 686. [bug] dig and nslookup can now be properly aborted during
10411 blocking operations. [RT #568]
10413 685. [bug] nslookup should use the search list/domain options
10414 from resolv.conf by default. [RT #405, #630]
10416 684. [bug] Memory leak with view forwarders. [RT #656]
10418 683. [bug] File descriptor leak in isc_lex_openfile().
10420 682. [bug] nslookup displayed SOA records incorrectly. [RT #665]
10422 681. [bug] $GENERATE specifying output format was broken. [RT #653]
10424 680. [bug] dns_rdata_fromstruct() mishandled options bigger
10427 679. [bug] $INCLUDE could leak memory and file descriptors on
10430 678. [bug] "transfer-format one-answer;" could trigger an assertion
10433 677. [bug] dnssec-signzone would occasionally use the wrong ttl
10434 for database operations and fail. [RT #643]
10436 676. [bug] Log messages about lame servers to category
10437 'lame-servers' rather than 'resolver', so as not
10438 to be gratuitously incompatible with BIND 8.
10440 675. [bug] TKEY queries could cause the server to leak
10443 674. [func] Allow messages to be TSIG signed / verified using
10444 a offset from the current time.
10446 673. [func] The server can now convert RFC1886-style recursive
10447 lookup requests into RFC2874-style lookups, when
10448 enabled using the new option "allow-v6-synthesis".
10450 672. [bug] The wrong time was in the "time signed" field when
10451 replying with BADTIME error.
10453 671. [bug] The message code was failing to parse a message with
10454 no question section and a TSIG record. [RT #628]
10456 670. [bug] The lwres replacements for getaddrinfo and
10457 getipnodebyname didn't properly check for the
10458 existence of the sockaddr sa_len field.
10460 669. [bug] dnssec-keygen now makes the public key file
10461 non-world-readable for symmetric keys. [RT #403]
10463 668. [func] named-checkzone now reports multiple errors in master
10466 667. [bug] On Linux, running named with the -u option and a
10467 non-world-readable configuration file didn't work.
10470 666. [bug] If a request sent by dig is longer than 512 bytes,
10473 665. [bug] Signed responses were not sent when the size of the
10474 TSIG + question exceeded the maximum message size.
10477 664. [bug] The t_tasks and t_timers module tests are now skipped
10478 when building without threads, since they require
10481 663. [func] Accept a size_spec, not just an integer, in the
10482 (unimplemented and ignored) max-ixfr-log-size option
10483 for compatibility with recent versions of BIND 8.
10486 662. [bug] dns_rdata_fromtext() failed to log certain errors.
10488 661. [bug] Certain UDP IXFR requests caused an assertion failure
10489 (mpctx->allocated == 0). [RT #355, #394, #623]
10491 660. [port] Detect multiple CPUs on HP-UX and IRIX.
10493 659. [performance] Rewrite the name compression code to be much faster.
10495 658. [cleanup] Remove all vestiges of 16 bit global compression.
10497 657. [bug] When a listen-on statement in an lwres block does not
10498 specify a port, use 921, not 53. Also update the
10499 listen-on documentation. [RT #616]
10501 656. [func] Treat an unescaped newline in a quoted string as
10502 an error. This means that TXT records with missing
10503 close quotes should have meaningful errors printed.
10505 655. [bug] Improve error reporting on unexpected eof when loading
10508 654. [bug] Origin was being forgotten in TCP retries in dig.
10511 653. [bug] +defname option in dig was reversed in sense.
10514 652. [bug] zone_saveunique() did not report the new name.
10516 651. [func] The AD bit in responses now has the meaning
10517 specified in <draft-ietf-dnsext-ad-is-secure>.
10519 650. [bug] SIG(0) records were being generated and verified
10520 incorrectly. [RT #606]
10522 649. [bug] It was possible to join to an already running fctx
10523 after it had "cloned" its events, but before it sent
10524 them. In this case, the event of the newly joined
10525 fetch would not contain the answer, and would
10526 trigger the INSIST() in fctx_sendevents(). In
10527 BIND 9.0, this bug did not trigger an INSIST(), but
10528 caused the fetch to fail with a SERVFAIL result.
10529 [RT #588, #597, #605, #607]
10531 648. [port] Add support for pre-RFC2133 IPv6 implementations.
10533 647. [bug] Resolver queries sent after following multiple
10534 referrals had excessively long retransmission
10535 timeouts due to incorrectly counting the referrals
10538 646. [bug] The UnixWare ISC_PLATFORM_FIXIN6INADDR fix in isc/net.h
10539 didn't _cleanly_ fix the problem it was trying to fix.
10541 645. [port] BSD/OS 3.0 needs pthread_init(). [RT #603]
10543 644. [bug] #622 needed more work. [RT #562]
10545 643. [bug] xfrin error messages made more verbose, added class
10546 of the zone. [RT #599]
10548 642. [bug] Break the exit_check() race in the zone module.
10551 --- 9.1.0b2 released ---
10553 641. [bug] $GENERATE caused a uninitialized link to be used.
10556 640. [bug] Memory leak in error path could cause
10557 "mpctx->allocated == 0" failure. [RT #584]
10559 639. [bug] Reading entropy from the keyboard would sometimes fail.
10562 638. [port] lib/isc/random.c needed to explicitly include time.h
10563 to get a prototype for time() when pthreads was not
10564 being used. [RT #592]
10566 637. [port] Use isc_u?int64_t instead of (unsigned) long long in
10567 lib/isc/print.c. Also allow lib/isc/print.c to
10568 be compiled even if the platform does not need it.
10571 636. [port] Shut up MSVC++ about a possible loss of precision
10572 in the ISC__BUFFER_PUTUINT*() macros. [RT #592]
10574 635. [bug] Reloading a server with a configured blackhole list
10575 would cause an assertion. [RT #590]
10577 634. [bug] A log file will completely stop being written when
10578 it reaches the maximum size in all cases, not just
10579 when versioning is also enabled. [RT #570]
10581 633. [port] Cope with rlim_t missing on BSD/OS systems. [RT #575]
10583 632. [bug] The index array of the journal file was
10584 corrupted as it was written to disk.
10586 631. [port] Build without thread support on systems without
10589 630. [bug] Locking failure in zone code. [RT #582]
10591 629. [bug] 9.1.0b1 dereferenced a null pointer and crashed
10592 when responding to a UDP IXFR request.
10594 628. [bug] If the root hints contained only AAAA addresses,
10595 named would be unable to perform resolution.
10597 627. [bug] The EDNS0 blackhole detection code of change 324
10598 waited for three retransmissions to each server,
10599 which takes much too long when a domain has many
10600 name servers and all of them drop EDNS0 queries.
10601 Now we retry without EDNS0 after three consecutive
10602 timeouts, even if they are all from different
10605 626. [bug] The lightweight resolver daemon no longer crashes
10606 when asked for a SIG rrset. [RT #558]
10608 625. [func] Zones now inherit their class from the enclosing view.
10610 624. [bug] The zone object could get timer events after it had
10611 been destroyed, causing a server crash. [RT #571]
10613 623. [func] Added "named-checkconf" and "named-checkzone" program
10614 for syntax checking named.conf files and zone files,
10617 622. [bug] A canceled request could be destroyed before
10618 dns_request_destroy() was called. [RT #562]
10620 621. [port] Disable IPv6 at runtime if IPv6 sockets are unusable.
10621 This mostly affects Red Hat Linux 7.0, which has
10622 conflicts between libc and the kernel.
10624 620. [bug] dns_master_load*inc() now require 'task' and 'load'
10625 to be non-null. Also 'done' will not be called if
10626 dns_master_load*inc() fails immediately. [RT #565]
10630 618. [bug] Queries to a signed zone could sometimes cause
10631 an assertion failure.
10633 617. [bug] When using dynamic update to add a new RR to an
10634 existing RRset with a different TTL, the journal
10635 entries generated from the update did not include
10636 explicit deletions and re-additions of the existing
10637 RRs to update their TTL to the new value.
10639 616. [func] dnssec-signzone -t output now includes performance
10642 615. [bug] dnssec-signzone did not like child keysets signed
10645 614. [bug] Checks for uninitialized link fields were prone
10646 to false positives, causing assertion failures.
10647 The checks are now disabled by default and may
10648 be re-enabled by defining ISC_LIST_CHECKINIT.
10650 613. [bug] "rndc reload zone" now reloads primary zones.
10651 It previously only updated slave and stub zones,
10652 if an SOA query indicated an out of date serial.
10654 612. [cleanup] Shutup a ridiculously noisy HP-UX compiler that
10655 complains relentlessly about how its treatment
10656 of 'const' has changed as well as how casting
10657 sometimes tightens alignment constraints.
10659 611. [func] allow-notify can be used to permit processing of
10660 notify messages from hosts other than a slave's
10663 610. [func] rndc dumpdb is now supported.
10665 609. [bug] getrrsetbyname() would crash lwresd if the server
10666 found more SIGs than answers. [RT #554]
10668 608. [func] dnssec-signzone now adds a comment to the zone
10669 with the time the file was signed.
10671 607. [bug] nsupdate would fail if it encountered a CNAME or
10672 DNAME in a response to an SOA query. [RT #515]
10674 606. [bug] Compiling with --disable-threads failed due
10675 to isc_thread_self() being incorrectly defined
10676 as an integer rather than a function.
10678 605. [func] New function isc_lex_getlasttokentext().
10680 604. [bug] The named.conf parser could print incorrect line
10681 numbers when long comments were present.
10683 603. [bug] Make dig handle multiple types or classes on the same
10684 query more correctly.
10686 602. [func] Cope automatically with UnixWare's broken
10687 IN6_IS_ADDR_* macros. [RT #539]
10689 601. [func] Return a non-zero exit code if an update fails
10692 600. [bug] Reverse lookups sometimes failed in dig, etc...
10694 599. [func] Added four new functions to the libisc log API to
10695 support i18n messages. isc_log_iwrite(),
10696 isc_log_ivwrite(), isc_log_iwrite1() and
10697 isc_log_ivwrite1() were added.
10699 598. [bug] An update-policy statement would cause the server
10700 to assert while loading. [RT #536]
10702 597. [func] dnssec-signzone is now multi-threaded.
10704 596. [bug] DNS_RDATASLAB_FORCE and DNS_RDATASLAB_EXACT are
10705 not mutually exclusive.
10707 595. [port] On Linux 2.2, socket() returns EINVAL when it
10708 should return EAFNOSUPPORT. Work around this.
10711 594. [func] sdb drivers are now assumed to not be thread-safe
10712 unless the DNS_SDBFLAG_THREADSAFE flag is supplied.
