--- 9.8.3-P4 released ---

3383.	[security]	A certain combination of records in the RBT could
                        cause named to hang while populating the additional
                        section of a response. [RT #31090]

	--- 9.8.3-P3 released ---

3364.	[security]	Named could die on specially crafted record.
			[RT #30416]

	--- 9.8.3-P2 released ---

3346.	[security]	Bad-cache data could be used before it was
			initialized, causing an assert. [RT #30025]

3342.	[bug]		Change #3314 broke saving of stub zones to disk
			resulting in excessive cpu usage in some cases.
			[RT #29952]

	--- 9.8.3-P1 released ---

3331.	[security]	dns_rdataslab_fromrdataset could produce bad
			rdataslabs. [RT #29644]
			
	--- 9.8.3 released ---

3318.	[tuning]	Reduce the amount of work performed while holding a
			bucket lock when finshed with a fetch context.
			[RT #29239]

3314.	[bug]		The masters list could be updated while refesh_callback
			and stub_callback were using it. [RT #26732]

3313.	[protocol]	Add TLSA record type. [RT #28989]

3312.	[bug]		named-checkconf didn't detect a bad dns64 clients acl.
			[RT #27631]

3311.	[bug]		Abort the zone dump if zone->db is NULL in
			zone.c:zone_gotwritehandle. [RT #29028]

3310.	[test]		Increase table size for mutex profiling. [RT #28809]

3309.	[bug]		resolver.c:fctx_finddone() was not threadsafe.
			[RT #27995]

3307.	[bug]		Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
			[RT #28956]

3306.	[bug]		Improve DNS64 reverse zone performance. [RT #28563]

3305.	[func]		Add wire format lookup method to sdb. [RT #28563]

3304.	[bug]		Use hmctx, not mctx when freeing rbtdb->heaps.
			[RT #28571]

3302.	[bug]		dns_dnssec_findmatchingkeys could fail to find
			keys if the zone name contained character that
			required special mappings. [RT #28600]

3301.	[contrib]	Update queryperf to build on darwin.  Add -R flag
			for non-recursive queries. [RT #28565]

3300.	[bug]		Named could die if gssapi was enabled in named.conf
			but was not compiled in. [RT #28338]

3299.	[bug]		Make SDB handle errors from database drivers better.
			[RT #28534]

3232.	[bug]		Zero zone->curmaster before return in
			dns_zone_setmasterswithkeys(). [RT #26732]

3183.	[bug]		Added RTLD_GLOBAL flag to dlopen call. [RT #26301]

3197.	[bug]		Don't try to log the filename and line number when
			the config parser can't open a file. [RT #22263]

	--- 9.8.2 released ---

3298.	[bug]		Named could dereference a NULL pointer in
			zmgr_start_xfrin_ifquota if the zone was being removed.
			[RT #28419]

3297.	[bug]		Named could die on a malformed master file. [RT #28467]

3295.	[bug]		Adjust isc_time_secondsastimet range check to be more
			portable. [RT # 26542]

3294.	[bug]		isccc/cc.c:table_fromwire failed to free alist on
			error. [RT #28265]

3291.	[port]		Fixed a build error on systems without ENOTSUP.
			[RT #28200]

3290.	[bug]		<isc/hmacsha.h> was not being installed. [RT #28169]

3288.	[bug]		dlz_destroy() function wasn't correctly registered
			by the DLZ dlopen driver. [RT #28056]

3287.	[port]		Update ans.pl to work with Net::DNS 0.68. [RT #28028]

3286.	[bug]		Managed key maintenance timer could fail to start
			after 'rndc reconfig'. [RT #26786]

	--- 9.8.2rc2 released ---

3285.	[bug]		val-frdataset was incorrectly disassociated in
			proveunsecure after calling startfinddlvsep.
			[RT #27928]

3284.	[bug]		Address race conditions with the handling of
			rbtnode.deadlink. [RT #27738]

3283.	[bug]		Raw zones with with more than 512 records in a RRset
			failed to load. [RT #27863]

3282.	[bug]		Restrict the TTL of NS RRset to no more than that
			of the old NS RRset when replacing it.
			[RT #27792] [RT #27884]

3281.	[bug]		SOA refresh queries could be treated as cancelled
			despite succeeding over the loopback interface.
			[RT #27782]

3280.	[bug]		Potential double free of a rdataset on out of memory
			with DNS64. [RT #27762]

3278.	[bug]		Make sure automatic key maintenance is started
			when "auto-dnssec maintain" is turned on during
			"rndc reconfig". [RT #26805]

3276.	[bug]		win32: ns_os_openfile failed to return NULL on
			safe_open failure. [RT #27696]

3274.	[bug]		Log when a zone is not reusable.  Only set loadtime
			on successful loads.  [RT #27650]

3273.	[bug]		AAAA responses could be returned in the additional
			section even when filter-aaaa-on-v4 was in use.
			[RT #27292]

3271.	[port]		darwin: mksymtbl is not always stable, loop several
			times before giving up.  mksymtbl was using non
			portable perl to covert 64 bit hex strings. [RT #27653]

3268.	[bug]		Convert RRSIG expiry times to 64 timestamps to work
			out the earliest expiry time. [RT #23311]

3267.	[bug]		Memory allocation failures could be mis-reported as
			unexpected error.  New ISC_R_UNSET result code.
			[RT #27336]

3266.	[bug]		The maximum number of NSEC3 iterations for a
			DNSKEY RRset was not being properly computed.
			[RT #26543]

3262.	[bug]		Signed responses were handled incorrectly by RPZ.
			[RT #27316]

	--- 9.8.2rc1 released ---

3260.	[bug]		"rrset-order cyclic" could appear not to rotate
			for some query patterns.  [RT #27170/27185]

3259.	[bug]		named-compilezone: Suppress "dump zone to <file>"
			message when writing to stdout. [RT #27109]

3258.	[test]		Add "forcing full sign with unreadable keys" test.
			[RT #27153]

3257.	[bug]		Do not generate a error message when calling fsync()
			in a pipe or socket. [RT #27109]

3256.	[bug]		Disable empty zones for lwresd -C. [RT #27139]

3254.	[bug]		Set isc_socket_ipv6only() on the IPv6 control channels.
			[RT #22249]

3253.	[bug]		Return DNS_R_SYNTAX when the input to a text field is
			too long. [RT #26956]

3251.	[bug]		Enforce a upper bound (65535 bytes) on the amount of
			memory dns_sdlz_putrr() can allocate per record to
			prevent run away memory consumption on ISC_R_NOSPACE.
			[RT #26956]

3250.	[func]		'configure --enable-developer'; turn on various
			configure options, normally off by default, that
			we want developers to build and test with. [RT #27103]

3249.	[bug]		Update log message when saving slave zones files for
			analysis after load failures. [RT #27087]

3248.	[bug]		Configure options --enable-fixed-rrset and
			--enable-exportlib were incompatible with each
			other. [RT #27087]

3247.	[bug]		'raw' format zones failed to preserve load order
			breaking 'fixed' sort order. [RT #27087]

3243.	[port]		netbsd,bsdi: the thread defaults were not being
			properly set.

