3 --- 9.8.7rc2 released ---
5 3710. [bug] Address double dns_zone_detach when switching to
6 using automatic empty zones from regular zones.
9 3707. [bug] irs_resconf_load now returns ISC_R_FILENOTFOUND
10 on a missing resolv.conf file and initializes the
11 structure as if it had been configured with:
16 Note: Callers will need to be updated to treat
17 ISC_R_FILENOTFOUND as a qualified success or else
18 they will leak memory. The following code fragment
19 will work with both old and new versions without
20 changing the behaviour of the existing code.
23 result = irs_resconf_load(mctx, "/etc/resolv.conf",
25 if (result != ISC_SUCCESS) {
27 irs_resconf_destroy(&resconf);
33 3706. [contrib] queryperf: Fixed a possible integer overflow when
34 printing results. [RT #35182]
36 3704. [protocol] Accept integer timestamps in RRSIG records. [RT #35185]
38 --- 9.8.7rc1 released ---
40 3701. [func] named-checkconf can now suppress the printing of
41 shared secrets by specifying '-x'. [RT #34465]
43 3698. [cleanup] Replaced all uses of memcpy() with memmove().
46 3697. [bug] Handle "." as a search list element when IDN support
47 is enabled. [RT #35133]
49 3696. [bug] dig failed to handle AXFR style IXFR responses which
50 span multiple messages. [RT #35137]
52 3695. [bug] Address a possible race in dispatch.c. [RT #35107]
54 3694. [bug] Warn when a key-directory is configured for a zone,
55 but does not exist or is not a directory. [RT #35108]
57 3693. [security] memcpy was incorrectly called with overlapping
58 ranges resulting in malformed names being generated
59 on some platforms. This could cause INSIST failures
60 when serving NSEC3 signed zones (CVE-2014-0591).
63 3692. [bug] Two calls to dns_db_getoriginnode were fatal if there
64 was no data at the node. [RT #35080]
66 3689. [bug] Fixed a bug causing an insecure delegation from one
67 static-stub zone to another to fail with a broken
68 trust chain. [RT #35081]
70 --- 9.8.7b1 released ---
72 3688. [bug] loadnode could return a freed node on out of memory.
75 3683. [cleanup] Add a more detailed "not found" message to rndc
76 commands which specify a zone name. [RT #35059]
78 3681. [port] Update the Windows build system to support feature
79 selection and WIN64 builds. This is a work in
82 3679. [bug] dig could fail to clean up TCP sockets still
83 waiting on connect(). [RT #35074]
85 3678. [port] Update config.guess and config.sub. [RT #35060]
87 3677. [bug] 'nsupdate' leaked memory if 'realm' was used multiple
90 3676. [bug] "named-checkconf -z" now checks zones of type
91 hint as well as master. [RT #35046]
93 3675. [misc] Provide a place for third parties to add version
94 information for their extensions in the version
95 file by setting the EXTENSIONS variable.
97 3670. [bug] Address read after free in server side of
98 lwres_getrrsetbyname. [RT #29075]
100 3669. [port] freebsd: --with-gssapi needs -lhx509. [RT #35001]
102 3668. [bug] Fix cast in lex.c which could see 0xff treated as eof.
104 3667. [test] dig: add support to keep the TCP socket open between
105 successive queries (+[no]keepopen). [RT #34918]
107 3664. [bug] Updated OpenSSL PKCS#11 patches to fix active list
108 locking and other bugs. [RT #34855]
110 3663. [bug] Address bugs in dns_rdata_fromstruct and
111 dns_rdata_tostruct for WKS and ISDN types. [RT #34910]
113 3662. [bug] 'host' could die if a UDP query timed out. [RT #34870]
115 3660. [cleanup] Changed the name of "isc-config.sh" to "bind9-config".
118 3658. [port] linux: Address platform specific compilation issue
119 when libcap-devel is installed. [RT #34838]
121 3656. [security] Treat an all zero netmask as invalid when generating
122 the localnets acl. (The prior behavior could
123 allow unexpected matches when using some versions
124 of Winsock: CVE-2013-6320.) [RT #34687]
126 3655. [cleanup] Simplify TCP message processing when requesting a
127 zone transfer. [RT #34825]
129 3654. [bug] Address race condition with manual notify requests.
132 3653. [func] Create delegations for all "children" of empty zones
133 except "forward first". [RT #34826]
135 3651. [tuning] Adjust when a master server is deemed unreachable.
138 3650. [tuning] Use separate rate limiting queues for refresh and
139 notify requests. [RT #30589]
141 3649. [cleanup] Include a comment in .nzf files, giving the name of
142 the associated view. [RT #34765]
144 3648. [test] Updated the ATF test framework to version 0.17.
147 3646. [bug] Journal filename string could be set incorrectly,
148 causing garbage in log messages. [RT #34738]
150 3645. [protocol] Use case sensitive compression when responding to
153 3644. [protocol] Check that EDNS subnet client options are well formed.
156 3641. [bug] Handle changes to sig-validity-interval settings
159 3640. [bug] ndots was not being checked when searching. Only
160 continue searching on NXDOMAIN responses. Add the
161 ability to specify ndots to nslookup. [RT #34711]
163 3639. [bug] Treat type 65533 (KEYDATA) as opaque except when used
164 in a key zone. [RT #34238]
166 --- 9.8.6 released ---
168 3638. [cleanup] Add the ability to handle ENOPROTOOPT in case it is
169 encountered. [RT #34668]
171 --- 9.8.6rc2 released ---
173 3637. [bug] 'allow-query-on' was checking the source address
174 rather than the destination address. [RT #34590]
176 3636. [bug] Automatic empty zones now behave better with
177 forward only "zones" beneath them. [RT #34583]
179 3635. [bug] Signatures were not being removed from a zone with
180 only KSK keys for a algorithm. [RT #34439]
182 3634. [func] Report build-id in rndc status. Report build-id
183 when building from a git repository. [RT #20422]
185 3633. [cleanup] Refactor OPT processing in named to make it easier
186 to support new EDNS options. [RT #34414]
188 3632. [bug] Signature from newly inactive keys were not being
191 3631. [bug] Remove spurious warning about missing signatures when
192 qtype is SIG. [RT #34600]
194 3630. [bug] Ensure correct ID computation for MD5 keys. [RT #33033]
196 3627. [bug] RPZ changes were not effective on slaves. [RT #34450]
198 3625. [bug] Don't send notify messages to machines outside of the
201 --- 9.8.6rc1 released ---
203 3621. [security] Incorrect bounds checking on private type 'keydata'
204 can lead to a remotely triggerable REQUIRE failure
205 (CVE-2013-4854). [RT #34238]
207 3615. [cleanup] "configure" now finishes by printing a summary
208 of optional BIND features and whether they are
209 active or inactive. ("configure --enable-full-report"
210 increases the verbosity of the summary.) [RT #31777]
212 3614. [port] Check for <linux/types.h>. [RT #34162]
214 3611. [bug] Improved resistance to a theoretical authentication
215 attack based on differential timing. [RT #33939]
217 3610. [cleanup] win32: Some executables had been omitted from the
218 installer. [RT #34116]
220 3608. [port] win32: added todos.pl script to ensure all text files
221 the win32 build depends on are converted to DOS
222 newline format. [RT #22067]
224 3607. [bug] dnssec-keygen had broken 'Invalid keyfile' error
227 --- 9.8.6b1 released ---
229 3605. [port] win32: Addressed several compatibility issues
230 with newer versions of Visual Studio. [RT #33916]
232 3603. [bug] Install <isc/stat.h>. [RT #33956]
234 3601. [bug] Added to PKCS#11 openssl patches a value len
235 attribute in DH derive key. [RT #33928]
237 3600. [cleanup] dig: Fixed a typo in the warning output when receiving
238 an oversized response. [RT #33910]
240 3599. [tuning] Check for pointer equivalence in name comparisons.
243 3594. [maint] Update config.guess and config.sub. [RT #33816]
245 3592. [doc] Moved documentation of rndc command options to the
246 rndc man page. [RT #33506]
248 3588. [bug] dig: addressed a memory leak in the sigchase code
249 that could cause a shutdown crash. [RT #33733]
251 3587. [func] 'named -g' now checks the logging configuration but
252 does not use it. [RT #33473]
254 3586. [bug] Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]
256 3584. [security] Caching data from an incompletely signed zone could
257 trigger an assertion failure in resolver.c
258 (CVE-2013-3919). [RT #33690]
260 3583. [bug] Address memory leak in GSS-API processing [RT #33574]
262 3581. [bug] Changed the tcp-listen-queue default to 10. [RT #33029]
264 3580. [bug] Addressed a possible race in acache.c [RT #33602]
266 3579. [maint] Updates to PKCS#11 openssl patches, supporting
267 versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]
269 3578. [bug] 'rndc -c file' now fails if 'file' does not exist.
272 3577. [bug] Handle zero TTL values better. [RT #33411]
274 3576. [bug] Address a shutdown race when validating. [RT #33573]
276 3574. [doc] The 'hostname' keyword was missing from server-id
277 description in the named.conf man page. [RT #33476]
279 3573. [bug] "rndc addzone" and "rndc delzone" incorrectly handled
280 zone names containing punctuation marks and other
281 nonstandard characters. [RT #33419]
283 3571. [bug] Address race condition in dns_client_startresolve().
286 3566. [func] Log when forwarding updates to master. [RT #33240]
288 --- 9.8.5 released ---
290 3568. [cleanup] Add a product description line to the version file,
291 to be reported by named -v/-V. [RT #33366]
293 3567. [bug] Silence clang static analyzer warnings. [RT #33365]
295 3563. [contrib] zone2sqlite failed with some table names. [RT #33375]
297 3561. [bug] dig: issue a warning if an EDNS query returns FORMERR
298 or NOTIMP. Adjust usage message. [RT #33363]
300 --- 9.8.5rc1 released ---
302 3560. [bug] isc-config.sh did not honor includedir and libdir
303 when set via configure. [RT #33345]
305 3559. [func] Check that both forms of Sender Policy Framework
306 records exist or do not exist. [RT #33355]
308 3558. [bug] IXFR of a DLZ stored zone was broken. [RT #33331]
310 3556. [maint] Added AAAA for D.ROOT-SERVERS.NET.
312 3555. [bug] Address theoretical race conditions in acache.c
313 (change #3553 was incomplete). [RT #33252]
315 3553. [bug] Address suspected double free in acache. [RT #33252]
317 3552. [bug] Wrong getopt option string for 'nsupdate -r'.
320 3549. [doc] Documentation for "request-nsid" was missing.
323 3548. [bug] The NSID request code in resolver.c was broken
324 resulting in invalid EDNS options being sent.
327 3547. [bug] Some malformed unknown rdata records were not properly
328 detected and rejected. [RT #33129]
330 3056. [func] Added support for URI resource record. [RT #23386]
332 --- 9.8.5rc1 released ---
334 3546. [func] Add EUI48 and EUI64 types. [RT #33082]
336 3544. [contrib] check5011.pl: Script to report the status of
337 managed keys as recorded in managed-keys.bind.
338 Contributed by Tony Finch <dot@dotat.at>
340 3543. [bug] Update socket structure before attaching to socket
341 manager after accept. [RT #33084]
343 3542. [bug] masterformat system test was broken. [RT #33086]
345 3541. [bug] Parts of libdns were not properly initialized when
346 built in libexport mode. [RT #33028]
348 3540. [test] libt_api: t_info and t_assert were not thread safe.
350 3539. [port] win32: timestamp format didn't match other platforms.
352 3538. [test] Running "make test" now requires loopback interfaces
353 to be set up. [RT #32452]
355 3537. [tuning] Slave zones, when updated, now send NOTIFY messages
356 to peers before being dumped to disk rather than
359 3535. [bug] Minor win32 cleanups. [RT #32962]
361 3534. [bug] Extra text after an embedded NULL was ignored when
362 parsing zone files. [RT #32699]
364 3533. [contrib] query-loc-0.4.0: memory leaks. [RT #32960]
366 3532. [contrib] zkt: fixed buffer overrun, resource leaks. [RT #32960]
368 3531. [bug] win32: A uninitialized value could be returned on out
369 of memory. [RT #32960]
371 3530. [contrib] Better RTT tracking in queryperf. [RT #30128]
373 3526. [cleanup] Set up dependencies for unit tests correctly during
376 3521. [bug] Address memory leak in opensslecdsa_link.c. [RT #32249]
378 3520. [bug] 'mctx' was not being referenced counted in some places
379 where it should have been. [RT #32794]
381 --- 9.8.5b2 released ---
383 3517. [bug] Reorder destruction to avoid shutdown race. [RT #32777]
385 3515. [port] '%T' is not portable in strftime(). [RT #32763]
387 3514. [bug] The ranges for valid key sizes in ddns-confgen and
388 rndc-confgen were too constrained. Keys up to 512
389 bits are now allowed for most algorithms, and up
390 to 1024 bits for hmac-sha384 and hmac-sha512.
393 3509. [cleanup] Added a product line to version file to allow for
394 easy naming of different products (BIND
395 vs BIND ESV, for example). [RT #32755]
397 3508. [contrib] queryperf was incorrectly rejecting the -T option.
400 3503. [doc] Clarify size_spec syntax. [RT #32449]
402 3500. [security] Support NAPTR regular expression validation on
403 all platforms without using libregex, which
404 can be vulnerable to memory exhaustion attack
405 (CVE-2013-2266). [RT #32688]
407 3499. [doc] Corrected ARM documentation of built-in zones.
410 3498. [bug] zone statistics for zones which matched a potential
411 empty zone could have their zone-statistics setting
414 3496. [func] Improvements to RPZ performance. The "response-policy"
415 syntax now includes a "min-ns-dots" clause, with
416 default 1, to exclude top-level domains from
417 NSIP and NSDNAME checking. --enable-rpz-nsip and
418 --enable-rpz-nsdname are now the default. [RT #32251]
420 3489. [bug] --enable-developer now turns on ISC_LIST_CHECKINIT.
421 When cloning a rdataset do not copy the link contents.
424 3488. [bug] Use after free error with DH generated keys. [RT #32649]
426 3487. [bug] Change 3444 was not complete. There was a additional
427 place where the NOQNAME proof needed to be saved.
430 3486. [bug] named could crash when using TKEY-negotiated keys
431 that had been deleted and then recreated. [RT #32506]
433 3485. [cleanup] Only compile openssl_gostlink.c if we support GOST.
435 3481. [cleanup] Removed use of const const in atf.
437 3479. [bug] Address potential memory leaks in gssapi support
440 3478. [port] Fix a build failure in strict C99 environments
443 3474. [bug] nsupdate could assert when the local and remote
444 address families didn't match. [RT #22897]
446 3470. [bug] Slave zones could fail to dump when successfully
447 refreshing after an initial failure. [RT #31276]
449 --- 9.8.5b1 released ---
451 3468. [security] RPZ rules to generate A records (but not AAAA records)
452 could trigger an assertion failure when used in
453 conjunction with DNS64 (CVE-2012-5689). [RT #32141]
455 3467. [bug] Added checks in dnssec-keygen and dnssec-settime
456 to check for delete date < inactive date. [RT #31719]
458 3465. [bug] Handle isolated reserved ports. [RT #31778]
460 3464. [maint] Updates to PKCS#11 openssl patches, supporting
461 versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]
463 3463. [doc] Clarify managed-keys syntax in ARM. [RT #32232]
465 3462. [doc] Clarify server selection behavior of dig when using
466 -4 or -6 options. [RT #32181]
468 3461. [bug] Negative responses could incorrectly have AD=1
471 3458. [bug] Return FORMERR when presented with a overly long
472 domain named in a request. [RT #29682]
474 3457. [protocol] Add ILNP records (NID, LP, L32, L64). [RT #31836]
476 3456. [port] g++47: ATF failed to compile. [RT #32012]
478 3455. [contrib] queryperf: fix getopt option list. [RT #32338]
480 3454. [port] sparc64: improve atomic support. [RT #25182]
482 3452. [bug] Accept duplicate singleton records. [RT #32329]
484 3451. [port] Increase per thread stack size from 64K to 1M.
487 3450. [bug] Stop logfileconfig system test spam system logs.
490 3449. [bug] gen.c: use the pre-processor to construct format
491 strings so that compiler can perform sanity checks;
492 check the snprintf results. [RT #17576]
494 3448. [bug] The allow-query-on ACL was not processed correctly.
497 3447. [port] Add support for libxml2-2.9.x [RT #32231]
499 3446. [port] win32: Add source ID (see change #3400) to build.
502 3445. [bug] Warn about zone files with blank owner names
503 immediately after $ORIGIN directives. [RT #31848]
505 3444. [bug] The NOQNAME proof was not being returned from cached
506 insecure responses. [RT #21409]
508 3443. [bug] ddns-confgen: Some TSIG algorithms were incorrectly
509 rejected when generating keys. [RT #31927]
511 3442. [port] Net::DNS 0.69 introduced a non backwards compatible
514 3441. [maint] D.ROOT-SERVERS.NET is now 199.7.91.13.
516 3440. [bug] Reorder get_key_struct to not trigger a assertion when
517 cleaning up due to out of memory error. [RT #32131]
519 3439. [bug] contrib/dlz error checking fixes. [RT #32102]
521 3438. [bug] Don't accept unknown data escape in quotes. [RT #32031]
523 3437. [bug] isc_buffer_init -> isc_buffer_constinit to initialize
524 buffers with constant data. [RT #32064]
526 3436. [bug] Check malloc/calloc return values. [RT #32088]
528 3435. [bug] Cross compilation support in configure was broken.
531 3431. [bug] ddns-confgen: Some valid key algorithms were
532 not accepted. [RT #31927]
534 3430. [bug] win32: isc_time_formatISO8601 was missing the
535 'T' between the date and time. [RT #32044]
537 3429. [bug] dns_zone_getserial2 could a return success without
538 returning a valid serial. [RT #32007]
540 3428. [cleanup] dig: Add timezone to date output. [RT #2269]
542 3427. [bug] dig +trace incorrectly displayed name server
543 addresses instead of names. [RT #31641]
545 3425. [bug] "acacheentry" reference counting was broken resulting
546 in use after free. [RT #31908]
548 3422. [bug] Added a clear error message for when the SOA does not
549 match the referral. [RT #31281]
551 3421. [bug] Named loops when re-signing if all keys are offline.
554 3420. [bug] Address VPATH compilation issues. [RT #31879]
556 3419. [bug] Memory leak on validation cancel. [RT #31869]
558 3415. [bug] named could die with a REQUIRE failure if a validation
559 was canceled. [RT #31804]
561 3412. [bug] Copy timeval structure from control message data.
564 3411. [tuning] Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
567 3410. [bug] Addressed Coverity warnings. [RT #31626]
569 3409. [contrib] contrib/dane/mkdane.sh: Tool to generate TLSA RR's
570 from X.509 certificates, for use with DANE
571 (DNS-based Authentication of Named Entities).
574 3406. [bug] mem.c: Fix compilation errors when building with
575 ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
576 Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
578 3405. [bug] Handle time going backwards in acache. [RT #31253]
580 3404. [bug] dnssec-signzone: When re-signing a zone, remove
581 RRSIG and NSEC records from nodes that used to be
582 in-zone but are now below a zone cut. [RT #31556]
584 3403. [bug] Silence noisy OpenSSL logging. [RT #31497]
586 3402. [test] The IPv6 interface numbers used for system
587 tests were incorrect on some platforms. [RT #25085]
589 3401. [bug] Addressed Coverity warnings. [RT #31484]
591 3400. [cleanup] "named -V" can now report a source ID string, defined
592 in the "srcid" file in the build tree and normally set
593 to the most recent git hash. [RT #31494]
595 3397. [bug] dig crashed when using +nssearch with +tcp. [RT #25298]
597 3396. [bug] OPT records were incorrectly removed from signed,
598 truncated responses. [RT #31439]
600 3395. [protocol] Add RFC 6598 reverse zones to built in empty zones
601 list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
604 3394. [bug] Adjust 'successfully validated after lower casing
605 signer' log level and category. [RT #31414]
607 3393. [bug] 'host -C' could core dump if REFUSED was received.
610 3391. [bug] A DNSKEY lookup that encountered a CNAME failed.
613 3390. [bug] Silence clang compiler warnings. [RT #30417]
615 3389. [bug] Always return NOERROR (not 0) in TSIG. [RT #31275]
617 3388. [bug] Fixed several Coverity warnings.
618 Note: This change includes a fix for a bug that
619 was subsequently determined to be an exploitable
620 security vulnerability, CVE-2012-5688: named could
621 die on specific queries with dns64 enabled.
624 3386. [bug] Address locking violation when generating new NSEC /
625 NSEC3 chains. [RT #31224]
627 3384. [bug] Improved logging of crypto errors. [RT #30963]
629 3383. [security] A certain combination of records in the RBT could
630 cause named to hang while populating the additional
631 section of a response. [RT #31090]
633 3382. [bug] SOA query from slave used use-v6-udp-ports range,
634 if set, regardless of the address family in use.
637 3381. [contrib] Update queryperf to support more RR types.
640 3380. [bug] named could die if a nonexistent master list was
641 referenced in a also-notify. [RT #31004]
643 3379. [bug] isc_interval_zero and isc_time_epoch should be
644 "const (type)* const". [RT #31069]
646 3378. [bug] Handle missing 'managed-keys-directory' better.
649 3376. [bug] Lack of EDNS support was being recorded without a
650 successful response. [RT #30811]
652 3375. [func] Check that 'rndc dumpdb' works on a empty cache.
655 3374. [bug] isc_parse_uint32 failed to return a range error on
656 systems with 64 bit longs. [RT #30232]
658 3372. [bug] Silence spurious "deleted from unreachable cache"
659 messages. [RT #30501]
661 3371. [bug] AD=1 should behave like DO=1 when deciding whether to
662 add NS RRsets to the additional section or not.
665 --- 9.8.4 released ---
667 3373. [bug] win32: open raw files in binary mode. [RT #30944]
669 3364. [security] Named could die on specially crafted record.
672 --- 9.8.4rc1 released ---
674 3369. [bug] nsupdate terminated unexpectedly in interactive mode
675 if built with readline support. [RT #29550]
677 3368. [bug] <dns/iptable.h> and <dns/zone.h> were not C++ safe.
679 3367. [bug] dns_dnsseckey_create() result was not being checked.
682 3366. [bug] Fixed Read-After-Write dependency violation for IA64
683 atomic operations. [RT #25181]
685 3365. [bug] Removed spurious newlines from log messages in
688 3363. [bug] Need to allow "forward" and "fowarders" options
689 in static-stub zones; this had been overlooked.
692 3362. [bug] Setting some option values to 0 in named.conf
693 could trigger an assertion failure on startup.
696 3360. [bug] 'host -w' could die. [RT #18723]
698 3359. [bug] An improperly-formed TSIG secret could cause a
699 memory leak. [RT #30607]
701 3357. [port] Add support for libxml2-2.8.x [RT #30440]
703 3356. [bug] Cap the TTL of signed RRsets when RRSIGs are
704 approaching their expiry, so they don't remain
705 in caches after expiry. [RT #26429]
707 --- 9.8.4b1 released ---
709 3354. [func] Improve OpenSSL error logging. [RT #29932]
711 3353. [bug] Use a single task for task exclusive operations.
714 3352. [bug] Ensure that learned server attributes timeout of the
715 adb cache. [RT #29856]
717 3351. [bug] isc_mem_put and isc_mem_putanddetach didn't report
718 caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
719 memory debugging flags are set. [RT #30243]
721 3350. [bug] Memory read overrun in isc___mem_reallocate if
722 ISC_MEM_DEBUGCTX memory debugging flag is set.
725 3348. [bug] Prevent RRSIG data from being cached if a negative
726 record matching the covering type exists at a higher
727 trust level. Such data already can't be retrieved from
728 the cache since change 3218 -- this prevents it
729 being inserted into the cache as well. [RT #26809]
731 3347. [bug] dnssec-settime: Issue a warning when writing a new
732 private key file would cause a change in the
733 permissions of the existing file. [RT #27724]
735 3346. [security] Bad-cache data could be used before it was
736 initialized, causing an assert. [RT #30025]
738 3342. [bug] Change #3314 broke saving of stub zones to disk
739 resulting in excessive cpu usage in some cases.
742 3337. [bug] Change #3294 broke support for the multiple keys
743 in controls. [RT #29694]
745 3335. [func] nslookup: return a nonzero exit code when unable
746 to get an answer. [RT #29492]
748 3333. [bug] Setting resolver-query-timeout too low can cause
749 named to not recover if it loses connectivity.
752 3332. [bug] Re-use cached DS rrsets if possible. [RT #29446]
754 3331. [security] dns_rdataslab_fromrdataset could produce bad
755 rdataslabs. [RT #29644]
757 3330. [func] Fix missing signatures on NOERROR results despite
759 - add optional "recursive-only yes|no" to the
760 response-policy statement
761 - add optional "max-policy-ttl" to the response-policy
762 statement to limit the false data that
763 "recursive-only no" can introduce into
765 - add a RPZ performance test to bin/tests/system/rpz
766 when queryperf is available.
767 - the encoding of PASSTHRU action to "rpz-passthru".
768 (The old encoding is still accepted.)
772 3329. [bug] Handle RRSIG signer-name case consistently: We
773 generate RRSIG records with the signer-name in
774 lower case. We accept them with any case, but if
775 they fail to validate, we try again in lower case.
778 3328. [bug] Fixed inconsistent data checking in dst_parse.c.
781 3317. [func] Add ECDSA support (RFC 6605). [RT #21918]
783 --- 9.8.3 released ---
785 3318. [tuning] Reduce the amount of work performed while holding a
786 bucket lock when finished with a fetch context.
789 3314. [bug] The masters list could be updated while stub_callback
790 or refresh_callback were using it. [RT #26732]
792 3313. [protocol] Add TLSA record type. [RT #28989]
794 3312. [bug] named-checkconf didn't detect a bad dns64 clients acl.
797 3311. [bug] Abort the zone dump if zone->db is NULL in
798 zone.c:zone_gotwritehandle. [RT #29028]
800 3310. [test] Increase table size for mutex profiling. [RT #28809]
802 3309. [bug] resolver.c:fctx_finddone() was not thread safe.
805 3307. [bug] Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
808 3306. [bug] Improve DNS64 reverse zone performance. [RT #28563]
810 3305. [func] Add wire format lookup method to sdb. [RT #28563]
812 3304. [bug] Use hmctx, not mctx when freeing rbtdb->heaps.
815 3302. [bug] dns_dnssec_findmatchingkeys could fail to find
816 keys if the zone name contained character that
817 required special mappings. [RT #28600]
819 3301. [contrib] Update queryperf to build on darwin. Add -R flag
820 for non-recursive queries. [RT #28565]
822 3300. [bug] Named could die if gssapi was enabled in named.conf
823 but was not compiled in. [RT #28338]
825 3299. [bug] Make SDB handle errors from database drivers better.
828 3232. [bug] Zero zone->curmaster before return in
829 dns_zone_setmasterswithkeys(). [RT #26732]
831 3183. [bug] Added RTLD_GLOBAL flag to dlopen call. [RT #26301]
833 3197. [bug] Don't try to log the filename and line number when
834 the config parser can't open a file. [RT #22263]
836 --- 9.8.2 released ---
838 3298. [bug] Named could dereference a NULL pointer in
839 zmgr_start_xfrin_ifquota if the zone was being removed.
842 3297. [bug] Named could die on a malformed master file. [RT #28467]
844 3295. [bug] Adjust isc_time_secondsastimet range check to be more
845 portable. [RT # 26542]
847 3294. [bug] isccc/cc.c:table_fromwire failed to free alist on
850 3291. [port] Fixed a build error on systems without ENOTSUP.
853 3290. [bug] <isc/hmacsha.h> was not being installed. [RT #28169]
855 3288. [bug] dlz_destroy() function wasn't correctly registered
856 by the DLZ dlopen driver. [RT #28056]
858 3287. [port] Update ans.pl to work with Net::DNS 0.68. [RT #28028]
860 3286. [bug] Managed key maintenance timer could fail to start
861 after 'rndc reconfig'. [RT #26786]
863 --- 9.8.2rc2 released ---
865 3285. [bug] val-frdataset was incorrectly disassociated in
866 proveunsecure after calling startfinddlvsep.
869 3284. [bug] Address race conditions with the handling of
870 rbtnode.deadlink. [RT #27738]
872 3283. [bug] Raw zones with with more than 512 records in a RRset
873 failed to load. [RT #27863]
875 3282. [bug] Restrict the TTL of NS RRset to no more than that
876 of the old NS RRset when replacing it.
877 [RT #27792] [RT #27884]
879 3281. [bug] SOA refresh queries could be treated as cancelled
880 despite succeeding over the loopback interface.
883 3280. [bug] Potential double free of a rdataset on out of memory
884 with DNS64. [RT #27762]
886 3278. [bug] Make sure automatic key maintenance is started
887 when "auto-dnssec maintain" is turned on during
888 "rndc reconfig". [RT #26805]
890 3276. [bug] win32: ns_os_openfile failed to return NULL on
891 safe_open failure. [RT #27696]
893 3274. [bug] Log when a zone is not reusable. Only set loadtime
894 on successful loads. [RT #27650]
896 3273. [bug] AAAA responses could be returned in the additional
897 section even when filter-aaaa-on-v4 was in use.
900 3271. [port] darwin: mksymtbl is not always stable, loop several
901 times before giving up. mksymtbl was using non
902 portable perl to covert 64 bit hex strings. [RT #27653]
904 3268. [bug] Convert RRSIG expiry times to 64 timestamps to work
905 out the earliest expiry time. [RT #23311]
907 3267. [bug] Memory allocation failures could be mis-reported as
908 unexpected error. New ISC_R_UNSET result code.
911 3266. [bug] The maximum number of NSEC3 iterations for a
912 DNSKEY RRset was not being properly computed.
915 3262. [bug] Signed responses were handled incorrectly by RPZ.
918 --- 9.8.2rc1 released ---
920 3260. [bug] "rrset-order cyclic" could appear not to rotate
921 for some query patterns. [RT #27170/27185]
923 3259. [bug] named-compilezone: Suppress "dump zone to <file>"
924 message when writing to stdout. [RT #27109]
926 3258. [test] Add "forcing full sign with unreadable keys" test.
929 3257. [bug] Do not generate a error message when calling fsync()
930 in a pipe or socket. [RT #27109]
932 3256. [bug] Disable empty zones for lwresd -C. [RT #27139]
934 3254. [bug] Set isc_socket_ipv6only() on the IPv6 control channels.
937 3253. [bug] Return DNS_R_SYNTAX when the input to a text field is
938 too long. [RT #26956]
940 3251. [bug] Enforce a upper bound (65535 bytes) on the amount of
941 memory dns_sdlz_putrr() can allocate per record to
942 prevent run away memory consumption on ISC_R_NOSPACE.
945 3250. [func] 'configure --enable-developer'; turn on various
946 configure options, normally off by default, that
947 we want developers to build and test with. [RT #27103]
949 3249. [bug] Update log message when saving slave zones files for
950 analysis after load failures. [RT #27087]
952 3248. [bug] Configure options --enable-fixed-rrset and
953 --enable-exportlib were incompatible with each
956 3247. [bug] 'raw' format zones failed to preserve load order
957 breaking 'fixed' sort order. [RT #27087]
959 3243. [port] netbsd,bsdi: the thread defaults were not being
962 3241. [bug] Address race conditions in the resolver code.
965 3240. [bug] DNSKEY state change events could be missed. [RT #26874]
967 3239. [bug] dns_dnssec_findmatchingkeys needs to use a consistent
968 timestamp. [RT #26883]
970 3238. [bug] keyrdata was not being reinitialized in
971 lib/dns/rbtdb.c:iszonesecure. [RT#26913]
973 3237. [bug] dig -6 didn't work with +trace. [RT #26906]
975 --- 9.8.2b1 released ---
977 3234. [bug] 'make depend' produced invalid makefiles. [RT #26830]
979 3231. [bug] named could fail to send a incompressible zone.
982 3230. [bug] 'dig axfr' failed to properly handle a multi-message
983 axfr with a serial of 0. [RT #26796]
985 3229. [bug] Fix local variable to struct var assignment
986 found by CLANG warning.
988 3228. [tuning] Dynamically grow symbol table to improve zone
989 loading performance. [RT #26523]
991 3227. [bug] Interim fix to make WKS's use of getprotobyname()
992 and getservbyname() self thread safe. [RT #26232]
994 3226. [bug] Address minor resource leakages. [RT #26624]
996 3221. [bug] Fixed a potential core dump on shutdown due to
997 referencing fetch context after it's been freed.
1000 3220. [bug] Change #3186 was incomplete; dns_db_rpz_findips()
1001 could fail to set the database version correctly,
1002 causing an assertion failure. [RT #26180]
1004 3218. [security] Cache lookup could return RRSIG data associated with
1005 nonexistent records, leading to an assertion
1006 failure. [RT #26590]
1008 3217. [cleanup] Fix build problem with --disable-static. [RT #26476]
1010 3216. [bug] resolver.c:validated() was not thread-safe. [RT #26478]
1012 3213. [doc] Clarify ixfr-from-differences behavior. [RT #25188]
1014 3212. [bug] rbtdb.c: failed to remove a node from the deadnodes
1015 list prior to adding a reference to it leading a
1016 possible assertion failure. [RT #23219]
1018 3209. [func] Add "dnssec-lookaside 'no'". [RT #24858]
1020 3208. [bug] 'dig -y' handle unknown tsig algorithm better.
1023 3207. [contrib] Fixed build error in Berkeley DB DLZ module. [RT #26444]
1025 3206. [cleanup] Add ISC information to log at start time. [RT #25484]
1027 3204. [bug] When a master server that has been marked as
1028 unreachable sends a NOTIFY, mark it reachable
1031 3203. [bug] Increase log level to 'info' for validation failures
1032 from expired or not-yet-valid RRSIGs. [RT #21796]
1034 3200. [doc] Some rndc functions were undocumented or were
1035 missing from 'rndc -h' output. [RT #25555]
1037 3198. [doc] Clarified that dnssec-settime can alter keyfile
1038 permissions. [RT #24866]
1040 3196. [bug] nsupdate: return nonzero exit code when target zone
1041 doesn't exist. [RT #25783]
1043 3195. [cleanup] Silence "file not found" warnings when loading
1044 managed-keys zone. [RT #26340]
1046 3194. [doc] Updated RFC references in the 'empty-zones-enable'
1047 documentation. [RT #25203]
1049 3193. [cleanup] Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
1050 dnssec.h. [RT #26415]
1052 3192. [bug] A query structure could be used after being freed.
1055 3191. [bug] Print NULL records using "unknown" format. [RT #26392]
1057 3190. [bug] Underflow in error handling in isc_mutexblock_init.
1060 3189. [test] Added a summary report after system tests. [RT #25517]
1062 3188. [bug] zone.c:zone_refreshkeys() could fail to detach
1063 references correctly when errors occurred, causing
1064 a hang on shutdown. [RT #26372]
1066 3187. [port] win32: support for Visual Studio 2008. [RT #26356]
1068 3186. [bug] Version/db mis-match in rpz code. [RT #26180]
1070 3179. [port] kfreebsd: build issues. [RT #26273]
1072 3175. [bug] Fix how DNSSEC positive wildcard responses from a
1073 NSEC3 signed zone are validated. Stop sending a
1074 unnecessary NSEC3 record when generating such
1075 responses. [RT #26200]
1077 3174. [bug] Always compute to revoked key tag from scratch.
1080 3173. [port] Correctly validate root DS responses. [RT #25726]
1082 3171. [bug] Exclusively lock the task when adding a zone using
1083 'rndc addzone'. [RT #25600]
1085 3170. [func] RPZ update:
1086 - fix precedence among competing rules
1087 - improve ARM text including documenting rule precedence
1088 - try to rewrite CNAME chains until first hit
1089 - new "rpz" logging channel
1090 - RDATA for CNAME rules can include wildcards
1091 - replace "NO-OP" named.conf policy override with
1092 "PASSTHRU" and add "DISABLED" override ("NO-OP"
1093 is still recognized)
1096 3169. [func] Catch db/version mis-matches when calling dns_db_*().
1099 3167. [bug] Negative answers from forwarders were not being
1100 correctly tagged making them appear to not be cached.
1103 3162. [test] start.pl: modified to allow for "named.args" in
1104 ns*/ subdirectory to override stock arguments to
1105 named. Largely from RT#26044, but no separate ticket.
1107 3161. [bug] zone.c:del_sigs failed to always reset rdata leading
1108 assertion failures. [RT #25880]
1110 3157. [tuning] Reduce the time spent in "rndc reconfig" by parsing
1111 the config file before pausing the server. [RT #21373]
1113 3155. [bug] Fixed a build failure when using contrib DLZ
1114 drivers (e.g., mysql, postgresql, etc). [RT #25710]
1116 3154. [bug] Attempting to print an empty rdataset could trigger
1117 an assert. [RT #25452]
1119 3152. [cleanup] Some versions of gcc and clang failed due to
1120 incorrect use of __builtin_expect. [RT #25183]
1122 3151. [bug] Queries for type RRSIG or SIG could be handled
1123 incorrectly. [RT #21050]
1125 3148. [bug] Processing of normal queries could be stalled when
1126 forwarding a UPDATE message. [RT #24711]
1128 3146. [test] Fixed gcc4.6.0 errors in ATF. [RT #25598]
1130 3145. [test] Capture output of ATF unit tests in "./atf.out" if
1131 there were any errors while running them. [RT #25527]
1133 3144. [bug] dns_dbiterator_seek() could trigger an assert when
1134 used with a nonexistent database node. [RT #25358]
1136 3143. [bug] Silence clang compiler warnings. [RT #25174]
1138 3139. [test] Added tests from RFC 6234, RFC 2202, and RFC 1321
1139 for the hashing algorithms (md5, sha1 - sha512, and
1140 their hmac counterparts). [RT #25067]
1142 --- 9.8.1 released ---
1144 --- 9.8.1rc1 released ---
1146 3141. [bug] Silence spurious "zone serial (0) unchanged" messages
1147 associated with empty zones. [RT #25079]
1149 3138. [bug] Address memory leaks and out-of-order operations when
1150 shutting named down. [RT #25210]
1152 3136. [func] Add RFC 1918 reverse zones to the list of built-in
1153 empty zones switched on by the 'empty-zones-enable'
1156 Note: empty-zones-enable must be "yes;" or a empty
1157 zone needs to be disabled in named.conf for RFC 1918
1158 zones to be activated. This requirement may be
1159 removed in future releases.
1161 3135. [port] FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
1162 See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
1165 3134. [bug] Improve the accuracy of dnssec-signzone's signing
1166 statistics. [RT #16030]
1168 --- 9.8.1b3 released ---
1170 3133. [bug] Change #3114 was incomplete. [RT #24577]
1172 3131. [tuning] Improve scalability by allocating one zone task
1173 per 100 zones at startup time, rather than using a
1174 fixed-size task table. [RT #24406]
1176 3129. [bug] Named could crash on 'rndc reconfig' when
1177 allow-new-zones was set to yes and named ACLs
1178 were used. [RT #22739]
1180 --- 9.8.1b2 released ---
1182 3126. [security] Using DNAME record to generate replacements caused
1183 RPZ to exit with a assertion failure. [RT #24766]
1185 3125. [security] Using wildcard CNAME records as a replacement with
1186 RPZ caused named to exit with a assertion failure.
1189 3124. [bug] Use an rdataset attribute flag to indicate
1190 negative-cache records rather than using rrtype 0;
1191 this will prevent problems when that rrtype is
1192 used in actual DNS packets. [RT #24777]
1194 3123. [security] Change #2912 exposed a latent flaw in
1195 dns_rdataset_totext() that could cause named to
1196 crash with an assertion failure. [RT #24777]
1198 3122. [cleanup] dnssec-settime: corrected usage message. [RT #24664]
1200 3121. [security] An authoritative name server sending a negative
1201 response containing a very large RRset could
1202 trigger an off-by-one error in the ncache code
1203 and crash named. [RT #24650]
1205 3120. [bug] Named could fail to validate zones listed in a DLV
1206 that validated insecure without using DLV and had
1207 DS records in the parent zone. [RT #24631]
1209 3119. [bug] When rolling to a new DNSSEC key, a private-type
1210 record could be created and never marked complete.
1213 3118. [bug] nsupdate could dump core on shutdown when using
1214 SIG(0) keys. [RT #24604]
1216 3117. [cleanup] Remove doc and parser references to the
1217 never-implemented 'auto-dnssec create' option.
1220 3115. [bug] Named could fail to return requested data when
1221 following a CNAME that points into the same zone.
1224 3114. [bug] Retain expired RRSIGs in dynamic zones if key is
1225 inactive and there is no replacement key. [RT #23136]
1227 3113. [doc] Document the relationship between serial-query-rate
1228 and NOTIFY messages.
1230 --- 9.8.1b1 released ---
1232 3112. [doc] Add missing descriptions of the update policy name
1233 types "ms-self", "ms-subdomain", "krb5-self" and
1234 "krb5-subdomain", which allow machines to update
1235 their own records, to the BIND 9 ARM.
1237 3111. [bug] Improved consistency checks for dnssec-enable and
1238 dnssec-validation, added test cases to the
1239 checkconf system test. [RT #24398]
1241 3110. [bug] dnssec-signzone: Wrong error message could appear
1242 when attempting to sign with no KSK. [RT #24369]
1244 3107. [bug] dnssec-signzone: Report the correct number of ZSKs
1245 when using -x. [RT #20852]
1247 3105. [bug] GOST support can be suppressed by "configure
1248 --without-gost" [RT #24367]
1250 3104. [bug] Better support for cross-compiling. [RT #24367]
1252 3103. [bug] Configuring 'dnssec-validation auto' in a view
1253 instead of in the options statement could trigger
1254 an assertion failure in named-checkconf. [RT #24382]
1256 3101. [bug] Zones using automatic key maintenance could fail
1257 to check the key repository for updates. [RT #23744]
1259 3100. [security] Certain response policy zone configurations could
1260 trigger an INSIST when receiving a query of type
1263 3099. [test] "dlz" system test now runs but gives R:SKIPPED if
1264 not compiled with --with-dlz-filesystem. [RT #24146]
1266 3098. [bug] DLZ zones were answering without setting the AA bit.
1269 3097. [test] Add a tool to test handling of malformed packets.
1272 3096. [bug] Set KRB5_KTNAME before calling log_cred() in
1273 dst_gssapi_acceptctx(). [RT #24004]
1275 3095. [bug] Handle isolated reserved ports in the port range.
1278 3094. [doc] Expand dns64 documentation.
1280 3093. [bug] Fix gssapi/kerberos dependencies [RT #23836]
1282 3092. [bug] Signatures for records at the zone apex could go
1283 stale due to an incorrect timer setting. [RT #23769]
1285 3091. [bug] Fixed a bug in which zone keys that were published
1286 and then subsequently activated could fail to trigger
1287 automatic signing. [RT #22911]
1289 3090. [func] Make --with-gssapi default [RT #23738]
1291 3088. [bug] Remove bin/tests/system/logfileconfig/ns1/named.conf
1292 and add setup.sh in order to resolve changing
1293 named.conf issue. [RT #23687]
1295 3087. [bug] DDNS updates using SIG(0) with update-policy match
1296 type "external" could cause a crash. [RT #23735]
1298 3086. [bug] Running dnssec-settime -f on an old-style key will
1299 now force an update to the new key format even if no
1300 other change has been specified, using "-P now -A now"
1301 as default values. [RT #22474]
1303 3083. [bug] NOTIFY messages were not being sent when generating
1304 a NSEC3 chain incrementally. [RT #23702]
1306 3082. [port] strtok_r is threads only. [RT #23747]
1308 3081. [bug] Failure of DNAME substitution did not return
1309 YXDOMAIN. [RT #23591]
1311 3080. [cleanup] Replaced compile time constant by STDTIME_ON_32BITS.
1314 3079. [bug] Handle isc_event_allocate failures in t_tasks.
1317 3078. [func] Added a new include file with function typedefs
1318 for the DLZ "dlopen" driver. [RT #23629]
1320 3077. [bug] zone.c:zone_refreshkeys() incorrectly called
1321 dns_zone_attach(), use zone->irefs instead. [RT #23303]
1323 3075. [bug] dns_dnssec_findzonekeys{2} used a inconsistent
1324 timestamp when determining which keys are active.
1327 3074. [bug] Make the adb cache read through for zone data and
1328 glue learn for zone named is authoritative for.
1331 3073. [bug] managed-keys changes were not properly being recorded.
1334 3072. [bug] dns_dns64_aaaaok() potential NULL pointer dereference.
1337 3071. [bug] has_nsec could be used uninitialized in
1338 update.c:next_active. [RT #20256]
1340 3070. [bug] dnssec-signzone potential NULL pointer dereference.
1343 3069. [cleanup] Silence warnings messages from clang static analysis.
1346 3068. [bug] Named failed to build with a OpenSSL without engine
1347 support. [RT #23473]
1349 3067. [bug] ixfr-from-differences {master|slave}; failed to
1350 select the master/slave zones. [RT #23580]
1352 3066. [func] The DLZ "dlopen" driver is now built by default,
1353 no longer requiring a configure option. To
1354 disable it, use "configure --without-dlopen".
1355 (Note: driver not supported on win32.) [RT #23467]
1357 3065. [bug] RRSIG could have time stamps too far in the future.
1360 3064. [bug] powerpc: add sync instructions to the end of atomic
1361 operations. [RT #23469]
1363 3063. [contrib] More verbose error reporting from DLZ LDAP. [RT #23402]
1365 3059. [test] Added a regression test for change #3023.
1367 3058. [bug] Cause named to terminate at startup or rndc reconfig/
1368 reload to fail, if a log file specified in the conf
1369 file isn't a plain file. [RT #22771]
1371 3057. [bug] "rndc secroots" would abort after the first error
1372 and so could miss some views. [RT #23488]
1374 3054. [bug] Added elliptic curve support check in
1375 GOST OpenSSL engine detection. [RT #23485]
1377 3053. [bug] Under a sustained high query load with a finite
1378 max-cache-size, it was possible for cache memory
1379 to be exhausted and not recovered. [RT #23371]
1381 3052. [test] Fixed last autosign test report. [RT #23256]
1383 3051. [bug] NS records obscure DNAME records at the bottom of the
1384 zone if both are present. [RT #23035]
1386 3050. [bug] The autosign system test was timing dependent.
1387 Wait for the initial autosigning to complete
1388 before running the rest of the test. [RT #23035]
1390 3049. [bug] Save and restore the gid when creating creating
1391 named.pid at startup. [RT #23290]
1393 3048. [bug] Fully separate view key management. [RT #23419]
1395 3047. [bug] DNSKEY NODATA responses not cached fixed in
1396 validator.c. Tests added to dnssec system test.
1399 3046. [bug] Use RRSIG original TTL to compute validated RRset
1400 and RRSIG TTL. [RT #23332]
1402 3044. [bug] Hold the socket manager lock while freeing the socket.
1405 3043. [test] Merged in the NetBSD ATF test framework (currently
1406 version 0.12) for development of future unit tests.
1407 Use configure --with-atf to build ATF internally
1408 or configure --with-atf=prefix to use an external
1411 3042. [bug] dig +trace could fail attempting to use IPv6
1412 addresses on systems with only IPv4 connectivity.
1415 3041. [bug] dnssec-signzone failed to generate new signatures on
1416 ttl changes. [RT #23330]
1418 3040. [bug] Named failed to validate insecure zones where a node
1419 with a CNAME existed between the trust anchor and the
1420 top of the zone. [RT #23338]
1422 3038. [bug] Install <dns/rpz.h>. [RT #23342]
1424 3037. [doc] Update COPYRIGHT to contain all the individual
1425 copyright notices that cover various parts.