10714 593. [bug] If a secure zone was missing all its NXTs and
10715 a dynamic update was attempted, the server entered
10718 592. [bug] The sig-validity-interval option now specifies a
10719 number of days, not seconds. This matches the
10720 documentation. [RT #529]
10722 --- 9.1.0b1 released ---
10724 591. [bug] Work around non-reentrancy in openssl by disabling
10725 pre-computation in keys.
10727 590. [doc] There are now man pages for the lwres library in
10730 589. [bug] The server could deadlock if a zone was updated
10731 while being transferred out.
10733 588. [bug] ctx->in_use was not being correctly initialized when
10734 when pushing a file for $INCLUDE. [RT #523]
10736 587. [func] A warning is now printed if the "allow-update"
10737 option allows updates based on the source IP
10738 address, to alert users to the fact that this
10739 is insecure and becoming increasingly so as
10740 servers capable of update forwarding are being
10743 586. [bug] multiple views with the same name were fatal. [RT #516]
10745 585. [func] dns_db_addrdataset() and and dns_rdataslab_merge()
10746 now support 'exact' additions in a similar manner to
10747 dns_db_subtractrdataset() and dns_rdataslab_subtract().
10749 584. [func] You can now say 'notify explicit'; to suppress
10750 notification of the servers listed in NS records
10751 and notify only those servers listed in the
10752 'also-notify' option.
10754 583. [func] "rndc querylog" will now toggle logging of
10755 queries, like "ndc querylog" in BIND 8.
10757 582. [bug] dns_zone_idetach() failed to lock the zone.
10760 581. [bug] log severity was not being correctly processed.
10763 580. [func] Ignore trailing garbage on incoming DNS packets,
10764 for interoperability with broken server
10765 implementations. [RT #491]
10767 579. [bug] nsupdate did not take a filename to read update from.
10770 578. [func] New config option "notify-source", to specify the
10771 source address for notify messages.
10773 577. [func] Log illegal RDATA combinations. e.g. multiple
10774 singleton types, cname and other data.
10776 576. [doc] isc_log_create() description did not match reality.
10778 575. [bug] isc_log_create() was not setting internal state
10779 correctly to reflect the default channels created.
10781 574. [bug] TSIG signed queries sent by the resolver would fail to
10782 have their responses validated and would leak memory.
10784 573. [bug] The journal files of IXFRed slave zones were
10785 inadvertently discarded on server reload, causing
10786 "journal out of sync with zone" errors on subsequent
10789 572. [bug] Quoted strings were not accepted as key names in
10790 address match lists.
10792 571. [bug] It was possible to create an rdataset of singleton
10793 type which had more than one rdata. [RT #154]
10796 570. [bug] rbtdb.c allowed zones containing nodes which had
10797 both a CNAME and "other data". [RT #154]
10799 569. [func] The DNSSEC AD bit will not be set on queries which
10800 have not requested a DNSSEC response.
10802 568. [func] Add sample simple database drivers in contrib/sdb.
10804 567. [bug] Setting the zone transfer timeout to zero caused an
10805 assertion failure. [RT #302]
10807 566. [func] New public function dns_timer_setidle().
10809 565. [func] Log queries more like BIND 8: query logging is now
10810 done to category "queries", level "info". [RT #169]
10812 564. [func] Add sortlist support to lwresd.
10814 563. [func] New public functions dns_rdatatype_format() and
10815 dns_rdataclass_format(), for convenient formatting
10816 of rdata type/class mnemonics in log messages.
10818 562. [cleanup] Moved lib/dns/*conf.c to bin/named where they belong.
10820 561. [func] The 'datasize', 'stacksize', 'coresize' and 'files'
10821 clauses of the options{} statement are now implemented.
10823 560. [bug] dns_name_split did not properly the resulting prefix
10824 when a maximal length bitstring label was split which
10825 was preceded by another bitstring label. [RT #429]
10827 559. [bug] dns_name_split did not properly create the suffix
10828 when splitting within a maximal length bitstring label.
10830 558. [func] New functions, isc_resource_getlimit and
10831 isc_resource_setlimit.
10833 557. [func] Symbolic constants for libisc integral types.
10835 556. [func] The DNSSEC OK bit in the EDNS extended flags
10836 is now implemented. Responses to queries without
10837 this bit set will not contain any DNSSEC records.
10839 555. [bug] A slave server attempting a zone transfer could
10840 crash with an assertion failure on certain
10841 malformed responses from the master. [RT #457]
10843 554. [bug] In some cases, not all of the dnssec tools were
10844 properly installed.
10846 553. [bug] Incoming zone transfers deferred due to quota
10847 were not started when quota was increased but
10848 only when a transfer in progress finished. [RT #456]
10850 552. [bug] We were not correctly detecting the end of all c-style
10851 comments. [RT #455]
10853 551. [func] Implemented the 'sortlist' option.
10855 550. [func] Support unknown rdata types and classes.
10857 549. [bug] "make" did not immediately abort the build when a
10858 subdirectory make failed [RT #450].
10860 548. [func] The lexer now ungets tokens more correctly.
10864 546. [func] Option 'lame-ttl' is now implemented.
10866 545. [func] Name limit and counting options removed from dig;
10867 they didn't work properly, and cannot be correctly
10868 implemented without significant changes.
10870 544. [func] Add statistics option, enable statistics-file option,
10871 add RNDC option "dump-statistics" to write out a
10872 query statistics file.
10874 543. [doc] The 'port' option is now documented.
10876 542. [func] Add support for update forwarding as required for
10877 full compliance with RFC2136. It is turned off
10878 by default and can be enabled using the
10879 'allow-update-forwarding' option.
10881 541. [func] Add bogus server support.
10883 540. [func] Add dialup support.
10885 539. [func] Support the blackhole option.
10887 538. [bug] fix buffer overruns by 1 in lwres_getnameinfo().
10891 536. [func] Use transfer-source{-v6} when sending refresh queries.
10892 Transfer-source{-v6} now take a optional port
10893 parameter for setting the UDP source port. The port
10894 parameter is ignored for TCP.
10896 535. [func] Use transfer-source{-v6} when forwarding update
10899 534. [func] Ancestors have been removed from RBT chains. Ancestor
10900 information can be discerned via node parent pointers.
10902 533. [func] Incorporated name hashing into the RBT database to
10903 improve search speed.
10905 532. [func] Implement DNS UPDATE pseudo records using
10906 DNS_RDATA_UPDATE flag.
10908 531. [func] Rdata really should be initialized before being assigned
10909 to (dns_rdata_fromwire(), dns_rdata_fromtext(),
10910 dns_rdata_clone(), dns_rdata_fromregion()),
10913 530. [func] New function dns_rdata_invalidate().
10915 529. [bug] 521 contained a bug which caused zones to always
10918 528. [func] The ISC_LIST_XXXX macros now perform sanity checks
10919 on their arguments. ISC_LIST_XXXXUNSAFE can be use
10920 to skip the checks however use with caution.
10922 527. [func] New function dns_rdata_clone().
10924 526. [bug] nsupdate incorrectly refused to add RRs with a TTL
10927 525. [func] New arguments 'options' for dns_db_subtractrdataset(),
10928 and 'flags' for dns_rdataslab_subtract() allowing you
10929 to request that the RR's must exist prior to deletion.
10930 DNS_R_NOTEXACT is returned if the condition is not met.
10932 524. [func] The 'forward' and 'forwarders' statement in
10933 non-forward zones should work now.
10935 523. [doc] The source to the Administrator Reference Manual is
10936 now an XML file using the DocBook DTD, and is included
10937 in the distribution. The plain text version of the
10938 ARM is temporarily unavailable while we figure out
10939 how to generate readable plain text from the XML.
10941 522. [func] The lightweight resolver daemon can now use
10942 a real configuration file, and its functionality
10943 can be provided by a name server. Also, the -p and -P
10944 options to lwresd have been reversed.
10946 521. [bug] Detect master files which contain $INCLUDE and always
10949 520. [bug] Upgraded libtool to 1.3.5, which makes shared
10950 library builds almost work on AIX (and possibly
10953 519. [bug] dns_name_split() would improperly split some bitstring
10954 labels, zeroing a few of the least significant bits in
10955 the prefix part. When such an improperly created
10956 prefix was returned to the RBT database, the bogus
10957 label was dutifully stored, corrupting the tree.
10960 518. [bug] The resolver did not realize that a DNAME which was
10961 "the answer" to the client's query was "the answer",
10962 and such queries would fail. [RT #399]
10964 517. [bug] The resolver's DNAME code would trigger an assertion
10965 if there was more than one DNAME in the chain.
10968 516. [bug] Cache lookups which had a NULL node pointer, e.g.
10969 those by dns_view_find(), and which would match a
10970 DNAME, would trigger an INSIST(!search.need_cleanup)
10971 assertion. [RT #399]
10973 515. [bug] The ssu table was not being attached / detached
10974 by dns_zone_[sg]etssutable. [RT #397]
10976 514. [func] Retry refresh and notify queries if they timeout.
10979 513. [func] New functionality added to rdnc and server to allow
10980 individual zones to be refreshed or reloaded.
10982 512. [bug] The zone transfer code could throw an exception with
10983 an invalid IXFR stream.
10985 511. [bug] The message code could throw an assertion on an
10986 out of memory failure. [RT #392]
10988 510. [bug] Remove spurious view notify warning. [RT #376]
10990 509. [func] Add support for write of zone files on shutdown.
10992 508. [func] dns_message_parse() can now do a best-effort
10993 attempt, which should allow dig to print more invalid
10996 507. [func] New functions dns_zone_flush(), dns_zt_flushanddetach()
10997 and dns_view_flushanddetach().
10999 506. [func] Do not fail to start on errors in zone files.
11001 505. [bug] nsupdate was printing "unknown result code". [RT #373]
11003 504. [bug] The zone was not being marked as dirty when updated via
11006 503. [bug] dumptime was not being set along with
11007 DNS_ZONEFLG_NEEDDUMP.
11009 502. [func] On a SERVFAIL reply, DiG will now try the next server
11010 in the list, unless the +fail option is specified.
11012 501. [bug] Incorrect port numbers were being displayed by
11013 nslookup. [RT #352]
11015 500. [func] Nearly useless +details option removed from DiG.
11017 499. [func] In DiG, specifying a class with -c or type with -t
11018 changes command-line parsing so that classes and
11019 types are only recognized if following -c or -t.
11020 This allows hosts with the same name as a class or
11021 type to be looked up.
11023 498. [doc] There is now a man page for "dig"
11024 in doc/man/bin/dig.1.
