1 --- 9.9.8-P4 released ---
3 4319. [security] Fix resolver assertion failure due to improper
4 DNAME handling when parsing fetch reply messages.
5 (CVE-2016-1286) [RT #41753]
7 4318. [security] Malformed control messages can trigger assertions
8 in named and rndc. (CVE-2016-1285) [RT #41666]
10 --- 9.9.8-P3 released ---
12 4288. [bug] Fixed a regression in resolver.c:possibly_mark()
13 which caused known-bogus servers to be queried
16 4285. [security] Specific APL data could trigger a INSIST.
17 (CVE-2015-8704) [RT #41396]
19 --- 9.9.8-P2 released ---
21 4270. [security] Update allowed OpenSSL versions as named is
22 potentially vulnerable to CVE-2015-3193.
24 4261. [maint] H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53.
27 4260. [security] Insufficient testing when parsing a message allowed
28 records with an incorrect class to be be accepted,
29 triggering a REQUIRE failure when those records
30 were subsequently cached. (CVE-2015-8000) [RT #40987]
32 4253. [security] Address fetch context reference count handling error
33 on socket error. (CVE-2015-8461) [RT#40945]
35 --- 9.9.8-P1 (withdrawn) ---
37 --- 9.9.8 released ---
39 --- 9.9.8rc1 released ---
41 4193. [bug] Handle broken servers that return BADVERS incorrectly.
44 4192. [bug] The default rrset-order of random was not always being
47 4191. [protocol] Accept DNS-SD non LDH PTR records in reverse zones
48 as per RFC 6763. [RT #37889]
50 4190. [protocol] Accept Active Diretory gc._msdcs.<forest> name as
51 valid with check-names. <forest> still needs to be
54 4189. [cleanup] Don't exit on overly long tokens in named.conf.
57 4188. [bug] Support HTTP/1.0 client properly on the statistics
60 4187. [func] When any RR type implementation doesn't
61 implement totext() for the RDATA's wire
62 representation and returns ISC_R_NOTIMPLEMENTED,
63 such RDATA is now printed in unknown
64 presentation format (RFC 3597). RR types affected
65 include LOC(29) and APL(42). [RT #40317].
67 4183. [cleanup] Use timing-safe memory comparisons in cryptographic
68 code. Also, the timing-safe comparison functions have
69 been renamed to avoid possible confusion with
70 memcmp(). Thanks to Loganaden Velvindron of
73 4182. [cleanup] Use mnemonics for RR class and type comparisons.
76 4181. [bug] Queued notify messages could be dequeued from the
77 wrong rate limiter queue. [RT #40350]
79 4179. [bug] Fix double frees in getaddrinfo() in libirs.
82 4178. [bug] Fix assertion failure in parsing UNSPEC(103) RR from
85 4177. [bug] Fix assertion failure in parsing NSAP records from
88 4176. [bug] Address race issues with lwresd. [RT #40284]
90 4175. [bug] TKEY with GSS-API keys needed bigger buffers.
93 4174. [bug] "dnssec-coverage -r" didn't handle time unit
94 suffixes correctly. [RT #38444]
96 4173. [bug] dig +sigchase was not properly matching the trusted
99 4172. [bug] Named / named-checkconf didn't handle a view of CLASS0.
102 4171. [bug] Fixed incorrect class checks in TSIG RR
103 implementation. [RT #40287]
105 4170. [security] An incorrect boundary check in the OPENPGPKEY
106 rdatatype could trigger an assertion failure.
107 (CVE-2015-5986) [RT #40286]
109 4169. [test] Added a 'wire_test -d' option to read input as
110 raw binary data, for use as a fuzzing harness.
113 4168. [security] A buffer accounting error could trigger an
114 assertion failure when parsing certain malformed
115 DNSSEC keys. (CVE-2015-5722) [RT #40212]
117 --- 9.9.8b1 released ---
119 4165. [security] A failure to reset a value to NULL in tkey.c could
120 result in an assertion failure. (CVE-2015-5477)
123 4164. [bug] Don't rename slave files and journals on out of memory.
126 4163. [bug] Address compiler warnings. [RT #40024]
128 4162. [bug] httpdmgr->flags was not being initialized. [RT #40017]
130 4159. [cleanup] Alphabetize dig's help output. [RT #39966]
132 4158. [protocol] Support the printing of EDNS COOKIE and EXPIRE options.
135 4154. [bug] A OPT record should be included with the FORMERR
136 response when there is a malformed EDNS option.
139 4153. [bug] Check that non significant ECS bits are zero on
142 4151. [bug] 'rndc flush' could cause a deadlock. [RT #39835]
144 4150. [bug] win32: listen-on-v6 { any; }; was not working. Apply
145 minimal fix. [RT #39667]
147 4149. [bug] Fixed a race condition in the getaddrinfo()
148 implementation in libirs. [RT #39899]
150 4148. [bug] Fix a bug when printing zone names with '/' character
151 in XML and JSON statistics output. [RT #39873]
153 4147. [bug] Filter-aaaa / filter-aaaa-on-v4 / filter-aaaa-on-v6
154 was returning referrals rather than nodata responses
155 when the AAAA records were filtered. [RT #39843]
157 4146. [bug] Address reference leak that could prevent a clean
158 shutdown. [RT #37125]
160 4145. [bug] Not all unassociated adb entries where being printed.
163 4143. [bug] serial-query-rate was not effective for notify.
166 4142. [bug] rndc addzone with view specified saved NZF config
167 that could not be read back by named. This has now
168 been fixed. [RT #39845]
170 4138. [security] An uninitialized value in validator.c could result
171 in an assertion failure. (CVE-2015-4620) [RT #39795]
173 4137. [bug] Make rndc reconfig report configuration errors the
174 same way rndc reload does. [RT #39635]
176 4132. [cleanup] dig: added +rd as a synonym for +recurse,
177 added +class as an unabbreviated alternative
180 4130. [bug] The compatibility shim for *printf() misprinted some
181 large numbers. [RT #39586]
183 4129. [port] Address API changes in OpenSSL 1.1.0. [RT #39532]
185 4128. [bug] Address issues raised by Coverity 7.6. [RT #39537]
187 4127. [protocol] CDS and CDNSKEY need to be signed by the key signing
188 key as per RFC 7344, Section 4.1. [RT #37215]
190 4123. [port] Added %z (size_t) format options to the portable
191 internal printf/sprintf implementation. [RT #39586]
193 4118. [bug] Teach isc-config.sh about irs. [RT #39213]
195 4117. [protocol] Add EMPTY.AS112.ARPA as per RFC 7534.
197 4113. [test] Check for Net::DNS is some system test
198 prerequisites. [RT #39369]
200 4112. [bug] Named failed to load when "root-delegation-only"
201 was used without a list of domains to exclude.
204 4111. [doc] Alphabetize rndc man page. [RT #39360]
206 4110. [bug] Address memory leaks / null pointer dereferences
207 on out of memory. [RT #39310]
209 4109. [port] linux: support reading the local port range from
210 net.ipv4.ip_local_port_range. [RT # 39379]
212 4107. [bug] Address potential deadlock when updating zone content.
215 4106. [port] Improve readline support. [RT #38938]
217 4105. [port] Misc fixes for Microsoft Visual Studio
218 2015 CTP6 in 64 bit mode. [RT #39308]
220 4104. [bug] Address uninitialized elements. [RT #39252]
222 4102. [bug] Fix a use after free bug introduced in change
225 4101. [bug] dig: the +split option didn't work with +short.
228 4100. [bug] Inherited owernames on the line immediately following
229 a $INCLUDE were not working. [RT #39268]
231 4099. [port] clang: make unknown commandline options hard errors
232 when determining what options are supported.
235 4098. [bug] Address use-after-free issue when using a
236 predecessor key with dnssec-settime. [RT #39272]
238 4097. [func] Add additional logging about xfrin transfer status.
241 4096. [bug] Fix a use after free of query->sendevent.
244 4094. [bug] A race during shutdown or reconfiguration could
245 cause an assertion in mem.c. [RT #38979]
247 4091. [cleanup] Some cleanups in isc mem code. [RT #38896]
249 4090. [bug] Fix a crash while parsing malformed CAA RRs in
250 presentation format, i.e., from text such as
251 from master files. Thanks to John Van de
252 Meulebrouck Brendgard for discovering and
253 reporting this problem. [RT #39003]
255 4089. [bug] Send notifies immediately for slave zones during
258 4088. [port] Fixed errors when building with libressl. [RT #38899]
260 4087. [bug] Fix a crash due to use-after-free due to sequencing
261 of tasks actions. [RT #38495]
263 4085. [bug] ISC_PLATFORM_HAVEXADDQ could be inconsistently set.
266 4084. [bug] Fix a possible race in updating stats counters.
269 4082. [bug] Incrementally sign large inline zone deltas.
272 4081. [cleanup] Use dns_rdatalist_init consistently. [RT #38759]
274 4077. [test] Add static-stub regression test for DS NXDOMAIN
275 return making the static stub disappear. [RT #38564]
277 4076. [bug] Named could crash on shutdown with outstanding
278 reload / reconfig events. [RT #38622]
280 4075. [bug] Increase nsupdate's input buffer to accomodate
281 very large RRs. [RT #38689]
283 4074. [cleanup] Cleaned up more warnings from gcc -Wshadow. [RT #38708]
285 4073. [cleanup] Add libjson-c version number reporting to
286 "named -V"; normalize version number formatting.
289 4072. [func] Add a --enable-querytrace configure switch for
290 very verbose query trace logging. (This option
291 has a negative performance impact and should be
292 used only for debugging.) [RT #37520]
294 4070. [bug] Fix a segfault in nslookup in a query such as
295 "nslookup isc.org AMS.SNS-PB.ISC.ORG -all".
298 4069. [doc] Reorganize options in the nsupdate man page.
301 4067. [cleanup] Reduce noise from RRL when query logging is
302 disabled. [RT #38648]
304 4066. [doc] Reorganize options in the dig man page. [RT #38516]
306 4064. [contrib] dnssec-keyset.sh: Generates a specified number
307 of DNSSEC keys with timing set to implement a
308 pre-publication key rollover strategy. Thanks
309 to Jeffry A. Spain. [RT #38459]
311 4063. [bug] Asynchronous zone loads were not handled
312 correctly when the zone load was already in
313 progress; this could trigger a crash in zt.c.
316 4062. [bug] Fix an out-of-bounds read in RPZ code. If the
317 read succeeded, it doesn't result in a bug
318 during operation. If the read failed, named
319 could segfault. [RT #38559]
321 3938. [func] Added quotas to be used in recursive resolvers
322 that are under high query load for names in zones
323 whose authoritative servers are nonresponsive or
324 are experiencing a denial of service attack.
326 - "fetches-per-server" limits the number of
327 simultaneous queries that can be sent to any
328 single authoritative server. The configured
329 value is a starting point; it is automatically
330 adjusted downward if the server is partially or
331 completely non-responsive. The algorithm used to
332 adjust the quota can be configured via the
333 "fetch-quota-params" option.
334 - "fetches-per-zone" limits the number of
335 simultaneous queries that can be sent for names
336 within a single domain. (Note: Unlike
337 "fetches-per-server", this value is not
339 - New stats counters have been added to count
340 queries spilled due to these quotas.
342 These options are not available by default;
343 use "configure --enable-fetchlimit" (or
344 --enable-developer) to include them in the build.
346 See the ARM for details of these options. [RT #37125]
348 3937. [func] Added some debug logging to better indicate the
349 conditions causing SERVFAILs when resolving.
352 --- 9.9.7 released ---
354 --- 9.9.7rc2 released ---
356 4061. [bug] Handle timeout in legacy system test. [RT #38573]
358 4060. [bug] dns_rdata_freestruct could be called on a
359 uninitialized structure when handling a error.
362 4059. [bug] Addressed valgrind warnings. [RT #38549]
364 4058. [bug] UDP dispatches could use the wrong pseudorandom
365 number generator context. [RT #38578]
367 4056. [bug] Fixed several small bugs in automatic trust anchor
368 management, including a memory leak and a possible
369 loss of key state information. [RT #38458]
371 4057. [bug] 'dnssec-dsfromkey -T 0' failed to add ttl field.
374 4053. [security] Revoking a managed trust anchor and supplying
375 an untrusted replacement could cause named
376 to crash with an assertion failure.
377 (CVE-2015-1349) [RT #38344]
379 4052. [bug] Fix a leak of query fetchlock. [RT #38454]
381 4050. [bug] RPZ could send spurious SERVFAILs in response
382 to duplicate queries. [RT #38510]
384 4049. [bug] CDS and CDNSKEY had the wrong attributes. [RT #38491]
386 4048. [bug] adb hash table was not being grown. [RT #38470]
388 --- 9.9.7rc1 released ---
390 4047. [cleanup] "named -V" now reports the current running versions
391 of OpenSSL and the libxml2 libraries, in addition to
392 the versions that were in use at build time.
394 4046. [bug] Accounting of "total use" in memory context
395 statistics was not correct. [RT #38370]
397 4045. [bug] Skip to next master on dns_request_createvia4 failure.
400 4044. [bug] Change 3955 was not complete, resulting in an assertion
401 failure if the timing was just right. [RT #38352]
403 4039. [cleanup] Cleaned up warnings from gcc -Wshadow. [RT #37381]
405 4038. [bug] Add 'rpz' flag to node and use it to determine whether
406 to call dns_rpz_delete. This should prevent unbalanced
407 add / delete calls. [RT #36888]
409 4037. [bug] also-notify was ignoring the tsig key when checking
410 for duplicates resulting in some expected notify
411 messages not being sent. [RT #38369]
413 4035. [bug] Close temporary and NZF FILE pointers before moving
414 the former into the latter's place, as required on
417 4032. [bug] Built-in "empty" zones did not correctly inherit the
418 "allow-transfer" ACL from the options or view.
421 4031. [bug] named-checkconf -z failed to report a missing file
422 with a hint zone. [RT #38294]
424 4028. [bug] $GENERATE with a zero step was not being caught as a
425 error. A $GENERATE with a / but no step was not being
426 caught as a error. [RT #38262]
428 3973. [test] Added hooks for Google Performance Tools CPU profiler,
429 including real-time/wall-clock profiling. Use
430 "configure --with-gperftools-profiler" to enable.
433 --- 9.9.7b1 released ---
435 4027. [port] Net::DNS 0.81 compatibility. [RT #38165]
437 4026. [bug] Fix RFC 3658 reference in dig +sigchase. [RT #38173]
439 4025. [port] bsdi: failed to build. [RT #38047]
441 4024. [bug] dns_rdata_opt_first, dns_rdata_opt_next,
442 dns_rdata_opt_current, dns_rdata_txt_first,
443 dns_rdata_txt_next and dns_rdata_txt_current were
444 documented but not implemented. These have now been
447 dns_rdata_spf_first, dns_rdata_spf_next and
448 dns_rdata_spf_current were documented but not
449 implemented. The prototypes for these
450 functions have been removed. [RT #38068]
452 4023. [bug] win32: socket handling with explicit ports and
453 invoking named with -4 was broken for some
454 configurations. [RT #38068]
456 4021. [bug] Adjust max-recursion-queries to accommodate
457 the need for more queries when the cache is
460 4020. [bug] Change 3736 broke nsupdate's SOA MNAME discovery
461 resulting in updates being sent to the wrong server.
464 4019. [func] If named is not configured to validate the answer
465 then allow fallback to plain DNS on timeout even
466 when we know the server supports EDNS. [RT #37978]
468 4018. [bug] Fall back to plain DNS when EDNS queries are being
469 dropped was failing. [RT #37965]
471 4017. [test] Add system test to check lookups to legacy servers
472 with broken DNS behavior. [RT #37965]
474 4016. [bug] Fix a dig segfault due to bad linked list usage.
477 4015. [bug] Nameservers that are skipped due to them being
478 CNAMEs were not being logged. They are now logged
479 to category 'cname' as per BIND 8. [RT #37935]
481 4014. [bug] When including a master file origin_changed was
482 not being properly set leading to a potentially
483 spurious 'inherited owner' warning. [RT #37919]
485 4012. [bug] Check returned status of OpenSSL digest and HMAC
486 functions when they return one. Note this applies
487 only to FIPS capable OpenSSL libraries put in
488 FIPS mode and MD5. [RT #37944]
490 4011. [bug] master's list port inheritance was not properly
491 implemented. [RT #37792]
493 4007. [doc] Remove acl forward reference restriction. [RT #37772]
495 4006. [security] A flaw in delegation handling could be exploited
496 to put named into an infinite loop. This has
497 been addressed by placing limits on the number
498 of levels of recursion named will allow (default 7),
499 and the number of iterative queries that it will
500 send (default 50) before terminating a recursive
501 query (CVE-2014-8500).
503 The recursion depth limit is configured via the
504 "max-recursion-depth" option, and the query limit
505 via the "max-recursion-queries" option. [RT #37580]
507 4004. [bug] When delegations had AAAA glue but not A, a
508 reference could be leaked causing an assertion
509 failure on shutdown. [RT #37796]
511 4000. [bug] NXDOMAIN redirection incorrectly handled NXRRSET
512 from the redirect zone. [RT #37722]
514 3998. [bug] isc_radix_search was returning matches that were
515 too precise. [RT #37680]
517 3997. [protocol] Add OPENGPGKEY record. [RT# 37671]
519 3996. [bug] Address use after free on out of memory error in
520 keyring_add. [RT #37639]
522 3995. [bug] receive_secure_serial holds the zone lock for too
525 3990. [testing] Add tests for unknown DNSSEC algorithm handling.
528 3989. [cleanup] Remove redundant dns_db_resigned calls. [RT #35748]
530 3987. [func] Handle future Visual Studio 14 incompatible changes.
533 3986. [doc] Add the BIND version number to page footers
534 in the ARM. [RT #37398]
536 3985. [doc] Describe how +ndots and +search interact in dig.
539 3982. [doc] Include release notes in product documentation.
542 3981. [bug] Cache DS/NXDOMAIN independently of other query types.
545 3978. [test] Added a unit test for Diffie-Hellman key
546 computation, completing change #3974. [RT #37477]
548 3976. [bug] When refreshing managed-key trust anchors, clear
549 any cached trust so that they will always be
550 revalidated with the current set of secure
553 3974. [bug] Handle DH_compute_key() failure correctly in
554 openssldh_link.c. [RT #37477]
556 3972. [bug] Fix host's usage statement. [RT #37397]
558 3971. [bug] Reduce the cascading failures due to a bad $TTL line
559 in named-checkconf / named-checkzone. [RT #37138]
561 3970. [contrib] Fixed a use after free bug in the SDB LDAP driver.
564 3968. [bug] Silence spurious log messages when using 'named -[46]'.
567 3967. [test] Add test for inlined signed zone in multiple views
568 with different DNSKEY sets. [RT #35759]
570 3966. [bug] Missing dns_db_closeversion call in receive_secure_db.
573 3962. [bug] 'dig +topdown +trace +sigchase' address unhandled error
574 conditions. [RT #34663]
576 3961. [bug] Forwarding of SIG(0) signed UPDATE messages failed with
579 3960. [bug] 'dig +sigchase' could loop forever. [RT #37220]
581 3959. [bug] Updates could be lost if they arrived immediately
582 after a rndc thaw. [RT #37233]
584 3958. [bug] Detect when writeable files have multiple references
585 in named.conf. [RT #37172]
587 3957. [bug] "dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256
588 and ECDSAP384SHA384. [RT #37183]
590 3955. [bug] Notify messages due to changes are no longer queued
591 behind startup notify messages. [RT #24454]
593 3954. [bug] Unchecked mutex init in dlz_dlopen_driver.c [RT #37112]
595 3953. [bug] Don't escape semi-colon in TXT fields. [RT #37159]
597 3952. [bug] dns_name_fullcompare failed to set *nlabelsp when the
598 two name pointers were the same. [RT #37176]
600 --- 9.9.6 released ---
602 3950. [port] Changed the bin/python Makefile to work around a
603 bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993]
605 --- 9.9.6rc2 released ---
607 3947. [cleanup] Set the executable bit on libraries when using
610 3946. [cleanup] Improved "configure" search for a python interpreter.
613 3945. [bug] Invalid wildcard expansions could be incorrectly
614 accepted by the validator. [RT #37093]
616 3944. [test] Added a regression test for "server-id". [RT #37057]
618 3942. [bug] Wildcard responses from a optout range should be
619 marked as insecure. [RT #37072]
621 3941. [doc] Include the BIND version number in the ARM. [RT #37067]
623 --- 9.9.6rc1 released ---
625 3933. [bug] Corrected the implementation of dns_rdata_casecompare()
626 for the HIP rdata type. [RT #36911]
628 3932. [test] Improved named-checkconf tests. [RT #36911]
630 3931. [cleanup] Cleanup how dlz grammar is defined. [RT #36879]
632 3929. [bug] 'host -a' needed to clear idnoptions. [RT #36963]
634 3928. [test] Improve rndc system test. [RT #36898]
636 3925. [bug] DS lookup of RFC 1918 empty zones failed. [RT #36917]
638 3924. [bug] Improve 'rndc addzone' error reporting. [RT #35187]
640 3923. [bug] Sanity check the xml2-config output. [RT #22246]
642 3922. [bug] When resigning, dnssec-signzone was removing
643 all signatures from delegation nodes. It now
644 retains DS and (if applicable) NSEC signatures.
647 3921. [bug] AD was inappropriately set on RPZ responses. [RT #36833]
649 3919. [bug] dig: continue to next line if a address lookup fails
650 in batch mode. [RT #36755]
652 3918. [doc] Update check-spf documentation. [RT #36910]
654 3917. [bug] dig, nslookup and host now continue on names that are
655 too long after applying a search list elements.
658 3916. [contrib] zone2sqlite checked wrong result code. Address
659 compiler warnings. [RT #36931]
661 --- 9.9.6b2 released ---
663 3914. [bug] Allow the URI target and CAA value fields to
664 be zero length. [RT #36737]
666 3913. [bug] Address race issue in dispatch. [RT #36731]
668 3910. [bug] Fix races to free event during shutdown. [RT #36720]
670 3909. [bug] When computing the number of elements required for a
671 acl count_acl_elements could have a short count leading
672 to a assertion failure. Also zero out new acl elements
673 in dns_acl_merge. [RT #36675]
675 3908. [bug] rndc now differentiates between a zone in multiple
676 views and a zone that doesn't exist at all. [RT #36691]
678 3907. [cleanup] Alphabetize rndc help. [RT #36683]
680 3906. [protocol] Update URI record format to comply with
681 draft-faltstrom-uri-08. [RT #36642]
683 3905. [bug] Address deadlock between view.c and adb.c. [RT #36341]
685 3904. [func] Add the RPZ SOA to the additional section. [RT36507]
687 3903. [bug] Improve the accuracy of DiG's reported round trip
690 3902. [bug] liblwres wasn't handling link-local addresses in
691 nameserver clauses in resolv.conf. [RT #36039]
693 3901. [protocol] Added support for CAA record type (RFC 6844).
696 3900. [bug] Fix a crash in PostgreSQL DLZ driver. [RT #36637]
698 3899. [bug] "request-ixfr" is only applicable to slave and redirect
701 3898. [bug] Too small a buffer in tohexstr() calls in test code.
704 3894. [bug] Buffers in isc_print_vsnprintf were not properly
705 initialized leading to potential overflows when
706 printing out quad values. [RT #36505]
708 3892. [bug] Setting '-t aaaa' in .digrc had unintended side
711 3891. [bug] Use ${INSTALL_SCRIPT} rather than ${INSTALL_PROGRAM}
712 to install python programs.
714 3890. [bug] RRSIG sets that were not loaded in a single transaction
715 at start up where not being correctly added to
716 re-signing heaps. [RT #36302]
718 3889. [port] hurd: configure fixes as per:
719 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746540
721 3887. [cleanup] Make all static symbols in rbtdb64 end in "64" so
722 they are easier to use in a debugger. [RT #36373]
724 --- 9.9.6b1 released ---
726 3885. [port] Use 'open()' rather than 'file()' to open files in
729 3884. [protocol] Add CDS and CDNSKEY record types. [RT #36333]
731 3881. [bug] Address memory leak with UPDATE error handling.
734 3880. [test] Update ans.pl to work with new TSIG support in
735 Net::DNS; add additional Net::DNS version prerequisite
738 3879. [func] Add version printing option to various BIND utilities.
741 3878. [bug] Using the incorrect filename for a DLZ module
742 caused a segmentation fault on startup. [RT #36286]
744 3874. [test] Check that only "check-names master" is needed for
745 updates to be accepted.
747 3873. [protocol] Only warn for SPF without TXT spf record. [RT #36210]
749 3872. [bug] Address issues found by static analysis. [RT #36209]
751 3871. [bug] Don't publish an activated key automatically before
752 its publish time. [RT #35063]
758 3868. [bug] isc_mem_setwater incorrectly cleared hi_called
759 potentially leaving over memory cleaner running.
762 3866. [bug] Named could die on disk full in generate_session_key.
765 3864. [bug] RPZ didn't work well when being used as forwarder.
768 3862. [cleanup] Return immediately if we are not going to log the
769 message in ns_client_dumpmessage.
771 3861. [bug] Benign missing isc_buffer_availablelength check in
772 dns_message_pseudosectiontotext. [RT #36078]
774 3860. [bug] ioctl(DP_POLL) array size needs to be determined
775 at run time as it is limited to {OPEN_MAX}.
778 3858. [bug] Disable GCC 4.9 "delete null pointer check".
781 3857. [bug] Make it harder for a incorrect NOEDNS classification
782 to be made. [RT #36020]
784 3855. [bug] Limit smoothed round trip time aging to no more than
785 once a second. [RT #32909]
787 3854. [cleanup] Report unrecognized options, if any, in the final
788 configure summary. [RT #36014]
790 3853. [cleanup] Refactor dns_rdataslab_fromrdataset to separate out
791 the handling of a rdataset with no records. [RT #35968]
793 3849. [doc] Alphabetized dig's +options. [RT #35992]
795 3847. [bug] 'configure --with-dlz-postgres' failed to fail when
796 there is not support available.
798 3846. [bug] "dig +notcp ixfr=<serial>" should result in a UDP
799 ixfr query. [RT #35980]
801 3844. [bug] Use the x64 version of the Microsoft Visual C++
802 Redistributable when built for 64 bit Windows.
805 3843. [protocol] Check EDNS EXPIRE option in dns_rdata_fromwire.
808 3842. [bug] Adjust RRL log-only logging category. [RT #35945]
810 3841. [cleanup] Refactor zone.c:add_opt to use dns_message_buildopt.
813 3840. [port] Check for arc4random_addrandom() before using it;
814 it's been removed from OpenBSD 5.5. [RT #35907]
816 3839. [test] Use only posix-compatible shell in system tests.
819 3838. [protocol] EDNS EXPIRE as been assigned a code point of 9.
821 3836. [bug] Address C++ keyword usage in header file.
823 3834. [bug] The re-signing heaps were not being updated soon enough
824 leading to multiple re-generations of the same RRSIG
825 when a zone transfer was in progress. [RT #35273]
827 3833. [bug] Cross compiling was broken due to calling genrandom at
828 build time. [RT #35869]
830 3827. [contrib] The example DLZ driver (a version of which is
831 also used in the dlzexternal system test) could
832 use absolute names as relative. [RT #35802]
834 3826. [bug] Corrected bad INSIST logic in isc_radix_remove().
837 3825. [bug] Address sign extension bug in isc_regex_validate.
840 3824. [bug] A collision between two flag values could cause
841 problems with cache cleaning. [RT #35858]
843 3822. [bug] Log the correct type of static-stub zones when
844 removing them. [RT #35842]
846 3819. [bug] NSEC3 hashes need to be able to be entered and
847 displayed without padding. This is not a issue for
848 currently defined algorithms but may be for future
849 hash algorithms. [RT #27925]
851 3818. [bug] Stop lying to the optimizer that 'void *arg' is a
852 constant in isc_event_allocate.
854 3815. [doc] Clarify "nsupdate -y" usage in man page. [RT #35808]
856 3809. [doc] Fix NSID documentation.
858 3807. [bug] Fix sign extension bug in dns_name_fromtext when
859 lowercase is set. [RT #35743]
861 3806. [test] Improved system test portability. [RT #35625]
863 3805. [contrib] Added contrib/perftcpdns, a performance testing tool
864 for DNS over TCP. [RT #35710]
866 3804. [bug] Corrected a race condition in dispatch.c in which
867 portentry could be reset leading to an assertion
868 failure in socket_search(). (Change #3708
869 addressed the same issue but was incomplete.)
872 3803. [bug] "named-checkconf -z" incorrectly rejected zones
873 using alternate data sources for not having a "file"
876 3802. [bug] Various header files were not being installed.
878 3801. [port] Fix probing for gssapi support on FreeBSD. [RT #35615]
880 3799. [bug] Improve named's command line error reporting.
883 3796. [bug] Register dns error codes. [RT #35629]
885 3795. [bug] Make named-checkconf detect raw masterfiles for
886 hint zones and reject them. [RT #35268]
888 3794. [maint] Added AAAA for C.ROOT-SERVERS.NET.
890 3793. [bug] zone.c:save_nsec3param() could assert when out of
893 3792. [func] Provide links to the alternate statistics views when
894 displaying in a browser. [RT #35605]
896 3791. [bug] solaris: remove extraneous return. [RT #35589]
898 3787. [bug] The code that checks whether "auto-dnssec" is
899 allowed was ignoring "allow-update" ACLs set at
900 the options or view level. [RT #29536]
902 3780. [bug] $GENERATE handled negative numbers incorrectly.
905 3779. [cleanup] Clarify the error message when using an option
906 that was not enabled at compile time. [RT #35504]
908 3778. [bug] Log a warning when the wrong address family is
909 used in "listen-on" or "listen-on-v6". [RT #17848]
911 3775. [bug] dlz_dlopen driver could return the wrong error
912 code on API version mismatch, leading to a segfault.
915 3773. [func] "host", "nslookup" and "nsupdate" now have
916 options to print the version number and exit.
919 3770. [bug] "dig +trace" could fail with an assertion when it
920 needed to fall back to TCP due to a truncated
921 response. [RT #24660]
923 3769. [doc] Improved documentation of "rndc signing -list".
926 3768. [bug] "dnssec-checkds" was missing the SHA-384 digest
927 algorithm. [RT #34000]
929 3767. [func] Log explicitly when using rndc.key to configure
930 command channel. [RT #35316]
932 3765. [bug] Fixed a bug in "rndc secroots" that could crash
933 named when dumping an empty keynode. [RT #35469]
935 3764. [bug] The dnssec-keygen/settime -S and -i options
936 (to set up a successor key and set the prepublication
937 interval) were missing from dnssec-keyfromlabel.
940 3761. [bug] Address dangling reference bug in dns_keytable_add.
943 3757. [port] Enable Python tools (dnssec-coverage,
944 dnssec-checkds) to run on Windows. [RT #34355]
946 3756. [bug] GSSAPI Kerberos realm checking was broken in
947 check_config leading to spurious messages being
950 3754. [cleanup] win32: Installer now places files in the
951 Program Files area rather than system services.
954 3753. [bug] allow-notify was ignoring keys. [RT #35425]
956 3751. [tuning] The default setting for the -U option (setting
957 the number of UDP listeners per interface) has
958 been adjusted to improve performance. [RT #35417]
960 3747. [bug] A race condition could lead to a core dump when
961 destroying a resolver fetch object. [RT #35385]
963 3743. [bug] delegation-only flag wasn't working in forward zone
964 declarations despite being documented. This is
965 needed to support turning off forwarding and turning
966 on delegation only at the same name. [RT #35392]
968 3742. [port] linux: libcap support: declare curval at start of
971 3740. [contrib] Minor fixes to configure --with-dlz-bdb,
972 --with-dlz-postgres and --with-dlz-odbc. [RT #35340]
974 3737. [bug] 'rndc retransfer' could trigger a assertion failure
975 with inline zones. [RT #35353]
977 3736. [bug] nsupdate: When specifying a server by name,
978 fall back to alternate addresses if the first
979 address for that name is not reachable. [RT #25784]
981 3734. [bug] Improve building with libtool. [RT #35314]
983 3732. [contrib] Fixed a type mismatch causing the ODBC DLZ
984 driver to dump core on 64-bit systems. [RT #35324]
986 3731. [func] Added a "no-case-compress" ACL, which causes
987 named to use case-insensitive compression
988 (disabling change #3645) for specified
989 clients. (This is useful when dealing
990 with broken client implementations that
991 use case-sensitive name comparisons,
992 rejecting responses that fail to match the
993 capitalization of the query that was sent.)
996 3730. [cleanup] Added "never" as a synonym for "none" when
997 configuring key event dates in the dnssec tools.
1000 3729. [bug] dnssec-keygen could set the publication date
1001 incorrectly when only the activation date was
1002 specified on the command line. [RT #35278]
1004 3724. [bug] win32: Fixed a bug that prevented dig and
1005 host from exiting properly after completing
1006 a UDP query. [RT #35288]
1008 3720. [bug] Address compiler warnings. [RT #35261]
1010 3719. [bug] Address memory leak in in peer.c. [RT #35255]
1012 3718. [bug] A missing ISC_LINK_INIT in log.c. [RT #35260]
1014 3714. [test] System tests that need to test for cryptography
1015 support before running can now use a common
1016 "testcrypto.sh" script to do so. [RT #35213]
1018 3713. [bug] Save memory by not storing "also-notify" addresses
1019 in zone objects that are configured not to send
1020 notify requests. [RT #35195]
1022 --- 9.9.5 released ---
1024 --- 9.9.5rc2 released ---
1026 3710. [bug] Address double dns_zone_detach when switching to
1027 using automatic empty zones from regular zones.
1030 3709. [port] Use built-in versions of strptime() and timegm()
1031 on all platforms to avoid portability issues.
1034 3708. [bug] Address a portentry locking issue in dispatch.c.
1037 3707. [bug] irs_resconf_load now returns ISC_R_FILENOTFOUND
1038 on a missing resolv.conf file and initializes the
1039 structure as if it had been configured with:
1042 nameserver 127.0.0.1
1044 Note: Callers will need to be updated to treat
1045 ISC_R_FILENOTFOUND as a qualified success or else
1046 they will leak memory. The following code fragment
1047 will work with both old and new versions without
1048 changing the behaviour of the existing code.
1051 result = irs_resconf_load(mctx, "/etc/resolv.conf",
1053 if (result != ISC_SUCCESS) {
1054 if (resconf != NULL)
1055 irs_resconf_destroy(&resconf);
1061 3706. [contrib] queryperf: Fixed a possible integer overflow when
1062 printing results. [RT #35182]
1064 3704. [protocol] Accept integer timestamps in RRSIG records. [RT #35185]
1066 --- 9.9.5rc1 released ---
1068 3701. [func] named-checkconf can now obscure shared secrets
1069 when printing by specifying '-x'. [RT #34465]
1071 3699. [bug] Improvements to statistics channel XSL stylesheet:
1072 the stylesheet can now be cached by the browser;
1073 section headers are omitted from the stats display
1074 when there is no data in those sections to be
1075 displayed; counters are now right-justified for
1076 easier readability. (Only available with
1077 configure --enable-newstats.) [RT #35117]
1079 3698. [cleanup] Replaced all uses of memcpy() with memmove().
1082 3697. [bug] Handle "." as a search list element when IDN support
1083 is enabled. [RT #35133]
1085 3696. [bug] dig failed to handle AXFR style IXFR responses which
1086 span multiple messages. [RT #35137]
1088 3695. [bug] Address a possible race in dispatch.c. [RT #35107]
1090 3694. [bug] Warn when a key-directory is configured for a zone,
1091 but does not exist or is not a directory. [RT #35108]
1093 3693. [security] memcpy was incorrectly called with overlapping
1094 ranges resulting in malformed names being generated
1095 on some platforms. This could cause INSIST failures
1096 when serving NSEC3 signed zones (CVE-2014-0591).
1099 3692. [bug] Two calls to dns_db_getoriginnode were fatal if there
1100 was no data at the node. [RT #35080]
1102 3690. [bug] Iterative responses could be missed when the source
1103 port for an upstream query was the same as the
1104 listener port (53). [RT #34925]
1106 3689. [bug] Fixed a bug causing an insecure delegation from one
1107 static-stub zone to another to fail with a broken
1108 trust chain. [RT #35081]
1110 --- 9.9.5b1 released ---
1112 3688. [bug] loadnode could return a freed node on out of memory.
1115 3687. [bug] Address null pointer dereference in zone_xfrdone.
1118 3686. [func] "dnssec-signzone -Q" drops signatures from keys
1119 that are still published but no longer active.
1122 3685. [bug] "rndc refresh" didn't work correctly with slave
1123 zones using inline-signing. [RT #35105]
1125 3683. [cleanup] Add a more detailed "not found" message to rndc
1126 commands which specify a zone name. [RT #35059]
1128 3682. [bug] Correct the behavior of rndc retransfer to allow
1129 inline-signing slave zones to retain NSEC3 parameters
1130 instead of reverting to NSEC. [RT #34745]
1132 3681. [port] Update the Windows build system to support feature
1133 selection and WIN64 builds. This is a work in
1134 progress. [RT #34160]
1136 3679. [bug] dig could fail to clean up TCP sockets still
1137 waiting on connect(). [RT #35074]
1139 3678. [port] Update config.guess and config.sub. [RT #35060]
1141 3677. [bug] 'nsupdate' leaked memory if 'realm' was used multiple
1144 3676. [bug] "named-checkconf -z" now checks zones of type
1145 hint and redirect as well as master. [RT #35046]
1147 3675. [misc] Provide a place for third parties to add version
1148 information for their extensions in the version
1149 file by setting the EXTENSIONS variable.
1151 3674. [bug] RPZ zeroed ttls if the query type was '*'. [RT #35026]
1153 3672. [func] Local address can now be specified when using
1154 dns_client API. [RT #34811]
1156 3671. [bug] Don't allow dnssec-importkey overwrite a existing
1157 non-imported private key.
1159 3670. [bug] Address read after free in server side of
1160 lwres_getrrsetbyname. [RT #29075]
1162 3669. [port] freebsd: --with-gssapi needs -lhx509. [RT #35001]
1164 3668. [bug] Fix cast in lex.c which could see 0xff treated as eof.
1167 3667. [test] dig: add support to keep the TCP socket open between
1168 successive queries (+[no]keepopen). [RT #34918]
1170 3665. [bug] Failure to release lock on error in receive_secure_db.
1173 3664. [bug] Updated OpenSSL PKCS#11 patches to fix active list
1174 locking and other bugs. [RT #34855]
1176 3663. [bug] Address bugs in dns_rdata_fromstruct and
1177 dns_rdata_tostruct for WKS and ISDN types. [RT #34910]
1179 3662. [bug] 'host' could die if a UDP query timed out. [RT #34870]
1181 3661. [bug] Address lock order reversal deadlock with inline zones.
1184 3660. [cleanup] Changed the name of "isc-config.sh" to "bind9-config".
1187 3659. [port] solaris: don't add explicit dependencies/rules for
1188 python programs as make won't use the implicit rules.
1191 3658. [port] linux: Address platform specific compilation issue
1192 when libcap-devel is installed. [RT #34838]
1194 3657. [port] Some readline clones don't accept NULL pointers when
1195 calling add_history. [RT #34842]
1197 3656. [security] Treat an all zero netmask as invalid when generating
1198 the localnets acl. (The prior behavior could
1199 allow unexpected matches when using some versions
1200 of Winsock: CVE-2013-6320.) [RT #34687]
1202 3655. [cleanup] Simplify TCP message processing when requesting a
1203 zone transfer. [RT #34825]
1205 3654. [bug] Address race condition with manual notify requests.
1208 3653. [func] Create delegations for all "children" of empty zones
1209 except "forward first". [RT #34826]
1211 3651. [tuning] Adjust when a master server is deemed unreachable.
1214 3650. [tuning] Use separate rate limiting queues for refresh and
1215 notify requests. [RT #30589]
1217 3649. [cleanup] Include a comment in .nzf files, giving the name of
1218 the associated view. [RT #34765]
1220 3648. [test] Updated the ATF test framework to version 0.17.
1223 3647. [bug] Address a race condition when shutting down a zone.
1226 3646. [bug] Journal filename string could be set incorrectly,
1227 causing garbage in log messages. [RT #34738]
1229 3645. [protocol] Use case sensitive compression when responding to
1230 queries. [RT #34737]
1232 3644. [protocol] Check that EDNS subnet client options are well formed.
1235 3642. [func] Allow externally generated DNSKEY to be imported
1236 into the DNSKEY management framework. A new tool
1237 dnssec-importkey is used to do this. [RT #34698]
1239 3641. [bug] Handle changes to sig-validity-interval settings
1242 3640. [bug] ndots was not being checked when searching. Only
1243 continue searching on NXDOMAIN responses. Add the
1244 ability to specify ndots to nslookup. [RT #34711]
1246 3639. [bug] Treat type 65533 (KEYDATA) as opaque except when used
1247 in a key zone. [RT #34238]
1249 --- 9.9.4 released ---
1251 3643. [doc] Clarify RRL "slip" documentation.
1253 3638. [cleanup] Add the ability to handle ENOPROTOOPT in case it is
1254 encountered. [RT #34668]
1256 --- 9.9.4rc2 released ---
1258 3637. [bug] 'allow-query-on' was checking the source address
1259 rather than the destination address. [RT #34590]
1261 3636. [bug] Automatic empty zones now behave better with
1262 forward only "zones" beneath them. [RT #34583]
1264 3635. [bug] Signatures were not being removed from a zone with
1265 only KSK keys for a algorithm. [RT #34439]
1267 3634. [func] Report build-id in rndc status. Report build-id
1268 when building from a git repository. [RT #20422]
1270 3633. [cleanup] Refactor OPT processing in named to make it easier
1271 to support new EDNS options. [RT #34414]
1273 3632. [bug] Signature from newly inactive keys were not being
1274 removed. [RT #32178]
1276 3631. [bug] Remove spurious warning about missing signatures when
1277 qtype is SIG. [RT #34600]
1279 3630. [bug] Ensure correct ID computation for MD5 keys. [RT #33033]
1281 3627. [bug] RPZ changes were not effective on slaves. [RT #34450]
1283 3625. [bug] Don't send notify messages to machines outside of the
1286 3623. [bug] zone-statistics was only effective in new statistics.
1289 --- 9.9.4rc1 released ---
1291 3621. [security] Incorrect bounds checking on private type 'keydata'
1292 can lead to a remotely triggerable REQUIRE failure
1293 (CVE-2013-4854). [RT #34238]
1295 3617. [bug] Named was failing to answer queries during
1296 "rndc reload" [RT #34098]
1298 3616. [bug] Change #3613 was incomplete. [RT #34177]
1300 3615. [cleanup] "configure" now finishes by printing a summary
1301 of optional BIND features and whether they are
1302 active or inactive. ("configure --enable-full-report"
1303 increases the verbosity of the summary.) [RT #31777]
1305 3614. [port] Check for <linux/types.h>. [RT #34162]
1307 3613. [bug] named could crash when deleting inline-signing
1308 zones with "rndc delzone". [RT #34066]
1310 3611. [bug] Improved resistance to a theoretical authentication
1311 attack based on differential timing. [RT #33939]
1313 3610. [cleanup] win32: Some executables had been omitted from the
1314 installer. [RT #34116]
1316 3608. [port] win32: added todos.pl script to ensure all text files
1317 the win32 build depends on are converted to DOS
1318 newline format. [RT #22067]
1320 3607. [bug] dnssec-keygen had broken 'Invalid keyfile' error
1321 message. [RT #34045]
1323 --- 9.9.4b1 released ---
1325 3605. [port] win32: Addressed several compatibility issues
1326 with newer versions of Visual Studio. [RT #33916]
1328 3603. [bug] Install <isc/stat.h>. [RT #33956]
1330 3601. [bug] Added to PKCS#11 openssl patches a value len
1331 attribute in DH derive key. [RT #33928]
1333 3600. [cleanup] dig: Fixed a typo in the warning output when receiving
1334 an oversized response. [RT #33910]
1336 3599. [tuning] Check for pointer equivalence in name comparisons.
1339 3596. [port] Updated win32 build documentation, added
1340 dnssec-verify. [RT #22067]
1342 3594. [maint] Update config.guess and config.sub. [RT #33816]
1344 3592. [doc] Moved documentation of rndc command options to the
1345 rndc man page. [RT #33506]
1347 3590. [bug] When using RRL on recursive servers, defer
1348 rate-limiting until after recursion is complete;
1349 also, use correct rcode for slipped NXDOMAIN
1350 responses. [RT #33604]
1352 3588. [bug] dig: addressed a memory leak in the sigchase code
1353 that could cause a shutdown crash. [RT #33733]
1355 3587. [func] 'named -g' now checks the logging configuration but
1356 does not use it. [RT #33473]
1358 3586. [bug] Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]
1360 3584. [security] Caching data from an incompletely signed zone could
1361 trigger an assertion failure in resolver.c
1362 (CVE-2013-3919). [RT #33690]
1364 3583. [bug] Address memory leak in GSS-API processing [RT #33574]
1366 3582. [bug] Silence false positive warning regarding missing file
1367 directive for inline slave zones. [RT #33662]
1369 3581. [bug] Changed the tcp-listen-queue default to 10. [RT #33029]
1371 3580. [bug] Addressed a possible race in acache.c [RT #33602]
1373 3579. [maint] Updates to PKCS#11 openssl patches, supporting
1374 versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]
1376 3578. [bug] 'rndc -c file' now fails if 'file' does not exist.
1379 3577. [bug] Handle zero TTL values better. [RT #33411]
1381 3576. [bug] Address a shutdown race when validating. [RT #33573]
1383 3575. [func] Changed the logging category for RRL events from
1384 'queries' to 'query-errors'. [RT #33540]
1386 3574. [doc] The 'hostname' keyword was missing from server-id
1387 description in the named.conf man page. [RT #33476]
1389 3573. [bug] "rndc addzone" and "rndc delzone" incorrectly handled
1390 zone names containing punctuation marks and other
1391 nonstandard characters. [RT #33419]
1393 3571. [bug] Address race condition in dns_client_startresolve().
1396 3566. [func] Log when forwarding updates to master. [RT #33240]
1398 3554. [bug] RRL failed to correctly rate-limit upward
1399 referrals and failed to count dropped error
1400 responses in the statistics. [RT #33225]
1402 3545. [bug] RRL slip behavior was incorrect when set to 1.
1405 3518. [bug] Increase the size of dns_rrl_key.s.rtype by one bit
1406 so that all dns_rrl_rtype_t enum values fit regardless
1407 of whether it is teated as signed or unsigned by
1408 the compiler. [RT #32792]
1410 3494. [func] DNS RRL: Blunt the impact of DNS reflection and
1411 amplification attacks by rate-limiting substantially-
1412 identical responses. To enable, use "configure
1413 --enable-rrl". [RT #28130]
1415 --- 9.9.3 released ---
1417 3568. [cleanup] Add a product description line to the version file,
1418 to be reported by named -v/-V. [RT #33366]
1420 3567. [bug] Silence clang static analyzer warnings. [RT #33365]
1422 3563. [contrib] zone2sqlite failed with some table names. [RT #33375]
1424 3561. [bug] dig: issue a warning if an EDNS query returns FORMERR
1425 or NOTIMP. Adjust usage message. [RT #33363]
1427 --- 9.9.3rc2 released ---
1429 3560. [bug] isc-config.sh did not honor includedir and libdir
1430 when set via configure. [RT #33345]
1432 3559. [func] Check that both forms of Sender Policy Framework
1433 records exist or do not exist. [RT #33355]
1435 3558. [bug] IXFR of a DLZ stored zone was broken. [RT #33331]
1437 3557. [bug] Reloading redirect zones was broken. [RT #33292]
1439 3556. [maint] Added AAAA for D.ROOT-SERVERS.NET.
1441 3555. [bug] Address theoretical race conditions in acache.c
1442 (change #3553 was incomplete). [RT #33252]
1444 3553. [bug] Address suspected double free in acache. [RT #33252]
1446 3552. [bug] Wrong getopt option string for 'nsupdate -r'.
1449 3549. [doc] Documentation for "request-nsid" was missing.
1452 3548. [bug] The NSID request code in resolver.c was broken
1453 resulting in invalid EDNS options being sent.
1456 3547. [bug] Some malformed unknown rdata records were not properly
1457 detected and rejected. [RT #33129]
1459 --- 9.9.3rc1 released ---
1461 3546. [func] Add EUI48 and EUI64 types. [RT #33082]
1463 3544. [contrib] check5011.pl: Script to report the status of
1464 managed keys as recorded in managed-keys.bind.
1465 Contributed by Tony Finch <dot@dotat.at>
1467 3543. [bug] Update socket structure before attaching to socket
1468 manager after accept. [RT #33084]
1470 3541. [bug] Parts of libdns were not properly initialized when
1471 built in libexport mode. [RT #33028]
1473 3540. [test] libt_api: t_info and t_assert were not thread safe.
1475 3539. [port] win32: timestamp format didn't match other platforms.
1477 3538. [test] Running "make test" now requires loopback interfaces
1478 to be set up. [RT #32452]
1480 3537. [tuning] Slave zones, when updated, now send NOTIFY messages
1481 to peers before being dumped to disk rather than
1484 3535. [bug] Minor win32 cleanups. [RT #32962]
1486 3534. [bug] Extra text after an embedded NULL was ignored when
1487 parsing zone files. [RT #32699]
1489 3533. [contrib] query-loc-0.4.0: memory leaks. [RT #32960]
1491 3532. [contrib] zkt: fixed buffer overrun, resource leaks. [RT #32960]
1493 3531. [bug] win32: A uninitialized value could be returned on out
1494 of memory. [RT #32960]
1496 3530. [contrib] Better RTT tracking in queryperf. [RT #30128]
1498 3528. [func] New "dnssec-coverage" command scans the timing
1499 metadata for a set of DNSSEC keys and reports if a
1500 lapse in signing coverage has been scheduled
1501 inadvertently. (Note: This tool depends on python;
1502 it will not be built or installed on systems that
1503 do not have a python interpreter.) [RT #28098]
1505 3527. [compat] Add a URI to allow applications to explicitly
1506 request a particular XML schema from the statistics
1507 channel, returning 404 if not supported. [RT #32481]
1509 3526. [cleanup] Set up dependencies for unit tests correctly during
1512 3521. [bug] Address memory leak in opensslecdsa_link.c. [RT #32249]
1514 3520. [bug] 'mctx' was not being referenced counted in some places
1515 where it should have been. [RT #32794]
1517 --- 9.9.3b2 released ---
1519 3517. [bug] Reorder destruction to avoid shutdown race. [RT #32777]
1521 3515. [port] '%T' is not portable in strftime(). [RT #32763]
1523 3514. [bug] The ranges for valid key sizes in ddns-confgen and
1524 rndc-confgen were too constrained. Keys up to 512
1525 bits are now allowed for most algorithms, and up
1526 to 1024 bits for hmac-sha384 and hmac-sha512.
1529 3511. [doc] Improve documentation of redirect zones. [RT #32756]
1531 3509. [cleanup] Added a product line to version file to allow for
1532 easy naming of different products (BIND
1533 vs BIND ESV, for example). [RT #32755]
1535 3508. [contrib] queryperf was incorrectly rejecting the -T option.
1538 3507. [bug] Statistics channel XSL (when built with
1539 --enable-newstats) had a glitch when attempting
1540 to chart query data before any queries had been
1541 received. [RT #32620]
1543 3505. [bug] When setting "max-cache-size" and "max-acache-size",
1544 larger values than 4 gigabytes could not be set
1545 explicitly, though larger sizes were available
1546 when setting cache size to 0. This has been
1547 corrected; the full range is now available.
1550 3503. [doc] Clarify size_spec syntax. [RT #32449]
1552 3501. [func] zone-statistics now takes three options: full,
1553 terse, and none. "yes" and "no" are retained as
1554 synonyms for full and terse, respectively. [RT #29165]
1556 3500. [security] Support NAPTR regular expression validation on
1557 all platforms without using libregex, which
1558 can be vulnerable to memory exhaustion attack
1559 (CVE-2013-2266). [RT #32688]
1561 3499. [doc] Corrected ARM documentation of built-in zones.
1564 3498. [bug] zone statistics for zones which matched a potential
1565 empty zone could have their zone-statistics setting
1568 3496. [func] Improvements to RPZ performance. The "response-policy"
1569 syntax now includes a "min-ns-dots" clause, with
1570 default 1, to exclude top-level domains from
1571 NSIP and NSDNAME checking. --enable-rpz-nsip and
1572 --enable-rpz-nsdname are now the default. [RT #32251]
1574 3493. [contrib] Added BDBHPT dynamically-lodable DLZ module,
1575 contributed by Mark Goldfinch. [RT #32549]
1577 3492. [bug] Fixed a regression in zone loading performance
1578 due to lock contention. [RT #30399]
1580 3491. [bug] Slave zones using inline-signing must specify a
1581 file name. [RT #31946]
1583 3489. [bug] --enable-developer now turns on ISC_LIST_CHECKINIT.
1584 When cloning a rdataset do not copy the link contents.
1587 3488. [bug] Use after free error with DH generated keys. [RT #32649]
1589 3487. [bug] Change 3444 was not complete. There was a additional
1590 place where the NOQNAME proof needed to be saved.
1593 3486. [bug] named could crash when using TKEY-negotiated keys
1594 that had been deleted and then recreated. [RT #32506]
1596 3485. [cleanup] Only compile openssl_gostlink.c if we support GOST.
1598 3483. [bug] Corrected XSL code in use with --enable-newstats.
1601 3481. [cleanup] Removed use of const const in atf.