3241.	[bug]		Address race conditions in the resolver code.
			[RT #26889]

3240.	[bug]		DNSKEY state change events could be missed. [RT #26874]

3239.	[bug]		dns_dnssec_findmatchingkeys needs to use a consistent
			timestamp. [RT #26883]

3238.	[bug]		keyrdata was not being reinitialized in
			lib/dns/rbtdb.c:iszonesecure. [RT#26913]

3237.	[bug]		dig -6 didn't work with +trace. [RT #26906]

	--- 9.8.2b1 released ---

3234.	[bug]		'make depend' produced invalid makefiles. [RT #26830]

3231.	[bug]		named could fail to send a uncompressable zone.
			[RT #26796]

3230.	[bug]		'dig axfr' failed to properly handle a multi-message
			axfr with a serial of 0. [RT #26796]

3229.	[bug]		Fix local variable to struct var assignment
			found by CLANG warning.

3228.	[tuning]	Dynamically grow symbol table to improve zone
			loading performance. [RT #26523]

3227.	[bug]		Interim fix to make WKS's use of getprotobyname()
			and getservbyname() self thread safe. [RT #26232]

3226.	[bug]		Address minor resource leakages. [RT #26624]

3221.	[bug]		Fixed a potential coredump on shutdown due to
			referencing fetch context after it's been freed.
			[RT #26720]

3220.	[bug]		Change #3186 was incomplete; dns_db_rpz_findips()
			could fail to set the database version correctly,
			causing an assertion failure. [RT #26180]

3218.	[security]	Cache lookup could return RRSIG data associated with
			nonexistent records, leading to an assertion
			failure. [RT #26590]

3217.	[cleanup]	Fix build problem with --disable-static. [RT #26476]

3216.	[bug]		resolver.c:validated() was not thread-safe. [RT #26478]

3213.	[doc]		Clarify ixfr-from-differences behavior. [RT #25188]

3212.	[bug]		rbtdb.c: failed to remove a node from the deadnodes
			list prior to adding a reference to it leading a
			possible assertion failure. [RT #23219]

3209.	[func]		Add "dnssec-lookaside 'no'".  [RT #24858]

3208.	[bug]		'dig -y' handle unknown tsig alorithm better.
			[RT #25522]

3207.	[contrib]	Fixed build error in Berkeley DB DLZ module. [RT #26444]

3206.	[cleanup]	Add ISC information to log at start time. [RT #25484]

3204.	[bug]		When a master server that has been marked as
			unreachable sends a NOTIFY, mark it reachable
			again. [RT #25960]

3203.	[bug]		Increase log level to 'info' for validation failures
			from expired or not-yet-valid RRSIGs. [RT #21796]

3200.	[doc]		Some rndc functions were undocumented or were
			missing from 'rndc -h' output. [RT #25555]

3198.	[doc]		Clarified that dnssec-settime can alter keyfile
			permissions. [RT #24866]

3196.	[bug]		nsupdate: return nonzero exit code when target zone
			doesn't exist. [RT #25783]

3195.	[cleanup]	Silence "file not found" warnings when loading
			managed-keys zone. [RT #26340]

3194.	[doc]		Updated RFC references in the 'empty-zones-enable'
			documentation. [RT #25203]

3193.	[cleanup]	Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
			dnssec.h. [RT #26415]

3192.	[bug]		A query structure could be used after being freed.
			[RT #22208]

3191.	[bug]		Print NULL records using "unknown" format. [RT #26392]

3190.	[bug]		Underflow in error handling in isc_mutexblock_init.
			[RT #26397]

3189.	[test]		Added a summary report after system tests. [RT #25517]

3188.	[bug]		zone.c:zone_refreshkeys() could fail to detach
			references correctly when errors occurred, causing
			a hang on shutdown. [RT #26372]

3187.	[port]		win32: support for Visual Studio 2008.  [RT #26356]

3186.	[bug]		Version/db mis-match in rpz code. [RT #26180]

3179.	[port]		kfreebsd: build issues. [RT #26273]

3175.	[bug]		Fix how DNSSEC positive wildcard responses from a
			NSEC3 signed zone are validated.  Stop sending a
			unnecessary NSEC3 record when generating such
			responses. [RT #26200]

3174.	[bug]		Always compute to revoked key tag from scratch.
			[RT #26186]

3173.	[port]		Correctly validate root DS responses. [RT #25726]

3171.	[bug]		Exclusively lock the task when adding a zone using
			'rndc addzone'.  [RT #25600]

3170.	[func]		RPZ update:
			- fix precedence among competing rules
			- improve ARM text including documenting rule precedence
			- try to rewrite CNAME chains until first hit
			- new "rpz" logging channel
			- RDATA for CNAME rules can include wildcards
			- replace "NO-OP" named.conf policy override with
			  "PASSTHRU" and add "DISABLED" override ("NO-OP"
			  is still recognized)
			[RT #25172]

3169.	[func]		Catch db/version mis-matches when calling dns_db_*().
			[RT #26017]

3167.	[bug]		Negative answers from forwarders were not being
			correctly tagged making them appear to not be cached.
			[RT #25380]

3162.	[test]		start.pl: modified to allow for "named.args" in
			ns*/ subdirectory to override stock arguments to
			named. Largely from RT#26044, but no separate ticket.

3161.	[bug]		zone.c:del_sigs failed to always reset rdata leading
			assertion failures. [RT #25880]

3157.	[tuning]	Reduce the time spent in "rndc reconfig" by parsing
			the config file before pausing the server. [RT #21373]

3155.	[bug]		Fixed a build failure when using contrib DLZ
			drivers (e.g., mysql, postgresql, etc). [RT #25710]

3154.	[bug]		Attempting to print an empty rdataset could trigger
			an assert. [RT #25452]

3152.	[cleanup]	Some versions of gcc and clang failed due to
			incorrect use of __builtin_expect. [RT #25183]

3151.	[bug]		Queries for type RRSIG or SIG could be handled
			incorrectly.  [RT #21050]

3148.	[bug]		Processing of normal queries could be stalled when
			forwarding a UPDATE message. [RT #24711]

3146.	[test]		Fixed gcc4.6.0 errors in ATF. [RT #25598]

3145.	[test]		Capture output of ATF unit tests in "./atf.out" if
			there were any errors while running them. [RT #25527]