11026 497. [bug] The error messages printed when an IP match list
11027 contained a network address with a nonzero host
11028 part where not sufficiently detailed. [RT #365]
11030 496. [bug] named didn't sanity check numeric parameters. [RT #361]
11032 495. [bug] nsupdate was unable to handle large records. [RT #368]
11034 494. [func] Do not cache NXDOMAIN responses for SOA queries.
11036 493. [func] Return non-cachable (ttl = 0) NXDOMAIN responses
11037 for SOA queries. This makes it easier to locate
11038 the containing zone without polluting intermediate
11041 492. [bug] attempting to reload a zone caused the server fail
11042 to shutdown cleanly. [RT #360]
11044 491. [bug] nsupdate would segfault when sending certain
11045 prerequisites with empty RDATA. [RT #356]
11047 490. [func] When a slave/stub zone has not yet successfully
11048 obtained an SOA containing the zone's configured
11049 retry time, perform the SOA query retries using
11050 exponential backoff. [RT #337]
11052 489. [func] The zone manager now has a "i/o" queue.
11054 488. [bug] Locks weren't properly destroyed in some cases.
11056 487. [port] flockfile() is not defined on all systems.
11058 486. [bug] nslookup: "set all" and "server" commands showed
11059 the incorrect port number if a port other than 53
11060 was specified. [RT #352]
11062 485. [func] When dig had more than one server to query, it would
11063 send all of the messages at the same time. Add
11064 rate limiting of the transmitted messages.
11066 484. [bug] When the server was reloaded after removing addresses
11067 from the named.conf "listen-on" statement, sockets
11068 were still listening on the removed addresses due
11069 to reference count loops. [RT #325]
11071 483. [bug] nslookup: "set all" showed a "search" option but it
11074 482. [bug] nslookup: a plain "server" or "lserver" should be
11075 treated as a lookup.
11077 481. [bug] nslookup:get_next_command() stack size could exceed
11080 480. [bug] strtok() is not thread safe. [RT #349]
11082 479. [func] The test suite can now be run by typing "make check"
11083 or "make test" at the top level.
11085 478. [bug] "make install" failed if the directory specified with
11086 --prefix did not already exist.
11088 477. [bug] The the isc-config.sh script could be installed before
11089 its directory was created. [RT #324]
11091 476. [bug] A zone could expire while a zone transfer was in
11092 progress triggering a INSIST failure. [RT #329]
11094 475. [bug] query_getzonedb() sometimes returned a non-null version
11095 on failure. This caused assertion failures when
11096 generating query responses where names subject to
11097 additional section processing pointed to a zone
11098 to which access had been denied by means of the
11099 allow-query option. [RT #336]
11101 474. [bug] The mnemonic of the CHAOS class is CH according to
11102 RFC1035, but it was printed and read only as CHAOS.
11103 We now accept both forms as input, and print it
11106 473. [bug] nsupdate overran the end of the list of name servers
11107 when no servers could be reached, typically causing
11108 it to print the error message "dns_request_create:
11111 472. [bug] Off-by-one error caused isc_time_add() to sometimes
11112 produce invalid time values.
11114 471. [bug] nsupdate didn't compile on HP/UX 10.20
11116 470. [func] $GENERATE is now supported. See also
11117 doc/misc/migration.
11119 469. [bug] "query-source address * port 53;" now works.
11121 468. [bug] dns_master_load*() failed to report file and line
11122 number in certain error conditions.
11124 467. [bug] dns_master_load*() failed to log an error if
11127 466. [bug] dns_master_load*() could return success when it failed.
11129 465. [cleanup] Allow 0 to be set as an omapi_value_t value by
11130 omapi_value_storeint().
11132 464. [cleanup] Build with openssl's RSA code instead of dnssafe.
11134 463. [bug] nsupdate sent malformed SOA queries to the second
11135 and subsequent name servers in resolv.conf if the
11136 query sent to the first one failed.
11138 462. [bug] --disable-ipv6 should work now.
11140 461. [bug] Specifying an unknown key in the "keys" clause of the
11141 "controls" statement caused a NULL pointer dereference.
11144 460. [bug] Much of the DNSSEC code only worked with class IN.
11146 459. [bug] Nslookup processed the "set" command incorrectly.
11148 458. [bug] Nslookup didn't properly check class and type values.
11151 457. [bug] Dig/host/hslookup didn't properly handle connect
11152 timeouts in certain situations, causing an
11153 unnecessary warning message to be printed.
11155 456. [bug] Stub zones were not resetting the refresh and expire
11156 counters, loadtime or clearing the DNS_ZONE_REFRESH
11157 (refresh in progress) flag upon successful update.
11158 This disabled further refreshing of the stub zone,
11159 causing it to eventually expire. [RT #300]
11161 455. [doc] Document IPv4 prefix notation does not require a
11162 dotted decimal quad but may be just dotted decimal.
11164 454. [bug] Enforce dotted decimal and dotted decimal quad where
11165 documented as such in named.conf. [RT #304, RT #311]
11167 453. [bug] Warn if the obsolete option "maintain-ixfr-base"
11168 is specified in named.conf. [RT #306]
11170 452. [bug] Warn if the unimplemented option "statistics-file"
11171 is specified in named.conf. [RT #301]
11173 451. [func] Update forwarding implemented.
11175 450. [func] New function ns_client_sendraw().
11177 449. [bug] isc_bitstring_copy() only works correctly if the
11178 two bitstrings have the same lsb0 value, but this
11179 requirement was not documented, nor was there a
11182 448. [bug] Host output formatting change, to match v8. [RT #255]
11184 447. [bug] Dig didn't properly retry in TCP mode after
11185 a truncated reply. [RT #277]
11187 446. [bug] Confusing notify log message. [RT #298]
11189 445. [bug] Doing a 0 bit isc_bitstring_copy() of an lsb0
11190 bitstring triggered a REQUIRE statement. The REQUIRE
11191 statement was incorrect. [RT #297]
11193 444. [func] "recursion denied" messages are always logged at
11194 debug level 1, now, rather than sometimes at ERROR.
11195 This silences these warnings in the usual case, where
11196 some clients set the RD bit in all queries.
11198 443. [bug] When loading a master file failed because of an
11199 unrecognized RR type name, the error message
11200 did not include the file name and line number.
11203 442. [bug] TSIG signed messages that did not match any view
11204 crashed the server. [RT #290]
11206 441. [bug] Nodes obscured by a DNAME were inaccessible even
11207 when DNS_DBFIND_GLUEOK was set.
11209 440. [func] New function dns_zone_forwardupdate().
11211 439. [func] New function dns_request_createraw().
11213 438. [func] New function dns_message_getrawmessage().
11215 437. [func] Log NOTIFY activity to the notify channel.
11217 436. [bug] If recvmsg() returned EHOSTUNREACH or ENETUNREACH,
11218 which sometimes happens on Linux, named would enter
11219 a busy loop. Also, unexpected socket errors were
11220 not logged at a high enough logging level to be
11221 useful in diagnosing this situation. [RT #275]
11223 435. [bug] dns_zone_dump() overwrote existing zone files
11224 rather than writing to a temporary file and
11225 renaming. This could lead to empty or partial
11226 zone files being left around in certain error
11227 conditions involving the initial transfer of a
11228 slave zone, interfering with subsequent server
11231 434. [func] New function isc_file_isabsolute().
11233 433. [func] isc_base64_decodestring() now accepts newlines
11234 within the base64 data. This makes it possible
11235 to break up the key data in a "trusted-keys"
11236 statement into multiple lines. [RT #284]
11238 432. [func] Added refresh/retry jitter. The actual refresh/
11239 retry time is now a random value between 75% and
11240 100% of the configured value.
11242 431. [func] Log at ISC_LOG_INFO when a zone is successfully
11245 430. [bug] Rewrote the lightweight resolver client management
11246 code to handle shutdown correctly and general
11249 429. [bug] The space reserved for a TSIG record in a response
11250 was 2 bytes too short, leading to message
11251 generation failures.
11253 428. [bug] rbtdb.c:find_closest_nxt() erroneously returned
11254 DNS_R_BADDB for nodes which had neither NXT nor SIG NXT
11255 (e.g. glue). This could cause SERVFAILs when
11256 generating negative responses in a secure zone.
11258 427. [bug] Avoid going into an infinite loop when the validator
11259 gets a negative response to a key query where the
11260 records are signed by the missing key.
11262 426. [bug] Attempting to generate an oversized RSA key could
11263 cause dnssec-keygen to dump core.
11265 425. [bug] Warn about the auth-nxdomain default value change
11266 if there is no auth-nxdomain statement in the
11267 config file. [RT #287]
11269 424. [bug] notify_createmessage() could trigger an assertion
11270 failure when creating the notify message failed,
11271 e.g. due to corrupt zones with multiple SOA records.
11274 423. [bug] When responding to a recursive query, errors that occur
11275 after following a CNAME should cause the query to fail.
11278 422. [func] get rid of isc_random_t, and make isc_random_get()
11279 and isc_random_jitter() use rand() internally
11280 instead of local state. Note that isc_random_*()
11281 functions are only for weak, non-critical "randomness"
11282 such as timing jitter and such.
11284 421. [bug] nslookup would exit when given a blank line as input.
11286 420. [bug] nslookup failed to implement the "exit" command.
11288 419. [bug] The certificate type PKIX was misspelled as SKIX.
11290 418. [bug] At debug levels >= 10, getting an unexpected
11291 socket receive error would crash the server
11292 while trying to log the error message.
11294 417. [func] Add isc_app_block() and isc_app_unblock(), which
11295 allow an application to handle signals while
11298 416. [bug] Slave zones with no master file tried to use a
11299 NULL pointer for a journal file name when they
11300 received an IXFR. [RT #273]
11302 415. [bug] The logging code leaked file descriptors.
11304 414. [bug] Server did not shut down until all incoming zone
11305 transfers were finished.
11307 413. [bug] Notify could attempt to use the zone database after
11308 it had been unloaded. [RT #267]
11310 412. [bug] named -v didn't print the version.
11312 411. [bug] A typo in the HS A code caused an assertion failure.
11314 410. [bug] lwres_gethostbyname() and company set lwres_h_errno
11315 to a random value on success.
11317 409. [bug] If named was shut down early in the startup
11318 process, ns_omapi_shutdown() would attempt to lock
11319 an uninitialized mutex. [RT #262]
11321 408. [bug] stub zones could leak memory and reference counts if
11322 all the masters were unreachable.
11324 407. [bug] isc_rwlock_lock() would needlessly block
11325 readers when it reached the read quota even
11326 if no writers were waiting.
