1 4006. [security] A flaw in delegation handling could be exploited
2 to put named into an infinite loop. This has
3 been addressed by placing limits on the number
4 of levels of recursion named will allow (default 7),
5 and the number of iterative queries that it will
6 send (default 50) before terminating a recursive
9 The recursion depth limit is configured via the
10 "max-recursion-depth" option, and the query limit
11 via the "max-recursion-queries" option. [RT #37580]
13 --- 9.8.7 released ---
15 --- 9.8.7rc2 released ---
17 3710. [bug] Address double dns_zone_detach when switching to
18 using automatic empty zones from regular zones.
21 3707. [bug] irs_resconf_load now returns ISC_R_FILENOTFOUND
22 on a missing resolv.conf file and initializes the
23 structure as if it had been configured with:
28 Note: Callers will need to be updated to treat
29 ISC_R_FILENOTFOUND as a qualified success or else
30 they will leak memory. The following code fragment
31 will work with both old and new versions without
32 changing the behaviour of the existing code.
35 result = irs_resconf_load(mctx, "/etc/resolv.conf",
37 if (result != ISC_SUCCESS) {
39 irs_resconf_destroy(&resconf);
45 3706. [contrib] queryperf: Fixed a possible integer overflow when
46 printing results. [RT #35182]
48 3704. [protocol] Accept integer timestamps in RRSIG records. [RT #35185]
50 --- 9.8.7rc1 released ---
52 3701. [func] named-checkconf can now suppress the printing of
53 shared secrets by specifying '-x'. [RT #34465]
55 3698. [cleanup] Replaced all uses of memcpy() with memmove().
58 3697. [bug] Handle "." as a search list element when IDN support
59 is enabled. [RT #35133]
61 3696. [bug] dig failed to handle AXFR style IXFR responses which
62 span multiple messages. [RT #35137]
64 3695. [bug] Address a possible race in dispatch.c. [RT #35107]
66 3694. [bug] Warn when a key-directory is configured for a zone,
67 but does not exist or is not a directory. [RT #35108]
69 3693. [security] memcpy was incorrectly called with overlapping
70 ranges resulting in malformed names being generated
71 on some platforms. This could cause INSIST failures
72 when serving NSEC3 signed zones (CVE-2014-0591).
75 3692. [bug] Two calls to dns_db_getoriginnode were fatal if there
76 was no data at the node. [RT #35080]
78 3689. [bug] Fixed a bug causing an insecure delegation from one
79 static-stub zone to another to fail with a broken
80 trust chain. [RT #35081]
82 --- 9.8.7b1 released ---
84 3688. [bug] loadnode could return a freed node on out of memory.
87 3683. [cleanup] Add a more detailed "not found" message to rndc
88 commands which specify a zone name. [RT #35059]
90 3681. [port] Update the Windows build system to support feature
91 selection and WIN64 builds. This is a work in
94 3679. [bug] dig could fail to clean up TCP sockets still
95 waiting on connect(). [RT #35074]
97 3678. [port] Update config.guess and config.sub. [RT #35060]
99 3677. [bug] 'nsupdate' leaked memory if 'realm' was used multiple
102 3676. [bug] "named-checkconf -z" now checks zones of type
103 hint as well as master. [RT #35046]
105 3675. [misc] Provide a place for third parties to add version
106 information for their extensions in the version
107 file by setting the EXTENSIONS variable.
109 3670. [bug] Address read after free in server side of
110 lwres_getrrsetbyname. [RT #29075]
112 3669. [port] freebsd: --with-gssapi needs -lhx509. [RT #35001]
114 3668. [bug] Fix cast in lex.c which could see 0xff treated as eof.
116 3667. [test] dig: add support to keep the TCP socket open between
117 successive queries (+[no]keepopen). [RT #34918]
119 3664. [bug] Updated OpenSSL PKCS#11 patches to fix active list
120 locking and other bugs. [RT #34855]
122 3663. [bug] Address bugs in dns_rdata_fromstruct and
123 dns_rdata_tostruct for WKS and ISDN types. [RT #34910]
125 3662. [bug] 'host' could die if a UDP query timed out. [RT #34870]
127 3660. [cleanup] Changed the name of "isc-config.sh" to "bind9-config".
130 3658. [port] linux: Address platform specific compilation issue
131 when libcap-devel is installed. [RT #34838]
133 3656. [security] Treat an all zero netmask as invalid when generating
134 the localnets acl. (The prior behavior could
135 allow unexpected matches when using some versions
136 of Winsock: CVE-2013-6320.) [RT #34687]
138 3655. [cleanup] Simplify TCP message processing when requesting a
139 zone transfer. [RT #34825]
141 3654. [bug] Address race condition with manual notify requests.
144 3653. [func] Create delegations for all "children" of empty zones
145 except "forward first". [RT #34826]
147 3651. [tuning] Adjust when a master server is deemed unreachable.
150 3650. [tuning] Use separate rate limiting queues for refresh and
151 notify requests. [RT #30589]
153 3649. [cleanup] Include a comment in .nzf files, giving the name of
154 the associated view. [RT #34765]
156 3648. [test] Updated the ATF test framework to version 0.17.
159 3646. [bug] Journal filename string could be set incorrectly,
160 causing garbage in log messages. [RT #34738]
162 3645. [protocol] Use case sensitive compression when responding to
165 3644. [protocol] Check that EDNS subnet client options are well formed.
168 3641. [bug] Handle changes to sig-validity-interval settings
171 3640. [bug] ndots was not being checked when searching. Only
172 continue searching on NXDOMAIN responses. Add the
173 ability to specify ndots to nslookup. [RT #34711]
175 3639. [bug] Treat type 65533 (KEYDATA) as opaque except when used
176 in a key zone. [RT #34238]
178 --- 9.8.6 released ---
180 3638. [cleanup] Add the ability to handle ENOPROTOOPT in case it is
181 encountered. [RT #34668]
183 --- 9.8.6rc2 released ---
185 3637. [bug] 'allow-query-on' was checking the source address
186 rather than the destination address. [RT #34590]
188 3636. [bug] Automatic empty zones now behave better with
189 forward only "zones" beneath them. [RT #34583]
191 3635. [bug] Signatures were not being removed from a zone with
192 only KSK keys for a algorithm. [RT #34439]
194 3634. [func] Report build-id in rndc status. Report build-id
195 when building from a git repository. [RT #20422]
197 3633. [cleanup] Refactor OPT processing in named to make it easier
198 to support new EDNS options. [RT #34414]
200 3632. [bug] Signature from newly inactive keys were not being
203 3631. [bug] Remove spurious warning about missing signatures when
204 qtype is SIG. [RT #34600]
206 3630. [bug] Ensure correct ID computation for MD5 keys. [RT #33033]
208 3627. [bug] RPZ changes were not effective on slaves. [RT #34450]
210 3625. [bug] Don't send notify messages to machines outside of the
213 --- 9.8.6rc1 released ---
215 3621. [security] Incorrect bounds checking on private type 'keydata'
216 can lead to a remotely triggerable REQUIRE failure
217 (CVE-2013-4854). [RT #34238]
219 3615. [cleanup] "configure" now finishes by printing a summary
220 of optional BIND features and whether they are
221 active or inactive. ("configure --enable-full-report"
222 increases the verbosity of the summary.) [RT #31777]
224 3614. [port] Check for <linux/types.h>. [RT #34162]
226 3611. [bug] Improved resistance to a theoretical authentication
227 attack based on differential timing. [RT #33939]
229 3610. [cleanup] win32: Some executables had been omitted from the
230 installer. [RT #34116]
232 3608. [port] win32: added todos.pl script to ensure all text files
233 the win32 build depends on are converted to DOS
234 newline format. [RT #22067]
236 3607. [bug] dnssec-keygen had broken 'Invalid keyfile' error
239 --- 9.8.6b1 released ---
241 3605. [port] win32: Addressed several compatibility issues
242 with newer versions of Visual Studio. [RT #33916]
244 3603. [bug] Install <isc/stat.h>. [RT #33956]
246 3601. [bug] Added to PKCS#11 openssl patches a value len
247 attribute in DH derive key. [RT #33928]
249 3600. [cleanup] dig: Fixed a typo in the warning output when receiving
250 an oversized response. [RT #33910]
252 3599. [tuning] Check for pointer equivalence in name comparisons.
255 3594. [maint] Update config.guess and config.sub. [RT #33816]
257 3592. [doc] Moved documentation of rndc command options to the
258 rndc man page. [RT #33506]
260 3588. [bug] dig: addressed a memory leak in the sigchase code
261 that could cause a shutdown crash. [RT #33733]
263 3587. [func] 'named -g' now checks the logging configuration but
264 does not use it. [RT #33473]
266 3586. [bug] Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]
268 3584. [security] Caching data from an incompletely signed zone could
269 trigger an assertion failure in resolver.c
270 (CVE-2013-3919). [RT #33690]
272 3583. [bug] Address memory leak in GSS-API processing [RT #33574]
274 3581. [bug] Changed the tcp-listen-queue default to 10. [RT #33029]
276 3580. [bug] Addressed a possible race in acache.c [RT #33602]
278 3579. [maint] Updates to PKCS#11 openssl patches, supporting
279 versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]
281 3578. [bug] 'rndc -c file' now fails if 'file' does not exist.
284 3577. [bug] Handle zero TTL values better. [RT #33411]
286 3576. [bug] Address a shutdown race when validating. [RT #33573]
288 3574. [doc] The 'hostname' keyword was missing from server-id
289 description in the named.conf man page. [RT #33476]
291 3573. [bug] "rndc addzone" and "rndc delzone" incorrectly handled
292 zone names containing punctuation marks and other
293 nonstandard characters. [RT #33419]
295 3571. [bug] Address race condition in dns_client_startresolve().
298 3566. [func] Log when forwarding updates to master. [RT #33240]
300 --- 9.8.5 released ---
302 3568. [cleanup] Add a product description line to the version file,
303 to be reported by named -v/-V. [RT #33366]
305 3567. [bug] Silence clang static analyzer warnings. [RT #33365]
307 3563. [contrib] zone2sqlite failed with some table names. [RT #33375]
309 3561. [bug] dig: issue a warning if an EDNS query returns FORMERR
310 or NOTIMP. Adjust usage message. [RT #33363]
312 --- 9.8.5rc1 released ---
314 3560. [bug] isc-config.sh did not honor includedir and libdir
315 when set via configure. [RT #33345]
317 3559. [func] Check that both forms of Sender Policy Framework
318 records exist or do not exist. [RT #33355]
320 3558. [bug] IXFR of a DLZ stored zone was broken. [RT #33331]
322 3556. [maint] Added AAAA for D.ROOT-SERVERS.NET.
324 3555. [bug] Address theoretical race conditions in acache.c
325 (change #3553 was incomplete). [RT #33252]
327 3553. [bug] Address suspected double free in acache. [RT #33252]
329 3552. [bug] Wrong getopt option string for 'nsupdate -r'.
332 3549. [doc] Documentation for "request-nsid" was missing.
335 3548. [bug] The NSID request code in resolver.c was broken
336 resulting in invalid EDNS options being sent.
339 3547. [bug] Some malformed unknown rdata records were not properly
340 detected and rejected. [RT #33129]
342 3056. [func] Added support for URI resource record. [RT #23386]
344 --- 9.8.5rc1 released ---
346 3546. [func] Add EUI48 and EUI64 types. [RT #33082]
348 3544. [contrib] check5011.pl: Script to report the status of
349 managed keys as recorded in managed-keys.bind.
350 Contributed by Tony Finch <dot@dotat.at>
352 3543. [bug] Update socket structure before attaching to socket
353 manager after accept. [RT #33084]
355 3542. [bug] masterformat system test was broken. [RT #33086]
357 3541. [bug] Parts of libdns were not properly initialized when
358 built in libexport mode. [RT #33028]
360 3540. [test] libt_api: t_info and t_assert were not thread safe.
362 3539. [port] win32: timestamp format didn't match other platforms.
364 3538. [test] Running "make test" now requires loopback interfaces
365 to be set up. [RT #32452]
367 3537. [tuning] Slave zones, when updated, now send NOTIFY messages
368 to peers before being dumped to disk rather than
371 3535. [bug] Minor win32 cleanups. [RT #32962]
373 3534. [bug] Extra text after an embedded NULL was ignored when
374 parsing zone files. [RT #32699]
376 3533. [contrib] query-loc-0.4.0: memory leaks. [RT #32960]
378 3532. [contrib] zkt: fixed buffer overrun, resource leaks. [RT #32960]
380 3531. [bug] win32: A uninitialized value could be returned on out
381 of memory. [RT #32960]
383 3530. [contrib] Better RTT tracking in queryperf. [RT #30128]
385 3526. [cleanup] Set up dependencies for unit tests correctly during
388 3521. [bug] Address memory leak in opensslecdsa_link.c. [RT #32249]
390 3520. [bug] 'mctx' was not being referenced counted in some places
391 where it should have been. [RT #32794]
393 --- 9.8.5b2 released ---
395 3517. [bug] Reorder destruction to avoid shutdown race. [RT #32777]
397 3515. [port] '%T' is not portable in strftime(). [RT #32763]
399 3514. [bug] The ranges for valid key sizes in ddns-confgen and
400 rndc-confgen were too constrained. Keys up to 512
401 bits are now allowed for most algorithms, and up
402 to 1024 bits for hmac-sha384 and hmac-sha512.
405 3509. [cleanup] Added a product line to version file to allow for
406 easy naming of different products (BIND
407 vs BIND ESV, for example). [RT #32755]
409 3508. [contrib] queryperf was incorrectly rejecting the -T option.
412 3503. [doc] Clarify size_spec syntax. [RT #32449]
414 3500. [security] Support NAPTR regular expression validation on
415 all platforms without using libregex, which
416 can be vulnerable to memory exhaustion attack
417 (CVE-2013-2266). [RT #32688]
419 3499. [doc] Corrected ARM documentation of built-in zones.
422 3498. [bug] zone statistics for zones which matched a potential
423 empty zone could have their zone-statistics setting
426 3496. [func] Improvements to RPZ performance. The "response-policy"
427 syntax now includes a "min-ns-dots" clause, with
428 default 1, to exclude top-level domains from
429 NSIP and NSDNAME checking. --enable-rpz-nsip and
430 --enable-rpz-nsdname are now the default. [RT #32251]
432 3489. [bug] --enable-developer now turns on ISC_LIST_CHECKINIT.
433 When cloning a rdataset do not copy the link contents.
436 3488. [bug] Use after free error with DH generated keys. [RT #32649]
438 3487. [bug] Change 3444 was not complete. There was a additional
439 place where the NOQNAME proof needed to be saved.
442 3486. [bug] named could crash when using TKEY-negotiated keys
443 that had been deleted and then recreated. [RT #32506]
445 3485. [cleanup] Only compile openssl_gostlink.c if we support GOST.
447 3481. [cleanup] Removed use of const const in atf.
449 3479. [bug] Address potential memory leaks in gssapi support
452 3478. [port] Fix a build failure in strict C99 environments
455 3474. [bug] nsupdate could assert when the local and remote
456 address families didn't match. [RT #22897]
458 3470. [bug] Slave zones could fail to dump when successfully
459 refreshing after an initial failure. [RT #31276]
461 --- 9.8.5b1 released ---
463 3468. [security] RPZ rules to generate A records (but not AAAA records)
464 could trigger an assertion failure when used in
465 conjunction with DNS64 (CVE-2012-5689). [RT #32141]
467 3467. [bug] Added checks in dnssec-keygen and dnssec-settime
468 to check for delete date < inactive date. [RT #31719]
470 3465. [bug] Handle isolated reserved ports. [RT #31778]
472 3464. [maint] Updates to PKCS#11 openssl patches, supporting
473 versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]
475 3463. [doc] Clarify managed-keys syntax in ARM. [RT #32232]
477 3462. [doc] Clarify server selection behavior of dig when using
478 -4 or -6 options. [RT #32181]
480 3461. [bug] Negative responses could incorrectly have AD=1
483 3458. [bug] Return FORMERR when presented with a overly long
484 domain named in a request. [RT #29682]
486 3457. [protocol] Add ILNP records (NID, LP, L32, L64). [RT #31836]
488 3456. [port] g++47: ATF failed to compile. [RT #32012]
490 3455. [contrib] queryperf: fix getopt option list. [RT #32338]
492 3454. [port] sparc64: improve atomic support. [RT #25182]
494 3452. [bug] Accept duplicate singleton records. [RT #32329]
496 3451. [port] Increase per thread stack size from 64K to 1M.
499 3450. [bug] Stop logfileconfig system test spam system logs.
502 3449. [bug] gen.c: use the pre-processor to construct format
503 strings so that compiler can perform sanity checks;
504 check the snprintf results. [RT #17576]
506 3448. [bug] The allow-query-on ACL was not processed correctly.
509 3447. [port] Add support for libxml2-2.9.x [RT #32231]
511 3446. [port] win32: Add source ID (see change #3400) to build.
514 3445. [bug] Warn about zone files with blank owner names
515 immediately after $ORIGIN directives. [RT #31848]
517 3444. [bug] The NOQNAME proof was not being returned from cached
518 insecure responses. [RT #21409]
520 3443. [bug] ddns-confgen: Some TSIG algorithms were incorrectly
521 rejected when generating keys. [RT #31927]
523 3442. [port] Net::DNS 0.69 introduced a non backwards compatible
526 3441. [maint] D.ROOT-SERVERS.NET is now 199.7.91.13.
528 3440. [bug] Reorder get_key_struct to not trigger a assertion when
529 cleaning up due to out of memory error. [RT #32131]
531 3439. [bug] contrib/dlz error checking fixes. [RT #32102]
533 3438. [bug] Don't accept unknown data escape in quotes. [RT #32031]
535 3437. [bug] isc_buffer_init -> isc_buffer_constinit to initialize
536 buffers with constant data. [RT #32064]
538 3436. [bug] Check malloc/calloc return values. [RT #32088]
540 3435. [bug] Cross compilation support in configure was broken.
543 3431. [bug] ddns-confgen: Some valid key algorithms were
544 not accepted. [RT #31927]
546 3430. [bug] win32: isc_time_formatISO8601 was missing the
547 'T' between the date and time. [RT #32044]
549 3429. [bug] dns_zone_getserial2 could a return success without
550 returning a valid serial. [RT #32007]
552 3428. [cleanup] dig: Add timezone to date output. [RT #2269]
554 3427. [bug] dig +trace incorrectly displayed name server
555 addresses instead of names. [RT #31641]
557 3425. [bug] "acacheentry" reference counting was broken resulting
558 in use after free. [RT #31908]
560 3422. [bug] Added a clear error message for when the SOA does not
561 match the referral. [RT #31281]
563 3421. [bug] Named loops when re-signing if all keys are offline.
566 3420. [bug] Address VPATH compilation issues. [RT #31879]
568 3419. [bug] Memory leak on validation cancel. [RT #31869]
570 3415. [bug] named could die with a REQUIRE failure if a validation
571 was canceled. [RT #31804]
573 3412. [bug] Copy timeval structure from control message data.
576 3411. [tuning] Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
579 3410. [bug] Addressed Coverity warnings. [RT #31626]
581 3409. [contrib] contrib/dane/mkdane.sh: Tool to generate TLSA RR's
582 from X.509 certificates, for use with DANE
583 (DNS-based Authentication of Named Entities).
586 3406. [bug] mem.c: Fix compilation errors when building with
587 ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
588 Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
590 3405. [bug] Handle time going backwards in acache. [RT #31253]
592 3404. [bug] dnssec-signzone: When re-signing a zone, remove
593 RRSIG and NSEC records from nodes that used to be
594 in-zone but are now below a zone cut. [RT #31556]
596 3403. [bug] Silence noisy OpenSSL logging. [RT #31497]
598 3402. [test] The IPv6 interface numbers used for system
599 tests were incorrect on some platforms. [RT #25085]
601 3401. [bug] Addressed Coverity warnings. [RT #31484]
603 3400. [cleanup] "named -V" can now report a source ID string, defined
604 in the "srcid" file in the build tree and normally set
605 to the most recent git hash. [RT #31494]
607 3397. [bug] dig crashed when using +nssearch with +tcp. [RT #25298]
609 3396. [bug] OPT records were incorrectly removed from signed,
610 truncated responses. [RT #31439]
612 3395. [protocol] Add RFC 6598 reverse zones to built in empty zones
613 list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
616 3394. [bug] Adjust 'successfully validated after lower casing
617 signer' log level and category. [RT #31414]
619 3393. [bug] 'host -C' could core dump if REFUSED was received.
622 3391. [bug] A DNSKEY lookup that encountered a CNAME failed.
625 3390. [bug] Silence clang compiler warnings. [RT #30417]
627 3389. [bug] Always return NOERROR (not 0) in TSIG. [RT #31275]
629 3388. [bug] Fixed several Coverity warnings.
630 Note: This change includes a fix for a bug that
631 was subsequently determined to be an exploitable
632 security vulnerability, CVE-2012-5688: named could
633 die on specific queries with dns64 enabled.
636 3386. [bug] Address locking violation when generating new NSEC /
637 NSEC3 chains. [RT #31224]
639 3384. [bug] Improved logging of crypto errors. [RT #30963]
641 3383. [security] A certain combination of records in the RBT could
642 cause named to hang while populating the additional
643 section of a response. [RT #31090]
645 3382. [bug] SOA query from slave used use-v6-udp-ports range,
646 if set, regardless of the address family in use.
649 3381. [contrib] Update queryperf to support more RR types.
652 3380. [bug] named could die if a nonexistent master list was
653 referenced in a also-notify. [RT #31004]
655 3379. [bug] isc_interval_zero and isc_time_epoch should be
656 "const (type)* const". [RT #31069]
658 3378. [bug] Handle missing 'managed-keys-directory' better.
661 3376. [bug] Lack of EDNS support was being recorded without a
662 successful response. [RT #30811]
664 3375. [func] Check that 'rndc dumpdb' works on a empty cache.
667 3374. [bug] isc_parse_uint32 failed to return a range error on
668 systems with 64 bit longs. [RT #30232]
670 3372. [bug] Silence spurious "deleted from unreachable cache"
671 messages. [RT #30501]
673 3371. [bug] AD=1 should behave like DO=1 when deciding whether to
674 add NS RRsets to the additional section or not.
677 --- 9.8.4 released ---
679 3373. [bug] win32: open raw files in binary mode. [RT #30944]
681 3364. [security] Named could die on specially crafted record.
684 --- 9.8.4rc1 released ---
686 3369. [bug] nsupdate terminated unexpectedly in interactive mode
687 if built with readline support. [RT #29550]
689 3368. [bug] <dns/iptable.h> and <dns/zone.h> were not C++ safe.
691 3367. [bug] dns_dnsseckey_create() result was not being checked.
694 3366. [bug] Fixed Read-After-Write dependency violation for IA64
695 atomic operations. [RT #25181]
697 3365. [bug] Removed spurious newlines from log messages in
700 3363. [bug] Need to allow "forward" and "fowarders" options
701 in static-stub zones; this had been overlooked.
704 3362. [bug] Setting some option values to 0 in named.conf
705 could trigger an assertion failure on startup.
708 3360. [bug] 'host -w' could die. [RT #18723]
710 3359. [bug] An improperly-formed TSIG secret could cause a
711 memory leak. [RT #30607]
713 3357. [port] Add support for libxml2-2.8.x [RT #30440]
715 3356. [bug] Cap the TTL of signed RRsets when RRSIGs are
716 approaching their expiry, so they don't remain
717 in caches after expiry. [RT #26429]
719 --- 9.8.4b1 released ---
721 3354. [func] Improve OpenSSL error logging. [RT #29932]
723 3353. [bug] Use a single task for task exclusive operations.
726 3352. [bug] Ensure that learned server attributes timeout of the
727 adb cache. [RT #29856]
729 3351. [bug] isc_mem_put and isc_mem_putanddetach didn't report
730 caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
731 memory debugging flags are set. [RT #30243]
733 3350. [bug] Memory read overrun in isc___mem_reallocate if
734 ISC_MEM_DEBUGCTX memory debugging flag is set.
737 3348. [bug] Prevent RRSIG data from being cached if a negative
738 record matching the covering type exists at a higher
739 trust level. Such data already can't be retrieved from
740 the cache since change 3218 -- this prevents it
741 being inserted into the cache as well. [RT #26809]
743 3347. [bug] dnssec-settime: Issue a warning when writing a new
744 private key file would cause a change in the
745 permissions of the existing file. [RT #27724]
747 3346. [security] Bad-cache data could be used before it was
748 initialized, causing an assert. [RT #30025]
750 3342. [bug] Change #3314 broke saving of stub zones to disk
751 resulting in excessive cpu usage in some cases.
754 3337. [bug] Change #3294 broke support for the multiple keys
755 in controls. [RT #29694]
757 3335. [func] nslookup: return a nonzero exit code when unable
758 to get an answer. [RT #29492]
760 3333. [bug] Setting resolver-query-timeout too low can cause
761 named to not recover if it loses connectivity.
764 3332. [bug] Re-use cached DS rrsets if possible. [RT #29446]
766 3331. [security] dns_rdataslab_fromrdataset could produce bad
767 rdataslabs. [RT #29644]
769 3330. [func] Fix missing signatures on NOERROR results despite
771 - add optional "recursive-only yes|no" to the
772 response-policy statement
773 - add optional "max-policy-ttl" to the response-policy
774 statement to limit the false data that
775 "recursive-only no" can introduce into
777 - add a RPZ performance test to bin/tests/system/rpz
778 when queryperf is available.
779 - the encoding of PASSTHRU action to "rpz-passthru".
780 (The old encoding is still accepted.)
784 3329. [bug] Handle RRSIG signer-name case consistently: We
785 generate RRSIG records with the signer-name in
786 lower case. We accept them with any case, but if
787 they fail to validate, we try again in lower case.
790 3328. [bug] Fixed inconsistent data checking in dst_parse.c.
793 3317. [func] Add ECDSA support (RFC 6605). [RT #21918]
795 --- 9.8.3 released ---
797 3318. [tuning] Reduce the amount of work performed while holding a
798 bucket lock when finished with a fetch context.
801 3314. [bug] The masters list could be updated while stub_callback
802 or refresh_callback were using it. [RT #26732]
804 3313. [protocol] Add TLSA record type. [RT #28989]
806 3312. [bug] named-checkconf didn't detect a bad dns64 clients acl.
809 3311. [bug] Abort the zone dump if zone->db is NULL in
810 zone.c:zone_gotwritehandle. [RT #29028]
812 3310. [test] Increase table size for mutex profiling. [RT #28809]
814 3309. [bug] resolver.c:fctx_finddone() was not thread safe.
817 3307. [bug] Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
820 3306. [bug] Improve DNS64 reverse zone performance. [RT #28563]
822 3305. [func] Add wire format lookup method to sdb. [RT #28563]
824 3304. [bug] Use hmctx, not mctx when freeing rbtdb->heaps.
827 3302. [bug] dns_dnssec_findmatchingkeys could fail to find
828 keys if the zone name contained character that
829 required special mappings. [RT #28600]
831 3301. [contrib] Update queryperf to build on darwin. Add -R flag
832 for non-recursive queries. [RT #28565]
834 3300. [bug] Named could die if gssapi was enabled in named.conf
835 but was not compiled in. [RT #28338]
837 3299. [bug] Make SDB handle errors from database drivers better.
840 3232. [bug] Zero zone->curmaster before return in
841 dns_zone_setmasterswithkeys(). [RT #26732]
843 3183. [bug] Added RTLD_GLOBAL flag to dlopen call. [RT #26301]
845 3197. [bug] Don't try to log the filename and line number when
846 the config parser can't open a file. [RT #22263]
848 --- 9.8.2 released ---
850 3298. [bug] Named could dereference a NULL pointer in
851 zmgr_start_xfrin_ifquota if the zone was being removed.
854 3297. [bug] Named could die on a malformed master file. [RT #28467]
856 3295. [bug] Adjust isc_time_secondsastimet range check to be more
857 portable. [RT # 26542]
859 3294. [bug] isccc/cc.c:table_fromwire failed to free alist on
862 3291. [port] Fixed a build error on systems without ENOTSUP.
865 3290. [bug] <isc/hmacsha.h> was not being installed. [RT #28169]
867 3288. [bug] dlz_destroy() function wasn't correctly registered
868 by the DLZ dlopen driver. [RT #28056]
870 3287. [port] Update ans.pl to work with Net::DNS 0.68. [RT #28028]
872 3286. [bug] Managed key maintenance timer could fail to start
873 after 'rndc reconfig'. [RT #26786]
875 --- 9.8.2rc2 released ---
877 3285. [bug] val-frdataset was incorrectly disassociated in
878 proveunsecure after calling startfinddlvsep.
881 3284. [bug] Address race conditions with the handling of
882 rbtnode.deadlink. [RT #27738]
884 3283. [bug] Raw zones with with more than 512 records in a RRset
885 failed to load. [RT #27863]
887 3282. [bug] Restrict the TTL of NS RRset to no more than that
888 of the old NS RRset when replacing it.
889 [RT #27792] [RT #27884]
891 3281. [bug] SOA refresh queries could be treated as cancelled
892 despite succeeding over the loopback interface.
895 3280. [bug] Potential double free of a rdataset on out of memory
896 with DNS64. [RT #27762]
898 3278. [bug] Make sure automatic key maintenance is started
899 when "auto-dnssec maintain" is turned on during
900 "rndc reconfig". [RT #26805]
902 3276. [bug] win32: ns_os_openfile failed to return NULL on
903 safe_open failure. [RT #27696]
905 3274. [bug] Log when a zone is not reusable. Only set loadtime
906 on successful loads. [RT #27650]
908 3273. [bug] AAAA responses could be returned in the additional
909 section even when filter-aaaa-on-v4 was in use.
912 3271. [port] darwin: mksymtbl is not always stable, loop several
913 times before giving up. mksymtbl was using non
914 portable perl to covert 64 bit hex strings. [RT #27653]
916 3268. [bug] Convert RRSIG expiry times to 64 timestamps to work
917 out the earliest expiry time. [RT #23311]
919 3267. [bug] Memory allocation failures could be mis-reported as
920 unexpected error. New ISC_R_UNSET result code.
923 3266. [bug] The maximum number of NSEC3 iterations for a
924 DNSKEY RRset was not being properly computed.
927 3262. [bug] Signed responses were handled incorrectly by RPZ.
930 --- 9.8.2rc1 released ---
932 3260. [bug] "rrset-order cyclic" could appear not to rotate
933 for some query patterns. [RT #27170/27185]
935 3259. [bug] named-compilezone: Suppress "dump zone to <file>"
936 message when writing to stdout. [RT #27109]
938 3258. [test] Add "forcing full sign with unreadable keys" test.
941 3257. [bug] Do not generate a error message when calling fsync()
942 in a pipe or socket. [RT #27109]
944 3256. [bug] Disable empty zones for lwresd -C. [RT #27139]
946 3254. [bug] Set isc_socket_ipv6only() on the IPv6 control channels.
949 3253. [bug] Return DNS_R_SYNTAX when the input to a text field is
950 too long. [RT #26956]
952 3251. [bug] Enforce a upper bound (65535 bytes) on the amount of
953 memory dns_sdlz_putrr() can allocate per record to
954 prevent run away memory consumption on ISC_R_NOSPACE.
957 3250. [func] 'configure --enable-developer'; turn on various
958 configure options, normally off by default, that
959 we want developers to build and test with. [RT #27103]
961 3249. [bug] Update log message when saving slave zones files for
962 analysis after load failures. [RT #27087]
964 3248. [bug] Configure options --enable-fixed-rrset and
965 --enable-exportlib were incompatible with each
968 3247. [bug] 'raw' format zones failed to preserve load order
969 breaking 'fixed' sort order. [RT #27087]
971 3243. [port] netbsd,bsdi: the thread defaults were not being
974 3241. [bug] Address race conditions in the resolver code.
977 3240. [bug] DNSKEY state change events could be missed. [RT #26874]
979 3239. [bug] dns_dnssec_findmatchingkeys needs to use a consistent
980 timestamp. [RT #26883]
982 3238. [bug] keyrdata was not being reinitialized in
983 lib/dns/rbtdb.c:iszonesecure. [RT#26913]
985 3237. [bug] dig -6 didn't work with +trace. [RT #26906]
987 --- 9.8.2b1 released ---
989 3234. [bug] 'make depend' produced invalid makefiles. [RT #26830]
991 3231. [bug] named could fail to send a incompressible zone.
994 3230. [bug] 'dig axfr' failed to properly handle a multi-message
995 axfr with a serial of 0. [RT #26796]
997 3229. [bug] Fix local variable to struct var assignment
998 found by CLANG warning.
1000 3228. [tuning] Dynamically grow symbol table to improve zone
1001 loading performance. [RT #26523]
1003 3227. [bug] Interim fix to make WKS's use of getprotobyname()
1004 and getservbyname() self thread safe. [RT #26232]
1006 3226. [bug] Address minor resource leakages. [RT #26624]
1008 3221. [bug] Fixed a potential core dump on shutdown due to
1009 referencing fetch context after it's been freed.
1012 3220. [bug] Change #3186 was incomplete; dns_db_rpz_findips()
1013 could fail to set the database version correctly,
1014 causing an assertion failure. [RT #26180]
1016 3218. [security] Cache lookup could return RRSIG data associated with
1017 nonexistent records, leading to an assertion
1018 failure. [RT #26590]
1020 3217. [cleanup] Fix build problem with --disable-static. [RT #26476]
1022 3216. [bug] resolver.c:validated() was not thread-safe. [RT #26478]
1024 3213. [doc] Clarify ixfr-from-differences behavior. [RT #25188]
1026 3212. [bug] rbtdb.c: failed to remove a node from the deadnodes
1027 list prior to adding a reference to it leading a
1028 possible assertion failure. [RT #23219]
1030 3209. [func] Add "dnssec-lookaside 'no'". [RT #24858]
1032 3208. [bug] 'dig -y' handle unknown tsig algorithm better.
1035 3207. [contrib] Fixed build error in Berkeley DB DLZ module. [RT #26444]
1037 3206. [cleanup] Add ISC information to log at start time. [RT #25484]
1039 3204. [bug] When a master server that has been marked as
1040 unreachable sends a NOTIFY, mark it reachable
1043 3203. [bug] Increase log level to 'info' for validation failures
1044 from expired or not-yet-valid RRSIGs. [RT #21796]
1046 3200. [doc] Some rndc functions were undocumented or were
1047 missing from 'rndc -h' output. [RT #25555]
1049 3198. [doc] Clarified that dnssec-settime can alter keyfile
1050 permissions. [RT #24866]
1052 3196. [bug] nsupdate: return nonzero exit code when target zone
1053 doesn't exist. [RT #25783]
1055 3195. [cleanup] Silence "file not found" warnings when loading
1056 managed-keys zone. [RT #26340]
1058 3194. [doc] Updated RFC references in the 'empty-zones-enable'
1059 documentation. [RT #25203]
1061 3193. [cleanup] Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
1062 dnssec.h. [RT #26415]
1064 3192. [bug] A query structure could be used after being freed.
1067 3191. [bug] Print NULL records using "unknown" format. [RT #26392]
1069 3190. [bug] Underflow in error handling in isc_mutexblock_init.
1072 3189. [test] Added a summary report after system tests. [RT #25517]
1074 3188. [bug] zone.c:zone_refreshkeys() could fail to detach
1075 references correctly when errors occurred, causing
1076 a hang on shutdown. [RT #26372]
1078 3187. [port] win32: support for Visual Studio 2008. [RT #26356]
1080 3186. [bug] Version/db mis-match in rpz code. [RT #26180]
1082 3179. [port] kfreebsd: build issues. [RT #26273]
1084 3175. [bug] Fix how DNSSEC positive wildcard responses from a
1085 NSEC3 signed zone are validated. Stop sending a
1086 unnecessary NSEC3 record when generating such
1087 responses. [RT #26200]
1089 3174. [bug] Always compute to revoked key tag from scratch.
1092 3173. [port] Correctly validate root DS responses. [RT #25726]
1094 3171. [bug] Exclusively lock the task when adding a zone using
1095 'rndc addzone'. [RT #25600]
1097 3170. [func] RPZ update:
1098 - fix precedence among competing rules
1099 - improve ARM text including documenting rule precedence
1100 - try to rewrite CNAME chains until first hit
1101 - new "rpz" logging channel
1102 - RDATA for CNAME rules can include wildcards
1103 - replace "NO-OP" named.conf policy override with
1104 "PASSTHRU" and add "DISABLED" override ("NO-OP"
1105 is still recognized)
1108 3169. [func] Catch db/version mis-matches when calling dns_db_*().
1111 3167. [bug] Negative answers from forwarders were not being
1112 correctly tagged making them appear to not be cached.
1115 3162. [test] start.pl: modified to allow for "named.args" in
1116 ns*/ subdirectory to override stock arguments to
1117 named. Largely from RT#26044, but no separate ticket.
1119 3161. [bug] zone.c:del_sigs failed to always reset rdata leading
1120 assertion failures. [RT #25880]
1122 3157. [tuning] Reduce the time spent in "rndc reconfig" by parsing
1123 the config file before pausing the server. [RT #21373]
1125 3155. [bug] Fixed a build failure when using contrib DLZ
1126 drivers (e.g., mysql, postgresql, etc). [RT #25710]
1128 3154. [bug] Attempting to print an empty rdataset could trigger
1129 an assert. [RT #25452]
1131 3152. [cleanup] Some versions of gcc and clang failed due to
1132 incorrect use of __builtin_expect. [RT #25183]
1134 3151. [bug] Queries for type RRSIG or SIG could be handled
1135 incorrectly. [RT #21050]
1137 3148. [bug] Processing of normal queries could be stalled when
1138 forwarding a UPDATE message. [RT #24711]
1140 3146. [test] Fixed gcc4.6.0 errors in ATF. [RT #25598]
1142 3145. [test] Capture output of ATF unit tests in "./atf.out" if
1143 there were any errors while running them. [RT #25527]
1145 3144. [bug] dns_dbiterator_seek() could trigger an assert when
1146 used with a nonexistent database node. [RT #25358]
1148 3143. [bug] Silence clang compiler warnings. [RT #25174]
1150 3139. [test] Added tests from RFC 6234, RFC 2202, and RFC 1321
1151 for the hashing algorithms (md5, sha1 - sha512, and
1152 their hmac counterparts). [RT #25067]
1154 --- 9.8.1 released ---
1156 --- 9.8.1rc1 released ---
1158 3141. [bug] Silence spurious "zone serial (0) unchanged" messages
1159 associated with empty zones. [RT #25079]
1161 3138. [bug] Address memory leaks and out-of-order operations when
1162 shutting named down. [RT #25210]
1164 3136. [func] Add RFC 1918 reverse zones to the list of built-in
1165 empty zones switched on by the 'empty-zones-enable'
1168 Note: empty-zones-enable must be "yes;" or a empty
1169 zone needs to be disabled in named.conf for RFC 1918
1170 zones to be activated. This requirement may be
1171 removed in future releases.
1173 3135. [port] FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
1174 See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
1177 3134. [bug] Improve the accuracy of dnssec-signzone's signing
1178 statistics. [RT #16030]
1180 --- 9.8.1b3 released ---
1182 3133. [bug] Change #3114 was incomplete. [RT #24577]
1184 3131. [tuning] Improve scalability by allocating one zone task
1185 per 100 zones at startup time, rather than using a
1186 fixed-size task table. [RT #24406]
1188 3129. [bug] Named could crash on 'rndc reconfig' when
1189 allow-new-zones was set to yes and named ACLs
1190 were used. [RT #22739]
1192 --- 9.8.1b2 released ---
1194 3126. [security] Using DNAME record to generate replacements caused
1195 RPZ to exit with a assertion failure. [RT #24766]
1197 3125. [security] Using wildcard CNAME records as a replacement with
1198 RPZ caused named to exit with a assertion failure.
1201 3124. [bug] Use an rdataset attribute flag to indicate
1202 negative-cache records rather than using rrtype 0;
1203 this will prevent problems when that rrtype is
1204 used in actual DNS packets. [RT #24777]
1206 3123. [security] Change #2912 exposed a latent flaw in
1207 dns_rdataset_totext() that could cause named to
1208 crash with an assertion failure. [RT #24777]
1210 3122. [cleanup] dnssec-settime: corrected usage message. [RT #24664]
1212 3121. [security] An authoritative name server sending a negative
1213 response containing a very large RRset could
1214 trigger an off-by-one error in the ncache code
1215 and crash named. [RT #24650]
1217 3120. [bug] Named could fail to validate zones listed in a DLV
1218 that validated insecure without using DLV and had
1219 DS records in the parent zone. [RT #24631]
1221 3119. [bug] When rolling to a new DNSSEC key, a private-type
1222 record could be created and never marked complete.
1225 3118. [bug] nsupdate could dump core on shutdown when using
1226 SIG(0) keys. [RT #24604]
1228 3117. [cleanup] Remove doc and parser references to the
1229 never-implemented 'auto-dnssec create' option.
1232 3115. [bug] Named could fail to return requested data when
1233 following a CNAME that points into the same zone.
1236 3114. [bug] Retain expired RRSIGs in dynamic zones if key is
1237 inactive and there is no replacement key. [RT #23136]
1239 3113. [doc] Document the relationship between serial-query-rate
1240 and NOTIFY messages.
1242 --- 9.8.1b1 released ---
1244 3112. [doc] Add missing descriptions of the update policy name
1245 types "ms-self", "ms-subdomain", "krb5-self" and
1246 "krb5-subdomain", which allow machines to update
1247 their own records, to the BIND 9 ARM.
1249 3111. [bug] Improved consistency checks for dnssec-enable and
1250 dnssec-validation, added test cases to the
1251 checkconf system test. [RT #24398]
1253 3110. [bug] dnssec-signzone: Wrong error message could appear
1254 when attempting to sign with no KSK. [RT #24369]
1256 3107. [bug] dnssec-signzone: Report the correct number of ZSKs
1257 when using -x. [RT #20852]
1259 3105. [bug] GOST support can be suppressed by "configure
1260 --without-gost" [RT #24367]
1262 3104. [bug] Better support for cross-compiling. [RT #24367]
1264 3103. [bug] Configuring 'dnssec-validation auto' in a view
1265 instead of in the options statement could trigger
1266 an assertion failure in named-checkconf. [RT #24382]
1268 3101. [bug] Zones using automatic key maintenance could fail
1269 to check the key repository for updates. [RT #23744]
1271 3100. [security] Certain response policy zone configurations could
1272 trigger an INSIST when receiving a query of type
1275 3099. [test] "dlz" system test now runs but gives R:SKIPPED if
1276 not compiled with --with-dlz-filesystem. [RT #24146]
1278 3098. [bug] DLZ zones were answering without setting the AA bit.
1281 3097. [test] Add a tool to test handling of malformed packets.
1284 3096. [bug] Set KRB5_KTNAME before calling log_cred() in
1285 dst_gssapi_acceptctx(). [RT #24004]
1287 3095. [bug] Handle isolated reserved ports in the port range.
1290 3094. [doc] Expand dns64 documentation.
1292 3093. [bug] Fix gssapi/kerberos dependencies [RT #23836]
1294 3092. [bug] Signatures for records at the zone apex could go
1295 stale due to an incorrect timer setting. [RT #23769]
1297 3091. [bug] Fixed a bug in which zone keys that were published
1298 and then subsequently activated could fail to trigger
1299 automatic signing. [RT #22911]
1301 3090. [func] Make --with-gssapi default [RT #23738]
1303 3088. [bug] Remove bin/tests/system/logfileconfig/ns1/named.conf
1304 and add setup.sh in order to resolve changing
1305 named.conf issue. [RT #23687]
1307 3087. [bug] DDNS updates using SIG(0) with update-policy match
1308 type "external" could cause a crash. [RT #23735]
1310 3086. [bug] Running dnssec-settime -f on an old-style key will
1311 now force an update to the new key format even if no
1312 other change has been specified, using "-P now -A now"
1313 as default values. [RT #22474]
1315 3083. [bug] NOTIFY messages were not being sent when generating
1316 a NSEC3 chain incrementally. [RT #23702]
1318 3082. [port] strtok_r is threads only. [RT #23747]
1320 3081. [bug] Failure of DNAME substitution did not return
1321 YXDOMAIN. [RT #23591]
1323 3080. [cleanup] Replaced compile time constant by STDTIME_ON_32BITS.
1326 3079. [bug] Handle isc_event_allocate failures in t_tasks.
1329 3078. [func] Added a new include file with function typedefs
1330 for the DLZ "dlopen" driver. [RT #23629]
1332 3077. [bug] zone.c:zone_refreshkeys() incorrectly called
1333 dns_zone_attach(), use zone->irefs instead. [RT #23303]
1335 3075. [bug] dns_dnssec_findzonekeys{2} used a inconsistent
1336 timestamp when determining which keys are active.
1339 3074. [bug] Make the adb cache read through for zone data and
1340 glue learn for zone named is authoritative for.
1343 3073. [bug] managed-keys changes were not properly being recorded.
1346 3072. [bug] dns_dns64_aaaaok() potential NULL pointer dereference.
1349 3071. [bug] has_nsec could be used uninitialized in
1350 update.c:next_active. [RT #20256]
1352 3070. [bug] dnssec-signzone potential NULL pointer dereference.
1355 3069. [cleanup] Silence warnings messages from clang static analysis.
1358 3068. [bug] Named failed to build with a OpenSSL without engine
1359 support. [RT #23473]
1361 3067. [bug] ixfr-from-differences {master|slave}; failed to
1362 select the master/slave zones. [RT #23580]
1364 3066. [func] The DLZ "dlopen" driver is now built by default,
1365 no longer requiring a configure option. To
1366 disable it, use "configure --without-dlopen".
1367 (Note: driver not supported on win32.) [RT #23467]
1369 3065. [bug] RRSIG could have time stamps too far in the future.
1372 3064. [bug] powerpc: add sync instructions to the end of atomic
1373 operations. [RT #23469]
1375 3063. [contrib] More verbose error reporting from DLZ LDAP. [RT #23402]
1377 3059. [test] Added a regression test for change #3023.
1379 3058. [bug] Cause named to terminate at startup or rndc reconfig/
1380 reload to fail, if a log file specified in the conf
1381 file isn't a plain file. [RT #22771]
1383 3057. [bug] "rndc secroots" would abort after the first error
1384 and so could miss some views. [RT #23488]
1386 3054. [bug] Added elliptic curve support check in
1387 GOST OpenSSL engine detection. [RT #23485]
1389 3053. [bug] Under a sustained high query load with a finite
1390 max-cache-size, it was possible for cache memory
1391 to be exhausted and not recovered. [RT #23371]
1393 3052. [test] Fixed last autosign test report. [RT #23256]
1395 3051. [bug] NS records obscure DNAME records at the bottom of the
1396 zone if both are present. [RT #23035]
1398 3050. [bug] The autosign system test was timing dependent.
1399 Wait for the initial autosigning to complete
1400 before running the rest of the test. [RT #23035]
1402 3049. [bug] Save and restore the gid when creating creating
1403 named.pid at startup. [RT #23290]
1405 3048. [bug] Fully separate view key management. [RT #23419]
1407 3047. [bug] DNSKEY NODATA responses not cached fixed in
1408 validator.c. Tests added to dnssec system test.
1411 3046. [bug] Use RRSIG original TTL to compute validated RRset
1412 and RRSIG TTL. [RT #23332]
1414 3044. [bug] Hold the socket manager lock while freeing the socket.
1417 3043. [test] Merged in the NetBSD ATF test framework (currently
1418 version 0.12) for development of future unit tests.
1419 Use configure --with-atf to build ATF internally
1420 or configure --with-atf=prefix to use an external
1423 3042. [bug] dig +trace could fail attempting to use IPv6
1424 addresses on systems with only IPv4 connectivity.