3144.	[bug]		dns_dbiterator_seek() could trigger an assert when
			used with a nonexistent database node. [RT #25358]

3143.	[bug]		Silence clang compiler warnings. [RT #25174]

3139.	[test]		Added tests from RFC 6234, RFC 2202, and RFC 1321
			for the hashing algorithms (md5, sha1 - sha512, and
			their hmac counterparts).  [RT #25067]

	--- 9.8.1 released ---

	--- 9.8.1rc1 released ---

3141.	[bug]		Silence spurious "zone serial (0) unchanged" messages
			associated with empty zones. [RT #25079]

3138.	[bug]		Address memory leaks and out-of-order operations when
			shutting named down. [RT #25210]

3136.	[func]		Add RFC 1918 reverse zones to the list of built-in
			empty zones switched on by the 'empty-zones-enable'
			option. [RT #24990]

			Note: empty-zones-enable must be "yes;" or a empty
			zone needs to be disabled in named.conf for RFC 1918
			zones to be activated.  This requirement may be
			removed in future releases.

3135.	[port]		FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
			See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
			[RT #24950]

3134.	[bug]		Improve the accuracy of dnssec-signzone's signing
			statistics. [RT #16030]

	--- 9.8.1b3 released ---

3133.	[bug]		Change #3114 was incomplete. [RT #24577]

3131.	[tuning]	Improve scalability by allocating one zone task
			per 100 zones at startup time, rather than using a
			fixed-size task table. [RT #24406]

3129.	[bug]		Named could crash on 'rndc reconfig' when
			allow-new-zones was set to yes and named ACLs
			were used. [RT #22739]

	--- 9.8.1b2 released ---

3126.	[security]	Using DNAME record to generate replacements caused
			RPZ to exit with a assertion failure. [RT #24766]

3125.	[security]	Using wildcard CNAME records as a replacement with
			RPZ caused named to exit with a assertion failure.
			[RT #24715]

3124.	[bug]		Use an rdataset attribute flag to indicate
			negative-cache records rather than using rrtype 0;
			this will prevent problems when that rrtype is
			used in actual DNS packets. [RT #24777]

3123.	[security]	Change #2912 exposed a latent flaw in
			dns_rdataset_totext() that could cause named to
			crash with an assertion failure. [RT #24777]

3122.	[cleanup]	dnssec-settime: corrected usage message. [RT #24664]

3121.	[security]	An authoritative name server sending a negative
			response containing a very large RRset could
			trigger an off-by-one error in the ncache code
			and crash named. [RT #24650]

3120.	[bug]		Named could fail to validate zones listed in a DLV
			that validated insecure without using DLV and had
			DS records in the parent zone. [RT #24631]

3119.	[bug]		When rolling to a new DNSSEC key, a private-type
			record could be created and never marked complete.
			[RT #23253]

3118.	[bug]		nsupdate could dump core on shutdown when using
			SIG(0) keys. [RT #24604]

3117.	[cleanup]	Remove doc and parser references to the
			never-implemented 'auto-dnssec create' option.
			[RT #24533]

3115.	[bug]		Named could fail to return requested data when
			following a CNAME that points into the same zone.
			[RT #24455]

3114.	[bug]		Retain expired RRSIGs in dynamic zones if key is
			inactive and there is no replacement key. [RT #23136]

3113.	[doc]		Document the relationship between serial-query-rate
			and NOTIFY messages.

	--- 9.8.1b1 released ---

3112.	[doc]		Add missing descriptions of the update policy name
			types "ms-self", "ms-subdomain", "krb5-self" and
			"krb5-subdomain", which allow machines to update
			their own records, to the BIND 9 ARM.

3111.	[bug]		Improved consistency checks for dnssec-enable and
			dnssec-validation, added test cases to the
			checkconf system test. [RT #24398]

3110.	[bug]		dnssec-signzone: Wrong error message could appear
			when attempting to sign with no KSK. [RT #24369]

3107.	[bug]		dnssec-signzone: Report the correct number of ZSKs
			when using -x. [RT #20852]

3105.	[bug]		GOST support can be suppressed by "configure
			--without-gost" [RT #24367]

3104.	[bug]		Better support for cross-compiling. [RT #24367]

3103.	[bug]		Configuring 'dnssec-validation auto' in a view
			instead of in the options statement could trigger
			an assertion failure in named-checkconf. [RT #24382]

3101.	[bug]		Zones using automatic key maintenance could fail
			to check the key repository for updates. [RT #23744]

3100.	[security]	Certain response policy zone configurations could
			trigger an INSIST when receiving a query of type
			RRSIG. [RT #24280]

3099.	[test]		"dlz" system test now runs but gives R:SKIPPED if
			not compiled with --with-dlz-filesystem.  [RT #24146]

3098.	[bug]		DLZ zones were answering without setting the AA bit.
			[RT #24146]

3097.	[test]		Add a tool to test handling of malformed packets.
			[RT #24096]

3096.	[bug]		Set KRB5_KTNAME before calling log_cred() in
			dst_gssapi_acceptctx(). [RT #24004]

3095.	[bug]		Handle isolated reserved ports in the port range.
			[RT #23957]

3094.	[doc]		Expand dns64 documentation.

3093.	[bug]		Fix gssapi/kerberos dependencies [RT #23836]

3092.	[bug]		Signatures for records at the zone apex could go
			stale due to an incorrect timer setting. [RT #23769]

3091.	[bug]		Fixed a bug in which zone keys that were published
			and then subsequently activated could fail to trigger
			automatic signing. [RT #22911]

3090.	[func]		Make --with-gssapi default [RT #23738]

3088.	[bug]		Remove bin/tests/system/logfileconfig/ns1/named.conf
			and add setup.sh in order to resolve changing
			named.conf issue.  [RT #23687]

3087.	[bug]		DDNS updates using SIG(0) with update-policy match
			type "external" could cause a crash. [RT #23735]

3086.	[bug]		Running dnssec-settime -f on an old-style key will
			now force an update to the new key format even if no
			other change has been specified, using "-P now -A now"
			as default values.  [RT #22474]

3083.	[bug]		NOTIFY messages were not being sent when generating
			a NSEC3 chain incrementally. [RT #23702]

3082.	[port]		strtok_r is threads only. [RT #23747]

3081.	[bug]		Failure of DNAME substitution did not return
			YXDOMAIN. [RT #23591]

3080.	[cleanup]	Replaced compile time constant by STDTIME_ON_32BITS.
			[RT #23587]

3079.	[bug]		Handle isc_event_allocate failures in t_tasks.
			[RT #23572]

3078.	[func]		Added a new include file with function typedefs
			for the DLZ "dlopen" driver. [RT #23629]