1427 3036. [bug] Check built-in zone arguments to see if the zone
1428 is re-usable or not. [RT #21914]
1430 3035. [cleanup] Simplify by using strlcpy. [RT #22521]
1432 3034. [cleanup] nslookup: use strlcpy instead of safecopy. [RT #22521]
1434 3033. [cleanup] Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).
1437 3032. [bug] rdatalist.c: add missing REQUIREs. [RT #22521]
1439 3031. [bug] dns_rdataclass_format() handle a zero sized buffer.
1442 3030. [bug] dns_rdatatype_format() handle a zero sized buffer.
1445 3029. [bug] isc_netaddr_format() handle a zero sized buffer.
1448 3028. [bug] isc_sockaddr_format() handle a zero sized buffer.
1451 3027. [bug] Add documented REQUIREs to cfg_obj_asnetprefix() to
1452 catch NULL pointer dereferences before they happen.
1455 3026. [bug] lib/isc/httpd.c: check that we have enough space
1456 after calling grow_headerspace() and if not
1457 re-call grow_headerspace() until we do. [RT #22521]
1459 --- 9.8.0 released ---
1461 3025. [bug] Fixed a possible deadlock due to zone resigning.
1464 3024. [func] RTT Banding removed due to minor security increase
1465 but major impact on resolver latency. [RT #23310]
1467 3023. [bug] Named could be left in an inconsistent state when
1468 receiving multiple AXFR response messages that were
1469 not all TSIG-signed. [RT #23254]
1471 3022. [bug] Fixed rpz SERVFAILs after failed zone transfers
1474 3021. [bug] Change #3010 was incomplete. [RT #22296]
1476 3020. [bug] auto-dnssec failed to correctly update the zone when
1477 changing the DNSKEY RRset. [RT #23232]
1479 3019. [test] Test: check apex NSEC3 records after adding DNSKEY
1480 record via UPDATE. [RT #23229]
1482 --- 9.8.0rc1 released ---
1484 3018. [bug] Named failed to check for the "none;" acl when deciding
1485 if a zone may need to be re-signed. [RT #23120]
1487 3017. [doc] dnssec-keyfromlabel -I was not properly documented.
1490 3016. [bug] rndc usage missing '-b'. [RT #22937]
1492 3015. [port] win32: fix IN6_IS_ADDR_LINKLOCAL and
1493 IN6_IS_ADDR_SITELOCAL macros. [RT #22724]
1495 3013. [bug] The DNS64 ttl was not always being set as expected.
1498 3012. [bug] Remove DNSKEY TTL change pairs before generating
1499 signing records for any remaining DNSKEY changes.
1502 3011. [func] Allow setting this in named.conf using the new
1503 'resolver-query-timeout' option, which specifies a max
1504 time in seconds. 0 means 'default' and anything longer
1505 than 30 will be silently set to 30. [RT #22852]
1507 3010. [bug] Fixed a bug where "rndc reconfig" stopped the timer
1508 for refreshing managed-keys. [RT #22296]
1510 3009. [bug] clients-per-query code didn't work as expected with
1511 particular query patterns. [RT #22972]
1513 --- 9.8.0b1 released ---
1515 3008. [func] Response policy zones (RPZ) support. [RT #21726]
1517 3007. [bug] Named failed to preserve the case of domain names in
1518 rdata which is not compressible when writing master
1521 3006. [func] Allow dynamically generated TSIG keys to be preserved
1522 across restarts of named. Initially this is for
1523 TSIG keys generated using GSSAPI. [RT #22639]
1525 3005. [port] Solaris: Work around the lack of
1526 gsskrb5_register_acceptor_identity() by setting
1527 the KRB5_KTNAME environment variable to the
1528 contents of tkey-gssapi-keytab. Also fixed
1529 test errors on MacOSX. [RT #22853]
1531 3004. [func] DNS64 reverse support. [RT #22769]
1533 3003. [experimental] Added update-policy match type "external",
1534 enabling named to defer the decision of whether to
1535 allow a dynamic update to an external daemon.
1536 (Contributed by Andrew Tridgell.) [RT #22758]
1538 3002. [bug] isc_mutex_init_errcheck() failed to destroy attr.
1541 3001. [func] Added a default trust anchor for the root zone, which
1542 can be switched on by setting "dnssec-validation auto;"
1543 in the named.conf options. [RT #21727]
1545 3000. [bug] More TKEY/GSS fixes:
1546 - nsupdate can now get the default realm from
1547 the user's Kerberos principal
1548 - corrected gsstest compilation flags
1549 - improved documentation
1550 - fixed some NULL dereferences
1553 2999. [func] Add GOST support (RFC 5933). [RT #20639]
1555 2998. [func] Add isc_task_beginexclusive and isc_task_endexclusive
1556 to the task api. [RT #22776]
1558 2997. [func] named -V now reports the OpenSSL and libxml2 verions
1559 it was compiled against. [RT #22687]
1561 2996. [security] Temporarily disable SO_ACCEPTFILTER support.
1564 2995. [bug] The Kerberos realm was not being correctly extracted
1565 from the signer's identity. [RT #22770]
1567 2994. [port] NetBSD: use pthreads by default on NetBSD >= 5.0, and
1568 do not use threads on earlier versions. Also kill
1569 the unproven-pthreads, mit-pthreads, and ptl2 support.
1571 2993. [func] Dynamically grow adb hash tables. [RT #21186]
1573 2992. [contrib] contrib/check-secure-delegation.pl: A simple tool
1574 for looking at a secure delegation. [RT #22059]
1576 2991. [contrib] contrib/zone-edit.sh: A simple zone editing tool for
1577 dynamic zones. [RT #22365]
1579 2990. [bug] 'dnssec-settime -S' no longer tests prepublication
1580 interval validity when the interval is set to 0.
1583 2989. [func] Added support for writable DLZ zones. (Contributed
1584 by Andrew Tridgell of the Samba project.) [RT #22629]
1586 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation
1587 of external DLZ drivers that can be loaded as
1588 shared objects at runtime rather than linked with
1589 named. Currently this is switched on via a
1590 compile-time option, "configure --with-dlz-dlopen".
1591 Note: the syntax for configuring DLZ zones
1592 is likely to be refined in future releases.
1593 (Contributed by Andrew Tridgell of the Samba
1594 project.) [RT #22629]
1596 2987. [func] Improve ease of configuring TKEY/GSS updates by
1597 adding a "tkey-gssapi-keytab" option. If set,
1598 updates will be allowed with any key matching
1599 a principal in the specified keytab file.
1600 "tkey-gssapi-credential" is no longer required
1601 and is expected to be deprecated. (Contributed
1602 by Andrew Tridgell of the Samba project.)
1605 2986. [func] Add new zone type "static-stub". It's like a stub
1606 zone, but the nameserver names and/or their IP
1607 addresses are statically configured. [RT #21474]
1609 2985. [bug] Add a regression test for change #2896. [RT #21324]
1611 2984. [bug] Don't run MX checks when the target of the MX record
1614 2983. [bug] Include "loadkeys" in rndc help output. [RT #22493]
1616 --- 9.8.0a1 released ---
1618 2982. [bug] Reference count dst keys. dst_key_attach() can be used
1619 increment the reference count.
1621 Note: dns_tsigkey_createfromkey() callers should now
1622 always call dst_key_free() rather than setting it
1623 to NULL on success. [RT #22672]
1625 2981. [func] Partial DNS64 support (AAAA synthesis). [RT #21991]
1627 2980. [bug] named didn't properly handle UPDATES that changed the
1628 TTL of the NSEC3PARAM RRset. [RT #22363]
1630 2979. [bug] named could deadlock during shutdown if two
1631 "rndc stop" commands were issued at the same
1634 2978. [port] hpux: look for <devpoll.h> [RT #21919]
1636 2977. [bug] 'nsupdate -l' report if the session key is missing.
1639 2976. [bug] named could die on exit after negotiating a GSS-TSIG
1642 2975. [bug] rbtdb.c:cleanup_dead_nodes_callback() acquired the
1643 wrong lock which could lead to server deadlock.
1646 2974. [bug] Some valid UPDATE requests could fail due to a
1647 consistency check examining the existing version
1648 of the zone rather than the new version resulting
1649 from the UPDATE. [RT #22413]
1651 2973. [bug] bind.keys.h was being removed by the "make clean"
1652 at the end of configure resulting in build failures
1653 where there is very old version of perl installed.
1654 Move it to "make maintainer-clean". [RT #22230]
1656 2972. [bug] win32: address windows socket errors. [RT #21906]
1658 2971. [bug] Fixed a bug that caused journal files not to be
1659 compacted on Windows systems as a result of
1660 non-POSIX-compliant rename() semantics. [RT #22434]
1662 2970. [security] Adding a NO DATA negative cache entry failed to clear
1663 any matching RRSIG records. A subsequent lookup of
1664 of NO DATA cache entry could trigger a INSIST when the
1665 unexpected RRSIG was also returned with the NO DATA
1668 CVE-2010-3613, VU#706148. [RT #22288]
1670 2969. [security] Fix acl type processing so that allow-query works
1671 in options and view statements. Also add a new
1672 set of tests to verify proper functioning.
1674 CVE-2010-3615, VU#510208. [RT #22418]
1676 2968. [security] Named could fail to prove a data set was insecure
1677 before marking it as insecure. One set of conditions
1678 that can trigger this occurs naturally when rolling
1681 CVE-2010-3614, VU#837744. [RT #22309]
1683 2967. [bug] 'host -D' now turns on debugging messages earlier.
1686 2966. [bug] isc_print_vsnprintf() failed to check if there was
1687 space available in the buffer when adding a left
1688 justified character with a non zero width,
1689 (e.g. "%-1c"). [RT #22270]
1691 2965. [func] Test HMAC functions using test data from RFC 2104 and
1692 RFC 4634. [RT #21702]
1696 2963. [security] The allow-query acl was being applied instead of the
1697 allow-query-cache acl to cache lookups. [RT #22114]
1699 2962. [port] win32: add more dependencies to BINDBuild.dsw.
1702 2961. [bug] Be still more selective about the non-authoritative
1703 answers we apply change 2748 to. [RT #22074]
1705 2960. [func] Check that named accepts non-authoritative answers.
1708 2959. [func] Check that named starts with a missing masterfile.
1711 2958. [bug] named failed to start with a missing master file.
1714 2957. [bug] entropy_get() and entropy_getpseudo() failed to match
1715 the API for RAND_bytes() and RAND_pseudo_bytes()
1716 respectively. [RT #21962]
1718 2956. [port] Enable atomic operations on the PowerPC64. [RT #21899]
1720 2955. [func] Provide more detail in the recursing log. [RT #22043]
1722 2954. [bug] contrib: dlz_mysql_driver.c bad error handling on
1723 build_sqldbinstance failure. [RT #21623]
1725 2953. [bug] Silence spurious "expected covering NSEC3, got an
1726 exact match" message when returning a wildcard
1727 no data response. [RT #21744]
1729 2952. [port] win32: named-checkzone and named-checkconf failed
1730 to initialize winsock. [RT #21932]
1732 2951. [bug] named failed to generate a correct signed response
1733 in a optout, delegation only zone with no secure
1734 delegations. [RT #22007]
1736 2950. [bug] named failed to perform a SOA up to date check when
1737 falling back to TCP on UDP timeouts when
1738 ixfr-from-differences was set. [RT #21595]
1740 2949. [bug] dns_view_setnewzones() contained a memory leak if
1741 it was called multiple times. [RT #21942]
1743 2948. [port] MacOS: provide a mechanism to configure the test
1744 interfaces at reboot. See bin/tests/system/README
1749 2946. [doc] Document the default values for the minimum and maximum
1750 zone refresh and retry values in the ARM. [RT #21886]
1752 2945. [doc] Update empty-zones list in ARM. [RT #21772]
1754 2944. [maint] Remove ORCHID prefix from built in empty zones.
1757 2943. [func] Add support to load new keys into managed zones
1758 without signing immediately with "rndc loadkeys".
1759 Add support to link keys with "dnssec-keygen -S"
1760 and "dnssec-settime -S". [RT #21351]
1762 2942. [contrib] zone2sqlite failed to setup the entropy sources.
1765 2941. [bug] sdb and sdlz (dlz's zone database) failed to support
1766 DNAME at the zone apex. [RT #21610]
1768 2940. [port] Remove connection aborted error message on
1769 Windows. [RT #21549]
1771 2939. [func] Check that named successfully skips NSEC3 records
1772 that fail to match the NSEC3PARAM record currently
1775 2938. [bug] When generating signed responses, from a signed zone
1776 that uses NSEC3, named would use a uninitialized
1777 pointer if it needed to skip a NSEC3 record because
1778 it didn't match the selected NSEC3PARAM record for
1781 2937. [bug] Worked around an apparent race condition in over
1782 memory conditions. Without this fix a DNS cache DB or
1783 ADB could incorrectly stay in an over memory state,
1784 effectively refusing further caching, which
1785 subsequently made a BIND 9 caching server unworkable.
1786 This fix prevents this problem from happening by
1787 polling the state of the memory context, rather than
1788 making a copy of the state, which appeared to cause
1789 a race. This is a "workaround" in that it doesn't
1790 solve the possible race per se, but several experiments
1791 proved this change solves the symptom. Also, the
1792 polling overhead hasn't been reported to be an issue.
1793 This bug should only affect a caching server that
1794 specifies a finite max-cache-size. It's also quite
1795 likely that the bug happens only when enabling threads,
1796 but it's not confirmed yet. [RT #21818]
1798 2936. [func] Improved configuration syntax and multiple-view
1799 support for addzone/delzone feature (see change
1800 #2930). Removed "new-zone-file" option, replaced
1801 with "allow-new-zones (yes|no)". The new-zone-file
1802 for each view is now created automatically, with
1803 a filename generated from a hash of the view name.
1804 It is no longer necessary to "include" the
1805 new-zone-file in named.conf; this happens
1806 automatically. Zones that were not added via
1807 "rndc addzone" can no longer be removed with
1808 "rndc delzone". [RT #19447]
1810 2935. [bug] nsupdate: improve 'file not found' error message.
1813 2934. [bug] Use ANSI C compliant shift range in lib/isc/entropy.c.
1816 2933. [bug] 'dig +nsid' used stack memory after it went out of
1817 scope. This could potentially result in a unknown,
1818 potentially malformed, EDNS option being sent instead
1819 of the desired NSID option. [RT #21781]
1821 2932. [cleanup] Corrected a numbering error in the "dnssec" test.
1824 2931. [bug] Temporarily and partially disable change 2864
1825 because it would cause infinite attempts of RRSIG
1826 queries. This is an urgent care fix; we'll
1827 revisit the issue and complete the fix later.
1830 2930. [experimental] New "rndc addzone" and "rndc delzone" commands
1831 allow dynamic addition and deletion of zones.
1832 To enable this feature, specify a "new-zone-file"
1833 option at the view or options level in named.conf.
1834 Zone configuration information for the new zones
1835 will be written into that file. To make the new
1836 zones persist after a restart, "include" the file
1837 into named.conf in the appropriate view. (Note:
1838 This feature is not yet documented, and its syntax
1839 is expected to change.) [RT #19447]
1841 2929. [bug] Improved handling of GSS security contexts:
1842 - added LRU expiration for generated TSIGs
1843 - added the ability to use a non-default realm
1844 - added new "realm" keyword in nsupdate
1845 - limited lifetime of generated keys to 1 hour
1846 or the lifetime of the context (whichever is
1850 2928. [bug] Be more selective about the non-authoritative
1851 answer we apply change 2748 to. [RT #21594]
1857 2925. [bug] Named failed to accept uncachable negative responses
1858 from insecure zones. [RT# 21555]
1860 2924. [func] 'rndc secroots' dump a combined summary of the
1861 current managed keys combined with trusted keys.
1864 2923. [bug] 'dig +trace' could drop core after "connection
1865 timeout". [RT #21514]
1867 2922. [contrib] Update zkt to version 1.0.
1869 2921. [bug] The resolver could attempt to destroy a fetch context
1870 too soon. [RT #19878]
1872 2920. [func] Allow 'filter-aaaa-on-v4' to be applied selectively
1873 to IPv4 clients. New acl 'filter-aaaa' (default any).
1875 2919. [func] Add autosign-ksk and autosign-zsk virtual time tests.
1878 2918. [maint] Add AAAA address for I.ROOT-SERVERS.NET.
1880 2917. [func] Virtual time test framework. [RT #20801]
1882 2916. [func] Add framework to use IPv6 in tests.
1883 fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7
1885 2915. [cleanup] Be smarter about which objects we attempt to compile
1886 based on configure options. [RT #21444]
1888 2914. [bug] Make the "autosign" system test more portable.
1891 2913. [func] Add pkcs#11 system tests. [RT #20784]
1893 2912. [func] Windows clients don't like UPDATE responses that clear
1894 the zone section. [RT #20986]
1896 2911. [bug] dnssec-signzone didn't handle out of zone records well.
1899 2910. [func] Sanity check Kerberos credentials. [RT #20986]
1901 2909. [bug] named-checkconf -p could die if "update-policy local;"
1902 was specified in named.conf. [RT #21416]
1904 2908. [bug] It was possible for re-signing to stop after removing
1905 a DNSKEY. [RT #21384]
1907 2907. [bug] The export version of libdns had undefined references.
1910 2906. [bug] Address RFC 5011 implementation issues. [RT #20903]
1912 2905. [port] aix: set use_atomic=yes with native compiler.
1915 2904. [bug] When using DLV, sub-zones of the zones in the DLV,
1916 could be incorrectly marked as insecure instead of
1917 secure leading to negative proofs failing. This was
1918 a unintended outcome from change 2890. [RT# 21392]
1920 2903. [bug] managed-keys-directory missing from namedconf.c.
1923 2902. [func] Add regression test for change 2897. [RT #21040]
1925 2901. [port] Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]
1927 2900. [bug] The placeholder negative caching element was not
1928 properly constructed triggering a INSIST in
1929 dns_ncache_towire(). [RT #21346]
1931 2899. [port] win32: Support linking against OpenSSL 1.0.0.
1933 2898. [bug] nslookup leaked memory when -domain=value was
1934 specified. [RT #21301]
1936 2897. [bug] NSEC3 chains could be left behind when transitioning
1937 to insecure. [RT #21040]
1939 2896. [bug] "rndc sign" failed to properly update the zone
1940 when adding a DNSKEY for publication only. [RT #21045]
1942 2895. [func] genrandom: add support for the generation of multiple
1945 2894. [contrib] DLZ LDAP support now use '$' not '%'. [RT #21294]
1947 2893. [bug] Improve managed keys support. New named.conf option
1948 managed-keys-directory. [RT #20924]
1950 2892. [bug] Handle REVOKED keys better. [RT #20961]
1952 2891. [maint] Update empty-zones list to match
1953 draft-ietf-dnsop-default-local-zones-13. [RT# 21099]
1955 2890. [bug] Handle the introduction of new trusted-keys and
1956 DS, DLV RRsets better. [RT #21097]
1958 2889. [bug] Elements of the grammar where not properly reported.
1961 2888. [bug] Only the first EDNS option was displayed. [RT #21273]
1963 2887. [bug] Report the keytag times in UTC in the .key file,
1964 local time is presented as a comment within the
1965 comment. [RT #21223]
1967 2886. [bug] ctime() is not thread safe. [RT #21223]
1969 2885. [bug] Improve -fno-strict-aliasing support probing in
1970 configure. [RT #21080]
1972 2884. [bug] Insufficient validation in dns_name_getlabelsequence().
1975 2883. [bug] 'dig +short' failed to handle really large datasets.
1978 2882. [bug] Remove memory context from list of active contexts
1979 before clearing 'magic'. [RT #21274]
1981 2881. [bug] Reduce the amount of time the rbtdb write lock
1982 is held when closing a version. [RT #21198]
1984 2880. [cleanup] Make the output of dnssec-keygen and dnssec-revoke
1985 consistent. [RT #21078]
1987 2879. [contrib] DLZ bdbhpt driver fails to close correct cursor.
1990 2878. [func] Incrementally write the master file after performing
1993 2877. [bug] The validator failed to skip obviously mismatching
1996 2876. [bug] Named could return SERVFAIL for negative responses
1997 from unsigned zones. [RT #21131]
1999 2875. [bug] dns_time64_fromtext() could accept non digits.
2002 2874. [bug] Cache lack of EDNS support only after the server
2003 successfully responds to the query using plain DNS.
2006 2873. [bug] Canceling a dynamic update via the dns/client module
2007 could trigger an assertion failure. [RT #21133]
2009 2872. [bug] Modify dns/client.c:dns_client_createx() to only
2010 require one of IPv4 or IPv6 rather than both.
2013 2871. [bug] Type mismatch in mem_api.c between the definition and
2014 the header file, causing build failure with
2015 --enable-exportlib. [RT #21138]
2017 2870. [maint] Add AAAA address for L.ROOT-SERVERS.NET.
2019 2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call.
2022 2868. [cleanup] Run "make clean" at the end of configure to ensure
2023 any changes made by configure are integrated.
2024 Use --with-make-clean=no to disable. [RT #20994]
2026 2867. [bug] Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
2027 don't like it. [RT #20986]
2029 2866. [bug] Windows does not like the TSIG name being compressed.
2032 2865. [bug] memset to zero event.data. [RT #20986]
2034 2864. [bug] Direct SIG/RRSIG queries were not handled correctly.
2037 2863. [port] linux: disable IPv6 PMTUD and use network minimum MTU.
2040 2862. [bug] nsupdate didn't default to the parent zone when
2041 updating DS records. [RT #20896]
2043 2861. [doc] dnssec-settime man pages didn't correctly document the
2044 inactivation time. [RT #21039]
2046 2860. [bug] named-checkconf's usage was out of date. [RT #21039]
2048 2859. [bug] When canceling validation it was possible to leak
2051 2858. [bug] RTT estimates were not being adjusted on ICMP errors.
2054 2857. [bug] named-checkconf did not fail on a bad trusted key.
2057 2856. [bug] The size of a memory allocation was not always properly
2058 recorded. [RT #20927]
2060 2855. [func] nsupdate will now preserve the entered case of domain
2061 names in update requests it sends. [RT #20928]
2063 2854. [func] dig: allow the final soa record in a axfr response to
2064 be suppressed, dig +onesoa. [RT #20929]
2066 2853. [bug] add_sigs() could run out of scratch space. [RT #21015]
2068 2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]
2070 2851. [doc] nslookup.1, removed <informalexample> from the docbook
2071 source as it produced bad nroff. [RT #21007]
2073 2850. [bug] If isc_heap_insert() failed due to memory shortage
2074 the heap would have corrupted entries. [RT #20951]
2076 2849. [bug] Don't treat errors from the xml2 library as fatal.
2079 2848. [doc] Moved README.dnssec, README.libdns, README.pkcs11 and
2080 README.rfc5011 into the ARM. [RT #20899]
2082 2847. [cleanup] Corrected usage message in dnssec-settime. [RT #20921]
2084 2846. [bug] EOF on unix domain sockets was not being handled
2085 correctly. [RT #20731]
2087 2845. [bug] RFC 5011 client could crash on shutdown. [RT #20903]
2089 2844. [doc] notify-delay default in ARM was wrong. It should have
2090 been five (5) seconds.
2092 2843. [func] Prevent dnssec-keygen and dnssec-keyfromlabel from
2093 creating key files if there is a chance that the new
2094 key ID will collide with an existing one after
2095 either of the keys has been revoked. (To override
2096 this in the case of dnssec-keyfromlabel, use the -y
2097 option. dnssec-keygen will simply create a
2098 different, non-colliding key, so an override is
2099 not necessary.) [RT #20838]
2101 2842. [func] Added "smartsign" and improved "autosign" and
2102 "dnssec" regression tests. [RT #20865]
2104 2841. [bug] Change 2836 was not complete. [RT #20883]
2106 2840. [bug] Temporary fixed pkcs11-destroy usage check.
2109 2839. [bug] A KSK revoked by named could not be deleted.
2114 2837. [port] Prevent Linux spurious warnings about fwrite().
2117 2836. [bug] Keys that were scheduled to become active could
2118 be delayed. [RT #20874]
2120 2835. [bug] Key inactivity dates were inadvertently stored in
2121 the private key file with the outdated tag
2122 "Unpublish" rather than "Inactive". This has been
2123 fixed; however, any existing keys that had Inactive
2124 dates set will now need to have them reset, using
2125 'dnssec-settime -I'. [RT #20868]
2127 2834. [bug] HMAC-SHA* keys that were longer than the algorithm
2128 digest length were used incorrectly, leading to
2129 interoperability problems with other DNS
2130 implementations. This has been corrected.
2131 (Note: If an oversize key is in use, and
2132 compatibility is needed with an older release of
2133 BIND, the new tool "isc-hmac-fixup" can convert
2134 the key secret to a form that will work with all
2135 versions.) [RT #20751]
2137 2833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime.
2140 2832. [bug] Modify "struct stat" in lib/export/samples/nsprobe.c
2141 to avoid redefinition in some OSs [RT 20831]
2143 2831. [security] Do not attempt to validate or cache
2144 out-of-bailiwick data returned with a secure
2145 answer; it must be re-fetched from its original
2146 source and validated in that context. [RT #20819]
2148 2830. [bug] Changing the OPTOUT setting could take multiple
2151 2829. [bug] Fixed potential node inconsistency in rbtdb.c.
2154 2828. [security] Cached CNAME or DNAME RR could be returned to clients
2155 without DNSSEC validation. [RT #20737]
2157 2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
2159 2826. [bug] NSEC3->NSEC transitions could fail due to a lock not
2160 being released. [RT #20740]
2162 2825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that
2163 was in the process of being created was not properly
2164 recorded in the zone. [RT #20786]
2166 2824. [bug] "rndc sign" was not being run by the correct task.
2169 2823. [bug] rbtdb.c:getsigningtime() was missing locks. [RT #20781]
2171 2822. [bug] rbtdb.c:loadnode() could return the wrong result.
2174 2821. [doc] Add note that named-checkconf doesn't automatically
2175 read rndc.key and bind.keys [RT #20758]
2177 2820. [func] Handle read access failure of OpenSSL configuration
2178 file more user friendly (PKCS#11 engine patch).
2181 2819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define.
2184 2818. [cleanup] rndc could return an incorrect error code
2185 when a zone was not found. [RT #20767]
2187 2817. [cleanup] Removed unnecessary isc_task_endexclusive() calls.
2190 2816. [bug] previous_closest_nsec() could fail to return
2191 data for NSEC3 nodes [RT #29730]
2193 2815. [bug] Exclusively lock the task when freezing a zone.
2196 2814. [func] Provide a definitive error message when a master
2197 zone is not loaded. [RT #20757]
2199 2813. [bug] Better handling of unreadable DNSSEC key files.
2202 2812. [bug] Make sure updates can't result in a zone with
2203 NSEC-only keys and NSEC3 records. [RT #20748]
2205 2811. [cleanup] Add "rndc sign" to list of commands in rndc usage
2208 2810. [doc] Clarified the process of transitioning an NSEC3 zone
2209 to insecure. [RT #20746]
2211 2809. [cleanup] Restored accidentally-deleted text in usage output
2212 in dnssec-settime and dnssec-revoke [RT #20739]
2214 2808. [bug] Remove the attempt to install atomic.h from lib/isc.
2215 atomic.h is correctly installed by the architecture
2216 specific subdirectories. [RT #20722]
2218 2807. [bug] Fixed a possible ASSERT when reconfiguring zone
2221 --- 9.7.0rc1 released ---
2223 2806. [bug] "rdnc sign" could delay re-signing the DNSKEY
2224 when it had changed. [RT #20703]
2226 2805. [bug] Fixed namespace problems encountered when building
2227 external programs using non-exported BIND9 libraries
2228 (i.e., built without --enable-exportlib). [RT #20679]
2230 2804. [bug] Send notifies when a zone is signed with "rndc sign"
2231 or as a result of a scheduled key change. [RT #20700]
2233 2803. [port] win32: Install named-journalprint, nsec3hash, arpaname
2234 and genrandom under windows. [RT #20670]
2236 2802. [cleanup] Rename journalprint to named-journalprint. [RT #20670]
2238 2801. [func] Detect and report records that are different according
2239 to DNSSEC but are semantically equal according to plain
2240 DNS. Apply plain DNS comparisons rather than DNSSEC
2241 comparisons when processing UPDATE requests.
2242 dnssec-signzone now removes such semantically duplicate
2243 records prior to signing the RRset.
2245 named-checkzone -r {ignore|warn|fail} (default warn)
2246 named-compilezone -r {ignore|warn|fail} (default warn)
2248 named.conf: check-dup-records {ignore|warn|fail};
2250 2800. [func] Reject zones which have NS records which refer to
2251 CNAMEs, DNAMEs or don't have address record (class IN
2252 only). Reject UPDATEs which would cause the zone
2253 to fail the above checks if committed. [RT #20678]
2255 2799. [cleanup] Changed the "secure-to-insecure" option to
2256 "dnssec-secure-to-insecure", and "dnskey-ksk-only"
2257 to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
2259 2798. [bug] Addressed bugs in managed-keys initialization
2260 and rollover. [RT #20683]
2262 2797. [bug] Don't decrement the dispatch manager's maxbuffers.
2265 2796. [bug] Missing dns_rdataset_disassociate() call in
2266 dns_nsec3_delnsec3sx(). [RT #20681]
2268 2795. [cleanup] Add text to differentiate "update with no effect"
2269 log messages. [RT #18889]
2271 2794. [bug] Install <isc/namespace.h>. [RT #20677]
2273 2793. [func] Add "autosign" and "metadata" tests to the
2274 automatic tests. [RT #19946]
2276 2792. [func] "filter-aaaa-on-v4" can now be set in view
2277 options (if compiled in). [RT #20635]
2279 2791. [bug] The installation of isc-config.sh was broken.
2282 2790. [bug] Handle DS queries to stub zones. [RT #20440]
2284 2789. [bug] Fixed an INSIST in dispatch.c [RT #20576]
2286 2788. [bug] dnssec-signzone could sign with keys that were
2287 not requested [RT #20625]
2289 2787. [bug] Spurious log message when zone keys were
2290 dynamically reconfigured. [RT #20659]
2292 2786. [bug] Additional could be promoted to answer. [RT #20663]
2294 --- 9.7.0b3 released ---
2296 2785. [bug] Revoked keys could fail to self-sign [RT #20652]
2298 2784. [bug] TC was not always being set when required glue was
2299 dropped. [RT #20655]
2301 2783. [func] Return minimal responses to EDNS/UDP queries with a UDP
2302 buffer size of 512 or less. [RT #20654]
2304 2782. [port] win32: use getaddrinfo() for hostname lookups.
2307 2781. [bug] Inactive keys could be used for signing. [RT #20649]
2309 2780. [bug] dnssec-keygen -A none didn't properly unset the
2310 activation date in all cases. [RT #20648]
2312 2779. [bug] Dynamic key revocation could fail. [RT #20644]
2314 2778. [bug] dnssec-signzone could fail when a key was revoked
2315 without deleting the unrevoked version. [RT #20638]
2317 2777. [contrib] DLZ MYSQL auto reconnect support discovery was wrong.
2319 2776. [bug] Change #2762 was not correct. [RT #20647]
2321 2775. [bug] Accept RSASHA256 and RSASHA512 as NSEC3 compatible
2322 in dnssec-keyfromlabel. [RT #20643]
2324 2774. [bug] Existing cache DB wasn't being reused after
2325 reconfiguration. [RT #20629]
2327 2773. [bug] In autosigned zones, the SOA could be signed
2328 with the KSK. [RT #20628]
2330 2772. [security] When validating, track whether pending data was from
2331 the additional section or not and only return it if
2332 validates as secure. [RT #20438]
2334 2771. [bug] dnssec-signzone: DNSKEY records could be
2335 corrupted when importing from key files [RT #20624]
2337 2770. [cleanup] Add log messages to resolver.c to indicate events
2338 causing FORMERR responses. [RT #20526]
2340 2769. [cleanup] Change #2742 was incomplete. [RT #19589]
2342 2768. [bug] dnssec-signzone: -S no longer implies -g [RT #20568]
2344 2767. [bug] named could crash on startup if a zone was
2345 configured with auto-dnssec and there was no
2346 key-directory. [RT #20615]
2348 2766. [bug] isc_socket_fdwatchpoke() should only update the
2349 socketmgr state if the socket is not pending on a
2350 read or write. [RT #20603]
2352 2765. [bug] Skip masters for which the TSIG key cannot be found.
2355 2764. [bug] "rndc-confgen -a" could trigger a REQUIRE. [RT #20610]
2357 2763. [bug] "rndc sign" didn't create an NSEC chain. [RT #20591]
2359 2762. [bug] DLV validation failed with a local slave DLV zone.
2362 2761. [cleanup] Enable internal symbol table for backtrace only for
2363 systems that are known to work. Currently, BSD
2364 variants, Linux and Solaris are supported. [RT# 20202]
2366 2760. [cleanup] Corrected named-compilezone usage summary. [RT #20533]
2368 2759. [doc] Add information about .jbk/.jnw files to
2369 the ARM. [RT #20303]
2371 2758. [bug] win32: Added a workaround for a windows 2008 bug
2372 that could cause the UDP client handler to shut
2375 2757. [bug] dig: assertion failure could occur in connect
2376 timeout. [RT #20599]
2378 2756. [bug] Fixed corrupt logfile message in update.c. [RT# 20597]
2382 2754. [bug] Secure-to-insecure transitions failed when zone
2383 was signed with NSEC3. [RT #20587]
2385 2753. [bug] Removed an unnecessary warning that could appear when
2386 building an NSEC chain. [RT #20589]
2388 2752. [bug] Locking violation. [RT #20587]
2390 2751. [bug] Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]
2392 2750. [bug] dig: assertion failure could occur when a server
2393 didn't have an address. [RT #20579]
2395 2749. [bug] ixfr-from-differences generated a non-minimal ixfr
2396 for NSEC3 signed zones. [RT #20452]
2398 2748. [func] Identify bad answers from GTLD servers and treat them
2399 as referrals. [RT #18884]
2401 2747. [bug] Journal roll forwards failed to set the re-signing
2402 time of RRSIGs correctly. [RT #20541]
2404 2746. [port] hpux: address signed/unsigned expansion mismatch of
2405 dns_rbtnode_t.nsec. [RT #20542]
2407 2745. [bug] configure script didn't probe the return type of
2408 gai_strerror(3) correctly. [RT #20573]
2410 2744. [func] Log if a query was over TCP. [RT #19961]
2412 2743. [bug] RRSIG could be incorrectly set in the NSEC3 record
2413 for a insecure delegation.
2415 --- 9.7.0b2 released ---
2417 2742. [cleanup] Clarify some DNSSEC-related log messages in
2418 validator.c. [RT #19589]
2420 2741. [func] Allow the dnssec-keygen progress messages to be
2421 suppressed (dnssec-keygen -q). Automatically
2422 suppress the progress messages when stdin is not
2427 2739. [cleanup] Clean up API for initializing and clearing trust
2428 anchors for a view. [RT #20211]
2430 2738. [func] Add RSASHA256 and RSASHA512 tests to the dnssec system
2433 2737. [func] UPDATE requests can leak existence information.
2436 2736. [func] Improve the performance of NSEC signed zones with
2437 more than a normal amount of glue below a delegation.
2440 2735. [bug] dnssec-signzone could fail to read keys
2441 that were specified on the command line with
2442 full paths, but weren't in the current
2443 directory. [RT #20421]
2445 2734. [port] cygwin: arpaname did not compile. [RT #20473]
2447 2733. [cleanup] Clean up coding style in pkcs11-* tools. [RT #20355]
2449 2732. [func] Add optional filter-aaaa-on-v4 option, available
2450 if built with './configure --enable-filter-aaaa'.
2451 Filters out AAAA answers to clients connecting
2452 via IPv4. (This is NOT recommended for general
2455 2731. [func] Additional work on change 2709. The key parser
2456 will now ignore unrecognized fields when the
2457 minor version number of the private key format
2458 has been increased. It will reject any key with
2459 the major version number increased. [RT #20310]
2461 2730. [func] Have dnssec-keygen display a progress indication
2462 a la 'openssl genrsa' on standard error. Note
2463 when the first '.' is followed by a long stop
2464 one has the choice between slow generation vs.
2465 poor random quality, i.e., '-r /dev/urandom'.
2468 2729. [func] When constructing a CNAME from a DNAME use the DNAME
2471 2728. [bug] dnssec-keygen, dnssec-keyfromlabel and
2472 dnssec-signzone now warn immediately if asked to
2473 write into a nonexistent directory. [RT #20278]
2475 2727. [func] The 'key-directory' option can now specify a relative
2478 2726. [func] Added support for SHA-2 DNSSEC algorithms,
2479 RSASHA256 and RSASHA512. [RT #20023]
2481 2725. [doc] Added information about the file "managed-keys.bind"
2482 to the ARM. [RT #20235]
2484 2724. [bug] Updates to a existing node in secure zone using NSEC
2485 were failing. [RT #20448]
2487 2723. [bug] isc_base32_totext(), isc_base32hex_totext(), and
2488 isc_base64_totext(), didn't always mark regions of
2489 memory as fully consumed after conversion. [RT #20445]
2491 2722. [bug] Ensure that the memory associated with the name of
2492 a node in a rbt tree is not altered during the life
2493 of the node. [RT #20431]
2495 2721. [port] Have dst__entropy_status() prime the random number
2496 generator. [RT #20369]
2498 2720. [bug] RFC 5011 trust anchor updates could trigger an
2499 assert if the DNSKEY record was unsigned. [RT #20406]
2501 2719. [func] Skip trusted/managed keys for unsupported algorithms.
2504 2718. [bug] The space calculations in opensslrsa_todns() were
2505 incorrect. [RT #20394]
2507 2717. [bug] named failed to update the NSEC/NSEC3 record when
2508 the last private type record was removed as a result
2509 of completing the signing the zone with a key.
2512 2716. [bug] nslookup debug mode didn't return the ttl. [RT #20414]
2514 --- 9.7.0b1 released ---
2516 2715. [bug] Require OpenSSL support to be explicitly disabled.
2519 2714. [port] aix/powerpc: 'asm("ics");' needs non standard assembler
2522 2713. [bug] powerpc: atomic operations missing asm("ics") /
2525 2712. [func] New 'auto-dnssec' zone option allows zone signing
2526 to be fully automated in zones configured for
2527 dynamic DNS. 'auto-dnssec allow;' permits a zone
2528 to be signed by creating keys for it in the
2529 key-directory and using 'rndc sign <zone>'.
2530 'auto-dnssec maintain;' allows that too, plus it
2531 also keeps the zone's DNSSEC keys up to date
2532 according to their timing metadata. [RT #19943]
2534 2711. [port] win32: Add the bin/pkcs11 tools into the full
2537 2710. [func] New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
2538 zone option cause a zone to be signed with only KSKs
2539 signing the DNSKEY RRset, not ZSKs. This reduces
2540 the size of a DNSKEY answer. [RT #20340]
2542 2709. [func] Added some data fields, currently unused, to the
2543 private key file format, to allow implementation
2544 of explicit key rollover in a future release
2545 without impairing backward or forward compatibility.
2548 2708. [func] Insecure to secure and NSEC3 parameter changes via
2549 update are now fully supported and no longer require
2550 defines to enable. We now no longer overload the
2551 NSEC3PARAM flag field, nor the NSEC OPT bit at the
2552 apex. Secure to insecure changes are controlled by
2553 by the named.conf option 'secure-to-insecure'.
2555 Warning: If you had previously enabled support by
2556 adding defines at compile time to BIND 9.6 you should
2557 ensure that all changes that are in progress have
2558 completed prior to upgrading to BIND 9.7. BIND 9.7
2559 is not backwards compatible.
2561 2707. [func] dnssec-keyfromlabel no longer require engine name
2562 to be specified in the label if there is a default
2563 engine or the -E option has been used. Also, it
2564 now uses default algorithms as dnssec-keygen does
2565 (i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
2568 2706. [bug] Loading a zone with a very large NSEC3 salt could
2569 trigger an assert. [RT #20368]
2573 2704. [bug] Serial of dynamic and stub zones could be inconsistent
2574 with their SOA serial. [RT #19387]
2576 2703. [func] Introduce an OpenSSL "engine" argument with -E
2577 for all binaries which can take benefit of
2578 crypto hardware. [RT #20230]
2580 2702. [func] Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
2582 2701. [doc] Correction to ARM: hmac-md5 is no longer the only
2583 supported TSIG key algorithm. [RT #18046]
2585 2700. [doc] The match-mapped-addresses option is discouraged.
2588 2699. [bug] Missing lock in rbtdb.c. [RT #20037]
2592 2697. [port] win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
2593 S_IFREG are defined after including <isc/stat.h>.
2596 2696. [bug] named failed to successfully process some valid
2597 acl constructs. [RT #20308]
2599 2695. [func] DHCP/DDNS - update fdwatch code for use by
2600 DHCP. Modify the api to isc_sockfdwatch_t (the
2601 callback function for isc_socket_fdwatchcreate)
2602 to include information about the direction (read
2603 or write) and add isc_socket_fdwatchpoke.
2606 2694. [bug] Reduce default NSEC3 iterations from 100 to 10.
2609 2693. [port] Add some noreturn attributes. [RT #20257]
2611 2692. [port] win32: 32/64 bit cleanups. [RT #20335]
2613 2691. [func] dnssec-signzone: retain the existing NSEC or NSEC3
2614 chain when re-signing a previously-signed zone.
2615 Use -u to modify NSEC3 parameters or switch
2616 between NSEC and NSEC3. [RT #20304]
2618 2690. [bug] win32: fix isc_thread_key_getspecific() prototype.
2621 2689. [bug] Correctly handle snprintf result. [RT #20306]
2623 2688. [bug] Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
2624 to decide to fetch the destination address. [RT #20305]
2626 2687. [bug] Fixed dnssec-signzone -S handling of revoked keys.
2627 Also, added warnings when revoking a ZSK, as this is
2628 not defined by protocol (but is legal). [RT #19943]
2630 2686. [bug] dnssec-signzone should clean the old NSEC chain when
2631 signing with NSEC3 and vice versa. [RT #20301]
2633 2685. [contrib] Update contrib/zkt to version 0.99c. [RT #20054]
2635 2684. [cleanup] dig: formalize +ad and +cd as synonyms for
2636 +adflag and +cdflag. [RT #19305]
2638 2683. [bug] dnssec-signzone should clean out old NSEC3 chains when
2639 the NSEC3 parameters used to sign the zone change.
2642 2682. [bug] "configure --enable-symtable=all" failed to
2645 2681. [bug] IPSECKEY RR of gateway type 3 was not correctly
2646 decoded. [RT #20269]
2648 2680. [func] Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]
2650 2679. [func] dig -k can now accept TSIG keys in named.conf
2653 2678. [func] Treat DS queries as if "minimal-response yes;"
2654 was set. [RT #20258]
2656 2677. [func] Changes to key metadata behavior:
2657 - Keys without "publish" or "active" dates set will
2658 no longer be used for smart signing. However,
2659 those dates will be set to "now" by default when
2660 a key is created; to generate a key but not use
2661 it yet, use dnssec-keygen -G.
2662 - New "inactive" date (dnssec-keygen/settime -I)
2663 sets the time when a key is no longer used for
2664 signing but is still published.
2665 - The "unpublished" date (-U) is deprecated in
2666 favor of "deleted" (-D).
2669 2676. [bug] --with-export-installdir should have been
2670 --with-export-includedir. [RT #20252]
2672 2675. [bug] dnssec-signzone could crash if the key directory
2673 did not exist. [RT #20232]
2675 --- 9.7.0a3 released ---
2677 2674. [bug] "dnssec-lookaside auto;" crashed if named was built
2678 without openssl. [RT #20231]
2680 2673. [bug] The managed-keys.bind zone file could fail to
2681 load due to a spurious result from sync_keyzone()
2684 2672. [bug] Don't enable searching in 'host' when doing reverse
2685 lookups. [RT #20218]
2687 2671. [bug] Add support for PKCS#11 providers not returning
2688 the public exponent in RSA private keys
2689 (OpenCryptoki for instance) in
2690 dnssec-keyfromlabel. [RT #19294]
2692 2670. [bug] Unexpected connect failures failed to log enough
2693 information to be useful. [RT #20205]
2695 2669. [func] Update PKCS#11 support to support Keyper HSM.
2696 Update PKCS#11 patch to be against openssl-0.9.8i.
2698 2668. [func] Several improvements to dnssec-* tools, including:
2699 - dnssec-keygen and dnssec-settime can now set key
2700 metadata fields 0 (to unset a value, use "none")
2701 - dnssec-revoke sets the revocation date in
2702 addition to the revoke bit
2703 - dnssec-settime can now print individual metadata
2704 fields instead of always printing all of them,
2705 and can print them in unix epoch time format for
2709 2667. [func] Add support for logging stack backtrace on assertion
2710 failure (not available for all platforms). [RT #19780]
2712 2666. [func] Added an 'options' argument to dns_name_fromstring()
2713 (API change from 9.7.0a2). [RT #20196]
2715 2665. [func] Clarify syntax for managed-keys {} statement, add
2716 ARM documentation about RFC 5011 support. [RT #19874]
2718 2664. [bug] create_keydata() and minimal_update() in zone.c
2719 didn't properly check return values for some
2720 functions. [RT #19956]
2722 2663. [func] win32: allow named to run as a service using
2723 "NT AUTHORITY\LocalService" as the account. [RT #19977]
2725 2662. [bug] lwres_getipnodebyname() and lwres_getipnodebyaddr()
2726 returned a misleading error code when lwresd was
2729 2661. [bug] Check whether socket fd exceeds FD_SETSIZE when
2730 creating lwres context. [RT #20029]
2732 2660. [func] Add a new set of DNS libraries for non-BIND9
2733 applications. See README.libdns. [RT #19369]
2735 2659. [doc] Clarify dnssec-keygen doc: key name must match zone
2736 name for DNSSEC keys. [RT #19938]
2738 2658. [bug] dnssec-settime and dnssec-revoke didn't process
2739 key file paths correctly. [RT #20078]
2741 2657. [cleanup] Lower "journal file <path> does not exist, creating it"
2742 log level to debug 1. [RT #20058]
2744 2656. [func] win32: add a "tools only" check box to the installer
2745 which causes it to only install dig, host, nslookup,
2746 nsupdate and relevant DLLs. [RT #19998]
2748 2655. [doc] Document that key-directory does not affect
2749 bind.keys, rndc.key or session.key. [RT #20155]
2751 2654. [bug] Improve error reporting on duplicated names for
2752 deny-answer-xxx. [RT #20164]
2754 2653. [bug] Treat ENGINE_load_private_key() failures as key
2755 not found rather than out of memory. [RT #18033]
2757 2652. [func] Provide more detail about what record is being
2758 deleted. [RT #20061]
2760 2651. [bug] Dates could print incorrectly in K*.key files on
2761 64-bit systems. [RT #20076]
2763 2650. [bug] Assertion failure in dnssec-signzone when trying
2764 to read keyset-* files. [RT #20075]
2766 2649. [bug] Set the domain for forward only zones. [RT #19944]
2768 2648. [port] win32: isc_time_seconds() was broken. [RT #19900]
2770 2647. [bug] Remove unnecessary SOA updates when a new KSK is
2773 2646. [bug] Incorrect cleanup on error in socket.c. [RT #19987]
2775 2645. [port] "gcc -m32" didn't work on amd64 and x86_64 platforms
2776 which default to 64 bits. [RT #19927]
2778 --- 9.7.0a2 released ---
2780 2644. [bug] Change #2628 caused a regression on some systems;
2781 named was unable to write the PID file and would
2782 fail on startup. [RT #20001]
2784 2643. [bug] Stub zones interacted badly with NSEC3 support.