1427 3041. [bug] dnssec-signzone failed to generate new signatures on
1428 ttl changes. [RT #23330]
1430 3040. [bug] Named failed to validate insecure zones where a node
1431 with a CNAME existed between the trust anchor and the
1432 top of the zone. [RT #23338]
1434 3038. [bug] Install <dns/rpz.h>. [RT #23342]
1436 3037. [doc] Update COPYRIGHT to contain all the individual
1437 copyright notices that cover various parts.
1439 3036. [bug] Check built-in zone arguments to see if the zone
1440 is re-usable or not. [RT #21914]
1442 3035. [cleanup] Simplify by using strlcpy. [RT #22521]
1444 3034. [cleanup] nslookup: use strlcpy instead of safecopy. [RT #22521]
1446 3033. [cleanup] Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).
1449 3032. [bug] rdatalist.c: add missing REQUIREs. [RT #22521]
1451 3031. [bug] dns_rdataclass_format() handle a zero sized buffer.
1454 3030. [bug] dns_rdatatype_format() handle a zero sized buffer.
1457 3029. [bug] isc_netaddr_format() handle a zero sized buffer.
1460 3028. [bug] isc_sockaddr_format() handle a zero sized buffer.
1463 3027. [bug] Add documented REQUIREs to cfg_obj_asnetprefix() to
1464 catch NULL pointer dereferences before they happen.
1467 3026. [bug] lib/isc/httpd.c: check that we have enough space
1468 after calling grow_headerspace() and if not
1469 re-call grow_headerspace() until we do. [RT #22521]
1471 --- 9.8.0 released ---
1473 3025. [bug] Fixed a possible deadlock due to zone resigning.
1476 3024. [func] RTT Banding removed due to minor security increase
1477 but major impact on resolver latency. [RT #23310]
1479 3023. [bug] Named could be left in an inconsistent state when
1480 receiving multiple AXFR response messages that were
1481 not all TSIG-signed. [RT #23254]
1483 3022. [bug] Fixed rpz SERVFAILs after failed zone transfers
1486 3021. [bug] Change #3010 was incomplete. [RT #22296]
1488 3020. [bug] auto-dnssec failed to correctly update the zone when
1489 changing the DNSKEY RRset. [RT #23232]
1491 3019. [test] Test: check apex NSEC3 records after adding DNSKEY
1492 record via UPDATE. [RT #23229]
1494 --- 9.8.0rc1 released ---
1496 3018. [bug] Named failed to check for the "none;" acl when deciding
1497 if a zone may need to be re-signed. [RT #23120]
1499 3017. [doc] dnssec-keyfromlabel -I was not properly documented.
1502 3016. [bug] rndc usage missing '-b'. [RT #22937]
1504 3015. [port] win32: fix IN6_IS_ADDR_LINKLOCAL and
1505 IN6_IS_ADDR_SITELOCAL macros. [RT #22724]
1507 3013. [bug] The DNS64 ttl was not always being set as expected.
1510 3012. [bug] Remove DNSKEY TTL change pairs before generating
1511 signing records for any remaining DNSKEY changes.
1514 3011. [func] Allow setting this in named.conf using the new
1515 'resolver-query-timeout' option, which specifies a max
1516 time in seconds. 0 means 'default' and anything longer
1517 than 30 will be silently set to 30. [RT #22852]
1519 3010. [bug] Fixed a bug where "rndc reconfig" stopped the timer
1520 for refreshing managed-keys. [RT #22296]
1522 3009. [bug] clients-per-query code didn't work as expected with
1523 particular query patterns. [RT #22972]
1525 --- 9.8.0b1 released ---
1527 3008. [func] Response policy zones (RPZ) support. [RT #21726]
1529 3007. [bug] Named failed to preserve the case of domain names in
1530 rdata which is not compressible when writing master
1533 3006. [func] Allow dynamically generated TSIG keys to be preserved
1534 across restarts of named. Initially this is for
1535 TSIG keys generated using GSSAPI. [RT #22639]
1537 3005. [port] Solaris: Work around the lack of
1538 gsskrb5_register_acceptor_identity() by setting
1539 the KRB5_KTNAME environment variable to the
1540 contents of tkey-gssapi-keytab. Also fixed
1541 test errors on MacOSX. [RT #22853]
1543 3004. [func] DNS64 reverse support. [RT #22769]
1545 3003. [experimental] Added update-policy match type "external",
1546 enabling named to defer the decision of whether to
1547 allow a dynamic update to an external daemon.
1548 (Contributed by Andrew Tridgell.) [RT #22758]
1550 3002. [bug] isc_mutex_init_errcheck() failed to destroy attr.
1553 3001. [func] Added a default trust anchor for the root zone, which
1554 can be switched on by setting "dnssec-validation auto;"
1555 in the named.conf options. [RT #21727]
1557 3000. [bug] More TKEY/GSS fixes:
1558 - nsupdate can now get the default realm from
1559 the user's Kerberos principal
1560 - corrected gsstest compilation flags
1561 - improved documentation
1562 - fixed some NULL dereferences
1565 2999. [func] Add GOST support (RFC 5933). [RT #20639]
1567 2998. [func] Add isc_task_beginexclusive and isc_task_endexclusive
1568 to the task api. [RT #22776]
1570 2997. [func] named -V now reports the OpenSSL and libxml2 verions
1571 it was compiled against. [RT #22687]
1573 2996. [security] Temporarily disable SO_ACCEPTFILTER support.
1576 2995. [bug] The Kerberos realm was not being correctly extracted
1577 from the signer's identity. [RT #22770]
1579 2994. [port] NetBSD: use pthreads by default on NetBSD >= 5.0, and
1580 do not use threads on earlier versions. Also kill
1581 the unproven-pthreads, mit-pthreads, and ptl2 support.
1583 2993. [func] Dynamically grow adb hash tables. [RT #21186]
1585 2992. [contrib] contrib/check-secure-delegation.pl: A simple tool
1586 for looking at a secure delegation. [RT #22059]
1588 2991. [contrib] contrib/zone-edit.sh: A simple zone editing tool for
1589 dynamic zones. [RT #22365]
1591 2990. [bug] 'dnssec-settime -S' no longer tests prepublication
1592 interval validity when the interval is set to 0.
1595 2989. [func] Added support for writable DLZ zones. (Contributed
1596 by Andrew Tridgell of the Samba project.) [RT #22629]
1598 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation
1599 of external DLZ drivers that can be loaded as
1600 shared objects at runtime rather than linked with
1601 named. Currently this is switched on via a
1602 compile-time option, "configure --with-dlz-dlopen".
1603 Note: the syntax for configuring DLZ zones
1604 is likely to be refined in future releases.
1605 (Contributed by Andrew Tridgell of the Samba
1606 project.) [RT #22629]
1608 2987. [func] Improve ease of configuring TKEY/GSS updates by
1609 adding a "tkey-gssapi-keytab" option. If set,
1610 updates will be allowed with any key matching
1611 a principal in the specified keytab file.
1612 "tkey-gssapi-credential" is no longer required
1613 and is expected to be deprecated. (Contributed
1614 by Andrew Tridgell of the Samba project.)
1617 2986. [func] Add new zone type "static-stub". It's like a stub
1618 zone, but the nameserver names and/or their IP
1619 addresses are statically configured. [RT #21474]
1621 2985. [bug] Add a regression test for change #2896. [RT #21324]
1623 2984. [bug] Don't run MX checks when the target of the MX record
1626 2983. [bug] Include "loadkeys" in rndc help output. [RT #22493]
1628 --- 9.8.0a1 released ---
1630 2982. [bug] Reference count dst keys. dst_key_attach() can be used
1631 increment the reference count.
1633 Note: dns_tsigkey_createfromkey() callers should now
1634 always call dst_key_free() rather than setting it
1635 to NULL on success. [RT #22672]
1637 2981. [func] Partial DNS64 support (AAAA synthesis). [RT #21991]
1639 2980. [bug] named didn't properly handle UPDATES that changed the
1640 TTL of the NSEC3PARAM RRset. [RT #22363]
1642 2979. [bug] named could deadlock during shutdown if two
1643 "rndc stop" commands were issued at the same
1646 2978. [port] hpux: look for <devpoll.h> [RT #21919]
1648 2977. [bug] 'nsupdate -l' report if the session key is missing.
1651 2976. [bug] named could die on exit after negotiating a GSS-TSIG
1654 2975. [bug] rbtdb.c:cleanup_dead_nodes_callback() acquired the
1655 wrong lock which could lead to server deadlock.
1658 2974. [bug] Some valid UPDATE requests could fail due to a
1659 consistency check examining the existing version
1660 of the zone rather than the new version resulting
1661 from the UPDATE. [RT #22413]
1663 2973. [bug] bind.keys.h was being removed by the "make clean"
1664 at the end of configure resulting in build failures
1665 where there is very old version of perl installed.
1666 Move it to "make maintainer-clean". [RT #22230]
1668 2972. [bug] win32: address windows socket errors. [RT #21906]
1670 2971. [bug] Fixed a bug that caused journal files not to be
1671 compacted on Windows systems as a result of
1672 non-POSIX-compliant rename() semantics. [RT #22434]
1674 2970. [security] Adding a NO DATA negative cache entry failed to clear
1675 any matching RRSIG records. A subsequent lookup of
1676 of NO DATA cache entry could trigger a INSIST when the
1677 unexpected RRSIG was also returned with the NO DATA
1680 CVE-2010-3613, VU#706148. [RT #22288]
1682 2969. [security] Fix acl type processing so that allow-query works
1683 in options and view statements. Also add a new
1684 set of tests to verify proper functioning.
1686 CVE-2010-3615, VU#510208. [RT #22418]
1688 2968. [security] Named could fail to prove a data set was insecure
1689 before marking it as insecure. One set of conditions
1690 that can trigger this occurs naturally when rolling
1693 CVE-2010-3614, VU#837744. [RT #22309]
1695 2967. [bug] 'host -D' now turns on debugging messages earlier.
1698 2966. [bug] isc_print_vsnprintf() failed to check if there was
1699 space available in the buffer when adding a left
1700 justified character with a non zero width,
1701 (e.g. "%-1c"). [RT #22270]
1703 2965. [func] Test HMAC functions using test data from RFC 2104 and
1704 RFC 4634. [RT #21702]
1708 2963. [security] The allow-query acl was being applied instead of the
1709 allow-query-cache acl to cache lookups. [RT #22114]
1711 2962. [port] win32: add more dependencies to BINDBuild.dsw.
1714 2961. [bug] Be still more selective about the non-authoritative
1715 answers we apply change 2748 to. [RT #22074]
1717 2960. [func] Check that named accepts non-authoritative answers.
1720 2959. [func] Check that named starts with a missing masterfile.
1723 2958. [bug] named failed to start with a missing master file.
1726 2957. [bug] entropy_get() and entropy_getpseudo() failed to match
1727 the API for RAND_bytes() and RAND_pseudo_bytes()
1728 respectively. [RT #21962]
1730 2956. [port] Enable atomic operations on the PowerPC64. [RT #21899]
1732 2955. [func] Provide more detail in the recursing log. [RT #22043]
1734 2954. [bug] contrib: dlz_mysql_driver.c bad error handling on
1735 build_sqldbinstance failure. [RT #21623]
1737 2953. [bug] Silence spurious "expected covering NSEC3, got an
1738 exact match" message when returning a wildcard
1739 no data response. [RT #21744]
1741 2952. [port] win32: named-checkzone and named-checkconf failed
1742 to initialize winsock. [RT #21932]
1744 2951. [bug] named failed to generate a correct signed response
1745 in a optout, delegation only zone with no secure
1746 delegations. [RT #22007]
1748 2950. [bug] named failed to perform a SOA up to date check when
1749 falling back to TCP on UDP timeouts when
1750 ixfr-from-differences was set. [RT #21595]
1752 2949. [bug] dns_view_setnewzones() contained a memory leak if
1753 it was called multiple times. [RT #21942]
1755 2948. [port] MacOS: provide a mechanism to configure the test
1756 interfaces at reboot. See bin/tests/system/README
1761 2946. [doc] Document the default values for the minimum and maximum
1762 zone refresh and retry values in the ARM. [RT #21886]
1764 2945. [doc] Update empty-zones list in ARM. [RT #21772]
1766 2944. [maint] Remove ORCHID prefix from built in empty zones.
1769 2943. [func] Add support to load new keys into managed zones
1770 without signing immediately with "rndc loadkeys".
1771 Add support to link keys with "dnssec-keygen -S"
1772 and "dnssec-settime -S". [RT #21351]
1774 2942. [contrib] zone2sqlite failed to setup the entropy sources.
1777 2941. [bug] sdb and sdlz (dlz's zone database) failed to support
1778 DNAME at the zone apex. [RT #21610]
1780 2940. [port] Remove connection aborted error message on
1781 Windows. [RT #21549]
1783 2939. [func] Check that named successfully skips NSEC3 records
1784 that fail to match the NSEC3PARAM record currently
1787 2938. [bug] When generating signed responses, from a signed zone
1788 that uses NSEC3, named would use a uninitialized
1789 pointer if it needed to skip a NSEC3 record because
1790 it didn't match the selected NSEC3PARAM record for
1793 2937. [bug] Worked around an apparent race condition in over
1794 memory conditions. Without this fix a DNS cache DB or
1795 ADB could incorrectly stay in an over memory state,
1796 effectively refusing further caching, which
1797 subsequently made a BIND 9 caching server unworkable.
1798 This fix prevents this problem from happening by
1799 polling the state of the memory context, rather than
1800 making a copy of the state, which appeared to cause
1801 a race. This is a "workaround" in that it doesn't
1802 solve the possible race per se, but several experiments
1803 proved this change solves the symptom. Also, the
1804 polling overhead hasn't been reported to be an issue.
1805 This bug should only affect a caching server that
1806 specifies a finite max-cache-size. It's also quite
1807 likely that the bug happens only when enabling threads,
1808 but it's not confirmed yet. [RT #21818]
1810 2936. [func] Improved configuration syntax and multiple-view
1811 support for addzone/delzone feature (see change
1812 #2930). Removed "new-zone-file" option, replaced
1813 with "allow-new-zones (yes|no)". The new-zone-file
1814 for each view is now created automatically, with
1815 a filename generated from a hash of the view name.
1816 It is no longer necessary to "include" the
1817 new-zone-file in named.conf; this happens
1818 automatically. Zones that were not added via
1819 "rndc addzone" can no longer be removed with
1820 "rndc delzone". [RT #19447]
1822 2935. [bug] nsupdate: improve 'file not found' error message.
1825 2934. [bug] Use ANSI C compliant shift range in lib/isc/entropy.c.
1828 2933. [bug] 'dig +nsid' used stack memory after it went out of
1829 scope. This could potentially result in a unknown,
1830 potentially malformed, EDNS option being sent instead
1831 of the desired NSID option. [RT #21781]
1833 2932. [cleanup] Corrected a numbering error in the "dnssec" test.
1836 2931. [bug] Temporarily and partially disable change 2864
1837 because it would cause infinite attempts of RRSIG
1838 queries. This is an urgent care fix; we'll
1839 revisit the issue and complete the fix later.
1842 2930. [experimental] New "rndc addzone" and "rndc delzone" commands
1843 allow dynamic addition and deletion of zones.
1844 To enable this feature, specify a "new-zone-file"
1845 option at the view or options level in named.conf.
1846 Zone configuration information for the new zones
1847 will be written into that file. To make the new
1848 zones persist after a restart, "include" the file
1849 into named.conf in the appropriate view. (Note:
1850 This feature is not yet documented, and its syntax
1851 is expected to change.) [RT #19447]
1853 2929. [bug] Improved handling of GSS security contexts:
1854 - added LRU expiration for generated TSIGs
1855 - added the ability to use a non-default realm
1856 - added new "realm" keyword in nsupdate
1857 - limited lifetime of generated keys to 1 hour
1858 or the lifetime of the context (whichever is
1862 2928. [bug] Be more selective about the non-authoritative
1863 answer we apply change 2748 to. [RT #21594]
1869 2925. [bug] Named failed to accept uncachable negative responses
1870 from insecure zones. [RT# 21555]
1872 2924. [func] 'rndc secroots' dump a combined summary of the
1873 current managed keys combined with trusted keys.
1876 2923. [bug] 'dig +trace' could drop core after "connection
1877 timeout". [RT #21514]
1879 2922. [contrib] Update zkt to version 1.0.
1881 2921. [bug] The resolver could attempt to destroy a fetch context
1882 too soon. [RT #19878]
1884 2920. [func] Allow 'filter-aaaa-on-v4' to be applied selectively
1885 to IPv4 clients. New acl 'filter-aaaa' (default any).
1887 2919. [func] Add autosign-ksk and autosign-zsk virtual time tests.
1890 2918. [maint] Add AAAA address for I.ROOT-SERVERS.NET.
1892 2917. [func] Virtual time test framework. [RT #20801]
1894 2916. [func] Add framework to use IPv6 in tests.
1895 fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7
1897 2915. [cleanup] Be smarter about which objects we attempt to compile
1898 based on configure options. [RT #21444]
1900 2914. [bug] Make the "autosign" system test more portable.
1903 2913. [func] Add pkcs#11 system tests. [RT #20784]
1905 2912. [func] Windows clients don't like UPDATE responses that clear
1906 the zone section. [RT #20986]
1908 2911. [bug] dnssec-signzone didn't handle out of zone records well.
1911 2910. [func] Sanity check Kerberos credentials. [RT #20986]
1913 2909. [bug] named-checkconf -p could die if "update-policy local;"
1914 was specified in named.conf. [RT #21416]
1916 2908. [bug] It was possible for re-signing to stop after removing
1917 a DNSKEY. [RT #21384]
1919 2907. [bug] The export version of libdns had undefined references.
1922 2906. [bug] Address RFC 5011 implementation issues. [RT #20903]
1924 2905. [port] aix: set use_atomic=yes with native compiler.
1927 2904. [bug] When using DLV, sub-zones of the zones in the DLV,
1928 could be incorrectly marked as insecure instead of
1929 secure leading to negative proofs failing. This was
1930 a unintended outcome from change 2890. [RT# 21392]
1932 2903. [bug] managed-keys-directory missing from namedconf.c.
1935 2902. [func] Add regression test for change 2897. [RT #21040]
1937 2901. [port] Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]
1939 2900. [bug] The placeholder negative caching element was not
1940 properly constructed triggering a INSIST in
1941 dns_ncache_towire(). [RT #21346]
1943 2899. [port] win32: Support linking against OpenSSL 1.0.0.
1945 2898. [bug] nslookup leaked memory when -domain=value was
1946 specified. [RT #21301]
1948 2897. [bug] NSEC3 chains could be left behind when transitioning
1949 to insecure. [RT #21040]
1951 2896. [bug] "rndc sign" failed to properly update the zone
1952 when adding a DNSKEY for publication only. [RT #21045]
1954 2895. [func] genrandom: add support for the generation of multiple
1957 2894. [contrib] DLZ LDAP support now use '$' not '%'. [RT #21294]
1959 2893. [bug] Improve managed keys support. New named.conf option
1960 managed-keys-directory. [RT #20924]
1962 2892. [bug] Handle REVOKED keys better. [RT #20961]
1964 2891. [maint] Update empty-zones list to match
1965 draft-ietf-dnsop-default-local-zones-13. [RT# 21099]
1967 2890. [bug] Handle the introduction of new trusted-keys and
1968 DS, DLV RRsets better. [RT #21097]
1970 2889. [bug] Elements of the grammar where not properly reported.
1973 2888. [bug] Only the first EDNS option was displayed. [RT #21273]
1975 2887. [bug] Report the keytag times in UTC in the .key file,
1976 local time is presented as a comment within the
1977 comment. [RT #21223]
1979 2886. [bug] ctime() is not thread safe. [RT #21223]
1981 2885. [bug] Improve -fno-strict-aliasing support probing in
1982 configure. [RT #21080]
1984 2884. [bug] Insufficient validation in dns_name_getlabelsequence().
1987 2883. [bug] 'dig +short' failed to handle really large datasets.
1990 2882. [bug] Remove memory context from list of active contexts
1991 before clearing 'magic'. [RT #21274]
1993 2881. [bug] Reduce the amount of time the rbtdb write lock
1994 is held when closing a version. [RT #21198]
1996 2880. [cleanup] Make the output of dnssec-keygen and dnssec-revoke
1997 consistent. [RT #21078]
1999 2879. [contrib] DLZ bdbhpt driver fails to close correct cursor.
2002 2878. [func] Incrementally write the master file after performing
2005 2877. [bug] The validator failed to skip obviously mismatching
2008 2876. [bug] Named could return SERVFAIL for negative responses
2009 from unsigned zones. [RT #21131]
2011 2875. [bug] dns_time64_fromtext() could accept non digits.
2014 2874. [bug] Cache lack of EDNS support only after the server
2015 successfully responds to the query using plain DNS.
2018 2873. [bug] Canceling a dynamic update via the dns/client module
2019 could trigger an assertion failure. [RT #21133]
2021 2872. [bug] Modify dns/client.c:dns_client_createx() to only
2022 require one of IPv4 or IPv6 rather than both.
2025 2871. [bug] Type mismatch in mem_api.c between the definition and
2026 the header file, causing build failure with
2027 --enable-exportlib. [RT #21138]
2029 2870. [maint] Add AAAA address for L.ROOT-SERVERS.NET.
2031 2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call.
2034 2868. [cleanup] Run "make clean" at the end of configure to ensure
2035 any changes made by configure are integrated.
2036 Use --with-make-clean=no to disable. [RT #20994]
2038 2867. [bug] Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
2039 don't like it. [RT #20986]
2041 2866. [bug] Windows does not like the TSIG name being compressed.
2044 2865. [bug] memset to zero event.data. [RT #20986]
2046 2864. [bug] Direct SIG/RRSIG queries were not handled correctly.
2049 2863. [port] linux: disable IPv6 PMTUD and use network minimum MTU.
2052 2862. [bug] nsupdate didn't default to the parent zone when
2053 updating DS records. [RT #20896]
2055 2861. [doc] dnssec-settime man pages didn't correctly document the
2056 inactivation time. [RT #21039]
2058 2860. [bug] named-checkconf's usage was out of date. [RT #21039]
2060 2859. [bug] When canceling validation it was possible to leak
2063 2858. [bug] RTT estimates were not being adjusted on ICMP errors.
2066 2857. [bug] named-checkconf did not fail on a bad trusted key.
2069 2856. [bug] The size of a memory allocation was not always properly
2070 recorded. [RT #20927]
2072 2855. [func] nsupdate will now preserve the entered case of domain
2073 names in update requests it sends. [RT #20928]
2075 2854. [func] dig: allow the final soa record in a axfr response to
2076 be suppressed, dig +onesoa. [RT #20929]
2078 2853. [bug] add_sigs() could run out of scratch space. [RT #21015]
2080 2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]
2082 2851. [doc] nslookup.1, removed <informalexample> from the docbook
2083 source as it produced bad nroff. [RT #21007]
2085 2850. [bug] If isc_heap_insert() failed due to memory shortage
2086 the heap would have corrupted entries. [RT #20951]
2088 2849. [bug] Don't treat errors from the xml2 library as fatal.
2091 2848. [doc] Moved README.dnssec, README.libdns, README.pkcs11 and
2092 README.rfc5011 into the ARM. [RT #20899]
2094 2847. [cleanup] Corrected usage message in dnssec-settime. [RT #20921]
2096 2846. [bug] EOF on unix domain sockets was not being handled
2097 correctly. [RT #20731]
2099 2845. [bug] RFC 5011 client could crash on shutdown. [RT #20903]
2101 2844. [doc] notify-delay default in ARM was wrong. It should have
2102 been five (5) seconds.
2104 2843. [func] Prevent dnssec-keygen and dnssec-keyfromlabel from
2105 creating key files if there is a chance that the new
2106 key ID will collide with an existing one after
2107 either of the keys has been revoked. (To override
2108 this in the case of dnssec-keyfromlabel, use the -y
2109 option. dnssec-keygen will simply create a
2110 different, non-colliding key, so an override is
2111 not necessary.) [RT #20838]
2113 2842. [func] Added "smartsign" and improved "autosign" and
2114 "dnssec" regression tests. [RT #20865]
2116 2841. [bug] Change 2836 was not complete. [RT #20883]
2118 2840. [bug] Temporary fixed pkcs11-destroy usage check.
2121 2839. [bug] A KSK revoked by named could not be deleted.
2126 2837. [port] Prevent Linux spurious warnings about fwrite().
2129 2836. [bug] Keys that were scheduled to become active could
2130 be delayed. [RT #20874]
2132 2835. [bug] Key inactivity dates were inadvertently stored in
2133 the private key file with the outdated tag
2134 "Unpublish" rather than "Inactive". This has been
2135 fixed; however, any existing keys that had Inactive
2136 dates set will now need to have them reset, using
2137 'dnssec-settime -I'. [RT #20868]
2139 2834. [bug] HMAC-SHA* keys that were longer than the algorithm
2140 digest length were used incorrectly, leading to
2141 interoperability problems with other DNS
2142 implementations. This has been corrected.
2143 (Note: If an oversize key is in use, and
2144 compatibility is needed with an older release of
2145 BIND, the new tool "isc-hmac-fixup" can convert
2146 the key secret to a form that will work with all
2147 versions.) [RT #20751]
2149 2833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime.
2152 2832. [bug] Modify "struct stat" in lib/export/samples/nsprobe.c
2153 to avoid redefinition in some OSs [RT 20831]
2155 2831. [security] Do not attempt to validate or cache
2156 out-of-bailiwick data returned with a secure
2157 answer; it must be re-fetched from its original
2158 source and validated in that context. [RT #20819]
2160 2830. [bug] Changing the OPTOUT setting could take multiple
2163 2829. [bug] Fixed potential node inconsistency in rbtdb.c.
2166 2828. [security] Cached CNAME or DNAME RR could be returned to clients
2167 without DNSSEC validation. [RT #20737]
2169 2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
2171 2826. [bug] NSEC3->NSEC transitions could fail due to a lock not
2172 being released. [RT #20740]
2174 2825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that
2175 was in the process of being created was not properly
2176 recorded in the zone. [RT #20786]
2178 2824. [bug] "rndc sign" was not being run by the correct task.
2181 2823. [bug] rbtdb.c:getsigningtime() was missing locks. [RT #20781]
2183 2822. [bug] rbtdb.c:loadnode() could return the wrong result.
2186 2821. [doc] Add note that named-checkconf doesn't automatically
2187 read rndc.key and bind.keys [RT #20758]
2189 2820. [func] Handle read access failure of OpenSSL configuration
2190 file more user friendly (PKCS#11 engine patch).
2193 2819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define.
2196 2818. [cleanup] rndc could return an incorrect error code
2197 when a zone was not found. [RT #20767]
2199 2817. [cleanup] Removed unnecessary isc_task_endexclusive() calls.
2202 2816. [bug] previous_closest_nsec() could fail to return
2203 data for NSEC3 nodes [RT #29730]
2205 2815. [bug] Exclusively lock the task when freezing a zone.
2208 2814. [func] Provide a definitive error message when a master
2209 zone is not loaded. [RT #20757]
2211 2813. [bug] Better handling of unreadable DNSSEC key files.
2214 2812. [bug] Make sure updates can't result in a zone with
2215 NSEC-only keys and NSEC3 records. [RT #20748]
2217 2811. [cleanup] Add "rndc sign" to list of commands in rndc usage
2220 2810. [doc] Clarified the process of transitioning an NSEC3 zone
2221 to insecure. [RT #20746]
2223 2809. [cleanup] Restored accidentally-deleted text in usage output
2224 in dnssec-settime and dnssec-revoke [RT #20739]
2226 2808. [bug] Remove the attempt to install atomic.h from lib/isc.
2227 atomic.h is correctly installed by the architecture
2228 specific subdirectories. [RT #20722]
2230 2807. [bug] Fixed a possible ASSERT when reconfiguring zone
2233 --- 9.7.0rc1 released ---
2235 2806. [bug] "rdnc sign" could delay re-signing the DNSKEY
2236 when it had changed. [RT #20703]
2238 2805. [bug] Fixed namespace problems encountered when building
2239 external programs using non-exported BIND9 libraries
2240 (i.e., built without --enable-exportlib). [RT #20679]
2242 2804. [bug] Send notifies when a zone is signed with "rndc sign"
2243 or as a result of a scheduled key change. [RT #20700]
2245 2803. [port] win32: Install named-journalprint, nsec3hash, arpaname
2246 and genrandom under windows. [RT #20670]
2248 2802. [cleanup] Rename journalprint to named-journalprint. [RT #20670]
2250 2801. [func] Detect and report records that are different according
2251 to DNSSEC but are semantically equal according to plain
2252 DNS. Apply plain DNS comparisons rather than DNSSEC
2253 comparisons when processing UPDATE requests.
2254 dnssec-signzone now removes such semantically duplicate
2255 records prior to signing the RRset.
2257 named-checkzone -r {ignore|warn|fail} (default warn)
2258 named-compilezone -r {ignore|warn|fail} (default warn)
2260 named.conf: check-dup-records {ignore|warn|fail};
2262 2800. [func] Reject zones which have NS records which refer to
2263 CNAMEs, DNAMEs or don't have address record (class IN
2264 only). Reject UPDATEs which would cause the zone
2265 to fail the above checks if committed. [RT #20678]
2267 2799. [cleanup] Changed the "secure-to-insecure" option to
2268 "dnssec-secure-to-insecure", and "dnskey-ksk-only"
2269 to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
2271 2798. [bug] Addressed bugs in managed-keys initialization
2272 and rollover. [RT #20683]
2274 2797. [bug] Don't decrement the dispatch manager's maxbuffers.
2277 2796. [bug] Missing dns_rdataset_disassociate() call in
2278 dns_nsec3_delnsec3sx(). [RT #20681]
2280 2795. [cleanup] Add text to differentiate "update with no effect"
2281 log messages. [RT #18889]
2283 2794. [bug] Install <isc/namespace.h>. [RT #20677]
2285 2793. [func] Add "autosign" and "metadata" tests to the
2286 automatic tests. [RT #19946]
2288 2792. [func] "filter-aaaa-on-v4" can now be set in view
2289 options (if compiled in). [RT #20635]
2291 2791. [bug] The installation of isc-config.sh was broken.
2294 2790. [bug] Handle DS queries to stub zones. [RT #20440]
2296 2789. [bug] Fixed an INSIST in dispatch.c [RT #20576]
2298 2788. [bug] dnssec-signzone could sign with keys that were
2299 not requested [RT #20625]
2301 2787. [bug] Spurious log message when zone keys were
2302 dynamically reconfigured. [RT #20659]
2304 2786. [bug] Additional could be promoted to answer. [RT #20663]
2306 --- 9.7.0b3 released ---
2308 2785. [bug] Revoked keys could fail to self-sign [RT #20652]
2310 2784. [bug] TC was not always being set when required glue was
2311 dropped. [RT #20655]
2313 2783. [func] Return minimal responses to EDNS/UDP queries with a UDP
2314 buffer size of 512 or less. [RT #20654]
2316 2782. [port] win32: use getaddrinfo() for hostname lookups.
2319 2781. [bug] Inactive keys could be used for signing. [RT #20649]
2321 2780. [bug] dnssec-keygen -A none didn't properly unset the
2322 activation date in all cases. [RT #20648]
2324 2779. [bug] Dynamic key revocation could fail. [RT #20644]
2326 2778. [bug] dnssec-signzone could fail when a key was revoked
2327 without deleting the unrevoked version. [RT #20638]
2329 2777. [contrib] DLZ MYSQL auto reconnect support discovery was wrong.
2331 2776. [bug] Change #2762 was not correct. [RT #20647]
2333 2775. [bug] Accept RSASHA256 and RSASHA512 as NSEC3 compatible
2334 in dnssec-keyfromlabel. [RT #20643]
2336 2774. [bug] Existing cache DB wasn't being reused after
2337 reconfiguration. [RT #20629]
2339 2773. [bug] In autosigned zones, the SOA could be signed
2340 with the KSK. [RT #20628]
2342 2772. [security] When validating, track whether pending data was from
2343 the additional section or not and only return it if
2344 validates as secure. [RT #20438]
2346 2771. [bug] dnssec-signzone: DNSKEY records could be
2347 corrupted when importing from key files [RT #20624]
2349 2770. [cleanup] Add log messages to resolver.c to indicate events
2350 causing FORMERR responses. [RT #20526]
2352 2769. [cleanup] Change #2742 was incomplete. [RT #19589]
2354 2768. [bug] dnssec-signzone: -S no longer implies -g [RT #20568]
2356 2767. [bug] named could crash on startup if a zone was
2357 configured with auto-dnssec and there was no
2358 key-directory. [RT #20615]
2360 2766. [bug] isc_socket_fdwatchpoke() should only update the
2361 socketmgr state if the socket is not pending on a
2362 read or write. [RT #20603]
2364 2765. [bug] Skip masters for which the TSIG key cannot be found.
2367 2764. [bug] "rndc-confgen -a" could trigger a REQUIRE. [RT #20610]
2369 2763. [bug] "rndc sign" didn't create an NSEC chain. [RT #20591]
2371 2762. [bug] DLV validation failed with a local slave DLV zone.
2374 2761. [cleanup] Enable internal symbol table for backtrace only for
2375 systems that are known to work. Currently, BSD
2376 variants, Linux and Solaris are supported. [RT# 20202]
2378 2760. [cleanup] Corrected named-compilezone usage summary. [RT #20533]
2380 2759. [doc] Add information about .jbk/.jnw files to
2381 the ARM. [RT #20303]
2383 2758. [bug] win32: Added a workaround for a windows 2008 bug
2384 that could cause the UDP client handler to shut
2387 2757. [bug] dig: assertion failure could occur in connect
2388 timeout. [RT #20599]
2390 2756. [bug] Fixed corrupt logfile message in update.c. [RT# 20597]
2394 2754. [bug] Secure-to-insecure transitions failed when zone
2395 was signed with NSEC3. [RT #20587]
2397 2753. [bug] Removed an unnecessary warning that could appear when
2398 building an NSEC chain. [RT #20589]
2400 2752. [bug] Locking violation. [RT #20587]
2402 2751. [bug] Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]
2404 2750. [bug] dig: assertion failure could occur when a server
2405 didn't have an address. [RT #20579]
2407 2749. [bug] ixfr-from-differences generated a non-minimal ixfr
2408 for NSEC3 signed zones. [RT #20452]
2410 2748. [func] Identify bad answers from GTLD servers and treat them
2411 as referrals. [RT #18884]
2413 2747. [bug] Journal roll forwards failed to set the re-signing
2414 time of RRSIGs correctly. [RT #20541]
2416 2746. [port] hpux: address signed/unsigned expansion mismatch of
2417 dns_rbtnode_t.nsec. [RT #20542]
2419 2745. [bug] configure script didn't probe the return type of
2420 gai_strerror(3) correctly. [RT #20573]
2422 2744. [func] Log if a query was over TCP. [RT #19961]
2424 2743. [bug] RRSIG could be incorrectly set in the NSEC3 record
2425 for a insecure delegation.
2427 --- 9.7.0b2 released ---
2429 2742. [cleanup] Clarify some DNSSEC-related log messages in
2430 validator.c. [RT #19589]
2432 2741. [func] Allow the dnssec-keygen progress messages to be
2433 suppressed (dnssec-keygen -q). Automatically
2434 suppress the progress messages when stdin is not
2439 2739. [cleanup] Clean up API for initializing and clearing trust
2440 anchors for a view. [RT #20211]
2442 2738. [func] Add RSASHA256 and RSASHA512 tests to the dnssec system
2445 2737. [func] UPDATE requests can leak existence information.
2448 2736. [func] Improve the performance of NSEC signed zones with
2449 more than a normal amount of glue below a delegation.
2452 2735. [bug] dnssec-signzone could fail to read keys
2453 that were specified on the command line with
2454 full paths, but weren't in the current
2455 directory. [RT #20421]
2457 2734. [port] cygwin: arpaname did not compile. [RT #20473]
2459 2733. [cleanup] Clean up coding style in pkcs11-* tools. [RT #20355]
2461 2732. [func] Add optional filter-aaaa-on-v4 option, available
2462 if built with './configure --enable-filter-aaaa'.
2463 Filters out AAAA answers to clients connecting
2464 via IPv4. (This is NOT recommended for general
2467 2731. [func] Additional work on change 2709. The key parser
2468 will now ignore unrecognized fields when the
2469 minor version number of the private key format
2470 has been increased. It will reject any key with
2471 the major version number increased. [RT #20310]
2473 2730. [func] Have dnssec-keygen display a progress indication
2474 a la 'openssl genrsa' on standard error. Note
2475 when the first '.' is followed by a long stop
2476 one has the choice between slow generation vs.
2477 poor random quality, i.e., '-r /dev/urandom'.
2480 2729. [func] When constructing a CNAME from a DNAME use the DNAME
2483 2728. [bug] dnssec-keygen, dnssec-keyfromlabel and
2484 dnssec-signzone now warn immediately if asked to
2485 write into a nonexistent directory. [RT #20278]
2487 2727. [func] The 'key-directory' option can now specify a relative
2490 2726. [func] Added support for SHA-2 DNSSEC algorithms,
2491 RSASHA256 and RSASHA512. [RT #20023]
2493 2725. [doc] Added information about the file "managed-keys.bind"
2494 to the ARM. [RT #20235]
2496 2724. [bug] Updates to a existing node in secure zone using NSEC
2497 were failing. [RT #20448]
2499 2723. [bug] isc_base32_totext(), isc_base32hex_totext(), and
2500 isc_base64_totext(), didn't always mark regions of
2501 memory as fully consumed after conversion. [RT #20445]
2503 2722. [bug] Ensure that the memory associated with the name of
2504 a node in a rbt tree is not altered during the life
2505 of the node. [RT #20431]
2507 2721. [port] Have dst__entropy_status() prime the random number
2508 generator. [RT #20369]
2510 2720. [bug] RFC 5011 trust anchor updates could trigger an
2511 assert if the DNSKEY record was unsigned. [RT #20406]
2513 2719. [func] Skip trusted/managed keys for unsupported algorithms.
2516 2718. [bug] The space calculations in opensslrsa_todns() were
2517 incorrect. [RT #20394]
2519 2717. [bug] named failed to update the NSEC/NSEC3 record when
2520 the last private type record was removed as a result
2521 of completing the signing the zone with a key.
2524 2716. [bug] nslookup debug mode didn't return the ttl. [RT #20414]
2526 --- 9.7.0b1 released ---
2528 2715. [bug] Require OpenSSL support to be explicitly disabled.
2531 2714. [port] aix/powerpc: 'asm("ics");' needs non standard assembler
2534 2713. [bug] powerpc: atomic operations missing asm("ics") /
2537 2712. [func] New 'auto-dnssec' zone option allows zone signing
2538 to be fully automated in zones configured for
2539 dynamic DNS. 'auto-dnssec allow;' permits a zone
2540 to be signed by creating keys for it in the
2541 key-directory and using 'rndc sign <zone>'.
2542 'auto-dnssec maintain;' allows that too, plus it
2543 also keeps the zone's DNSSEC keys up to date
2544 according to their timing metadata. [RT #19943]
2546 2711. [port] win32: Add the bin/pkcs11 tools into the full
2549 2710. [func] New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
2550 zone option cause a zone to be signed with only KSKs
2551 signing the DNSKEY RRset, not ZSKs. This reduces
2552 the size of a DNSKEY answer. [RT #20340]
2554 2709. [func] Added some data fields, currently unused, to the
2555 private key file format, to allow implementation
2556 of explicit key rollover in a future release
2557 without impairing backward or forward compatibility.
2560 2708. [func] Insecure to secure and NSEC3 parameter changes via
2561 update are now fully supported and no longer require
2562 defines to enable. We now no longer overload the
2563 NSEC3PARAM flag field, nor the NSEC OPT bit at the
2564 apex. Secure to insecure changes are controlled by
2565 by the named.conf option 'secure-to-insecure'.
2567 Warning: If you had previously enabled support by
2568 adding defines at compile time to BIND 9.6 you should
2569 ensure that all changes that are in progress have
2570 completed prior to upgrading to BIND 9.7. BIND 9.7
2571 is not backwards compatible.
2573 2707. [func] dnssec-keyfromlabel no longer require engine name
2574 to be specified in the label if there is a default
2575 engine or the -E option has been used. Also, it
2576 now uses default algorithms as dnssec-keygen does
2577 (i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
2580 2706. [bug] Loading a zone with a very large NSEC3 salt could
2581 trigger an assert. [RT #20368]
2585 2704. [bug] Serial of dynamic and stub zones could be inconsistent
2586 with their SOA serial. [RT #19387]
2588 2703. [func] Introduce an OpenSSL "engine" argument with -E
2589 for all binaries which can take benefit of
2590 crypto hardware. [RT #20230]
2592 2702. [func] Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
2594 2701. [doc] Correction to ARM: hmac-md5 is no longer the only
2595 supported TSIG key algorithm. [RT #18046]
2597 2700. [doc] The match-mapped-addresses option is discouraged.
2600 2699. [bug] Missing lock in rbtdb.c. [RT #20037]
2604 2697. [port] win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
2605 S_IFREG are defined after including <isc/stat.h>.
2608 2696. [bug] named failed to successfully process some valid
2609 acl constructs. [RT #20308]
2611 2695. [func] DHCP/DDNS - update fdwatch code for use by
2612 DHCP. Modify the api to isc_sockfdwatch_t (the
2613 callback function for isc_socket_fdwatchcreate)
2614 to include information about the direction (read
2615 or write) and add isc_socket_fdwatchpoke.
2618 2694. [bug] Reduce default NSEC3 iterations from 100 to 10.
2621 2693. [port] Add some noreturn attributes. [RT #20257]
2623 2692. [port] win32: 32/64 bit cleanups. [RT #20335]
2625 2691. [func] dnssec-signzone: retain the existing NSEC or NSEC3
2626 chain when re-signing a previously-signed zone.
2627 Use -u to modify NSEC3 parameters or switch
2628 between NSEC and NSEC3. [RT #20304]
2630 2690. [bug] win32: fix isc_thread_key_getspecific() prototype.
2633 2689. [bug] Correctly handle snprintf result. [RT #20306]
2635 2688. [bug] Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
2636 to decide to fetch the destination address. [RT #20305]
2638 2687. [bug] Fixed dnssec-signzone -S handling of revoked keys.
2639 Also, added warnings when revoking a ZSK, as this is
2640 not defined by protocol (but is legal). [RT #19943]
2642 2686. [bug] dnssec-signzone should clean the old NSEC chain when
2643 signing with NSEC3 and vice versa. [RT #20301]
2645 2685. [contrib] Update contrib/zkt to version 0.99c. [RT #20054]
2647 2684. [cleanup] dig: formalize +ad and +cd as synonyms for
2648 +adflag and +cdflag. [RT #19305]
2650 2683. [bug] dnssec-signzone should clean out old NSEC3 chains when
2651 the NSEC3 parameters used to sign the zone change.
2654 2682. [bug] "configure --enable-symtable=all" failed to
2657 2681. [bug] IPSECKEY RR of gateway type 3 was not correctly
2658 decoded. [RT #20269]
2660 2680. [func] Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]
2662 2679. [func] dig -k can now accept TSIG keys in named.conf
2665 2678. [func] Treat DS queries as if "minimal-response yes;"
2666 was set. [RT #20258]
2668 2677. [func] Changes to key metadata behavior:
2669 - Keys without "publish" or "active" dates set will
2670 no longer be used for smart signing. However,
2671 those dates will be set to "now" by default when
2672 a key is created; to generate a key but not use
2673 it yet, use dnssec-keygen -G.
2674 - New "inactive" date (dnssec-keygen/settime -I)
2675 sets the time when a key is no longer used for
2676 signing but is still published.
2677 - The "unpublished" date (-U) is deprecated in
2678 favor of "deleted" (-D).
2681 2676. [bug] --with-export-installdir should have been
2682 --with-export-includedir. [RT #20252]
2684 2675. [bug] dnssec-signzone could crash if the key directory
2685 did not exist. [RT #20232]
2687 --- 9.7.0a3 released ---
2689 2674. [bug] "dnssec-lookaside auto;" crashed if named was built
2690 without openssl. [RT #20231]
2692 2673. [bug] The managed-keys.bind zone file could fail to
2693 load due to a spurious result from sync_keyzone()
2696 2672. [bug] Don't enable searching in 'host' when doing reverse
2697 lookups. [RT #20218]
2699 2671. [bug] Add support for PKCS#11 providers not returning
2700 the public exponent in RSA private keys
2701 (OpenCryptoki for instance) in
2702 dnssec-keyfromlabel. [RT #19294]
2704 2670. [bug] Unexpected connect failures failed to log enough
2705 information to be useful. [RT #20205]
2707 2669. [func] Update PKCS#11 support to support Keyper HSM.
2708 Update PKCS#11 patch to be against openssl-0.9.8i.
2710 2668. [func] Several improvements to dnssec-* tools, including:
2711 - dnssec-keygen and dnssec-settime can now set key
2712 metadata fields 0 (to unset a value, use "none")
2713 - dnssec-revoke sets the revocation date in
2714 addition to the revoke bit
2715 - dnssec-settime can now print individual metadata
2716 fields instead of always printing all of them,
2717 and can print them in unix epoch time format for
2721 2667. [func] Add support for logging stack backtrace on assertion
2722 failure (not available for all platforms). [RT #19780]
2724 2666. [func] Added an 'options' argument to dns_name_fromstring()
2725 (API change from 9.7.0a2). [RT #20196]
2727 2665. [func] Clarify syntax for managed-keys {} statement, add
2728 ARM documentation about RFC 5011 support. [RT #19874]
2730 2664. [bug] create_keydata() and minimal_update() in zone.c
2731 didn't properly check return values for some
2732 functions. [RT #19956]
2734 2663. [func] win32: allow named to run as a service using
2735 "NT AUTHORITY\LocalService" as the account. [RT #19977]
2737 2662. [bug] lwres_getipnodebyname() and lwres_getipnodebyaddr()
2738 returned a misleading error code when lwresd was
2741 2661. [bug] Check whether socket fd exceeds FD_SETSIZE when
2742 creating lwres context. [RT #20029]
2744 2660. [func] Add a new set of DNS libraries for non-BIND9
2745 applications. See README.libdns. [RT #19369]
2747 2659. [doc] Clarify dnssec-keygen doc: key name must match zone
2748 name for DNSSEC keys. [RT #19938]
2750 2658. [bug] dnssec-settime and dnssec-revoke didn't process
2751 key file paths correctly. [RT #20078]
2753 2657. [cleanup] Lower "journal file <path> does not exist, creating it"
2754 log level to debug 1. [RT #20058]
2756 2656. [func] win32: add a "tools only" check box to the installer
2757 which causes it to only install dig, host, nslookup,
2758 nsupdate and relevant DLLs. [RT #19998]
2760 2655. [doc] Document that key-directory does not affect
2761 bind.keys, rndc.key or session.key. [RT #20155]
2763 2654. [bug] Improve error reporting on duplicated names for
2764 deny-answer-xxx. [RT #20164]
2766 2653. [bug] Treat ENGINE_load_private_key() failures as key
2767 not found rather than out of memory. [RT #18033]
2769 2652. [func] Provide more detail about what record is being
2770 deleted. [RT #20061]
2772 2651. [bug] Dates could print incorrectly in K*.key files on
2773 64-bit systems. [RT #20076]
2775 2650. [bug] Assertion failure in dnssec-signzone when trying
2776 to read keyset-* files. [RT #20075]
2778 2649. [bug] Set the domain for forward only zones. [RT #19944]
2780 2648. [port] win32: isc_time_seconds() was broken. [RT #19900]
2782 2647. [bug] Remove unnecessary SOA updates when a new KSK is
2785 2646. [bug] Incorrect cleanup on error in socket.c. [RT #19987]
2787 2645. [port] "gcc -m32" didn't work on amd64 and x86_64 platforms
2788 which default to 64 bits. [RT #19927]
2790 --- 9.7.0a2 released ---
2792 2644. [bug] Change #2628 caused a regression on some systems;
2793 named was unable to write the PID file and would
2794 fail on startup. [RT #20001]
2796 2643. [bug] Stub zones interacted badly with NSEC3 support.