3077.	[bug]		zone.c:zone_refreshkeys() incorrectly called
			dns_zone_attach(), use zone->irefs instead. [RT #23303]

3075.	[bug]		dns_dnssec_findzonekeys{2} used a inconsistant
			timestamp when determining which keys are active.
			[RT #23642]

3074.	[bug]		Make the adb cache read through for zone data and
			glue learn for zone named is authoritative for.
			[RT #22842]

3073.	[bug]		managed-keys changes were not properly being recorded.
			[RT #20256]

3072.	[bug]		dns_dns64_aaaaok() potential NULL pointer dereference.
			[RT #20256]

3071.	[bug]		has_nsec could be used unintialised in
			update.c:next_active. [RT #20256]

3070.	[bug]		dnssec-signzone potential NULL pointer dereference.
			[RT #20256]

3069.	[cleanup]	Silence warnings messages from clang static analysis.
			[RT #20256]

3068.	[bug]		Named failed to build with a OpenSSL without engine
			support. [RT #23473]

3067.	[bug]		ixfr-from-differences {master|slave}; failed to
			select the master/slave zones.  [RT #23580]

3066.	[func]		The DLZ "dlopen" driver is now built by default,
			no longer requiring a configure option.  To
			disable it, use "configure --without-dlopen".
			(Note: driver not supported on win32.) [RT #23467]

3065.	[bug]		RRSIG could have time stamps too far in the future.
			[RT #23356]

3064.	[bug]		powerpc: add sync instructions to the end of atomic
			operations. [RT #23469]

3063.	[contrib]	More verbose error reporting from DLZ LDAP. [RT #23402]

3059.	[test]		Added a regression test for change #3023.

3058.	[bug]		Cause named to terminate at startup or rndc reconfig/
			reload to fail, if a log file specified in the conf
			file isn't a plain file. [RT #22771]

3057.	[bug]		"rndc secroots" would abort after the first error
			and so could miss some views. [RT #23488]

3054.	[bug]		Added elliptic curve support check in
			GOST OpenSSL engine detection. [RT #23485]

3053.	[bug]		Under a sustained high query load with a finite
			max-cache-size, it was possible for cache memory
			to be exhausted and not recovered. [RT #23371]

3052.	[test]		Fixed last autosign test report. [RT #23256]

3051.	[bug]		NS records obsure DNAME records at the bottom of the
			zone if both are present. [RT #23035]

3050.	[bug]		The autosign system test was timing dependent.
			Wait for the initial autosigning to complete
			before running the rest of the test. [RT #23035]

3049.	[bug]		Save and restore the gid when creating creating
			named.pid at startup. [RT #23290]

3048.	[bug]		Fully separate view key mangement. [RT #23419]

3047.	[bug]		DNSKEY NODATA responses not cached fixed in
			validator.c. Tests added to dnssec system test.
			[RT #22908]

3046.	[bug]		Use RRSIG original TTL to compute validated RRset
			and RRSIG TTL. [RT #23332]

3044.	[bug]		Hold the socket manager lock while freeing the socket.
			[RT #23333]

3043.	[test]		Merged in the NetBSD ATF test framework (currently
			version 0.12) for development of future unit tests.
			Use configure --with-atf to build ATF internally
			or configure --with-atf=prefix to use an external
			copy.  [RT #23209]

3042.	[bug]		dig +trace could fail attempting to use IPv6
			addresses on systems with only IPv4 connectivity.
			[RT #23297]

3041.	[bug]		dnssec-signzone failed to generate new signatures on
			ttl changes. [RT #23330]

3040.	[bug]		Named failed to validate insecure zones where a node
			with a CNAME existed between the trust anchor and the
			top of the zone. [RT #23338]

3038.	[bug]		Install <dns/rpz.h>.  [RT #23342]

3037.	[doc]		Update COPYRIGHT to contain all the individual
			copyright notices that cover various parts.

3036.	[bug]		Check built-in zone arguments to see if the zone
			is re-usable or not. [RT #21914]

3035.	[cleanup]	Simplify by using strlcpy. [RT #22521]

3034.	[cleanup]	nslookup: use strlcpy instead of safecopy. [RT #22521]

3033.	[cleanup]	Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).
			[RT #22521]

3032.	[bug]		rdatalist.c: add missing REQUIREs. [RT #22521]

3031.	[bug]		dns_rdataclass_format() handle a zero sized buffer.
			[RT #22521]

3030.	[bug]		dns_rdatatype_format() handle a zero sized buffer.
			[RT #22521]

3029.	[bug]		isc_netaddr_format() handle a zero sized buffer.
			[RT #22521]

3028.	[bug]		isc_sockaddr_format() handle a zero sized buffer.
			[RT #22521]

3027.	[bug]		Add documented REQUIREs to cfg_obj_asnetprefix() to
			catch NULL pointer dereferences before they happen.
			[RT #22521]

3026.	[bug]		lib/isc/httpd.c: check that we have enough space
			after calling grow_headerspace() and if not
			re-call grow_headerspace() until we do. [RT #22521]

	--- 9.8.0 released ---

3025.	[bug]		Fixed a possible deadlock due to zone resigning.
			[RT #22964]

3024.	[func]		RTT Banding removed due to minor security increase
			but major impact on resolver latency. [RT #23310]

3023.	[bug]		Named could be left in an inconsistent state when
			receiving multiple AXFR response messages that were
			not all TSIG-signed. [RT #23254]

3022.	[bug]		Fixed rpz SERVFAILs after failed zone transfers
			[RT #23246]

3021.	[bug]		Change #3010 was incomplete. [RT #22296]

3020.	[bug]		auto-dnssec failed to correctly update the zone when
			changing the DNSKEY RRset. [RT #23232]

3019.	[test]		Test: check apex NSEC3 records after adding DNSKEY
			record via UPDATE. [RT #23229]

	--- 9.8.0rc1 released ---

3018.	[bug]		Named failed to check for the "none;" acl when deciding
			if a zone may need to be re-signed. [RT #23120]

3017.	[doc]		dnssec-keyfromlabel -I was not properly documented.
			[RT #22887]

3016.	[bug]		rndc usage missing '-b'. [RT #22937]

3015.	[port]		win32: fix IN6_IS_ADDR_LINKLOCAL and
			IN6_IS_ADDR_SITELOCAL macros. [RT #22724]

3013.	[bug]		The DNS64 ttl was not always being set as expected.
			[RT #23034]

3012.	[bug]		Remove DNSKEY TTL change pairs before generating
			signing records for any remaining DNSKEY changes.
			[RT #22590]

3011.	[func]		Allow setting this in named.conf using the new
			'resolver-query-timeout' option, which specifies a max
			time in seconds.  0 means 'default' and anything longer
			than 30 will be silently set to 30. [RT #22852]