1603 3480. [bug] Silence logging noise when setting up zone
1604 statistics. [RT #32525]
1606 3479. [bug] Address potential memory leaks in gssapi support
1609 3478. [port] Fix a build failure in strict C99 environments
1612 3474. [bug] nsupdate could assert when the local and remote
1613 address families didn't match. [RT #22897]
1615 3473. [bug] dnssec-signzone/verify could incorrectly report
1616 an error condition due to an empty node above an
1617 opt-out delegation lacking an NSEC3. [RT #32072]
1619 3471. [bug] The number of UDP dispatches now defaults to
1620 the number of CPUs even if -n has been set to
1621 a higher value. [RT #30964]
1623 3470. [bug] Slave zones could fail to dump when successfully
1624 refreshing after an initial failure. [RT #31276]
1626 --- 9.9.3b1 released ---
1628 3468. [security] RPZ rules to generate A records (but not AAAA records)
1629 could trigger an assertion failure when used in
1630 conjunction with DNS64 (CVE-2012-5689). [RT #32141]
1632 3467. [bug] Added checks in dnssec-keygen and dnssec-settime
1633 to check for delete date < inactive date. [RT #31719]
1635 3466. [contrib] Corrected the DNS_CLIENTINFOMETHODS_VERSION check
1636 in DLZ example driver. [RT #32275]
1638 3465. [bug] Handle isolated reserved ports. [RT #31778]
1640 3464. [maint] Updates to PKCS#11 openssl patches, supporting
1641 versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]
1643 3463. [doc] Clarify managed-keys syntax in ARM. [RT #32232]
1645 3462. [doc] Clarify server selection behavior of dig when using
1646 -4 or -6 options. [RT #32181]
1648 3461. [bug] Negative responses could incorrectly have AD=1
1651 3460. [bug] Only link against readline where needed. [RT #29810]
1653 3458. [bug] Return FORMERR when presented with a overly long
1654 domain named in a request. [RT #29682]
1656 3457. [protocol] Add ILNP records (NID, LP, L32, L64). [RT #31836]
1658 3456. [port] g++47: ATF failed to compile. [RT #32012]
1660 3455. [contrib] queryperf: fix getopt option list. [RT #32338]
1662 3454. [port] sparc64: improve atomic support. [RT #25182]
1664 3453. [bug] 'rndc addzone' of a zone with 'inline-signing yes;'
1667 3452. [bug] Accept duplicate singleton records. [RT #32329]
1669 3451. [port] Increase per thread stack size from 64K to 1M.
1672 3450. [bug] Stop logfileconfig system test spam system logs.
1675 3449. [bug] gen.c: use the pre-processor to construct format
1676 strings so that compiler can perform sanity checks;
1677 check the snprintf results. [RT #17576]
1679 3448. [bug] The allow-query-on ACL was not processed correctly.
1682 3447. [port] Add support for libxml2-2.9.x [RT #32231]
1684 3446. [port] win32: Add source ID (see change #3400) to build.
1687 3445. [bug] Warn about zone files with blank owner names
1688 immediately after $ORIGIN directives. [RT #31848]
1690 3444. [bug] The NOQNAME proof was not being returned from cached
1691 insecure responses. [RT #21409]
1693 3443. [bug] ddns-confgen: Some TSIG algorithms were incorrectly
1694 rejected when generating keys. [RT #31927]
1696 3442. [port] Net::DNS 0.69 introduced a non backwards compatible
1699 3441. [maint] D.ROOT-SERVERS.NET is now 199.7.91.13.
1701 3440. [bug] Reorder get_key_struct to not trigger a assertion when
1702 cleaning up due to out of memory error. [RT #32131]
1704 3439. [bug] contrib/dlz error checking fixes. [RT #32102]
1706 3438. [bug] Don't accept unknown data escape in quotes. [RT #32031]
1708 3437. [bug] isc_buffer_init -> isc_buffer_constinit to initialize
1709 buffers with constant data. [RT #32064]
1711 3436. [bug] Check malloc/calloc return values. [RT #32088]
1713 3435. [bug] Cross compilation support in configure was broken.
1716 3431. [bug] ddns-confgen: Some valid key algorithms were
1717 not accepted. [RT #31927]
1719 3430. [bug] win32: isc_time_formatISO8601 was missing the
1720 'T' between the date and time. [RT #32044]
1722 3429. [bug] dns_zone_getserial2 could a return success without
1723 returning a valid serial. [RT #32007]
1725 3428. [cleanup] dig: Add timezone to date output. [RT #2269]
1727 3427. [bug] dig +trace incorrectly displayed name server
1728 addresses instead of names. [RT #31641]
1730 3426. [bug] dnssec-checkds: Clearer output when records are not
1733 3425. [bug] "acacheentry" reference counting was broken resulting
1734 in use after free. [RT #31908]
1736 3424. [func] dnssec-dsfromkey now emits the hash without spaces.
1739 3423. [bug] "rndc signing -nsec3param" didn't accept the full
1740 range of possible values. Address portability issues.
1743 3422. [bug] Added a clear error message for when the SOA does not
1744 match the referral. [RT #31281]
1746 3421. [bug] Named loops when re-signing if all keys are offline.
1749 3420. [bug] Address VPATH compilation issues. [RT #31879]
1751 3419. [bug] Memory leak on validation cancel. [RT #31869]
1753 3417. [func] Optional new XML schema (version 3.0) for the
1754 statistics channel adds query type statistics at the
1755 zone level, and flattens the XML tree and uses
1756 compressed format to optimize parsing. Includes new XSL
1757 that permits charting via the Google Charts API on
1758 browsers that support javascript in XSL. To enable,
1759 build with "configure --enable-newstats". [RT #30023]
1761 3416. [bug] Named could die on shutdown if running with 128 UDP
1762 dispatches per interface. [RT #31743]
1764 3415. [bug] named could die with a REQUIRE failure if a validation
1765 was canceled. [RT #31804]
1767 3414. [bug] Address locking issues found by Coverity. [RT #31626]
1769 3412. [bug] Copy timeval structure from control message data.
1772 3411. [tuning] Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
1775 3410. [bug] Addressed Coverity warnings. [RT #31626]
1777 3409. [contrib] contrib/dane/mkdane.sh: Tool to generate TLSA RR's
1778 from X.509 certificates, for use with DANE
1779 (DNS-based Authentication of Named Entities).
1782 3408. [bug] Some DNSSEC-related options (update-check-ksk,
1783 dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
1784 are now legal in slave zones as long as
1785 inline-signing is in use. [RT #31078]
1787 3406. [bug] mem.c: Fix compilation errors when building with
1788 ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
1789 Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
1791 3405. [bug] Handle time going backwards in acache. [RT #31253]
1793 3404. [bug] dnssec-signzone: When re-signing a zone, remove
1794 RRSIG and NSEC records from nodes that used to be
1795 in-zone but are now below a zone cut. [RT #31556]
1797 3403. [bug] Silence noisy OpenSSL logging. [RT #31497]
1799 3402. [test] The IPv6 interface numbers used for system
1800 tests were incorrect on some platforms. [RT #25085]
1802 3401. [bug] Addressed Coverity warnings. [RT #31484]
1804 3400. [cleanup] "named -V" can now report a source ID string, defined
1805 in the "srcid" file in the build tree and normally set
1806 to the most recent git hash. [RT #31494]
1808 3399. [port] netbsd: rename 'bool' parameter to avoid namespace
1811 3398. [bug] SOA parameters were not being updated with inline
1812 signed zones if the zone was modified while the
1813 server was offline. [RT #29272]
1815 3397. [bug] dig crashed when using +nssearch with +tcp. [RT #25298]
1817 3396. [bug] OPT records were incorrectly removed from signed,
1818 truncated responses. [RT #31439]
1820 3395. [protocol] Add RFC 6598 reverse zones to built in empty zones
1821 list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
1824 3394. [bug] Adjust 'successfully validated after lower casing
1825 signer' log level and category. [RT #31414]
1827 3393. [bug] 'host -C' could core dump if REFUSED was received.
1830 3391. [bug] A DNSKEY lookup that encountered a CNAME failed.
1833 3390. [bug] Silence clang compiler warnings. [RT #30417]
1835 3389. [bug] Always return NOERROR (not 0) in TSIG. [RT #31275]
1837 3388. [bug] Fixed several Coverity warnings.
1838 Note: This change includes a fix for a bug that
1839 was subsequently determined to be an exploitable
1840 security vulnerability, CVE-2012-5688: named could
1841 die on specific queries with dns64 enabled.
1844 3386. [bug] Address locking violation when generating new NSEC /
1845 NSEC3 chains. [RT #31224]
1847 3385. [bug] named-checkconf didn't detect missing master lists
1848 in also-notify clauses. [RT #30810]
1850 3384. [bug] Improved logging of crypto errors. [RT #30963]
1852 3382. [bug] SOA query from slave used use-v6-udp-ports range,
1853 if set, regardless of the address family in use.
1856 3381. [contrib] Update queryperf to support more RR types.
1859 3380. [bug] named could die if a nonexistent master list was
1860 referenced in a also-notify. [RT #31004]
1862 3379. [bug] isc_interval_zero and isc_time_epoch should be
1863 "const (type)* const". [RT #31069]
1865 3378. [bug] Handle missing 'managed-keys-directory' better.
1868 3377. [bug] Removed spurious newline from NSEC3 multiline
1871 3376. [bug] Lack of EDNS support was being recorded without a
1872 successful response. [RT #30811]
1874 3375. [func] Check that 'rndc dumpdb' works on a empty cache.
1877 3374. [bug] isc_parse_uint32 failed to return a range error on
1878 systems with 64 bit longs. [RT #30232]
1880 3372. [bug] Silence spurious "deleted from unreachable cache"
1881 messages. [RT #30501]
1883 3371. [bug] AD=1 should behave like DO=1 when deciding whether to
1884 add NS RRsets to the additional section or not.
1887 3316. [tuning] Improved locking performance when recursing.
1890 3315. [tuning] Use multiple dispatch objects for sending upstream
1891 queries; this can improve performance on busy
1892 multiprocessor systems by reducing lock contention.
1895 --- 9.9.2 released ---
1897 3383. [security] A certain combination of records in the RBT could
1898 cause named to hang while populating the additional
1899 section of a response. [RT #31090]
1901 3373. [bug] win32: open raw files in binary mode. [RT #30944]
1903 3364. [security] Named could die on specially crafted record.
1906 --- 9.9.2rc1 released ---
1908 3370. [bug] Address use after free while shutting down. [RT #30241]
1910 3369. [bug] nsupdate terminated unexpectedly in interactive mode
1911 if built with readline support. [RT #29550]
1913 3368. [bug] <dns/iptable.h>, <dns/private.h> and <dns/zone.h>
1916 3367. [bug] dns_dnsseckey_create() result was not being checked.
1919 3366. [bug] Fixed Read-After-Write dependency violation for IA64
1920 atomic operations. [RT #25181]
1922 3365. [bug] Removed spurious newlines from log messages in
1925 3363. [bug] Need to allow "forward" and "fowarders" options
1926 in static-stub zones; this had been overlooked.
1929 3362. [bug] Setting some option values to 0 in named.conf
1930 could trigger an assertion failure on startup.
1933 3361. [bug] "rndc signing -nsec3param" didn't work correctly
1934 when salt was set to '-' (no salt). [RT #30099]
1936 3360. [bug] 'host -w' could die. [RT #18723]
1938 3359. [bug] An improperly-formed TSIG secret could cause a
1939 memory leak. [RT #30607]
1941 3357. [port] Add support for libxml2-2.8.x [RT #30440]
1943 3356. [bug] Cap the TTL of signed RRsets when RRSIGs are
1944 approaching their expiry, so they don't remain
1945 in caches after expiry. [RT #26429]
1947 3355. [port] Use more portable awk in verify system test.
1949 3354. [func] Improve OpenSSL error logging. [RT #29932]
1951 --- 9.9.2b1 released ---
1953 3353. [bug] Use a single task for task exclusive operations.
1956 3352. [bug] Ensure that learned server attributes timeout of the
1957 adb cache. [RT #29856]
1959 3351. [bug] isc_mem_put and isc_mem_putanddetach didn't report
1960 caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
1961 memory debugging flags are set. [RT #30243]
1963 3350. [bug] Memory read overrun in isc___mem_reallocate if
1964 ISC_MEM_DEBUGCTX memory debugging flag is set.
1967 3349. [bug] Change #3345 was incomplete. [RT #30233]
1969 3348. [bug] Prevent RRSIG data from being cached if a negative
1970 record matching the covering type exists at a higher
1971 trust level. Such data already can't be retrieved from
1972 the cache since change 3218 -- this prevents it
1973 being inserted into the cache as well. [RT #26809]
1975 3347. [bug] dnssec-settime: Issue a warning when writing a new
1976 private key file would cause a change in the
1977 permissions of the existing file. [RT #27724]
1979 3346. [security] Bad-cache data could be used before it was
1980 initialized, causing an assert. [RT #30025]
1982 3345. [bug] Addressed race condition when removing the last item
1983 or inserting the first item in an ISC_QUEUE.
1986 3344. [func] New "dnssec-checkds" command checks a zone to
1987 determine which DS records should be published
1988 in the parent zone, or which DLV records should be
1989 published in a DLV zone, and queries the DNS to
1990 ensure that it exists. (Note: This tool depends
1991 on python; it will not be built or installed on
1992 systems that do not have a python interpreter.)
1995 3342. [bug] Change #3314 broke saving of stub zones to disk
1996 resulting in excessive cpu usage in some cases.
1999 3341. [func] New "dnssec-verify" command checks a signed zone
2000 to ensure correctness of signatures and of NSEC/NSEC3
2003 3339. [func] Allow the maximum supported rsa exponent size to be
2004 specified: "max-rsa-exponent-size <value>;" [RT #29228]
2006 3338. [bug] Address race condition in units tests: asyncload_zone
2007 and asyncload_zt. [RT #26100]
2009 3337. [bug] Change #3294 broke support for the multiple keys
2010 in controls. [RT #29694]
2012 3335. [func] nslookup: return a nonzero exit code when unable
2013 to get an answer. [RT #29492]
2015 3334. [bug] Hold a zone table reference while performing a
2016 asynchronous load of a zone. [RT #28326]
2018 3333. [bug] Setting resolver-query-timeout too low can cause
2019 named to not recover if it loses connectivity.
2022 3332. [bug] Re-use cached DS rrsets if possible. [RT #29446]
2024 3331. [security] dns_rdataslab_fromrdataset could produce bad
2025 rdataslabs. [RT #29644]
2027 3330. [func] Fix missing signatures on NOERROR results despite
2029 - add optional "recursive-only yes|no" to the
2030 response-policy statement
2031 - add optional "max-policy-ttl" to the response-policy
2032 statement to limit the false data that
2033 "recursive-only no" can introduce into
2035 - add a RPZ performance test to bin/tests/system/rpz
2036 when queryperf is available.
2037 - the encoding of PASSTHRU action to "rpz-passthru".
2038 (The old encoding is still accepted.)
2042 3329. [bug] Handle RRSIG signer-name case consistently: We
2043 generate RRSIG records with the signer-name in
2044 lower case. We accept them with any case, but if
2045 they fail to validate, we try again in lower case.
2048 3328. [bug] Fixed inconsistent data checking in dst_parse.c.
2051 3317. [func] Add ECDSA support (RFC 6605). [RT #21918]
2053 --- 9.9.1 released ---
2055 3318. [tuning] Reduce the amount of work performed while holding a
2056 bucket lock when finished with a fetch context.
2059 3314. [bug] The masters list could be updated while stub_callback
2060 or refresh_callback were using it. [RT #26732]
2062 3313. [protocol] Add TLSA record type. [RT #28989]
2064 3312. [bug] named-checkconf didn't detect a bad dns64 clients acl.
2067 3311. [bug] Abort the zone dump if zone->db is NULL in
2068 zone.c:zone_gotwritehandle. [RT #29028]
2070 3310. [test] Increase table size for mutex profiling. [RT #28809]
2072 3309. [bug] resolver.c:fctx_finddone() was not thread safe.
2075 3307. [bug] Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
2078 3306. [bug] Improve DNS64 reverse zone performance. [RT #28563]
2080 3305. [func] Add wire format lookup method to sdb. [RT #28563]
2082 3304. [bug] Use hmctx, not mctx when freeing rbtdb->heaps.
2085 3303. [bug] named could die when reloading. [RT #28606]
2087 3302. [bug] dns_dnssec_findmatchingkeys could fail to find
2088 keys if the zone name contained character that
2089 required special mappings. [RT #28600]
2091 3301. [contrib] Update queryperf to build on darwin. Add -R flag
2092 for non-recursive queries. [RT #28565]
2094 3300. [bug] Named could die if gssapi was enabled in named.conf
2095 but was not compiled in. [RT #28338]
2097 3299. [bug] Make SDB handle errors from database drivers better.
2100 3298. [bug] Named could dereference a NULL pointer in
2101 zmgr_start_xfrin_ifquota if the zone was being removed.
2104 3297. [bug] Named could die on a malformed master file. [RT #28467]
2106 3296. [bug] Named could die with a INSIST failure in
2107 client.c:exit_check. [RT #28346]
2109 3295. [bug] Adjust isc_time_secondsastimet range check to be more
2110 portable. [RT # 26542]
2112 3294. [bug] isccc/cc.c:table_fromwire failed to free alist on
2115 3291. [port] Fixed a build error on systems without ENOTSUP.
2118 3290. [bug] <isc/hmacsha.h> was not being installed. [RT #28169]
2120 3273. [bug] AAAA responses could be returned in the additional
2121 section even when filter-aaaa-on-v4 was in use.
2124 --- 9.9.0 released ---
2126 --- 9.9.0rc4 released ---
2128 3289. [bug] 'rndc retransfer' failed for inline zones. [RT #28036]
2130 3288. [bug] dlz_destroy() function wasn't correctly registered
2131 by the DLZ dlopen driver. [RT #28056]
2133 3287. [port] Update ans.pl to work with Net::DNS 0.68. [RT #28028]
2135 3286. [bug] Managed key maintenance timer could fail to start
2136 after 'rndc reconfig'. [RT #26786]
2138 --- 9.9.0rc3 released ---
2140 3285. [bug] val-frdataset was incorrectly disassociated in
2141 proveunsecure after calling startfinddlvsep.
2144 3284. [bug] Address race conditions with the handling of
2145 rbtnode.deadlink. [RT #27738]
2147 3283. [bug] Raw zones with with more than 512 records in a RRset
2148 failed to load. [RT #27863]
2150 3282. [bug] Restrict the TTL of NS RRset to no more than that
2151 of the old NS RRset when replacing it.
2152 [RT #27792] [RT #27884]
2154 3281. [bug] SOA refresh queries could be treated as cancelled
2155 despite succeeding over the loopback interface.
2158 3280. [bug] Potential double free of a rdataset on out of memory
2159 with DNS64. [RT #27762]
2161 3279. [bug] Hold a internal reference to the zone while performing
2162 a asynchronous load. Address potential memory leak
2163 if the asynchronous is cancelled. [RT #27750]
2165 3278. [bug] Make sure automatic key maintenance is started
2166 when "auto-dnssec maintain" is turned on during
2167 "rndc reconfig". [RT #26805]
2169 3277. [bug] win32: isc_socket_dup is not implemented. [RT #27696]
2171 3276. [bug] win32: ns_os_openfile failed to return NULL on
2172 safe_open failure. [RT #27696]
2174 3275. [bug] Corrected rndc -h output; the 'rndc sync -clean'
2175 option had been misspelled as '-clear'. (To avoid
2176 future confusion, both options now work.) [RT #27173]
2178 3271. [port] darwin: mksymtbl is not always stable, loop several
2179 times before giving up. mksymtbl was using non
2180 portable perl to covert 64 bit hex strings. [RT #27653]
2182 --- 9.9.0rc2 released ---
2184 3270. [bug] "rndc reload" didn't reuse existing zones correctly
2185 when inline-signing was in use. [RT #27650]
2187 3269. [port] darwin 11 and later now built threaded by default.
2189 3268. [bug] Convert RRSIG expiry times to 64 timestamps to work
2190 out the earliest expiry time. [RT #23311]
2192 3267. [bug] Memory allocation failures could be mis-reported as
2193 unexpected error. New ISC_R_UNSET result code.
2196 3266. [bug] The maximum number of NSEC3 iterations for a
2197 DNSKEY RRset was not being properly computed.
2200 3265. [bug] Corrected a problem with lock ordering in the
2201 inline-signing code. [RT #27557]
2203 3264. [bug] Automatic regeneration of signatures in an
2204 inline-signing zone could stall when the server
2205 was restarted. [RT #27344]
2207 3263. [bug] "rndc sync" did not affect the unsigned side of an
2208 inline-signing zone. [RT #27337]
2210 3262. [bug] Signed responses were handled incorrectly by RPZ.
2213 3261. [func] RRset ordering now defaults to random. [RT #27174]
2215 3260. [bug] "rrset-order cyclic" could appear not to rotate
2216 for some query patterns. [RT #27170/27185]
2218 --- 9.9.0rc1 released ---
2220 3259. [bug] named-compilezone: Suppress "dump zone to <file>"
2221 message when writing to stdout. [RT #27109]
2223 3258. [test] Add "forcing full sign with unreadable keys" test.
2226 3257. [bug] Do not generate a error message when calling fsync()
2227 in a pipe or socket. [RT #27109]
2229 3256. [bug] Disable empty zones for lwresd -C. [RT #27139]
2231 3255. [func] No longer require that a empty zones be explicitly
2232 enabled or that a empty zone is disabled for
2233 RFC 1918 empty zones to be configured. [RT #27139]
2235 3254. [bug] Set isc_socket_ipv6only() on the IPv6 control channels.
2238 3253. [bug] Return DNS_R_SYNTAX when the input to a text field is
2239 too long. [RT #26956]
2241 3252. [bug] When master zones using inline-signing were
2242 updated while the server was offline, the source
2243 zone could fall out of sync with the signed
2244 copy. They can now resynchronize. [RT #26676]
2246 3251. [bug] Enforce a upper bound (65535 bytes) on the amount of
2247 memory dns_sdlz_putrr() can allocate per record to
2248 prevent run away memory consumption on ISC_R_NOSPACE.
2251 3250. [func] 'configure --enable-developer'; turn on various
2252 configure options, normally off by default, that
2253 we want developers to build and test with. [RT #27103]
2255 3249. [bug] Update log message when saving slave zones files for
2256 analysis after load failures. [RT #27087]
2258 3248. [bug] Configure options --enable-fixed-rrset and
2259 --enable-exportlib were incompatible with each
2262 3247. [bug] 'raw' format zones failed to preserve load order
2263 breaking 'fixed' sort order. [RT #27087]
2265 3246. [bug] Named failed to start with a empty also-notify list.
2268 3245. [bug] Don't report a error unchanged serials unless there
2269 were other changes when thawing a zone with
2270 ixfr-fromdifferences. [RT #26845]
2272 3244. [func] Added readline support to nslookup and nsupdate.
2273 Also simplified nsupdate syntax to make "update"
2274 and "prereq" optional. [RT #24659]
2276 3243. [port] freebsd,netbsd,bsdi: the thread defaults were not
2279 3242. [func] Extended the header of raw-format master files to
2280 include the serial number of the zone from which
2281 they were generated, if different (as in the case
2282 of inline-signing zones). This is to be used in
2283 inline-signing zones, to track changes between the
2284 unsigned and signed versions of the zone, which may
2285 have different serial numbers.
2287 (Note: raw zonefiles generated by this version of
2288 BIND are no longer compatible with prior versions.
2289 To generate a backward-compatible raw zonefile
2290 using dnssec-signzone or named-compilezone, specify
2291 output format "raw=0" instead of simply "raw".)
2294 3241. [bug] Address race conditions in the resolver code.
2297 3240. [bug] DNSKEY state change events could be missed. [RT #26874]
2299 3239. [bug] dns_dnssec_findmatchingkeys needs to use a consistent
2300 timestamp. [RT #26883]
2302 3238. [bug] keyrdata was not being reinitialized in
2303 lib/dns/rbtdb.c:iszonesecure. [RT #26913]
2305 3237. [bug] dig -6 didn't work with +trace. [RT #26906]
2307 3236. [bug] Backed out changes #3182 and #3202, related to
2308 EDNS(0) fallback behavior. [RT #26416]
2310 3235. [func] dns_db_diffx, a extended dns_db_diff which returns
2311 the generated diff and optionally writes it to a
2312 journal. [RT #26386]
2314 3234. [bug] 'make depend' produced invalid makefiles. [RT #26830]
2316 3233. [bug] 'rndc freeze/thaw' didn't work for inline zones.
2319 3232. [bug] Zero zone->curmaster before return in
2320 dns_zone_setmasterswithkeys(). [RT #26732]
2322 3231. [bug] named could fail to send a incompressible zone.
2325 3230. [bug] 'dig axfr' failed to properly handle a multi-message
2326 axfr with a serial of 0. [RT #26796]
2328 3229. [bug] Fix local variable to struct var assignment
2329 found by CLANG warning.
2331 3228. [tuning] Dynamically grow symbol table to improve zone
2332 loading performance. [RT #26523]
2334 3227. [bug] Interim fix to make WKS's use of getprotobyname()
2335 and getservbyname() self thread safe. [RT #26232]
2337 3226. [bug] Address minor resource leakages. [RT #26624]
2339 3225. [bug] Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
2340 messages. [RT #26507]
2342 3224. [bug] 'rndc signing' argument parsing was broken. [RT #26684]
2344 3223. [bug] 'task_test privilege_drop' generated false positives.
2347 3222. [cleanup] Replace dns_journal_{get,set}_bitws with
2348 dns_journal_{get,set}_sourceserial. [RT #26634]
2350 3221. [bug] Fixed a potential core dump on shutdown due to
2351 referencing fetch context after it's been freed.
2354 --- 9.9.0b2 released ---
2356 3220. [bug] Change #3186 was incomplete; dns_db_rpz_findips()
2357 could fail to set the database version correctly,
2358 causing an assertion failure. [RT #26180]
2360 3219. [bug] Disable NOEDNS caching following a timeout.
2362 3218. [security] Cache lookup could return RRSIG data associated with
2363 nonexistent records, leading to an assertion
2364 failure. [RT #26590]
2366 3217. [cleanup] Fix build problem with --disable-static. [RT #26476]
2368 3216. [bug] resolver.c:validated() was not thread-safe. [RT #26478]
2370 3215. [bug] 'rndc recursing' could cause a core dump. [RT #26495]
2372 3214. [func] Add 'named -U' option to set the number of UDP
2373 listener threads per interface. [RT #26485]
2375 3213. [doc] Clarify ixfr-from-differences behavior. [RT #25188]
2377 3212. [bug] rbtdb.c: failed to remove a node from the deadnodes
2378 list prior to adding a reference to it leading a
2379 possible assertion failure. [RT #23219]
2381 3211. [func] dnssec-signzone: "-f -" prints to stdout; "-O full"
2382 option prints in single-line-per-record format.
2385 3210. [bug] Canceling the oldest query due to recursive-client
2386 overload could trigger an assertion failure. [RT #26463]
2388 3209. [func] Add "dnssec-lookaside 'no'". [RT #24858]
2390 3208. [bug] 'dig -y' handle unknown tsig algorithm better.
2393 3207. [contrib] Fixed build error in Berkeley DB DLZ module. [RT #26444]
2395 3206. [cleanup] Add ISC information to log at start time. [RT #25484]
2397 3205. [func] Upgrade dig's defaults to better reflect modern
2398 nameserver behavior. Enable "dig +adflag" and
2399 "dig +edns=0" by default. Enable "+dnssec" when
2400 running "dig +trace". [RT #23497]
2402 3204. [bug] When a master server that has been marked as
2403 unreachable sends a NOTIFY, mark it reachable
2406 3203. [bug] Increase log level to 'info' for validation failures
2407 from expired or not-yet-valid RRSIGs. [RT #21796]
2409 3202. [bug] NOEDNS caching on timeout was too aggressive.
2412 3201. [func] 'rndc querylog' can now be given an on/off parameter
2413 instead of only being used as a toggle. [RT #18351]
2415 3200. [doc] Some rndc functions were undocumented or were
2416 missing from 'rndc -h' output. [RT #25555]
2418 3199. [func] When logging client information, include the name
2419 being queried. [RT #25944]
2421 3198. [doc] Clarified that dnssec-settime can alter keyfile
2422 permissions. [RT #24866]
2424 3197. [bug] Don't try to log the filename and line number when
2425 the config parser can't open a file. [RT #22263]
2427 3196. [bug] nsupdate: return nonzero exit code when target zone
2428 doesn't exist. [RT #25783]
2430 3195. [cleanup] Silence "file not found" warnings when loading
2431 managed-keys zone. [RT #26340]
2433 3194. [doc] Updated RFC references in the 'empty-zones-enable'
2434 documentation. [RT #25203]
2436 3193. [cleanup] Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
2437 dnssec.h. [RT #26415]
2439 3192. [bug] A query structure could be used after being freed.
2442 3191. [bug] Print NULL records using "unknown" format. [RT #26392]
2444 3190. [bug] Underflow in error handling in isc_mutexblock_init.
2447 3189. [test] Added a summary report after system tests. [RT #25517]
2449 3188. [bug] zone.c:zone_refreshkeys() could fail to detach
2450 references correctly when errors occurred, causing
2451 a hang on shutdown. [RT #26372]
2453 3187. [port] win32: support for Visual Studio 2008. [RT #26356]
2455 --- 9.9.0b1 released ---
2457 3186. [bug] Version/db mis-match in rpz code. [RT #26180]
2459 3185. [func] New 'rndc signing' option for auto-dnssec zones:
2460 - 'rndc signing -list' displays the current
2461 state of signing operations
2462 - 'rndc signing -clear' clears the signing state
2463 records for keys that have fully signed the zone
2464 - 'rndc signing -nsec3param' sets the NSEC3
2465 parameters for the zone
2466 The 'rndc keydone' syntax is removed. [RT #23729]
2468 3184. [bug] named had excessive cpu usage when a redirect zone was
2469 configured. [RT #26013]
2471 3183. [bug] Added RTLD_GLOBAL flag to dlopen call. [RT #26301]
2473 3182. [bug] Auth servers behind firewalls which block packets
2474 greater than 512 bytes may cause other servers to
2475 perform poorly. Now, adb retains edns information
2476 and caches noedns servers. [RT #23392/24964]
2478 3181. [func] Inline-signing is now supported for master zones.
2481 3180. [func] Local copies of slave zones are now saved in raw
2482 format by default, to improve startup performance.
2483 'masterfile-format text;' can be used to override
2484 the default, if desired. [RT #25867]
2486 3179. [port] kfreebsd: build issues. [RT #26273]
2488 3178. [bug] A race condition introduced by change #3163 could
2489 cause an assertion failure on shutdown. [RT #26271]
2491 3177. [func] 'rndc keydone', remove the indicator record that
2492 named has finished signing the zone with the
2493 corresponding key. [RT #26206]
2495 3176. [doc] Corrected example code and added a README to the
2496 sample external DLZ module in contrib/dlz/example.
2499 3175. [bug] Fix how DNSSEC positive wildcard responses from a
2500 NSEC3 signed zone are validated. Stop sending a
2501 unnecessary NSEC3 record when generating such
2502 responses. [RT #26200]
2504 3174. [bug] Always compute to revoked key tag from scratch.
2507 3173. [port] Correctly validate root DS responses. [RT #25726]
2509 3172. [port] darwin 10.* and freebsd [89] are now built threaded by
2512 3171. [bug] Exclusively lock the task when adding a zone using
2513 'rndc addzone'. [RT #25600]
2515 --- 9.9.0a3 released ---
2517 3170. [func] RPZ update:
2518 - fix precedence among competing rules
2519 - improve ARM text including documenting rule precedence
2520 - try to rewrite CNAME chains until first hit
2521 - new "rpz" logging channel
2522 - RDATA for CNAME rules can include wildcards
2523 - replace "NO-OP" named.conf policy override with
2524 "PASSTHRU" and add "DISABLED" override ("NO-OP"
2525 is still recognized)
2528 3169. [func] Catch db/version mis-matches when calling dns_db_*().
2531 3168. [bug] Nxdomain redirection could trigger an assert with
2532 a ANY query. [RT #26017]
2534 3167. [bug] Negative answers from forwarders were not being
2535 correctly tagged making them appear to not be cached.
2538 3166. [bug] Upgrading a zone to support inline-signing failed.
2541 3165. [bug] dnssec-signzone could generate new signatures when
2542 resigning, even when valid signatures were already
2543 present. [RT #26025]
2545 3164. [func] Enable DLZ modules to retrieve client information,
2546 so that responses can be changed depending on the
2547 source address of the query. [RT #25768]
2549 3163. [bug] Use finer-grained locking in client.c to address
2550 concurrency problems with large numbers of threads.
2553 3162. [test] start.pl: modified to allow for "named.args" in
2554 ns*/ subdirectory to override stock arguments to
2555 named. Largely from RT #26044, but no separate ticket.
2557 3161. [bug] zone.c:del_sigs failed to always reset rdata leading
2558 assertion failures. [RT #25880]
2560 3160. [bug] When printing out a NSEC3 record in multiline form
2561 the newline was not being printed causing type codes
2562 to be run together. [RT #25873]
2564 3159. [bug] On some platforms, named could assert on startup
2565 when running in a chrooted environment without
2568 3158. [bug] Recursive servers would prefer a particular UDP
2569 socket instead of using all available sockets.
2572 3157. [tuning] Reduce the time spent in "rndc reconfig" by parsing
2573 the config file before pausing the server. [RT #21373]
2577 --- 9.9.0a2 released ---
2579 3155. [bug] Fixed a build failure when using contrib DLZ
2580 drivers (e.g., mysql, postgresql, etc). [RT #25710]
2582 3154. [bug] Attempting to print an empty rdataset could trigger
2583 an assert. [RT #25452]
2585 3153. [func] Extend request-ixfr to zone level and remove the
2586 side effect of forcing an AXFR. [RT #25156]
2588 3152. [cleanup] Some versions of gcc and clang failed due to
2589 incorrect use of __builtin_expect. [RT #25183]
2591 3151. [bug] Queries for type RRSIG or SIG could be handled
2592 incorrectly. [RT #21050]
2594 3150. [func] Improved startup and reconfiguration time by
2595 enabling zones to load in multiple threads. [RT #25333]
2599 3148. [bug] Processing of normal queries could be stalled when
2600 forwarding a UPDATE message. [RT #24711]
2602 3147. [func] Initial inline signing support. [RT #23657]
2604 --- 9.9.0a1 released ---
2606 3146. [test] Fixed gcc4.6.0 errors in ATF. [RT #25598]
2608 3145. [test] Capture output of ATF unit tests in "./atf.out" if
2609 there were any errors while running them. [RT #25527]
2611 3144. [bug] dns_dbiterator_seek() could trigger an assert when
2612 used with a nonexistent database node. [RT #25358]
2614 3143. [bug] Silence clang compiler warnings. [RT #25174]
2616 3142. [bug] NAPTR is class agnostic. [RT #25429]
2618 3141. [bug] Silence spurious "zone serial (0) unchanged" messages
2619 associated with empty zones. [RT #25079]
2621 3140. [func] New command "rndc flushtree <name>" clears the
2622 specified name from the server cache along with
2623 all names under it. [RT #19970]
2625 3139. [test] Added tests from RFC 6234, RFC 2202, and RFC 1321
2626 for the hashing algorithms (md5, sha1 - sha512, and
2627 their hmac counterparts). [RT #25067]
2629 3138. [bug] Address memory leaks and out-of-order operations when
2630 shutting named down. [RT #25210]
2632 3137. [func] Improve hardware scalability by allowing multiple
2633 worker threads to process incoming UDP packets.
2634 This can significantly increase query throughput
2635 on some systems. [RT #22992]
2637 3136. [func] Add RFC 1918 reverse zones to the list of built-in
2638 empty zones switched on by the 'empty-zones-enable'
2641 3135. [port] FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
2642 See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
2645 3134. [bug] Improve the accuracy of dnssec-signzone's signing
2646 statistics. [RT #16030]
2648 3133. [bug] Change #3114 was incomplete. [RT #24577]
2652 3131. [tuning] Improve scalability by allocating one zone task
2653 per 100 zones at startup time, rather than using a
2654 fixed-size task table. [RT #24406]
2656 3130. [func] Support alternate methods for managing a dynamic
2657 zone's serial number. Two methods are currently
2658 defined using serial-update-method, "increment"
2659 (default) and "unixtime". [RT #23849]
2661 3129. [bug] Named could crash on 'rndc reconfig' when
2662 allow-new-zones was set to yes and named ACLs
2663 were used. [RT #22739]
2665 3128. [func] Inserting an NSEC3PARAM via dynamic update in an
2666 auto-dnssec zone that has not been signed yet
2667 will cause it to be signed with the specified NSEC3
2668 parameters when keys are activated. The
2669 NSEC3PARAM record will not appear in the zone until
2670 it is signed, but the parameters will be stored.
2673 3127. [bug] 'rndc thaw' will now remove a zone's journal file
2674 if the zone serial number has been changed and
2675 ixfr-from-differences is not in use. [RT #24687]
2677 3126. [security] Using DNAME record to generate replacements caused
2678 RPZ to exit with a assertion failure. [RT #24766]
2680 3125. [security] Using wildcard CNAME records as a replacement with
2681 RPZ caused named to exit with a assertion failure.
2684 3124. [bug] Use an rdataset attribute flag to indicate
2685 negative-cache records rather than using rrtype 0;
2686 this will prevent problems when that rrtype is
2687 used in actual DNS packets. [RT #24777]
2689 3123. [security] Change #2912 exposed a latent flaw in
2690 dns_rdataset_totext() that could cause named to
2691 crash with an assertion failure. [RT #24777]
2693 3122. [cleanup] dnssec-settime: corrected usage message. [RT #24664]
2695 3121. [security] An authoritative name server sending a negative
2696 response containing a very large RRset could
2697 trigger an off-by-one error in the ncache code
2698 and crash named. [RT #24650]
2700 3120. [bug] Named could fail to validate zones listed in a DLV
2701 that validated insecure without using DLV and had
2702 DS records in the parent zone. [RT #24631]
2704 3119. [bug] When rolling to a new DNSSEC key, a private-type
2705 record could be created and never marked complete.
2708 3118. [bug] nsupdate could dump core on shutdown when using
2709 SIG(0) keys. [RT #24604]
2711 3117. [cleanup] Remove doc and parser references to the
2712 never-implemented 'auto-dnssec create' option.
2715 3116. [func] New 'dnssec-update-mode' option controls updates
2716 of DNSSEC records in signed dynamic zones. Set to
2717 'no-resign' to disable automatic RRSIG regeneration
2718 while retaining the ability to sign new or changed
2721 3115. [bug] Named could fail to return requested data when
2722 following a CNAME that points into the same zone.
2725 3114. [bug] Retain expired RRSIGs in dynamic zones if key is
2726 inactive and there is no replacement key. [RT #23136]
2728 3113. [doc] Document the relationship between serial-query-rate
2729 and NOTIFY messages.
2731 3112. [doc] Add missing descriptions of the update policy name
2732 types "ms-self", "ms-subdomain", "krb5-self" and
2733 "krb5-subdomain", which allow machines to update
2734 their own records, to the BIND 9 ARM.
2736 3111. [bug] Improved consistency checks for dnssec-enable and
2737 dnssec-validation, added test cases to the
2738 checkconf system test. [RT #24398]
2740 3110. [bug] dnssec-signzone: Wrong error message could appear
2741 when attempting to sign with no KSK. [RT #24369]
2743 3109. [func] The also-notify option now uses the same syntax
2744 as a zone's masters clause. This means it is
2745 now possible to specify a TSIG key to use when
2746 sending notifies to a given server, or to include
2747 an explicit named masters list in an also-notfiy
2748 statement. [RT #23508]
2750 3108. [cleanup] dnssec-signzone: Clarified some error and
2751 warning messages; removed #ifdef ALLOW_KSKLESS_ZONES
2752 code (use -P instead). [RT #20852]
2754 3107. [bug] dnssec-signzone: Report the correct number of ZSKs
2755 when using -x. [RT #20852]
2757 3106. [func] When logging client requests, include the name of
2758 the TSIG key if any. [RT #23619]
2760 3105. [bug] GOST support can be suppressed by "configure
2761 --without-gost" [RT #24367]
2763 3104. [bug] Better support for cross-compiling. [RT #24367]
2765 3103. [bug] Configuring 'dnssec-validation auto' in a view
2766 instead of in the options statement could trigger
2767 an assertion failure in named-checkconf. [RT #24382]
2769 3102. [func] New 'dnssec-loadkeys-interval' option configures
2770 how often, in minutes, to check the key repository
2771 for updates when using automatic key maintenance.
2772 Default is every 60 minutes (formerly hard-coded
2773 to 12 hours). [RT #23744]
2775 3101. [bug] Zones using automatic key maintenance could fail
2776 to check the key repository for updates. [RT #23744]
2778 3100. [security] Certain response policy zone configurations could
2779 trigger an INSIST when receiving a query of type
2782 3099. [test] "dlz" system test now runs but gives R:SKIPPED if
2783 not compiled with --with-dlz-filesystem. [RT #24146]
2785 3098. [bug] DLZ zones were answering without setting the AA bit.
2788 3097. [test] Add a tool to test handling of malformed packets.
2791 3096. [bug] Set KRB5_KTNAME before calling log_cred() in
2792 dst_gssapi_acceptctx(). [RT #24004]
2794 3095. [bug] Handle isolated reserved ports in the port range.
2797 3094. [doc] Expand dns64 documentation.
2799 3093. [bug] Fix gssapi/kerberos dependencies [RT #23836]
2801 3092. [bug] Signatures for records at the zone apex could go
2802 stale due to an incorrect timer setting. [RT #23769]
2804 3091. [bug] Fixed a bug in which zone keys that were published
2805 and then subsequently activated could fail to trigger
2806 automatic signing. [RT #22911]
2808 3090. [func] Make --with-gssapi default [RT #23738]
2810 3089. [func] dnssec-dsfromkey now supports reading keys from
2811 standard input "dnssec-dsfromkey -f -". [RT #20662]
2813 3088. [bug] Remove bin/tests/system/logfileconfig/ns1/named.conf
2814 and add setup.sh in order to resolve changing
2815 named.conf issue. [RT #23687]
2817 3087. [bug] DDNS updates using SIG(0) with update-policy match
2818 type "external" could cause a crash. [RT #23735]
2820 3086. [bug] Running dnssec-settime -f on an old-style key will
2821 now force an update to the new key format even if no
2822 other change has been specified, using "-P now -A now"
2823 as default values. [RT #22474]
2825 3085. [func] New '-R' option in dnssec-signzone forces removal
2826 of signatures which have not yet expired but
2827 were generated by a key that no longer exists.
2830 3084. [func] A new command "rndc sync" dumps pending changes in
2831 a dynamic zone to disk; "rndc sync -clean" also
2832 removes the journal file after syncing. Also,
2833 "rndc freeze" no longer removes journal files.
2836 3083. [bug] NOTIFY messages were not being sent when generating
2837 a NSEC3 chain incrementally. [RT #23702]
2839 3082. [port] strtok_r is threads only. [RT #23747]
2841 3081. [bug] Failure of DNAME substitution did not return
2842 YXDOMAIN. [RT #23591]
2844 3080. [cleanup] Replaced compile time constant by STDTIME_ON_32BITS.
2847 3079. [bug] Handle isc_event_allocate failures in t_tasks.
2850 3078. [func] Added a new include file with function typedefs
2851 for the DLZ "dlopen" driver. [RT #23629]
2853 3077. [bug] zone.c:zone_refreshkeys() incorrectly called
2854 dns_zone_attach(), use zone->irefs instead. [RT #23303]
2856 3076. [func] New '-L' option in dnssec-keygen, dnsset-settime, and
2857 dnssec-keyfromlabel sets the default TTL of the
2858 key. When possible, automatic signing will use that
2859 TTL when the key is published. [RT #23304]
2861 3075. [bug] dns_dnssec_findzonekeys{2} used a inconsistent
2862 timestamp when determining which keys are active.
2865 3074. [bug] Make the adb cache read through for zone data and
2866 glue learn for zone named is authoritative for.
2869 3073. [bug] managed-keys changes were not properly being recorded.
2872 3072. [bug] dns_dns64_aaaaok() potential NULL pointer dereference.
2875 3071. [bug] has_nsec could be used uninitialized in
2876 update.c:next_active. [RT #20256]
2878 3070. [bug] dnssec-signzone potential NULL pointer dereference.
2881 3069. [cleanup] Silence warnings messages from clang static analysis.
2884 3068. [bug] Named failed to build with a OpenSSL without engine
2885 support. [RT #23473]
2887 3067. [bug] ixfr-from-differences {master|slave}; failed to
2888 select the master/slave zones. [RT #23580]
2890 3066. [func] The DLZ "dlopen" driver is now built by default,
2891 no longer requiring a configure option. To
2892 disable it, use "configure --without-dlopen".
2893 Driver also supported on win32. [RT #23467]
2895 3065. [bug] RRSIG could have time stamps too far in the future.
2898 3064. [bug] powerpc: add sync instructions to the end of atomic
2899 operations. [RT #23469]
2901 3063. [contrib] More verbose error reporting from DLZ LDAP. [RT #23402]
2903 3062. [func] Made several changes to enhance human readability
2904 of DNSSEC data in dig output and in generated
2906 - DNSKEY record comments are more verbose, no
2907 longer used in multiline mode only
2908 - multiline RRSIG records reformatted
2909 - multiline output mode for NSEC3PARAM records
2910 - "dig +norrcomments" suppresses DNSKEY comments
2911 - "dig +split=X" breaks hex/base64 records into
2912 fields of width X; "dig +nosplit" disables this.
2915 3061. [func] New option "dnssec-signzone -D", only write out
2916 generated DNSSEC records. [RT #22896]
2918 3060. [func] New option "dnssec-signzone -X <date>" allows
2919 specification of a separate expiration date
2920 for DNSKEY RRSIGs and other RRSIGs. [RT #22141]
2922 3059. [test] Added a regression test for change #3023.
2924 3058. [bug] Cause named to terminate at startup or rndc reconfig/
2925 reload to fail, if a log file specified in the conf
2926 file isn't a plain file. [RT #22771]
2928 3057. [bug] "rndc secroots" would abort after the first error
2929 and so could miss some views. [RT #23488]
2931 3056. [func] Added support for URI resource record. [RT #23386]
2935 3054. [bug] Added elliptic curve support check in
2936 GOST OpenSSL engine detection. [RT #23485]
2938 3053. [bug] Under a sustained high query load with a finite
2939 max-cache-size, it was possible for cache memory
2940 to be exhausted and not recovered. [RT #23371]
2942 3052. [test] Fixed last autosign test report. [RT #23256]
2944 3051. [bug] NS records obscure DNAME records at the bottom of the
2945 zone if both are present. [RT #23035]
2947 3050. [bug] The autosign system test was timing dependent.
2948 Wait for the initial autosigning to complete
2949 before running the rest of the test. [RT #23035]
2951 3049. [bug] Save and restore the gid when creating creating
2952 named.pid at startup. [RT #23290]
2954 3048. [bug] Fully separate view key management. [RT #23419]
2956 3047. [bug] DNSKEY NODATA responses not cached fixed in
2957 validator.c. Tests added to dnssec system test.
2960 3046. [bug] Use RRSIG original TTL to compute validated RRset
2961 and RRSIG TTL. [RT #23332]
2963 3045. [removed] Replaced by change #3050.
2965 3044. [bug] Hold the socket manager lock while freeing the socket.
2968 3043. [test] Merged in the NetBSD ATF test framework (currently
2969 version 0.12) for development of future unit tests.
2970 Use configure --with-atf to build ATF internally
2971 or configure --with-atf=prefix to use an external
2974 3042. [bug] dig +trace could fail attempting to use IPv6
2975 addresses on systems with only IPv4 connectivity.
2978 3041. [bug] dnssec-signzone failed to generate new signatures on
2979 ttl changes. [RT #23330]
2981 3040. [bug] Named failed to validate insecure zones where a node
2982 with a CNAME existed between the trust anchor and the
2983 top of the zone. [RT #23338]
2985 3039. [func] Redirect on NXDOMAIN support. [RT #23146]
2987 3038. [bug] Install <dns/rpz.h>. [RT #23342]
2989 3037. [doc] Update COPYRIGHT to contain all the individual
2990 copyright notices that cover various parts.
2992 3036. [bug] Check built-in zone arguments to see if the zone
2993 is re-usable or not. [RT #21914]
2995 3035. [cleanup] Simplify by using strlcpy. [RT #22521]
2997 3034. [cleanup] nslookup: use strlcpy instead of safecopy. [RT #22521]
2999 3033. [cleanup] Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).
3002 3032. [bug] rdatalist.c: add missing REQUIREs. [RT #22521]
3004 3031. [bug] dns_rdataclass_format() handle a zero sized buffer.
3007 3030. [bug] dns_rdatatype_format() handle a zero sized buffer.
3010 3029. [bug] isc_netaddr_format() handle a zero sized buffer.
3013 3028. [bug] isc_sockaddr_format() handle a zero sized buffer.
3016 3027. [bug] Add documented REQUIREs to cfg_obj_asnetprefix() to
3017 catch NULL pointer dereferences before they happen.
3020 3026. [bug] lib/isc/httpd.c: check that we have enough space
3021 after calling grow_headerspace() and if not
3022 re-call grow_headerspace() until we do. [RT #22521]
3024 3025. [bug] Fixed a possible deadlock due to zone resigning.
3027 3024. [func] RTT Banding removed due to minor security increase
3028 but major impact on resolver latency. [RT #23310]
3030 3023. [bug] Named could be left in an inconsistent state when
3031 receiving multiple AXFR response messages that were
3032 not all TSIG-signed. [RT #23254]
3034 3022. [bug] Fixed rpz SERVFAILs after failed zone transfers
3037 3021. [bug] Change #3010 was incomplete. [RT #22296]
3039 3020. [bug] auto-dnssec failed to correctly update the zone when
3040 changing the DNSKEY RRset. [RT #23232]
3042 3019. [test] Test: check apex NSEC3 records after adding DNSKEY
3043 record via UPDATE. [RT #23229]
3045 3018. [bug] Named failed to check for the "none;" acl when deciding
3046 if a zone may need to be re-signed. [RT #23120]
3048 3017. [doc] dnssec-keyfromlabel -I was not properly documented.
3051 3016. [bug] rndc usage missing '-b'. [RT #22937]
3053 3015. [port] win32: fix IN6_IS_ADDR_LINKLOCAL and
3054 IN6_IS_ADDR_SITELOCAL macros. [RT #22724]
3058 3013. [bug] The DNS64 ttl was not always being set as expected.
3061 3012. [bug] Remove DNSKEY TTL change pairs before generating
3062 signing records for any remaining DNSKEY changes.
3065 3011. [func] Change the default query timeout from 30 seconds
3066 to 10. Allow setting this in named.conf using the new
3067 'resolver-query-timeout' option, which specifies a max
3068 time in seconds. 0 means 'default' and anything longer
3069 than 30 will be silently set to 30. [RT #22852]
3071 3010. [bug] Fixed a bug where "rndc reconfig" stopped the timer
3072 for refreshing managed-keys. [RT #22296]
3074 3009. [bug] clients-per-query code didn't work as expected with
3075 particular query patterns. [RT #22972]
3077 --- 9.8.0b1 released ---
3079 3008. [func] Response policy zones (RPZ) support. [RT #21726]
3081 3007. [bug] Named failed to preserve the case of domain names in
3082 rdata which is not compressible when writing master
3085 3006. [func] Allow dynamically generated TSIG keys to be preserved
3086 across restarts of named. Initially this is for
3087 TSIG keys generated using GSSAPI. [RT #22639]
3089 3005. [port] Solaris: Work around the lack of
3090 gsskrb5_register_acceptor_identity() by setting
3091 the KRB5_KTNAME environment variable to the
3092 contents of tkey-gssapi-keytab. Also fixed
3093 test errors on MacOSX. [RT #22853]
3095 3004. [func] DNS64 reverse support. [RT #22769]
3097 3003. [experimental] Added update-policy match type "external",
3098 enabling named to defer the decision of whether to
3099 allow a dynamic update to an external daemon.
3100 (Contributed by Andrew Tridgell.) [RT #22758]
3102 3002. [bug] isc_mutex_init_errcheck() failed to destroy attr.
3105 3001. [func] Added a default trust anchor for the root zone, which
3106 can be switched on by setting "dnssec-validation auto;"
3107 in the named.conf options. [RT #21727]
3109 3000. [bug] More TKEY/GSS fixes:
3110 - nsupdate can now get the default realm from
3111 the user's Kerberos principal
3112 - corrected gsstest compilation flags
3113 - improved documentation
3114 - fixed some NULL dereferences
3117 2999. [func] Add GOST support (RFC 5933). [RT #20639]
3119 2998. [func] Add isc_task_beginexclusive and isc_task_endexclusive
3120 to the task api. [RT #22776]
3122 2997. [func] named -V now reports the OpenSSL and libxml2 verions
3123 it was compiled against. [RT #22687]
3125 2996. [security] Temporarily disable SO_ACCEPTFILTER support.
3128 2995. [bug] The Kerberos realm was not being correctly extracted
3129 from the signer's identity. [RT #22770]
3131 2994. [port] NetBSD: use pthreads by default on NetBSD >= 5.0, and
3132 do not use threads on earlier versions. Also kill
3133 the unproven-pthreads, mit-pthreads, and ptl2 support.
3135 2993. [func] Dynamically grow adb hash tables. [RT #21186]
3137 2992. [contrib] contrib/check-secure-delegation.pl: A simple tool
3138 for looking at a secure delegation. [RT #22059]
3140 2991. [contrib] contrib/zone-edit.sh: A simple zone editing tool for
3141 dynamic zones. [RT #22365]
3143 2990. [bug] 'dnssec-settime -S' no longer tests prepublication
3144 interval validity when the interval is set to 0.
3147 2989. [func] Added support for writable DLZ zones. (Contributed
3148 by Andrew Tridgell of the Samba project.) [RT #22629]
3150 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation
3151 of external DLZ drivers that can be loaded as
3152 shared objects at runtime rather than linked with
3153 named. Currently this is switched on via a
3154 compile-time option, "configure --with-dlz-dlopen".
3155 Note: the syntax for configuring DLZ zones
3156 is likely to be refined in future releases.
3157 (Contributed by Andrew Tridgell of the Samba
3158 project.) [RT #22629]
3160 2987. [func] Improve ease of configuring TKEY/GSS updates by
3161 adding a "tkey-gssapi-keytab" option. If set,
3162 updates will be allowed with any key matching
3163 a principal in the specified keytab file.
3164 "tkey-gssapi-credential" is no longer required
3165 and is expected to be deprecated. (Contributed
3166 by Andrew Tridgell of the Samba project.)
3169 2986. [func] Add new zone type "static-stub". It's like a stub
3170 zone, but the nameserver names and/or their IP
3171 addresses are statically configured. [RT #21474]
3173 2985. [bug] Add a regression test for change #2896. [RT #21324]
3175 2984. [bug] Don't run MX checks when the target of the MX record
3178 2983. [bug] Include "loadkeys" in rndc help output. [RT #22493]
3180 --- 9.8.0a1 released ---
3182 2982. [bug] Reference count dst keys. dst_key_attach() can be used
3183 increment the reference count.