2799 2642. [bug] nsupdate could dump core on solaris when reading
2800 improperly formatted key files. [RT #20015]
2802 2641. [bug] Fixed an error in parsing update-policy syntax,
2803 added a regression test to check it. [RT #20007]
2805 2640. [security] A specially crafted update packet will cause named
2806 to exit. [RT #20000]
2808 2639. [bug] Silence compiler warnings in gssapi code. [RT #19954]
2810 2638. [bug] Install arpaname. [RT #19957]
2812 2637. [func] Rationalize dnssec-signzone's signwithkey() calling.
2815 2636. [func] Simplify zone signing and key maintenance with the
2816 dnssec-* tools. Major changes:
2817 - all dnssec-* tools now take a -K option to
2818 specify a directory in which key files will be
2820 - DNSSEC can now store metadata indicating when
2821 they are scheduled to be published, activated,
2822 revoked or removed; these values can be set by
2823 dnssec-keygen or overwritten by the new
2824 dnssec-settime command
2825 - dnssec-signzone -S (for "smart") option reads key
2826 metadata and uses it to determine automatically
2827 which keys to publish to the zone, use for
2828 signing, revoke, or remove from the zone
2831 2635. [bug] isc_inet_ntop() incorrectly handled 0.0/16 addresses.
2834 2634. [port] win32: Add support for libxml2, enable
2835 statschannel. [RT #19773]
2837 2633. [bug] Handle 15 bit rand() functions. [RT #19783]
2839 2632. [func] util/kit.sh: warn if documentation appears to be out of
2842 2631. [bug] Handle "//", "/./" and "/../" in mkdirpath().
2845 2630. [func] Improved syntax for DDNS autoconfiguration: use
2846 "update-policy local;" to switch on local DDNS in a
2847 zone. (The "ddns-autoconf" option has been removed.)
2850 2629. [port] Check for seteuid()/setegid(), use setresuid()/
2851 setresgid() if not present. [RT #19932]
2853 2628. [port] linux: Allow /var/run/named/named.pid to be opened
2854 at startup with reduced capabilities in operation.
2857 2627. [bug] Named aborted if the same key was included in
2858 trusted-keys more than once. [RT #19918]
2860 2626. [bug] Multiple trusted-keys could trigger an assertion
2861 failure. [RT #19914]
2863 2625. [bug] Missing UNLOCK in rbtdb.c. [RT #19865]
2865 2624. [func] 'named-checkconf -p' will print out the parsed
2866 configuration. [RT #18871]
2868 2623. [bug] Named started searches for DS non-optimally. [RT #19915]
2870 2622. [bug] Printing of named.conf grammar was broken. [RT #19919]
2872 2621. [doc] Made copyright boilerplate consistent. [RT #19833]
2874 2620. [bug] Delay thawing the zone until the reload of it has
2875 completed successfully. [RT #19750]
2877 2619. [func] Add support for RFC 5011, automatic trust anchor
2878 maintenance. The new "managed-keys" statement can
2879 be used in place of "trusted-keys" for zones which
2880 support this protocol. (Note: this syntax is
2881 expected to change prior to 9.7.0 final.) [RT #19248]
2883 2618. [bug] The sdb and sdlz db_interator_seek() methods could
2884 loop infinitely. [RT #19847]
2886 2617. [bug] ifconfig.sh failed to emit an error message when
2887 run from the wrong location. [RT #19375]
2889 2616. [bug] 'host' used the nameservers from resolv.conf even
2890 when a explicit nameserver was specified. [RT #19852]
2892 2615. [bug] "__attribute__((unused))" was in the wrong place
2893 for ia64 gcc builds. [RT #19854]
2895 2614. [port] win32: 'named -v' should automatically be executed
2896 in the foreground. [RT #19844]
2900 --- 9.7.0a1 released ---
2902 2612. [func] Add default values for the arguments to
2903 dnssec-keygen. Without arguments, it will now
2904 generate a 1024-bit RSASHA1 zone-signing key,
2905 or with the -f KSK option, a 2048-bit RSASHA1
2906 key-signing key. [RT #19300]
2908 2611. [func] Add -l option to dnssec-dsfromkey to generate
2909 DLV records instead of DS records. [RT #19300]
2911 2610. [port] sunos: Change #2363 was not complete. [RT #19796]
2913 2609. [func] Simplify the configuration of dynamic zones:
2914 - add ddns-confgen command to generate
2915 configuration text for named.conf
2916 - add zone option "ddns-autoconf yes;", which
2917 causes named to generate a TSIG session key
2918 and allow updates to the zone using that key
2919 - add '-l' (localhost) option to nsupdate, which
2920 causes nsupdate to connect to a locally-running
2921 named process using the session key generated
2925 2608. [func] Perform post signing verification checks in
2926 dnssec-signzone. These can be disabled with -P.
2928 The post sign verification test ensures that for each
2929 algorithm in use there is at least one non revoked
2930 self signed KSK key. That all revoked KSK keys are
2931 self signed. That all records in the zone are signed
2932 by the algorithm. [RT #19653]
2934 2607. [bug] named could incorrectly delete NSEC3 records for
2935 empty nodes when processing a update request.
2938 2606. [bug] "delegation-only" was not being accepted in
2939 delegation-only type zones. [RT #19717]
2941 2605. [bug] Accept DS responses from delegation only zones.
2944 2604. [func] Add support for DNS rebinding attack prevention through
2945 new options, deny-answer-addresses and
2946 deny-answer-aliases. Based on contributed code from
2947 JD Nurmi, Google. [RT #18192]
2949 2603. [port] win32: handle .exe extension of named-checkzone and
2950 named-comilezone argv[0] names under windows.
2953 2602. [port] win32: fix debugging command line build of libisccfg.
2956 2601. [doc] Mention file creation mode mask in the
2959 2600. [doc] ARM: miscellaneous reformatting for different
2960 page widths. [RT #19574]
2962 2599. [bug] Address rapid memory growth when validation fails.
2965 2598. [func] Reserve the -F flag. [RT #19657]
2967 2597. [bug] Handle a validation failure with a insecure delegation
2968 from a NSEC3 signed master/slave zone. [RT #19464]
2970 2596. [bug] Stale tree nodes of cache/dynamic rbtdb could stay
2971 long, leading to inefficient memory usage or rejecting
2972 newer cache entries in the worst case. [RT #19563]
2974 2595. [bug] Fix unknown extended rcodes in dig. [RT #19625]
2976 2594. [func] Have rndc warn if using its default configuration
2977 file when the key file also exists. [RT #19424]
2979 2593. [bug] Improve a corner source of SERVFAILs [RT #19632]
2981 2592. [bug] Treat "any" as a type in nsupdate. [RT #19455]
2983 2591. [bug] named could die when processing a update in
2984 removed_orphaned_ds(). [RT #19507]
2986 2590. [func] Report zone/class of "update with no effect".
2989 2589. [bug] dns_db_unregister() failed to clear '*dbimp'.
2992 2588. [bug] SO_REUSEADDR could be set unconditionally after failure
2993 of bind(2) call. This should be rare and mostly
2994 harmless, but may cause interference with other
2995 processes that happen to use the same port. [RT #19642]
2997 2587. [func] Improve logging by reporting serial numbers for
2998 when zone serial has gone backwards or unchanged.
3001 2586. [bug] Missing cleanup of SIG rdataset in searching a DLZ DB
3004 2585. [bug] Uninitialized socket name could be referenced via a
3005 statistics channel, triggering an assertion failure in
3006 XML rendering. [RT #19427]
3008 2584. [bug] alpha: gcc optimization could break atomic operations.
3011 2583. [port] netbsd: provide a control to not add the compile
3012 date to the version string, -DNO_VERSION_DATE.
3014 2582. [bug] Don't emit warning log message when we attempt to
3015 remove non-existent journal. [RT #19516]
3017 2581. [contrib] dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
3018 Requires MySQL 5.0.19 or later. [RT #19084]
3020 2580. [bug] UpdateRej statistics counter could be incremented twice
3021 for one rejection. [RT #19476]
3023 2579. [bug] DNSSEC lookaside validation failed to handle unknown
3024 algorithms. [RT #19479]
3026 2578. [bug] Changed default sig-signing-type to 65534, because
3027 65535 turns out to be reserved. [RT #19477]
3029 2577. [doc] Clarified some statistics counters. [RT #19454]
3031 2576. [bug] NSEC record were not being correctly signed when
3032 a zone transitions from insecure to secure.
3033 Handle such incorrectly signed zones. [RT #19114]
3035 2575. [func] New functions dns_name_fromstring() and
3036 dns_name_tostring(), to simplify conversion
3037 of a string to a dns_name structure and vice
3040 2574. [doc] Document nsupdate -g and -o. [RT #19351]
3042 2573. [bug] Replacing a non-CNAME record with a CNAME record in a
3043 single transaction in a signed zone failed. [RT #19397]
3045 2572. [func] Simplify DLV configuration, with a new option
3046 "dnssec-lookaside auto;" This is the equivalent
3047 of "dnssec-lookaside . trust-anchor dlv.isc.org;"
3048 plus setting a trusted-key for dlv.isc.org.
3050 Note: The trusted key is hard-coded into named,
3051 but is also stored in (and can be overridden
3052 by) $sysconfdir/bind.keys. As the ISC DLV key
3053 rolls over it can be kept up to date by replacing
3054 the bind.keys file with a key downloaded from
3055 https://www.isc.org/solutions/dlv. [RT #18685]
3057 2571. [func] Add a new tool "arpaname" which translates IP addresses
3058 to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
3061 2570. [func] Log the destination address the query was sent to.
3064 2569. [func] Move journalprint, nsec3hash, and genrandom
3065 commands from bin/tests into bin/tools;
3066 "make install" will put them in $sbindir. [RT #19301]
3068 2568. [bug] Report when the write to indicate a otherwise
3069 successful start fails. [RT #19360]
3071 2567. [bug] dst__privstruct_writefile() could miss write errors.
3072 write_public_key() could miss write errors.
3073 dnssec-dsfromkey could miss write errors.
3076 2566. [cleanup] Clarify logged message when an insecure DNSSEC
3077 response arrives from a zone thought to be secure:
3078 "insecurity proof failed" instead of "not
3079 insecure". [RT #19400]
3081 2565. [func] Add support for HIP record. Includes new functions
3082 dns_rdata_hip_first(), dns_rdata_hip_next()
3083 and dns_rdata_hip_current(). [RT #19384]
3085 2564. [bug] Only take EDNS fallback steps when processing timeouts.
3088 2563. [bug] Dig could leak a socket causing it to wait forever
3089 to exit. [RT #19359]
3091 2562. [doc] ARM: miscellaneous improvements, reorganization,
3092 and some new content.
3094 2561. [doc] Add isc-config.sh(1) man page. [RT #16378]
3096 2560. [bug] Add #include <config.h> to iptable.c. [RT #18258]
3098 2559. [bug] dnssec-dsfromkey could compute bad DS records when
3099 reading from a K* files. [RT #19357]
3101 2558. [func] Set the ownership of missing directories created
3102 for pid-file if -u has been specified on the command
3105 2557. [cleanup] PCI compliance:
3106 * new libisc log module file
3107 * isc_dir_chroot() now also changes the working
3109 * additional INSISTs
3110 * additional logging when files can't be removed.
3112 2556. [port] Solaris: mkdir(2) on tmpfs filesystems does not do the
3113 error checks in the correct order resulting in the
3114 wrong error code sometimes being returned. [RT #19249]
3116 2555. [func] dig: when emitting a hex dump also display the
3117 corresponding characters. [RT #19258]
3119 2554. [bug] Validation of uppercase queries from NSEC3 zones could
3122 2553. [bug] Reference leak on DNSSEC validation errors. [RT #19291]
3124 2552. [bug] zero-no-soa-ttl-cache was not being honored.
3127 2551. [bug] Potential Reference leak on return. [RT #19341]
3129 2550. [bug] Check --with-openssl=<path> finds <openssl/opensslv.h>.
3132 2549. [port] linux: define NR_OPEN if not currently defined.
3135 2548. [bug] Install iterated_hash.h. [RT #19335]
3137 2547. [bug] openssl_link.c:mem_realloc() could reference an
3138 out-of-range area of the source buffer. New public
3139 function isc_mem_reallocate() was introduced to address
3140 this bug. [RT #19313]
3142 2546. [func] Add --enable-openssl-hash configure flag to use
3143 OpenSSL (in place of internal routine) for hash
3144 functions (MD5, SHA[12] and HMAC). [RT #18815]
3146 2545. [doc] ARM: Legal hostname checking (check-names) is
3147 for SRV RDATA too. [RT #19304]
3149 2544. [cleanup] Removed unused structure members in adb.c. [RT #19225]
3151 2543. [contrib] Update contrib/zkt to version 0.98. [RT #19113]
3153 2542. [doc] Update the description of dig +adflag. [RT #19290]
3155 2541. [bug] Conditionally update dispatch manager statistics.
3158 2540. [func] Add a nibble mode to $GENERATE. [RT #18872]
3160 2539. [security] Update the interaction between recursion, allow-query,
3161 allow-query-cache and allow-recursion. [RT #19198]
3163 2538. [bug] cache/ADB memory could grow over max-cache-size,
3164 especially with threads and smaller max-cache-size
3167 2537. [func] Added more statistics counters including those on socket
3168 I/O events and query RTT histograms. [RT #18802]
3170 2536. [cleanup] Silence some warnings when -Werror=format-security is
3171 specified. [RT #19083]
3173 2535. [bug] dig +showsearch and +trace interacted badly. [RT #19091]
3175 2534. [func] Check NAPTR records regular expressions and
3176 replacement strings to ensure they are syntactically
3177 valid and consistent. [RT #18168]
3179 2533. [doc] ARM: document @ (at-sign). [RT #17144]
3181 2532. [bug] dig: check the question section of the response to
3182 see if it matches the asked question. [RT #18495]
3184 2531. [bug] Change #2207 was incomplete. [RT #19098]
3186 2530. [bug] named failed to reject insecure to secure transitions
3187 via UPDATE. [RT #19101]
3189 2529. [cleanup] Upgrade libtool to silence complaints from recent
3190 version of autoconf. [RT #18657]
3192 2528. [cleanup] Silence spurious configure warning about
3193 --datarootdir [RT #19096]
3197 2526. [func] New named option "attach-cache" that allows multiple
3198 views to share a single cache to save memory and
3199 improve lookup efficiency. Based on contributed code
3200 from Barclay Osborn, Google. [RT #18905]
3202 2525. [func] New logging category "query-errors" to provide detailed
3203 internal information about query failures, especially
3204 about server failures. [RT #19027]
3206 2524. [port] sunos: dnssec-signzone needs strtoul(). [RT #19129]
3208 2523. [bug] Random type rdata freed by dns_nsec_typepresent().
3211 2522. [security] Handle -1 from DSA_do_verify() and EVP_VerifyFinal().
3213 2521. [bug] Improve epoll cross compilation support. [RT #19047]
3215 2520. [bug] Update xml statistics version number to 2.0 as change
3216 #2388 made the schema incompatible to the previous
3217 version. [RT #19080]
3219 2519. [bug] dig/host with -4 or -6 didn't work if more than two
3220 nameserver addresses of the excluded address family
3221 preceded in resolv.conf. [RT #19081]
3223 2518. [func] Add support for the new CERT types from RFC 4398.
3226 2517. [bug] dig +trace with -4 or -6 failed when it chose a
3227 nameserver address of the excluded address type.
3230 2516. [bug] glue sort for responses was performed even when not
3233 2515. [port] win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
3236 2514. [bug] dig/host failed with -4 or -6 when resolv.conf contains
3237 a nameserver of the excluded address family.
3240 2513. [bug] Fix windows cli build. [RT #19062]
3242 2512. [func] Print a summary of the cached records which make up
3243 the negative response. [RT #18885]
3245 2511. [cleanup] dns_rdata_tofmttext() add const to linebreak.
3248 2510. [bug] "dig +sigchase" could trigger REQUIRE failures.
3251 2509. [bug] Specifying a fixed query source port was broken.
3256 2507. [func] Log the recursion quota values when killing the
3257 oldest query or refusing to recurse due to quota.
3260 2506. [port] solaris: Check at configure time if
3261 hack_shutup_pthreadonceinit is needed. [RT #19037]
3263 2505. [port] Treat amd64 similarly to x86_64 when determining
3264 atomic operation support. [RT #19031]
3266 2504. [bug] Address race condition in the socket code. [RT #18899]
3268 2503. [port] linux: improve compatibility with Linux Standard
3271 2502. [cleanup] isc_radix: Improve compliance with coding style,
3272 document function in <isc/radix.h>. [RT #18534]
3274 2501. [func] $GENERATE now supports all rdata types. Multi-field
3275 rdata types need to be quoted. See the ARM for
3276 details. [RT #18368]
3278 2500. [contrib] contrib/sdb/pgsql/zonetodb.c called non-existent
3279 function. [RT #18582]
3281 2499. [port] solaris: lib/lwres/getaddrinfo.c namespace clash.
3284 --- 9.6.0rc1 released ---
3286 2498. [bug] Removed a bogus function argument used with
3287 ISC_SOCKET_USE_POLLWATCH: it could cause compiler
3288 warning or crash named with the debug 1 level
3289 of logging. [RT #18917]
3291 2497. [bug] Don't add RRSIG bit to NSEC3 bit map for insecure
3294 2496. [bug] Add sanity length checks to NSID option. [RT #18813]
3296 2495. [bug] Tighten RRSIG checks. [RT #18795]
3298 2494. [bug] isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
3299 installed. [RT #18826]
3301 2493. [bug] The linux capabilities code was not correctly cleaning
3302 up after itself. [RT #18767]
3304 2492. [func] Rndc status now reports the number of cpus discovered
3305 and the number of worker threads when running
3306 multi-threaded. [RT #18273]
3308 2491. [func] Attempt to re-use a local port if we are already using
3309 the port. [RT #18548]
3311 2490. [port] aix: work around a kernel bug where IPV6_RECVPKTINFO
3312 is cleared when IPV6_V6ONLY is set. [RT #18785]
3314 2489. [port] solaris: Workaround Solaris's kernel bug about
3316 http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
3317 Define ISC_SOCKET_USE_POLLWATCH at build time to enable
3318 this workaround. [RT #18870]
3320 2488. [func] Added a tool, dnssec-dsfromkey, to generate DS records
3321 from keyset and .key files. [RT #18694]
3323 2487. [bug] Give TCP connections longer to complete. [RT #18675]
3325 2486. [func] The default locations for named.pid and lwresd.pid
3326 are now /var/run/named/named.pid and
3327 /var/run/lwresd/lwresd.pid respectively.
3329 This allows the owner of the containing directory
3330 to be set, for "named -u" support, and allows there
3331 to be a permanent symbolic link in the path, for
3332 "named -t" support. [RT #18306]
3334 2485. [bug] Change update's the handling of obscured RRSIG
3335 records. Not all orphaned DS records were being
3336 removed. [RT #18828]
3338 2484. [bug] It was possible to trigger a REQUIRE failure when
3339 adding NSEC3 proofs to the response in
3340 query_addwildcardproof(). [RT #18828]
3342 2483. [port] win32: chroot() is not supported. [RT #18805]
3344 2482. [port] libxml2: support versions 2.7.* in addition
3345 to 2.6.*. [RT #18806]
3347 --- 9.6.0b1 released ---
3349 2481. [bug] rbtdb.c:matchparams() failed to handle NSEC3 chain
3350 collisions. [RT #18812]
3352 2480. [bug] named could fail to emit all the required NSEC3
3353 records. [RT #18812]
3355 2479. [bug] xfrout:covers was not properly initialized. [RT #18801]
3357 2478. [bug] 'addresses' could be used uninitialized in
3358 configure_forward(). [RT #18800]
3360 2477. [bug] dig: the global option to print the command line is
3361 +cmd not print_cmd. Update the output to reflect
3364 2476. [doc] ARM: improve documentation for max-journal-size and
3365 ixfr-from-differences. [RT #15909] [RT #18541]
3367 2475. [bug] LRU cache cleanup under overmem condition could purge
3368 particular entries more aggressively. [RT #17628]
3370 2474. [bug] ACL structures could be allocated with insufficient
3371 space, causing an array overrun. [RT #18765]
3373 2473. [port] linux: raise the limit on open files to the possible
3374 maximum value before spawning threads; 'files'
3375 specified in named.conf doesn't seem to work with
3376 threads as expected. [RT #18784]
3378 2472. [port] linux: check the number of available cpu's before
3379 calling chroot as it depends on "/proc". [RT #16923]
3381 2471. [bug] named-checkzone was not reporting missing mandatory
3382 glue when sibling checks were disabled. [RT #18768]
3384 2470. [bug] Elements of the isc_radix_node_t could be incorrectly
3385 overwritten. [RT# 18719]
3387 2469. [port] solaris: Work around Solaris's select() limitations.
3390 2468. [bug] Resolver could try unreachable servers multiple times.
3393 2467. [bug] Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]
3395 2466. [doc] ARM: explain max-cache-ttl 0 SERVFAIL issue.
3398 2465. [bug] Adb's handling of lame addresses was different
3399 for IPv4 and IPv6. [RT #18738]
3401 2464. [port] linux: check that a capability is present before
3402 trying to set it. [RT #18135]
3404 2463. [port] linux: POSIX doesn't include the IPv6 Advanced Socket
3405 API and glibc hides parts of the IPv6 Advanced Socket
3406 API as a result. This is stupid as it breaks how the
3407 two halves (Basic and Advanced) of the IPv6 Socket API
3408 were designed to be used but we have to live with it.
3409 Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
3412 2462. [doc] Document -m (enable memory usage debugging)
3413 option for dig. [RT #18757]
3415 2461. [port] sunos: Change #2363 was not complete. [RT #17513]
3417 --- 9.6.0a1 released ---
3419 2460. [bug] Don't call dns_db_getnsec3parameters() on the cache.
3422 2459. [contrib] Import dnssec-zkt to contrib/zkt. [RT #18448]
3424 2458. [doc] ARM: update and correction for max-cache-size.
3427 2457. [tuning] max-cache-size is reverted to 0, the previous
3428 default. It should be safe because expired cache
3429 entries are also purged. [RT #18684]
3431 2456. [bug] In ACLs, ::/0 and 0.0.0.0/0 would both match any
3432 address, regardless of family. They now correctly
3433 distinguish IPv4 from IPv6. [RT #18559]
3435 2455. [bug] Stop metadata being transferred via axfr/ixfr.
3438 2454. [func] nsupdate: you can now set a default ttl. [RT #18317]
3440 2453. [bug] Remove NULL pointer dereference in dns_journal_print().
3443 2452. [func] Improve bin/test/journalprint. [RT #18316]
3445 2451. [port] solaris: handle runtime linking better. [RT #18356]
3447 2450. [doc] Fix lwresd docbook problem for manual page.
3452 2448. [func] Add NSEC3 support. [RT #15452]
3454 2447. [cleanup] libbind has been split out as a separate product.
3456 2446. [func] Add a new log message about build options on startup.
3457 A new command-line option '-V' for named is also
3458 provided to show this information. [RT# 18645]
3460 2445. [doc] ARM out-of-date on empty reverse zones (list includes
3461 RFC1918 address, but these are not yet compiled in).
3464 2444. [port] Linux, FreeBSD, AIX: Turn off path mtu discovery
3465 (clear DF) for UDP responses and requests.
3467 2443. [bug] win32: UDP connect() would not generate an event,
3468 and so connected UDP sockets would never clean up.
3469 Fix this by doing an immediate WSAConnect() rather
3470 than an io completion port type for UDP.
3472 2442. [bug] A lock could be destroyed twice. [RT# 18626]
3474 2441. [bug] isc_radix_insert() could copy radix tree nodes
3475 incompletely. [RT #18573]
3477 2440. [bug] named-checkconf used an incorrect test to determine
3478 if an ACL was set to none.
3480 2439. [bug] Potential NULL dereference in dns_acl_isanyornone().
3483 2438. [bug] Timeouts could be logged incorrectly under win32.
3485 2437. [bug] Sockets could be closed too early, leading to
3486 inconsistent states in the socket module. [RT #18298]
3488 2436. [security] win32: UDP client handler can be shutdown. [RT #18576]
3490 2435. [bug] Fixed an ACL memory leak affecting win32.
3492 2434. [bug] Fixed a minor error-reporting bug in
3493 lib/isc/win32/socket.c.
3495 2433. [tuning] Set initial timeout to 800ms.
3497 2432. [bug] More Windows socket handling improvements. Stop
3498 using I/O events and use IO Completion Ports
3499 throughout. Rewrite the receive path logic to make
3500 it easier to support multiple simultaneous
3501 requesters in the future. Add stricter consistency
3502 checking as a compile-time option (define
3503 ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).
3505 2431. [bug] Acl processing could leak memory. [RT #18323]
3507 2430. [bug] win32: isc_interval_set() could round down to
3508 zero if the input was less than NS_INTERVAL
3509 nanoseconds. Round up instead. [RT #18549]
3511 2429. [doc] nsupdate should be in section 1 of the man pages.
3514 2428. [bug] dns_iptable_merge() mishandled merges of negative
3517 2427. [func] Treat DNSKEY queries as if "minimal-response yes;"
3518 was set. [RT #18528]
3520 2426. [bug] libbind: inet_net_pton() can sometimes return the
3521 wrong value if excessively large net masks are
3522 supplied. [RT #18512]
3524 2425. [bug] named didn't detect unavailable query source addresses
3525 at load time. [RT #18536]
3527 2424. [port] configure now probes for a working epoll
3528 implementation. Allow the use of kqueue,
3529 epoll and /dev/poll to be selected at compile
3532 2423. [security] Randomize server selection on queries, so as to
3533 make forgery a little more difficult. Instead of
3534 always preferring the server with the lowest RTT,
3535 pick a server with RTT within the same 128
3536 millisecond band. [RT #18441]
3538 2422. [bug] Handle the special return value of a empty node as
3539 if it was a NXRRSET in the validator. [RT #18447]
3541 2421. [func] Add new command line option '-S' for named to specify
3542 the max number of sockets. [RT #18493]
3543 Use caution: this option may not work for some
3544 operating systems without rebuilding named.
3546 2420. [bug] Windows socket handling cleanup. Let the io
3547 completion event send out canceled read/write
3548 done events, which keeps us from writing to memory
3549 we no longer have ownership of. Add debugging
3550 socket_log() function. Rework TCP socket handling
3551 to not leak sockets.
3553 2419. [cleanup] Document that isc_socket_create() and isc_socket_open()
3554 should not be used for isc_sockettype_fdwatch sockets.
3557 2418. [bug] AXFR request on a DLZ could trigger a REQUIRE failure
3560 2417. [bug] Connecting UDP sockets for outgoing queries could
3561 unexpectedly fail with an 'address already in use'
3564 2416. [func] Log file descriptors that cause exceeding the
3565 internal maximum. [RT #18460]
3567 2415. [bug] 'rndc dumpdb' could trigger various assertion failures
3568 in rbtdb.c. [RT #18455]
3570 2414. [bug] A masterdump context held the database lock too long,
3571 causing various troubles such as dead lock and
3572 recursive lock acquisition. [RT #18311, #18456]
3574 2413. [bug] Fixed an unreachable code path in socket.c. [RT #18442]
3576 2412. [bug] win32: address a resource leak. [RT #18374]
3578 2411. [bug] Allow using a larger number of sockets than FD_SETSIZE
3579 for select(). To enable this, set ISC_SOCKET_MAXSOCKETS
3580 at compilation time. [RT #18433]
3582 Note: with changes #2469 and #2421 above, there is no
3583 need to tweak ISC_SOCKET_MAXSOCKETS at compilation time
3586 2410. [bug] Correctly delete m_versionInfo. [RT #18432]
3588 2409. [bug] Only log that we disabled EDNS processing if we were
3589 subsequently successful. [RT #18029]
3591 2408. [bug] A duplicate TCP dispatch event could be sent, which
3592 could then trigger an assertion failure in
3593 resquery_response(). [RT #18275]
3595 2407. [port] hpux: test for sys/dyntune.h. [RT #18421]
3599 2405. [cleanup] The default value for dnssec-validation was changed to
3600 "yes" in 9.5.0-P1 and all subsequent releases; this
3601 was inadvertently omitted from CHANGES at the time.
3603 2404. [port] hpux: files unlimited support.
3605 2403. [bug] TSIG context leak. [RT #18341]
3607 2402. [port] Support Solaris 2.11 and over. [RT #18362]
3609 2401. [bug] Expect to get E[MN]FILE errno internal_accept()
3610 (from accept() or fcntl() system calls). [RT #18358]
3612 2400. [bug] Log if kqueue()/epoll_create()/open(/dev/poll) fails.
3617 2398. [bug] Improve file descriptor management. New,
3618 temporary, named.conf option reserved-sockets,
3619 default 512. [RT #18344]
3621 2397. [bug] gssapi_functions had too many elements. [RT #18355]
3623 2396. [bug] Don't set SO_REUSEADDR for randomized ports.
3626 2395. [port] Avoid warning and no effect from "files unlimited"
3627 on Linux when running as root. [RT #18335]
3629 2394. [bug] Default configuration options set the limit for
3630 open files to 'unlimited' as described in the
3631 documentation. [RT #18331]
3633 2393. [bug] nested acls containing keys could trigger an
3634 assertion in acl.c. [RT #18166]
3636 2392. [bug] remove 'grep -q' from acl test script, some platforms
3637 don't support it. [RT #18253]
3639 2391. [port] hpux: cover additional recvmsg() error codes.
3642 2390. [bug] dispatch.c could make a false warning on 'odd socket'.
3645 2389. [bug] Move the "working directory writable" check to after
3646 the ns_os_changeuser() call. [RT #18326]
3648 2388. [bug] Avoid using tables for layout purposes in
3649 statistics XSL [RT #18159].
3651 2387. [bug] Silence compiler warnings in lib/isc/radix.c.
3652 [RT #18147] [RT #18258]
3654 2386. [func] Add warning about too small 'open files' limit.
3657 2385. [bug] A condition variable in socket.c could leak in
3658 rare error handling [RT #17968].
3660 2384. [security] Fully randomize UDP query ports to improve
3661 forgery resilience. [RT #17949, #18098]
3663 2383. [bug] named could double queries when they resulted in
3664 SERVFAIL due to overkilling EDNS0 failure detection.
3667 2382. [doc] Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
3670 2381. [port] dlz/mysql: support multiple install layouts for
3671 mysql. <prefix>/include/{,mysql/}mysql.h and
3672 <prefix>/lib/{,mysql/}. [RT #18152]
3674 2380. [bug] dns_view_find() was not returning NXDOMAIN/NXRRSET
3675 proofs which, in turn, caused validation failures
3676 for insecure zones immediately below a secure zone
3677 the server was authoritative for. [RT #18112]
3679 2379. [contrib] queryperf/gen-data-queryperf.py: removed redundant
3680 TLDs and supported RRs with TTLs [RT #17972]
3682 2378. [bug] gssapi_functions{} had a redundant member in BIND 9.5.
3685 2377. [bug] Address race condition in dnssec-signzone. [RT #18142]
3687 2376. [bug] Change #2144 was not complete.
3691 2374. [bug] "blackhole" ACLs could cause named to segfault due
3692 to some uninitialized memory. [RT #18095]
3694 2373. [bug] Default values of zone ACLs were re-parsed each time a
3695 new zone was configured, causing an overconsumption
3696 of memory. [RT #18092]
3698 2372. [bug] Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]
3700 2371. [doc] Add +nsid option to dig man page. [RT #18039]
3702 2370. [bug] "rndc freeze" could trigger an assertion in named
3703 when called on a nonexistent zone. [RT #18050]
3705 2369. [bug] libbind: Array bounds overrun on read in bitncmp().
3708 2368. [port] Linux: use libcap for capability management if
3709 possible. [RT# 18026]
3711 2367. [bug] Improve counting of dns_resstatscounter_retry
3714 2366. [bug] Adb shutdown race. [RT #18021]
3716 2365. [bug] Fix a bug that caused dns_acl_isany() to return
3717 spurious results. [RT #18000]
3719 2364. [bug] named could trigger a assertion when serving a
3720 malformed signed zone. [RT #17828]
3722 2363. [port] sunos: pre-set "lt_cv_sys_max_cmd_len=4096;".
3725 2362. [cleanup] Make "rrset-order fixed" a compile-time option.
3726 settable by "./configure --enable-fixed-rrset".
3727 Disabled by default. [RT #17977]
3729 2361. [bug] "recursion" statistics counter could be counted
3730 multiple times for a single query. [RT #17990]
3732 2360. [bug] Fix a condition where we release a database version
3733 (which may acquire a lock) while holding the lock.
3735 2359. [bug] Fix NSID bug. [RT #17942]
3737 2358. [doc] Update host's default query description. [RT #17934]
3739 2357. [port] Don't use OpenSSL's engine support in versions before
3740 OpenSSL 0.9.7f. [RT #17922]
3742 2356. [bug] Built in mutex profiler was not scalable enough.
3745 2355. [func] Extend the number statistics counters available.
3748 2354. [bug] Failed to initialize some rdatasetheader_t elements.
3751 2353. [func] Add support for Name Server ID (RFC 5001).
3752 'dig +nsid' requests NSID from server.
3753 'request-nsid yes;' causes recursive server to send
3754 NSID requests to upstream servers. Server responds
3755 to NSID requests with the string configured by
3756 'server-id' option. [RT #17091]
3758 2352. [bug] Various GSS_API fixups. [RT #17729]
3760 2351. [bug] convertxsl.pl generated very long lines. [RT #17906]
3762 2350. [port] win32: IPv6 support. [RT #17797]
3764 2349. [func] Provide incremental re-signing support for secure
3765 dynamic zones. [RT #1091]
3767 2348. [func] Use the EVP interface to OpenSSL. Add PKCS#11 support.
3768 Documentation is in the new README.pkcs11 file.
3769 New tool, dnssec-keyfromlabel, which takes the
3770 label of a key pair in a HSM and constructs a DNS
3771 key pair for use by named and dnssec-signzone.
3774 2347. [bug] Delete now traverses the RB tree in the canonical
3777 2346. [func] Memory statistics now cover all active memory contexts
3778 in increased detail. [RT #17580]
3780 2345. [bug] named-checkconf failed to detect when forwarders
3781 were set at both the options/view level and in
3782 a root zone. [RT #17671]
3784 2344. [bug] Improve "logging{ file ...; };" documentation.
3787 2343. [bug] (Seemingly) duplicate IPv6 entries could be
3788 created in ADB. [RT #17837]
3790 2342. [func] Use getifaddrs() if available under Linux. [RT #17224]
3792 2341. [bug] libbind: add missing -I../include for off source
3793 tree builds. [RT #17606]
3795 2340. [port] openbsd: interface configuration. [RT #17700]
3797 2339. [port] tru64: support for libbind. [RT #17589]
3799 2338. [bug] check_ds() could be called with a non DS rdataset.
3802 2337. [bug] BUILD_LDFLAGS was not being correctly set. [RT #17614]
3804 2336. [func] If "named -6" is specified then listen on all IPv6
3805 interfaces if there are not listen-on-v6 clauses in
3806 named.conf. [RT #17581]
3808 2335. [port] sunos: libbind and *printf() support for long long.
3811 2334. [bug] Bad REQUIRES in fromstruct_in_naptr(), off by one
3812 bug in fromstruct_txt(). [RT #17609]
3814 2333. [bug] Fix off by one error in isc_time_nowplusinterval().
3817 2332. [contrib] query-loc-0.4.0. [RT #17602]
3819 2331. [bug] Failure to regenerate any signatures was not being
3820 reported nor being past back to the UPDATE client.
3823 2330. [bug] Remove potential race condition when handling
3824 over memory events. [RT #17572]
3826 WARNING: API CHANGE: over memory callback
3827 function now needs to call isc_mem_waterack().
3828 See <isc/mem.h> for details.
3830 2329. [bug] Clearer help text for dig's '-x' and '-i' options.
3832 2328. [maint] Add AAAA addresses for A.ROOT-SERVERS.NET,
3833 F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET,
3834 J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
3837 2327. [bug] It was possible to dereference a NULL pointer in
3838 rbtdb.c. Implement dead node processing in zones as
3839 we do for caches. [RT #17312]
3841 2326. [bug] It was possible to trigger a INSIST in the acache
3844 2325. [port] Linux: use capset() function if available. [RT #17557]
3846 2324. [bug] Fix IPv6 matching against "any;". [RT #17533]
3848 2323. [port] tru64: namespace clash. [RT #17547]
3850 2322. [port] MacOS: work around the limitation of setrlimit()
3851 for RLIMIT_NOFILE. [RT #17526]
3855 2320. [func] Make statistics counters thread-safe for platforms
3856 that support certain atomic operations. [RT #17466]
3858 2319. [bug] Silence Coverity warnings in
3859 lib/dns/rdata/in_1/apl_42.c. [RT #17469]
3861 2318. [port] sunos fixes for libbind. [RT #17514]
3863 2317. [bug] "make distclean" removed bind9.xsl.h. [RT #17518]
3865 2316. [port] Missing #include <isc/print.h> in lib/dns/gssapictx.c.
3868 2315. [bug] Used incorrect address family for mapped IPv4
3869 addresses in acl.c. [RT #17519]
3871 2314. [bug] Uninitialized memory use on error path in
3872 bin/named/lwdnoop.c. [RT #17476]
3874 2313. [cleanup] Silence Coverity warnings. Handle private stacks.
3875 [RT #17447] [RT #17478]
3877 2312. [cleanup] Silence Coverity warning in lib/isc/unix/socket.c.
3880 2311. [bug] IPv6 addresses could match IPv4 ACL entries and
3881 vice versa. [RT #17462]
3883 2310. [bug] dig, host, nslookup: flush stdout before emitting
3884 debug/fatal messages. [RT #17501]
3886 2309. [cleanup] Fix Coverity warnings in lib/dns/acl.c and iptable.c.
3889 2308. [cleanup] Silence Coverity warning in bin/named/controlconf.c.
3892 2307. [bug] Remove infinite loop from lib/dns/sdb.c. [RT #17496]
3894 2306. [bug] Remove potential race from lib/dns/resolver.c.
3897 2305. [security] inet_network() buffer overflow. CVE-2008-0122.
3899 2304. [bug] Check returns from all dns_rdata_tostruct() calls.
3902 2303. [bug] Remove unnecessary code from bin/named/lwdgnba.c.
3905 2302. [bug] Fix memset() calls in lib/tests/t_api.c. [RT #17472]
3907 2301. [bug] Remove resource leak and fix error messages in
3908 bin/tests/system/lwresd/lwtest.c. [RT #17474]
3910 2300. [bug] Fixed failure to close open file in
3911 bin/tests/names/t_names.c. [RT #17473]
3913 2299. [bug] Remove unnecessary NULL check in
3914 bin/nsupdate/nsupdate.c. [RT #17475]
3916 2298. [bug] isc_mutex_lock() failure not caught in
3917 bin/tests/timers/t_timers.c. [RT #17468]
3919 2297. [bug] isc_entropy_createfilesource() failure not caught in
3920 bin/tests/dst/t_dst.c. [RT #17467]
3922 2296. [port] Allow docbook stylesheet location to be specified to
3923 configure. [RT #17457]
3925 2295. [bug] Silence static overrun error in bin/named/lwaddr.c.
3928 2294. [func] Allow the experimental statistics channels to have
3929 multiple connections and ACL.
3930 Note: the stats-server and stats-server-v6 options
3931 available in the previous beta releases are replaced
3932 with the generic statistics-channels statement.
3934 2293. [func] Add ACL regression test. [RT #17375]
3936 2292. [bug] Log if the working directory is not writable.
3939 2291. [bug] PR_SET_DUMPABLE may be set too late. Also report
3940 failure to set PR_SET_DUMPABLE. [RT #17312]
3942 2290. [bug] Let AD in the query signal that the client wants AD
3943 set in the response. [RT #17301]
3945 2289. [func] named-checkzone now reports the out-of-zone CNAME
3948 2288. [port] win32: mark service as running when we have finished
3949 loading. [RT #17441]
3951 2287. [bug] Use 'volatile' if the compiler supports it. [RT #17413]
3953 2286. [func] Allow a TCP connection to be used as a weak
3954 authentication method for reverse zones.
3955 New update-policy methods tcp-self and 6to4-self.
3958 2285. [func] Test framework for client memory context management.
3961 2284. [bug] Memory leak in UPDATE prerequisite processing.
3964 2283. [bug] TSIG keys were not attaching to the memory
3965 context. TSIG keys should use the rings
3966 memory context rather than the clients memory
3967 context. [RT #17377]
3969 2282. [bug] Acl code fixups. [RT #17346] [RT #17374]
3971 2281. [bug] Attempts to use undefined acls were not being logged.
3974 2280. [func] Allow the experimental http server to be reached
3975 over IPv6 as well as IPv4. [RT #17332]
3977 2279. [bug] Use setsockopt(SO_NOSIGPIPE), when available,
3978 to protect applications from receiving spurious
3979 SIGPIPE signals when using the resolver.
3981 2278. [bug] win32: handle the case where Windows returns no
3982 search list or DNS suffix. [RT #17354]
3984 2277. [bug] Empty zone names were not correctly being caught at
3985 in the post parse checks. [RT #17357]
3987 2276. [bug] Install <dst/gssapi.h>. [RT# 17359]
3989 2275. [func] Add support to dig to perform IXFR queries over UDP.
3992 2274. [func] Log zone transfer statistics. [RT #17336]
3994 2273. [bug] Adjust log level to WARNING when saving inconsistent
3995 stub/slave master and journal files. [RT# 17279]
3997 2272. [bug] Handle illegal dnssec-lookaside trust-anchor names.
4000 2271. [bug] Fix a memory leak in http server code [RT #17100]
4002 2270. [bug] dns_db_closeversion() version->writer could be reset
4003 before it is tested. [RT #17290]
4005 2269. [contrib] dbus memory leaks and missing va_end calls. [RT #17232]
4007 2268. [bug] 0.IN-ADDR.ARPA was missing from the empty zones
4010 --- 9.5.0b1 released ---
4012 2267. [bug] Radix tree node_num value could be set incorrectly,
4013 causing positive ACL matches to look like negative
4016 2266. [bug] client.c:get_clientmctx() returned the same mctx
4017 once the pool of mctx's was filled. [RT #17218]
4019 2265. [bug] Test that the memory context's basic_table is non NULL
4020 before freeing. [RT #17265]
4022 2264. [bug] Server prefix length was being ignored. [RT #17308]
4024 2263. [bug] "named-checkconf -z" failed to set default value
4025 for "check-integrity". [RT #17306]
4027 2262. [bug] Error status from all but the last view could be
4030 2261. [bug] Fix memory leak with "any" and "none" ACLs [RT #17272]
4032 2260. [bug] Reported wrong clients-per-query when increasing the
4037 --- 9.5.0a7 released ---
4039 2258. [bug] Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken.
4042 2257. [bug] win32: Use the full path to vcredist_x86.exe when
4043 calling it. [RT #17222]
4045 2256. [bug] win32: Correctly register the installation location of
4046 bindevt.dll. [RT #17159]
4048 2255. [maint] L.ROOT-SERVERS.NET is now 199.7.83.42.
4050 2254. [bug] timer.c:dispatch() failed to lock timer->lock
4051 when reading timer->idle allowing it to see
4052 intermediate values as timer->idle was reset by
4053 isc_timer_touch(). [RT #17243]
4055 2253. [func] "max-cache-size" defaults to 32M.
4056 "max-acache-size" defaults to 16M.
4058 2252. [bug] Fixed errors in sortlist code [RT #17216]
4062 2250. [func] New flag 'memstatistics' to state whether the
4063 memory statistics file should be written or not.
4064 Additionally named's -m option will cause the
4065 statistics file to be written. [RT #17113]
4067 2249. [bug] Only set Authentic Data bit if client requested
4068 DNSSEC, per RFC 3655 [RT #17175]
4070 2248. [cleanup] Fix several errors reported by Coverity. [RT #17160]
4072 2247. [doc] Sort doc/misc/options. [RT #17067]
4074 2246. [bug] Make the startup of test servers (ans.pl) more
4077 2245. [bug] Validating lack of DS records at trust anchors wasn't
4078 working. [RT #17151]
4080 2244. [func] Allow the check of nameserver names against the
4081 SOA MNAME field to be disabled by specifying
4082 'notify-to-soa yes;'. [RT #17073]
4084 2243. [func] Configuration files without a newline at the end now
4085 parse without error. [RT #17120]
4087 2242. [bug] nsupdate: GSS-TSIG support using the Heimdal Kerberos
4088 library could require a source of random data.
4091 2241. [func] nsupdate: add a interactive 'help' command. [RT #17099]
4093 2240. [bug] Cleanup nsupdates GSS-TSIG support. Convert
4094 a number of INSIST()s into plain fatal() errors
4095 which report the triggering result code.
4096 The 'key' command wasn't disabling GSS-TSIG.
4099 2239. [func] Ship a pre built bin/named/bind9.xsl.h. [RT #17114]
4101 2238. [bug] It was possible to trigger a REQUIRE when a
4102 validation was canceled. [RT #17106]
4104 2237. [bug] libbind: res_init() was not thread aware. [RT #17123]
4106 2236. [bug] dnssec-signzone failed to preserve the case of
4107 of wildcard owner names. [RT #17085]
4109 2235. [bug] <isc/atomic.h> was not being installed. [RT #17135]
4111 2234. [port] Correct some compiler warnings on SCO OSr5 [RT #17134]
4113 2233. [func] Add support for O(1) ACL processing, based on
4114 radix tree code originally written by Kevin
4115 Brintnall. [RT #16288]
4117 2232. [bug] dns_adb_findaddrinfo() could fail and return
4118 ISC_R_SUCCESS. [RT #17137]
4120 2231. [bug] Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken.
4123 2230. [bug] We could INSIST reading a corrupted journal.
4126 2229. [bug] Null pointer dereference on query pool creation
4127 failure. [RT #17133]
4129 2228. [contrib] contrib: Change 2188 was incomplete.
4131 2227. [cleanup] Tidied up the FAQ. [RT #17121]
4135 2225. [bug] More support for systems with no IPv4 addresses.
4138 2224. [bug] Defer journal compaction if a xfrin is in progress.
4141 2223. [bug] Make a new journal when compacting. [RT #17119]
4143 2222. [func] named-checkconf now checks server key references.
4146 2221. [bug] Set the event result code to reflect the actual
4147 record turned to caller when a cache update is
4148 rejected due to a more credible answer existing.
4151 2220. [bug] win32: Address a race condition in final shutdown of
4152 the Windows socket code. [RT #17028]
4154 2219. [bug] Apply zone consistency checks to additions, not
4155 removals, when updating. [RT #17049]
4157 2218. [bug] Remove unnecessary REQUIRE from dns_validator_create().
4160 2217. [func] Adjust update log levels. [RT #17092]
4162 2216. [cleanup] Fix a number of errors reported by Coverity.
4165 2215. [bug] Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094]
4167 2214. [bug] Deregister OpenSSL lock callback when cleaning
4168 up. Reorder OpenSSL cleanup so that RAND_cleanup()
4169 is called before the locks are destroyed. [RT #17098]
4171 2213. [bug] SIG0 diagnostic failure messages were looking at the
4172 wrong status code. [RT #17101]
4174 2212. [func] 'host -m' now causes memory statistics and active
4175 memory to be printed at exit. [RT 17028]
4177 2211. [func] Update "dynamic update temporarily disabled" message.