11328 406. [bug] Log messages were occasionally lost or corrupted
11329 due to a race condition in isc_log_doit().
11331 405. [func] Add support for selective forwarding (forward zones)
11333 404. [bug] The request library didn't completely work with IPv6.
11335 403. [bug] "host" did not use the search list.
11337 402. [bug] Treat undefined acls as errors, rather than
11338 warning and then later throwing an assertion.
11341 401. [func] Added simple database API.
11343 400. [bug] SIG(0) signing and verifying was done incorrectly.
11346 399. [bug] When reloading the server with a config file
11347 containing a syntax error, it could catch an
11348 assertion failure trying to perform zone
11349 maintenance on, or sending notifies from,
11350 tentatively created zones whose views were
11351 never fully configured and lacked an address
11352 database and request manager.
11354 398. [bug] "dig" sometimes caught an assertion failure when
11355 using TSIG, depending on the key length.
11357 397. [func] Added utility functions dns_view_gettsig() and
11358 dns_view_getpeertsig().
11360 396. [doc] There is now a man page for "nsupdate"
11361 in doc/man/bin/nsupdate.8.
11363 395. [bug] nslookup printed incorrect RR type mnemonics
11364 for RRs of type >= 21 [RT #237].
11366 394. [bug] Current name was not propagated via $INCLUDE.
11368 393. [func] Initial answer while loading (awl) support.
11369 Entry points: dns_master_loadfileinc(),
11370 dns_master_loadstreaminc(), dns_master_loadbufferinc().
11371 Note: calls to dns_master_load*inc() should be rate
11372 be rate limited so as to not use up all file
11375 392. [func] Add ISC_R_FAMILYNOSUPPORT. Returned when OS does
11376 not support the given address family requested.
11378 391. [clarity] ISC_R_FAMILY -> ISC_R_FAMILYMISMATCH.
11380 390. [func] The function dns_zone_setdbtype() now takes
11381 an argc/argv style vector of words and sets
11382 both the zone database type and its arguments,
11383 making the functions dns_zone_adddbarg()
11384 and dns_zone_cleardbargs() unnecessary.
11386 389. [bug] Attempting to send a request over IPv6 using
11387 dns_request_create() on a system without IPv6
11388 support caused an assertion failure [RT #235].
11390 388. [func] dig and host can now do reverse ipv6 lookups.
11392 387. [func] Add dns_byaddr_createptrname(), which converts
11393 an address into the name used by a PTR query.
11395 386. [bug] Missing strdup() of ACL name caused random
11396 ACL matching failures [RT #228].
11398 385. [cleanup] Removed functions dns_zone_equal(), dns_zone_print(),
11399 and dns_zt_print().
11401 384. [bug] nsupdate was incorrectly limiting TTLs to 65535 instead
11404 383. [func] When writing a master file, print the SOA and NS
11405 records (and their SIGs) before other records.
11407 382. [bug] named -u failed on many Linux systems where the
11408 libc provided kernel headers do not match
11409 the current kernel.
11411 381. [bug] Check for IPV6_RECVPKTINFO and use it instead of
11412 IPV6_PKTINFO if found. [RT #229]
11414 380. [bug] nsupdate didn't work with IPv6.
11416 379. [func] New library function isc_sockaddr_anyofpf().
11418 378. [func] named and lwresd will log the command line arguments
11419 they were started with in the "starting ..." message.
11421 377. [bug] When additional data lookups were refused due to
11422 "allow-query", the databases were still being
11423 attached causing reference leaks.
11425 376. [bug] The server should always use good entropy when
11426 performing cryptographic functions needing entropy.
11428 375. [bug] Per-zone "allow-query" did not properly override the
11429 view/global one for CNAME targets and additional
11432 374. [bug] SOA in authoritative negative responses had wrong TTL.
11434 373. [func] nslookup is now installed by "make install".
11436 372. [bug] Deal with Microsoft DNS servers appending two bytes of
11437 garbage to zone transfer requests.
11439 371. [bug] At high debug levels, doing an outgoing zone transfer
11440 of a very large RRset could cause an assertion failure
11443 370. [bug] The error messages for roll-forward failures were
11446 369. [func] Support new named.conf options, view and zone
11449 max-retry-time, min-retry-time,
11450 max-refresh-time, min-refresh-time.
11452 368. [func] Restructure the internal ".bind" view so that more
11453 zones can be added to it.
11455 367. [bug] Allow proper selection of server on nslookup command
11458 366. [func] Allow use of '-' batch file in dig for stdin.
11460 365. [bug] nsupdate -k leaked memory.
11462 364. [func] Added additional-from-{cache,auth}
11466 362. [bug] rndc no longer aborts if the configuration file is
11467 missing an options statement. [RT #209]
11469 361. [func] When the RBT find or chain functions set the name and
11470 origin for a node that stores the root label
11471 the name is now set to an empty name, instead of ".",
11472 to simplify later use of the name and origin by
11473 dns_name_concatenate(), dns_name_totext() or
11476 360. [func] dns_name_totext() and dns_name_format() now allow
11477 an empty name to be passed, which is formatted as "@".
11479 359. [bug] dnssec-signzone occasionally signed glue records.
11481 358. [cleanup] Rename the intermediate files used by the dnssec
11484 357. [bug] The zone file parser crashed if the argument
11485 to $INCLUDE was a quoted string.
11487 356. [cleanup] isc_task_send no longer requires event->sender to
11490 355. [func] Added isc_dir_createunique(), similar to mkdtemp().
11492 354. [doc] Man pages for the dnssec tools are now included in
11493 the distribution, in doc/man/dnssec.
11495 353. [bug] double increment in lwres/gethost.c:copytobuf().
11498 352. [bug] Race condition in dns_client_t startup could cause
11499 an assertion failure.
11501 351. [bug] Constructing a response with rcode SERVFAIL to a TSIG
11502 signed query could crash the server.
11504 350. [bug] Also-notify lists specified in the global options
11505 block were not correctly reference counted, causing
11508 349. [bug] Processing a query with the CD bit set now works
11511 348. [func] New boolean named.conf options 'additional-from-auth'
11512 and 'additional-from-cache' now supported in view and
11513 global options statement.
11515 347. [bug] Don't crash if an argument is left off options in dig.
11519 345. [bug] Large-scale changes/cleanups to dig:
11520 * Significantly improve structure handling
11521 * Don't pre-load entire batch files
11522 * Add name/rr counting/limiting
11523 * Fix SIGINT handling
11524 * Shorten timeouts to match v8's behavior
11526 344. [bug] When shutting down, lwresd sometimes tried
11527 to shut down its client tasks twice,
11528 triggering an assertion.
11530 343. [bug] Although zone maintenance SOA queries and
11531 notify requests were signed with TSIG keys
11532 when configured for the server in case,
11533 the TSIG was not verified on the response.
11535 342. [bug] The wrong name was being passed to
11536 dns_name_dup() when generating a TSIG
11539 341. [func] Support 'key' clause in named.conf zone masters
11540 statement to allow authentication via TSIG keys:
11543 10.0.0.1 port 5353 key "foo";
11547 340. [bug] The top-level COPYRIGHT file was missing from
11550 339. [bug] DNSSEC validation of the response to an ANY
11551 query at a name with a CNAME RR in a secure
11552 zone triggered an assertion failure.
11554 338. [bug] lwresd logged to syslog as named, not lwresd.
11556 337. [bug] "dig" did not recognize "nsap-ptr" as an RR type
11557 on the command line.
11559 336. [bug] "dig -f" used 64 k of memory for each line in
11560 the file. It now uses much less, though still
11561 proportionally to the file size.
11563 335. [bug] named would occasionally attempt recursion when
11564 it was disallowed or undesired.
11566 334. [func] Added hmac-md5 to libisc.
11568 333. [bug] The resolver incorrectly accepted referrals to
11569 domains that were not parents of the query name,
11570 causing assertion failures.
11572 332. [func] New function dns_name_reset().
11574 331. [bug] Only log "recursion denied" if RD is set. [RT #178]
11576 330. [bug] Many debugging messages were partially formatted
11577 even when debugging was turned off, causing a
11578 significant decrease in query performance.
11580 329. [func] omapi_auth_register() now takes a size_t argument for
11581 the length of a key's secret data. Previously
11582 OMAPI only stored secrets up to the first NUL byte.
11584 328. [func] Added isc_base64_decodestring().
11586 327. [bug] rndc.conf parser wasn't correctly recognizing an IP
11587 address where a host specification was required.
11589 326. [func] 'keys' in an 'inet' control statement is now
11590 required and must have at least one item in it.
11591 A "not supported" warning is now issued if a 'unix'
11592 control channel is defined.
11594 325. [bug] isc_lex_gettoken was processing octal strings when
11595 ISC_LEXOPT_CNUMBER was not set.
11597 324. [func] In the resolver, turn EDNS0 off if there is no
11598 response after a number of retransmissions.
11599 This is to allow queries some chance of succeeding
11600 even if all the authoritative servers of a zone
11601 silently discard EDNS0 requests instead of
11602 sending an error response like they ought to.
11604 323. [bug] dns_rbt_findname() did not ignore empty rbt nodes.
11605 Because of this, servers authoritative for a parent
11606 and grandchild zone but not authoritative for the
11607 intervening child zone did not correctly issue
11608 referrals to the servers of the child zone.
11610 322. [bug] Queries for KEY RRs are now sent to the parent
11611 server before the authoritative one, making
11612 DNSSEC insecurity proofs work in many cases
11613 where they previously didn't.
11615 321. [bug] When synthesizing a CNAME RR for a DNAME
11616 response, query_addcname() failed to initialize
11617 the type and class of the CNAME dns_rdata_t,
11618 causing random failures.
11620 320. [func] Multiple rndc changes: parses an rndc.conf file,
11621 uses authentication to talk to named, command
11622 line syntax changed. This will all be described
11625 319. [func] The named.conf "controls" statement is now used
11626 to configure the OMAPI command channel.
11628 318. [func] dns_c_ndcctx_destroy() could never return anything
11629 except ISC_R_SUCCESS; made it have void return instead.
11631 317. [func] Use callbacks from libomapi to determine if a
11632 new connection is valid, and if a key requested
11633 to be used with that connection is valid.
11635 316. [bug] Generate a warning if we detect an unexpected <eof>
11636 but treat as <eol><eof>.
11638 315. [bug] Handle non-empty blanks lines. [RT #163]
11640 314. [func] The named.conf controls statement can now have
11641 more than one key specified for the inet clause.
