PageRenderTime 103ms CodeModel.GetById 40ms app.highlight 16ms RepoModel.GetById 1ms app.codeStats 2ms

/contrib/bind9/CHANGES

https://bitbucket.org/freebsd/freebsd-head/
#! | 10494 lines | 7168 code | 3326 blank | 0 comment | 0 complexity | 0d8a88fa8200f197e8df62d75b4cddbc MD5 | raw file

Large files files are truncated, but you can click here to view the full file

   1	--- 9.8.3-P4 released ---
   2
   33383.	[security]	A certain combination of records in the RBT could
   4                        cause named to hang while populating the additional
   5                        section of a response. [RT #31090]
   6
   7	--- 9.8.3-P3 released ---
   8
   93364.	[security]	Named could die on specially crafted record.
  10			[RT #30416]
  11
  12	--- 9.8.3-P2 released ---
  13
  143346.	[security]	Bad-cache data could be used before it was
  15			initialized, causing an assert. [RT #30025]
  16
  173342.	[bug]		Change #3314 broke saving of stub zones to disk
  18			resulting in excessive cpu usage in some cases.
  19			[RT #29952]
  20
  21	--- 9.8.3-P1 released ---
  22
  233331.	[security]	dns_rdataslab_fromrdataset could produce bad
  24			rdataslabs. [RT #29644]
  25			
  26	--- 9.8.3 released ---
  27
  283318.	[tuning]	Reduce the amount of work performed while holding a
  29			bucket lock when finshed with a fetch context.
  30			[RT #29239]
  31
  323314.	[bug]		The masters list could be updated while refesh_callback
  33			and stub_callback were using it. [RT #26732]
  34
  353313.	[protocol]	Add TLSA record type. [RT #28989]
  36
  373312.	[bug]		named-checkconf didn't detect a bad dns64 clients acl.
  38			[RT #27631]
  39
  403311.	[bug]		Abort the zone dump if zone->db is NULL in
  41			zone.c:zone_gotwritehandle. [RT #29028]
  42
  433310.	[test]		Increase table size for mutex profiling. [RT #28809]
  44
  453309.	[bug]		resolver.c:fctx_finddone() was not threadsafe.
  46			[RT #27995]
  47
  483307.	[bug]		Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
  49			[RT #28956]
  50
  513306.	[bug]		Improve DNS64 reverse zone performance. [RT #28563]
  52
  533305.	[func]		Add wire format lookup method to sdb. [RT #28563]
  54
  553304.	[bug]		Use hmctx, not mctx when freeing rbtdb->heaps.
  56			[RT #28571]
  57
  583302.	[bug]		dns_dnssec_findmatchingkeys could fail to find
  59			keys if the zone name contained character that
  60			required special mappings. [RT #28600]
  61
  623301.	[contrib]	Update queryperf to build on darwin.  Add -R flag
  63			for non-recursive queries. [RT #28565]
  64
  653300.	[bug]		Named could die if gssapi was enabled in named.conf
  66			but was not compiled in. [RT #28338]
  67
  683299.	[bug]		Make SDB handle errors from database drivers better.
  69			[RT #28534]
  70
  713232.	[bug]		Zero zone->curmaster before return in
  72			dns_zone_setmasterswithkeys(). [RT #26732]
  73
  743183.	[bug]		Added RTLD_GLOBAL flag to dlopen call. [RT #26301]
  75
  763197.	[bug]		Don't try to log the filename and line number when
  77			the config parser can't open a file. [RT #22263]
  78
  79	--- 9.8.2 released ---
  80
  813298.	[bug]		Named could dereference a NULL pointer in
  82			zmgr_start_xfrin_ifquota if the zone was being removed.
  83			[RT #28419]
  84
  853297.	[bug]		Named could die on a malformed master file. [RT #28467]
  86
  873295.	[bug]		Adjust isc_time_secondsastimet range check to be more
  88			portable. [RT # 26542]
  89
  903294.	[bug]		isccc/cc.c:table_fromwire failed to free alist on
  91			error. [RT #28265]
  92
  933291.	[port]		Fixed a build error on systems without ENOTSUP.
  94			[RT #28200]
  95
  963290.	[bug]		<isc/hmacsha.h> was not being installed. [RT #28169]
  97
  983288.	[bug]		dlz_destroy() function wasn't correctly registered
  99			by the DLZ dlopen driver. [RT #28056]
 100
 1013287.	[port]		Update ans.pl to work with Net::DNS 0.68. [RT #28028]
 102
 1033286.	[bug]		Managed key maintenance timer could fail to start
 104			after 'rndc reconfig'. [RT #26786]
 105
 106	--- 9.8.2rc2 released ---
 107
 1083285.	[bug]		val-frdataset was incorrectly disassociated in
 109			proveunsecure after calling startfinddlvsep.
 110			[RT #27928]
 111
 1123284.	[bug]		Address race conditions with the handling of
 113			rbtnode.deadlink. [RT #27738]
 114
 1153283.	[bug]		Raw zones with with more than 512 records in a RRset
 116			failed to load. [RT #27863]
 117
 1183282.	[bug]		Restrict the TTL of NS RRset to no more than that
 119			of the old NS RRset when replacing it.
 120			[RT #27792] [RT #27884]
 121
 1223281.	[bug]		SOA refresh queries could be treated as cancelled
 123			despite succeeding over the loopback interface.
 124			[RT #27782]
 125
 1263280.	[bug]		Potential double free of a rdataset on out of memory
 127			with DNS64. [RT #27762]
 128
 1293278.	[bug]		Make sure automatic key maintenance is started
 130			when "auto-dnssec maintain" is turned on during
 131			"rndc reconfig". [RT #26805]
 132
 1333276.	[bug]		win32: ns_os_openfile failed to return NULL on
 134			safe_open failure. [RT #27696]
 135
 1363274.	[bug]		Log when a zone is not reusable.  Only set loadtime
 137			on successful loads.  [RT #27650]
 138
 1393273.	[bug]		AAAA responses could be returned in the additional
 140			section even when filter-aaaa-on-v4 was in use.
 141			[RT #27292]
 142
 1433271.	[port]		darwin: mksymtbl is not always stable, loop several
 144			times before giving up.  mksymtbl was using non
 145			portable perl to covert 64 bit hex strings. [RT #27653]
 146
 1473268.	[bug]		Convert RRSIG expiry times to 64 timestamps to work
 148			out the earliest expiry time. [RT #23311]
 149
 1503267.	[bug]		Memory allocation failures could be mis-reported as
 151			unexpected error.  New ISC_R_UNSET result code.
 152			[RT #27336]
 153
 1543266.	[bug]		The maximum number of NSEC3 iterations for a
 155			DNSKEY RRset was not being properly computed.
 156			[RT #26543]
 157
 1583262.	[bug]		Signed responses were handled incorrectly by RPZ.
 159			[RT #27316]
 160
 161	--- 9.8.2rc1 released ---
 162
 1633260.	[bug]		"rrset-order cyclic" could appear not to rotate
 164			for some query patterns.  [RT #27170/27185]
 165
 1663259.	[bug]		named-compilezone: Suppress "dump zone to <file>"
 167			message when writing to stdout. [RT #27109]
 168
 1693258.	[test]		Add "forcing full sign with unreadable keys" test.
 170			[RT #27153]
 171
 1723257.	[bug]		Do not generate a error message when calling fsync()
 173			in a pipe or socket. [RT #27109]
 174
 1753256.	[bug]		Disable empty zones for lwresd -C. [RT #27139]
 176
 1773254.	[bug]		Set isc_socket_ipv6only() on the IPv6 control channels.