4180 2210. [bug] Deleting class specific records via UPDATE could
4183 2209. [port] osx: linking against user supplied static OpenSSL
4184 libraries failed as the system ones were still being
4187 2208. [port] win32: make sure both build methods produce the
4188 same output. [RT #17058]
4190 2207. [port] Some implementations of getaddrinfo() fail to set
4191 ai_canonname correctly. [RT #17061]
4193 --- 9.5.0a6 released ---
4195 2206. [security] "allow-query-cache" and "allow-recursion" now
4196 cross inherit from each other.
4198 If allow-query-cache is not set in named.conf then
4199 allow-recursion is used if set, otherwise allow-query
4200 is used if set, otherwise the default (localnets;
4201 localhost;) is used.
4203 If allow-recursion is not set in named.conf then
4204 allow-query-cache is used if set, otherwise allow-query
4205 is used if set, otherwise the default (localnets;
4206 localhost;) is used.
4210 2205. [bug] libbind: change #2119 broke thread support. [RT #16982]
4212 2204. [bug] "rndc flushanme name unknown-view" caused named
4213 to crash. [RT #16984]
4215 2203. [security] Query id generation was cryptographically weak.
4218 2202. [security] The default acls for allow-query-cache and
4219 allow-recursion were not being applied. [RT #16960]
4221 2201. [bug] The build failed in a separate object directory.
4224 2200. [bug] The search for cached NSEC records was stopping to
4225 early leading to excessive DLV queries. [RT #16930]
4227 2199. [bug] win32: don't call WSAStartup() while loading dlls.
4230 2198. [bug] win32: RegCloseKey() could be called when
4231 RegOpenKeyEx() failed. [RT #16911]
4233 2197. [bug] Add INSIST to catch negative responses which are
4234 not setting the event result code appropriately.
4237 2196. [port] win32: yield processor while waiting for once to
4238 to complete. [RT #16958]
4240 2195. [func] dnssec-keygen now defaults to nametype "ZONE"
4241 when generating DNSKEYs. [RT #16954]
4243 2194. [bug] Close journal before calling 'done' in xfrin.c.
4245 --- 9.5.0a5 released ---
4247 2193. [port] win32: BINDInstall.exe is now linked statically.
4250 2192. [port] win32: use vcredist_x86.exe to install Visual
4251 Studio's redistributable dlls if building with
4252 Visual Stdio 2005 or later.
4254 2191. [func] named-checkzone now allows dumping to stdout (-).
4255 named-checkconf now has -h for help.
4256 named-checkzone now has -h for help.
4257 rndc now has -h for help.
4258 Better handling of '-?' for usage summaries.
4261 2190. [func] Make fallback to plain DNS from EDNS due to timeouts
4262 more visible. New logging category "edns-disabled".
4265 2189. [bug] Handle socket() returning EINTR. [RT #15949]
4267 2188. [contrib] queryperf: autoconf changes to make the search for
4268 libresolv or libbind more robust. [RT #16299]
4270 2187. [bug] query_addds(), query_addwildcardproof() and
4271 query_addnxrrsetnsec() should take a version
4272 argument. [RT #16368]
4274 2186. [port] cygwin: libbind: check for struct sockaddr_storage
4275 independently of IPv6. [RT #16482]
4277 2185. [port] sunos: libbind: check for ssize_t, memmove() and
4278 memchr(). [RT #16463]
4280 2184. [bug] bind9.xsl.h didn't build out of the source tree.
4283 2183. [bug] dnssec-signzone didn't handle offline private keys
4286 2182. [bug] dns_dispatch_createtcp() and dispatch_createudp()
4287 could return ISC_R_SUCCESS when they ran out of
4290 2181. [port] sunos: libbind: add paths.h from BIND 8. [RT #16462]
4292 2180. [cleanup] Remove bit test from 'compress_test' as they
4293 are no longer needed. [RT #16497]
4295 2179. [func] 'rndc command zone' will now find 'zone' if it is
4296 unique to all the views. [RT #16821]
4298 2178. [bug] 'rndc reload' of a slave or stub zone resulted in
4299 a reference leak. [RT #16867]
4301 2177. [bug] Array bounds overrun on read (rcodetext) at
4302 debug level 10+. [RT #16798]
4304 2176. [contrib] dbus update to handle race condition during
4305 initialization (Bugzilla 235809). [RT #16842]
4307 2175. [bug] win32: windows broadcast condition variable support
4308 was broken. [RT #16592]
4310 2174. [bug] I/O errors should always be fatal when reading
4311 master files. [RT #16825]
4313 2173. [port] win32: When compiling with MSVS 2005 SP1 we also
4314 need to ship Microsoft.VC80.MFCLOC.
4316 --- 9.5.0a4 released ---
4318 2172. [bug] query_addsoa() was being called with a non zone db.
4321 2171. [bug] Handle breaks in DNSSEC trust chains where the parent
4322 servers are not DS aware (DS queries to the parent
4323 return a referral to the child).
4325 2170. [func] Add acache processing to test suite. [RT #16711]
4327 2169. [bug] host, nslookup: when reporting NXDOMAIN report the
4328 given name and not the last name searched for.
4331 2168. [bug] nsupdate: in non-interactive mode treat syntax errors
4332 as fatal errors. [RT #16785]
4334 2167. [bug] When re-using a automatic zone named failed to
4335 attach it to the new view. [RT #16786]
4337 --- 9.5.0a3 released ---
4339 2166. [bug] When running in batch mode, dig could misinterpret
4340 a server address as a name to be looked up, causing
4341 unexpected output. [RT #16743]
4343 2165. [func] Allow the destination address of a query to determine
4344 if we will answer the query or recurse.
4345 allow-query-on, allow-recursion-on and
4346 allow-query-cache-on. [RT #16291]
4348 2164. [bug] The code to determine how named-checkzone /
4349 named-compilezone was called failed under windows.
4352 2163. [bug] If only one of query-source and query-source-v6
4353 specified a port the query pools code broke (change
4356 2162. [func] Allow "rrset-order fixed" to be disabled at compile
4359 2161. [bug] Fix which log messages are emitted for 'rndc flush'.
4362 2160. [bug] libisc wasn't handling NULL ifa_addr pointers returned
4363 from getifaddrs(). [RT #16708]
4365 --- 9.5.0a2 released ---
4367 2159. [bug] Array bounds overrun in acache processing. [RT #16710]
4369 2158. [bug] ns_client_isself() failed to initialize key
4370 leading to a REQUIRE failure. [RT #16688]
4372 2157. [func] dns_db_transfernode() created. [RT #16685]
4374 2156. [bug] Fix node reference leaks in lookup.c:lookup_find(),
4375 resolver.c:validated() and resolver.c:cache_name().
4376 Fix a memory leak in rbtdb.c:free_noqname().
4377 Make lookup.c:lookup_find() robust against
4378 event leaks. [RT #16685]
4380 2155. [contrib] SQLite sdb module from jaboydjr@netwalk.com.
4383 2154. [func] Scoped (e.g. IPv6 link-local) addresses may now be
4384 matched in acls by omitting the scope. [RT #16599]
4386 2153. [bug] nsupdate could leak memory. [RT #16691]
4388 2152. [cleanup] Use sizeof(buf) instead of fixed number in
4389 dighost.c:get_trusted_key(). [RT #16678]
4391 2151. [bug] Missing newline in usage message for journalprint.
4394 2150. [bug] 'rrset-order cyclic' uniformly distribute the
4395 starting point for the first response for a given
4398 2149. [bug] isc_mem_checkdestroyed() failed to abort on
4399 if there were still active memory contexts.
4402 2148. [func] Add positive logging for rndc commands. [RT #14623]
4404 2147. [bug] libbind: remove potential buffer overflow from
4405 hmac_link.c. [RT #16437]
4407 2146. [cleanup] Silence Linux's spurious "obsolete setsockopt
4408 SO_BSDCOMPAT" message. [RT #16641]
4410 2145. [bug] Check DS/DLV digest lengths for known digests.
4413 2144. [cleanup] Suppress logging of SERVFAIL from forwarders.
4416 2143. [bug] We failed to restart the IPv6 client when the
4417 kernel failed to return the destination the
4418 packet was sent to. [RT #16613]
4420 2142. [bug] Handle master files with a modification time that
4421 matches the epoch. [RT# 16612]
4423 2141. [bug] dig/host should not be setting IDN_ASCCHECK (IDN
4424 equivalent of LDH checks). [RT #16609]
4426 2140. [bug] libbind: missing unlock on pthread_key_create()
4427 failures. [RT #16654]
4429 2139. [bug] dns_view_find() was being called with wrong type
4430 in adb.c. [RT #16670]
4432 2138. [bug] Lock order reversal in resolver.c. [RT #16653]
4434 2137. [port] Mips little endian and/or mips 64 bit are now
4435 supported for atomic operations. [RT#16648]
4437 2136. [bug] nslookup/host looped if there was no search list
4438 and the host didn't exist. [RT #16657]
4440 2135. [bug] Uninitialized rdataset in sdlz.c. [RT# 16656]
4442 2134. [func] Additional statistics support. [RT #16666]
4444 2133. [port] powerpc: Support both IBM and MacOS Power PC
4445 assembler syntaxes. [RT #16647]
4447 2132. [bug] Missing unlock on out of memory in
4448 dns_dispatchmgr_setudp().
4450 2131. [contrib] dlz/mysql: AXFR was broken. [RT #16630]
4452 2130. [func] Log if CD or DO were set. [RT #16640]
4454 2129. [func] Provide a pool of UDP sockets for queries to be
4455 made over. See use-queryport-pool, queryport-pool-ports
4456 and queryport-pool-updateinterval. [RT #16415]
4458 2128. [doc] xsltproc --nonet, update DTD versions. [RT #16635]
4460 2127. [port] Improved OpenSSL 0.9.8 support. [RT #16563]
4462 2126. [security] Serialize validation of type ANY responses. [RT #16555]
4464 2125. [bug] dns_zone_getzeronosoattl() REQUIRE failure if DLZ
4465 was defined. [RT #16574]
4467 2124. [security] It was possible to dereference a freed fetch
4468 context. [RT #16584]
4470 --- 9.5.0a1 released ---
4472 2123. [func] Use Doxygen to generate internal documentation.
4475 2122. [func] Experimental http server and statistics support
4478 2121. [func] Add a 10 slot dead masters cache (LRU) with a 600
4479 second timeout. [RT #16553]
4481 2120. [doc] Fix markup on nsupdate man page. [RT #16556]
4483 2119. [compat] libbind: allow res_init() to succeed enough to
4484 return the default domain even if it was unable
4487 2118. [bug] Handle response with long chains of domain name
4488 compression pointers which point to other compression
4489 pointers. [RT #16427]
4491 2117. [bug] DNSSEC fixes: named could fail to cache NSEC records
4492 which could lead to validation failures. named didn't
4493 handle negative DS responses that were in the process
4494 of being validated. Check CNAME bit before accepting
4495 NODATA proof. To be able to ignore a child NSEC there
4496 must be SOA (and NS) set in the bitmap. [RT #16399]
4498 2116. [bug] 'rndc reload' could cause the cache to continually
4499 be cleaned. [RT #16401]
4501 2115. [bug] 'rndc reconfig' could trigger a INSIST if the
4502 number of masters for a zone was reduced. [RT #16444]
4504 2114. [bug] dig/host/nslookup: searches for names with multiple
4505 labels were failing. [RT #16447]
4507 2113. [bug] nsupdate: if a zone is specified it should be used
4508 for server discover. [RT# 16455]
4510 2112. [security] Warn if weak RSA exponent is used. [RT #16460]
4512 2111. [bug] Fix a number of errors reported by Coverity.
4515 2110. [bug] "minimal-responses yes;" interacted badly with BIND 8
4516 priming queries. [RT #16491]
4518 2109. [port] libbind: silence aix 5.3 compiler warnings. [RT #16502]
4520 2108. [func] DHCID support. [RT #16456]
4522 2107. [bug] dighost.c: more cleanup of buffers. [RT #16499]
4524 2106. [func] 'rndc status' now reports named's version. [RT #16426]
4526 2105. [func] GSS-TSIG support (RFC 3645).
4528 2104. [port] Fix Solaris SMF error message.
4530 2103. [port] Add /usr/sfw to list of locations for OpenSSL
4533 2102. [port] Silence Solaris 10 warnings.
4535 2101. [bug] OpenSSL version checks were not quite right.
4538 2100. [port] win32: copy libeay32.dll to Build\Debug.
4539 Copy Debug\named-checkzone to Debug\named-compilezone.
4541 2099. [port] win32: more manifest issues.
4543 2098. [bug] Race in rbtdb.c:no_references(), which occasionally
4544 triggered an INSIST failure about the node lock
4545 reference. [RT #16411]
4547 2097. [bug] named could reference a destroyed memory context
4548 after being reloaded / reconfigured. [RT #16428]
4550 2096. [bug] libbind: handle applications that fail to detect
4551 res_init() failures better.
4553 2095. [port] libbind: alway prototype inet_cidr_ntop_ipv6() and
4554 net_cidr_ntop_ipv6(). [RT #16388]
4556 2094. [contrib] Update named-bootconf. [RT# 16404]
4558 2093. [bug] named-checkzone -s was broken.
4560 2092. [bug] win32: dig, host, nslookup. Use registry config
4561 if resolv.conf does not exist or no nameservers
4564 2091. [port] dighost.c: race condition on cleanup. [RT #16417]
4566 2090. [port] win32: Visual C++ 2005 command line manifest support.
4569 2089. [security] Raise the minimum safe OpenSSL versions to
4570 OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions
4571 prior to these have known security flaws which
4572 are (potentially) exploitable in named. [RT #16391]
4574 2088. [security] Change the default RSA exponent from 3 to 65537.
4577 2087. [port] libisc failed to compile on OS's w/o a vsnprintf.
4580 2086. [port] libbind: FreeBSD now has get*by*_r() functions.
4583 2085. [doc] win32: added index.html and README to zip. [RT #16201]
4585 2084. [contrib] dbus update for 9.3.3rc2.
4587 2083. [port] win32: Visual C++ 2005 support.
4589 2082. [doc] Document 'cache-file' as a test only option.
4591 2081. [port] libbind: minor 64-bit portability fix in memcluster.c.
4594 2080. [port] libbind: res_init.c did not compile on older versions
4595 of Solaris. [RT #16363]
4597 2079. [bug] The lame cache was not handling multiple types
4598 correctly. [RT #16361]
4600 2078. [bug] dnssec-checkzone output style "default" was badly
4601 named. It is now called "relative". [RT #16326]
4603 2077. [bug] 'dnssec-signzone -O raw' wasn't outputting the
4604 complete signed zone. [RT #16326]
4606 2076. [bug] Several files were missing #include <config.h>
4607 causing build failures on OSF. [RT #16341]
4609 2075. [bug] The spillat timer event hander could leak memory.
4612 2074. [bug] dns_request_createvia2(), dns_request_createvia3(),
4613 dns_request_createraw2() and dns_request_createraw3()
4614 failed to send multiple UDP requests. [RT #16349]
4616 2073. [bug] Incorrect semantics check for update policy "wildcard".
4619 2072. [bug] We were not generating valid HMAC SHA digests.
4622 2071. [port] Test whether gcc accepts -fno-strict-aliasing.
4625 2070. [bug] The remote address was not always displayed when
4626 reporting dispatch failures. [RT #16315]
4628 2069. [bug] Cross compiling was not working. [RT #16330]
4630 2068. [cleanup] Lower incremental tuning message to debug 1.
4633 2067. [bug] 'rndc' could close the socket too early triggering
4634 a INSIST under Windows. [RT #16317]
4636 2066. [security] Handle SIG queries gracefully. [RT #16300]
4638 2065. [bug] libbind: probe for HPUX prototypes for
4639 endprotoent_r() and endservent_r(). [RT 16313]
4641 2064. [bug] libbind: silence AIX compiler warnings. [RT #16218]
4643 2063. [bug] Change #1955 introduced a bug which caused the first
4644 'rndc flush' call to not free memory. [RT #16244]
4646 2062. [bug] 'dig +nssearch' was reusing a buffer before it had
4647 been returned by the socket code. [RT #16307]
4649 2061. [bug] Accept expired wildcard message reversed. [RT #16296]
4651 2060. [bug] Enabling DLZ support could leave views partially
4652 configured. [RT #16295]
4654 2059. [bug] Search into cache rbtdb could trigger an INSIST
4655 failure while cleaning up a stale rdataset.
4658 2058. [bug] Adjust how we calculate rtt estimates in the presence
4659 of authoritative servers that drop EDNS and/or CD
4660 requests. Also fallback to EDNS/512 and plain DNS
4661 faster for zones with less than 3 servers. [RT #16187]
4663 2057. [bug] Make setting "ra" dependent on both allow-query-cache
4664 and allow-recursion. [RT #16290]
4666 2056. [bug] dig: ixfr= was not being treated case insensitively
4667 at all times. [RT #15955]
4669 2055. [bug] Missing goto after dropping multicast query.
4672 2054. [port] freebsd: do not explicitly link against -lpthread.
4675 2053. [port] netbsd:libbind: silence compiler warnings. [RT #16220]
4677 2052. [bug] 'rndc' improve connect failed message to report
4678 the failing address. [RT #15978]
4680 2051. [port] More strtol() fixes. [RT #16249]
4682 2050. [bug] Parsing of NSAP records was not case insensitive.
4685 2049. [bug] Restore SOA before AXFR when falling back from
4686 a attempted IXFR when transferring in a zone.
4687 Allow a initial SOA query before attempting
4688 a AXFR to be requested. [RT #16156]
4690 2048. [bug] It was possible to loop forever when using
4691 avoid-v4-udp-ports / avoid-v6-udp-ports when
4692 the OS always returned the same local port.
4695 2047. [bug] Failed to initialize the interface flags to zero.
4698 2046. [bug] rbtdb.c:rdataset_setadditional() could cause duplicate
4699 cleanup [RT #16247].
4701 2045. [func] Use lock buckets for acache entries to limit memory
4702 consumption. [RT #16183]
4704 2044. [port] Add support for atomic operations for Itanium.
4707 2043. [port] nsupdate/nslookup: Force the flushing of the prompt
4708 for interactive sessions. [RT#16148]
4710 2042. [bug] named-checkconf was incorrectly rejecting the
4711 logging category "config". [RT #16117]
4713 2041. [bug] "configure --with-dlz-bdb=yes" produced a bad
4714 set of libraries to be linked. [RT #16129]
4716 2040. [bug] rbtdb no_references() could trigger an INSIST
4717 failure with --enable-atomic. [RT #16022]
4719 2039. [func] Check that all buffers passed to the socket code
4720 have been retrieved when the socket event is freed.
4723 2038. [bug] dig/nslookup/host was unlinking from wrong list
4724 when handling errors. [RT #16122]
4726 2037. [func] When unlinking the first or last element in a list
4727 check that the list head points to the element to
4728 be unlinked. [RT #15959]
4730 2036. [bug] 'rndc recursing' could cause trigger a REQUIRE.
4733 2035. [func] Make falling back to TCP on UDP refresh failure
4734 optional. Default "try-tcp-refresh yes;" for BIND 8
4735 compatibility. [RT #16123]
4737 2034. [bug] gcc: set -fno-strict-aliasing. [RT #16124]
4739 2033. [bug] We weren't creating multiple client memory contexts
4740 on demand as expected. [RT #16095]
4742 2032. [bug] Remove a INSIST in query_addadditional2(). [RT #16074]
4744 2031. [bug] Emit a error message when "rndc refresh" is called on
4745 a non slave/stub zone. [RT # 16073]
4747 2030. [bug] We were being overly conservative when disabling
4748 openssl engine support. [RT #16030]
4750 2029. [bug] host printed out the server multiple times when
4751 specified on the command line. [RT #15992]
4753 2028. [port] linux: socket.c compatibility for old systems.
4756 2027. [port] libbind: Solaris x86 support. [RT #16020]
4758 2026. [bug] Rate limit the two recursive client exceeded messages.
4761 2025. [func] Update "zone serial unchanged" message. [RT #16026]
4763 2024. [bug] named emitted spurious "zone serial unchanged"
4764 messages on reload. [RT #16027]
4766 2023. [bug] "make install" should create ${localstatedir}/run and
4767 ${sysconfdir} if they do not exist. [RT #16033]
4769 2022. [bug] If dnssec validation is disabled only assert CD if
4770 CD was requested. [RT #16037]
4772 2021. [bug] dnssec-enable no; triggered a REQUIRE. [RT #16037]
4774 2020. [bug] rdataset_setadditional() could leak memory. [RT #16034]
4776 2019. [tuning] Reduce the amount of work performed per quantum
4777 when cleaning the cache. [RT #15986]
4779 2018. [bug] Checking if the HMAC MD5 private file was broken.
4782 2017. [bug] allow-query default was not correct. [RT #15946]
4784 2016. [bug] Return a partial answer if recursion is not
4785 allowed but requested and we had the answer
4786 to the original qname. [RT #15945]
4788 2015. [cleanup] use-additional-cache is now acache-enable for
4789 consistency. Default acache-enable off in BIND 9.4
4790 as it requires memory usage to be configured.
4791 It may be enabled by default in BIND 9.5 once we
4792 have more experience with it.
4794 2014. [func] Statistics about acache now recorded and sent
4797 2013. [bug] Handle unexpected TSIGs on unsigned AXFR/IXFR
4798 responses more gracefully. [RT #15941]
4800 2012. [func] Don't insert new acache entries if acache is full.
4803 2011. [func] dnssec-signzone can now update the SOA record of
4804 the signed zone, either as an increment or as the
4805 system time(). [RT #15633]
4807 2010. [placeholder] rt15958
4809 2009. [bug] libbind: Coverity fixes. [RT #15808]
4811 2008. [func] It is now possible to enable/disable DNSSEC
4812 validation from rndc. This is useful for the
4813 mobile hosts where the current connection point
4814 breaks DNSSEC (firewall/proxy). [RT #15592]
4816 rndc validation newstate [view]
4818 2007. [func] It is now possible to explicitly enable DNSSEC
4819 validation. default dnssec-validation no; to
4820 be changed to yes in 9.5.0. [RT #15674]
4822 2006. [security] Allow-query-cache and allow-recursion now default
4823 to the built in acls "localnets" and "localhost".
4825 This is being done to make caching servers less
4826 attractive as reflective amplifying targets for
4827 spoofed traffic. This still leave authoritative
4830 The best fix is for full BCP 38 deployment to
4831 remove spoofed traffic.
4833 2005. [bug] libbind: Retransmission timeouts should be
4834 based on which attempt it is to the nameserver
4835 and not the nameserver itself. [RT #13548]
4837 2004. [bug] dns_tsig_sign() could pass a NULL pointer to
4838 dst_context_destroy() when cleaning up after a
4841 2003. [bug] libbind: The DNS name/address lookup functions could
4842 occasionally follow a random pointer due to
4843 structures not being completely zeroed. [RT #15806]
4845 2002. [bug] libbind: tighten the constraints on when
4846 struct addrinfo._ai_pad exists. [RT #15783]
4848 2001. [func] Check the KSK flag when updating a secure dynamic zone.
4849 New zone option "update-check-ksk yes;". [RT #15817]
4851 2000. [bug] memmove()/strtol() fix was incomplete. [RT #15812]
4853 1999. [func] Implement "rrset-order fixed". [RT #13662]
4855 1998. [bug] Restrict handling of fifos as sockets to just SunOS.
4856 This allows named to connect to entropy gathering
4857 daemons that use fifos instead of sockets. [RT #15840]
4859 1997. [bug] Named was failing to replace negative cache entries
4860 when a positive one for the type was learnt.
4863 1996. [bug] nsupdate: if a zone has been specified it should
4864 appear in the output of 'show'. [RT #15797]
4866 1995. [bug] 'host' was reporting multiple "is an alias" messages.
4869 1994. [port] OpenSSL 0.9.8 support. [RT #15694]
4871 1993. [bug] Log messages, via syslog, were missing the space
4872 after the timestamp if "print-time yes" was specified.
4875 1992. [bug] Not all incoming zone transfer messages included the
4878 1991. [cleanup] The configuration data, once read, should be treated
4879 as read only. Expand the use of const to enforce this
4880 at compile time. [RT #15813]
4882 1990. [bug] libbind: isc's override of broken gettimeofday()
4883 implementations was not always effective.
4886 1989. [bug] win32: don't check the service password when
4887 re-installing. [RT #15882]
4889 1988. [bug] Remove a bus error from the SHA256/SHA512 support.
4892 1987. [func] DS/DLV SHA256 digest algorithm support. [RT #15608]
4894 1986. [func] Report when a zone is removed. [RT #15849]
4896 1985. [protocol] DLV has now been assigned a official type code of
4899 Note: care should be taken to ensure you upgrade
4900 both named and dnssec-signzone at the same time for
4901 zones with DLV records where named is the master
4902 server for the zone. Also any zones that contain
4903 DLV records should be removed when upgrading a slave
4904 zone. You do not however have to upgrade all
4905 servers for a zone with DLV records simultaneously.
4907 1984. [func] dig, nslookup and host now advertise a 4096 byte
4908 EDNS UDP buffer size by default. [RT #15855]
4910 1983. [func] Two new update policies. "selfsub" and "selfwild".
4913 1982. [bug] DNSKEY was being accepted on the parent side of
4914 a delegation. KEY is still accepted there for
4915 RFC 3007 validated updates. [RT #15620]
4917 1981. [bug] win32: condition.c:wait() could fail to reattain
4920 1980. [func] dnssec-signzone: output the SOA record as the
4921 first record in the signed zone. [RT #15758]
4923 1979. [port] linux: allow named to drop core after changing
4924 user ids. [RT #15753]
4926 1978. [port] Handle systems which have a broken recvmsg().
4929 1977. [bug] Silence noisy log message. [RT #15704]
4931 1976. [bug] Handle systems with no IPv4 addresses. [RT #15695]
4933 1975. [bug] libbind: isc_gethexstring() could misparse multi-line
4934 hex strings with comments. [RT #15814]
4936 1974. [doc] List each of the zone types and associated zone
4937 options separately in the ARM.
4939 1973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
4940 HMACSHA512 support. [RT #13606]
4942 1972. [contrib] DBUS dynamic forwarders integration from
4943 Jason Vas Dias <jvdias@redhat.com>.
4945 1971. [port] linux: make detection of missing IF_NAMESIZE more
4948 1970. [bug] nsupdate: adjust UDP timeout when falling back to
4949 unsigned SOA query. [RT #15775]
4951 1969. [bug] win32: the socket code was freeing the socket
4952 structure too early. [RT #15776]
4954 1968. [bug] Missing lock in resolver.c:validated(). [RT #15739]
4956 1967. [func] dig/nslookup/host: warn about missing "QR". [RT #15779]
4958 1966. [bug] Don't set CD when we have fallen back to plain DNS.
4961 1965. [func] Suppress spurious "recursion requested but not
4962 available" warning with 'dig +qr'. [RT #15780].
4964 1964. [func] Separate out MX and SRV to CNAME checks. [RT #15723]
4966 1963. [port] Tru64 4.0E doesn't support send() and recv().
4969 1962. [bug] Named failed to clear old update-policy when it
4970 was removed. [RT #15491]
4972 1961. [bug] Check the port and address of responses forwarded
4973 to dispatch. [RT #15474]
4975 1960. [bug] Update code should set NSEC ttls from SOA MINIMUM.
4978 1959. [func] Control the zeroing of the negative response TTL to
4979 a soa query. Defaults "zero-no-soa-ttl yes;" and
4980 "zero-no-soa-ttl-cache no;". [RT #15460]
4982 1958. [bug] Named failed to update the zone's secure state
4983 until the zone was reloaded. [RT #15412]
4985 1957. [bug] Dig mishandled responses to class ANY queries.
4988 1956. [bug] Improve cross compile support, 'gen' is now built
4989 by native compiler. See README for additional
4990 cross compile support information. [RT #15148]
4992 1955. [bug] Pre-allocate the cache cleaning iterator. [RT #14998]
4994 1954. [func] Named now falls back to advertising EDNS with a
4995 512 byte receive buffer if the initial EDNS queries
4998 1953. [func] The maximum EDNS UDP response named will send can
4999 now be set in named.conf (max-udp-size). This is
5000 independent of the advertised receive buffer
5001 (edns-udp-size). [RT #14852]
5003 1952. [port] hpux: tell the linker to build a runtime link
5004 path "-Wl,+b:". [RT #14816].
5006 1951. [security] Drop queries from particular well known ports.
5007 Don't return FORMERR to queries from particular
5008 well known ports. [RT #15636]
5010 1950. [port] Solaris 2.5.1 and earlier cannot bind() then connect()
5011 a TCP socket. This prevents the source address being
5012 set for TCP connections. [RT #15628]
5014 1949. [func] Addition memory leakage checks. [RT #15544]
5016 1948. [bug] If was possible to trigger a REQUIRE failure in
5017 xfrin.c:maybe_free() if named ran out of memory.
5020 1947. [func] It is now possible to configure named to accept
5021 expired RRSIGs. Default "dnssec-accept-expired no;".
5022 Setting "dnssec-accept-expired yes;" leaves named
5023 vulnerable to replay attacks. [RT #14685]
5025 1946. [bug] resume_dslookup() could trigger a REQUIRE failure
5026 when using forwarders. [RT #15549]
5028 1945. [cleanup] dnssec-keygen: RSA (RSAMD5) is no longer recommended.
5029 To generate a RSAMD5 key you must explicitly request
5032 1944. [cleanup] isc_hash_create() does not need a read/write lock.
5035 1943. [bug] Set the loadtime after rolling forward the journal.
5038 1942. [bug] If the name of a DNSKEY match that of one in
5039 trusted-keys do not attempt to validate the DNSKEY
5040 using the parents DS RRset. [RT #15649]
5042 1941. [bug] ncache_adderesult() should set eresult even if no
5043 rdataset is passed to it. [RT #15642]
5045 1940. [bug] Fixed a number of error conditions reported by
5048 1939. [bug] The resolver could dereference a null pointer after
5049 validation if all the queries have timed out.
5052 1938. [bug] The validator was not correctly handling unsecure
5053 negative responses at or below a SEP. [RT #15528]
5055 1937. [bug] sdlz doesn't handle RRSIG records. [RT #15564]
5057 1936. [bug] The validator could leak memory. [RT #15544]
5059 1935. [bug] 'acache' was DO sensitive. [RT #15430]
5061 1934. [func] Validate pending NS RRsets, in the authority section,
5062 prior to returning them if it can be done without
5063 requiring DNSKEYs to be fetched. [RT #15430]
5065 1933. [bug] dump_rdataset_raw() had a incorrect INSIST. [RT #15534]
5067 1932. [bug] hpux: LDFLAGS was getting corrupted. [RT #15530]
5069 1931. [bug] Per-client mctx could require a huge amount of memory,
5070 particularly for a busy caching server. [RT #15519]
5072 1930. [port] HPUX: ia64 support. [RT #15473]
5074 1929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
5076 1928. [bug] Race in rbtdb.c:currentversion(). [RT #15517]
5078 1927. [bug] Access to soanode or nsnode in rbtdb violated the
5079 lock order rule and could cause a dead lock.
5082 1926. [bug] The Windows installer did not check for empty
5083 passwords. BINDinstall was being installed in
5084 the wrong place. [RT #15483]
5086 1925. [port] All outer level AC_TRY_RUNs need cross compiling
5087 defaults. [RT #15469]
5089 1924. [port] libbind: hpux ia64 support. [RT #15473]
5091 1923. [bug] ns_client_detach() called too early. [RT #15499]
5093 1922. [bug] check-tool.c:setup_logging() missing call to
5094 dns_log_setcontext().
5096 1921. [bug] Client memory contexts were not using internal
5099 1920. [bug] The cache rbtdb lock array was too small to
5100 have the desired performance characteristics.
5103 1919. [contrib] queryperf: a set of new features: collecting/printing
5104 response delays, printing intermediate results, and
5105 adjusting query rate for the "target" qps.
5107 1918. [bug] Memory leak when checking acls. [RT #15391]
5109 1917. [doc] funcsynopsisinfo wasn't being treated as verbatim
5110 when generating man pages. [RT #15385]
5112 1916. [func] Integrate contributed IDN code from JPNIC. [RT #15383]
5114 1915. [bug] dig +ndots was broken. [RT #15215]
5116 1914. [protocol] DS is required to accept mnemonic algorithms
5117 (RFC 4034). Still emit numeric algorithms for
5118 compatibility with RFC 3658. [RT #15354]
5120 1913. [func] Integrate contributed DLZ code into named. [RT #11382]
5122 1912. [port] aix: atomic locking for powerpc. [RT #15020]
5124 1911. [bug] Update windows socket code. [RT #14965]
5126 1910. [bug] dig's +sigchase code overhauled. [RT #14933]
5128 1909. [bug] The DLV code has been re-worked to make no longer
5129 query order sensitive. [RT #14933]
5131 1908. [func] dig now warns if 'RA' is not set in the answer when
5132 'RD' was set in the query. host/nslookup skip servers
5133 that fail to set 'RA' when 'RD' is set unless a server
5134 is explicitly set. [RT #15005]
5136 1907. [func] host/nslookup now continue (default)/fail on SERVFAIL.
5139 1906. [func] dig now has a '-q queryname' and '+showsearch' options.
5142 1905. [bug] Strings returned from cfg_obj_asstring() should be
5143 treated as read-only. The prototype for
5144 cfg_obj_asstring() has been updated to reflect this.
5147 1904. [func] Automatic empty zone creation for D.F.IP6.ARPA and
5148 friends. Note: RFC 1918 zones are not yet covered by
5149 this but are likely to be in a future release.
5151 New options: empty-server, empty-contact,
5152 empty-zones-enable and disable-empty-zone.
5154 1903. [func] ISC string copy API.
5156 1902. [func] Attempt to make the amount of work performed in a
5157 iteration self tuning. The covers nodes clean from
5158 the cache per iteration, nodes written to disk when
5159 rewriting a master file and nodes destroyed per
5160 iteration when destroying a zone or a cache.
5163 1901. [cleanup] Don't add DNSKEY records to the additional section.
5165 1900. [bug] ixfr-from-differences failed to ensure that the
5166 serial number increased. [RT #15036]
5168 1899. [func] named-checkconf now validates update-policy entries.
5171 1898. [bug] Extend ISC_SOCKADDR_FORMATSIZE and
5172 ISC_NETADDR_FORMATSIZE to allow for scope details.
5174 1897. [func] x86 and x86_64 now have separate atomic locking
5177 1896. [bug] Recursive clients soft quota support wasn't working
5178 as expected. [RT #15103]
5180 1895. [bug] A escaped character is, potentially, converted to
5181 the output character set too early. [RT #14666]
5183 1894. [doc] Review ARM for BIND 9.4.
5185 1893. [port] Use uintptr_t if available. [RT #14606]
5187 1892. [func] Support for SPF rdata type. [RT #15033]
5189 1891. [port] freebsd: pthread_mutex_init can fail if it runs out
5190 of memory. [RT #14995]
5192 1890. [func] Raise the UDP receive buffer size to 32k if it is
5193 less than 32k. [RT #14953]
5195 1889. [port] sunos: non blocking i/o support. [RT #14951]
5197 1888. [func] Support for IPSECKEY rdata type. [RT #14967]
5199 1887. [bug] The cache could delete expired records too fast for
5200 clients with a virtual time in the past. [RT #14991]
5202 1886. [bug] fctx_create() could return success even though it
5205 1885. [func] dig: report the number of extra bytes still left in
5206 the packet after processing all the records.
5208 1884. [cleanup] dighost.c: move external declarations into <dig/dig.h>.
5210 1883. [bug] dnssec-signzone, dnssec-keygen: handle negative debug
5213 1882. [func] Limit the number of recursive clients that can be
5214 waiting for a single query (<qname,qtype,qclass>) to
5215 resolve. New options clients-per-query and
5216 max-clients-per-query.
5218 1881. [func] Add a system test for named-checkconf. [RT #14931]
5220 1880. [func] The lame cache is now done on a <qname,qclass,qtype>
5221 basis as some servers only appear to be lame for
5222 certain query types. [RT #14916]
5224 1879. [func] "USE INTERNAL MALLOC" is now runtime selectable.
5227 1878. [func] Detect duplicates of UDP queries we are recursing on
5228 and drop them. New stats category "duplicate".
5231 1877. [bug] Fix unreasonably low quantum on call to
5232 dns_rbt_destroy2(). Remove unnecessary unhash_node()
5235 1876. [func] Additional memory debugging support to track size
5236 and mctx arguments. [RT #14814]
5238 1875. [bug] process_dhtkey() was using the wrong memory context
5239 to free some memory. [RT #14890]
5241 1874. [port] sunos: portability fixes. [RT #14814]
5243 1873. [port] win32: isc__errno2result() now reports its caller.
5246 1872. [port] win32: Handle ERROR_NETNAME_DELETED. [RT #13753]
5250 1870. [func] Added framework for handling multiple EDNS versions.
5253 1869. [func] dig can now specify the EDNS version when making
5254 a query. [RT #14873]
5256 1868. [func] edns-udp-size can now be overridden on a per
5257 server basis. [RT #14851]
5259 1867. [bug] It was possible to trigger a INSIST in
5260 dlv_validatezonekey(). [RT #14846]
5262 1866. [bug] resolv.conf parse errors were being ignored by
5263 dig/host/nslookup. [RT #14841]
5265 1865. [bug] Silently ignore nameservers in /etc/resolv.conf with
5266 bad addresses. [RT #14841]
5268 1864. [bug] Don't try the alternative transfer source if you
5269 got a answer / transfer with the main source
5270 address. [RT #14802]
5272 1863. [bug] rrset-order "fixed" error messages not complete.
5274 1862. [func] Add additional zone data constancy checks.
5275 named-checkzone has extended checking of NS, MX and
5276 SRV record and the hosts they reference.
5277 named has extended post zone load checks.
5278 New zone options: check-mx and integrity-check.
5281 1861. [bug] dig could trigger a INSIST on certain malformed
5282 responses. [RT #14801]
5284 1860. [port] solaris 2.8: hack_shutup_pthreadmutexinit was
5285 incorrectly set. [RT #14775]
5287 1859. [func] Add support for CH A record. [RT #14695]
5289 1858. [bug] The flush-zones-on-shutdown option wasn't being
5292 1857. [bug] named could trigger a INSIST() if reconfigured /
5293 reloaded too fast. [RT #14673]
5295 1856. [doc] Switch Docbook toolchain from DSSSL to XSL.
5298 1855. [bug] ixfr-from-differences was failing to detect changes
5299 of ttl due to dns_diff_subtract() was ignoring the ttl
5300 of records. [RT #14616]
5302 1854. [bug] lwres also needs to know the print format for
5303 (long long). [RT #13754]
5305 1853. [bug] Rework how DLV interacts with proveunsecure().
5308 1852. [cleanup] Remove last vestiges of dnssec-signkey and
5309 dnssec-makekeyset (removed from Makefile years ago).
5311 1851. [doc] Doxygen comment markup. [RT #11398]
5313 1850. [bug] Memory leak in lwres_getipnodebyaddr(). [RT #14591]
5315 1849. [doc] All forms of the man pages (docbook, man, html) should
5316 have consistent copyright dates.
5318 1848. [bug] Improve SMF integration. [RT #13238]
5320 1847. [bug] isc_ondestroy_init() is called too late in
5321 dns_rbtdb_create()/dns_rbtdb64_create().
5324 1846. [contrib] query-loc-0.3.0 from Stephane Bortzmeyer
5325 <bortzmeyer@nic.fr>.
5327 1845. [bug] Improve error reporting to distinguish between
5328 accept()/fcntl() and socket()/fcntl() errors.
5331 1844. [bug] inet_pton() accepted more that 4 hexadecimal digits
5332 for each 16 bit piece of the IPv6 address. The text
5333 representation of a IPv6 address has been tightened
5334 to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt).
5337 1843. [cleanup] CINCLUDES takes precedence over CFLAGS. This helps
5338 when CFLAGS contains "-I /usr/local/include"
5339 resulting in old header files being used.
5341 1842. [port] cmsg_len() could produce incorrect results on
5342 some platform. [RT #13744]
5344 1841. [bug] "dig +nssearch" now makes a recursive query to
5345 find the list of nameservers to query. [RT #13694]
5347 1840. [func] dnssec-signzone can now randomize signature end times
5348 (dnssec-signzone -j jitter). [RT #13609]
5350 1839. [bug] <isc/hash.h> was not being installed.
5352 1838. [cleanup] Don't allow Linux capabilities to be inherited.
5355 1837. [bug] Compile time option ISC_FACILITY was not effective
5356 for 'named -u <user>'. [RT #13714]
5358 1836. [cleanup] Silence compiler warnings in hash_test.c.
5360 1835. [bug] Update dnssec-signzone's usage message. [RT #13657]
5362 1834. [bug] Bad memset in rdata_test.c. [RT #13658]
5364 1833. [bug] Race condition in isc_mutex_lock_profile(). [RT #13660]
5366 1832. [bug] named fails to return BADKEY on unknown TSIG algorithm.
5369 1831. [doc] Update named-checkzone documentation. [RT#13604]
5371 1830. [bug] adb lame cache has sence of test reversed. [RT #13600]
5373 1829. [bug] win32: "pid-file none;" broken. [RT #13563]
5375 1828. [bug] isc_rwlock_init() failed to properly cleanup if it
5376 encountered a error. [RT #13549]
5378 1827. [bug] host: update usage message for '-a'. [RT #37116]
5380 1826. [bug] Missing DESTROYLOCK() in isc_mem_createx() on out
5381 of memory error. [RT #13537]
5383 1825. [bug] Missing UNLOCK() on out of memory error from in
5384 rbtdb.c:subtractrdataset(). [RT #13519]
5386 1824. [bug] Memory leak on dns_zone_setdbtype() failure.
5389 1823. [bug] Wrong macro used to check for point to point interface.
5392 1822. [bug] check-names test for RT was reversed. [RT #13382]
5396 1820. [bug] Gracefully handle acl loops. [RT #13659]
5398 1819. [bug] The validator needed to check both the algorithm and
5399 digest types of the DS to determine if it could be
5400 used to introduce a secure zone. [RT #13593]
5402 1818. [bug] 'named-checkconf -z' triggered an INSIST. [RT #13599]
5404 1817. [func] Add support for additional zone file formats for
5405 improving loading performance. The masterfile-format
5406 option in named.conf can be used to specify a
5407 non-default format. A separate command
5408 named-compilezone was provided to generate zone files
5409 in the new format. Additionally, the -I and -O options
5410 for dnssec-signzone specify the input and output
5413 1816. [port] UnixWare: failed to compile lib/isc/unix/net.c.
5416 1815. [bug] nsupdate triggered a REQUIRE if the server was set
5417 without also setting the zone and it encountered
5418 a CNAME and was using TSIG. [RT #13086]
5420 1814. [func] UNIX domain controls are now supported.
5422 1813. [func] Restructured the data locking framework using
5423 architecture dependent atomic operations (when
5424 available), improving response performance on
5425 multi-processor machines significantly.
5426 x86, x86_64, alpha, powerpc, and mips are currently
5429 1812. [port] win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect.
5432 1811. [func] Preserve the case of domain names in rdata during
5433 zone transfers. [RT #13547]
5435 1810. [bug] configure, lib/bind/configure make different default
5436 decisions about whether to do a threaded build.
5439 1809. [bug] "make distclean" failed for libbind if the platform
5442 1808. [bug] zone.c:notify_zone() contained a race condition,
5443 zone->db could change underneath it. [RT #13511]
5445 1807. [bug] When forwarding (forward only) set the active domain
5446 from the forward zone name. [RT #13526]
5448 1806. [bug] The resolver returned the wrong result when a CNAME /
5449 DNAME was encountered when fetching glue from a
5450 secure namespace. [RT #13501]
5452 1805. [bug] Pending status was not being cleared when DLV was
5455 1804. [bug] Ensure that if we are queried for glue that it fits
5456 in the additional section or TC is set to tell the
5457 client to retry using TCP. [RT #10114]
5459 1803. [bug] dnssec-signzone sometimes failed to remove old
5462 1802. [bug] Handle connection resets better. [RT #11280]
5464 1801. [func] Report differences between hints and real NS rrset
5465 and associated address records.
5467 1800. [bug] Changes #1719 allowed a INSIST to be triggered.
5470 1799. [bug] 'rndc flushname' failed to flush negative cache
5471 entries. [RT #13438]
5473 1798. [func] The server syntax has been extended to support a
5474 range of servers. [RT #11132]
5476 1797. [func] named-checkconf now check acls to verify that they
5477 only refer to existing acls. [RT #13101]
5479 1796. [func] "rndc freeze/thaw" now freezes/thaws all zones.
5481 1795. [bug] "rndc dumpdb" was not fully documented. Minor
5482 formating issues with "rndc dumpdb -all". [RT #13396]
5484 1794. [func] Named and named-checkzone can now both check for
5485 non-terminal wildcard records.
5487 1793. [func] Extend adjusting TTL warning messages. [RT #13378]
5489 1792. [func] New zone option "notify-delay". Specify a minimum
5490 delay between sets of NOTIFY messages.
5492 1791. [bug] 'host -t a' still printed out AAAA and MX records.
5495 1790. [cleanup] Move lib/dns/sec/dst up into lib/dns. This should
5496 allow parallel make to succeed.
5498 1789. [bug] Prerequisite test for tkey and dnssec could fail
5499 with "configure --with-libtool".
5501 1788. [bug] libbind9.la/libbind9.so needs to link against
5502 libisccfg.la/libisccfg.so.
5504 1787. [port] HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings.
5506 1786. [port] AIX: libt_api needs to be taught to look for
5507 T_testlist in the main executable (--with-libtool).
5510 1785. [bug] libbind9.la/libbind9.so needs to link against
5511 libisc.la/libisc.so.
5513 1784. [cleanup] "libtool -allow-undefined" is the default.
5514 Leave hooks in configure to allow it to be set
5515 if needed in the future.
5517 1783. [cleanup] We only need one copy of libtool.m4, ltmain.sh in the
5520 1782. [port] OSX: --with-libtool + --enable-libbind broke on
5521 __evOptMonoTime. [RT #13219]
5523 1781. [port] FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810]
5525 1780. [bug] Update libtool to 1.5.10.
5527 1779. [port] OSF 5.1: libtool didn't handle -pthread correctly.
5529 1778. [port] HUX 11.11: fix broken IN6ADDR_ANY_INIT and
5530 IN6ADDR_LOOPBACK_INIT macros.
5532 1777. [port] OSF 5.1: fix broken IN6ADDR_ANY_INIT and
5533 IN6ADDR_LOOPBACK_INIT macros.
5535 1776. [port] Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
5536 IN6ADDR_LOOPBACK_INIT macros.
5538 1775. [bug] Only compile getnetent_r.c when threaded. [RT #13205]
5540 1774. [port] Aix: Silence compiler warnings / build failures.
5543 1773. [bug] Fast retry on host / net unreachable. [RT #13153]
5549 1770. [bug] named-checkconf failed to report missing a missing
5550 file clause for rbt{64} master/hint zones. [RT#13009]
5552 1769. [port] win32: change compiler flags /MTd ==> /MDd,
5555 1768. [bug] nsecnoexistnodata() could be called with a non-NSEC
5556 rdataset. [RT #12907]
5558 1767. [port] Builds on IPv6 platforms without IPv6 Advanced API
5559 support for (struct in6_pktinfo) failed. [RT #13077]
5561 1766. [bug] Update the master file timestamp on successful refresh
5562 as well as the journal's timestamp. [RT# 13062]
5564 1765. [bug] configure --with-openssl=auto failed. [RT #12937]
5566 1764. [bug] dns_zone_replacedb failed to emit a error message
5567 if there was no SOA record in the replacement db.