11643 313. [bug] When parsing resolv.conf, don't terminate on an
11644 error. Instead, parse as much as possible, but
11645 still return an error if one was found.
11647 312. [bug] Increase the number of allowed elements in the
11648 resolv.conf search path from 6 to 8. If there
11649 are more than this, ignore the remainder rather
11650 than returning a failure in lwres_conf_parse.
11652 311. [bug] lwres_conf_parse failed when the first line of
11653 resolv.conf was empty or a comment.
11655 310. [func] Changes to named.conf "controls" statement (inet
11658 - support "keys" clause
11662 allow { any; } keys { "foo"; }
11665 - allow "port xxx" to be left out of statement,
11666 in which case it defaults to omapi's default port
11669 309. [bug] When sending a referral, the server did not look
11670 for name server addresses as glue in the zone
11671 holding the NS RRset in the case where this zone
11672 was not the same as the one where it looked for
11673 name server addresses as authoritative data.
11675 308. [bug] Treat a SOA record not at top of zone as an error
11676 when loading a zone. [RT #154]
11678 307. [bug] When canceling a query, the resolver didn't check for
11679 isc_socket_sendto() calls that did not yet have their
11680 completion events posted, so it could (rarely) end up
11681 destroying the query context and then want to use
11682 it again when the send event posted, triggering an
11683 assertion as it tried to cancel an already-canceled
11686 306. [bug] Reading HMAC-MD5 private key files didn't work.
11688 305. [bug] When reloading the server with a config file
11689 containing a syntax error, it could catch an
11690 assertion failure trying to perform zone
11691 maintenance on tentatively created zones whose
11692 views were never fully configured and lacked
11693 an address database.
11695 304. [bug] If more than LWRES_CONFMAXNAMESERVERS servers
11696 are listed in resolv.conf, silently ignore them
11697 instead of returning failure.
11699 303. [bug] Add additional sanity checks to differentiate a AXFR
11700 response vs a IXFR response. [RT #157]
11702 302. [bug] In dig, host, and nslookup, MXNAME should be large
11703 enough to hold any legal domain name in presentation
11704 format + terminating NULL.
11706 301. [bug] Uninitialized pointer in host:printmessage(). [RT #159]
11708 300. [bug] Using both <isc/net.h> and <lwres/net.h> didn't work
11709 on platforms lacking IPv6 because each included their
11710 own ipv6 header file for the missing definitions. Now
11711 each library's ipv6.h defines the wrapper symbol of
11712 the other (ISC_IPV6_H and LWRES_IPV6_H).
11714 299. [cleanup] Get the user and group information before changing the
11715 root directory, so the administrator does not need to
11716 keep a copy of the user and group databases in the
11717 chroot'ed environment. Suggested by Hakan Olsson.
11719 298. [bug] A mutex deadlock occurred during shutdown of the
11720 interface manager under certain conditions.
11721 Digital Unix systems were the most affected.
11723 297. [bug] Specifying a key name that wasn't fully qualified
11724 in certain parts of the config file could cause
11725 an assertion failure.
11727 296. [bug] "make install" from a separate build directory
11728 failed unless configure had been run in the source
11731 295. [bug] When invoked with type==CNAME and a message
11732 not constructed by dns_message_parse(),
11733 dns_message_findname() failed to find anything
11734 due to checking for attribute bits that are set
11735 only in dns_message_parse(). This caused an
11736 infinite loop when constructing the response to
11737 an ANY query at a CNAME in a secure zone.
11739 294. [bug] If we run out of space in while processing glue
11740 when reading a master file and commit "current name"
11741 reverts to "name_current" instead of staying as
11744 293. [port] Add support for FreeBSD 4.0 system tests.
11746 292. [bug] Due to problems with the way some operating systems
11747 handle simultaneous listening on IPv4 and IPv6
11748 addresses, the server no longer listens on IPv6
11749 addresses by default. To revert to the previous
11750 behavior, specify "listen-on-v6 { any; };" in
11753 291. [func] Caching servers no longer send outgoing queries
11754 over TCP just because the incoming recursive query
11757 290. [cleanup] +twiddle option to dig (for testing only) removed.
11759 289. [cleanup] dig is now installed in $bindir instead of $sbindir.
11760 host is now installed in $bindir. (Be sure to remove
11761 any $sbindir/dig from a previous release.)
11763 288. [func] rndc is now installed by "make install" into $sbindir.
11765 287. [bug] rndc now works again as "rndc 127.1 reload" (for
11766 only that task). Parsing its configuration file and
11767 using digital signatures for authentication has been
11768 disabled until named supports the "controls" statement,
11771 286. [bug] On Solaris 2, when named inherited a signal state
11772 where SIGHUP had the SIG_IGN action, SIGHUP would
11773 be ignored rather than causing the server to reload
11776 285. [bug] A change made to the dst API for beta4 inadvertently
11777 broke OMAPI's creation of a dst key from an incoming
11778 message, causing an assertion to be triggered. Fixed.
11780 284. [func] The DNSSEC key generation and signing tools now
11781 generate randomness from keyboard input on systems
11782 that lack /dev/random.
11784 283. [cleanup] The 'lwresd' program is now a link to 'named'.
11786 282. [bug] The lexer now returns ISC_R_RANGE if parsed integer is
11787 too big for an unsigned long.
11789 281. [bug] Fixed list of recognized config file category names.
11791 280. [func] Add isc-config.sh, which can be used to more
11792 easily build applications that link with
11795 279. [bug] Private omapi function symbols shared between
11796 two or more files in libomapi.a were not namespace
11797 protected using the ISC convention of starting with
11798 the library name and two underscores ("omapi__"...)
11800 278. [bug] bin/named/logconf.c:category_fromconf() didn't take
11801 note of when isc_log_categorybyname() wasn't able
11802 to find the category name and would then apply the
11803 channel list of the unknown category to all categories.
11805 277. [bug] isc_log_categorybyname() and isc_log_modulebyname()
11806 would fail to find the first member of any category
11807 or module array apart from the internal defaults.
11808 Thus, for example, the "notify" category was improperly
11809 configured by named.
11811 276. [bug] dig now supports maximum sized TCP messages.
11813 275. [bug] The definition of lwres_gai_strerror() was missing
11816 274. [bug] TSIG AXFR verify failed when talking to a BIND 8
11819 273. [func] The default for the 'transfer-format' option is
11820 now 'many-answers'. This will break zone transfers
11821 to BIND 4.9.5 and older unless there is an explicit
11822 'one-answer' configuration.
11824 272. [bug] The sending of large TCP responses was canceled
11825 in mid-transmission due to a race condition
11826 caused by the failure to set the client object's
11827 "newstate" variable correctly when transitioning
11828 to the "working" state.
11830 271. [func] Attempt to probe the number of cpus in named
11831 if unspecified rather than defaulting to 1.
11833 270. [func] Allow maximum sized TCP answers.
11835 269. [bug] Failed DNSSEC validations could cause an assertion
11836 failure by causing clone_results() to be called with
11837 with hevent->node == NULL.
11839 268. [doc] A plain text version of the Administrator
11840 Reference Manual is now included in the distribution,
11841 as doc/arm/Bv9ARM.txt.
11843 267. [func] Nsupdate is now provided in the distribution.
11845 266. [bug] zone.c:save_nsrrset() node was not initialized.
11847 265. [bug] dns_request_create() now works for TCP.
11849 264. [func] Dispatch can not take TCP sockets in connecting
11850 state. Set DNS_DISPATCHATTR_CONNECTED when calling
11851 dns_dispatch_createtcp() for connected TCP sockets
11852 or call dns_dispatch_starttcp() when the socket is
11855 263. [func] New logging channel type 'stderr'
11857 channel some-name {
11862 262. [bug] 'master' was not initialized in zone.c:stub_callback().
11864 261. [func] Add dns_zone_markdirty().
11866 260. [bug] Running named as a non-root user failed on Linux
11867 kernels new enough to support retaining capabilities
11870 259. [func] New random-device and random-seed-file statements
11871 for global options block of named.conf. Both accept
11872 a single string argument.
11874 258. [bug] Fixed printing of lwres_addr_t.address field.
11876 257. [bug] The server detached the last zone manager reference
11877 too early, while it could still be in use by queries.
11878 This manifested itself as assertion failures during the
11879 shutdown process for busy name servers. [RT #133]
11881 256. [func] isc_ratelimiter_t now has attach/detach semantics, and
11882 isc_ratelimiter_shutdown guarantees that the rate
11883 limiter is detached from its task.
11885 255. [func] New function dns_zonemgr_attach().
11887 254. [bug] Suppress "query denied" messages on additional data
11890 --- 9.0.0b4 released ---
11892 253. [func] resolv.conf parser now recognizes ';' and '#' as
11893 comments (anywhere in line, not just as the beginning).
11895 252. [bug] resolv.conf parser mishandled masks on sortlists.
11896 It also aborted when an unrecognized keyword was seen,
11897 now it silently ignores the entire line.
11899 251. [bug] lwresd caught an assertion failure on startup.
11901 250. [bug] fixed handling of size+unit when value would be too
11902 large for internal representation.
11904 249. [cleanup] max-cache-size config option now takes a size-spec
11905 like 'datasize', except 'default' is not allowed.
11907 248. [bug] global lame-ttl option was not being printed when
11908 config structures were written out.
11910 247. [cleanup] Rename cache-size config option to max-cache-size.
11912 246. [func] Rename global option cachesize to cache-size and
11913 add corresponding option to view statement.
11915 245. [bug] If an uncompressed name will take more than 255
11916 bytes and the buffer is sufficiently long,
11917 dns_name_fromwire should return DNS_R_FORMERR,
11918 not ISC_R_NOSPACE. This bug caused cause the
11919 server to catch an assertion failure when it
11920 received a query for a name longer than 255
11923 244. [bug] empty named.conf file and empty options statement are
11924 now parsed properly.
11926 243. [func] new cachesize option for named.conf
11928 242. [cleanup] fixed incorrect warning about auth-nxdomain usage.
11930 241. [cleanup] nscount and soacount have been removed from the
11931 dns_master_*() argument lists.
11933 240. [func] databases now come in three flavours: zone, cache
11936 239. [func] If ISC_MEM_DEBUG is enabled, the variable
11937 isc_mem_debugging controls whether messages
11938 are printed or not.
11940 238. [cleanup] A few more compilation warnings have been quieted:
11941 + missing sigwait prototype on BSD/OS 4.0/4.0.1.