3010.	[bug]		Fixed a bug where "rndc reconfig" stopped the timer
			for refreshing managed-keys. [RT #22296]

3009.	[bug]		clients-per-query code didn't work as expected with
			particular query patterns. [RT #22972]

	--- 9.8.0b1 released ---

3008.	[func]		Response policy zones (RPZ) support. [RT #21726]

3007.	[bug]		Named failed to preserve the case of domain names in
			rdata which is not compressible when writing master
			files.  [RT #22863]

3006.	[func]		Allow dynamically generated TSIG keys to be preserved
			across restarts of named.  Initially this is for
			TSIG keys generated using GSSAPI. [RT #22639]

3005.	[port]		Solaris: Work around the lack of
			gsskrb5_register_acceptor_identity() by setting
			the KRB5_KTNAME environment variable to the
			contents of tkey-gssapi-keytab.  Also fixed
			test errors on MacOSX.  [RT #22853]

3004.	[func]		DNS64 reverse support. [RT #22769]

3003.	[experimental]	Added update-policy match type "external",
			enabling named to defer the decision of whether to
			allow a dynamic update to an external daemon.
			(Contributed by Andrew Tridgell.) [RT #22758]

3002.	[bug]		isc_mutex_init_errcheck() failed to destroy attr.
			[RT #22766]

3001.	[func]		Added a default trust anchor for the root zone, which
			can be switched on by setting "dnssec-validation auto;"
			in the named.conf options. [RT #21727]

3000.	[bug]		More TKEY/GSS fixes:
			 - nsupdate can now get the default realm from
			   the user's Kerberos principal
			 - corrected gsstest compilation flags
			 - improved documentation
			 - fixed some NULL dereferences
			[RT #22795]

2999.	[func]		Add GOST support (RFC 5933). [RT #20639]

2998.	[func]		Add isc_task_beginexclusive and isc_task_endexclusive
			to the task api. [RT #22776]

2997.	[func]		named -V now reports the OpenSSL and libxml2 verions
			it was compiled against. [RT #22687]

2996.	[security]	Temporarily disable SO_ACCEPTFILTER support.
			[RT #22589]

2995.	[bug]		The Kerberos realm was not being correctly extracted
			from the signer's identity. [RT #22770]

2994.	[port]		NetBSD: use pthreads by default on NetBSD >= 5.0, and
			do not use threads on earlier versions.  Also kill
			the unproven-pthreads, mit-pthreads, and ptl2 support.

2993.	[func]		Dynamically grow adb hash tables. [RT #21186]

2992.	[contrib]	contrib/check-secure-delegation.pl:  A simple tool
			for looking at a secure delegation. [RT #22059]

2991.	[contrib]	contrib/zone-edit.sh: A simple zone editing tool for
			dynamic zones. [RT #22365]

2990.	[bug]		'dnssec-settime -S' no longer tests prepublication
			interval validity when the interval is set to 0.
			[RT #22761]

2989.	[func]		Added support for writable DLZ zones. (Contributed
			by Andrew Tridgell of the Samba project.) [RT #22629]

2988.	[experimental]	Added a "dlopen" DLZ driver, allowing the creation
			of external DLZ drivers that can be loaded as
			shared objects at runtime rather than linked with
			named.  Currently this is switched on via a
			compile-time option, "configure --with-dlz-dlopen".
			Note: the syntax for configuring DLZ zones
			is likely to be refined in future releases.
			(Contributed by Andrew Tridgell of the Samba
			project.) [RT #22629]

2987.	[func]		Improve ease of configuring TKEY/GSS updates by
			adding a "tkey-gssapi-keytab" option.  If set,
			updates will be allowed with any key matching
			a principal in the specified keytab file.
			"tkey-gssapi-credential" is no longer required
			and is expected to be deprecated.  (Contributed
			by Andrew Tridgell of the Samba project.)
			[RT #22629]

2986.	[func]		Add new zone type "static-stub".  It's like a stub
			zone, but the nameserver names and/or their IP
			addresses are statically configured. [RT #21474]

2985.	[bug]		Add a regression test for change #2896. [RT #21324]

2984.	[bug]		Don't run MX checks when the target of the MX record
			is ".".  [RT #22645]

2983.	[bug]		Include "loadkeys" in rndc help output. [RT #22493]

	--- 9.8.0a1 released ---

2982.	[bug]		Reference count dst keys.  dst_key_attach() can be used
			increment the reference count.

			Note: dns_tsigkey_createfromkey() callers should now
			always call dst_key_free() rather than setting it
			to NULL on success. [RT #22672]

2981.	[func]		Partial DNS64 support (AAAA synthesis). [RT #21991]

2980.	[bug]		named didn't properly handle UPDATES that changed the
			TTL of the NSEC3PARAM RRset. [RT #22363]

2979.	[bug]		named could deadlock during shutdown if two
			"rndc stop" commands were issued at the same
			time. [RT #22108]

2978.	[port]		hpux: look for <devpoll.h> [RT #21919]

2977.	[bug]		'nsupdate -l' report if the session key is missing.
			[RT #21670]

2976.	[bug]		named could die on exit after negotiating a GSS-TSIG
			key. [RT #22573]

2975.	[bug]		rbtdb.c:cleanup_dead_nodes_callback() acquired the
			wrong lock which could lead to server deadlock.
			[RT #22614]

2974.	[bug]		Some valid UPDATE requests could fail due to a
			consistency check examining the existing version
			of the zone rather than the new version resulting
			from the UPDATE. [RT #22413]

2973.	[bug]		bind.keys.h was being removed by the "make clean"
			at the end of configure resulting in build failures
			where there is very old version of perl installed.
			Move it to "make maintainer-clean". [RT #22230]

2972.	[bug]		win32: address windows socket errors. [RT #21906]

2971.	[bug]		Fixed a bug that caused journal files not to be
			compacted on Windows systems as a result of
			non-POSIX-compliant rename() semantics. [RT #22434]

2970.	[security]	Adding a NO DATA negative cache entry failed to clear
			any matching RRSIG records.  A subsequent lookup of
			of NO DATA cache entry could trigger a INSIST when the
			unexpected RRSIG was also returned with the NO DATA
			cache entry.

			CVE-2010-3613, VU#706148. [RT #22288]

2969.	[security]	Fix acl type processing so that allow-query works
			in options and view statements.  Also add a new
			set of tests to verify proper functioning.

			CVE-2010-3615, VU#510208. [RT #22418]

2968.	[security]	Named could fail to prove a data set was insecure
			before marking it as insecure.  One set of conditions
			that can trigger this occurs naturally when rolling
			DNSKEY algorithms.