5570 1763. [func] Perform sanity checks on NS records which refer to
5571 'in zone' names. [RT #13002]
5573 1762. [bug] isc_interfaceiter_create() could return ISC_R_SUCCESS
5574 even when it failed. [RT #12995]
5576 1761. [bug] 'rndc dumpdb' didn't report unassociated entries.
5579 1760. [bug] Host / net unreachable was not penalising rtt
5580 estimates. [RT #12970]
5582 1759. [bug] Named failed to startup if the OS supported IPv6
5583 but had no IPv6 interfaces configured. [RT #12942]
5585 1758. [func] Don't send notify messages to self. [RT #12933]
5587 1757. [func] host now can turn on memory debugging flags with '-m'.
5589 1756. [func] named-checkconf now checks the logging configuration.
5592 1755. [func] allow-update is now settable at the options / view
5595 1754. [bug] We weren't always attempting to query the parent
5596 server for the DS records at the zone cut.
5599 1753. [bug] Don't serve a slave zone which has no NS records.
5602 1752. [port] Move isc_app_start() to after ns_os_daemonise()
5603 as some fork() implementations unblock the signals
5604 that are blocked by isc_app_start(). [RT #12810]
5606 1751. [bug] --enable-getifaddrs failed under linux. [RT #12867]
5608 1750. [port] lib/bind/make/rules.in:subdirs was not bash friendly.
5611 1749. [bug] 'check-names response ignore;' failed to ignore.
5614 1748. [func] dig now returns the byte count for axfr/ixfr.
5616 1747. [bug] BIND 8 compatibility: named/named-checkconf failed
5617 to parse "host-statistics-max" in named.conf.
5619 1746. [func] Make public the function to read a key file,
5620 dst_key_read_public(). [RT #12450]
5622 1745. [bug] Dig/host/nslookup accept replies from link locals
5623 regardless of scope if no scope was specified when
5624 query was sent. [RT #12745]
5626 1744. [bug] If tuple2msgname() failed to convert a tuple to
5627 a name a REQUIRE could be triggered. [RT #12796]
5629 1743. [bug] If isc_taskmgr_create() was not able to create the
5630 requested number of worker threads then destruction
5631 of the manager would trigger an INSIST() failure.
5634 1742. [bug] Deleting all records at a node then adding a
5635 previously existing record, in a single UPDATE
5636 transaction, failed to leave / regenerate the
5637 associated RRSIG records. [RT #12788]
5639 1741. [bug] Deleting all records at a node in a secure zone
5640 using a update-policy grant failed. [RT #12787]
5642 1740. [bug] Replace rbt's hash algorithm as it performed badly
5643 with certain zones. [RT #12729]
5645 NOTE: a hash context now needs to be established
5646 via isc_hash_create() if the application was not
5649 1739. [bug] dns_rbt_deletetree() could incorrectly return
5650 ISC_R_QUOTA. [RT #12695]
5652 1738. [bug] Enable overrun checking by default. [RT #12695]
5654 1737. [bug] named failed if more than 16 masters were specified.
5657 1736. [bug] dst_key_fromnamedfile() could fail to read a
5658 public key. [RT #12687]
5660 1735. [bug] 'dig +sigtrace' could die with a REQUIRE failure.
5663 1734. [cleanup] 'rndc-confgen -a -t' remove extra '/' in path.
5666 1733. [bug] Return non-zero exit status on initial load failure.
5669 1732. [bug] 'rrset-order name "*"' wasn't being applied to ".".
5672 1731. [port] darwin: relax version test in ifconfig.sh.
5675 1730. [port] Determine the length type used by the socket API.
5678 1729. [func] Improve check-names error messages.
5680 1728. [doc] Update check-names documentation.
5682 1727. [bug] named-checkzone: check-names support didn't match
5685 1726. [port] aix5: add support for aix5.
5687 1725. [port] linux: update error message on interaction of threads,
5688 capabilities and setuid support (named -u). [RT #12541]
5690 1724. [bug] Look for DNSKEY records with "dig +sigtrace".
5693 1723. [cleanup] Silence compiler warnings from t_tasks.c. [RT #12493]
5695 1722. [bug] Don't commit the journal on malformed ixfr streams.
5698 1721. [bug] Error message from the journal processing were not
5699 always identifying the relevant journal. [RT #12519]
5701 1720. [bug] 'dig +chase' did not terminate on a RFC 2308 Type 1
5702 negative response. [RT #12506]
5704 1719. [bug] named was not correctly caching a RFC 2308 Type 1
5705 negative response. [RT #12506]
5707 1718. [bug] nsupdate was not handling RFC 2308 Type 3 negative
5708 responses when looking for the zone / master server.
5711 1717. [port] solaris: ifconfig.sh did not support Solaris 10.
5712 "ifconfig.sh down" didn't work for Solaris 9.
5714 1716. [doc] named.conf(5) was being installed in the wrong
5715 location. [RT# 12441]
5717 1715. [func] 'dig +trace' now randomly selects the next servers
5718 to try. Report if there is a bad delegation.
5720 1714. [bug] dig/host/nslookup were only trying the first
5721 address when a nameserver was specified by name.
5724 1713. [port] linux: extend capset failure message to say:
5725 please ensure that the capset kernel module is
5726 loaded. see insmod(8)
5728 1712. [bug] Missing FULLCHECK for "trusted-key" in dig.
5730 1711. [func] 'rndc unfreeze' has been deprecated by 'rndc thaw'.
5732 1710. [func] 'rndc notify zone [class [view]]' resend the NOTIFY
5733 messages for the specified zone. [RT #9479]
5735 1709. [port] solaris: add SMF support from Sun.
5737 1708. [cleanup] Replaced dns_fullname_hash() with dns_name_fullhash()
5738 for conformance to the name space convention. Binary
5739 backward compatibility to the old function name is
5740 provided. [RT #12376]
5742 1707. [contrib] sdb/ldap updated to version 1.0-beta.
5744 1706. [bug] 'rndc stop' failed to cause zones to be flushed
5745 sometimes. [RT #12328]
5747 1705. [func] Allow the journal's name to be changed via named.conf.
5749 1704. [port] lwres needed a snprintf() implementation for
5750 platforms without snprintf(). Add missing
5751 "#include <isc/print.h>". [RT #12321]
5753 1703. [bug] named would loop sending NOTIFY messages when it
5754 failed to receive a response. [RT #12322]
5756 1702. [bug] also-notify should not be applied to built in zones.
5759 1701. [doc] A minimal named.conf man page.
5761 1700. [func] nslookup is no longer to be treated as deprecated.
5762 Remove "deprecated" warning message. Add man page.
5764 1699. [bug] dnssec-signzone can generate "not exact" errors
5765 when resigning. [RT #12281]
5767 1698. [doc] Use reserved IPv6 documentation prefix.
5769 1697. [bug] xxx-source{,-v6} was not effective when it
5770 specified one of listening addresses and a
5771 different port than the listening port. [RT #12257]
5773 1696. [bug] dnssec-signzone failed to clean out nodes that
5774 consisted of only NSEC and RRSIG records.
5777 1695. [bug] DS records when forwarding require special handling.
5780 1694. [bug] Report if the builtin views of "_default" / "_bind"
5781 are defined in named.conf. [RT #12023]
5783 1693. [bug] max-journal-size was not effective for master zones
5784 with ixfr-from-differences set. [RT# 12024]
5786 1692. [bug] Don't set -I, -L and -R flags when libcrypto is in
5787 /usr/lib. [RT #11971]
5789 1691. [bug] sdb's attachversion was not complete. [RT #11990]
5791 1690. [bug] Delay detaching view from the client until UPDATE
5792 processing completes when shutting down. [RT #11714]
5794 1689. [bug] DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros
5795 contained gratuitous semicolons. [RT #11707]
5797 1688. [bug] LDFLAGS was not supported.
5799 1687. [bug] Race condition in dispatch. [RT #10272]
5801 1686. [bug] Named sent a extraneous NOTIFY when it received a
5802 redundant UPDATE request. [RT #11943]
5804 1685. [bug] Change #1679 loop tests weren't quite right.
5806 1684. [func] ixfr-from-differences now takes master and slave in
5807 addition to yes and no at the options and view levels.
5809 1683. [bug] dig +sigchase could leak memory. [RT #11445]
5811 1682. [port] Update configure test for (long long) printf format.
5814 1681. [bug] Only set SO_REUSEADDR when a port is specified in
5815 isc_socket_bind(). [RT #11742]
5817 1680. [func] rndc: the source address can now be specified.
5819 1679. [bug] When there was a single nameserver with multiple
5820 addresses for a zone not all addresses were tried.
5823 1678. [bug] RRSIG should use TYPEXXXXX for unknown types.
5825 1677. [bug] dig: +aaonly didn't work, +aaflag undocumented.
5827 1676. [func] New option "allow-query-cache". This lets
5828 allow-query be used to specify the default zone
5829 access level rather than having to have every
5830 zone override the global value. allow-query-cache
5831 can be set at both the options and view levels.
5832 If allow-query-cache is not set allow-query applies.
5834 1675. [bug] named would sometimes add extra NSEC records to
5835 the authority section.
5837 1674. [port] linux: increase buffer size used to scan
5840 1673. [port] linux: issue a error messages if IPv6 interface
5843 1672. [cleanup] Tests which only function in a threaded build
5844 now return R:THREADONLY (rather than R:UNTESTED)
5845 in a non-threaded build.
5847 1671. [contrib] queryperf: add NAPTR to the list of known types.
5849 1670. [func] Log UPDATE requests to slave zones without an acl as
5850 "disabled" at debug level 3. [RT# 11657]
5854 1668. [bug] DIG_SIGCHASE was making bin/dig/host dump core.
5856 1667. [port] linux: not all versions have IF_NAMESIZE.
5858 1666. [bug] The optional port on hostnames in dual-stack-servers
5861 1665. [func] rndc now allows addresses to be set in the
5864 1664. [bug] nsupdate needed KEY for SIG(0), not DNSKEY.
5866 1663. [func] Look for OpenSSL by default.
5868 1662. [bug] Change #1658 failed to change one use of 'type'
5871 1661. [bug] Restore dns_name_concatenate() call in
5872 adb.c:set_target(). [RT #11582]
5874 1660. [bug] win32: connection_reset_fix() was being called
5875 unconditionally. [RT #11595]
5877 1659. [cleanup] Cleanup some messages that were referring to KEY vs
5878 DNSKEY, NXT vs NSEC and SIG vs RRSIG.
5880 1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5
5881 and DH. Tighten which options apply to KEY and
5884 1657. [doc] ARM: document query log output.
5886 1656. [doc] Update DNSSEC description in ARM to cover DS, NSEC
5887 DNSKEY and RRSIG. [RT #11542]
5889 1655. [bug] Logging multiple versions w/o a size was broken.
5892 1654. [bug] isc_result_totext() contained array bounds read
5895 1653. [func] Add key type checking to dst_key_fromfilename(),
5896 DST_TYPE_KEY should be used to read TSIG, TKEY and
5899 1652. [bug] TKEY still uses KEY.
5901 1651. [bug] dig: process multiple dash options.
5903 1650. [bug] dig, nslookup: flush standard out after each command.
5905 1649. [bug] Silence "unexpected non-minimal diff" message.
5908 1648. [func] Update dnssec-lookaside named.conf syntax to support
5909 multiple dnssec-lookaside namespaces (not yet
5912 1647. [bug] It was possible trigger a INSIST when chasing a DS
5913 record that required walking back over a empty node.
5916 1646. [bug] win32: logging file versions didn't work with
5917 non-UNC filenames. [RT#11486]
5919 1645. [bug] named could trigger a REQUIRE failure if multiple
5920 masters with keys are specified.
5922 1644. [bug] Update the journal modification time after a
5923 successful refresh query. [RT #11436]
5925 1643. [bug] dns_db_closeversion() could leak memory / node
5926 references. [RT #11163]
5928 1642. [port] Support OpenSSL implementations which don't have
5929 DSA support. [RT #11360]
5931 1641. [bug] Update the check-names description in ARM. [RT #11389]
5933 1640. [bug] win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was
5934 incorrectly closing the socket. [RT #11291]
5936 1639. [func] Initial dlv system test.
5938 1638. [bug] "ixfr-from-differences" could generate a REQUIRE
5939 failure if the journal open failed. [RT #11347]
5941 1637. [bug] Node reference leak on error in addnoqname().
5943 1636. [bug] The dump done callback could get ISC_R_SUCCESS even if
5944 a error had occurred. The database version no longer
5945 matched the version of the database that was dumped.
5947 1635. [bug] Memory leak on error in query_addds().
5949 1634. [bug] named didn't supply a useful error message when it
5950 detected duplicate views. [RT #11208]
5952 1633. [bug] named should return NOTIMP to update requests to a
5953 slaves without a allow-update-forwarding acl specified.
5956 1632. [bug] nsupdate failed to send prerequisite only UPDATE
5957 messages. [RT #11288]
5959 1631. [bug] dns_journal_compact() could sometimes corrupt the
5960 journal. [RT #11124]
5962 1630. [contrib] queryperf: add support for IPv6 transport.
5964 1629. [func] dig now supports IPv6 scoped addresses with the
5965 extended format in the local-server part. [RT #8753]
5967 1628. [bug] Typo in Compaq Trucluster support. [RT# 11264]
5969 1627. [bug] win32: sockets were not being closed when the
5970 last external reference was removed. [RT# 11179]
5972 1626. [bug] --enable-getifaddrs was broken. [RT#11259]
5974 1625. [bug] named failed to load/transfer RFC2535 signed zones
5975 which contained CNAMES. [RT# 11237]
5977 1624. [bug] zonemgr_putio() call should be locked. [RT# 11163]
5979 1623. [bug] A serial number of zero was being displayed in the
5980 "sending notifies" log message when also-notify was
5983 1622. [func] probe the system to see if IPV6_(RECV)PKTINFO is
5984 available, and suppress wildcard binding if not.
5986 1621. [bug] match-destinations did not work for IPv6 TCP queries.
5989 1620. [func] When loading a zone report if it is signed. [RT #11149]
5991 1619. [bug] Missing ISC_LIST_UNLINK in end_reserved_dispatches().
5994 1618. [bug] Fencepost errors in dns_name_ishostname() and
5995 dns_name_ismailbox() could trigger a INSIST().
5997 1617. [port] win32: VC++ 6.0 support.
5999 1616. [compat] Ensure that named's version is visible in the core
6002 1615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if
6005 1614. [port] win32: silence resource limit messages. [RT# 11101]
6007 1613. [bug] Builds would fail on machines w/o a if_nametoindex().
6008 Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif.
6011 1612. [bug] check-names at the option/view level could trigger
6012 an INSIST. [RT# 11116]
6014 1611. [bug] solaris: IPv6 interface scanning failed to cope with
6015 no active IPv6 interfaces.
6017 1610. [bug] On dual stack machines "dig -b" failed to set the
6018 address type to be looked up with "@server".
6021 1609. [func] dig now has support to chase DNSSEC signature chains.
6022 Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES.
6024 DNSSEC validation code in dig coded by Olivier Courtay
6025 (olivier.courtay@irisa.fr) for the IDsA project
6026 (http://idsa.irisa.fr).
6028 1608. [func] dig and host now accept -4/-6 to select IP transport
6029 to use when making queries.
6031 1607. [bug] dig, host and nslookup were still using random()
6032 to generate query ids. [RT# 11013]
6034 1606. [bug] DLV insecurity proof was failing.
6036 1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC.
6038 1604. [bug] A xfrout_ctx_create() failure would result in
6039 xfrout_ctx_destroy() being called with a
6040 partially initialized structure.
6042 1603. [bug] nsupdate: set interactive based on isatty().
6045 1602. [bug] Logging to a file failed unless a size was specified.
6048 1601. [bug] Silence spurious warning 'both "recursion no;" and
6049 "allow-recursion" active' warning from view "_bind".
6052 1600. [bug] Duplicate zone pre-load checks were not case
6055 1599. [bug] Fix memory leak on error path when checking named.conf.
6057 1598. [func] Specify that certain parts of the namespace must
6058 be secure (dnssec-must-be-secure).
6060 1597. [func] Allow notify-source and query-source to be specified
6061 on a per server basis similar to transfer-source.
6064 1596. [func] Accept 'notify-source' style syntax for query-source.
6066 1595. [func] New notify type 'master-only'. Enable notify for
6069 1594. [bug] 'rndc dumpdb' could prevent named from answering
6070 queries while the dump was in progress. [RT #10565]
6072 1593. [bug] rndc should return "unknown command" to unknown
6073 commands. [RT# 10642]
6075 1592. [bug] configure_view() could leak a dispatch. [RT# 10675]
6077 1591. [bug] libbind: updated to BIND 8.4.5.
6079 1590. [port] netbsd: update thread support.
6081 1589. [func] DNSSEC lookaside validation.
6083 1588. [bug] win32: TCP sockets could become blocked. [RT #10115]
6085 1587. [bug] dns_message_settsigkey() failed to clear existing key.
6088 1586. [func] "check-names" is now implemented.
6092 1584. [bug] "make test" failed with a read only source tree.
6095 1583. [bug] Records add via UPDATE failed to get the correct trust
6098 1582. [bug] rrset-order failed to work on RRsets with more
6099 than 32 elements. [RT #10381]
6101 1581. [func] Disable DNSSEC support by default. To enable
6102 DNSSEC specify "dnssec-enable yes;" in named.conf.
6104 1580. [bug] Zone destruction on final detach takes a long time.
6107 1579. [bug] Multiple task managers could not be created.
6109 1578. [bug] Don't use CLASS E IPv4 addresses when resolving.
6112 1577. [bug] Use isc_uint32_t in ultrasparc optimizer bug
6113 workaround code. [RT #10331]
6115 1576. [bug] Race condition in dns_dispatch_addresponse().
6118 1575. [func] Log TSIG name on TSIG verify failure. [RT #4404]
6120 1574. [bug] Don't attempt to open the controls socket(s) when
6121 running tests. [RT #9091]
6123 1573. [port] linux: update to libtool 1.5.2 so that
6124 "make install DESTDIR=/xx" works with
6125 "configure --with-libtool". [RT #9941]
6127 1572. [bug] nsupdate: sign the soa query to find the enclosing
6128 zone if the server is specified. [RT #10148]
6130 1571. [bug] rbt:hash_node() could fail leaving the hash table
6131 in an inconsistent state. [RT #10208]
6133 1570. [bug] nsupdate failed to handle classes other than IN.
6134 New keyword 'class' which sets the default class.
6137 1569. [func] nsupdate new command 'answer' which displays the
6138 complete answer message to the last update.
6140 1568. [bug] nsupdate now reports that the update failed in
6141 interactive mode. [RT# 10236]
6143 1567. [maint] B.ROOT-SERVERS.NET is now 192.228.79.201.
6145 1566. [port] Support for the cmsg framework on Solaris and HP/UX.
6146 This also solved the problem that match-destinations
6147 for IPv6 addresses did not work on these systems.
6150 1565. [bug] CD flag should be copied to outgoing queries unless
6151 the query is under a secure entry point in which case
6154 1564. [func] Attempt to provide a fallback entropy source to be
6155 used if named is running chrooted and named is unable
6156 to open entropy source within the chroot area.
6159 1563. [bug] Gracefully fail when unable to obtain neither an IPv4
6160 nor an IPv6 dispatch. [RT #10230]
6162 1562. [bug] isc_socket_create() and isc_socket_accept() could
6163 leak memory under error conditions. [RT #10230]
6165 1561. [bug] It was possible to release the same name twice if
6166 named ran out of memory. [RT #10197]
6168 1560. [port] FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA
6169 and EAI_NONAME to the same value.
6171 1559. [port] named should ignore SIGFSZ.
6173 1558. [func] New DNSSEC 'disable-algorithms'. Support entry into
6174 child zones for which we don't have a supported
6175 algorithm. Such child zones are treated as unsigned.
6177 1557. [func] Implement missing DNSSEC tests for
6178 * NOQNAME proof with wildcard answers.
6179 * NOWILDARD proof with NXDOMAIN.
6180 Cache and return NOQNAME with wildcard answers.
6182 1556. [bug] nsupdate now treats all names as fully qualified.
6185 1555. [func] 'rrset-order cyclic' no longer has a random starting
6186 point per query. [RT #7572]
6188 1554. [bug] dig, host, nslookup failed when no nameservers
6189 were specified in /etc/resolv.conf. [RT #8232]
6191 1553. [bug] The windows socket code could stop accepting
6192 connections. [RT#10115]
6194 1552. [bug] Accept NOTIFY requests from mapped masters if
6195 matched-mapped is set. [RT #10049]
6197 1551. [port] Open "/dev/null" before calling chroot().
6199 1550. [port] Call tzset(), if available, before calling chroot().
6201 1549. [func] named-checkzone can now write out the zone contents
6202 in a easily parsable format (-D and -o).
6204 1548. [bug] When parsing APL records it was possible to silently
6205 accept out of range ADDRESSFAMILY values. [RT# 9979]
6207 1547. [bug] Named wasted memory recording duplicate lame zone
6210 1546. [bug] We were rejecting valid secure CNAME to negative
6213 1545. [bug] It was possible to leak memory if named was unable to
6214 bind to the specified transfer source and TSIG was
6215 being used. [RT #10120]
6217 1544. [bug] Named would logged a single entry to a file despite it
6218 being over the specified size limit.
6220 1543. [bug] Logging using "versions unlimited" did not work.
6224 1541. [func] NSEC now uses new bitmap format.
6226 1540. [bug] "rndc reload <dynamiczone>" was silently accepted.
6229 1539. [bug] Open UDP sockets for notify-source and transfer-source
6230 that use reserved ports at startup. [RT #9475]
6232 1538. [placeholder] rt9997
6234 1537. [func] New option "querylog". If set specify whether query
6235 logging is to be enabled or disabled at startup.
6237 1536. [bug] Windows socket code failed to log a error description
6238 when returning ISC_R_UNEXPECTED. [RT #9998]
6242 1534. [bug] Race condition when priming cache. [RT# 9940]
6244 1533. [func] Warn if both "recursion no;" and "allow-recursion"
6245 are active. [RT# 4389]
6247 1532. [port] netbsd: the configure test for <sys/sysctl.h>
6248 requires <sys/param.h>.
6250 1531. [port] AIX more libtool fixes.
6252 1530. [bug] It was possible to trigger a INSIST() failure if a
6253 slave master file was removed at just the correct
6256 1529. [bug] "notify explicit;" failed to log that NOTIFY messages
6257 were being sent for the zone. [RT# 9442]
6259 1528. [cleanup] Simplify some dns_name_ functions based on the
6260 deprecation of bitstring labels.
6262 1527. [cleanup] Reduce the number of gettimeofday() calls without
6263 losing necessary timer granularity.
6265 1526. [func] Implemented "additional section caching (or acache)",
6266 an internal cache framework for additional section
6267 content to improve response performance. Several
6268 configuration options were provided to control the
6271 1525. [bug] dns_cache_create() could trigger a REQUIRE
6272 failure in isc_mem_put() during error cleanup.
6275 1524. [port] AIX needs to be able to resolve all symbols when
6276 creating shared libraries (--with-libtool).
6278 1523. [bug] Fix race condition in rbtdb. [RT# 9189]
6280 1522. [bug] dns_db_findnode() relax the requirements on 'name'.
6283 1521. [bug] dns_view_createresolver() failed to check the
6284 result from isc_mem_create(). [RT# 9294]
6286 1520. [protocol] Add SSHFP (SSH Finger Print) type.
6288 1519. [bug] dnssec-signzone:nsec_setbit() computed the wrong
6289 length of the new bitmap.
6291 1518. [bug] dns_nsec_buildrdata(), and hence dns_nsec_build(),
6292 contained a off-by-one error when working out the
6293 number of octets in the bitmap.
6295 1517. [port] Support for IPv6 interface scanning on HP/UX and
6298 1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
6300 1515. [func] Allow transfer source to be set in a server statement.
6303 1514. [bug] named: isc_hash_destroy() was being called too early.
6306 1513. [doc] Add "US" to root-delegation-only exclude list.
6308 1512. [bug] Extend the delegation-only logging to return query
6309 type, class and responding nameserver.
6311 1511. [bug] delegation-only was generating false positives
6312 on negative answers from sub-zones.
6314 1510. [func] New view option "root-delegation-only". Apply
6315 delegation-only check to all TLDs and root.
6316 Note there are some TLDs that are NOT delegation
6317 only (e.g. DE, LV, US and MUSEUM) these can be excluded
6318 from the checks by using exclude.
6320 root-delegation-only exclude {
6321 "DE"; "LV"; "US"; "MUSEUM";
6324 1509. [bug] Hint zones should accept delegation-only. Forward
6325 zone should not accept delegation-only.
6327 1508. [bug] Don't apply delegation-only checks to answers from
6330 1507. [bug] Handle BIND 8 style returns to NS queries to parents
6331 when making delegation-only checks.
6333 1506. [bug] Wrong return type for dns_view_isdelegationonly().
6335 1505. [bug] Uninitialized rdataset in sdb. [RT #8750]
6337 1504. [func] New zone type "delegation-only".
6339 1503. [port] win32: install libeay32.dll outside of system32.
6341 1502. [bug] nsupdate: adjust timeouts for UPDATE requests over TCP.
6343 1501. [func] Allow TCP queue length to be specified via
6344 named.conf, tcp-listen-queue.
6346 1500. [bug] host failed to lookup MX records. Also look up
6349 1499. [bug] isc_random need to be seeded better if arc4random()
6352 1498. [port] bsdos: 5.x support.
6356 1496. [port] test for pthread_attr_setstacksize().
6358 1495. [cleanup] Replace hash functions with universal hash.
6360 1494. [security] Turn on RSA BLINDING as a precaution.
6364 1492. [cleanup] Preserve rwlock quota context when upgrading /
6365 downgrading. [RT #5599]
6367 1491. [bug] dns_master_dump*() would produce extraneous $ORIGIN
6370 1490. [bug] Accept reading state as well as working state in
6371 ns_client_next(). [RT #6813]
6373 1489. [compat] Treat 'allow-update' on slave zones as a warning.
6376 1488. [bug] Don't override trust levels for glue addresses.
6379 1487. [bug] A REQUIRE() failure could be triggered if a zone was
6380 queued for transfer and the zone was then removed.
6383 1486. [bug] isc_print_snprintf() '%%' consumed one too many format
6384 characters. [RT# 8230]
6386 1485. [bug] gen failed to handle high type values. [RT #6225]
6388 1484. [bug] The number of records reported after a AXFR was wrong.
6391 1483. [bug] dig axfr failed if the message id in the answer failed
6392 to match that in the request. Only the id in the first
6393 message is required to match. [RT #8138]
6395 1482. [bug] named could fail to start if the kernel supports
6396 IPv6 but no interfaces are configured. Similarly
6397 for IPv4. [RT #6229]
6399 1481. [bug] Refresh and stub queries failed to use masters keys
6400 if specified. [RT #7391]
6402 1480. [bug] Provide replay protection for rndc commands. Full
6403 replay protection requires both rndc and named to
6404 be updated. Partial replay protection (limited
6405 exposure after restart) is provided if just named
6408 1479. [bug] cfg_create_tuple() failed to handle out of
6409 memory cleanup. parse_list() would leak memory
6412 1478. [port] ifconfig.sh didn't account for other virtual
6413 interfaces. It now takes a optional argument
6414 to specify the first interface number. [RT #3907]
6416 1477. [bug] memory leak using stub zones and TSIG.
6420 1475. [port] Probe for old sprintf().
6422 1474. [port] Provide strtoul() and memmove() for platforms
6425 1473. [bug] create_map() and create_string() failed to handle out
6426 of memory cleanup. [RT #6813]
6428 1472. [contrib] idnkit-1.0 from JPNIC, replaces mdnkit.
6430 1471. [bug] libbind: updated to BIND 8.4.0.
6432 1470. [bug] Incorrect length passed to snprintf. [RT #5966]
6434 1469. [func] Log end of outgoing zone transfer at same level
6435 as the start of transfer is logged. [RT #4441]
6437 1468. [func] Internal zones are no longer counted for
6438 'rndc status'. [RT #4706]
6440 1467. [func] $GENERATES now supports optional class and ttl.
6442 1466. [bug] lwresd configuration errors resulted in memory
6443 and lock leaks. [RT #5228]
6445 1465. [bug] isc_base64_decodestring() and isc_base64_tobuffer()
6446 failed to check that trailing bits were zero allowing
6447 some invalid base64 strings to be accepted. [RT #5397]
6449 1464. [bug] Preserve "out of zone" data for outgoing zone
6450 transfers. [RT #5192]
6452 1463. [bug] dns_rdata_from{wire,struct}() failed to catch bad
6453 NXT bit maps. [RT #5577]
6455 1462. [bug] parse_sizeval() failed to check the token type.
6458 1461. [bug] Remove deadlock from rbtdb code. [RT #5599]
6460 1460. [bug] inet_pton() failed to reject certain malformed
6465 1458. [cleanup] sprintf() -> snprintf().
6467 1457. [port] Provide strlcat() and strlcpy() for platforms without
6470 1456. [contrib] gen-data-queryperf.py from Stephane Bortzmeyer.
6472 1455. [bug] <netaddr> missing from server grammar in
6473 doc/misc/options. [RT #5616]
6475 1454. [port] Use getifaddrs() if available for interface scanning.
6476 --disable-getifaddrs to override. Glibc currently
6477 has a getifaddrs() that does not support IPv6.
6478 Use --enable-getifaddrs=glibc to force the use of
6479 this version under linux machines.
6481 1453. [doc] ARM: $GENERATE example wasn't accurate. [RT #5298]
6485 1451. [bug] rndc-confgen didn't exit with a error code for all
6486 failures. [RT #5209]
6488 1450. [bug] Fetching expired glue failed under certain
6489 circumstances. [RT #5124]
6491 1449. [bug] query_addbestns() didn't handle running out of memory
6494 1448. [bug] Handle empty wildcards labels.
6496 1447. [bug] We were casting (unsigned int) to and from (void *).
6497 rdataset->private4 is now rdataset->privateuint4
6498 to reflect a type change.
6500 1446. [func] Implemented undocumented alternate transfer sources
6501 from BIND 8. See use-alt-transfer-source,
6502 alt-transfer-source and alt-transfer-source-v6.
6504 SECURITY: use-alt-transfer-source is ENABLED unless
6505 you are using views. This may cause a security risk
6506 resulting in accidental disclosure of wrong zone
6507 content if the master supplying different source
6508 content based on IP address. If you are not certain
6509 ISC recommends setting use-alt-transfer-source no;
6511 1445. [bug] DNS_ADBFIND_STARTATROOT broke stub zones. This has
6512 been replaced with DNS_ADBFIND_STARTATZONE which
6513 causes the search to start using the closest zone.
6515 1444. [func] dns_view_findzonecut2() allows you to specify if the
6516 cache should be searched for zone cuts.
6518 1443. [func] Masters lists can now be specified and referenced
6519 in zone masters clauses and other masters lists.
6521 1442. [func] New functions for manipulating port lists:
6522 dns_portlist_create(), dns_portlist_add(),
6523 dns_portlist_remove(), dns_portlist_match(),
6524 dns_portlist_attach() and dns_portlist_detach().
6526 1441. [func] It is now possible to tell dig to bind to a specific
6529 1440. [func] It is now possible to tell named to avoid using
6530 certain source ports (avoid-v4-udp-ports,
6531 avoid-v6-udp-ports).
6533 1439. [bug] Named could return NOERROR with certain NOTIFY
6534 failures. Return NOTAUTH if the NOTIFY zone is
6537 1438. [func] Log TSIG (if any) when logging NOTIFY requests.
6539 1437. [bug] Leave space for stdio to work in. [RT #5033]
6541 1436. [func] dns_zonemgr_resumexfrs() can be used to restart
6544 1435. [bug] zmgr_resume_xfrs() was being called read locked
6545 rather than write locked. zmgr_resume_xfrs()
6546 was not being called if the zone was being
6549 1434. [bug] "rndc reconfig" failed to initiate the initial
6550 zone transfer of new slave zones.
6552 1433. [bug] named could trigger a REQUIRE failure if it could
6553 not get a file descriptor when attempting to write
6554 a master file. [RT #4347]
6556 1432. [func] The advertised EDNS UDP buffer size can now be set
6557 via named.conf (edns-udp-size).
6559 1431. [bug] isc_print_snprintf() "%s" with precision could walk off
6560 end of argument. [RT #5191]
6562 1430. [port] linux: IPv6 interface scanning support.
6564 1429. [bug] Prevent the cache getting locked to old servers.
6568 1427. [bug] Race condition in adb with threaded build.
6572 1425. [port] linux/libbind: define __USE_MISC when testing *_r()
6573 function prototypes in netdb.h. [RT #4921]
6575 1424. [bug] EDNS version not being correctly printed.
6577 1423. [contrib] queryperf: added A6 and SRV.
6579 1422. [func] Log name/type/class when denying a query. [RT #4663]
6581 1421. [func] Differentiate updates that don't succeed due to
6582 prerequisites (unsuccessful) vs other reasons
6585 1420. [port] solaris: work around gcc optimizer bug.
6587 1419. [port] openbsd: use /dev/arandom. [RT #4950]
6589 1418. [bug] 'rndc reconfig' did not cause new slaves to load.
6591 1417. [func] ID.SERVER/CHAOS is now a built in zone.
6592 See "server-id" for how to configure.
6594 1416. [bug] Empty node should return NOERROR NODATA, not NXDOMAIN.
6597 1415. [func] DS TTL now derived from NS ttl. NXT TTL now derived
6600 1414. [func] Support for KSK flag.
6602 1413. [func] Explicitly request the (re-)generation of DS records
6603 from keysets (dnssec-signzone -g).
6605 1412. [func] You can now specify servers to be tried if a nameserver
6606 has IPv6 address and you only support IPv4 or the
6607 reverse. See dual-stack-servers.
6609 1411. [bug] empty nodes should stop wildcard matches. [RT #4802]
6611 1410. [func] Handle records that live in the parent zone, e.g. DS.
6613 1409. [bug] DS should have attribute DNS_RDATATYPEATTR_DNSSEC.
6615 1408. [bug] "make distclean" was not complete. [RT #4700]
6617 1407. [bug] lfsr incorrectly implements the shift register.
6620 1406. [bug] dispatch initializes one of the LFSR's with a incorrect
6621 polynomial. [RT #4617]
6623 1405. [func] Use arc4random() if available.
6625 1404. [bug] libbind: ns_name_ntol() could overwrite a zero length
6628 1403. [func] dnssec-signzone, dnssec-keygen, dnssec-makekeyset
6629 dnssec-signkey now report their version in the
6632 1402. [cleanup] A6 has been moved to experimental and is no longer
6635 1401. [bug] adb wasn't clearing state when the timer expired.
6637 1400. [bug] Block the addition of wildcard NS records by IXFR
6638 or UPDATE. [RT #3502]
6640 1399. [bug] Use serial number arithmetic when testing SIG
6641 timestamps. [RT #4268]
6643 1398. [doc] ARM: notify-also should have been also-notify.
6646 1397. [maint] J.ROOT-SERVERS.NET is now 192.58.128.30.
6648 1396. [func] dnssec-signzone: adjust the default signing time by
6649 1 hour to allow for clock skew.
6651 1395. [port] OpenSSL 0.9.7 defines CRYPTO_LOCK_ENGINE but doesn't
6652 have a working implementation. [RT #4079]
6654 1394. [func] It is now possible to check if a particular element is
6655 in a acl. Remove duplicate entries from the localnets
6658 1393. [port] Bind to individual IPv6 interfaces if IPV6_IPV6ONLY
6659 is not available in the kernel to prevent accidently
6660 listening on IPv4 interfaces.
6662 1392. [bug] named-checkzone: update usage.
6664 1391. [func] Add support for IPv6 scoped addresses in named.
6666 1390. [func] host now supports ixfr.
6668 1389. [bug] named could fail to rotate long log files. [RT #3666]
6670 1388. [port] irix: check for sys/sysctl.h and NET_RT_IFLIST before
6671 defining HAVE_IFLIST_SYSCTL. [RT #3770]
6673 1387. [bug] named could crash due to an access to invalid memory
6674 space (which caused an assertion failure) in
6675 incremental cleaning. [RT #3588]
6677 1386. [bug] named-checkzone -z stopped on errors in a zone.
6680 1385. [bug] Setting serial-query-rate to 10 would trigger a
6683 1384. [bug] host was incompatible with BIND 8 in its exit code and
6684 in the output with the -l option. [RT #3536]
6686 1383. [func] Track the serial number in a IXFR response and log if
6687 a mismatch occurs. This is a more specific error than
6688 "not exact". [RT #3445]
6690 1382. [bug] make install failed with --enable-libbind. [RT #3656]
6692 1381. [bug] named failed to correctly process answers that
6693 contained DNAME records where the resulting CNAME
6694 resulted in a negative answer.
6696 1380. [func] 'rndc recursing' dump recursing queries to
6697 'recursing-file = "named.recursing";'.
6699 1379. [func] 'rndc status' now reports tcp and recursion quota
6702 1378. [func] Improved positive feedback for 'rndc {reload|refresh}.
6704 1377. [func] dns_zone_load{new}() now reports if the zone was
6705 loaded, queued for loading to up to date.
6707 1376. [func] New function dns_zone_logc() to log to specified
6710 1375. [func] 'rndc dumpdb' now dumps the adb cache along with the
6713 1374. [func] dns_adb_dump() now logs the lame zones associated
6716 1373. [bug] Recovery from expired glue failed under certain
6719 1372. [bug] named crashes with an assertion failure on exit when
6720 sharing the same port for listening and querying, and
6721 changing listening addresses several times. [RT# 3509]
6723 1371. [bug] notify-source-v6, transfer-source-v6 and
6724 query-source-v6 with explicit addresses and using the
6725 same ports as named was listening on could interfere
6726 with named's ability to answer queries sent to those
6729 1370. [bug] dig '+[no]recurse' was incorrectly documented.
6731 1369. [bug] Adding an NS record as the lexicographically last
6732 record in a secure zone didn't work.
6734 1368. [func] remove support for bitstring labels.
6736 1367. [func] Use response times to select forwarders.
6738 1366. [contrib] queryperf usage was incomplete. Add '-h' for help.
6740 1365. [func] "localhost" and "localnets" acls now include IPv6
6741 addresses / prefixes.
6743 1364. [func] Log file name when unable to open memory statistics
6744 and dump database files. [RT# 3437]
6746 1363. [func] Listen-on-v6 now supports specific addresses.
6748 1362. [bug] remove IFF_RUNNING test when scanning interfaces.
6750 1361. [func] log the reason for rejecting a server when resolving
6753 1360. [bug] --enable-libbind would fail when not built in the
6754 source tree for certain OS's.
6756 1359. [security] Support patches OpenSSL libraries.
6757 http://www.cert.org/advisories/CA-2002-23.html
6759 1358. [bug] It was possible to trigger a INSIST when debugging
6760 large dynamic updates. [RT #3390]
6762 1357. [bug] nsupdate was extremely wasteful of memory.
6764 1356. [tuning] Reduce the number of events / quantum for zone tasks.
6766 1355. [bug] Fix DNSSEC wildcard proof for CNAME/DNAME.
6768 1354. [doc] lwres man pages had illegal nroff.
6770 1353. [contrib] sdb/ldap to version 0.9.
6772 1352. [bug] dig, host, nslookup when falling back to TCP use the
6773 current search entry (if any). [RT #3374]
6775 1351. [bug] lwres_getipnodebyname() returned the wrong name
6776 when given a IPv4 literal, af=AF_INET6 and AI_MAPPED
6779 1350. [bug] dns_name_fromtext() failed to handle too many labels
6782 1349. [security] Minimum OpenSSL version now 0.9.6e (was 0.9.5a).
6783 http://www.cert.org/advisories/CA-2002-23.html
6785 1348. [port] win32: Rewrote code to use I/O Completion Ports
6786 in socket.c and eliminating a host of socket
6787 errors. Performance is enhanced.
6793 1345. [port] Use a explicit -Wformat with gcc. Not all versions
6794 include it in -Wall.
6796 1344. [func] Log if the serial number on the master has gone
6798 If you have multiple machines specified in the masters
6799 clause you may want to set 'multi-master yes;' to
6800 suppress this warning.
6802 1343. [func] Log successful notifies received (info). Adjust log
6803 level for failed notifies to notice.
6805 1342. [func] Log remote address with TCP dispatch failures.
6807 1341. [func] Allow a rate limiter to be stalled.
6809 1340. [bug] Delay and spread out the startup refresh load.
6811 1339. [func] dig, host and nslookup now use IP6.ARPA for nibble
6812 lookups. Bit string lookups are no longer attempted.
6818 1336. [func] Nibble lookups under IP6.ARPA are now supported by
6819 dns_byaddr_create(). dns_byaddr_createptrname() is
6820 deprecated, use dns_byaddr_createptrname2() instead.
6822 1335. [bug] When performing a nonexistence proof, the validator
6823 should discard parent NXTs from higher in the DNS.
6825 1334. [bug] When signing/verifying rdatasets, duplicate rdatas
6826 need to be suppressed.
6828 1333. [contrib] queryperf now reports a summary of returned
6829 rcodes (-c), rcodes are printed in mnemonic form (-v).
6831 1332. [func] Report the current serial with periodic commits when
6832 rolling forward the journal.
6834 1331. [func] Generate DNSSEC wildcard proofs.
6836 1330. [bug] When processing events (non-threaded) only allow
6837 the task one chance to use to use its quantum.
6839 1329. [func] named-checkzone will now check if nameservers that
6840 appear to be IP addresses. Available modes "fail",
6841 "warn" (default) and "ignore" the results of the
6844 1328. [bug] The validator could incorrectly verify an invalid
6847 1327. [bug] The validator would incorrectly mark data as insecure
6848 when seeing a bogus signature before a correct
6851 1326. [bug] DNAME/CNAME signatures were not being cached when
6852 validation was not being performed. [RT #3284]
6854 1325. [bug] If the tcpquota was exhausted it was possible to
6855 to trigger a INSIST() failure.
6857 1324. [port] darwin: ifconfig.sh now supports darwin.
6859 1323. [port] linux: Slackware 4.0 needs <asm/unistd.h>. [RT #3205]
6861 1322. [bug] dnssec-signzone usage message was misleading.
6863 1321. [bug] If the last RRset in a zone is glue, dnssec-signzone
6864 would incorrectly duplicate its output and sign it.
6866 1320. [doc] query-source-v6 was missing from options section.
6869 1319. [func] libbind: log attempts to exploit #1318.
6871 1318. [bug] libbind: Remote buffer overrun.
6873 1317. [port] libbind: TrueUNIX 5.1 does not like __align as a
6876 1316. [bug] libbind: gethostans() could get out of sync parsing
6877 the response if there was a very long CNAME chain.
6879 1315. [bug] Options should apply to the internal _bind view.
6881 1314. [port] Handle ECONNRESET from sendmsg() [unix].
6883 1313. [func] Query log now says if the query was signed (S) or
6884 if EDNS was used (E).
6886 1312. [func] Log TSIG key used w/ outgoing zone transfers.
6888 1311. [bug] lwres_getrrsetbyname leaked memory. [RT #3159]
6890 1310. [bug] 'rndc stop' failed to cause zones to be flushed
6891 sometimes. [RT #3157]
6893 1309. [func] Log that a zone transfer was covered by a TSIG.
6895 1308. [func] DS (delegation signer) support.
6897 1307. [bug] nsupdate: allow white space base64 key data.
6899 1306. [bug] Badly encoded LOC record when the size, horizontal
6900 precision or vertical precision was 0.1m.
6902 1305. [bug] Document that internal zones are included in the
6903 rndc status results.
6905 1304. [func] New function: dns_zone_name().
6907 1303. [func] Option 'flush-zones-on-shutdown <boolean>;'.
6909 1302. [func] Extended rndc dumpdb to support dumping of zones and
6910 view selection: 'dumpdb [-all|-zones|-cache] [view]'.
6912 1301. [func] New category 'update-security'.
6914 1300. [port] Compaq Trucluster support.
6916 1299. [bug] Set AI_ADDRCONFIG when looking up addresses
6917 via getaddrinfo() (affects dig, host, nslookup, rndc
6920 1298. [bug] The CINCLUDES macro in lib/dns/sec/dst/Makefile
6921 could be left with a trailing "\" after configure
6924 1297. [port] linux: make handling EINVAL from socket() no longer
6925 conditional on #ifdef LINUX.
6927 1296. [bug] isc_log_closefilelogs() needed to lock the log
6930 1295. [bug] isc_log_setdebuglevel() needed to lock the log
6933 1294. [func] libbind: no longer attempts bit string labels for
6934 IPv6 reverse resolution. Try IP6.ARPA then IP6.INT
6935 for nibble style resolution.
6937 1293. [func] Entropy can now be retrieved from EGDs. [RT #2438]
6939 1292. [func] Enable IPv6 support when using ioctl style interface
6940 scanning and OS supports SIOCGLIFADDR using struct
6943 1291. [func] Enable IPv6 support when using sysctl style interface
6946 1290. [func] "dig axfr" now reports the number of messages
6947 as well as the number of records.
6949 1289. [port] See if -ldl is required for OpenSSL? [RT #2672]
6951 1288. [bug] Adjusted REQUIRE's in lib/dns/name.c to better
6952 reflect written requirements.
6954 1287. [bug] REQUIRE that DNS_DBADD_MERGE only be set when adding
6955 a rdataset to a zone db in the rbtdb implementation of
6958 1286. [bug] dns_name_downcase() enforce requirement that
6959 target != NULL or name->buffer != NULL.
6961 1285. [func] lwres: probe the system to see what address families
6962 are currently in use.
6964 1284. [bug] The RTT estimate on unused servers was not aged.
6967 1283. [func] Use "dataready" accept filter if available.
6969 1282. [port] libbind: hpux 11.11 interface scanning.
6971 1281. [func] Log zone when unable to get private keys to update
6972 zone. Log zone when NXT records are missing from
6975 1280. [bug] libbind: escape '(' and ')' when converting to
6978 1279. [port] Darwin uses (unsigned long) for size_t. [RT #2590]
6980 1278. [func] dig: now supports +[no]cl +[no]ttlid.
6982 1277. [func] You can now create your own customized printing
6983 styles: dns_master_stylecreate() and
6984 dns_master_styledestroy().
6986 1276. [bug] libbind: const pointer conflicts in res_debug.c.
6988 1275. [port] libbind: hpux: treat all hpux systems as BIG_ENDIAN.
6990 1274. [bug] Memory leak in lwres_gnbarequest_parse().
6992 1273. [port] libbind: solaris: 64 bit binary compatibility.
6994 1272. [contrib] Berkeley DB 4.0 sdb implementation from
6995 Nuno Miguel Rodrigues <nmr@co.sapo.pt>.
6997 1271. [bug] "recursion available: {denied,approved}" was too
7000 1270. [bug] Check that system inet_pton() and inet_ntop() support
7003 1269. [port] Openserver: ifconfig.sh support.
7005 1268. [port] Openserver: the value FD_SETSIZE depends on whether
7006 <sys/param.h> is included or not. Be consistent.
7008 1267. [func] isc_file_openunique() now creates file using mode
7009 0666 rather than 0600.
7011 1266. [bug] ISC_LINK_INIT, ISC_LINK_UNLINK, ISC_LIST_DEQUEUE,
7012 __ISC_LINK_UNLINKUNSAFE and __ISC_LIST_DEQUEUEUNSAFE
7013 are not C++ compatible, use *_TYPE versions instead.