3185 Note: dns_tsigkey_createfromkey() callers should now
3186 always call dst_key_free() rather than setting it
3187 to NULL on success. [RT #22672]
3189 2981. [func] Partial DNS64 support (AAAA synthesis). [RT #21991]
3191 2980. [bug] named didn't properly handle UPDATES that changed the
3192 TTL of the NSEC3PARAM RRset. [RT #22363]
3194 2979. [bug] named could deadlock during shutdown if two
3195 "rndc stop" commands were issued at the same
3198 2978. [port] hpux: look for <devpoll.h> [RT #21919]
3200 2977. [bug] 'nsupdate -l' report if the session key is missing.
3203 2976. [bug] named could die on exit after negotiating a GSS-TSIG
3206 2975. [bug] rbtdb.c:cleanup_dead_nodes_callback() acquired the
3207 wrong lock which could lead to server deadlock.
3210 2974. [bug] Some valid UPDATE requests could fail due to a
3211 consistency check examining the existing version
3212 of the zone rather than the new version resulting
3213 from the UPDATE. [RT #22413]
3215 2973. [bug] bind.keys.h was being removed by the "make clean"
3216 at the end of configure resulting in build failures
3217 where there is very old version of perl installed.
3218 Move it to "make maintainer-clean". [RT #22230]
3220 2972. [bug] win32: address windows socket errors. [RT #21906]
3222 2971. [bug] Fixed a bug that caused journal files not to be
3223 compacted on Windows systems as a result of
3224 non-POSIX-compliant rename() semantics. [RT #22434]
3226 2970. [security] Adding a NO DATA negative cache entry failed to clear
3227 any matching RRSIG records. A subsequent lookup of
3228 of NO DATA cache entry could trigger a INSIST when the
3229 unexpected RRSIG was also returned with the NO DATA
3232 CVE-2010-3613, VU#706148. [RT #22288]
3234 2969. [security] Fix acl type processing so that allow-query works
3235 in options and view statements. Also add a new
3236 set of tests to verify proper functioning.
3238 CVE-2010-3615, VU#510208. [RT #22418]
3240 2968. [security] Named could fail to prove a data set was insecure
3241 before marking it as insecure. One set of conditions
3242 that can trigger this occurs naturally when rolling
3245 CVE-2010-3614, VU#837744. [RT #22309]
3247 2967. [bug] 'host -D' now turns on debugging messages earlier.
3250 2966. [bug] isc_print_vsnprintf() failed to check if there was
3251 space available in the buffer when adding a left
3252 justified character with a non zero width,
3253 (e.g. "%-1c"). [RT #22270]
3255 2965. [func] Test HMAC functions using test data from RFC 2104 and
3256 RFC 4634. [RT #21702]
3260 2963. [security] The allow-query acl was being applied instead of the
3261 allow-query-cache acl to cache lookups. [RT #22114]
3263 2962. [port] win32: add more dependencies to BINDBuild.dsw.
3266 2961. [bug] Be still more selective about the non-authoritative
3267 answers we apply change 2748 to. [RT #22074]
3269 2960. [func] Check that named accepts non-authoritative answers.
3272 2959. [func] Check that named starts with a missing masterfile.
3275 2958. [bug] named failed to start with a missing master file.
3278 2957. [bug] entropy_get() and entropy_getpseudo() failed to match
3279 the API for RAND_bytes() and RAND_pseudo_bytes()
3280 respectively. [RT #21962]
3282 2956. [port] Enable atomic operations on the PowerPC64. [RT #21899]
3284 2955. [func] Provide more detail in the recursing log. [RT #22043]
3286 2954. [bug] contrib: dlz_mysql_driver.c bad error handling on
3287 build_sqldbinstance failure. [RT #21623]
3289 2953. [bug] Silence spurious "expected covering NSEC3, got an
3290 exact match" message when returning a wildcard
3291 no data response. [RT #21744]
3293 2952. [port] win32: named-checkzone and named-checkconf failed
3294 to initialize winsock. [RT #21932]
3296 2951. [bug] named failed to generate a correct signed response
3297 in a optout, delegation only zone with no secure
3298 delegations. [RT #22007]
3300 2950. [bug] named failed to perform a SOA up to date check when
3301 falling back to TCP on UDP timeouts when
3302 ixfr-from-differences was set. [RT #21595]
3304 2949. [bug] dns_view_setnewzones() contained a memory leak if
3305 it was called multiple times. [RT #21942]
3307 2948. [port] MacOS: provide a mechanism to configure the test
3308 interfaces at reboot. See bin/tests/system/README
3313 2946. [doc] Document the default values for the minimum and maximum
3314 zone refresh and retry values in the ARM. [RT #21886]
3316 2945. [doc] Update empty-zones list in ARM. [RT #21772]
3318 2944. [maint] Remove ORCHID prefix from built in empty zones.
3321 2943. [func] Add support to load new keys into managed zones
3322 without signing immediately with "rndc loadkeys".
3323 Add support to link keys with "dnssec-keygen -S"
3324 and "dnssec-settime -S". [RT #21351]
3326 2942. [contrib] zone2sqlite failed to setup the entropy sources.
3329 2941. [bug] sdb and sdlz (dlz's zone database) failed to support
3330 DNAME at the zone apex. [RT #21610]
3332 2940. [port] Remove connection aborted error message on
3333 Windows. [RT #21549]
3335 2939. [func] Check that named successfully skips NSEC3 records
3336 that fail to match the NSEC3PARAM record currently
3339 2938. [bug] When generating signed responses, from a signed zone
3340 that uses NSEC3, named would use a uninitialized
3341 pointer if it needed to skip a NSEC3 record because
3342 it didn't match the selected NSEC3PARAM record for
3345 2937. [bug] Worked around an apparent race condition in over
3346 memory conditions. Without this fix a DNS cache DB or
3347 ADB could incorrectly stay in an over memory state,
3348 effectively refusing further caching, which
3349 subsequently made a BIND 9 caching server unworkable.
3350 This fix prevents this problem from happening by
3351 polling the state of the memory context, rather than
3352 making a copy of the state, which appeared to cause
3353 a race. This is a "workaround" in that it doesn't
3354 solve the possible race per se, but several experiments
3355 proved this change solves the symptom. Also, the
3356 polling overhead hasn't been reported to be an issue.
3357 This bug should only affect a caching server that
3358 specifies a finite max-cache-size. It's also quite
3359 likely that the bug happens only when enabling threads,
3360 but it's not confirmed yet. [RT #21818]
3362 2936. [func] Improved configuration syntax and multiple-view
3363 support for addzone/delzone feature (see change
3364 #2930). Removed "new-zone-file" option, replaced
3365 with "allow-new-zones (yes|no)". The new-zone-file
3366 for each view is now created automatically, with
3367 a filename generated from a hash of the view name.
3368 It is no longer necessary to "include" the
3369 new-zone-file in named.conf; this happens
3370 automatically. Zones that were not added via
3371 "rndc addzone" can no longer be removed with
3372 "rndc delzone". [RT #19447]
3374 2935. [bug] nsupdate: improve 'file not found' error message.
3377 2934. [bug] Use ANSI C compliant shift range in lib/isc/entropy.c.
3380 2933. [bug] 'dig +nsid' used stack memory after it went out of
3381 scope. This could potentially result in a unknown,
3382 potentially malformed, EDNS option being sent instead
3383 of the desired NSID option. [RT #21781]
3385 2932. [cleanup] Corrected a numbering error in the "dnssec" test.
3388 2931. [bug] Temporarily and partially disable change 2864
3389 because it would cause infinite attempts of RRSIG
3390 queries. This is an urgent care fix; we'll
3391 revisit the issue and complete the fix later.
3394 2930. [experimental] New "rndc addzone" and "rndc delzone" commands
3395 allow dynamic addition and deletion of zones.
3396 To enable this feature, specify a "new-zone-file"
3397 option at the view or options level in named.conf.
3398 Zone configuration information for the new zones
3399 will be written into that file. To make the new
3400 zones persist after a restart, "include" the file
3401 into named.conf in the appropriate view. (Note:
3402 This feature is not yet documented, and its syntax
3403 is expected to change.) [RT #19447]
3405 2929. [bug] Improved handling of GSS security contexts:
3406 - added LRU expiration for generated TSIGs
3407 - added the ability to use a non-default realm
3408 - added new "realm" keyword in nsupdate
3409 - limited lifetime of generated keys to 1 hour
3410 or the lifetime of the context (whichever is
3414 2928. [bug] Be more selective about the non-authoritative
3415 answer we apply change 2748 to. [RT #21594]
3421 2925. [bug] Named failed to accept uncachable negative responses
3422 from insecure zones. [RT #21555]
3424 2924. [func] 'rndc secroots' dump a combined summary of the
3425 current managed keys combined with trusted keys.
3428 2923. [bug] 'dig +trace' could drop core after "connection
3429 timeout". [RT #21514]
3431 2922. [contrib] Update zkt to version 1.0.
3433 2921. [bug] The resolver could attempt to destroy a fetch context
3434 too soon. [RT #19878]
3436 2920. [func] Allow 'filter-aaaa-on-v4' to be applied selectively
3437 to IPv4 clients. New acl 'filter-aaaa' (default any).
3439 2919. [func] Add autosign-ksk and autosign-zsk virtual time tests.
3442 2918. [maint] Add AAAA address for I.ROOT-SERVERS.NET.
3444 2917. [func] Virtual time test framework. [RT #20801]
3446 2916. [func] Add framework to use IPv6 in tests.
3447 fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7
3449 2915. [cleanup] Be smarter about which objects we attempt to compile
3450 based on configure options. [RT #21444]
3452 2914. [bug] Make the "autosign" system test more portable.
3455 2913. [func] Add pkcs#11 system tests. [RT #20784]
3457 2912. [func] Windows clients don't like UPDATE responses that clear
3458 the zone section. [RT #20986]
3460 2911. [bug] dnssec-signzone didn't handle out of zone records well.
3463 2910. [func] Sanity check Kerberos credentials. [RT #20986]
3465 2909. [bug] named-checkconf -p could die if "update-policy local;"
3466 was specified in named.conf. [RT #21416]
3468 2908. [bug] It was possible for re-signing to stop after removing
3469 a DNSKEY. [RT #21384]
3471 2907. [bug] The export version of libdns had undefined references.
3474 2906. [bug] Address RFC 5011 implementation issues. [RT #20903]
3476 2905. [port] aix: set use_atomic=yes with native compiler.
3479 2904. [bug] When using DLV, sub-zones of the zones in the DLV,
3480 could be incorrectly marked as insecure instead of
3481 secure leading to negative proofs failing. This was
3482 a unintended outcome from change 2890. [RT #21392]
3484 2903. [bug] managed-keys-directory missing from namedconf.c.
3487 2902. [func] Add regression test for change 2897. [RT #21040]
3489 2901. [port] Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]
3491 2900. [bug] The placeholder negative caching element was not
3492 properly constructed triggering a INSIST in
3493 dns_ncache_towire(). [RT #21346]
3495 2899. [port] win32: Support linking against OpenSSL 1.0.0.
3497 2898. [bug] nslookup leaked memory when -domain=value was
3498 specified. [RT #21301]
3500 2897. [bug] NSEC3 chains could be left behind when transitioning
3501 to insecure. [RT #21040]
3503 2896. [bug] "rndc sign" failed to properly update the zone
3504 when adding a DNSKEY for publication only. [RT #21045]
3506 2895. [func] genrandom: add support for the generation of multiple
3509 2894. [contrib] DLZ LDAP support now use '$' not '%'. [RT #21294]
3511 2893. [bug] Improve managed keys support. New named.conf option
3512 managed-keys-directory. [RT #20924]
3514 2892. [bug] Handle REVOKED keys better. [RT #20961]
3516 2891. [maint] Update empty-zones list to match
3517 draft-ietf-dnsop-default-local-zones-13. [RT #21099]
3519 2890. [bug] Handle the introduction of new trusted-keys and
3520 DS, DLV RRsets better. [RT #21097]
3522 2889. [bug] Elements of the grammar where not properly reported.
3525 2888. [bug] Only the first EDNS option was displayed. [RT #21273]
3527 2887. [bug] Report the keytag times in UTC in the .key file,
3528 local time is presented as a comment within the
3529 comment. [RT #21223]
3531 2886. [bug] ctime() is not thread safe. [RT #21223]
3533 2885. [bug] Improve -fno-strict-aliasing support probing in
3534 configure. [RT #21080]
3536 2884. [bug] Insufficient validation in dns_name_getlabelsequence().
3539 2883. [bug] 'dig +short' failed to handle really large datasets.
3542 2882. [bug] Remove memory context from list of active contexts
3543 before clearing 'magic'. [RT #21274]
3545 2881. [bug] Reduce the amount of time the rbtdb write lock
3546 is held when closing a version. [RT #21198]
3548 2880. [cleanup] Make the output of dnssec-keygen and dnssec-revoke
3549 consistent. [RT #21078]
3551 2879. [contrib] DLZ bdbhpt driver fails to close correct cursor.
3554 2878. [func] Incrementally write the master file after performing
3557 2877. [bug] The validator failed to skip obviously mismatching
3560 2876. [bug] Named could return SERVFAIL for negative responses
3561 from unsigned zones. [RT #21131]
3563 2875. [bug] dns_time64_fromtext() could accept non digits.
3566 2874. [bug] Cache lack of EDNS support only after the server
3567 successfully responds to the query using plain DNS.
3570 2873. [bug] Canceling a dynamic update via the dns/client module
3571 could trigger an assertion failure. [RT #21133]
3573 2872. [bug] Modify dns/client.c:dns_client_createx() to only
3574 require one of IPv4 or IPv6 rather than both.
3577 2871. [bug] Type mismatch in mem_api.c between the definition and
3578 the header file, causing build failure with
3579 --enable-exportlib. [RT #21138]
3581 2870. [maint] Add AAAA address for L.ROOT-SERVERS.NET.
3583 2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call.
3586 2868. [cleanup] Run "make clean" at the end of configure to ensure
3587 any changes made by configure are integrated.
3588 Use --with-make-clean=no to disable. [RT #20994]
3590 2867. [bug] Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
3591 don't like it. [RT #20986]
3593 2866. [bug] Windows does not like the TSIG name being compressed.
3596 2865. [bug] memset to zero event.data. [RT #20986]
3598 2864. [bug] Direct SIG/RRSIG queries were not handled correctly.
3601 2863. [port] linux: disable IPv6 PMTUD and use network minimum MTU.
3604 2862. [bug] nsupdate didn't default to the parent zone when
3605 updating DS records. [RT #20896]
3607 2861. [doc] dnssec-settime man pages didn't correctly document the
3608 inactivation time. [RT #21039]
3610 2860. [bug] named-checkconf's usage was out of date. [RT #21039]
3612 2859. [bug] When canceling validation it was possible to leak
3615 2858. [bug] RTT estimates were not being adjusted on ICMP errors.
3618 2857. [bug] named-checkconf did not fail on a bad trusted key.
3621 2856. [bug] The size of a memory allocation was not always properly
3622 recorded. [RT #20927]
3624 2855. [func] nsupdate will now preserve the entered case of domain
3625 names in update requests it sends. [RT #20928]
3627 2854. [func] dig: allow the final soa record in a axfr response to
3628 be suppressed, dig +onesoa. [RT #20929]
3630 2853. [bug] add_sigs() could run out of scratch space. [RT #21015]
3632 2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]
3634 2851. [doc] nslookup.1, removed <informalexample> from the docbook
3635 source as it produced bad nroff. [RT #21007]
3637 2850. [bug] If isc_heap_insert() failed due to memory shortage
3638 the heap would have corrupted entries. [RT #20951]
3640 2849. [bug] Don't treat errors from the xml2 library as fatal.
3643 2848. [doc] Moved README.dnssec, README.libdns, README.pkcs11 and
3644 README.rfc5011 into the ARM. [RT #20899]
3646 2847. [cleanup] Corrected usage message in dnssec-settime. [RT #20921]
3648 2846. [bug] EOF on unix domain sockets was not being handled
3649 correctly. [RT #20731]
3651 2845. [bug] RFC 5011 client could crash on shutdown. [RT #20903]
3653 2844. [doc] notify-delay default in ARM was wrong. It should have
3654 been five (5) seconds.
3656 2843. [func] Prevent dnssec-keygen and dnssec-keyfromlabel from
3657 creating key files if there is a chance that the new
3658 key ID will collide with an existing one after
3659 either of the keys has been revoked. (To override
3660 this in the case of dnssec-keyfromlabel, use the -y
3661 option. dnssec-keygen will simply create a
3662 different, non-colliding key, so an override is
3663 not necessary.) [RT #20838]
3665 2842. [func] Added "smartsign" and improved "autosign" and
3666 "dnssec" regression tests. [RT #20865]
3668 2841. [bug] Change 2836 was not complete. [RT #20883]
3670 2840. [bug] Temporary fixed pkcs11-destroy usage check.
3673 2839. [bug] A KSK revoked by named could not be deleted.
3678 2837. [port] Prevent Linux spurious warnings about fwrite().
3681 2836. [bug] Keys that were scheduled to become active could
3682 be delayed. [RT #20874]
3684 2835. [bug] Key inactivity dates were inadvertently stored in
3685 the private key file with the outdated tag
3686 "Unpublish" rather than "Inactive". This has been
3687 fixed; however, any existing keys that had Inactive
3688 dates set will now need to have them reset, using
3689 'dnssec-settime -I'. [RT #20868]
3691 2834. [bug] HMAC-SHA* keys that were longer than the algorithm
3692 digest length were used incorrectly, leading to
3693 interoperability problems with other DNS
3694 implementations. This has been corrected.
3695 (Note: If an oversize key is in use, and
3696 compatibility is needed with an older release of
3697 BIND, the new tool "isc-hmac-fixup" can convert
3698 the key secret to a form that will work with all
3699 versions.) [RT #20751]
3701 2833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime.
3704 2832. [bug] Modify "struct stat" in lib/export/samples/nsprobe.c
3705 to avoid redefinition in some OSs [RT 20831]
3707 2831. [security] Do not attempt to validate or cache
3708 out-of-bailiwick data returned with a secure
3709 answer; it must be re-fetched from its original
3710 source and validated in that context. [RT #20819]
3712 2830. [bug] Changing the OPTOUT setting could take multiple
3715 2829. [bug] Fixed potential node inconsistency in rbtdb.c.
3718 2828. [security] Cached CNAME or DNAME RR could be returned to clients
3719 without DNSSEC validation. [RT #20737]
3721 2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
3723 2826. [bug] NSEC3->NSEC transitions could fail due to a lock not
3724 being released. [RT #20740]
3726 2825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that
3727 was in the process of being created was not properly
3728 recorded in the zone. [RT #20786]
3730 2824. [bug] "rndc sign" was not being run by the correct task.
3733 2823. [bug] rbtdb.c:getsigningtime() was missing locks. [RT #20781]
3735 2822. [bug] rbtdb.c:loadnode() could return the wrong result.
3738 2821. [doc] Add note that named-checkconf doesn't automatically
3739 read rndc.key and bind.keys [RT #20758]
3741 2820. [func] Handle read access failure of OpenSSL configuration
3742 file more user friendly (PKCS#11 engine patch).
3745 2819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define.
3748 2818. [cleanup] rndc could return an incorrect error code
3749 when a zone was not found. [RT #20767]
3751 2817. [cleanup] Removed unnecessary isc_task_endexclusive() calls.
3754 2816. [bug] previous_closest_nsec() could fail to return
3755 data for NSEC3 nodes [RT #29730]
3757 2815. [bug] Exclusively lock the task when freezing a zone.
3760 2814. [func] Provide a definitive error message when a master
3761 zone is not loaded. [RT #20757]
3763 2813. [bug] Better handling of unreadable DNSSEC key files.
3766 2812. [bug] Make sure updates can't result in a zone with
3767 NSEC-only keys and NSEC3 records. [RT #20748]
3769 2811. [cleanup] Add "rndc sign" to list of commands in rndc usage
3772 2810. [doc] Clarified the process of transitioning an NSEC3 zone
3773 to insecure. [RT #20746]
3775 2809. [cleanup] Restored accidentally-deleted text in usage output
3776 in dnssec-settime and dnssec-revoke [RT #20739]
3778 2808. [bug] Remove the attempt to install atomic.h from lib/isc.
3779 atomic.h is correctly installed by the architecture
3780 specific subdirectories. [RT #20722]
3782 2807. [bug] Fixed a possible ASSERT when reconfiguring zone
3785 --- 9.7.0rc1 released ---
3787 2806. [bug] "rdnc sign" could delay re-signing the DNSKEY
3788 when it had changed. [RT #20703]
3790 2805. [bug] Fixed namespace problems encountered when building
3791 external programs using non-exported BIND9 libraries
3792 (i.e., built without --enable-exportlib). [RT #20679]
3794 2804. [bug] Send notifies when a zone is signed with "rndc sign"
3795 or as a result of a scheduled key change. [RT #20700]
3797 2803. [port] win32: Install named-journalprint, nsec3hash, arpaname
3798 and genrandom under windows. [RT #20670]
3800 2802. [cleanup] Rename journalprint to named-journalprint. [RT #20670]
3802 2801. [func] Detect and report records that are different according
3803 to DNSSEC but are semantically equal according to plain
3804 DNS. Apply plain DNS comparisons rather than DNSSEC
3805 comparisons when processing UPDATE requests.
3806 dnssec-signzone now removes such semantically duplicate
3807 records prior to signing the RRset.
3809 named-checkzone -r {ignore|warn|fail} (default warn)
3810 named-compilezone -r {ignore|warn|fail} (default warn)
3812 named.conf: check-dup-records {ignore|warn|fail};
3814 2800. [func] Reject zones which have NS records which refer to
3815 CNAMEs, DNAMEs or don't have address record (class IN
3816 only). Reject UPDATEs which would cause the zone
3817 to fail the above checks if committed. [RT #20678]
3819 2799. [cleanup] Changed the "secure-to-insecure" option to
3820 "dnssec-secure-to-insecure", and "dnskey-ksk-only"
3821 to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
3823 2798. [bug] Addressed bugs in managed-keys initialization
3824 and rollover. [RT #20683]
3826 2797. [bug] Don't decrement the dispatch manager's maxbuffers.
3829 2796. [bug] Missing dns_rdataset_disassociate() call in
3830 dns_nsec3_delnsec3sx(). [RT #20681]
3832 2795. [cleanup] Add text to differentiate "update with no effect"
3833 log messages. [RT #18889]
3835 2794. [bug] Install <isc/namespace.h>. [RT #20677]
3837 2793. [func] Add "autosign" and "metadata" tests to the
3838 automatic tests. [RT #19946]
3840 2792. [func] "filter-aaaa-on-v4" can now be set in view
3841 options (if compiled in). [RT #20635]
3843 2791. [bug] The installation of isc-config.sh was broken.
3846 2790. [bug] Handle DS queries to stub zones. [RT #20440]
3848 2789. [bug] Fixed an INSIST in dispatch.c [RT #20576]
3850 2788. [bug] dnssec-signzone could sign with keys that were
3851 not requested [RT #20625]
3853 2787. [bug] Spurious log message when zone keys were
3854 dynamically reconfigured. [RT #20659]
3856 2786. [bug] Additional could be promoted to answer. [RT #20663]
3858 --- 9.7.0b3 released ---
3860 2785. [bug] Revoked keys could fail to self-sign [RT #20652]
3862 2784. [bug] TC was not always being set when required glue was
3863 dropped. [RT #20655]
3865 2783. [func] Return minimal responses to EDNS/UDP queries with a UDP
3866 buffer size of 512 or less. [RT #20654]
3868 2782. [port] win32: use getaddrinfo() for hostname lookups.
3871 2781. [bug] Inactive keys could be used for signing. [RT #20649]
3873 2780. [bug] dnssec-keygen -A none didn't properly unset the
3874 activation date in all cases. [RT #20648]
3876 2779. [bug] Dynamic key revocation could fail. [RT #20644]
3878 2778. [bug] dnssec-signzone could fail when a key was revoked
3879 without deleting the unrevoked version. [RT #20638]
3881 2777. [contrib] DLZ MYSQL auto reconnect support discovery was wrong.
3883 2776. [bug] Change #2762 was not correct. [RT #20647]
3885 2775. [bug] Accept RSASHA256 and RSASHA512 as NSEC3 compatible
3886 in dnssec-keyfromlabel. [RT #20643]
3888 2774. [bug] Existing cache DB wasn't being reused after
3889 reconfiguration. [RT #20629]
3891 2773. [bug] In autosigned zones, the SOA could be signed
3892 with the KSK. [RT #20628]
3894 2772. [security] When validating, track whether pending data was from
3895 the additional section or not and only return it if
3896 validates as secure. [RT #20438]
3898 2771. [bug] dnssec-signzone: DNSKEY records could be
3899 corrupted when importing from key files [RT #20624]
3901 2770. [cleanup] Add log messages to resolver.c to indicate events
3902 causing FORMERR responses. [RT #20526]
3904 2769. [cleanup] Change #2742 was incomplete. [RT #19589]
3906 2768. [bug] dnssec-signzone: -S no longer implies -g [RT #20568]
3908 2767. [bug] named could crash on startup if a zone was
3909 configured with auto-dnssec and there was no
3910 key-directory. [RT #20615]
3912 2766. [bug] isc_socket_fdwatchpoke() should only update the
3913 socketmgr state if the socket is not pending on a
3914 read or write. [RT #20603]
3916 2765. [bug] Skip masters for which the TSIG key cannot be found.
3919 2764. [bug] "rndc-confgen -a" could trigger a REQUIRE. [RT #20610]
3921 2763. [bug] "rndc sign" didn't create an NSEC chain. [RT #20591]
3923 2762. [bug] DLV validation failed with a local slave DLV zone.
3926 2761. [cleanup] Enable internal symbol table for backtrace only for
3927 systems that are known to work. Currently, BSD
3928 variants, Linux and Solaris are supported. [RT #20202]
3930 2760. [cleanup] Corrected named-compilezone usage summary. [RT #20533]
3932 2759. [doc] Add information about .jbk/.jnw files to
3933 the ARM. [RT #20303]
3935 2758. [bug] win32: Added a workaround for a windows 2008 bug
3936 that could cause the UDP client handler to shut
3939 2757. [bug] dig: assertion failure could occur in connect
3940 timeout. [RT #20599]
3942 2756. [bug] Fixed corrupt logfile message in update.c. [RT #20597]
3946 2754. [bug] Secure-to-insecure transitions failed when zone
3947 was signed with NSEC3. [RT #20587]
3949 2753. [bug] Removed an unnecessary warning that could appear when
3950 building an NSEC chain. [RT #20589]
3952 2752. [bug] Locking violation. [RT #20587]
3954 2751. [bug] Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]
3956 2750. [bug] dig: assertion failure could occur when a server
3957 didn't have an address. [RT #20579]
3959 2749. [bug] ixfr-from-differences generated a non-minimal ixfr
3960 for NSEC3 signed zones. [RT #20452]
3962 2748. [func] Identify bad answers from GTLD servers and treat them
3963 as referrals. [RT #18884]
3965 2747. [bug] Journal roll forwards failed to set the re-signing
3966 time of RRSIGs correctly. [RT #20541]
3968 2746. [port] hpux: address signed/unsigned expansion mismatch of
3969 dns_rbtnode_t.nsec. [RT #20542]
3971 2745. [bug] configure script didn't probe the return type of
3972 gai_strerror(3) correctly. [RT #20573]
3974 2744. [func] Log if a query was over TCP. [RT #19961]
3976 2743. [bug] RRSIG could be incorrectly set in the NSEC3 record
3977 for a insecure delegation.
3979 --- 9.7.0b2 released ---
3981 2742. [cleanup] Clarify some DNSSEC-related log messages in
3982 validator.c. [RT #19589]
3984 2741. [func] Allow the dnssec-keygen progress messages to be
3985 suppressed (dnssec-keygen -q). Automatically
3986 suppress the progress messages when stdin is not
3991 2739. [cleanup] Clean up API for initializing and clearing trust
3992 anchors for a view. [RT #20211]
3994 2738. [func] Add RSASHA256 and RSASHA512 tests to the dnssec system
3997 2737. [func] UPDATE requests can leak existence information.
4000 2736. [func] Improve the performance of NSEC signed zones with
4001 more than a normal amount of glue below a delegation.
4004 2735. [bug] dnssec-signzone could fail to read keys
4005 that were specified on the command line with
4006 full paths, but weren't in the current
4007 directory. [RT #20421]
4009 2734. [port] cygwin: arpaname did not compile. [RT #20473]
4011 2733. [cleanup] Clean up coding style in pkcs11-* tools. [RT #20355]
4013 2732. [func] Add optional filter-aaaa-on-v4 option, available
4014 if built with './configure --enable-filter-aaaa'.
4015 Filters out AAAA answers to clients connecting
4016 via IPv4. (This is NOT recommended for general
4019 2731. [func] Additional work on change 2709. The key parser
4020 will now ignore unrecognized fields when the
4021 minor version number of the private key format
4022 has been increased. It will reject any key with
4023 the major version number increased. [RT #20310]
4025 2730. [func] Have dnssec-keygen display a progress indication
4026 a la 'openssl genrsa' on standard error. Note
4027 when the first '.' is followed by a long stop
4028 one has the choice between slow generation vs.
4029 poor random quality, i.e., '-r /dev/urandom'.
4032 2729. [func] When constructing a CNAME from a DNAME use the DNAME
4035 2728. [bug] dnssec-keygen, dnssec-keyfromlabel and
4036 dnssec-signzone now warn immediately if asked to
4037 write into a nonexistent directory. [RT #20278]
4039 2727. [func] The 'key-directory' option can now specify a relative
4042 2726. [func] Added support for SHA-2 DNSSEC algorithms,
4043 RSASHA256 and RSASHA512. [RT #20023]
4045 2725. [doc] Added information about the file "managed-keys.bind"
4046 to the ARM. [RT #20235]
4048 2724. [bug] Updates to a existing node in secure zone using NSEC
4049 were failing. [RT #20448]
4051 2723. [bug] isc_base32_totext(), isc_base32hex_totext(), and
4052 isc_base64_totext(), didn't always mark regions of
4053 memory as fully consumed after conversion. [RT #20445]
4055 2722. [bug] Ensure that the memory associated with the name of
4056 a node in a rbt tree is not altered during the life
4057 of the node. [RT #20431]
4059 2721. [port] Have dst__entropy_status() prime the random number
4060 generator. [RT #20369]
4062 2720. [bug] RFC 5011 trust anchor updates could trigger an
4063 assert if the DNSKEY record was unsigned. [RT #20406]
4065 2719. [func] Skip trusted/managed keys for unsupported algorithms.
4068 2718. [bug] The space calculations in opensslrsa_todns() were
4069 incorrect. [RT #20394]
4071 2717. [bug] named failed to update the NSEC/NSEC3 record when
4072 the last private type record was removed as a result
4073 of completing the signing the zone with a key.
4076 2716. [bug] nslookup debug mode didn't return the ttl. [RT #20414]
4078 --- 9.7.0b1 released ---
4080 2715. [bug] Require OpenSSL support to be explicitly disabled.
4083 2714. [port] aix/powerpc: 'asm("ics");' needs non standard assembler
4086 2713. [bug] powerpc: atomic operations missing asm("ics") /
4089 2712. [func] New 'auto-dnssec' zone option allows zone signing
4090 to be fully automated in zones configured for
4091 dynamic DNS. 'auto-dnssec allow;' permits a zone
4092 to be signed by creating keys for it in the
4093 key-directory and using 'rndc sign <zone>'.
4094 'auto-dnssec maintain;' allows that too, plus it
4095 also keeps the zone's DNSSEC keys up to date
4096 according to their timing metadata. [RT #19943]
4098 2711. [port] win32: Add the bin/pkcs11 tools into the full
4101 2710. [func] New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
4102 zone option cause a zone to be signed with only KSKs
4103 signing the DNSKEY RRset, not ZSKs. This reduces
4104 the size of a DNSKEY answer. [RT #20340]
4106 2709. [func] Added some data fields, currently unused, to the
4107 private key file format, to allow implementation
4108 of explicit key rollover in a future release
4109 without impairing backward or forward compatibility.
4112 2708. [func] Insecure to secure and NSEC3 parameter changes via
4113 update are now fully supported and no longer require
4114 defines to enable. We now no longer overload the
4115 NSEC3PARAM flag field, nor the NSEC OPT bit at the
4116 apex. Secure to insecure changes are controlled by
4117 by the named.conf option 'secure-to-insecure'.
4119 Warning: If you had previously enabled support by
4120 adding defines at compile time to BIND 9.6 you should
4121 ensure that all changes that are in progress have
4122 completed prior to upgrading to BIND 9.7. BIND 9.7
4123 is not backwards compatible.
4125 2707. [func] dnssec-keyfromlabel no longer require engine name
4126 to be specified in the label if there is a default
4127 engine or the -E option has been used. Also, it
4128 now uses default algorithms as dnssec-keygen does
4129 (i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
4132 2706. [bug] Loading a zone with a very large NSEC3 salt could
4133 trigger an assert. [RT #20368]
4137 2704. [bug] Serial of dynamic and stub zones could be inconsistent
4138 with their SOA serial. [RT #19387]
4140 2703. [func] Introduce an OpenSSL "engine" argument with -E
4141 for all binaries which can take benefit of
4142 crypto hardware. [RT #20230]
4144 2702. [func] Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
4146 2701. [doc] Correction to ARM: hmac-md5 is no longer the only
4147 supported TSIG key algorithm. [RT #18046]
4149 2700. [doc] The match-mapped-addresses option is discouraged.
4152 2699. [bug] Missing lock in rbtdb.c. [RT #20037]
4156 2697. [port] win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
4157 S_IFREG are defined after including <isc/stat.h>.
4160 2696. [bug] named failed to successfully process some valid
4161 acl constructs. [RT #20308]
4163 2695. [func] DHCP/DDNS - update fdwatch code for use by
4164 DHCP. Modify the api to isc_sockfdwatch_t (the
4165 callback function for isc_socket_fdwatchcreate)
4166 to include information about the direction (read
4167 or write) and add isc_socket_fdwatchpoke.
4170 2694. [bug] Reduce default NSEC3 iterations from 100 to 10.
4173 2693. [port] Add some noreturn attributes. [RT #20257]
4175 2692. [port] win32: 32/64 bit cleanups. [RT #20335]
4177 2691. [func] dnssec-signzone: retain the existing NSEC or NSEC3
4178 chain when re-signing a previously-signed zone.
4179 Use -u to modify NSEC3 parameters or switch
4180 between NSEC and NSEC3. [RT #20304]
4182 2690. [bug] win32: fix isc_thread_key_getspecific() prototype.
4185 2689. [bug] Correctly handle snprintf result. [RT #20306]
4187 2688. [bug] Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
4188 to decide to fetch the destination address. [RT #20305]
4190 2687. [bug] Fixed dnssec-signzone -S handling of revoked keys.
4191 Also, added warnings when revoking a ZSK, as this is
4192 not defined by protocol (but is legal). [RT #19943]
4194 2686. [bug] dnssec-signzone should clean the old NSEC chain when
4195 signing with NSEC3 and vice versa. [RT #20301]
4197 2685. [contrib] Update contrib/zkt to version 0.99c. [RT #20054]
4199 2684. [cleanup] dig: formalize +ad and +cd as synonyms for
4200 +adflag and +cdflag. [RT #19305]
4202 2683. [bug] dnssec-signzone should clean out old NSEC3 chains when
4203 the NSEC3 parameters used to sign the zone change.
4206 2682. [bug] "configure --enable-symtable=all" failed to
4209 2681. [bug] IPSECKEY RR of gateway type 3 was not correctly
4210 decoded. [RT #20269]
4212 2680. [func] Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]
4214 2679. [func] dig -k can now accept TSIG keys in named.conf
4217 2678. [func] Treat DS queries as if "minimal-response yes;"
4218 was set. [RT #20258]
4220 2677. [func] Changes to key metadata behavior:
4221 - Keys without "publish" or "active" dates set will
4222 no longer be used for smart signing. However,
4223 those dates will be set to "now" by default when
4224 a key is created; to generate a key but not use
4225 it yet, use dnssec-keygen -G.
4226 - New "inactive" date (dnssec-keygen/settime -I)
4227 sets the time when a key is no longer used for
4228 signing but is still published.
4229 - The "unpublished" date (-U) is deprecated in
4230 favor of "deleted" (-D).
4233 2676. [bug] --with-export-installdir should have been
4234 --with-export-includedir. [RT #20252]
4236 2675. [bug] dnssec-signzone could crash if the key directory
4237 did not exist. [RT #20232]
4239 --- 9.7.0a3 released ---
4241 2674. [bug] "dnssec-lookaside auto;" crashed if named was built
4242 without openssl. [RT #20231]
4244 2673. [bug] The managed-keys.bind zone file could fail to
4245 load due to a spurious result from sync_keyzone()
4248 2672. [bug] Don't enable searching in 'host' when doing reverse
4249 lookups. [RT #20218]
4251 2671. [bug] Add support for PKCS#11 providers not returning
4252 the public exponent in RSA private keys
4253 (OpenCryptoki for instance) in
4254 dnssec-keyfromlabel. [RT #19294]
4256 2670. [bug] Unexpected connect failures failed to log enough
4257 information to be useful. [RT #20205]
4259 2669. [func] Update PKCS#11 support to support Keyper HSM.
4260 Update PKCS#11 patch to be against openssl-0.9.8i.
4262 2668. [func] Several improvements to dnssec-* tools, including:
4263 - dnssec-keygen and dnssec-settime can now set key
4264 metadata fields 0 (to unset a value, use "none")
4265 - dnssec-revoke sets the revocation date in
4266 addition to the revoke bit
4267 - dnssec-settime can now print individual metadata
4268 fields instead of always printing all of them,
4269 and can print them in unix epoch time format for
4273 2667. [func] Add support for logging stack backtrace on assertion
4274 failure (not available for all platforms). [RT #19780]
4276 2666. [func] Added an 'options' argument to dns_name_fromstring()
4277 (API change from 9.7.0a2). [RT #20196]
4279 2665. [func] Clarify syntax for managed-keys {} statement, add
4280 ARM documentation about RFC 5011 support. [RT #19874]
4282 2664. [bug] create_keydata() and minimal_update() in zone.c
4283 didn't properly check return values for some
4284 functions. [RT #19956]
4286 2663. [func] win32: allow named to run as a service using
4287 "NT AUTHORITY\LocalService" as the account. [RT #19977]
4289 2662. [bug] lwres_getipnodebyname() and lwres_getipnodebyaddr()
4290 returned a misleading error code when lwresd was
4293 2661. [bug] Check whether socket fd exceeds FD_SETSIZE when
4294 creating lwres context. [RT #20029]
4296 2660. [func] Add a new set of DNS libraries for non-BIND9
4297 applications. See README.libdns. [RT #19369]
4299 2659. [doc] Clarify dnssec-keygen doc: key name must match zone
4300 name for DNSSEC keys. [RT #19938]
4302 2658. [bug] dnssec-settime and dnssec-revoke didn't process
4303 key file paths correctly. [RT #20078]
4305 2657. [cleanup] Lower "journal file <path> does not exist, creating it"
4306 log level to debug 1. [RT #20058]
4308 2656. [func] win32: add a "tools only" check box to the installer
4309 which causes it to only install dig, host, nslookup,
4310 nsupdate and relevant DLLs. [RT #19998]
4312 2655. [doc] Document that key-directory does not affect
4313 bind.keys, rndc.key or session.key. [RT #20155]
4315 2654. [bug] Improve error reporting on duplicated names for
4316 deny-answer-xxx. [RT #20164]
4318 2653. [bug] Treat ENGINE_load_private_key() failures as key
4319 not found rather than out of memory. [RT #18033]
4321 2652. [func] Provide more detail about what record is being
4322 deleted. [RT #20061]
4324 2651. [bug] Dates could print incorrectly in K*.key files on
4325 64-bit systems. [RT #20076]
4327 2650. [bug] Assertion failure in dnssec-signzone when trying
4328 to read keyset-* files. [RT #20075]
4330 2649. [bug] Set the domain for forward only zones. [RT #19944]
4332 2648. [port] win32: isc_time_seconds() was broken. [RT #19900]
4334 2647. [bug] Remove unnecessary SOA updates when a new KSK is
4337 2646. [bug] Incorrect cleanup on error in socket.c. [RT #19987]
4339 2645. [port] "gcc -m32" didn't work on amd64 and x86_64 platforms
4340 which default to 64 bits. [RT #19927]
4342 --- 9.7.0a2 released ---
4344 2644. [bug] Change #2628 caused a regression on some systems;
4345 named was unable to write the PID file and would
4346 fail on startup. [RT #20001]
4348 2643. [bug] Stub zones interacted badly with NSEC3 support.
4351 2642. [bug] nsupdate could dump core on solaris when reading
4352 improperly formatted key files. [RT #20015]
4354 2641. [bug] Fixed an error in parsing update-policy syntax,
4355 added a regression test to check it. [RT #20007]
4357 2640. [security] A specially crafted update packet will cause named
4358 to exit. [RT #20000]
4360 2639. [bug] Silence compiler warnings in gssapi code. [RT #19954]
4362 2638. [bug] Install arpaname. [RT #19957]
4364 2637. [func] Rationalize dnssec-signzone's signwithkey() calling.
4367 2636. [func] Simplify zone signing and key maintenance with the
4368 dnssec-* tools. Major changes:
4369 - all dnssec-* tools now take a -K option to
4370 specify a directory in which key files will be
4372 - DNSSEC can now store metadata indicating when
4373 they are scheduled to be published, activated,
4374 revoked or removed; these values can be set by
4375 dnssec-keygen or overwritten by the new
4376 dnssec-settime command
4377 - dnssec-signzone -S (for "smart") option reads key
4378 metadata and uses it to determine automatically
4379 which keys to publish to the zone, use for
4380 signing, revoke, or remove from the zone
4383 2635. [bug] isc_inet_ntop() incorrectly handled 0.0/16 addresses.
4386 2634. [port] win32: Add support for libxml2, enable
4387 statschannel. [RT #19773]
4389 2633. [bug] Handle 15 bit rand() functions. [RT #19783]
4391 2632. [func] util/kit.sh: warn if documentation appears to be out of
4394 2631. [bug] Handle "//", "/./" and "/../" in mkdirpath().
4397 2630. [func] Improved syntax for DDNS autoconfiguration: use
4398 "update-policy local;" to switch on local DDNS in a
4399 zone. (The "ddns-autoconf" option has been removed.)
4402 2629. [port] Check for seteuid()/setegid(), use setresuid()/
4403 setresgid() if not present. [RT #19932]
4405 2628. [port] linux: Allow /var/run/named/named.pid to be opened
4406 at startup with reduced capabilities in operation.
4409 2627. [bug] Named aborted if the same key was included in
4410 trusted-keys more than once. [RT #19918]
4412 2626. [bug] Multiple trusted-keys could trigger an assertion
4413 failure. [RT #19914]
4415 2625. [bug] Missing UNLOCK in rbtdb.c. [RT #19865]
4417 2624. [func] 'named-checkconf -p' will print out the parsed
4418 configuration. [RT #18871]
4420 2623. [bug] Named started searches for DS non-optimally. [RT #19915]
4422 2622. [bug] Printing of named.conf grammar was broken. [RT #19919]
4424 2621. [doc] Made copyright boilerplate consistent. [RT #19833]
4426 2620. [bug] Delay thawing the zone until the reload of it has
4427 completed successfully. [RT #19750]
4429 2619. [func] Add support for RFC 5011, automatic trust anchor
4430 maintenance. The new "managed-keys" statement can
4431 be used in place of "trusted-keys" for zones which
4432 support this protocol. (Note: this syntax is
4433 expected to change prior to 9.7.0 final.) [RT #19248]
4435 2618. [bug] The sdb and sdlz db_interator_seek() methods could
4436 loop infinitely. [RT #19847]
4438 2617. [bug] ifconfig.sh failed to emit an error message when
4439 run from the wrong location. [RT #19375]
4441 2616. [bug] 'host' used the nameservers from resolv.conf even
4442 when a explicit nameserver was specified. [RT #19852]
4444 2615. [bug] "__attribute__((unused))" was in the wrong place
4445 for ia64 gcc builds. [RT #19854]
4447 2614. [port] win32: 'named -v' should automatically be executed
4448 in the foreground. [RT #19844]
4452 --- 9.7.0a1 released ---
4454 2612. [func] Add default values for the arguments to
4455 dnssec-keygen. Without arguments, it will now
4456 generate a 1024-bit RSASHA1 zone-signing key,
4457 or with the -f KSK option, a 2048-bit RSASHA1
4458 key-signing key. [RT #19300]
4460 2611. [func] Add -l option to dnssec-dsfromkey to generate
4461 DLV records instead of DS records. [RT #19300]
4463 2610. [port] sunos: Change #2363 was not complete. [RT #19796]
4465 2609. [func] Simplify the configuration of dynamic zones:
4466 - add ddns-confgen command to generate
4467 configuration text for named.conf
4468 - add zone option "ddns-autoconf yes;", which
4469 causes named to generate a TSIG session key
4470 and allow updates to the zone using that key
4471 - add '-l' (localhost) option to nsupdate, which
4472 causes nsupdate to connect to a locally-running
4473 named process using the session key generated
4477 2608. [func] Perform post signing verification checks in
4478 dnssec-signzone. These can be disabled with -P.
4480 The post sign verification test ensures that for each
4481 algorithm in use there is at least one non revoked
4482 self signed KSK key. That all revoked KSK keys are
4483 self signed. That all records in the zone are signed
4484 by the algorithm. [RT #19653]
4486 2607. [bug] named could incorrectly delete NSEC3 records for
4487 empty nodes when processing a update request.
4490 2606. [bug] "delegation-only" was not being accepted in
4491 delegation-only type zones. [RT #19717]
4493 2605. [bug] Accept DS responses from delegation only zones.
4496 2604. [func] Add support for DNS rebinding attack prevention through
4497 new options, deny-answer-addresses and
4498 deny-answer-aliases. Based on contributed code from
4499 JD Nurmi, Google. [RT #18192]
4501 2603. [port] win32: handle .exe extension of named-checkzone and
4502 named-comilezone argv[0] names under windows.
4505 2602. [port] win32: fix debugging command line build of libisccfg.
4508 2601. [doc] Mention file creation mode mask in the
4511 2600. [doc] ARM: miscellaneous reformatting for different
4512 page widths. [RT #19574]
4514 2599. [bug] Address rapid memory growth when validation fails.
4517 2598. [func] Reserve the -F flag. [RT #19657]
4519 2597. [bug] Handle a validation failure with a insecure delegation
4520 from a NSEC3 signed master/slave zone. [RT #19464]
4522 2596. [bug] Stale tree nodes of cache/dynamic rbtdb could stay
4523 long, leading to inefficient memory usage or rejecting
4524 newer cache entries in the worst case. [RT #19563]
4526 2595. [bug] Fix unknown extended rcodes in dig. [RT #19625]
4528 2594. [func] Have rndc warn if using its default configuration
4529 file when the key file also exists. [RT #19424]
4531 2593. [bug] Improve a corner source of SERVFAILs [RT #19632]
4533 2592. [bug] Treat "any" as a type in nsupdate. [RT #19455]
4535 2591. [bug] named could die when processing a update in
4536 removed_orphaned_ds(). [RT #19507]
4538 2590. [func] Report zone/class of "update with no effect".
4541 2589. [bug] dns_db_unregister() failed to clear '*dbimp'.
4544 2588. [bug] SO_REUSEADDR could be set unconditionally after failure
4545 of bind(2) call. This should be rare and mostly
4546 harmless, but may cause interference with other
4547 processes that happen to use the same port. [RT #19642]
4549 2587. [func] Improve logging by reporting serial numbers for
4550 when zone serial has gone backwards or unchanged.
4553 2586. [bug] Missing cleanup of SIG rdataset in searching a DLZ DB
4556 2585. [bug] Uninitialized socket name could be referenced via a
4557 statistics channel, triggering an assertion failure in
4558 XML rendering. [RT #19427]
4560 2584. [bug] alpha: gcc optimization could break atomic operations.
4563 2583. [port] netbsd: provide a control to not add the compile
4564 date to the version string, -DNO_VERSION_DATE.
4566 2582. [bug] Don't emit warning log message when we attempt to
4567 remove non-existent journal. [RT #19516]
4569 2581. [contrib] dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
4570 Requires MySQL 5.0.19 or later. [RT #19084]
4572 2580. [bug] UpdateRej statistics counter could be incremented twice
4573 for one rejection. [RT #19476]
4575 2579. [bug] DNSSEC lookaside validation failed to handle unknown
4576 algorithms. [RT #19479]
4578 2578. [bug] Changed default sig-signing-type to 65534, because
4579 65535 turns out to be reserved. [RT #19477]
4581 2577. [doc] Clarified some statistics counters. [RT #19454]
4583 2576. [bug] NSEC record were not being correctly signed when
4584 a zone transitions from insecure to secure.
4585 Handle such incorrectly signed zones. [RT #19114]
4587 2575. [func] New functions dns_name_fromstring() and
4588 dns_name_tostring(), to simplify conversion
4589 of a string to a dns_name structure and vice
4592 2574. [doc] Document nsupdate -g and -o. [RT #19351]
4594 2573. [bug] Replacing a non-CNAME record with a CNAME record in a
4595 single transaction in a signed zone failed. [RT #19397]
4597 2572. [func] Simplify DLV configuration, with a new option
4598 "dnssec-lookaside auto;" This is the equivalent
4599 of "dnssec-lookaside . trust-anchor dlv.isc.org;"
4600 plus setting a trusted-key for dlv.isc.org.
4602 Note: The trusted key is hard-coded into named,
4603 but is also stored in (and can be overridden
4604 by) $sysconfdir/bind.keys. As the ISC DLV key
4605 rolls over it can be kept up to date by replacing
4606 the bind.keys file with a key downloaded from
4607 https://www.isc.org/solutions/dlv. [RT #18685]
4609 2571. [func] Add a new tool "arpaname" which translates IP addresses
4610 to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
4613 2570. [func] Log the destination address the query was sent to.
4616 2569. [func] Move journalprint, nsec3hash, and genrandom
4617 commands from bin/tests into bin/tools;
4618 "make install" will put them in $sbindir. [RT #19301]
4620 2568. [bug] Report when the write to indicate a otherwise
4621 successful start fails. [RT #19360]
4623 2567. [bug] dst__privstruct_writefile() could miss write errors.
4624 write_public_key() could miss write errors.
4625 dnssec-dsfromkey could miss write errors.
4628 2566. [cleanup] Clarify logged message when an insecure DNSSEC
4629 response arrives from a zone thought to be secure:
4630 "insecurity proof failed" instead of "not
4631 insecure". [RT #19400]
4633 2565. [func] Add support for HIP record. Includes new functions
4634 dns_rdata_hip_first(), dns_rdata_hip_next()
4635 and dns_rdata_hip_current(). [RT #19384]
4637 2564. [bug] Only take EDNS fallback steps when processing timeouts.
4640 2563. [bug] Dig could leak a socket causing it to wait forever
4641 to exit. [RT #19359]
4643 2562. [doc] ARM: miscellaneous improvements, reorganization,
4644 and some new content.
4646 2561. [doc] Add isc-config.sh(1) man page. [RT #16378]
4648 2560. [bug] Add #include <config.h> to iptable.c. [RT #18258]
4650 2559. [bug] dnssec-dsfromkey could compute bad DS records when
4651 reading from a K* files. [RT #19357]
4653 2558. [func] Set the ownership of missing directories created
4654 for pid-file if -u has been specified on the command
4657 2557. [cleanup] PCI compliance:
4658 * new libisc log module file
4659 * isc_dir_chroot() now also changes the working
4661 * additional INSISTs
4662 * additional logging when files can't be removed.
4664 2556. [port] Solaris: mkdir(2) on tmpfs filesystems does not do the
4665 error checks in the correct order resulting in the
4666 wrong error code sometimes being returned. [RT #19249]
4668 2555. [func] dig: when emitting a hex dump also display the
4669 corresponding characters. [RT #19258]
4671 2554. [bug] Validation of uppercase queries from NSEC3 zones could
4674 2553. [bug] Reference leak on DNSSEC validation errors. [RT #19291]
4676 2552. [bug] zero-no-soa-ttl-cache was not being honored.
4679 2551. [bug] Potential Reference leak on return. [RT #19341]
4681 2550. [bug] Check --with-openssl=<path> finds <openssl/opensslv.h>.
4684 2549. [port] linux: define NR_OPEN if not currently defined.
4687 2548. [bug] Install iterated_hash.h. [RT #19335]
4689 2547. [bug] openssl_link.c:mem_realloc() could reference an
4690 out-of-range area of the source buffer. New public
4691 function isc_mem_reallocate() was introduced to address
4692 this bug. [RT #19313]
4694 2546. [func] Add --enable-openssl-hash configure flag to use
4695 OpenSSL (in place of internal routine) for hash
4696 functions (MD5, SHA[12] and HMAC). [RT #18815]
4698 2545. [doc] ARM: Legal hostname checking (check-names) is
4699 for SRV RDATA too. [RT #19304]
4701 2544. [cleanup] Removed unused structure members in adb.c. [RT #19225]
4703 2543. [contrib] Update contrib/zkt to version 0.98. [RT #19113]
4705 2542. [doc] Update the description of dig +adflag. [RT #19290]
4707 2541. [bug] Conditionally update dispatch manager statistics.