 178			[RT #22249]
 179
 1803253.	[bug]		Return DNS_R_SYNTAX when the input to a text field is
 181			too long. [RT #26956]
 182
 1833251.	[bug]		Enforce a upper bound (65535 bytes) on the amount of
 184			memory dns_sdlz_putrr() can allocate per record to
 185			prevent run away memory consumption on ISC_R_NOSPACE.
 186			[RT #26956]
 187
 1883250.	[func]		'configure --enable-developer'; turn on various
 189			configure options, normally off by default, that
 190			we want developers to build and test with. [RT #27103]
 191
 1923249.	[bug]		Update log message when saving slave zones files for
 193			analysis after load failures. [RT #27087]
 194
 1953248.	[bug]		Configure options --enable-fixed-rrset and
 196			--enable-exportlib were incompatible with each
 197			other. [RT #27087]
 198
 1993247.	[bug]		'raw' format zones failed to preserve load order
 200			breaking 'fixed' sort order. [RT #27087]
 201
 2023243.	[port]		netbsd,bsdi: the thread defaults were not being
 203			properly set.
 204
 2053241.	[bug]		Address race conditions in the resolver code.
 206			[RT #26889]
 207
 2083240.	[bug]		DNSKEY state change events could be missed. [RT #26874]
 209
 2103239.	[bug]		dns_dnssec_findmatchingkeys needs to use a consistent
 211			timestamp. [RT #26883]
 212
 2133238.	[bug]		keyrdata was not being reinitialized in
 214			lib/dns/rbtdb.c:iszonesecure. [RT#26913]
 215
 2163237.	[bug]		dig -6 didn't work with +trace. [RT #26906]
 217
 218	--- 9.8.2b1 released ---
 219
 2203234.	[bug]		'make depend' produced invalid makefiles. [RT #26830]
 221
 2223231.	[bug]		named could fail to send a uncompressable zone.
 223			[RT #26796]
 224
 2253230.	[bug]		'dig axfr' failed to properly handle a multi-message
 226			axfr with a serial of 0. [RT #26796]
 227
 2283229.	[bug]		Fix local variable to struct var assignment
 229			found by CLANG warning.
 230
 2313228.	[tuning]	Dynamically grow symbol table to improve zone
 232			loading performance. [RT #26523]
 233
 2343227.	[bug]		Interim fix to make WKS's use of getprotobyname()
 235			and getservbyname() self thread safe. [RT #26232]
 236
 2373226.	[bug]		Address minor resource leakages. [RT #26624]
 238
 2393221.	[bug]		Fixed a potential coredump on shutdown due to
 240			referencing fetch context after it's been freed.
 241			[RT #26720]
 242
 2433220.	[bug]		Change #3186 was incomplete; dns_db_rpz_findips()
 244			could fail to set the database version correctly,
 245			causing an assertion failure. [RT #26180]
 246
 2473218.	[security]	Cache lookup could return RRSIG data associated with
 248			nonexistent records, leading to an assertion
 249			failure. [RT #26590]
 250
 2513217.	[cleanup]	Fix build problem with --disable-static. [RT #26476]
 252
 2533216.	[bug]		resolver.c:validated() was not thread-safe. [RT #26478]
 254
 2553213.	[doc]		Clarify ixfr-from-differences behavior. [RT #25188]
 256
 2573212.	[bug]		rbtdb.c: failed to remove a node from the deadnodes
 258			list prior to adding a reference to it leading a
 259			possible assertion failure. [RT #23219]
 260
 2613209.	[func]		Add "dnssec-lookaside 'no'".  [RT #24858]
 262
 2633208.	[bug]		'dig -y' handle unknown tsig alorithm better.
 264			[RT #25522]
 265
 2663207.	[contrib]	Fixed build error in Berkeley DB DLZ module. [RT #26444]
 267
 2683206.	[cleanup]	Add ISC information to log at start time. [RT #25484]
 269
 2703204.	[bug]		When a master server that has been marked as
 271			unreachable sends a NOTIFY, mark it reachable
 272			again. [RT #25960]
 273
 2743203.	[bug]		Increase log level to 'info' for validation failures
 275			from expired or not-yet-valid RRSIGs. [RT #21796]
 276
 2773200.	[doc]		Some rndc functions were undocumented or were
 278			missing from 'rndc -h' output. [RT #25555]
 279
 2803198.	[doc]		Clarified that dnssec-settime can alter keyfile
 281			permissions. [RT #24866]
 282
 2833196.	[bug]		nsupdate: return nonzero exit code when target zone
 284			doesn't exist. [RT #25783]
 285
 2863195.	[cleanup]	Silence "file not found" warnings when loading
 287			managed-keys zone. [RT #26340]
 288
 2893194.	[doc]		Updated RFC references in the 'empty-zones-enable'
 290			documentation. [RT #25203]
 291
 2923193.	[cleanup]	Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
 293			dnssec.h. [RT #26415]
 294
 2953192.	[bug]		A query structure could be used after being freed.
 296			[RT #22208]
 297
 2983191.	[bug]		Print NULL records using "unknown" format. [RT #26392]
 299
 3003190.	[bug]		Underflow in error handling in isc_mutexblock_init.
 301			[RT #26397]
 302
 3033189.	[test]		Added a summary report after system tests. [RT #25517]
 304
 3053188.	[bug]		zone.c:zone_refreshkeys() could fail to detach
 306			references correctly when errors occurred, causing
 307			a hang on shutdown. [RT #26372]
 308
 3093187.	[port]		win32: support for Visual Studio 2008.  [RT #26356]
 310
 3113186.	[bug]		Version/db mis-match in rpz code. [RT #26180]
 312
 3133179.	[port]		kfreebsd: build issues. [RT #26273]
 314
 3153175.	[bug]		Fix how DNSSEC positive wildcard responses from a
 316			NSEC3 signed zone are validated.  Stop sending a
 317			unnecessary NSEC3 record when generating such
 318			responses. [RT #26200]
 319
 3203174.	[bug]		Always compute to revoked key tag from scratch.
 321			[RT #26186]
 322
 3233173.	[port]		Correctly validate root DS responses. [RT #25726]
 324
 3253171.	[bug]		Exclusively lock the task when adding a zone using
 326			'rndc addzone'.  [RT #25600]
 327
 3283170.	[func]		RPZ update:
 329			- fix precedence among competing rules
 330			- improve ARM text including documenting rule precedence
 331			- try to rewrite CNAME chains until first hit
 332			- new "rpz" logging channel
 333			- RDATA for CNAME rules can include wildcards
 334			- replace "NO-OP" named.conf policy override with
 335			  "PASSTHRU" and add "DISABLED" override ("NO-OP"
 336			  is still recognized)
 337			[RT #25172]
 338
 3393169.	[func]		Catch db/version mis-matches when calling dns_db_*().
 340			[RT #26017]
 341
 3423167.	[bug]		Negative answers from forwarders were not being
 343			correctly tagged making them appear to not be cached.
 344			[RT #25380]
 345
 3463162.	[test]		start.pl: modified to allow for "named.args" in
 347			ns*/ subdirectory to override stock arguments to
 348			named. Largely from RT#26044, but no separate ticket.