2787 2642. [bug] nsupdate could dump core on solaris when reading
2788 improperly formatted key files. [RT #20015]
2790 2641. [bug] Fixed an error in parsing update-policy syntax,
2791 added a regression test to check it. [RT #20007]
2793 2640. [security] A specially crafted update packet will cause named
2794 to exit. [RT #20000]
2796 2639. [bug] Silence compiler warnings in gssapi code. [RT #19954]
2798 2638. [bug] Install arpaname. [RT #19957]
2800 2637. [func] Rationalize dnssec-signzone's signwithkey() calling.
2803 2636. [func] Simplify zone signing and key maintenance with the
2804 dnssec-* tools. Major changes:
2805 - all dnssec-* tools now take a -K option to
2806 specify a directory in which key files will be
2808 - DNSSEC can now store metadata indicating when
2809 they are scheduled to be published, activated,
2810 revoked or removed; these values can be set by
2811 dnssec-keygen or overwritten by the new
2812 dnssec-settime command
2813 - dnssec-signzone -S (for "smart") option reads key
2814 metadata and uses it to determine automatically
2815 which keys to publish to the zone, use for
2816 signing, revoke, or remove from the zone
2819 2635. [bug] isc_inet_ntop() incorrectly handled 0.0/16 addresses.
2822 2634. [port] win32: Add support for libxml2, enable
2823 statschannel. [RT #19773]
2825 2633. [bug] Handle 15 bit rand() functions. [RT #19783]
2827 2632. [func] util/kit.sh: warn if documentation appears to be out of
2830 2631. [bug] Handle "//", "/./" and "/../" in mkdirpath().
2833 2630. [func] Improved syntax for DDNS autoconfiguration: use
2834 "update-policy local;" to switch on local DDNS in a
2835 zone. (The "ddns-autoconf" option has been removed.)
2838 2629. [port] Check for seteuid()/setegid(), use setresuid()/
2839 setresgid() if not present. [RT #19932]
2841 2628. [port] linux: Allow /var/run/named/named.pid to be opened
2842 at startup with reduced capabilities in operation.
2845 2627. [bug] Named aborted if the same key was included in
2846 trusted-keys more than once. [RT #19918]
2848 2626. [bug] Multiple trusted-keys could trigger an assertion
2849 failure. [RT #19914]
2851 2625. [bug] Missing UNLOCK in rbtdb.c. [RT #19865]
2853 2624. [func] 'named-checkconf -p' will print out the parsed
2854 configuration. [RT #18871]
2856 2623. [bug] Named started searches for DS non-optimally. [RT #19915]
2858 2622. [bug] Printing of named.conf grammar was broken. [RT #19919]
2860 2621. [doc] Made copyright boilerplate consistent. [RT #19833]
2862 2620. [bug] Delay thawing the zone until the reload of it has
2863 completed successfully. [RT #19750]
2865 2619. [func] Add support for RFC 5011, automatic trust anchor
2866 maintenance. The new "managed-keys" statement can
2867 be used in place of "trusted-keys" for zones which
2868 support this protocol. (Note: this syntax is
2869 expected to change prior to 9.7.0 final.) [RT #19248]
2871 2618. [bug] The sdb and sdlz db_interator_seek() methods could
2872 loop infinitely. [RT #19847]
2874 2617. [bug] ifconfig.sh failed to emit an error message when
2875 run from the wrong location. [RT #19375]
2877 2616. [bug] 'host' used the nameservers from resolv.conf even
2878 when a explicit nameserver was specified. [RT #19852]
2880 2615. [bug] "__attribute__((unused))" was in the wrong place
2881 for ia64 gcc builds. [RT #19854]
2883 2614. [port] win32: 'named -v' should automatically be executed
2884 in the foreground. [RT #19844]
2888 --- 9.7.0a1 released ---
2890 2612. [func] Add default values for the arguments to
2891 dnssec-keygen. Without arguments, it will now
2892 generate a 1024-bit RSASHA1 zone-signing key,
2893 or with the -f KSK option, a 2048-bit RSASHA1
2894 key-signing key. [RT #19300]
2896 2611. [func] Add -l option to dnssec-dsfromkey to generate
2897 DLV records instead of DS records. [RT #19300]
2899 2610. [port] sunos: Change #2363 was not complete. [RT #19796]
2901 2609. [func] Simplify the configuration of dynamic zones:
2902 - add ddns-confgen command to generate
2903 configuration text for named.conf
2904 - add zone option "ddns-autoconf yes;", which
2905 causes named to generate a TSIG session key
2906 and allow updates to the zone using that key
2907 - add '-l' (localhost) option to nsupdate, which
2908 causes nsupdate to connect to a locally-running
2909 named process using the session key generated
2913 2608. [func] Perform post signing verification checks in
2914 dnssec-signzone. These can be disabled with -P.
2916 The post sign verification test ensures that for each
2917 algorithm in use there is at least one non revoked
2918 self signed KSK key. That all revoked KSK keys are
2919 self signed. That all records in the zone are signed
2920 by the algorithm. [RT #19653]
2922 2607. [bug] named could incorrectly delete NSEC3 records for
2923 empty nodes when processing a update request.
2926 2606. [bug] "delegation-only" was not being accepted in
2927 delegation-only type zones. [RT #19717]
2929 2605. [bug] Accept DS responses from delegation only zones.
2932 2604. [func] Add support for DNS rebinding attack prevention through
2933 new options, deny-answer-addresses and
2934 deny-answer-aliases. Based on contributed code from
2935 JD Nurmi, Google. [RT #18192]
2937 2603. [port] win32: handle .exe extension of named-checkzone and
2938 named-comilezone argv[0] names under windows.
2941 2602. [port] win32: fix debugging command line build of libisccfg.
2944 2601. [doc] Mention file creation mode mask in the
2947 2600. [doc] ARM: miscellaneous reformatting for different
2948 page widths. [RT #19574]
2950 2599. [bug] Address rapid memory growth when validation fails.
2953 2598. [func] Reserve the -F flag. [RT #19657]
2955 2597. [bug] Handle a validation failure with a insecure delegation
2956 from a NSEC3 signed master/slave zone. [RT #19464]
2958 2596. [bug] Stale tree nodes of cache/dynamic rbtdb could stay
2959 long, leading to inefficient memory usage or rejecting
2960 newer cache entries in the worst case. [RT #19563]
2962 2595. [bug] Fix unknown extended rcodes in dig. [RT #19625]
2964 2594. [func] Have rndc warn if using its default configuration
2965 file when the key file also exists. [RT #19424]
2967 2593. [bug] Improve a corner source of SERVFAILs [RT #19632]
2969 2592. [bug] Treat "any" as a type in nsupdate. [RT #19455]
2971 2591. [bug] named could die when processing a update in
2972 removed_orphaned_ds(). [RT #19507]
2974 2590. [func] Report zone/class of "update with no effect".
2977 2589. [bug] dns_db_unregister() failed to clear '*dbimp'.
2980 2588. [bug] SO_REUSEADDR could be set unconditionally after failure
2981 of bind(2) call. This should be rare and mostly
2982 harmless, but may cause interference with other
2983 processes that happen to use the same port. [RT #19642]
2985 2587. [func] Improve logging by reporting serial numbers for
2986 when zone serial has gone backwards or unchanged.
2989 2586. [bug] Missing cleanup of SIG rdataset in searching a DLZ DB
2992 2585. [bug] Uninitialized socket name could be referenced via a
2993 statistics channel, triggering an assertion failure in
2994 XML rendering. [RT #19427]
2996 2584. [bug] alpha: gcc optimization could break atomic operations.
2999 2583. [port] netbsd: provide a control to not add the compile
3000 date to the version string, -DNO_VERSION_DATE.
3002 2582. [bug] Don't emit warning log message when we attempt to
3003 remove non-existent journal. [RT #19516]
3005 2581. [contrib] dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
3006 Requires MySQL 5.0.19 or later. [RT #19084]
3008 2580. [bug] UpdateRej statistics counter could be incremented twice
3009 for one rejection. [RT #19476]
3011 2579. [bug] DNSSEC lookaside validation failed to handle unknown
3012 algorithms. [RT #19479]
3014 2578. [bug] Changed default sig-signing-type to 65534, because
3015 65535 turns out to be reserved. [RT #19477]
3017 2577. [doc] Clarified some statistics counters. [RT #19454]
3019 2576. [bug] NSEC record were not being correctly signed when
3020 a zone transitions from insecure to secure.
3021 Handle such incorrectly signed zones. [RT #19114]
3023 2575. [func] New functions dns_name_fromstring() and
3024 dns_name_tostring(), to simplify conversion
3025 of a string to a dns_name structure and vice
3028 2574. [doc] Document nsupdate -g and -o. [RT #19351]
3030 2573. [bug] Replacing a non-CNAME record with a CNAME record in a
3031 single transaction in a signed zone failed. [RT #19397]
3033 2572. [func] Simplify DLV configuration, with a new option
3034 "dnssec-lookaside auto;" This is the equivalent
3035 of "dnssec-lookaside . trust-anchor dlv.isc.org;"
3036 plus setting a trusted-key for dlv.isc.org.
3038 Note: The trusted key is hard-coded into named,
3039 but is also stored in (and can be overridden
3040 by) $sysconfdir/bind.keys. As the ISC DLV key
3041 rolls over it can be kept up to date by replacing
3042 the bind.keys file with a key downloaded from
3043 https://www.isc.org/solutions/dlv. [RT #18685]
3045 2571. [func] Add a new tool "arpaname" which translates IP addresses
3046 to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
3049 2570. [func] Log the destination address the query was sent to.
3052 2569. [func] Move journalprint, nsec3hash, and genrandom
3053 commands from bin/tests into bin/tools;
3054 "make install" will put them in $sbindir. [RT #19301]
3056 2568. [bug] Report when the write to indicate a otherwise
3057 successful start fails. [RT #19360]
3059 2567. [bug] dst__privstruct_writefile() could miss write errors.
3060 write_public_key() could miss write errors.
3061 dnssec-dsfromkey could miss write errors.
3064 2566. [cleanup] Clarify logged message when an insecure DNSSEC
3065 response arrives from a zone thought to be secure:
3066 "insecurity proof failed" instead of "not
3067 insecure". [RT #19400]
3069 2565. [func] Add support for HIP record. Includes new functions
3070 dns_rdata_hip_first(), dns_rdata_hip_next()
3071 and dns_rdata_hip_current(). [RT #19384]
3073 2564. [bug] Only take EDNS fallback steps when processing timeouts.
3076 2563. [bug] Dig could leak a socket causing it to wait forever
3077 to exit. [RT #19359]
3079 2562. [doc] ARM: miscellaneous improvements, reorganization,
3080 and some new content.
3082 2561. [doc] Add isc-config.sh(1) man page. [RT #16378]
3084 2560. [bug] Add #include <config.h> to iptable.c. [RT #18258]
3086 2559. [bug] dnssec-dsfromkey could compute bad DS records when
3087 reading from a K* files. [RT #19357]
3089 2558. [func] Set the ownership of missing directories created
3090 for pid-file if -u has been specified on the command
3093 2557. [cleanup] PCI compliance:
3094 * new libisc log module file
3095 * isc_dir_chroot() now also changes the working
3097 * additional INSISTs
3098 * additional logging when files can't be removed.
3100 2556. [port] Solaris: mkdir(2) on tmpfs filesystems does not do the
3101 error checks in the correct order resulting in the
3102 wrong error code sometimes being returned. [RT #19249]
3104 2555. [func] dig: when emitting a hex dump also display the
3105 corresponding characters. [RT #19258]
3107 2554. [bug] Validation of uppercase queries from NSEC3 zones could
3110 2553. [bug] Reference leak on DNSSEC validation errors. [RT #19291]
3112 2552. [bug] zero-no-soa-ttl-cache was not being honored.
3115 2551. [bug] Potential Reference leak on return. [RT #19341]
3117 2550. [bug] Check --with-openssl=<path> finds <openssl/opensslv.h>.
3120 2549. [port] linux: define NR_OPEN if not currently defined.
3123 2548. [bug] Install iterated_hash.h. [RT #19335]
3125 2547. [bug] openssl_link.c:mem_realloc() could reference an
3126 out-of-range area of the source buffer. New public
3127 function isc_mem_reallocate() was introduced to address
3128 this bug. [RT #19313]
3130 2546. [func] Add --enable-openssl-hash configure flag to use
3131 OpenSSL (in place of internal routine) for hash
3132 functions (MD5, SHA[12] and HMAC). [RT #18815]
3134 2545. [doc] ARM: Legal hostname checking (check-names) is
3135 for SRV RDATA too. [RT #19304]
3137 2544. [cleanup] Removed unused structure members in adb.c. [RT #19225]
3139 2543. [contrib] Update contrib/zkt to version 0.98. [RT #19113]
3141 2542. [doc] Update the description of dig +adflag. [RT #19290]
3143 2541. [bug] Conditionally update dispatch manager statistics.
3146 2540. [func] Add a nibble mode to $GENERATE. [RT #18872]
3148 2539. [security] Update the interaction between recursion, allow-query,
3149 allow-query-cache and allow-recursion. [RT #19198]
3151 2538. [bug] cache/ADB memory could grow over max-cache-size,
3152 especially with threads and smaller max-cache-size
3155 2537. [func] Added more statistics counters including those on socket
3156 I/O events and query RTT histograms. [RT #18802]
3158 2536. [cleanup] Silence some warnings when -Werror=format-security is
3159 specified. [RT #19083]
3161 2535. [bug] dig +showsearch and +trace interacted badly. [RT #19091]
3163 2534. [func] Check NAPTR records regular expressions and
3164 replacement strings to ensure they are syntactically
3165 valid and consistent. [RT #18168]
3167 2533. [doc] ARM: document @ (at-sign). [RT #17144]
3169 2532. [bug] dig: check the question section of the response to
3170 see if it matches the asked question. [RT #18495]
3172 2531. [bug] Change #2207 was incomplete. [RT #19098]
3174 2530. [bug] named failed to reject insecure to secure transitions
3175 via UPDATE. [RT #19101]
3177 2529. [cleanup] Upgrade libtool to silence complaints from recent
3178 version of autoconf. [RT #18657]
3180 2528. [cleanup] Silence spurious configure warning about
3181 --datarootdir [RT #19096]
3185 2526. [func] New named option "attach-cache" that allows multiple
3186 views to share a single cache to save memory and
3187 improve lookup efficiency. Based on contributed code
3188 from Barclay Osborn, Google. [RT #18905]
3190 2525. [func] New logging category "query-errors" to provide detailed
3191 internal information about query failures, especially
3192 about server failures. [RT #19027]
3194 2524. [port] sunos: dnssec-signzone needs strtoul(). [RT #19129]
3196 2523. [bug] Random type rdata freed by dns_nsec_typepresent().
3199 2522. [security] Handle -1 from DSA_do_verify() and EVP_VerifyFinal().
3201 2521. [bug] Improve epoll cross compilation support. [RT #19047]
3203 2520. [bug] Update xml statistics version number to 2.0 as change
3204 #2388 made the schema incompatible to the previous
3205 version. [RT #19080]
3207 2519. [bug] dig/host with -4 or -6 didn't work if more than two
3208 nameserver addresses of the excluded address family
3209 preceded in resolv.conf. [RT #19081]
3211 2518. [func] Add support for the new CERT types from RFC 4398.
3214 2517. [bug] dig +trace with -4 or -6 failed when it chose a
3215 nameserver address of the excluded address type.
3218 2516. [bug] glue sort for responses was performed even when not
3221 2515. [port] win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
3224 2514. [bug] dig/host failed with -4 or -6 when resolv.conf contains
3225 a nameserver of the excluded address family.
3228 2513. [bug] Fix windows cli build. [RT #19062]
3230 2512. [func] Print a summary of the cached records which make up
3231 the negative response. [RT #18885]
3233 2511. [cleanup] dns_rdata_tofmttext() add const to linebreak.
3236 2510. [bug] "dig +sigchase" could trigger REQUIRE failures.
3239 2509. [bug] Specifying a fixed query source port was broken.
3244 2507. [func] Log the recursion quota values when killing the
3245 oldest query or refusing to recurse due to quota.
3248 2506. [port] solaris: Check at configure time if
3249 hack_shutup_pthreadonceinit is needed. [RT #19037]
3251 2505. [port] Treat amd64 similarly to x86_64 when determining
3252 atomic operation support. [RT #19031]
3254 2504. [bug] Address race condition in the socket code. [RT #18899]
3256 2503. [port] linux: improve compatibility with Linux Standard
3259 2502. [cleanup] isc_radix: Improve compliance with coding style,
3260 document function in <isc/radix.h>. [RT #18534]
3262 2501. [func] $GENERATE now supports all rdata types. Multi-field
3263 rdata types need to be quoted. See the ARM for
3264 details. [RT #18368]
3266 2500. [contrib] contrib/sdb/pgsql/zonetodb.c called non-existent
3267 function. [RT #18582]
3269 2499. [port] solaris: lib/lwres/getaddrinfo.c namespace clash.
3272 --- 9.6.0rc1 released ---
3274 2498. [bug] Removed a bogus function argument used with
3275 ISC_SOCKET_USE_POLLWATCH: it could cause compiler
3276 warning or crash named with the debug 1 level
3277 of logging. [RT #18917]
3279 2497. [bug] Don't add RRSIG bit to NSEC3 bit map for insecure
3282 2496. [bug] Add sanity length checks to NSID option. [RT #18813]
3284 2495. [bug] Tighten RRSIG checks. [RT #18795]
3286 2494. [bug] isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
3287 installed. [RT #18826]
3289 2493. [bug] The linux capabilities code was not correctly cleaning
3290 up after itself. [RT #18767]
3292 2492. [func] Rndc status now reports the number of cpus discovered
3293 and the number of worker threads when running
3294 multi-threaded. [RT #18273]
3296 2491. [func] Attempt to re-use a local port if we are already using
3297 the port. [RT #18548]
3299 2490. [port] aix: work around a kernel bug where IPV6_RECVPKTINFO
3300 is cleared when IPV6_V6ONLY is set. [RT #18785]
3302 2489. [port] solaris: Workaround Solaris's kernel bug about
3304 http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
3305 Define ISC_SOCKET_USE_POLLWATCH at build time to enable
3306 this workaround. [RT #18870]
3308 2488. [func] Added a tool, dnssec-dsfromkey, to generate DS records
3309 from keyset and .key files. [RT #18694]
3311 2487. [bug] Give TCP connections longer to complete. [RT #18675]
3313 2486. [func] The default locations for named.pid and lwresd.pid
3314 are now /var/run/named/named.pid and
3315 /var/run/lwresd/lwresd.pid respectively.
3317 This allows the owner of the containing directory
3318 to be set, for "named -u" support, and allows there
3319 to be a permanent symbolic link in the path, for
3320 "named -t" support. [RT #18306]
3322 2485. [bug] Change update's the handling of obscured RRSIG
3323 records. Not all orphaned DS records were being
3324 removed. [RT #18828]
3326 2484. [bug] It was possible to trigger a REQUIRE failure when
3327 adding NSEC3 proofs to the response in
3328 query_addwildcardproof(). [RT #18828]
3330 2483. [port] win32: chroot() is not supported. [RT #18805]
3332 2482. [port] libxml2: support versions 2.7.* in addition
3333 to 2.6.*. [RT #18806]
3335 --- 9.6.0b1 released ---
3337 2481. [bug] rbtdb.c:matchparams() failed to handle NSEC3 chain
3338 collisions. [RT #18812]
3340 2480. [bug] named could fail to emit all the required NSEC3
3341 records. [RT #18812]
3343 2479. [bug] xfrout:covers was not properly initialized. [RT #18801]
3345 2478. [bug] 'addresses' could be used uninitialized in
3346 configure_forward(). [RT #18800]
3348 2477. [bug] dig: the global option to print the command line is
3349 +cmd not print_cmd. Update the output to reflect
3352 2476. [doc] ARM: improve documentation for max-journal-size and
3353 ixfr-from-differences. [RT #15909] [RT #18541]
3355 2475. [bug] LRU cache cleanup under overmem condition could purge
3356 particular entries more aggressively. [RT #17628]
3358 2474. [bug] ACL structures could be allocated with insufficient
3359 space, causing an array overrun. [RT #18765]
3361 2473. [port] linux: raise the limit on open files to the possible
3362 maximum value before spawning threads; 'files'
3363 specified in named.conf doesn't seem to work with
3364 threads as expected. [RT #18784]
3366 2472. [port] linux: check the number of available cpu's before
3367 calling chroot as it depends on "/proc". [RT #16923]
3369 2471. [bug] named-checkzone was not reporting missing mandatory
3370 glue when sibling checks were disabled. [RT #18768]
3372 2470. [bug] Elements of the isc_radix_node_t could be incorrectly
3373 overwritten. [RT# 18719]
3375 2469. [port] solaris: Work around Solaris's select() limitations.
3378 2468. [bug] Resolver could try unreachable servers multiple times.
3381 2467. [bug] Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]
3383 2466. [doc] ARM: explain max-cache-ttl 0 SERVFAIL issue.
3386 2465. [bug] Adb's handling of lame addresses was different
3387 for IPv4 and IPv6. [RT #18738]
3389 2464. [port] linux: check that a capability is present before
3390 trying to set it. [RT #18135]
3392 2463. [port] linux: POSIX doesn't include the IPv6 Advanced Socket
3393 API and glibc hides parts of the IPv6 Advanced Socket
3394 API as a result. This is stupid as it breaks how the
3395 two halves (Basic and Advanced) of the IPv6 Socket API
3396 were designed to be used but we have to live with it.
3397 Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
3400 2462. [doc] Document -m (enable memory usage debugging)
3401 option for dig. [RT #18757]
3403 2461. [port] sunos: Change #2363 was not complete. [RT #17513]
3405 --- 9.6.0a1 released ---
3407 2460. [bug] Don't call dns_db_getnsec3parameters() on the cache.
3410 2459. [contrib] Import dnssec-zkt to contrib/zkt. [RT #18448]
3412 2458. [doc] ARM: update and correction for max-cache-size.
3415 2457. [tuning] max-cache-size is reverted to 0, the previous
3416 default. It should be safe because expired cache
3417 entries are also purged. [RT #18684]
3419 2456. [bug] In ACLs, ::/0 and 0.0.0.0/0 would both match any
3420 address, regardless of family. They now correctly
3421 distinguish IPv4 from IPv6. [RT #18559]
3423 2455. [bug] Stop metadata being transferred via axfr/ixfr.
3426 2454. [func] nsupdate: you can now set a default ttl. [RT #18317]
3428 2453. [bug] Remove NULL pointer dereference in dns_journal_print().
3431 2452. [func] Improve bin/test/journalprint. [RT #18316]
3433 2451. [port] solaris: handle runtime linking better. [RT #18356]
3435 2450. [doc] Fix lwresd docbook problem for manual page.
3440 2448. [func] Add NSEC3 support. [RT #15452]
3442 2447. [cleanup] libbind has been split out as a separate product.
3444 2446. [func] Add a new log message about build options on startup.
3445 A new command-line option '-V' for named is also
3446 provided to show this information. [RT# 18645]
3448 2445. [doc] ARM out-of-date on empty reverse zones (list includes
3449 RFC1918 address, but these are not yet compiled in).
3452 2444. [port] Linux, FreeBSD, AIX: Turn off path mtu discovery
3453 (clear DF) for UDP responses and requests.
3455 2443. [bug] win32: UDP connect() would not generate an event,
3456 and so connected UDP sockets would never clean up.
3457 Fix this by doing an immediate WSAConnect() rather
3458 than an io completion port type for UDP.
3460 2442. [bug] A lock could be destroyed twice. [RT# 18626]
3462 2441. [bug] isc_radix_insert() could copy radix tree nodes
3463 incompletely. [RT #18573]
3465 2440. [bug] named-checkconf used an incorrect test to determine
3466 if an ACL was set to none.
3468 2439. [bug] Potential NULL dereference in dns_acl_isanyornone().
3471 2438. [bug] Timeouts could be logged incorrectly under win32.
3473 2437. [bug] Sockets could be closed too early, leading to
3474 inconsistent states in the socket module. [RT #18298]
3476 2436. [security] win32: UDP client handler can be shutdown. [RT #18576]
3478 2435. [bug] Fixed an ACL memory leak affecting win32.
3480 2434. [bug] Fixed a minor error-reporting bug in
3481 lib/isc/win32/socket.c.
3483 2433. [tuning] Set initial timeout to 800ms.
3485 2432. [bug] More Windows socket handling improvements. Stop
3486 using I/O events and use IO Completion Ports
3487 throughout. Rewrite the receive path logic to make
3488 it easier to support multiple simultaneous
3489 requesters in the future. Add stricter consistency
3490 checking as a compile-time option (define
3491 ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).
3493 2431. [bug] Acl processing could leak memory. [RT #18323]
3495 2430. [bug] win32: isc_interval_set() could round down to
3496 zero if the input was less than NS_INTERVAL
3497 nanoseconds. Round up instead. [RT #18549]
3499 2429. [doc] nsupdate should be in section 1 of the man pages.
3502 2428. [bug] dns_iptable_merge() mishandled merges of negative
3505 2427. [func] Treat DNSKEY queries as if "minimal-response yes;"
3506 was set. [RT #18528]
3508 2426. [bug] libbind: inet_net_pton() can sometimes return the
3509 wrong value if excessively large net masks are
3510 supplied. [RT #18512]
3512 2425. [bug] named didn't detect unavailable query source addresses
3513 at load time. [RT #18536]
3515 2424. [port] configure now probes for a working epoll
3516 implementation. Allow the use of kqueue,
3517 epoll and /dev/poll to be selected at compile
3520 2423. [security] Randomize server selection on queries, so as to
3521 make forgery a little more difficult. Instead of
3522 always preferring the server with the lowest RTT,
3523 pick a server with RTT within the same 128
3524 millisecond band. [RT #18441]
3526 2422. [bug] Handle the special return value of a empty node as
3527 if it was a NXRRSET in the validator. [RT #18447]
3529 2421. [func] Add new command line option '-S' for named to specify
3530 the max number of sockets. [RT #18493]
3531 Use caution: this option may not work for some
3532 operating systems without rebuilding named.
3534 2420. [bug] Windows socket handling cleanup. Let the io
3535 completion event send out canceled read/write
3536 done events, which keeps us from writing to memory
3537 we no longer have ownership of. Add debugging
3538 socket_log() function. Rework TCP socket handling
3539 to not leak sockets.
3541 2419. [cleanup] Document that isc_socket_create() and isc_socket_open()
3542 should not be used for isc_sockettype_fdwatch sockets.
3545 2418. [bug] AXFR request on a DLZ could trigger a REQUIRE failure
3548 2417. [bug] Connecting UDP sockets for outgoing queries could
3549 unexpectedly fail with an 'address already in use'
3552 2416. [func] Log file descriptors that cause exceeding the
3553 internal maximum. [RT #18460]
3555 2415. [bug] 'rndc dumpdb' could trigger various assertion failures
3556 in rbtdb.c. [RT #18455]
3558 2414. [bug] A masterdump context held the database lock too long,
3559 causing various troubles such as dead lock and
3560 recursive lock acquisition. [RT #18311, #18456]
3562 2413. [bug] Fixed an unreachable code path in socket.c. [RT #18442]
3564 2412. [bug] win32: address a resource leak. [RT #18374]
3566 2411. [bug] Allow using a larger number of sockets than FD_SETSIZE
3567 for select(). To enable this, set ISC_SOCKET_MAXSOCKETS
3568 at compilation time. [RT #18433]
3570 Note: with changes #2469 and #2421 above, there is no
3571 need to tweak ISC_SOCKET_MAXSOCKETS at compilation time
3574 2410. [bug] Correctly delete m_versionInfo. [RT #18432]
3576 2409. [bug] Only log that we disabled EDNS processing if we were
3577 subsequently successful. [RT #18029]
3579 2408. [bug] A duplicate TCP dispatch event could be sent, which
3580 could then trigger an assertion failure in
3581 resquery_response(). [RT #18275]
3583 2407. [port] hpux: test for sys/dyntune.h. [RT #18421]
3587 2405. [cleanup] The default value for dnssec-validation was changed to
3588 "yes" in 9.5.0-P1 and all subsequent releases; this
3589 was inadvertently omitted from CHANGES at the time.
3591 2404. [port] hpux: files unlimited support.
3593 2403. [bug] TSIG context leak. [RT #18341]
3595 2402. [port] Support Solaris 2.11 and over. [RT #18362]
3597 2401. [bug] Expect to get E[MN]FILE errno internal_accept()
3598 (from accept() or fcntl() system calls). [RT #18358]
3600 2400. [bug] Log if kqueue()/epoll_create()/open(/dev/poll) fails.
3605 2398. [bug] Improve file descriptor management. New,
3606 temporary, named.conf option reserved-sockets,
3607 default 512. [RT #18344]
3609 2397. [bug] gssapi_functions had too many elements. [RT #18355]
3611 2396. [bug] Don't set SO_REUSEADDR for randomized ports.
3614 2395. [port] Avoid warning and no effect from "files unlimited"
3615 on Linux when running as root. [RT #18335]
3617 2394. [bug] Default configuration options set the limit for
3618 open files to 'unlimited' as described in the
3619 documentation. [RT #18331]
3621 2393. [bug] nested acls containing keys could trigger an
3622 assertion in acl.c. [RT #18166]
3624 2392. [bug] remove 'grep -q' from acl test script, some platforms
3625 don't support it. [RT #18253]
3627 2391. [port] hpux: cover additional recvmsg() error codes.
3630 2390. [bug] dispatch.c could make a false warning on 'odd socket'.
3633 2389. [bug] Move the "working directory writable" check to after
3634 the ns_os_changeuser() call. [RT #18326]
3636 2388. [bug] Avoid using tables for layout purposes in
3637 statistics XSL [RT #18159].
3639 2387. [bug] Silence compiler warnings in lib/isc/radix.c.
3640 [RT #18147] [RT #18258]
3642 2386. [func] Add warning about too small 'open files' limit.
3645 2385. [bug] A condition variable in socket.c could leak in
3646 rare error handling [RT #17968].
3648 2384. [security] Fully randomize UDP query ports to improve
3649 forgery resilience. [RT #17949, #18098]
3651 2383. [bug] named could double queries when they resulted in
3652 SERVFAIL due to overkilling EDNS0 failure detection.
3655 2382. [doc] Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
3658 2381. [port] dlz/mysql: support multiple install layouts for
3659 mysql. <prefix>/include/{,mysql/}mysql.h and
3660 <prefix>/lib/{,mysql/}. [RT #18152]
3662 2380. [bug] dns_view_find() was not returning NXDOMAIN/NXRRSET
3663 proofs which, in turn, caused validation failures
3664 for insecure zones immediately below a secure zone
3665 the server was authoritative for. [RT #18112]
3667 2379. [contrib] queryperf/gen-data-queryperf.py: removed redundant
3668 TLDs and supported RRs with TTLs [RT #17972]
3670 2378. [bug] gssapi_functions{} had a redundant member in BIND 9.5.
3673 2377. [bug] Address race condition in dnssec-signzone. [RT #18142]
3675 2376. [bug] Change #2144 was not complete.
3679 2374. [bug] "blackhole" ACLs could cause named to segfault due
3680 to some uninitialized memory. [RT #18095]
3682 2373. [bug] Default values of zone ACLs were re-parsed each time a
3683 new zone was configured, causing an overconsumption
3684 of memory. [RT #18092]
3686 2372. [bug] Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]
3688 2371. [doc] Add +nsid option to dig man page. [RT #18039]
3690 2370. [bug] "rndc freeze" could trigger an assertion in named
3691 when called on a nonexistent zone. [RT #18050]
3693 2369. [bug] libbind: Array bounds overrun on read in bitncmp().
3696 2368. [port] Linux: use libcap for capability management if
3697 possible. [RT# 18026]
3699 2367. [bug] Improve counting of dns_resstatscounter_retry
3702 2366. [bug] Adb shutdown race. [RT #18021]
3704 2365. [bug] Fix a bug that caused dns_acl_isany() to return
3705 spurious results. [RT #18000]
3707 2364. [bug] named could trigger a assertion when serving a
3708 malformed signed zone. [RT #17828]
3710 2363. [port] sunos: pre-set "lt_cv_sys_max_cmd_len=4096;".
3713 2362. [cleanup] Make "rrset-order fixed" a compile-time option.
3714 settable by "./configure --enable-fixed-rrset".
3715 Disabled by default. [RT #17977]
3717 2361. [bug] "recursion" statistics counter could be counted
3718 multiple times for a single query. [RT #17990]
3720 2360. [bug] Fix a condition where we release a database version
3721 (which may acquire a lock) while holding the lock.
3723 2359. [bug] Fix NSID bug. [RT #17942]
3725 2358. [doc] Update host's default query description. [RT #17934]
3727 2357. [port] Don't use OpenSSL's engine support in versions before
3728 OpenSSL 0.9.7f. [RT #17922]
3730 2356. [bug] Built in mutex profiler was not scalable enough.
3733 2355. [func] Extend the number statistics counters available.
3736 2354. [bug] Failed to initialize some rdatasetheader_t elements.
3739 2353. [func] Add support for Name Server ID (RFC 5001).
3740 'dig +nsid' requests NSID from server.
3741 'request-nsid yes;' causes recursive server to send
3742 NSID requests to upstream servers. Server responds
3743 to NSID requests with the string configured by
3744 'server-id' option. [RT #17091]
3746 2352. [bug] Various GSS_API fixups. [RT #17729]
3748 2351. [bug] convertxsl.pl generated very long lines. [RT #17906]
3750 2350. [port] win32: IPv6 support. [RT #17797]
3752 2349. [func] Provide incremental re-signing support for secure
3753 dynamic zones. [RT #1091]
3755 2348. [func] Use the EVP interface to OpenSSL. Add PKCS#11 support.
3756 Documentation is in the new README.pkcs11 file.
3757 New tool, dnssec-keyfromlabel, which takes the
3758 label of a key pair in a HSM and constructs a DNS
3759 key pair for use by named and dnssec-signzone.
3762 2347. [bug] Delete now traverses the RB tree in the canonical
3765 2346. [func] Memory statistics now cover all active memory contexts
3766 in increased detail. [RT #17580]
3768 2345. [bug] named-checkconf failed to detect when forwarders
3769 were set at both the options/view level and in
3770 a root zone. [RT #17671]
3772 2344. [bug] Improve "logging{ file ...; };" documentation.
3775 2343. [bug] (Seemingly) duplicate IPv6 entries could be
3776 created in ADB. [RT #17837]
3778 2342. [func] Use getifaddrs() if available under Linux. [RT #17224]
3780 2341. [bug] libbind: add missing -I../include for off source
3781 tree builds. [RT #17606]
3783 2340. [port] openbsd: interface configuration. [RT #17700]
3785 2339. [port] tru64: support for libbind. [RT #17589]
3787 2338. [bug] check_ds() could be called with a non DS rdataset.
3790 2337. [bug] BUILD_LDFLAGS was not being correctly set. [RT #17614]
3792 2336. [func] If "named -6" is specified then listen on all IPv6
3793 interfaces if there are not listen-on-v6 clauses in
3794 named.conf. [RT #17581]
3796 2335. [port] sunos: libbind and *printf() support for long long.
3799 2334. [bug] Bad REQUIRES in fromstruct_in_naptr(), off by one
3800 bug in fromstruct_txt(). [RT #17609]
3802 2333. [bug] Fix off by one error in isc_time_nowplusinterval().
3805 2332. [contrib] query-loc-0.4.0. [RT #17602]
3807 2331. [bug] Failure to regenerate any signatures was not being
3808 reported nor being past back to the UPDATE client.
3811 2330. [bug] Remove potential race condition when handling
3812 over memory events. [RT #17572]
3814 WARNING: API CHANGE: over memory callback
3815 function now needs to call isc_mem_waterack().
3816 See <isc/mem.h> for details.
3818 2329. [bug] Clearer help text for dig's '-x' and '-i' options.
3820 2328. [maint] Add AAAA addresses for A.ROOT-SERVERS.NET,
3821 F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET,
3822 J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
3825 2327. [bug] It was possible to dereference a NULL pointer in
3826 rbtdb.c. Implement dead node processing in zones as
3827 we do for caches. [RT #17312]
3829 2326. [bug] It was possible to trigger a INSIST in the acache
3832 2325. [port] Linux: use capset() function if available. [RT #17557]
3834 2324. [bug] Fix IPv6 matching against "any;". [RT #17533]
3836 2323. [port] tru64: namespace clash. [RT #17547]
3838 2322. [port] MacOS: work around the limitation of setrlimit()
3839 for RLIMIT_NOFILE. [RT #17526]
3843 2320. [func] Make statistics counters thread-safe for platforms
3844 that support certain atomic operations. [RT #17466]
3846 2319. [bug] Silence Coverity warnings in
3847 lib/dns/rdata/in_1/apl_42.c. [RT #17469]
3849 2318. [port] sunos fixes for libbind. [RT #17514]
3851 2317. [bug] "make distclean" removed bind9.xsl.h. [RT #17518]
3853 2316. [port] Missing #include <isc/print.h> in lib/dns/gssapictx.c.
3856 2315. [bug] Used incorrect address family for mapped IPv4
3857 addresses in acl.c. [RT #17519]
3859 2314. [bug] Uninitialized memory use on error path in
3860 bin/named/lwdnoop.c. [RT #17476]
3862 2313. [cleanup] Silence Coverity warnings. Handle private stacks.
3863 [RT #17447] [RT #17478]
3865 2312. [cleanup] Silence Coverity warning in lib/isc/unix/socket.c.
3868 2311. [bug] IPv6 addresses could match IPv4 ACL entries and
3869 vice versa. [RT #17462]
3871 2310. [bug] dig, host, nslookup: flush stdout before emitting
3872 debug/fatal messages. [RT #17501]
3874 2309. [cleanup] Fix Coverity warnings in lib/dns/acl.c and iptable.c.
3877 2308. [cleanup] Silence Coverity warning in bin/named/controlconf.c.
3880 2307. [bug] Remove infinite loop from lib/dns/sdb.c. [RT #17496]
3882 2306. [bug] Remove potential race from lib/dns/resolver.c.
3885 2305. [security] inet_network() buffer overflow. CVE-2008-0122.
3887 2304. [bug] Check returns from all dns_rdata_tostruct() calls.
3890 2303. [bug] Remove unnecessary code from bin/named/lwdgnba.c.
3893 2302. [bug] Fix memset() calls in lib/tests/t_api.c. [RT #17472]
3895 2301. [bug] Remove resource leak and fix error messages in
3896 bin/tests/system/lwresd/lwtest.c. [RT #17474]
3898 2300. [bug] Fixed failure to close open file in
3899 bin/tests/names/t_names.c. [RT #17473]
3901 2299. [bug] Remove unnecessary NULL check in
3902 bin/nsupdate/nsupdate.c. [RT #17475]
3904 2298. [bug] isc_mutex_lock() failure not caught in
3905 bin/tests/timers/t_timers.c. [RT #17468]
3907 2297. [bug] isc_entropy_createfilesource() failure not caught in
3908 bin/tests/dst/t_dst.c. [RT #17467]
3910 2296. [port] Allow docbook stylesheet location to be specified to
3911 configure. [RT #17457]
3913 2295. [bug] Silence static overrun error in bin/named/lwaddr.c.
3916 2294. [func] Allow the experimental statistics channels to have
3917 multiple connections and ACL.
3918 Note: the stats-server and stats-server-v6 options
3919 available in the previous beta releases are replaced
3920 with the generic statistics-channels statement.
3922 2293. [func] Add ACL regression test. [RT #17375]
3924 2292. [bug] Log if the working directory is not writable.
3927 2291. [bug] PR_SET_DUMPABLE may be set too late. Also report
3928 failure to set PR_SET_DUMPABLE. [RT #17312]
3930 2290. [bug] Let AD in the query signal that the client wants AD
3931 set in the response. [RT #17301]
3933 2289. [func] named-checkzone now reports the out-of-zone CNAME
3936 2288. [port] win32: mark service as running when we have finished
3937 loading. [RT #17441]
3939 2287. [bug] Use 'volatile' if the compiler supports it. [RT #17413]
3941 2286. [func] Allow a TCP connection to be used as a weak
3942 authentication method for reverse zones.
3943 New update-policy methods tcp-self and 6to4-self.
3946 2285. [func] Test framework for client memory context management.
3949 2284. [bug] Memory leak in UPDATE prerequisite processing.
3952 2283. [bug] TSIG keys were not attaching to the memory
3953 context. TSIG keys should use the rings
3954 memory context rather than the clients memory
3955 context. [RT #17377]
3957 2282. [bug] Acl code fixups. [RT #17346] [RT #17374]
3959 2281. [bug] Attempts to use undefined acls were not being logged.
3962 2280. [func] Allow the experimental http server to be reached
3963 over IPv6 as well as IPv4. [RT #17332]
3965 2279. [bug] Use setsockopt(SO_NOSIGPIPE), when available,
3966 to protect applications from receiving spurious
3967 SIGPIPE signals when using the resolver.
3969 2278. [bug] win32: handle the case where Windows returns no
3970 search list or DNS suffix. [RT #17354]
3972 2277. [bug] Empty zone names were not correctly being caught at
3973 in the post parse checks. [RT #17357]
3975 2276. [bug] Install <dst/gssapi.h>. [RT# 17359]
3977 2275. [func] Add support to dig to perform IXFR queries over UDP.
3980 2274. [func] Log zone transfer statistics. [RT #17336]
3982 2273. [bug] Adjust log level to WARNING when saving inconsistent
3983 stub/slave master and journal files. [RT# 17279]
3985 2272. [bug] Handle illegal dnssec-lookaside trust-anchor names.
3988 2271. [bug] Fix a memory leak in http server code [RT #17100]
3990 2270. [bug] dns_db_closeversion() version->writer could be reset
3991 before it is tested. [RT #17290]
3993 2269. [contrib] dbus memory leaks and missing va_end calls. [RT #17232]
3995 2268. [bug] 0.IN-ADDR.ARPA was missing from the empty zones
3998 --- 9.5.0b1 released ---
4000 2267. [bug] Radix tree node_num value could be set incorrectly,
4001 causing positive ACL matches to look like negative
4004 2266. [bug] client.c:get_clientmctx() returned the same mctx
4005 once the pool of mctx's was filled. [RT #17218]
4007 2265. [bug] Test that the memory context's basic_table is non NULL
4008 before freeing. [RT #17265]
4010 2264. [bug] Server prefix length was being ignored. [RT #17308]
4012 2263. [bug] "named-checkconf -z" failed to set default value
4013 for "check-integrity". [RT #17306]
4015 2262. [bug] Error status from all but the last view could be
4018 2261. [bug] Fix memory leak with "any" and "none" ACLs [RT #17272]
4020 2260. [bug] Reported wrong clients-per-query when increasing the
4025 --- 9.5.0a7 released ---
4027 2258. [bug] Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken.
4030 2257. [bug] win32: Use the full path to vcredist_x86.exe when
4031 calling it. [RT #17222]
4033 2256. [bug] win32: Correctly register the installation location of
4034 bindevt.dll. [RT #17159]
4036 2255. [maint] L.ROOT-SERVERS.NET is now 199.7.83.42.
4038 2254. [bug] timer.c:dispatch() failed to lock timer->lock
4039 when reading timer->idle allowing it to see
4040 intermediate values as timer->idle was reset by
4041 isc_timer_touch(). [RT #17243]
4043 2253. [func] "max-cache-size" defaults to 32M.
4044 "max-acache-size" defaults to 16M.
4046 2252. [bug] Fixed errors in sortlist code [RT #17216]
4050 2250. [func] New flag 'memstatistics' to state whether the
4051 memory statistics file should be written or not.
4052 Additionally named's -m option will cause the
4053 statistics file to be written. [RT #17113]
4055 2249. [bug] Only set Authentic Data bit if client requested
4056 DNSSEC, per RFC 3655 [RT #17175]
4058 2248. [cleanup] Fix several errors reported by Coverity. [RT #17160]
4060 2247. [doc] Sort doc/misc/options. [RT #17067]
4062 2246. [bug] Make the startup of test servers (ans.pl) more
4065 2245. [bug] Validating lack of DS records at trust anchors wasn't
4066 working. [RT #17151]
4068 2244. [func] Allow the check of nameserver names against the
4069 SOA MNAME field to be disabled by specifying
4070 'notify-to-soa yes;'. [RT #17073]
4072 2243. [func] Configuration files without a newline at the end now
4073 parse without error. [RT #17120]
4075 2242. [bug] nsupdate: GSS-TSIG support using the Heimdal Kerberos
4076 library could require a source of random data.
4079 2241. [func] nsupdate: add a interactive 'help' command. [RT #17099]
4081 2240. [bug] Cleanup nsupdates GSS-TSIG support. Convert
4082 a number of INSIST()s into plain fatal() errors
4083 which report the triggering result code.
4084 The 'key' command wasn't disabling GSS-TSIG.
4087 2239. [func] Ship a pre built bin/named/bind9.xsl.h. [RT #17114]
4089 2238. [bug] It was possible to trigger a REQUIRE when a
4090 validation was canceled. [RT #17106]
4092 2237. [bug] libbind: res_init() was not thread aware. [RT #17123]
4094 2236. [bug] dnssec-signzone failed to preserve the case of
4095 of wildcard owner names. [RT #17085]
4097 2235. [bug] <isc/atomic.h> was not being installed. [RT #17135]
4099 2234. [port] Correct some compiler warnings on SCO OSr5 [RT #17134]
4101 2233. [func] Add support for O(1) ACL processing, based on
4102 radix tree code originally written by Kevin
4103 Brintnall. [RT #16288]
4105 2232. [bug] dns_adb_findaddrinfo() could fail and return
4106 ISC_R_SUCCESS. [RT #17137]
4108 2231. [bug] Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken.
4111 2230. [bug] We could INSIST reading a corrupted journal.
4114 2229. [bug] Null pointer dereference on query pool creation
4115 failure. [RT #17133]
4117 2228. [contrib] contrib: Change 2188 was incomplete.
4119 2227. [cleanup] Tidied up the FAQ. [RT #17121]
4123 2225. [bug] More support for systems with no IPv4 addresses.
4126 2224. [bug] Defer journal compaction if a xfrin is in progress.
4129 2223. [bug] Make a new journal when compacting. [RT #17119]
4131 2222. [func] named-checkconf now checks server key references.
4134 2221. [bug] Set the event result code to reflect the actual
4135 record turned to caller when a cache update is
4136 rejected due to a more credible answer existing.
4139 2220. [bug] win32: Address a race condition in final shutdown of
4140 the Windows socket code. [RT #17028]
4142 2219. [bug] Apply zone consistency checks to additions, not
4143 removals, when updating. [RT #17049]
4145 2218. [bug] Remove unnecessary REQUIRE from dns_validator_create().
4148 2217. [func] Adjust update log levels. [RT #17092]
4150 2216. [cleanup] Fix a number of errors reported by Coverity.
4153 2215. [bug] Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094]
4155 2214. [bug] Deregister OpenSSL lock callback when cleaning
4156 up. Reorder OpenSSL cleanup so that RAND_cleanup()
4157 is called before the locks are destroyed. [RT #17098]
4159 2213. [bug] SIG0 diagnostic failure messages were looking at the
4160 wrong status code. [RT #17101]
4162 2212. [func] 'host -m' now causes memory statistics and active
4163 memory to be printed at exit. [RT 17028]
4165 2211. [func] Update "dynamic update temporarily disabled" message.