11942 + PTHREAD_ONCE_INIT unbraced initializer warnings on
11944 + IN6ADDR_ANY_INIT unbraced initializer warnings on
11945 BSD/OS 4.*, Linux and Solaris 2.8.
11947 237. [bug] If connect() returned ENOBUFS when the resolver was
11948 initiating a TCP query, the socket didn't get
11949 destroyed, and the server did not shut down cleanly.
11951 236. [func] Added new listen-on-v6 config file statement.
11953 235. [func] Consider it a config file error if a listen-on
11954 statement has an IPv6 address in it, or a
11955 listen-on-v6 statement has an IPv4 address in it.
11957 234. [bug] Allow a trusted-key's first field (domain-name) be
11958 either a quoted or an unquoted string, instead of
11959 requiring a quoted string.
11961 233. [cleanup] Convert all config structure integer values to unsigned
11962 integer (isc_uint32_t) to match grammar.
11964 232. [bug] Allow slave zones to not have a file.
11966 231. [func] Support new 'port' clause in config file options
11967 section. Causes 'listen-on', 'masters' and
11968 'also-notify' statements to use its value instead of
11971 230. [func] Replace the dst sign/verify API with a cleaner one.
11973 229. [func] Support config file sig-validity-interval statement
11974 in options, views and zone statements (master
11977 228. [cleanup] Logging messages in config module stripped of
11980 227. [cleanup] The enumerated identifiers dns_rdataclass_*,
11981 dns_rcode_*, dns_opcode_*, and dns_trust_* are
11982 also now cast to their appropriate types, as with
11983 dns_rdatatype_* in item number 225 below.
11985 226. [func] dns_name_totext() now always prints the root name as
11986 '.', even when omit_final_dot is true.
11988 225. [cleanup] The enumerated dns_rdatatype_* identifiers are now
11989 cast to dns_rdatatype_t via macros of their same name
11990 so that they are of the proper integral type wherever
11991 a dns_rdatatype_t is needed.
11993 224. [cleanup] The entire project builds cleanly with gcc's
11994 -Wcast-qual and -Wwrite-strings warnings enabled,
11995 which is now the default when using gcc. (Warnings
11996 from confparser.c, because of yacc's code, are
11997 unfortunately to be expected.)
11999 223. [func] Several functions were re-prototyped to qualify one
12000 or more of their arguments with "const". Similarly,
12001 several functions that return pointers now have
12002 those pointers qualified with const.
12004 222. [bug] The global 'also-notify' option was ignored.
12006 221. [bug] An uninitialized variable was sometimes passed to
12007 dns_rdata_freestruct() when loading a zone, causing
12008 an assertion failure.
12010 220. [cleanup] Set the default outgoing port in the view, and
12011 set it in sockaddrs returned from the ADB.
12012 [31-May-2000 explorer]
12014 219. [bug] Signed truncated messages more correctly follow
12015 the respective specs.
12017 218. [func] When an rdataset is signed, its ttl is normalized
12018 based on the signature validity period.
12020 217. [func] Also-notify and trusted-keys can now be used in
12021 the 'view' statement.
12023 216. [func] The 'max-cache-ttl' and 'max-ncache-ttl' options
12026 215. [bug] Failures at certain points in request processing
12027 could cause the assertion INSIST(client->lockview
12028 == NULL) to be triggered.
12030 214. [func] New public function isc_netaddr_format(), for
12031 formatting network addresses in log messages.
12033 213. [bug] Don't leak memory when reloading the zone if
12034 an update-policy clause was present in the old zone.
12036 212. [func] Added dns_message_get/settsigkey, to make TSIG
12037 key management reasonable.
12039 211. [func] The 'key' and 'server' statements can now occur
12040 inside 'view' statements.
12042 210. [bug] The 'allow-transfer' option was ignored for slave
12043 zones, and the 'transfers-per-ns' option was
12044 was ignored for all zones.
12046 209. [cleanup] Upgraded openssl files to new version 0.9.5a
12048 208. [func] Added ISC_OFFSET_MAXIMUM for the maximum value
12049 of an isc_offset_t.
12051 207. [func] The dnssec tools properly use the logging subsystem.
12053 206. [cleanup] dst now stores the key name as a dns_name_t, not
12056 205. [cleanup] On IRIX, turn off the mostly harmless warnings 1692
12057 ("prototyped function redeclared without prototype")
12058 and 1552 ("variable ... set but not used") when
12059 compiling in the lib/dns/sec/{dnssafe,openssl}
12060 directories, which contain code imported from outside
12063 204. [cleanup] On HP/UX, pass +vnocompatwarnings to the linker
12064 to quiet the warnings that "The linked output may not
12065 run on a PA 1.x system."
12067 203. [func] notify and zone soa queries are now tsig signed when
12070 202. [func] isc_lex_getsourceline() changed from returning int
12071 to returning unsigned long, the type of its underlying
12074 201. [cleanup] Removed the test/sdig program, it has been
12075 replaced by bin/dig/dig.
12077 --- 9.0.0b3 released ---
12079 200. [bug] Failures in sending query responses to clients
12080 (e.g., running out of network buffers) were
12083 199. [bug] isc_heap_delete() sometimes violated the heap
12084 invariant, causing timer events not to be posted
12087 198. [func] Dispatch managers hold memory pools which
12088 any managed dispatcher may use. This allows
12089 us to avoid dipping into the memory context for
12090 most allocations. [19-May-2000 explorer]
12092 197. [bug] When an incoming AXFR or IXFR completes, the
12093 zone's internal state is refreshed from the
12094 SOA data. [19-May-2000 explorer]
12096 196. [func] Dispatchers can be shared easily between views
12097 and/or interfaces. [19-May-2000 explorer]
12099 195. [bug] Including the NXT record of the root domain
12100 in a negative response caused an assertion
12103 194. [doc] The PDF version of the Administrator's Reference
12104 Manual is no longer included in the ISC BIND9
12107 193. [func] changed dst_key_free() prototype.
12109 192. [bug] Zone configuration validation is now done at end
12110 of config file parsing, and before loading
12113 191. [func] Patched to compile on UnixWare 7.x. This platform
12114 is not directly supported by the ISC.
12116 190. [cleanup] The DNSSEC tools have been moved to a separate
12117 directory dnssec/ and given the following new,
12118 more descriptive names:
12125 Their command line arguments have also been changed to
12126 be more consistent. dnssec-keygen now prints the
12127 name of the generated key files (sans extension)
12128 on standard output to simplify its use in automated
12131 189. [func] isc_time_secondsastimet(), a new function, will ensure
12132 that the number of seconds in an isc_time_t does not
12133 exceed the range of a time_t, or return ISC_R_RANGE.
12134 Similarly, isc_time_now(), isc_time_nowplusinterval(),
12135 isc_time_add() and isc_time_subtract() now check the
12136 range for overflow/underflow. In the case of
12137 isc_time_subtract, this changed a calling requirement
12138 (ie, something that could generate an assertion)
12139 into merely a condition that returns an error result.
12140 isc_time_add() and isc_time_subtract() were void-
12141 valued before but now return isc_result_t.
12143 188. [func] Log a warning message when an incoming zone transfer
12144 contains out-of-zone data.
12146 187. [func] isc_ratelimiter_enqueue() has an additional argument
12149 186. [func] dns_request_getresponse() has an additional argument
12152 185. [bug] Fixed up handling of ISC_MEMCLUSTER_LEGACY. Several
12153 public functions did not have an isc__ prefix, and
12154 referred to functions that had previously been
12157 184. [cleanup] Variables/functions which began with two leading
12158 underscores were made to conform to the ANSI/ISO
12159 standard, which says that such names are reserved.
12161 183. [func] ISC_LOG_PRINTTAG option for log channels. Useful
12162 for logging the program name or other identifier.
12164 182. [cleanup] New command-line parameters for dnssec tools
12166 181. [func] Added dst_key_buildfilename and dst_key_parsefilename
12168 180. [func] New isc_result_t ISC_R_RANGE. Supersedes DNS_R_RANGE.
12170 179. [func] options named.conf statement *must* now come
12171 before any zone or view statements.
12173 178. [func] Post-load of named.conf check verifies a slave zone
12174 has non-empty list of masters defined.
12176 177. [func] New per-zone boolean:
12178 enable-zone yes | no ;
12180 intended to let a zone be disabled without having
12181 to comment out the entire zone statement.
12183 176. [func] New global and per-view option:
12185 max-cache-ttl number
12187 175. [func] New global and per-view option:
12189 additional-data internal | minimal | maximal;
12191 174. [func] New public function isc_sockaddr_format(), for
12192 formatting socket addresses in log messages.
12194 173. [func] Keep a queue of zones waiting for zone transfer
12195 quota so that a new transfer can be dispatched
12196 immediately whenever quota becomes available.
12198 172. [bug] $TTL directive was sometimes missing from dumped
12199 master files because totext_ctx_init() failed to
12200 initialize ctx->current_ttl_valid.
12202 171. [cleanup] On NetBSD systems, the mit-pthreads or
12203 unproven-pthreads library is now always used
12204 unless --with-ptl2 is explicitly specified on
12205 the configure command line. The
12206 --with-mit-pthreads option is no longer needed
12207 and has been removed.
12209 170. [cleanup] Remove inter server consistency checks from zone,
12210 these should return as a separate module in 9.1.
12211 dns_zone_checkservers(), dns_zone_checkparents(),
12212 dns_zone_checkchildren(), dns_zone_checkglue().
12214 Remove dns_zone_setadb(), dns_zone_setresolver(),
12215 dns_zone_setrequestmgr() these should now be found
12218 169. [func] ratelimiter can now process N events per interval.
12220 168. [bug] include statements in named.conf caused syntax errors
12221 due to not consuming the semicolon ending the include
12222 statement before switching input streams.
12224 167. [bug] Make lack of masters for a slave zone a soft error.
12226 166. [bug] Keygen was overwriting existing keys if key_id
12227 conflicted, now it will retry, and non-null keys
12228 with key_id == 0 are not generated anymore. Key
12229 was not able to generate NOAUTHCONF DSA key,
12230 increased RSA key size to 2048 bits.
12232 165. [cleanup] Silence "end-of-loop condition not reached" warnings
12233 from Solaris compiler.
12235 164. [func] Added functions isc_stdio_open(), isc_stdio_close(),
12236 isc_stdio_seek(), isc_stdio_read(), isc_stdio_write(),
12237 isc_stdio_flush(), isc_stdio_sync(), isc_file_remove()
12238 to encapsulate nonportable usage of errno and sync.
12240 163. [func] Added result codes ISC_R_FILENOTFOUND and
12243 162. [bug] Ensure proper range for arguments to ctype.h functions.
12245 161. [cleanup] error in yyparse prototype that only HPUX caught.