 349
 3503161.	[bug]		zone.c:del_sigs failed to always reset rdata leading
 351			assertion failures. [RT #25880]
 352
 3533157.	[tuning]	Reduce the time spent in "rndc reconfig" by parsing
 354			the config file before pausing the server. [RT #21373]
 355
 3563155.	[bug]		Fixed a build failure when using contrib DLZ
 357			drivers (e.g., mysql, postgresql, etc). [RT #25710]
 358
 3593154.	[bug]		Attempting to print an empty rdataset could trigger
 360			an assert. [RT #25452]
 361
 3623152.	[cleanup]	Some versions of gcc and clang failed due to
 363			incorrect use of __builtin_expect. [RT #25183]
 364
 3653151.	[bug]		Queries for type RRSIG or SIG could be handled
 366			incorrectly.  [RT #21050]
 367
 3683148.	[bug]		Processing of normal queries could be stalled when
 369			forwarding a UPDATE message. [RT #24711]
 370
 3713146.	[test]		Fixed gcc4.6.0 errors in ATF. [RT #25598]
 372
 3733145.	[test]		Capture output of ATF unit tests in "./atf.out" if
 374			there were any errors while running them. [RT #25527]
 375
 3763144.	[bug]		dns_dbiterator_seek() could trigger an assert when
 377			used with a nonexistent database node. [RT #25358]
 378
 3793143.	[bug]		Silence clang compiler warnings. [RT #25174]
 380
 3813139.	[test]		Added tests from RFC 6234, RFC 2202, and RFC 1321
 382			for the hashing algorithms (md5, sha1 - sha512, and
 383			their hmac counterparts).  [RT #25067]
 384
 385	--- 9.8.1 released ---
 386
 387	--- 9.8.1rc1 released ---
 388
 3893141.	[bug]		Silence spurious "zone serial (0) unchanged" messages
 390			associated with empty zones. [RT #25079]
 391
 3923138.	[bug]		Address memory leaks and out-of-order operations when
 393			shutting named down. [RT #25210]
 394
 3953136.	[func]		Add RFC 1918 reverse zones to the list of built-in
 396			empty zones switched on by the 'empty-zones-enable'
 397			option. [RT #24990]
 398
 399			Note: empty-zones-enable must be "yes;" or a empty
 400			zone needs to be disabled in named.conf for RFC 1918
 401			zones to be activated.  This requirement may be
 402			removed in future releases.
 403
 4043135.	[port]		FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
 405			See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
 406			[RT #24950]
 407
 4083134.	[bug]		Improve the accuracy of dnssec-signzone's signing
 409			statistics. [RT #16030]
 410
 411	--- 9.8.1b3 released ---
 412
 4133133.	[bug]		Change #3114 was incomplete. [RT #24577]
 414
 4153131.	[tuning]	Improve scalability by allocating one zone task
 416			per 100 zones at startup time, rather than using a
 417			fixed-size task table. [RT #24406]
 418
 4193129.	[bug]		Named could crash on 'rndc reconfig' when
 420			allow-new-zones was set to yes and named ACLs
 421			were used. [RT #22739]
 422
 423	--- 9.8.1b2 released ---
 424
 4253126.	[security]	Using DNAME record to generate replacements caused
 426			RPZ to exit with a assertion failure. [RT #24766]
 427
 4283125.	[security]	Using wildcard CNAME records as a replacement with
 429			RPZ caused named to exit with a assertion failure.
 430			[RT #24715]
 431
 4323124.	[bug]		Use an rdataset attribute flag to indicate
 433			negative-cache records rather than using rrtype 0;
 434			this will prevent problems when that rrtype is
 435			used in actual DNS packets. [RT #24777]
 436
 4373123.	[security]	Change #2912 exposed a latent flaw in
 438			dns_rdataset_totext() that could cause named to
 439			crash with an assertion failure. [RT #24777]
 440
 4413122.	[cleanup]	dnssec-settime: corrected usage message. [RT #24664]
 442
 4433121.	[security]	An authoritative name server sending a negative
 444			response containing a very large RRset could
 445			trigger an off-by-one error in the ncache code
 446			and crash named. [RT #24650]
 447
 4483120.	[bug]		Named could fail to validate zones listed in a DLV
 449			that validated insecure without using DLV and had
 450			DS records in the parent zone. [RT #24631]
 451
 4523119.	[bug]		When rolling to a new DNSSEC key, a private-type
 453			record could be created and never marked complete.
 454			[RT #23253]
 455
 4563118.	[bug]		nsupdate could dump core on shutdown when using
 457			SIG(0) keys. [RT #24604]
 458
 4593117.	[cleanup]	Remove doc and parser references to the
 460			never-implemented 'auto-dnssec create' option.
 461			[RT #24533]
 462
 4633115.	[bug]		Named could fail to return requested data when
 464			following a CNAME that points into the same zone.
 465			[RT #24455]
 466
 4673114.	[bug]		Retain expired RRSIGs in dynamic zones if key is
 468			inactive and there is no replacement key. [RT #23136]
 469
 4703113.	[doc]		Document the relationship between serial-query-rate
 471			and NOTIFY messages.
 472
 473	--- 9.8.1b1 released ---
 474
 4753112.	[doc]		Add missing descriptions of the update policy name
 476			types "ms-self", "ms-subdomain", "krb5-self" and
 477			"krb5-subdomain", which allow machines to update
 478			their own records, to the BIND 9 ARM.
 479
 4803111.	[bug]		Improved consistency checks for dnssec-enable and
 481			dnssec-validation, added test cases to the
 482			checkconf system test. [RT #24398]
 483
 4843110.	[bug]		dnssec-signzone: Wrong error message could appear
 485			when attempting to sign with no KSK. [RT #24369]
 486
 4873107.	[bug]		dnssec-signzone: Report the correct number of ZSKs
 488			when using -x. [RT #20852]
 489
 4903105.	[bug]		GOST support can be suppressed by "configure
 491			--without-gost" [RT #24367]
 492
 4933104.	[bug]		Better support for cross-compiling. [RT #24367]
 494
 4953103.	[bug]		Configuring 'dnssec-validation auto' in a view
 496			instead of in the options statement could trigger
 497			an assertion failure in named-checkconf. [RT #24382]
 498
 4993101.	[bug]		Zones using automatic key maintenance could fail
 500			to check the key repository for updates. [RT #23744]
 501
 5023100.	[security]	Certain response policy zone configurations could
 503			trigger an INSIST when receiving a query of type
 504			RRSIG. [RT #24280]
 505
 5063099.	[test]		"dlz" system test now runs but gives R:SKIPPED if
 507			not compiled with --with-dlz-filesystem.  [RT #24146]
 508
 5093098.	[bug]		DLZ zones were answering without setting the AA bit.
 510			[RT #24146]
 511
 5123097.	[test]		Add a tool to test handling of malformed packets.
 513			[RT #24096]
 514
 5153096.	[bug]		Set KRB5_KTNAME before calling log_cred() in
 516			dst_gssapi_acceptctx(). [RT #24004]
 517
 5183095.	[bug]		Handle isolated reserved ports in the port range.
 519			[RT #23957]
 520
 5213094.	[doc]		Expand dns64 documentation.
 522
 5233093.	[bug]		Fix gssapi/kerberos dependencies [RT #23836]
 524
 5253092.	[bug]		Signatures for records at the zone apex could go
 526			stale due to an incorrect timer setting. [RT #23769]
 527
 5283091.	[bug]		Fixed a bug in which zone keys that were published
 529			and then subsequently activated could fail to trigger
 530			automatic signing. [RT #22911]
 531
 5323090.	[func]		Make --with-gssapi default [RT #23738]
 533
 5343088.	[bug]		Remove bin/tests/system/logfileconfig/ns1/named.conf
 535			and add setup.sh in order to resolve changing
 536			named.conf issue.  [RT #23687]
 537
 5383087.	[bug]		DDNS updates using SIG(0) with update-policy match
 539			type "external" could cause a crash. [RT #23735]
 540
 5413086.	[bug]		Running dnssec-settime -f on an old-style key will
 542			now force an update to the new key format even if no
 543			other change has been specified, using "-P now -A now"
 544			as default values.  [RT #22474]
 545
 5463083.	[bug]		NOTIFY messages were not being sent when generating
 547			a NSEC3 chain incrementally. [RT #23702]
 548
 5493082.	[port]		strtok_r is threads only. [RT #23747]
 550
 5513081.	[bug]		Failure of DNAME substitution did not return
 552			YXDOMAIN. [RT #23591]
 553
 5543080.	[cleanup]	Replaced compile time constant by STDTIME_ON_32BITS.