7015 1265. [bug] libbind: LINK_INIT and UNLINK were not compatible with
7016 C++, use LINK_INIT_TYPE and UNLINK_TYPE instead.
7020 1263. [bug] Reference after free error if dns_dispatchmgr_create()
7023 1262. [bug] ns_server_destroy() failed to set *serverp to NULL.
7025 1261. [func] libbind: ns_sign2() and ns_sign_tcp() now provide
7026 support for compressed TSIG owner names.
7028 1260. [func] libbind: res_update can now update IPv6 servers,
7029 new function res_findzonecut2().
7031 1259. [bug] libbind: get_salen() IPv6 support was broken for OSs
7034 1258. [bug] libbind: res_nametotype() and res_nametoclass() were
7037 1257. [bug] Failure to write pid-file should not be fatal on
7040 1256. [contrib] 'queryperf' now has EDNS (-e) + DNSSEC DO (-D) support.
7042 1255. [bug] When verifying that an NXT proves nonexistence, check
7043 the rcode of the message and only do the matching NXT
7044 check. That is, for NXDOMAIN responses, check that
7045 the name is in the range between the NXT owner and
7046 next name, and for NOERROR NODATA responses, check
7047 that the type is not present in the NXT bitmap.
7049 1254. [func] preferred-glue option from BIND 8.3.
7051 1253. [bug] The dnssec system test failed to remove the correct
7054 1252. [bug] Dig, host and nslookup were not checking the address
7055 the answer was coming from against the address it was
7058 1251. [port] win32: a make file contained absolute version specific
7061 1250. [func] Nsupdate will report the address the update was
7064 1249. [bug] Missing masters clause was not handled gracefully.
7067 1248. [bug] DESTDIR was not being propagated between makes.
7069 1247. [bug] Don't reset the interface index for link/site local
7070 addresses. [RT #2576]
7072 1246. [func] New functions isc_sockaddr_issitelocal(),
7073 isc_sockaddr_islinklocal(), isc_netaddr_issitelocal()
7074 and isc_netaddr_islinklocal().
7076 1245. [bug] Treat ENOBUFS, ENOMEM and ENFILE as soft errors for
7079 1244. [bug] Receiving a TCP message from a blackhole address would
7080 prevent further messages being received over that
7083 1243. [bug] It was possible to trigger a REQUIRE() in
7084 dns_message_findtype(). [RT #2659]
7086 1242. [bug] named-checkzone failed if a journal existed. [RT #2657]
7088 1241. [bug] Drop received UDP messages with a zero source port
7089 as these are invariably forged. [RT #2621]
7091 1240. [bug] It was possible to leak zone references by
7092 specifying an incorrect zone to rndc.
7094 1239. [bug] Under certain circumstances named could continue to
7095 use a name after it had been freed triggering
7096 INSIST() failures. [RT #2614]
7098 1238. [bug] It is possible to lockup the server when shutting down
7099 if notifies were being processed. [RT #2591]
7101 1237. [bug] nslookup: "set q=type" failed.
7103 1236. [bug] dns_rdata{class,type}_fromtext() didn't handle non
7104 NULL terminated text regions. [RT #2588]
7106 1235. [func] Report 'out of memory' errors from openssl.
7108 1234. [bug] contrib/sdb: 'zonetodb' failed to call
7109 dns_result_register(). DNS_R_SEENINCLUDE should not
7112 1233. [bug] The flags field of a KEY record can be expressed in
7113 hex as well as decimal.
7115 1232. [bug] unix/errno2result() didn't handle EADDRNOTAVAIL.
7117 1231. [port] HPUX 11.11 recvmsg() can return spurious EADDRNOTAVAIL.
7119 1230. [bug] isccc_cc_isreply() and isccc_cc_isack() were broken.
7121 1229. [bug] named would crash if it received a TSIG signed
7122 query as part of an AXFR response. [RT #2570]
7124 1228. [bug] 'make install' did not depend on 'make all'. [RT #2559]
7126 1227. [bug] dns_lex_getmastertoken() now returns ISC_R_BADNUMBER
7127 if a number was expected and some other token was
7130 1226. [func] Use EDNS for zone refresh queries. [RT #2551]
7132 1225. [func] dns_message_setopt() no longer requires that
7133 dns_message_renderbegin() to have been called.
7135 1224. [bug] 'rrset-order' and 'sortlist' should be additive
7138 1223. [func] 'rrset-order' partially works 'cyclic' and 'random'
7141 1222. [bug] Specifying 'port *' did not always result in a system
7142 selected (non-reserved) port being used. [RT #2537]
7144 1221. [bug] Zone types 'master', 'slave' and 'stub' were not being
7145 compared case insensitively. [RT #2542]
7147 1220. [func] Support for APL rdata type.
7149 1219. [func] Named now reports the TSIG extended error code when
7150 signature verification fails. [RT #1651]
7152 1218. [bug] Named incorrectly returned SERVFAIL rather than
7153 NOTAUTH when there was a TSIG BADTIME error. [RT #2519]
7155 1217. [func] Report locations of previous key definition when a
7156 duplicate is detected.
7158 1216. [bug] Multiple server clauses for the same server were not
7159 reported. [RT #2514]
7161 1215. [port] solaris: add support to ifconfig.sh for x86 2.5.1
7163 1214. [bug] Win32: isc_file_renameunique() could leave zero length
7166 1213. [func] Report view associated with client if it is not a
7167 standard view (_default or _bind).
7169 1212. [port] libbind: 64k answer buffers were causing stack space
7170 to be exceeded for certain OS. Use heap space instead.
7172 1211. [bug] dns_name_fromtext() incorrectly handled certain
7173 valid octal bitlabels. [RT #2483]
7175 1210. [bug] libbind: getnameinfo() failed to lookup IPv4 mapped /
7176 compatible addresses. [RT #2461]
7178 1209. [bug] Dig, host, nslookup were not checking the message ids
7179 on the responses. [RT #2454]
7181 1208. [bug] dns_master_load*() failed to log a error message if
7182 an error was detected when parsing the ownername of
7183 a record. [RT #2448]
7185 1207. [bug] libbind: getaddrinfo() could call freeaddrinfo() with
7188 1206. [bug] SERVFAIL and NOTIMP responses to an EDNS query should
7189 trigger a non-EDNS retry.
7191 1205. [bug] OPT, TSIG and TKEY cannot be used to set the "class"
7192 of the message. [RT #2449]
7194 1204. [bug] libbind: res_nupdate() failed to update the name
7195 server addresses before sending the update.
7197 1203. [func] Report locations of previous acl and zone definitions
7198 when a duplicate is detected.
7200 1202. [func] New functions: cfg_obj_line() and cfg_obj_file().
7202 1201. [bug] Require that if 'callbacks' is passed to
7203 dns_rdata_fromtext(), callbacks->error and
7204 callbacks->warn are initialized.
7206 1200. [bug] Log 'errno' that we are unable to convert to
7207 isc_result_t. [RT #2404]
7209 1199. [doc] ARM reference to RFC 2157 should have been RFC 1918.
7212 1198. [bug] OPT printing style was not consistent with the way the
7213 header fields are printed. The DO bit was not reported
7214 if set. Report if any of the MBZ bits are set.
7216 1197. [bug] Attempts to define the same acl multiple times were not
7219 1196. [contrib] update mdnkit to 2.2.3.
7221 1195. [bug] Attempts to redefine builtin acls should be caught.
7224 1194. [bug] Not all duplicate zone definitions were being detected
7225 at the named.conf checking stage. [RT #2431]
7227 1193. [bug] dig +besteffort parsing didn't handle packet
7228 truncation. dns_message_parse() has new flag
7229 DNS_MESSAGE_IGNORETRUNCATION.
7231 1192. [bug] The seconds fields in LOC records were restricted
7232 to three decimal places. More decimal places should
7233 be allowed but warned about.
7235 1191. [bug] A dynamic update removing the last non-apex name in
7236 a secure zone would fail. [RT #2399]
7238 1190. [func] Add the "rndc freeze" and "rndc unfreeze" commands.
7241 1189. [bug] On some systems, malloc(0) returns NULL, which
7242 could cause the caller to report an out of memory
7245 1188. [bug] Dynamic updates of a signed zone would fail if
7246 some of the zone private keys were unavailable.
7248 1187. [bug] named was incorrectly returning DNSSEC records
7249 in negative responses when the DO bit was not set.
7251 1186. [bug] isc_hex_tobuffer(,,length = 0) failed to unget the
7252 EOL token when reading to end of line.
7254 1185. [bug] libbind: don't assume statp->_u._ext.ext is valid
7255 unless RES_INIT is set when calling res_*init().
7257 1184. [bug] libbind: call res_ndestroy() if RES_INIT is set
7258 when res_*init() is called.
7260 1183. [bug] Handle ENOSR error when writing to the internal
7261 control pipe. [RT #2395]
7263 1182. [bug] The server could throw an assertion failure when
7264 constructing a negative response packet.
7266 1181. [func] Add the "key-directory" configuration statement,
7267 which allows the server to look for online signing
7268 keys in alternate directories.
7270 1180. [func] dnssec-keygen should always generate keys with
7271 protocol 3 (DNSSEC), since it's less confusing
7274 1179. [func] Add SIG(0) support to nsupdate.
7276 1178. [bug] Follow and cache (if appropriate) A6 and other
7277 data chains to completion in the additional section.
7279 1177. [func] Report view when loading zones if it is not a
7280 standard view (_default or _bind). [RT #2270]
7282 1176. [doc] Document that allow-v6-synthesis is only performed
7283 for clients that are supplied recursive service.
7286 1175. [bug] named-checkzone and named-checkconf failed to call
7287 dns_result_register() at startup which could
7288 result in runtime exceptions when printing
7289 "out of memory" errors. [RT #2335]
7291 1174. [bug] Win32: add WSAECONNRESET to the expected errors
7292 from connect(). [RT #2308]
7294 1173. [bug] Potential memory leaks in isc_log_create() and
7295 isc_log_settag(). [RT #2336]
7297 1172. [doc] Add CERT, GPOS, KX, NAPTR, NSAP, PX and TXT to
7298 table of RR types in ARM.
7300 1171. [func] Added function isc_region_compare(), updated files in
7301 lib/dns to use this function instead of local one.
7303 1170. [bug] Don't attempt to print the token when a I/O error
7304 occurs when parsing named.conf. [RT #2275]
7306 1169. [func] Identify recursive queries in the query log.
7308 1168. [bug] Empty also-notify clauses were not handled. [RT #2309]
7310 1167. [contrib] nslint-2.1a3 (from author).
7312 1166. [bug] "Not Implemented" should be reported as NOTIMP,
7313 not NOTIMPL. [RT #2281]
7315 1165. [bug] We were rejecting notify-source{-v6} in zone clauses.
7317 1164. [bug] Empty masters clauses in slave / stub zones were not
7318 handled gracefully. [RT #2262]
7320 1163. [func] isc_time_formattimestamp() now includes the year.
7322 1162. [bug] The allow-notify option was not accepted in slave
7325 1161. [bug] named-checkzone looped on unbalanced brackets.
7328 1160. [bug] Generating Diffie-Hellman keys longer than 1024
7329 bits could fail. [RT #2241]
7331 1159. [bug] MD and MF are not permitted to be loaded by RFC1123.
7333 1158. [func] Report the client's address when logging notify
7336 1157. [func] match-clients and match-destinations now accept
7339 1156. [port] The configure test for strsep() incorrectly
7340 succeeded on certain patched versions of
7341 AIX 4.3.3. [RT #2190]
7343 1155. [func] Recover from master files being removed from under
7346 1154. [bug] Don't attempt to obtain the netmask of a interface
7347 if there is no address configured. [RT #2176]
7349 1153. [func] 'rndc {stop|halt} -p' now reports the process id
7350 of the instance of named being shutdown.
7352 1152. [bug] libbind: read buffer overflows.
7354 1151. [bug] nslookup failed to check that the arguments to
7355 the port, timeout, and retry options were
7356 valid integers and in range. [RT #2099]
7358 1150. [bug] named incorrectly accepted TTL values
7359 containing plus or minus signs, such as
7362 1149. [func] New function isc_parse_uint32().
7364 1148. [func] 'rndc-confgen -a' now provides positive feedback.
7366 1147. [func] Set IPV6_V6ONLY on IPv6 sockets if supported by
7367 the OS. listen-on-v6 { any; }; should no longer
7368 result in IPv4 queries be accepted. Similarly
7369 control { inet :: ... }; should no longer result
7370 in IPv4 connections being accepted. This can be
7371 overridden at compile time by defining
7374 1146. [func] Allow IPV6_IPV6ONLY to be set/cleared on a socket if
7375 supported by the OS by a new function
7376 isc_socket_ipv6only().
7378 1145. [func] "host" no longer reports a NOERROR/NODATA response
7379 by printing nothing. [RT #2065]
7381 1144. [bug] rndc-confgen would crash if both the -a and -t
7382 options were specified. [RT #2159]
7384 1143. [bug] When a trusted-keys statement was present and named
7385 was built without crypto support, it would leak memory.
7387 1142. [bug] dnssec-signzone would fail to delete temporary files
7388 in some failure cases. [RT #2144]
7390 1141. [bug] When named rejected a control message, it would
7391 leak a file descriptor and memory. It would also
7392 fail to respond, causing rndc to hang.
7395 1140. [bug] rndc-confgen did not accept IPv6 addresses as arguments
7396 to the -s option. [RT #2138]
7398 1139. [func] It is now possible to flush a given name from the
7399 cache(s) via 'rndc flushname name [view]'. [RT #2051]
7401 1138. [func] It is now possible to flush a given name from the
7402 cache by calling the new function
7403 dns_cache_flushname().
7405 1137. [func] It is now possible to flush a given name from the
7406 ADB by calling the new function dns_adb_flushname().
7408 1136. [bug] CNAME records synthesized from DNAMEs did not
7409 have a TTL of zero as required by RFC2672.
7412 1135. [func] You can now override the default syslog() facility for
7413 named/lwresd at compile time. [RT #1982]
7415 1134. [bug] Multi-threaded servers could deadlock in ferror()
7416 when reloading zone files. [RT #1951, #1998]
7418 1133. [bug] IN6_IS_ADDR_LOOPBACK was not portably defined on
7419 platforms without IN6_IS_ADDR_LOOPBACK. [RT #2106]
7421 1132. [func] Improve UPDATE prerequisite failure diagnostic messages.
7423 1131. [bug] The match-destinations view option did not work with
7424 IPv6 destinations. [RT #2073, #2074]
7426 1130. [bug] Log messages reporting an out-of-range serial number
7427 did not include the out-of-range number but the
7428 following token. [RT #2076]
7430 1129. [bug] Multi-threaded servers could crash under heavy
7431 resolution load due to a race condition. [RT #2018]
7433 1128. [func] sdb drivers can now provide RR data in either text
7434 or wire format, the latter using the new functions
7435 dns_sdb_putrdata() and dns_sdb_putnamedrdata().
7437 1127. [func] rndc: If the server to contact has multiple addresses,
7440 1126. [bug] The server could access a freed event if shut
7441 down while a client start event was pending
7442 delivery. [RT #2061]
7444 1125. [bug] rndc: -k option was missing from usage message.
7447 1124. [doc] dig: +[no]dnssec, +[no]besteffort and +[no]fail
7448 are now documented. [RT #2052]
7450 1123. [bug] dig +[no]fail did not match description. [RT #2052]
7452 1122. [tuning] Resolution timeout reduced from 90 to 30 seconds.
7455 1121. [bug] The server could attempt to access a NULL zone
7456 table if shut down while resolving.
7459 1120. [bug] Errors in options were not fatal. [RT #2002]
7461 1119. [func] Added support in Win32 for NTFS file/directory ACL's
7464 1118. [bug] On multi-threaded servers, a race condition
7465 could cause an assertion failure in resolver.c
7466 during resolver shutdown. [RT #2029]
7468 1117. [port] The configure check for in6addr_loopback incorrectly
7469 succeeded on AIX 4.3 when compiling with -O2
7470 because the test code was optimized away.
7473 1116. [bug] Setting transfers in a server clause, transfers-in,
7474 or transfers-per-ns to a value greater than
7475 2147483647 disabled transfers. [RT #2002]
7477 1115. [func] Set maximum values for cleaning-interval,
7478 heartbeat-interval, interface-interval,
7479 max-transfer-idle-in, max-transfer-idle-out,
7480 max-transfer-time-in, max-transfer-time-out,
7481 statistics-interval of 28 days and
7482 sig-validity-interval of 3660 days. [RT #2002]
7484 1114. [port] Ignore more accept() errors. [RT #2021]
7486 1113. [bug] The allow-update-forwarding option was ignored
7487 when specified in a view. [RT #2014]
7491 1111. [bug] Multi-threaded servers could deadlock processing
7492 recursive queries due to a locking hierarchy
7493 violation in adb.c. [RT #2017]
7495 1110. [bug] dig should only accept valid abbreviations of +options.
7498 1109. [bug] nsupdate accepted illegal ttl values.
7500 1108. [bug] On Win32, rndc was hanging when named was not running
7501 due to failure to select for exceptional conditions
7502 in select(). [RT #1870]
7504 1107. [bug] nsupdate could catch an assertion failure if an
7505 invalid domain name was given as the argument to
7508 1106. [bug] After seeing an out of range TTL, nsupdate would
7509 treat all TTLs as out of range. [RT #2001]
7511 1105. [port] OpenUNIX 8 enable threads by default. [RT #1970]
7513 1104. [bug] Invalid arguments to the transfer-format option
7514 could cause an assertion failure. [RT #1995]
7516 1103. [port] OpenUNIX 8 support (ifconfig.sh). [RT #1970]
7518 1102. [doc] Note that query logging is enabled by directing the
7519 queries category to a channel.
7521 1101. [bug] Array bounds read error in lwres_gai_strerror.
7523 1100. [bug] libbind: DNSSEC key ids were computed incorrectly.
7525 1099. [cleanup] libbind: defining REPORT_ERRORS in lib/bind/dst caused
7526 compile time errors.
7528 1098. [bug] libbind: HMAC-MD5 key files are now mode 0600.
7530 1097. [func] libbind: RES_PRF_TRUNC for dig.
7532 1096. [func] libbind: "DNSSEC OK" (DO) support.
7534 1095. [func] libbind: resolver option: no-tld-query. disables
7535 trying unqualified as a tld. no_tld_query is also
7536 supported for FreeBSD compatibility.
7538 1094. [func] libbind: add support gcc's format string checking.
7540 1093. [doc] libbind: miscellaneous nroff fixes.
7542 1092. [bug] libbind: get*by*() failed to check if res_init() had
7545 1091. [bug] libbind: misplaced va_end().
7547 1090. [bug] libbind: dns_ho.c:add_hostent() was not returning
7548 the amount of memory consumed resulting in garbage
7549 address being returned. Alignment calculations were
7550 wasting space. We weren't suppressing duplicate
7553 1089. [func] libbind: inet_{cidr,net}_{pton,ntop}() now have IPv6
7556 1088. [port] libbind: MPE/iX C.70 (incomplete)
7558 1087. [bug] libbind: struct __res_state too large on 64 bit arch.
7560 1086. [port] libbind: sunos: old sprintf.
7562 1085. [port] libbind: solaris: sys_nerr and sys_errlist do not
7563 exist when compiling in 64 bit mode.
7565 1084. [cleanup] libbind: gai_strerror() rewritten.
7567 1083. [bug] The default control channel listened on the
7568 wildcard address, not the loopback as documented.
7571 1082. [bug] The -g option to named incorrectly caused logging
7572 to be sent to syslog in addition to stderr.
7575 1081. [bug] Multicast queries were incorrectly identified
7576 based on the source address, not the destination
7579 1080. [bug] BIND 8 compatibility: accept bare IP prefixes
7580 as the second element of a two-element top level
7581 sort list statement. [RT #1964]
7583 1079. [bug] BIND 8 compatibility: accept bare elements at top
7584 level of sort list treating them as if they were
7585 a single element list. [RT #1963]
7587 1078. [bug] We failed to correct bad tv_usec values in one case.
7590 1077. [func] Do not accept further recursive clients when
7591 the total number of recursive lookups being
7592 processed exceeds max-recursive-clients, even
7593 if some of the lookups are internally generated.
7596 1076. [bug] A badly defined global key could trigger an assertion
7597 on load/reload if views were used. [RT #1947]
7599 1075. [bug] Out-of-range network prefix lengths were not
7600 reported. [RT #1954]
7602 1074. [bug] Running out of memory in dump_rdataset() could
7603 cause an assertion failure. [RT #1946]
7605 1073. [bug] The ADB cache cleaning should also be space driven.
7608 1072. [bug] The TCP client quota could be exceeded when
7609 recursion occurred. [RT #1937]
7611 1071. [bug] Sockets listening for TCP DNS connections
7612 specified an excessive listen backlog. [RT #1937]
7614 1070. [bug] Copy DNSSEC OK (DO) to response as specified by
7615 draft-ietf-dnsext-dnssec-okbit-03.txt.
7619 1068. [bug] errno could be overwritten by catgets(). [RT #1921]
7621 1067. [func] Allow quotas to be soft, isc_quota_soft().
7623 1066. [bug] Provide a thread safe wrapper for strerror().
7626 1065. [func] Runtime support to select new / old style interface
7627 scanning using ioctls.
7629 1064. [bug] Do not shut down active network interfaces if we
7630 are unable to scan the interface list. [RT #1921]
7632 1063. [bug] libbind: "make install" was failing on IRIX.
7635 1062. [bug] If the control channel listener socket was shut
7636 down before server exit, the listener object could
7637 be freed twice. [RT #1916]
7639 1061. [bug] If periodic cache cleaning happened to start
7640 while cleaning due to reaching the configured
7641 maximum cache size was in progress, the server
7642 could catch an assertion failure. [RT #1912]
7644 1060. [func] Move refresh, stub and notify UDP retry processing
7647 1059. [func] dns_request now support will now retry UDP queries,
7648 dns_request_createvia2() and dns_request_createraw2().
7650 1058. [func] Limited lifetime ticker timers are now available,
7651 isc_timertype_limited.
7653 1057. [bug] Reloading the server after adding a "file" clause
7654 to a zone statement could cause the server to
7655 crash due to a typo in change 1016.
7657 1056. [bug] Rndc could catch an assertion failure on SIGINT due
7658 to an uninitialized variable. [RT #1908]
7660 1055. [func] Version and hostname queries can now be disabled
7661 using "version none;" and "hostname none;",
7664 1054. [bug] On Win32, cfg_categories and cfg_modules need to be
7665 exported from the libisccfg DLL.
7667 1053. [bug] Dig did not increase its timeout when receiving
7668 AXFRs unless the +time option was used. [RT #1904]
7670 1052. [bug] Journals were not being created in binary mode
7671 resulting in "journal format not recognized" error
7672 under Win32. [RT #1889]
7674 1051. [bug] Do not ignore a network interface completely just
7675 because it has a noncontiguous netmask. Instead,
7676 omit it from the localnets ACL and issue a warning.
7679 1050. [bug] Log messages reporting malformed IP addresses in
7680 address lists such as that of the forwarders option
7681 failed to include the correct error code, file
7682 name, and line number. [RT #1890]
7684 1049. [func] "pid-file none;" will disable writing a pid file.
7687 1048. [bug] Servers built with -DISC_MEM_USE_INTERNAL_MALLOC=1
7690 1047. [bug] named was incorrectly refusing all requests signed
7691 with a TSIG key derived from an unsigned TKEY
7692 negotiation with a NOERROR response. [RT #1886]
7694 1046. [bug] The help message for the --with-openssl configure
7695 option was inaccurate. [RT #1880]
7697 1045. [bug] It was possible to skip saving glue for a nameserver
7700 1044. [bug] Specifying allow-transfer, notify-source, or
7701 notify-source-v6 in a stub zone was not treated
7704 1043. [bug] Specifying a transfer-source or transfer-source-v6
7705 option in the zone statement for a master zone was
7706 not treated as an error. [RT #1876]
7708 1042. [bug] The "config" logging category did not work properly.
7711 1041. [bug] Dig/host/nslookup could catch an assertion failure
7712 on SIGINT due to an uninitialized variable. [RT #1867]
7714 1040. [bug] Multiple listen-on-v6 options with different ports
7715 were not accepted. [RT #1875]
7717 1039. [bug] Negative responses with CNAMEs in the answer section
7718 were cached incorrectly. [RT #1862]
7720 1038. [bug] In servers configured with a tkey-domain option,
7721 TKEY queries with an owner name other than the root
7722 could cause an assertion failure. [RT #1866, #1869]
7724 1037. [bug] Negative responses whose authority section contain
7725 SOA or NS records whose owner names are not equal
7726 equal to or parents of the query name should be
7727 rejected. [RT #1862]
7729 1036. [func] Silently drop requests received via multicast as
7730 long as there is no final multicast DNS standard.
7732 1035. [bug] If we respond to multicast queries (which we
7733 currently do not), respond from a unicast address
7734 as specified in RFC 1123. [RT #137]
7736 1034. [bug] Ignore the RD bit on multicast queries as specified
7737 in RFC 1123. [RT #137]
7739 1033. [bug] Always respond to requests with an unsupported opcode
7740 with NOTIMP, even if we don't have a matching view
7741 or cannot determine the class.
7743 1032. [func] hostname.bind/txt/chaos now returns the name of
7744 the machine hosting the nameserver. This is useful
7745 in diagnosing problems with anycast servers.
7747 1031. [bug] libbind.a: isc__gettimeofday() infinite recursion.
7750 1030. [bug] On systems with no resolv.conf file, nsupdate
7751 exited with an error rather than defaulting
7752 to using the loopback address. [RT #1836]
7754 1029. [bug] Some named.conf errors did not cause the loading
7755 of the configuration file to return a failure
7756 status even though they were logged. [RT #1847]
7758 1028. [bug] On Win32, dig/host/nslookup looked for resolv.conf
7759 in the wrong directory. [RT #1833]
7761 1027. [bug] RRs having the reserved type 0 should be rejected.
7766 1025. [bug] Don't use multicast addresses to resolve iterative
7769 1024. [port] Compilation failed on HP-UX 11.11 due to
7770 incompatible use of the SIOCGLIFCONF macro
7773 1023. [func] Accept hints without TTLs.
7775 1022. [bug] Don't report empty root hints as "extra data".
7778 1021. [bug] On Win32, log message timestamps were one month
7779 later than they should have been, and the server
7780 would exhibit unspecified behavior in December.
7782 1020. [bug] IXFR log messages did not distinguish between
7783 true IXFRs, AXFR-style IXFRs, and mere version
7786 1019. [bug] The value of the lame-ttl option was limited to 18000
7787 seconds, not 1800 seconds as documented. [RT #1803]
7789 1018. [bug] The default log channel was not always initialized
7790 correctly. [RT #1813]
7792 1017. [bug] When specifying TSIG keys to dig and nsupdate using
7793 the -k option, they must be HMAC-MD5 keys. [RT #1810]
7795 1016. [bug] Slave zones with no backup file were re-transferred
7796 on every server reload.
7798 1015. [bug] Log channels that had a "versions" option but no
7799 "size" option failed to create numbered log
7802 1014. [bug] Some queries would cause statistics counters to
7803 increment more than once or not at all. [RT #1321]
7805 1013. [bug] It was possible to cancel a query twice when marking
7806 a server as bogus or by having a blackhole acl.
7809 1012. [bug] The -p option to named did not behave as documented.
7811 1011. [cleanup] Removed isc_dir_current().
7813 1010. [bug] The server could attempt to execute a command channel
7814 command after initiating server shutdown, causing
7815 an assertion failure. [RT #1766]
7817 1009. [port] OpenUNIX 8 support. [RT #1728]
7819 1008. [port] libtool.m4, ltmain.sh from libtool-1.4.2.
7821 1007. [port] config.guess, config.sub from autoconf-2.52.
7823 1006. [bug] If a KEY RR was found missing during DNSSEC validation,
7824 an assertion failure could subsequently be triggered
7825 in the resolver. [RT #1763]
7827 1005. [bug] Don't copy nonzero RCODEs from request to response.
7830 1004. [port] Deal with recvfrom() returning EHOSTDOWN. [RT #1770]
7832 1003. [func] Add the +retry option to dig.
7834 1002. [bug] When reporting an unknown class name in named.conf,
7835 including the file name and line number. [RT #1759]
7837 1001. [bug] win32 socket code doio_recv was not catching a
7838 WSACONNRESET error when a client was timing out
7839 the request and closing its socket. [RT #1745]
7841 1000. [bug] BIND 8 compatibility: accept "HESIOD" as an alias
7842 for class "HS". [RT #1759]
7844 999. [func] "rndc retransfer zone [class [view]]" added.
7847 998. [func] named-checkzone now has arguments to specify the
7848 chroot directory (-t) and working directory (-w).
7851 997. [func] Add support for RSA-SHA1 keys (RFC3110).
7853 996. [func] Issue warning if the configuration filename contains
7856 995. [bug] dig, host, nslookup: using a raw IPv6 address as a
7857 target address should be fatal on a IPv4 only system.
7859 994. [func] Treat non-authoritative responses to queries for type
7860 NS as referrals even if the NS records are in the
7861 answer section, because BIND 8 servers incorrectly
7862 send them that way. This is necessary for DNSSEC
7863 validation of the NS records of a secure zone to
7864 succeed when the parent is a BIND 8 server. [RT #1706]
7866 993. [func] dig: -v now reports the version.
7868 992. [doc] dig: ~/.digrc is now documented.
7870 991. [func] Lower UDP refresh timeout messages to level
7873 990. [bug] The rndc-confgen man page was not installed.
7875 989. [bug] Report filename if $INCLUDE fails for file related
7878 988. [bug] 'additional-from-auth no;' did not work reliably
7879 in the case of queries answered from the cache.
7882 987. [bug] "dig -help" didn't show "+[no]stats".
7884 986. [bug] "dig +noall" failed to clear stats and command
7887 985. [func] Consider network interfaces to be up iff they have
7888 a nonzero IP address rather than based on the
7889 IFF_UP flag. [RT #1160]
7891 984. [bug] Multi-threading should be enabled by default on
7892 Solaris 2.7 and newer, but it wasn't.
7894 983. [func] The server now supports generating IXFR difference
7895 sequences for non-dynamic zones by comparing zone
7896 versions, when enabled using the new config
7897 option "ixfr-from-differences". [RT #1727]
7899 982. [func] If "memstatistics-file" is set in options the memory
7900 statistics will be written to it.
7902 981. [func] The dnssec tools can now take multiple '-r randomfile'
7905 980. [bug] Incoming zone transfers restarting after an error
7906 could trigger an assertion failure. [RT #1692]
7908 979. [func] Incremental master file dumping. dns_master_dumpinc(),
7909 dns_master_dumptostreaminc(), dns_dumpctx_attach(),
7910 dns_dumpctx_detach(), dns_dumpctx_cancel(),
7911 dns_dumpctx_db() and dns_dumpctx_version().
7913 978. [bug] dns_db_attachversion() had an invalid REQUIRE()
7916 977. [bug] Improve "not at top of zone" error message.
7918 976. [func] named-checkconf can now test load master zones
7919 (named-checkconf -z). [RT #1468]
7921 975. [bug] "max-cache-size default;" as a view option
7922 caused an assertion failure.
7924 974. [bug] "max-cache-size unlimited;" as a global option
7927 973. [bug] Failed to log the question name when logging:
7928 "bad zone transfer request: non-authoritative zone
7931 972. [bug] The file modification time code in zone.c was using the
7932 wrong epoch. [RT #1667]
7936 970. [func] 'max-journal-size' can now be used to set a target
7939 969. [func] dig now supports the undocumented dig 8 feature
7940 of allowing arbitrary labels, not just dotted
7941 decimal quads, with the -x option. This can be
7942 used to conveniently look up RFC2317 names as in
7943 "dig -x 10.0.0.0-127". [RT #827, #1576, #1598]
7945 968. [bug] On win32, the isc_time_now() function was unnecessarily
7946 calling strtime(). [RT #1671]
7948 967. [bug] On win32, the link for bindevt was not including the
7949 required resource file to enable the event viewer
7950 to interpret the error messages in the event log,
7955 965. [bug] Including data other than root server NS and A
7956 records in the root hint file could cause a rbtdb
7957 node reference leak. [RT #1581, #1618]
7959 964. [func] Warn if data other than root server NS and A records
7960 are found in the root hint file. [RT #1581, #1618]
7962 963. [bug] Bad ISC_LANG_ENDDECLS. [RT #1645]
7964 962. [bug] libbind: bad "#undef", don't attempt to install
7965 non-existent nlist.h. [RT #1640]
7967 961. [bug] Tried to use a IPV6 feature when ISC_PLATFORM_HAVEIPV6
7968 was not defined. [RT #1482]
7970 960. [port] liblwres failed to build on systems with support for
7971 getrrsetbyname() in the OS. [RT #1592]
7973 959. [port] On FreeBSD, determine the number of CPUs by calling
7974 sysctlbyname(). [RT #1584]
7976 958. [port] ssize_t is not available on all platforms. [RT #1607]
7978 957. [bug] sys/select.h inclusion was broken on older platforms.
7981 956. [bug] ns_g_autorndcfile changed to ns_g_keyfile
7982 in named/win32/os.c due to code changes in
7983 change #953. win32 .make file for rndc-confgen
7984 updated to add include path for os.h header.
7986 --- 9.2.0rc1 released ---
7988 955. [bug] When using views, the zone's class was not being
7989 inherited from the view's class. [RT #1583]
7991 954. [bug] When requesting AXFRs or IXFRs using dig, host, or
7992 nslookup, the RD bit should not be set as zone
7993 transfers are inherently non-recursive. [RT #1575]
7995 953. [func] The /var/run/named.key file from change #843
7996 has been replaced by /etc/rndc.key. Both
7997 named and rndc will look for this file and use
7998 it to configure a default control channel key
7999 if not already configured using a different
8000 method (rndc.conf / controls). Unlike
8001 named.key, rndc.key is not created automatically;
8002 it must be created by manually running
8005 952. [bug] The server required manual intervention to serve the
8006 affected zones if it died between creating a journal
8007 and committing the first change to it.
8009 951. [bug] CFLAGS was not passed to the linker when
8010 linking some of the test programs under
8011 bin/tests. [RT #1555].
8013 950. [bug] Explicit TTLs did not properly override $TTL
8014 due to a bug in change 834. [RT #1558]
8016 949. [bug] host was unable to print records larger than 512
8019 --- 9.2.0b2 released ---
8021 948. [port] Integrated support for building on Windows NT /
8024 947. [bug] dns_rdata_soa_t had a badly named element "mname" which
8025 was really the RNAME field from RFC1035. To avoid
8026 confusion and silent errors that would occur it the
8027 "origin" and "mname" elements were given their correct
8028 names "mname" and "rname" respectively, the "mname"
8029 element is renamed to "contact".
8031 946. [cleanup] doc/misc/options is now machine-generated from the
8032 configuration parser syntax tables, and therefore
8033 more likely to be correct.
8035 945. [func] Add the new view-specific options
8036 "match-destinations" and "match-recursive-only".
8038 944. [func] Check for expired signatures on load.
8040 943. [bug] The server could crash when receiving a command
8041 via rndc if the configuration file listed only
8042 nonexistent keys in the controls statement. [RT #1530]
8044 942. [port] libbind: GETNETBYADDR_ADDR_T was not correctly
8045 defined on some platforms.
8047 941. [bug] The configuration checker crashed if a slave
8048 zone didn't contain a masters statement. [RT #1514]
8050 940. [bug] Double zone locking failure on error path. [RT #1510]
8052 --- 9.2.0b1 released ---
8054 939. [port] Add the --disable-linux-caps option to configure for
8055 systems that manage capabilities outside of named.
8060 937. [bug] A race when shutting down a zone could trigger a
8061 INSIST() failure. [RT #1034]
8063 936. [func] Warn about IPv4 addresses that are not complete
8064 dotted quads. [RT #1084]
8066 935. [bug] inet_pton failed to reject leading zeros.
8068 934. [port] Deal with systems where accept() spuriously returns
8071 933. [bug] configure failed doing libbind on platforms not
8072 supported by BIND 8. [RT #1496]
8074 --- 9.2.0a3 released ---
8076 932. [bug] Use INSTALL_SCRIPT, not INSTALL_PROGRAM,
8077 when installing isc-config.sh.
8080 931. [bug] The controls statement only attempted to verify
8081 messages using the first key in the key list.
8084 930. [func] Query performance testing tool added as
8089 928. [bug] nsupdate would send empty update packets if the
8090 send (or empty line) command was run after
8091 another send but before any new updates or
8092 prerequisites were specified. It should simply
8093 ignore this command.
8095 927. [bug] Don't hold the zone lock for the entire dump to disk.
8098 926. [bug] The resolver could deadlock with the ADB when
8099 shutting down (multi-threaded builds only).
8102 925. [cleanup] Remove openssl from the distribution; require that
8103 --with-openssl be specified if DNSSEC is needed.
8105 924. [port] Extend support for pre-RFC2133 IPv6 implementation.
8108 923. [bug] Multiline TSIG secrets (and other multiline strings)
8109 were not accepted in named.conf. [RT #1469]
8111 922. [func] Added two new lwres_getrrsetbyname() result codes,
8112 ERR_NONAME and ERR_NODATA.
8114 921. [bug] lwres returned an incorrect error code if it received
8115 a truncated message.
8117 920. [func] Increase the lwres receive buffer size to 16K.
8122 918. [func] In nsupdate, TSIG errors are no longer treated as
8125 917. [func] New nsupdate command 'key', allowing TSIG keys to
8126 be specified in the nsupdate command stream rather
8127 than the command line.
8129 916. [bug] Specifying type ixfr to dig without specifying
8130 a serial number failed in unexpected ways.
8132 915. [func] The named-checkconf and named-checkzone programs
8133 now have a '-v' option for printing their version.
8136 914. [bug] Global 'server' statements were rejected when
8137 using views, even though they were accepted
8140 913. [bug] Cache cleaning was not sufficiently aggressive.
8143 912. [bug] Attempts to set the 'additional-from-cache' or
8144 'additional-from-auth' option to 'no' in a
8145 server with recursion enabled will now
8146 be ignored and cause a warning message.
8151 910. [port] Some pre-RFC2133 IPv6 implementations do not define
8152 IN6ADDR_ANY_INIT. [RT #1416]
8156 908. [func] New program, rndc-confgen, to simplify setting up rndc.
8158 907. [func] The ability to get entropy from either the
8159 random device, a user-provided file or from
8160 the keyboard was migrated from the DNSSEC tools
8161 to libisc as isc_entropy_usebestsource().
8163 906. [port] Separated the system independent portion of
8164 lib/isc/unix/entropy.c into lib/isc/entropy.c
8165 and added lib/isc/win32/entropy.c.
8167 905. [bug] Configuring a forward "zone" for the root domain
8168 did not work. [RT #1418]
8170 904. [bug] The server would leak memory if attempting to use
8171 an expired TSIG key. [RT #1406]
8173 903. [bug] dig should not crash when receiving a TCP packet
8176 902. [bug] The -d option was ignored if both -t and -g were also
8181 900. [bug] A config.guess update changed the system identification
8182 string of FreeBSD systems; configure and
8183 bin/tests/system/ifconfig.sh now recognize the new
8186 --- 9.2.0a2 released ---
8188 899. [bug] lib/dns/soa.c failed to compile on many platforms
8189 due to inappropriate use of a void value.
8190 [RT #1372, #1373, #1386, #1387, #1395]
8192 898. [bug] "dig" failed to set a nonzero exit status
8193 on UDP query timeout. [RT #1323]
8195 897. [bug] A config.guess update changed the system identification
8196 string of UnixWare systems; configure now recognizes
8199 896. [bug] If a configuration file is set on named's command line
8200 and it has a relative pathname, the current directory
8201 (after any possible jailing resulting from named -t)
8202 will be prepended to it so that reloading works
8203 properly even when a directory option is present.
8205 895. [func] New function, isc_dir_current(), akin to POSIX's
8208 894. [bug] When using the DNSSEC tools, a message intended to warn
8209 when the keyboard was being used because of the lack
8210 of a suitable random device was not being printed.
8212 893. [func] Removed isc_file_test() and added isc_file_exists()
8213 for the basic functionality that was being added
8214 with isc_file_test().
8218 891. [bug] Return an error when a SIG(0) signed response to
8219 an unsigned query is seen. This should actually
8220 do the verification, but it's not currently
8221 possible. [RT #1391]
8223 890. [cleanup] The man pages no longer require the mandoc macros
8224 and should now format cleanly using most versions of
8225 nroff, and HTML versions of the man pages have been
8226 added. Both are generated from DocBook source.
8228 889. [port] Eliminated blank lines before .TH in nroff man
8229 pages since they cause problems with some versions
8230 of nroff. [RT #1390]
8232 888. [bug] Don't die when using TKEY to delete a nonexistent
8233 TSIG key. [RT #1392]
8235 887. [port] Detect broken compilers that can't call static
8236 functions from inline functions. [RT #1212]
8278 866. [func] Close debug only file channels when debug is set to
8281 865. [bug] The new configuration parser did not allow
8282 the optional debug level in a "severity debug"
8283 clause of a logging channel to be omitted.
8284 This is now allowed and treated as "severity
8285 debug 1;" like it does in BIND 8.2.4, not as
8286 "severity debug 0;" like it did in BIND 9.1.
8289 864. [cleanup] Multi-threading is now enabled by default on
8290 OSF1, Solaris 2.7 and newer, AIX, IRIX, and HP-UX.
8292 863. [bug] If an error occurred while an outgoing zone transfer
8293 was starting up, the server could access a domain
8294 name that had already been freed when logging a
8295 message saying that the transfer was starting.
8298 862. [bug] Use after realloc(), non portable pointer arithmetic in
8301 861. [port] Add support for Mac OS X, by making it equivalent
8302 to Darwin. This was derived from the config.guess
8303 file shipped with Mac OS X. [RT #1355]
8305 860. [func] Drop cross class glue in zone transfers.
8307 859. [bug] Cache cleaning now won't swamp the CPU if there
8308 is a persistent over limit condition.
8310 858. [func] isc_mem_setwater() no longer requires that when the
8311 callback function is non-NULL then its hi_water
8312 argument must be greater than its lo_water argument
8313 (they can now be equal) or that they be non-zero.
8315 857. [cleanup] Use ISC_MAGIC() to define all magic numbers for
8316 structs, for our friends in EBCDIC-land.
8318 856. [func] Allow partial rdatasets to be returned in answer and
8319 authority sections to help non-TCP capable clients
8320 recover from truncation. [RT #1301]
8322 855. [bug] Stop spurious "using RFC 1035 TTL semantics" warnings.
8324 854. [bug] The config parser didn't properly handle config
8325 options that were specified in units of time other
8326 than seconds. [RT #1372]
8328 853. [bug] configure_view_acl() failed to detach existing acls.
8331 852. [bug] Handle responses from servers which do not know
8334 851. [cleanup] The obsolete support-ixfr option was not properly
8337 --- 9.2.0a1 released ---
8339 850. [bug] dns_rbt_findnode() would not find nodes that were
8340 split on a bitstring label somewhere other than in
8341 the last label of the node. [RT #1351]
8343 849. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined.
8345 848. [func] A minimum max-cache-size of two megabytes is enforced
8346 by the cache cleaner.
8348 847. [func] Added isc_file_test(), which currently only has
8349 some very basic functionality to test for the
8350 existence of a file, whether a pathname is absolute,
8351 or whether a pathname is the fundamental representation
8352 of the current directory. It is intended that this
8353 function can be expanded to test other things a
8354 programmer might want to know about a file.
8356 846. [func] A non-zero 'param' to dst_key_generate() when making an
8357 hmac-md5 key means that good entropy is not required.
8359 845. [bug] The access rights on the public file of a symmetric
8360 key are now restricted as soon as the file is opened,
8361 rather than after it has been written and closed.
8363 844. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined,
8364 just as <lwres/net.h> does.
8366 843. [func] If no controls statement is present in named.conf,
8367 or if any inet phrase of a controls statement is
8368 lacking a keys clause, then a key will be automatically
8369 generated by named and an rndc.conf-style file
8370 named named.key will be written that uses it. rndc
8371 will use this file only if its normal configuration
8372 file, or one provided on the command line, does not
8375 842. [func] 'rndc flush' now takes an optional view.
8377 841. [bug] When sdb modules were not declared threadsafe, their
8378 create and destroy functions were not serialized.
8380 840. [bug] The config file parser could print the wrong file
8381 name if an error was detected after an included file
8382 was parsed. [RT #1353]
8384 839. [func] Dump packets for which there was no view or that the
8385 class could not be determined to category "unmatched".
8387 838. [port] UnixWare 7.x.x is now suported by
8388 bin/tests/system/ifconfig.sh.
8390 837. [cleanup] Multi-threading is now enabled by default only on
8391 OSF1, Solaris 2.7 and newer, and AIX.
8393 836. [func] Upgraded libtool to 1.4.
8395 835. [bug] The dispatcher could enter a busy loop if
8396 it got an I/O error receiving on a UDP socket.
8399 834. [func] Accept (but warn about) master files beginning with
8400 an SOA record without an explicit TTL field and
8401 lacking a $TTL directive, by using the SOA MINTTL
8402 as a default TTL. This is for backwards compatibility
8403 with old versions of BIND 8, which accepted such
8404 files without warning although they are illegal
8405 according to RFC1035.
8407 833. [cleanup] Moved dns_soa_*() from <dns/journal.h> to
8408 <dns/soa.h>, and extended them to support
8409 all the integer-valued fields of the SOA RR.
8411 832. [bug] The default location for named.conf in named-checkconf
8412 should depend on --sysconfdir like it does in named.
8417 830. [func] Implement 'rndc status'.
8419 829. [bug] The DNS_R_ZONECUT result code should only be returned
8420 when an ANY query is made with DNS_DBFIND_GLUEOK set.
8421 In all other ANY query cases, returning the delegation
8424 828. [bug] The errno value from recvfrom() could be overwritten
8425 by logging code. [RT #1293]
8427 827. [bug] When an IXFR protocol error occurs, the slave
8428 should retry with AXFR.
8430 826. [bug] Some IXFR protocol errors were not detected.
8432 825. [bug] zone.c:ns_query() detached from the wrong zone
8433 reference. [RT #1264]
8435 824. [bug] Correct line numbers reported by dns_master_load().
8438 823. [func] The output of "dig -h" now goes to stdout so that it
8439 can easily be piped through "more". [RT #1254]
8441 822. [bug] Sending nxrrset prerequisites would crash nsupdate.
8444 821. [bug] The program name used when logging to syslog should
8445 be stripped of leading path components.
8448 820. [bug] Name server address lookups failed to follow
8449 A6 chains into the glue of local authoritative
8452 819. [bug] In certain cases, the resolver's attempts to
8453 restart an address lookup at the root could cause
8454 the fetch to deadlock (with itself) instead of
8455 restarting. [RT #1225]
8457 818. [bug] Certain pathological responses to ANY queries could
8458 cause an assertion failure. [RT #1218]
8460 817. [func] Adjust timeouts for dialup zone queries.
8462 816. [bug] Report potential problems with log file accessibility
8463 at configuration time, since such problems can't
8464 reliably be reported at the time they actually occur.
8466 815. [bug] If a log file was specified with a path separator
8467 character (i.e. "/") in its name and the directory
8468 did not exist, the log file's name was treated as
8469 though it were the directory name. [RT #1189]
8471 814. [bug] Socket objects left over from accept() failures
8472 were incorrectly destroyed, causing corruption
8473 of socket manager data structures.