4168 2210. [bug] Deleting class specific records via UPDATE could
4171 2209. [port] osx: linking against user supplied static OpenSSL
4172 libraries failed as the system ones were still being
4175 2208. [port] win32: make sure both build methods produce the
4176 same output. [RT #17058]
4178 2207. [port] Some implementations of getaddrinfo() fail to set
4179 ai_canonname correctly. [RT #17061]
4181 --- 9.5.0a6 released ---
4183 2206. [security] "allow-query-cache" and "allow-recursion" now
4184 cross inherit from each other.
4186 If allow-query-cache is not set in named.conf then
4187 allow-recursion is used if set, otherwise allow-query
4188 is used if set, otherwise the default (localnets;
4189 localhost;) is used.
4191 If allow-recursion is not set in named.conf then
4192 allow-query-cache is used if set, otherwise allow-query
4193 is used if set, otherwise the default (localnets;
4194 localhost;) is used.
4198 2205. [bug] libbind: change #2119 broke thread support. [RT #16982]
4200 2204. [bug] "rndc flushanme name unknown-view" caused named
4201 to crash. [RT #16984]
4203 2203. [security] Query id generation was cryptographically weak.
4206 2202. [security] The default acls for allow-query-cache and
4207 allow-recursion were not being applied. [RT #16960]
4209 2201. [bug] The build failed in a separate object directory.
4212 2200. [bug] The search for cached NSEC records was stopping to
4213 early leading to excessive DLV queries. [RT #16930]
4215 2199. [bug] win32: don't call WSAStartup() while loading dlls.
4218 2198. [bug] win32: RegCloseKey() could be called when
4219 RegOpenKeyEx() failed. [RT #16911]
4221 2197. [bug] Add INSIST to catch negative responses which are
4222 not setting the event result code appropriately.
4225 2196. [port] win32: yield processor while waiting for once to
4226 to complete. [RT #16958]
4228 2195. [func] dnssec-keygen now defaults to nametype "ZONE"
4229 when generating DNSKEYs. [RT #16954]
4231 2194. [bug] Close journal before calling 'done' in xfrin.c.
4233 --- 9.5.0a5 released ---
4235 2193. [port] win32: BINDInstall.exe is now linked statically.
4238 2192. [port] win32: use vcredist_x86.exe to install Visual
4239 Studio's redistributable dlls if building with
4240 Visual Stdio 2005 or later.
4242 2191. [func] named-checkzone now allows dumping to stdout (-).
4243 named-checkconf now has -h for help.
4244 named-checkzone now has -h for help.
4245 rndc now has -h for help.
4246 Better handling of '-?' for usage summaries.
4249 2190. [func] Make fallback to plain DNS from EDNS due to timeouts
4250 more visible. New logging category "edns-disabled".
4253 2189. [bug] Handle socket() returning EINTR. [RT #15949]
4255 2188. [contrib] queryperf: autoconf changes to make the search for
4256 libresolv or libbind more robust. [RT #16299]
4258 2187. [bug] query_addds(), query_addwildcardproof() and
4259 query_addnxrrsetnsec() should take a version
4260 argument. [RT #16368]
4262 2186. [port] cygwin: libbind: check for struct sockaddr_storage
4263 independently of IPv6. [RT #16482]
4265 2185. [port] sunos: libbind: check for ssize_t, memmove() and
4266 memchr(). [RT #16463]
4268 2184. [bug] bind9.xsl.h didn't build out of the source tree.
4271 2183. [bug] dnssec-signzone didn't handle offline private keys
4274 2182. [bug] dns_dispatch_createtcp() and dispatch_createudp()
4275 could return ISC_R_SUCCESS when they ran out of
4278 2181. [port] sunos: libbind: add paths.h from BIND 8. [RT #16462]
4280 2180. [cleanup] Remove bit test from 'compress_test' as they
4281 are no longer needed. [RT #16497]
4283 2179. [func] 'rndc command zone' will now find 'zone' if it is
4284 unique to all the views. [RT #16821]
4286 2178. [bug] 'rndc reload' of a slave or stub zone resulted in
4287 a reference leak. [RT #16867]
4289 2177. [bug] Array bounds overrun on read (rcodetext) at
4290 debug level 10+. [RT #16798]
4292 2176. [contrib] dbus update to handle race condition during
4293 initialization (Bugzilla 235809). [RT #16842]
4295 2175. [bug] win32: windows broadcast condition variable support
4296 was broken. [RT #16592]
4298 2174. [bug] I/O errors should always be fatal when reading
4299 master files. [RT #16825]
4301 2173. [port] win32: When compiling with MSVS 2005 SP1 we also
4302 need to ship Microsoft.VC80.MFCLOC.
4304 --- 9.5.0a4 released ---
4306 2172. [bug] query_addsoa() was being called with a non zone db.
4309 2171. [bug] Handle breaks in DNSSEC trust chains where the parent
4310 servers are not DS aware (DS queries to the parent
4311 return a referral to the child).
4313 2170. [func] Add acache processing to test suite. [RT #16711]
4315 2169. [bug] host, nslookup: when reporting NXDOMAIN report the
4316 given name and not the last name searched for.
4319 2168. [bug] nsupdate: in non-interactive mode treat syntax errors
4320 as fatal errors. [RT #16785]
4322 2167. [bug] When re-using a automatic zone named failed to
4323 attach it to the new view. [RT #16786]
4325 --- 9.5.0a3 released ---
4327 2166. [bug] When running in batch mode, dig could misinterpret
4328 a server address as a name to be looked up, causing
4329 unexpected output. [RT #16743]
4331 2165. [func] Allow the destination address of a query to determine
4332 if we will answer the query or recurse.
4333 allow-query-on, allow-recursion-on and
4334 allow-query-cache-on. [RT #16291]
4336 2164. [bug] The code to determine how named-checkzone /
4337 named-compilezone was called failed under windows.
4340 2163. [bug] If only one of query-source and query-source-v6
4341 specified a port the query pools code broke (change
4344 2162. [func] Allow "rrset-order fixed" to be disabled at compile
4347 2161. [bug] Fix which log messages are emitted for 'rndc flush'.
4350 2160. [bug] libisc wasn't handling NULL ifa_addr pointers returned
4351 from getifaddrs(). [RT #16708]
4353 --- 9.5.0a2 released ---
4355 2159. [bug] Array bounds overrun in acache processing. [RT #16710]
4357 2158. [bug] ns_client_isself() failed to initialize key
4358 leading to a REQUIRE failure. [RT #16688]
4360 2157. [func] dns_db_transfernode() created. [RT #16685]
4362 2156. [bug] Fix node reference leaks in lookup.c:lookup_find(),
4363 resolver.c:validated() and resolver.c:cache_name().
4364 Fix a memory leak in rbtdb.c:free_noqname().
4365 Make lookup.c:lookup_find() robust against
4366 event leaks. [RT #16685]
4368 2155. [contrib] SQLite sdb module from jaboydjr@netwalk.com.
4371 2154. [func] Scoped (e.g. IPv6 link-local) addresses may now be
4372 matched in acls by omitting the scope. [RT #16599]
4374 2153. [bug] nsupdate could leak memory. [RT #16691]
4376 2152. [cleanup] Use sizeof(buf) instead of fixed number in
4377 dighost.c:get_trusted_key(). [RT #16678]
4379 2151. [bug] Missing newline in usage message for journalprint.
4382 2150. [bug] 'rrset-order cyclic' uniformly distribute the
4383 starting point for the first response for a given
4386 2149. [bug] isc_mem_checkdestroyed() failed to abort on
4387 if there were still active memory contexts.
4390 2148. [func] Add positive logging for rndc commands. [RT #14623]
4392 2147. [bug] libbind: remove potential buffer overflow from
4393 hmac_link.c. [RT #16437]
4395 2146. [cleanup] Silence Linux's spurious "obsolete setsockopt
4396 SO_BSDCOMPAT" message. [RT #16641]
4398 2145. [bug] Check DS/DLV digest lengths for known digests.
4401 2144. [cleanup] Suppress logging of SERVFAIL from forwarders.
4404 2143. [bug] We failed to restart the IPv6 client when the
4405 kernel failed to return the destination the
4406 packet was sent to. [RT #16613]
4408 2142. [bug] Handle master files with a modification time that
4409 matches the epoch. [RT# 16612]
4411 2141. [bug] dig/host should not be setting IDN_ASCCHECK (IDN
4412 equivalent of LDH checks). [RT #16609]
4414 2140. [bug] libbind: missing unlock on pthread_key_create()
4415 failures. [RT #16654]
4417 2139. [bug] dns_view_find() was being called with wrong type
4418 in adb.c. [RT #16670]
4420 2138. [bug] Lock order reversal in resolver.c. [RT #16653]
4422 2137. [port] Mips little endian and/or mips 64 bit are now
4423 supported for atomic operations. [RT#16648]
4425 2136. [bug] nslookup/host looped if there was no search list
4426 and the host didn't exist. [RT #16657]
4428 2135. [bug] Uninitialized rdataset in sdlz.c. [RT# 16656]
4430 2134. [func] Additional statistics support. [RT #16666]
4432 2133. [port] powerpc: Support both IBM and MacOS Power PC
4433 assembler syntaxes. [RT #16647]
4435 2132. [bug] Missing unlock on out of memory in
4436 dns_dispatchmgr_setudp().
4438 2131. [contrib] dlz/mysql: AXFR was broken. [RT #16630]
4440 2130. [func] Log if CD or DO were set. [RT #16640]
4442 2129. [func] Provide a pool of UDP sockets for queries to be
4443 made over. See use-queryport-pool, queryport-pool-ports
4444 and queryport-pool-updateinterval. [RT #16415]
4446 2128. [doc] xsltproc --nonet, update DTD versions. [RT #16635]
4448 2127. [port] Improved OpenSSL 0.9.8 support. [RT #16563]
4450 2126. [security] Serialize validation of type ANY responses. [RT #16555]
4452 2125. [bug] dns_zone_getzeronosoattl() REQUIRE failure if DLZ
4453 was defined. [RT #16574]
4455 2124. [security] It was possible to dereference a freed fetch
4456 context. [RT #16584]
4458 --- 9.5.0a1 released ---
4460 2123. [func] Use Doxygen to generate internal documentation.
4463 2122. [func] Experimental http server and statistics support
4466 2121. [func] Add a 10 slot dead masters cache (LRU) with a 600
4467 second timeout. [RT #16553]
4469 2120. [doc] Fix markup on nsupdate man page. [RT #16556]
4471 2119. [compat] libbind: allow res_init() to succeed enough to
4472 return the default domain even if it was unable
4475 2118. [bug] Handle response with long chains of domain name
4476 compression pointers which point to other compression
4477 pointers. [RT #16427]
4479 2117. [bug] DNSSEC fixes: named could fail to cache NSEC records
4480 which could lead to validation failures. named didn't
4481 handle negative DS responses that were in the process
4482 of being validated. Check CNAME bit before accepting
4483 NODATA proof. To be able to ignore a child NSEC there
4484 must be SOA (and NS) set in the bitmap. [RT #16399]
4486 2116. [bug] 'rndc reload' could cause the cache to continually
4487 be cleaned. [RT #16401]
4489 2115. [bug] 'rndc reconfig' could trigger a INSIST if the
4490 number of masters for a zone was reduced. [RT #16444]
4492 2114. [bug] dig/host/nslookup: searches for names with multiple
4493 labels were failing. [RT #16447]
4495 2113. [bug] nsupdate: if a zone is specified it should be used
4496 for server discover. [RT# 16455]
4498 2112. [security] Warn if weak RSA exponent is used. [RT #16460]
4500 2111. [bug] Fix a number of errors reported by Coverity.
4503 2110. [bug] "minimal-responses yes;" interacted badly with BIND 8
4504 priming queries. [RT #16491]
4506 2109. [port] libbind: silence aix 5.3 compiler warnings. [RT #16502]
4508 2108. [func] DHCID support. [RT #16456]
4510 2107. [bug] dighost.c: more cleanup of buffers. [RT #16499]
4512 2106. [func] 'rndc status' now reports named's version. [RT #16426]
4514 2105. [func] GSS-TSIG support (RFC 3645).
4516 2104. [port] Fix Solaris SMF error message.
4518 2103. [port] Add /usr/sfw to list of locations for OpenSSL
4521 2102. [port] Silence Solaris 10 warnings.
4523 2101. [bug] OpenSSL version checks were not quite right.
4526 2100. [port] win32: copy libeay32.dll to Build\Debug.
4527 Copy Debug\named-checkzone to Debug\named-compilezone.
4529 2099. [port] win32: more manifest issues.
4531 2098. [bug] Race in rbtdb.c:no_references(), which occasionally
4532 triggered an INSIST failure about the node lock
4533 reference. [RT #16411]
4535 2097. [bug] named could reference a destroyed memory context
4536 after being reloaded / reconfigured. [RT #16428]
4538 2096. [bug] libbind: handle applications that fail to detect
4539 res_init() failures better.
4541 2095. [port] libbind: alway prototype inet_cidr_ntop_ipv6() and
4542 net_cidr_ntop_ipv6(). [RT #16388]
4544 2094. [contrib] Update named-bootconf. [RT# 16404]
4546 2093. [bug] named-checkzone -s was broken.
4548 2092. [bug] win32: dig, host, nslookup. Use registry config
4549 if resolv.conf does not exist or no nameservers
4552 2091. [port] dighost.c: race condition on cleanup. [RT #16417]
4554 2090. [port] win32: Visual C++ 2005 command line manifest support.
4557 2089. [security] Raise the minimum safe OpenSSL versions to
4558 OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions
4559 prior to these have known security flaws which
4560 are (potentially) exploitable in named. [RT #16391]
4562 2088. [security] Change the default RSA exponent from 3 to 65537.
4565 2087. [port] libisc failed to compile on OS's w/o a vsnprintf.
4568 2086. [port] libbind: FreeBSD now has get*by*_r() functions.
4571 2085. [doc] win32: added index.html and README to zip. [RT #16201]
4573 2084. [contrib] dbus update for 9.3.3rc2.
4575 2083. [port] win32: Visual C++ 2005 support.
4577 2082. [doc] Document 'cache-file' as a test only option.
4579 2081. [port] libbind: minor 64-bit portability fix in memcluster.c.
4582 2080. [port] libbind: res_init.c did not compile on older versions
4583 of Solaris. [RT #16363]
4585 2079. [bug] The lame cache was not handling multiple types
4586 correctly. [RT #16361]
4588 2078. [bug] dnssec-checkzone output style "default" was badly
4589 named. It is now called "relative". [RT #16326]
4591 2077. [bug] 'dnssec-signzone -O raw' wasn't outputting the
4592 complete signed zone. [RT #16326]
4594 2076. [bug] Several files were missing #include <config.h>
4595 causing build failures on OSF. [RT #16341]
4597 2075. [bug] The spillat timer event hander could leak memory.
4600 2074. [bug] dns_request_createvia2(), dns_request_createvia3(),
4601 dns_request_createraw2() and dns_request_createraw3()
4602 failed to send multiple UDP requests. [RT #16349]
4604 2073. [bug] Incorrect semantics check for update policy "wildcard".
4607 2072. [bug] We were not generating valid HMAC SHA digests.
4610 2071. [port] Test whether gcc accepts -fno-strict-aliasing.
4613 2070. [bug] The remote address was not always displayed when
4614 reporting dispatch failures. [RT #16315]
4616 2069. [bug] Cross compiling was not working. [RT #16330]
4618 2068. [cleanup] Lower incremental tuning message to debug 1.
4621 2067. [bug] 'rndc' could close the socket too early triggering
4622 a INSIST under Windows. [RT #16317]
4624 2066. [security] Handle SIG queries gracefully. [RT #16300]
4626 2065. [bug] libbind: probe for HPUX prototypes for
4627 endprotoent_r() and endservent_r(). [RT 16313]
4629 2064. [bug] libbind: silence AIX compiler warnings. [RT #16218]
4631 2063. [bug] Change #1955 introduced a bug which caused the first
4632 'rndc flush' call to not free memory. [RT #16244]
4634 2062. [bug] 'dig +nssearch' was reusing a buffer before it had
4635 been returned by the socket code. [RT #16307]
4637 2061. [bug] Accept expired wildcard message reversed. [RT #16296]
4639 2060. [bug] Enabling DLZ support could leave views partially
4640 configured. [RT #16295]
4642 2059. [bug] Search into cache rbtdb could trigger an INSIST
4643 failure while cleaning up a stale rdataset.
4646 2058. [bug] Adjust how we calculate rtt estimates in the presence
4647 of authoritative servers that drop EDNS and/or CD
4648 requests. Also fallback to EDNS/512 and plain DNS
4649 faster for zones with less than 3 servers. [RT #16187]
4651 2057. [bug] Make setting "ra" dependent on both allow-query-cache
4652 and allow-recursion. [RT #16290]
4654 2056. [bug] dig: ixfr= was not being treated case insensitively
4655 at all times. [RT #15955]
4657 2055. [bug] Missing goto after dropping multicast query.
4660 2054. [port] freebsd: do not explicitly link against -lpthread.
4663 2053. [port] netbsd:libbind: silence compiler warnings. [RT #16220]
4665 2052. [bug] 'rndc' improve connect failed message to report
4666 the failing address. [RT #15978]
4668 2051. [port] More strtol() fixes. [RT #16249]
4670 2050. [bug] Parsing of NSAP records was not case insensitive.
4673 2049. [bug] Restore SOA before AXFR when falling back from
4674 a attempted IXFR when transferring in a zone.
4675 Allow a initial SOA query before attempting
4676 a AXFR to be requested. [RT #16156]
4678 2048. [bug] It was possible to loop forever when using
4679 avoid-v4-udp-ports / avoid-v6-udp-ports when
4680 the OS always returned the same local port.
4683 2047. [bug] Failed to initialize the interface flags to zero.
4686 2046. [bug] rbtdb.c:rdataset_setadditional() could cause duplicate
4687 cleanup [RT #16247].
4689 2045. [func] Use lock buckets for acache entries to limit memory
4690 consumption. [RT #16183]
4692 2044. [port] Add support for atomic operations for Itanium.
4695 2043. [port] nsupdate/nslookup: Force the flushing of the prompt
4696 for interactive sessions. [RT#16148]
4698 2042. [bug] named-checkconf was incorrectly rejecting the
4699 logging category "config". [RT #16117]
4701 2041. [bug] "configure --with-dlz-bdb=yes" produced a bad
4702 set of libraries to be linked. [RT #16129]
4704 2040. [bug] rbtdb no_references() could trigger an INSIST
4705 failure with --enable-atomic. [RT #16022]
4707 2039. [func] Check that all buffers passed to the socket code
4708 have been retrieved when the socket event is freed.
4711 2038. [bug] dig/nslookup/host was unlinking from wrong list
4712 when handling errors. [RT #16122]
4714 2037. [func] When unlinking the first or last element in a list
4715 check that the list head points to the element to
4716 be unlinked. [RT #15959]
4718 2036. [bug] 'rndc recursing' could cause trigger a REQUIRE.
4721 2035. [func] Make falling back to TCP on UDP refresh failure
4722 optional. Default "try-tcp-refresh yes;" for BIND 8
4723 compatibility. [RT #16123]
4725 2034. [bug] gcc: set -fno-strict-aliasing. [RT #16124]
4727 2033. [bug] We weren't creating multiple client memory contexts
4728 on demand as expected. [RT #16095]
4730 2032. [bug] Remove a INSIST in query_addadditional2(). [RT #16074]
4732 2031. [bug] Emit a error message when "rndc refresh" is called on
4733 a non slave/stub zone. [RT # 16073]
4735 2030. [bug] We were being overly conservative when disabling
4736 openssl engine support. [RT #16030]
4738 2029. [bug] host printed out the server multiple times when
4739 specified on the command line. [RT #15992]
4741 2028. [port] linux: socket.c compatibility for old systems.
4744 2027. [port] libbind: Solaris x86 support. [RT #16020]
4746 2026. [bug] Rate limit the two recursive client exceeded messages.
4749 2025. [func] Update "zone serial unchanged" message. [RT #16026]
4751 2024. [bug] named emitted spurious "zone serial unchanged"
4752 messages on reload. [RT #16027]
4754 2023. [bug] "make install" should create ${localstatedir}/run and
4755 ${sysconfdir} if they do not exist. [RT #16033]
4757 2022. [bug] If dnssec validation is disabled only assert CD if
4758 CD was requested. [RT #16037]
4760 2021. [bug] dnssec-enable no; triggered a REQUIRE. [RT #16037]
4762 2020. [bug] rdataset_setadditional() could leak memory. [RT #16034]
4764 2019. [tuning] Reduce the amount of work performed per quantum
4765 when cleaning the cache. [RT #15986]
4767 2018. [bug] Checking if the HMAC MD5 private file was broken.
4770 2017. [bug] allow-query default was not correct. [RT #15946]
4772 2016. [bug] Return a partial answer if recursion is not
4773 allowed but requested and we had the answer
4774 to the original qname. [RT #15945]
4776 2015. [cleanup] use-additional-cache is now acache-enable for
4777 consistency. Default acache-enable off in BIND 9.4
4778 as it requires memory usage to be configured.
4779 It may be enabled by default in BIND 9.5 once we
4780 have more experience with it.
4782 2014. [func] Statistics about acache now recorded and sent
4785 2013. [bug] Handle unexpected TSIGs on unsigned AXFR/IXFR
4786 responses more gracefully. [RT #15941]
4788 2012. [func] Don't insert new acache entries if acache is full.
4791 2011. [func] dnssec-signzone can now update the SOA record of
4792 the signed zone, either as an increment or as the
4793 system time(). [RT #15633]
4795 2010. [placeholder] rt15958
4797 2009. [bug] libbind: Coverity fixes. [RT #15808]
4799 2008. [func] It is now possible to enable/disable DNSSEC
4800 validation from rndc. This is useful for the
4801 mobile hosts where the current connection point
4802 breaks DNSSEC (firewall/proxy). [RT #15592]
4804 rndc validation newstate [view]
4806 2007. [func] It is now possible to explicitly enable DNSSEC
4807 validation. default dnssec-validation no; to
4808 be changed to yes in 9.5.0. [RT #15674]
4810 2006. [security] Allow-query-cache and allow-recursion now default
4811 to the built in acls "localnets" and "localhost".
4813 This is being done to make caching servers less
4814 attractive as reflective amplifying targets for
4815 spoofed traffic. This still leave authoritative
4818 The best fix is for full BCP 38 deployment to
4819 remove spoofed traffic.
4821 2005. [bug] libbind: Retransmission timeouts should be
4822 based on which attempt it is to the nameserver
4823 and not the nameserver itself. [RT #13548]
4825 2004. [bug] dns_tsig_sign() could pass a NULL pointer to
4826 dst_context_destroy() when cleaning up after a
4829 2003. [bug] libbind: The DNS name/address lookup functions could
4830 occasionally follow a random pointer due to
4831 structures not being completely zeroed. [RT #15806]
4833 2002. [bug] libbind: tighten the constraints on when
4834 struct addrinfo._ai_pad exists. [RT #15783]
4836 2001. [func] Check the KSK flag when updating a secure dynamic zone.
4837 New zone option "update-check-ksk yes;". [RT #15817]
4839 2000. [bug] memmove()/strtol() fix was incomplete. [RT #15812]
4841 1999. [func] Implement "rrset-order fixed". [RT #13662]
4843 1998. [bug] Restrict handling of fifos as sockets to just SunOS.
4844 This allows named to connect to entropy gathering
4845 daemons that use fifos instead of sockets. [RT #15840]
4847 1997. [bug] Named was failing to replace negative cache entries
4848 when a positive one for the type was learnt.
4851 1996. [bug] nsupdate: if a zone has been specified it should
4852 appear in the output of 'show'. [RT #15797]
4854 1995. [bug] 'host' was reporting multiple "is an alias" messages.
4857 1994. [port] OpenSSL 0.9.8 support. [RT #15694]
4859 1993. [bug] Log messages, via syslog, were missing the space
4860 after the timestamp if "print-time yes" was specified.
4863 1992. [bug] Not all incoming zone transfer messages included the
4866 1991. [cleanup] The configuration data, once read, should be treated
4867 as read only. Expand the use of const to enforce this
4868 at compile time. [RT #15813]
4870 1990. [bug] libbind: isc's override of broken gettimeofday()
4871 implementations was not always effective.
4874 1989. [bug] win32: don't check the service password when
4875 re-installing. [RT #15882]
4877 1988. [bug] Remove a bus error from the SHA256/SHA512 support.
4880 1987. [func] DS/DLV SHA256 digest algorithm support. [RT #15608]
4882 1986. [func] Report when a zone is removed. [RT #15849]
4884 1985. [protocol] DLV has now been assigned a official type code of
4887 Note: care should be taken to ensure you upgrade
4888 both named and dnssec-signzone at the same time for
4889 zones with DLV records where named is the master
4890 server for the zone. Also any zones that contain
4891 DLV records should be removed when upgrading a slave
4892 zone. You do not however have to upgrade all
4893 servers for a zone with DLV records simultaneously.
4895 1984. [func] dig, nslookup and host now advertise a 4096 byte
4896 EDNS UDP buffer size by default. [RT #15855]
4898 1983. [func] Two new update policies. "selfsub" and "selfwild".
4901 1982. [bug] DNSKEY was being accepted on the parent side of
4902 a delegation. KEY is still accepted there for
4903 RFC 3007 validated updates. [RT #15620]
4905 1981. [bug] win32: condition.c:wait() could fail to reattain
4908 1980. [func] dnssec-signzone: output the SOA record as the
4909 first record in the signed zone. [RT #15758]
4911 1979. [port] linux: allow named to drop core after changing
4912 user ids. [RT #15753]
4914 1978. [port] Handle systems which have a broken recvmsg().
4917 1977. [bug] Silence noisy log message. [RT #15704]
4919 1976. [bug] Handle systems with no IPv4 addresses. [RT #15695]
4921 1975. [bug] libbind: isc_gethexstring() could misparse multi-line
4922 hex strings with comments. [RT #15814]
4924 1974. [doc] List each of the zone types and associated zone
4925 options separately in the ARM.
4927 1973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
4928 HMACSHA512 support. [RT #13606]
4930 1972. [contrib] DBUS dynamic forwarders integration from
4931 Jason Vas Dias <jvdias@redhat.com>.
4933 1971. [port] linux: make detection of missing IF_NAMESIZE more
4936 1970. [bug] nsupdate: adjust UDP timeout when falling back to
4937 unsigned SOA query. [RT #15775]
4939 1969. [bug] win32: the socket code was freeing the socket
4940 structure too early. [RT #15776]
4942 1968. [bug] Missing lock in resolver.c:validated(). [RT #15739]
4944 1967. [func] dig/nslookup/host: warn about missing "QR". [RT #15779]
4946 1966. [bug] Don't set CD when we have fallen back to plain DNS.
4949 1965. [func] Suppress spurious "recursion requested but not
4950 available" warning with 'dig +qr'. [RT #15780].
4952 1964. [func] Separate out MX and SRV to CNAME checks. [RT #15723]
4954 1963. [port] Tru64 4.0E doesn't support send() and recv().
4957 1962. [bug] Named failed to clear old update-policy when it
4958 was removed. [RT #15491]
4960 1961. [bug] Check the port and address of responses forwarded
4961 to dispatch. [RT #15474]
4963 1960. [bug] Update code should set NSEC ttls from SOA MINIMUM.
4966 1959. [func] Control the zeroing of the negative response TTL to
4967 a soa query. Defaults "zero-no-soa-ttl yes;" and
4968 "zero-no-soa-ttl-cache no;". [RT #15460]
4970 1958. [bug] Named failed to update the zone's secure state
4971 until the zone was reloaded. [RT #15412]
4973 1957. [bug] Dig mishandled responses to class ANY queries.
4976 1956. [bug] Improve cross compile support, 'gen' is now built
4977 by native compiler. See README for additional
4978 cross compile support information. [RT #15148]
4980 1955. [bug] Pre-allocate the cache cleaning iterator. [RT #14998]
4982 1954. [func] Named now falls back to advertising EDNS with a
4983 512 byte receive buffer if the initial EDNS queries
4986 1953. [func] The maximum EDNS UDP response named will send can
4987 now be set in named.conf (max-udp-size). This is
4988 independent of the advertised receive buffer
4989 (edns-udp-size). [RT #14852]
4991 1952. [port] hpux: tell the linker to build a runtime link
4992 path "-Wl,+b:". [RT #14816].
4994 1951. [security] Drop queries from particular well known ports.
4995 Don't return FORMERR to queries from particular
4996 well known ports. [RT #15636]
4998 1950. [port] Solaris 2.5.1 and earlier cannot bind() then connect()
4999 a TCP socket. This prevents the source address being
5000 set for TCP connections. [RT #15628]
5002 1949. [func] Addition memory leakage checks. [RT #15544]
5004 1948. [bug] If was possible to trigger a REQUIRE failure in
5005 xfrin.c:maybe_free() if named ran out of memory.
5008 1947. [func] It is now possible to configure named to accept
5009 expired RRSIGs. Default "dnssec-accept-expired no;".
5010 Setting "dnssec-accept-expired yes;" leaves named
5011 vulnerable to replay attacks. [RT #14685]
5013 1946. [bug] resume_dslookup() could trigger a REQUIRE failure
5014 when using forwarders. [RT #15549]
5016 1945. [cleanup] dnssec-keygen: RSA (RSAMD5) is no longer recommended.
5017 To generate a RSAMD5 key you must explicitly request
5020 1944. [cleanup] isc_hash_create() does not need a read/write lock.
5023 1943. [bug] Set the loadtime after rolling forward the journal.
5026 1942. [bug] If the name of a DNSKEY match that of one in
5027 trusted-keys do not attempt to validate the DNSKEY
5028 using the parents DS RRset. [RT #15649]
5030 1941. [bug] ncache_adderesult() should set eresult even if no
5031 rdataset is passed to it. [RT #15642]
5033 1940. [bug] Fixed a number of error conditions reported by
5036 1939. [bug] The resolver could dereference a null pointer after
5037 validation if all the queries have timed out.
5040 1938. [bug] The validator was not correctly handling unsecure
5041 negative responses at or below a SEP. [RT #15528]
5043 1937. [bug] sdlz doesn't handle RRSIG records. [RT #15564]
5045 1936. [bug] The validator could leak memory. [RT #15544]
5047 1935. [bug] 'acache' was DO sensitive. [RT #15430]
5049 1934. [func] Validate pending NS RRsets, in the authority section,
5050 prior to returning them if it can be done without
5051 requiring DNSKEYs to be fetched. [RT #15430]
5053 1933. [bug] dump_rdataset_raw() had a incorrect INSIST. [RT #15534]
5055 1932. [bug] hpux: LDFLAGS was getting corrupted. [RT #15530]
5057 1931. [bug] Per-client mctx could require a huge amount of memory,
5058 particularly for a busy caching server. [RT #15519]
5060 1930. [port] HPUX: ia64 support. [RT #15473]
5062 1929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
5064 1928. [bug] Race in rbtdb.c:currentversion(). [RT #15517]
5066 1927. [bug] Access to soanode or nsnode in rbtdb violated the
5067 lock order rule and could cause a dead lock.
5070 1926. [bug] The Windows installer did not check for empty
5071 passwords. BINDinstall was being installed in
5072 the wrong place. [RT #15483]
5074 1925. [port] All outer level AC_TRY_RUNs need cross compiling
5075 defaults. [RT #15469]
5077 1924. [port] libbind: hpux ia64 support. [RT #15473]
5079 1923. [bug] ns_client_detach() called too early. [RT #15499]
5081 1922. [bug] check-tool.c:setup_logging() missing call to
5082 dns_log_setcontext().
5084 1921. [bug] Client memory contexts were not using internal
5087 1920. [bug] The cache rbtdb lock array was too small to
5088 have the desired performance characteristics.
5091 1919. [contrib] queryperf: a set of new features: collecting/printing
5092 response delays, printing intermediate results, and
5093 adjusting query rate for the "target" qps.
5095 1918. [bug] Memory leak when checking acls. [RT #15391]
5097 1917. [doc] funcsynopsisinfo wasn't being treated as verbatim
5098 when generating man pages. [RT #15385]
5100 1916. [func] Integrate contributed IDN code from JPNIC. [RT #15383]
5102 1915. [bug] dig +ndots was broken. [RT #15215]
5104 1914. [protocol] DS is required to accept mnemonic algorithms
5105 (RFC 4034). Still emit numeric algorithms for
5106 compatibility with RFC 3658. [RT #15354]
5108 1913. [func] Integrate contributed DLZ code into named. [RT #11382]
5110 1912. [port] aix: atomic locking for powerpc. [RT #15020]
5112 1911. [bug] Update windows socket code. [RT #14965]
5114 1910. [bug] dig's +sigchase code overhauled. [RT #14933]
5116 1909. [bug] The DLV code has been re-worked to make no longer
5117 query order sensitive. [RT #14933]
5119 1908. [func] dig now warns if 'RA' is not set in the answer when
5120 'RD' was set in the query. host/nslookup skip servers
5121 that fail to set 'RA' when 'RD' is set unless a server
5122 is explicitly set. [RT #15005]
5124 1907. [func] host/nslookup now continue (default)/fail on SERVFAIL.
5127 1906. [func] dig now has a '-q queryname' and '+showsearch' options.
5130 1905. [bug] Strings returned from cfg_obj_asstring() should be
5131 treated as read-only. The prototype for
5132 cfg_obj_asstring() has been updated to reflect this.
5135 1904. [func] Automatic empty zone creation for D.F.IP6.ARPA and
5136 friends. Note: RFC 1918 zones are not yet covered by
5137 this but are likely to be in a future release.
5139 New options: empty-server, empty-contact,
5140 empty-zones-enable and disable-empty-zone.
5142 1903. [func] ISC string copy API.
5144 1902. [func] Attempt to make the amount of work performed in a
5145 iteration self tuning. The covers nodes clean from
5146 the cache per iteration, nodes written to disk when
5147 rewriting a master file and nodes destroyed per
5148 iteration when destroying a zone or a cache.
5151 1901. [cleanup] Don't add DNSKEY records to the additional section.
5153 1900. [bug] ixfr-from-differences failed to ensure that the
5154 serial number increased. [RT #15036]
5156 1899. [func] named-checkconf now validates update-policy entries.
5159 1898. [bug] Extend ISC_SOCKADDR_FORMATSIZE and
5160 ISC_NETADDR_FORMATSIZE to allow for scope details.
5162 1897. [func] x86 and x86_64 now have separate atomic locking
5165 1896. [bug] Recursive clients soft quota support wasn't working
5166 as expected. [RT #15103]
5168 1895. [bug] A escaped character is, potentially, converted to
5169 the output character set too early. [RT #14666]
5171 1894. [doc] Review ARM for BIND 9.4.
5173 1893. [port] Use uintptr_t if available. [RT #14606]
5175 1892. [func] Support for SPF rdata type. [RT #15033]
5177 1891. [port] freebsd: pthread_mutex_init can fail if it runs out
5178 of memory. [RT #14995]
5180 1890. [func] Raise the UDP receive buffer size to 32k if it is
5181 less than 32k. [RT #14953]
5183 1889. [port] sunos: non blocking i/o support. [RT #14951]
5185 1888. [func] Support for IPSECKEY rdata type. [RT #14967]
5187 1887. [bug] The cache could delete expired records too fast for
5188 clients with a virtual time in the past. [RT #14991]
5190 1886. [bug] fctx_create() could return success even though it
5193 1885. [func] dig: report the number of extra bytes still left in
5194 the packet after processing all the records.
5196 1884. [cleanup] dighost.c: move external declarations into <dig/dig.h>.
5198 1883. [bug] dnssec-signzone, dnssec-keygen: handle negative debug
5201 1882. [func] Limit the number of recursive clients that can be
5202 waiting for a single query (<qname,qtype,qclass>) to
5203 resolve. New options clients-per-query and
5204 max-clients-per-query.
5206 1881. [func] Add a system test for named-checkconf. [RT #14931]
5208 1880. [func] The lame cache is now done on a <qname,qclass,qtype>
5209 basis as some servers only appear to be lame for
5210 certain query types. [RT #14916]
5212 1879. [func] "USE INTERNAL MALLOC" is now runtime selectable.
5215 1878. [func] Detect duplicates of UDP queries we are recursing on
5216 and drop them. New stats category "duplicate".
5219 1877. [bug] Fix unreasonably low quantum on call to
5220 dns_rbt_destroy2(). Remove unnecessary unhash_node()
5223 1876. [func] Additional memory debugging support to track size
5224 and mctx arguments. [RT #14814]
5226 1875. [bug] process_dhtkey() was using the wrong memory context
5227 to free some memory. [RT #14890]
5229 1874. [port] sunos: portability fixes. [RT #14814]
5231 1873. [port] win32: isc__errno2result() now reports its caller.
5234 1872. [port] win32: Handle ERROR_NETNAME_DELETED. [RT #13753]
5238 1870. [func] Added framework for handling multiple EDNS versions.
5241 1869. [func] dig can now specify the EDNS version when making
5242 a query. [RT #14873]
5244 1868. [func] edns-udp-size can now be overridden on a per
5245 server basis. [RT #14851]
5247 1867. [bug] It was possible to trigger a INSIST in
5248 dlv_validatezonekey(). [RT #14846]
5250 1866. [bug] resolv.conf parse errors were being ignored by
5251 dig/host/nslookup. [RT #14841]
5253 1865. [bug] Silently ignore nameservers in /etc/resolv.conf with
5254 bad addresses. [RT #14841]
5256 1864. [bug] Don't try the alternative transfer source if you
5257 got a answer / transfer with the main source
5258 address. [RT #14802]
5260 1863. [bug] rrset-order "fixed" error messages not complete.
5262 1862. [func] Add additional zone data constancy checks.
5263 named-checkzone has extended checking of NS, MX and
5264 SRV record and the hosts they reference.
5265 named has extended post zone load checks.
5266 New zone options: check-mx and integrity-check.
5269 1861. [bug] dig could trigger a INSIST on certain malformed
5270 responses. [RT #14801]
5272 1860. [port] solaris 2.8: hack_shutup_pthreadmutexinit was
5273 incorrectly set. [RT #14775]
5275 1859. [func] Add support for CH A record. [RT #14695]
5277 1858. [bug] The flush-zones-on-shutdown option wasn't being
5280 1857. [bug] named could trigger a INSIST() if reconfigured /
5281 reloaded too fast. [RT #14673]
5283 1856. [doc] Switch Docbook toolchain from DSSSL to XSL.
5286 1855. [bug] ixfr-from-differences was failing to detect changes
5287 of ttl due to dns_diff_subtract() was ignoring the ttl
5288 of records. [RT #14616]
5290 1854. [bug] lwres also needs to know the print format for
5291 (long long). [RT #13754]
5293 1853. [bug] Rework how DLV interacts with proveunsecure().
5296 1852. [cleanup] Remove last vestiges of dnssec-signkey and
5297 dnssec-makekeyset (removed from Makefile years ago).
5299 1851. [doc] Doxygen comment markup. [RT #11398]
5301 1850. [bug] Memory leak in lwres_getipnodebyaddr(). [RT #14591]
5303 1849. [doc] All forms of the man pages (docbook, man, html) should
5304 have consistent copyright dates.
5306 1848. [bug] Improve SMF integration. [RT #13238]
5308 1847. [bug] isc_ondestroy_init() is called too late in
5309 dns_rbtdb_create()/dns_rbtdb64_create().
5312 1846. [contrib] query-loc-0.3.0 from Stephane Bortzmeyer
5313 <bortzmeyer@nic.fr>.
5315 1845. [bug] Improve error reporting to distinguish between
5316 accept()/fcntl() and socket()/fcntl() errors.
5319 1844. [bug] inet_pton() accepted more that 4 hexadecimal digits
5320 for each 16 bit piece of the IPv6 address. The text
5321 representation of a IPv6 address has been tightened
5322 to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt).
5325 1843. [cleanup] CINCLUDES takes precedence over CFLAGS. This helps
5326 when CFLAGS contains "-I /usr/local/include"
5327 resulting in old header files being used.
5329 1842. [port] cmsg_len() could produce incorrect results on
5330 some platform. [RT #13744]
5332 1841. [bug] "dig +nssearch" now makes a recursive query to
5333 find the list of nameservers to query. [RT #13694]
5335 1840. [func] dnssec-signzone can now randomize signature end times
5336 (dnssec-signzone -j jitter). [RT #13609]
5338 1839. [bug] <isc/hash.h> was not being installed.
5340 1838. [cleanup] Don't allow Linux capabilities to be inherited.
5343 1837. [bug] Compile time option ISC_FACILITY was not effective
5344 for 'named -u <user>'. [RT #13714]
5346 1836. [cleanup] Silence compiler warnings in hash_test.c.
5348 1835. [bug] Update dnssec-signzone's usage message. [RT #13657]
5350 1834. [bug] Bad memset in rdata_test.c. [RT #13658]
5352 1833. [bug] Race condition in isc_mutex_lock_profile(). [RT #13660]
5354 1832. [bug] named fails to return BADKEY on unknown TSIG algorithm.
5357 1831. [doc] Update named-checkzone documentation. [RT#13604]
5359 1830. [bug] adb lame cache has sence of test reversed. [RT #13600]
5361 1829. [bug] win32: "pid-file none;" broken. [RT #13563]
5363 1828. [bug] isc_rwlock_init() failed to properly cleanup if it
5364 encountered a error. [RT #13549]
5366 1827. [bug] host: update usage message for '-a'. [RT #37116]
5368 1826. [bug] Missing DESTROYLOCK() in isc_mem_createx() on out
5369 of memory error. [RT #13537]
5371 1825. [bug] Missing UNLOCK() on out of memory error from in
5372 rbtdb.c:subtractrdataset(). [RT #13519]
5374 1824. [bug] Memory leak on dns_zone_setdbtype() failure.
5377 1823. [bug] Wrong macro used to check for point to point interface.
5380 1822. [bug] check-names test for RT was reversed. [RT #13382]
5384 1820. [bug] Gracefully handle acl loops. [RT #13659]
5386 1819. [bug] The validator needed to check both the algorithm and
5387 digest types of the DS to determine if it could be
5388 used to introduce a secure zone. [RT #13593]
5390 1818. [bug] 'named-checkconf -z' triggered an INSIST. [RT #13599]
5392 1817. [func] Add support for additional zone file formats for
5393 improving loading performance. The masterfile-format
5394 option in named.conf can be used to specify a
5395 non-default format. A separate command
5396 named-compilezone was provided to generate zone files
5397 in the new format. Additionally, the -I and -O options
5398 for dnssec-signzone specify the input and output
5401 1816. [port] UnixWare: failed to compile lib/isc/unix/net.c.
5404 1815. [bug] nsupdate triggered a REQUIRE if the server was set
5405 without also setting the zone and it encountered
5406 a CNAME and was using TSIG. [RT #13086]
5408 1814. [func] UNIX domain controls are now supported.
5410 1813. [func] Restructured the data locking framework using
5411 architecture dependent atomic operations (when
5412 available), improving response performance on
5413 multi-processor machines significantly.
5414 x86, x86_64, alpha, powerpc, and mips are currently
5417 1812. [port] win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect.
5420 1811. [func] Preserve the case of domain names in rdata during
5421 zone transfers. [RT #13547]
5423 1810. [bug] configure, lib/bind/configure make different default
5424 decisions about whether to do a threaded build.
5427 1809. [bug] "make distclean" failed for libbind if the platform
5430 1808. [bug] zone.c:notify_zone() contained a race condition,
5431 zone->db could change underneath it. [RT #13511]
5433 1807. [bug] When forwarding (forward only) set the active domain
5434 from the forward zone name. [RT #13526]
5436 1806. [bug] The resolver returned the wrong result when a CNAME /
5437 DNAME was encountered when fetching glue from a
5438 secure namespace. [RT #13501]
5440 1805. [bug] Pending status was not being cleared when DLV was
5443 1804. [bug] Ensure that if we are queried for glue that it fits
5444 in the additional section or TC is set to tell the
5445 client to retry using TCP. [RT #10114]
5447 1803. [bug] dnssec-signzone sometimes failed to remove old
5450 1802. [bug] Handle connection resets better. [RT #11280]
5452 1801. [func] Report differences between hints and real NS rrset
5453 and associated address records.
5455 1800. [bug] Changes #1719 allowed a INSIST to be triggered.
5458 1799. [bug] 'rndc flushname' failed to flush negative cache
5459 entries. [RT #13438]
5461 1798. [func] The server syntax has been extended to support a
5462 range of servers. [RT #11132]
5464 1797. [func] named-checkconf now check acls to verify that they
5465 only refer to existing acls. [RT #13101]
5467 1796. [func] "rndc freeze/thaw" now freezes/thaws all zones.
5469 1795. [bug] "rndc dumpdb" was not fully documented. Minor
5470 formating issues with "rndc dumpdb -all". [RT #13396]
5472 1794. [func] Named and named-checkzone can now both check for
5473 non-terminal wildcard records.
5475 1793. [func] Extend adjusting TTL warning messages. [RT #13378]
5477 1792. [func] New zone option "notify-delay". Specify a minimum
5478 delay between sets of NOTIFY messages.
5480 1791. [bug] 'host -t a' still printed out AAAA and MX records.
5483 1790. [cleanup] Move lib/dns/sec/dst up into lib/dns. This should
5484 allow parallel make to succeed.
5486 1789. [bug] Prerequisite test for tkey and dnssec could fail
5487 with "configure --with-libtool".
5489 1788. [bug] libbind9.la/libbind9.so needs to link against
5490 libisccfg.la/libisccfg.so.
5492 1787. [port] HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings.
5494 1786. [port] AIX: libt_api needs to be taught to look for
5495 T_testlist in the main executable (--with-libtool).
5498 1785. [bug] libbind9.la/libbind9.so needs to link against
5499 libisc.la/libisc.so.
5501 1784. [cleanup] "libtool -allow-undefined" is the default.
5502 Leave hooks in configure to allow it to be set
5503 if needed in the future.
5505 1783. [cleanup] We only need one copy of libtool.m4, ltmain.sh in the
5508 1782. [port] OSX: --with-libtool + --enable-libbind broke on
5509 __evOptMonoTime. [RT #13219]
5511 1781. [port] FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810]
5513 1780. [bug] Update libtool to 1.5.10.
5515 1779. [port] OSF 5.1: libtool didn't handle -pthread correctly.
5517 1778. [port] HUX 11.11: fix broken IN6ADDR_ANY_INIT and
5518 IN6ADDR_LOOPBACK_INIT macros.
5520 1777. [port] OSF 5.1: fix broken IN6ADDR_ANY_INIT and
5521 IN6ADDR_LOOPBACK_INIT macros.
5523 1776. [port] Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
5524 IN6ADDR_LOOPBACK_INIT macros.
5526 1775. [bug] Only compile getnetent_r.c when threaded. [RT #13205]
5528 1774. [port] Aix: Silence compiler warnings / build failures.
5531 1773. [bug] Fast retry on host / net unreachable. [RT #13153]
5537 1770. [bug] named-checkconf failed to report missing a missing
5538 file clause for rbt{64} master/hint zones. [RT#13009]
5540 1769. [port] win32: change compiler flags /MTd ==> /MDd,
5543 1768. [bug] nsecnoexistnodata() could be called with a non-NSEC
5544 rdataset. [RT #12907]
5546 1767. [port] Builds on IPv6 platforms without IPv6 Advanced API
5547 support for (struct in6_pktinfo) failed. [RT #13077]
5549 1766. [bug] Update the master file timestamp on successful refresh
5550 as well as the journal's timestamp. [RT# 13062]
5552 1765. [bug] configure --with-openssl=auto failed. [RT #12937]
5554 1764. [bug] dns_zone_replacedb failed to emit a error message
5555 if there was no SOA record in the replacement db.