4710 2540. [func] Add a nibble mode to $GENERATE. [RT #18872]
4712 2539. [security] Update the interaction between recursion, allow-query,
4713 allow-query-cache and allow-recursion. [RT #19198]
4715 2538. [bug] cache/ADB memory could grow over max-cache-size,
4716 especially with threads and smaller max-cache-size
4719 2537. [func] Added more statistics counters including those on socket
4720 I/O events and query RTT histograms. [RT #18802]
4722 2536. [cleanup] Silence some warnings when -Werror=format-security is
4723 specified. [RT #19083]
4725 2535. [bug] dig +showsearch and +trace interacted badly. [RT #19091]
4727 2534. [func] Check NAPTR records regular expressions and
4728 replacement strings to ensure they are syntactically
4729 valid and consistent. [RT #18168]
4731 2533. [doc] ARM: document @ (at-sign). [RT #17144]
4733 2532. [bug] dig: check the question section of the response to
4734 see if it matches the asked question. [RT #18495]
4736 2531. [bug] Change #2207 was incomplete. [RT #19098]
4738 2530. [bug] named failed to reject insecure to secure transitions
4739 via UPDATE. [RT #19101]
4741 2529. [cleanup] Upgrade libtool to silence complaints from recent
4742 version of autoconf. [RT #18657]
4744 2528. [cleanup] Silence spurious configure warning about
4745 --datarootdir [RT #19096]
4749 2526. [func] New named option "attach-cache" that allows multiple
4750 views to share a single cache to save memory and
4751 improve lookup efficiency. Based on contributed code
4752 from Barclay Osborn, Google. [RT #18905]
4754 2525. [func] New logging category "query-errors" to provide detailed
4755 internal information about query failures, especially
4756 about server failures. [RT #19027]
4758 2524. [port] sunos: dnssec-signzone needs strtoul(). [RT #19129]
4760 2523. [bug] Random type rdata freed by dns_nsec_typepresent().
4763 2522. [security] Handle -1 from DSA_do_verify() and EVP_VerifyFinal().
4765 2521. [bug] Improve epoll cross compilation support. [RT #19047]
4767 2520. [bug] Update xml statistics version number to 2.0 as change
4768 #2388 made the schema incompatible to the previous
4769 version. [RT #19080]
4771 2519. [bug] dig/host with -4 or -6 didn't work if more than two
4772 nameserver addresses of the excluded address family
4773 preceded in resolv.conf. [RT #19081]
4775 2518. [func] Add support for the new CERT types from RFC 4398.
4778 2517. [bug] dig +trace with -4 or -6 failed when it chose a
4779 nameserver address of the excluded address type.
4782 2516. [bug] glue sort for responses was performed even when not
4785 2515. [port] win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
4788 2514. [bug] dig/host failed with -4 or -6 when resolv.conf contains
4789 a nameserver of the excluded address family.
4792 2513. [bug] Fix windows cli build. [RT #19062]
4794 2512. [func] Print a summary of the cached records which make up
4795 the negative response. [RT #18885]
4797 2511. [cleanup] dns_rdata_tofmttext() add const to linebreak.
4800 2510. [bug] "dig +sigchase" could trigger REQUIRE failures.
4803 2509. [bug] Specifying a fixed query source port was broken.
4808 2507. [func] Log the recursion quota values when killing the
4809 oldest query or refusing to recurse due to quota.
4812 2506. [port] solaris: Check at configure time if
4813 hack_shutup_pthreadonceinit is needed. [RT #19037]
4815 2505. [port] Treat amd64 similarly to x86_64 when determining
4816 atomic operation support. [RT #19031]
4818 2504. [bug] Address race condition in the socket code. [RT #18899]
4820 2503. [port] linux: improve compatibility with Linux Standard
4823 2502. [cleanup] isc_radix: Improve compliance with coding style,
4824 document function in <isc/radix.h>. [RT #18534]
4826 2501. [func] $GENERATE now supports all rdata types. Multi-field
4827 rdata types need to be quoted. See the ARM for
4828 details. [RT #18368]
4830 2500. [contrib] contrib/sdb/pgsql/zonetodb.c called non-existent
4831 function. [RT #18582]
4833 2499. [port] solaris: lib/lwres/getaddrinfo.c namespace clash.
4836 --- 9.6.0rc1 released ---
4838 2498. [bug] Removed a bogus function argument used with
4839 ISC_SOCKET_USE_POLLWATCH: it could cause compiler
4840 warning or crash named with the debug 1 level
4841 of logging. [RT #18917]
4843 2497. [bug] Don't add RRSIG bit to NSEC3 bit map for insecure
4846 2496. [bug] Add sanity length checks to NSID option. [RT #18813]
4848 2495. [bug] Tighten RRSIG checks. [RT #18795]
4850 2494. [bug] isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
4851 installed. [RT #18826]
4853 2493. [bug] The linux capabilities code was not correctly cleaning
4854 up after itself. [RT #18767]
4856 2492. [func] Rndc status now reports the number of cpus discovered
4857 and the number of worker threads when running
4858 multi-threaded. [RT #18273]
4860 2491. [func] Attempt to re-use a local port if we are already using
4861 the port. [RT #18548]
4863 2490. [port] aix: work around a kernel bug where IPV6_RECVPKTINFO
4864 is cleared when IPV6_V6ONLY is set. [RT #18785]
4866 2489. [port] solaris: Workaround Solaris's kernel bug about
4868 http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
4869 Define ISC_SOCKET_USE_POLLWATCH at build time to enable
4870 this workaround. [RT #18870]
4872 2488. [func] Added a tool, dnssec-dsfromkey, to generate DS records
4873 from keyset and .key files. [RT #18694]
4875 2487. [bug] Give TCP connections longer to complete. [RT #18675]
4877 2486. [func] The default locations for named.pid and lwresd.pid
4878 are now /var/run/named/named.pid and
4879 /var/run/lwresd/lwresd.pid respectively.
4881 This allows the owner of the containing directory
4882 to be set, for "named -u" support, and allows there
4883 to be a permanent symbolic link in the path, for
4884 "named -t" support. [RT #18306]
4886 2485. [bug] Change update's the handling of obscured RRSIG
4887 records. Not all orphaned DS records were being
4888 removed. [RT #18828]
4890 2484. [bug] It was possible to trigger a REQUIRE failure when
4891 adding NSEC3 proofs to the response in
4892 query_addwildcardproof(). [RT #18828]
4894 2483. [port] win32: chroot() is not supported. [RT #18805]
4896 2482. [port] libxml2: support versions 2.7.* in addition
4897 to 2.6.*. [RT #18806]
4899 --- 9.6.0b1 released ---
4901 2481. [bug] rbtdb.c:matchparams() failed to handle NSEC3 chain
4902 collisions. [RT #18812]
4904 2480. [bug] named could fail to emit all the required NSEC3
4905 records. [RT #18812]
4907 2479. [bug] xfrout:covers was not properly initialized. [RT #18801]
4909 2478. [bug] 'addresses' could be used uninitialized in
4910 configure_forward(). [RT #18800]
4912 2477. [bug] dig: the global option to print the command line is
4913 +cmd not print_cmd. Update the output to reflect
4916 2476. [doc] ARM: improve documentation for max-journal-size and
4917 ixfr-from-differences. [RT #15909] [RT #18541]
4919 2475. [bug] LRU cache cleanup under overmem condition could purge
4920 particular entries more aggressively. [RT #17628]
4922 2474. [bug] ACL structures could be allocated with insufficient
4923 space, causing an array overrun. [RT #18765]
4925 2473. [port] linux: raise the limit on open files to the possible
4926 maximum value before spawning threads; 'files'
4927 specified in named.conf doesn't seem to work with
4928 threads as expected. [RT #18784]
4930 2472. [port] linux: check the number of available cpu's before
4931 calling chroot as it depends on "/proc". [RT #16923]
4933 2471. [bug] named-checkzone was not reporting missing mandatory
4934 glue when sibling checks were disabled. [RT #18768]
4936 2470. [bug] Elements of the isc_radix_node_t could be incorrectly
4937 overwritten. [RT #18719]
4939 2469. [port] solaris: Work around Solaris's select() limitations.
4942 2468. [bug] Resolver could try unreachable servers multiple times.
4945 2467. [bug] Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]
4947 2466. [doc] ARM: explain max-cache-ttl 0 SERVFAIL issue.
4950 2465. [bug] Adb's handling of lame addresses was different
4951 for IPv4 and IPv6. [RT #18738]
4953 2464. [port] linux: check that a capability is present before
4954 trying to set it. [RT #18135]
4956 2463. [port] linux: POSIX doesn't include the IPv6 Advanced Socket
4957 API and glibc hides parts of the IPv6 Advanced Socket
4958 API as a result. This is stupid as it breaks how the
4959 two halves (Basic and Advanced) of the IPv6 Socket API
4960 were designed to be used but we have to live with it.
4961 Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
4964 2462. [doc] Document -m (enable memory usage debugging)
4965 option for dig. [RT #18757]
4967 2461. [port] sunos: Change #2363 was not complete. [RT #17513]
4969 --- 9.6.0a1 released ---
4971 2460. [bug] Don't call dns_db_getnsec3parameters() on the cache.
4974 2459. [contrib] Import dnssec-zkt to contrib/zkt. [RT #18448]
4976 2458. [doc] ARM: update and correction for max-cache-size.
4979 2457. [tuning] max-cache-size is reverted to 0, the previous
4980 default. It should be safe because expired cache
4981 entries are also purged. [RT #18684]
4983 2456. [bug] In ACLs, ::/0 and 0.0.0.0/0 would both match any
4984 address, regardless of family. They now correctly
4985 distinguish IPv4 from IPv6. [RT #18559]
4987 2455. [bug] Stop metadata being transferred via axfr/ixfr.
4990 2454. [func] nsupdate: you can now set a default ttl. [RT #18317]
4992 2453. [bug] Remove NULL pointer dereference in dns_journal_print().
4995 2452. [func] Improve bin/test/journalprint. [RT #18316]
4997 2451. [port] solaris: handle runtime linking better. [RT #18356]
4999 2450. [doc] Fix lwresd docbook problem for manual page.
5004 2448. [func] Add NSEC3 support. [RT #15452]
5006 2447. [cleanup] libbind has been split out as a separate product.
5008 2446. [func] Add a new log message about build options on startup.
5009 A new command-line option '-V' for named is also
5010 provided to show this information. [RT #18645]
5012 2445. [doc] ARM out-of-date on empty reverse zones (list includes
5013 RFC1918 address, but these are not yet compiled in).
5016 2444. [port] Linux, FreeBSD, AIX: Turn off path mtu discovery
5017 (clear DF) for UDP responses and requests.
5019 2443. [bug] win32: UDP connect() would not generate an event,
5020 and so connected UDP sockets would never clean up.
5021 Fix this by doing an immediate WSAConnect() rather
5022 than an io completion port type for UDP.
5024 2442. [bug] A lock could be destroyed twice. [RT #18626]
5026 2441. [bug] isc_radix_insert() could copy radix tree nodes
5027 incompletely. [RT #18573]
5029 2440. [bug] named-checkconf used an incorrect test to determine
5030 if an ACL was set to none.
5032 2439. [bug] Potential NULL dereference in dns_acl_isanyornone().
5035 2438. [bug] Timeouts could be logged incorrectly under win32.
5037 2437. [bug] Sockets could be closed too early, leading to
5038 inconsistent states in the socket module. [RT #18298]
5040 2436. [security] win32: UDP client handler can be shutdown. [RT #18576]
5042 2435. [bug] Fixed an ACL memory leak affecting win32.
5044 2434. [bug] Fixed a minor error-reporting bug in
5045 lib/isc/win32/socket.c.
5047 2433. [tuning] Set initial timeout to 800ms.
5049 2432. [bug] More Windows socket handling improvements. Stop
5050 using I/O events and use IO Completion Ports
5051 throughout. Rewrite the receive path logic to make
5052 it easier to support multiple simultaneous
5053 requesters in the future. Add stricter consistency
5054 checking as a compile-time option (define
5055 ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).
5057 2431. [bug] Acl processing could leak memory. [RT #18323]
5059 2430. [bug] win32: isc_interval_set() could round down to
5060 zero if the input was less than NS_INTERVAL
5061 nanoseconds. Round up instead. [RT #18549]
5063 2429. [doc] nsupdate should be in section 1 of the man pages.
5066 2428. [bug] dns_iptable_merge() mishandled merges of negative
5069 2427. [func] Treat DNSKEY queries as if "minimal-response yes;"
5070 was set. [RT #18528]
5072 2426. [bug] libbind: inet_net_pton() can sometimes return the
5073 wrong value if excessively large net masks are
5074 supplied. [RT #18512]
5076 2425. [bug] named didn't detect unavailable query source addresses
5077 at load time. [RT #18536]
5079 2424. [port] configure now probes for a working epoll
5080 implementation. Allow the use of kqueue,
5081 epoll and /dev/poll to be selected at compile
5084 2423. [security] Randomize server selection on queries, so as to
5085 make forgery a little more difficult. Instead of
5086 always preferring the server with the lowest RTT,
5087 pick a server with RTT within the same 128
5088 millisecond band. [RT #18441]
5090 2422. [bug] Handle the special return value of a empty node as
5091 if it was a NXRRSET in the validator. [RT #18447]
5093 2421. [func] Add new command line option '-S' for named to specify
5094 the max number of sockets. [RT #18493]
5095 Use caution: this option may not work for some
5096 operating systems without rebuilding named.
5098 2420. [bug] Windows socket handling cleanup. Let the io
5099 completion event send out canceled read/write
5100 done events, which keeps us from writing to memory
5101 we no longer have ownership of. Add debugging
5102 socket_log() function. Rework TCP socket handling
5103 to not leak sockets.
5105 2419. [cleanup] Document that isc_socket_create() and isc_socket_open()
5106 should not be used for isc_sockettype_fdwatch sockets.
5109 2418. [bug] AXFR request on a DLZ could trigger a REQUIRE failure
5112 2417. [bug] Connecting UDP sockets for outgoing queries could
5113 unexpectedly fail with an 'address already in use'
5116 2416. [func] Log file descriptors that cause exceeding the
5117 internal maximum. [RT #18460]
5119 2415. [bug] 'rndc dumpdb' could trigger various assertion failures
5120 in rbtdb.c. [RT #18455]
5122 2414. [bug] A masterdump context held the database lock too long,
5123 causing various troubles such as dead lock and
5124 recursive lock acquisition. [RT #18311, #18456]
5126 2413. [bug] Fixed an unreachable code path in socket.c. [RT #18442]
5128 2412. [bug] win32: address a resource leak. [RT #18374]
5130 2411. [bug] Allow using a larger number of sockets than FD_SETSIZE
5131 for select(). To enable this, set ISC_SOCKET_MAXSOCKETS
5132 at compilation time. [RT #18433]
5134 Note: with changes #2469 and #2421 above, there is no
5135 need to tweak ISC_SOCKET_MAXSOCKETS at compilation time
5138 2410. [bug] Correctly delete m_versionInfo. [RT #18432]
5140 2409. [bug] Only log that we disabled EDNS processing if we were
5141 subsequently successful. [RT #18029]
5143 2408. [bug] A duplicate TCP dispatch event could be sent, which
5144 could then trigger an assertion failure in
5145 resquery_response(). [RT #18275]
5147 2407. [port] hpux: test for sys/dyntune.h. [RT #18421]
5151 2405. [cleanup] The default value for dnssec-validation was changed to
5152 "yes" in 9.5.0-P1 and all subsequent releases; this
5153 was inadvertently omitted from CHANGES at the time.
5155 2404. [port] hpux: files unlimited support.
5157 2403. [bug] TSIG context leak. [RT #18341]
5159 2402. [port] Support Solaris 2.11 and over. [RT #18362]
5161 2401. [bug] Expect to get E[MN]FILE errno internal_accept()
5162 (from accept() or fcntl() system calls). [RT #18358]
5164 2400. [bug] Log if kqueue()/epoll_create()/open(/dev/poll) fails.
5169 2398. [bug] Improve file descriptor management. New,
5170 temporary, named.conf option reserved-sockets,
5171 default 512. [RT #18344]
5173 2397. [bug] gssapi_functions had too many elements. [RT #18355]
5175 2396. [bug] Don't set SO_REUSEADDR for randomized ports.
5178 2395. [port] Avoid warning and no effect from "files unlimited"
5179 on Linux when running as root. [RT #18335]
5181 2394. [bug] Default configuration options set the limit for
5182 open files to 'unlimited' as described in the
5183 documentation. [RT #18331]
5185 2393. [bug] nested acls containing keys could trigger an
5186 assertion in acl.c. [RT #18166]
5188 2392. [bug] remove 'grep -q' from acl test script, some platforms
5189 don't support it. [RT #18253]
5191 2391. [port] hpux: cover additional recvmsg() error codes.
5194 2390. [bug] dispatch.c could make a false warning on 'odd socket'.
5197 2389. [bug] Move the "working directory writable" check to after
5198 the ns_os_changeuser() call. [RT #18326]
5200 2388. [bug] Avoid using tables for layout purposes in
5201 statistics XSL [RT #18159].
5203 2387. [bug] Silence compiler warnings in lib/isc/radix.c.
5204 [RT #18147] [RT #18258]
5206 2386. [func] Add warning about too small 'open files' limit.
5209 2385. [bug] A condition variable in socket.c could leak in
5210 rare error handling [RT #17968].
5212 2384. [security] Fully randomize UDP query ports to improve
5213 forgery resilience. [RT #17949, #18098]
5215 2383. [bug] named could double queries when they resulted in
5216 SERVFAIL due to overkilling EDNS0 failure detection.
5219 2382. [doc] Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
5222 2381. [port] dlz/mysql: support multiple install layouts for
5223 mysql. <prefix>/include/{,mysql/}mysql.h and
5224 <prefix>/lib/{,mysql/}. [RT #18152]
5226 2380. [bug] dns_view_find() was not returning NXDOMAIN/NXRRSET
5227 proofs which, in turn, caused validation failures
5228 for insecure zones immediately below a secure zone
5229 the server was authoritative for. [RT #18112]
5231 2379. [contrib] queryperf/gen-data-queryperf.py: removed redundant
5232 TLDs and supported RRs with TTLs [RT #17972]
5234 2378. [bug] gssapi_functions{} had a redundant member in BIND 9.5.
5237 2377. [bug] Address race condition in dnssec-signzone. [RT #18142]
5239 2376. [bug] Change #2144 was not complete.
5243 2374. [bug] "blackhole" ACLs could cause named to segfault due
5244 to some uninitialized memory. [RT #18095]
5246 2373. [bug] Default values of zone ACLs were re-parsed each time a
5247 new zone was configured, causing an overconsumption
5248 of memory. [RT #18092]
5250 2372. [bug] Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]
5252 2371. [doc] Add +nsid option to dig man page. [RT #18039]
5254 2370. [bug] "rndc freeze" could trigger an assertion in named
5255 when called on a nonexistent zone. [RT #18050]
5257 2369. [bug] libbind: Array bounds overrun on read in bitncmp().
5260 2368. [port] Linux: use libcap for capability management if
5261 possible. [RT #18026]
5263 2367. [bug] Improve counting of dns_resstatscounter_retry
5266 2366. [bug] Adb shutdown race. [RT #18021]
5268 2365. [bug] Fix a bug that caused dns_acl_isany() to return
5269 spurious results. [RT #18000]
5271 2364. [bug] named could trigger a assertion when serving a
5272 malformed signed zone. [RT #17828]
5274 2363. [port] sunos: pre-set "lt_cv_sys_max_cmd_len=4096;".
5277 2362. [cleanup] Make "rrset-order fixed" a compile-time option.
5278 settable by "./configure --enable-fixed-rrset".
5279 Disabled by default. [RT #17977]
5281 2361. [bug] "recursion" statistics counter could be counted
5282 multiple times for a single query. [RT #17990]
5284 2360. [bug] Fix a condition where we release a database version
5285 (which may acquire a lock) while holding the lock.
5287 2359. [bug] Fix NSID bug. [RT #17942]
5289 2358. [doc] Update host's default query description. [RT #17934]
5291 2357. [port] Don't use OpenSSL's engine support in versions before
5292 OpenSSL 0.9.7f. [RT #17922]
5294 2356. [bug] Built in mutex profiler was not scalable enough.
5297 2355. [func] Extend the number statistics counters available.
5300 2354. [bug] Failed to initialize some rdatasetheader_t elements.
5303 2353. [func] Add support for Name Server ID (RFC 5001).
5304 'dig +nsid' requests NSID from server.
5305 'request-nsid yes;' causes recursive server to send
5306 NSID requests to upstream servers. Server responds
5307 to NSID requests with the string configured by
5308 'server-id' option. [RT #17091]
5310 2352. [bug] Various GSS_API fixups. [RT #17729]
5312 2351. [bug] convertxsl.pl generated very long lines. [RT #17906]
5314 2350. [port] win32: IPv6 support. [RT #17797]
5316 2349. [func] Provide incremental re-signing support for secure
5317 dynamic zones. [RT #1091]
5319 2348. [func] Use the EVP interface to OpenSSL. Add PKCS#11 support.
5320 Documentation is in the new README.pkcs11 file.
5321 New tool, dnssec-keyfromlabel, which takes the
5322 label of a key pair in a HSM and constructs a DNS
5323 key pair for use by named and dnssec-signzone.
5326 2347. [bug] Delete now traverses the RB tree in the canonical
5329 2346. [func] Memory statistics now cover all active memory contexts
5330 in increased detail. [RT #17580]
5332 2345. [bug] named-checkconf failed to detect when forwarders
5333 were set at both the options/view level and in
5334 a root zone. [RT #17671]
5336 2344. [bug] Improve "logging{ file ...; };" documentation.
5339 2343. [bug] (Seemingly) duplicate IPv6 entries could be
5340 created in ADB. [RT #17837]
5342 2342. [func] Use getifaddrs() if available under Linux. [RT #17224]
5344 2341. [bug] libbind: add missing -I../include for off source
5345 tree builds. [RT #17606]
5347 2340. [port] openbsd: interface configuration. [RT #17700]
5349 2339. [port] tru64: support for libbind. [RT #17589]
5351 2338. [bug] check_ds() could be called with a non DS rdataset.
5354 2337. [bug] BUILD_LDFLAGS was not being correctly set. [RT #17614]
5356 2336. [func] If "named -6" is specified then listen on all IPv6
5357 interfaces if there are not listen-on-v6 clauses in
5358 named.conf. [RT #17581]
5360 2335. [port] sunos: libbind and *printf() support for long long.
5363 2334. [bug] Bad REQUIRES in fromstruct_in_naptr(), off by one
5364 bug in fromstruct_txt(). [RT #17609]
5366 2333. [bug] Fix off by one error in isc_time_nowplusinterval().
5369 2332. [contrib] query-loc-0.4.0. [RT #17602]
5371 2331. [bug] Failure to regenerate any signatures was not being
5372 reported nor being past back to the UPDATE client.
5375 2330. [bug] Remove potential race condition when handling
5376 over memory events. [RT #17572]
5378 WARNING: API CHANGE: over memory callback
5379 function now needs to call isc_mem_waterack().
5380 See <isc/mem.h> for details.
5382 2329. [bug] Clearer help text for dig's '-x' and '-i' options.
5384 2328. [maint] Add AAAA addresses for A.ROOT-SERVERS.NET,
5385 F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET,
5386 J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
5389 2327. [bug] It was possible to dereference a NULL pointer in
5390 rbtdb.c. Implement dead node processing in zones as
5391 we do for caches. [RT #17312]
5393 2326. [bug] It was possible to trigger a INSIST in the acache
5396 2325. [port] Linux: use capset() function if available. [RT #17557]
5398 2324. [bug] Fix IPv6 matching against "any;". [RT #17533]
5400 2323. [port] tru64: namespace clash. [RT #17547]
5402 2322. [port] MacOS: work around the limitation of setrlimit()
5403 for RLIMIT_NOFILE. [RT #17526]
5407 2320. [func] Make statistics counters thread-safe for platforms
5408 that support certain atomic operations. [RT #17466]
5410 2319. [bug] Silence Coverity warnings in
5411 lib/dns/rdata/in_1/apl_42.c. [RT #17469]
5413 2318. [port] sunos fixes for libbind. [RT #17514]
5415 2317. [bug] "make distclean" removed bind9.xsl.h. [RT #17518]
5417 2316. [port] Missing #include <isc/print.h> in lib/dns/gssapictx.c.
5420 2315. [bug] Used incorrect address family for mapped IPv4
5421 addresses in acl.c. [RT #17519]
5423 2314. [bug] Uninitialized memory use on error path in
5424 bin/named/lwdnoop.c. [RT #17476]
5426 2313. [cleanup] Silence Coverity warnings. Handle private stacks.
5427 [RT #17447] [RT #17478]
5429 2312. [cleanup] Silence Coverity warning in lib/isc/unix/socket.c.
5432 2311. [bug] IPv6 addresses could match IPv4 ACL entries and
5433 vice versa. [RT #17462]
5435 2310. [bug] dig, host, nslookup: flush stdout before emitting
5436 debug/fatal messages. [RT #17501]
5438 2309. [cleanup] Fix Coverity warnings in lib/dns/acl.c and iptable.c.
5441 2308. [cleanup] Silence Coverity warning in bin/named/controlconf.c.
5444 2307. [bug] Remove infinite loop from lib/dns/sdb.c. [RT #17496]
5446 2306. [bug] Remove potential race from lib/dns/resolver.c.
5449 2305. [security] inet_network() buffer overflow. CVE-2008-0122.
5451 2304. [bug] Check returns from all dns_rdata_tostruct() calls.
5454 2303. [bug] Remove unnecessary code from bin/named/lwdgnba.c.
5457 2302. [bug] Fix memset() calls in lib/tests/t_api.c. [RT #17472]
5459 2301. [bug] Remove resource leak and fix error messages in
5460 bin/tests/system/lwresd/lwtest.c. [RT #17474]
5462 2300. [bug] Fixed failure to close open file in
5463 bin/tests/names/t_names.c. [RT #17473]
5465 2299. [bug] Remove unnecessary NULL check in
5466 bin/nsupdate/nsupdate.c. [RT #17475]
5468 2298. [bug] isc_mutex_lock() failure not caught in
5469 bin/tests/timers/t_timers.c. [RT #17468]
5471 2297. [bug] isc_entropy_createfilesource() failure not caught in
5472 bin/tests/dst/t_dst.c. [RT #17467]
5474 2296. [port] Allow docbook stylesheet location to be specified to
5475 configure. [RT #17457]
5477 2295. [bug] Silence static overrun error in bin/named/lwaddr.c.
5480 2294. [func] Allow the experimental statistics channels to have
5481 multiple connections and ACL.
5482 Note: the stats-server and stats-server-v6 options
5483 available in the previous beta releases are replaced
5484 with the generic statistics-channels statement.
5486 2293. [func] Add ACL regression test. [RT #17375]
5488 2292. [bug] Log if the working directory is not writable.
5491 2291. [bug] PR_SET_DUMPABLE may be set too late. Also report
5492 failure to set PR_SET_DUMPABLE. [RT #17312]
5494 2290. [bug] Let AD in the query signal that the client wants AD
5495 set in the response. [RT #17301]
5497 2289. [func] named-checkzone now reports the out-of-zone CNAME
5500 2288. [port] win32: mark service as running when we have finished
5501 loading. [RT #17441]
5503 2287. [bug] Use 'volatile' if the compiler supports it. [RT #17413]
5505 2286. [func] Allow a TCP connection to be used as a weak
5506 authentication method for reverse zones.
5507 New update-policy methods tcp-self and 6to4-self.
5510 2285. [func] Test framework for client memory context management.
5513 2284. [bug] Memory leak in UPDATE prerequisite processing.
5516 2283. [bug] TSIG keys were not attaching to the memory
5517 context. TSIG keys should use the rings
5518 memory context rather than the clients memory
5519 context. [RT #17377]
5521 2282. [bug] Acl code fixups. [RT #17346] [RT #17374]
5523 2281. [bug] Attempts to use undefined acls were not being logged.
5526 2280. [func] Allow the experimental http server to be reached
5527 over IPv6 as well as IPv4. [RT #17332]
5529 2279. [bug] Use setsockopt(SO_NOSIGPIPE), when available,
5530 to protect applications from receiving spurious
5531 SIGPIPE signals when using the resolver.
5533 2278. [bug] win32: handle the case where Windows returns no
5534 search list or DNS suffix. [RT #17354]
5536 2277. [bug] Empty zone names were not correctly being caught at
5537 in the post parse checks. [RT #17357]
5539 2276. [bug] Install <dst/gssapi.h>. [RT #17359]
5541 2275. [func] Add support to dig to perform IXFR queries over UDP.
5544 2274. [func] Log zone transfer statistics. [RT #17336]
5546 2273. [bug] Adjust log level to WARNING when saving inconsistent
5547 stub/slave master and journal files. [RT #17279]
5549 2272. [bug] Handle illegal dnssec-lookaside trust-anchor names.
5552 2271. [bug] Fix a memory leak in http server code [RT #17100]
5554 2270. [bug] dns_db_closeversion() version->writer could be reset
5555 before it is tested. [RT #17290]
5557 2269. [contrib] dbus memory leaks and missing va_end calls. [RT #17232]
5559 2268. [bug] 0.IN-ADDR.ARPA was missing from the empty zones
5562 --- 9.5.0b1 released ---
5564 2267. [bug] Radix tree node_num value could be set incorrectly,
5565 causing positive ACL matches to look like negative
5568 2266. [bug] client.c:get_clientmctx() returned the same mctx
5569 once the pool of mctx's was filled. [RT #17218]
5571 2265. [bug] Test that the memory context's basic_table is non NULL
5572 before freeing. [RT #17265]
5574 2264. [bug] Server prefix length was being ignored. [RT #17308]
5576 2263. [bug] "named-checkconf -z" failed to set default value
5577 for "check-integrity". [RT #17306]
5579 2262. [bug] Error status from all but the last view could be
5582 2261. [bug] Fix memory leak with "any" and "none" ACLs [RT #17272]
5584 2260. [bug] Reported wrong clients-per-query when increasing the
5589 --- 9.5.0a7 released ---
5591 2258. [bug] Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken.
5594 2257. [bug] win32: Use the full path to vcredist_x86.exe when
5595 calling it. [RT #17222]
5597 2256. [bug] win32: Correctly register the installation location of
5598 bindevt.dll. [RT #17159]
5600 2255. [maint] L.ROOT-SERVERS.NET is now 199.7.83.42.
5602 2254. [bug] timer.c:dispatch() failed to lock timer->lock
5603 when reading timer->idle allowing it to see
5604 intermediate values as timer->idle was reset by
5605 isc_timer_touch(). [RT #17243]
5607 2253. [func] "max-cache-size" defaults to 32M.
5608 "max-acache-size" defaults to 16M.
5610 2252. [bug] Fixed errors in sortlist code [RT #17216]
5614 2250. [func] New flag 'memstatistics' to state whether the
5615 memory statistics file should be written or not.
5616 Additionally named's -m option will cause the
5617 statistics file to be written. [RT #17113]
5619 2249. [bug] Only set Authentic Data bit if client requested
5620 DNSSEC, per RFC 3655 [RT #17175]
5622 2248. [cleanup] Fix several errors reported by Coverity. [RT #17160]
5624 2247. [doc] Sort doc/misc/options. [RT #17067]
5626 2246. [bug] Make the startup of test servers (ans.pl) more
5629 2245. [bug] Validating lack of DS records at trust anchors wasn't
5630 working. [RT #17151]
5632 2244. [func] Allow the check of nameserver names against the
5633 SOA MNAME field to be disabled by specifying
5634 'notify-to-soa yes;'. [RT #17073]
5636 2243. [func] Configuration files without a newline at the end now
5637 parse without error. [RT #17120]
5639 2242. [bug] nsupdate: GSS-TSIG support using the Heimdal Kerberos
5640 library could require a source of random data.
5643 2241. [func] nsupdate: add a interactive 'help' command. [RT #17099]
5645 2240. [bug] Cleanup nsupdates GSS-TSIG support. Convert
5646 a number of INSIST()s into plain fatal() errors
5647 which report the triggering result code.
5648 The 'key' command wasn't disabling GSS-TSIG.
5651 2239. [func] Ship a pre built bin/named/bind9.xsl.h. [RT #17114]
5653 2238. [bug] It was possible to trigger a REQUIRE when a
5654 validation was canceled. [RT #17106]
5656 2237. [bug] libbind: res_init() was not thread aware. [RT #17123]
5658 2236. [bug] dnssec-signzone failed to preserve the case of
5659 of wildcard owner names. [RT #17085]
5661 2235. [bug] <isc/atomic.h> was not being installed. [RT #17135]
5663 2234. [port] Correct some compiler warnings on SCO OSr5 [RT #17134]
5665 2233. [func] Add support for O(1) ACL processing, based on
5666 radix tree code originally written by Kevin
5667 Brintnall. [RT #16288]
5669 2232. [bug] dns_adb_findaddrinfo() could fail and return
5670 ISC_R_SUCCESS. [RT #17137]
5672 2231. [bug] Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken.
5675 2230. [bug] We could INSIST reading a corrupted journal.
5678 2229. [bug] Null pointer dereference on query pool creation
5679 failure. [RT #17133]
5681 2228. [contrib] contrib: Change 2188 was incomplete.
5683 2227. [cleanup] Tidied up the FAQ. [RT #17121]
5687 2225. [bug] More support for systems with no IPv4 addresses.
5690 2224. [bug] Defer journal compaction if a xfrin is in progress.
5693 2223. [bug] Make a new journal when compacting. [RT #17119]
5695 2222. [func] named-checkconf now checks server key references.
5698 2221. [bug] Set the event result code to reflect the actual
5699 record turned to caller when a cache update is
5700 rejected due to a more credible answer existing.
5703 2220. [bug] win32: Address a race condition in final shutdown of
5704 the Windows socket code. [RT #17028]
5706 2219. [bug] Apply zone consistency checks to additions, not
5707 removals, when updating. [RT #17049]
5709 2218. [bug] Remove unnecessary REQUIRE from dns_validator_create().
5712 2217. [func] Adjust update log levels. [RT #17092]
5714 2216. [cleanup] Fix a number of errors reported by Coverity.
5717 2215. [bug] Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094]
5719 2214. [bug] Deregister OpenSSL lock callback when cleaning
5720 up. Reorder OpenSSL cleanup so that RAND_cleanup()
5721 is called before the locks are destroyed. [RT #17098]
5723 2213. [bug] SIG0 diagnostic failure messages were looking at the
5724 wrong status code. [RT #17101]
5726 2212. [func] 'host -m' now causes memory statistics and active
5727 memory to be printed at exit. [RT 17028]
5729 2211. [func] Update "dynamic update temporarily disabled" message.
5732 2210. [bug] Deleting class specific records via UPDATE could
5735 2209. [port] osx: linking against user supplied static OpenSSL
5736 libraries failed as the system ones were still being
5739 2208. [port] win32: make sure both build methods produce the
5740 same output. [RT #17058]
5742 2207. [port] Some implementations of getaddrinfo() fail to set
5743 ai_canonname correctly. [RT #17061]
5745 --- 9.5.0a6 released ---
5747 2206. [security] "allow-query-cache" and "allow-recursion" now
5748 cross inherit from each other.
5750 If allow-query-cache is not set in named.conf then
5751 allow-recursion is used if set, otherwise allow-query
5752 is used if set, otherwise the default (localnets;
5753 localhost;) is used.
5755 If allow-recursion is not set in named.conf then
5756 allow-query-cache is used if set, otherwise allow-query
5757 is used if set, otherwise the default (localnets;
5758 localhost;) is used.
5762 2205. [bug] libbind: change #2119 broke thread support. [RT #16982]
5764 2204. [bug] "rndc flushanme name unknown-view" caused named
5765 to crash. [RT #16984]
5767 2203. [security] Query id generation was cryptographically weak.
5770 2202. [security] The default acls for allow-query-cache and
5771 allow-recursion were not being applied. [RT #16960]
5773 2201. [bug] The build failed in a separate object directory.
5776 2200. [bug] The search for cached NSEC records was stopping to
5777 early leading to excessive DLV queries. [RT #16930]
5779 2199. [bug] win32: don't call WSAStartup() while loading dlls.
5782 2198. [bug] win32: RegCloseKey() could be called when
5783 RegOpenKeyEx() failed. [RT #16911]
5785 2197. [bug] Add INSIST to catch negative responses which are
5786 not setting the event result code appropriately.
5789 2196. [port] win32: yield processor while waiting for once to
5790 to complete. [RT #16958]
5792 2195. [func] dnssec-keygen now defaults to nametype "ZONE"
5793 when generating DNSKEYs. [RT #16954]
5795 2194. [bug] Close journal before calling 'done' in xfrin.c.
5797 --- 9.5.0a5 released ---
5799 2193. [port] win32: BINDInstall.exe is now linked statically.
5802 2192. [port] win32: use vcredist_x86.exe to install Visual
5803 Studio's redistributable dlls if building with
5804 Visual Stdio 2005 or later.
5806 2191. [func] named-checkzone now allows dumping to stdout (-).
5807 named-checkconf now has -h for help.
5808 named-checkzone now has -h for help.
5809 rndc now has -h for help.
5810 Better handling of '-?' for usage summaries.
5813 2190. [func] Make fallback to plain DNS from EDNS due to timeouts
5814 more visible. New logging category "edns-disabled".
5817 2189. [bug] Handle socket() returning EINTR. [RT #15949]
5819 2188. [contrib] queryperf: autoconf changes to make the search for
5820 libresolv or libbind more robust. [RT #16299]
5822 2187. [bug] query_addds(), query_addwildcardproof() and
5823 query_addnxrrsetnsec() should take a version
5824 argument. [RT #16368]
5826 2186. [port] cygwin: libbind: check for struct sockaddr_storage
5827 independently of IPv6. [RT #16482]
5829 2185. [port] sunos: libbind: check for ssize_t, memmove() and
5830 memchr(). [RT #16463]
5832 2184. [bug] bind9.xsl.h didn't build out of the source tree.
5835 2183. [bug] dnssec-signzone didn't handle offline private keys
5838 2182. [bug] dns_dispatch_createtcp() and dispatch_createudp()
5839 could return ISC_R_SUCCESS when they ran out of
5842 2181. [port] sunos: libbind: add paths.h from BIND 8. [RT #16462]
5844 2180. [cleanup] Remove bit test from 'compress_test' as they
5845 are no longer needed. [RT #16497]
5847 2179. [func] 'rndc command zone' will now find 'zone' if it is
5848 unique to all the views. [RT #16821]
5850 2178. [bug] 'rndc reload' of a slave or stub zone resulted in
5851 a reference leak. [RT #16867]
5853 2177. [bug] Array bounds overrun on read (rcodetext) at
5854 debug level 10+. [RT #16798]
5856 2176. [contrib] dbus update to handle race condition during
5857 initialization (Bugzilla 235809). [RT #16842]
5859 2175. [bug] win32: windows broadcast condition variable support
5860 was broken. [RT #16592]
5862 2174. [bug] I/O errors should always be fatal when reading
5863 master files. [RT #16825]
5865 2173. [port] win32: When compiling with MSVS 2005 SP1 we also
5866 need to ship Microsoft.VC80.MFCLOC.
5868 --- 9.5.0a4 released ---
5870 2172. [bug] query_addsoa() was being called with a non zone db.
5873 2171. [bug] Handle breaks in DNSSEC trust chains where the parent
5874 servers are not DS aware (DS queries to the parent
5875 return a referral to the child).
5877 2170. [func] Add acache processing to test suite. [RT #16711]
5879 2169. [bug] host, nslookup: when reporting NXDOMAIN report the
5880 given name and not the last name searched for.
5883 2168. [bug] nsupdate: in non-interactive mode treat syntax errors
5884 as fatal errors. [RT #16785]
5886 2167. [bug] When re-using a automatic zone named failed to
5887 attach it to the new view. [RT #16786]
5889 --- 9.5.0a3 released ---
5891 2166. [bug] When running in batch mode, dig could misinterpret
5892 a server address as a name to be looked up, causing
5893 unexpected output. [RT #16743]
5895 2165. [func] Allow the destination address of a query to determine
5896 if we will answer the query or recurse.
5897 allow-query-on, allow-recursion-on and
5898 allow-query-cache-on. [RT #16291]
5900 2164. [bug] The code to determine how named-checkzone /
5901 named-compilezone was called failed under windows.
5904 2163. [bug] If only one of query-source and query-source-v6
5905 specified a port the query pools code broke (change
5908 2162. [func] Allow "rrset-order fixed" to be disabled at compile
5911 2161. [bug] Fix which log messages are emitted for 'rndc flush'.
5914 2160. [bug] libisc wasn't handling NULL ifa_addr pointers returned
5915 from getifaddrs(). [RT #16708]
5917 --- 9.5.0a2 released ---
5919 2159. [bug] Array bounds overrun in acache processing. [RT #16710]
5921 2158. [bug] ns_client_isself() failed to initialize key
5922 leading to a REQUIRE failure. [RT #16688]
5924 2157. [func] dns_db_transfernode() created. [RT #16685]
5926 2156. [bug] Fix node reference leaks in lookup.c:lookup_find(),
5927 resolver.c:validated() and resolver.c:cache_name().
5928 Fix a memory leak in rbtdb.c:free_noqname().
5929 Make lookup.c:lookup_find() robust against
5930 event leaks. [RT #16685]
5932 2155. [contrib] SQLite sdb module from jaboydjr@netwalk.com.
5935 2154. [func] Scoped (e.g. IPv6 link-local) addresses may now be
5936 matched in acls by omitting the scope. [RT #16599]
5938 2153. [bug] nsupdate could leak memory. [RT #16691]
5940 2152. [cleanup] Use sizeof(buf) instead of fixed number in
5941 dighost.c:get_trusted_key(). [RT #16678]
5943 2151. [bug] Missing newline in usage message for journalprint.
5946 2150. [bug] 'rrset-order cyclic' uniformly distribute the
5947 starting point for the first response for a given
5950 2149. [bug] isc_mem_checkdestroyed() failed to abort on
5951 if there were still active memory contexts.
5954 2148. [func] Add positive logging for rndc commands. [RT #14623]
5956 2147. [bug] libbind: remove potential buffer overflow from
5957 hmac_link.c. [RT #16437]
5959 2146. [cleanup] Silence Linux's spurious "obsolete setsockopt
5960 SO_BSDCOMPAT" message. [RT #16641]
5962 2145. [bug] Check DS/DLV digest lengths for known digests.
5965 2144. [cleanup] Suppress logging of SERVFAIL from forwarders.
5968 2143. [bug] We failed to restart the IPv6 client when the
5969 kernel failed to return the destination the
5970 packet was sent to. [RT #16613]
5972 2142. [bug] Handle master files with a modification time that
5973 matches the epoch. [RT #16612]
5975 2141. [bug] dig/host should not be setting IDN_ASCCHECK (IDN
5976 equivalent of LDH checks). [RT #16609]
5978 2140. [bug] libbind: missing unlock on pthread_key_create()
5979 failures. [RT #16654]
5981 2139. [bug] dns_view_find() was being called with wrong type
5982 in adb.c. [RT #16670]
5984 2138. [bug] Lock order reversal in resolver.c. [RT #16653]
5986 2137. [port] Mips little endian and/or mips 64 bit are now
5987 supported for atomic operations. [RT #16648]
5989 2136. [bug] nslookup/host looped if there was no search list
5990 and the host didn't exist. [RT #16657]
5992 2135. [bug] Uninitialized rdataset in sdlz.c. [RT #16656]
5994 2134. [func] Additional statistics support. [RT #16666]
5996 2133. [port] powerpc: Support both IBM and MacOS Power PC
5997 assembler syntaxes. [RT #16647]
5999 2132. [bug] Missing unlock on out of memory in
6000 dns_dispatchmgr_setudp().
6002 2131. [contrib] dlz/mysql: AXFR was broken. [RT #16630]
6004 2130. [func] Log if CD or DO were set. [RT #16640]
6006 2129. [func] Provide a pool of UDP sockets for queries to be
6007 made over. See use-queryport-pool, queryport-pool-ports
6008 and queryport-pool-updateinterval. [RT #16415]
6010 2128. [doc] xsltproc --nonet, update DTD versions. [RT #16635]
6012 2127. [port] Improved OpenSSL 0.9.8 support. [RT #16563]
6014 2126. [security] Serialize validation of type ANY responses. [RT #16555]
6016 2125. [bug] dns_zone_getzeronosoattl() REQUIRE failure if DLZ
6017 was defined. [RT #16574]
6019 2124. [security] It was possible to dereference a freed fetch
6020 context. [RT #16584]
6022 --- 9.5.0a1 released ---
6024 2123. [func] Use Doxygen to generate internal documentation.
6027 2122. [func] Experimental http server and statistics support
6030 2121. [func] Add a 10 slot dead masters cache (LRU) with a 600
6031 second timeout. [RT #16553]
6033 2120. [doc] Fix markup on nsupdate man page. [RT #16556]
6035 2119. [compat] libbind: allow res_init() to succeed enough to
6036 return the default domain even if it was unable
6039 2118. [bug] Handle response with long chains of domain name
6040 compression pointers which point to other compression
6041 pointers. [RT #16427]
6043 2117. [bug] DNSSEC fixes: named could fail to cache NSEC records
6044 which could lead to validation failures. named didn't
6045 handle negative DS responses that were in the process
6046 of being validated. Check CNAME bit before accepting
6047 NODATA proof. To be able to ignore a child NSEC there
6048 must be SOA (and NS) set in the bitmap. [RT #16399]
6050 2116. [bug] 'rndc reload' could cause the cache to continually
6051 be cleaned. [RT #16401]
6053 2115. [bug] 'rndc reconfig' could trigger a INSIST if the
6054 number of masters for a zone was reduced. [RT #16444]
6056 2114. [bug] dig/host/nslookup: searches for names with multiple
6057 labels were failing. [RT #16447]
6059 2113. [bug] nsupdate: if a zone is specified it should be used
6060 for server discover. [RT #16455]
6062 2112. [security] Warn if weak RSA exponent is used. [RT #16460]
6064 2111. [bug] Fix a number of errors reported by Coverity.
6067 2110. [bug] "minimal-responses yes;" interacted badly with BIND 8
6068 priming queries. [RT #16491]
6070 2109. [port] libbind: silence aix 5.3 compiler warnings. [RT #16502]
6072 2108. [func] DHCID support. [RT #16456]
6074 2107. [bug] dighost.c: more cleanup of buffers. [RT #16499]
6076 2106. [func] 'rndc status' now reports named's version. [RT #16426]
6078 2105. [func] GSS-TSIG support (RFC 3645).
6080 2104. [port] Fix Solaris SMF error message.
6082 2103. [port] Add /usr/sfw to list of locations for OpenSSL
6085 2102. [port] Silence Solaris 10 warnings.
6087 2101. [bug] OpenSSL version checks were not quite right.
6090 2100. [port] win32: copy libeay32.dll to Build\Debug.
6091 Copy Debug\named-checkzone to Debug\named-compilezone.
6093 2099. [port] win32: more manifest issues.
6095 2098. [bug] Race in rbtdb.c:no_references(), which occasionally
6096 triggered an INSIST failure about the node lock
6097 reference. [RT #16411]
6099 2097. [bug] named could reference a destroyed memory context
6100 after being reloaded / reconfigured. [RT #16428]
6102 2096. [bug] libbind: handle applications that fail to detect
6103 res_init() failures better.
6105 2095. [port] libbind: alway prototype inet_cidr_ntop_ipv6() and
6106 net_cidr_ntop_ipv6(). [RT #16388]
6108 2094. [contrib] Update named-bootconf. [RT #16404]
6110 2093. [bug] named-checkzone -s was broken.
6112 2092. [bug] win32: dig, host, nslookup. Use registry config
6113 if resolv.conf does not exist or no nameservers
6116 2091. [port] dighost.c: race condition on cleanup. [RT #16417]
6118 2090. [port] win32: Visual C++ 2005 command line manifest support.
6121 2089. [security] Raise the minimum safe OpenSSL versions to
6122 OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions
6123 prior to these have known security flaws which
6124 are (potentially) exploitable in named. [RT #16391]
6126 2088. [security] Change the default RSA exponent from 3 to 65537.
6129 2087. [port] libisc failed to compile on OS's w/o a vsnprintf.
6132 2086. [port] libbind: FreeBSD now has get*by*_r() functions.
6135 2085. [doc] win32: added index.html and README to zip. [RT #16201]
6137 2084. [contrib] dbus update for 9.3.3rc2.
6139 2083. [port] win32: Visual C++ 2005 support.
6141 2082. [doc] Document 'cache-file' as a test only option.
6143 2081. [port] libbind: minor 64-bit portability fix in memcluster.c.
6146 2080. [port] libbind: res_init.c did not compile on older versions
6147 of Solaris. [RT #16363]
6149 2079. [bug] The lame cache was not handling multiple types
6150 correctly. [RT #16361]
6152 2078. [bug] dnssec-checkzone output style "default" was badly
6153 named. It is now called "relative". [RT #16326]
6155 2077. [bug] 'dnssec-signzone -O raw' wasn't outputting the
6156 complete signed zone. [RT #16326]
6158 2076. [bug] Several files were missing #include <config.h>
6159 causing build failures on OSF. [RT #16341]
6161 2075. [bug] The spillat timer event hander could leak memory.
6164 2074. [bug] dns_request_createvia2(), dns_request_createvia3(),
6165 dns_request_createraw2() and dns_request_createraw3()
6166 failed to send multiple UDP requests. [RT #16349]
6168 2073. [bug] Incorrect semantics check for update policy "wildcard".
6171 2072. [bug] We were not generating valid HMAC SHA digests.
6174 2071. [port] Test whether gcc accepts -fno-strict-aliasing.
6177 2070. [bug] The remote address was not always displayed when
6178 reporting dispatch failures. [RT #16315]
6180 2069. [bug] Cross compiling was not working. [RT #16330]
6182 2068. [cleanup] Lower incremental tuning message to debug 1.
6185 2067. [bug] 'rndc' could close the socket too early triggering
6186 a INSIST under Windows. [RT #16317]
6188 2066. [security] Handle SIG queries gracefully. [RT #16300]
6190 2065. [bug] libbind: probe for HPUX prototypes for
6191 endprotoent_r() and endservent_r(). [RT 16313]
6193 2064. [bug] libbind: silence AIX compiler warnings. [RT #16218]
6195 2063. [bug] Change #1955 introduced a bug which caused the first
6196 'rndc flush' call to not free memory. [RT #16244]
6198 2062. [bug] 'dig +nssearch' was reusing a buffer before it had
6199 been returned by the socket code. [RT #16307]
6201 2061. [bug] Accept expired wildcard message reversed. [RT #16296]
6203 2060. [bug] Enabling DLZ support could leave views partially
6204 configured. [RT #16295]
6206 2059. [bug] Search into cache rbtdb could trigger an INSIST
6207 failure while cleaning up a stale rdataset.
6210 2058. [bug] Adjust how we calculate rtt estimates in the presence
6211 of authoritative servers that drop EDNS and/or CD
6212 requests. Also fallback to EDNS/512 and plain DNS
6213 faster for zones with less than 3 servers. [RT #16187]
6215 2057. [bug] Make setting "ra" dependent on both allow-query-cache
6216 and allow-recursion. [RT #16290]
6218 2056. [bug] dig: ixfr= was not being treated case insensitively
6219 at all times. [RT #15955]
6221 2055. [bug] Missing goto after dropping multicast query.
6224 2054. [port] freebsd: do not explicitly link against -lpthread.
6227 2053. [port] netbsd:libbind: silence compiler warnings. [RT #16220]
6229 2052. [bug] 'rndc' improve connect failed message to report
6230 the failing address. [RT #15978]
6232 2051. [port] More strtol() fixes. [RT #16249]
6234 2050. [bug] Parsing of NSAP records was not case insensitive.
6237 2049. [bug] Restore SOA before AXFR when falling back from
6238 a attempted IXFR when transferring in a zone.
6239 Allow a initial SOA query before attempting
6240 a AXFR to be requested. [RT #16156]
6242 2048. [bug] It was possible to loop forever when using
6243 avoid-v4-udp-ports / avoid-v6-udp-ports when
6244 the OS always returned the same local port.
6247 2047. [bug] Failed to initialize the interface flags to zero.
6250 2046. [bug] rbtdb.c:rdataset_setadditional() could cause duplicate
6251 cleanup [RT #16247].
6253 2045. [func] Use lock buckets for acache entries to limit memory
6254 consumption. [RT #16183]
6256 2044. [port] Add support for atomic operations for Itanium.
6259 2043. [port] nsupdate/nslookup: Force the flushing of the prompt
6260 for interactive sessions. [RT #16148]
6262 2042. [bug] named-checkconf was incorrectly rejecting the
6263 logging category "config". [RT #16117]
6265 2041. [bug] "configure --with-dlz-bdb=yes" produced a bad
6266 set of libraries to be linked. [RT #16129]
6268 2040. [bug] rbtdb no_references() could trigger an INSIST
6269 failure with --enable-atomic. [RT #16022]
6271 2039. [func] Check that all buffers passed to the socket code
6272 have been retrieved when the socket event is freed.
6275 2038. [bug] dig/nslookup/host was unlinking from wrong list
6276 when handling errors. [RT #16122]
6278 2037. [func] When unlinking the first or last element in a list
6279 check that the list head points to the element to
6280 be unlinked. [RT #15959]
6282 2036. [bug] 'rndc recursing' could cause trigger a REQUIRE.
6285 2035. [func] Make falling back to TCP on UDP refresh failure
6286 optional. Default "try-tcp-refresh yes;" for BIND 8
6287 compatibility. [RT #16123]
6289 2034. [bug] gcc: set -fno-strict-aliasing. [RT #16124]
6291 2033. [bug] We weren't creating multiple client memory contexts
6292 on demand as expected. [RT #16095]
6294 2032. [bug] Remove a INSIST in query_addadditional2(). [RT #16074]
6296 2031. [bug] Emit a error message when "rndc refresh" is called on
6297 a non slave/stub zone. [RT # 16073]
6299 2030. [bug] We were being overly conservative when disabling
6300 openssl engine support. [RT #16030]
6302 2029. [bug] host printed out the server multiple times when
6303 specified on the command line. [RT #15992]
6305 2028. [port] linux: socket.c compatibility for old systems.
6308 2027. [port] libbind: Solaris x86 support. [RT #16020]
6310 2026. [bug] Rate limit the two recursive client exceeded messages.
6313 2025. [func] Update "zone serial unchanged" message. [RT #16026]
6315 2024. [bug] named emitted spurious "zone serial unchanged"
6316 messages on reload. [RT #16027]
6318 2023. [bug] "make install" should create ${localstatedir}/run and
6319 ${sysconfdir} if they do not exist. [RT #16033]
6321 2022. [bug] If dnssec validation is disabled only assert CD if
6322 CD was requested. [RT #16037]
6324 2021. [bug] dnssec-enable no; triggered a REQUIRE. [RT #16037]
6326 2020. [bug] rdataset_setadditional() could leak memory. [RT #16034]
6328 2019. [tuning] Reduce the amount of work performed per quantum
6329 when cleaning the cache. [RT #15986]
6331 2018. [bug] Checking if the HMAC MD5 private file was broken.