 555			[RT #23587]
 556
 5573079.	[bug]		Handle isc_event_allocate failures in t_tasks.
 558			[RT #23572]
 559
 5603078.	[func]		Added a new include file with function typedefs
 561			for the DLZ "dlopen" driver. [RT #23629]
 562
 5633077.	[bug]		zone.c:zone_refreshkeys() incorrectly called
 564			dns_zone_attach(), use zone->irefs instead. [RT #23303]
 565
 5663075.	[bug]		dns_dnssec_findzonekeys{2} used a inconsistant
 567			timestamp when determining which keys are active.
 568			[RT #23642]
 569
 5703074.	[bug]		Make the adb cache read through for zone data and
 571			glue learn for zone named is authoritative for.
 572			[RT #22842]
 573
 5743073.	[bug]		managed-keys changes were not properly being recorded.
 575			[RT #20256]
 576
 5773072.	[bug]		dns_dns64_aaaaok() potential NULL pointer dereference.
 578			[RT #20256]
 579
 5803071.	[bug]		has_nsec could be used unintialised in
 581			update.c:next_active. [RT #20256]
 582
 5833070.	[bug]		dnssec-signzone potential NULL pointer dereference.
 584			[RT #20256]
 585
 5863069.	[cleanup]	Silence warnings messages from clang static analysis.
 587			[RT #20256]
 588
 5893068.	[bug]		Named failed to build with a OpenSSL without engine
 590			support. [RT #23473]
 591
 5923067.	[bug]		ixfr-from-differences {master|slave}; failed to
 593			select the master/slave zones.  [RT #23580]
 594
 5953066.	[func]		The DLZ "dlopen" driver is now built by default,
 596			no longer requiring a configure option.  To
 597			disable it, use "configure --without-dlopen".
 598			(Note: driver not supported on win32.) [RT #23467]
 599
 6003065.	[bug]		RRSIG could have time stamps too far in the future.
 601			[RT #23356]
 602
 6033064.	[bug]		powerpc: add sync instructions to the end of atomic
 604			operations. [RT #23469]
 605
 6063063.	[contrib]	More verbose error reporting from DLZ LDAP. [RT #23402]
 607
 6083059.	[test]		Added a regression test for change #3023.
 609
 6103058.	[bug]		Cause named to terminate at startup or rndc reconfig/
 611			reload to fail, if a log file specified in the conf
 612			file isn't a plain file. [RT #22771]
 613
 6143057.	[bug]		"rndc secroots" would abort after the first error
 615			and so could miss some views. [RT #23488]
 616
 6173054.	[bug]		Added elliptic curve support check in
 618			GOST OpenSSL engine detection. [RT #23485]
 619
 6203053.	[bug]		Under a sustained high query load with a finite
 621			max-cache-size, it was possible for cache memory
 622			to be exhausted and not recovered. [RT #23371]
 623
 6243052.	[test]		Fixed last autosign test report. [RT #23256]
 625
 6263051.	[bug]		NS records obsure DNAME records at the bottom of the
 627			zone if both are present. [RT #23035]
 628
 6293050.	[bug]		The autosign system test was timing dependent.
 630			Wait for the initial autosigning to complete
 631			before running the rest of the test. [RT #23035]
 632
 6333049.	[bug]		Save and restore the gid when creating creating
 634			named.pid at startup. [RT #23290]
 635
 6363048.	[bug]		Fully separate view key mangement. [RT #23419]
 637
 6383047.	[bug]		DNSKEY NODATA responses not cached fixed in
 639			validator.c. Tests added to dnssec system test.
 640			[RT #22908]
 641
 6423046.	[bug]		Use RRSIG original TTL to compute validated RRset
 643			and RRSIG TTL. [RT #23332]
 644
 6453044.	[bug]		Hold the socket manager lock while freeing the socket.
 646			[RT #23333]
 647
 6483043.	[test]		Merged in the NetBSD ATF test framework (currently
 649			version 0.12) for development of future unit tests.
 650			Use configure --with-atf to build ATF internally
 651			or configure --with-atf=prefix to use an external
 652			copy.  [RT #23209]
 653
 6543042.	[bug]		dig +trace could fail attempting to use IPv6
 655			addresses on systems with only IPv4 connectivity.
 656			[RT #23297]
 657
 6583041.	[bug]		dnssec-signzone failed to generate new signatures on
 659			ttl changes. [RT #23330]
 660
 6613040.	[bug]		Named failed to validate insecure zones where a node
 662			with a CNAME existed between the trust anchor and the
 663			top of the zone. [RT #23338]
 664
 6653038.	[bug]		Install <dns/rpz.h>.  [RT #23342]
 666
 6673037.	[doc]		Update COPYRIGHT to contain all the individual
 668			copyright notices that cover various parts.
 669
 6703036.	[bug]		Check built-in zone arguments to see if the zone
 671			is re-usable or not. [RT #21914]
 672
 6733035.	[cleanup]	Simplify by using strlcpy. [RT #22521]
 674
 6753034.	[cleanup]	nslookup: use strlcpy instead of safecopy. [RT #22521]
 676
 6773033.	[cleanup]	Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).
 678			[RT #22521]
 679
 6803032.	[bug]		rdatalist.c: add missing REQUIREs. [RT #22521]
 681
 6823031.	[bug]		dns_rdataclass_format() handle a zero sized buffer.
 683			[RT #22521]
 684
 6853030.	[bug]		dns_rdatatype_format() handle a zero sized buffer.
 686			[RT #22521]
 687
 6883029.	[bug]		isc_netaddr_format() handle a zero sized buffer.
 689			[RT #22521]
 690
 6913028.	[bug]		isc_sockaddr_format() handle a zero sized buffer.
 692			[RT #22521]
 693
 6943027.	[bug]		Add documented REQUIREs to cfg_obj_asnetprefix() to
 695			catch NULL pointer dereferences before they happen.
 696			[RT #22521]
 697
 6983026.	[bug]		lib/isc/httpd.c: check that we have enough space
 699			after calling grow_headerspace() and if not
 700			re-call grow_headerspace() until we do. [RT #22521]
 701
 702	--- 9.8.0 released ---
 703
 7043025.	[bug]		Fixed a possible deadlock due to zone resigning.
 705			[RT #22964]
 706
 7073024.	[func]		RTT Banding removed due to minor security increase
 708			but major impact on resolver latency. [RT #23310]
 709
 7103023.	[bug]		Named could be left in an inconsistent state when
 711			receiving multiple AXFR response messages that were
 712			not all TSIG-signed. [RT #23254]
 713
 7143022.	[bug]		Fixed rpz SERVFAILs after failed zone transfers
 715			[RT #23246]
 716
 7173021.	[bug]		Change #3010 was incomplete. [RT #22296]
 718
 7193020.	[bug]		auto-dnssec failed to correctly update the zone when
 720			changing the DNSKEY RRset. [RT #23232]
 721
 7223019.	[test]		Test: check apex NSEC3 records after adding DNSKEY
 723			record via UPDATE. [RT #23229]
 724
 725	--- 9.8.0rc1 released ---
 726
 7273018.	[bug]		Named failed to check for the "none;" acl when deciding
 728			if a zone may need to be re-signed. [RT #23120]
 729
 7303017.	[doc]		dnssec-keyfromlabel -I was not properly documented.
 731			[RT #22887]
 732
 7333016.	[bug]		rndc usage missing '-b'. [RT #22937]
 734
 7353015.	[port]		win32: fix IN6_IS_ADDR_LINKLOCAL and
 736			IN6_IS_ADDR_SITELOCAL macros. [RT #22724]
 737
 7383013.	[bug]		The DNS64 ttl was not always being set as expected.