5558 1763. [func] Perform sanity checks on NS records which refer to
5559 'in zone' names. [RT #13002]
5561 1762. [bug] isc_interfaceiter_create() could return ISC_R_SUCCESS
5562 even when it failed. [RT #12995]
5564 1761. [bug] 'rndc dumpdb' didn't report unassociated entries.
5567 1760. [bug] Host / net unreachable was not penalising rtt
5568 estimates. [RT #12970]
5570 1759. [bug] Named failed to startup if the OS supported IPv6
5571 but had no IPv6 interfaces configured. [RT #12942]
5573 1758. [func] Don't send notify messages to self. [RT #12933]
5575 1757. [func] host now can turn on memory debugging flags with '-m'.
5577 1756. [func] named-checkconf now checks the logging configuration.
5580 1755. [func] allow-update is now settable at the options / view
5583 1754. [bug] We weren't always attempting to query the parent
5584 server for the DS records at the zone cut.
5587 1753. [bug] Don't serve a slave zone which has no NS records.
5590 1752. [port] Move isc_app_start() to after ns_os_daemonise()
5591 as some fork() implementations unblock the signals
5592 that are blocked by isc_app_start(). [RT #12810]
5594 1751. [bug] --enable-getifaddrs failed under linux. [RT #12867]
5596 1750. [port] lib/bind/make/rules.in:subdirs was not bash friendly.
5599 1749. [bug] 'check-names response ignore;' failed to ignore.
5602 1748. [func] dig now returns the byte count for axfr/ixfr.
5604 1747. [bug] BIND 8 compatibility: named/named-checkconf failed
5605 to parse "host-statistics-max" in named.conf.
5607 1746. [func] Make public the function to read a key file,
5608 dst_key_read_public(). [RT #12450]
5610 1745. [bug] Dig/host/nslookup accept replies from link locals
5611 regardless of scope if no scope was specified when
5612 query was sent. [RT #12745]
5614 1744. [bug] If tuple2msgname() failed to convert a tuple to
5615 a name a REQUIRE could be triggered. [RT #12796]
5617 1743. [bug] If isc_taskmgr_create() was not able to create the
5618 requested number of worker threads then destruction
5619 of the manager would trigger an INSIST() failure.
5622 1742. [bug] Deleting all records at a node then adding a
5623 previously existing record, in a single UPDATE
5624 transaction, failed to leave / regenerate the
5625 associated RRSIG records. [RT #12788]
5627 1741. [bug] Deleting all records at a node in a secure zone
5628 using a update-policy grant failed. [RT #12787]
5630 1740. [bug] Replace rbt's hash algorithm as it performed badly
5631 with certain zones. [RT #12729]
5633 NOTE: a hash context now needs to be established
5634 via isc_hash_create() if the application was not
5637 1739. [bug] dns_rbt_deletetree() could incorrectly return
5638 ISC_R_QUOTA. [RT #12695]
5640 1738. [bug] Enable overrun checking by default. [RT #12695]
5642 1737. [bug] named failed if more than 16 masters were specified.
5645 1736. [bug] dst_key_fromnamedfile() could fail to read a
5646 public key. [RT #12687]
5648 1735. [bug] 'dig +sigtrace' could die with a REQUIRE failure.
5651 1734. [cleanup] 'rndc-confgen -a -t' remove extra '/' in path.
5654 1733. [bug] Return non-zero exit status on initial load failure.
5657 1732. [bug] 'rrset-order name "*"' wasn't being applied to ".".
5660 1731. [port] darwin: relax version test in ifconfig.sh.
5663 1730. [port] Determine the length type used by the socket API.
5666 1729. [func] Improve check-names error messages.
5668 1728. [doc] Update check-names documentation.
5670 1727. [bug] named-checkzone: check-names support didn't match
5673 1726. [port] aix5: add support for aix5.
5675 1725. [port] linux: update error message on interaction of threads,
5676 capabilities and setuid support (named -u). [RT #12541]
5678 1724. [bug] Look for DNSKEY records with "dig +sigtrace".
5681 1723. [cleanup] Silence compiler warnings from t_tasks.c. [RT #12493]
5683 1722. [bug] Don't commit the journal on malformed ixfr streams.
5686 1721. [bug] Error message from the journal processing were not
5687 always identifying the relevant journal. [RT #12519]
5689 1720. [bug] 'dig +chase' did not terminate on a RFC 2308 Type 1
5690 negative response. [RT #12506]
5692 1719. [bug] named was not correctly caching a RFC 2308 Type 1
5693 negative response. [RT #12506]
5695 1718. [bug] nsupdate was not handling RFC 2308 Type 3 negative
5696 responses when looking for the zone / master server.
5699 1717. [port] solaris: ifconfig.sh did not support Solaris 10.
5700 "ifconfig.sh down" didn't work for Solaris 9.
5702 1716. [doc] named.conf(5) was being installed in the wrong
5703 location. [RT# 12441]
5705 1715. [func] 'dig +trace' now randomly selects the next servers
5706 to try. Report if there is a bad delegation.
5708 1714. [bug] dig/host/nslookup were only trying the first
5709 address when a nameserver was specified by name.
5712 1713. [port] linux: extend capset failure message to say:
5713 please ensure that the capset kernel module is
5714 loaded. see insmod(8)
5716 1712. [bug] Missing FULLCHECK for "trusted-key" in dig.
5718 1711. [func] 'rndc unfreeze' has been deprecated by 'rndc thaw'.
5720 1710. [func] 'rndc notify zone [class [view]]' resend the NOTIFY
5721 messages for the specified zone. [RT #9479]
5723 1709. [port] solaris: add SMF support from Sun.
5725 1708. [cleanup] Replaced dns_fullname_hash() with dns_name_fullhash()
5726 for conformance to the name space convention. Binary
5727 backward compatibility to the old function name is
5728 provided. [RT #12376]
5730 1707. [contrib] sdb/ldap updated to version 1.0-beta.
5732 1706. [bug] 'rndc stop' failed to cause zones to be flushed
5733 sometimes. [RT #12328]
5735 1705. [func] Allow the journal's name to be changed via named.conf.
5737 1704. [port] lwres needed a snprintf() implementation for
5738 platforms without snprintf(). Add missing
5739 "#include <isc/print.h>". [RT #12321]
5741 1703. [bug] named would loop sending NOTIFY messages when it
5742 failed to receive a response. [RT #12322]
5744 1702. [bug] also-notify should not be applied to built in zones.
5747 1701. [doc] A minimal named.conf man page.
5749 1700. [func] nslookup is no longer to be treated as deprecated.
5750 Remove "deprecated" warning message. Add man page.
5752 1699. [bug] dnssec-signzone can generate "not exact" errors
5753 when resigning. [RT #12281]
5755 1698. [doc] Use reserved IPv6 documentation prefix.
5757 1697. [bug] xxx-source{,-v6} was not effective when it
5758 specified one of listening addresses and a
5759 different port than the listening port. [RT #12257]
5761 1696. [bug] dnssec-signzone failed to clean out nodes that
5762 consisted of only NSEC and RRSIG records.
5765 1695. [bug] DS records when forwarding require special handling.
5768 1694. [bug] Report if the builtin views of "_default" / "_bind"
5769 are defined in named.conf. [RT #12023]
5771 1693. [bug] max-journal-size was not effective for master zones
5772 with ixfr-from-differences set. [RT# 12024]
5774 1692. [bug] Don't set -I, -L and -R flags when libcrypto is in
5775 /usr/lib. [RT #11971]
5777 1691. [bug] sdb's attachversion was not complete. [RT #11990]
5779 1690. [bug] Delay detaching view from the client until UPDATE
5780 processing completes when shutting down. [RT #11714]
5782 1689. [bug] DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros
5783 contained gratuitous semicolons. [RT #11707]
5785 1688. [bug] LDFLAGS was not supported.
5787 1687. [bug] Race condition in dispatch. [RT #10272]
5789 1686. [bug] Named sent a extraneous NOTIFY when it received a
5790 redundant UPDATE request. [RT #11943]
5792 1685. [bug] Change #1679 loop tests weren't quite right.
5794 1684. [func] ixfr-from-differences now takes master and slave in
5795 addition to yes and no at the options and view levels.
5797 1683. [bug] dig +sigchase could leak memory. [RT #11445]
5799 1682. [port] Update configure test for (long long) printf format.
5802 1681. [bug] Only set SO_REUSEADDR when a port is specified in
5803 isc_socket_bind(). [RT #11742]
5805 1680. [func] rndc: the source address can now be specified.
5807 1679. [bug] When there was a single nameserver with multiple
5808 addresses for a zone not all addresses were tried.
5811 1678. [bug] RRSIG should use TYPEXXXXX for unknown types.
5813 1677. [bug] dig: +aaonly didn't work, +aaflag undocumented.
5815 1676. [func] New option "allow-query-cache". This lets
5816 allow-query be used to specify the default zone
5817 access level rather than having to have every
5818 zone override the global value. allow-query-cache
5819 can be set at both the options and view levels.
5820 If allow-query-cache is not set allow-query applies.
5822 1675. [bug] named would sometimes add extra NSEC records to
5823 the authority section.
5825 1674. [port] linux: increase buffer size used to scan
5828 1673. [port] linux: issue a error messages if IPv6 interface
5831 1672. [cleanup] Tests which only function in a threaded build
5832 now return R:THREADONLY (rather than R:UNTESTED)
5833 in a non-threaded build.
5835 1671. [contrib] queryperf: add NAPTR to the list of known types.
5837 1670. [func] Log UPDATE requests to slave zones without an acl as
5838 "disabled" at debug level 3. [RT# 11657]
5842 1668. [bug] DIG_SIGCHASE was making bin/dig/host dump core.
5844 1667. [port] linux: not all versions have IF_NAMESIZE.
5846 1666. [bug] The optional port on hostnames in dual-stack-servers
5849 1665. [func] rndc now allows addresses to be set in the
5852 1664. [bug] nsupdate needed KEY for SIG(0), not DNSKEY.
5854 1663. [func] Look for OpenSSL by default.
5856 1662. [bug] Change #1658 failed to change one use of 'type'
5859 1661. [bug] Restore dns_name_concatenate() call in
5860 adb.c:set_target(). [RT #11582]
5862 1660. [bug] win32: connection_reset_fix() was being called
5863 unconditionally. [RT #11595]
5865 1659. [cleanup] Cleanup some messages that were referring to KEY vs
5866 DNSKEY, NXT vs NSEC and SIG vs RRSIG.
5868 1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5
5869 and DH. Tighten which options apply to KEY and
5872 1657. [doc] ARM: document query log output.
5874 1656. [doc] Update DNSSEC description in ARM to cover DS, NSEC
5875 DNSKEY and RRSIG. [RT #11542]
5877 1655. [bug] Logging multiple versions w/o a size was broken.
5880 1654. [bug] isc_result_totext() contained array bounds read
5883 1653. [func] Add key type checking to dst_key_fromfilename(),
5884 DST_TYPE_KEY should be used to read TSIG, TKEY and
5887 1652. [bug] TKEY still uses KEY.
5889 1651. [bug] dig: process multiple dash options.
5891 1650. [bug] dig, nslookup: flush standard out after each command.
5893 1649. [bug] Silence "unexpected non-minimal diff" message.
5896 1648. [func] Update dnssec-lookaside named.conf syntax to support
5897 multiple dnssec-lookaside namespaces (not yet
5900 1647. [bug] It was possible trigger a INSIST when chasing a DS
5901 record that required walking back over a empty node.
5904 1646. [bug] win32: logging file versions didn't work with
5905 non-UNC filenames. [RT#11486]
5907 1645. [bug] named could trigger a REQUIRE failure if multiple
5908 masters with keys are specified.
5910 1644. [bug] Update the journal modification time after a
5911 successful refresh query. [RT #11436]
5913 1643. [bug] dns_db_closeversion() could leak memory / node
5914 references. [RT #11163]
5916 1642. [port] Support OpenSSL implementations which don't have
5917 DSA support. [RT #11360]
5919 1641. [bug] Update the check-names description in ARM. [RT #11389]
5921 1640. [bug] win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was
5922 incorrectly closing the socket. [RT #11291]
5924 1639. [func] Initial dlv system test.
5926 1638. [bug] "ixfr-from-differences" could generate a REQUIRE
5927 failure if the journal open failed. [RT #11347]
5929 1637. [bug] Node reference leak on error in addnoqname().
5931 1636. [bug] The dump done callback could get ISC_R_SUCCESS even if
5932 a error had occurred. The database version no longer
5933 matched the version of the database that was dumped.
5935 1635. [bug] Memory leak on error in query_addds().
5937 1634. [bug] named didn't supply a useful error message when it
5938 detected duplicate views. [RT #11208]
5940 1633. [bug] named should return NOTIMP to update requests to a
5941 slaves without a allow-update-forwarding acl specified.
5944 1632. [bug] nsupdate failed to send prerequisite only UPDATE
5945 messages. [RT #11288]
5947 1631. [bug] dns_journal_compact() could sometimes corrupt the
5948 journal. [RT #11124]
5950 1630. [contrib] queryperf: add support for IPv6 transport.
5952 1629. [func] dig now supports IPv6 scoped addresses with the
5953 extended format in the local-server part. [RT #8753]
5955 1628. [bug] Typo in Compaq Trucluster support. [RT# 11264]
5957 1627. [bug] win32: sockets were not being closed when the
5958 last external reference was removed. [RT# 11179]
5960 1626. [bug] --enable-getifaddrs was broken. [RT#11259]
5962 1625. [bug] named failed to load/transfer RFC2535 signed zones
5963 which contained CNAMES. [RT# 11237]
5965 1624. [bug] zonemgr_putio() call should be locked. [RT# 11163]
5967 1623. [bug] A serial number of zero was being displayed in the
5968 "sending notifies" log message when also-notify was
5971 1622. [func] probe the system to see if IPV6_(RECV)PKTINFO is
5972 available, and suppress wildcard binding if not.
5974 1621. [bug] match-destinations did not work for IPv6 TCP queries.
5977 1620. [func] When loading a zone report if it is signed. [RT #11149]
5979 1619. [bug] Missing ISC_LIST_UNLINK in end_reserved_dispatches().
5982 1618. [bug] Fencepost errors in dns_name_ishostname() and
5983 dns_name_ismailbox() could trigger a INSIST().
5985 1617. [port] win32: VC++ 6.0 support.
5987 1616. [compat] Ensure that named's version is visible in the core
5990 1615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if
5993 1614. [port] win32: silence resource limit messages. [RT# 11101]
5995 1613. [bug] Builds would fail on machines w/o a if_nametoindex().
5996 Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif.
5999 1612. [bug] check-names at the option/view level could trigger
6000 an INSIST. [RT# 11116]
6002 1611. [bug] solaris: IPv6 interface scanning failed to cope with
6003 no active IPv6 interfaces.
6005 1610. [bug] On dual stack machines "dig -b" failed to set the
6006 address type to be looked up with "@server".
6009 1609. [func] dig now has support to chase DNSSEC signature chains.
6010 Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES.
6012 DNSSEC validation code in dig coded by Olivier Courtay
6013 (olivier.courtay@irisa.fr) for the IDsA project
6014 (http://idsa.irisa.fr).
6016 1608. [func] dig and host now accept -4/-6 to select IP transport
6017 to use when making queries.
6019 1607. [bug] dig, host and nslookup were still using random()
6020 to generate query ids. [RT# 11013]
6022 1606. [bug] DLV insecurity proof was failing.
6024 1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC.
6026 1604. [bug] A xfrout_ctx_create() failure would result in
6027 xfrout_ctx_destroy() being called with a
6028 partially initialized structure.
6030 1603. [bug] nsupdate: set interactive based on isatty().
6033 1602. [bug] Logging to a file failed unless a size was specified.
6036 1601. [bug] Silence spurious warning 'both "recursion no;" and
6037 "allow-recursion" active' warning from view "_bind".
6040 1600. [bug] Duplicate zone pre-load checks were not case
6043 1599. [bug] Fix memory leak on error path when checking named.conf.
6045 1598. [func] Specify that certain parts of the namespace must
6046 be secure (dnssec-must-be-secure).
6048 1597. [func] Allow notify-source and query-source to be specified
6049 on a per server basis similar to transfer-source.
6052 1596. [func] Accept 'notify-source' style syntax for query-source.
6054 1595. [func] New notify type 'master-only'. Enable notify for
6057 1594. [bug] 'rndc dumpdb' could prevent named from answering
6058 queries while the dump was in progress. [RT #10565]
6060 1593. [bug] rndc should return "unknown command" to unknown
6061 commands. [RT# 10642]
6063 1592. [bug] configure_view() could leak a dispatch. [RT# 10675]
6065 1591. [bug] libbind: updated to BIND 8.4.5.
6067 1590. [port] netbsd: update thread support.
6069 1589. [func] DNSSEC lookaside validation.
6071 1588. [bug] win32: TCP sockets could become blocked. [RT #10115]
6073 1587. [bug] dns_message_settsigkey() failed to clear existing key.
6076 1586. [func] "check-names" is now implemented.
6080 1584. [bug] "make test" failed with a read only source tree.
6083 1583. [bug] Records add via UPDATE failed to get the correct trust
6086 1582. [bug] rrset-order failed to work on RRsets with more
6087 than 32 elements. [RT #10381]
6089 1581. [func] Disable DNSSEC support by default. To enable
6090 DNSSEC specify "dnssec-enable yes;" in named.conf.
6092 1580. [bug] Zone destruction on final detach takes a long time.
6095 1579. [bug] Multiple task managers could not be created.
6097 1578. [bug] Don't use CLASS E IPv4 addresses when resolving.
6100 1577. [bug] Use isc_uint32_t in ultrasparc optimizer bug
6101 workaround code. [RT #10331]
6103 1576. [bug] Race condition in dns_dispatch_addresponse().
6106 1575. [func] Log TSIG name on TSIG verify failure. [RT #4404]
6108 1574. [bug] Don't attempt to open the controls socket(s) when
6109 running tests. [RT #9091]
6111 1573. [port] linux: update to libtool 1.5.2 so that
6112 "make install DESTDIR=/xx" works with
6113 "configure --with-libtool". [RT #9941]
6115 1572. [bug] nsupdate: sign the soa query to find the enclosing
6116 zone if the server is specified. [RT #10148]
6118 1571. [bug] rbt:hash_node() could fail leaving the hash table
6119 in an inconsistent state. [RT #10208]
6121 1570. [bug] nsupdate failed to handle classes other than IN.
6122 New keyword 'class' which sets the default class.
6125 1569. [func] nsupdate new command 'answer' which displays the
6126 complete answer message to the last update.
6128 1568. [bug] nsupdate now reports that the update failed in
6129 interactive mode. [RT# 10236]
6131 1567. [maint] B.ROOT-SERVERS.NET is now 192.228.79.201.
6133 1566. [port] Support for the cmsg framework on Solaris and HP/UX.
6134 This also solved the problem that match-destinations
6135 for IPv6 addresses did not work on these systems.
6138 1565. [bug] CD flag should be copied to outgoing queries unless
6139 the query is under a secure entry point in which case
6142 1564. [func] Attempt to provide a fallback entropy source to be
6143 used if named is running chrooted and named is unable
6144 to open entropy source within the chroot area.
6147 1563. [bug] Gracefully fail when unable to obtain neither an IPv4
6148 nor an IPv6 dispatch. [RT #10230]
6150 1562. [bug] isc_socket_create() and isc_socket_accept() could
6151 leak memory under error conditions. [RT #10230]
6153 1561. [bug] It was possible to release the same name twice if
6154 named ran out of memory. [RT #10197]
6156 1560. [port] FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA
6157 and EAI_NONAME to the same value.
6159 1559. [port] named should ignore SIGFSZ.
6161 1558. [func] New DNSSEC 'disable-algorithms'. Support entry into
6162 child zones for which we don't have a supported
6163 algorithm. Such child zones are treated as unsigned.
6165 1557. [func] Implement missing DNSSEC tests for
6166 * NOQNAME proof with wildcard answers.
6167 * NOWILDARD proof with NXDOMAIN.
6168 Cache and return NOQNAME with wildcard answers.
6170 1556. [bug] nsupdate now treats all names as fully qualified.
6173 1555. [func] 'rrset-order cyclic' no longer has a random starting
6174 point per query. [RT #7572]
6176 1554. [bug] dig, host, nslookup failed when no nameservers
6177 were specified in /etc/resolv.conf. [RT #8232]
6179 1553. [bug] The windows socket code could stop accepting
6180 connections. [RT#10115]
6182 1552. [bug] Accept NOTIFY requests from mapped masters if
6183 matched-mapped is set. [RT #10049]
6185 1551. [port] Open "/dev/null" before calling chroot().
6187 1550. [port] Call tzset(), if available, before calling chroot().
6189 1549. [func] named-checkzone can now write out the zone contents
6190 in a easily parsable format (-D and -o).
6192 1548. [bug] When parsing APL records it was possible to silently
6193 accept out of range ADDRESSFAMILY values. [RT# 9979]
6195 1547. [bug] Named wasted memory recording duplicate lame zone
6198 1546. [bug] We were rejecting valid secure CNAME to negative
6201 1545. [bug] It was possible to leak memory if named was unable to
6202 bind to the specified transfer source and TSIG was
6203 being used. [RT #10120]
6205 1544. [bug] Named would logged a single entry to a file despite it
6206 being over the specified size limit.
6208 1543. [bug] Logging using "versions unlimited" did not work.
6212 1541. [func] NSEC now uses new bitmap format.
6214 1540. [bug] "rndc reload <dynamiczone>" was silently accepted.
6217 1539. [bug] Open UDP sockets for notify-source and transfer-source
6218 that use reserved ports at startup. [RT #9475]
6220 1538. [placeholder] rt9997
6222 1537. [func] New option "querylog". If set specify whether query
6223 logging is to be enabled or disabled at startup.
6225 1536. [bug] Windows socket code failed to log a error description
6226 when returning ISC_R_UNEXPECTED. [RT #9998]
6230 1534. [bug] Race condition when priming cache. [RT# 9940]
6232 1533. [func] Warn if both "recursion no;" and "allow-recursion"
6233 are active. [RT# 4389]
6235 1532. [port] netbsd: the configure test for <sys/sysctl.h>
6236 requires <sys/param.h>.
6238 1531. [port] AIX more libtool fixes.
6240 1530. [bug] It was possible to trigger a INSIST() failure if a
6241 slave master file was removed at just the correct
6244 1529. [bug] "notify explicit;" failed to log that NOTIFY messages
6245 were being sent for the zone. [RT# 9442]
6247 1528. [cleanup] Simplify some dns_name_ functions based on the
6248 deprecation of bitstring labels.
6250 1527. [cleanup] Reduce the number of gettimeofday() calls without
6251 losing necessary timer granularity.
6253 1526. [func] Implemented "additional section caching (or acache)",
6254 an internal cache framework for additional section
6255 content to improve response performance. Several
6256 configuration options were provided to control the
6259 1525. [bug] dns_cache_create() could trigger a REQUIRE
6260 failure in isc_mem_put() during error cleanup.
6263 1524. [port] AIX needs to be able to resolve all symbols when
6264 creating shared libraries (--with-libtool).
6266 1523. [bug] Fix race condition in rbtdb. [RT# 9189]
6268 1522. [bug] dns_db_findnode() relax the requirements on 'name'.
6271 1521. [bug] dns_view_createresolver() failed to check the
6272 result from isc_mem_create(). [RT# 9294]
6274 1520. [protocol] Add SSHFP (SSH Finger Print) type.
6276 1519. [bug] dnssec-signzone:nsec_setbit() computed the wrong
6277 length of the new bitmap.
6279 1518. [bug] dns_nsec_buildrdata(), and hence dns_nsec_build(),
6280 contained a off-by-one error when working out the
6281 number of octets in the bitmap.
6283 1517. [port] Support for IPv6 interface scanning on HP/UX and
6286 1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
6288 1515. [func] Allow transfer source to be set in a server statement.
6291 1514. [bug] named: isc_hash_destroy() was being called too early.
6294 1513. [doc] Add "US" to root-delegation-only exclude list.
6296 1512. [bug] Extend the delegation-only logging to return query
6297 type, class and responding nameserver.
6299 1511. [bug] delegation-only was generating false positives
6300 on negative answers from sub-zones.
6302 1510. [func] New view option "root-delegation-only". Apply
6303 delegation-only check to all TLDs and root.
6304 Note there are some TLDs that are NOT delegation
6305 only (e.g. DE, LV, US and MUSEUM) these can be excluded
6306 from the checks by using exclude.
6308 root-delegation-only exclude {
6309 "DE"; "LV"; "US"; "MUSEUM";
6312 1509. [bug] Hint zones should accept delegation-only. Forward
6313 zone should not accept delegation-only.
6315 1508. [bug] Don't apply delegation-only checks to answers from
6318 1507. [bug] Handle BIND 8 style returns to NS queries to parents
6319 when making delegation-only checks.
6321 1506. [bug] Wrong return type for dns_view_isdelegationonly().
6323 1505. [bug] Uninitialized rdataset in sdb. [RT #8750]
6325 1504. [func] New zone type "delegation-only".
6327 1503. [port] win32: install libeay32.dll outside of system32.
6329 1502. [bug] nsupdate: adjust timeouts for UPDATE requests over TCP.
6331 1501. [func] Allow TCP queue length to be specified via
6332 named.conf, tcp-listen-queue.
6334 1500. [bug] host failed to lookup MX records. Also look up
6337 1499. [bug] isc_random need to be seeded better if arc4random()
6340 1498. [port] bsdos: 5.x support.
6344 1496. [port] test for pthread_attr_setstacksize().
6346 1495. [cleanup] Replace hash functions with universal hash.
6348 1494. [security] Turn on RSA BLINDING as a precaution.
6352 1492. [cleanup] Preserve rwlock quota context when upgrading /
6353 downgrading. [RT #5599]
6355 1491. [bug] dns_master_dump*() would produce extraneous $ORIGIN
6358 1490. [bug] Accept reading state as well as working state in
6359 ns_client_next(). [RT #6813]
6361 1489. [compat] Treat 'allow-update' on slave zones as a warning.
6364 1488. [bug] Don't override trust levels for glue addresses.
6367 1487. [bug] A REQUIRE() failure could be triggered if a zone was
6368 queued for transfer and the zone was then removed.
6371 1486. [bug] isc_print_snprintf() '%%' consumed one too many format
6372 characters. [RT# 8230]
6374 1485. [bug] gen failed to handle high type values. [RT #6225]
6376 1484. [bug] The number of records reported after a AXFR was wrong.
6379 1483. [bug] dig axfr failed if the message id in the answer failed
6380 to match that in the request. Only the id in the first
6381 message is required to match. [RT #8138]
6383 1482. [bug] named could fail to start if the kernel supports
6384 IPv6 but no interfaces are configured. Similarly
6385 for IPv4. [RT #6229]
6387 1481. [bug] Refresh and stub queries failed to use masters keys
6388 if specified. [RT #7391]
6390 1480. [bug] Provide replay protection for rndc commands. Full
6391 replay protection requires both rndc and named to
6392 be updated. Partial replay protection (limited
6393 exposure after restart) is provided if just named
6396 1479. [bug] cfg_create_tuple() failed to handle out of
6397 memory cleanup. parse_list() would leak memory
6400 1478. [port] ifconfig.sh didn't account for other virtual
6401 interfaces. It now takes a optional argument
6402 to specify the first interface number. [RT #3907]
6404 1477. [bug] memory leak using stub zones and TSIG.
6408 1475. [port] Probe for old sprintf().
6410 1474. [port] Provide strtoul() and memmove() for platforms
6413 1473. [bug] create_map() and create_string() failed to handle out
6414 of memory cleanup. [RT #6813]
6416 1472. [contrib] idnkit-1.0 from JPNIC, replaces mdnkit.
6418 1471. [bug] libbind: updated to BIND 8.4.0.
6420 1470. [bug] Incorrect length passed to snprintf. [RT #5966]
6422 1469. [func] Log end of outgoing zone transfer at same level
6423 as the start of transfer is logged. [RT #4441]
6425 1468. [func] Internal zones are no longer counted for
6426 'rndc status'. [RT #4706]
6428 1467. [func] $GENERATES now supports optional class and ttl.
6430 1466. [bug] lwresd configuration errors resulted in memory
6431 and lock leaks. [RT #5228]
6433 1465. [bug] isc_base64_decodestring() and isc_base64_tobuffer()
6434 failed to check that trailing bits were zero allowing
6435 some invalid base64 strings to be accepted. [RT #5397]
6437 1464. [bug] Preserve "out of zone" data for outgoing zone
6438 transfers. [RT #5192]
6440 1463. [bug] dns_rdata_from{wire,struct}() failed to catch bad
6441 NXT bit maps. [RT #5577]
6443 1462. [bug] parse_sizeval() failed to check the token type.
6446 1461. [bug] Remove deadlock from rbtdb code. [RT #5599]
6448 1460. [bug] inet_pton() failed to reject certain malformed
6453 1458. [cleanup] sprintf() -> snprintf().
6455 1457. [port] Provide strlcat() and strlcpy() for platforms without
6458 1456. [contrib] gen-data-queryperf.py from Stephane Bortzmeyer.
6460 1455. [bug] <netaddr> missing from server grammar in
6461 doc/misc/options. [RT #5616]
6463 1454. [port] Use getifaddrs() if available for interface scanning.
6464 --disable-getifaddrs to override. Glibc currently
6465 has a getifaddrs() that does not support IPv6.
6466 Use --enable-getifaddrs=glibc to force the use of
6467 this version under linux machines.
6469 1453. [doc] ARM: $GENERATE example wasn't accurate. [RT #5298]
6473 1451. [bug] rndc-confgen didn't exit with a error code for all
6474 failures. [RT #5209]
6476 1450. [bug] Fetching expired glue failed under certain
6477 circumstances. [RT #5124]
6479 1449. [bug] query_addbestns() didn't handle running out of memory
6482 1448. [bug] Handle empty wildcards labels.
6484 1447. [bug] We were casting (unsigned int) to and from (void *).
6485 rdataset->private4 is now rdataset->privateuint4
6486 to reflect a type change.
6488 1446. [func] Implemented undocumented alternate transfer sources
6489 from BIND 8. See use-alt-transfer-source,
6490 alt-transfer-source and alt-transfer-source-v6.
6492 SECURITY: use-alt-transfer-source is ENABLED unless
6493 you are using views. This may cause a security risk
6494 resulting in accidental disclosure of wrong zone
6495 content if the master supplying different source
6496 content based on IP address. If you are not certain
6497 ISC recommends setting use-alt-transfer-source no;
6499 1445. [bug] DNS_ADBFIND_STARTATROOT broke stub zones. This has
6500 been replaced with DNS_ADBFIND_STARTATZONE which
6501 causes the search to start using the closest zone.
6503 1444. [func] dns_view_findzonecut2() allows you to specify if the
6504 cache should be searched for zone cuts.
6506 1443. [func] Masters lists can now be specified and referenced
6507 in zone masters clauses and other masters lists.
6509 1442. [func] New functions for manipulating port lists:
6510 dns_portlist_create(), dns_portlist_add(),
6511 dns_portlist_remove(), dns_portlist_match(),
6512 dns_portlist_attach() and dns_portlist_detach().
6514 1441. [func] It is now possible to tell dig to bind to a specific
6517 1440. [func] It is now possible to tell named to avoid using
6518 certain source ports (avoid-v4-udp-ports,
6519 avoid-v6-udp-ports).
6521 1439. [bug] Named could return NOERROR with certain NOTIFY
6522 failures. Return NOTAUTH if the NOTIFY zone is
6525 1438. [func] Log TSIG (if any) when logging NOTIFY requests.
6527 1437. [bug] Leave space for stdio to work in. [RT #5033]
6529 1436. [func] dns_zonemgr_resumexfrs() can be used to restart
6532 1435. [bug] zmgr_resume_xfrs() was being called read locked
6533 rather than write locked. zmgr_resume_xfrs()
6534 was not being called if the zone was being
6537 1434. [bug] "rndc reconfig" failed to initiate the initial
6538 zone transfer of new slave zones.
6540 1433. [bug] named could trigger a REQUIRE failure if it could
6541 not get a file descriptor when attempting to write
6542 a master file. [RT #4347]
6544 1432. [func] The advertised EDNS UDP buffer size can now be set
6545 via named.conf (edns-udp-size).
6547 1431. [bug] isc_print_snprintf() "%s" with precision could walk off
6548 end of argument. [RT #5191]
6550 1430. [port] linux: IPv6 interface scanning support.
6552 1429. [bug] Prevent the cache getting locked to old servers.
6556 1427. [bug] Race condition in adb with threaded build.
6560 1425. [port] linux/libbind: define __USE_MISC when testing *_r()
6561 function prototypes in netdb.h. [RT #4921]
6563 1424. [bug] EDNS version not being correctly printed.
6565 1423. [contrib] queryperf: added A6 and SRV.
6567 1422. [func] Log name/type/class when denying a query. [RT #4663]
6569 1421. [func] Differentiate updates that don't succeed due to
6570 prerequisites (unsuccessful) vs other reasons
6573 1420. [port] solaris: work around gcc optimizer bug.
6575 1419. [port] openbsd: use /dev/arandom. [RT #4950]
6577 1418. [bug] 'rndc reconfig' did not cause new slaves to load.
6579 1417. [func] ID.SERVER/CHAOS is now a built in zone.
6580 See "server-id" for how to configure.
6582 1416. [bug] Empty node should return NOERROR NODATA, not NXDOMAIN.
6585 1415. [func] DS TTL now derived from NS ttl. NXT TTL now derived
6588 1414. [func] Support for KSK flag.
6590 1413. [func] Explicitly request the (re-)generation of DS records
6591 from keysets (dnssec-signzone -g).
6593 1412. [func] You can now specify servers to be tried if a nameserver
6594 has IPv6 address and you only support IPv4 or the
6595 reverse. See dual-stack-servers.
6597 1411. [bug] empty nodes should stop wildcard matches. [RT #4802]
6599 1410. [func] Handle records that live in the parent zone, e.g. DS.
6601 1409. [bug] DS should have attribute DNS_RDATATYPEATTR_DNSSEC.
6603 1408. [bug] "make distclean" was not complete. [RT #4700]
6605 1407. [bug] lfsr incorrectly implements the shift register.
6608 1406. [bug] dispatch initializes one of the LFSR's with a incorrect
6609 polynomial. [RT #4617]
6611 1405. [func] Use arc4random() if available.
6613 1404. [bug] libbind: ns_name_ntol() could overwrite a zero length
6616 1403. [func] dnssec-signzone, dnssec-keygen, dnssec-makekeyset
6617 dnssec-signkey now report their version in the
6620 1402. [cleanup] A6 has been moved to experimental and is no longer
6623 1401. [bug] adb wasn't clearing state when the timer expired.
6625 1400. [bug] Block the addition of wildcard NS records by IXFR
6626 or UPDATE. [RT #3502]
6628 1399. [bug] Use serial number arithmetic when testing SIG
6629 timestamps. [RT #4268]
6631 1398. [doc] ARM: notify-also should have been also-notify.
6634 1397. [maint] J.ROOT-SERVERS.NET is now 192.58.128.30.
6636 1396. [func] dnssec-signzone: adjust the default signing time by
6637 1 hour to allow for clock skew.
6639 1395. [port] OpenSSL 0.9.7 defines CRYPTO_LOCK_ENGINE but doesn't
6640 have a working implementation. [RT #4079]
6642 1394. [func] It is now possible to check if a particular element is
6643 in a acl. Remove duplicate entries from the localnets
6646 1393. [port] Bind to individual IPv6 interfaces if IPV6_IPV6ONLY
6647 is not available in the kernel to prevent accidently
6648 listening on IPv4 interfaces.
6650 1392. [bug] named-checkzone: update usage.
6652 1391. [func] Add support for IPv6 scoped addresses in named.
6654 1390. [func] host now supports ixfr.
6656 1389. [bug] named could fail to rotate long log files. [RT #3666]
6658 1388. [port] irix: check for sys/sysctl.h and NET_RT_IFLIST before
6659 defining HAVE_IFLIST_SYSCTL. [RT #3770]
6661 1387. [bug] named could crash due to an access to invalid memory
6662 space (which caused an assertion failure) in
6663 incremental cleaning. [RT #3588]
6665 1386. [bug] named-checkzone -z stopped on errors in a zone.
6668 1385. [bug] Setting serial-query-rate to 10 would trigger a
6671 1384. [bug] host was incompatible with BIND 8 in its exit code and
6672 in the output with the -l option. [RT #3536]
6674 1383. [func] Track the serial number in a IXFR response and log if
6675 a mismatch occurs. This is a more specific error than
6676 "not exact". [RT #3445]
6678 1382. [bug] make install failed with --enable-libbind. [RT #3656]
6680 1381. [bug] named failed to correctly process answers that
6681 contained DNAME records where the resulting CNAME
6682 resulted in a negative answer.
6684 1380. [func] 'rndc recursing' dump recursing queries to
6685 'recursing-file = "named.recursing";'.
6687 1379. [func] 'rndc status' now reports tcp and recursion quota
6690 1378. [func] Improved positive feedback for 'rndc {reload|refresh}.
6692 1377. [func] dns_zone_load{new}() now reports if the zone was
6693 loaded, queued for loading to up to date.
6695 1376. [func] New function dns_zone_logc() to log to specified
6698 1375. [func] 'rndc dumpdb' now dumps the adb cache along with the
6701 1374. [func] dns_adb_dump() now logs the lame zones associated
6704 1373. [bug] Recovery from expired glue failed under certain
6707 1372. [bug] named crashes with an assertion failure on exit when
6708 sharing the same port for listening and querying, and
6709 changing listening addresses several times. [RT# 3509]
6711 1371. [bug] notify-source-v6, transfer-source-v6 and
6712 query-source-v6 with explicit addresses and using the
6713 same ports as named was listening on could interfere
6714 with named's ability to answer queries sent to those
6717 1370. [bug] dig '+[no]recurse' was incorrectly documented.
6719 1369. [bug] Adding an NS record as the lexicographically last
6720 record in a secure zone didn't work.
6722 1368. [func] remove support for bitstring labels.
6724 1367. [func] Use response times to select forwarders.
6726 1366. [contrib] queryperf usage was incomplete. Add '-h' for help.
6728 1365. [func] "localhost" and "localnets" acls now include IPv6
6729 addresses / prefixes.
6731 1364. [func] Log file name when unable to open memory statistics
6732 and dump database files. [RT# 3437]
6734 1363. [func] Listen-on-v6 now supports specific addresses.
6736 1362. [bug] remove IFF_RUNNING test when scanning interfaces.
6738 1361. [func] log the reason for rejecting a server when resolving
6741 1360. [bug] --enable-libbind would fail when not built in the
6742 source tree for certain OS's.
6744 1359. [security] Support patches OpenSSL libraries.
6745 http://www.cert.org/advisories/CA-2002-23.html
6747 1358. [bug] It was possible to trigger a INSIST when debugging
6748 large dynamic updates. [RT #3390]
6750 1357. [bug] nsupdate was extremely wasteful of memory.
6752 1356. [tuning] Reduce the number of events / quantum for zone tasks.
6754 1355. [bug] Fix DNSSEC wildcard proof for CNAME/DNAME.
6756 1354. [doc] lwres man pages had illegal nroff.
6758 1353. [contrib] sdb/ldap to version 0.9.
6760 1352. [bug] dig, host, nslookup when falling back to TCP use the
6761 current search entry (if any). [RT #3374]
6763 1351. [bug] lwres_getipnodebyname() returned the wrong name
6764 when given a IPv4 literal, af=AF_INET6 and AI_MAPPED
6767 1350. [bug] dns_name_fromtext() failed to handle too many labels
6770 1349. [security] Minimum OpenSSL version now 0.9.6e (was 0.9.5a).
6771 http://www.cert.org/advisories/CA-2002-23.html
6773 1348. [port] win32: Rewrote code to use I/O Completion Ports
6774 in socket.c and eliminating a host of socket
6775 errors. Performance is enhanced.
6781 1345. [port] Use a explicit -Wformat with gcc. Not all versions
6782 include it in -Wall.
6784 1344. [func] Log if the serial number on the master has gone
6786 If you have multiple machines specified in the masters
6787 clause you may want to set 'multi-master yes;' to
6788 suppress this warning.
6790 1343. [func] Log successful notifies received (info). Adjust log
6791 level for failed notifies to notice.
6793 1342. [func] Log remote address with TCP dispatch failures.
6795 1341. [func] Allow a rate limiter to be stalled.
6797 1340. [bug] Delay and spread out the startup refresh load.
6799 1339. [func] dig, host and nslookup now use IP6.ARPA for nibble
6800 lookups. Bit string lookups are no longer attempted.
6806 1336. [func] Nibble lookups under IP6.ARPA are now supported by
6807 dns_byaddr_create(). dns_byaddr_createptrname() is
6808 deprecated, use dns_byaddr_createptrname2() instead.
6810 1335. [bug] When performing a nonexistence proof, the validator
6811 should discard parent NXTs from higher in the DNS.
6813 1334. [bug] When signing/verifying rdatasets, duplicate rdatas
6814 need to be suppressed.
6816 1333. [contrib] queryperf now reports a summary of returned
6817 rcodes (-c), rcodes are printed in mnemonic form (-v).
6819 1332. [func] Report the current serial with periodic commits when
6820 rolling forward the journal.
6822 1331. [func] Generate DNSSEC wildcard proofs.
6824 1330. [bug] When processing events (non-threaded) only allow
6825 the task one chance to use to use its quantum.
6827 1329. [func] named-checkzone will now check if nameservers that
6828 appear to be IP addresses. Available modes "fail",
6829 "warn" (default) and "ignore" the results of the
6832 1328. [bug] The validator could incorrectly verify an invalid
6835 1327. [bug] The validator would incorrectly mark data as insecure
6836 when seeing a bogus signature before a correct
6839 1326. [bug] DNAME/CNAME signatures were not being cached when
6840 validation was not being performed. [RT #3284]
6842 1325. [bug] If the tcpquota was exhausted it was possible to
6843 to trigger a INSIST() failure.
6845 1324. [port] darwin: ifconfig.sh now supports darwin.
6847 1323. [port] linux: Slackware 4.0 needs <asm/unistd.h>. [RT #3205]
6849 1322. [bug] dnssec-signzone usage message was misleading.
6851 1321. [bug] If the last RRset in a zone is glue, dnssec-signzone
6852 would incorrectly duplicate its output and sign it.
6854 1320. [doc] query-source-v6 was missing from options section.
6857 1319. [func] libbind: log attempts to exploit #1318.
6859 1318. [bug] libbind: Remote buffer overrun.
6861 1317. [port] libbind: TrueUNIX 5.1 does not like __align as a
6864 1316. [bug] libbind: gethostans() could get out of sync parsing
6865 the response if there was a very long CNAME chain.
6867 1315. [bug] Options should apply to the internal _bind view.
6869 1314. [port] Handle ECONNRESET from sendmsg() [unix].
6871 1313. [func] Query log now says if the query was signed (S) or
6872 if EDNS was used (E).
6874 1312. [func] Log TSIG key used w/ outgoing zone transfers.
6876 1311. [bug] lwres_getrrsetbyname leaked memory. [RT #3159]
6878 1310. [bug] 'rndc stop' failed to cause zones to be flushed
6879 sometimes. [RT #3157]
6881 1309. [func] Log that a zone transfer was covered by a TSIG.
6883 1308. [func] DS (delegation signer) support.
6885 1307. [bug] nsupdate: allow white space base64 key data.
6887 1306. [bug] Badly encoded LOC record when the size, horizontal
6888 precision or vertical precision was 0.1m.
6890 1305. [bug] Document that internal zones are included in the
6891 rndc status results.
6893 1304. [func] New function: dns_zone_name().
6895 1303. [func] Option 'flush-zones-on-shutdown <boolean>;'.
6897 1302. [func] Extended rndc dumpdb to support dumping of zones and
6898 view selection: 'dumpdb [-all|-zones|-cache] [view]'.
6900 1301. [func] New category 'update-security'.
6902 1300. [port] Compaq Trucluster support.
6904 1299. [bug] Set AI_ADDRCONFIG when looking up addresses
6905 via getaddrinfo() (affects dig, host, nslookup, rndc
6908 1298. [bug] The CINCLUDES macro in lib/dns/sec/dst/Makefile
6909 could be left with a trailing "\" after configure
6912 1297. [port] linux: make handling EINVAL from socket() no longer
6913 conditional on #ifdef LINUX.
6915 1296. [bug] isc_log_closefilelogs() needed to lock the log
6918 1295. [bug] isc_log_setdebuglevel() needed to lock the log
6921 1294. [func] libbind: no longer attempts bit string labels for
6922 IPv6 reverse resolution. Try IP6.ARPA then IP6.INT
6923 for nibble style resolution.
6925 1293. [func] Entropy can now be retrieved from EGDs. [RT #2438]
6927 1292. [func] Enable IPv6 support when using ioctl style interface
6928 scanning and OS supports SIOCGLIFADDR using struct
6931 1291. [func] Enable IPv6 support when using sysctl style interface
6934 1290. [func] "dig axfr" now reports the number of messages
6935 as well as the number of records.
6937 1289. [port] See if -ldl is required for OpenSSL? [RT #2672]
6939 1288. [bug] Adjusted REQUIRE's in lib/dns/name.c to better
6940 reflect written requirements.
6942 1287. [bug] REQUIRE that DNS_DBADD_MERGE only be set when adding
6943 a rdataset to a zone db in the rbtdb implementation of
6946 1286. [bug] dns_name_downcase() enforce requirement that
6947 target != NULL or name->buffer != NULL.
6949 1285. [func] lwres: probe the system to see what address families
6950 are currently in use.
6952 1284. [bug] The RTT estimate on unused servers was not aged.
6955 1283. [func] Use "dataready" accept filter if available.
6957 1282. [port] libbind: hpux 11.11 interface scanning.
6959 1281. [func] Log zone when unable to get private keys to update
6960 zone. Log zone when NXT records are missing from
6963 1280. [bug] libbind: escape '(' and ')' when converting to
6966 1279. [port] Darwin uses (unsigned long) for size_t. [RT #2590]
6968 1278. [func] dig: now supports +[no]cl +[no]ttlid.
6970 1277. [func] You can now create your own customized printing
6971 styles: dns_master_stylecreate() and
6972 dns_master_styledestroy().
6974 1276. [bug] libbind: const pointer conflicts in res_debug.c.
6976 1275. [port] libbind: hpux: treat all hpux systems as BIG_ENDIAN.
6978 1274. [bug] Memory leak in lwres_gnbarequest_parse().
6980 1273. [port] libbind: solaris: 64 bit binary compatibility.
6982 1272. [contrib] Berkeley DB 4.0 sdb implementation from
6983 Nuno Miguel Rodrigues <nmr@co.sapo.pt>.
6985 1271. [bug] "recursion available: {denied,approved}" was too
6988 1270. [bug] Check that system inet_pton() and inet_ntop() support
6991 1269. [port] Openserver: ifconfig.sh support.
6993 1268. [port] Openserver: the value FD_SETSIZE depends on whether
6994 <sys/param.h> is included or not. Be consistent.
6996 1267. [func] isc_file_openunique() now creates file using mode
6997 0666 rather than 0600.
6999 1266. [bug] ISC_LINK_INIT, ISC_LINK_UNLINK, ISC_LIST_DEQUEUE,
7000 __ISC_LINK_UNLINKUNSAFE and __ISC_LIST_DEQUEUEUNSAFE
7001 are not C++ compatible, use *_TYPE versions instead.