			CVE-2010-3614, VU#837744. [RT #22309]

2967.	[bug]		'host -D' now turns on debugging messages earlier.
			[RT #22361]

2966.	[bug]		isc_print_vsnprintf() failed to check if there was
			space available in the buffer when adding a left
			justified character with a non zero width,
			(e.g. "%-1c"). [RT #22270]

2965.	[func]		Test HMAC functions using test data from RFC 2104 and
			RFC 4634. [RT #21702]

2964.	[placeholder]

2963.	[security]	The allow-query acl was being applied instead of the
			allow-query-cache acl to cache lookups. [RT #22114]

2962.	[port]		win32: add more dependencies to BINDBuild.dsw.
			[RT #22062]

2961.	[bug]		Be still more selective about the non-authoritative
			answers we apply change 2748 to. [RT #22074]

2960.	[func]		Check that named accepts non-authoritative answers.
			[RT #21594]

2959.	[func]		Check that named starts with a missing masterfile.
			[RT #22076]

2958.	[bug]		named failed to start with a missing master file.
			[RT #22076]

2957.	[bug]		entropy_get() and entropy_getpseudo() failed to match
			the API for RAND_bytes() and RAND_pseudo_bytes()
			respectively. [RT #21962]

2956.	[port]		Enable atomic operations on the PowerPC64. [RT #21899]

2955.	[func]		Provide more detail in the recursing log. [RT #22043]

2954.	[bug]		contrib: dlz_mysql_driver.c bad error handling on
			build_sqldbinstance failure. [RT #21623]

2953.	[bug]		Silence spurious "expected covering NSEC3, got an
			exact match" message when returning a wildcard
			no data response. [RT #21744]

2952.	[port]		win32: named-checkzone and named-checkconf failed
			to initialise winsock. [RT #21932]

2951.	[bug]		named failed to generate a correct signed response
			in a optout, delegation only zone with no secure
			delegations. [RT #22007]

2950.	[bug]		named failed to perform a SOA up to date check when
			falling back to TCP on UDP timeouts when
			ixfr-from-differences was set. [RT #21595]

2949.	[bug]		dns_view_setnewzones() contained a memory leak if
			it was called multiple times. [RT #21942]

2948.	[port]		MacOS: provide a mechanism to configure the test
			interfaces at reboot. See bin/tests/system/README
			for details.

2947.	[placeholder]

2946.	[doc]		Document the default values for the minimum and maximum
			zone refresh and retry values in the ARM. [RT #21886]

2945.	[doc]		Update empty-zones list in ARM. [RT #21772]

2944.	[maint]		Remove ORCHID prefix from built in empty zones.
			[RT #21772]

2943.	[func]		Add support to load new keys into managed zones
			without signing immediately with "rndc loadkeys".
			Add support to link keys with "dnssec-keygen -S"
			and "dnssec-settime -S".  [RT #21351]

2942.	[contrib]	zone2sqlite failed to setup the entropy sources.
			[RT #21610]

2941.	[bug]		sdb and sdlz (dlz's zone database) failed to support
			DNAME at the zone apex.  [RT #21610]

2940.	[port]		Remove connection aborted error message on
			Windows. [RT #21549]

2939.	[func]		Check that named successfully skips NSEC3 records
			that fail to match the NSEC3PARAM record currently
			in use. [RT# 21868]

2938.	[bug]		When generating signed responses, from a signed zone
			that uses NSEC3, named would use a uninitialised
			pointer if it needed to skip a NSEC3 record because
			it didn't match the selected NSEC3PARAM record for
			zone. [RT# 21868]

2937.	[bug]		Worked around an apparent race condition in over
			memory conditions.  Without this fix a DNS cache DB or
			ADB could incorrectly stay in an over memory state,
			effectively refusing further caching, which
			subsequently made a BIND 9 caching server unworkable.
			This fix prevents this problem from happening by
			polling the state of the memory context, rather than
			making a copy of the state, which appeared to cause
			a race.  This is a "workaround" in that it doesn't
			solve the possible race per se, but several experiments
			proved this change solves the symptom.  Also, the
			polling overhead hasn't been reported to be an issue.
			This bug should only affect a caching server that
			specifies a finite max-cache-size.  It's also quite
			likely that the bug happens only when enabling threads,
			but it's not confirmed yet. [RT #21818]

2936.	[func]		Improved configuration syntax and multiple-view
			support for addzone/delzone feature (see change
			#2930).  Removed "new-zone-file" option, replaced
			with "allow-new-zones (yes|no)".  The new-zone-file
			for each view is now created automatically, with
			a filename generated from a hash of the view name.
			It is no longer necessary to "include" the
			new-zone-file in named.conf; this happens
			automatically.  Zones that were not added via
			"rndc addzone" can no longer be removed with
			"rndc delzone". [RT #19447]

2935.	[bug]		nsupdate: improve 'file not found' error message.
			[RT #21871]

2934.	[bug]		Use ANSI C compliant shift range in lib/isc/entropy.c.
			[RT #21871]

2933.	[bug]		'dig +nsid' used stack memory after it went out of
			scope.  This could potentially result in a unknown,
			potentially malformed, EDNS option being sent instead
			of the desired NSID option. [RT #21781]

2932.	[cleanup]	Corrected a numbering error in the "dnssec" test.
			[RT #21597]

2931.	[bug]		Temporarily and partially disable change 2864
			because it would cause infinite attempts of RRSIG
			queries.  This is an urgent care fix; we'll
			revisit the issue and complete the fix later.
			[RT #21710]

2930.	[experimental]	New "rndc addzone" and "rndc delzone" commads
			allow dynamic addition and deletion of zones.
			To enable this feature, specify a "new-zone-file"
			option at the view or options level in named.conf.
			Zone configuration information for the new zones
			will be written into that file.  To make the new
			zones persist after a restart, "include" the file
			into named.conf in the appropriate view.  (Note:
			This feature is not yet documented, and its syntax
			is expected to change.) [RT #19447]

2929.	[bug]		Improved handling of GSS security contexts:
			 - added LRU expiration for generated TSIGs
			 - added the ability to use a non-default realm
			 - added new "realm" keyword in nsupdate
			 - limited lifetime of generated keys to 1 hour
			   or the lifetime of the context (whichever is
			   smaller)
			[RT #19737]

2928.	[bug]		Be more selective about the non-authoritative
			answer we apply change 2748 to. [RT #21594]

2927.	[placeholder]

2926.	[placeholder]

2925.	[bug]		Named failed to accept uncachable negative responses
			from insecure zones. [RT# 21555]

2924.	[func]		'rndc  secroots'  dump a combined summary of the
			current managed keys combined with trusted keys.
			[RT #20904]

2923.	[bug]		'dig +trace' could drop core after "connection
			timeout". [RT #21514]

2922.	[contrib]	Update zkt to version 1.0.