6334 2017. [bug] allow-query default was not correct. [RT #15946]
6336 2016. [bug] Return a partial answer if recursion is not
6337 allowed but requested and we had the answer
6338 to the original qname. [RT #15945]
6340 2015. [cleanup] use-additional-cache is now acache-enable for
6341 consistency. Default acache-enable off in BIND 9.4
6342 as it requires memory usage to be configured.
6343 It may be enabled by default in BIND 9.5 once we
6344 have more experience with it.
6346 2014. [func] Statistics about acache now recorded and sent
6349 2013. [bug] Handle unexpected TSIGs on unsigned AXFR/IXFR
6350 responses more gracefully. [RT #15941]
6352 2012. [func] Don't insert new acache entries if acache is full.
6355 2011. [func] dnssec-signzone can now update the SOA record of
6356 the signed zone, either as an increment or as the
6357 system time(). [RT #15633]
6359 2010. [placeholder] rt15958
6361 2009. [bug] libbind: Coverity fixes. [RT #15808]
6363 2008. [func] It is now possible to enable/disable DNSSEC
6364 validation from rndc. This is useful for the
6365 mobile hosts where the current connection point
6366 breaks DNSSEC (firewall/proxy). [RT #15592]
6368 rndc validation newstate [view]
6370 2007. [func] It is now possible to explicitly enable DNSSEC
6371 validation. default dnssec-validation no; to
6372 be changed to yes in 9.5.0. [RT #15674]
6374 2006. [security] Allow-query-cache and allow-recursion now default
6375 to the built in acls "localnets" and "localhost".
6377 This is being done to make caching servers less
6378 attractive as reflective amplifying targets for
6379 spoofed traffic. This still leave authoritative
6382 The best fix is for full BCP 38 deployment to
6383 remove spoofed traffic.
6385 2005. [bug] libbind: Retransmission timeouts should be
6386 based on which attempt it is to the nameserver
6387 and not the nameserver itself. [RT #13548]
6389 2004. [bug] dns_tsig_sign() could pass a NULL pointer to
6390 dst_context_destroy() when cleaning up after a
6393 2003. [bug] libbind: The DNS name/address lookup functions could
6394 occasionally follow a random pointer due to
6395 structures not being completely zeroed. [RT #15806]
6397 2002. [bug] libbind: tighten the constraints on when
6398 struct addrinfo._ai_pad exists. [RT #15783]
6400 2001. [func] Check the KSK flag when updating a secure dynamic zone.
6401 New zone option "update-check-ksk yes;". [RT #15817]
6403 2000. [bug] memmove()/strtol() fix was incomplete. [RT #15812]
6405 1999. [func] Implement "rrset-order fixed". [RT #13662]
6407 1998. [bug] Restrict handling of fifos as sockets to just SunOS.
6408 This allows named to connect to entropy gathering
6409 daemons that use fifos instead of sockets. [RT #15840]
6411 1997. [bug] Named was failing to replace negative cache entries
6412 when a positive one for the type was learnt.
6415 1996. [bug] nsupdate: if a zone has been specified it should
6416 appear in the output of 'show'. [RT #15797]
6418 1995. [bug] 'host' was reporting multiple "is an alias" messages.
6421 1994. [port] OpenSSL 0.9.8 support. [RT #15694]
6423 1993. [bug] Log messages, via syslog, were missing the space
6424 after the timestamp if "print-time yes" was specified.
6427 1992. [bug] Not all incoming zone transfer messages included the
6430 1991. [cleanup] The configuration data, once read, should be treated
6431 as read only. Expand the use of const to enforce this
6432 at compile time. [RT #15813]
6434 1990. [bug] libbind: isc's override of broken gettimeofday()
6435 implementations was not always effective.
6438 1989. [bug] win32: don't check the service password when
6439 re-installing. [RT #15882]
6441 1988. [bug] Remove a bus error from the SHA256/SHA512 support.
6444 1987. [func] DS/DLV SHA256 digest algorithm support. [RT #15608]
6446 1986. [func] Report when a zone is removed. [RT #15849]
6448 1985. [protocol] DLV has now been assigned a official type code of
6451 Note: care should be taken to ensure you upgrade
6452 both named and dnssec-signzone at the same time for
6453 zones with DLV records where named is the master
6454 server for the zone. Also any zones that contain
6455 DLV records should be removed when upgrading a slave
6456 zone. You do not however have to upgrade all
6457 servers for a zone with DLV records simultaneously.
6459 1984. [func] dig, nslookup and host now advertise a 4096 byte
6460 EDNS UDP buffer size by default. [RT #15855]
6462 1983. [func] Two new update policies. "selfsub" and "selfwild".
6465 1982. [bug] DNSKEY was being accepted on the parent side of
6466 a delegation. KEY is still accepted there for
6467 RFC 3007 validated updates. [RT #15620]
6469 1981. [bug] win32: condition.c:wait() could fail to reattain
6472 1980. [func] dnssec-signzone: output the SOA record as the
6473 first record in the signed zone. [RT #15758]
6475 1979. [port] linux: allow named to drop core after changing
6476 user ids. [RT #15753]
6478 1978. [port] Handle systems which have a broken recvmsg().
6481 1977. [bug] Silence noisy log message. [RT #15704]
6483 1976. [bug] Handle systems with no IPv4 addresses. [RT #15695]
6485 1975. [bug] libbind: isc_gethexstring() could misparse multi-line
6486 hex strings with comments. [RT #15814]
6488 1974. [doc] List each of the zone types and associated zone
6489 options separately in the ARM.
6491 1973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
6492 HMACSHA512 support. [RT #13606]
6494 1972. [contrib] DBUS dynamic forwarders integration from
6495 Jason Vas Dias <jvdias@redhat.com>.
6497 1971. [port] linux: make detection of missing IF_NAMESIZE more
6500 1970. [bug] nsupdate: adjust UDP timeout when falling back to
6501 unsigned SOA query. [RT #15775]
6503 1969. [bug] win32: the socket code was freeing the socket
6504 structure too early. [RT #15776]
6506 1968. [bug] Missing lock in resolver.c:validated(). [RT #15739]
6508 1967. [func] dig/nslookup/host: warn about missing "QR". [RT #15779]
6510 1966. [bug] Don't set CD when we have fallen back to plain DNS.
6513 1965. [func] Suppress spurious "recursion requested but not
6514 available" warning with 'dig +qr'. [RT #15780].
6516 1964. [func] Separate out MX and SRV to CNAME checks. [RT #15723]
6518 1963. [port] Tru64 4.0E doesn't support send() and recv().
6521 1962. [bug] Named failed to clear old update-policy when it
6522 was removed. [RT #15491]
6524 1961. [bug] Check the port and address of responses forwarded
6525 to dispatch. [RT #15474]
6527 1960. [bug] Update code should set NSEC ttls from SOA MINIMUM.
6530 1959. [func] Control the zeroing of the negative response TTL to
6531 a soa query. Defaults "zero-no-soa-ttl yes;" and
6532 "zero-no-soa-ttl-cache no;". [RT #15460]
6534 1958. [bug] Named failed to update the zone's secure state
6535 until the zone was reloaded. [RT #15412]
6537 1957. [bug] Dig mishandled responses to class ANY queries.
6540 1956. [bug] Improve cross compile support, 'gen' is now built
6541 by native compiler. See README for additional
6542 cross compile support information. [RT #15148]
6544 1955. [bug] Pre-allocate the cache cleaning iterator. [RT #14998]
6546 1954. [func] Named now falls back to advertising EDNS with a
6547 512 byte receive buffer if the initial EDNS queries
6550 1953. [func] The maximum EDNS UDP response named will send can
6551 now be set in named.conf (max-udp-size). This is
6552 independent of the advertised receive buffer
6553 (edns-udp-size). [RT #14852]
6555 1952. [port] hpux: tell the linker to build a runtime link
6556 path "-Wl,+b:". [RT #14816].
6558 1951. [security] Drop queries from particular well known ports.
6559 Don't return FORMERR to queries from particular
6560 well known ports. [RT #15636]
6562 1950. [port] Solaris 2.5.1 and earlier cannot bind() then connect()
6563 a TCP socket. This prevents the source address being
6564 set for TCP connections. [RT #15628]
6566 1949. [func] Addition memory leakage checks. [RT #15544]
6568 1948. [bug] If was possible to trigger a REQUIRE failure in
6569 xfrin.c:maybe_free() if named ran out of memory.
6572 1947. [func] It is now possible to configure named to accept
6573 expired RRSIGs. Default "dnssec-accept-expired no;".
6574 Setting "dnssec-accept-expired yes;" leaves named
6575 vulnerable to replay attacks. [RT #14685]
6577 1946. [bug] resume_dslookup() could trigger a REQUIRE failure
6578 when using forwarders. [RT #15549]
6580 1945. [cleanup] dnssec-keygen: RSA (RSAMD5) is no longer recommended.
6581 To generate a RSAMD5 key you must explicitly request
6584 1944. [cleanup] isc_hash_create() does not need a read/write lock.
6587 1943. [bug] Set the loadtime after rolling forward the journal.
6590 1942. [bug] If the name of a DNSKEY match that of one in
6591 trusted-keys do not attempt to validate the DNSKEY
6592 using the parents DS RRset. [RT #15649]
6594 1941. [bug] ncache_adderesult() should set eresult even if no
6595 rdataset is passed to it. [RT #15642]
6597 1940. [bug] Fixed a number of error conditions reported by
6600 1939. [bug] The resolver could dereference a null pointer after
6601 validation if all the queries have timed out.
6604 1938. [bug] The validator was not correctly handling unsecure
6605 negative responses at or below a SEP. [RT #15528]
6607 1937. [bug] sdlz doesn't handle RRSIG records. [RT #15564]
6609 1936. [bug] The validator could leak memory. [RT #15544]
6611 1935. [bug] 'acache' was DO sensitive. [RT #15430]
6613 1934. [func] Validate pending NS RRsets, in the authority section,
6614 prior to returning them if it can be done without
6615 requiring DNSKEYs to be fetched. [RT #15430]
6617 1933. [bug] dump_rdataset_raw() had a incorrect INSIST. [RT #15534]
6619 1932. [bug] hpux: LDFLAGS was getting corrupted. [RT #15530]
6621 1931. [bug] Per-client mctx could require a huge amount of memory,
6622 particularly for a busy caching server. [RT #15519]
6624 1930. [port] HPUX: ia64 support. [RT #15473]
6626 1929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
6628 1928. [bug] Race in rbtdb.c:currentversion(). [RT #15517]
6630 1927. [bug] Access to soanode or nsnode in rbtdb violated the
6631 lock order rule and could cause a dead lock.
6634 1926. [bug] The Windows installer did not check for empty
6635 passwords. BINDinstall was being installed in
6636 the wrong place. [RT #15483]
6638 1925. [port] All outer level AC_TRY_RUNs need cross compiling
6639 defaults. [RT #15469]
6641 1924. [port] libbind: hpux ia64 support. [RT #15473]
6643 1923. [bug] ns_client_detach() called too early. [RT #15499]
6645 1922. [bug] check-tool.c:setup_logging() missing call to
6646 dns_log_setcontext().
6648 1921. [bug] Client memory contexts were not using internal
6651 1920. [bug] The cache rbtdb lock array was too small to
6652 have the desired performance characteristics.
6655 1919. [contrib] queryperf: a set of new features: collecting/printing
6656 response delays, printing intermediate results, and
6657 adjusting query rate for the "target" qps.
6659 1918. [bug] Memory leak when checking acls. [RT #15391]
6661 1917. [doc] funcsynopsisinfo wasn't being treated as verbatim
6662 when generating man pages. [RT #15385]
6664 1916. [func] Integrate contributed IDN code from JPNIC. [RT #15383]
6666 1915. [bug] dig +ndots was broken. [RT #15215]
6668 1914. [protocol] DS is required to accept mnemonic algorithms
6669 (RFC 4034). Still emit numeric algorithms for
6670 compatibility with RFC 3658. [RT #15354]
6672 1913. [func] Integrate contributed DLZ code into named. [RT #11382]
6674 1912. [port] aix: atomic locking for powerpc. [RT #15020]
6676 1911. [bug] Update windows socket code. [RT #14965]
6678 1910. [bug] dig's +sigchase code overhauled. [RT #14933]
6680 1909. [bug] The DLV code has been re-worked to make no longer
6681 query order sensitive. [RT #14933]
6683 1908. [func] dig now warns if 'RA' is not set in the answer when
6684 'RD' was set in the query. host/nslookup skip servers
6685 that fail to set 'RA' when 'RD' is set unless a server
6686 is explicitly set. [RT #15005]
6688 1907. [func] host/nslookup now continue (default)/fail on SERVFAIL.
6691 1906. [func] dig now has a '-q queryname' and '+showsearch' options.
6694 1905. [bug] Strings returned from cfg_obj_asstring() should be
6695 treated as read-only. The prototype for
6696 cfg_obj_asstring() has been updated to reflect this.
6699 1904. [func] Automatic empty zone creation for D.F.IP6.ARPA and
6700 friends. Note: RFC 1918 zones are not yet covered by
6701 this but are likely to be in a future release.
6703 New options: empty-server, empty-contact,
6704 empty-zones-enable and disable-empty-zone.
6706 1903. [func] ISC string copy API.
6708 1902. [func] Attempt to make the amount of work performed in a
6709 iteration self tuning. The covers nodes clean from
6710 the cache per iteration, nodes written to disk when
6711 rewriting a master file and nodes destroyed per
6712 iteration when destroying a zone or a cache.
6715 1901. [cleanup] Don't add DNSKEY records to the additional section.
6717 1900. [bug] ixfr-from-differences failed to ensure that the
6718 serial number increased. [RT #15036]
6720 1899. [func] named-checkconf now validates update-policy entries.
6723 1898. [bug] Extend ISC_SOCKADDR_FORMATSIZE and
6724 ISC_NETADDR_FORMATSIZE to allow for scope details.
6726 1897. [func] x86 and x86_64 now have separate atomic locking
6729 1896. [bug] Recursive clients soft quota support wasn't working
6730 as expected. [RT #15103]
6732 1895. [bug] A escaped character is, potentially, converted to
6733 the output character set too early. [RT #14666]
6735 1894. [doc] Review ARM for BIND 9.4.
6737 1893. [port] Use uintptr_t if available. [RT #14606]
6739 1892. [func] Support for SPF rdata type. [RT #15033]
6741 1891. [port] freebsd: pthread_mutex_init can fail if it runs out
6742 of memory. [RT #14995]
6744 1890. [func] Raise the UDP receive buffer size to 32k if it is
6745 less than 32k. [RT #14953]
6747 1889. [port] sunos: non blocking i/o support. [RT #14951]
6749 1888. [func] Support for IPSECKEY rdata type. [RT #14967]
6751 1887. [bug] The cache could delete expired records too fast for
6752 clients with a virtual time in the past. [RT #14991]
6754 1886. [bug] fctx_create() could return success even though it
6757 1885. [func] dig: report the number of extra bytes still left in
6758 the packet after processing all the records.
6760 1884. [cleanup] dighost.c: move external declarations into <dig/dig.h>.
6762 1883. [bug] dnssec-signzone, dnssec-keygen: handle negative debug
6765 1882. [func] Limit the number of recursive clients that can be
6766 waiting for a single query (<qname,qtype,qclass>) to
6767 resolve. New options clients-per-query and
6768 max-clients-per-query.
6770 1881. [func] Add a system test for named-checkconf. [RT #14931]
6772 1880. [func] The lame cache is now done on a <qname,qclass,qtype>
6773 basis as some servers only appear to be lame for
6774 certain query types. [RT #14916]
6776 1879. [func] "USE INTERNAL MALLOC" is now runtime selectable.
6779 1878. [func] Detect duplicates of UDP queries we are recursing on
6780 and drop them. New stats category "duplicate".
6783 1877. [bug] Fix unreasonably low quantum on call to
6784 dns_rbt_destroy2(). Remove unnecessary unhash_node()
6787 1876. [func] Additional memory debugging support to track size
6788 and mctx arguments. [RT #14814]
6790 1875. [bug] process_dhtkey() was using the wrong memory context
6791 to free some memory. [RT #14890]
6793 1874. [port] sunos: portability fixes. [RT #14814]
6795 1873. [port] win32: isc__errno2result() now reports its caller.
6798 1872. [port] win32: Handle ERROR_NETNAME_DELETED. [RT #13753]
6802 1870. [func] Added framework for handling multiple EDNS versions.
6805 1869. [func] dig can now specify the EDNS version when making
6806 a query. [RT #14873]
6808 1868. [func] edns-udp-size can now be overridden on a per
6809 server basis. [RT #14851]
6811 1867. [bug] It was possible to trigger a INSIST in
6812 dlv_validatezonekey(). [RT #14846]
6814 1866. [bug] resolv.conf parse errors were being ignored by
6815 dig/host/nslookup. [RT #14841]
6817 1865. [bug] Silently ignore nameservers in /etc/resolv.conf with
6818 bad addresses. [RT #14841]
6820 1864. [bug] Don't try the alternative transfer source if you
6821 got a answer / transfer with the main source
6822 address. [RT #14802]
6824 1863. [bug] rrset-order "fixed" error messages not complete.
6826 1862. [func] Add additional zone data constancy checks.
6827 named-checkzone has extended checking of NS, MX and
6828 SRV record and the hosts they reference.
6829 named has extended post zone load checks.
6830 New zone options: check-mx and integrity-check.
6833 1861. [bug] dig could trigger a INSIST on certain malformed
6834 responses. [RT #14801]
6836 1860. [port] solaris 2.8: hack_shutup_pthreadmutexinit was
6837 incorrectly set. [RT #14775]
6839 1859. [func] Add support for CH A record. [RT #14695]
6841 1858. [bug] The flush-zones-on-shutdown option wasn't being
6844 1857. [bug] named could trigger a INSIST() if reconfigured /
6845 reloaded too fast. [RT #14673]
6847 1856. [doc] Switch Docbook toolchain from DSSSL to XSL.
6850 1855. [bug] ixfr-from-differences was failing to detect changes
6851 of ttl due to dns_diff_subtract() was ignoring the ttl
6852 of records. [RT #14616]
6854 1854. [bug] lwres also needs to know the print format for
6855 (long long). [RT #13754]
6857 1853. [bug] Rework how DLV interacts with proveunsecure().
6860 1852. [cleanup] Remove last vestiges of dnssec-signkey and
6861 dnssec-makekeyset (removed from Makefile years ago).
6863 1851. [doc] Doxygen comment markup. [RT #11398]
6865 1850. [bug] Memory leak in lwres_getipnodebyaddr(). [RT #14591]
6867 1849. [doc] All forms of the man pages (docbook, man, html) should
6868 have consistent copyright dates.
6870 1848. [bug] Improve SMF integration. [RT #13238]
6872 1847. [bug] isc_ondestroy_init() is called too late in
6873 dns_rbtdb_create()/dns_rbtdb64_create().
6876 1846. [contrib] query-loc-0.3.0 from Stephane Bortzmeyer
6877 <bortzmeyer@nic.fr>.
6879 1845. [bug] Improve error reporting to distinguish between
6880 accept()/fcntl() and socket()/fcntl() errors.
6883 1844. [bug] inet_pton() accepted more that 4 hexadecimal digits
6884 for each 16 bit piece of the IPv6 address. The text
6885 representation of a IPv6 address has been tightened
6886 to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt).
6889 1843. [cleanup] CINCLUDES takes precedence over CFLAGS. This helps
6890 when CFLAGS contains "-I /usr/local/include"
6891 resulting in old header files being used.
6893 1842. [port] cmsg_len() could produce incorrect results on
6894 some platform. [RT #13744]
6896 1841. [bug] "dig +nssearch" now makes a recursive query to
6897 find the list of nameservers to query. [RT #13694]
6899 1840. [func] dnssec-signzone can now randomize signature end times
6900 (dnssec-signzone -j jitter). [RT #13609]
6902 1839. [bug] <isc/hash.h> was not being installed.
6904 1838. [cleanup] Don't allow Linux capabilities to be inherited.
6907 1837. [bug] Compile time option ISC_FACILITY was not effective
6908 for 'named -u <user>'. [RT #13714]
6910 1836. [cleanup] Silence compiler warnings in hash_test.c.
6912 1835. [bug] Update dnssec-signzone's usage message. [RT #13657]
6914 1834. [bug] Bad memset in rdata_test.c. [RT #13658]
6916 1833. [bug] Race condition in isc_mutex_lock_profile(). [RT #13660]
6918 1832. [bug] named fails to return BADKEY on unknown TSIG algorithm.
6921 1831. [doc] Update named-checkzone documentation. [RT #13604]
6923 1830. [bug] adb lame cache has sence of test reversed. [RT #13600]
6925 1829. [bug] win32: "pid-file none;" broken. [RT #13563]
6927 1828. [bug] isc_rwlock_init() failed to properly cleanup if it
6928 encountered a error. [RT #13549]
6930 1827. [bug] host: update usage message for '-a'. [RT #37116]
6932 1826. [bug] Missing DESTROYLOCK() in isc_mem_createx() on out
6933 of memory error. [RT #13537]
6935 1825. [bug] Missing UNLOCK() on out of memory error from in
6936 rbtdb.c:subtractrdataset(). [RT #13519]
6938 1824. [bug] Memory leak on dns_zone_setdbtype() failure.
6941 1823. [bug] Wrong macro used to check for point to point interface.
6944 1822. [bug] check-names test for RT was reversed. [RT #13382]
6948 1820. [bug] Gracefully handle acl loops. [RT #13659]
6950 1819. [bug] The validator needed to check both the algorithm and
6951 digest types of the DS to determine if it could be
6952 used to introduce a secure zone. [RT #13593]
6954 1818. [bug] 'named-checkconf -z' triggered an INSIST. [RT #13599]
6956 1817. [func] Add support for additional zone file formats for
6957 improving loading performance. The masterfile-format
6958 option in named.conf can be used to specify a
6959 non-default format. A separate command
6960 named-compilezone was provided to generate zone files
6961 in the new format. Additionally, the -I and -O options
6962 for dnssec-signzone specify the input and output
6965 1816. [port] UnixWare: failed to compile lib/isc/unix/net.c.
6968 1815. [bug] nsupdate triggered a REQUIRE if the server was set
6969 without also setting the zone and it encountered
6970 a CNAME and was using TSIG. [RT #13086]
6972 1814. [func] UNIX domain controls are now supported.
6974 1813. [func] Restructured the data locking framework using
6975 architecture dependent atomic operations (when
6976 available), improving response performance on
6977 multi-processor machines significantly.
6978 x86, x86_64, alpha, powerpc, and mips are currently
6981 1812. [port] win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect.
6984 1811. [func] Preserve the case of domain names in rdata during
6985 zone transfers. [RT #13547]
6987 1810. [bug] configure, lib/bind/configure make different default
6988 decisions about whether to do a threaded build.
6991 1809. [bug] "make distclean" failed for libbind if the platform
6994 1808. [bug] zone.c:notify_zone() contained a race condition,
6995 zone->db could change underneath it. [RT #13511]
6997 1807. [bug] When forwarding (forward only) set the active domain
6998 from the forward zone name. [RT #13526]
7000 1806. [bug] The resolver returned the wrong result when a CNAME /
7001 DNAME was encountered when fetching glue from a
7002 secure namespace. [RT #13501]
7004 1805. [bug] Pending status was not being cleared when DLV was
7007 1804. [bug] Ensure that if we are queried for glue that it fits
7008 in the additional section or TC is set to tell the
7009 client to retry using TCP. [RT #10114]
7011 1803. [bug] dnssec-signzone sometimes failed to remove old
7014 1802. [bug] Handle connection resets better. [RT #11280]
7016 1801. [func] Report differences between hints and real NS rrset
7017 and associated address records.
7019 1800. [bug] Changes #1719 allowed a INSIST to be triggered.
7022 1799. [bug] 'rndc flushname' failed to flush negative cache
7023 entries. [RT #13438]
7025 1798. [func] The server syntax has been extended to support a
7026 range of servers. [RT #11132]
7028 1797. [func] named-checkconf now check acls to verify that they
7029 only refer to existing acls. [RT #13101]
7031 1796. [func] "rndc freeze/thaw" now freezes/thaws all zones.
7033 1795. [bug] "rndc dumpdb" was not fully documented. Minor
7034 formating issues with "rndc dumpdb -all". [RT #13396]
7036 1794. [func] Named and named-checkzone can now both check for
7037 non-terminal wildcard records.
7039 1793. [func] Extend adjusting TTL warning messages. [RT #13378]
7041 1792. [func] New zone option "notify-delay". Specify a minimum
7042 delay between sets of NOTIFY messages.
7044 1791. [bug] 'host -t a' still printed out AAAA and MX records.
7047 1790. [cleanup] Move lib/dns/sec/dst up into lib/dns. This should
7048 allow parallel make to succeed.
7050 1789. [bug] Prerequisite test for tkey and dnssec could fail
7051 with "configure --with-libtool".
7053 1788. [bug] libbind9.la/libbind9.so needs to link against
7054 libisccfg.la/libisccfg.so.
7056 1787. [port] HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings.
7058 1786. [port] AIX: libt_api needs to be taught to look for
7059 T_testlist in the main executable (--with-libtool).
7062 1785. [bug] libbind9.la/libbind9.so needs to link against
7063 libisc.la/libisc.so.
7065 1784. [cleanup] "libtool -allow-undefined" is the default.
7066 Leave hooks in configure to allow it to be set
7067 if needed in the future.
7069 1783. [cleanup] We only need one copy of libtool.m4, ltmain.sh in the
7072 1782. [port] OSX: --with-libtool + --enable-libbind broke on
7073 __evOptMonoTime. [RT #13219]
7075 1781. [port] FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810]
7077 1780. [bug] Update libtool to 1.5.10.
7079 1779. [port] OSF 5.1: libtool didn't handle -pthread correctly.
7081 1778. [port] HUX 11.11: fix broken IN6ADDR_ANY_INIT and
7082 IN6ADDR_LOOPBACK_INIT macros.
7084 1777. [port] OSF 5.1: fix broken IN6ADDR_ANY_INIT and
7085 IN6ADDR_LOOPBACK_INIT macros.
7087 1776. [port] Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
7088 IN6ADDR_LOOPBACK_INIT macros.
7090 1775. [bug] Only compile getnetent_r.c when threaded. [RT #13205]
7092 1774. [port] Aix: Silence compiler warnings / build failures.
7095 1773. [bug] Fast retry on host / net unreachable. [RT #13153]
7101 1770. [bug] named-checkconf failed to report missing a missing
7102 file clause for rbt{64} master/hint zones. [RT #13009]
7104 1769. [port] win32: change compiler flags /MTd ==> /MDd,
7107 1768. [bug] nsecnoexistnodata() could be called with a non-NSEC
7108 rdataset. [RT #12907]
7110 1767. [port] Builds on IPv6 platforms without IPv6 Advanced API
7111 support for (struct in6_pktinfo) failed. [RT #13077]
7113 1766. [bug] Update the master file timestamp on successful refresh
7114 as well as the journal's timestamp. [RT #13062]
7116 1765. [bug] configure --with-openssl=auto failed. [RT #12937]
7118 1764. [bug] dns_zone_replacedb failed to emit a error message
7119 if there was no SOA record in the replacement db.
7122 1763. [func] Perform sanity checks on NS records which refer to
7123 'in zone' names. [RT #13002]
7125 1762. [bug] isc_interfaceiter_create() could return ISC_R_SUCCESS
7126 even when it failed. [RT #12995]
7128 1761. [bug] 'rndc dumpdb' didn't report unassociated entries.
7131 1760. [bug] Host / net unreachable was not penalising rtt
7132 estimates. [RT #12970]
7134 1759. [bug] Named failed to startup if the OS supported IPv6
7135 but had no IPv6 interfaces configured. [RT #12942]
7137 1758. [func] Don't send notify messages to self. [RT #12933]
7139 1757. [func] host now can turn on memory debugging flags with '-m'.
7141 1756. [func] named-checkconf now checks the logging configuration.
7144 1755. [func] allow-update is now settable at the options / view
7147 1754. [bug] We weren't always attempting to query the parent
7148 server for the DS records at the zone cut.
7151 1753. [bug] Don't serve a slave zone which has no NS records.
7154 1752. [port] Move isc_app_start() to after ns_os_daemonise()
7155 as some fork() implementations unblock the signals
7156 that are blocked by isc_app_start(). [RT #12810]
7158 1751. [bug] --enable-getifaddrs failed under linux. [RT #12867]
7160 1750. [port] lib/bind/make/rules.in:subdirs was not bash friendly.
7163 1749. [bug] 'check-names response ignore;' failed to ignore.
7166 1748. [func] dig now returns the byte count for axfr/ixfr.
7168 1747. [bug] BIND 8 compatibility: named/named-checkconf failed
7169 to parse "host-statistics-max" in named.conf.
7171 1746. [func] Make public the function to read a key file,
7172 dst_key_read_public(). [RT #12450]
7174 1745. [bug] Dig/host/nslookup accept replies from link locals
7175 regardless of scope if no scope was specified when
7176 query was sent. [RT #12745]
7178 1744. [bug] If tuple2msgname() failed to convert a tuple to
7179 a name a REQUIRE could be triggered. [RT #12796]
7181 1743. [bug] If isc_taskmgr_create() was not able to create the
7182 requested number of worker threads then destruction
7183 of the manager would trigger an INSIST() failure.
7186 1742. [bug] Deleting all records at a node then adding a
7187 previously existing record, in a single UPDATE
7188 transaction, failed to leave / regenerate the
7189 associated RRSIG records. [RT #12788]
7191 1741. [bug] Deleting all records at a node in a secure zone
7192 using a update-policy grant failed. [RT #12787]
7194 1740. [bug] Replace rbt's hash algorithm as it performed badly
7195 with certain zones. [RT #12729]
7197 NOTE: a hash context now needs to be established
7198 via isc_hash_create() if the application was not
7201 1739. [bug] dns_rbt_deletetree() could incorrectly return
7202 ISC_R_QUOTA. [RT #12695]
7204 1738. [bug] Enable overrun checking by default. [RT #12695]
7206 1737. [bug] named failed if more than 16 masters were specified.
7209 1736. [bug] dst_key_fromnamedfile() could fail to read a
7210 public key. [RT #12687]
7212 1735. [bug] 'dig +sigtrace' could die with a REQUIRE failure.
7215 1734. [cleanup] 'rndc-confgen -a -t' remove extra '/' in path.
7218 1733. [bug] Return non-zero exit status on initial load failure.
7221 1732. [bug] 'rrset-order name "*"' wasn't being applied to ".".
7224 1731. [port] darwin: relax version test in ifconfig.sh.
7227 1730. [port] Determine the length type used by the socket API.
7230 1729. [func] Improve check-names error messages.
7232 1728. [doc] Update check-names documentation.
7234 1727. [bug] named-checkzone: check-names support didn't match
7237 1726. [port] aix5: add support for aix5.
7239 1725. [port] linux: update error message on interaction of threads,
7240 capabilities and setuid support (named -u). [RT #12541]
7242 1724. [bug] Look for DNSKEY records with "dig +sigtrace".
7245 1723. [cleanup] Silence compiler warnings from t_tasks.c. [RT #12493]
7247 1722. [bug] Don't commit the journal on malformed ixfr streams.
7250 1721. [bug] Error message from the journal processing were not
7251 always identifying the relevant journal. [RT #12519]
7253 1720. [bug] 'dig +chase' did not terminate on a RFC 2308 Type 1
7254 negative response. [RT #12506]
7256 1719. [bug] named was not correctly caching a RFC 2308 Type 1
7257 negative response. [RT #12506]
7259 1718. [bug] nsupdate was not handling RFC 2308 Type 3 negative
7260 responses when looking for the zone / master server.
7263 1717. [port] solaris: ifconfig.sh did not support Solaris 10.
7264 "ifconfig.sh down" didn't work for Solaris 9.
7266 1716. [doc] named.conf(5) was being installed in the wrong
7267 location. [RT #12441]
7269 1715. [func] 'dig +trace' now randomly selects the next servers
7270 to try. Report if there is a bad delegation.
7272 1714. [bug] dig/host/nslookup were only trying the first
7273 address when a nameserver was specified by name.
7276 1713. [port] linux: extend capset failure message to say:
7277 please ensure that the capset kernel module is
7278 loaded. see insmod(8)
7280 1712. [bug] Missing FULLCHECK for "trusted-key" in dig.
7282 1711. [func] 'rndc unfreeze' has been deprecated by 'rndc thaw'.
7284 1710. [func] 'rndc notify zone [class [view]]' resend the NOTIFY
7285 messages for the specified zone. [RT #9479]
7287 1709. [port] solaris: add SMF support from Sun.
7289 1708. [cleanup] Replaced dns_fullname_hash() with dns_name_fullhash()
7290 for conformance to the name space convention. Binary
7291 backward compatibility to the old function name is
7292 provided. [RT #12376]
7294 1707. [contrib] sdb/ldap updated to version 1.0-beta.
7296 1706. [bug] 'rndc stop' failed to cause zones to be flushed
7297 sometimes. [RT #12328]
7299 1705. [func] Allow the journal's name to be changed via named.conf.
7301 1704. [port] lwres needed a snprintf() implementation for
7302 platforms without snprintf(). Add missing
7303 "#include <isc/print.h>". [RT #12321]
7305 1703. [bug] named would loop sending NOTIFY messages when it
7306 failed to receive a response. [RT #12322]
7308 1702. [bug] also-notify should not be applied to built in zones.
7311 1701. [doc] A minimal named.conf man page.
7313 1700. [func] nslookup is no longer to be treated as deprecated.
7314 Remove "deprecated" warning message. Add man page.
7316 1699. [bug] dnssec-signzone can generate "not exact" errors
7317 when resigning. [RT #12281]
7319 1698. [doc] Use reserved IPv6 documentation prefix.
7321 1697. [bug] xxx-source{,-v6} was not effective when it
7322 specified one of listening addresses and a
7323 different port than the listening port. [RT #12257]
7325 1696. [bug] dnssec-signzone failed to clean out nodes that
7326 consisted of only NSEC and RRSIG records.
7329 1695. [bug] DS records when forwarding require special handling.
7332 1694. [bug] Report if the builtin views of "_default" / "_bind"
7333 are defined in named.conf. [RT #12023]
7335 1693. [bug] max-journal-size was not effective for master zones
7336 with ixfr-from-differences set. [RT #12024]
7338 1692. [bug] Don't set -I, -L and -R flags when libcrypto is in
7339 /usr/lib. [RT #11971]
7341 1691. [bug] sdb's attachversion was not complete. [RT #11990]
7343 1690. [bug] Delay detaching view from the client until UPDATE
7344 processing completes when shutting down. [RT #11714]
7346 1689. [bug] DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros
7347 contained gratuitous semicolons. [RT #11707]
7349 1688. [bug] LDFLAGS was not supported.
7351 1687. [bug] Race condition in dispatch. [RT #10272]
7353 1686. [bug] Named sent a extraneous NOTIFY when it received a
7354 redundant UPDATE request. [RT #11943]
7356 1685. [bug] Change #1679 loop tests weren't quite right.
7358 1684. [func] ixfr-from-differences now takes master and slave in
7359 addition to yes and no at the options and view levels.
7361 1683. [bug] dig +sigchase could leak memory. [RT #11445]
7363 1682. [port] Update configure test for (long long) printf format.
7366 1681. [bug] Only set SO_REUSEADDR when a port is specified in
7367 isc_socket_bind(). [RT #11742]
7369 1680. [func] rndc: the source address can now be specified.
7371 1679. [bug] When there was a single nameserver with multiple
7372 addresses for a zone not all addresses were tried.
7375 1678. [bug] RRSIG should use TYPEXXXXX for unknown types.
7377 1677. [bug] dig: +aaonly didn't work, +aaflag undocumented.
7379 1676. [func] New option "allow-query-cache". This lets
7380 allow-query be used to specify the default zone
7381 access level rather than having to have every
7382 zone override the global value. allow-query-cache
7383 can be set at both the options and view levels.
7384 If allow-query-cache is not set allow-query applies.
7386 1675. [bug] named would sometimes add extra NSEC records to
7387 the authority section.
7389 1674. [port] linux: increase buffer size used to scan
7392 1673. [port] linux: issue a error messages if IPv6 interface
7395 1672. [cleanup] Tests which only function in a threaded build
7396 now return R:THREADONLY (rather than R:UNTESTED)
7397 in a non-threaded build.
7399 1671. [contrib] queryperf: add NAPTR to the list of known types.
7401 1670. [func] Log UPDATE requests to slave zones without an acl as
7402 "disabled" at debug level 3. [RT #11657]
7406 1668. [bug] DIG_SIGCHASE was making bin/dig/host dump core.
7408 1667. [port] linux: not all versions have IF_NAMESIZE.
7410 1666. [bug] The optional port on hostnames in dual-stack-servers
7413 1665. [func] rndc now allows addresses to be set in the
7416 1664. [bug] nsupdate needed KEY for SIG(0), not DNSKEY.
7418 1663. [func] Look for OpenSSL by default.
7420 1662. [bug] Change #1658 failed to change one use of 'type'
7423 1661. [bug] Restore dns_name_concatenate() call in
7424 adb.c:set_target(). [RT #11582]
7426 1660. [bug] win32: connection_reset_fix() was being called
7427 unconditionally. [RT #11595]
7429 1659. [cleanup] Cleanup some messages that were referring to KEY vs
7430 DNSKEY, NXT vs NSEC and SIG vs RRSIG.
7432 1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5
7433 and DH. Tighten which options apply to KEY and
7436 1657. [doc] ARM: document query log output.
7438 1656. [doc] Update DNSSEC description in ARM to cover DS, NSEC
7439 DNSKEY and RRSIG. [RT #11542]
7441 1655. [bug] Logging multiple versions w/o a size was broken.
7444 1654. [bug] isc_result_totext() contained array bounds read
7447 1653. [func] Add key type checking to dst_key_fromfilename(),
7448 DST_TYPE_KEY should be used to read TSIG, TKEY and
7451 1652. [bug] TKEY still uses KEY.
7453 1651. [bug] dig: process multiple dash options.
7455 1650. [bug] dig, nslookup: flush standard out after each command.
7457 1649. [bug] Silence "unexpected non-minimal diff" message.
7460 1648. [func] Update dnssec-lookaside named.conf syntax to support
7461 multiple dnssec-lookaside namespaces (not yet
7464 1647. [bug] It was possible trigger a INSIST when chasing a DS
7465 record that required walking back over a empty node.
7468 1646. [bug] win32: logging file versions didn't work with
7469 non-UNC filenames. [RT #11486]
7471 1645. [bug] named could trigger a REQUIRE failure if multiple
7472 masters with keys are specified.
7474 1644. [bug] Update the journal modification time after a
7475 successful refresh query. [RT #11436]
7477 1643. [bug] dns_db_closeversion() could leak memory / node
7478 references. [RT #11163]
7480 1642. [port] Support OpenSSL implementations which don't have
7481 DSA support. [RT #11360]
7483 1641. [bug] Update the check-names description in ARM. [RT #11389]
7485 1640. [bug] win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was
7486 incorrectly closing the socket. [RT #11291]
7488 1639. [func] Initial dlv system test.
7490 1638. [bug] "ixfr-from-differences" could generate a REQUIRE
7491 failure if the journal open failed. [RT #11347]
7493 1637. [bug] Node reference leak on error in addnoqname().
7495 1636. [bug] The dump done callback could get ISC_R_SUCCESS even if
7496 a error had occurred. The database version no longer
7497 matched the version of the database that was dumped.
7499 1635. [bug] Memory leak on error in query_addds().
7501 1634. [bug] named didn't supply a useful error message when it
7502 detected duplicate views. [RT #11208]
7504 1633. [bug] named should return NOTIMP to update requests to a
7505 slaves without a allow-update-forwarding acl specified.
7508 1632. [bug] nsupdate failed to send prerequisite only UPDATE
7509 messages. [RT #11288]
7511 1631. [bug] dns_journal_compact() could sometimes corrupt the
7512 journal. [RT #11124]
7514 1630. [contrib] queryperf: add support for IPv6 transport.
7516 1629. [func] dig now supports IPv6 scoped addresses with the
7517 extended format in the local-server part. [RT #8753]
7519 1628. [bug] Typo in Compaq Trucluster support. [RT #11264]
7521 1627. [bug] win32: sockets were not being closed when the
7522 last external reference was removed. [RT #11179]
7524 1626. [bug] --enable-getifaddrs was broken. [RT #11259]
7526 1625. [bug] named failed to load/transfer RFC2535 signed zones
7527 which contained CNAMES. [RT #11237]
7529 1624. [bug] zonemgr_putio() call should be locked. [RT #11163]
7531 1623. [bug] A serial number of zero was being displayed in the
7532 "sending notifies" log message when also-notify was
7535 1622. [func] probe the system to see if IPV6_(RECV)PKTINFO is
7536 available, and suppress wildcard binding if not.
7538 1621. [bug] match-destinations did not work for IPv6 TCP queries.
7541 1620. [func] When loading a zone report if it is signed. [RT #11149]
7543 1619. [bug] Missing ISC_LIST_UNLINK in end_reserved_dispatches().
7546 1618. [bug] Fencepost errors in dns_name_ishostname() and
7547 dns_name_ismailbox() could trigger a INSIST().
7549 1617. [port] win32: VC++ 6.0 support.
7551 1616. [compat] Ensure that named's version is visible in the core
7554 1615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if
7557 1614. [port] win32: silence resource limit messages. [RT #11101]
7559 1613. [bug] Builds would fail on machines w/o a if_nametoindex().
7560 Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif.
7563 1612. [bug] check-names at the option/view level could trigger
7564 an INSIST. [RT #11116]
7566 1611. [bug] solaris: IPv6 interface scanning failed to cope with
7567 no active IPv6 interfaces.
7569 1610. [bug] On dual stack machines "dig -b" failed to set the
7570 address type to be looked up with "@server".
7573 1609. [func] dig now has support to chase DNSSEC signature chains.
7574 Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES.
7576 DNSSEC validation code in dig coded by Olivier Courtay
7577 (olivier.courtay@irisa.fr) for the IDsA project
7578 (http://idsa.irisa.fr).
7580 1608. [func] dig and host now accept -4/-6 to select IP transport
7581 to use when making queries.
7583 1607. [bug] dig, host and nslookup were still using random()
7584 to generate query ids. [RT #11013]
7586 1606. [bug] DLV insecurity proof was failing.
7588 1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC.
7590 1604. [bug] A xfrout_ctx_create() failure would result in
7591 xfrout_ctx_destroy() being called with a
7592 partially initialized structure.
7594 1603. [bug] nsupdate: set interactive based on isatty().
7597 1602. [bug] Logging to a file failed unless a size was specified.
7600 1601. [bug] Silence spurious warning 'both "recursion no;" and
7601 "allow-recursion" active' warning from view "_bind".
7604 1600. [bug] Duplicate zone pre-load checks were not case
7607 1599. [bug] Fix memory leak on error path when checking named.conf.
7609 1598. [func] Specify that certain parts of the namespace must
7610 be secure (dnssec-must-be-secure).
7612 1597. [func] Allow notify-source and query-source to be specified
7613 on a per server basis similar to transfer-source.
7616 1596. [func] Accept 'notify-source' style syntax for query-source.
7618 1595. [func] New notify type 'master-only'. Enable notify for
7621 1594. [bug] 'rndc dumpdb' could prevent named from answering
7622 queries while the dump was in progress. [RT #10565]
7624 1593. [bug] rndc should return "unknown command" to unknown
7625 commands. [RT #10642]
7627 1592. [bug] configure_view() could leak a dispatch. [RT #10675]
7629 1591. [bug] libbind: updated to BIND 8.4.5.
7631 1590. [port] netbsd: update thread support.
7633 1589. [func] DNSSEC lookaside validation.
7635 1588. [bug] win32: TCP sockets could become blocked. [RT #10115]
7637 1587. [bug] dns_message_settsigkey() failed to clear existing key.
7640 1586. [func] "check-names" is now implemented.
7644 1584. [bug] "make test" failed with a read only source tree.
7647 1583. [bug] Records add via UPDATE failed to get the correct trust
7650 1582. [bug] rrset-order failed to work on RRsets with more
7651 than 32 elements. [RT #10381]
7653 1581. [func] Disable DNSSEC support by default. To enable
7654 DNSSEC specify "dnssec-enable yes;" in named.conf.
7656 1580. [bug] Zone destruction on final detach takes a long time.
7659 1579. [bug] Multiple task managers could not be created.
7661 1578. [bug] Don't use CLASS E IPv4 addresses when resolving.
7664 1577. [bug] Use isc_uint32_t in ultrasparc optimizer bug
7665 workaround code. [RT #10331]
7667 1576. [bug] Race condition in dns_dispatch_addresponse().
7670 1575. [func] Log TSIG name on TSIG verify failure. [RT #4404]
7672 1574. [bug] Don't attempt to open the controls socket(s) when
7673 running tests. [RT #9091]
7675 1573. [port] linux: update to libtool 1.5.2 so that
7676 "make install DESTDIR=/xx" works with
7677 "configure --with-libtool". [RT #9941]
7679 1572. [bug] nsupdate: sign the soa query to find the enclosing
7680 zone if the server is specified. [RT #10148]
7682 1571. [bug] rbt:hash_node() could fail leaving the hash table
7683 in an inconsistent state. [RT #10208]
7685 1570. [bug] nsupdate failed to handle classes other than IN.
7686 New keyword 'class' which sets the default class.
7689 1569. [func] nsupdate new command 'answer' which displays the
7690 complete answer message to the last update.
7692 1568. [bug] nsupdate now reports that the update failed in
7693 interactive mode. [RT #10236]
7695 1567. [maint] B.ROOT-SERVERS.NET is now 192.228.79.201.
7697 1566. [port] Support for the cmsg framework on Solaris and HP/UX.
7698 This also solved the problem that match-destinations
7699 for IPv6 addresses did not work on these systems.
7702 1565. [bug] CD flag should be copied to outgoing queries unless
7703 the query is under a secure entry point in which case
7706 1564. [func] Attempt to provide a fallback entropy source to be
7707 used if named is running chrooted and named is unable
7708 to open entropy source within the chroot area.
7711 1563. [bug] Gracefully fail when unable to obtain neither an IPv4
7712 nor an IPv6 dispatch. [RT #10230]
7714 1562. [bug] isc_socket_create() and isc_socket_accept() could
7715 leak memory under error conditions. [RT #10230]
7717 1561. [bug] It was possible to release the same name twice if
7718 named ran out of memory. [RT #10197]
7720 1560. [port] FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA
7721 and EAI_NONAME to the same value.
7723 1559. [port] named should ignore SIGFSZ.
7725 1558. [func] New DNSSEC 'disable-algorithms'. Support entry into
7726 child zones for which we don't have a supported
7727 algorithm. Such child zones are treated as unsigned.
7729 1557. [func] Implement missing DNSSEC tests for
7730 * NOQNAME proof with wildcard answers.
7731 * NOWILDARD proof with NXDOMAIN.
7732 Cache and return NOQNAME with wildcard answers.
7734 1556. [bug] nsupdate now treats all names as fully qualified.
7737 1555. [func] 'rrset-order cyclic' no longer has a random starting
7738 point per query. [RT #7572]
7740 1554. [bug] dig, host, nslookup failed when no nameservers
7741 were specified in /etc/resolv.conf. [RT #8232]
7743 1553. [bug] The windows socket code could stop accepting
7744 connections. [RT #10115]
7746 1552. [bug] Accept NOTIFY requests from mapped masters if
7747 matched-mapped is set. [RT #10049]
7749 1551. [port] Open "/dev/null" before calling chroot().
7751 1550. [port] Call tzset(), if available, before calling chroot().
7753 1549. [func] named-checkzone can now write out the zone contents
7754 in a easily parsable format (-D and -o).
7756 1548. [bug] When parsing APL records it was possible to silently
7757 accept out of range ADDRESSFAMILY values. [RT #9979]
7759 1547. [bug] Named wasted memory recording duplicate lame zone
7762 1546. [bug] We were rejecting valid secure CNAME to negative
7765 1545. [bug] It was possible to leak memory if named was unable to
7766 bind to the specified transfer source and TSIG was
7767 being used. [RT #10120]
7769 1544. [bug] Named would logged a single entry to a file despite it
7770 being over the specified size limit.
7772 1543. [bug] Logging using "versions unlimited" did not work.
7776 1541. [func] NSEC now uses new bitmap format.
7778 1540. [bug] "rndc reload <dynamiczone>" was silently accepted.
7781 1539. [bug] Open UDP sockets for notify-source and transfer-source
7782 that use reserved ports at startup. [RT #9475]
7784 1538. [placeholder] rt9997
7786 1537. [func] New option "querylog". If set specify whether query
7787 logging is to be enabled or disabled at startup.
7789 1536. [bug] Windows socket code failed to log a error description
7790 when returning ISC_R_UNEXPECTED. [RT #9998]
7794 1534. [bug] Race condition when priming cache. [RT #9940]
7796 1533. [func] Warn if both "recursion no;" and "allow-recursion"
7797 are active. [RT #4389]
7799 1532. [port] netbsd: the configure test for <sys/sysctl.h>
7800 requires <sys/param.h>.
7802 1531. [port] AIX more libtool fixes.
7804 1530. [bug] It was possible to trigger a INSIST() failure if a
7805 slave master file was removed at just the correct
7808 1529. [bug] "notify explicit;" failed to log that NOTIFY messages
7809 were being sent for the zone. [RT #9442]
7811 1528. [cleanup] Simplify some dns_name_ functions based on the
7812 deprecation of bitstring labels.
7814 1527. [cleanup] Reduce the number of gettimeofday() calls without
7815 losing necessary timer granularity.
7817 1526. [func] Implemented "additional section caching (or acache)",
7818 an internal cache framework for additional section
7819 content to improve response performance. Several
7820 configuration options were provided to control the
7823 1525. [bug] dns_cache_create() could trigger a REQUIRE
7824 failure in isc_mem_put() during error cleanup.
7827 1524. [port] AIX needs to be able to resolve all symbols when
7828 creating shared libraries (--with-libtool).
7830 1523. [bug] Fix race condition in rbtdb. [RT #9189]
7832 1522. [bug] dns_db_findnode() relax the requirements on 'name'.
7835 1521. [bug] dns_view_createresolver() failed to check the
7836 result from isc_mem_create(). [RT #9294]
7838 1520. [protocol] Add SSHFP (SSH Finger Print) type.
7840 1519. [bug] dnssec-signzone:nsec_setbit() computed the wrong
7841 length of the new bitmap.
7843 1518. [bug] dns_nsec_buildrdata(), and hence dns_nsec_build(),
7844 contained a off-by-one error when working out the
7845 number of octets in the bitmap.
7847 1517. [port] Support for IPv6 interface scanning on HP/UX and
7850 1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
7852 1515. [func] Allow transfer source to be set in a server statement.
7855 1514. [bug] named: isc_hash_destroy() was being called too early.
7858 1513. [doc] Add "US" to root-delegation-only exclude list.
7860 1512. [bug] Extend the delegation-only logging to return query
7861 type, class and responding nameserver.
7863 1511. [bug] delegation-only was generating false positives
7864 on negative answers from sub-zones.
7866 1510. [func] New view option "root-delegation-only". Apply
7867 delegation-only check to all TLDs and root.
7868 Note there are some TLDs that are NOT delegation
7869 only (e.g. DE, LV, US and MUSEUM) these can be excluded
7870 from the checks by using exclude.
7872 root-delegation-only exclude {
7873 "DE"; "LV"; "US"; "MUSEUM";
7876 1509. [bug] Hint zones should accept delegation-only. Forward
7877 zone should not accept delegation-only.
7879 1508. [bug] Don't apply delegation-only checks to answers from
7882 1507. [bug] Handle BIND 8 style returns to NS queries to parents
7883 when making delegation-only checks.
7885 1506. [bug] Wrong return type for dns_view_isdelegationonly().
7887 1505. [bug] Uninitialized rdataset in sdb. [RT #8750]
7889 1504. [func] New zone type "delegation-only".
7891 1503. [port] win32: install libeay32.dll outside of system32.
7893 1502. [bug] nsupdate: adjust timeouts for UPDATE requests over TCP.
7895 1501. [func] Allow TCP queue length to be specified via
7896 named.conf, tcp-listen-queue.
7898 1500. [bug] host failed to lookup MX records. Also look up
7901 1499. [bug] isc_random need to be seeded better if arc4random()
7904 1498. [port] bsdos: 5.x support.
7908 1496. [port] test for pthread_attr_setstacksize().
7910 1495. [cleanup] Replace hash functions with universal hash.
7912 1494. [security] Turn on RSA BLINDING as a precaution.
7916 1492. [cleanup] Preserve rwlock quota context when upgrading /
7917 downgrading. [RT #5599]
7919 1491. [bug] dns_master_dump*() would produce extraneous $ORIGIN
7922 1490. [bug] Accept reading state as well as working state in
7923 ns_client_next(). [RT #6813]
7925 1489. [compat] Treat 'allow-update' on slave zones as a warning.
7928 1488. [bug] Don't override trust levels for glue addresses.
7931 1487. [bug] A REQUIRE() failure could be triggered if a zone was
7932 queued for transfer and the zone was then removed.
7935 1486. [bug] isc_print_snprintf() '%%' consumed one too many format
7936 characters. [RT #8230]
7938 1485. [bug] gen failed to handle high type values. [RT #6225]
7940 1484. [bug] The number of records reported after a AXFR was wrong.
7943 1483. [bug] dig axfr failed if the message id in the answer failed
7944 to match that in the request. Only the id in the first
7945 message is required to match. [RT #8138]
7947 1482. [bug] named could fail to start if the kernel supports
7948 IPv6 but no interfaces are configured. Similarly
7949 for IPv4. [RT #6229]
7951 1481. [bug] Refresh and stub queries failed to use masters keys
7952 if specified. [RT #7391]
7954 1480. [bug] Provide replay protection for rndc commands. Full
7955 replay protection requires both rndc and named to
7956 be updated. Partial replay protection (limited
7957 exposure after restart) is provided if just named
7960 1479. [bug] cfg_create_tuple() failed to handle out of
7961 memory cleanup. parse_list() would leak memory
7964 1478. [port] ifconfig.sh didn't account for other virtual
7965 interfaces. It now takes a optional argument
7966 to specify the first interface number. [RT #3907]
7968 1477. [bug] memory leak using stub zones and TSIG.
7972 1475. [port] Probe for old sprintf().