7003 1265. [bug] libbind: LINK_INIT and UNLINK were not compatible with
7004 C++, use LINK_INIT_TYPE and UNLINK_TYPE instead.
7008 1263. [bug] Reference after free error if dns_dispatchmgr_create()
7011 1262. [bug] ns_server_destroy() failed to set *serverp to NULL.
7013 1261. [func] libbind: ns_sign2() and ns_sign_tcp() now provide
7014 support for compressed TSIG owner names.
7016 1260. [func] libbind: res_update can now update IPv6 servers,
7017 new function res_findzonecut2().
7019 1259. [bug] libbind: get_salen() IPv6 support was broken for OSs
7022 1258. [bug] libbind: res_nametotype() and res_nametoclass() were
7025 1257. [bug] Failure to write pid-file should not be fatal on
7028 1256. [contrib] 'queryperf' now has EDNS (-e) + DNSSEC DO (-D) support.
7030 1255. [bug] When verifying that an NXT proves nonexistence, check
7031 the rcode of the message and only do the matching NXT
7032 check. That is, for NXDOMAIN responses, check that
7033 the name is in the range between the NXT owner and
7034 next name, and for NOERROR NODATA responses, check
7035 that the type is not present in the NXT bitmap.
7037 1254. [func] preferred-glue option from BIND 8.3.
7039 1253. [bug] The dnssec system test failed to remove the correct
7042 1252. [bug] Dig, host and nslookup were not checking the address
7043 the answer was coming from against the address it was
7046 1251. [port] win32: a make file contained absolute version specific
7049 1250. [func] Nsupdate will report the address the update was
7052 1249. [bug] Missing masters clause was not handled gracefully.
7055 1248. [bug] DESTDIR was not being propagated between makes.
7057 1247. [bug] Don't reset the interface index for link/site local
7058 addresses. [RT #2576]
7060 1246. [func] New functions isc_sockaddr_issitelocal(),
7061 isc_sockaddr_islinklocal(), isc_netaddr_issitelocal()
7062 and isc_netaddr_islinklocal().
7064 1245. [bug] Treat ENOBUFS, ENOMEM and ENFILE as soft errors for
7067 1244. [bug] Receiving a TCP message from a blackhole address would
7068 prevent further messages being received over that
7071 1243. [bug] It was possible to trigger a REQUIRE() in
7072 dns_message_findtype(). [RT #2659]
7074 1242. [bug] named-checkzone failed if a journal existed. [RT #2657]
7076 1241. [bug] Drop received UDP messages with a zero source port
7077 as these are invariably forged. [RT #2621]
7079 1240. [bug] It was possible to leak zone references by
7080 specifying an incorrect zone to rndc.
7082 1239. [bug] Under certain circumstances named could continue to
7083 use a name after it had been freed triggering
7084 INSIST() failures. [RT #2614]
7086 1238. [bug] It is possible to lockup the server when shutting down
7087 if notifies were being processed. [RT #2591]
7089 1237. [bug] nslookup: "set q=type" failed.
7091 1236. [bug] dns_rdata{class,type}_fromtext() didn't handle non
7092 NULL terminated text regions. [RT #2588]
7094 1235. [func] Report 'out of memory' errors from openssl.
7096 1234. [bug] contrib/sdb: 'zonetodb' failed to call
7097 dns_result_register(). DNS_R_SEENINCLUDE should not
7100 1233. [bug] The flags field of a KEY record can be expressed in
7101 hex as well as decimal.
7103 1232. [bug] unix/errno2result() didn't handle EADDRNOTAVAIL.
7105 1231. [port] HPUX 11.11 recvmsg() can return spurious EADDRNOTAVAIL.
7107 1230. [bug] isccc_cc_isreply() and isccc_cc_isack() were broken.
7109 1229. [bug] named would crash if it received a TSIG signed
7110 query as part of an AXFR response. [RT #2570]
7112 1228. [bug] 'make install' did not depend on 'make all'. [RT #2559]
7114 1227. [bug] dns_lex_getmastertoken() now returns ISC_R_BADNUMBER
7115 if a number was expected and some other token was
7118 1226. [func] Use EDNS for zone refresh queries. [RT #2551]
7120 1225. [func] dns_message_setopt() no longer requires that
7121 dns_message_renderbegin() to have been called.
7123 1224. [bug] 'rrset-order' and 'sortlist' should be additive
7126 1223. [func] 'rrset-order' partially works 'cyclic' and 'random'
7129 1222. [bug] Specifying 'port *' did not always result in a system
7130 selected (non-reserved) port being used. [RT #2537]
7132 1221. [bug] Zone types 'master', 'slave' and 'stub' were not being
7133 compared case insensitively. [RT #2542]
7135 1220. [func] Support for APL rdata type.
7137 1219. [func] Named now reports the TSIG extended error code when
7138 signature verification fails. [RT #1651]
7140 1218. [bug] Named incorrectly returned SERVFAIL rather than
7141 NOTAUTH when there was a TSIG BADTIME error. [RT #2519]
7143 1217. [func] Report locations of previous key definition when a
7144 duplicate is detected.
7146 1216. [bug] Multiple server clauses for the same server were not
7147 reported. [RT #2514]
7149 1215. [port] solaris: add support to ifconfig.sh for x86 2.5.1
7151 1214. [bug] Win32: isc_file_renameunique() could leave zero length
7154 1213. [func] Report view associated with client if it is not a
7155 standard view (_default or _bind).
7157 1212. [port] libbind: 64k answer buffers were causing stack space
7158 to be exceeded for certain OS. Use heap space instead.
7160 1211. [bug] dns_name_fromtext() incorrectly handled certain
7161 valid octal bitlabels. [RT #2483]
7163 1210. [bug] libbind: getnameinfo() failed to lookup IPv4 mapped /
7164 compatible addresses. [RT #2461]
7166 1209. [bug] Dig, host, nslookup were not checking the message ids
7167 on the responses. [RT #2454]
7169 1208. [bug] dns_master_load*() failed to log a error message if
7170 an error was detected when parsing the ownername of
7171 a record. [RT #2448]
7173 1207. [bug] libbind: getaddrinfo() could call freeaddrinfo() with
7176 1206. [bug] SERVFAIL and NOTIMP responses to an EDNS query should
7177 trigger a non-EDNS retry.
7179 1205. [bug] OPT, TSIG and TKEY cannot be used to set the "class"
7180 of the message. [RT #2449]
7182 1204. [bug] libbind: res_nupdate() failed to update the name
7183 server addresses before sending the update.
7185 1203. [func] Report locations of previous acl and zone definitions
7186 when a duplicate is detected.
7188 1202. [func] New functions: cfg_obj_line() and cfg_obj_file().
7190 1201. [bug] Require that if 'callbacks' is passed to
7191 dns_rdata_fromtext(), callbacks->error and
7192 callbacks->warn are initialized.
7194 1200. [bug] Log 'errno' that we are unable to convert to
7195 isc_result_t. [RT #2404]
7197 1199. [doc] ARM reference to RFC 2157 should have been RFC 1918.
7200 1198. [bug] OPT printing style was not consistent with the way the
7201 header fields are printed. The DO bit was not reported
7202 if set. Report if any of the MBZ bits are set.
7204 1197. [bug] Attempts to define the same acl multiple times were not
7207 1196. [contrib] update mdnkit to 2.2.3.
7209 1195. [bug] Attempts to redefine builtin acls should be caught.
7212 1194. [bug] Not all duplicate zone definitions were being detected
7213 at the named.conf checking stage. [RT #2431]
7215 1193. [bug] dig +besteffort parsing didn't handle packet
7216 truncation. dns_message_parse() has new flag
7217 DNS_MESSAGE_IGNORETRUNCATION.
7219 1192. [bug] The seconds fields in LOC records were restricted
7220 to three decimal places. More decimal places should
7221 be allowed but warned about.
7223 1191. [bug] A dynamic update removing the last non-apex name in
7224 a secure zone would fail. [RT #2399]
7226 1190. [func] Add the "rndc freeze" and "rndc unfreeze" commands.
7229 1189. [bug] On some systems, malloc(0) returns NULL, which
7230 could cause the caller to report an out of memory
7233 1188. [bug] Dynamic updates of a signed zone would fail if
7234 some of the zone private keys were unavailable.
7236 1187. [bug] named was incorrectly returning DNSSEC records
7237 in negative responses when the DO bit was not set.
7239 1186. [bug] isc_hex_tobuffer(,,length = 0) failed to unget the
7240 EOL token when reading to end of line.
7242 1185. [bug] libbind: don't assume statp->_u._ext.ext is valid
7243 unless RES_INIT is set when calling res_*init().
7245 1184. [bug] libbind: call res_ndestroy() if RES_INIT is set
7246 when res_*init() is called.
7248 1183. [bug] Handle ENOSR error when writing to the internal
7249 control pipe. [RT #2395]
7251 1182. [bug] The server could throw an assertion failure when
7252 constructing a negative response packet.
7254 1181. [func] Add the "key-directory" configuration statement,
7255 which allows the server to look for online signing
7256 keys in alternate directories.
7258 1180. [func] dnssec-keygen should always generate keys with
7259 protocol 3 (DNSSEC), since it's less confusing
7262 1179. [func] Add SIG(0) support to nsupdate.
7264 1178. [bug] Follow and cache (if appropriate) A6 and other
7265 data chains to completion in the additional section.
7267 1177. [func] Report view when loading zones if it is not a
7268 standard view (_default or _bind). [RT #2270]
7270 1176. [doc] Document that allow-v6-synthesis is only performed
7271 for clients that are supplied recursive service.
7274 1175. [bug] named-checkzone and named-checkconf failed to call
7275 dns_result_register() at startup which could
7276 result in runtime exceptions when printing
7277 "out of memory" errors. [RT #2335]
7279 1174. [bug] Win32: add WSAECONNRESET to the expected errors
7280 from connect(). [RT #2308]
7282 1173. [bug] Potential memory leaks in isc_log_create() and
7283 isc_log_settag(). [RT #2336]
7285 1172. [doc] Add CERT, GPOS, KX, NAPTR, NSAP, PX and TXT to
7286 table of RR types in ARM.
7288 1171. [func] Added function isc_region_compare(), updated files in
7289 lib/dns to use this function instead of local one.
7291 1170. [bug] Don't attempt to print the token when a I/O error
7292 occurs when parsing named.conf. [RT #2275]
7294 1169. [func] Identify recursive queries in the query log.
7296 1168. [bug] Empty also-notify clauses were not handled. [RT #2309]
7298 1167. [contrib] nslint-2.1a3 (from author).
7300 1166. [bug] "Not Implemented" should be reported as NOTIMP,
7301 not NOTIMPL. [RT #2281]
7303 1165. [bug] We were rejecting notify-source{-v6} in zone clauses.
7305 1164. [bug] Empty masters clauses in slave / stub zones were not
7306 handled gracefully. [RT #2262]
7308 1163. [func] isc_time_formattimestamp() now includes the year.
7310 1162. [bug] The allow-notify option was not accepted in slave
7313 1161. [bug] named-checkzone looped on unbalanced brackets.
7316 1160. [bug] Generating Diffie-Hellman keys longer than 1024
7317 bits could fail. [RT #2241]
7319 1159. [bug] MD and MF are not permitted to be loaded by RFC1123.
7321 1158. [func] Report the client's address when logging notify
7324 1157. [func] match-clients and match-destinations now accept
7327 1156. [port] The configure test for strsep() incorrectly
7328 succeeded on certain patched versions of
7329 AIX 4.3.3. [RT #2190]
7331 1155. [func] Recover from master files being removed from under
7334 1154. [bug] Don't attempt to obtain the netmask of a interface
7335 if there is no address configured. [RT #2176]
7337 1153. [func] 'rndc {stop|halt} -p' now reports the process id
7338 of the instance of named being shutdown.
7340 1152. [bug] libbind: read buffer overflows.
7342 1151. [bug] nslookup failed to check that the arguments to
7343 the port, timeout, and retry options were
7344 valid integers and in range. [RT #2099]
7346 1150. [bug] named incorrectly accepted TTL values
7347 containing plus or minus signs, such as
7350 1149. [func] New function isc_parse_uint32().
7352 1148. [func] 'rndc-confgen -a' now provides positive feedback.
7354 1147. [func] Set IPV6_V6ONLY on IPv6 sockets if supported by
7355 the OS. listen-on-v6 { any; }; should no longer
7356 result in IPv4 queries be accepted. Similarly
7357 control { inet :: ... }; should no longer result
7358 in IPv4 connections being accepted. This can be
7359 overridden at compile time by defining
7362 1146. [func] Allow IPV6_IPV6ONLY to be set/cleared on a socket if
7363 supported by the OS by a new function
7364 isc_socket_ipv6only().
7366 1145. [func] "host" no longer reports a NOERROR/NODATA response
7367 by printing nothing. [RT #2065]
7369 1144. [bug] rndc-confgen would crash if both the -a and -t
7370 options were specified. [RT #2159]
7372 1143. [bug] When a trusted-keys statement was present and named
7373 was built without crypto support, it would leak memory.
7375 1142. [bug] dnssec-signzone would fail to delete temporary files
7376 in some failure cases. [RT #2144]
7378 1141. [bug] When named rejected a control message, it would
7379 leak a file descriptor and memory. It would also
7380 fail to respond, causing rndc to hang.
7383 1140. [bug] rndc-confgen did not accept IPv6 addresses as arguments
7384 to the -s option. [RT #2138]
7386 1139. [func] It is now possible to flush a given name from the
7387 cache(s) via 'rndc flushname name [view]'. [RT #2051]
7389 1138. [func] It is now possible to flush a given name from the
7390 cache by calling the new function
7391 dns_cache_flushname().
7393 1137. [func] It is now possible to flush a given name from the
7394 ADB by calling the new function dns_adb_flushname().
7396 1136. [bug] CNAME records synthesized from DNAMEs did not
7397 have a TTL of zero as required by RFC2672.
7400 1135. [func] You can now override the default syslog() facility for
7401 named/lwresd at compile time. [RT #1982]
7403 1134. [bug] Multi-threaded servers could deadlock in ferror()
7404 when reloading zone files. [RT #1951, #1998]
7406 1133. [bug] IN6_IS_ADDR_LOOPBACK was not portably defined on
7407 platforms without IN6_IS_ADDR_LOOPBACK. [RT #2106]
7409 1132. [func] Improve UPDATE prerequisite failure diagnostic messages.
7411 1131. [bug] The match-destinations view option did not work with
7412 IPv6 destinations. [RT #2073, #2074]
7414 1130. [bug] Log messages reporting an out-of-range serial number
7415 did not include the out-of-range number but the
7416 following token. [RT #2076]
7418 1129. [bug] Multi-threaded servers could crash under heavy
7419 resolution load due to a race condition. [RT #2018]
7421 1128. [func] sdb drivers can now provide RR data in either text
7422 or wire format, the latter using the new functions
7423 dns_sdb_putrdata() and dns_sdb_putnamedrdata().
7425 1127. [func] rndc: If the server to contact has multiple addresses,
7428 1126. [bug] The server could access a freed event if shut
7429 down while a client start event was pending
7430 delivery. [RT #2061]
7432 1125. [bug] rndc: -k option was missing from usage message.
7435 1124. [doc] dig: +[no]dnssec, +[no]besteffort and +[no]fail
7436 are now documented. [RT #2052]
7438 1123. [bug] dig +[no]fail did not match description. [RT #2052]
7440 1122. [tuning] Resolution timeout reduced from 90 to 30 seconds.
7443 1121. [bug] The server could attempt to access a NULL zone
7444 table if shut down while resolving.
7447 1120. [bug] Errors in options were not fatal. [RT #2002]
7449 1119. [func] Added support in Win32 for NTFS file/directory ACL's
7452 1118. [bug] On multi-threaded servers, a race condition
7453 could cause an assertion failure in resolver.c
7454 during resolver shutdown. [RT #2029]
7456 1117. [port] The configure check for in6addr_loopback incorrectly
7457 succeeded on AIX 4.3 when compiling with -O2
7458 because the test code was optimized away.
7461 1116. [bug] Setting transfers in a server clause, transfers-in,
7462 or transfers-per-ns to a value greater than
7463 2147483647 disabled transfers. [RT #2002]
7465 1115. [func] Set maximum values for cleaning-interval,
7466 heartbeat-interval, interface-interval,
7467 max-transfer-idle-in, max-transfer-idle-out,
7468 max-transfer-time-in, max-transfer-time-out,
7469 statistics-interval of 28 days and
7470 sig-validity-interval of 3660 days. [RT #2002]
7472 1114. [port] Ignore more accept() errors. [RT #2021]
7474 1113. [bug] The allow-update-forwarding option was ignored
7475 when specified in a view. [RT #2014]
7479 1111. [bug] Multi-threaded servers could deadlock processing
7480 recursive queries due to a locking hierarchy
7481 violation in adb.c. [RT #2017]
7483 1110. [bug] dig should only accept valid abbreviations of +options.
7486 1109. [bug] nsupdate accepted illegal ttl values.
7488 1108. [bug] On Win32, rndc was hanging when named was not running
7489 due to failure to select for exceptional conditions
7490 in select(). [RT #1870]
7492 1107. [bug] nsupdate could catch an assertion failure if an
7493 invalid domain name was given as the argument to
7496 1106. [bug] After seeing an out of range TTL, nsupdate would
7497 treat all TTLs as out of range. [RT #2001]
7499 1105. [port] OpenUNIX 8 enable threads by default. [RT #1970]
7501 1104. [bug] Invalid arguments to the transfer-format option
7502 could cause an assertion failure. [RT #1995]
7504 1103. [port] OpenUNIX 8 support (ifconfig.sh). [RT #1970]
7506 1102. [doc] Note that query logging is enabled by directing the
7507 queries category to a channel.
7509 1101. [bug] Array bounds read error in lwres_gai_strerror.
7511 1100. [bug] libbind: DNSSEC key ids were computed incorrectly.
7513 1099. [cleanup] libbind: defining REPORT_ERRORS in lib/bind/dst caused
7514 compile time errors.
7516 1098. [bug] libbind: HMAC-MD5 key files are now mode 0600.
7518 1097. [func] libbind: RES_PRF_TRUNC for dig.
7520 1096. [func] libbind: "DNSSEC OK" (DO) support.
7522 1095. [func] libbind: resolver option: no-tld-query. disables
7523 trying unqualified as a tld. no_tld_query is also
7524 supported for FreeBSD compatibility.
7526 1094. [func] libbind: add support gcc's format string checking.
7528 1093. [doc] libbind: miscellaneous nroff fixes.
7530 1092. [bug] libbind: get*by*() failed to check if res_init() had
7533 1091. [bug] libbind: misplaced va_end().
7535 1090. [bug] libbind: dns_ho.c:add_hostent() was not returning
7536 the amount of memory consumed resulting in garbage
7537 address being returned. Alignment calculations were
7538 wasting space. We weren't suppressing duplicate
7541 1089. [func] libbind: inet_{cidr,net}_{pton,ntop}() now have IPv6
7544 1088. [port] libbind: MPE/iX C.70 (incomplete)
7546 1087. [bug] libbind: struct __res_state too large on 64 bit arch.
7548 1086. [port] libbind: sunos: old sprintf.
7550 1085. [port] libbind: solaris: sys_nerr and sys_errlist do not
7551 exist when compiling in 64 bit mode.
7553 1084. [cleanup] libbind: gai_strerror() rewritten.
7555 1083. [bug] The default control channel listened on the
7556 wildcard address, not the loopback as documented.
7559 1082. [bug] The -g option to named incorrectly caused logging
7560 to be sent to syslog in addition to stderr.
7563 1081. [bug] Multicast queries were incorrectly identified
7564 based on the source address, not the destination
7567 1080. [bug] BIND 8 compatibility: accept bare IP prefixes
7568 as the second element of a two-element top level
7569 sort list statement. [RT #1964]
7571 1079. [bug] BIND 8 compatibility: accept bare elements at top
7572 level of sort list treating them as if they were
7573 a single element list. [RT #1963]
7575 1078. [bug] We failed to correct bad tv_usec values in one case.
7578 1077. [func] Do not accept further recursive clients when
7579 the total number of recursive lookups being
7580 processed exceeds max-recursive-clients, even
7581 if some of the lookups are internally generated.
7584 1076. [bug] A badly defined global key could trigger an assertion
7585 on load/reload if views were used. [RT #1947]
7587 1075. [bug] Out-of-range network prefix lengths were not
7588 reported. [RT #1954]
7590 1074. [bug] Running out of memory in dump_rdataset() could
7591 cause an assertion failure. [RT #1946]
7593 1073. [bug] The ADB cache cleaning should also be space driven.
7596 1072. [bug] The TCP client quota could be exceeded when
7597 recursion occurred. [RT #1937]
7599 1071. [bug] Sockets listening for TCP DNS connections
7600 specified an excessive listen backlog. [RT #1937]
7602 1070. [bug] Copy DNSSEC OK (DO) to response as specified by
7603 draft-ietf-dnsext-dnssec-okbit-03.txt.
7607 1068. [bug] errno could be overwritten by catgets(). [RT #1921]
7609 1067. [func] Allow quotas to be soft, isc_quota_soft().
7611 1066. [bug] Provide a thread safe wrapper for strerror().
7614 1065. [func] Runtime support to select new / old style interface
7615 scanning using ioctls.
7617 1064. [bug] Do not shut down active network interfaces if we
7618 are unable to scan the interface list. [RT #1921]
7620 1063. [bug] libbind: "make install" was failing on IRIX.
7623 1062. [bug] If the control channel listener socket was shut
7624 down before server exit, the listener object could
7625 be freed twice. [RT #1916]
7627 1061. [bug] If periodic cache cleaning happened to start
7628 while cleaning due to reaching the configured
7629 maximum cache size was in progress, the server
7630 could catch an assertion failure. [RT #1912]
7632 1060. [func] Move refresh, stub and notify UDP retry processing
7635 1059. [func] dns_request now support will now retry UDP queries,
7636 dns_request_createvia2() and dns_request_createraw2().
7638 1058. [func] Limited lifetime ticker timers are now available,
7639 isc_timertype_limited.
7641 1057. [bug] Reloading the server after adding a "file" clause
7642 to a zone statement could cause the server to
7643 crash due to a typo in change 1016.
7645 1056. [bug] Rndc could catch an assertion failure on SIGINT due
7646 to an uninitialized variable. [RT #1908]
7648 1055. [func] Version and hostname queries can now be disabled
7649 using "version none;" and "hostname none;",
7652 1054. [bug] On Win32, cfg_categories and cfg_modules need to be
7653 exported from the libisccfg DLL.
7655 1053. [bug] Dig did not increase its timeout when receiving
7656 AXFRs unless the +time option was used. [RT #1904]
7658 1052. [bug] Journals were not being created in binary mode
7659 resulting in "journal format not recognized" error
7660 under Win32. [RT #1889]
7662 1051. [bug] Do not ignore a network interface completely just
7663 because it has a noncontiguous netmask. Instead,
7664 omit it from the localnets ACL and issue a warning.
7667 1050. [bug] Log messages reporting malformed IP addresses in
7668 address lists such as that of the forwarders option
7669 failed to include the correct error code, file
7670 name, and line number. [RT #1890]
7672 1049. [func] "pid-file none;" will disable writing a pid file.
7675 1048. [bug] Servers built with -DISC_MEM_USE_INTERNAL_MALLOC=1
7678 1047. [bug] named was incorrectly refusing all requests signed
7679 with a TSIG key derived from an unsigned TKEY
7680 negotiation with a NOERROR response. [RT #1886]
7682 1046. [bug] The help message for the --with-openssl configure
7683 option was inaccurate. [RT #1880]
7685 1045. [bug] It was possible to skip saving glue for a nameserver
7688 1044. [bug] Specifying allow-transfer, notify-source, or
7689 notify-source-v6 in a stub zone was not treated
7692 1043. [bug] Specifying a transfer-source or transfer-source-v6
7693 option in the zone statement for a master zone was
7694 not treated as an error. [RT #1876]
7696 1042. [bug] The "config" logging category did not work properly.
7699 1041. [bug] Dig/host/nslookup could catch an assertion failure
7700 on SIGINT due to an uninitialized variable. [RT #1867]
7702 1040. [bug] Multiple listen-on-v6 options with different ports
7703 were not accepted. [RT #1875]
7705 1039. [bug] Negative responses with CNAMEs in the answer section
7706 were cached incorrectly. [RT #1862]
7708 1038. [bug] In servers configured with a tkey-domain option,
7709 TKEY queries with an owner name other than the root
7710 could cause an assertion failure. [RT #1866, #1869]
7712 1037. [bug] Negative responses whose authority section contain
7713 SOA or NS records whose owner names are not equal
7714 equal to or parents of the query name should be
7715 rejected. [RT #1862]
7717 1036. [func] Silently drop requests received via multicast as
7718 long as there is no final multicast DNS standard.
7720 1035. [bug] If we respond to multicast queries (which we
7721 currently do not), respond from a unicast address
7722 as specified in RFC 1123. [RT #137]
7724 1034. [bug] Ignore the RD bit on multicast queries as specified
7725 in RFC 1123. [RT #137]
7727 1033. [bug] Always respond to requests with an unsupported opcode
7728 with NOTIMP, even if we don't have a matching view
7729 or cannot determine the class.
7731 1032. [func] hostname.bind/txt/chaos now returns the name of
7732 the machine hosting the nameserver. This is useful
7733 in diagnosing problems with anycast servers.
7735 1031. [bug] libbind.a: isc__gettimeofday() infinite recursion.
7738 1030. [bug] On systems with no resolv.conf file, nsupdate
7739 exited with an error rather than defaulting
7740 to using the loopback address. [RT #1836]
7742 1029. [bug] Some named.conf errors did not cause the loading
7743 of the configuration file to return a failure
7744 status even though they were logged. [RT #1847]
7746 1028. [bug] On Win32, dig/host/nslookup looked for resolv.conf
7747 in the wrong directory. [RT #1833]
7749 1027. [bug] RRs having the reserved type 0 should be rejected.
7754 1025. [bug] Don't use multicast addresses to resolve iterative
7757 1024. [port] Compilation failed on HP-UX 11.11 due to
7758 incompatible use of the SIOCGLIFCONF macro
7761 1023. [func] Accept hints without TTLs.
7763 1022. [bug] Don't report empty root hints as "extra data".
7766 1021. [bug] On Win32, log message timestamps were one month
7767 later than they should have been, and the server
7768 would exhibit unspecified behavior in December.
7770 1020. [bug] IXFR log messages did not distinguish between
7771 true IXFRs, AXFR-style IXFRs, and mere version
7774 1019. [bug] The value of the lame-ttl option was limited to 18000
7775 seconds, not 1800 seconds as documented. [RT #1803]
7777 1018. [bug] The default log channel was not always initialized
7778 correctly. [RT #1813]
7780 1017. [bug] When specifying TSIG keys to dig and nsupdate using
7781 the -k option, they must be HMAC-MD5 keys. [RT #1810]
7783 1016. [bug] Slave zones with no backup file were re-transferred
7784 on every server reload.
7786 1015. [bug] Log channels that had a "versions" option but no
7787 "size" option failed to create numbered log
7790 1014. [bug] Some queries would cause statistics counters to
7791 increment more than once or not at all. [RT #1321]
7793 1013. [bug] It was possible to cancel a query twice when marking
7794 a server as bogus or by having a blackhole acl.
7797 1012. [bug] The -p option to named did not behave as documented.
7799 1011. [cleanup] Removed isc_dir_current().
7801 1010. [bug] The server could attempt to execute a command channel
7802 command after initiating server shutdown, causing
7803 an assertion failure. [RT #1766]
7805 1009. [port] OpenUNIX 8 support. [RT #1728]
7807 1008. [port] libtool.m4, ltmain.sh from libtool-1.4.2.
7809 1007. [port] config.guess, config.sub from autoconf-2.52.
7811 1006. [bug] If a KEY RR was found missing during DNSSEC validation,
7812 an assertion failure could subsequently be triggered
7813 in the resolver. [RT #1763]
7815 1005. [bug] Don't copy nonzero RCODEs from request to response.
7818 1004. [port] Deal with recvfrom() returning EHOSTDOWN. [RT #1770]
7820 1003. [func] Add the +retry option to dig.
7822 1002. [bug] When reporting an unknown class name in named.conf,
7823 including the file name and line number. [RT #1759]
7825 1001. [bug] win32 socket code doio_recv was not catching a
7826 WSACONNRESET error when a client was timing out
7827 the request and closing its socket. [RT #1745]
7829 1000. [bug] BIND 8 compatibility: accept "HESIOD" as an alias
7830 for class "HS". [RT #1759]
7832 999. [func] "rndc retransfer zone [class [view]]" added.
7835 998. [func] named-checkzone now has arguments to specify the
7836 chroot directory (-t) and working directory (-w).
7839 997. [func] Add support for RSA-SHA1 keys (RFC3110).
7841 996. [func] Issue warning if the configuration filename contains
7844 995. [bug] dig, host, nslookup: using a raw IPv6 address as a
7845 target address should be fatal on a IPv4 only system.
7847 994. [func] Treat non-authoritative responses to queries for type
7848 NS as referrals even if the NS records are in the
7849 answer section, because BIND 8 servers incorrectly
7850 send them that way. This is necessary for DNSSEC
7851 validation of the NS records of a secure zone to
7852 succeed when the parent is a BIND 8 server. [RT #1706]
7854 993. [func] dig: -v now reports the version.
7856 992. [doc] dig: ~/.digrc is now documented.
7858 991. [func] Lower UDP refresh timeout messages to level
7861 990. [bug] The rndc-confgen man page was not installed.
7863 989. [bug] Report filename if $INCLUDE fails for file related
7866 988. [bug] 'additional-from-auth no;' did not work reliably
7867 in the case of queries answered from the cache.
7870 987. [bug] "dig -help" didn't show "+[no]stats".
7872 986. [bug] "dig +noall" failed to clear stats and command
7875 985. [func] Consider network interfaces to be up iff they have
7876 a nonzero IP address rather than based on the
7877 IFF_UP flag. [RT #1160]
7879 984. [bug] Multi-threading should be enabled by default on
7880 Solaris 2.7 and newer, but it wasn't.
7882 983. [func] The server now supports generating IXFR difference
7883 sequences for non-dynamic zones by comparing zone
7884 versions, when enabled using the new config
7885 option "ixfr-from-differences". [RT #1727]
7887 982. [func] If "memstatistics-file" is set in options the memory
7888 statistics will be written to it.
7890 981. [func] The dnssec tools can now take multiple '-r randomfile'
7893 980. [bug] Incoming zone transfers restarting after an error
7894 could trigger an assertion failure. [RT #1692]
7896 979. [func] Incremental master file dumping. dns_master_dumpinc(),
7897 dns_master_dumptostreaminc(), dns_dumpctx_attach(),
7898 dns_dumpctx_detach(), dns_dumpctx_cancel(),
7899 dns_dumpctx_db() and dns_dumpctx_version().
7901 978. [bug] dns_db_attachversion() had an invalid REQUIRE()
7904 977. [bug] Improve "not at top of zone" error message.
7906 976. [func] named-checkconf can now test load master zones
7907 (named-checkconf -z). [RT #1468]
7909 975. [bug] "max-cache-size default;" as a view option
7910 caused an assertion failure.
7912 974. [bug] "max-cache-size unlimited;" as a global option
7915 973. [bug] Failed to log the question name when logging:
7916 "bad zone transfer request: non-authoritative zone
7919 972. [bug] The file modification time code in zone.c was using the
7920 wrong epoch. [RT #1667]
7924 970. [func] 'max-journal-size' can now be used to set a target
7927 969. [func] dig now supports the undocumented dig 8 feature
7928 of allowing arbitrary labels, not just dotted
7929 decimal quads, with the -x option. This can be
7930 used to conveniently look up RFC2317 names as in
7931 "dig -x 10.0.0.0-127". [RT #827, #1576, #1598]
7933 968. [bug] On win32, the isc_time_now() function was unnecessarily
7934 calling strtime(). [RT #1671]
7936 967. [bug] On win32, the link for bindevt was not including the
7937 required resource file to enable the event viewer
7938 to interpret the error messages in the event log,
7943 965. [bug] Including data other than root server NS and A
7944 records in the root hint file could cause a rbtdb
7945 node reference leak. [RT #1581, #1618]
7947 964. [func] Warn if data other than root server NS and A records
7948 are found in the root hint file. [RT #1581, #1618]
7950 963. [bug] Bad ISC_LANG_ENDDECLS. [RT #1645]
7952 962. [bug] libbind: bad "#undef", don't attempt to install
7953 non-existent nlist.h. [RT #1640]
7955 961. [bug] Tried to use a IPV6 feature when ISC_PLATFORM_HAVEIPV6
7956 was not defined. [RT #1482]
7958 960. [port] liblwres failed to build on systems with support for
7959 getrrsetbyname() in the OS. [RT #1592]
7961 959. [port] On FreeBSD, determine the number of CPUs by calling
7962 sysctlbyname(). [RT #1584]
7964 958. [port] ssize_t is not available on all platforms. [RT #1607]
7966 957. [bug] sys/select.h inclusion was broken on older platforms.
7969 956. [bug] ns_g_autorndcfile changed to ns_g_keyfile
7970 in named/win32/os.c due to code changes in
7971 change #953. win32 .make file for rndc-confgen
7972 updated to add include path for os.h header.
7974 --- 9.2.0rc1 released ---
7976 955. [bug] When using views, the zone's class was not being
7977 inherited from the view's class. [RT #1583]
7979 954. [bug] When requesting AXFRs or IXFRs using dig, host, or
7980 nslookup, the RD bit should not be set as zone
7981 transfers are inherently non-recursive. [RT #1575]
7983 953. [func] The /var/run/named.key file from change #843
7984 has been replaced by /etc/rndc.key. Both
7985 named and rndc will look for this file and use
7986 it to configure a default control channel key
7987 if not already configured using a different
7988 method (rndc.conf / controls). Unlike
7989 named.key, rndc.key is not created automatically;
7990 it must be created by manually running
7993 952. [bug] The server required manual intervention to serve the
7994 affected zones if it died between creating a journal
7995 and committing the first change to it.
7997 951. [bug] CFLAGS was not passed to the linker when
7998 linking some of the test programs under
7999 bin/tests. [RT #1555].
8001 950. [bug] Explicit TTLs did not properly override $TTL
8002 due to a bug in change 834. [RT #1558]
8004 949. [bug] host was unable to print records larger than 512
8007 --- 9.2.0b2 released ---
8009 948. [port] Integrated support for building on Windows NT /
8012 947. [bug] dns_rdata_soa_t had a badly named element "mname" which
8013 was really the RNAME field from RFC1035. To avoid
8014 confusion and silent errors that would occur it the
8015 "origin" and "mname" elements were given their correct
8016 names "mname" and "rname" respectively, the "mname"
8017 element is renamed to "contact".
8019 946. [cleanup] doc/misc/options is now machine-generated from the
8020 configuration parser syntax tables, and therefore
8021 more likely to be correct.
8023 945. [func] Add the new view-specific options
8024 "match-destinations" and "match-recursive-only".
8026 944. [func] Check for expired signatures on load.
8028 943. [bug] The server could crash when receiving a command
8029 via rndc if the configuration file listed only
8030 nonexistent keys in the controls statement. [RT #1530]
8032 942. [port] libbind: GETNETBYADDR_ADDR_T was not correctly
8033 defined on some platforms.
8035 941. [bug] The configuration checker crashed if a slave
8036 zone didn't contain a masters statement. [RT #1514]
8038 940. [bug] Double zone locking failure on error path. [RT #1510]
8040 --- 9.2.0b1 released ---
8042 939. [port] Add the --disable-linux-caps option to configure for
8043 systems that manage capabilities outside of named.
8048 937. [bug] A race when shutting down a zone could trigger a
8049 INSIST() failure. [RT #1034]
8051 936. [func] Warn about IPv4 addresses that are not complete
8052 dotted quads. [RT #1084]
8054 935. [bug] inet_pton failed to reject leading zeros.
8056 934. [port] Deal with systems where accept() spuriously returns
8059 933. [bug] configure failed doing libbind on platforms not
8060 supported by BIND 8. [RT #1496]
8062 --- 9.2.0a3 released ---
8064 932. [bug] Use INSTALL_SCRIPT, not INSTALL_PROGRAM,
8065 when installing isc-config.sh.
8068 931. [bug] The controls statement only attempted to verify
8069 messages using the first key in the key list.
8072 930. [func] Query performance testing tool added as
8077 928. [bug] nsupdate would send empty update packets if the
8078 send (or empty line) command was run after
8079 another send but before any new updates or
8080 prerequisites were specified. It should simply
8081 ignore this command.
8083 927. [bug] Don't hold the zone lock for the entire dump to disk.
8086 926. [bug] The resolver could deadlock with the ADB when
8087 shutting down (multi-threaded builds only).
8090 925. [cleanup] Remove openssl from the distribution; require that
8091 --with-openssl be specified if DNSSEC is needed.
8093 924. [port] Extend support for pre-RFC2133 IPv6 implementation.
8096 923. [bug] Multiline TSIG secrets (and other multiline strings)
8097 were not accepted in named.conf. [RT #1469]
8099 922. [func] Added two new lwres_getrrsetbyname() result codes,
8100 ERR_NONAME and ERR_NODATA.
8102 921. [bug] lwres returned an incorrect error code if it received
8103 a truncated message.
8105 920. [func] Increase the lwres receive buffer size to 16K.
8110 918. [func] In nsupdate, TSIG errors are no longer treated as
8113 917. [func] New nsupdate command 'key', allowing TSIG keys to
8114 be specified in the nsupdate command stream rather
8115 than the command line.
8117 916. [bug] Specifying type ixfr to dig without specifying
8118 a serial number failed in unexpected ways.
8120 915. [func] The named-checkconf and named-checkzone programs
8121 now have a '-v' option for printing their version.
8124 914. [bug] Global 'server' statements were rejected when
8125 using views, even though they were accepted
8128 913. [bug] Cache cleaning was not sufficiently aggressive.
8131 912. [bug] Attempts to set the 'additional-from-cache' or
8132 'additional-from-auth' option to 'no' in a
8133 server with recursion enabled will now
8134 be ignored and cause a warning message.
8139 910. [port] Some pre-RFC2133 IPv6 implementations do not define
8140 IN6ADDR_ANY_INIT. [RT #1416]
8144 908. [func] New program, rndc-confgen, to simplify setting up rndc.
8146 907. [func] The ability to get entropy from either the
8147 random device, a user-provided file or from
8148 the keyboard was migrated from the DNSSEC tools
8149 to libisc as isc_entropy_usebestsource().
8151 906. [port] Separated the system independent portion of
8152 lib/isc/unix/entropy.c into lib/isc/entropy.c
8153 and added lib/isc/win32/entropy.c.
8155 905. [bug] Configuring a forward "zone" for the root domain
8156 did not work. [RT #1418]
8158 904. [bug] The server would leak memory if attempting to use
8159 an expired TSIG key. [RT #1406]
8161 903. [bug] dig should not crash when receiving a TCP packet
8164 902. [bug] The -d option was ignored if both -t and -g were also
8169 900. [bug] A config.guess update changed the system identification
8170 string of FreeBSD systems; configure and
8171 bin/tests/system/ifconfig.sh now recognize the new
8174 --- 9.2.0a2 released ---
8176 899. [bug] lib/dns/soa.c failed to compile on many platforms
8177 due to inappropriate use of a void value.
8178 [RT #1372, #1373, #1386, #1387, #1395]
8180 898. [bug] "dig" failed to set a nonzero exit status
8181 on UDP query timeout. [RT #1323]
8183 897. [bug] A config.guess update changed the system identification
8184 string of UnixWare systems; configure now recognizes
8187 896. [bug] If a configuration file is set on named's command line
8188 and it has a relative pathname, the current directory
8189 (after any possible jailing resulting from named -t)
8190 will be prepended to it so that reloading works
8191 properly even when a directory option is present.
8193 895. [func] New function, isc_dir_current(), akin to POSIX's
8196 894. [bug] When using the DNSSEC tools, a message intended to warn
8197 when the keyboard was being used because of the lack
8198 of a suitable random device was not being printed.
8200 893. [func] Removed isc_file_test() and added isc_file_exists()
8201 for the basic functionality that was being added
8202 with isc_file_test().
8206 891. [bug] Return an error when a SIG(0) signed response to
8207 an unsigned query is seen. This should actually
8208 do the verification, but it's not currently
8209 possible. [RT #1391]
8211 890. [cleanup] The man pages no longer require the mandoc macros
8212 and should now format cleanly using most versions of
8213 nroff, and HTML versions of the man pages have been
8214 added. Both are generated from DocBook source.
8216 889. [port] Eliminated blank lines before .TH in nroff man
8217 pages since they cause problems with some versions
8218 of nroff. [RT #1390]
8220 888. [bug] Don't die when using TKEY to delete a nonexistent
8221 TSIG key. [RT #1392]
8223 887. [port] Detect broken compilers that can't call static
8224 functions from inline functions. [RT #1212]
8266 866. [func] Close debug only file channels when debug is set to
8269 865. [bug] The new configuration parser did not allow
8270 the optional debug level in a "severity debug"
8271 clause of a logging channel to be omitted.
8272 This is now allowed and treated as "severity
8273 debug 1;" like it does in BIND 8.2.4, not as
8274 "severity debug 0;" like it did in BIND 9.1.
8277 864. [cleanup] Multi-threading is now enabled by default on
8278 OSF1, Solaris 2.7 and newer, AIX, IRIX, and HP-UX.
8280 863. [bug] If an error occurred while an outgoing zone transfer
8281 was starting up, the server could access a domain
8282 name that had already been freed when logging a
8283 message saying that the transfer was starting.
8286 862. [bug] Use after realloc(), non portable pointer arithmetic in
8289 861. [port] Add support for Mac OS X, by making it equivalent
8290 to Darwin. This was derived from the config.guess
8291 file shipped with Mac OS X. [RT #1355]
8293 860. [func] Drop cross class glue in zone transfers.
8295 859. [bug] Cache cleaning now won't swamp the CPU if there
8296 is a persistent over limit condition.
8298 858. [func] isc_mem_setwater() no longer requires that when the
8299 callback function is non-NULL then its hi_water
8300 argument must be greater than its lo_water argument
8301 (they can now be equal) or that they be non-zero.
8303 857. [cleanup] Use ISC_MAGIC() to define all magic numbers for
8304 structs, for our friends in EBCDIC-land.
8306 856. [func] Allow partial rdatasets to be returned in answer and
8307 authority sections to help non-TCP capable clients
8308 recover from truncation. [RT #1301]
8310 855. [bug] Stop spurious "using RFC 1035 TTL semantics" warnings.
8312 854. [bug] The config parser didn't properly handle config
8313 options that were specified in units of time other
8314 than seconds. [RT #1372]
8316 853. [bug] configure_view_acl() failed to detach existing acls.
8319 852. [bug] Handle responses from servers which do not know
8322 851. [cleanup] The obsolete support-ixfr option was not properly
8325 --- 9.2.0a1 released ---
8327 850. [bug] dns_rbt_findnode() would not find nodes that were
8328 split on a bitstring label somewhere other than in
8329 the last label of the node. [RT #1351]
8331 849. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined.
8333 848. [func] A minimum max-cache-size of two megabytes is enforced
8334 by the cache cleaner.
8336 847. [func] Added isc_file_test(), which currently only has
8337 some very basic functionality to test for the
8338 existence of a file, whether a pathname is absolute,
8339 or whether a pathname is the fundamental representation
8340 of the current directory. It is intended that this
8341 function can be expanded to test other things a
8342 programmer might want to know about a file.
8344 846. [func] A non-zero 'param' to dst_key_generate() when making an
8345 hmac-md5 key means that good entropy is not required.
8347 845. [bug] The access rights on the public file of a symmetric
8348 key are now restricted as soon as the file is opened,
8349 rather than after it has been written and closed.
8351 844. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined,
8352 just as <lwres/net.h> does.
8354 843. [func] If no controls statement is present in named.conf,
8355 or if any inet phrase of a controls statement is
8356 lacking a keys clause, then a key will be automatically
8357 generated by named and an rndc.conf-style file
8358 named named.key will be written that uses it. rndc
8359 will use this file only if its normal configuration
8360 file, or one provided on the command line, does not
8363 842. [func] 'rndc flush' now takes an optional view.
8365 841. [bug] When sdb modules were not declared threadsafe, their
8366 create and destroy functions were not serialized.
8368 840. [bug] The config file parser could print the wrong file
8369 name if an error was detected after an included file
8370 was parsed. [RT #1353]
8372 839. [func] Dump packets for which there was no view or that the
8373 class could not be determined to category "unmatched".
8375 838. [port] UnixWare 7.x.x is now suported by
8376 bin/tests/system/ifconfig.sh.
8378 837. [cleanup] Multi-threading is now enabled by default only on
8379 OSF1, Solaris 2.7 and newer, and AIX.
8381 836. [func] Upgraded libtool to 1.4.
8383 835. [bug] The dispatcher could enter a busy loop if
8384 it got an I/O error receiving on a UDP socket.
8387 834. [func] Accept (but warn about) master files beginning with
8388 an SOA record without an explicit TTL field and
8389 lacking a $TTL directive, by using the SOA MINTTL
8390 as a default TTL. This is for backwards compatibility
8391 with old versions of BIND 8, which accepted such
8392 files without warning although they are illegal
8393 according to RFC1035.
8395 833. [cleanup] Moved dns_soa_*() from <dns/journal.h> to
8396 <dns/soa.h>, and extended them to support
8397 all the integer-valued fields of the SOA RR.
8399 832. [bug] The default location for named.conf in named-checkconf
8400 should depend on --sysconfdir like it does in named.
8405 830. [func] Implement 'rndc status'.
8407 829. [bug] The DNS_R_ZONECUT result code should only be returned
8408 when an ANY query is made with DNS_DBFIND_GLUEOK set.
8409 In all other ANY query cases, returning the delegation
8412 828. [bug] The errno value from recvfrom() could be overwritten
8413 by logging code. [RT #1293]
8415 827. [bug] When an IXFR protocol error occurs, the slave
8416 should retry with AXFR.
8418 826. [bug] Some IXFR protocol errors were not detected.
8420 825. [bug] zone.c:ns_query() detached from the wrong zone
8421 reference. [RT #1264]
8423 824. [bug] Correct line numbers reported by dns_master_load().
8426 823. [func] The output of "dig -h" now goes to stdout so that it
8427 can easily be piped through "more". [RT #1254]
8429 822. [bug] Sending nxrrset prerequisites would crash nsupdate.
8432 821. [bug] The program name used when logging to syslog should
8433 be stripped of leading path components.
8436 820. [bug] Name server address lookups failed to follow
8437 A6 chains into the glue of local authoritative
8440 819. [bug] In certain cases, the resolver's attempts to
8441 restart an address lookup at the root could cause
8442 the fetch to deadlock (with itself) instead of
8443 restarting. [RT #1225]
8445 818. [bug] Certain pathological responses to ANY queries could
8446 cause an assertion failure. [RT #1218]
8448 817. [func] Adjust timeouts for dialup zone queries.
8450 816. [bug] Report potential problems with log file accessibility
8451 at configuration time, since such problems can't
8452 reliably be reported at the time they actually occur.
8454 815. [bug] If a log file was specified with a path separator
8455 character (i.e. "/") in its name and the directory
8456 did not exist, the log file's name was treated as
8457 though it were the directory name. [RT #1189]
8459 814. [bug] Socket objects left over from accept() failures
8460 were incorrectly destroyed, causing corruption
8461 of socket manager data structures.