2921.	[bug]		The resolver could attempt to destroy a fetch context
			too soon.  [RT #19878]

2920.	[func]		Allow 'filter-aaaa-on-v4' to be applied selectively
			to IPv4 clients.  New acl 'filter-aaaa' (default any).

2919.	[func]		Add autosign-ksk and autosign-zsk virtual time tests.
			[RT #20840]

2918.	[maint]		Add AAAA address for I.ROOT-SERVERS.NET.

2917.	[func]		Virtual time test framework. [RT #20801]

2916.	[func]		Add framework to use IPv6 in tests.
			fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7

2915.	[cleanup]	Be smarter about which objects we attempt to compile
			based on configure options. [RT #21444]

2914.	[bug]		Make the "autosign" system test more portable.
			[RT #20997]

2913.	[func]		Add pkcs#11 system tests. [RT #20784]

2912.	[func]		Windows clients don't like UPDATE responses that clear
			the zone section. [RT #20986]

2911.	[bug]		dnssec-signzone didn't handle out of zone records well.
			[RT #21367]

2910.	[func]		Sanity check Kerberos credentials. [RT #20986]

2909.	[bug]		named-checkconf -p could die if "update-policy local;"
			was specified in named.conf. [RT #21416]

2908.	[bug]		It was possible for re-signing to stop after removing
			a DNSKEY. [RT #21384]

2907.	[bug]		The export version of libdns had undefined references.
			[RT #21444]

2906.	[bug]		Address RFC 5011 implementation issues. [RT #20903]

2905.	[port]		aix: set use_atomic=yes with native compiler.
			[RT #21402]

2904.	[bug]		When using DLV, sub-zones of the zones in the DLV,
			could be incorrectly marked as insecure instead of
			secure leading to negative proofs failing.  This was
			a unintended outcome from change 2890. [RT# 21392]

2903.	[bug]		managed-keys-directory missing from namedconf.c.
			[RT #21370]

2902.	[func]		Add regression test for change 2897. [RT #21040]

2901.	[port]		Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]

2900.	[bug]		The placeholder negative caching element was not
			properly constructed triggering a INSIST in
			dns_ncache_towire(). [RT #21346]

2899.	[port]		win32: Support linking against OpenSSL 1.0.0.

2898.	[bug]		nslookup leaked memory when -domain=value was
			specified. [RT #21301]

2897.	[bug]		NSEC3 chains could be left behind when transitioning
			to insecure. [RT #21040]

2896.	[bug]		"rndc sign" failed to properly update the zone
			when adding a DNSKEY for publication only. [RT #21045]

2895.	[func]		genrandom: add support for the generation of multiple
			files.  [RT #20917]

2894.	[contrib]	DLZ LDAP support now use '$' not '%'. [RT #21294]

2893.	[bug]		Improve managed keys support.  New named.conf option
			managed-keys-directory. [RT #20924]

2892.	[bug]		Handle REVOKED keys better. [RT #20961]

2891.	[maint]		Update empty-zones list to match
			draft-ietf-dnsop-default-local-zones-13. [RT# 21099]

2890.	[bug]		Handle the introduction of new trusted-keys and
			DS, DLV RRsets better. [RT #21097]

2889.	[bug]		Elements of the grammar where not properly reported.
			[RT #21046]

2888.	[bug]		Only the first EDNS option was displayed. [RT #21273]

2887.	[bug]		Report the keytag times in UTC in the .key file,
			local time is presented as a comment within the
			comment.  [RT #21223]

2886.	[bug]		ctime() is not thread safe. [RT #21223]

2885.	[bug]		Improve -fno-strict-aliasing support probing in
			configure. [RT #21080]

2884.	[bug]		Insufficient validation in dns_name_getlabelsequence().
			[RT #21283]

2883.	[bug]		'dig +short' failed to handle really large datasets.
			[RT #21113]

2882.	[bug]		Remove memory context from list of active contexts
			before clearing 'magic'. [RT #21274]

2881.	[bug]		Reduce the amount of time the rbtdb write lock
			is held when closing a version. [RT #21198]

2880.	[cleanup]	Make the output of dnssec-keygen and dnssec-revoke
			consistent. [RT #21078]

2879.	[contrib]	DLZ bdbhpt driver fails to close correct cursor.
			[RT #21106]

2878.	[func]		Incrementally write the master file after performing
			a AXFR.  [RT #21010]

2877.	[bug]		The validator failed to skip obviously mismatching
			RRSIGs. [RT #21138]

2876.	[bug]		Named could return SERVFAIL for negative responses
			from unsigned zones. [RT #21131]

2875.	[bug]		dns_time64_fromtext() could accept non digits.
			[RT #21033]

2874.	[bug]		Cache lack of EDNS support only after the server
			successfully responds to the query using plain DNS.
			[RT #20930]

2873.	[bug]		Cancelling a dynamic update via the dns/client module
			could trigger an assertion failure. [RT #21133]

2872.	[bug]		Modify dns/client.c:dns_client_createx() to only
			require one of IPv4 or IPv6 rather than both.
			[RT #21122]

2871.	[bug]		Type mismatch in mem_api.c between the definition and
			the header file, causing build failure with
			--enable-exportlib. [RT #21138]

2870.	[maint]		Add AAAA address for L.ROOT-SERVERS.NET.

2869.	[bug]		Fix arguments to dns_keytable_findnextkeynode() call.
			[RT #20877]

2868.	[cleanup]	Run "make clean" at the end of configure to ensure
			any changes made by configure are integrated.
			Use --with-make-clean=no to disable.  [RT #20994]

2867.	[bug]		Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
			don't like it.  [RT #20986]

2866.	[bug]		Windows does not like the TSIG name being compressed.
			[RT #20986]

2865.	[bug]		memset to zero event.data.  [RT #20986]

2864.	[bug]		Direct SIG/RRSIG queries were not handled correctly.
			[RT #21050]

2863.	[port]		linux: disable IPv6 PMTUD and use network minimum MTU.
			[RT #21056]

2862.	[bug]		nsupdate didn't default to the parent zone when
			updating DS records. [RT #20896]

2861.	[doc]		dnssec-settime man pages didn't correctly document the
			inactivation time. [RT #21039]

2860.	[bug]		named-checkconf's usage was out of date. [RT #21039]

2859.	[bug]		When cancelling validation it was possible to leak
			memory. [RT #20800]

2858.	[bug]		RTT estimates were not being adjusted on ICMP errors.
			[RT #20772]

2857.	[bug]		named-checkconf did not fail on a bad trusted key.
			[RT #20705]