8475 813. [bug] File descriptors exceeding FD_SETSIZE were handled
8478 812. [bug] dig sometimes printed incomplete IXFR responses
8479 due to an uninitialized variable. [RT #1188]
8481 811. [bug] Parentheses were not quoted in zone dumps. [RT #1194]
8483 810. [bug] The signer name in SIG records was not properly
8484 down-cased when signing/verifying records. [RT #1186]
8486 809. [bug] Configuring a non-local address as a transfer-source
8487 could cause an assertion failure during load.
8489 808. [func] Add 'rndc flush' to flush the server's cache.
8491 807. [bug] When setting up TCP connections for incoming zone
8492 transfers, the transfer-source port was not
8493 ignored like it should be.
8495 806. [bug] DNS_R_SEENINCLUDE was failing to propagate back up
8496 the calling stack to the zone maintenance level,
8497 causing zones to not reload when an included file was
8498 touched but the top-level zone file was not.
8500 805. [bug] When using "forward only", missing root hints should
8501 not cause queries to fail. [RT #1143]
8503 804. [bug] Attempting to obtain entropy could fail in some
8504 situations. This would be most common on systems
8505 with user-space threads. [RT #1131]
8507 803. [bug] Treat all SIG queries as if they have the CD bit set,
8508 otherwise no data will be returned [RT #749]
8510 802. [bug] DNSSEC key tags were computed incorrectly in almost
8511 all cases. [RT #1146]
8513 801. [bug] nsupdate should treat lines beginning with ';' as
8514 comments. [RT #1139]
8516 800. [bug] dnssec-signzone produced incorrect statistics for
8517 large zones. [RT #1133]
8519 799. [bug] The ADB didn't find AAAA glue in a zone unless A6
8520 glue was also present.
8522 798. [bug] nsupdate should be able to reject bad input lines
8523 and continue. [RT #1130]
8525 797. [func] Issue a warning if the 'directory' option contains
8526 a relative path. [RT #269]
8528 796. [func] When a size limit is associated with a log file,
8529 only roll it when the size is reached, not every
8530 time the log file is opened. [RT #1096]
8532 795. [func] Add the +multiline option to dig. [RT #1095]
8534 794. [func] Implement the "port" and "default-port" statements
8537 793. [cleanup] The DNSSEC tools could create filenames that were
8538 illegal or contained shell meta-characters. They
8539 now use a different text encoding of names that
8540 doesn't have these problems. [RT #1101]
8542 792. [cleanup] Replace the OMAPI command channel protocol with a
8545 791. [bug] The command channel now works over IPv6.
8547 790. [bug] Wildcards created using dynamic update or IXFR
8548 could fail to match. [RT #1111]
8550 789. [bug] The "localhost" and "localnets" ACLs did not match
8551 when used as the second element of a two-element
8554 788. [func] Add the "match-mapped-addresses" option, which
8555 causes IPv6 v4mapped addresses to be treated as
8556 IPv4 addresses for the purpose of acl matching.
8558 787. [bug] The DNSSEC tools failed to downcase domain
8559 names when mapping them into file names.
8561 786. [bug] When DNSSEC signing/verifying data, owner names were
8562 not properly down-cased.
8564 785. [bug] A race condition in the resolver could cause
8565 an assertion failure. [RT #673, #872, #1048]
8567 784. [bug] nsupdate and other programs would not quit properly
8568 if some signals were blocked by the caller. [RT #1081]
8570 783. [bug] Following CNAMEs could cause an assertion failure
8571 when either using an sdb database or under very
8574 782. [func] Implement the "serial-query-rate" option.
8576 781. [func] Avoid error packet loops by dropping duplicate FORMERR
8577 responses. [RT #1006]
8579 780. [bug] Error handling code dealing with out of memory or
8580 other rare errors could lead to assertion failures
8581 by calling functions on uninitialized names. [RT #1065]
8583 779. [func] Added the "minimal-responses" option.
8585 778. [bug] When starting cache cleaning, cleaning_timer_action()
8586 returned without first pausing the iterator, which
8587 could cause deadlock. [RT #998]
8589 777. [bug] An empty forwarders list in a zone failed to override
8590 global forwarders. [RT #995]
8592 776. [func] Improved error reporting in denied messages. [RT #252]
8596 774. [func] max-cache-size is implemented.
8598 773. [func] Added isc_rwlock_trylock() to attempt to lock without
8601 772. [bug] Owner names could be incorrectly omitted from cache
8602 dumps in the presence of negative caching entries.
8605 771. [cleanup] TSIG errors related to unsynchronized clocks
8606 are logged better. [RT #919]
8608 770. [func] Add the "edns yes_or_no" statement to the server
8611 769. [func] Improved error reporting when parsing rdata. [RT #740]
8613 768. [bug] The server did not emit an SOA when a CNAME
8614 or DNAME chain ended in NXDOMAIN in an
8619 766. [bug] A few cases in query_find() could leak fname.
8620 This would trigger the mpctx->allocated == 0
8621 assertion when the server exited.
8622 [RT #739, #776, #798, #812, #818, #821, #845,
8625 765. [func] ACL names are once again case insensitive, like
8626 in BIND 8. [RT #252]
8628 764. [func] Configuration files now allow "include" directives
8629 in more places, such as inside the "view" statement.
8630 [RT #377, #728, #860]
8632 763. [func] Configuration files no longer have reserved words.
8635 762. [cleanup] The named.conf and rndc.conf file parsers have
8636 been completely rewritten.
8638 761. [bug] _REENTRANT was still defined when building with
8641 760. [contrib] Significant enhancements to the pgsql sdb driver.
8643 759. [bug] The resolver didn't turn off "avoid fetches" mode
8644 when restarting, possibly causing resolution
8645 to fail when it should not. This bug only affected
8646 platforms which support both IPv4 and IPv6. [RT #927]
8648 758. [bug] The "avoid fetches" code did not treat negative
8649 cache entries correctly, causing fetches that would
8650 be useful to be avoided. This bug only affected
8651 platforms which support both IPv4 and IPv6. [RT #927]
8653 757. [func] Log zone transfers.
8655 756. [bug] dns_zone_load() could "return" success when no master
8656 file was configured.
8658 755. [bug] Fix incorrectly formatted log messages in zone.c.
8660 754. [bug] Certain failure conditions sending UDP packets
8661 could cause the server to retry the transmission
8662 indefinitely. [RT #902]
8664 753. [bug] dig, host, and nslookup would fail to contact a
8665 remote server if getaddrinfo() returned an IPv6
8666 address on a system that doesn't support IPv6.
8669 752. [func] Correct bad tv_usec elements returned by
8672 751. [func] Log successful zone loads / transfers. [RT #898]
8674 750. [bug] A query should not match a DNAME whose trust level
8675 is pending. [RT #916]
8677 749. [bug] When a query matched a DNAME in a secure zone, the
8678 server did not return the signature of the DNAME.
8681 748. [doc] List supported RFCs in doc/misc/rfc-compliance.
8684 747. [bug] The code to determine whether an IXFR was possible
8685 did not properly check for a database that could
8686 not have a journal. [RT #865, #908]
8688 746. [bug] The sdb didn't clone rdatasets properly, causing
8689 a crash when the server followed delegations. [RT #905]
8691 745. [func] Report the owner name of records that fail
8692 semantic checks while loading.
8694 744. [bug] When returning DNS_R_CNAME or DNS_R_DNAME as the
8695 result of an ANY or SIG query, the resolver failed
8696 to setup the return event's rdatasets, causing an
8697 assertion failure in the query code. [RT #881]
8699 743. [bug] Receiving a large number of certain malformed
8700 answers could cause named to stop responding.
8705 741. [port] Support openssl-engine. [RT #709]
8707 740. [port] Handle openssl library mismatches slightly better.
8709 739. [port] Look for /dev/random in configure, rather than
8710 assuming it will be there for only a predefined
8713 738. [bug] If a non-threadsafe sdb driver supported AXFR and
8714 received an AXFR request, it would deadlock or die
8715 with an assertion failure. [RT #852]
8717 737. [port] stdtime.c failed to compile on certain platforms.
8719 736. [func] New functions isc_task_{begin,end}exclusive().
8721 735. [doc] Add BIND 4 migration notes.
8723 734. [bug] An attempt to re-lock the zone lock could occur if
8724 the server was shutdown during a zone transfer.
8727 733. [bug] Reference counts of dns_acl_t objects need to be
8728 locked but were not. [RT #801, #821]
8730 732. [bug] Glue with 0 TTL could also cause SERVFAIL. [RT #828]
8732 731. [bug] Certain zone errors could cause named-checkzone to
8733 fail ungracefully. [RT #819]
8735 730. [bug] lwres_getaddrinfo() returns the correct result when
8736 it fails to contact a server. [RT #768]
8738 729. [port] pthread_setconcurrency() needs to be called on Solaris.
8740 728. [bug] Fix comment processing on master file directives.
8743 727. [port] Work around OS bug where accept() succeeds but
8744 fails to fill in the peer address of the accepted
8745 connection, by treating it as an error rather than
8746 an assertion failure. [RT #809]
8748 726. [func] Implement the "trace" and "notrace" commands in rndc.
8750 725. [bug] Installing man pages could fail.
8752 724. [func] New libisc functions isc_netaddr_any(),
8755 723. [bug] Referrals whose NS RRs had a 0 TTL caused the resolver
8756 to return DNS_R_SERVFAIL. [RT #783]
8758 722. [func] Allow incremental loads to be canceled.
8760 721. [cleanup] Load manager and dns_master_loadfilequota() are no
8763 720. [bug] Server could enter infinite loop in
8764 dispatch.c:do_cancel(). [RT #733]
8766 719. [bug] Rapid reloads could trigger an assertion failure.
8769 718. [cleanup] "internal" is no longer a reserved word in named.conf.
8772 717. [bug] Certain TKEY processing failure modes could
8773 reference an uninitialized variable, causing the
8774 server to crash. [RT #750]
8776 716. [bug] The first line of a $INCLUDE master file was lost if
8777 an origin was specified. [RT #744]
8779 715. [bug] Resolving some A6 chains could cause an assertion
8780 failure in adb.c. [RT #738]
8782 714. [bug] Preserve interval timers across reloads unless changed.
8785 713. [func] named-checkconf takes '-t directory' similar to named.
8788 712. [bug] Sending a large signed update message caused an
8789 assertion failure. [RT #718]
8791 711. [bug] The libisc and liblwres implementations of
8792 inet_ntop contained an off by one error.
8794 710. [func] The forwarders statement now takes an optional
8797 709. [bug] ANY or SIG queries for data with a TTL of 0
8798 would return SERVFAIL. [RT #620]
8800 708. [bug] When building with --with-openssl, the openssl headers
8801 included with BIND 9 should not be used. [RT #702]
8803 707. [func] The "filename" argument to named-checkzone is no
8804 longer optional, to reduce confusion. [RT #612]
8806 706. [bug] Zones with an explicit "allow-update { none; };"
8807 were considered dynamic and therefore not reloaded
8808 on SIGHUP or "rndc reload".
8810 705. [port] Work out resource limit type for use where rlim_t is
8811 not available. [RT #695]
8813 704. [port] RLIMIT_NOFILE is not available on all platforms.
8816 703. [port] sys/select.h is needed on older platforms. [RT #695]
8818 702. [func] If the address 0.0.0.0 is seen in resolv.conf,
8819 use 127.0.0.1 instead. [RT #693]
8821 701. [func] Root hints are now fully optional. Class IN
8822 views use compiled-in hints by default, as
8823 before. Non-IN views with no root hints now
8824 provide authoritative service but not recursion.
8825 A warning is logged if a view has neither root
8826 hints nor authoritative data for the root. [RT #696]
8828 700. [bug] $GENERATE range check was wrong. [RT #688]
8830 699. [bug] The lexer mishandled empty quoted strings. [RT #694]
8832 698. [bug] Aborting nsupdate with ^C would lead to several
8835 697. [bug] nsupdate was not compatible with the undocumented
8836 BIND 8 behavior of ignoring TTLs in "update delete"
8839 696. [bug] lwresd would die with an assertion failure when passed
8840 a zero-length name. [RT #692]
8842 695. [bug] If the resolver attempted to query a blackholed or
8843 bogus server, the resolution would fail immediately.
8845 694. [bug] $GENERATE did not produce the last entry.
8848 693. [bug] An empty lwres statement in named.conf caused
8849 the server to crash while loading.
8851 692. [bug] Deal with systems that have getaddrinfo() but not
8852 gai_strerror(). [RT #679]
8854 691. [bug] Configuring per-view forwarders caused an assertion
8855 failure. [RT #675, #734]
8857 690. [func] $GENERATE now supports DNAME. [RT #654]
8859 689. [doc] man pages are now installed. [RT #210]
8861 688. [func] "make tags" now works on systems with the
8862 "Exuberant Ctags" etags.
8864 687. [bug] Only say we have IPv6, with sufficient functionality,
8865 if it has actually been tested. [RT #586]
8867 686. [bug] dig and nslookup can now be properly aborted during
8868 blocking operations. [RT #568]
8870 685. [bug] nslookup should use the search list/domain options
8871 from resolv.conf by default. [RT #405, #630]
8873 684. [bug] Memory leak with view forwarders. [RT #656]
8875 683. [bug] File descriptor leak in isc_lex_openfile().
8877 682. [bug] nslookup displayed SOA records incorrectly. [RT #665]
8879 681. [bug] $GENERATE specifying output format was broken. [RT #653]
8881 680. [bug] dns_rdata_fromstruct() mishandled options bigger
8884 679. [bug] $INCLUDE could leak memory and file descriptors on
8887 678. [bug] "transfer-format one-answer;" could trigger an assertion
8890 677. [bug] dnssec-signzone would occasionally use the wrong ttl
8891 for database operations and fail. [RT #643]
8893 676. [bug] Log messages about lame servers to category
8894 'lame-servers' rather than 'resolver', so as not
8895 to be gratuitously incompatible with BIND 8.
8897 675. [bug] TKEY queries could cause the server to leak
8900 674. [func] Allow messages to be TSIG signed / verified using
8901 a offset from the current time.
8903 673. [func] The server can now convert RFC1886-style recursive
8904 lookup requests into RFC2874-style lookups, when
8905 enabled using the new option "allow-v6-synthesis".
8907 672. [bug] The wrong time was in the "time signed" field when
8908 replying with BADTIME error.
8910 671. [bug] The message code was failing to parse a message with
8911 no question section and a TSIG record. [RT #628]
8913 670. [bug] The lwres replacements for getaddrinfo and
8914 getipnodebyname didn't properly check for the
8915 existence of the sockaddr sa_len field.
8917 669. [bug] dnssec-keygen now makes the public key file
8918 non-world-readable for symmetric keys. [RT #403]
8920 668. [func] named-checkzone now reports multiple errors in master
8923 667. [bug] On Linux, running named with the -u option and a
8924 non-world-readable configuration file didn't work.
8927 666. [bug] If a request sent by dig is longer than 512 bytes,
8930 665. [bug] Signed responses were not sent when the size of the
8931 TSIG + question exceeded the maximum message size.
8934 664. [bug] The t_tasks and t_timers module tests are now skipped
8935 when building without threads, since they require
8938 663. [func] Accept a size_spec, not just an integer, in the
8939 (unimplemented and ignored) max-ixfr-log-size option
8940 for compatibility with recent versions of BIND 8.
8943 662. [bug] dns_rdata_fromtext() failed to log certain errors.
8945 661. [bug] Certain UDP IXFR requests caused an assertion failure
8946 (mpctx->allocated == 0). [RT #355, #394, #623]
8948 660. [port] Detect multiple CPUs on HP-UX and IRIX.
8950 659. [performance] Rewrite the name compression code to be much faster.
8952 658. [cleanup] Remove all vestiges of 16 bit global compression.
8954 657. [bug] When a listen-on statement in an lwres block does not
8955 specify a port, use 921, not 53. Also update the
8956 listen-on documentation. [RT #616]
8958 656. [func] Treat an unescaped newline in a quoted string as
8959 an error. This means that TXT records with missing
8960 close quotes should have meaningful errors printed.
8962 655. [bug] Improve error reporting on unexpected eof when loading
8965 654. [bug] Origin was being forgotten in TCP retries in dig.
8968 653. [bug] +defname option in dig was reversed in sense.
8971 652. [bug] zone_saveunique() did not report the new name.
8973 651. [func] The AD bit in responses now has the meaning
8974 specified in <draft-ietf-dnsext-ad-is-secure>.
8976 650. [bug] SIG(0) records were being generated and verified
8977 incorrectly. [RT #606]
8979 649. [bug] It was possible to join to an already running fctx
8980 after it had "cloned" its events, but before it sent
8981 them. In this case, the event of the newly joined
8982 fetch would not contain the answer, and would
8983 trigger the INSIST() in fctx_sendevents(). In
8984 BIND 9.0, this bug did not trigger an INSIST(), but
8985 caused the fetch to fail with a SERVFAIL result.
8986 [RT #588, #597, #605, #607]
8988 648. [port] Add support for pre-RFC2133 IPv6 implementations.
8990 647. [bug] Resolver queries sent after following multiple
8991 referrals had excessively long retransmission
8992 timeouts due to incorrectly counting the referrals
8995 646. [bug] The UnixWare ISC_PLATFORM_FIXIN6INADDR fix in isc/net.h
8996 didn't _cleanly_ fix the problem it was trying to fix.
8998 645. [port] BSD/OS 3.0 needs pthread_init(). [RT #603]
9000 644. [bug] #622 needed more work. [RT #562]
9002 643. [bug] xfrin error messages made more verbose, added class
9003 of the zone. [RT# 599]
9005 642. [bug] Break the exit_check() race in the zone module.
9008 --- 9.1.0b2 released ---
9010 641. [bug] $GENERATE caused a uninitialized link to be used.
9013 640. [bug] Memory leak in error path could cause
9014 "mpctx->allocated == 0" failure. [RT #584]
9016 639. [bug] Reading entropy from the keyboard would sometimes fail.
9019 638. [port] lib/isc/random.c needed to explicitly include time.h
9020 to get a prototype for time() when pthreads was not
9021 being used. [RT #592]
9023 637. [port] Use isc_u?int64_t instead of (unsigned) long long in
9024 lib/isc/print.c. Also allow lib/isc/print.c to
9025 be compiled even if the platform does not need it.
9028 636. [port] Shut up MSVC++ about a possible loss of precision
9029 in the ISC__BUFFER_PUTUINT*() macros. [RT #592]
9031 635. [bug] Reloading a server with a configured blackhole list
9032 would cause an assertion. [RT #590]
9034 634. [bug] A log file will completely stop being written when
9035 it reaches the maximum size in all cases, not just
9036 when versioning is also enabled. [RT #570]
9038 633. [port] Cope with rlim_t missing on BSD/OS systems. [RT #575]
9040 632. [bug] The index array of the journal file was
9041 corrupted as it was written to disk.
9043 631. [port] Build without thread support on systems without
9046 630. [bug] Locking failure in zone code. [RT #582]
9048 629. [bug] 9.1.0b1 dereferenced a null pointer and crashed
9049 when responding to a UDP IXFR request.
9051 628. [bug] If the root hints contained only AAAA addresses,
9052 named would be unable to perform resolution.
9054 627. [bug] The EDNS0 blackhole detection code of change 324
9055 waited for three retransmissions to each server,
9056 which takes much too long when a domain has many
9057 name servers and all of them drop EDNS0 queries.
9058 Now we retry without EDNS0 after three consecutive
9059 timeouts, even if they are all from different
9062 626. [bug] The lightweight resolver daemon no longer crashes
9063 when asked for a SIG rrset. [RT #558]
9065 625. [func] Zones now inherit their class from the enclosing view.
9067 624. [bug] The zone object could get timer events after it had
9068 been destroyed, causing a server crash. [RT #571]
9070 623. [func] Added "named-checkconf" and "named-checkzone" program
9071 for syntax checking named.conf files and zone files,
9074 622. [bug] A canceled request could be destroyed before
9075 dns_request_destroy() was called. [RT #562]
9077 621. [port] Disable IPv6 at runtime if IPv6 sockets are unusable.
9078 This mostly affects Red Hat Linux 7.0, which has
9079 conflicts between libc and the kernel.
9081 620. [bug] dns_master_load*inc() now require 'task' and 'load'
9082 to be non-null. Also 'done' will not be called if
9083 dns_master_load*inc() fails immediately. [RT #565]
9087 618. [bug] Queries to a signed zone could sometimes cause
9088 an assertion failure.
9090 617. [bug] When using dynamic update to add a new RR to an
9091 existing RRset with a different TTL, the journal
9092 entries generated from the update did not include
9093 explicit deletions and re-additions of the existing
9094 RRs to update their TTL to the new value.
9096 616. [func] dnssec-signzone -t output now includes performance
9099 615. [bug] dnssec-signzone did not like child keysets signed
9102 614. [bug] Checks for uninitialized link fields were prone
9103 to false positives, causing assertion failures.
9104 The checks are now disabled by default and may
9105 be re-enabled by defining ISC_LIST_CHECKINIT.
9107 613. [bug] "rndc reload zone" now reloads primary zones.
9108 It previously only updated slave and stub zones,
9109 if an SOA query indicated an out of date serial.
9111 612. [cleanup] Shutup a ridiculously noisy HP-UX compiler that
9112 complains relentlessly about how its treatment
9113 of 'const' has changed as well as how casting
9114 sometimes tightens alignment constraints.
9116 611. [func] allow-notify can be used to permit processing of
9117 notify messages from hosts other than a slave's
9120 610. [func] rndc dumpdb is now supported.
9122 609. [bug] getrrsetbyname() would crash lwresd if the server
9123 found more SIGs than answers. [RT #554]
9125 608. [func] dnssec-signzone now adds a comment to the zone
9126 with the time the file was signed.
9128 607. [bug] nsupdate would fail if it encountered a CNAME or
9129 DNAME in a response to an SOA query. [RT #515]
9131 606. [bug] Compiling with --disable-threads failed due
9132 to isc_thread_self() being incorrectly defined
9133 as an integer rather than a function.
9135 605. [func] New function isc_lex_getlasttokentext().
9137 604. [bug] The named.conf parser could print incorrect line
9138 numbers when long comments were present.
9140 603. [bug] Make dig handle multiple types or classes on the same
9141 query more correctly.
9143 602. [func] Cope automatically with UnixWare's broken
9144 IN6_IS_ADDR_* macros. [RT #539]
9146 601. [func] Return a non-zero exit code if an update fails
9149 600. [bug] Reverse lookups sometimes failed in dig, etc...
9151 599. [func] Added four new functions to the libisc log API to
9152 support i18n messages. isc_log_iwrite(),
9153 isc_log_ivwrite(), isc_log_iwrite1() and
9154 isc_log_ivwrite1() were added.
9156 598. [bug] An update-policy statement would cause the server
9157 to assert while loading. [RT #536]
9159 597. [func] dnssec-signzone is now multi-threaded.
9161 596. [bug] DNS_RDATASLAB_FORCE and DNS_RDATASLAB_EXACT are
9162 not mutually exclusive.
9164 595. [port] On Linux 2.2, socket() returns EINVAL when it
9165 should return EAFNOSUPPORT. Work around this.
9168 594. [func] sdb drivers are now assumed to not be thread-safe
9169 unless the DNS_SDBFLAG_THREADSAFE flag is supplied.
9171 593. [bug] If a secure zone was missing all its NXTs and
9172 a dynamic update was attempted, the server entered
9175 592. [bug] The sig-validity-interval option now specifies a
9176 number of days, not seconds. This matches the
9177 documentation. [RT #529]
9179 --- 9.1.0b1 released ---
9181 591. [bug] Work around non-reentrancy in openssl by disabling
9182 pre-computation in keys.
9184 590. [doc] There are now man pages for the lwres library in
9187 589. [bug] The server could deadlock if a zone was updated
9188 while being transferred out.
9190 588. [bug] ctx->in_use was not being correctly initialized when
9191 when pushing a file for $INCLUDE. [RT #523]
9193 587. [func] A warning is now printed if the "allow-update"
9194 option allows updates based on the source IP
9195 address, to alert users to the fact that this
9196 is insecure and becoming increasingly so as
9197 servers capable of update forwarding are being
9200 586. [bug] multiple views with the same name were fatal. [RT #516]
9202 585. [func] dns_db_addrdataset() and and dns_rdataslab_merge()
9203 now support 'exact' additions in a similar manner to
9204 dns_db_subtractrdataset() and dns_rdataslab_subtract().
9206 584. [func] You can now say 'notify explicit'; to suppress
9207 notification of the servers listed in NS records
9208 and notify only those servers listed in the
9209 'also-notify' option.
9211 583. [func] "rndc querylog" will now toggle logging of
9212 queries, like "ndc querylog" in BIND 8.
9214 582. [bug] dns_zone_idetach() failed to lock the zone.
9217 581. [bug] log severity was not being correctly processed.
9220 580. [func] Ignore trailing garbage on incoming DNS packets,
9221 for interoperability with broken server
9222 implementations. [RT #491]
9224 579. [bug] nsupdate did not take a filename to read update from.
9227 578. [func] New config option "notify-source", to specify the
9228 source address for notify messages.
9230 577. [func] Log illegal RDATA combinations. e.g. multiple
9231 singleton types, cname and other data.
9233 576. [doc] isc_log_create() description did not match reality.
9235 575. [bug] isc_log_create() was not setting internal state
9236 correctly to reflect the default channels created.
9238 574. [bug] TSIG signed queries sent by the resolver would fail to
9239 have their responses validated and would leak memory.
9241 573. [bug] The journal files of IXFRed slave zones were
9242 inadvertently discarded on server reload, causing
9243 "journal out of sync with zone" errors on subsequent
9246 572. [bug] Quoted strings were not accepted as key names in
9247 address match lists.
9249 571. [bug] It was possible to create an rdataset of singleton
9250 type which had more than one rdata. [RT #154]
9253 570. [bug] rbtdb.c allowed zones containing nodes which had
9254 both a CNAME and "other data". [RT #154]
9256 569. [func] The DNSSEC AD bit will not be set on queries which
9257 have not requested a DNSSEC response.
9259 568. [func] Add sample simple database drivers in contrib/sdb.
9261 567. [bug] Setting the zone transfer timeout to zero caused an
9262 assertion failure. [RT #302]
9264 566. [func] New public function dns_timer_setidle().
9266 565. [func] Log queries more like BIND 8: query logging is now
9267 done to category "queries", level "info". [RT #169]
9269 564. [func] Add sortlist support to lwresd.
9271 563. [func] New public functions dns_rdatatype_format() and
9272 dns_rdataclass_format(), for convenient formatting
9273 of rdata type/class mnemonics in log messages.
9275 562. [cleanup] Moved lib/dns/*conf.c to bin/named where they belong.
9277 561. [func] The 'datasize', 'stacksize', 'coresize' and 'files'
9278 clauses of the options{} statement are now implemented.
9280 560. [bug] dns_name_split did not properly the resulting prefix
9281 when a maximal length bitstring label was split which
9282 was preceded by another bitstring label. [RT #429]
9284 559. [bug] dns_name_split did not properly create the suffix
9285 when splitting within a maximal length bitstring label.
9287 558. [func] New functions, isc_resource_getlimit and
9288 isc_resource_setlimit.
9290 557. [func] Symbolic constants for libisc integral types.
9292 556. [func] The DNSSEC OK bit in the EDNS extended flags
9293 is now implemented. Responses to queries without
9294 this bit set will not contain any DNSSEC records.
9296 555. [bug] A slave server attempting a zone transfer could
9297 crash with an assertion failure on certain
9298 malformed responses from the master. [RT #457]
9300 554. [bug] In some cases, not all of the dnssec tools were
9303 553. [bug] Incoming zone transfers deferred due to quota
9304 were not started when quota was increased but
9305 only when a transfer in progress finished. [RT #456]
9307 552. [bug] We were not correctly detecting the end of all c-style
9310 551. [func] Implemented the 'sortlist' option.
9312 550. [func] Support unknown rdata types and classes.
9314 549. [bug] "make" did not immediately abort the build when a
9315 subdirectory make failed [RT #450].
9317 548. [func] The lexer now ungets tokens more correctly.
9321 546. [func] Option 'lame-ttl' is now implemented.
9323 545. [func] Name limit and counting options removed from dig;
9324 they didn't work properly, and cannot be correctly
9325 implemented without significant changes.
9327 544. [func] Add statistics option, enable statistics-file option,
9328 add RNDC option "dump-statistics" to write out a
9329 query statistics file.
9331 543. [doc] The 'port' option is now documented.
9333 542. [func] Add support for update forwarding as required for
9334 full compliance with RFC2136. It is turned off
9335 by default and can be enabled using the
9336 'allow-update-forwarding' option.
9338 541. [func] Add bogus server support.
9340 540. [func] Add dialup support.
9342 539. [func] Support the blackhole option.
9344 538. [bug] fix buffer overruns by 1 in lwres_getnameinfo().
9348 536. [func] Use transfer-source{-v6} when sending refresh queries.
9349 Transfer-source{-v6} now take a optional port
9350 parameter for setting the UDP source port. The port
9351 parameter is ignored for TCP.
9353 535. [func] Use transfer-source{-v6} when forwarding update
9356 534. [func] Ancestors have been removed from RBT chains. Ancestor
9357 information can be discerned via node parent pointers.
9359 533. [func] Incorporated name hashing into the RBT database to
9360 improve search speed.
9362 532. [func] Implement DNS UPDATE pseudo records using
9363 DNS_RDATA_UPDATE flag.
9365 531. [func] Rdata really should be initialized before being assigned
9366 to (dns_rdata_fromwire(), dns_rdata_fromtext(),
9367 dns_rdata_clone(), dns_rdata_fromregion()),
9370 530. [func] New function dns_rdata_invalidate().
9372 529. [bug] 521 contained a bug which caused zones to always
9375 528. [func] The ISC_LIST_XXXX macros now perform sanity checks
9376 on their arguments. ISC_LIST_XXXXUNSAFE can be use
9377 to skip the checks however use with caution.
9379 527. [func] New function dns_rdata_clone().
9381 526. [bug] nsupdate incorrectly refused to add RRs with a TTL
9384 525. [func] New arguments 'options' for dns_db_subtractrdataset(),
9385 and 'flags' for dns_rdataslab_subtract() allowing you
9386 to request that the RR's must exist prior to deletion.
9387 DNS_R_NOTEXACT is returned if the condition is not met.
9389 524. [func] The 'forward' and 'forwarders' statement in
9390 non-forward zones should work now.
9392 523. [doc] The source to the Administrator Reference Manual is
9393 now an XML file using the DocBook DTD, and is included
9394 in the distribution. The plain text version of the
9395 ARM is temporarily unavailable while we figure out
9396 how to generate readable plain text from the XML.
9398 522. [func] The lightweight resolver daemon can now use
9399 a real configuration file, and its functionality
9400 can be provided by a name server. Also, the -p and -P
9401 options to lwresd have been reversed.
9403 521. [bug] Detect master files which contain $INCLUDE and always
9406 520. [bug] Upgraded libtool to 1.3.5, which makes shared
9407 library builds almost work on AIX (and possibly
9410 519. [bug] dns_name_split() would improperly split some bitstring
9411 labels, zeroing a few of the least significant bits in
9412 the prefix part. When such an improperly created
9413 prefix was returned to the RBT database, the bogus
9414 label was dutifully stored, corrupting the tree.
9417 518. [bug] The resolver did not realize that a DNAME which was
9418 "the answer" to the client's query was "the answer",
9419 and such queries would fail. [RT #399]
9421 517. [bug] The resolver's DNAME code would trigger an assertion
9422 if there was more than one DNAME in the chain.
9425 516. [bug] Cache lookups which had a NULL node pointer, e.g.
9426 those by dns_view_find(), and which would match a
9427 DNAME, would trigger an INSIST(!search.need_cleanup)
9428 assertion. [RT #399]
9430 515. [bug] The ssu table was not being attached / detached
9431 by dns_zone_[sg]etssutable. [RT#397]
9433 514. [func] Retry refresh and notify queries if they timeout.
9436 513. [func] New functionality added to rdnc and server to allow
9437 individual zones to be refreshed or reloaded.
9439 512. [bug] The zone transfer code could throw an exception with
9440 an invalid IXFR stream.
9442 511. [bug] The message code could throw an assertion on an
9443 out of memory failure. [RT #392]
9445 510. [bug] Remove spurious view notify warning. [RT #376]
9447 509. [func] Add support for write of zone files on shutdown.
9449 508. [func] dns_message_parse() can now do a best-effort
9450 attempt, which should allow dig to print more invalid
9453 507. [func] New functions dns_zone_flush(), dns_zt_flushanddetach()
9454 and dns_view_flushanddetach().
9456 506. [func] Do not fail to start on errors in zone files.
9458 505. [bug] nsupdate was printing "unknown result code". [RT #373]
9460 504. [bug] The zone was not being marked as dirty when updated via
9463 503. [bug] dumptime was not being set along with
9464 DNS_ZONEFLG_NEEDDUMP.
9466 502. [func] On a SERVFAIL reply, DiG will now try the next server
9467 in the list, unless the +fail option is specified.
9469 501. [bug] Incorrect port numbers were being displayed by
9472 500. [func] Nearly useless +details option removed from DiG.
9474 499. [func] In DiG, specifying a class with -c or type with -t
9475 changes command-line parsing so that classes and
9476 types are only recognized if following -c or -t.
9477 This allows hosts with the same name as a class or
9478 type to be looked up.
9480 498. [doc] There is now a man page for "dig"
9481 in doc/man/bin/dig.1.
9483 497. [bug] The error messages printed when an IP match list
9484 contained a network address with a nonzero host
9485 part where not sufficiently detailed. [RT #365]
9487 496. [bug] named didn't sanity check numeric parameters. [RT #361]
9489 495. [bug] nsupdate was unable to handle large records. [RT #368]
9491 494. [func] Do not cache NXDOMAIN responses for SOA queries.
9493 493. [func] Return non-cachable (ttl = 0) NXDOMAIN responses
9494 for SOA queries. This makes it easier to locate
9495 the containing zone without polluting intermediate
9498 492. [bug] attempting to reload a zone caused the server fail
9499 to shutdown cleanly. [RT #360]
9501 491. [bug] nsupdate would segfault when sending certain
9502 prerequisites with empty RDATA. [RT #356]
9504 490. [func] When a slave/stub zone has not yet successfully
9505 obtained an SOA containing the zone's configured
9506 retry time, perform the SOA query retries using
9507 exponential backoff. [RT #337]
9509 489. [func] The zone manager now has a "i/o" queue.
9511 488. [bug] Locks weren't properly destroyed in some cases.
9513 487. [port] flockfile() is not defined on all systems.
9515 486. [bug] nslookup: "set all" and "server" commands showed
9516 the incorrect port number if a port other than 53
9517 was specified. [RT #352]
9519 485. [func] When dig had more than one server to query, it would
9520 send all of the messages at the same time. Add
9521 rate limiting of the transmitted messages.
9523 484. [bug] When the server was reloaded after removing addresses
9524 from the named.conf "listen-on" statement, sockets
9525 were still listening on the removed addresses due
9526 to reference count loops. [RT #325]
9528 483. [bug] nslookup: "set all" showed a "search" option but it
9531 482. [bug] nslookup: a plain "server" or "lserver" should be
9532 treated as a lookup.
9534 481. [bug] nslookup:get_next_command() stack size could exceed
9537 480. [bug] strtok() is not thread safe. [RT #349]
9539 479. [func] The test suite can now be run by typing "make check"
9540 or "make test" at the top level.
9542 478. [bug] "make install" failed if the directory specified with
9543 --prefix did not already exist.
9545 477. [bug] The the isc-config.sh script could be installed before
9546 its directory was created. [RT #324]
9548 476. [bug] A zone could expire while a zone transfer was in
9549 progress triggering a INSIST failure. [RT #329]
9551 475. [bug] query_getzonedb() sometimes returned a non-null version
9552 on failure. This caused assertion failures when
9553 generating query responses where names subject to
9554 additional section processing pointed to a zone
9555 to which access had been denied by means of the
9556 allow-query option. [RT #336]
9558 474. [bug] The mnemonic of the CHAOS class is CH according to
9559 RFC1035, but it was printed and read only as CHAOS.
9560 We now accept both forms as input, and print it
9563 473. [bug] nsupdate overran the end of the list of name servers
9564 when no servers could be reached, typically causing
9565 it to print the error message "dns_request_create:
9568 472. [bug] Off-by-one error caused isc_time_add() to sometimes
9569 produce invalid time values.
9571 471. [bug] nsupdate didn't compile on HP/UX 10.20
9573 470. [func] $GENERATE is now supported. See also
9576 469. [bug] "query-source address * port 53;" now works.
9578 468. [bug] dns_master_load*() failed to report file and line
9579 number in certain error conditions.
9581 467. [bug] dns_master_load*() failed to log an error if
9584 466. [bug] dns_master_load*() could return success when it failed.
9586 465. [cleanup] Allow 0 to be set as an omapi_value_t value by
9587 omapi_value_storeint().
9589 464. [cleanup] Build with openssl's RSA code instead of dnssafe.
9591 463. [bug] nsupdate sent malformed SOA queries to the second
9592 and subsequent name servers in resolv.conf if the
9593 query sent to the first one failed.
9595 462. [bug] --disable-ipv6 should work now.
9597 461. [bug] Specifying an unknown key in the "keys" clause of the
9598 "controls" statement caused a NULL pointer dereference.
9601 460. [bug] Much of the DNSSEC code only worked with class IN.
9603 459. [bug] Nslookup processed the "set" command incorrectly.
9605 458. [bug] Nslookup didn't properly check class and type values.
9608 457. [bug] Dig/host/hslookup didn't properly handle connect
9609 timeouts in certain situations, causing an
9610 unnecessary warning message to be printed.
9612 456. [bug] Stub zones were not resetting the refresh and expire
9613 counters, loadtime or clearing the DNS_ZONE_REFRESH
9614 (refresh in progress) flag upon successful update.
9615 This disabled further refreshing of the stub zone,
9616 causing it to eventually expire. [RT #300]
9618 455. [doc] Document IPv4 prefix notation does not require a
9619 dotted decimal quad but may be just dotted decimal.
9621 454. [bug] Enforce dotted decimal and dotted decimal quad where
9622 documented as such in named.conf. [RT #304, RT #311]
9624 453. [bug] Warn if the obsolete option "maintain-ixfr-base"
9625 is specified in named.conf. [RT #306]
9627 452. [bug] Warn if the unimplemented option "statistics-file"
9628 is specified in named.conf. [RT #301]
9630 451. [func] Update forwarding implemented.
9632 450. [func] New function ns_client_sendraw().
9634 449. [bug] isc_bitstring_copy() only works correctly if the
9635 two bitstrings have the same lsb0 value, but this
9636 requirement was not documented, nor was there a
9639 448. [bug] Host output formatting change, to match v8. [RT #255]
9641 447. [bug] Dig didn't properly retry in TCP mode after
9642 a truncated reply. [RT #277]
9644 446. [bug] Confusing notify log message. [RT #298]
9646 445. [bug] Doing a 0 bit isc_bitstring_copy() of an lsb0
9647 bitstring triggered a REQUIRE statement. The REQUIRE
9648 statement was incorrect. [RT #297]
9650 444. [func] "recursion denied" messages are always logged at
9651 debug level 1, now, rather than sometimes at ERROR.
9652 This silences these warnings in the usual case, where
9653 some clients set the RD bit in all queries.
9655 443. [bug] When loading a master file failed because of an
9656 unrecognized RR type name, the error message
9657 did not include the file name and line number.
9660 442. [bug] TSIG signed messages that did not match any view
9661 crashed the server. [RT #290]
9663 441. [bug] Nodes obscured by a DNAME were inaccessible even
9664 when DNS_DBFIND_GLUEOK was set.
9666 440. [func] New function dns_zone_forwardupdate().
9668 439. [func] New function dns_request_createraw().
9670 438. [func] New function dns_message_getrawmessage().
9672 437. [func] Log NOTIFY activity to the notify channel.
9674 436. [bug] If recvmsg() returned EHOSTUNREACH or ENETUNREACH,
9675 which sometimes happens on Linux, named would enter
9676 a busy loop. Also, unexpected socket errors were
9677 not logged at a high enough logging level to be
9678 useful in diagnosing this situation. [RT #275]
9680 435. [bug] dns_zone_dump() overwrote existing zone files
9681 rather than writing to a temporary file and
9682 renaming. This could lead to empty or partial
9683 zone files being left around in certain error
9684 conditions involving the initial transfer of a
9685 slave zone, interfering with subsequent server
9688 434. [func] New function isc_file_isabsolute().
9690 433. [func] isc_base64_decodestring() now accepts newlines
9691 within the base64 data. This makes it possible
9692 to break up the key data in a "trusted-keys"
9693 statement into multiple lines. [RT #284]
9695 432. [func] Added refresh/retry jitter. The actual refresh/
9696 retry time is now a random value between 75% and
9697 100% of the configured value.
9699 431. [func] Log at ISC_LOG_INFO when a zone is successfully
9702 430. [bug] Rewrote the lightweight resolver client management
9703 code to handle shutdown correctly and general
9706 429. [bug] The space reserved for a TSIG record in a response
9707 was 2 bytes too short, leading to message
9708 generation failures.
9710 428. [bug] rbtdb.c:find_closest_nxt() erroneously returned
9711 DNS_R_BADDB for nodes which had neither NXT nor SIG NXT
9712 (e.g. glue). This could cause SERVFAILs when
9713 generating negative responses in a secure zone.
9715 427. [bug] Avoid going into an infinite loop when the validator
9716 gets a negative response to a key query where the
9717 records are signed by the missing key.
9719 426. [bug] Attempting to generate an oversized RSA key could
9720 cause dnssec-keygen to dump core.
9722 425. [bug] Warn about the auth-nxdomain default value change
9723 if there is no auth-nxdomain statement in the
9724 config file. [RT #287]
9726 424. [bug] notify_createmessage() could trigger an assertion
9727 failure when creating the notify message failed,
9728 e.g. due to corrupt zones with multiple SOA records.
9731 423. [bug] When responding to a recursive query, errors that occur
9732 after following a CNAME should cause the query to fail.
9735 422. [func] get rid of isc_random_t, and make isc_random_get()
9736 and isc_random_jitter() use rand() internally
9737 instead of local state. Note that isc_random_*()
9738 functions are only for weak, non-critical "randomness"
9739 such as timing jitter and such.
9741 421. [bug] nslookup would exit when given a blank line as input.
9743 420. [bug] nslookup failed to implement the "exit" command.
9745 419. [bug] The certificate type PKIX was misspelled as SKIX.
9747 418. [bug] At debug levels >= 10, getting an unexpected
9748 socket receive error would crash the server
9749 while trying to log the error message.
9751 417. [func] Add isc_app_block() and isc_app_unblock(), which
9752 allow an application to handle signals while
9755 416. [bug] Slave zones with no master file tried to use a
9756 NULL pointer for a journal file name when they
9757 received an IXFR. [RT #273]
9759 415. [bug] The logging code leaked file descriptors.
9761 414. [bug] Server did not shut down until all incoming zone
9762 transfers were finished.
9764 413. [bug] Notify could attempt to use the zone database after
9765 it had been unloaded. [RT#267]
9767 412. [bug] named -v didn't print the version.
9769 411. [bug] A typo in the HS A code caused an assertion failure.
9771 410. [bug] lwres_gethostbyname() and company set lwres_h_errno
9772 to a random value on success.
9774 409. [bug] If named was shut down early in the startup
9775 process, ns_omapi_shutdown() would attempt to lock
9776 an uninitialized mutex. [RT #262]
9778 408. [bug] stub zones could leak memory and reference counts if
9779 all the masters were unreachable.
9781 407. [bug] isc_rwlock_lock() would needlessly block
9782 readers when it reached the read quota even
9783 if no writers were waiting.
9785 406. [bug] Log messages were occasionally lost or corrupted
9786 due to a race condition in isc_log_doit().
9788 405. [func] Add support for selective forwarding (forward zones)
9790 404. [bug] The request library didn't completely work with IPv6.
9792 403. [bug] "host" did not use the search list.
9794 402. [bug] Treat undefined acls as errors, rather than
9795 warning and then later throwing an assertion.
9798 401. [func] Added simple database API.
9800 400. [bug] SIG(0) signing and verifying was done incorrectly.
9803 399. [bug] When reloading the server with a config file
9804 containing a syntax error, it could catch an
9805 assertion failure trying to perform zone
9806 maintenance on, or sending notifies from,
9807 tentatively created zones whose views were
9808 never fully configured and lacked an address
9809 database and request manager.
9811 398. [bug] "dig" sometimes caught an assertion failure when
9812 using TSIG, depending on the key length.
9814 397. [func] Added utility functions dns_view_gettsig() and
9815 dns_view_getpeertsig().
9817 396. [doc] There is now a man page for "nsupdate"
9818 in doc/man/bin/nsupdate.8.
9820 395. [bug] nslookup printed incorrect RR type mnemonics
9821 for RRs of type >= 21 [RT #237].
9823 394. [bug] Current name was not propagated via $INCLUDE.
9825 393. [func] Initial answer while loading (awl) support.
9826 Entry points: dns_master_loadfileinc(),
9827 dns_master_loadstreaminc(), dns_master_loadbufferinc().
9828 Note: calls to dns_master_load*inc() should be rate
9829 be rate limited so as to not use up all file
9832 392. [func] Add ISC_R_FAMILYNOSUPPORT. Returned when OS does
9833 not support the given address family requested.
9835 391. [clarity] ISC_R_FAMILY -> ISC_R_FAMILYMISMATCH.
9837 390. [func] The function dns_zone_setdbtype() now takes
9838 an argc/argv style vector of words and sets
9839 both the zone database type and its arguments,
9840 making the functions dns_zone_adddbarg()
9841 and dns_zone_cleardbargs() unnecessary.
9843 389. [bug] Attempting to send a request over IPv6 using
9844 dns_request_create() on a system without IPv6
9845 support caused an assertion failure [RT #235].
9847 388. [func] dig and host can now do reverse ipv6 lookups.
9849 387. [func] Add dns_byaddr_createptrname(), which converts
9850 an address into the name used by a PTR query.
9852 386. [bug] Missing strdup() of ACL name caused random
9853 ACL matching failures [RT #228].
9855 385. [cleanup] Removed functions dns_zone_equal(), dns_zone_print(),
9858 384. [bug] nsupdate was incorrectly limiting TTLs to 65535 instead
9861 383. [func] When writing a master file, print the SOA and NS
9862 records (and their SIGs) before other records.
9864 382. [bug] named -u failed on many Linux systems where the
9865 libc provided kernel headers do not match
9868 381. [bug] Check for IPV6_RECVPKTINFO and use it instead of
9869 IPV6_PKTINFO if found. [RT #229]
9871 380. [bug] nsupdate didn't work with IPv6.
9873 379. [func] New library function isc_sockaddr_anyofpf().
9875 378. [func] named and lwresd will log the command line arguments
9876 they were started with in the "starting ..." message.
9878 377. [bug] When additional data lookups were refused due to
9879 "allow-query", the databases were still being
9880 attached causing reference leaks.
9882 376. [bug] The server should always use good entropy when
9883 performing cryptographic functions needing entropy.
9885 375. [bug] Per-zone "allow-query" did not properly override the
9886 view/global one for CNAME targets and additional
9889 374. [bug] SOA in authoritative negative responses had wrong TTL.
9891 373. [func] nslookup is now installed by "make install".
9893 372. [bug] Deal with Microsoft DNS servers appending two bytes of
9894 garbage to zone transfer requests.
9896 371. [bug] At high debug levels, doing an outgoing zone transfer
9897 of a very large RRset could cause an assertion failure
9900 370. [bug] The error messages for roll-forward failures were
9903 369. [func] Support new named.conf options, view and zone
9906 max-retry-time, min-retry-time,
9907 max-refresh-time, min-refresh-time.