8463 813. [bug] File descriptors exceeding FD_SETSIZE were handled
8466 812. [bug] dig sometimes printed incomplete IXFR responses
8467 due to an uninitialized variable. [RT #1188]
8469 811. [bug] Parentheses were not quoted in zone dumps. [RT #1194]
8471 810. [bug] The signer name in SIG records was not properly
8472 down-cased when signing/verifying records. [RT #1186]
8474 809. [bug] Configuring a non-local address as a transfer-source
8475 could cause an assertion failure during load.
8477 808. [func] Add 'rndc flush' to flush the server's cache.
8479 807. [bug] When setting up TCP connections for incoming zone
8480 transfers, the transfer-source port was not
8481 ignored like it should be.
8483 806. [bug] DNS_R_SEENINCLUDE was failing to propagate back up
8484 the calling stack to the zone maintenance level,
8485 causing zones to not reload when an included file was
8486 touched but the top-level zone file was not.
8488 805. [bug] When using "forward only", missing root hints should
8489 not cause queries to fail. [RT #1143]
8491 804. [bug] Attempting to obtain entropy could fail in some
8492 situations. This would be most common on systems
8493 with user-space threads. [RT #1131]
8495 803. [bug] Treat all SIG queries as if they have the CD bit set,
8496 otherwise no data will be returned [RT #749]
8498 802. [bug] DNSSEC key tags were computed incorrectly in almost
8499 all cases. [RT #1146]
8501 801. [bug] nsupdate should treat lines beginning with ';' as
8502 comments. [RT #1139]
8504 800. [bug] dnssec-signzone produced incorrect statistics for
8505 large zones. [RT #1133]
8507 799. [bug] The ADB didn't find AAAA glue in a zone unless A6
8508 glue was also present.
8510 798. [bug] nsupdate should be able to reject bad input lines
8511 and continue. [RT #1130]
8513 797. [func] Issue a warning if the 'directory' option contains
8514 a relative path. [RT #269]
8516 796. [func] When a size limit is associated with a log file,
8517 only roll it when the size is reached, not every
8518 time the log file is opened. [RT #1096]
8520 795. [func] Add the +multiline option to dig. [RT #1095]
8522 794. [func] Implement the "port" and "default-port" statements
8525 793. [cleanup] The DNSSEC tools could create filenames that were
8526 illegal or contained shell meta-characters. They
8527 now use a different text encoding of names that
8528 doesn't have these problems. [RT #1101]
8530 792. [cleanup] Replace the OMAPI command channel protocol with a
8533 791. [bug] The command channel now works over IPv6.
8535 790. [bug] Wildcards created using dynamic update or IXFR
8536 could fail to match. [RT #1111]
8538 789. [bug] The "localhost" and "localnets" ACLs did not match
8539 when used as the second element of a two-element
8542 788. [func] Add the "match-mapped-addresses" option, which
8543 causes IPv6 v4mapped addresses to be treated as
8544 IPv4 addresses for the purpose of acl matching.
8546 787. [bug] The DNSSEC tools failed to downcase domain
8547 names when mapping them into file names.
8549 786. [bug] When DNSSEC signing/verifying data, owner names were
8550 not properly down-cased.
8552 785. [bug] A race condition in the resolver could cause
8553 an assertion failure. [RT #673, #872, #1048]
8555 784. [bug] nsupdate and other programs would not quit properly
8556 if some signals were blocked by the caller. [RT #1081]
8558 783. [bug] Following CNAMEs could cause an assertion failure
8559 when either using an sdb database or under very
8562 782. [func] Implement the "serial-query-rate" option.
8564 781. [func] Avoid error packet loops by dropping duplicate FORMERR
8565 responses. [RT #1006]
8567 780. [bug] Error handling code dealing with out of memory or
8568 other rare errors could lead to assertion failures
8569 by calling functions on uninitialized names. [RT #1065]
8571 779. [func] Added the "minimal-responses" option.
8573 778. [bug] When starting cache cleaning, cleaning_timer_action()
8574 returned without first pausing the iterator, which
8575 could cause deadlock. [RT #998]
8577 777. [bug] An empty forwarders list in a zone failed to override
8578 global forwarders. [RT #995]
8580 776. [func] Improved error reporting in denied messages. [RT #252]
8584 774. [func] max-cache-size is implemented.
8586 773. [func] Added isc_rwlock_trylock() to attempt to lock without
8589 772. [bug] Owner names could be incorrectly omitted from cache
8590 dumps in the presence of negative caching entries.
8593 771. [cleanup] TSIG errors related to unsynchronized clocks
8594 are logged better. [RT #919]
8596 770. [func] Add the "edns yes_or_no" statement to the server
8599 769. [func] Improved error reporting when parsing rdata. [RT #740]
8601 768. [bug] The server did not emit an SOA when a CNAME
8602 or DNAME chain ended in NXDOMAIN in an
8607 766. [bug] A few cases in query_find() could leak fname.
8608 This would trigger the mpctx->allocated == 0
8609 assertion when the server exited.
8610 [RT #739, #776, #798, #812, #818, #821, #845,
8613 765. [func] ACL names are once again case insensitive, like
8614 in BIND 8. [RT #252]
8616 764. [func] Configuration files now allow "include" directives
8617 in more places, such as inside the "view" statement.
8618 [RT #377, #728, #860]
8620 763. [func] Configuration files no longer have reserved words.
8623 762. [cleanup] The named.conf and rndc.conf file parsers have
8624 been completely rewritten.
8626 761. [bug] _REENTRANT was still defined when building with
8629 760. [contrib] Significant enhancements to the pgsql sdb driver.
8631 759. [bug] The resolver didn't turn off "avoid fetches" mode
8632 when restarting, possibly causing resolution
8633 to fail when it should not. This bug only affected
8634 platforms which support both IPv4 and IPv6. [RT #927]
8636 758. [bug] The "avoid fetches" code did not treat negative
8637 cache entries correctly, causing fetches that would
8638 be useful to be avoided. This bug only affected
8639 platforms which support both IPv4 and IPv6. [RT #927]
8641 757. [func] Log zone transfers.
8643 756. [bug] dns_zone_load() could "return" success when no master
8644 file was configured.
8646 755. [bug] Fix incorrectly formatted log messages in zone.c.
8648 754. [bug] Certain failure conditions sending UDP packets
8649 could cause the server to retry the transmission
8650 indefinitely. [RT #902]
8652 753. [bug] dig, host, and nslookup would fail to contact a
8653 remote server if getaddrinfo() returned an IPv6
8654 address on a system that doesn't support IPv6.
8657 752. [func] Correct bad tv_usec elements returned by
8660 751. [func] Log successful zone loads / transfers. [RT #898]
8662 750. [bug] A query should not match a DNAME whose trust level
8663 is pending. [RT #916]
8665 749. [bug] When a query matched a DNAME in a secure zone, the
8666 server did not return the signature of the DNAME.
8669 748. [doc] List supported RFCs in doc/misc/rfc-compliance.
8672 747. [bug] The code to determine whether an IXFR was possible
8673 did not properly check for a database that could
8674 not have a journal. [RT #865, #908]
8676 746. [bug] The sdb didn't clone rdatasets properly, causing
8677 a crash when the server followed delegations. [RT #905]
8679 745. [func] Report the owner name of records that fail
8680 semantic checks while loading.
8682 744. [bug] When returning DNS_R_CNAME or DNS_R_DNAME as the
8683 result of an ANY or SIG query, the resolver failed
8684 to setup the return event's rdatasets, causing an
8685 assertion failure in the query code. [RT #881]
8687 743. [bug] Receiving a large number of certain malformed
8688 answers could cause named to stop responding.
8693 741. [port] Support openssl-engine. [RT #709]
8695 740. [port] Handle openssl library mismatches slightly better.
8697 739. [port] Look for /dev/random in configure, rather than
8698 assuming it will be there for only a predefined
8701 738. [bug] If a non-threadsafe sdb driver supported AXFR and
8702 received an AXFR request, it would deadlock or die
8703 with an assertion failure. [RT #852]
8705 737. [port] stdtime.c failed to compile on certain platforms.
8707 736. [func] New functions isc_task_{begin,end}exclusive().
8709 735. [doc] Add BIND 4 migration notes.
8711 734. [bug] An attempt to re-lock the zone lock could occur if
8712 the server was shutdown during a zone transfer.
8715 733. [bug] Reference counts of dns_acl_t objects need to be
8716 locked but were not. [RT #801, #821]
8718 732. [bug] Glue with 0 TTL could also cause SERVFAIL. [RT #828]
8720 731. [bug] Certain zone errors could cause named-checkzone to
8721 fail ungracefully. [RT #819]
8723 730. [bug] lwres_getaddrinfo() returns the correct result when
8724 it fails to contact a server. [RT #768]
8726 729. [port] pthread_setconcurrency() needs to be called on Solaris.
8728 728. [bug] Fix comment processing on master file directives.
8731 727. [port] Work around OS bug where accept() succeeds but
8732 fails to fill in the peer address of the accepted
8733 connection, by treating it as an error rather than
8734 an assertion failure. [RT #809]
8736 726. [func] Implement the "trace" and "notrace" commands in rndc.
8738 725. [bug] Installing man pages could fail.
8740 724. [func] New libisc functions isc_netaddr_any(),
8743 723. [bug] Referrals whose NS RRs had a 0 TTL caused the resolver
8744 to return DNS_R_SERVFAIL. [RT #783]
8746 722. [func] Allow incremental loads to be canceled.
8748 721. [cleanup] Load manager and dns_master_loadfilequota() are no
8751 720. [bug] Server could enter infinite loop in
8752 dispatch.c:do_cancel(). [RT #733]
8754 719. [bug] Rapid reloads could trigger an assertion failure.
8757 718. [cleanup] "internal" is no longer a reserved word in named.conf.
8760 717. [bug] Certain TKEY processing failure modes could
8761 reference an uninitialized variable, causing the
8762 server to crash. [RT #750]
8764 716. [bug] The first line of a $INCLUDE master file was lost if
8765 an origin was specified. [RT #744]
8767 715. [bug] Resolving some A6 chains could cause an assertion
8768 failure in adb.c. [RT #738]
8770 714. [bug] Preserve interval timers across reloads unless changed.
8773 713. [func] named-checkconf takes '-t directory' similar to named.
8776 712. [bug] Sending a large signed update message caused an
8777 assertion failure. [RT #718]
8779 711. [bug] The libisc and liblwres implementations of
8780 inet_ntop contained an off by one error.
8782 710. [func] The forwarders statement now takes an optional
8785 709. [bug] ANY or SIG queries for data with a TTL of 0
8786 would return SERVFAIL. [RT #620]
8788 708. [bug] When building with --with-openssl, the openssl headers
8789 included with BIND 9 should not be used. [RT #702]
8791 707. [func] The "filename" argument to named-checkzone is no
8792 longer optional, to reduce confusion. [RT #612]
8794 706. [bug] Zones with an explicit "allow-update { none; };"
8795 were considered dynamic and therefore not reloaded
8796 on SIGHUP or "rndc reload".
8798 705. [port] Work out resource limit type for use where rlim_t is
8799 not available. [RT #695]
8801 704. [port] RLIMIT_NOFILE is not available on all platforms.
8804 703. [port] sys/select.h is needed on older platforms. [RT #695]
8806 702. [func] If the address 0.0.0.0 is seen in resolv.conf,
8807 use 127.0.0.1 instead. [RT #693]
8809 701. [func] Root hints are now fully optional. Class IN
8810 views use compiled-in hints by default, as
8811 before. Non-IN views with no root hints now
8812 provide authoritative service but not recursion.
8813 A warning is logged if a view has neither root
8814 hints nor authoritative data for the root. [RT #696]
8816 700. [bug] $GENERATE range check was wrong. [RT #688]
8818 699. [bug] The lexer mishandled empty quoted strings. [RT #694]
8820 698. [bug] Aborting nsupdate with ^C would lead to several
8823 697. [bug] nsupdate was not compatible with the undocumented
8824 BIND 8 behavior of ignoring TTLs in "update delete"
8827 696. [bug] lwresd would die with an assertion failure when passed
8828 a zero-length name. [RT #692]
8830 695. [bug] If the resolver attempted to query a blackholed or
8831 bogus server, the resolution would fail immediately.
8833 694. [bug] $GENERATE did not produce the last entry.
8836 693. [bug] An empty lwres statement in named.conf caused
8837 the server to crash while loading.
8839 692. [bug] Deal with systems that have getaddrinfo() but not
8840 gai_strerror(). [RT #679]
8842 691. [bug] Configuring per-view forwarders caused an assertion
8843 failure. [RT #675, #734]
8845 690. [func] $GENERATE now supports DNAME. [RT #654]
8847 689. [doc] man pages are now installed. [RT #210]
8849 688. [func] "make tags" now works on systems with the
8850 "Exuberant Ctags" etags.
8852 687. [bug] Only say we have IPv6, with sufficient functionality,
8853 if it has actually been tested. [RT #586]
8855 686. [bug] dig and nslookup can now be properly aborted during
8856 blocking operations. [RT #568]
8858 685. [bug] nslookup should use the search list/domain options
8859 from resolv.conf by default. [RT #405, #630]
8861 684. [bug] Memory leak with view forwarders. [RT #656]
8863 683. [bug] File descriptor leak in isc_lex_openfile().
8865 682. [bug] nslookup displayed SOA records incorrectly. [RT #665]
8867 681. [bug] $GENERATE specifying output format was broken. [RT #653]
8869 680. [bug] dns_rdata_fromstruct() mishandled options bigger
8872 679. [bug] $INCLUDE could leak memory and file descriptors on
8875 678. [bug] "transfer-format one-answer;" could trigger an assertion
8878 677. [bug] dnssec-signzone would occasionally use the wrong ttl
8879 for database operations and fail. [RT #643]
8881 676. [bug] Log messages about lame servers to category
8882 'lame-servers' rather than 'resolver', so as not
8883 to be gratuitously incompatible with BIND 8.
8885 675. [bug] TKEY queries could cause the server to leak
8888 674. [func] Allow messages to be TSIG signed / verified using
8889 a offset from the current time.
8891 673. [func] The server can now convert RFC1886-style recursive
8892 lookup requests into RFC2874-style lookups, when
8893 enabled using the new option "allow-v6-synthesis".
8895 672. [bug] The wrong time was in the "time signed" field when
8896 replying with BADTIME error.
8898 671. [bug] The message code was failing to parse a message with
8899 no question section and a TSIG record. [RT #628]
8901 670. [bug] The lwres replacements for getaddrinfo and
8902 getipnodebyname didn't properly check for the
8903 existence of the sockaddr sa_len field.
8905 669. [bug] dnssec-keygen now makes the public key file
8906 non-world-readable for symmetric keys. [RT #403]
8908 668. [func] named-checkzone now reports multiple errors in master
8911 667. [bug] On Linux, running named with the -u option and a
8912 non-world-readable configuration file didn't work.
8915 666. [bug] If a request sent by dig is longer than 512 bytes,
8918 665. [bug] Signed responses were not sent when the size of the
8919 TSIG + question exceeded the maximum message size.
8922 664. [bug] The t_tasks and t_timers module tests are now skipped
8923 when building without threads, since they require
8926 663. [func] Accept a size_spec, not just an integer, in the
8927 (unimplemented and ignored) max-ixfr-log-size option
8928 for compatibility with recent versions of BIND 8.
8931 662. [bug] dns_rdata_fromtext() failed to log certain errors.
8933 661. [bug] Certain UDP IXFR requests caused an assertion failure
8934 (mpctx->allocated == 0). [RT #355, #394, #623]
8936 660. [port] Detect multiple CPUs on HP-UX and IRIX.
8938 659. [performance] Rewrite the name compression code to be much faster.
8940 658. [cleanup] Remove all vestiges of 16 bit global compression.
8942 657. [bug] When a listen-on statement in an lwres block does not
8943 specify a port, use 921, not 53. Also update the
8944 listen-on documentation. [RT #616]
8946 656. [func] Treat an unescaped newline in a quoted string as
8947 an error. This means that TXT records with missing
8948 close quotes should have meaningful errors printed.
8950 655. [bug] Improve error reporting on unexpected eof when loading
8953 654. [bug] Origin was being forgotten in TCP retries in dig.
8956 653. [bug] +defname option in dig was reversed in sense.
8959 652. [bug] zone_saveunique() did not report the new name.
8961 651. [func] The AD bit in responses now has the meaning
8962 specified in <draft-ietf-dnsext-ad-is-secure>.
8964 650. [bug] SIG(0) records were being generated and verified
8965 incorrectly. [RT #606]
8967 649. [bug] It was possible to join to an already running fctx
8968 after it had "cloned" its events, but before it sent
8969 them. In this case, the event of the newly joined
8970 fetch would not contain the answer, and would
8971 trigger the INSIST() in fctx_sendevents(). In
8972 BIND 9.0, this bug did not trigger an INSIST(), but
8973 caused the fetch to fail with a SERVFAIL result.
8974 [RT #588, #597, #605, #607]
8976 648. [port] Add support for pre-RFC2133 IPv6 implementations.
8978 647. [bug] Resolver queries sent after following multiple
8979 referrals had excessively long retransmission
8980 timeouts due to incorrectly counting the referrals
8983 646. [bug] The UnixWare ISC_PLATFORM_FIXIN6INADDR fix in isc/net.h
8984 didn't _cleanly_ fix the problem it was trying to fix.
8986 645. [port] BSD/OS 3.0 needs pthread_init(). [RT #603]
8988 644. [bug] #622 needed more work. [RT #562]
8990 643. [bug] xfrin error messages made more verbose, added class
8991 of the zone. [RT# 599]
8993 642. [bug] Break the exit_check() race in the zone module.
8996 --- 9.1.0b2 released ---
8998 641. [bug] $GENERATE caused a uninitialized link to be used.
9001 640. [bug] Memory leak in error path could cause
9002 "mpctx->allocated == 0" failure. [RT #584]
9004 639. [bug] Reading entropy from the keyboard would sometimes fail.
9007 638. [port] lib/isc/random.c needed to explicitly include time.h
9008 to get a prototype for time() when pthreads was not
9009 being used. [RT #592]
9011 637. [port] Use isc_u?int64_t instead of (unsigned) long long in
9012 lib/isc/print.c. Also allow lib/isc/print.c to
9013 be compiled even if the platform does not need it.
9016 636. [port] Shut up MSVC++ about a possible loss of precision
9017 in the ISC__BUFFER_PUTUINT*() macros. [RT #592]
9019 635. [bug] Reloading a server with a configured blackhole list
9020 would cause an assertion. [RT #590]
9022 634. [bug] A log file will completely stop being written when
9023 it reaches the maximum size in all cases, not just
9024 when versioning is also enabled. [RT #570]
9026 633. [port] Cope with rlim_t missing on BSD/OS systems. [RT #575]
9028 632. [bug] The index array of the journal file was
9029 corrupted as it was written to disk.
9031 631. [port] Build without thread support on systems without
9034 630. [bug] Locking failure in zone code. [RT #582]
9036 629. [bug] 9.1.0b1 dereferenced a null pointer and crashed
9037 when responding to a UDP IXFR request.
9039 628. [bug] If the root hints contained only AAAA addresses,
9040 named would be unable to perform resolution.
9042 627. [bug] The EDNS0 blackhole detection code of change 324
9043 waited for three retransmissions to each server,
9044 which takes much too long when a domain has many
9045 name servers and all of them drop EDNS0 queries.
9046 Now we retry without EDNS0 after three consecutive
9047 timeouts, even if they are all from different
9050 626. [bug] The lightweight resolver daemon no longer crashes
9051 when asked for a SIG rrset. [RT #558]
9053 625. [func] Zones now inherit their class from the enclosing view.
9055 624. [bug] The zone object could get timer events after it had
9056 been destroyed, causing a server crash. [RT #571]
9058 623. [func] Added "named-checkconf" and "named-checkzone" program
9059 for syntax checking named.conf files and zone files,
9062 622. [bug] A canceled request could be destroyed before
9063 dns_request_destroy() was called. [RT #562]
9065 621. [port] Disable IPv6 at runtime if IPv6 sockets are unusable.
9066 This mostly affects Red Hat Linux 7.0, which has
9067 conflicts between libc and the kernel.
9069 620. [bug] dns_master_load*inc() now require 'task' and 'load'
9070 to be non-null. Also 'done' will not be called if
9071 dns_master_load*inc() fails immediately. [RT #565]
9075 618. [bug] Queries to a signed zone could sometimes cause
9076 an assertion failure.
9078 617. [bug] When using dynamic update to add a new RR to an
9079 existing RRset with a different TTL, the journal
9080 entries generated from the update did not include
9081 explicit deletions and re-additions of the existing
9082 RRs to update their TTL to the new value.
9084 616. [func] dnssec-signzone -t output now includes performance
9087 615. [bug] dnssec-signzone did not like child keysets signed
9090 614. [bug] Checks for uninitialized link fields were prone
9091 to false positives, causing assertion failures.
9092 The checks are now disabled by default and may
9093 be re-enabled by defining ISC_LIST_CHECKINIT.
9095 613. [bug] "rndc reload zone" now reloads primary zones.
9096 It previously only updated slave and stub zones,
9097 if an SOA query indicated an out of date serial.
9099 612. [cleanup] Shutup a ridiculously noisy HP-UX compiler that
9100 complains relentlessly about how its treatment
9101 of 'const' has changed as well as how casting
9102 sometimes tightens alignment constraints.
9104 611. [func] allow-notify can be used to permit processing of
9105 notify messages from hosts other than a slave's
9108 610. [func] rndc dumpdb is now supported.
9110 609. [bug] getrrsetbyname() would crash lwresd if the server
9111 found more SIGs than answers. [RT #554]
9113 608. [func] dnssec-signzone now adds a comment to the zone
9114 with the time the file was signed.
9116 607. [bug] nsupdate would fail if it encountered a CNAME or
9117 DNAME in a response to an SOA query. [RT #515]
9119 606. [bug] Compiling with --disable-threads failed due
9120 to isc_thread_self() being incorrectly defined
9121 as an integer rather than a function.
9123 605. [func] New function isc_lex_getlasttokentext().
9125 604. [bug] The named.conf parser could print incorrect line
9126 numbers when long comments were present.
9128 603. [bug] Make dig handle multiple types or classes on the same
9129 query more correctly.
9131 602. [func] Cope automatically with UnixWare's broken
9132 IN6_IS_ADDR_* macros. [RT #539]
9134 601. [func] Return a non-zero exit code if an update fails
9137 600. [bug] Reverse lookups sometimes failed in dig, etc...
9139 599. [func] Added four new functions to the libisc log API to
9140 support i18n messages. isc_log_iwrite(),
9141 isc_log_ivwrite(), isc_log_iwrite1() and
9142 isc_log_ivwrite1() were added.
9144 598. [bug] An update-policy statement would cause the server
9145 to assert while loading. [RT #536]
9147 597. [func] dnssec-signzone is now multi-threaded.
9149 596. [bug] DNS_RDATASLAB_FORCE and DNS_RDATASLAB_EXACT are
9150 not mutually exclusive.
9152 595. [port] On Linux 2.2, socket() returns EINVAL when it
9153 should return EAFNOSUPPORT. Work around this.
9156 594. [func] sdb drivers are now assumed to not be thread-safe
9157 unless the DNS_SDBFLAG_THREADSAFE flag is supplied.
9159 593. [bug] If a secure zone was missing all its NXTs and
9160 a dynamic update was attempted, the server entered
9163 592. [bug] The sig-validity-interval option now specifies a
9164 number of days, not seconds. This matches the
9165 documentation. [RT #529]
9167 --- 9.1.0b1 released ---
9169 591. [bug] Work around non-reentrancy in openssl by disabling
9170 pre-computation in keys.
9172 590. [doc] There are now man pages for the lwres library in
9175 589. [bug] The server could deadlock if a zone was updated
9176 while being transferred out.
9178 588. [bug] ctx->in_use was not being correctly initialized when
9179 when pushing a file for $INCLUDE. [RT #523]
9181 587. [func] A warning is now printed if the "allow-update"
9182 option allows updates based on the source IP
9183 address, to alert users to the fact that this
9184 is insecure and becoming increasingly so as
9185 servers capable of update forwarding are being
9188 586. [bug] multiple views with the same name were fatal. [RT #516]
9190 585. [func] dns_db_addrdataset() and and dns_rdataslab_merge()
9191 now support 'exact' additions in a similar manner to
9192 dns_db_subtractrdataset() and dns_rdataslab_subtract().
9194 584. [func] You can now say 'notify explicit'; to suppress
9195 notification of the servers listed in NS records
9196 and notify only those servers listed in the
9197 'also-notify' option.
9199 583. [func] "rndc querylog" will now toggle logging of
9200 queries, like "ndc querylog" in BIND 8.
9202 582. [bug] dns_zone_idetach() failed to lock the zone.
9205 581. [bug] log severity was not being correctly processed.
9208 580. [func] Ignore trailing garbage on incoming DNS packets,
9209 for interoperability with broken server
9210 implementations. [RT #491]
9212 579. [bug] nsupdate did not take a filename to read update from.
9215 578. [func] New config option "notify-source", to specify the
9216 source address for notify messages.
9218 577. [func] Log illegal RDATA combinations. e.g. multiple
9219 singleton types, cname and other data.
9221 576. [doc] isc_log_create() description did not match reality.
9223 575. [bug] isc_log_create() was not setting internal state
9224 correctly to reflect the default channels created.
9226 574. [bug] TSIG signed queries sent by the resolver would fail to
9227 have their responses validated and would leak memory.
9229 573. [bug] The journal files of IXFRed slave zones were
9230 inadvertently discarded on server reload, causing
9231 "journal out of sync with zone" errors on subsequent
9234 572. [bug] Quoted strings were not accepted as key names in
9235 address match lists.
9237 571. [bug] It was possible to create an rdataset of singleton
9238 type which had more than one rdata. [RT #154]
9241 570. [bug] rbtdb.c allowed zones containing nodes which had
9242 both a CNAME and "other data". [RT #154]
9244 569. [func] The DNSSEC AD bit will not be set on queries which
9245 have not requested a DNSSEC response.
9247 568. [func] Add sample simple database drivers in contrib/sdb.
9249 567. [bug] Setting the zone transfer timeout to zero caused an
9250 assertion failure. [RT #302]
9252 566. [func] New public function dns_timer_setidle().
9254 565. [func] Log queries more like BIND 8: query logging is now
9255 done to category "queries", level "info". [RT #169]
9257 564. [func] Add sortlist support to lwresd.
9259 563. [func] New public functions dns_rdatatype_format() and
9260 dns_rdataclass_format(), for convenient formatting
9261 of rdata type/class mnemonics in log messages.
9263 562. [cleanup] Moved lib/dns/*conf.c to bin/named where they belong.
9265 561. [func] The 'datasize', 'stacksize', 'coresize' and 'files'
9266 clauses of the options{} statement are now implemented.
9268 560. [bug] dns_name_split did not properly the resulting prefix
9269 when a maximal length bitstring label was split which
9270 was preceded by another bitstring label. [RT #429]
9272 559. [bug] dns_name_split did not properly create the suffix
9273 when splitting within a maximal length bitstring label.
9275 558. [func] New functions, isc_resource_getlimit and
9276 isc_resource_setlimit.
9278 557. [func] Symbolic constants for libisc integral types.
9280 556. [func] The DNSSEC OK bit in the EDNS extended flags
9281 is now implemented. Responses to queries without
9282 this bit set will not contain any DNSSEC records.
9284 555. [bug] A slave server attempting a zone transfer could
9285 crash with an assertion failure on certain
9286 malformed responses from the master. [RT #457]
9288 554. [bug] In some cases, not all of the dnssec tools were
9291 553. [bug] Incoming zone transfers deferred due to quota
9292 were not started when quota was increased but
9293 only when a transfer in progress finished. [RT #456]
9295 552. [bug] We were not correctly detecting the end of all c-style
9298 551. [func] Implemented the 'sortlist' option.
9300 550. [func] Support unknown rdata types and classes.
9302 549. [bug] "make" did not immediately abort the build when a
9303 subdirectory make failed [RT #450].
9305 548. [func] The lexer now ungets tokens more correctly.
9309 546. [func] Option 'lame-ttl' is now implemented.
9311 545. [func] Name limit and counting options removed from dig;
9312 they didn't work properly, and cannot be correctly
9313 implemented without significant changes.
9315 544. [func] Add statistics option, enable statistics-file option,
9316 add RNDC option "dump-statistics" to write out a
9317 query statistics file.
9319 543. [doc] The 'port' option is now documented.
9321 542. [func] Add support for update forwarding as required for
9322 full compliance with RFC2136. It is turned off
9323 by default and can be enabled using the
9324 'allow-update-forwarding' option.
9326 541. [func] Add bogus server support.
9328 540. [func] Add dialup support.
9330 539. [func] Support the blackhole option.
9332 538. [bug] fix buffer overruns by 1 in lwres_getnameinfo().
9336 536. [func] Use transfer-source{-v6} when sending refresh queries.
9337 Transfer-source{-v6} now take a optional port
9338 parameter for setting the UDP source port. The port
9339 parameter is ignored for TCP.
9341 535. [func] Use transfer-source{-v6} when forwarding update
9344 534. [func] Ancestors have been removed from RBT chains. Ancestor
9345 information can be discerned via node parent pointers.
9347 533. [func] Incorporated name hashing into the RBT database to
9348 improve search speed.
9350 532. [func] Implement DNS UPDATE pseudo records using
9351 DNS_RDATA_UPDATE flag.
9353 531. [func] Rdata really should be initialized before being assigned
9354 to (dns_rdata_fromwire(), dns_rdata_fromtext(),
9355 dns_rdata_clone(), dns_rdata_fromregion()),
9358 530. [func] New function dns_rdata_invalidate().
9360 529. [bug] 521 contained a bug which caused zones to always
9363 528. [func] The ISC_LIST_XXXX macros now perform sanity checks
9364 on their arguments. ISC_LIST_XXXXUNSAFE can be use
9365 to skip the checks however use with caution.
9367 527. [func] New function dns_rdata_clone().
9369 526. [bug] nsupdate incorrectly refused to add RRs with a TTL
9372 525. [func] New arguments 'options' for dns_db_subtractrdataset(),
9373 and 'flags' for dns_rdataslab_subtract() allowing you
9374 to request that the RR's must exist prior to deletion.
9375 DNS_R_NOTEXACT is returned if the condition is not met.
9377 524. [func] The 'forward' and 'forwarders' statement in
9378 non-forward zones should work now.
9380 523. [doc] The source to the Administrator Reference Manual is
9381 now an XML file using the DocBook DTD, and is included
9382 in the distribution. The plain text version of the
9383 ARM is temporarily unavailable while we figure out
9384 how to generate readable plain text from the XML.
9386 522. [func] The lightweight resolver daemon can now use
9387 a real configuration file, and its functionality
9388 can be provided by a name server. Also, the -p and -P
9389 options to lwresd have been reversed.
9391 521. [bug] Detect master files which contain $INCLUDE and always
9394 520. [bug] Upgraded libtool to 1.3.5, which makes shared
9395 library builds almost work on AIX (and possibly
9398 519. [bug] dns_name_split() would improperly split some bitstring
9399 labels, zeroing a few of the least significant bits in
9400 the prefix part. When such an improperly created
9401 prefix was returned to the RBT database, the bogus
9402 label was dutifully stored, corrupting the tree.
9405 518. [bug] The resolver did not realize that a DNAME which was
9406 "the answer" to the client's query was "the answer",
9407 and such queries would fail. [RT #399]
9409 517. [bug] The resolver's DNAME code would trigger an assertion
9410 if there was more than one DNAME in the chain.
9413 516. [bug] Cache lookups which had a NULL node pointer, e.g.
9414 those by dns_view_find(), and which would match a
9415 DNAME, would trigger an INSIST(!search.need_cleanup)
9416 assertion. [RT #399]
9418 515. [bug] The ssu table was not being attached / detached
9419 by dns_zone_[sg]etssutable. [RT#397]
9421 514. [func] Retry refresh and notify queries if they timeout.
9424 513. [func] New functionality added to rdnc and server to allow
9425 individual zones to be refreshed or reloaded.
9427 512. [bug] The zone transfer code could throw an exception with
9428 an invalid IXFR stream.
9430 511. [bug] The message code could throw an assertion on an
9431 out of memory failure. [RT #392]
9433 510. [bug] Remove spurious view notify warning. [RT #376]
9435 509. [func] Add support for write of zone files on shutdown.
9437 508. [func] dns_message_parse() can now do a best-effort
9438 attempt, which should allow dig to print more invalid
9441 507. [func] New functions dns_zone_flush(), dns_zt_flushanddetach()
9442 and dns_view_flushanddetach().
9444 506. [func] Do not fail to start on errors in zone files.
9446 505. [bug] nsupdate was printing "unknown result code". [RT #373]
9448 504. [bug] The zone was not being marked as dirty when updated via
9451 503. [bug] dumptime was not being set along with
9452 DNS_ZONEFLG_NEEDDUMP.
9454 502. [func] On a SERVFAIL reply, DiG will now try the next server
9455 in the list, unless the +fail option is specified.
9457 501. [bug] Incorrect port numbers were being displayed by
9460 500. [func] Nearly useless +details option removed from DiG.
9462 499. [func] In DiG, specifying a class with -c or type with -t
9463 changes command-line parsing so that classes and
9464 types are only recognized if following -c or -t.
9465 This allows hosts with the same name as a class or
9466 type to be looked up.
9468 498. [doc] There is now a man page for "dig"
9469 in doc/man/bin/dig.1.
9471 497. [bug] The error messages printed when an IP match list
9472 contained a network address with a nonzero host
9473 part where not sufficiently detailed. [RT #365]
9475 496. [bug] named didn't sanity check numeric parameters. [RT #361]
9477 495. [bug] nsupdate was unable to handle large records. [RT #368]
9479 494. [func] Do not cache NXDOMAIN responses for SOA queries.
9481 493. [func] Return non-cachable (ttl = 0) NXDOMAIN responses
9482 for SOA queries. This makes it easier to locate
9483 the containing zone without polluting intermediate
9486 492. [bug] attempting to reload a zone caused the server fail
9487 to shutdown cleanly. [RT #360]
9489 491. [bug] nsupdate would segfault when sending certain
9490 prerequisites with empty RDATA. [RT #356]
9492 490. [func] When a slave/stub zone has not yet successfully
9493 obtained an SOA containing the zone's configured
9494 retry time, perform the SOA query retries using
9495 exponential backoff. [RT #337]
9497 489. [func] The zone manager now has a "i/o" queue.
9499 488. [bug] Locks weren't properly destroyed in some cases.
9501 487. [port] flockfile() is not defined on all systems.
9503 486. [bug] nslookup: "set all" and "server" commands showed
9504 the incorrect port number if a port other than 53
9505 was specified. [RT #352]
9507 485. [func] When dig had more than one server to query, it would
9508 send all of the messages at the same time. Add
9509 rate limiting of the transmitted messages.
9511 484. [bug] When the server was reloaded after removing addresses
9512 from the named.conf "listen-on" statement, sockets
9513 were still listening on the removed addresses due
9514 to reference count loops. [RT #325]
9516 483. [bug] nslookup: "set all" showed a "search" option but it
9519 482. [bug] nslookup: a plain "server" or "lserver" should be
9520 treated as a lookup.
9522 481. [bug] nslookup:get_next_command() stack size could exceed
9525 480. [bug] strtok() is not thread safe. [RT #349]
9527 479. [func] The test suite can now be run by typing "make check"
9528 or "make test" at the top level.
9530 478. [bug] "make install" failed if the directory specified with
9531 --prefix did not already exist.
9533 477. [bug] The the isc-config.sh script could be installed before
9534 its directory was created. [RT #324]
9536 476. [bug] A zone could expire while a zone transfer was in
9537 progress triggering a INSIST failure. [RT #329]
9539 475. [bug] query_getzonedb() sometimes returned a non-null version
9540 on failure. This caused assertion failures when
9541 generating query responses where names subject to
9542 additional section processing pointed to a zone
9543 to which access had been denied by means of the
9544 allow-query option. [RT #336]
9546 474. [bug] The mnemonic of the CHAOS class is CH according to
9547 RFC1035, but it was printed and read only as CHAOS.
9548 We now accept both forms as input, and print it
9551 473. [bug] nsupdate overran the end of the list of name servers
9552 when no servers could be reached, typically causing
9553 it to print the error message "dns_request_create:
9556 472. [bug] Off-by-one error caused isc_time_add() to sometimes
9557 produce invalid time values.
9559 471. [bug] nsupdate didn't compile on HP/UX 10.20
9561 470. [func] $GENERATE is now supported. See also
9564 469. [bug] "query-source address * port 53;" now works.
9566 468. [bug] dns_master_load*() failed to report file and line
9567 number in certain error conditions.
9569 467. [bug] dns_master_load*() failed to log an error if
9572 466. [bug] dns_master_load*() could return success when it failed.
9574 465. [cleanup] Allow 0 to be set as an omapi_value_t value by
9575 omapi_value_storeint().
9577 464. [cleanup] Build with openssl's RSA code instead of dnssafe.
9579 463. [bug] nsupdate sent malformed SOA queries to the second
9580 and subsequent name servers in resolv.conf if the
9581 query sent to the first one failed.
9583 462. [bug] --disable-ipv6 should work now.
9585 461. [bug] Specifying an unknown key in the "keys" clause of the
9586 "controls" statement caused a NULL pointer dereference.
9589 460. [bug] Much of the DNSSEC code only worked with class IN.
9591 459. [bug] Nslookup processed the "set" command incorrectly.
9593 458. [bug] Nslookup didn't properly check class and type values.
9596 457. [bug] Dig/host/hslookup didn't properly handle connect
9597 timeouts in certain situations, causing an
9598 unnecessary warning message to be printed.
9600 456. [bug] Stub zones were not resetting the refresh and expire
9601 counters, loadtime or clearing the DNS_ZONE_REFRESH
9602 (refresh in progress) flag upon successful update.
9603 This disabled further refreshing of the stub zone,
9604 causing it to eventually expire. [RT #300]
9606 455. [doc] Document IPv4 prefix notation does not require a
9607 dotted decimal quad but may be just dotted decimal.
9609 454. [bug] Enforce dotted decimal and dotted decimal quad where
9610 documented as such in named.conf. [RT #304, RT #311]
9612 453. [bug] Warn if the obsolete option "maintain-ixfr-base"
9613 is specified in named.conf. [RT #306]
9615 452. [bug] Warn if the unimplemented option "statistics-file"
9616 is specified in named.conf. [RT #301]
9618 451. [func] Update forwarding implemented.
9620 450. [func] New function ns_client_sendraw().
9622 449. [bug] isc_bitstring_copy() only works correctly if the
9623 two bitstrings have the same lsb0 value, but this
9624 requirement was not documented, nor was there a
9627 448. [bug] Host output formatting change, to match v8. [RT #255]
9629 447. [bug] Dig didn't properly retry in TCP mode after
9630 a truncated reply. [RT #277]
9632 446. [bug] Confusing notify log message. [RT #298]
9634 445. [bug] Doing a 0 bit isc_bitstring_copy() of an lsb0
9635 bitstring triggered a REQUIRE statement. The REQUIRE
9636 statement was incorrect. [RT #297]
9638 444. [func] "recursion denied" messages are always logged at
9639 debug level 1, now, rather than sometimes at ERROR.
9640 This silences these warnings in the usual case, where
9641 some clients set the RD bit in all queries.
9643 443. [bug] When loading a master file failed because of an
9644 unrecognized RR type name, the error message
9645 did not include the file name and line number.
9648 442. [bug] TSIG signed messages that did not match any view
9649 crashed the server. [RT #290]
9651 441. [bug] Nodes obscured by a DNAME were inaccessible even
9652 when DNS_DBFIND_GLUEOK was set.
9654 440. [func] New function dns_zone_forwardupdate().
9656 439. [func] New function dns_request_createraw().
9658 438. [func] New function dns_message_getrawmessage().
9660 437. [func] Log NOTIFY activity to the notify channel.
9662 436. [bug] If recvmsg() returned EHOSTUNREACH or ENETUNREACH,
9663 which sometimes happens on Linux, named would enter
9664 a busy loop. Also, unexpected socket errors were
9665 not logged at a high enough logging level to be
9666 useful in diagnosing this situation. [RT #275]
9668 435. [bug] dns_zone_dump() overwrote existing zone files
9669 rather than writing to a temporary file and
9670 renaming. This could lead to empty or partial
9671 zone files being left around in certain error
9672 conditions involving the initial transfer of a
9673 slave zone, interfering with subsequent server
9676 434. [func] New function isc_file_isabsolute().
9678 433. [func] isc_base64_decodestring() now accepts newlines
9679 within the base64 data. This makes it possible
9680 to break up the key data in a "trusted-keys"
9681 statement into multiple lines. [RT #284]
9683 432. [func] Added refresh/retry jitter. The actual refresh/
9684 retry time is now a random value between 75% and
9685 100% of the configured value.
9687 431. [func] Log at ISC_LOG_INFO when a zone is successfully
9690 430. [bug] Rewrote the lightweight resolver client management
9691 code to handle shutdown correctly and general
9694 429. [bug] The space reserved for a TSIG record in a response
9695 was 2 bytes too short, leading to message
9696 generation failures.
9698 428. [bug] rbtdb.c:find_closest_nxt() erroneously returned
9699 DNS_R_BADDB for nodes which had neither NXT nor SIG NXT
9700 (e.g. glue). This could cause SERVFAILs when
9701 generating negative responses in a secure zone.
9703 427. [bug] Avoid going into an infinite loop when the validator
9704 gets a negative response to a key query where the
9705 records are signed by the missing key.
9707 426. [bug] Attempting to generate an oversized RSA key could
9708 cause dnssec-keygen to dump core.
9710 425. [bug] Warn about the auth-nxdomain default value change
9711 if there is no auth-nxdomain statement in the
9712 config file. [RT #287]
9714 424. [bug] notify_createmessage() could trigger an assertion
9715 failure when creating the notify message failed,
9716 e.g. due to corrupt zones with multiple SOA records.
9719 423. [bug] When responding to a recursive query, errors that occur
9720 after following a CNAME should cause the query to fail.
9723 422. [func] get rid of isc_random_t, and make isc_random_get()
9724 and isc_random_jitter() use rand() internally
9725 instead of local state. Note that isc_random_*()
9726 functions are only for weak, non-critical "randomness"
9727 such as timing jitter and such.
9729 421. [bug] nslookup would exit when given a blank line as input.
9731 420. [bug] nslookup failed to implement the "exit" command.
9733 419. [bug] The certificate type PKIX was misspelled as SKIX.
9735 418. [bug] At debug levels >= 10, getting an unexpected
9736 socket receive error would crash the server
9737 while trying to log the error message.
9739 417. [func] Add isc_app_block() and isc_app_unblock(), which
9740 allow an application to handle signals while
9743 416. [bug] Slave zones with no master file tried to use a
9744 NULL pointer for a journal file name when they
9745 received an IXFR. [RT #273]
9747 415. [bug] The logging code leaked file descriptors.
9749 414. [bug] Server did not shut down until all incoming zone
9750 transfers were finished.
9752 413. [bug] Notify could attempt to use the zone database after
9753 it had been unloaded. [RT#267]
9755 412. [bug] named -v didn't print the version.
9757 411. [bug] A typo in the HS A code caused an assertion failure.
9759 410. [bug] lwres_gethostbyname() and company set lwres_h_errno
9760 to a random value on success.
9762 409. [bug] If named was shut down early in the startup
9763 process, ns_omapi_shutdown() would attempt to lock
9764 an uninitialized mutex. [RT #262]
9766 408. [bug] stub zones could leak memory and reference counts if
9767 all the masters were unreachable.
9769 407. [bug] isc_rwlock_lock() would needlessly block
9770 readers when it reached the read quota even
9771 if no writers were waiting.
9773 406. [bug] Log messages were occasionally lost or corrupted
9774 due to a race condition in isc_log_doit().
9776 405. [func] Add support for selective forwarding (forward zones)
9778 404. [bug] The request library didn't completely work with IPv6.
9780 403. [bug] "host" did not use the search list.
9782 402. [bug] Treat undefined acls as errors, rather than
9783 warning and then later throwing an assertion.
9786 401. [func] Added simple database API.
9788 400. [bug] SIG(0) signing and verifying was done incorrectly.
9791 399. [bug] When reloading the server with a config file
9792 containing a syntax error, it could catch an
9793 assertion failure trying to perform zone
9794 maintenance on, or sending notifies from,
9795 tentatively created zones whose views were
9796 never fully configured and lacked an address
9797 database and request manager.
9799 398. [bug] "dig" sometimes caught an assertion failure when
9800 using TSIG, depending on the key length.
9802 397. [func] Added utility functions dns_view_gettsig() and
9803 dns_view_getpeertsig().
9805 396. [doc] There is now a man page for "nsupdate"
9806 in doc/man/bin/nsupdate.8.
9808 395. [bug] nslookup printed incorrect RR type mnemonics
9809 for RRs of type >= 21 [RT #237].
9811 394. [bug] Current name was not propagated via $INCLUDE.
9813 393. [func] Initial answer while loading (awl) support.
9814 Entry points: dns_master_loadfileinc(),
9815 dns_master_loadstreaminc(), dns_master_loadbufferinc().
9816 Note: calls to dns_master_load*inc() should be rate
9817 be rate limited so as to not use up all file
9820 392. [func] Add ISC_R_FAMILYNOSUPPORT. Returned when OS does
9821 not support the given address family requested.
9823 391. [clarity] ISC_R_FAMILY -> ISC_R_FAMILYMISMATCH.
9825 390. [func] The function dns_zone_setdbtype() now takes
9826 an argc/argv style vector of words and sets
9827 both the zone database type and its arguments,
9828 making the functions dns_zone_adddbarg()
9829 and dns_zone_cleardbargs() unnecessary.
9831 389. [bug] Attempting to send a request over IPv6 using
9832 dns_request_create() on a system without IPv6
9833 support caused an assertion failure [RT #235].
9835 388. [func] dig and host can now do reverse ipv6 lookups.
9837 387. [func] Add dns_byaddr_createptrname(), which converts
9838 an address into the name used by a PTR query.
9840 386. [bug] Missing strdup() of ACL name caused random
9841 ACL matching failures [RT #228].
9843 385. [cleanup] Removed functions dns_zone_equal(), dns_zone_print(),
9846 384. [bug] nsupdate was incorrectly limiting TTLs to 65535 instead
9849 383. [func] When writing a master file, print the SOA and NS
9850 records (and their SIGs) before other records.
9852 382. [bug] named -u failed on many Linux systems where the
9853 libc provided kernel headers do not match
9856 381. [bug] Check for IPV6_RECVPKTINFO and use it instead of
9857 IPV6_PKTINFO if found. [RT #229]
9859 380. [bug] nsupdate didn't work with IPv6.
9861 379. [func] New library function isc_sockaddr_anyofpf().
9863 378. [func] named and lwresd will log the command line arguments
9864 they were started with in the "starting ..." message.
9866 377. [bug] When additional data lookups were refused due to
9867 "allow-query", the databases were still being
9868 attached causing reference leaks.
9870 376. [bug] The server should always use good entropy when
9871 performing cryptographic functions needing entropy.
9873 375. [bug] Per-zone "allow-query" did not properly override the
9874 view/global one for CNAME targets and additional
9877 374. [bug] SOA in authoritative negative responses had wrong TTL.
9879 373. [func] nslookup is now installed by "make install".
9881 372. [bug] Deal with Microsoft DNS servers appending two bytes of
9882 garbage to zone transfer requests.
9884 371. [bug] At high debug levels, doing an outgoing zone transfer
9885 of a very large RRset could cause an assertion failure
9888 370. [bug] The error messages for roll-forward failures were
9891 369. [func] Support new named.conf options, view and zone
9894 max-retry-time, min-retry-time,
9895 max-refresh-time, min-refresh-time.