 739			[RT #23034]
 740
 7413012.	[bug]		Remove DNSKEY TTL change pairs before generating
 742			signing records for any remaining DNSKEY changes.
 743			[RT #22590]
 744
 7453011.	[func]		Allow setting this in named.conf using the new
 746			'resolver-query-timeout' option, which specifies a max
 747			time in seconds.  0 means 'default' and anything longer
 748			than 30 will be silently set to 30. [RT #22852]
 749
 7503010.	[bug]		Fixed a bug where "rndc reconfig" stopped the timer
 751			for refreshing managed-keys. [RT #22296]
 752
 7533009.	[bug]		clients-per-query code didn't work as expected with
 754			particular query patterns. [RT #22972]
 755
 756	--- 9.8.0b1 released ---
 757
 7583008.	[func]		Response policy zones (RPZ) support. [RT #21726]
 759
 7603007.	[bug]		Named failed to preserve the case of domain names in
 761			rdata which is not compressible when writing master
 762			files.  [RT #22863]
 763
 7643006.	[func]		Allow dynamically generated TSIG keys to be preserved
 765			across restarts of named.  Initially this is for
 766			TSIG keys generated using GSSAPI. [RT #22639]
 767
 7683005.	[port]		Solaris: Work around the lack of
 769			gsskrb5_register_acceptor_identity() by setting
 770			the KRB5_KTNAME environment variable to the
 771			contents of tkey-gssapi-keytab.  Also fixed
 772			test errors on MacOSX.  [RT #22853]
 773
 7743004.	[func]		DNS64 reverse support. [RT #22769]
 775
 7763003.	[experimental]	Added update-policy match type "external",
 777			enabling named to defer the decision of whether to
 778			allow a dynamic update to an external daemon.
 779			(Contributed by Andrew Tridgell.) [RT #22758]
 780
 7813002.	[bug]		isc_mutex_init_errcheck() failed to destroy attr.
 782			[RT #22766]
 783
 7843001.	[func]		Added a default trust anchor for the root zone, which
 785			can be switched on by setting "dnssec-validation auto;"
 786			in the named.conf options. [RT #21727]
 787
 7883000.	[bug]		More TKEY/GSS fixes:
 789			 - nsupdate can now get the default realm from
 790			   the user's Kerberos principal
 791			 - corrected gsstest compilation flags
 792			 - improved documentation
 793			 - fixed some NULL dereferences
 794			[RT #22795]
 795
 7962999.	[func]		Add GOST support (RFC 5933). [RT #20639]
 797
 7982998.	[func]		Add isc_task_beginexclusive and isc_task_endexclusive
 799			to the task api. [RT #22776]
 800
 8012997.	[func]		named -V now reports the OpenSSL and libxml2 verions
 802			it was compiled against. [RT #22687]
 803
 8042996.	[security]	Temporarily disable SO_ACCEPTFILTER support.
 805			[RT #22589]
 806
 8072995.	[bug]		The Kerberos realm was not being correctly extracted
 808			from the signer's identity. [RT #22770]
 809
 8102994.	[port]		NetBSD: use pthreads by default on NetBSD >= 5.0, and
 811			do not use threads on earlier versions.  Also kill
 812			the unproven-pthreads, mit-pthreads, and ptl2 support.
 813
 8142993.	[func]		Dynamically grow adb hash tables. [RT #21186]
 815
 8162992.	[contrib]	contrib/check-secure-delegation.pl:  A simple tool
 817			for looking at a secure delegation. [RT #22059]
 818
 8192991.	[contrib]	contrib/zone-edit.sh: A simple zone editing tool for
 820			dynamic zones. [RT #22365]
 821
 8222990.	[bug]		'dnssec-settime -S' no longer tests prepublication
 823			interval validity when the interval is set to 0.
 824			[RT #22761]
 825
 8262989.	[func]		Added support for writable DLZ zones. (Contributed
 827			by Andrew Tridgell of the Samba project.) [RT #22629]
 828
 8292988.	[experimental]	Added a "dlopen" DLZ driver, allowing the creation
 830			of external DLZ drivers that can be loaded as
 831			shared objects at runtime rather than linked with
 832			named.  Currently this is switched on via a
 833			compile-time option, "configure --with-dlz-dlopen".
 834			Note: the syntax for configuring DLZ zones
 835			is likely to be refined in future releases.
 836			(Contributed by Andrew Tridgell of the Samba
 837			project.) [RT #22629]
 838
 8392987.	[func]		Improve ease of configuring TKEY/GSS updates by
 840			adding a "tkey-gssapi-keytab" option.  If set,
 841			updates will be allowed with any key matching
 842			a principal in the specified keytab file.
 843			"tkey-gssapi-credential" is no longer required
 844			and is expected to be deprecated.  (Contributed
 845			by Andrew Tridgell of the Samba project.)
 846			[RT #22629]
 847
 8482986.	[func]		Add new zone type "static-stub".  It's like a stub
 849			zone, but the nameserver names and/or their IP
 850			addresses are statically configured. [RT #21474]
 851
 8522985.	[bug]		Add a regression test for change #2896. [RT #21324]
 853
 8542984.	[bug]		Don't run MX checks when the target of the MX record
 855			is ".".  [RT #22645]
 856
 8572983.	[bug]		Include "loadkeys" in rndc help output. [RT #22493]
 858
 859	--- 9.8.0a1 released ---
 860
 8612982.	[bug]		Reference count dst keys.  dst_key_attach() can be used
 862			increment the reference count.
 863
 864			Note: dns_tsigkey_createfromkey() callers should now
 865			always call dst_key_free() rather than setting it
 866			to NULL on success. [RT #22672]
 867
 8682981.	[func]		Partial DNS64 support (AAAA synthesis). [RT #21991]
 869
 8702980.	[bug]		named didn't properly handle UPDATES that changed the
 871			TTL of the NSEC3PARAM RRset. [RT #22363]
 872
 8732979.	[bug]		named could deadlock during shutdown if two
 874			"rndc stop" commands were issued at the same
 875			time. [RT #22108]
 876
 8772978.	[port]		hpux: look for <devpoll.h> [RT #21919]
 878
 8792977.	[bug]		'nsupdate -l' report if the session key is missing.
 880			[RT #21670]
 881
 8822976.	[bug]		named could die on exit after negotiating a GSS-TSIG
 883			key. [RT #22573]
 884
 8852975.	[bug]		rbtdb.c:cleanup_dead_nodes_callback() acquired the
 886			wrong lock which could lead to server deadlock.
 887			[RT #22614]
 888
 8892974.	[bug]		Some valid UPDATE requests could fail due to a
 890			consistency check examining the existing version
 891			of the zone rather than the new version resulting
 892			from the UPDATE. [RT #22413]
 893
 8942973.	[bug]		bind.keys.h was being removed by the "make clean"
 895			at the end of configure resulting in build failures
 896			where there is very old version of perl installed.
 897			Move it to "make maintainer-clean". [RT #22230]
 898
 8992972.	[bug]		win32: address windows socket errors. [RT #21906]
 900
 9012971.	[bug]		Fixed a bug that caused journal files not to be
 902			compacted on Windows systems as a result of
 903			non-POSIX-compliant rename() semantics. [RT #22434]
 904
 9052970.	[security]	Adding a NO DATA negative cache entry failed to clear
 906			any matching RRSIG records.  A subsequent lookup of
 907			of NO DATA cache entry could trigger a INSIST when the
 908			unexpected RRSIG was also returned with the NO DATA
 909			cache entry.
 910
 911			CVE-2010-3613, VU#706148. [RT #22288]
 912
 9132969.	[security]	Fix acl type processing so that allow-query works
 914			in options and view statements.  Also add a new
 915			set of tests to verify proper functioning.