7974 1474. [port] Provide strtoul() and memmove() for platforms
7977 1473. [bug] create_map() and create_string() failed to handle out
7978 of memory cleanup. [RT #6813]
7980 1472. [contrib] idnkit-1.0 from JPNIC, replaces mdnkit.
7982 1471. [bug] libbind: updated to BIND 8.4.0.
7984 1470. [bug] Incorrect length passed to snprintf. [RT #5966]
7986 1469. [func] Log end of outgoing zone transfer at same level
7987 as the start of transfer is logged. [RT #4441]
7989 1468. [func] Internal zones are no longer counted for
7990 'rndc status'. [RT #4706]
7992 1467. [func] $GENERATES now supports optional class and ttl.
7994 1466. [bug] lwresd configuration errors resulted in memory
7995 and lock leaks. [RT #5228]
7997 1465. [bug] isc_base64_decodestring() and isc_base64_tobuffer()
7998 failed to check that trailing bits were zero allowing
7999 some invalid base64 strings to be accepted. [RT #5397]
8001 1464. [bug] Preserve "out of zone" data for outgoing zone
8002 transfers. [RT #5192]
8004 1463. [bug] dns_rdata_from{wire,struct}() failed to catch bad
8005 NXT bit maps. [RT #5577]
8007 1462. [bug] parse_sizeval() failed to check the token type.
8010 1461. [bug] Remove deadlock from rbtdb code. [RT #5599]
8012 1460. [bug] inet_pton() failed to reject certain malformed
8017 1458. [cleanup] sprintf() -> snprintf().
8019 1457. [port] Provide strlcat() and strlcpy() for platforms without
8022 1456. [contrib] gen-data-queryperf.py from Stephane Bortzmeyer.
8024 1455. [bug] <netaddr> missing from server grammar in
8025 doc/misc/options. [RT #5616]
8027 1454. [port] Use getifaddrs() if available for interface scanning.
8028 --disable-getifaddrs to override. Glibc currently
8029 has a getifaddrs() that does not support IPv6.
8030 Use --enable-getifaddrs=glibc to force the use of
8031 this version under linux machines.
8033 1453. [doc] ARM: $GENERATE example wasn't accurate. [RT #5298]
8037 1451. [bug] rndc-confgen didn't exit with a error code for all
8038 failures. [RT #5209]
8040 1450. [bug] Fetching expired glue failed under certain
8041 circumstances. [RT #5124]
8043 1449. [bug] query_addbestns() didn't handle running out of memory
8046 1448. [bug] Handle empty wildcards labels.
8048 1447. [bug] We were casting (unsigned int) to and from (void *).
8049 rdataset->private4 is now rdataset->privateuint4
8050 to reflect a type change.
8052 1446. [func] Implemented undocumented alternate transfer sources
8053 from BIND 8. See use-alt-transfer-source,
8054 alt-transfer-source and alt-transfer-source-v6.
8056 SECURITY: use-alt-transfer-source is ENABLED unless
8057 you are using views. This may cause a security risk
8058 resulting in accidental disclosure of wrong zone
8059 content if the master supplying different source
8060 content based on IP address. If you are not certain
8061 ISC recommends setting use-alt-transfer-source no;
8063 1445. [bug] DNS_ADBFIND_STARTATROOT broke stub zones. This has
8064 been replaced with DNS_ADBFIND_STARTATZONE which
8065 causes the search to start using the closest zone.
8067 1444. [func] dns_view_findzonecut2() allows you to specify if the
8068 cache should be searched for zone cuts.
8070 1443. [func] Masters lists can now be specified and referenced
8071 in zone masters clauses and other masters lists.
8073 1442. [func] New functions for manipulating port lists:
8074 dns_portlist_create(), dns_portlist_add(),
8075 dns_portlist_remove(), dns_portlist_match(),
8076 dns_portlist_attach() and dns_portlist_detach().
8078 1441. [func] It is now possible to tell dig to bind to a specific
8081 1440. [func] It is now possible to tell named to avoid using
8082 certain source ports (avoid-v4-udp-ports,
8083 avoid-v6-udp-ports).
8085 1439. [bug] Named could return NOERROR with certain NOTIFY
8086 failures. Return NOTAUTH if the NOTIFY zone is
8089 1438. [func] Log TSIG (if any) when logging NOTIFY requests.
8091 1437. [bug] Leave space for stdio to work in. [RT #5033]
8093 1436. [func] dns_zonemgr_resumexfrs() can be used to restart
8096 1435. [bug] zmgr_resume_xfrs() was being called read locked
8097 rather than write locked. zmgr_resume_xfrs()
8098 was not being called if the zone was being
8101 1434. [bug] "rndc reconfig" failed to initiate the initial
8102 zone transfer of new slave zones.
8104 1433. [bug] named could trigger a REQUIRE failure if it could
8105 not get a file descriptor when attempting to write
8106 a master file. [RT #4347]
8108 1432. [func] The advertised EDNS UDP buffer size can now be set
8109 via named.conf (edns-udp-size).
8111 1431. [bug] isc_print_snprintf() "%s" with precision could walk off
8112 end of argument. [RT #5191]
8114 1430. [port] linux: IPv6 interface scanning support.
8116 1429. [bug] Prevent the cache getting locked to old servers.
8120 1427. [bug] Race condition in adb with threaded build.
8124 1425. [port] linux/libbind: define __USE_MISC when testing *_r()
8125 function prototypes in netdb.h. [RT #4921]
8127 1424. [bug] EDNS version not being correctly printed.
8129 1423. [contrib] queryperf: added A6 and SRV.
8131 1422. [func] Log name/type/class when denying a query. [RT #4663]
8133 1421. [func] Differentiate updates that don't succeed due to
8134 prerequisites (unsuccessful) vs other reasons
8137 1420. [port] solaris: work around gcc optimizer bug.
8139 1419. [port] openbsd: use /dev/arandom. [RT #4950]
8141 1418. [bug] 'rndc reconfig' did not cause new slaves to load.
8143 1417. [func] ID.SERVER/CHAOS is now a built in zone.
8144 See "server-id" for how to configure.
8146 1416. [bug] Empty node should return NOERROR NODATA, not NXDOMAIN.
8149 1415. [func] DS TTL now derived from NS ttl. NXT TTL now derived
8152 1414. [func] Support for KSK flag.
8154 1413. [func] Explicitly request the (re-)generation of DS records
8155 from keysets (dnssec-signzone -g).
8157 1412. [func] You can now specify servers to be tried if a nameserver
8158 has IPv6 address and you only support IPv4 or the
8159 reverse. See dual-stack-servers.
8161 1411. [bug] empty nodes should stop wildcard matches. [RT #4802]
8163 1410. [func] Handle records that live in the parent zone, e.g. DS.
8165 1409. [bug] DS should have attribute DNS_RDATATYPEATTR_DNSSEC.
8167 1408. [bug] "make distclean" was not complete. [RT #4700]
8169 1407. [bug] lfsr incorrectly implements the shift register.
8172 1406. [bug] dispatch initializes one of the LFSR's with a incorrect
8173 polynomial. [RT #4617]
8175 1405. [func] Use arc4random() if available.
8177 1404. [bug] libbind: ns_name_ntol() could overwrite a zero length
8180 1403. [func] dnssec-signzone, dnssec-keygen, dnssec-makekeyset
8181 dnssec-signkey now report their version in the
8184 1402. [cleanup] A6 has been moved to experimental and is no longer
8187 1401. [bug] adb wasn't clearing state when the timer expired.
8189 1400. [bug] Block the addition of wildcard NS records by IXFR
8190 or UPDATE. [RT #3502]
8192 1399. [bug] Use serial number arithmetic when testing SIG
8193 timestamps. [RT #4268]
8195 1398. [doc] ARM: notify-also should have been also-notify.
8198 1397. [maint] J.ROOT-SERVERS.NET is now 192.58.128.30.
8200 1396. [func] dnssec-signzone: adjust the default signing time by
8201 1 hour to allow for clock skew.
8203 1395. [port] OpenSSL 0.9.7 defines CRYPTO_LOCK_ENGINE but doesn't
8204 have a working implementation. [RT #4079]
8206 1394. [func] It is now possible to check if a particular element is
8207 in a acl. Remove duplicate entries from the localnets
8210 1393. [port] Bind to individual IPv6 interfaces if IPV6_IPV6ONLY
8211 is not available in the kernel to prevent accidently
8212 listening on IPv4 interfaces.
8214 1392. [bug] named-checkzone: update usage.
8216 1391. [func] Add support for IPv6 scoped addresses in named.
8218 1390. [func] host now supports ixfr.
8220 1389. [bug] named could fail to rotate long log files. [RT #3666]
8222 1388. [port] irix: check for sys/sysctl.h and NET_RT_IFLIST before
8223 defining HAVE_IFLIST_SYSCTL. [RT #3770]
8225 1387. [bug] named could crash due to an access to invalid memory
8226 space (which caused an assertion failure) in
8227 incremental cleaning. [RT #3588]
8229 1386. [bug] named-checkzone -z stopped on errors in a zone.
8232 1385. [bug] Setting serial-query-rate to 10 would trigger a
8235 1384. [bug] host was incompatible with BIND 8 in its exit code and
8236 in the output with the -l option. [RT #3536]
8238 1383. [func] Track the serial number in a IXFR response and log if
8239 a mismatch occurs. This is a more specific error than
8240 "not exact". [RT #3445]
8242 1382. [bug] make install failed with --enable-libbind. [RT #3656]
8244 1381. [bug] named failed to correctly process answers that
8245 contained DNAME records where the resulting CNAME
8246 resulted in a negative answer.
8248 1380. [func] 'rndc recursing' dump recursing queries to
8249 'recursing-file = "named.recursing";'.
8251 1379. [func] 'rndc status' now reports tcp and recursion quota
8254 1378. [func] Improved positive feedback for 'rndc {reload|refresh}.
8256 1377. [func] dns_zone_load{new}() now reports if the zone was
8257 loaded, queued for loading to up to date.
8259 1376. [func] New function dns_zone_logc() to log to specified
8262 1375. [func] 'rndc dumpdb' now dumps the adb cache along with the
8265 1374. [func] dns_adb_dump() now logs the lame zones associated
8268 1373. [bug] Recovery from expired glue failed under certain
8271 1372. [bug] named crashes with an assertion failure on exit when
8272 sharing the same port for listening and querying, and
8273 changing listening addresses several times. [RT #3509]
8275 1371. [bug] notify-source-v6, transfer-source-v6 and
8276 query-source-v6 with explicit addresses and using the
8277 same ports as named was listening on could interfere
8278 with named's ability to answer queries sent to those
8281 1370. [bug] dig '+[no]recurse' was incorrectly documented.
8283 1369. [bug] Adding an NS record as the lexicographically last
8284 record in a secure zone didn't work.
8286 1368. [func] remove support for bitstring labels.
8288 1367. [func] Use response times to select forwarders.
8290 1366. [contrib] queryperf usage was incomplete. Add '-h' for help.
8292 1365. [func] "localhost" and "localnets" acls now include IPv6
8293 addresses / prefixes.
8295 1364. [func] Log file name when unable to open memory statistics
8296 and dump database files. [RT #3437]
8298 1363. [func] Listen-on-v6 now supports specific addresses.
8300 1362. [bug] remove IFF_RUNNING test when scanning interfaces.
8302 1361. [func] log the reason for rejecting a server when resolving
8305 1360. [bug] --enable-libbind would fail when not built in the
8306 source tree for certain OS's.
8308 1359. [security] Support patches OpenSSL libraries.
8309 http://www.cert.org/advisories/CA-2002-23.html
8311 1358. [bug] It was possible to trigger a INSIST when debugging
8312 large dynamic updates. [RT #3390]
8314 1357. [bug] nsupdate was extremely wasteful of memory.
8316 1356. [tuning] Reduce the number of events / quantum for zone tasks.
8318 1355. [bug] Fix DNSSEC wildcard proof for CNAME/DNAME.
8320 1354. [doc] lwres man pages had illegal nroff.
8322 1353. [contrib] sdb/ldap to version 0.9.
8324 1352. [bug] dig, host, nslookup when falling back to TCP use the
8325 current search entry (if any). [RT #3374]
8327 1351. [bug] lwres_getipnodebyname() returned the wrong name
8328 when given a IPv4 literal, af=AF_INET6 and AI_MAPPED
8331 1350. [bug] dns_name_fromtext() failed to handle too many labels
8334 1349. [security] Minimum OpenSSL version now 0.9.6e (was 0.9.5a).
8335 http://www.cert.org/advisories/CA-2002-23.html
8337 1348. [port] win32: Rewrote code to use I/O Completion Ports
8338 in socket.c and eliminating a host of socket
8339 errors. Performance is enhanced.
8345 1345. [port] Use a explicit -Wformat with gcc. Not all versions
8346 include it in -Wall.
8348 1344. [func] Log if the serial number on the master has gone
8350 If you have multiple machines specified in the masters
8351 clause you may want to set 'multi-master yes;' to
8352 suppress this warning.
8354 1343. [func] Log successful notifies received (info). Adjust log
8355 level for failed notifies to notice.
8357 1342. [func] Log remote address with TCP dispatch failures.
8359 1341. [func] Allow a rate limiter to be stalled.
8361 1340. [bug] Delay and spread out the startup refresh load.
8363 1339. [func] dig, host and nslookup now use IP6.ARPA for nibble
8364 lookups. Bit string lookups are no longer attempted.
8370 1336. [func] Nibble lookups under IP6.ARPA are now supported by
8371 dns_byaddr_create(). dns_byaddr_createptrname() is
8372 deprecated, use dns_byaddr_createptrname2() instead.
8374 1335. [bug] When performing a nonexistence proof, the validator
8375 should discard parent NXTs from higher in the DNS.
8377 1334. [bug] When signing/verifying rdatasets, duplicate rdatas
8378 need to be suppressed.
8380 1333. [contrib] queryperf now reports a summary of returned
8381 rcodes (-c), rcodes are printed in mnemonic form (-v).
8383 1332. [func] Report the current serial with periodic commits when
8384 rolling forward the journal.
8386 1331. [func] Generate DNSSEC wildcard proofs.
8388 1330. [bug] When processing events (non-threaded) only allow
8389 the task one chance to use to use its quantum.
8391 1329. [func] named-checkzone will now check if nameservers that
8392 appear to be IP addresses. Available modes "fail",
8393 "warn" (default) and "ignore" the results of the
8396 1328. [bug] The validator could incorrectly verify an invalid
8399 1327. [bug] The validator would incorrectly mark data as insecure
8400 when seeing a bogus signature before a correct
8403 1326. [bug] DNAME/CNAME signatures were not being cached when
8404 validation was not being performed. [RT #3284]
8406 1325. [bug] If the tcpquota was exhausted it was possible to
8407 to trigger a INSIST() failure.
8409 1324. [port] darwin: ifconfig.sh now supports darwin.
8411 1323. [port] linux: Slackware 4.0 needs <asm/unistd.h>. [RT #3205]
8413 1322. [bug] dnssec-signzone usage message was misleading.
8415 1321. [bug] If the last RRset in a zone is glue, dnssec-signzone
8416 would incorrectly duplicate its output and sign it.
8418 1320. [doc] query-source-v6 was missing from options section.
8421 1319. [func] libbind: log attempts to exploit #1318.
8423 1318. [bug] libbind: Remote buffer overrun.
8425 1317. [port] libbind: TrueUNIX 5.1 does not like __align as a
8428 1316. [bug] libbind: gethostans() could get out of sync parsing
8429 the response if there was a very long CNAME chain.
8431 1315. [bug] Options should apply to the internal _bind view.
8433 1314. [port] Handle ECONNRESET from sendmsg() [unix].
8435 1313. [func] Query log now says if the query was signed (S) or
8436 if EDNS was used (E).
8438 1312. [func] Log TSIG key used w/ outgoing zone transfers.
8440 1311. [bug] lwres_getrrsetbyname leaked memory. [RT #3159]
8442 1310. [bug] 'rndc stop' failed to cause zones to be flushed
8443 sometimes. [RT #3157]
8445 1309. [func] Log that a zone transfer was covered by a TSIG.
8447 1308. [func] DS (delegation signer) support.
8449 1307. [bug] nsupdate: allow white space base64 key data.
8451 1306. [bug] Badly encoded LOC record when the size, horizontal
8452 precision or vertical precision was 0.1m.
8454 1305. [bug] Document that internal zones are included in the
8455 rndc status results.
8457 1304. [func] New function: dns_zone_name().
8459 1303. [func] Option 'flush-zones-on-shutdown <boolean>;'.
8461 1302. [func] Extended rndc dumpdb to support dumping of zones and
8462 view selection: 'dumpdb [-all|-zones|-cache] [view]'.
8464 1301. [func] New category 'update-security'.
8466 1300. [port] Compaq Trucluster support.
8468 1299. [bug] Set AI_ADDRCONFIG when looking up addresses
8469 via getaddrinfo() (affects dig, host, nslookup, rndc
8472 1298. [bug] The CINCLUDES macro in lib/dns/sec/dst/Makefile
8473 could be left with a trailing "\" after configure
8476 1297. [port] linux: make handling EINVAL from socket() no longer
8477 conditional on #ifdef LINUX.
8479 1296. [bug] isc_log_closefilelogs() needed to lock the log
8482 1295. [bug] isc_log_setdebuglevel() needed to lock the log
8485 1294. [func] libbind: no longer attempts bit string labels for
8486 IPv6 reverse resolution. Try IP6.ARPA then IP6.INT
8487 for nibble style resolution.
8489 1293. [func] Entropy can now be retrieved from EGDs. [RT #2438]
8491 1292. [func] Enable IPv6 support when using ioctl style interface
8492 scanning and OS supports SIOCGLIFADDR using struct
8495 1291. [func] Enable IPv6 support when using sysctl style interface
8498 1290. [func] "dig axfr" now reports the number of messages
8499 as well as the number of records.
8501 1289. [port] See if -ldl is required for OpenSSL? [RT #2672]
8503 1288. [bug] Adjusted REQUIRE's in lib/dns/name.c to better
8504 reflect written requirements.
8506 1287. [bug] REQUIRE that DNS_DBADD_MERGE only be set when adding
8507 a rdataset to a zone db in the rbtdb implementation of
8510 1286. [bug] dns_name_downcase() enforce requirement that
8511 target != NULL or name->buffer != NULL.
8513 1285. [func] lwres: probe the system to see what address families
8514 are currently in use.
8516 1284. [bug] The RTT estimate on unused servers was not aged.
8519 1283. [func] Use "dataready" accept filter if available.
8521 1282. [port] libbind: hpux 11.11 interface scanning.
8523 1281. [func] Log zone when unable to get private keys to update
8524 zone. Log zone when NXT records are missing from
8527 1280. [bug] libbind: escape '(' and ')' when converting to
8530 1279. [port] Darwin uses (unsigned long) for size_t. [RT #2590]
8532 1278. [func] dig: now supports +[no]cl +[no]ttlid.
8534 1277. [func] You can now create your own customized printing
8535 styles: dns_master_stylecreate() and
8536 dns_master_styledestroy().
8538 1276. [bug] libbind: const pointer conflicts in res_debug.c.
8540 1275. [port] libbind: hpux: treat all hpux systems as BIG_ENDIAN.
8542 1274. [bug] Memory leak in lwres_gnbarequest_parse().
8544 1273. [port] libbind: solaris: 64 bit binary compatibility.
8546 1272. [contrib] Berkeley DB 4.0 sdb implementation from
8547 Nuno Miguel Rodrigues <nmr@co.sapo.pt>.
8549 1271. [bug] "recursion available: {denied,approved}" was too
8552 1270. [bug] Check that system inet_pton() and inet_ntop() support
8555 1269. [port] Openserver: ifconfig.sh support.
8557 1268. [port] Openserver: the value FD_SETSIZE depends on whether
8558 <sys/param.h> is included or not. Be consistent.
8560 1267. [func] isc_file_openunique() now creates file using mode
8561 0666 rather than 0600.
8563 1266. [bug] ISC_LINK_INIT, ISC_LINK_UNLINK, ISC_LIST_DEQUEUE,
8564 __ISC_LINK_UNLINKUNSAFE and __ISC_LIST_DEQUEUEUNSAFE
8565 are not C++ compatible, use *_TYPE versions instead.
8567 1265. [bug] libbind: LINK_INIT and UNLINK were not compatible with
8568 C++, use LINK_INIT_TYPE and UNLINK_TYPE instead.
8572 1263. [bug] Reference after free error if dns_dispatchmgr_create()
8575 1262. [bug] ns_server_destroy() failed to set *serverp to NULL.
8577 1261. [func] libbind: ns_sign2() and ns_sign_tcp() now provide
8578 support for compressed TSIG owner names.
8580 1260. [func] libbind: res_update can now update IPv6 servers,
8581 new function res_findzonecut2().
8583 1259. [bug] libbind: get_salen() IPv6 support was broken for OSs
8586 1258. [bug] libbind: res_nametotype() and res_nametoclass() were
8589 1257. [bug] Failure to write pid-file should not be fatal on
8592 1256. [contrib] 'queryperf' now has EDNS (-e) + DNSSEC DO (-D) support.
8594 1255. [bug] When verifying that an NXT proves nonexistence, check
8595 the rcode of the message and only do the matching NXT
8596 check. That is, for NXDOMAIN responses, check that
8597 the name is in the range between the NXT owner and
8598 next name, and for NOERROR NODATA responses, check
8599 that the type is not present in the NXT bitmap.
8601 1254. [func] preferred-glue option from BIND 8.3.
8603 1253. [bug] The dnssec system test failed to remove the correct
8606 1252. [bug] Dig, host and nslookup were not checking the address
8607 the answer was coming from against the address it was
8610 1251. [port] win32: a make file contained absolute version specific
8613 1250. [func] Nsupdate will report the address the update was
8616 1249. [bug] Missing masters clause was not handled gracefully.
8619 1248. [bug] DESTDIR was not being propagated between makes.
8621 1247. [bug] Don't reset the interface index for link/site local
8622 addresses. [RT #2576]
8624 1246. [func] New functions isc_sockaddr_issitelocal(),
8625 isc_sockaddr_islinklocal(), isc_netaddr_issitelocal()
8626 and isc_netaddr_islinklocal().
8628 1245. [bug] Treat ENOBUFS, ENOMEM and ENFILE as soft errors for
8631 1244. [bug] Receiving a TCP message from a blackhole address would
8632 prevent further messages being received over that
8635 1243. [bug] It was possible to trigger a REQUIRE() in
8636 dns_message_findtype(). [RT #2659]
8638 1242. [bug] named-checkzone failed if a journal existed. [RT #2657]
8640 1241. [bug] Drop received UDP messages with a zero source port
8641 as these are invariably forged. [RT #2621]
8643 1240. [bug] It was possible to leak zone references by
8644 specifying an incorrect zone to rndc.
8646 1239. [bug] Under certain circumstances named could continue to
8647 use a name after it had been freed triggering
8648 INSIST() failures. [RT #2614]
8650 1238. [bug] It is possible to lockup the server when shutting down
8651 if notifies were being processed. [RT #2591]
8653 1237. [bug] nslookup: "set q=type" failed.
8655 1236. [bug] dns_rdata{class,type}_fromtext() didn't handle non
8656 NULL terminated text regions. [RT #2588]
8658 1235. [func] Report 'out of memory' errors from openssl.
8660 1234. [bug] contrib/sdb: 'zonetodb' failed to call
8661 dns_result_register(). DNS_R_SEENINCLUDE should not
8664 1233. [bug] The flags field of a KEY record can be expressed in
8665 hex as well as decimal.
8667 1232. [bug] unix/errno2result() didn't handle EADDRNOTAVAIL.
8669 1231. [port] HPUX 11.11 recvmsg() can return spurious EADDRNOTAVAIL.
8671 1230. [bug] isccc_cc_isreply() and isccc_cc_isack() were broken.
8673 1229. [bug] named would crash if it received a TSIG signed
8674 query as part of an AXFR response. [RT #2570]
8676 1228. [bug] 'make install' did not depend on 'make all'. [RT #2559]
8678 1227. [bug] dns_lex_getmastertoken() now returns ISC_R_BADNUMBER
8679 if a number was expected and some other token was
8682 1226. [func] Use EDNS for zone refresh queries. [RT #2551]
8684 1225. [func] dns_message_setopt() no longer requires that
8685 dns_message_renderbegin() to have been called.
8687 1224. [bug] 'rrset-order' and 'sortlist' should be additive
8690 1223. [func] 'rrset-order' partially works 'cyclic' and 'random'
8693 1222. [bug] Specifying 'port *' did not always result in a system
8694 selected (non-reserved) port being used. [RT #2537]
8696 1221. [bug] Zone types 'master', 'slave' and 'stub' were not being
8697 compared case insensitively. [RT #2542]
8699 1220. [func] Support for APL rdata type.
8701 1219. [func] Named now reports the TSIG extended error code when
8702 signature verification fails. [RT #1651]
8704 1218. [bug] Named incorrectly returned SERVFAIL rather than
8705 NOTAUTH when there was a TSIG BADTIME error. [RT #2519]
8707 1217. [func] Report locations of previous key definition when a
8708 duplicate is detected.
8710 1216. [bug] Multiple server clauses for the same server were not
8711 reported. [RT #2514]
8713 1215. [port] solaris: add support to ifconfig.sh for x86 2.5.1
8715 1214. [bug] Win32: isc_file_renameunique() could leave zero length
8718 1213. [func] Report view associated with client if it is not a
8719 standard view (_default or _bind).
8721 1212. [port] libbind: 64k answer buffers were causing stack space
8722 to be exceeded for certain OS. Use heap space instead.
8724 1211. [bug] dns_name_fromtext() incorrectly handled certain
8725 valid octal bitlabels. [RT #2483]
8727 1210. [bug] libbind: getnameinfo() failed to lookup IPv4 mapped /
8728 compatible addresses. [RT #2461]
8730 1209. [bug] Dig, host, nslookup were not checking the message ids
8731 on the responses. [RT #2454]
8733 1208. [bug] dns_master_load*() failed to log a error message if
8734 an error was detected when parsing the owner name of
8735 a record. [RT #2448]
8737 1207. [bug] libbind: getaddrinfo() could call freeaddrinfo() with
8740 1206. [bug] SERVFAIL and NOTIMP responses to an EDNS query should
8741 trigger a non-EDNS retry.
8743 1205. [bug] OPT, TSIG and TKEY cannot be used to set the "class"
8744 of the message. [RT #2449]
8746 1204. [bug] libbind: res_nupdate() failed to update the name
8747 server addresses before sending the update.
8749 1203. [func] Report locations of previous acl and zone definitions
8750 when a duplicate is detected.
8752 1202. [func] New functions: cfg_obj_line() and cfg_obj_file().
8754 1201. [bug] Require that if 'callbacks' is passed to
8755 dns_rdata_fromtext(), callbacks->error and
8756 callbacks->warn are initialized.
8758 1200. [bug] Log 'errno' that we are unable to convert to
8759 isc_result_t. [RT #2404]
8761 1199. [doc] ARM reference to RFC 2157 should have been RFC 1918.
8764 1198. [bug] OPT printing style was not consistent with the way the
8765 header fields are printed. The DO bit was not reported
8766 if set. Report if any of the MBZ bits are set.
8768 1197. [bug] Attempts to define the same acl multiple times were not
8771 1196. [contrib] update mdnkit to 2.2.3.
8773 1195. [bug] Attempts to redefine builtin acls should be caught.
8776 1194. [bug] Not all duplicate zone definitions were being detected
8777 at the named.conf checking stage. [RT #2431]
8779 1193. [bug] dig +besteffort parsing didn't handle packet
8780 truncation. dns_message_parse() has new flag
8781 DNS_MESSAGE_IGNORETRUNCATION.
8783 1192. [bug] The seconds fields in LOC records were restricted
8784 to three decimal places. More decimal places should
8785 be allowed but warned about.
8787 1191. [bug] A dynamic update removing the last non-apex name in
8788 a secure zone would fail. [RT #2399]
8790 1190. [func] Add the "rndc freeze" and "rndc unfreeze" commands.
8793 1189. [bug] On some systems, malloc(0) returns NULL, which
8794 could cause the caller to report an out of memory
8797 1188. [bug] Dynamic updates of a signed zone would fail if
8798 some of the zone private keys were unavailable.
8800 1187. [bug] named was incorrectly returning DNSSEC records
8801 in negative responses when the DO bit was not set.
8803 1186. [bug] isc_hex_tobuffer(,,length = 0) failed to unget the
8804 EOL token when reading to end of line.
8806 1185. [bug] libbind: don't assume statp->_u._ext.ext is valid
8807 unless RES_INIT is set when calling res_*init().
8809 1184. [bug] libbind: call res_ndestroy() if RES_INIT is set
8810 when res_*init() is called.
8812 1183. [bug] Handle ENOSR error when writing to the internal
8813 control pipe. [RT #2395]
8815 1182. [bug] The server could throw an assertion failure when
8816 constructing a negative response packet.
8818 1181. [func] Add the "key-directory" configuration statement,
8819 which allows the server to look for online signing
8820 keys in alternate directories.
8822 1180. [func] dnssec-keygen should always generate keys with
8823 protocol 3 (DNSSEC), since it's less confusing
8826 1179. [func] Add SIG(0) support to nsupdate.
8828 1178. [bug] Follow and cache (if appropriate) A6 and other
8829 data chains to completion in the additional section.
8831 1177. [func] Report view when loading zones if it is not a
8832 standard view (_default or _bind). [RT #2270]
8834 1176. [doc] Document that allow-v6-synthesis is only performed
8835 for clients that are supplied recursive service.
8838 1175. [bug] named-checkzone and named-checkconf failed to call
8839 dns_result_register() at startup which could
8840 result in runtime exceptions when printing
8841 "out of memory" errors. [RT #2335]
8843 1174. [bug] Win32: add WSAECONNRESET to the expected errors
8844 from connect(). [RT #2308]
8846 1173. [bug] Potential memory leaks in isc_log_create() and
8847 isc_log_settag(). [RT #2336]
8849 1172. [doc] Add CERT, GPOS, KX, NAPTR, NSAP, PX and TXT to
8850 table of RR types in ARM.
8852 1171. [func] Added function isc_region_compare(), updated files in
8853 lib/dns to use this function instead of local one.
8855 1170. [bug] Don't attempt to print the token when a I/O error
8856 occurs when parsing named.conf. [RT #2275]
8858 1169. [func] Identify recursive queries in the query log.
8860 1168. [bug] Empty also-notify clauses were not handled. [RT #2309]
8862 1167. [contrib] nslint-2.1a3 (from author).
8864 1166. [bug] "Not Implemented" should be reported as NOTIMP,
8865 not NOTIMPL. [RT #2281]
8867 1165. [bug] We were rejecting notify-source{-v6} in zone clauses.
8869 1164. [bug] Empty masters clauses in slave / stub zones were not
8870 handled gracefully. [RT #2262]
8872 1163. [func] isc_time_formattimestamp() now includes the year.
8874 1162. [bug] The allow-notify option was not accepted in slave
8877 1161. [bug] named-checkzone looped on unbalanced brackets.
8880 1160. [bug] Generating Diffie-Hellman keys longer than 1024
8881 bits could fail. [RT #2241]
8883 1159. [bug] MD and MF are not permitted to be loaded by RFC1123.
8885 1158. [func] Report the client's address when logging notify
8888 1157. [func] match-clients and match-destinations now accept
8891 1156. [port] The configure test for strsep() incorrectly
8892 succeeded on certain patched versions of
8893 AIX 4.3.3. [RT #2190]
8895 1155. [func] Recover from master files being removed from under
8898 1154. [bug] Don't attempt to obtain the netmask of a interface
8899 if there is no address configured. [RT #2176]
8901 1153. [func] 'rndc {stop|halt} -p' now reports the process id
8902 of the instance of named being shutdown.
8904 1152. [bug] libbind: read buffer overflows.
8906 1151. [bug] nslookup failed to check that the arguments to
8907 the port, timeout, and retry options were
8908 valid integers and in range. [RT #2099]
8910 1150. [bug] named incorrectly accepted TTL values
8911 containing plus or minus signs, such as
8914 1149. [func] New function isc_parse_uint32().
8916 1148. [func] 'rndc-confgen -a' now provides positive feedback.
8918 1147. [func] Set IPV6_V6ONLY on IPv6 sockets if supported by
8919 the OS. listen-on-v6 { any; }; should no longer
8920 result in IPv4 queries be accepted. Similarly
8921 control { inet :: ... }; should no longer result
8922 in IPv4 connections being accepted. This can be
8923 overridden at compile time by defining
8926 1146. [func] Allow IPV6_IPV6ONLY to be set/cleared on a socket if
8927 supported by the OS by a new function
8928 isc_socket_ipv6only().
8930 1145. [func] "host" no longer reports a NOERROR/NODATA response
8931 by printing nothing. [RT #2065]
8933 1144. [bug] rndc-confgen would crash if both the -a and -t
8934 options were specified. [RT #2159]
8936 1143. [bug] When a trusted-keys statement was present and named
8937 was built without crypto support, it would leak memory.
8939 1142. [bug] dnssec-signzone would fail to delete temporary files
8940 in some failure cases. [RT #2144]
8942 1141. [bug] When named rejected a control message, it would
8943 leak a file descriptor and memory. It would also
8944 fail to respond, causing rndc to hang.
8947 1140. [bug] rndc-confgen did not accept IPv6 addresses as arguments
8948 to the -s option. [RT #2138]
8950 1139. [func] It is now possible to flush a given name from the
8951 cache(s) via 'rndc flushname name [view]'. [RT #2051]
8953 1138. [func] It is now possible to flush a given name from the
8954 cache by calling the new function
8955 dns_cache_flushname().
8957 1137. [func] It is now possible to flush a given name from the
8958 ADB by calling the new function dns_adb_flushname().
8960 1136. [bug] CNAME records synthesized from DNAMEs did not
8961 have a TTL of zero as required by RFC2672.
8964 1135. [func] You can now override the default syslog() facility for
8965 named/lwresd at compile time. [RT #1982]
8967 1134. [bug] Multi-threaded servers could deadlock in ferror()
8968 when reloading zone files. [RT #1951, #1998]
8970 1133. [bug] IN6_IS_ADDR_LOOPBACK was not portably defined on
8971 platforms without IN6_IS_ADDR_LOOPBACK. [RT #2106]
8973 1132. [func] Improve UPDATE prerequisite failure diagnostic messages.
8975 1131. [bug] The match-destinations view option did not work with
8976 IPv6 destinations. [RT #2073, #2074]
8978 1130. [bug] Log messages reporting an out-of-range serial number
8979 did not include the out-of-range number but the
8980 following token. [RT #2076]
8982 1129. [bug] Multi-threaded servers could crash under heavy
8983 resolution load due to a race condition. [RT #2018]
8985 1128. [func] sdb drivers can now provide RR data in either text
8986 or wire format, the latter using the new functions
8987 dns_sdb_putrdata() and dns_sdb_putnamedrdata().
8989 1127. [func] rndc: If the server to contact has multiple addresses,
8992 1126. [bug] The server could access a freed event if shut
8993 down while a client start event was pending
8994 delivery. [RT #2061]
8996 1125. [bug] rndc: -k option was missing from usage message.
8999 1124. [doc] dig: +[no]dnssec, +[no]besteffort and +[no]fail
9000 are now documented. [RT #2052]
9002 1123. [bug] dig +[no]fail did not match description. [RT #2052]
9004 1122. [tuning] Resolution timeout reduced from 90 to 30 seconds.
9007 1121. [bug] The server could attempt to access a NULL zone
9008 table if shut down while resolving.
9011 1120. [bug] Errors in options were not fatal. [RT #2002]
9013 1119. [func] Added support in Win32 for NTFS file/directory ACL's
9016 1118. [bug] On multi-threaded servers, a race condition
9017 could cause an assertion failure in resolver.c
9018 during resolver shutdown. [RT #2029]
9020 1117. [port] The configure check for in6addr_loopback incorrectly
9021 succeeded on AIX 4.3 when compiling with -O2
9022 because the test code was optimized away.
9025 1116. [bug] Setting transfers in a server clause, transfers-in,
9026 or transfers-per-ns to a value greater than
9027 2147483647 disabled transfers. [RT #2002]
9029 1115. [func] Set maximum values for cleaning-interval,
9030 heartbeat-interval, interface-interval,
9031 max-transfer-idle-in, max-transfer-idle-out,
9032 max-transfer-time-in, max-transfer-time-out,
9033 statistics-interval of 28 days and
9034 sig-validity-interval of 3660 days. [RT #2002]
9036 1114. [port] Ignore more accept() errors. [RT #2021]
9038 1113. [bug] The allow-update-forwarding option was ignored
9039 when specified in a view. [RT #2014]
9043 1111. [bug] Multi-threaded servers could deadlock processing
9044 recursive queries due to a locking hierarchy
9045 violation in adb.c. [RT #2017]
9047 1110. [bug] dig should only accept valid abbreviations of +options.
9050 1109. [bug] nsupdate accepted illegal ttl values.
9052 1108. [bug] On Win32, rndc was hanging when named was not running
9053 due to failure to select for exceptional conditions
9054 in select(). [RT #1870]
9056 1107. [bug] nsupdate could catch an assertion failure if an
9057 invalid domain name was given as the argument to
9060 1106. [bug] After seeing an out of range TTL, nsupdate would
9061 treat all TTLs as out of range. [RT #2001]
9063 1105. [port] OpenUNIX 8 enable threads by default. [RT #1970]
9065 1104. [bug] Invalid arguments to the transfer-format option
9066 could cause an assertion failure. [RT #1995]
9068 1103. [port] OpenUNIX 8 support (ifconfig.sh). [RT #1970]
9070 1102. [doc] Note that query logging is enabled by directing the
9071 queries category to a channel.
9073 1101. [bug] Array bounds read error in lwres_gai_strerror.
9075 1100. [bug] libbind: DNSSEC key ids were computed incorrectly.
9077 1099. [cleanup] libbind: defining REPORT_ERRORS in lib/bind/dst caused
9078 compile time errors.
9080 1098. [bug] libbind: HMAC-MD5 key files are now mode 0600.
9082 1097. [func] libbind: RES_PRF_TRUNC for dig.
9084 1096. [func] libbind: "DNSSEC OK" (DO) support.
9086 1095. [func] libbind: resolver option: no-tld-query. disables
9087 trying unqualified as a tld. no_tld_query is also
9088 supported for FreeBSD compatibility.
9090 1094. [func] libbind: add support gcc's format string checking.
9092 1093. [doc] libbind: miscellaneous nroff fixes.
9094 1092. [bug] libbind: get*by*() failed to check if res_init() had
9097 1091. [bug] libbind: misplaced va_end().
9099 1090. [bug] libbind: dns_ho.c:add_hostent() was not returning
9100 the amount of memory consumed resulting in garbage
9101 address being returned. Alignment calculations were
9102 wasting space. We weren't suppressing duplicate
9105 1089. [func] libbind: inet_{cidr,net}_{pton,ntop}() now have IPv6
9108 1088. [port] libbind: MPE/iX C.70 (incomplete)
9110 1087. [bug] libbind: struct __res_state too large on 64 bit arch.
9112 1086. [port] libbind: sunos: old sprintf.
9114 1085. [port] libbind: solaris: sys_nerr and sys_errlist do not
9115 exist when compiling in 64 bit mode.
9117 1084. [cleanup] libbind: gai_strerror() rewritten.
9119 1083. [bug] The default control channel listened on the
9120 wildcard address, not the loopback as documented.
9123 1082. [bug] The -g option to named incorrectly caused logging
9124 to be sent to syslog in addition to stderr.
9127 1081. [bug] Multicast queries were incorrectly identified
9128 based on the source address, not the destination
9131 1080. [bug] BIND 8 compatibility: accept bare IP prefixes
9132 as the second element of a two-element top level
9133 sort list statement. [RT #1964]
9135 1079. [bug] BIND 8 compatibility: accept bare elements at top
9136 level of sort list treating them as if they were
9137 a single element list. [RT #1963]
9139 1078. [bug] We failed to correct bad tv_usec values in one case.
9142 1077. [func] Do not accept further recursive clients when
9143 the total number of recursive lookups being
9144 processed exceeds max-recursive-clients, even
9145 if some of the lookups are internally generated.
9148 1076. [bug] A badly defined global key could trigger an assertion
9149 on load/reload if views were used. [RT #1947]
9151 1075. [bug] Out-of-range network prefix lengths were not
9152 reported. [RT #1954]
9154 1074. [bug] Running out of memory in dump_rdataset() could
9155 cause an assertion failure. [RT #1946]
9157 1073. [bug] The ADB cache cleaning should also be space driven.
9160 1072. [bug] The TCP client quota could be exceeded when
9161 recursion occurred. [RT #1937]
9163 1071. [bug] Sockets listening for TCP DNS connections
9164 specified an excessive listen backlog. [RT #1937]
9166 1070. [bug] Copy DNSSEC OK (DO) to response as specified by
9167 draft-ietf-dnsext-dnssec-okbit-03.txt.
9171 1068. [bug] errno could be overwritten by catgets(). [RT #1921]
9173 1067. [func] Allow quotas to be soft, isc_quota_soft().
9175 1066. [bug] Provide a thread safe wrapper for strerror().
9178 1065. [func] Runtime support to select new / old style interface
9179 scanning using ioctls.
9181 1064. [bug] Do not shut down active network interfaces if we
9182 are unable to scan the interface list. [RT #1921]
9184 1063. [bug] libbind: "make install" was failing on IRIX.
9187 1062. [bug] If the control channel listener socket was shut
9188 down before server exit, the listener object could
9189 be freed twice. [RT #1916]
9191 1061. [bug] If periodic cache cleaning happened to start
9192 while cleaning due to reaching the configured
9193 maximum cache size was in progress, the server
9194 could catch an assertion failure. [RT #1912]
9196 1060. [func] Move refresh, stub and notify UDP retry processing
9199 1059. [func] dns_request now support will now retry UDP queries,
9200 dns_request_createvia2() and dns_request_createraw2().
9202 1058. [func] Limited lifetime ticker timers are now available,
9203 isc_timertype_limited.
9205 1057. [bug] Reloading the server after adding a "file" clause
9206 to a zone statement could cause the server to
9207 crash due to a typo in change 1016.
9209 1056. [bug] Rndc could catch an assertion failure on SIGINT due
9210 to an uninitialized variable. [RT #1908]
9212 1055. [func] Version and hostname queries can now be disabled
9213 using "version none;" and "hostname none;",
9216 1054. [bug] On Win32, cfg_categories and cfg_modules need to be
9217 exported from the libisccfg DLL.
9219 1053. [bug] Dig did not increase its timeout when receiving
9220 AXFRs unless the +time option was used. [RT #1904]
9222 1052. [bug] Journals were not being created in binary mode
9223 resulting in "journal format not recognized" error
9224 under Win32. [RT #1889]
9226 1051. [bug] Do not ignore a network interface completely just
9227 because it has a noncontiguous netmask. Instead,
9228 omit it from the localnets ACL and issue a warning.
9231 1050. [bug] Log messages reporting malformed IP addresses in
9232 address lists such as that of the forwarders option
9233 failed to include the correct error code, file
9234 name, and line number. [RT #1890]
9236 1049. [func] "pid-file none;" will disable writing a pid file.
9239 1048. [bug] Servers built with -DISC_MEM_USE_INTERNAL_MALLOC=1
9242 1047. [bug] named was incorrectly refusing all requests signed
9243 with a TSIG key derived from an unsigned TKEY
9244 negotiation with a NOERROR response. [RT #1886]
9246 1046. [bug] The help message for the --with-openssl configure
9247 option was inaccurate. [RT #1880]
9249 1045. [bug] It was possible to skip saving glue for a nameserver
9252 1044. [bug] Specifying allow-transfer, notify-source, or
9253 notify-source-v6 in a stub zone was not treated
9256 1043. [bug] Specifying a transfer-source or transfer-source-v6
9257 option in the zone statement for a master zone was
9258 not treated as an error. [RT #1876]
9260 1042. [bug] The "config" logging category did not work properly.
9263 1041. [bug] Dig/host/nslookup could catch an assertion failure
9264 on SIGINT due to an uninitialized variable. [RT #1867]
9266 1040. [bug] Multiple listen-on-v6 options with different ports
9267 were not accepted. [RT #1875]
9269 1039. [bug] Negative responses with CNAMEs in the answer section
9270 were cached incorrectly. [RT #1862]
9272 1038. [bug] In servers configured with a tkey-domain option,
9273 TKEY queries with an owner name other than the root
9274 could cause an assertion failure. [RT #1866, #1869]
9276 1037. [bug] Negative responses whose authority section contain
9277 SOA or NS records whose owner names are not equal
9278 equal to or parents of the query name should be
9279 rejected. [RT #1862]
9281 1036. [func] Silently drop requests received via multicast as
9282 long as there is no final multicast DNS standard.
9284 1035. [bug] If we respond to multicast queries (which we
9285 currently do not), respond from a unicast address
9286 as specified in RFC 1123. [RT #137]
9288 1034. [bug] Ignore the RD bit on multicast queries as specified
9289 in RFC 1123. [RT #137]
9291 1033. [bug] Always respond to requests with an unsupported opcode
9292 with NOTIMP, even if we don't have a matching view
9293 or cannot determine the class.
9295 1032. [func] hostname.bind/txt/chaos now returns the name of
9296 the machine hosting the nameserver. This is useful
9297 in diagnosing problems with anycast servers.
9299 1031. [bug] libbind.a: isc__gettimeofday() infinite recursion.
9302 1030. [bug] On systems with no resolv.conf file, nsupdate
9303 exited with an error rather than defaulting
9304 to using the loopback address. [RT #1836]
9306 1029. [bug] Some named.conf errors did not cause the loading
9307 of the configuration file to return a failure
9308 status even though they were logged. [RT #1847]
9310 1028. [bug] On Win32, dig/host/nslookup looked for resolv.conf
9311 in the wrong directory. [RT #1833]
9313 1027. [bug] RRs having the reserved type 0 should be rejected.
9318 1025. [bug] Don't use multicast addresses to resolve iterative
9321 1024. [port] Compilation failed on HP-UX 11.11 due to
9322 incompatible use of the SIOCGLIFCONF macro
9325 1023. [func] Accept hints without TTLs.
9327 1022. [bug] Don't report empty root hints as "extra data".
9330 1021. [bug] On Win32, log message timestamps were one month
9331 later than they should have been, and the server
9332 would exhibit unspecified behavior in December.
9334 1020. [bug] IXFR log messages did not distinguish between
9335 true IXFRs, AXFR-style IXFRs, and mere version
9338 1019. [bug] The value of the lame-ttl option was limited to 18000
9339 seconds, not 1800 seconds as documented. [RT #1803]
9341 1018. [bug] The default log channel was not always initialized
9342 correctly. [RT #1813]
9344 1017. [bug] When specifying TSIG keys to dig and nsupdate using
9345 the -k option, they must be HMAC-MD5 keys. [RT #1810]
9347 1016. [bug] Slave zones with no backup file were re-transferred
9348 on every server reload.
9350 1015. [bug] Log channels that had a "versions" option but no
9351 "size" option failed to create numbered log
9354 1014. [bug] Some queries would cause statistics counters to
9355 increment more than once or not at all. [RT #1321]
9357 1013. [bug] It was possible to cancel a query twice when marking
9358 a server as bogus or by having a blackhole acl.
9361 1012. [bug] The -p option to named did not behave as documented.
9363 1011. [cleanup] Removed isc_dir_current().
9365 1010. [bug] The server could attempt to execute a command channel
9366 command after initiating server shutdown, causing
9367 an assertion failure. [RT #1766]
9369 1009. [port] OpenUNIX 8 support. [RT #1728]
9371 1008. [port] libtool.m4, ltmain.sh from libtool-1.4.2.
9373 1007. [port] config.guess, config.sub from autoconf-2.52.
9375 1006. [bug] If a KEY RR was found missing during DNSSEC validation,
9376 an assertion failure could subsequently be triggered
9377 in the resolver. [RT #1763]
9379 1005. [bug] Don't copy nonzero RCODEs from request to response.
9382 1004. [port] Deal with recvfrom() returning EHOSTDOWN. [RT #1770]
9384 1003. [func] Add the +retry option to dig.
9386 1002. [bug] When reporting an unknown class name in named.conf,
9387 including the file name and line number. [RT #1759]
9389 1001. [bug] win32 socket code doio_recv was not catching a
9390 WSACONNRESET error when a client was timing out
9391 the request and closing its socket. [RT #1745]
9393 1000. [bug] BIND 8 compatibility: accept "HESIOD" as an alias
9394 for class "HS". [RT #1759]
9396 999. [func] "rndc retransfer zone [class [view]]" added.
9399 998. [func] named-checkzone now has arguments to specify the
9400 chroot directory (-t) and working directory (-w).
9403 997. [func] Add support for RSA-SHA1 keys (RFC3110).
9405 996. [func] Issue warning if the configuration filename contains
9408 995. [bug] dig, host, nslookup: using a raw IPv6 address as a
9409 target address should be fatal on a IPv4 only system.
9411 994. [func] Treat non-authoritative responses to queries for type
9412 NS as referrals even if the NS records are in the
9413 answer section, because BIND 8 servers incorrectly
9414 send them that way. This is necessary for DNSSEC
9415 validation of the NS records of a secure zone to
9416 succeed when the parent is a BIND 8 server. [RT #1706]
9418 993. [func] dig: -v now reports the version.
9420 992. [doc] dig: ~/.digrc is now documented.
9422 991. [func] Lower UDP refresh timeout messages to level
9425 990. [bug] The rndc-confgen man page was not installed.
9427 989. [bug] Report filename if $INCLUDE fails for file related
9430 988. [bug] 'additional-from-auth no;' did not work reliably
9431 in the case of queries answered from the cache.
9434 987. [bug] "dig -help" didn't show "+[no]stats".
9436 986. [bug] "dig +noall" failed to clear stats and command
9439 985. [func] Consider network interfaces to be up iff they have
9440 a nonzero IP address rather than based on the
9441 IFF_UP flag. [RT #1160]
9443 984. [bug] Multi-threading should be enabled by default on
9444 Solaris 2.7 and newer, but it wasn't.
9446 983. [func] The server now supports generating IXFR difference
9447 sequences for non-dynamic zones by comparing zone
9448 versions, when enabled using the new config
9449 option "ixfr-from-differences". [RT #1727]
9451 982. [func] If "memstatistics-file" is set in options the memory
9452 statistics will be written to it.
9454 981. [func] The dnssec tools can now take multiple '-r randomfile'
9457 980. [bug] Incoming zone transfers restarting after an error
9458 could trigger an assertion failure. [RT #1692]
9460 979. [func] Incremental master file dumping. dns_master_dumpinc(),
9461 dns_master_dumptostreaminc(), dns_dumpctx_attach(),
9462 dns_dumpctx_detach(), dns_dumpctx_cancel(),
9463 dns_dumpctx_db() and dns_dumpctx_version().
9465 978. [bug] dns_db_attachversion() had an invalid REQUIRE()
9468 977. [bug] Improve "not at top of zone" error message.
9470 976. [func] named-checkconf can now test load master zones
9471 (named-checkconf -z). [RT #1468]
9473 975. [bug] "max-cache-size default;" as a view option
9474 caused an assertion failure.
9476 974. [bug] "max-cache-size unlimited;" as a global option
9479 973. [bug] Failed to log the question name when logging:
9480 "bad zone transfer request: non-authoritative zone
9483 972. [bug] The file modification time code in zone.c was using the
9484 wrong epoch. [RT #1667]
9488 970. [func] 'max-journal-size' can now be used to set a target
9491 969. [func] dig now supports the undocumented dig 8 feature
9492 of allowing arbitrary labels, not just dotted
9493 decimal quads, with the -x option. This can be
9494 used to conveniently look up RFC2317 names as in
9495 "dig -x 10.0.0.0-127". [RT #827, #1576, #1598]
9497 968. [bug] On win32, the isc_time_now() function was unnecessarily
9498 calling strtime(). [RT #1671]
9500 967. [bug] On win32, the link for bindevt was not including the
9501 required resource file to enable the event viewer
9502 to interpret the error messages in the event log,
9507 965. [bug] Including data other than root server NS and A
9508 records in the root hint file could cause a rbtdb
9509 node reference leak. [RT #1581, #1618]
9511 964. [func] Warn if data other than root server NS and A records
9512 are found in the root hint file. [RT #1581, #1618]
9514 963. [bug] Bad ISC_LANG_ENDDECLS. [RT #1645]
9516 962. [bug] libbind: bad "#undef", don't attempt to install
9517 non-existent nlist.h. [RT #1640]
9519 961. [bug] Tried to use a IPV6 feature when ISC_PLATFORM_HAVEIPV6
9520 was not defined. [RT #1482]
9522 960. [port] liblwres failed to build on systems with support for
9523 getrrsetbyname() in the OS. [RT #1592]
9525 959. [port] On FreeBSD, determine the number of CPUs by calling
9526 sysctlbyname(). [RT #1584]
9528 958. [port] ssize_t is not available on all platforms. [RT #1607]
9530 957. [bug] sys/select.h inclusion was broken on older platforms.
9533 956. [bug] ns_g_autorndcfile changed to ns_g_keyfile
9534 in named/win32/os.c due to code changes in
9535 change #953. win32 .make file for rndc-confgen
9536 updated to add include path for os.h header.
9538 --- 9.2.0rc1 released ---
9540 955. [bug] When using views, the zone's class was not being
9541 inherited from the view's class. [RT #1583]
9543 954. [bug] When requesting AXFRs or IXFRs using dig, host, or
9544 nslookup, the RD bit should not be set as zone
9545 transfers are inherently non-recursive. [RT #1575]
9547 953. [func] The /var/run/named.key file from change #843
9548 has been replaced by /etc/rndc.key. Both
9549 named and rndc will look for this file and use
9550 it to configure a default control channel key
9551 if not already configured using a different
9552 method (rndc.conf / controls). Unlike
9553 named.key, rndc.key is not created automatically;
9554 it must be created by manually running
9557 952. [bug] The server required manual intervention to serve the
9558 affected zones if it died between creating a journal
9559 and committing the first change to it.
9561 951. [bug] CFLAGS was not passed to the linker when
9562 linking some of the test programs under
9563 bin/tests. [RT #1555].