12247 160. [cleanup] getnet*() are not going to be implemented at this
12250 159. [func] Redefinition of config file elements is now an
12251 error (instead of a warning).
12253 158. [bug] Log channel and category list copy routines
12254 weren't assigning properly to output parameter.
12256 157. [port] Fix missing prototype for getopt().
12258 156. [func] Support new 'database' statement in zone.
12260 database "quoted-string";
12262 155. [bug] ns_notify_start() was not detaching the found zone.
12264 154. [func] The signer now logs libdns warnings to stderr even when
12265 not verbose, and in a nicer format.
12267 153. [func] dns_rdata_tostruct() 'mctx' is now optional. If 'mctx'
12268 is NULL then you need to preserve the 'rdata' until
12269 you have finished using the structure as there may be
12270 references to the associated memory. If 'mctx' is
12271 non-NULL it is guaranteed that there are no references
12272 to memory associated with 'rdata'.
12274 dns_rdata_freestruct() must be called if 'mctx' was
12275 non-NULL and may safely be called if 'mctx' was NULL.
12277 152. [bug] keygen dumped core if domain name argument was omitted
12280 151. [func] Support 'disabled' statement in zone config (causes
12281 zone to be parsed and then ignored). Currently must
12282 come after the 'type' clause.
12284 150. [func] Support optional ports in masters and also-notify
12287 masters [ port xxx ] { y.y.y.y [ port zzz ] ; }
12289 149. [cleanup] Removed unused argument 'olist' from
12290 dns_c_view_unsetordering().
12292 148. [cleanup] Stop issuing some warnings about some configuration
12293 file statements that were not implemented, but now are.
12295 147. [bug] Changed yacc union size to be smaller for yaccs that
12296 put yacc-stack on the real stack.
12298 146. [cleanup] More general redundant header file cleanup. Rather
12299 than continuing to itemize every header which changed,
12300 this changelog entry just notes that if a header file
12301 did not need another header file that it was including
12302 in order to provide its advertised functionality, the
12303 inclusion of the other header file was removed. See
12304 util/check-includes for how this was tested.
12306 145. [cleanup] Added <isc/lang.h> and ISC_LANG_BEGINDECLS/
12307 ISC_LANG_ENDDECLS to header files that had function
12308 prototypes, and removed it from those that did not.
12310 144. [cleanup] libdns header files too numerous to name were made
12311 to conform to the same style for multiple inclusion
12314 143. [func] Added function dns_rdatatype_isknown().
12316 142. [cleanup] <isc/stdtime.h> does not need <time.h> or
12319 141. [bug] Corrupt requests with multiple questions could
12320 cause an assertion failure.
12322 140. [cleanup] <isc/time.h> does not need <time.h> or <isc/result.h>.
12324 139. [cleanup] <isc/net.h> now includes <isc/types.h> instead of
12325 <isc/int.h> and <isc/result.h>.
12327 138. [cleanup] isc_strtouq moved from str.[ch] to string.[ch] and
12328 renamed isc_string_touint64. isc_strsep moved from
12329 strsep.c to string.c and renamed isc_string_separate.
12331 137. [cleanup] <isc/commandline.h>, <isc/mem.h>, <isc/print.h>
12332 <isc/serial.h>, <isc/string.h> and <isc/offset.h>
12333 made to conform to the same style for multiple
12334 inclusion protection.
12336 136. [cleanup] <isc/commandline.h>, <isc/interfaceiter.h>,
12337 <isc/net.h> and Win32's <isc/thread.h> needed
12338 ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS.
12340 135. [cleanup] Win32's <isc/condition.h> did not need <isc/result.h>
12341 or <isc/boolean.h>, now uses <isc/types.h> in place
12342 of <isc/time.h>, and needed ISC_LANG_BEGINDECLS
12343 and ISC_LANG_ENDDECLS.
12345 134. [cleanup] <isc/dir.h> does not need <limits.h>.
12347 133. [cleanup] <isc/ipv6.h> needs <isc/platform.h>.
12349 132. [cleanup] <isc/app.h> does not need <isc/task.h>, but does
12350 need <isc/eventclass.h>.
12352 131. [cleanup] <isc/mutex.h> and <isc/util.h> need <isc/result.h>
12353 for ISC_R_* codes used in macros.
12355 130. [cleanup] <isc/condition.h> does not need <pthread.h> or
12356 <isc/boolean.h>, and now includes <isc/types.h>
12357 instead of <isc/time.h>.
12359 129. [bug] The 'default_debug' log channel was not set up when
12360 'category default' was present in the config file
12362 128. [cleanup] <isc/dir.h> had ISC_LANG_BEGINDECLS instead of
12363 ISC_LANG_ENDDECLS at end of header.
12365 127. [cleanup] The contracts for the comparison routines
12366 dns_name_fullcompare(), dns_name_compare(),
12367 dns_name_rdatacompare(), and dns_rdata_compare() now
12368 specify that the order value returned is < 0, 0, or > 0
12369 instead of -1, 0, or 1.
12371 126. [cleanup] <isc/quota.h> and <isc/taskpool.h> need <isc/lang.h>.
12373 125. [cleanup] <isc/eventclass.h>, <isc/ipv6.h>, <isc/magic.h>,
12374 <isc/mutex.h>, <isc/once.h>, <isc/region.h>, and
12375 <isc/resultclass.h> do not need <isc/lang.h>.
12377 124. [func] signer now imports parent's zone key signature
12378 and creates null keys/sets zone status bit for
12379 children when necessary
12381 123. [cleanup] <isc/event.h> does not need <stddef.h>.
12383 122. [cleanup] <isc/task.h> does not need <isc/mem.h> or
12386 121. [cleanup] <isc/symtab.h> does not need <isc/mem.h> or
12387 <isc/result.h>. Multiple inclusion protection
12388 symbol fixed from ISC_SYMBOL_H to ISC_SYMTAB_H.
12389 isc_symtab_t moved to <isc/types.h>.
12391 120. [cleanup] <isc/socket.h> does not need <isc/boolean.h>,
12392 <isc/bufferlist.h>, <isc/task.h>, <isc/mem.h> or
12395 119. [cleanup] structure definitions for generic rdata structures do
12396 not have _generic_ in their names.
12398 118. [cleanup] libdns.a is now namespace-clean, on NetBSD, excepting
12399 YACC crust (yyparse, etc) [2000-apr-27 explorer]
12401 117. [cleanup] libdns.a changes:
12402 dns_zone_clearnotify() and dns_zone_addnotify()
12403 are replaced by dns_zone_setnotifyalso().
12404 dns_zone_clearmasters() and dns_zone_addmaster()
12405 are replaced by dns_zone_setmasters().
12407 116. [func] Added <isc/offset.h> for isc_offset_t (aka off_t
12410 115. [port] Shut up the -Wmissing-declarations warning about
12411 <stdio.h>'s __sputaux on BSD/OS pre-4.1.
12413 114. [cleanup] <isc/sockaddr.h> does not need <isc/buffer.h> or
12416 113. [func] Utility programs dig and host added.
12418 112. [cleanup] <isc/serial.h> does not need <isc/boolean.h>.
12420 111. [cleanup] <isc/rwlock.h> does not need <isc/result.h> or
12423 110. [cleanup] <isc/result.h> does not need <isc/boolean.h> or
12426 109. [bug] "make depend" did nothing for
12427 bin/tests/{db,mem,sockaddr,tasks,timers}/.
12429 108. [cleanup] DNS_SETBIT/DNS_GETBIT/DNS_CLEARBIT moved from
12430 <dns/types.h> to <dns/bit.h> and renamed to
12431 DNS_BIT_SET/DNS_BIT_GET/DNS_BIT_CLEAR.
12433 107. [func] Add keysigner and keysettool.
12435 106. [func] Allow dnssec verifications to ignore the validity
12436 period. Used by several of the dnssec tools.
12438 105. [doc] doc/dev/coding.html expanded with other
12439 implicit conventions the developers have used.
12441 104. [bug] Made compress_add and compress_find static to
12442 lib/dns/compress.c.
12444 103. [func] libisc buffer API changes for <isc/buffer.h>:
12446 isc_buffer_base(b) (pointer)
12447 isc_buffer_current(b) (pointer)
12448 isc_buffer_active(b) (pointer)
12449 isc_buffer_used(b) (pointer)
12450 isc_buffer_length(b) (int)
12451 isc_buffer_usedlength(b) (int)
12452 isc_buffer_consumedlength(b) (int)
12453 isc_buffer_remaininglength(b) (int)
12454 isc_buffer_activelength(b) (int)
12455 isc_buffer_availablelength(b) (int)
12457 ISC_BUFFER_USEDCOUNT(b)
12458 ISC_BUFFER_AVAILABLECOUNT(b)
12461 isc_buffer_used(b, r) ->
12462 isc_buffer_usedregion(b, r)
12463 isc_buffer_available(b, r) ->
12464 isc_buffer_available_region(b, r)
12465 isc_buffer_consumed(b, r) ->
12466 isc_buffer_consumedregion(b, r)
12467 isc_buffer_active(b, r) ->
12468 isc_buffer_activeregion(b, r)
12469 isc_buffer_remaining(b, r) ->
12470 isc_buffer_remainingregion(b, r)
12472 Buffer types were removed, so the ISC_BUFFERTYPE_*
12473 macros are no more, and the type argument to
12474 isc_buffer_init and isc_buffer_allocate were removed.
12475 isc_buffer_putstr is now void (instead of isc_result_t)
12476 and requires that the caller ensure that there
12477 is enough available buffer space for the string.
12479 102. [port] Correctly detect inet_aton, inet_pton and inet_ptop
12482 101. [cleanup] Quieted EGCS warnings from lib/isc/print.c.
12484 100. [cleanup] <isc/random.h> does not need <isc/int.h> or
12485 <isc/mutex.h>. isc_random_t moved to <isc/types.h>.
12487 99. [cleanup] Rate limiter now has separate shutdown() and
12488 destroy() functions, and it guarantees that all
12489 queued events are delivered even in the shutdown case.
12491 98. [cleanup] <isc/print.h> does not need <stdarg.h> or <stddef.h>
12492 unless ISC_PLATFORM_NEEDVSNPRINTF is defined.
12494 97. [cleanup] <isc/ondestroy.h> does not need <stddef.h> or
12497 96. [cleanup] <isc/mutex.h> does not need <isc/result.h>.
12499 95. [cleanup] <isc/mutexblock.h> does not need <isc/result.h>.
12501 94. [cleanup] Some installed header files did not compile as C++.