 916
 917			CVE-2010-3615, VU#510208. [RT #22418]
 918
 9192968.	[security]	Named could fail to prove a data set was insecure
 920			before marking it as insecure.  One set of conditions
 921			that can trigger this occurs naturally when rolling
 922			DNSKEY algorithms.
 923
 924			CVE-2010-3614, VU#837744. [RT #22309]
 925
 9262967.	[bug]		'host -D' now turns on debugging messages earlier.
 927			[RT #22361]
 928
 9292966.	[bug]		isc_print_vsnprintf() failed to check if there was
 930			space available in the buffer when adding a left
 931			justified character with a non zero width,
 932			(e.g. "%-1c"). [RT #22270]
 933
 9342965.	[func]		Test HMAC functions using test data from RFC 2104 and
 935			RFC 4634. [RT #21702]
 936
 9372964.	[placeholder]
 938
 9392963.	[security]	The allow-query acl was being applied instead of the
 940			allow-query-cache acl to cache lookups. [RT #22114]
 941
 9422962.	[port]		win32: add more dependencies to BINDBuild.dsw.
 943			[RT #22062]
 944
 9452961.	[bug]		Be still more selective about the non-authoritative
 946			answers we apply change 2748 to. [RT #22074]
 947
 9482960.	[func]		Check that named accepts non-authoritative answers.
 949			[RT #21594]
 950
 9512959.	[func]		Check that named starts with a missing masterfile.
 952			[RT #22076]
 953
 9542958.	[bug]		named failed to start with a missing master file.
 955			[RT #22076]
 956
 9572957.	[bug]		entropy_get() and entropy_getpseudo() failed to match
 958			the API for RAND_bytes() and RAND_pseudo_bytes()
 959			respectively. [RT #21962]
 960
 9612956.	[port]		Enable atomic operations on the PowerPC64. [RT #21899]
 962
 9632955.	[func]		Provide more detail in the recursing log. [RT #22043]
 964
 9652954.	[bug]		contrib: dlz_mysql_driver.c bad error handling on
 966			build_sqldbinstance failure. [RT #21623]
 967
 9682953.	[bug]		Silence spurious "expected covering NSEC3, got an
 969			exact match" message when returning a wildcard
 970			no data response. [RT #21744]
 971
 9722952.	[port]		win32: named-checkzone and named-checkconf failed
 973			to initialise winsock. [RT #21932]
 974
 9752951.	[bug]		named failed to generate a correct signed response
 976			in a optout, delegation only zone with no secure
 977			delegations. [RT #22007]
 978
 9792950.	[bug]		named failed to perform a SOA up to date check when
 980			falling back to TCP on UDP timeouts when
 981			ixfr-from-differences was set. [RT #21595]
 982
 9832949.	[bug]		dns_view_setnewzones() contained a memory leak if
 984			it was called multiple times. [RT #21942]
 985
 9862948.	[port]		MacOS: provide a mechanism to configure the test
 987			interfaces at reboot. See bin/tests/system/README
 988			for details.
 989
 9902947.	[placeholder]
 991
 9922946.	[doc]		Document the default values for the minimum and maximum
 993			zone refresh and retry values in the ARM. [RT #21886]
 994
 9952945.	[doc]		Update empty-zones list in ARM. [RT #21772]
 996
 9972944.	[maint]		Remove ORCHID prefix from built in empty zones.
 998			[RT #21772]
 999
10002943.	[func]		Add support to load new keys into managed zones
1001			without signing immediately with "rndc loadkeys".
1002			Add support to link keys with "dnssec-keygen -S"
1003			and "dnssec-settime -S".  [RT #21351]
1004
10052942.	[contrib]	zone2sqlite failed to setup the entropy sources.
1006			[RT #21610]
1007
10082941.	[bug]		sdb and sdlz (dlz's zone database) failed to support
1009			DNAME at the zone apex.  [RT #21610]
1010
10112940.	[port]		Remove connection aborted error message on
1012			Windows. [RT #21549]
1013
10142939.	[func]		Check that named successfully skips NSEC3 records
1015			that fail to match the NSEC3PARAM record currently
1016			in use. [RT# 21868]
1017
10182938.	[bug]		When generating signed responses, from a signed zone
1019			that uses NSEC3, named would use a uninitialised
1020			pointer if it needed to skip a NSEC3 record because
1021			it didn't match the selected NSEC3PARAM record for
1022			zone. [RT# 21868]
1023
10242937.	[bug]		Worked around an apparent race condition in over
1025			memory conditions.  Without this fix a DNS cache DB or
1026			ADB could incorrectly stay in an over memory state,
1027			effectively refusing further caching, which
1028			subsequently made a BIND 9 caching server unworkable.
1029			This fix prevents this problem from happening by
1030			polling the state of the memory context, rather than
1031			making a copy of the state, which appeared to cause
1032			a race.  This is a "workaround" in that it doesn't
1033			solve the possible race per se, but several experiments
1034			proved this change solves the symptom.  Also, the
1035			polling overhead hasn't been reported to be an issue.
1036			This bug should only affect a caching server that
1037			specifies a finite max-cache-size.  It's also quite
1038			likely that the bug happens only when enabling threads,
1039			but it's not confirmed yet. [RT #21818]
1040
10412936.	[func]		Improved configuration syntax and multiple-view
1042			support for addzone/delzone feature (see change
1043			#2930).  Removed "new-zone-file" option, replaced
1044			with "allow-new-zones (yes|no)".  The new-zone-file
1045			for each view is now created automatically, with
1046			a filename generated from a hash of the view name.
1047			It is no longer necessary to "include" the
1048			new-zone-file in named.conf; this happens
1049			automatically.  Zones that were not added via
1050			"rndc addzone" can no longer be removed with
1051			"rndc delzone". [RT #19447]
1052
10532935.	[bug]		nsupdate: improve 'file not found' error message.
1054			[RT #21871]
1055
10562934.	[bug]		Use ANSI C compliant shift range in lib/isc/entropy.c.
1057			[RT #21871]
1058
10592933.	[bug]		'dig +nsid' used stack memory after it went out of
1060			scope.  This could potentially result in a unknown,
1061			potentially malformed, EDNS option being sent instead
1062			of the desired NSID option. [RT #21781]
1063
10642932.	[cleanup]	Corrected a numbering error in the "dnssec" test.
1065			[RT #21597]
1066
10672931.	[bug]		Temporarily and partially disable change 2864
1068			because it would cause infinite attempts of RRSIG
1069			queries.  This is an urgent care fix; we'll
1070			revisit the issue and complete the fix later.
1071			[RT #21710]
1072
10732930.	[experimental]	New "rndc addzone" and "rndc delzone" commads
1074			allow dynamic addition and deletion of zones.
1075			To enable this feature, specify a "new-zone-file"
1076			option at the view or options level in named.conf.
1077			Zone configuration information for the new zones
1078			will be written into that file.  To make the new
1079			zones persist after a restart, "include" the file
1080			into named.conf in the appropriate view.  (Note:
1081			This feature is not yet documented, and its syntax
1082			is expected to change.) [RT #19447]
1083
10842929.	[bug]		Improved handling of GSS security contexts:
1085			 - added LRU expiration for generated TSIGs
1086			 - added the ability to use a non-default realm
1087			 - added new "realm" keyword in nsupdate
1088			 - limited lifetime of generated keys to 1 hour
1089			   or the lifetime of the context (whichever is
1090			   smaller)
1091			[RT #19737]
1092
10932928.	[bug]		Be more selective about the non-authoritative
1094			answer we apply change 2748 to. [RT #21594]
1095
10962927.	[placeholder]
1097
10982926.	[placeholder]
1099
11002925.	[bug]		Named failed to accept uncachable negative responses
1101			from insecure zones. [RT# 21555]
1102
11032924.	[func]		'rndc  secroots'  dump a combined summary of the
1104			current managed keys combined with trusted keys.