9565 950. [bug] Explicit TTLs did not properly override $TTL
9566 due to a bug in change 834. [RT #1558]
9568 949. [bug] host was unable to print records larger than 512
9571 --- 9.2.0b2 released ---
9573 948. [port] Integrated support for building on Windows NT /
9576 947. [bug] dns_rdata_soa_t had a badly named element "mname" which
9577 was really the RNAME field from RFC1035. To avoid
9578 confusion and silent errors that would occur it the
9579 "origin" and "mname" elements were given their correct
9580 names "mname" and "rname" respectively, the "mname"
9581 element is renamed to "contact".
9583 946. [cleanup] doc/misc/options is now machine-generated from the
9584 configuration parser syntax tables, and therefore
9585 more likely to be correct.
9587 945. [func] Add the new view-specific options
9588 "match-destinations" and "match-recursive-only".
9590 944. [func] Check for expired signatures on load.
9592 943. [bug] The server could crash when receiving a command
9593 via rndc if the configuration file listed only
9594 nonexistent keys in the controls statement. [RT #1530]
9596 942. [port] libbind: GETNETBYADDR_ADDR_T was not correctly
9597 defined on some platforms.
9599 941. [bug] The configuration checker crashed if a slave
9600 zone didn't contain a masters statement. [RT #1514]
9602 940. [bug] Double zone locking failure on error path. [RT #1510]
9604 --- 9.2.0b1 released ---
9606 939. [port] Add the --disable-linux-caps option to configure for
9607 systems that manage capabilities outside of named.
9612 937. [bug] A race when shutting down a zone could trigger a
9613 INSIST() failure. [RT #1034]
9615 936. [func] Warn about IPv4 addresses that are not complete
9616 dotted quads. [RT #1084]
9618 935. [bug] inet_pton failed to reject leading zeros.
9620 934. [port] Deal with systems where accept() spuriously returns
9623 933. [bug] configure failed doing libbind on platforms not
9624 supported by BIND 8. [RT #1496]
9626 --- 9.2.0a3 released ---
9628 932. [bug] Use INSTALL_SCRIPT, not INSTALL_PROGRAM,
9629 when installing isc-config.sh.
9632 931. [bug] The controls statement only attempted to verify
9633 messages using the first key in the key list.
9636 930. [func] Query performance testing tool added as
9641 928. [bug] nsupdate would send empty update packets if the
9642 send (or empty line) command was run after
9643 another send but before any new updates or
9644 prerequisites were specified. It should simply
9645 ignore this command.
9647 927. [bug] Don't hold the zone lock for the entire dump to disk.
9650 926. [bug] The resolver could deadlock with the ADB when
9651 shutting down (multi-threaded builds only).
9654 925. [cleanup] Remove openssl from the distribution; require that
9655 --with-openssl be specified if DNSSEC is needed.
9657 924. [port] Extend support for pre-RFC2133 IPv6 implementation.
9660 923. [bug] Multiline TSIG secrets (and other multiline strings)
9661 were not accepted in named.conf. [RT #1469]
9663 922. [func] Added two new lwres_getrrsetbyname() result codes,
9664 ERR_NONAME and ERR_NODATA.
9666 921. [bug] lwres returned an incorrect error code if it received
9667 a truncated message.
9669 920. [func] Increase the lwres receive buffer size to 16K.
9674 918. [func] In nsupdate, TSIG errors are no longer treated as
9677 917. [func] New nsupdate command 'key', allowing TSIG keys to
9678 be specified in the nsupdate command stream rather
9679 than the command line.
9681 916. [bug] Specifying type ixfr to dig without specifying
9682 a serial number failed in unexpected ways.
9684 915. [func] The named-checkconf and named-checkzone programs
9685 now have a '-v' option for printing their version.
9688 914. [bug] Global 'server' statements were rejected when
9689 using views, even though they were accepted
9692 913. [bug] Cache cleaning was not sufficiently aggressive.
9695 912. [bug] Attempts to set the 'additional-from-cache' or
9696 'additional-from-auth' option to 'no' in a
9697 server with recursion enabled will now
9698 be ignored and cause a warning message.
9703 910. [port] Some pre-RFC2133 IPv6 implementations do not define
9704 IN6ADDR_ANY_INIT. [RT #1416]
9708 908. [func] New program, rndc-confgen, to simplify setting up rndc.
9710 907. [func] The ability to get entropy from either the
9711 random device, a user-provided file or from
9712 the keyboard was migrated from the DNSSEC tools
9713 to libisc as isc_entropy_usebestsource().
9715 906. [port] Separated the system independent portion of
9716 lib/isc/unix/entropy.c into lib/isc/entropy.c
9717 and added lib/isc/win32/entropy.c.
9719 905. [bug] Configuring a forward "zone" for the root domain
9720 did not work. [RT #1418]
9722 904. [bug] The server would leak memory if attempting to use
9723 an expired TSIG key. [RT #1406]
9725 903. [bug] dig should not crash when receiving a TCP packet
9728 902. [bug] The -d option was ignored if both -t and -g were also
9733 900. [bug] A config.guess update changed the system identification
9734 string of FreeBSD systems; configure and
9735 bin/tests/system/ifconfig.sh now recognize the new
9738 --- 9.2.0a2 released ---
9740 899. [bug] lib/dns/soa.c failed to compile on many platforms
9741 due to inappropriate use of a void value.
9742 [RT #1372, #1373, #1386, #1387, #1395]
9744 898. [bug] "dig" failed to set a nonzero exit status
9745 on UDP query timeout. [RT #1323]
9747 897. [bug] A config.guess update changed the system identification
9748 string of UnixWare systems; configure now recognizes
9751 896. [bug] If a configuration file is set on named's command line
9752 and it has a relative pathname, the current directory
9753 (after any possible jailing resulting from named -t)
9754 will be prepended to it so that reloading works
9755 properly even when a directory option is present.
9757 895. [func] New function, isc_dir_current(), akin to POSIX's
9760 894. [bug] When using the DNSSEC tools, a message intended to warn
9761 when the keyboard was being used because of the lack
9762 of a suitable random device was not being printed.
9764 893. [func] Removed isc_file_test() and added isc_file_exists()
9765 for the basic functionality that was being added
9766 with isc_file_test().
9770 891. [bug] Return an error when a SIG(0) signed response to
9771 an unsigned query is seen. This should actually
9772 do the verification, but it's not currently
9773 possible. [RT #1391]
9775 890. [cleanup] The man pages no longer require the mandoc macros
9776 and should now format cleanly using most versions of
9777 nroff, and HTML versions of the man pages have been
9778 added. Both are generated from DocBook source.
9780 889. [port] Eliminated blank lines before .TH in nroff man
9781 pages since they cause problems with some versions
9782 of nroff. [RT #1390]
9784 888. [bug] Don't die when using TKEY to delete a nonexistent
9785 TSIG key. [RT #1392]
9787 887. [port] Detect broken compilers that can't call static
9788 functions from inline functions. [RT #1212]
9830 866. [func] Close debug only file channels when debug is set to
9833 865. [bug] The new configuration parser did not allow
9834 the optional debug level in a "severity debug"
9835 clause of a logging channel to be omitted.
9836 This is now allowed and treated as "severity
9837 debug 1;" like it does in BIND 8.2.4, not as
9838 "severity debug 0;" like it did in BIND 9.1.
9841 864. [cleanup] Multi-threading is now enabled by default on
9842 OSF1, Solaris 2.7 and newer, AIX, IRIX, and HP-UX.
9844 863. [bug] If an error occurred while an outgoing zone transfer
9845 was starting up, the server could access a domain
9846 name that had already been freed when logging a
9847 message saying that the transfer was starting.
9850 862. [bug] Use after realloc(), non portable pointer arithmetic in
9853 861. [port] Add support for Mac OS X, by making it equivalent
9854 to Darwin. This was derived from the config.guess
9855 file shipped with Mac OS X. [RT #1355]
9857 860. [func] Drop cross class glue in zone transfers.
9859 859. [bug] Cache cleaning now won't swamp the CPU if there
9860 is a persistent over limit condition.
9862 858. [func] isc_mem_setwater() no longer requires that when the
9863 callback function is non-NULL then its hi_water
9864 argument must be greater than its lo_water argument
9865 (they can now be equal) or that they be non-zero.
9867 857. [cleanup] Use ISC_MAGIC() to define all magic numbers for
9868 structs, for our friends in EBCDIC-land.
9870 856. [func] Allow partial rdatasets to be returned in answer and
9871 authority sections to help non-TCP capable clients
9872 recover from truncation. [RT #1301]
9874 855. [bug] Stop spurious "using RFC 1035 TTL semantics" warnings.
9876 854. [bug] The config parser didn't properly handle config
9877 options that were specified in units of time other
9878 than seconds. [RT #1372]
9880 853. [bug] configure_view_acl() failed to detach existing acls.
9883 852. [bug] Handle responses from servers which do not know
9886 851. [cleanup] The obsolete support-ixfr option was not properly
9889 --- 9.2.0a1 released ---
9891 850. [bug] dns_rbt_findnode() would not find nodes that were
9892 split on a bitstring label somewhere other than in
9893 the last label of the node. [RT #1351]
9895 849. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined.
9897 848. [func] A minimum max-cache-size of two megabytes is enforced
9898 by the cache cleaner.
9900 847. [func] Added isc_file_test(), which currently only has
9901 some very basic functionality to test for the
9902 existence of a file, whether a pathname is absolute,
9903 or whether a pathname is the fundamental representation
9904 of the current directory. It is intended that this
9905 function can be expanded to test other things a
9906 programmer might want to know about a file.
9908 846. [func] A non-zero 'param' to dst_key_generate() when making an
9909 hmac-md5 key means that good entropy is not required.
9911 845. [bug] The access rights on the public file of a symmetric
9912 key are now restricted as soon as the file is opened,
9913 rather than after it has been written and closed.
9915 844. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined,
9916 just as <lwres/net.h> does.
9918 843. [func] If no controls statement is present in named.conf,
9919 or if any inet phrase of a controls statement is
9920 lacking a keys clause, then a key will be automatically
9921 generated by named and an rndc.conf-style file
9922 named named.key will be written that uses it. rndc
9923 will use this file only if its normal configuration
9924 file, or one provided on the command line, does not
9927 842. [func] 'rndc flush' now takes an optional view.
9929 841. [bug] When sdb modules were not declared threadsafe, their
9930 create and destroy functions were not serialized.
9932 840. [bug] The config file parser could print the wrong file
9933 name if an error was detected after an included file
9934 was parsed. [RT #1353]
9936 839. [func] Dump packets for which there was no view or that the
9937 class could not be determined to category "unmatched".
9939 838. [port] UnixWare 7.x.x is now suported by
9940 bin/tests/system/ifconfig.sh.
9942 837. [cleanup] Multi-threading is now enabled by default only on
9943 OSF1, Solaris 2.7 and newer, and AIX.
9945 836. [func] Upgraded libtool to 1.4.
9947 835. [bug] The dispatcher could enter a busy loop if
9948 it got an I/O error receiving on a UDP socket.
9951 834. [func] Accept (but warn about) master files beginning with
9952 an SOA record without an explicit TTL field and
9953 lacking a $TTL directive, by using the SOA MINTTL
9954 as a default TTL. This is for backwards compatibility
9955 with old versions of BIND 8, which accepted such
9956 files without warning although they are illegal
9957 according to RFC1035.
9959 833. [cleanup] Moved dns_soa_*() from <dns/journal.h> to
9960 <dns/soa.h>, and extended them to support
9961 all the integer-valued fields of the SOA RR.
9963 832. [bug] The default location for named.conf in named-checkconf
9964 should depend on --sysconfdir like it does in named.
9969 830. [func] Implement 'rndc status'.
9971 829. [bug] The DNS_R_ZONECUT result code should only be returned
9972 when an ANY query is made with DNS_DBFIND_GLUEOK set.
9973 In all other ANY query cases, returning the delegation
9976 828. [bug] The errno value from recvfrom() could be overwritten
9977 by logging code. [RT #1293]
9979 827. [bug] When an IXFR protocol error occurs, the slave
9980 should retry with AXFR.
9982 826. [bug] Some IXFR protocol errors were not detected.
9984 825. [bug] zone.c:ns_query() detached from the wrong zone
9985 reference. [RT #1264]
9987 824. [bug] Correct line numbers reported by dns_master_load().
9990 823. [func] The output of "dig -h" now goes to stdout so that it
9991 can easily be piped through "more". [RT #1254]
9993 822. [bug] Sending nxrrset prerequisites would crash nsupdate.
9996 821. [bug] The program name used when logging to syslog should
9997 be stripped of leading path components.
10000 820. [bug] Name server address lookups failed to follow
10001 A6 chains into the glue of local authoritative
10004 819. [bug] In certain cases, the resolver's attempts to
10005 restart an address lookup at the root could cause
10006 the fetch to deadlock (with itself) instead of
10007 restarting. [RT #1225]
10009 818. [bug] Certain pathological responses to ANY queries could
10010 cause an assertion failure. [RT #1218]
10012 817. [func] Adjust timeouts for dialup zone queries.
10014 816. [bug] Report potential problems with log file accessibility
10015 at configuration time, since such problems can't
10016 reliably be reported at the time they actually occur.
10018 815. [bug] If a log file was specified with a path separator
10019 character (i.e. "/") in its name and the directory
10020 did not exist, the log file's name was treated as
10021 though it were the directory name. [RT #1189]
10023 814. [bug] Socket objects left over from accept() failures
10024 were incorrectly destroyed, causing corruption
10025 of socket manager data structures.
10027 813. [bug] File descriptors exceeding FD_SETSIZE were handled
10030 812. [bug] dig sometimes printed incomplete IXFR responses
10031 due to an uninitialized variable. [RT #1188]
10033 811. [bug] Parentheses were not quoted in zone dumps. [RT #1194]
10035 810. [bug] The signer name in SIG records was not properly
10036 down-cased when signing/verifying records. [RT #1186]
10038 809. [bug] Configuring a non-local address as a transfer-source
10039 could cause an assertion failure during load.
10041 808. [func] Add 'rndc flush' to flush the server's cache.
10043 807. [bug] When setting up TCP connections for incoming zone
10044 transfers, the transfer-source port was not
10045 ignored like it should be.
10047 806. [bug] DNS_R_SEENINCLUDE was failing to propagate back up
10048 the calling stack to the zone maintenance level,
10049 causing zones to not reload when an included file was
10050 touched but the top-level zone file was not.
10052 805. [bug] When using "forward only", missing root hints should
10053 not cause queries to fail. [RT #1143]
10055 804. [bug] Attempting to obtain entropy could fail in some
10056 situations. This would be most common on systems
10057 with user-space threads. [RT #1131]
10059 803. [bug] Treat all SIG queries as if they have the CD bit set,
10060 otherwise no data will be returned [RT #749]
10062 802. [bug] DNSSEC key tags were computed incorrectly in almost
10063 all cases. [RT #1146]
10065 801. [bug] nsupdate should treat lines beginning with ';' as
10066 comments. [RT #1139]
10068 800. [bug] dnssec-signzone produced incorrect statistics for
10069 large zones. [RT #1133]
10071 799. [bug] The ADB didn't find AAAA glue in a zone unless A6
10072 glue was also present.
10074 798. [bug] nsupdate should be able to reject bad input lines
10075 and continue. [RT #1130]
10077 797. [func] Issue a warning if the 'directory' option contains
10078 a relative path. [RT #269]
10080 796. [func] When a size limit is associated with a log file,
10081 only roll it when the size is reached, not every
10082 time the log file is opened. [RT #1096]
10084 795. [func] Add the +multiline option to dig. [RT #1095]
10086 794. [func] Implement the "port" and "default-port" statements
10089 793. [cleanup] The DNSSEC tools could create filenames that were
10090 illegal or contained shell meta-characters. They
10091 now use a different text encoding of names that
10092 doesn't have these problems. [RT #1101]
10094 792. [cleanup] Replace the OMAPI command channel protocol with a
10097 791. [bug] The command channel now works over IPv6.
10099 790. [bug] Wildcards created using dynamic update or IXFR
10100 could fail to match. [RT #1111]
10102 789. [bug] The "localhost" and "localnets" ACLs did not match
10103 when used as the second element of a two-element
10106 788. [func] Add the "match-mapped-addresses" option, which
10107 causes IPv6 v4mapped addresses to be treated as
10108 IPv4 addresses for the purpose of acl matching.
10110 787. [bug] The DNSSEC tools failed to downcase domain
10111 names when mapping them into file names.
10113 786. [bug] When DNSSEC signing/verifying data, owner names were
10114 not properly down-cased.
10116 785. [bug] A race condition in the resolver could cause
10117 an assertion failure. [RT #673, #872, #1048]
10119 784. [bug] nsupdate and other programs would not quit properly
10120 if some signals were blocked by the caller. [RT #1081]
10122 783. [bug] Following CNAMEs could cause an assertion failure
10123 when either using an sdb database or under very
10126 782. [func] Implement the "serial-query-rate" option.
10128 781. [func] Avoid error packet loops by dropping duplicate FORMERR
10129 responses. [RT #1006]
10131 780. [bug] Error handling code dealing with out of memory or
10132 other rare errors could lead to assertion failures
10133 by calling functions on uninitialized names. [RT #1065]
10135 779. [func] Added the "minimal-responses" option.
10137 778. [bug] When starting cache cleaning, cleaning_timer_action()
10138 returned without first pausing the iterator, which
10139 could cause deadlock. [RT #998]
10141 777. [bug] An empty forwarders list in a zone failed to override
10142 global forwarders. [RT #995]
10144 776. [func] Improved error reporting in denied messages. [RT #252]
10148 774. [func] max-cache-size is implemented.
10150 773. [func] Added isc_rwlock_trylock() to attempt to lock without
10153 772. [bug] Owner names could be incorrectly omitted from cache
10154 dumps in the presence of negative caching entries.
10157 771. [cleanup] TSIG errors related to unsynchronized clocks
10158 are logged better. [RT #919]
10160 770. [func] Add the "edns yes_or_no" statement to the server
10163 769. [func] Improved error reporting when parsing rdata. [RT #740]
10165 768. [bug] The server did not emit an SOA when a CNAME
10166 or DNAME chain ended in NXDOMAIN in an
10167 authoritative zone.
10171 766. [bug] A few cases in query_find() could leak fname.
10172 This would trigger the mpctx->allocated == 0
10173 assertion when the server exited.
10174 [RT #739, #776, #798, #812, #818, #821, #845,
10177 765. [func] ACL names are once again case insensitive, like
10178 in BIND 8. [RT #252]
10180 764. [func] Configuration files now allow "include" directives
10181 in more places, such as inside the "view" statement.
10182 [RT #377, #728, #860]
10184 763. [func] Configuration files no longer have reserved words.
10187 762. [cleanup] The named.conf and rndc.conf file parsers have
10188 been completely rewritten.
10190 761. [bug] _REENTRANT was still defined when building with
10193 760. [contrib] Significant enhancements to the pgsql sdb driver.
10195 759. [bug] The resolver didn't turn off "avoid fetches" mode
10196 when restarting, possibly causing resolution
10197 to fail when it should not. This bug only affected
10198 platforms which support both IPv4 and IPv6. [RT #927]
10200 758. [bug] The "avoid fetches" code did not treat negative
10201 cache entries correctly, causing fetches that would
10202 be useful to be avoided. This bug only affected
10203 platforms which support both IPv4 and IPv6. [RT #927]
10205 757. [func] Log zone transfers.
10207 756. [bug] dns_zone_load() could "return" success when no master
10208 file was configured.
10210 755. [bug] Fix incorrectly formatted log messages in zone.c.
10212 754. [bug] Certain failure conditions sending UDP packets
10213 could cause the server to retry the transmission
10214 indefinitely. [RT #902]
10216 753. [bug] dig, host, and nslookup would fail to contact a
10217 remote server if getaddrinfo() returned an IPv6
10218 address on a system that doesn't support IPv6.
10221 752. [func] Correct bad tv_usec elements returned by
10224 751. [func] Log successful zone loads / transfers. [RT #898]
10226 750. [bug] A query should not match a DNAME whose trust level
10227 is pending. [RT #916]
10229 749. [bug] When a query matched a DNAME in a secure zone, the
10230 server did not return the signature of the DNAME.
10233 748. [doc] List supported RFCs in doc/misc/rfc-compliance.
10236 747. [bug] The code to determine whether an IXFR was possible
10237 did not properly check for a database that could
10238 not have a journal. [RT #865, #908]
10240 746. [bug] The sdb didn't clone rdatasets properly, causing
10241 a crash when the server followed delegations. [RT #905]
10243 745. [func] Report the owner name of records that fail
10244 semantic checks while loading.
10246 744. [bug] When returning DNS_R_CNAME or DNS_R_DNAME as the
10247 result of an ANY or SIG query, the resolver failed
10248 to setup the return event's rdatasets, causing an
10249 assertion failure in the query code. [RT #881]
10251 743. [bug] Receiving a large number of certain malformed
10252 answers could cause named to stop responding.
10257 741. [port] Support openssl-engine. [RT #709]
10259 740. [port] Handle openssl library mismatches slightly better.
10261 739. [port] Look for /dev/random in configure, rather than
10262 assuming it will be there for only a predefined
10265 738. [bug] If a non-threadsafe sdb driver supported AXFR and
10266 received an AXFR request, it would deadlock or die
10267 with an assertion failure. [RT #852]
10269 737. [port] stdtime.c failed to compile on certain platforms.
10271 736. [func] New functions isc_task_{begin,end}exclusive().
10273 735. [doc] Add BIND 4 migration notes.
10275 734. [bug] An attempt to re-lock the zone lock could occur if
10276 the server was shutdown during a zone transfer.
10279 733. [bug] Reference counts of dns_acl_t objects need to be
10280 locked but were not. [RT #801, #821]
10282 732. [bug] Glue with 0 TTL could also cause SERVFAIL. [RT #828]
10284 731. [bug] Certain zone errors could cause named-checkzone to
10285 fail ungracefully. [RT #819]
10287 730. [bug] lwres_getaddrinfo() returns the correct result when
10288 it fails to contact a server. [RT #768]
10290 729. [port] pthread_setconcurrency() needs to be called on Solaris.
10292 728. [bug] Fix comment processing on master file directives.
10295 727. [port] Work around OS bug where accept() succeeds but
10296 fails to fill in the peer address of the accepted
10297 connection, by treating it as an error rather than
10298 an assertion failure. [RT #809]
10300 726. [func] Implement the "trace" and "notrace" commands in rndc.
10302 725. [bug] Installing man pages could fail.
10304 724. [func] New libisc functions isc_netaddr_any(),
10305 isc_netaddr_any6().
10307 723. [bug] Referrals whose NS RRs had a 0 TTL caused the resolver
10308 to return DNS_R_SERVFAIL. [RT #783]
10310 722. [func] Allow incremental loads to be canceled.
10312 721. [cleanup] Load manager and dns_master_loadfilequota() are no
10315 720. [bug] Server could enter infinite loop in
10316 dispatch.c:do_cancel(). [RT #733]
10318 719. [bug] Rapid reloads could trigger an assertion failure.
10321 718. [cleanup] "internal" is no longer a reserved word in named.conf.
10324 717. [bug] Certain TKEY processing failure modes could
10325 reference an uninitialized variable, causing the
10326 server to crash. [RT #750]
10328 716. [bug] The first line of a $INCLUDE master file was lost if
10329 an origin was specified. [RT #744]
10331 715. [bug] Resolving some A6 chains could cause an assertion
10332 failure in adb.c. [RT #738]
10334 714. [bug] Preserve interval timers across reloads unless changed.
10337 713. [func] named-checkconf takes '-t directory' similar to named.
10340 712. [bug] Sending a large signed update message caused an
10341 assertion failure. [RT #718]
10343 711. [bug] The libisc and liblwres implementations of
10344 inet_ntop contained an off by one error.
10346 710. [func] The forwarders statement now takes an optional
10349 709. [bug] ANY or SIG queries for data with a TTL of 0
10350 would return SERVFAIL. [RT #620]
10352 708. [bug] When building with --with-openssl, the openssl headers
10353 included with BIND 9 should not be used. [RT #702]
10355 707. [func] The "filename" argument to named-checkzone is no
10356 longer optional, to reduce confusion. [RT #612]
10358 706. [bug] Zones with an explicit "allow-update { none; };"
10359 were considered dynamic and therefore not reloaded
10360 on SIGHUP or "rndc reload".
10362 705. [port] Work out resource limit type for use where rlim_t is
10363 not available. [RT #695]
10365 704. [port] RLIMIT_NOFILE is not available on all platforms.
10368 703. [port] sys/select.h is needed on older platforms. [RT #695]
10370 702. [func] If the address 0.0.0.0 is seen in resolv.conf,
10371 use 127.0.0.1 instead. [RT #693]
10373 701. [func] Root hints are now fully optional. Class IN
10374 views use compiled-in hints by default, as
10375 before. Non-IN views with no root hints now
10376 provide authoritative service but not recursion.
10377 A warning is logged if a view has neither root
10378 hints nor authoritative data for the root. [RT #696]
10380 700. [bug] $GENERATE range check was wrong. [RT #688]
10382 699. [bug] The lexer mishandled empty quoted strings. [RT #694]
10384 698. [bug] Aborting nsupdate with ^C would lead to several
10387 697. [bug] nsupdate was not compatible with the undocumented
10388 BIND 8 behavior of ignoring TTLs in "update delete"
10389 commands. [RT #693]
10391 696. [bug] lwresd would die with an assertion failure when passed
10392 a zero-length name. [RT #692]
10394 695. [bug] If the resolver attempted to query a blackholed or
10395 bogus server, the resolution would fail immediately.
10397 694. [bug] $GENERATE did not produce the last entry.
10400 693. [bug] An empty lwres statement in named.conf caused
10401 the server to crash while loading.
10403 692. [bug] Deal with systems that have getaddrinfo() but not
10404 gai_strerror(). [RT #679]
10406 691. [bug] Configuring per-view forwarders caused an assertion
10407 failure. [RT #675, #734]
10409 690. [func] $GENERATE now supports DNAME. [RT #654]
10411 689. [doc] man pages are now installed. [RT #210]
10413 688. [func] "make tags" now works on systems with the
10414 "Exuberant Ctags" etags.
10416 687. [bug] Only say we have IPv6, with sufficient functionality,
10417 if it has actually been tested. [RT #586]
10419 686. [bug] dig and nslookup can now be properly aborted during
10420 blocking operations. [RT #568]
10422 685. [bug] nslookup should use the search list/domain options
10423 from resolv.conf by default. [RT #405, #630]
10425 684. [bug] Memory leak with view forwarders. [RT #656]
10427 683. [bug] File descriptor leak in isc_lex_openfile().
10429 682. [bug] nslookup displayed SOA records incorrectly. [RT #665]
10431 681. [bug] $GENERATE specifying output format was broken. [RT #653]
10433 680. [bug] dns_rdata_fromstruct() mishandled options bigger
10436 679. [bug] $INCLUDE could leak memory and file descriptors on
10439 678. [bug] "transfer-format one-answer;" could trigger an assertion
10442 677. [bug] dnssec-signzone would occasionally use the wrong ttl
10443 for database operations and fail. [RT #643]
10445 676. [bug] Log messages about lame servers to category
10446 'lame-servers' rather than 'resolver', so as not
10447 to be gratuitously incompatible with BIND 8.
10449 675. [bug] TKEY queries could cause the server to leak
10452 674. [func] Allow messages to be TSIG signed / verified using
10453 a offset from the current time.
10455 673. [func] The server can now convert RFC1886-style recursive
10456 lookup requests into RFC2874-style lookups, when
10457 enabled using the new option "allow-v6-synthesis".
10459 672. [bug] The wrong time was in the "time signed" field when
10460 replying with BADTIME error.
10462 671. [bug] The message code was failing to parse a message with
10463 no question section and a TSIG record. [RT #628]
10465 670. [bug] The lwres replacements for getaddrinfo and
10466 getipnodebyname didn't properly check for the
10467 existence of the sockaddr sa_len field.
10469 669. [bug] dnssec-keygen now makes the public key file
10470 non-world-readable for symmetric keys. [RT #403]
10472 668. [func] named-checkzone now reports multiple errors in master
10475 667. [bug] On Linux, running named with the -u option and a
10476 non-world-readable configuration file didn't work.
10479 666. [bug] If a request sent by dig is longer than 512 bytes,
10482 665. [bug] Signed responses were not sent when the size of the
10483 TSIG + question exceeded the maximum message size.
10486 664. [bug] The t_tasks and t_timers module tests are now skipped
10487 when building without threads, since they require
10490 663. [func] Accept a size_spec, not just an integer, in the
10491 (unimplemented and ignored) max-ixfr-log-size option
10492 for compatibility with recent versions of BIND 8.
10495 662. [bug] dns_rdata_fromtext() failed to log certain errors.
10497 661. [bug] Certain UDP IXFR requests caused an assertion failure
10498 (mpctx->allocated == 0). [RT #355, #394, #623]
10500 660. [port] Detect multiple CPUs on HP-UX and IRIX.
10502 659. [performance] Rewrite the name compression code to be much faster.
10504 658. [cleanup] Remove all vestiges of 16 bit global compression.
10506 657. [bug] When a listen-on statement in an lwres block does not
10507 specify a port, use 921, not 53. Also update the
10508 listen-on documentation. [RT #616]
10510 656. [func] Treat an unescaped newline in a quoted string as
10511 an error. This means that TXT records with missing
10512 close quotes should have meaningful errors printed.
10514 655. [bug] Improve error reporting on unexpected eof when loading
10517 654. [bug] Origin was being forgotten in TCP retries in dig.
10520 653. [bug] +defname option in dig was reversed in sense.
10523 652. [bug] zone_saveunique() did not report the new name.
10525 651. [func] The AD bit in responses now has the meaning
10526 specified in <draft-ietf-dnsext-ad-is-secure>.
10528 650. [bug] SIG(0) records were being generated and verified
10529 incorrectly. [RT #606]
10531 649. [bug] It was possible to join to an already running fctx
10532 after it had "cloned" its events, but before it sent
10533 them. In this case, the event of the newly joined
10534 fetch would not contain the answer, and would
10535 trigger the INSIST() in fctx_sendevents(). In
10536 BIND 9.0, this bug did not trigger an INSIST(), but
10537 caused the fetch to fail with a SERVFAIL result.
10538 [RT #588, #597, #605, #607]
10540 648. [port] Add support for pre-RFC2133 IPv6 implementations.
10542 647. [bug] Resolver queries sent after following multiple
10543 referrals had excessively long retransmission
10544 timeouts due to incorrectly counting the referrals
10547 646. [bug] The UnixWare ISC_PLATFORM_FIXIN6INADDR fix in isc/net.h
10548 didn't _cleanly_ fix the problem it was trying to fix.
10550 645. [port] BSD/OS 3.0 needs pthread_init(). [RT #603]
10552 644. [bug] #622 needed more work. [RT #562]
10554 643. [bug] xfrin error messages made more verbose, added class
10555 of the zone. [RT #599]
10557 642. [bug] Break the exit_check() race in the zone module.
10560 --- 9.1.0b2 released ---
10562 641. [bug] $GENERATE caused a uninitialized link to be used.
10565 640. [bug] Memory leak in error path could cause
10566 "mpctx->allocated == 0" failure. [RT #584]
10568 639. [bug] Reading entropy from the keyboard would sometimes fail.
10571 638. [port] lib/isc/random.c needed to explicitly include time.h
10572 to get a prototype for time() when pthreads was not
10573 being used. [RT #592]
10575 637. [port] Use isc_u?int64_t instead of (unsigned) long long in
10576 lib/isc/print.c. Also allow lib/isc/print.c to
10577 be compiled even if the platform does not need it.
10580 636. [port] Shut up MSVC++ about a possible loss of precision
10581 in the ISC__BUFFER_PUTUINT*() macros. [RT #592]
10583 635. [bug] Reloading a server with a configured blackhole list
10584 would cause an assertion. [RT #590]
10586 634. [bug] A log file will completely stop being written when
10587 it reaches the maximum size in all cases, not just
10588 when versioning is also enabled. [RT #570]
10590 633. [port] Cope with rlim_t missing on BSD/OS systems. [RT #575]
10592 632. [bug] The index array of the journal file was
10593 corrupted as it was written to disk.
10595 631. [port] Build without thread support on systems without
10598 630. [bug] Locking failure in zone code. [RT #582]
10600 629. [bug] 9.1.0b1 dereferenced a null pointer and crashed
10601 when responding to a UDP IXFR request.
10603 628. [bug] If the root hints contained only AAAA addresses,
10604 named would be unable to perform resolution.
10606 627. [bug] The EDNS0 blackhole detection code of change 324
10607 waited for three retransmissions to each server,
10608 which takes much too long when a domain has many
10609 name servers and all of them drop EDNS0 queries.
10610 Now we retry without EDNS0 after three consecutive
10611 timeouts, even if they are all from different
10614 626. [bug] The lightweight resolver daemon no longer crashes
10615 when asked for a SIG rrset. [RT #558]
10617 625. [func] Zones now inherit their class from the enclosing view.
10619 624. [bug] The zone object could get timer events after it had
10620 been destroyed, causing a server crash. [RT #571]
10622 623. [func] Added "named-checkconf" and "named-checkzone" program
10623 for syntax checking named.conf files and zone files,
10626 622. [bug] A canceled request could be destroyed before
10627 dns_request_destroy() was called. [RT #562]
10629 621. [port] Disable IPv6 at runtime if IPv6 sockets are unusable.
10630 This mostly affects Red Hat Linux 7.0, which has
10631 conflicts between libc and the kernel.
10633 620. [bug] dns_master_load*inc() now require 'task' and 'load'
10634 to be non-null. Also 'done' will not be called if
10635 dns_master_load*inc() fails immediately. [RT #565]
10639 618. [bug] Queries to a signed zone could sometimes cause
10640 an assertion failure.
10642 617. [bug] When using dynamic update to add a new RR to an
10643 existing RRset with a different TTL, the journal
10644 entries generated from the update did not include
10645 explicit deletions and re-additions of the existing
10646 RRs to update their TTL to the new value.
10648 616. [func] dnssec-signzone -t output now includes performance
10651 615. [bug] dnssec-signzone did not like child keysets signed
10654 614. [bug] Checks for uninitialized link fields were prone
10655 to false positives, causing assertion failures.
10656 The checks are now disabled by default and may
10657 be re-enabled by defining ISC_LIST_CHECKINIT.
10659 613. [bug] "rndc reload zone" now reloads primary zones.
10660 It previously only updated slave and stub zones,
10661 if an SOA query indicated an out of date serial.
10663 612. [cleanup] Shutup a ridiculously noisy HP-UX compiler that
10664 complains relentlessly about how its treatment
10665 of 'const' has changed as well as how casting
10666 sometimes tightens alignment constraints.
10668 611. [func] allow-notify can be used to permit processing of
10669 notify messages from hosts other than a slave's
10672 610. [func] rndc dumpdb is now supported.
10674 609. [bug] getrrsetbyname() would crash lwresd if the server
10675 found more SIGs than answers. [RT #554]
10677 608. [func] dnssec-signzone now adds a comment to the zone
10678 with the time the file was signed.
10680 607. [bug] nsupdate would fail if it encountered a CNAME or
10681 DNAME in a response to an SOA query. [RT #515]
10683 606. [bug] Compiling with --disable-threads failed due
10684 to isc_thread_self() being incorrectly defined
10685 as an integer rather than a function.
10687 605. [func] New function isc_lex_getlasttokentext().
10689 604. [bug] The named.conf parser could print incorrect line
10690 numbers when long comments were present.
10692 603. [bug] Make dig handle multiple types or classes on the same
10693 query more correctly.
10695 602. [func] Cope automatically with UnixWare's broken
10696 IN6_IS_ADDR_* macros. [RT #539]
10698 601. [func] Return a non-zero exit code if an update fails
10701 600. [bug] Reverse lookups sometimes failed in dig, etc...
10703 599. [func] Added four new functions to the libisc log API to
10704 support i18n messages. isc_log_iwrite(),
10705 isc_log_ivwrite(), isc_log_iwrite1() and
10706 isc_log_ivwrite1() were added.
10708 598. [bug] An update-policy statement would cause the server
10709 to assert while loading. [RT #536]
10711 597. [func] dnssec-signzone is now multi-threaded.
10713 596. [bug] DNS_RDATASLAB_FORCE and DNS_RDATASLAB_EXACT are
10714 not mutually exclusive.
10716 595. [port] On Linux 2.2, socket() returns EINVAL when it
10717 should return EAFNOSUPPORT. Work around this.
10720 594. [func] sdb drivers are now assumed to not be thread-safe
10721 unless the DNS_SDBFLAG_THREADSAFE flag is supplied.
10723 593. [bug] If a secure zone was missing all its NXTs and
10724 a dynamic update was attempted, the server entered
10727 592. [bug] The sig-validity-interval option now specifies a
10728 number of days, not seconds. This matches the
10729 documentation. [RT #529]
10731 --- 9.1.0b1 released ---
10733 591. [bug] Work around non-reentrancy in openssl by disabling
10734 pre-computation in keys.
10736 590. [doc] There are now man pages for the lwres library in
10739 589. [bug] The server could deadlock if a zone was updated
10740 while being transferred out.
10742 588. [bug] ctx->in_use was not being correctly initialized when
10743 when pushing a file for $INCLUDE. [RT #523]
10745 587. [func] A warning is now printed if the "allow-update"
10746 option allows updates based on the source IP
10747 address, to alert users to the fact that this
10748 is insecure and becoming increasingly so as
10749 servers capable of update forwarding are being
10752 586. [bug] multiple views with the same name were fatal. [RT #516]
10754 585. [func] dns_db_addrdataset() and and dns_rdataslab_merge()
10755 now support 'exact' additions in a similar manner to
10756 dns_db_subtractrdataset() and dns_rdataslab_subtract().
10758 584. [func] You can now say 'notify explicit'; to suppress
10759 notification of the servers listed in NS records
10760 and notify only those servers listed in the
10761 'also-notify' option.
10763 583. [func] "rndc querylog" will now toggle logging of
10764 queries, like "ndc querylog" in BIND 8.
10766 582. [bug] dns_zone_idetach() failed to lock the zone.
10769 581. [bug] log severity was not being correctly processed.
10772 580. [func] Ignore trailing garbage on incoming DNS packets,
10773 for interoperability with broken server
10774 implementations. [RT #491]
10776 579. [bug] nsupdate did not take a filename to read update from.
10779 578. [func] New config option "notify-source", to specify the
10780 source address for notify messages.
10782 577. [func] Log illegal RDATA combinations. e.g. multiple
10783 singleton types, cname and other data.
10785 576. [doc] isc_log_create() description did not match reality.
10787 575. [bug] isc_log_create() was not setting internal state
10788 correctly to reflect the default channels created.
10790 574. [bug] TSIG signed queries sent by the resolver would fail to
10791 have their responses validated and would leak memory.
10793 573. [bug] The journal files of IXFRed slave zones were
10794 inadvertently discarded on server reload, causing
10795 "journal out of sync with zone" errors on subsequent
10798 572. [bug] Quoted strings were not accepted as key names in
10799 address match lists.
10801 571. [bug] It was possible to create an rdataset of singleton
10802 type which had more than one rdata. [RT #154]
10805 570. [bug] rbtdb.c allowed zones containing nodes which had
10806 both a CNAME and "other data". [RT #154]
10808 569. [func] The DNSSEC AD bit will not be set on queries which
10809 have not requested a DNSSEC response.
10811 568. [func] Add sample simple database drivers in contrib/sdb.
10813 567. [bug] Setting the zone transfer timeout to zero caused an
10814 assertion failure. [RT #302]
10816 566. [func] New public function dns_timer_setidle().
10818 565. [func] Log queries more like BIND 8: query logging is now
10819 done to category "queries", level "info". [RT #169]
10821 564. [func] Add sortlist support to lwresd.
10823 563. [func] New public functions dns_rdatatype_format() and
10824 dns_rdataclass_format(), for convenient formatting
10825 of rdata type/class mnemonics in log messages.
10827 562. [cleanup] Moved lib/dns/*conf.c to bin/named where they belong.
10829 561. [func] The 'datasize', 'stacksize', 'coresize' and 'files'
10830 clauses of the options{} statement are now implemented.
10832 560. [bug] dns_name_split did not properly the resulting prefix
10833 when a maximal length bitstring label was split which
10834 was preceded by another bitstring label. [RT #429]
10836 559. [bug] dns_name_split did not properly create the suffix
10837 when splitting within a maximal length bitstring label.
10839 558. [func] New functions, isc_resource_getlimit and
10840 isc_resource_setlimit.
10842 557. [func] Symbolic constants for libisc integral types.
10844 556. [func] The DNSSEC OK bit in the EDNS extended flags
10845 is now implemented. Responses to queries without
10846 this bit set will not contain any DNSSEC records.
10848 555. [bug] A slave server attempting a zone transfer could
10849 crash with an assertion failure on certain
10850 malformed responses from the master. [RT #457]
10852 554. [bug] In some cases, not all of the dnssec tools were
10853 properly installed.
10855 553. [bug] Incoming zone transfers deferred due to quota
10856 were not started when quota was increased but
10857 only when a transfer in progress finished. [RT #456]
10859 552. [bug] We were not correctly detecting the end of all c-style
10860 comments. [RT #455]
10862 551. [func] Implemented the 'sortlist' option.
10864 550. [func] Support unknown rdata types and classes.
10866 549. [bug] "make" did not immediately abort the build when a
10867 subdirectory make failed [RT #450].
10869 548. [func] The lexer now ungets tokens more correctly.
10873 546. [func] Option 'lame-ttl' is now implemented.
10875 545. [func] Name limit and counting options removed from dig;
10876 they didn't work properly, and cannot be correctly
10877 implemented without significant changes.
10879 544. [func] Add statistics option, enable statistics-file option,
10880 add RNDC option "dump-statistics" to write out a
10881 query statistics file.
10883 543. [doc] The 'port' option is now documented.
10885 542. [func] Add support for update forwarding as required for
10886 full compliance with RFC2136. It is turned off
10887 by default and can be enabled using the
10888 'allow-update-forwarding' option.
10890 541. [func] Add bogus server support.
10892 540. [func] Add dialup support.
10894 539. [func] Support the blackhole option.
10896 538. [bug] fix buffer overruns by 1 in lwres_getnameinfo().
10900 536. [func] Use transfer-source{-v6} when sending refresh queries.
10901 Transfer-source{-v6} now take a optional port
10902 parameter for setting the UDP source port. The port
10903 parameter is ignored for TCP.
10905 535. [func] Use transfer-source{-v6} when forwarding update
10908 534. [func] Ancestors have been removed from RBT chains. Ancestor
10909 information can be discerned via node parent pointers.
10911 533. [func] Incorporated name hashing into the RBT database to
10912 improve search speed.
10914 532. [func] Implement DNS UPDATE pseudo records using
10915 DNS_RDATA_UPDATE flag.
10917 531. [func] Rdata really should be initialized before being assigned
10918 to (dns_rdata_fromwire(), dns_rdata_fromtext(),
10919 dns_rdata_clone(), dns_rdata_fromregion()),
10922 530. [func] New function dns_rdata_invalidate().
10924 529. [bug] 521 contained a bug which caused zones to always
10927 528. [func] The ISC_LIST_XXXX macros now perform sanity checks
10928 on their arguments. ISC_LIST_XXXXUNSAFE can be use
10929 to skip the checks however use with caution.
10931 527. [func] New function dns_rdata_clone().
10933 526. [bug] nsupdate incorrectly refused to add RRs with a TTL
10936 525. [func] New arguments 'options' for dns_db_subtractrdataset(),
10937 and 'flags' for dns_rdataslab_subtract() allowing you
10938 to request that the RR's must exist prior to deletion.
10939 DNS_R_NOTEXACT is returned if the condition is not met.
10941 524. [func] The 'forward' and 'forwarders' statement in
10942 non-forward zones should work now.
10944 523. [doc] The source to the Administrator Reference Manual is
10945 now an XML file using the DocBook DTD, and is included
10946 in the distribution. The plain text version of the
10947 ARM is temporarily unavailable while we figure out
10948 how to generate readable plain text from the XML.
10950 522. [func] The lightweight resolver daemon can now use
10951 a real configuration file, and its functionality
10952 can be provided by a name server. Also, the -p and -P
10953 options to lwresd have been reversed.
10955 521. [bug] Detect master files which contain $INCLUDE and always
10958 520. [bug] Upgraded libtool to 1.3.5, which makes shared
10959 library builds almost work on AIX (and possibly
10962 519. [bug] dns_name_split() would improperly split some bitstring
10963 labels, zeroing a few of the least significant bits in
10964 the prefix part. When such an improperly created
10965 prefix was returned to the RBT database, the bogus
10966 label was dutifully stored, corrupting the tree.
10969 518. [bug] The resolver did not realize that a DNAME which was
10970 "the answer" to the client's query was "the answer",
10971 and such queries would fail. [RT #399]
10973 517. [bug] The resolver's DNAME code would trigger an assertion
10974 if there was more than one DNAME in the chain.
10977 516. [bug] Cache lookups which had a NULL node pointer, e.g.
10978 those by dns_view_find(), and which would match a
10979 DNAME, would trigger an INSIST(!search.need_cleanup)
10980 assertion. [RT #399]
10982 515. [bug] The ssu table was not being attached / detached
10983 by dns_zone_[sg]etssutable. [RT #397]
10985 514. [func] Retry refresh and notify queries if they timeout.
10988 513. [func] New functionality added to rdnc and server to allow
10989 individual zones to be refreshed or reloaded.
10991 512. [bug] The zone transfer code could throw an exception with
10992 an invalid IXFR stream.
10994 511. [bug] The message code could throw an assertion on an
10995 out of memory failure. [RT #392]
10997 510. [bug] Remove spurious view notify warning. [RT #376]
10999 509. [func] Add support for write of zone files on shutdown.
11001 508. [func] dns_message_parse() can now do a best-effort
11002 attempt, which should allow dig to print more invalid
11005 507. [func] New functions dns_zone_flush(), dns_zt_flushanddetach()
11006 and dns_view_flushanddetach().
11008 506. [func] Do not fail to start on errors in zone files.
11010 505. [bug] nsupdate was printing "unknown result code". [RT #373]
11012 504. [bug] The zone was not being marked as dirty when updated via
11015 503. [bug] dumptime was not being set along with
11016 DNS_ZONEFLG_NEEDDUMP.
11018 502. [func] On a SERVFAIL reply, DiG will now try the next server
11019 in the list, unless the +fail option is specified.
11021 501. [bug] Incorrect port numbers were being displayed by
11022 nslookup. [RT #352]
11024 500. [func] Nearly useless +details option removed from DiG.
11026 499. [func] In DiG, specifying a class with -c or type with -t
11027 changes command-line parsing so that classes and
11028 types are only recognized if following -c or -t.
11029 This allows hosts with the same name as a class or
11030 type to be looked up.
11032 498. [doc] There is now a man page for "dig"
11033 in doc/man/bin/dig.1.
11035 497. [bug] The error messages printed when an IP match list
11036 contained a network address with a nonzero host
11037 part where not sufficiently detailed. [RT #365]
11039 496. [bug] named didn't sanity check numeric parameters. [RT #361]
11041 495. [bug] nsupdate was unable to handle large records. [RT #368]
11043 494. [func] Do not cache NXDOMAIN responses for SOA queries.
11045 493. [func] Return non-cachable (ttl = 0) NXDOMAIN responses
11046 for SOA queries. This makes it easier to locate
11047 the containing zone without polluting intermediate
11050 492. [bug] attempting to reload a zone caused the server fail
11051 to shutdown cleanly. [RT #360]
11053 491. [bug] nsupdate would segfault when sending certain
11054 prerequisites with empty RDATA. [RT #356]
11056 490. [func] When a slave/stub zone has not yet successfully
11057 obtained an SOA containing the zone's configured
11058 retry time, perform the SOA query retries using
11059 exponential backoff. [RT #337]
11061 489. [func] The zone manager now has a "i/o" queue.
11063 488. [bug] Locks weren't properly destroyed in some cases.
11065 487. [port] flockfile() is not defined on all systems.
11067 486. [bug] nslookup: "set all" and "server" commands showed
11068 the incorrect port number if a port other than 53
11069 was specified. [RT #352]
11071 485. [func] When dig had more than one server to query, it would
11072 send all of the messages at the same time. Add
11073 rate limiting of the transmitted messages.
11075 484. [bug] When the server was reloaded after removing addresses
11076 from the named.conf "listen-on" statement, sockets
11077 were still listening on the removed addresses due
11078 to reference count loops. [RT #325]
11080 483. [bug] nslookup: "set all" showed a "search" option but it
11083 482. [bug] nslookup: a plain "server" or "lserver" should be
11084 treated as a lookup.
11086 481. [bug] nslookup:get_next_command() stack size could exceed
11089 480. [bug] strtok() is not thread safe. [RT #349]
11091 479. [func] The test suite can now be run by typing "make check"
11092 or "make test" at the top level.
11094 478. [bug] "make install" failed if the directory specified with
11095 --prefix did not already exist.
11097 477. [bug] The the isc-config.sh script could be installed before
11098 its directory was created. [RT #324]
11100 476. [bug] A zone could expire while a zone transfer was in
11101 progress triggering a INSIST failure. [RT #329]
11103 475. [bug] query_getzonedb() sometimes returned a non-null version
11104 on failure. This caused assertion failures when
11105 generating query responses where names subject to
11106 additional section processing pointed to a zone
11107 to which access had been denied by means of the
11108 allow-query option. [RT #336]
11110 474. [bug] The mnemonic of the CHAOS class is CH according to
11111 RFC1035, but it was printed and read only as CHAOS.
11112 We now accept both forms as input, and print it
11115 473. [bug] nsupdate overran the end of the list of name servers
11116 when no servers could be reached, typically causing
11117 it to print the error message "dns_request_create:
11120 472. [bug] Off-by-one error caused isc_time_add() to sometimes
11121 produce invalid time values.
11123 471. [bug] nsupdate didn't compile on HP/UX 10.20
11125 470. [func] $GENERATE is now supported. See also
11126 doc/misc/migration.
11128 469. [bug] "query-source address * port 53;" now works.
11130 468. [bug] dns_master_load*() failed to report file and line
11131 number in certain error conditions.
11133 467. [bug] dns_master_load*() failed to log an error if
11136 466. [bug] dns_master_load*() could return success when it failed.
11138 465. [cleanup] Allow 0 to be set as an omapi_value_t value by
11139 omapi_value_storeint().
11141 464. [cleanup] Build with openssl's RSA code instead of dnssafe.
11143 463. [bug] nsupdate sent malformed SOA queries to the second
11144 and subsequent name servers in resolv.conf if the
11145 query sent to the first one failed.
11147 462. [bug] --disable-ipv6 should work now.
11149 461. [bug] Specifying an unknown key in the "keys" clause of the
11150 "controls" statement caused a NULL pointer dereference.
11153 460. [bug] Much of the DNSSEC code only worked with class IN.
11155 459. [bug] Nslookup processed the "set" command incorrectly.
11157 458. [bug] Nslookup didn't properly check class and type values.
11160 457. [bug] Dig/host/hslookup didn't properly handle connect
11161 timeouts in certain situations, causing an
11162 unnecessary warning message to be printed.
11164 456. [bug] Stub zones were not resetting the refresh and expire
11165 counters, loadtime or clearing the DNS_ZONE_REFRESH
11166 (refresh in progress) flag upon successful update.
11167 This disabled further refreshing of the stub zone,
11168 causing it to eventually expire. [RT #300]
11170 455. [doc] Document IPv4 prefix notation does not require a
11171 dotted decimal quad but may be just dotted decimal.
11173 454. [bug] Enforce dotted decimal and dotted decimal quad where
11174 documented as such in named.conf. [RT #304, RT #311]
11176 453. [bug] Warn if the obsolete option "maintain-ixfr-base"
11177 is specified in named.conf. [RT #306]
11179 452. [bug] Warn if the unimplemented option "statistics-file"
11180 is specified in named.conf. [RT #301]
11182 451. [func] Update forwarding implemented.
11184 450. [func] New function ns_client_sendraw().
11186 449. [bug] isc_bitstring_copy() only works correctly if the
11187 two bitstrings have the same lsb0 value, but this
11188 requirement was not documented, nor was there a
11191 448. [bug] Host output formatting change, to match v8. [RT #255]
11193 447. [bug] Dig didn't properly retry in TCP mode after
11194 a truncated reply. [RT #277]
11196 446. [bug] Confusing notify log message. [RT #298]
11198 445. [bug] Doing a 0 bit isc_bitstring_copy() of an lsb0
11199 bitstring triggered a REQUIRE statement. The REQUIRE
11200 statement was incorrect. [RT #297]
11202 444. [func] "recursion denied" messages are always logged at
11203 debug level 1, now, rather than sometimes at ERROR.
11204 This silences these warnings in the usual case, where
11205 some clients set the RD bit in all queries.
11207 443. [bug] When loading a master file failed because of an
11208 unrecognized RR type name, the error message
11209 did not include the file name and line number.
11212 442. [bug] TSIG signed messages that did not match any view
11213 crashed the server. [RT #290]
11215 441. [bug] Nodes obscured by a DNAME were inaccessible even
11216 when DNS_DBFIND_GLUEOK was set.
11218 440. [func] New function dns_zone_forwardupdate().
11220 439. [func] New function dns_request_createraw().
11222 438. [func] New function dns_message_getrawmessage().
11224 437. [func] Log NOTIFY activity to the notify channel.
11226 436. [bug] If recvmsg() returned EHOSTUNREACH or ENETUNREACH,
11227 which sometimes happens on Linux, named would enter
11228 a busy loop. Also, unexpected socket errors were
11229 not logged at a high enough logging level to be
11230 useful in diagnosing this situation. [RT #275]
11232 435. [bug] dns_zone_dump() overwrote existing zone files
11233 rather than writing to a temporary file and
11234 renaming. This could lead to empty or partial
11235 zone files being left around in certain error
11236 conditions involving the initial transfer of a
11237 slave zone, interfering with subsequent server
11240 434. [func] New function isc_file_isabsolute().
11242 433. [func] isc_base64_decodestring() now accepts newlines
11243 within the base64 data. This makes it possible
11244 to break up the key data in a "trusted-keys"
11245 statement into multiple lines. [RT #284]
11247 432. [func] Added refresh/retry jitter. The actual refresh/
11248 retry time is now a random value between 75% and
11249 100% of the configured value.
11251 431. [func] Log at ISC_LOG_INFO when a zone is successfully
11254 430. [bug] Rewrote the lightweight resolver client management
11255 code to handle shutdown correctly and general
11258 429. [bug] The space reserved for a TSIG record in a response
11259 was 2 bytes too short, leading to message
11260 generation failures.