2856.	[bug]		The size of a memory allocation was not always properly
			recorded. [RT #20927]

2855.	[func]		nsupdate will now preserve the entered case of domain
			names in update requests it sends. [RT #20928]

2854.	[func]		dig: allow the final soa record in a axfr response to
			be suppressed, dig +onesoa. [RT #20929]

2853.	[bug]		add_sigs() could run out of scratch space. [RT #21015]

2852.	[bug]		Handle broken DNSSEC trust chains better. [RT #15619]

2851.	[doc]		nslookup.1, removed <informalexample> from the docbook
			source as it produced bad nroff.  [RT #21007]

2850.	[bug]		If isc_heap_insert() failed due to memory shortage
			the heap would have corrupted entries. [RT #20951]

2849.	[bug]		Don't treat errors from the xml2 library as fatal.
			[RT #20945]

2848.	[doc]		Moved README.dnssec, README.libdns, README.pkcs11 and
			README.rfc5011 into the ARM. [RT #20899]

2847.	[cleanup]	Corrected usage message in dnssec-settime. [RT #20921]

2846.	[bug]		EOF on unix domain sockets was not being handled
			correctly. [RT #20731]

2845.	[bug]		RFC 5011 client could crash on shutdown. [RT #20903]

2844.	[doc]		notify-delay default in ARM was wrong.  It should have
			been five (5) seconds.

2843.	[func]		Prevent dnssec-keygen and dnssec-keyfromlabel from
			creating key files if there is a chance that the new
			key ID will collide with an existing one after
			either of the keys has been revoked.  (To override
			this in the case of dnssec-keyfromlabel, use the -y
			option.  dnssec-keygen will simply create a
			different, non-colliding key, so an override is
			not necessary.) [RT #20838]

2842.	[func]		Added "smartsign" and improved "autosign" and
			"dnssec" regression tests. [RT #20865]

2841.	[bug]		Change 2836 was not complete. [RT #20883]

2840.	[bug]		Temporary fixed pkcs11-destroy usage check.
			[RT #20760]

2839.	[bug]		A KSK revoked by named could not be deleted.
			[RT #20881]

2838.	[placeholder]

2837.	[port]		Prevent Linux spurious warnings about fwrite().
			[RT #20812]

2836.	[bug]		Keys that were scheduled to become active could
			be delayed. [RT #20874]

2835.	[bug]		Key inactivity dates were inadvertently stored in
			the private key file with the outdated tag
			"Unpublish" rather than "Inactive".  This has been
			fixed; however, any existing keys that had Inactive
			dates set will now need to have them reset, using
			'dnssec-settime -I'. [RT #20868]

2834.	[bug]		HMAC-SHA* keys that were longer than the algorithm
			digest length were used incorrectly, leading to
			interoperability problems with other DNS
			implementations.  This has been corrected.
			(Note: If an oversize key is in use, and
			compatibility is needed with an older release of
			BIND, the new tool "isc-hmac-fixup" can convert
			the key secret to a form that will work with all
			versions.) [RT #20751]

2833.	[cleanup]	Fix usage messages in dnssec-keygen and dnssec-settime.
			[RT #20851]

2832.	[bug]		Modify "struct stat" in lib/export/samples/nsprobe.c
			to avoid redefinition in some OSs [RT 20831]

2831.	[security]	Do not attempt to validate or cache
			out-of-bailiwick data returned with a secure
			answer; it must be re-fetched from its original
			source and validated in that context. [RT #20819]

2830.	[bug]		Changing the OPTOUT setting could take multiple
			passes. [RT #20813]

2829.	[bug]		Fixed potential node inconsistency in rbtdb.c.
			[RT #20808]

2828.	[security]	Cached CNAME or DNAME RR could be returned to clients
			without DNSSEC validation. [RT #20737]

2827.	[security]	Bogus NXDOMAIN could be cached as if valid. [RT #20712]

2826.	[bug]		NSEC3->NSEC transitions could fail due to a lock not
			being released.  [RT #20740]

2825.	[bug]		Changing the setting of OPTOUT in a NSEC3 chain that
			was in the process of being created was not properly
			recorded in the zone. [RT #20786]

2824.	[bug]		"rndc sign" was not being run by the correct task.
			[RT #20759]

2823.	[bug]		rbtdb.c:getsigningtime() was missing locks. [RT #20781]

2822.	[bug]		rbtdb.c:loadnode() could return the wrong result.
			[RT #20802]

2821.	[doc]		Add note that named-checkconf doesn't automatically
			read rndc.key and bind.keys [RT #20758]

2820.	[func]		Handle read access failure of OpenSSL configuration
			file more user friendly (PKCS#11 engine patch).
			[RT #20668]

2819.	[cleanup]	Removed unnecessary DNS_POINTER_MAXHOPS define.
			[RT #20771]

2818.	[cleanup]	rndc could return an incorrect error code
			when a zone was not found. [RT #20767]

2817.	[cleanup]	Removed unnecessary isc_task_endexclusive() calls.
			[RT #20768]

2816.	[bug]		previous_closest_nsec() could fail to return
			data for NSEC3 nodes [RT #29730]

2815.	[bug]		Exclusively lock the task when freezing a zone.
			[RT #19838]

2814.	[func]		Provide a definitive error message when a master
			zone is not loaded. [RT #20757]

2813.	[bug]		Better handling of unreadable DNSSEC key files.
			[RT #20710]

2812.	[bug]		Make sure updates can't result in a zone with
			NSEC-only keys and NSEC3 records. [RT #20748]

2811.	[cleanup]	Add "rndc sign" to list of commands in rndc usage
			output. [RT #20733]

2810.	[doc]		Clarified the process of transitioning an NSEC3 zone
			to insecure. [RT #20746]

2809.	[cleanup]	Restored accidentally-deleted text in usage output
			in dnssec-settime and dnssec-revoke [RT #20739]

2808.	[bug]		Remove the attempt to install atomic.h from lib/isc.
			atomic.h is correctly installed by the architecture
			specific subdirectories.  [RT #20722]

2807.	[bug]		Fixed a possible ASSERT when reconfiguring zone
			keys. [RT #20720]

	--- 9.7.0rc1 released ---

2806.	[bug]		"rdnc sign" could delay re-signing the DNSKEY
			when it had changed. [RT #20703]

2805.	[bug]		Fixed namespace problems encountered when building
			external programs using non-exported BIND9 libraries
			(i.e., built without --enable-exportlib). [RT #20679]

2804.	[bug]		Send notifies when a zone is signed with "rndc sign"
			or as a result of a scheduled key change. [RT #20700]

2803.	[port]		win32: Install named-journalprint, nsec3hash, arpaname
			and genrandom under windows. [RT #20670]

2802.	[cleanup]	Rena…