1105			[RT #20904]
1106
11072923.	[bug]		'dig +trace' could drop core after "connection
1108			timeout". [RT #21514]
1109
11102922.	[contrib]	Update zkt to version 1.0.
1111
11122921.	[bug]		The resolver could attempt to destroy a fetch context
1113			too soon.  [RT #19878]
1114
11152920.	[func]		Allow 'filter-aaaa-on-v4' to be applied selectively
1116			to IPv4 clients.  New acl 'filter-aaaa' (default any).
1117
11182919.	[func]		Add autosign-ksk and autosign-zsk virtual time tests.
1119			[RT #20840]
1120
11212918.	[maint]		Add AAAA address for I.ROOT-SERVERS.NET.
1122
11232917.	[func]		Virtual time test framework. [RT #20801]
1124
11252916.	[func]		Add framework to use IPv6 in tests.
1126			fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7
1127
11282915.	[cleanup]	Be smarter about which objects we attempt to compile
1129			based on configure options. [RT #21444]
1130
11312914.	[bug]		Make the "autosign" system test more portable.
1132			[RT #20997]
1133
11342913.	[func]		Add pkcs#11 system tests. [RT #20784]
1135
11362912.	[func]		Windows clients don't like UPDATE responses that clear
1137			the zone section. [RT #20986]
1138
11392911.	[bug]		dnssec-signzone didn't handle out of zone records well.
1140			[RT #21367]
1141
11422910.	[func]		Sanity check Kerberos credentials. [RT #20986]
1143
11442909.	[bug]		named-checkconf -p could die if "update-policy local;"
1145			was specified in named.conf. [RT #21416]
1146
11472908.	[bug]		It was possible for re-signing to stop after removing
1148			a DNSKEY. [RT #21384]
1149
11502907.	[bug]		The export version of libdns had undefined references.
1151			[RT #21444]
1152
11532906.	[bug]		Address RFC 5011 implementation issues. [RT #20903]
1154
11552905.	[port]		aix: set use_atomic=yes with native compiler.
1156			[RT #21402]
1157
11582904.	[bug]		When using DLV, sub-zones of the zones in the DLV,
1159			could be incorrectly marked as insecure instead of
1160			secure leading to negative proofs failing.  This was
1161			a unintended outcome from change 2890. [RT# 21392]
1162
11632903.	[bug]		managed-keys-directory missing from namedconf.c.
1164			[RT #21370]
1165
11662902.	[func]		Add regression test for change 2897. [RT #21040]
1167
11682901.	[port]		Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]
1169
11702900.	[bug]		The placeholder negative caching element was not
1171			properly constructed triggering a INSIST in
1172			dns_ncache_towire(). [RT #21346]
1173
11742899.	[port]		win32: Support linking against OpenSSL 1.0.0.
1175
11762898.	[bug]		nslookup leaked memory when -domain=value was
1177			specified. [RT #21301]
1178
11792897.	[bug]		NSEC3 chains could be left behind when transitioning
1180			to insecure. [RT #21040]
1181
11822896.	[bug]		"rndc sign" failed to properly update the zone
1183			when adding a DNSKEY for publication only. [RT #21045]
1184
11852895.	[func]		genrandom: add support for the generation of multiple
1186			files.  [RT #20917]
1187
11882894.	[contrib]	DLZ LDAP support now use '$' not '%'. [RT #21294]
1189
11902893.	[bug]		Improve managed keys support.  New named.conf option
1191			managed-keys-directory. [RT #20924]
1192
11932892.	[bug]		Handle REVOKED keys better. [RT #20961]
1194
11952891.	[maint]		Update empty-zones list to match
1196			draft-ietf-dnsop-default-local-zones-13. [RT# 21099]
1197
11982890.	[bug]		Handle the introduction of new trusted-keys and
1199			DS, DLV RRsets better. [RT #21097]
1200
12012889.	[bug]		Elements of the grammar where not properly reported.
1202			[RT #21046]
1203
12042888.	[bug]		Only the first EDNS option was displayed. [RT #21273]
1205
12062887.	[bug]		Report the keytag times in UTC in the .key file,
1207			local time is presented as a comment within the
1208			comment.  [RT #21223]
1209
12102886.	[bug]		ctime() is not thread safe. [RT #21223]
1211
12122885.	[bug]		Improve -fno-strict-aliasing support probing in
1213			configure. [RT #21080]
1214
12152884.	[bug]		Insufficient validation in dns_name_getlabelsequence().
1216			[RT #21283]
1217
12182883.	[bug]		'dig +short' failed to handle really large datasets.
1219			[RT #21113]
1220
12212882.	[bug]		Remove memory context from list of active contexts
1222			before clearing 'magic'. [RT #21274]
1223
12242881.	[bug]		Reduce the amount of time the rbtdb write lock
1225			is held when closing a version. [RT #21198]
1226
12272880.	[cleanup]	Make the output of dnssec-keygen and dnssec-revoke
1228			consistent. [RT #21078]
1229
12302879.	[contrib]	DLZ bdbhpt driver fails to close correct cursor.
1231			[RT #21106]
1232
12332878.	[func]		Incrementally write the master file after performing
1234			a AXFR.  [RT #21010]
1235
12362877.	[bug]		The validator failed to skip obviously mismatching
1237			RRSIGs. [RT #21138]
1238
12392876.	[bug]		Named could return SERVFAIL for negative responses
1240			from unsigned zones. [RT #21131]
1241
12422875.	[bug]		dns_time64_fromtext() could accept non digits.
1243			[RT #21033]
1244
12452874.	[bug]		Cache lack of EDNS support only after the server
1246			successfully responds to the query using plain DNS.
1247			[RT #20930]
1248
12492873.	[bug]		Cancelling a dynamic update via the dns/client module
1250			could trigger an assertion failure. [RT #21133]
1251
12522872.	[bug]		Modify dns/client.c:dns_client_createx() to only
1253			require one of IPv4 or IPv6 rather than both.
1254			[RT #21122]
1255
12562871.	[bug]		Type mismatch in mem_api.c between the definition and
1257			the header file, causing build failure with
1258			--enable-exportlib. [RT #21138]
1259
12602870.	[maint]		Add AAAA address for L.ROOT-SERVERS.NET.
1261
12622869.	[bug]		Fix arguments to dns_keytable_findnextkeynode() call.
1263			[RT #20877]
1264
12652868.	[cleanup]	Run "make clean" at the end of configure to ensure
1266			any changes made by configure are integrated.
1267			Use --with-make-clean=no to disable.  [RT #20994]
1268
12692867.	[bug]		Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
1270			don't like it.  [RT #20986]
1271
12722866.	[bug]		Windows does not like the TSIG name being compressed.
1273			[RT #20986]
1274
12752865.	[bug]		memset to zero event.data.  [RT #20986]
1276
12772864.	[bug]		Direct SIG/RRSIG queries were not handled correctly.
1278			[RT #21050]
1279
12802863.	[port]		linux: disable IPv6 PMTUD and use network minimum MTU.
1281			[RT #21056]
1282
12832862.	[bug]		nsupdate didn't default to the parent zone when
1284			updating DS records. [RT #20896]
1285
12862861.	[doc]		dnssec-settime man pages didn't correctly document the
1287			inactivation time. [RT #21039]
1288
12892860.	[bug]		named-checkconf's usage was out of date. [RT #21039]
1290
12912859.	[bug]		When cancelling validation it was possible to leak
1292			memory. [RT #20800]
1293
12942858.	[bug]		RTT estimates were not being adjusted on ICMP errors.
1295			[RT #20772]
1296
12972857.	[bug]		named-checkconf did not fail on a bad trusted key.