11262 428. [bug] rbtdb.c:find_closest_nxt() erroneously returned
11263 DNS_R_BADDB for nodes which had neither NXT nor SIG NXT
11264 (e.g. glue). This could cause SERVFAILs when
11265 generating negative responses in a secure zone.
11267 427. [bug] Avoid going into an infinite loop when the validator
11268 gets a negative response to a key query where the
11269 records are signed by the missing key.
11271 426. [bug] Attempting to generate an oversized RSA key could
11272 cause dnssec-keygen to dump core.
11274 425. [bug] Warn about the auth-nxdomain default value change
11275 if there is no auth-nxdomain statement in the
11276 config file. [RT #287]
11278 424. [bug] notify_createmessage() could trigger an assertion
11279 failure when creating the notify message failed,
11280 e.g. due to corrupt zones with multiple SOA records.
11283 423. [bug] When responding to a recursive query, errors that occur
11284 after following a CNAME should cause the query to fail.
11287 422. [func] get rid of isc_random_t, and make isc_random_get()
11288 and isc_random_jitter() use rand() internally
11289 instead of local state. Note that isc_random_*()
11290 functions are only for weak, non-critical "randomness"
11291 such as timing jitter and such.
11293 421. [bug] nslookup would exit when given a blank line as input.
11295 420. [bug] nslookup failed to implement the "exit" command.
11297 419. [bug] The certificate type PKIX was misspelled as SKIX.
11299 418. [bug] At debug levels >= 10, getting an unexpected
11300 socket receive error would crash the server
11301 while trying to log the error message.
11303 417. [func] Add isc_app_block() and isc_app_unblock(), which
11304 allow an application to handle signals while
11307 416. [bug] Slave zones with no master file tried to use a
11308 NULL pointer for a journal file name when they
11309 received an IXFR. [RT #273]
11311 415. [bug] The logging code leaked file descriptors.
11313 414. [bug] Server did not shut down until all incoming zone
11314 transfers were finished.
11316 413. [bug] Notify could attempt to use the zone database after
11317 it had been unloaded. [RT #267]
11319 412. [bug] named -v didn't print the version.
11321 411. [bug] A typo in the HS A code caused an assertion failure.
11323 410. [bug] lwres_gethostbyname() and company set lwres_h_errno
11324 to a random value on success.
11326 409. [bug] If named was shut down early in the startup
11327 process, ns_omapi_shutdown() would attempt to lock
11328 an uninitialized mutex. [RT #262]
11330 408. [bug] stub zones could leak memory and reference counts if
11331 all the masters were unreachable.
11333 407. [bug] isc_rwlock_lock() would needlessly block
11334 readers when it reached the read quota even
11335 if no writers were waiting.
11337 406. [bug] Log messages were occasionally lost or corrupted
11338 due to a race condition in isc_log_doit().
11340 405. [func] Add support for selective forwarding (forward zones)
11342 404. [bug] The request library didn't completely work with IPv6.
11344 403. [bug] "host" did not use the search list.
11346 402. [bug] Treat undefined acls as errors, rather than
11347 warning and then later throwing an assertion.
11350 401. [func] Added simple database API.
11352 400. [bug] SIG(0) signing and verifying was done incorrectly.
11355 399. [bug] When reloading the server with a config file
11356 containing a syntax error, it could catch an
11357 assertion failure trying to perform zone
11358 maintenance on, or sending notifies from,
11359 tentatively created zones whose views were
11360 never fully configured and lacked an address
11361 database and request manager.
11363 398. [bug] "dig" sometimes caught an assertion failure when
11364 using TSIG, depending on the key length.
11366 397. [func] Added utility functions dns_view_gettsig() and
11367 dns_view_getpeertsig().
11369 396. [doc] There is now a man page for "nsupdate"
11370 in doc/man/bin/nsupdate.8.
11372 395. [bug] nslookup printed incorrect RR type mnemonics
11373 for RRs of type >= 21 [RT #237].
11375 394. [bug] Current name was not propagated via $INCLUDE.
11377 393. [func] Initial answer while loading (awl) support.
11378 Entry points: dns_master_loadfileinc(),
11379 dns_master_loadstreaminc(), dns_master_loadbufferinc().
11380 Note: calls to dns_master_load*inc() should be rate
11381 be rate limited so as to not use up all file
11384 392. [func] Add ISC_R_FAMILYNOSUPPORT. Returned when OS does
11385 not support the given address family requested.
11387 391. [clarity] ISC_R_FAMILY -> ISC_R_FAMILYMISMATCH.
11389 390. [func] The function dns_zone_setdbtype() now takes
11390 an argc/argv style vector of words and sets
11391 both the zone database type and its arguments,
11392 making the functions dns_zone_adddbarg()
11393 and dns_zone_cleardbargs() unnecessary.
11395 389. [bug] Attempting to send a request over IPv6 using
11396 dns_request_create() on a system without IPv6
11397 support caused an assertion failure [RT #235].
11399 388. [func] dig and host can now do reverse ipv6 lookups.
11401 387. [func] Add dns_byaddr_createptrname(), which converts
11402 an address into the name used by a PTR query.
11404 386. [bug] Missing strdup() of ACL name caused random
11405 ACL matching failures [RT #228].
11407 385. [cleanup] Removed functions dns_zone_equal(), dns_zone_print(),
11408 and dns_zt_print().
11410 384. [bug] nsupdate was incorrectly limiting TTLs to 65535 instead
11413 383. [func] When writing a master file, print the SOA and NS
11414 records (and their SIGs) before other records.
11416 382. [bug] named -u failed on many Linux systems where the
11417 libc provided kernel headers do not match
11418 the current kernel.
11420 381. [bug] Check for IPV6_RECVPKTINFO and use it instead of
11421 IPV6_PKTINFO if found. [RT #229]
11423 380. [bug] nsupdate didn't work with IPv6.
11425 379. [func] New library function isc_sockaddr_anyofpf().
11427 378. [func] named and lwresd will log the command line arguments
11428 they were started with in the "starting ..." message.
11430 377. [bug] When additional data lookups were refused due to
11431 "allow-query", the databases were still being
11432 attached causing reference leaks.
11434 376. [bug] The server should always use good entropy when
11435 performing cryptographic functions needing entropy.
11437 375. [bug] Per-zone "allow-query" did not properly override the
11438 view/global one for CNAME targets and additional
11441 374. [bug] SOA in authoritative negative responses had wrong TTL.
11443 373. [func] nslookup is now installed by "make install".
11445 372. [bug] Deal with Microsoft DNS servers appending two bytes of
11446 garbage to zone transfer requests.
11448 371. [bug] At high debug levels, doing an outgoing zone transfer
11449 of a very large RRset could cause an assertion failure
11452 370. [bug] The error messages for roll-forward failures were
11455 369. [func] Support new named.conf options, view and zone
11458 max-retry-time, min-retry-time,
11459 max-refresh-time, min-refresh-time.
11461 368. [func] Restructure the internal ".bind" view so that more
11462 zones can be added to it.
11464 367. [bug] Allow proper selection of server on nslookup command
11467 366. [func] Allow use of '-' batch file in dig for stdin.
11469 365. [bug] nsupdate -k leaked memory.
11471 364. [func] Added additional-from-{cache,auth}
11475 362. [bug] rndc no longer aborts if the configuration file is
11476 missing an options statement. [RT #209]
11478 361. [func] When the RBT find or chain functions set the name and
11479 origin for a node that stores the root label
11480 the name is now set to an empty name, instead of ".",
11481 to simplify later use of the name and origin by
11482 dns_name_concatenate(), dns_name_totext() or
11485 360. [func] dns_name_totext() and dns_name_format() now allow
11486 an empty name to be passed, which is formatted as "@".
11488 359. [bug] dnssec-signzone occasionally signed glue records.
11490 358. [cleanup] Rename the intermediate files used by the dnssec
11493 357. [bug] The zone file parser crashed if the argument
11494 to $INCLUDE was a quoted string.
11496 356. [cleanup] isc_task_send no longer requires event->sender to
11499 355. [func] Added isc_dir_createunique(), similar to mkdtemp().
11501 354. [doc] Man pages for the dnssec tools are now included in
11502 the distribution, in doc/man/dnssec.
11504 353. [bug] double increment in lwres/gethost.c:copytobuf().
11507 352. [bug] Race condition in dns_client_t startup could cause
11508 an assertion failure.
11510 351. [bug] Constructing a response with rcode SERVFAIL to a TSIG
11511 signed query could crash the server.
11513 350. [bug] Also-notify lists specified in the global options
11514 block were not correctly reference counted, causing
11517 349. [bug] Processing a query with the CD bit set now works
11520 348. [func] New boolean named.conf options 'additional-from-auth'
11521 and 'additional-from-cache' now supported in view and
11522 global options statement.
11524 347. [bug] Don't crash if an argument is left off options in dig.
11528 345. [bug] Large-scale changes/cleanups to dig:
11529 * Significantly improve structure handling
11530 * Don't pre-load entire batch files
11531 * Add name/rr counting/limiting
11532 * Fix SIGINT handling
11533 * Shorten timeouts to match v8's behavior
11535 344. [bug] When shutting down, lwresd sometimes tried
11536 to shut down its client tasks twice,
11537 triggering an assertion.
11539 343. [bug] Although zone maintenance SOA queries and
11540 notify requests were signed with TSIG keys
11541 when configured for the server in case,
11542 the TSIG was not verified on the response.
11544 342. [bug] The wrong name was being passed to
11545 dns_name_dup() when generating a TSIG
11548 341. [func] Support 'key' clause in named.conf zone masters
11549 statement to allow authentication via TSIG keys:
11552 10.0.0.1 port 5353 key "foo";
11556 340. [bug] The top-level COPYRIGHT file was missing from
11559 339. [bug] DNSSEC validation of the response to an ANY
11560 query at a name with a CNAME RR in a secure
11561 zone triggered an assertion failure.
11563 338. [bug] lwresd logged to syslog as named, not lwresd.
11565 337. [bug] "dig" did not recognize "nsap-ptr" as an RR type
11566 on the command line.
11568 336. [bug] "dig -f" used 64 k of memory for each line in
11569 the file. It now uses much less, though still
11570 proportionally to the file size.
11572 335. [bug] named would occasionally attempt recursion when
11573 it was disallowed or undesired.
11575 334. [func] Added hmac-md5 to libisc.
11577 333. [bug] The resolver incorrectly accepted referrals to
11578 domains that were not parents of the query name,
11579 causing assertion failures.
11581 332. [func] New function dns_name_reset().
11583 331. [bug] Only log "recursion denied" if RD is set. [RT #178]
11585 330. [bug] Many debugging messages were partially formatted
11586 even when debugging was turned off, causing a
11587 significant decrease in query performance.
11589 329. [func] omapi_auth_register() now takes a size_t argument for
11590 the length of a key's secret data. Previously
11591 OMAPI only stored secrets up to the first NUL byte.
11593 328. [func] Added isc_base64_decodestring().
11595 327. [bug] rndc.conf parser wasn't correctly recognizing an IP
11596 address where a host specification was required.
11598 326. [func] 'keys' in an 'inet' control statement is now
11599 required and must have at least one item in it.
11600 A "not supported" warning is now issued if a 'unix'
11601 control channel is defined.
11603 325. [bug] isc_lex_gettoken was processing octal strings when
11604 ISC_LEXOPT_CNUMBER was not set.
11606 324. [func] In the resolver, turn EDNS0 off if there is no
11607 response after a number of retransmissions.
11608 This is to allow queries some chance of succeeding
11609 even if all the authoritative servers of a zone
11610 silently discard EDNS0 requests instead of
11611 sending an error response like they ought to.
11613 323. [bug] dns_rbt_findname() did not ignore empty rbt nodes.
11614 Because of this, servers authoritative for a parent
11615 and grandchild zone but not authoritative for the
11616 intervening child zone did not correctly issue
11617 referrals to the servers of the child zone.
11619 322. [bug] Queries for KEY RRs are now sent to the parent
11620 server before the authoritative one, making
11621 DNSSEC insecurity proofs work in many cases
11622 where they previously didn't.
11624 321. [bug] When synthesizing a CNAME RR for a DNAME
11625 response, query_addcname() failed to initialize
11626 the type and class of the CNAME dns_rdata_t,
11627 causing random failures.
11629 320. [func] Multiple rndc changes: parses an rndc.conf file,
11630 uses authentication to talk to named, command
11631 line syntax changed. This will all be described
11634 319. [func] The named.conf "controls" statement is now used
11635 to configure the OMAPI command channel.
11637 318. [func] dns_c_ndcctx_destroy() could never return anything
11638 except ISC_R_SUCCESS; made it have void return instead.
11640 317. [func] Use callbacks from libomapi to determine if a
11641 new connection is valid, and if a key requested
11642 to be used with that connection is valid.
11644 316. [bug] Generate a warning if we detect an unexpected <eof>
11645 but treat as <eol><eof>.
11647 315. [bug] Handle non-empty blanks lines. [RT #163]
11649 314. [func] The named.conf controls statement can now have
11650 more than one key specified for the inet clause.
11652 313. [bug] When parsing resolv.conf, don't terminate on an
11653 error. Instead, parse as much as possible, but
11654 still return an error if one was found.
11656 312. [bug] Increase the number of allowed elements in the
11657 resolv.conf search path from 6 to 8. If there
11658 are more than this, ignore the remainder rather
11659 than returning a failure in lwres_conf_parse.
11661 311. [bug] lwres_conf_parse failed when the first line of
11662 resolv.conf was empty or a comment.
11664 310. [func] Changes to named.conf "controls" statement (inet
11667 - support "keys" clause
11671 allow { any; } keys { "foo"; }
11674 - allow "port xxx" to be left out of statement,
11675 in which case it defaults to omapi's default port
11678 309. [bug] When sending a referral, the server did not look
11679 for name server addresses as glue in the zone
11680 holding the NS RRset in the case where this zone
11681 was not the same as the one where it looked for
11682 name server addresses as authoritative data.
11684 308. [bug] Treat a SOA record not at top of zone as an error
11685 when loading a zone. [RT #154]
11687 307. [bug] When canceling a query, the resolver didn't check for
11688 isc_socket_sendto() calls that did not yet have their
11689 completion events posted, so it could (rarely) end up
11690 destroying the query context and then want to use
11691 it again when the send event posted, triggering an
11692 assertion as it tried to cancel an already-canceled
11695 306. [bug] Reading HMAC-MD5 private key files didn't work.
11697 305. [bug] When reloading the server with a config file
11698 containing a syntax error, it could catch an
11699 assertion failure trying to perform zone
11700 maintenance on tentatively created zones whose
11701 views were never fully configured and lacked
11702 an address database.
11704 304. [bug] If more than LWRES_CONFMAXNAMESERVERS servers
11705 are listed in resolv.conf, silently ignore them
11706 instead of returning failure.
11708 303. [bug] Add additional sanity checks to differentiate a AXFR
11709 response vs a IXFR response. [RT #157]
11711 302. [bug] In dig, host, and nslookup, MXNAME should be large
11712 enough to hold any legal domain name in presentation
11713 format + terminating NULL.
11715 301. [bug] Uninitialized pointer in host:printmessage(). [RT #159]
11717 300. [bug] Using both <isc/net.h> and <lwres/net.h> didn't work
11718 on platforms lacking IPv6 because each included their
11719 own ipv6 header file for the missing definitions. Now
11720 each library's ipv6.h defines the wrapper symbol of
11721 the other (ISC_IPV6_H and LWRES_IPV6_H).
11723 299. [cleanup] Get the user and group information before changing the
11724 root directory, so the administrator does not need to
11725 keep a copy of the user and group databases in the
11726 chroot'ed environment. Suggested by Hakan Olsson.
11728 298. [bug] A mutex deadlock occurred during shutdown of the
11729 interface manager under certain conditions.
11730 Digital Unix systems were the most affected.
11732 297. [bug] Specifying a key name that wasn't fully qualified
11733 in certain parts of the config file could cause
11734 an assertion failure.
11736 296. [bug] "make install" from a separate build directory
11737 failed unless configure had been run in the source
11740 295. [bug] When invoked with type==CNAME and a message
11741 not constructed by dns_message_parse(),
11742 dns_message_findname() failed to find anything
11743 due to checking for attribute bits that are set
11744 only in dns_message_parse(). This caused an
11745 infinite loop when constructing the response to
11746 an ANY query at a CNAME in a secure zone.
11748 294. [bug] If we run out of space in while processing glue
11749 when reading a master file and commit "current name"
11750 reverts to "name_current" instead of staying as
11753 293. [port] Add support for FreeBSD 4.0 system tests.
11755 292. [bug] Due to problems with the way some operating systems
11756 handle simultaneous listening on IPv4 and IPv6
11757 addresses, the server no longer listens on IPv6
11758 addresses by default. To revert to the previous
11759 behavior, specify "listen-on-v6 { any; };" in
11762 291. [func] Caching servers no longer send outgoing queries
11763 over TCP just because the incoming recursive query
11766 290. [cleanup] +twiddle option to dig (for testing only) removed.
11768 289. [cleanup] dig is now installed in $bindir instead of $sbindir.
11769 host is now installed in $bindir. (Be sure to remove
11770 any $sbindir/dig from a previous release.)
11772 288. [func] rndc is now installed by "make install" into $sbindir.
11774 287. [bug] rndc now works again as "rndc 127.1 reload" (for
11775 only that task). Parsing its configuration file and
11776 using digital signatures for authentication has been
11777 disabled until named supports the "controls" statement,
11780 286. [bug] On Solaris 2, when named inherited a signal state
11781 where SIGHUP had the SIG_IGN action, SIGHUP would
11782 be ignored rather than causing the server to reload
11785 285. [bug] A change made to the dst API for beta4 inadvertently
11786 broke OMAPI's creation of a dst key from an incoming
11787 message, causing an assertion to be triggered. Fixed.
11789 284. [func] The DNSSEC key generation and signing tools now
11790 generate randomness from keyboard input on systems
11791 that lack /dev/random.
11793 283. [cleanup] The 'lwresd' program is now a link to 'named'.
11795 282. [bug] The lexer now returns ISC_R_RANGE if parsed integer is
11796 too big for an unsigned long.
11798 281. [bug] Fixed list of recognized config file category names.
11800 280. [func] Add isc-config.sh, which can be used to more
11801 easily build applications that link with
11804 279. [bug] Private omapi function symbols shared between
11805 two or more files in libomapi.a were not namespace
11806 protected using the ISC convention of starting with
11807 the library name and two underscores ("omapi__"...)
11809 278. [bug] bin/named/logconf.c:category_fromconf() didn't take
11810 note of when isc_log_categorybyname() wasn't able
11811 to find the category name and would then apply the
11812 channel list of the unknown category to all categories.
11814 277. [bug] isc_log_categorybyname() and isc_log_modulebyname()
11815 would fail to find the first member of any category
11816 or module array apart from the internal defaults.
11817 Thus, for example, the "notify" category was improperly
11818 configured by named.
11820 276. [bug] dig now supports maximum sized TCP messages.
11822 275. [bug] The definition of lwres_gai_strerror() was missing
11825 274. [bug] TSIG AXFR verify failed when talking to a BIND 8
11828 273. [func] The default for the 'transfer-format' option is
11829 now 'many-answers'. This will break zone transfers
11830 to BIND 4.9.5 and older unless there is an explicit
11831 'one-answer' configuration.
11833 272. [bug] The sending of large TCP responses was canceled
11834 in mid-transmission due to a race condition
11835 caused by the failure to set the client object's
11836 "newstate" variable correctly when transitioning
11837 to the "working" state.
11839 271. [func] Attempt to probe the number of cpus in named
11840 if unspecified rather than defaulting to 1.
11842 270. [func] Allow maximum sized TCP answers.
11844 269. [bug] Failed DNSSEC validations could cause an assertion
11845 failure by causing clone_results() to be called with
11846 with hevent->node == NULL.
11848 268. [doc] A plain text version of the Administrator
11849 Reference Manual is now included in the distribution,
11850 as doc/arm/Bv9ARM.txt.
11852 267. [func] Nsupdate is now provided in the distribution.
11854 266. [bug] zone.c:save_nsrrset() node was not initialized.
11856 265. [bug] dns_request_create() now works for TCP.
11858 264. [func] Dispatch can not take TCP sockets in connecting
11859 state. Set DNS_DISPATCHATTR_CONNECTED when calling
11860 dns_dispatch_createtcp() for connected TCP sockets
11861 or call dns_dispatch_starttcp() when the socket is
11864 263. [func] New logging channel type 'stderr'
11866 channel some-name {
11871 262. [bug] 'master' was not initialized in zone.c:stub_callback().
11873 261. [func] Add dns_zone_markdirty().
11875 260. [bug] Running named as a non-root user failed on Linux
11876 kernels new enough to support retaining capabilities
11879 259. [func] New random-device and random-seed-file statements
11880 for global options block of named.conf. Both accept
11881 a single string argument.
11883 258. [bug] Fixed printing of lwres_addr_t.address field.
11885 257. [bug] The server detached the last zone manager reference
11886 too early, while it could still be in use by queries.
11887 This manifested itself as assertion failures during the
11888 shutdown process for busy name servers. [RT #133]
11890 256. [func] isc_ratelimiter_t now has attach/detach semantics, and
11891 isc_ratelimiter_shutdown guarantees that the rate
11892 limiter is detached from its task.
11894 255. [func] New function dns_zonemgr_attach().
11896 254. [bug] Suppress "query denied" messages on additional data
11899 --- 9.0.0b4 released ---
11901 253. [func] resolv.conf parser now recognizes ';' and '#' as
11902 comments (anywhere in line, not just as the beginning).
11904 252. [bug] resolv.conf parser mishandled masks on sortlists.
11905 It also aborted when an unrecognized keyword was seen,
11906 now it silently ignores the entire line.
11908 251. [bug] lwresd caught an assertion failure on startup.
11910 250. [bug] fixed handling of size+unit when value would be too
11911 large for internal representation.
11913 249. [cleanup] max-cache-size config option now takes a size-spec
11914 like 'datasize', except 'default' is not allowed.
11916 248. [bug] global lame-ttl option was not being printed when
11917 config structures were written out.
11919 247. [cleanup] Rename cache-size config option to max-cache-size.
11921 246. [func] Rename global option cachesize to cache-size and
11922 add corresponding option to view statement.
11924 245. [bug] If an uncompressed name will take more than 255
11925 bytes and the buffer is sufficiently long,
11926 dns_name_fromwire should return DNS_R_FORMERR,
11927 not ISC_R_NOSPACE. This bug caused cause the
11928 server to catch an assertion failure when it
11929 received a query for a name longer than 255
11932 244. [bug] empty named.conf file and empty options statement are
11933 now parsed properly.
11935 243. [func] new cachesize option for named.conf
11937 242. [cleanup] fixed incorrect warning about auth-nxdomain usage.
11939 241. [cleanup] nscount and soacount have been removed from the
11940 dns_master_*() argument lists.
11942 240. [func] databases now come in three flavours: zone, cache
11945 239. [func] If ISC_MEM_DEBUG is enabled, the variable
11946 isc_mem_debugging controls whether messages
11947 are printed or not.
11949 238. [cleanup] A few more compilation warnings have been quieted:
11950 + missing sigwait prototype on BSD/OS 4.0/4.0.1.
11951 + PTHREAD_ONCE_INIT unbraced initializer warnings on
11953 + IN6ADDR_ANY_INIT unbraced initializer warnings on
11954 BSD/OS 4.*, Linux and Solaris 2.8.
11956 237. [bug] If connect() returned ENOBUFS when the resolver was
11957 initiating a TCP query, the socket didn't get
11958 destroyed, and the server did not shut down cleanly.
11960 236. [func] Added new listen-on-v6 config file statement.
11962 235. [func] Consider it a config file error if a listen-on
11963 statement has an IPv6 address in it, or a
11964 listen-on-v6 statement has an IPv4 address in it.
11966 234. [bug] Allow a trusted-key's first field (domain-name) be
11967 either a quoted or an unquoted string, instead of
11968 requiring a quoted string.
11970 233. [cleanup] Convert all config structure integer values to unsigned
11971 integer (isc_uint32_t) to match grammar.
11973 232. [bug] Allow slave zones to not have a file.
11975 231. [func] Support new 'port' clause in config file options
11976 section. Causes 'listen-on', 'masters' and
11977 'also-notify' statements to use its value instead of
11980 230. [func] Replace the dst sign/verify API with a cleaner one.
11982 229. [func] Support config file sig-validity-interval statement
11983 in options, views and zone statements (master
11986 228. [cleanup] Logging messages in config module stripped of
11989 227. [cleanup] The enumerated identifiers dns_rdataclass_*,
11990 dns_rcode_*, dns_opcode_*, and dns_trust_* are
11991 also now cast to their appropriate types, as with
11992 dns_rdatatype_* in item number 225 below.
11994 226. [func] dns_name_totext() now always prints the root name as
11995 '.', even when omit_final_dot is true.
11997 225. [cleanup] The enumerated dns_rdatatype_* identifiers are now
11998 cast to dns_rdatatype_t via macros of their same name
11999 so that they are of the proper integral type wherever
12000 a dns_rdatatype_t is needed.
12002 224. [cleanup] The entire project builds cleanly with gcc's
12003 -Wcast-qual and -Wwrite-strings warnings enabled,
12004 which is now the default when using gcc. (Warnings
12005 from confparser.c, because of yacc's code, are
12006 unfortunately to be expected.)
12008 223. [func] Several functions were re-prototyped to qualify one
12009 or more of their arguments with "const". Similarly,
12010 several functions that return pointers now have
12011 those pointers qualified with const.
12013 222. [bug] The global 'also-notify' option was ignored.
12015 221. [bug] An uninitialized variable was sometimes passed to
12016 dns_rdata_freestruct() when loading a zone, causing
12017 an assertion failure.
12019 220. [cleanup] Set the default outgoing port in the view, and
12020 set it in sockaddrs returned from the ADB.
12021 [31-May-2000 explorer]
12023 219. [bug] Signed truncated messages more correctly follow
12024 the respective specs.
12026 218. [func] When an rdataset is signed, its ttl is normalized
12027 based on the signature validity period.
12029 217. [func] Also-notify and trusted-keys can now be used in
12030 the 'view' statement.
12032 216. [func] The 'max-cache-ttl' and 'max-ncache-ttl' options
12035 215. [bug] Failures at certain points in request processing
12036 could cause the assertion INSIST(client->lockview
12037 == NULL) to be triggered.
12039 214. [func] New public function isc_netaddr_format(), for
12040 formatting network addresses in log messages.
12042 213. [bug] Don't leak memory when reloading the zone if
12043 an update-policy clause was present in the old zone.
12045 212. [func] Added dns_message_get/settsigkey, to make TSIG
12046 key management reasonable.
12048 211. [func] The 'key' and 'server' statements can now occur
12049 inside 'view' statements.
12051 210. [bug] The 'allow-transfer' option was ignored for slave
12052 zones, and the 'transfers-per-ns' option was
12053 was ignored for all zones.
12055 209. [cleanup] Upgraded openssl files to new version 0.9.5a
12057 208. [func] Added ISC_OFFSET_MAXIMUM for the maximum value
12058 of an isc_offset_t.
12060 207. [func] The dnssec tools properly use the logging subsystem.
12062 206. [cleanup] dst now stores the key name as a dns_name_t, not
12065 205. [cleanup] On IRIX, turn off the mostly harmless warnings 1692
12066 ("prototyped function redeclared without prototype")
12067 and 1552 ("variable ... set but not used") when
12068 compiling in the lib/dns/sec/{dnssafe,openssl}
12069 directories, which contain code imported from outside
12072 204. [cleanup] On HP/UX, pass +vnocompatwarnings to the linker
12073 to quiet the warnings that "The linked output may not
12074 run on a PA 1.x system."
12076 203. [func] notify and zone soa queries are now tsig signed when
12079 202. [func] isc_lex_getsourceline() changed from returning int
12080 to returning unsigned long, the type of its underlying
12083 201. [cleanup] Removed the test/sdig program, it has been
12084 replaced by bin/dig/dig.
12086 --- 9.0.0b3 released ---
12088 200. [bug] Failures in sending query responses to clients
12089 (e.g., running out of network buffers) were
12092 199. [bug] isc_heap_delete() sometimes violated the heap
12093 invariant, causing timer events not to be posted
12096 198. [func] Dispatch managers hold memory pools which
12097 any managed dispatcher may use. This allows
12098 us to avoid dipping into the memory context for
12099 most allocations. [19-May-2000 explorer]
12101 197. [bug] When an incoming AXFR or IXFR completes, the
12102 zone's internal state is refreshed from the
12103 SOA data. [19-May-2000 explorer]
12105 196. [func] Dispatchers can be shared easily between views
12106 and/or interfaces. [19-May-2000 explorer]
12108 195. [bug] Including the NXT record of the root domain
12109 in a negative response caused an assertion
12112 194. [doc] The PDF version of the Administrator's Reference
12113 Manual is no longer included in the ISC BIND9
12116 193. [func] changed dst_key_free() prototype.
12118 192. [bug] Zone configuration validation is now done at end
12119 of config file parsing, and before loading
12122 191. [func] Patched to compile on UnixWare 7.x. This platform
12123 is not directly supported by the ISC.
12125 190. [cleanup] The DNSSEC tools have been moved to a separate
12126 directory dnssec/ and given the following new,
12127 more descriptive names:
12134 Their command line arguments have also been changed to
12135 be more consistent. dnssec-keygen now prints the
12136 name of the generated key files (sans extension)
12137 on standard output to simplify its use in automated
12140 189. [func] isc_time_secondsastimet(), a new function, will ensure
12141 that the number of seconds in an isc_time_t does not
12142 exceed the range of a time_t, or return ISC_R_RANGE.
12143 Similarly, isc_time_now(), isc_time_nowplusinterval(),
12144 isc_time_add() and isc_time_subtract() now check the
12145 range for overflow/underflow. In the case of
12146 isc_time_subtract, this changed a calling requirement
12147 (ie, something that could generate an assertion)
12148 into merely a condition that returns an error result.
12149 isc_time_add() and isc_time_subtract() were void-
12150 valued before but now return isc_result_t.
12152 188. [func] Log a warning message when an incoming zone transfer
12153 contains out-of-zone data.
12155 187. [func] isc_ratelimiter_enqueue() has an additional argument
12158 186. [func] dns_request_getresponse() has an additional argument
12161 185. [bug] Fixed up handling of ISC_MEMCLUSTER_LEGACY. Several
12162 public functions did not have an isc__ prefix, and
12163 referred to functions that had previously been
12166 184. [cleanup] Variables/functions which began with two leading
12167 underscores were made to conform to the ANSI/ISO
12168 standard, which says that such names are reserved.
12170 183. [func] ISC_LOG_PRINTTAG option for log channels. Useful
12171 for logging the program name or other identifier.
12173 182. [cleanup] New command-line parameters for dnssec tools
12175 181. [func] Added dst_key_buildfilename and dst_key_parsefilename
12177 180. [func] New isc_result_t ISC_R_RANGE. Supersedes DNS_R_RANGE.
12179 179. [func] options named.conf statement *must* now come
12180 before any zone or view statements.
12182 178. [func] Post-load of named.conf check verifies a slave zone
12183 has non-empty list of masters defined.
12185 177. [func] New per-zone boolean:
12187 enable-zone yes | no ;
12189 intended to let a zone be disabled without having
12190 to comment out the entire zone statement.
12192 176. [func] New global and per-view option:
12194 max-cache-ttl number
12196 175. [func] New global and per-view option:
12198 additional-data internal | minimal | maximal;
12200 174. [func] New public function isc_sockaddr_format(), for
12201 formatting socket addresses in log messages.
12203 173. [func] Keep a queue of zones waiting for zone transfer
12204 quota so that a new transfer can be dispatched
12205 immediately whenever quota becomes available.
12207 172. [bug] $TTL directive was sometimes missing from dumped
12208 master files because totext_ctx_init() failed to
12209 initialize ctx->current_ttl_valid.
12211 171. [cleanup] On NetBSD systems, the mit-pthreads or
12212 unproven-pthreads library is now always used
12213 unless --with-ptl2 is explicitly specified on
12214 the configure command line. The
12215 --with-mit-pthreads option is no longer needed
12216 and has been removed.
12218 170. [cleanup] Remove inter server consistency checks from zone,
12219 these should return as a separate module in 9.1.
12220 dns_zone_checkservers(), dns_zone_checkparents(),
12221 dns_zone_checkchildren(), dns_zone_checkglue().
12223 Remove dns_zone_setadb(), dns_zone_setresolver(),
12224 dns_zone_setrequestmgr() these should now be found
12227 169. [func] ratelimiter can now process N events per interval.
12229 168. [bug] include statements in named.conf caused syntax errors
12230 due to not consuming the semicolon ending the include
12231 statement before switching input streams.
12233 167. [bug] Make lack of masters for a slave zone a soft error.
12235 166. [bug] Keygen was overwriting existing keys if key_id
12236 conflicted, now it will retry, and non-null keys
12237 with key_id == 0 are not generated anymore. Key
12238 was not able to generate NOAUTHCONF DSA key,
12239 increased RSA key size to 2048 bits.
12241 165. [cleanup] Silence "end-of-loop condition not reached" warnings
12242 from Solaris compiler.
12244 164. [func] Added functions isc_stdio_open(), isc_stdio_close(),
12245 isc_stdio_seek(), isc_stdio_read(), isc_stdio_write(),
12246 isc_stdio_flush(), isc_stdio_sync(), isc_file_remove()
12247 to encapsulate nonportable usage of errno and sync.
12249 163. [func] Added result codes ISC_R_FILENOTFOUND and
12252 162. [bug] Ensure proper range for arguments to ctype.h functions.
12254 161. [cleanup] error in yyparse prototype that only HPUX caught.
12256 160. [cleanup] getnet*() are not going to be implemented at this
12259 159. [func] Redefinition of config file elements is now an
12260 error (instead of a warning).
12262 158. [bug] Log channel and category list copy routines
12263 weren't assigning properly to output parameter.
12265 157. [port] Fix missing prototype for getopt().
12267 156. [func] Support new 'database' statement in zone.
12269 database "quoted-string";
12271 155. [bug] ns_notify_start() was not detaching the found zone.
12273 154. [func] The signer now logs libdns warnings to stderr even when
12274 not verbose, and in a nicer format.
12276 153. [func] dns_rdata_tostruct() 'mctx' is now optional. If 'mctx'
12277 is NULL then you need to preserve the 'rdata' until
12278 you have finished using the structure as there may be
12279 references to the associated memory. If 'mctx' is
12280 non-NULL it is guaranteed that there are no references
12281 to memory associated with 'rdata'.
12283 dns_rdata_freestruct() must be called if 'mctx' was
12284 non-NULL and may safely be called if 'mctx' was NULL.
12286 152. [bug] keygen dumped core if domain name argument was omitted
12289 151. [func] Support 'disabled' statement in zone config (causes
12290 zone to be parsed and then ignored). Currently must
12291 come after the 'type' clause.
12293 150. [func] Support optional ports in masters and also-notify
12296 masters [ port xxx ] { y.y.y.y [ port zzz ] ; }
12298 149. [cleanup] Removed unused argument 'olist' from
12299 dns_c_view_unsetordering().
12301 148. [cleanup] Stop issuing some warnings about some configuration
12302 file statements that were not implemented, but now are.
12304 147. [bug] Changed yacc union size to be smaller for yaccs that
12305 put yacc-stack on the real stack.
12307 146. [cleanup] More general redundant header file cleanup. Rather
12308 than continuing to itemize every header which changed,
12309 this changelog entry just notes that if a header file
12310 did not need another header file that it was including
12311 in order to provide its advertised functionality, the
12312 inclusion of the other header file was removed. See
12313 util/check-includes for how this was tested.
12315 145. [cleanup] Added <isc/lang.h> and ISC_LANG_BEGINDECLS/
12316 ISC_LANG_ENDDECLS to header files that had function
12317 prototypes, and removed it from those that did not.
12319 144. [cleanup] libdns header files too numerous to name were made
12320 to conform to the same style for multiple inclusion
12323 143. [func] Added function dns_rdatatype_isknown().
12325 142. [cleanup] <isc/stdtime.h> does not need <time.h> or
12328 141. [bug] Corrupt requests with multiple questions could
12329 cause an assertion failure.
12331 140. [cleanup] <isc/time.h> does not need <time.h> or <isc/result.h>.
12333 139. [cleanup] <isc/net.h> now includes <isc/types.h> instead of
12334 <isc/int.h> and <isc/result.h>.
12336 138. [cleanup] isc_strtouq moved from str.[ch] to string.[ch] and
12337 renamed isc_string_touint64. isc_strsep moved from
12338 strsep.c to string.c and renamed isc_string_separate.
12340 137. [cleanup] <isc/commandline.h>, <isc/mem.h>, <isc/print.h>
12341 <isc/serial.h>, <isc/string.h> and <isc/offset.h>
12342 made to conform to the same style for multiple
12343 inclusion protection.
12345 136. [cleanup] <isc/commandline.h>, <isc/interfaceiter.h>,
12346 <isc/net.h> and Win32's <isc/thread.h> needed
12347 ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS.
12349 135. [cleanup] Win32's <isc/condition.h> did not need <isc/result.h>
12350 or <isc/boolean.h>, now uses <isc/types.h> in place
12351 of <isc/time.h>, and needed ISC_LANG_BEGINDECLS
12352 and ISC_LANG_ENDDECLS.
12354 134. [cleanup] <isc/dir.h> does not need <limits.h>.
12356 133. [cleanup] <isc/ipv6.h> needs <isc/platform.h>.
12358 132. [cleanup] <isc/app.h> does not need <isc/task.h>, but does
12359 need <isc/eventclass.h>.
12361 131. [cleanup] <isc/mutex.h> and <isc/util.h> need <isc/result.h>
12362 for ISC_R_* codes used in macros.
12364 130. [cleanup] <isc/condition.h> does not need <pthread.h> or
12365 <isc/boolean.h>, and now includes <isc/types.h>
12366 instead of <isc/time.h>.
12368 129. [bug] The 'default_debug' log channel was not set up when
12369 'category default' was present in the config file
12371 128. [cleanup] <isc/dir.h> had ISC_LANG_BEGINDECLS instead of
12372 ISC_LANG_ENDDECLS at end of header.
12374 127. [cleanup] The contracts for the comparison routines
12375 dns_name_fullcompare(), dns_name_compare(),
12376 dns_name_rdatacompare(), and dns_rdata_compare() now
12377 specify that the order value returned is < 0, 0, or > 0
12378 instead of -1, 0, or 1.
12380 126. [cleanup] <isc/quota.h> and <isc/taskpool.h> need <isc/lang.h>.
12382 125. [cleanup] <isc/eventclass.h>, <isc/ipv6.h>, <isc/magic.h>,
12383 <isc/mutex.h>, <isc/once.h>, <isc/region.h>, and
12384 <isc/resultclass.h> do not need <isc/lang.h>.
12386 124. [func] signer now imports parent's zone key signature
12387 and creates null keys/sets zone status bit for
12388 children when necessary
12390 123. [cleanup] <isc/event.h> does not need <stddef.h>.
12392 122. [cleanup] <isc/task.h> does not need <isc/mem.h> or
12395 121. [cleanup] <isc/symtab.h> does not need <isc/mem.h> or
12396 <isc/result.h>. Multiple inclusion protection
12397 symbol fixed from ISC_SYMBOL_H to ISC_SYMTAB_H.
12398 isc_symtab_t moved to <isc/types.h>.
12400 120. [cleanup] <isc/socket.h> does not need <isc/boolean.h>,
12401 <isc/bufferlist.h>, <isc/task.h>, <isc/mem.h> or
12404 119. [cleanup] structure definitions for generic rdata structures do
12405 not have _generic_ in their names.
12407 118. [cleanup] libdns.a is now namespace-clean, on NetBSD, excepting
12408 YACC crust (yyparse, etc) [2000-apr-27 explorer]
12410 117. [cleanup] libdns.a changes:
12411 dns_zone_clearnotify() and dns_zone_addnotify()
12412 are replaced by dns_zone_setnotifyalso().
12413 dns_zone_clearmasters() and dns_zone_addmaster()
12414 are replaced by dns_zone_setmasters().
12416 116. [func] Added <isc/offset.h> for isc_offset_t (aka off_t
12419 115. [port] Shut up the -Wmissing-declarations warning about
12420 <stdio.h>'s __sputaux on BSD/OS pre-4.1.
12422 114. [cleanup] <isc/sockaddr.h> does not need <isc/buffer.h> or
12425 113. [func] Utility programs dig and host added.
12427 112. [cleanup] <isc/serial.h> does not need <isc/boolean.h>.
12429 111. [cleanup] <isc/rwlock.h> does not need <isc/result.h> or
12432 110. [cleanup] <isc/result.h> does not need <isc/boolean.h> or
12435 109. [bug] "make depend" did nothing for
12436 bin/tests/{db,mem,sockaddr,tasks,timers}/.
12438 108. [cleanup] DNS_SETBIT/DNS_GETBIT/DNS_CLEARBIT moved from
12439 <dns/types.h> to <dns/bit.h> and renamed to
12440 DNS_BIT_SET/DNS_BIT_GET/DNS_BIT_CLEAR.
12442 107. [func] Add keysigner and keysettool.
12444 106. [func] Allow dnssec verifications to ignore the validity
12445 period. Used by several of the dnssec tools.
12447 105. [doc] doc/dev/coding.html expanded with other
12448 implicit conventions the developers have used.
12450 104. [bug] Made compress_add and compress_find static to
12451 lib/dns/compress.c.
12453 103. [func] libisc buffer API changes for <isc/buffer.h>:
12455 isc_buffer_base(b) (pointer)
12456 isc_buffer_current(b) (pointer)
12457 isc_buffer_active(b) (pointer)
12458 isc_buffer_used(b) (pointer)
12459 isc_buffer_length(b) (int)
12460 isc_buffer_usedlength(b) (int)
12461 isc_buffer_consumedlength(b) (int)
12462 isc_buffer_remaininglength(b) (int)
12463 isc_buffer_activelength(b) (int)
12464 isc_buffer_availablelength(b) (int)
12466 ISC_BUFFER_USEDCOUNT(b)
12467 ISC_BUFFER_AVAILABLECOUNT(b)
12470 isc_buffer_used(b, r) ->
12471 isc_buffer_usedregion(b, r)
12472 isc_buffer_available(b, r) ->
12473 isc_buffer_available_region(b, r)
12474 isc_buffer_consumed(b, r) ->
12475 isc_buffer_consumedregion(b, r)
12476 isc_buffer_active(b, r) ->
12477 isc_buffer_activeregion(b, r)
12478 isc_buffer_remaining(b, r) ->
12479 isc_buffer_remainingregion(b, r)
12481 Buffer types were removed, so the ISC_BUFFERTYPE_*
12482 macros are no more, and the type argument to
12483 isc_buffer_init and isc_buffer_allocate were removed.
12484 isc_buffer_putstr is now void (instead of isc_result_t)
12485 and requires that the caller ensure that there
12486 is enough available buffer space for the string.
12488 102. [port] Correctly detect inet_aton, inet_pton and inet_ptop
12491 101. [cleanup] Quieted EGCS warnings from lib/isc/print.c.
12493 100. [cleanup] <isc/random.h> does not need <isc/int.h> or
12494 <isc/mutex.h>. isc_random_t moved to <isc/types.h>.
12496 99. [cleanup] Rate limiter now has separate shutdown() and
12497 destroy() functions, and it guarantees that all
12498 queued events are delivered even in the shutdown case.
12500 98. [cleanup] <isc/print.h> does not need <stdarg.h> or <stddef.h>
12501 unless ISC_PLATFORM_NEEDVSNPRINTF is defined.
12503 97. [cleanup] <isc/ondestroy.h> does not need <stddef.h> or
12506 96. [cleanup] <isc/mutex.h> does not need <isc/result.h>.
12508 95. [cleanup] <isc/mutexblock.h> does not need <isc/result.h>.
12510 94. [cleanup] Some installed header files did not compile as C++.
12512 93. [cleanup] <isc/msgcat.h> does not need <isc/result.h>.
12514 92. [cleanup] <isc/mem.h> does not need <stddef.h>, <isc/boolean.h>,
12517 91. [cleanup] <isc/log.h> does not need <sys/types.h> or
12520 90. [cleanup] Removed unneeded ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS
12521 from <named/listenlist.h>.
12523 89. [cleanup] <isc/lex.h> does not need <stddef.h>.
12525 88. [cleanup] <isc/interfaceiter.h> does not need <isc/result.h> or
12526 <isc/mem.h>. isc_interface_t and isc_interfaceiter_t
12527 moved to <isc/types.h>.
12529 87. [cleanup] <isc/heap.h> does not need <isc/boolean.h>,
12530 <isc/mem.h> or <isc/result.h>.
12532 86. [cleanup] isc_bufferlist_t moved from <isc/bufferlist.h> to
12535 85. [cleanup] <isc/bufferlist.h> does not need <isc/buffer.h>,
12536 <isc/list.h>, <isc/mem.h>, <isc/region.h> or
12539 84. [func] allow-query ACL checks now apply to all data
12540 added to a response.
12542 83. [func] If the server is authoritative for both a
12543 delegating zone and its (nonsecure) delegatee, and
12544 a query is made for a KEY RR at the top of the
12545 delegatee, then the server will look for a KEY
12546 in the delegator if it is not found in the delegatee.
12548 82. [cleanup] <isc/buffer.h> does not need <isc/list.h>.
12550 81. [cleanup] <isc/int.h> and <isc/boolean.h> do not need
12553 80. [cleanup] <isc/print.h> does not need <stdio.h> or <stdlib.h>.
12555 79. [cleanup] <dns/callbacks.h> does not need <stdio.h>.
12557 78. [cleanup] lwres_conftest renamed to lwresconf_test for
12558 consistency with other *_test programs.
12560 77. [cleanup] typedef of isc_time_t and isc_interval_t moved from
12561 <isc/time.h> to <isc/types.h>.
12563 76. [cleanup] Rewrote keygen.
12565 75. [func] Don't load a zone if its database file is older
12566 than the last time the zone was loaded.
12568 74. [cleanup] Removed mktemplate.o and ufile.o from libisc.a,
12569 subsumed by file.o.
12571 73. [func] New "file" API in libisc, including new function
12572 isc_file_getmodtime, isc_mktemplate renamed to
12573 isc_file_mktemplate and isc_ufile renamed to
12574 isc_file_openunique. By no means an exhaustive API,
12575 it is just what's needed for now.
12577 72. [func] DNS_RBTFIND_NOPREDECESSOR and DNS_RBTFIND_NOOPTIONS
12578 added for dns_rbt_findnode, the former to disable the
12579 setting of the chain to the predecessor, and the
12580 latter to make clear when no options are set.
12582 71. [cleanup] Made explicit the implicit REQUIREs of
12583 isc_time_seconds, isc_time_nanoseconds, and
12586 70. [func] isc_time_set() added.
12588 69. [bug] The zone object's master and also-notify lists grew
12589 longer with each server reload.
12591 68. [func] Partial support for SIG(0) on incoming messages.
12593 67. [performance] Allow use of alternate (compile-time supplied)
12594 OpenSSL libraries/headers.
12596 66. [func] Data in authoritative zones should have a trust level
12599 65. [cleanup] Removed obsolete typedef of dns_zone_callbackarg_t
12600 from <dns/types.h>.
12602 64. [func] The RBT, DB, and zone table APIs now allow the
12603 caller find the most-enclosing superdomain of
12606 63. [func] Generate NOTIFY messages.
12608 62. [func] Add UDP refresh support.
12610 61. [cleanup] Use single quotes consistently in log messages.
12612 60. [func] Catch and disallow singleton types on message
12615 59. [bug] Cause net/host unreachable to be a hard error
12616 when sending and receiving.
12618 58. [bug] bin/named/query.c could sometimes trigger the
12619 (client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
12620 == 0 assertion in query_newname().
12622 57. [func] Added dns_nxt_typepresent()
12624 56. [bug] SIG records were not properly returned in cached
12627 55. [bug] Responses containing multiple names in the authority
12628 section were not negatively cached.
12630 54. [bug] If a fetch with sigrdataset==NULL joined one with
12631 sigrdataset!=NULL or vice versa, the resolver
12632 could catch an assertion or lose signature data,
12635 53. [port] freebsd 4.0: lib/isc/unix/socket.c requires
12638 52. [bug] rndc: taskmgr and socketmgr were not initialized
12641 51. [cleanup] dns/compress.h and dns/zt.h did not need to include
12642 dns/rbt.h; it was needed only by compress.c and zt.c.
12644 50. [func] RBT deletion no longer requires a valid chain to work,
12645 and dns_rbt_deletenode was added.
12647 49. [func] Each cache now has its own mctx.
12649 48. [func] isc_task_create() no longer takes an mctx.
12650 isc_task_mem() has been eliminated.
12652 47. [func] A number of modules now use memory context reference
12655 46. [func] Memory contexts are now reference counted.
12656 Added isc_mem_inuse() and isc_mem_preallocate().
12657 Renamed isc_mem_destroy_check() to
12658 isc_mem_setdestroycheck().
12660 45. [bug] The trusted-key statement incorrectly loaded keys.
12662 44. [bug] Don't include authority data if it would force us
12663 to unset the AD bit in the message.
12665 43. [bug] DNSSEC verification of cached rdatasets was failing.
12667 42. [cleanup] Simplified logging of messages with embedded domain
12668 names by introducing a new convenience function
12671 41. [func] Use PR_SET_KEEPCAPS on Linux 2.3.99-pre3 and later
12672 to allow 'named' to run as a non-root user while
12673 retaining the ability to bind() to privileged
12676 40. [func] Introduced new logging category "dnssec" and
12677 logging module "dns/validator".
12679 39. [cleanup] Moved the typedefs for isc_region_t, isc_textregion_t,
12680 and isc_lex_t to <isc/types.h>.
12682 38. [bug] TSIG signed incoming zone transfers work now.
12684 37. [bug] If the first RR in an incoming zone transfer was
12685 not an SOA, the server died with an assertion failure
12686 instead of just reporting an error.
12688 36. [cleanup] Change DNS_R_SUCCESS (and others) to ISC_R_SUCCESS
12690 35. [performance] Log messages which are of a level too high to be
12691 logged by any channel in the logging configuration
12692 will not cause the log mutex to be locked.
12694 34. [bug] Recursion was allowed even with 'recursion no'.
12696 33. [func] The RBT now maintains a parent pointer at each node.
12698 32. [cleanup] bin/lwresd/client.c needs <string.h> for memset()
12701 31. [bug] Use ${LIBTOOL} to compile bin/named/main.@O@.
12703 30. [func] config file grammar change to support optional
12704 class type for a view.
12706 29. [func] support new config file view options:
12708 auth-nxdomain recursion query-source
12709 query-source-v6 transfer-source
12710 transfer-source-v6 max-transfer-time-out
12711 max-transfer-idle-out transfer-format
12712 request-ixfr provide-ixfr cleaning-interval
12713 fetch-glue notify rfc2308-type1 lame-ttl
12714 max-ncache-ttl min-roots
12716 28. [func] support lame-ttl, min-roots and serial-queries
12717 config global options.
12719 27. [bug] Only include <netinet6/in6.h> on BSD/OS 4.[01]*.
12720 Including it on other platforms (eg, NetBSD) can
12721 cause a forced #error from the C preprocessor.
12723 26. [func] new match-clients statement in config file view.
12725 25. [bug] make install failed to install <isc/log.h> and
12728 24. [cleanup] Eliminate some unnecessary #includes of header
12729 files from header files.
12731 23. [cleanup] Provide more context in log messages about client
12732 requests, using a new function ns_client_log().
12734 22. [bug] SIGs weren't returned in the answer section when
12735 the query resulted in a fetch.
12737 21. [port] Look at STD_CINCLUDES after CINCLUDES during
12738 compilation, so additional system include directories
12739 can be searched but header files in the bind9 source
12740 tree with conflicting names take precedence. This
12741 avoids issues with installed versions of dnssafe and
12744 20. [func] Configuration file post-load validation of zones
12745 failed if there were no zones.
12747 19. [bug] dns_zone_notifyreceive() failed to unlock the zone
12748 lock in certain error cases.
12750 18. [bug] Use AC_TRY_LINK rather than AC_TRY_COMPILE in
12751 configure.in to check for presence of in6addr_any.
12753 17. [func] Do configuration file post-load validation of zones.
12755 16. [bug] put quotes around key names on config file
12756 output to avoid possible keyword clashes.
12758 15. [func] Add dns_name_dupwithoffsets(). This function is
12759 improves comparison performance for duped names.
12761 14. [bug] free_rbtdb() could have 'put' unallocated memory in
12762 an unlikely error path.
12764 13. [bug] lib/dns/master.c and lib/dns/xfrin.c didn't ignore
12767 12. [bug] Fixed possible uninitialized variable error.
12769 11. [bug] axfr_rrstream_first() didn't check the result code of
12770 db_rr_iterator_first(), possibly causing an assertion
12771 to be triggered later.
12773 10. [bug] A bug in the code which makes EDNS0 OPT records in
12774 bin/named/client.c and lib/dns/resolver.c could
12775 trigger an assertion.
12777 9. [cleanup] replaced bit-setting code in confctx.c and replaced
12778 repeated code with macro calls.
12780 8. [bug] Shutdown of incoming zone transfer accessed
12783 7. [cleanup] removed 'listen-on' from view statement.
12785 6. [bug] quote RR names when generating config file to
12786 prevent possible clash with config file keywords
12789 5. [func] syntax change to named.conf file: new ssu grant/deny
12790 statements must now be enclosed by an 'update-policy'
12793 4. [port] bin/named/unix/os.c didn't compile on systems with
12794 linux 2.3 kernel includes due to conflicts between
12795 C library includes and the kernel includes. We now
12796 get only what we need from <linux/capability.h>, and
12797 avoid pulling in other linux kernel .h files.
12799 3. [bug] TKEYs go in the answer section of responses, not
12800 the additional section.
12802 2. [bug] Generating cryptographic randomness failed on
12803 systems without /dev/random.
12805 1. [bug] The installdirs rule in
12806 lib/isc/unix/include/isc/Makefile.in had a typo which
12807 prevented the isc directory from being created if it
12810 --- 9.0.0b2 released ---
12812 # This tells Emacs to use hard tabs in this file.
12814 # indent-tabs-mode: t
projects / FreeBSD / stable / 9.git / blob