9897 368. [func] Restructure the internal ".bind" view so that more
9898 zones can be added to it.
9900 367. [bug] Allow proper selection of server on nslookup command
9903 366. [func] Allow use of '-' batch file in dig for stdin.
9905 365. [bug] nsupdate -k leaked memory.
9907 364. [func] Added additional-from-{cache,auth}
9911 362. [bug] rndc no longer aborts if the configuration file is
9912 missing an options statement. [RT #209]
9914 361. [func] When the RBT find or chain functions set the name and
9915 origin for a node that stores the root label
9916 the name is now set to an empty name, instead of ".",
9917 to simplify later use of the name and origin by
9918 dns_name_concatenate(), dns_name_totext() or
9921 360. [func] dns_name_totext() and dns_name_format() now allow
9922 an empty name to be passed, which is formatted as "@".
9924 359. [bug] dnssec-signzone occasionally signed glue records.
9926 358. [cleanup] Rename the intermediate files used by the dnssec
9929 357. [bug] The zone file parser crashed if the argument
9930 to $INCLUDE was a quoted string.
9932 356. [cleanup] isc_task_send no longer requires event->sender to
9935 355. [func] Added isc_dir_createunique(), similar to mkdtemp().
9937 354. [doc] Man pages for the dnssec tools are now included in
9938 the distribution, in doc/man/dnssec.
9940 353. [bug] double increment in lwres/gethost.c:copytobuf().
9943 352. [bug] Race condition in dns_client_t startup could cause
9944 an assertion failure.
9946 351. [bug] Constructing a response with rcode SERVFAIL to a TSIG
9947 signed query could crash the server.
9949 350. [bug] Also-notify lists specified in the global options
9950 block were not correctly reference counted, causing
9953 349. [bug] Processing a query with the CD bit set now works
9956 348. [func] New boolean named.conf options 'additional-from-auth'
9957 and 'additional-from-cache' now supported in view and
9958 global options statement.
9960 347. [bug] Don't crash if an argument is left off options in dig.
9964 345. [bug] Large-scale changes/cleanups to dig:
9965 * Significantly improve structure handling
9966 * Don't pre-load entire batch files
9967 * Add name/rr counting/limiting
9968 * Fix SIGINT handling
9969 * Shorten timeouts to match v8's behavior
9971 344. [bug] When shutting down, lwresd sometimes tried
9972 to shut down its client tasks twice,
9973 triggering an assertion.
9975 343. [bug] Although zone maintenance SOA queries and
9976 notify requests were signed with TSIG keys
9977 when configured for the server in case,
9978 the TSIG was not verified on the response.
9980 342. [bug] The wrong name was being passed to
9981 dns_name_dup() when generating a TSIG
9984 341. [func] Support 'key' clause in named.conf zone masters
9985 statement to allow authentication via TSIG keys:
9988 10.0.0.1 port 5353 key "foo";
9992 340. [bug] The top-level COPYRIGHT file was missing from
9995 339. [bug] DNSSEC validation of the response to an ANY
9996 query at a name with a CNAME RR in a secure
9997 zone triggered an assertion failure.
9999 338. [bug] lwresd logged to syslog as named, not lwresd.
10001 337. [bug] "dig" did not recognize "nsap-ptr" as an RR type
10002 on the command line.
10004 336. [bug] "dig -f" used 64 k of memory for each line in
10005 the file. It now uses much less, though still
10006 proportionally to the file size.
10008 335. [bug] named would occasionally attempt recursion when
10009 it was disallowed or undesired.
10011 334. [func] Added hmac-md5 to libisc.
10013 333. [bug] The resolver incorrectly accepted referrals to
10014 domains that were not parents of the query name,
10015 causing assertion failures.
10017 332. [func] New function dns_name_reset().
10019 331. [bug] Only log "recursion denied" if RD is set. [RT #178]
10021 330. [bug] Many debugging messages were partially formatted
10022 even when debugging was turned off, causing a
10023 significant decrease in query performance.
10025 329. [func] omapi_auth_register() now takes a size_t argument for
10026 the length of a key's secret data. Previously
10027 OMAPI only stored secrets up to the first NUL byte.
10029 328. [func] Added isc_base64_decodestring().
10031 327. [bug] rndc.conf parser wasn't correctly recognizing an IP
10032 address where a host specification was required.
10034 326. [func] 'keys' in an 'inet' control statement is now
10035 required and must have at least one item in it.
10036 A "not supported" warning is now issued if a 'unix'
10037 control channel is defined.
10039 325. [bug] isc_lex_gettoken was processing octal strings when
10040 ISC_LEXOPT_CNUMBER was not set.
10042 324. [func] In the resolver, turn EDNS0 off if there is no
10043 response after a number of retransmissions.
10044 This is to allow queries some chance of succeeding
10045 even if all the authoritative servers of a zone
10046 silently discard EDNS0 requests instead of
10047 sending an error response like they ought to.
10049 323. [bug] dns_rbt_findname() did not ignore empty rbt nodes.
10050 Because of this, servers authoritative for a parent
10051 and grandchild zone but not authoritative for the
10052 intervening child zone did not correctly issue
10053 referrals to the servers of the child zone.
10055 322. [bug] Queries for KEY RRs are now sent to the parent
10056 server before the authoritative one, making
10057 DNSSEC insecurity proofs work in many cases
10058 where they previously didn't.
10060 321. [bug] When synthesizing a CNAME RR for a DNAME
10061 response, query_addcname() failed to initialize
10062 the type and class of the CNAME dns_rdata_t,
10063 causing random failures.
10065 320. [func] Multiple rndc changes: parses an rndc.conf file,
10066 uses authentication to talk to named, command
10067 line syntax changed. This will all be described
10070 319. [func] The named.conf "controls" statement is now used
10071 to configure the OMAPI command channel.
10073 318. [func] dns_c_ndcctx_destroy() could never return anything
10074 except ISC_R_SUCCESS; made it have void return instead.
10076 317. [func] Use callbacks from libomapi to determine if a
10077 new connection is valid, and if a key requested
10078 to be used with that connection is valid.
10080 316. [bug] Generate a warning if we detect an unexpected <eof>
10081 but treat as <eol><eof>.
10083 315. [bug] Handle non-empty blanks lines. [RT #163]
10085 314. [func] The named.conf controls statement can now have
10086 more than one key specified for the inet clause.
10088 313. [bug] When parsing resolv.conf, don't terminate on an
10089 error. Instead, parse as much as possible, but
10090 still return an error if one was found.
10092 312. [bug] Increase the number of allowed elements in the
10093 resolv.conf search path from 6 to 8. If there
10094 are more than this, ignore the remainder rather
10095 than returning a failure in lwres_conf_parse.
10097 311. [bug] lwres_conf_parse failed when the first line of
10098 resolv.conf was empty or a comment.
10100 310. [func] Changes to named.conf "controls" statement (inet
10103 - support "keys" clause
10107 allow { any; } keys { "foo"; }
10110 - allow "port xxx" to be left out of statement,
10111 in which case it defaults to omapi's default port
10114 309. [bug] When sending a referral, the server did not look
10115 for name server addresses as glue in the zone
10116 holding the NS RRset in the case where this zone
10117 was not the same as the one where it looked for
10118 name server addresses as authoritative data.
10120 308. [bug] Treat a SOA record not at top of zone as an error
10121 when loading a zone. [RT #154]
10123 307. [bug] When canceling a query, the resolver didn't check for
10124 isc_socket_sendto() calls that did not yet have their
10125 completion events posted, so it could (rarely) end up
10126 destroying the query context and then want to use
10127 it again when the send event posted, triggering an
10128 assertion as it tried to cancel an already-canceled
10131 306. [bug] Reading HMAC-MD5 private key files didn't work.
10133 305. [bug] When reloading the server with a config file
10134 containing a syntax error, it could catch an
10135 assertion failure trying to perform zone
10136 maintenance on tentatively created zones whose
10137 views were never fully configured and lacked
10138 an address database.
10140 304. [bug] If more than LWRES_CONFMAXNAMESERVERS servers
10141 are listed in resolv.conf, silently ignore them
10142 instead of returning failure.
10144 303. [bug] Add additional sanity checks to differentiate a AXFR
10145 response vs a IXFR response. [RT #157]
10147 302. [bug] In dig, host, and nslookup, MXNAME should be large
10148 enough to hold any legal domain name in presentation
10149 format + terminating NULL.
10151 301. [bug] Uninitialized pointer in host:printmessage(). [RT #159]
10153 300. [bug] Using both <isc/net.h> and <lwres/net.h> didn't work
10154 on platforms lacking IPv6 because each included their
10155 own ipv6 header file for the missing definitions. Now
10156 each library's ipv6.h defines the wrapper symbol of
10157 the other (ISC_IPV6_H and LWRES_IPV6_H).
10159 299. [cleanup] Get the user and group information before changing the
10160 root directory, so the administrator does not need to
10161 keep a copy of the user and group databases in the
10162 chroot'ed environment. Suggested by Hakan Olsson.
10164 298. [bug] A mutex deadlock occurred during shutdown of the
10165 interface manager under certain conditions.
10166 Digital Unix systems were the most affected.
10168 297. [bug] Specifying a key name that wasn't fully qualified
10169 in certain parts of the config file could cause
10170 an assertion failure.
10172 296. [bug] "make install" from a separate build directory
10173 failed unless configure had been run in the source
10176 295. [bug] When invoked with type==CNAME and a message
10177 not constructed by dns_message_parse(),
10178 dns_message_findname() failed to find anything
10179 due to checking for attribute bits that are set
10180 only in dns_message_parse(). This caused an
10181 infinite loop when constructing the response to
10182 an ANY query at a CNAME in a secure zone.
10184 294. [bug] If we run out of space in while processing glue
10185 when reading a master file and commit "current name"
10186 reverts to "name_current" instead of staying as
10189 293. [port] Add support for FreeBSD 4.0 system tests.
10191 292. [bug] Due to problems with the way some operating systems
10192 handle simultaneous listening on IPv4 and IPv6
10193 addresses, the server no longer listens on IPv6
10194 addresses by default. To revert to the previous
10195 behavior, specify "listen-on-v6 { any; };" in
10198 291. [func] Caching servers no longer send outgoing queries
10199 over TCP just because the incoming recursive query
10202 290. [cleanup] +twiddle option to dig (for testing only) removed.
10204 289. [cleanup] dig is now installed in $bindir instead of $sbindir.
10205 host is now installed in $bindir. (Be sure to remove
10206 any $sbindir/dig from a previous release.)
10208 288. [func] rndc is now installed by "make install" into $sbindir.
10210 287. [bug] rndc now works again as "rndc 127.1 reload" (for
10211 only that task). Parsing its configuration file and
10212 using digital signatures for authentication has been
10213 disabled until named supports the "controls" statement,
10216 286. [bug] On Solaris 2, when named inherited a signal state
10217 where SIGHUP had the SIG_IGN action, SIGHUP would
10218 be ignored rather than causing the server to reload
10221 285. [bug] A change made to the dst API for beta4 inadvertently
10222 broke OMAPI's creation of a dst key from an incoming
10223 message, causing an assertion to be triggered. Fixed.
10225 284. [func] The DNSSEC key generation and signing tools now
10226 generate randomness from keyboard input on systems
10227 that lack /dev/random.
10229 283. [cleanup] The 'lwresd' program is now a link to 'named'.
10231 282. [bug] The lexer now returns ISC_R_RANGE if parsed integer is
10232 too big for an unsigned long.
10234 281. [bug] Fixed list of recognized config file category names.
10236 280. [func] Add isc-config.sh, which can be used to more
10237 easily build applications that link with
10240 279. [bug] Private omapi function symbols shared between
10241 two or more files in libomapi.a were not namespace
10242 protected using the ISC convention of starting with
10243 the library name and two underscores ("omapi__"...)
10245 278. [bug] bin/named/logconf.c:category_fromconf() didn't take
10246 note of when isc_log_categorybyname() wasn't able
10247 to find the category name and would then apply the
10248 channel list of the unknown category to all categories.
10250 277. [bug] isc_log_categorybyname() and isc_log_modulebyname()
10251 would fail to find the first member of any category
10252 or module array apart from the internal defaults.
10253 Thus, for example, the "notify" category was improperly
10254 configured by named.
10256 276. [bug] dig now supports maximum sized TCP messages.
10258 275. [bug] The definition of lwres_gai_strerror() was missing
10261 274. [bug] TSIG AXFR verify failed when talking to a BIND 8
10264 273. [func] The default for the 'transfer-format' option is
10265 now 'many-answers'. This will break zone transfers
10266 to BIND 4.9.5 and older unless there is an explicit
10267 'one-answer' configuration.
10269 272. [bug] The sending of large TCP responses was canceled
10270 in mid-transmission due to a race condition
10271 caused by the failure to set the client object's
10272 "newstate" variable correctly when transitioning
10273 to the "working" state.
10275 271. [func] Attempt to probe the number of cpus in named
10276 if unspecified rather than defaulting to 1.
10278 270. [func] Allow maximum sized TCP answers.
10280 269. [bug] Failed DNSSEC validations could cause an assertion
10281 failure by causing clone_results() to be called with
10282 with hevent->node == NULL.
10284 268. [doc] A plain text version of the Administrator
10285 Reference Manual is now included in the distribution,
10286 as doc/arm/Bv9ARM.txt.
10288 267. [func] Nsupdate is now provided in the distribution.
10290 266. [bug] zone.c:save_nsrrset() node was not initialized.
10292 265. [bug] dns_request_create() now works for TCP.
10294 264. [func] Dispatch can not take TCP sockets in connecting
10295 state. Set DNS_DISPATCHATTR_CONNECTED when calling
10296 dns_dispatch_createtcp() for connected TCP sockets
10297 or call dns_dispatch_starttcp() when the socket is
10300 263. [func] New logging channel type 'stderr'
10302 channel some-name {
10307 262. [bug] 'master' was not initialized in zone.c:stub_callback().
10309 261. [func] Add dns_zone_markdirty().
10311 260. [bug] Running named as a non-root user failed on Linux
10312 kernels new enough to support retaining capabilities
10315 259. [func] New random-device and random-seed-file statements
10316 for global options block of named.conf. Both accept
10317 a single string argument.
10319 258. [bug] Fixed printing of lwres_addr_t.address field.
10321 257. [bug] The server detached the last zone manager reference
10322 too early, while it could still be in use by queries.
10323 This manifested itself as assertion failures during the
10324 shutdown process for busy name servers. [RT #133]
10326 256. [func] isc_ratelimiter_t now has attach/detach semantics, and
10327 isc_ratelimiter_shutdown guarantees that the rate
10328 limiter is detached from its task.
10330 255. [func] New function dns_zonemgr_attach().
10332 254. [bug] Suppress "query denied" messages on additional data
10335 --- 9.0.0b4 released ---
10337 253. [func] resolv.conf parser now recognizes ';' and '#' as
10338 comments (anywhere in line, not just as the beginning).
10340 252. [bug] resolv.conf parser mishandled masks on sortlists.
10341 It also aborted when an unrecognized keyword was seen,
10342 now it silently ignores the entire line.
10344 251. [bug] lwresd caught an assertion failure on startup.
10346 250. [bug] fixed handling of size+unit when value would be too
10347 large for internal representation.
10349 249. [cleanup] max-cache-size config option now takes a size-spec
10350 like 'datasize', except 'default' is not allowed.
10352 248. [bug] global lame-ttl option was not being printed when
10353 config structures were written out.
10355 247. [cleanup] Rename cache-size config option to max-cache-size.
10357 246. [func] Rename global option cachesize to cache-size and
10358 add corresponding option to view statement.
10360 245. [bug] If an uncompressed name will take more than 255
10361 bytes and the buffer is sufficiently long,
10362 dns_name_fromwire should return DNS_R_FORMERR,
10363 not ISC_R_NOSPACE. This bug caused cause the
10364 server to catch an assertion failure when it
10365 received a query for a name longer than 255
10368 244. [bug] empty named.conf file and empty options statement are
10369 now parsed properly.
10371 243. [func] new cachesize option for named.conf
10373 242. [cleanup] fixed incorrect warning about auth-nxdomain usage.
10375 241. [cleanup] nscount and soacount have been removed from the
10376 dns_master_*() argument lists.
10378 240. [func] databases now come in three flavours: zone, cache
10381 239. [func] If ISC_MEM_DEBUG is enabled, the variable
10382 isc_mem_debugging controls whether messages
10383 are printed or not.
10385 238. [cleanup] A few more compilation warnings have been quieted:
10386 + missing sigwait prototype on BSD/OS 4.0/4.0.1.
10387 + PTHREAD_ONCE_INIT unbraced initializer warnings on
10389 + IN6ADDR_ANY_INIT unbraced initializer warnings on
10390 BSD/OS 4.*, Linux and Solaris 2.8.
10392 237. [bug] If connect() returned ENOBUFS when the resolver was
10393 initiating a TCP query, the socket didn't get
10394 destroyed, and the server did not shut down cleanly.
10396 236. [func] Added new listen-on-v6 config file statement.
10398 235. [func] Consider it a config file error if a listen-on
10399 statement has an IPv6 address in it, or a
10400 listen-on-v6 statement has an IPv4 address in it.
10402 234. [bug] Allow a trusted-key's first field (domain-name) be
10403 either a quoted or an unquoted string, instead of
10404 requiring a quoted string.
10406 233. [cleanup] Convert all config structure integer values to unsigned
10407 integer (isc_uint32_t) to match grammar.
10409 232. [bug] Allow slave zones to not have a file.
10411 231. [func] Support new 'port' clause in config file options
10412 section. Causes 'listen-on', 'masters' and
10413 'also-notify' statements to use its value instead of
10416 230. [func] Replace the dst sign/verify API with a cleaner one.
10418 229. [func] Support config file sig-validity-interval statement
10419 in options, views and zone statements (master
10422 228. [cleanup] Logging messages in config module stripped of
10425 227. [cleanup] The enumerated identifiers dns_rdataclass_*,
10426 dns_rcode_*, dns_opcode_*, and dns_trust_* are
10427 also now cast to their appropriate types, as with
10428 dns_rdatatype_* in item number 225 below.
10430 226. [func] dns_name_totext() now always prints the root name as
10431 '.', even when omit_final_dot is true.
10433 225. [cleanup] The enumerated dns_rdatatype_* identifiers are now
10434 cast to dns_rdatatype_t via macros of their same name
10435 so that they are of the proper integral type wherever
10436 a dns_rdatatype_t is needed.
10438 224. [cleanup] The entire project builds cleanly with gcc's
10439 -Wcast-qual and -Wwrite-strings warnings enabled,
10440 which is now the default when using gcc. (Warnings
10441 from confparser.c, because of yacc's code, are
10442 unfortunately to be expected.)
10444 223. [func] Several functions were re-prototyped to qualify one
10445 or more of their arguments with "const". Similarly,
10446 several functions that return pointers now have
10447 those pointers qualified with const.
10449 222. [bug] The global 'also-notify' option was ignored.
10451 221. [bug] An uninitialized variable was sometimes passed to
10452 dns_rdata_freestruct() when loading a zone, causing
10453 an assertion failure.
10455 220. [cleanup] Set the default outgoing port in the view, and
10456 set it in sockaddrs returned from the ADB.
10457 [31-May-2000 explorer]
10459 219. [bug] Signed truncated messages more correctly follow
10460 the respective specs.
10462 218. [func] When an rdataset is signed, its ttl is normalized
10463 based on the signature validity period.
10465 217. [func] Also-notify and trusted-keys can now be used in
10466 the 'view' statement.
10468 216. [func] The 'max-cache-ttl' and 'max-ncache-ttl' options
10471 215. [bug] Failures at certain points in request processing
10472 could cause the assertion INSIST(client->lockview
10473 == NULL) to be triggered.
10475 214. [func] New public function isc_netaddr_format(), for
10476 formatting network addresses in log messages.
10478 213. [bug] Don't leak memory when reloading the zone if
10479 an update-policy clause was present in the old zone.
10481 212. [func] Added dns_message_get/settsigkey, to make TSIG
10482 key management reasonable.
10484 211. [func] The 'key' and 'server' statements can now occur
10485 inside 'view' statements.
10487 210. [bug] The 'allow-transfer' option was ignored for slave
10488 zones, and the 'transfers-per-ns' option was
10489 was ignored for all zones.
10491 209. [cleanup] Upgraded openssl files to new version 0.9.5a
10493 208. [func] Added ISC_OFFSET_MAXIMUM for the maximum value
10494 of an isc_offset_t.
10496 207. [func] The dnssec tools properly use the logging subsystem.
10498 206. [cleanup] dst now stores the key name as a dns_name_t, not
10501 205. [cleanup] On IRIX, turn off the mostly harmless warnings 1692
10502 ("prototyped function redeclared without prototype")
10503 and 1552 ("variable ... set but not used") when
10504 compiling in the lib/dns/sec/{dnssafe,openssl}
10505 directories, which contain code imported from outside
10508 204. [cleanup] On HP/UX, pass +vnocompatwarnings to the linker
10509 to quiet the warnings that "The linked output may not
10510 run on a PA 1.x system."
10512 203. [func] notify and zone soa queries are now tsig signed when
10515 202. [func] isc_lex_getsourceline() changed from returning int
10516 to returning unsigned long, the type of its underlying
10519 201. [cleanup] Removed the test/sdig program, it has been
10520 replaced by bin/dig/dig.
10522 --- 9.0.0b3 released ---
10524 200. [bug] Failures in sending query responses to clients
10525 (e.g., running out of network buffers) were
10528 199. [bug] isc_heap_delete() sometimes violated the heap
10529 invariant, causing timer events not to be posted
10532 198. [func] Dispatch managers hold memory pools which
10533 any managed dispatcher may use. This allows
10534 us to avoid dipping into the memory context for
10535 most allocations. [19-May-2000 explorer]
10537 197. [bug] When an incoming AXFR or IXFR completes, the
10538 zone's internal state is refreshed from the
10539 SOA data. [19-May-2000 explorer]
10541 196. [func] Dispatchers can be shared easily between views
10542 and/or interfaces. [19-May-2000 explorer]
10544 195. [bug] Including the NXT record of the root domain
10545 in a negative response caused an assertion
10548 194. [doc] The PDF version of the Administrator's Reference
10549 Manual is no longer included in the ISC BIND9
10552 193. [func] changed dst_key_free() prototype.
10554 192. [bug] Zone configuration validation is now done at end
10555 of config file parsing, and before loading
10558 191. [func] Patched to compile on UnixWare 7.x. This platform
10559 is not directly supported by the ISC.
10561 190. [cleanup] The DNSSEC tools have been moved to a separate
10562 directory dnssec/ and given the following new,
10563 more descriptive names:
10570 Their command line arguments have also been changed to
10571 be more consistent. dnssec-keygen now prints the
10572 name of the generated key files (sans extension)
10573 on standard output to simplify its use in automated
10576 189. [func] isc_time_secondsastimet(), a new function, will ensure
10577 that the number of seconds in an isc_time_t does not
10578 exceed the range of a time_t, or return ISC_R_RANGE.
10579 Similarly, isc_time_now(), isc_time_nowplusinterval(),
10580 isc_time_add() and isc_time_subtract() now check the
10581 range for overflow/underflow. In the case of
10582 isc_time_subtract, this changed a calling requirement
10583 (ie, something that could generate an assertion)
10584 into merely a condition that returns an error result.
10585 isc_time_add() and isc_time_subtract() were void-
10586 valued before but now return isc_result_t.
10588 188. [func] Log a warning message when an incoming zone transfer
10589 contains out-of-zone data.
10591 187. [func] isc_ratelimiter_enqueue() has an additional argument
10594 186. [func] dns_request_getresponse() has an additional argument
10597 185. [bug] Fixed up handling of ISC_MEMCLUSTER_LEGACY. Several
10598 public functions did not have an isc__ prefix, and
10599 referred to functions that had previously been
10602 184. [cleanup] Variables/functions which began with two leading
10603 underscores were made to conform to the ANSI/ISO
10604 standard, which says that such names are reserved.
10606 183. [func] ISC_LOG_PRINTTAG option for log channels. Useful
10607 for logging the program name or other identifier.
10609 182. [cleanup] New command-line parameters for dnssec tools
10611 181. [func] Added dst_key_buildfilename and dst_key_parsefilename
10613 180. [func] New isc_result_t ISC_R_RANGE. Supersedes DNS_R_RANGE.
10615 179. [func] options named.conf statement *must* now come
10616 before any zone or view statements.
10618 178. [func] Post-load of named.conf check verifies a slave zone
10619 has non-empty list of masters defined.
10621 177. [func] New per-zone boolean:
10623 enable-zone yes | no ;
10625 intended to let a zone be disabled without having
10626 to comment out the entire zone statement.
10628 176. [func] New global and per-view option:
10630 max-cache-ttl number
10632 175. [func] New global and per-view option:
10634 additional-data internal | minimal | maximal;
10636 174. [func] New public function isc_sockaddr_format(), for
10637 formatting socket addresses in log messages.
10639 173. [func] Keep a queue of zones waiting for zone transfer
10640 quota so that a new transfer can be dispatched
10641 immediately whenever quota becomes available.
10643 172. [bug] $TTL directive was sometimes missing from dumped
10644 master files because totext_ctx_init() failed to
10645 initialize ctx->current_ttl_valid.
10647 171. [cleanup] On NetBSD systems, the mit-pthreads or
10648 unproven-pthreads library is now always used
10649 unless --with-ptl2 is explicitly specified on
10650 the configure command line. The
10651 --with-mit-pthreads option is no longer needed
10652 and has been removed.
10654 170. [cleanup] Remove inter server consistency checks from zone,
10655 these should return as a separate module in 9.1.
10656 dns_zone_checkservers(), dns_zone_checkparents(),
10657 dns_zone_checkchildren(), dns_zone_checkglue().
10659 Remove dns_zone_setadb(), dns_zone_setresolver(),
10660 dns_zone_setrequestmgr() these should now be found
10663 169. [func] ratelimiter can now process N events per interval.
10665 168. [bug] include statements in named.conf caused syntax errors
10666 due to not consuming the semicolon ending the include
10667 statement before switching input streams.
10669 167. [bug] Make lack of masters for a slave zone a soft error.
10671 166. [bug] Keygen was overwriting existing keys if key_id
10672 conflicted, now it will retry, and non-null keys
10673 with key_id == 0 are not generated anymore. Key
10674 was not able to generate NOAUTHCONF DSA key,
10675 increased RSA key size to 2048 bits.
10677 165. [cleanup] Silence "end-of-loop condition not reached" warnings
10678 from Solaris compiler.
10680 164. [func] Added functions isc_stdio_open(), isc_stdio_close(),
10681 isc_stdio_seek(), isc_stdio_read(), isc_stdio_write(),
10682 isc_stdio_flush(), isc_stdio_sync(), isc_file_remove()
10683 to encapsulate nonportable usage of errno and sync.
10685 163. [func] Added result codes ISC_R_FILENOTFOUND and
10688 162. [bug] Ensure proper range for arguments to ctype.h functions.
10690 161. [cleanup] error in yyparse prototype that only HPUX caught.
10692 160. [cleanup] getnet*() are not going to be implemented at this
10695 159. [func] Redefinition of config file elements is now an
10696 error (instead of a warning).
10698 158. [bug] Log channel and category list copy routines
10699 weren't assigning properly to output parameter.
10701 157. [port] Fix missing prototype for getopt().
10703 156. [func] Support new 'database' statement in zone.
10705 database "quoted-string";
10707 155. [bug] ns_notify_start() was not detaching the found zone.
10709 154. [func] The signer now logs libdns warnings to stderr even when
10710 not verbose, and in a nicer format.
10712 153. [func] dns_rdata_tostruct() 'mctx' is now optional. If 'mctx'
10713 is NULL then you need to preserve the 'rdata' until
10714 you have finished using the structure as there may be
10715 references to the associated memory. If 'mctx' is
10716 non-NULL it is guaranteed that there are no references
10717 to memory associated with 'rdata'.
10719 dns_rdata_freestruct() must be called if 'mctx' was
10720 non-NULL and may safely be called if 'mctx' was NULL.
10722 152. [bug] keygen dumped core if domain name argument was omitted
10725 151. [func] Support 'disabled' statement in zone config (causes
10726 zone to be parsed and then ignored). Currently must
10727 come after the 'type' clause.
10729 150. [func] Support optional ports in masters and also-notify
10732 masters [ port xxx ] { y.y.y.y [ port zzz ] ; }
10734 149. [cleanup] Removed unused argument 'olist' from
10735 dns_c_view_unsetordering().
10737 148. [cleanup] Stop issuing some warnings about some configuration
10738 file statements that were not implemented, but now are.
10740 147. [bug] Changed yacc union size to be smaller for yaccs that
10741 put yacc-stack on the real stack.
10743 146. [cleanup] More general redundant header file cleanup. Rather
10744 than continuing to itemize every header which changed,
10745 this changelog entry just notes that if a header file
10746 did not need another header file that it was including
10747 in order to provide its advertised functionality, the
10748 inclusion of the other header file was removed. See
10749 util/check-includes for how this was tested.
10751 145. [cleanup] Added <isc/lang.h> and ISC_LANG_BEGINDECLS/
10752 ISC_LANG_ENDDECLS to header files that had function
10753 prototypes, and removed it from those that did not.
10755 144. [cleanup] libdns header files too numerous to name were made
10756 to conform to the same style for multiple inclusion
10759 143. [func] Added function dns_rdatatype_isknown().
10761 142. [cleanup] <isc/stdtime.h> does not need <time.h> or
10764 141. [bug] Corrupt requests with multiple questions could
10765 cause an assertion failure.
10767 140. [cleanup] <isc/time.h> does not need <time.h> or <isc/result.h>.
10769 139. [cleanup] <isc/net.h> now includes <isc/types.h> instead of
10770 <isc/int.h> and <isc/result.h>.
10772 138. [cleanup] isc_strtouq moved from str.[ch] to string.[ch] and
10773 renamed isc_string_touint64. isc_strsep moved from
10774 strsep.c to string.c and renamed isc_string_separate.
10776 137. [cleanup] <isc/commandline.h>, <isc/mem.h>, <isc/print.h>
10777 <isc/serial.h>, <isc/string.h> and <isc/offset.h>
10778 made to conform to the same style for multiple
10779 inclusion protection.
10781 136. [cleanup] <isc/commandline.h>, <isc/interfaceiter.h>,
10782 <isc/net.h> and Win32's <isc/thread.h> needed
10783 ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS.
10785 135. [cleanup] Win32's <isc/condition.h> did not need <isc/result.h>
10786 or <isc/boolean.h>, now uses <isc/types.h> in place
10787 of <isc/time.h>, and needed ISC_LANG_BEGINDECLS
10788 and ISC_LANG_ENDDECLS.
10790 134. [cleanup] <isc/dir.h> does not need <limits.h>.
10792 133. [cleanup] <isc/ipv6.h> needs <isc/platform.h>.
10794 132. [cleanup] <isc/app.h> does not need <isc/task.h>, but does
10795 need <isc/eventclass.h>.
10797 131. [cleanup] <isc/mutex.h> and <isc/util.h> need <isc/result.h>
10798 for ISC_R_* codes used in macros.
10800 130. [cleanup] <isc/condition.h> does not need <pthread.h> or
10801 <isc/boolean.h>, and now includes <isc/types.h>
10802 instead of <isc/time.h>.
10804 129. [bug] The 'default_debug' log channel was not set up when
10805 'category default' was present in the config file
10807 128. [cleanup] <isc/dir.h> had ISC_LANG_BEGINDECLS instead of
10808 ISC_LANG_ENDDECLS at end of header.
10810 127. [cleanup] The contracts for the comparison routines
10811 dns_name_fullcompare(), dns_name_compare(),
10812 dns_name_rdatacompare(), and dns_rdata_compare() now
10813 specify that the order value returned is < 0, 0, or > 0
10814 instead of -1, 0, or 1.
10816 126. [cleanup] <isc/quota.h> and <isc/taskpool.h> need <isc/lang.h>.
10818 125. [cleanup] <isc/eventclass.h>, <isc/ipv6.h>, <isc/magic.h>,
10819 <isc/mutex.h>, <isc/once.h>, <isc/region.h>, and
10820 <isc/resultclass.h> do not need <isc/lang.h>.
10822 124. [func] signer now imports parent's zone key signature
10823 and creates null keys/sets zone status bit for
10824 children when necessary
10826 123. [cleanup] <isc/event.h> does not need <stddef.h>.
10828 122. [cleanup] <isc/task.h> does not need <isc/mem.h> or
10831 121. [cleanup] <isc/symtab.h> does not need <isc/mem.h> or
10832 <isc/result.h>. Multiple inclusion protection
10833 symbol fixed from ISC_SYMBOL_H to ISC_SYMTAB_H.
10834 isc_symtab_t moved to <isc/types.h>.
10836 120. [cleanup] <isc/socket.h> does not need <isc/boolean.h>,
10837 <isc/bufferlist.h>, <isc/task.h>, <isc/mem.h> or
10840 119. [cleanup] structure definitions for generic rdata structures do
10841 not have _generic_ in their names.
10843 118. [cleanup] libdns.a is now namespace-clean, on NetBSD, excepting
10844 YACC crust (yyparse, etc) [2000-apr-27 explorer]
10846 117. [cleanup] libdns.a changes:
10847 dns_zone_clearnotify() and dns_zone_addnotify()
10848 are replaced by dns_zone_setnotifyalso().
10849 dns_zone_clearmasters() and dns_zone_addmaster()
10850 are replaced by dns_zone_setmasters().
10852 116. [func] Added <isc/offset.h> for isc_offset_t (aka off_t
10855 115. [port] Shut up the -Wmissing-declarations warning about
10856 <stdio.h>'s __sputaux on BSD/OS pre-4.1.
10858 114. [cleanup] <isc/sockaddr.h> does not need <isc/buffer.h> or
10861 113. [func] Utility programs dig and host added.
10863 112. [cleanup] <isc/serial.h> does not need <isc/boolean.h>.
10865 111. [cleanup] <isc/rwlock.h> does not need <isc/result.h> or
10868 110. [cleanup] <isc/result.h> does not need <isc/boolean.h> or
10871 109. [bug] "make depend" did nothing for
10872 bin/tests/{db,mem,sockaddr,tasks,timers}/.
10874 108. [cleanup] DNS_SETBIT/DNS_GETBIT/DNS_CLEARBIT moved from
10875 <dns/types.h> to <dns/bit.h> and renamed to
10876 DNS_BIT_SET/DNS_BIT_GET/DNS_BIT_CLEAR.
10878 107. [func] Add keysigner and keysettool.
10880 106. [func] Allow dnssec verifications to ignore the validity
10881 period. Used by several of the dnssec tools.
10883 105. [doc] doc/dev/coding.html expanded with other
10884 implicit conventions the developers have used.
10886 104. [bug] Made compress_add and compress_find static to
10887 lib/dns/compress.c.
10889 103. [func] libisc buffer API changes for <isc/buffer.h>:
10891 isc_buffer_base(b) (pointer)
10892 isc_buffer_current(b) (pointer)
10893 isc_buffer_active(b) (pointer)
10894 isc_buffer_used(b) (pointer)
10895 isc_buffer_length(b) (int)
10896 isc_buffer_usedlength(b) (int)
10897 isc_buffer_consumedlength(b) (int)
10898 isc_buffer_remaininglength(b) (int)
10899 isc_buffer_activelength(b) (int)
10900 isc_buffer_availablelength(b) (int)
10902 ISC_BUFFER_USEDCOUNT(b)
10903 ISC_BUFFER_AVAILABLECOUNT(b)
10906 isc_buffer_used(b, r) ->
10907 isc_buffer_usedregion(b, r)
10908 isc_buffer_available(b, r) ->
10909 isc_buffer_available_region(b, r)
10910 isc_buffer_consumed(b, r) ->
10911 isc_buffer_consumedregion(b, r)
10912 isc_buffer_active(b, r) ->
10913 isc_buffer_activeregion(b, r)
10914 isc_buffer_remaining(b, r) ->
10915 isc_buffer_remainingregion(b, r)
10917 Buffer types were removed, so the ISC_BUFFERTYPE_*
10918 macros are no more, and the type argument to
10919 isc_buffer_init and isc_buffer_allocate were removed.
10920 isc_buffer_putstr is now void (instead of isc_result_t)
10921 and requires that the caller ensure that there
10922 is enough available buffer space for the string.
10924 102. [port] Correctly detect inet_aton, inet_pton and inet_ptop
10927 101. [cleanup] Quieted EGCS warnings from lib/isc/print.c.
10929 100. [cleanup] <isc/random.h> does not need <isc/int.h> or
10930 <isc/mutex.h>. isc_random_t moved to <isc/types.h>.
10932 99. [cleanup] Rate limiter now has separate shutdown() and
10933 destroy() functions, and it guarantees that all
10934 queued events are delivered even in the shutdown case.
10936 98. [cleanup] <isc/print.h> does not need <stdarg.h> or <stddef.h>
10937 unless ISC_PLATFORM_NEEDVSNPRINTF is defined.
10939 97. [cleanup] <isc/ondestroy.h> does not need <stddef.h> or
10942 96. [cleanup] <isc/mutex.h> does not need <isc/result.h>.
10944 95. [cleanup] <isc/mutexblock.h> does not need <isc/result.h>.
10946 94. [cleanup] Some installed header files did not compile as C++.
10948 93. [cleanup] <isc/msgcat.h> does not need <isc/result.h>.
10950 92. [cleanup] <isc/mem.h> does not need <stddef.h>, <isc/boolean.h>,
10953 91. [cleanup] <isc/log.h> does not need <sys/types.h> or
10956 90. [cleanup] Removed unneeded ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS
10957 from <named/listenlist.h>.
10959 89. [cleanup] <isc/lex.h> does not need <stddef.h>.
10961 88. [cleanup] <isc/interfaceiter.h> does not need <isc/result.h> or
10962 <isc/mem.h>. isc_interface_t and isc_interfaceiter_t
10963 moved to <isc/types.h>.
10965 87. [cleanup] <isc/heap.h> does not need <isc/boolean.h>,
10966 <isc/mem.h> or <isc/result.h>.
10968 86. [cleanup] isc_bufferlist_t moved from <isc/bufferlist.h> to
10971 85. [cleanup] <isc/bufferlist.h> does not need <isc/buffer.h>,
10972 <isc/list.h>, <isc/mem.h>, <isc/region.h> or
10975 84. [func] allow-query ACL checks now apply to all data
10976 added to a response.
10978 83. [func] If the server is authoritative for both a
10979 delegating zone and its (nonsecure) delegatee, and
10980 a query is made for a KEY RR at the top of the
10981 delegatee, then the server will look for a KEY
10982 in the delegator if it is not found in the delegatee.
10984 82. [cleanup] <isc/buffer.h> does not need <isc/list.h>.
10986 81. [cleanup] <isc/int.h> and <isc/boolean.h> do not need
10989 80. [cleanup] <isc/print.h> does not need <stdio.h> or <stdlib.h>.
10991 79. [cleanup] <dns/callbacks.h> does not need <stdio.h>.
10993 78. [cleanup] lwres_conftest renamed to lwresconf_test for
10994 consistency with other *_test programs.
10996 77. [cleanup] typedef of isc_time_t and isc_interval_t moved from
10997 <isc/time.h> to <isc/types.h>.
10999 76. [cleanup] Rewrote keygen.
11001 75. [func] Don't load a zone if its database file is older
11002 than the last time the zone was loaded.
11004 74. [cleanup] Removed mktemplate.o and ufile.o from libisc.a,
11005 subsumed by file.o.
11007 73. [func] New "file" API in libisc, including new function
11008 isc_file_getmodtime, isc_mktemplate renamed to
11009 isc_file_mktemplate and isc_ufile renamed to
11010 isc_file_openunique. By no means an exhaustive API,
11011 it is just what's needed for now.
11013 72. [func] DNS_RBTFIND_NOPREDECESSOR and DNS_RBTFIND_NOOPTIONS
11014 added for dns_rbt_findnode, the former to disable the
11015 setting of the chain to the predecessor, and the
11016 latter to make clear when no options are set.
11018 71. [cleanup] Made explicit the implicit REQUIREs of
11019 isc_time_seconds, isc_time_nanoseconds, and
11022 70. [func] isc_time_set() added.
11024 69. [bug] The zone object's master and also-notify lists grew
11025 longer with each server reload.
11027 68. [func] Partial support for SIG(0) on incoming messages.
11029 67. [performance] Allow use of alternate (compile-time supplied)
11030 OpenSSL libraries/headers.
11032 66. [func] Data in authoritative zones should have a trust level
11035 65. [cleanup] Removed obsolete typedef of dns_zone_callbackarg_t
11036 from <dns/types.h>.
11038 64. [func] The RBT, DB, and zone table APIs now allow the
11039 caller find the most-enclosing superdomain of
11042 63. [func] Generate NOTIFY messages.
11044 62. [func] Add UDP refresh support.
11046 61. [cleanup] Use single quotes consistently in log messages.
11048 60. [func] Catch and disallow singleton types on message
11051 59. [bug] Cause net/host unreachable to be a hard error
11052 when sending and receiving.
11054 58. [bug] bin/named/query.c could sometimes trigger the
11055 (client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
11056 == 0 assertion in query_newname().
11058 57. [func] Added dns_nxt_typepresent()
11060 56. [bug] SIG records were not properly returned in cached
11063 55. [bug] Responses containing multiple names in the authority
11064 section were not negatively cached.
11066 54. [bug] If a fetch with sigrdataset==NULL joined one with
11067 sigrdataset!=NULL or vice versa, the resolver
11068 could catch an assertion or lose signature data,
11071 53. [port] freebsd 4.0: lib/isc/unix/socket.c requires
11074 52. [bug] rndc: taskmgr and socketmgr were not initialized
11077 51. [cleanup] dns/compress.h and dns/zt.h did not need to include
11078 dns/rbt.h; it was needed only by compress.c and zt.c.
11080 50. [func] RBT deletion no longer requires a valid chain to work,
11081 and dns_rbt_deletenode was added.
11083 49. [func] Each cache now has its own mctx.
11085 48. [func] isc_task_create() no longer takes an mctx.
11086 isc_task_mem() has been eliminated.
11088 47. [func] A number of modules now use memory context reference
11091 46. [func] Memory contexts are now reference counted.
11092 Added isc_mem_inuse() and isc_mem_preallocate().
11093 Renamed isc_mem_destroy_check() to
11094 isc_mem_setdestroycheck().
11096 45. [bug] The trusted-key statement incorrectly loaded keys.
11098 44. [bug] Don't include authority data if it would force us
11099 to unset the AD bit in the message.
11101 43. [bug] DNSSEC verification of cached rdatasets was failing.
11103 42. [cleanup] Simplified logging of messages with embedded domain
11104 names by introducing a new convenience function
11107 41. [func] Use PR_SET_KEEPCAPS on Linux 2.3.99-pre3 and later
11108 to allow 'named' to run as a non-root user while
11109 retaining the ability to bind() to privileged
11112 40. [func] Introduced new logging category "dnssec" and
11113 logging module "dns/validator".
11115 39. [cleanup] Moved the typedefs for isc_region_t, isc_textregion_t,
11116 and isc_lex_t to <isc/types.h>.
11118 38. [bug] TSIG signed incoming zone transfers work now.
11120 37. [bug] If the first RR in an incoming zone transfer was
11121 not an SOA, the server died with an assertion failure
11122 instead of just reporting an error.
11124 36. [cleanup] Change DNS_R_SUCCESS (and others) to ISC_R_SUCCESS
11126 35. [performance] Log messages which are of a level too high to be
11127 logged by any channel in the logging configuration
11128 will not cause the log mutex to be locked.
11130 34. [bug] Recursion was allowed even with 'recursion no'.
11132 33. [func] The RBT now maintains a parent pointer at each node.
11134 32. [cleanup] bin/lwresd/client.c needs <string.h> for memset()
11137 31. [bug] Use ${LIBTOOL} to compile bin/named/main.@O@.
11139 30. [func] config file grammar change to support optional
11140 class type for a view.
11142 29. [func] support new config file view options:
11144 auth-nxdomain recursion query-source
11145 query-source-v6 transfer-source
11146 transfer-source-v6 max-transfer-time-out
11147 max-transfer-idle-out transfer-format
11148 request-ixfr provide-ixfr cleaning-interval
11149 fetch-glue notify rfc2308-type1 lame-ttl
11150 max-ncache-ttl min-roots
11152 28. [func] support lame-ttl, min-roots and serial-queries
11153 config global options.
11155 27. [bug] Only include <netinet6/in6.h> on BSD/OS 4.[01]*.
11156 Including it on other platforms (eg, NetBSD) can
11157 cause a forced #error from the C preprocessor.
11159 26. [func] new match-clients statement in config file view.
11161 25. [bug] make install failed to install <isc/log.h> and
11164 24. [cleanup] Eliminate some unnecessary #includes of header
11165 files from header files.
11167 23. [cleanup] Provide more context in log messages about client
11168 requests, using a new function ns_client_log().
11170 22. [bug] SIGs weren't returned in the answer section when
11171 the query resulted in a fetch.
11173 21. [port] Look at STD_CINCLUDES after CINCLUDES during
11174 compilation, so additional system include directories
11175 can be searched but header files in the bind9 source
11176 tree with conflicting names take precedence. This
11177 avoids issues with installed versions of dnssafe and
11180 20. [func] Configuration file post-load validation of zones
11181 failed if there were no zones.
11183 19. [bug] dns_zone_notifyreceive() failed to unlock the zone
11184 lock in certain error cases.
11186 18. [bug] Use AC_TRY_LINK rather than AC_TRY_COMPILE in
11187 configure.in to check for presence of in6addr_any.
11189 17. [func] Do configuration file post-load validation of zones.
11191 16. [bug] put quotes around key names on config file
11192 output to avoid possible keyword clashes.
11194 15. [func] Add dns_name_dupwithoffsets(). This function is
11195 improves comparison performance for duped names.
11197 14. [bug] free_rbtdb() could have 'put' unallocated memory in
11198 an unlikely error path.
11200 13. [bug] lib/dns/master.c and lib/dns/xfrin.c didn't ignore
11203 12. [bug] Fixed possible uninitialized variable error.
11205 11. [bug] axfr_rrstream_first() didn't check the result code of
11206 db_rr_iterator_first(), possibly causing an assertion
11207 to be triggered later.
11209 10. [bug] A bug in the code which makes EDNS0 OPT records in
11210 bin/named/client.c and lib/dns/resolver.c could
11211 trigger an assertion.
11213 9. [cleanup] replaced bit-setting code in confctx.c and replaced
11214 repeated code with macro calls.
11216 8. [bug] Shutdown of incoming zone transfer accessed
11219 7. [cleanup] removed 'listen-on' from view statement.
11221 6. [bug] quote RR names when generating config file to
11222 prevent possible clash with config file keywords
11225 5. [func] syntax change to named.conf file: new ssu grant/deny
11226 statements must now be enclosed by an 'update-policy'
11229 4. [port] bin/named/unix/os.c didn't compile on systems with
11230 linux 2.3 kernel includes due to conflicts between
11231 C library includes and the kernel includes. We now
11232 get only what we need from <linux/capability.h>, and
11233 avoid pulling in other linux kernel .h files.
11235 3. [bug] TKEYs go in the answer section of responses, not
11236 the additional section.
11238 2. [bug] Generating cryptographic randomness failed on
11239 systems without /dev/random.
11241 1. [bug] The installdirs rule in
11242 lib/isc/unix/include/isc/Makefile.in had a typo which
11243 prevented the isc directory from being created if it
11246 --- 9.0.0b2 released ---
11248 # This tells Emacs to use hard tabs in this file.
11250 # indent-tabs-mode: t