9909 368. [func] Restructure the internal ".bind" view so that more
9910 zones can be added to it.
9912 367. [bug] Allow proper selection of server on nslookup command
9915 366. [func] Allow use of '-' batch file in dig for stdin.
9917 365. [bug] nsupdate -k leaked memory.
9919 364. [func] Added additional-from-{cache,auth}
9923 362. [bug] rndc no longer aborts if the configuration file is
9924 missing an options statement. [RT #209]
9926 361. [func] When the RBT find or chain functions set the name and
9927 origin for a node that stores the root label
9928 the name is now set to an empty name, instead of ".",
9929 to simplify later use of the name and origin by
9930 dns_name_concatenate(), dns_name_totext() or
9933 360. [func] dns_name_totext() and dns_name_format() now allow
9934 an empty name to be passed, which is formatted as "@".
9936 359. [bug] dnssec-signzone occasionally signed glue records.
9938 358. [cleanup] Rename the intermediate files used by the dnssec
9941 357. [bug] The zone file parser crashed if the argument
9942 to $INCLUDE was a quoted string.
9944 356. [cleanup] isc_task_send no longer requires event->sender to
9947 355. [func] Added isc_dir_createunique(), similar to mkdtemp().
9949 354. [doc] Man pages for the dnssec tools are now included in
9950 the distribution, in doc/man/dnssec.
9952 353. [bug] double increment in lwres/gethost.c:copytobuf().
9955 352. [bug] Race condition in dns_client_t startup could cause
9956 an assertion failure.
9958 351. [bug] Constructing a response with rcode SERVFAIL to a TSIG
9959 signed query could crash the server.
9961 350. [bug] Also-notify lists specified in the global options
9962 block were not correctly reference counted, causing
9965 349. [bug] Processing a query with the CD bit set now works
9968 348. [func] New boolean named.conf options 'additional-from-auth'
9969 and 'additional-from-cache' now supported in view and
9970 global options statement.
9972 347. [bug] Don't crash if an argument is left off options in dig.
9976 345. [bug] Large-scale changes/cleanups to dig:
9977 * Significantly improve structure handling
9978 * Don't pre-load entire batch files
9979 * Add name/rr counting/limiting
9980 * Fix SIGINT handling
9981 * Shorten timeouts to match v8's behavior
9983 344. [bug] When shutting down, lwresd sometimes tried
9984 to shut down its client tasks twice,
9985 triggering an assertion.
9987 343. [bug] Although zone maintenance SOA queries and
9988 notify requests were signed with TSIG keys
9989 when configured for the server in case,
9990 the TSIG was not verified on the response.
9992 342. [bug] The wrong name was being passed to
9993 dns_name_dup() when generating a TSIG
9996 341. [func] Support 'key' clause in named.conf zone masters
9997 statement to allow authentication via TSIG keys:
10000 10.0.0.1 port 5353 key "foo";
10004 340. [bug] The top-level COPYRIGHT file was missing from
10007 339. [bug] DNSSEC validation of the response to an ANY
10008 query at a name with a CNAME RR in a secure
10009 zone triggered an assertion failure.
10011 338. [bug] lwresd logged to syslog as named, not lwresd.
10013 337. [bug] "dig" did not recognize "nsap-ptr" as an RR type
10014 on the command line.
10016 336. [bug] "dig -f" used 64 k of memory for each line in
10017 the file. It now uses much less, though still
10018 proportionally to the file size.
10020 335. [bug] named would occasionally attempt recursion when
10021 it was disallowed or undesired.
10023 334. [func] Added hmac-md5 to libisc.
10025 333. [bug] The resolver incorrectly accepted referrals to
10026 domains that were not parents of the query name,
10027 causing assertion failures.
10029 332. [func] New function dns_name_reset().
10031 331. [bug] Only log "recursion denied" if RD is set. [RT #178]
10033 330. [bug] Many debugging messages were partially formatted
10034 even when debugging was turned off, causing a
10035 significant decrease in query performance.
10037 329. [func] omapi_auth_register() now takes a size_t argument for
10038 the length of a key's secret data. Previously
10039 OMAPI only stored secrets up to the first NUL byte.
10041 328. [func] Added isc_base64_decodestring().
10043 327. [bug] rndc.conf parser wasn't correctly recognizing an IP
10044 address where a host specification was required.
10046 326. [func] 'keys' in an 'inet' control statement is now
10047 required and must have at least one item in it.
10048 A "not supported" warning is now issued if a 'unix'
10049 control channel is defined.
10051 325. [bug] isc_lex_gettoken was processing octal strings when
10052 ISC_LEXOPT_CNUMBER was not set.
10054 324. [func] In the resolver, turn EDNS0 off if there is no
10055 response after a number of retransmissions.
10056 This is to allow queries some chance of succeeding
10057 even if all the authoritative servers of a zone
10058 silently discard EDNS0 requests instead of
10059 sending an error response like they ought to.
10061 323. [bug] dns_rbt_findname() did not ignore empty rbt nodes.
10062 Because of this, servers authoritative for a parent
10063 and grandchild zone but not authoritative for the
10064 intervening child zone did not correctly issue
10065 referrals to the servers of the child zone.
10067 322. [bug] Queries for KEY RRs are now sent to the parent
10068 server before the authoritative one, making
10069 DNSSEC insecurity proofs work in many cases
10070 where they previously didn't.
10072 321. [bug] When synthesizing a CNAME RR for a DNAME
10073 response, query_addcname() failed to initialize
10074 the type and class of the CNAME dns_rdata_t,
10075 causing random failures.
10077 320. [func] Multiple rndc changes: parses an rndc.conf file,
10078 uses authentication to talk to named, command
10079 line syntax changed. This will all be described
10082 319. [func] The named.conf "controls" statement is now used
10083 to configure the OMAPI command channel.
10085 318. [func] dns_c_ndcctx_destroy() could never return anything
10086 except ISC_R_SUCCESS; made it have void return instead.
10088 317. [func] Use callbacks from libomapi to determine if a
10089 new connection is valid, and if a key requested
10090 to be used with that connection is valid.
10092 316. [bug] Generate a warning if we detect an unexpected <eof>
10093 but treat as <eol><eof>.
10095 315. [bug] Handle non-empty blanks lines. [RT #163]
10097 314. [func] The named.conf controls statement can now have
10098 more than one key specified for the inet clause.
10100 313. [bug] When parsing resolv.conf, don't terminate on an
10101 error. Instead, parse as much as possible, but
10102 still return an error if one was found.
10104 312. [bug] Increase the number of allowed elements in the
10105 resolv.conf search path from 6 to 8. If there
10106 are more than this, ignore the remainder rather
10107 than returning a failure in lwres_conf_parse.
10109 311. [bug] lwres_conf_parse failed when the first line of
10110 resolv.conf was empty or a comment.
10112 310. [func] Changes to named.conf "controls" statement (inet
10115 - support "keys" clause
10119 allow { any; } keys { "foo"; }
10122 - allow "port xxx" to be left out of statement,
10123 in which case it defaults to omapi's default port
10126 309. [bug] When sending a referral, the server did not look
10127 for name server addresses as glue in the zone
10128 holding the NS RRset in the case where this zone
10129 was not the same as the one where it looked for
10130 name server addresses as authoritative data.
10132 308. [bug] Treat a SOA record not at top of zone as an error
10133 when loading a zone. [RT #154]
10135 307. [bug] When canceling a query, the resolver didn't check for
10136 isc_socket_sendto() calls that did not yet have their
10137 completion events posted, so it could (rarely) end up
10138 destroying the query context and then want to use
10139 it again when the send event posted, triggering an
10140 assertion as it tried to cancel an already-canceled
10143 306. [bug] Reading HMAC-MD5 private key files didn't work.
10145 305. [bug] When reloading the server with a config file
10146 containing a syntax error, it could catch an
10147 assertion failure trying to perform zone
10148 maintenance on tentatively created zones whose
10149 views were never fully configured and lacked
10150 an address database.
10152 304. [bug] If more than LWRES_CONFMAXNAMESERVERS servers
10153 are listed in resolv.conf, silently ignore them
10154 instead of returning failure.
10156 303. [bug] Add additional sanity checks to differentiate a AXFR
10157 response vs a IXFR response. [RT #157]
10159 302. [bug] In dig, host, and nslookup, MXNAME should be large
10160 enough to hold any legal domain name in presentation
10161 format + terminating NULL.
10163 301. [bug] Uninitialized pointer in host:printmessage(). [RT #159]
10165 300. [bug] Using both <isc/net.h> and <lwres/net.h> didn't work
10166 on platforms lacking IPv6 because each included their
10167 own ipv6 header file for the missing definitions. Now
10168 each library's ipv6.h defines the wrapper symbol of
10169 the other (ISC_IPV6_H and LWRES_IPV6_H).
10171 299. [cleanup] Get the user and group information before changing the
10172 root directory, so the administrator does not need to
10173 keep a copy of the user and group databases in the
10174 chroot'ed environment. Suggested by Hakan Olsson.
10176 298. [bug] A mutex deadlock occurred during shutdown of the
10177 interface manager under certain conditions.
10178 Digital Unix systems were the most affected.
10180 297. [bug] Specifying a key name that wasn't fully qualified
10181 in certain parts of the config file could cause
10182 an assertion failure.
10184 296. [bug] "make install" from a separate build directory
10185 failed unless configure had been run in the source
10188 295. [bug] When invoked with type==CNAME and a message
10189 not constructed by dns_message_parse(),
10190 dns_message_findname() failed to find anything
10191 due to checking for attribute bits that are set
10192 only in dns_message_parse(). This caused an
10193 infinite loop when constructing the response to
10194 an ANY query at a CNAME in a secure zone.
10196 294. [bug] If we run out of space in while processing glue
10197 when reading a master file and commit "current name"
10198 reverts to "name_current" instead of staying as
10201 293. [port] Add support for FreeBSD 4.0 system tests.
10203 292. [bug] Due to problems with the way some operating systems
10204 handle simultaneous listening on IPv4 and IPv6
10205 addresses, the server no longer listens on IPv6
10206 addresses by default. To revert to the previous
10207 behavior, specify "listen-on-v6 { any; };" in
10210 291. [func] Caching servers no longer send outgoing queries
10211 over TCP just because the incoming recursive query
10214 290. [cleanup] +twiddle option to dig (for testing only) removed.
10216 289. [cleanup] dig is now installed in $bindir instead of $sbindir.
10217 host is now installed in $bindir. (Be sure to remove
10218 any $sbindir/dig from a previous release.)
10220 288. [func] rndc is now installed by "make install" into $sbindir.
10222 287. [bug] rndc now works again as "rndc 127.1 reload" (for
10223 only that task). Parsing its configuration file and
10224 using digital signatures for authentication has been
10225 disabled until named supports the "controls" statement,
10228 286. [bug] On Solaris 2, when named inherited a signal state
10229 where SIGHUP had the SIG_IGN action, SIGHUP would
10230 be ignored rather than causing the server to reload
10233 285. [bug] A change made to the dst API for beta4 inadvertently
10234 broke OMAPI's creation of a dst key from an incoming
10235 message, causing an assertion to be triggered. Fixed.
10237 284. [func] The DNSSEC key generation and signing tools now
10238 generate randomness from keyboard input on systems
10239 that lack /dev/random.
10241 283. [cleanup] The 'lwresd' program is now a link to 'named'.
10243 282. [bug] The lexer now returns ISC_R_RANGE if parsed integer is
10244 too big for an unsigned long.
10246 281. [bug] Fixed list of recognized config file category names.
10248 280. [func] Add isc-config.sh, which can be used to more
10249 easily build applications that link with
10252 279. [bug] Private omapi function symbols shared between
10253 two or more files in libomapi.a were not namespace
10254 protected using the ISC convention of starting with
10255 the library name and two underscores ("omapi__"...)
10257 278. [bug] bin/named/logconf.c:category_fromconf() didn't take
10258 note of when isc_log_categorybyname() wasn't able
10259 to find the category name and would then apply the
10260 channel list of the unknown category to all categories.
10262 277. [bug] isc_log_categorybyname() and isc_log_modulebyname()
10263 would fail to find the first member of any category
10264 or module array apart from the internal defaults.
10265 Thus, for example, the "notify" category was improperly
10266 configured by named.
10268 276. [bug] dig now supports maximum sized TCP messages.
10270 275. [bug] The definition of lwres_gai_strerror() was missing
10273 274. [bug] TSIG AXFR verify failed when talking to a BIND 8
10276 273. [func] The default for the 'transfer-format' option is
10277 now 'many-answers'. This will break zone transfers
10278 to BIND 4.9.5 and older unless there is an explicit
10279 'one-answer' configuration.
10281 272. [bug] The sending of large TCP responses was canceled
10282 in mid-transmission due to a race condition
10283 caused by the failure to set the client object's
10284 "newstate" variable correctly when transitioning
10285 to the "working" state.
10287 271. [func] Attempt to probe the number of cpus in named
10288 if unspecified rather than defaulting to 1.
10290 270. [func] Allow maximum sized TCP answers.
10292 269. [bug] Failed DNSSEC validations could cause an assertion
10293 failure by causing clone_results() to be called with
10294 with hevent->node == NULL.
10296 268. [doc] A plain text version of the Administrator
10297 Reference Manual is now included in the distribution,
10298 as doc/arm/Bv9ARM.txt.
10300 267. [func] Nsupdate is now provided in the distribution.
10302 266. [bug] zone.c:save_nsrrset() node was not initialized.
10304 265. [bug] dns_request_create() now works for TCP.
10306 264. [func] Dispatch can not take TCP sockets in connecting
10307 state. Set DNS_DISPATCHATTR_CONNECTED when calling
10308 dns_dispatch_createtcp() for connected TCP sockets
10309 or call dns_dispatch_starttcp() when the socket is
10312 263. [func] New logging channel type 'stderr'
10314 channel some-name {
10319 262. [bug] 'master' was not initialized in zone.c:stub_callback().
10321 261. [func] Add dns_zone_markdirty().
10323 260. [bug] Running named as a non-root user failed on Linux
10324 kernels new enough to support retaining capabilities
10327 259. [func] New random-device and random-seed-file statements
10328 for global options block of named.conf. Both accept
10329 a single string argument.
10331 258. [bug] Fixed printing of lwres_addr_t.address field.
10333 257. [bug] The server detached the last zone manager reference
10334 too early, while it could still be in use by queries.
10335 This manifested itself as assertion failures during the
10336 shutdown process for busy name servers. [RT #133]
10338 256. [func] isc_ratelimiter_t now has attach/detach semantics, and
10339 isc_ratelimiter_shutdown guarantees that the rate
10340 limiter is detached from its task.
10342 255. [func] New function dns_zonemgr_attach().
10344 254. [bug] Suppress "query denied" messages on additional data
10347 --- 9.0.0b4 released ---
10349 253. [func] resolv.conf parser now recognizes ';' and '#' as
10350 comments (anywhere in line, not just as the beginning).
10352 252. [bug] resolv.conf parser mishandled masks on sortlists.
10353 It also aborted when an unrecognized keyword was seen,
10354 now it silently ignores the entire line.
10356 251. [bug] lwresd caught an assertion failure on startup.
10358 250. [bug] fixed handling of size+unit when value would be too
10359 large for internal representation.
10361 249. [cleanup] max-cache-size config option now takes a size-spec
10362 like 'datasize', except 'default' is not allowed.
10364 248. [bug] global lame-ttl option was not being printed when
10365 config structures were written out.
10367 247. [cleanup] Rename cache-size config option to max-cache-size.
10369 246. [func] Rename global option cachesize to cache-size and
10370 add corresponding option to view statement.
10372 245. [bug] If an uncompressed name will take more than 255
10373 bytes and the buffer is sufficiently long,
10374 dns_name_fromwire should return DNS_R_FORMERR,
10375 not ISC_R_NOSPACE. This bug caused cause the
10376 server to catch an assertion failure when it
10377 received a query for a name longer than 255
10380 244. [bug] empty named.conf file and empty options statement are
10381 now parsed properly.
10383 243. [func] new cachesize option for named.conf
10385 242. [cleanup] fixed incorrect warning about auth-nxdomain usage.
10387 241. [cleanup] nscount and soacount have been removed from the
10388 dns_master_*() argument lists.
10390 240. [func] databases now come in three flavours: zone, cache
10393 239. [func] If ISC_MEM_DEBUG is enabled, the variable
10394 isc_mem_debugging controls whether messages
10395 are printed or not.
10397 238. [cleanup] A few more compilation warnings have been quieted:
10398 + missing sigwait prototype on BSD/OS 4.0/4.0.1.
10399 + PTHREAD_ONCE_INIT unbraced initializer warnings on
10401 + IN6ADDR_ANY_INIT unbraced initializer warnings on
10402 BSD/OS 4.*, Linux and Solaris 2.8.
10404 237. [bug] If connect() returned ENOBUFS when the resolver was
10405 initiating a TCP query, the socket didn't get
10406 destroyed, and the server did not shut down cleanly.
10408 236. [func] Added new listen-on-v6 config file statement.
10410 235. [func] Consider it a config file error if a listen-on
10411 statement has an IPv6 address in it, or a
10412 listen-on-v6 statement has an IPv4 address in it.
10414 234. [bug] Allow a trusted-key's first field (domain-name) be
10415 either a quoted or an unquoted string, instead of
10416 requiring a quoted string.
10418 233. [cleanup] Convert all config structure integer values to unsigned
10419 integer (isc_uint32_t) to match grammar.
10421 232. [bug] Allow slave zones to not have a file.
10423 231. [func] Support new 'port' clause in config file options
10424 section. Causes 'listen-on', 'masters' and
10425 'also-notify' statements to use its value instead of
10428 230. [func] Replace the dst sign/verify API with a cleaner one.
10430 229. [func] Support config file sig-validity-interval statement
10431 in options, views and zone statements (master
10434 228. [cleanup] Logging messages in config module stripped of
10437 227. [cleanup] The enumerated identifiers dns_rdataclass_*,
10438 dns_rcode_*, dns_opcode_*, and dns_trust_* are
10439 also now cast to their appropriate types, as with
10440 dns_rdatatype_* in item number 225 below.
10442 226. [func] dns_name_totext() now always prints the root name as
10443 '.', even when omit_final_dot is true.
10445 225. [cleanup] The enumerated dns_rdatatype_* identifiers are now
10446 cast to dns_rdatatype_t via macros of their same name
10447 so that they are of the proper integral type wherever
10448 a dns_rdatatype_t is needed.
10450 224. [cleanup] The entire project builds cleanly with gcc's
10451 -Wcast-qual and -Wwrite-strings warnings enabled,
10452 which is now the default when using gcc. (Warnings
10453 from confparser.c, because of yacc's code, are
10454 unfortunately to be expected.)
10456 223. [func] Several functions were re-prototyped to qualify one
10457 or more of their arguments with "const". Similarly,
10458 several functions that return pointers now have
10459 those pointers qualified with const.
10461 222. [bug] The global 'also-notify' option was ignored.
10463 221. [bug] An uninitialized variable was sometimes passed to
10464 dns_rdata_freestruct() when loading a zone, causing
10465 an assertion failure.
10467 220. [cleanup] Set the default outgoing port in the view, and
10468 set it in sockaddrs returned from the ADB.
10469 [31-May-2000 explorer]
10471 219. [bug] Signed truncated messages more correctly follow
10472 the respective specs.
10474 218. [func] When an rdataset is signed, its ttl is normalized
10475 based on the signature validity period.
10477 217. [func] Also-notify and trusted-keys can now be used in
10478 the 'view' statement.
10480 216. [func] The 'max-cache-ttl' and 'max-ncache-ttl' options
10483 215. [bug] Failures at certain points in request processing
10484 could cause the assertion INSIST(client->lockview
10485 == NULL) to be triggered.
10487 214. [func] New public function isc_netaddr_format(), for
10488 formatting network addresses in log messages.
10490 213. [bug] Don't leak memory when reloading the zone if
10491 an update-policy clause was present in the old zone.
10493 212. [func] Added dns_message_get/settsigkey, to make TSIG
10494 key management reasonable.
10496 211. [func] The 'key' and 'server' statements can now occur
10497 inside 'view' statements.
10499 210. [bug] The 'allow-transfer' option was ignored for slave
10500 zones, and the 'transfers-per-ns' option was
10501 was ignored for all zones.
10503 209. [cleanup] Upgraded openssl files to new version 0.9.5a
10505 208. [func] Added ISC_OFFSET_MAXIMUM for the maximum value
10506 of an isc_offset_t.
10508 207. [func] The dnssec tools properly use the logging subsystem.
10510 206. [cleanup] dst now stores the key name as a dns_name_t, not
10513 205. [cleanup] On IRIX, turn off the mostly harmless warnings 1692
10514 ("prototyped function redeclared without prototype")
10515 and 1552 ("variable ... set but not used") when
10516 compiling in the lib/dns/sec/{dnssafe,openssl}
10517 directories, which contain code imported from outside
10520 204. [cleanup] On HP/UX, pass +vnocompatwarnings to the linker
10521 to quiet the warnings that "The linked output may not
10522 run on a PA 1.x system."
10524 203. [func] notify and zone soa queries are now tsig signed when
10527 202. [func] isc_lex_getsourceline() changed from returning int
10528 to returning unsigned long, the type of its underlying
10531 201. [cleanup] Removed the test/sdig program, it has been
10532 replaced by bin/dig/dig.
10534 --- 9.0.0b3 released ---
10536 200. [bug] Failures in sending query responses to clients
10537 (e.g., running out of network buffers) were
10540 199. [bug] isc_heap_delete() sometimes violated the heap
10541 invariant, causing timer events not to be posted
10544 198. [func] Dispatch managers hold memory pools which
10545 any managed dispatcher may use. This allows
10546 us to avoid dipping into the memory context for
10547 most allocations. [19-May-2000 explorer]
10549 197. [bug] When an incoming AXFR or IXFR completes, the
10550 zone's internal state is refreshed from the
10551 SOA data. [19-May-2000 explorer]
10553 196. [func] Dispatchers can be shared easily between views
10554 and/or interfaces. [19-May-2000 explorer]
10556 195. [bug] Including the NXT record of the root domain
10557 in a negative response caused an assertion
10560 194. [doc] The PDF version of the Administrator's Reference
10561 Manual is no longer included in the ISC BIND9
10564 193. [func] changed dst_key_free() prototype.
10566 192. [bug] Zone configuration validation is now done at end
10567 of config file parsing, and before loading
10570 191. [func] Patched to compile on UnixWare 7.x. This platform
10571 is not directly supported by the ISC.
10573 190. [cleanup] The DNSSEC tools have been moved to a separate
10574 directory dnssec/ and given the following new,
10575 more descriptive names:
10582 Their command line arguments have also been changed to
10583 be more consistent. dnssec-keygen now prints the
10584 name of the generated key files (sans extension)
10585 on standard output to simplify its use in automated
10588 189. [func] isc_time_secondsastimet(), a new function, will ensure
10589 that the number of seconds in an isc_time_t does not
10590 exceed the range of a time_t, or return ISC_R_RANGE.
10591 Similarly, isc_time_now(), isc_time_nowplusinterval(),
10592 isc_time_add() and isc_time_subtract() now check the
10593 range for overflow/underflow. In the case of
10594 isc_time_subtract, this changed a calling requirement
10595 (ie, something that could generate an assertion)
10596 into merely a condition that returns an error result.
10597 isc_time_add() and isc_time_subtract() were void-
10598 valued before but now return isc_result_t.
10600 188. [func] Log a warning message when an incoming zone transfer
10601 contains out-of-zone data.
10603 187. [func] isc_ratelimiter_enqueue() has an additional argument
10606 186. [func] dns_request_getresponse() has an additional argument
10609 185. [bug] Fixed up handling of ISC_MEMCLUSTER_LEGACY. Several
10610 public functions did not have an isc__ prefix, and
10611 referred to functions that had previously been
10614 184. [cleanup] Variables/functions which began with two leading
10615 underscores were made to conform to the ANSI/ISO
10616 standard, which says that such names are reserved.
10618 183. [func] ISC_LOG_PRINTTAG option for log channels. Useful
10619 for logging the program name or other identifier.
10621 182. [cleanup] New command-line parameters for dnssec tools
10623 181. [func] Added dst_key_buildfilename and dst_key_parsefilename
10625 180. [func] New isc_result_t ISC_R_RANGE. Supersedes DNS_R_RANGE.
10627 179. [func] options named.conf statement *must* now come
10628 before any zone or view statements.
10630 178. [func] Post-load of named.conf check verifies a slave zone
10631 has non-empty list of masters defined.
10633 177. [func] New per-zone boolean:
10635 enable-zone yes | no ;
10637 intended to let a zone be disabled without having
10638 to comment out the entire zone statement.
10640 176. [func] New global and per-view option:
10642 max-cache-ttl number
10644 175. [func] New global and per-view option:
10646 additional-data internal | minimal | maximal;
10648 174. [func] New public function isc_sockaddr_format(), for
10649 formatting socket addresses in log messages.
10651 173. [func] Keep a queue of zones waiting for zone transfer
10652 quota so that a new transfer can be dispatched
10653 immediately whenever quota becomes available.
10655 172. [bug] $TTL directive was sometimes missing from dumped
10656 master files because totext_ctx_init() failed to
10657 initialize ctx->current_ttl_valid.
10659 171. [cleanup] On NetBSD systems, the mit-pthreads or
10660 unproven-pthreads library is now always used
10661 unless --with-ptl2 is explicitly specified on
10662 the configure command line. The
10663 --with-mit-pthreads option is no longer needed
10664 and has been removed.
10666 170. [cleanup] Remove inter server consistency checks from zone,
10667 these should return as a separate module in 9.1.
10668 dns_zone_checkservers(), dns_zone_checkparents(),
10669 dns_zone_checkchildren(), dns_zone_checkglue().
10671 Remove dns_zone_setadb(), dns_zone_setresolver(),
10672 dns_zone_setrequestmgr() these should now be found
10675 169. [func] ratelimiter can now process N events per interval.
10677 168. [bug] include statements in named.conf caused syntax errors
10678 due to not consuming the semicolon ending the include
10679 statement before switching input streams.
10681 167. [bug] Make lack of masters for a slave zone a soft error.
10683 166. [bug] Keygen was overwriting existing keys if key_id
10684 conflicted, now it will retry, and non-null keys
10685 with key_id == 0 are not generated anymore. Key
10686 was not able to generate NOAUTHCONF DSA key,
10687 increased RSA key size to 2048 bits.
10689 165. [cleanup] Silence "end-of-loop condition not reached" warnings
10690 from Solaris compiler.
10692 164. [func] Added functions isc_stdio_open(), isc_stdio_close(),
10693 isc_stdio_seek(), isc_stdio_read(), isc_stdio_write(),
10694 isc_stdio_flush(), isc_stdio_sync(), isc_file_remove()
10695 to encapsulate nonportable usage of errno and sync.
10697 163. [func] Added result codes ISC_R_FILENOTFOUND and
10700 162. [bug] Ensure proper range for arguments to ctype.h functions.
10702 161. [cleanup] error in yyparse prototype that only HPUX caught.
10704 160. [cleanup] getnet*() are not going to be implemented at this
10707 159. [func] Redefinition of config file elements is now an
10708 error (instead of a warning).
10710 158. [bug] Log channel and category list copy routines
10711 weren't assigning properly to output parameter.
10713 157. [port] Fix missing prototype for getopt().
10715 156. [func] Support new 'database' statement in zone.
10717 database "quoted-string";
10719 155. [bug] ns_notify_start() was not detaching the found zone.
10721 154. [func] The signer now logs libdns warnings to stderr even when
10722 not verbose, and in a nicer format.
10724 153. [func] dns_rdata_tostruct() 'mctx' is now optional. If 'mctx'
10725 is NULL then you need to preserve the 'rdata' until
10726 you have finished using the structure as there may be
10727 references to the associated memory. If 'mctx' is
10728 non-NULL it is guaranteed that there are no references
10729 to memory associated with 'rdata'.
10731 dns_rdata_freestruct() must be called if 'mctx' was
10732 non-NULL and may safely be called if 'mctx' was NULL.
10734 152. [bug] keygen dumped core if domain name argument was omitted
10737 151. [func] Support 'disabled' statement in zone config (causes
10738 zone to be parsed and then ignored). Currently must
10739 come after the 'type' clause.
10741 150. [func] Support optional ports in masters and also-notify
10744 masters [ port xxx ] { y.y.y.y [ port zzz ] ; }
10746 149. [cleanup] Removed unused argument 'olist' from
10747 dns_c_view_unsetordering().
10749 148. [cleanup] Stop issuing some warnings about some configuration
10750 file statements that were not implemented, but now are.
10752 147. [bug] Changed yacc union size to be smaller for yaccs that
10753 put yacc-stack on the real stack.
10755 146. [cleanup] More general redundant header file cleanup. Rather
10756 than continuing to itemize every header which changed,
10757 this changelog entry just notes that if a header file
10758 did not need another header file that it was including
10759 in order to provide its advertised functionality, the
10760 inclusion of the other header file was removed. See
10761 util/check-includes for how this was tested.
10763 145. [cleanup] Added <isc/lang.h> and ISC_LANG_BEGINDECLS/
10764 ISC_LANG_ENDDECLS to header files that had function
10765 prototypes, and removed it from those that did not.
10767 144. [cleanup] libdns header files too numerous to name were made
10768 to conform to the same style for multiple inclusion
10771 143. [func] Added function dns_rdatatype_isknown().
10773 142. [cleanup] <isc/stdtime.h> does not need <time.h> or
10776 141. [bug] Corrupt requests with multiple questions could
10777 cause an assertion failure.
10779 140. [cleanup] <isc/time.h> does not need <time.h> or <isc/result.h>.
10781 139. [cleanup] <isc/net.h> now includes <isc/types.h> instead of
10782 <isc/int.h> and <isc/result.h>.
10784 138. [cleanup] isc_strtouq moved from str.[ch] to string.[ch] and
10785 renamed isc_string_touint64. isc_strsep moved from
10786 strsep.c to string.c and renamed isc_string_separate.
10788 137. [cleanup] <isc/commandline.h>, <isc/mem.h>, <isc/print.h>
10789 <isc/serial.h>, <isc/string.h> and <isc/offset.h>
10790 made to conform to the same style for multiple
10791 inclusion protection.
10793 136. [cleanup] <isc/commandline.h>, <isc/interfaceiter.h>,
10794 <isc/net.h> and Win32's <isc/thread.h> needed
10795 ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS.
10797 135. [cleanup] Win32's <isc/condition.h> did not need <isc/result.h>
10798 or <isc/boolean.h>, now uses <isc/types.h> in place
10799 of <isc/time.h>, and needed ISC_LANG_BEGINDECLS
10800 and ISC_LANG_ENDDECLS.
10802 134. [cleanup] <isc/dir.h> does not need <limits.h>.
10804 133. [cleanup] <isc/ipv6.h> needs <isc/platform.h>.
10806 132. [cleanup] <isc/app.h> does not need <isc/task.h>, but does
10807 need <isc/eventclass.h>.
10809 131. [cleanup] <isc/mutex.h> and <isc/util.h> need <isc/result.h>
10810 for ISC_R_* codes used in macros.
10812 130. [cleanup] <isc/condition.h> does not need <pthread.h> or
10813 <isc/boolean.h>, and now includes <isc/types.h>
10814 instead of <isc/time.h>.
10816 129. [bug] The 'default_debug' log channel was not set up when
10817 'category default' was present in the config file
10819 128. [cleanup] <isc/dir.h> had ISC_LANG_BEGINDECLS instead of
10820 ISC_LANG_ENDDECLS at end of header.
10822 127. [cleanup] The contracts for the comparison routines
10823 dns_name_fullcompare(), dns_name_compare(),
10824 dns_name_rdatacompare(), and dns_rdata_compare() now
10825 specify that the order value returned is < 0, 0, or > 0
10826 instead of -1, 0, or 1.
10828 126. [cleanup] <isc/quota.h> and <isc/taskpool.h> need <isc/lang.h>.
10830 125. [cleanup] <isc/eventclass.h>, <isc/ipv6.h>, <isc/magic.h>,
10831 <isc/mutex.h>, <isc/once.h>, <isc/region.h>, and
10832 <isc/resultclass.h> do not need <isc/lang.h>.
10834 124. [func] signer now imports parent's zone key signature
10835 and creates null keys/sets zone status bit for
10836 children when necessary
10838 123. [cleanup] <isc/event.h> does not need <stddef.h>.
10840 122. [cleanup] <isc/task.h> does not need <isc/mem.h> or
10843 121. [cleanup] <isc/symtab.h> does not need <isc/mem.h> or
10844 <isc/result.h>. Multiple inclusion protection
10845 symbol fixed from ISC_SYMBOL_H to ISC_SYMTAB_H.
10846 isc_symtab_t moved to <isc/types.h>.
10848 120. [cleanup] <isc/socket.h> does not need <isc/boolean.h>,
10849 <isc/bufferlist.h>, <isc/task.h>, <isc/mem.h> or
10852 119. [cleanup] structure definitions for generic rdata structures do
10853 not have _generic_ in their names.
10855 118. [cleanup] libdns.a is now namespace-clean, on NetBSD, excepting
10856 YACC crust (yyparse, etc) [2000-apr-27 explorer]
10858 117. [cleanup] libdns.a changes:
10859 dns_zone_clearnotify() and dns_zone_addnotify()
10860 are replaced by dns_zone_setnotifyalso().
10861 dns_zone_clearmasters() and dns_zone_addmaster()
10862 are replaced by dns_zone_setmasters().
10864 116. [func] Added <isc/offset.h> for isc_offset_t (aka off_t
10867 115. [port] Shut up the -Wmissing-declarations warning about
10868 <stdio.h>'s __sputaux on BSD/OS pre-4.1.
10870 114. [cleanup] <isc/sockaddr.h> does not need <isc/buffer.h> or
10873 113. [func] Utility programs dig and host added.
10875 112. [cleanup] <isc/serial.h> does not need <isc/boolean.h>.
10877 111. [cleanup] <isc/rwlock.h> does not need <isc/result.h> or
10880 110. [cleanup] <isc/result.h> does not need <isc/boolean.h> or
10883 109. [bug] "make depend" did nothing for
10884 bin/tests/{db,mem,sockaddr,tasks,timers}/.
10886 108. [cleanup] DNS_SETBIT/DNS_GETBIT/DNS_CLEARBIT moved from
10887 <dns/types.h> to <dns/bit.h> and renamed to
10888 DNS_BIT_SET/DNS_BIT_GET/DNS_BIT_CLEAR.
10890 107. [func] Add keysigner and keysettool.
10892 106. [func] Allow dnssec verifications to ignore the validity
10893 period. Used by several of the dnssec tools.
10895 105. [doc] doc/dev/coding.html expanded with other
10896 implicit conventions the developers have used.
10898 104. [bug] Made compress_add and compress_find static to
10899 lib/dns/compress.c.
10901 103. [func] libisc buffer API changes for <isc/buffer.h>:
10903 isc_buffer_base(b) (pointer)
10904 isc_buffer_current(b) (pointer)
10905 isc_buffer_active(b) (pointer)
10906 isc_buffer_used(b) (pointer)
10907 isc_buffer_length(b) (int)
10908 isc_buffer_usedlength(b) (int)
10909 isc_buffer_consumedlength(b) (int)
10910 isc_buffer_remaininglength(b) (int)
10911 isc_buffer_activelength(b) (int)
10912 isc_buffer_availablelength(b) (int)
10914 ISC_BUFFER_USEDCOUNT(b)
10915 ISC_BUFFER_AVAILABLECOUNT(b)
10918 isc_buffer_used(b, r) ->
10919 isc_buffer_usedregion(b, r)
10920 isc_buffer_available(b, r) ->
10921 isc_buffer_available_region(b, r)
10922 isc_buffer_consumed(b, r) ->
10923 isc_buffer_consumedregion(b, r)
10924 isc_buffer_active(b, r) ->
10925 isc_buffer_activeregion(b, r)
10926 isc_buffer_remaining(b, r) ->
10927 isc_buffer_remainingregion(b, r)
10929 Buffer types were removed, so the ISC_BUFFERTYPE_*
10930 macros are no more, and the type argument to
10931 isc_buffer_init and isc_buffer_allocate were removed.
10932 isc_buffer_putstr is now void (instead of isc_result_t)
10933 and requires that the caller ensure that there
10934 is enough available buffer space for the string.
10936 102. [port] Correctly detect inet_aton, inet_pton and inet_ptop
10939 101. [cleanup] Quieted EGCS warnings from lib/isc/print.c.
10941 100. [cleanup] <isc/random.h> does not need <isc/int.h> or
10942 <isc/mutex.h>. isc_random_t moved to <isc/types.h>.
10944 99. [cleanup] Rate limiter now has separate shutdown() and
10945 destroy() functions, and it guarantees that all
10946 queued events are delivered even in the shutdown case.
10948 98. [cleanup] <isc/print.h> does not need <stdarg.h> or <stddef.h>
10949 unless ISC_PLATFORM_NEEDVSNPRINTF is defined.
10951 97. [cleanup] <isc/ondestroy.h> does not need <stddef.h> or
10954 96. [cleanup] <isc/mutex.h> does not need <isc/result.h>.
10956 95. [cleanup] <isc/mutexblock.h> does not need <isc/result.h>.
10958 94. [cleanup] Some installed header files did not compile as C++.
10960 93. [cleanup] <isc/msgcat.h> does not need <isc/result.h>.
10962 92. [cleanup] <isc/mem.h> does not need <stddef.h>, <isc/boolean.h>,
10965 91. [cleanup] <isc/log.h> does not need <sys/types.h> or
10968 90. [cleanup] Removed unneeded ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS
10969 from <named/listenlist.h>.
10971 89. [cleanup] <isc/lex.h> does not need <stddef.h>.
10973 88. [cleanup] <isc/interfaceiter.h> does not need <isc/result.h> or
10974 <isc/mem.h>. isc_interface_t and isc_interfaceiter_t
10975 moved to <isc/types.h>.
10977 87. [cleanup] <isc/heap.h> does not need <isc/boolean.h>,
10978 <isc/mem.h> or <isc/result.h>.
10980 86. [cleanup] isc_bufferlist_t moved from <isc/bufferlist.h> to
10983 85. [cleanup] <isc/bufferlist.h> does not need <isc/buffer.h>,
10984 <isc/list.h>, <isc/mem.h>, <isc/region.h> or
10987 84. [func] allow-query ACL checks now apply to all data
10988 added to a response.
10990 83. [func] If the server is authoritative for both a
10991 delegating zone and its (nonsecure) delegatee, and
10992 a query is made for a KEY RR at the top of the
10993 delegatee, then the server will look for a KEY
10994 in the delegator if it is not found in the delegatee.
10996 82. [cleanup] <isc/buffer.h> does not need <isc/list.h>.
10998 81. [cleanup] <isc/int.h> and <isc/boolean.h> do not need
11001 80. [cleanup] <isc/print.h> does not need <stdio.h> or <stdlib.h>.
11003 79. [cleanup] <dns/callbacks.h> does not need <stdio.h>.
11005 78. [cleanup] lwres_conftest renamed to lwresconf_test for
11006 consistency with other *_test programs.
11008 77. [cleanup] typedef of isc_time_t and isc_interval_t moved from
11009 <isc/time.h> to <isc/types.h>.
11011 76. [cleanup] Rewrote keygen.
11013 75. [func] Don't load a zone if its database file is older
11014 than the last time the zone was loaded.
11016 74. [cleanup] Removed mktemplate.o and ufile.o from libisc.a,
11017 subsumed by file.o.
11019 73. [func] New "file" API in libisc, including new function
11020 isc_file_getmodtime, isc_mktemplate renamed to
11021 isc_file_mktemplate and isc_ufile renamed to
11022 isc_file_openunique. By no means an exhaustive API,
11023 it is just what's needed for now.
11025 72. [func] DNS_RBTFIND_NOPREDECESSOR and DNS_RBTFIND_NOOPTIONS
11026 added for dns_rbt_findnode, the former to disable the
11027 setting of the chain to the predecessor, and the
11028 latter to make clear when no options are set.
11030 71. [cleanup] Made explicit the implicit REQUIREs of
11031 isc_time_seconds, isc_time_nanoseconds, and
11034 70. [func] isc_time_set() added.
11036 69. [bug] The zone object's master and also-notify lists grew
11037 longer with each server reload.
11039 68. [func] Partial support for SIG(0) on incoming messages.
11041 67. [performance] Allow use of alternate (compile-time supplied)
11042 OpenSSL libraries/headers.
11044 66. [func] Data in authoritative zones should have a trust level
11047 65. [cleanup] Removed obsolete typedef of dns_zone_callbackarg_t
11048 from <dns/types.h>.
11050 64. [func] The RBT, DB, and zone table APIs now allow the
11051 caller find the most-enclosing superdomain of
11054 63. [func] Generate NOTIFY messages.
11056 62. [func] Add UDP refresh support.
11058 61. [cleanup] Use single quotes consistently in log messages.
11060 60. [func] Catch and disallow singleton types on message
11063 59. [bug] Cause net/host unreachable to be a hard error
11064 when sending and receiving.
11066 58. [bug] bin/named/query.c could sometimes trigger the
11067 (client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
11068 == 0 assertion in query_newname().
11070 57. [func] Added dns_nxt_typepresent()
11072 56. [bug] SIG records were not properly returned in cached
11075 55. [bug] Responses containing multiple names in the authority
11076 section were not negatively cached.
11078 54. [bug] If a fetch with sigrdataset==NULL joined one with
11079 sigrdataset!=NULL or vice versa, the resolver
11080 could catch an assertion or lose signature data,
11083 53. [port] freebsd 4.0: lib/isc/unix/socket.c requires
11086 52. [bug] rndc: taskmgr and socketmgr were not initialized
11089 51. [cleanup] dns/compress.h and dns/zt.h did not need to include
11090 dns/rbt.h; it was needed only by compress.c and zt.c.
11092 50. [func] RBT deletion no longer requires a valid chain to work,
11093 and dns_rbt_deletenode was added.
11095 49. [func] Each cache now has its own mctx.
11097 48. [func] isc_task_create() no longer takes an mctx.
11098 isc_task_mem() has been eliminated.
11100 47. [func] A number of modules now use memory context reference
11103 46. [func] Memory contexts are now reference counted.
11104 Added isc_mem_inuse() and isc_mem_preallocate().
11105 Renamed isc_mem_destroy_check() to
11106 isc_mem_setdestroycheck().
11108 45. [bug] The trusted-key statement incorrectly loaded keys.
11110 44. [bug] Don't include authority data if it would force us
11111 to unset the AD bit in the message.
11113 43. [bug] DNSSEC verification of cached rdatasets was failing.
11115 42. [cleanup] Simplified logging of messages with embedded domain
11116 names by introducing a new convenience function
11119 41. [func] Use PR_SET_KEEPCAPS on Linux 2.3.99-pre3 and later
11120 to allow 'named' to run as a non-root user while
11121 retaining the ability to bind() to privileged
11124 40. [func] Introduced new logging category "dnssec" and
11125 logging module "dns/validator".
11127 39. [cleanup] Moved the typedefs for isc_region_t, isc_textregion_t,
11128 and isc_lex_t to <isc/types.h>.
11130 38. [bug] TSIG signed incoming zone transfers work now.
11132 37. [bug] If the first RR in an incoming zone transfer was
11133 not an SOA, the server died with an assertion failure
11134 instead of just reporting an error.
11136 36. [cleanup] Change DNS_R_SUCCESS (and others) to ISC_R_SUCCESS
11138 35. [performance] Log messages which are of a level too high to be
11139 logged by any channel in the logging configuration
11140 will not cause the log mutex to be locked.
11142 34. [bug] Recursion was allowed even with 'recursion no'.
11144 33. [func] The RBT now maintains a parent pointer at each node.
11146 32. [cleanup] bin/lwresd/client.c needs <string.h> for memset()
11149 31. [bug] Use ${LIBTOOL} to compile bin/named/main.@O@.
11151 30. [func] config file grammar change to support optional
11152 class type for a view.
11154 29. [func] support new config file view options:
11156 auth-nxdomain recursion query-source
11157 query-source-v6 transfer-source
11158 transfer-source-v6 max-transfer-time-out
11159 max-transfer-idle-out transfer-format
11160 request-ixfr provide-ixfr cleaning-interval
11161 fetch-glue notify rfc2308-type1 lame-ttl
11162 max-ncache-ttl min-roots
11164 28. [func] support lame-ttl, min-roots and serial-queries
11165 config global options.
11167 27. [bug] Only include <netinet6/in6.h> on BSD/OS 4.[01]*.
11168 Including it on other platforms (eg, NetBSD) can
11169 cause a forced #error from the C preprocessor.
11171 26. [func] new match-clients statement in config file view.
11173 25. [bug] make install failed to install <isc/log.h> and
11176 24. [cleanup] Eliminate some unnecessary #includes of header
11177 files from header files.
11179 23. [cleanup] Provide more context in log messages about client
11180 requests, using a new function ns_client_log().
11182 22. [bug] SIGs weren't returned in the answer section when
11183 the query resulted in a fetch.
11185 21. [port] Look at STD_CINCLUDES after CINCLUDES during
11186 compilation, so additional system include directories
11187 can be searched but header files in the bind9 source
11188 tree with conflicting names take precedence. This
11189 avoids issues with installed versions of dnssafe and
11192 20. [func] Configuration file post-load validation of zones
11193 failed if there were no zones.
11195 19. [bug] dns_zone_notifyreceive() failed to unlock the zone
11196 lock in certain error cases.
11198 18. [bug] Use AC_TRY_LINK rather than AC_TRY_COMPILE in
11199 configure.in to check for presence of in6addr_any.
11201 17. [func] Do configuration file post-load validation of zones.
11203 16. [bug] put quotes around key names on config file
11204 output to avoid possible keyword clashes.
11206 15. [func] Add dns_name_dupwithoffsets(). This function is
11207 improves comparison performance for duped names.
11209 14. [bug] free_rbtdb() could have 'put' unallocated memory in
11210 an unlikely error path.
11212 13. [bug] lib/dns/master.c and lib/dns/xfrin.c didn't ignore
11215 12. [bug] Fixed possible uninitialized variable error.
11217 11. [bug] axfr_rrstream_first() didn't check the result code of
11218 db_rr_iterator_first(), possibly causing an assertion
11219 to be triggered later.
11221 10. [bug] A bug in the code which makes EDNS0 OPT records in
11222 bin/named/client.c and lib/dns/resolver.c could
11223 trigger an assertion.
11225 9. [cleanup] replaced bit-setting code in confctx.c and replaced
11226 repeated code with macro calls.
11228 8. [bug] Shutdown of incoming zone transfer accessed
11231 7. [cleanup] removed 'listen-on' from view statement.
11233 6. [bug] quote RR names when generating config file to
11234 prevent possible clash with config file keywords
11237 5. [func] syntax change to named.conf file: new ssu grant/deny
11238 statements must now be enclosed by an 'update-policy'
11241 4. [port] bin/named/unix/os.c didn't compile on systems with
11242 linux 2.3 kernel includes due to conflicts between
11243 C library includes and the kernel includes. We now
11244 get only what we need from <linux/capability.h>, and
11245 avoid pulling in other linux kernel .h files.
11247 3. [bug] TKEYs go in the answer section of responses, not
11248 the additional section.
11250 2. [bug] Generating cryptographic randomness failed on
11251 systems without /dev/random.
11253 1. [bug] The installdirs rule in
11254 lib/isc/unix/include/isc/Makefile.in had a typo which
11255 prevented the isc directory from being created if it
11258 --- 9.0.0b2 released ---
11260 # This tells Emacs to use hard tabs in this file.
11262 # indent-tabs-mode: t