12503 93. [cleanup] <isc/msgcat.h> does not need <isc/result.h>.
12505 92. [cleanup] <isc/mem.h> does not need <stddef.h>, <isc/boolean.h>,
12508 91. [cleanup] <isc/log.h> does not need <sys/types.h> or
12511 90. [cleanup] Removed unneeded ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS
12512 from <named/listenlist.h>.
12514 89. [cleanup] <isc/lex.h> does not need <stddef.h>.
12516 88. [cleanup] <isc/interfaceiter.h> does not need <isc/result.h> or
12517 <isc/mem.h>. isc_interface_t and isc_interfaceiter_t
12518 moved to <isc/types.h>.
12520 87. [cleanup] <isc/heap.h> does not need <isc/boolean.h>,
12521 <isc/mem.h> or <isc/result.h>.
12523 86. [cleanup] isc_bufferlist_t moved from <isc/bufferlist.h> to
12526 85. [cleanup] <isc/bufferlist.h> does not need <isc/buffer.h>,
12527 <isc/list.h>, <isc/mem.h>, <isc/region.h> or
12530 84. [func] allow-query ACL checks now apply to all data
12531 added to a response.
12533 83. [func] If the server is authoritative for both a
12534 delegating zone and its (nonsecure) delegatee, and
12535 a query is made for a KEY RR at the top of the
12536 delegatee, then the server will look for a KEY
12537 in the delegator if it is not found in the delegatee.
12539 82. [cleanup] <isc/buffer.h> does not need <isc/list.h>.
12541 81. [cleanup] <isc/int.h> and <isc/boolean.h> do not need
12544 80. [cleanup] <isc/print.h> does not need <stdio.h> or <stdlib.h>.
12546 79. [cleanup] <dns/callbacks.h> does not need <stdio.h>.
12548 78. [cleanup] lwres_conftest renamed to lwresconf_test for
12549 consistency with other *_test programs.
12551 77. [cleanup] typedef of isc_time_t and isc_interval_t moved from
12552 <isc/time.h> to <isc/types.h>.
12554 76. [cleanup] Rewrote keygen.
12556 75. [func] Don't load a zone if its database file is older
12557 than the last time the zone was loaded.
12559 74. [cleanup] Removed mktemplate.o and ufile.o from libisc.a,
12560 subsumed by file.o.
12562 73. [func] New "file" API in libisc, including new function
12563 isc_file_getmodtime, isc_mktemplate renamed to
12564 isc_file_mktemplate and isc_ufile renamed to
12565 isc_file_openunique. By no means an exhaustive API,
12566 it is just what's needed for now.
12568 72. [func] DNS_RBTFIND_NOPREDECESSOR and DNS_RBTFIND_NOOPTIONS
12569 added for dns_rbt_findnode, the former to disable the
12570 setting of the chain to the predecessor, and the
12571 latter to make clear when no options are set.
12573 71. [cleanup] Made explicit the implicit REQUIREs of
12574 isc_time_seconds, isc_time_nanoseconds, and
12577 70. [func] isc_time_set() added.
12579 69. [bug] The zone object's master and also-notify lists grew
12580 longer with each server reload.
12582 68. [func] Partial support for SIG(0) on incoming messages.
12584 67. [performance] Allow use of alternate (compile-time supplied)
12585 OpenSSL libraries/headers.
12587 66. [func] Data in authoritative zones should have a trust level
12590 65. [cleanup] Removed obsolete typedef of dns_zone_callbackarg_t
12591 from <dns/types.h>.
12593 64. [func] The RBT, DB, and zone table APIs now allow the
12594 caller find the most-enclosing superdomain of
12597 63. [func] Generate NOTIFY messages.
12599 62. [func] Add UDP refresh support.
12601 61. [cleanup] Use single quotes consistently in log messages.
12603 60. [func] Catch and disallow singleton types on message
12606 59. [bug] Cause net/host unreachable to be a hard error
12607 when sending and receiving.
12609 58. [bug] bin/named/query.c could sometimes trigger the
12610 (client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
12611 == 0 assertion in query_newname().
12613 57. [func] Added dns_nxt_typepresent()
12615 56. [bug] SIG records were not properly returned in cached
12618 55. [bug] Responses containing multiple names in the authority
12619 section were not negatively cached.
12621 54. [bug] If a fetch with sigrdataset==NULL joined one with
12622 sigrdataset!=NULL or vice versa, the resolver
12623 could catch an assertion or lose signature data,
12626 53. [port] freebsd 4.0: lib/isc/unix/socket.c requires
12629 52. [bug] rndc: taskmgr and socketmgr were not initialized
12632 51. [cleanup] dns/compress.h and dns/zt.h did not need to include
12633 dns/rbt.h; it was needed only by compress.c and zt.c.
12635 50. [func] RBT deletion no longer requires a valid chain to work,
12636 and dns_rbt_deletenode was added.
12638 49. [func] Each cache now has its own mctx.
12640 48. [func] isc_task_create() no longer takes an mctx.
12641 isc_task_mem() has been eliminated.
12643 47. [func] A number of modules now use memory context reference
12646 46. [func] Memory contexts are now reference counted.
12647 Added isc_mem_inuse() and isc_mem_preallocate().
12648 Renamed isc_mem_destroy_check() to
12649 isc_mem_setdestroycheck().
12651 45. [bug] The trusted-key statement incorrectly loaded keys.
12653 44. [bug] Don't include authority data if it would force us
12654 to unset the AD bit in the message.
12656 43. [bug] DNSSEC verification of cached rdatasets was failing.
12658 42. [cleanup] Simplified logging of messages with embedded domain
12659 names by introducing a new convenience function
12662 41. [func] Use PR_SET_KEEPCAPS on Linux 2.3.99-pre3 and later
12663 to allow 'named' to run as a non-root user while
12664 retaining the ability to bind() to privileged
12667 40. [func] Introduced new logging category "dnssec" and
12668 logging module "dns/validator".
12670 39. [cleanup] Moved the typedefs for isc_region_t, isc_textregion_t,
12671 and isc_lex_t to <isc/types.h>.
12673 38. [bug] TSIG signed incoming zone transfers work now.
12675 37. [bug] If the first RR in an incoming zone transfer was
12676 not an SOA, the server died with an assertion failure
12677 instead of just reporting an error.
12679 36. [cleanup] Change DNS_R_SUCCESS (and others) to ISC_R_SUCCESS
12681 35. [performance] Log messages which are of a level too high to be
12682 logged by any channel in the logging configuration
12683 will not cause the log mutex to be locked.
12685 34. [bug] Recursion was allowed even with 'recursion no'.
12687 33. [func] The RBT now maintains a parent pointer at each node.
12689 32. [cleanup] bin/lwresd/client.c needs <string.h> for memset()
12692 31. [bug] Use ${LIBTOOL} to compile bin/named/main.@O@.
12694 30. [func] config file grammar change to support optional
12695 class type for a view.
12697 29. [func] support new config file view options:
12699 auth-nxdomain recursion query-source
12700 query-source-v6 transfer-source
12701 transfer-source-v6 max-transfer-time-out
12702 max-transfer-idle-out transfer-format
12703 request-ixfr provide-ixfr cleaning-interval
12704 fetch-glue notify rfc2308-type1 lame-ttl
12705 max-ncache-ttl min-roots
12707 28. [func] support lame-ttl, min-roots and serial-queries
12708 config global options.
12710 27. [bug] Only include <netinet6/in6.h> on BSD/OS 4.[01]*.
12711 Including it on other platforms (eg, NetBSD) can
12712 cause a forced #error from the C preprocessor.
12714 26. [func] new match-clients statement in config file view.
12716 25. [bug] make install failed to install <isc/log.h> and
12719 24. [cleanup] Eliminate some unnecessary #includes of header
12720 files from header files.
12722 23. [cleanup] Provide more context in log messages about client
12723 requests, using a new function ns_client_log().
12725 22. [bug] SIGs weren't returned in the answer section when
12726 the query resulted in a fetch.
12728 21. [port] Look at STD_CINCLUDES after CINCLUDES during
12729 compilation, so additional system include directories
12730 can be searched but header files in the bind9 source
12731 tree with conflicting names take precedence. This
12732 avoids issues with installed versions of dnssafe and
12735 20. [func] Configuration file post-load validation of zones
12736 failed if there were no zones.
12738 19. [bug] dns_zone_notifyreceive() failed to unlock the zone
12739 lock in certain error cases.
12741 18. [bug] Use AC_TRY_LINK rather than AC_TRY_COMPILE in
12742 configure.in to check for presence of in6addr_any.
12744 17. [func] Do configuration file post-load validation of zones.
12746 16. [bug] put quotes around key names on config file
12747 output to avoid possible keyword clashes.
12749 15. [func] Add dns_name_dupwithoffsets(). This function is
12750 improves comparison performance for duped names.
12752 14. [bug] free_rbtdb() could have 'put' unallocated memory in
12753 an unlikely error path.
12755 13. [bug] lib/dns/master.c and lib/dns/xfrin.c didn't ignore
12758 12. [bug] Fixed possible uninitialized variable error.
12760 11. [bug] axfr_rrstream_first() didn't check the result code of
12761 db_rr_iterator_first(), possibly causing an assertion
12762 to be triggered later.
12764 10. [bug] A bug in the code which makes EDNS0 OPT records in
12765 bin/named/client.c and lib/dns/resolver.c could
12766 trigger an assertion.
12768 9. [cleanup] replaced bit-setting code in confctx.c and replaced
12769 repeated code with macro calls.
12771 8. [bug] Shutdown of incoming zone transfer accessed
12774 7. [cleanup] removed 'listen-on' from view statement.
12776 6. [bug] quote RR names when generating config file to
12777 prevent possible clash with config file keywords
12780 5. [func] syntax change to named.conf file: new ssu grant/deny
12781 statements must now be enclosed by an 'update-policy'
12784 4. [port] bin/named/unix/os.c didn't compile on systems with
12785 linux 2.3 kernel includes due to conflicts between
12786 C library includes and the kernel includes. We now
12787 get only what we need from <linux/capability.h>, and
12788 avoid pulling in other linux kernel .h files.
12790 3. [bug] TKEYs go in the answer section of responses, not
12791 the additional section.
12793 2. [bug] Generating cryptographic randomness failed on
12794 systems without /dev/random.
12796 1. [bug] The installdirs rule in
12797 lib/isc/unix/include/isc/Makefile.in had a typo which
12798 prevented the isc directory from being created if it
12801 --- 9.0.0b2 released ---
12803 # This tells Emacs to use hard tabs in this file.
12805 # indent-tabs-mode: t