1298			[RT #20705]
1299
13002856.	[bug]		The size of a memory allocation was not always properly
1301			recorded. [RT #20927]
1302
13032855.	[func]		nsupdate will now preserve the entered case of domain
1304			names in update requests it sends. [RT #20928]
1305
13062854.	[func]		dig: allow the final soa record in a axfr response to
1307			be suppressed, dig +onesoa. [RT #20929]
1308
13092853.	[bug]		add_sigs() could run out of scratch space. [RT #21015]
1310
13112852.	[bug]		Handle broken DNSSEC trust chains better. [RT #15619]
1312
13132851.	[doc]		nslookup.1, removed <informalexample> from the docbook
1314			source as it produced bad nroff.  [RT #21007]
1315
13162850.	[bug]		If isc_heap_insert() failed due to memory shortage
1317			the heap would have corrupted entries. [RT #20951]
1318
13192849.	[bug]		Don't treat errors from the xml2 library as fatal.
1320			[RT #20945]
1321
13222848.	[doc]		Moved README.dnssec, README.libdns, README.pkcs11 and
1323			README.rfc5011 into the ARM. [RT #20899]
1324
13252847.	[cleanup]	Corrected usage message in dnssec-settime. [RT #20921]
1326
13272846.	[bug]		EOF on unix domain sockets was not being handled
1328			correctly. [RT #20731]
1329
13302845.	[bug]		RFC 5011 client could crash on shutdown. [RT #20903]
1331
13322844.	[doc]		notify-delay default in ARM was wrong.  It should have
1333			been five (5) seconds.
1334
13352843.	[func]		Prevent dnssec-keygen and dnssec-keyfromlabel from
1336			creating key files if there is a chance that the new
1337			key ID will collide with an existing one after
1338			either of the keys has been revoked.  (To override
1339			this in the case of dnssec-keyfromlabel, use the -y
1340			option.  dnssec-keygen will simply create a
1341			different, non-colliding key, so an override is
1342			not necessary.) [RT #20838]
1343
13442842.	[func]		Added "smartsign" and improved "autosign" and
1345			"dnssec" regression tests. [RT #20865]
1346
13472841.	[bug]		Change 2836 was not complete. [RT #20883]
1348
13492840.	[bug]		Temporary fixed pkcs11-destroy usage check.
1350			[RT #20760]
1351
13522839.	[bug]		A KSK revoked by named could not be deleted.
1353			[RT #20881]
1354
13552838.	[placeholder]
1356
13572837.	[port]		Prevent Linux spurious warnings about fwrite().
1358			[RT #20812]
1359
13602836.	[bug]		Keys that were scheduled to become active could
1361			be delayed. [RT #20874]
1362
13632835.	[bug]		Key inactivity dates were inadvertently stored in
1364			the private key file with the outdated tag
1365			"Unpublish" rather than "Inactive".  This has been
1366			fixed; however, any existing keys that had Inactive
1367			dates set will now need to have them reset, using
1368			'dnssec-settime -I'. [RT #20868]
1369
13702834.	[bug]		HMAC-SHA* keys that were longer than the algorithm
1371			digest length were used incorrectly, leading to
1372			interoperability problems with other DNS
1373			implementations.  This has been corrected.
1374			(Note: If an oversize key is in use, and
1375			compatibility is needed with an older release of
1376			BIND, the new tool "isc-hmac-fixup" can convert
1377			the key secret to a form that will work with all
1378			versions.) [RT #20751]
1379
13802833.	[cleanup]	Fix usage messages in dnssec-keygen and dnssec-settime.
1381			[RT #20851]
1382
13832832.	[bug]		Modify "struct stat" in lib/export/samples/nsprobe.c
1384			to avoid redefinition in some OSs [RT 20831]
1385
13862831.	[security]	Do not attempt to validate or cache
1387			out-of-bailiwick data returned with a secure
1388			answer; it must be re-fetched from its original
1389			source and validated in that context. [RT #20819]
1390
13912830.	[bug]		Changing the OPTOUT setting could take multiple
1392			passes. [RT #20813]
1393
13942829.	[bug]		Fixed potential node inconsistency in rbtdb.c.
1395			[RT #20808]
1396
13972828.	[security]	Cached CNAME or DNAME RR could be returned to clients
1398			without DNSSEC validation. [RT #20737]
1399
14002827.	[security]	Bogus NXDOMAIN could be cached as if valid. [RT #20712]
1401
14022826.	[bug]		NSEC3->NSEC transitions could fail due to a lock not
1403			being released.  [RT #20740]
1404
14052825.	[bug]		Changing the setting of OPTOUT in a NSEC3 chain that
1406			was in the process of being created was not properly
1407			recorded in the zone. [RT #20786]
1408
14092824.	[bug]		"rndc sign" was not being run by the correct task.
1410			[RT #20759]
1411
14122823.	[bug]		rbtdb.c:getsigningtime() was missing locks. [RT #20781]
1413
14142822.	[bug]		rbtdb.c:loadnode() could return the wrong result.
1415			[RT #20802]
1416
14172821.	[doc]		Add note that named-checkconf doesn't automatically
1418			read rndc.key and bind.keys [RT #20758]
1419
14202820.	[func]		Handle read access failure of OpenSSL configuration
1421			file more user friendly (PKCS#11 engine patch).
1422			[RT #20668]
1423
14242819.	[cleanup]	Removed unnecessary DNS_POINTER_MAXHOPS define.
1425			[RT #20771]
1426
14272818.	[cleanup]	rndc could return an incorrect error code
1428			when a zone was not found. [RT #20767]
1429
14302817.	[cleanup]	Removed unnecessary isc_task_endexclusive() calls.
1431			[RT #20768]
1432
14332816.	[bug]		previous_closest_nsec() could fail to return
1434			data for NSEC3 nodes [RT #29730]
1435
14362815.	[bug]		Exclusively lock the task when freezing a zone.
1437			[RT #19838]
1438
14392814.	[func]		Provide a definitive error message when a master
1440			zone is not loaded. [RT #20757]
1441
14422813.	[bug]		Better handling of unreadable DNSSEC key files.
1443			[RT #20710]
1444
14452812.	[bug]		Make sure updates can't result in a zone with
1446			NSEC-only keys and NSEC3 records. [RT #20748]
1447
14482811.	[cleanup]	Add "rndc sign" to list of commands in rndc usage
1449			output. [RT #20733]
1450
14512810.	[doc]		Clarified the process of transitioning an NSEC3 zone
1452			to insecure. [RT #20746]
1453
14542809.	[cleanup]	Restored accidentally-deleted text in usage output
1455			in dnssec-settime and dnssec-revoke [RT #20739]
1456
14572808.	[bug]		Remove the attempt to install atomic.h from lib/isc.
1458			atomic.h is correctly installed by the architecture
1459			specific subdirectories.  [RT #20722]
1460
14612807.	[bug]		Fixed a possible ASSERT when reconfiguring zone
1462			keys. [RT #20720]
1463
1464	--- 9.7.0rc1 released ---
1465
14662806.	[bug]		"rdnc sign" could delay re-signing the DNSKEY
1467			when it had changed. [RT #20703]
1468
14692805.	[bug]		Fixed namespace problems encountered when building
1470			external programs using non-exported BIND9 libraries
1471			(i.e., built without --enable-exportlib). [RT #20679]
1472
14732804.	[bug]		Send notifies when a zone is signed with "rndc sign"
1474			or as a result of a scheduled key change. [RT #20700]
1475
14762803.	[port]		win32: Install named-journalprint, nsec3hash, arpaname
1477			and genrandom under windows. [RT #20670]
1478
14792802.	[cleanup]	Ren…

Large files files are truncated, but you can click here to view the full file