path: root/CHANGES
Diffstat (limited to 'CHANGES')
-rw-r--r-- CHANGES 565
1 files changed, 501 insertions, 64 deletions
diff --git a/CHANGES b/CHANGES
index e8383c62baf4..4e3152fd0bb7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,15 +1,15 @@
- --- 9.8.5-P2 released ---
+ --- 9.9.3-P2 released ---
3621. [security] Incorrect bounds checking on private type 'keydata'
can lead to a remotely triggerable REQUIRE failure
(CVE-2013-4854). [RT #34238]
- --- 9.8.5-P1 released ---
+ --- 9.9.3-P1 released ---
3584. [security] Caching data from an incompletely signed zone could
trigger an assertion failure in resolver.c [RT #33690]
- --- 9.8.5 released ---
+ --- 9.9.3 released ---
3568. [cleanup] Add a product description line to the version file,
to be reported by named -v/-V. [RT #33366]
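Review bot: Entry 3584 is tagged [security] but carries no CVE identifier, while 3621 directly above it cites CVE-2013-4854. If a CVE was assigned for the resolver.c assertion failure, add it next to [RT #33690] so operators can match the entry to advisories; if none was assigned, nothing needs to change.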
@@ -21,7 +21,7 @@
3561. [bug] dig: issue a warning if an EDNS query returns FORMERR
or NOTIMP. Adjust usage message. [RT #33363]
- --- 9.8.5rc1 released ---
+ --- 9.9.3rc2 released ---
3560. [bug] isc-config.sh did not honor includedir and libdir
when set via configure. [RT #33345]
@@ -31,6 +31,8 @@
3558. [bug] IXFR of a DLZ stored zone was broken. [RT #33331]
+3557. [bug] Reloading redirect zones was broken. [RT #33292]
+
3556. [maint] Added AAAA for D.ROOT-SERVERS.NET.
3555. [bug] Address theoretical race conditions in acache.c
@@ -51,9 +53,7 @@
3547. [bug] Some malformed unknown rdata records were not properly
detected and rejected. [RT #33129]
-3056. [func] Added support for URI resource record. [RT #23386]
-
- --- 9.8.5rc1 released ---
+ --- 9.9.3rc1 released ---
3546. [func] Add EUI48 and EUI64 types. [RT #33082]
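Review bot: Entry 3056 ("Added support for URI resource record") is dropped at the "-3056." line and nothing in this hunk replaces it. Confirm that URI RR support is still recorded elsewhere in CHANGES for this branch; otherwise a [func] entry disappears from the changelog without explanation.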
@@ -64,8 +64,6 @@
3543. [bug] Update socket structure before attaching to socket
manager after accept. [RT #33084]
-3542. [bug] masterformat system test was broken. [RT #33086]
-
3541. [bug] Parts of libdns were not properly initialized when
built in libexport mode. [RT #33028]
@@ -94,6 +92,17 @@
3530. [contrib] Better RTT tracking in queryperf. [RT #30128]
+3528. [func] New "dnssec-coverage" command scans the timing
+ metadata for a set of DNSSEC keys and reports if a
+ lapse in signing coverage has been scheduled
+ inadvertently. (Note: This tool depends on python;
+ it will not be built or installed on systems that
+ do not have a python interpreter.) [RT #28098]
+
+3527. [compat] Add a URI to allow applications to explicitly
+ request a particular XML schema from the statistics
+ channel, returning 404 if not supported. [RT #32481]
+
3526. [cleanup] Set up dependencies for unit tests correctly during
build. [RT #32803]
@@ -102,7 +111,7 @@
3520. [bug] 'mctx' was not being referenced counted in some places
where it should have been. [RT #32794]
- --- 9.8.5b2 released ---
+ --- 9.9.3b2 released ---
3517. [bug] Reorder destruction to avoid shutdown race. [RT #32777]
@@ -114,6 +123,8 @@
to 1024 bits for hmac-sha384 and hmac-sha512.
[RT #32753]
+3511. [doc] Improve documentation of redirect zones. [RT #32756]
+
3509. [cleanup] Added a product line to version file to allow for
easy naming of different products (BIND
vs BIND ESV, for example). [RT #32755]
@@ -121,8 +132,24 @@
3508. [contrib] queryperf was incorrectly rejecting the -T option.
[RT #32338]
+3507. [bug] Statistics channel XSL (when built with
+ --enable-newstats) had a glitch when attempting
+ to chart query data before any queries had been
+ received. [RT #32620]
+
+3505. [bug] When setting "max-cache-size" and "max-acache-size",
+ larger values than 4 gigabytes could not be set
+ explicitly, though larger sizes were available
+ when setting cache size to 0. This has been
+ corrected; the full range is now available.
+ [RT #32358]
+
3503. [doc] Clarify size_spec syntax. [RT #32449]
+3501. [func] zone-statistics now takes three options: full,
+ terse, and none. "yes" and "no" are retained as
+ synonyms for full and terse, respectively. [RT #29165]
+
3500. [security] Support NAPTR regular expression validation on
all platforms without using libregex, which
can be vulnerable to memory exhaustion attack
@@ -141,6 +168,15 @@
NSIP and NSDNAME checking. --enable-rpz-nsip and
--enable-rpz-nsdname are now the default. [RT #32251]
+3493. [contrib] Added BDBHPT dynamically-lodable DLZ module,
+ contributed by Mark Goldfinch. [RT #32549]
+
+3492. [bug] Fixed a regression in zone loading performance
+ due to lock contention. [RT #30399]
+
+3491. [bug] Slave zones using inline-signing must specify a
+ file name. [RT #31946]
+
3489. [bug] --enable-developer now turns on ISC_LIST_CHECKINIT.
When cloning a rdataset do not copy the link contents.
[RT #32651]
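Review bot: Typo in the new 3493 entry: "dynamically-lodable" should read "dynamically-loadable".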
@@ -156,8 +192,14 @@
3485. [cleanup] Only compile openssl_gostlink.c if we support GOST.
+3483. [bug] Corrected XSL code in use with --enable-newstats.
+ [RT #32587]
+
3481. [cleanup] Removed use of const const in atf.
+3480. [bug] Silence logging noise when setting up zone
+ statistics. [RT #32525]
+
3479. [bug] Address potential memory leaks in gssapi support
code. [RT #32405]
@@ -167,10 +209,18 @@
3474. [bug] nsupdate could assert when the local and remote
address families didn't match. [RT #22897]
+3473. [bug] dnssec-signzone/verify could incorrectly report
+ an error condition due to an empty node above an
+ opt-out delegation lacking an NSEC3. [RT #32072]
+
+3471. [bug] The number of UDP dispatches now defaults to
+ the number of CPUs even if -n has been set to
+ a higher value. [RT #30964]
+
3470. [bug] Slave zones could fail to dump when successfully
refreshing after an initial failure. [RT #31276]
- --- 9.8.5b1 released ---
+ --- 9.9.3b1 released ---
3468. [security] RPZ rules to generate A records (but not AAAA records)
could trigger an assertion failure when used in
@@ -179,6 +229,9 @@
3467. [bug] Added checks in dnssec-keygen and dnssec-settime
to check for delete date < inactive date. [RT #31719]
+3466. [contrib] Corrected the DNS_CLIENTINFOMETHODS_VERSION check
+ in DLZ example driver. [RT #32275]
+
3465. [bug] Handle isolated reserved ports. [RT #31778]
3464. [maint] Updates to PKCS#11 openssl patches, supporting
@@ -192,6 +245,8 @@
3461. [bug] Negative responses could incorrectly have AD=1
set. [RT #32237]
+3460. [bug] Only link against readline where needed. [RT #29810]
+
3458. [bug] Return FORMERR when presented with a overly long
domain named in a request. [RT #29682]
@@ -203,6 +258,9 @@
3454. [port] sparc64: improve atomic support. [RT #25182]
+3453. [bug] 'rndc addzone' of a zone with 'inline-signing yes;'
+ failed. [RT #31960]
+
3452. [bug] Accept duplicate singleton records. [RT #32329]
3451. [port] Increase per thread stack size from 64K to 1M.
@@ -266,9 +324,19 @@
3427. [bug] dig +trace incorrectly displayed name server
addresses instead of names. [RT #31641]
+3426. [bug] dnssec-checkds: Clearer output when records are not
+ found. [RT #31968]
+
3425. [bug] "acacheentry" reference counting was broken resulting
in use after free. [RT #31908]
+3424. [func] dnssec-dsfromkey now emits the hash without spaces.
+ [RT #31951]
+
+3423. [bug] "rndc signing -nsec3param" didn't accept the full
+ range of possible values. Address portability issues.
+ [RT #31938]
+
3422. [bug] Added a clear error message for when the SOA does not
match the referral. [RT #31281]
@@ -279,9 +347,22 @@
3419. [bug] Memory leak on validation cancel. [RT #31869]
+3417. [func] Optional new XML schema (version 3.0) for the
+ statistics channel adds query type statistics at the
+ zone level, and flattens the XML tree and uses
+ compressed format to optimize parsing. Includes new XSL
+ that permits charting via the Google Charts API on
+ browsers that support javascript in XSL. To enable,
+ build with "configure --enable-newstats". [RT #30023]
+
+3416. [bug] Named could die on shutdown if running with 128 UDP
+ dispatches per interface. [RT #31743]
+
3415. [bug] named could die with a REQUIRE failure if a validation
was canceled. [RT #31804]
+3414. [bug] Address locking issues found by Coverity. [RT #31626]
+
3412. [bug] Copy timeval structure from control message data.
[RT #31548]
@@ -295,6 +376,11 @@
(DNS-based Authentication of Named Entities).
[RT #30513]
+3408. [bug] Some DNSSEC-related options (update-check-ksk,
+ dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
+ are now legal in slave zones as long as
+ inline-signing is in use. [RT #31078]
+
3406. [bug] mem.c: Fix compilation errors when building with
ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
@@ -316,6 +402,13 @@
in the "srcid" file in the build tree and normally set
to the most recent git hash. [RT #31494]
+3399. [port] netbsd: rename 'bool' parameter to avoid namespace
+ clash. [RT #31515]
+
+3398. [bug] SOA parameters were not being updated with inline
+ signed zones if the zone was modified while the
+ server was offline. [RT #29272]
+
3397. [bug] dig crashed when using +nssearch with +tcp. [RT #25298]
3396. [bug] OPT records were incorrectly removed from signed,
@@ -348,11 +441,10 @@
3386. [bug] Address locking violation when generating new NSEC /
NSEC3 chains. [RT #31224]
-3384. [bug] Improved logging of crypto errors. [RT #30963]
+3385. [bug] named-checkconf didn't detect missing master lists
+ in also-notify clauses. [RT #30810]
-3383. [security] A certain combination of records in the RBT could
- cause named to hang while populating the additional
- section of a response. [RT #31090]
+3384. [bug] Improved logging of crypto errors. [RT #30963]
3382. [bug] SOA query from slave used use-v6-udp-ports range,
if set, regardless of the address family in use.
@@ -370,6 +462,9 @@
3378. [bug] Handle missing 'managed-keys-directory' better.
[RT #30625]
+3377. [bug] Removed spurious newline from NSEC3 multiline
+ output. [RT #31044]
+
3376. [bug] Lack of EDNS support was being recorded without a
successful response. [RT #30811]
@@ -386,19 +481,34 @@
add NS RRsets to the additional section or not.
[RT #30479]
- --- 9.8.4 released ---
+3316. [tuning] Improved locking performance when recursing.
+ [RT #28836]
+
+3315. [tuning] Use multiple dispatch objects for sending upstream
+ queries; this can improve performance on busy
+ multiprocessor systems by reducing lock contention.
+ [RT #28605]
+
+ --- 9.9.2 released ---
+
+3383. [security] A certain combination of records in the RBT could
+ cause named to hang while populating the additional
+ section of a response. [RT #31090]
3373. [bug] win32: open raw files in binary mode. [RT #30944]
3364. [security] Named could die on specially crafted record.
[RT #30416]
- --- 9.8.4rc1 released ---
+ --- 9.9.2rc1 released ---
+
+3370. [bug] Address use after free while shutting down. [RT #30241]
3369. [bug] nsupdate terminated unexpectedly in interactive mode
if built with readline support. [RT #29550]
-3368. [bug] <dns/iptable.h> and <dns/zone.h> were not C++ safe.
+3368. [bug] <dns/iptable.h>, <dns/private.h> and <dns/zone.h>
+ were not C++ safe.
3367. [bug] dns_dnsseckey_create() result was not being checked.
[RT #30685]
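Review bot: The rewritten 3368 entry adds <dns/private.h> to the list of headers that were not C++ safe but still has no [RT #...] reference, unlike 3369 and 3367 on either side; add the ticket number if one exists. Also note that 3316 and 3315 are inserted above the "9.9.2 released" marker out of numeric sequence with their neighbours; if that placement reflects the release they shipped in, a short remark would save readers from assuming a merge error.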
@@ -417,6 +527,9 @@
could trigger an assertion failure on startup.
[RT #27730]
+3361. [bug] "rndc signing -nsec3param" didn't work correctly
+ when salt was set to '-' (no salt). [RT #30099]
+
3360. [bug] 'host -w' could die. [RT #18723]
3359. [bug] An improperly-formed TSIG secret could cause a
@@ -428,10 +541,12 @@
approaching their expiry, so they don't remain
in caches after expiry. [RT #26429]
- --- 9.8.4b1 released ---
+3355. [port] Use more portable awk in verify system test.
3354. [func] Improve OpenSSL error logging. [RT #29932]
+ --- 9.9.2b1 released ---
+
3353. [bug] Use a single task for task exclusive operations.
[RT #29872]
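Review bot: The new 3355 entry ("Use more portable awk in verify system test.") has no [RT #...] reference, while the other entries in this hunk do. Add the ticket number, or leave it out deliberately if the change had none.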
@@ -446,6 +561,8 @@
ISC_MEM_DEBUGCTX memory debugging flag is set.
[RT #30240]
+3349. [bug] Change #3345 was incomplete. [RT #30233]
+
3348. [bug] Prevent RRSIG data from being cached if a negative
record matching the covering type exists at a higher
trust level. Such data already can't be retrieved from
@@ -459,16 +576,42 @@
3346. [security] Bad-cache data could be used before it was
initialized, causing an assert. [RT #30025]
+3345. [bug] Addressed race condition when removing the last item
+ or inserting the first item in an ISC_QUEUE.
+ [RT #29539]
+
+3344. [func] New "dnssec-checkds" command checks a zone to
+ determine which DS records should be published
+ in the parent zone, or which DLV records should be
+ published in a DLV zone, and queries the DNS to
+ ensure that it exists. (Note: This tool depends
+ on python; it will not be built or installed on
+ systems that do not have a python interpreter.)
+ [RT #28099]
+
3342. [bug] Change #3314 broke saving of stub zones to disk
resulting in excessive cpu usage in some cases.
[RT #29952]
+3341. [func] New "dnssec-verify" command checks a signed zone
+ to ensure correctness of signatures and of NSEC/NSEC3
+ chains. [RT #23673]
+
+3339. [func] Allow the maximum supported rsa exponent size to be
+ specified: "max-rsa-exponent-size <value>;" [RT #29228]
+
+3338. [bug] Address race condition in units tests: asyncload_zone
+ and asyncload_zt. [RT #26100]
+
3337. [bug] Change #3294 broke support for the multiple keys
in controls. [RT #29694]
3335. [func] nslookup: return a nonzero exit code when unable
to get an answer. [RT #29492]
+3334. [bug] Hold a zone table reference while performing a
+ asynchronous load of a zone. [RT #28326]
+
3333. [bug] Setting resolver-query-timeout too low can cause
named to not recover if it loses connectivity.
[RT #29623]
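Review bot: Wording slips in the added entries: 3338 says "units tests" (should be "unit tests") and 3334 says "a asynchronous load" (should be "an asynchronous load"). In 3344, "queries the DNS to ensure that it exists" refers back to plural DS/DLV records, so "they exist" reads more accurately.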
@@ -504,7 +647,7 @@
3317. [func] Add ECDSA support (RFC 6605). [RT #21918]
- --- 9.8.3 released ---
+ --- 9.9.1 released ---
3318. [tuning] Reduce the amount of work performed while holding a
bucket lock when finished with a fetch context.
@@ -536,6 +679,8 @@
3304. [bug] Use hmctx, not mctx when freeing rbtdb->heaps.
[RT #28571]
+3303. [bug] named could die when reloading. [RT #28606]
+
3302. [bug] dns_dnssec_findmatchingkeys could fail to find
keys if the zone name contained character that
required special mappings. [RT #28600]
@@ -549,22 +694,15 @@
3299. [bug] Make SDB handle errors from database drivers better.
[RT #28534]
-3232. [bug] Zero zone->curmaster before return in
- dns_zone_setmasterswithkeys(). [RT #26732]
-
-3183. [bug] Added RTLD_GLOBAL flag to dlopen call. [RT #26301]
-
-3197. [bug] Don't try to log the filename and line number when
- the config parser can't open a file. [RT #22263]
-
- --- 9.8.2 released ---
-
3298. [bug] Named could dereference a NULL pointer in
zmgr_start_xfrin_ifquota if the zone was being removed.
[RT #28419]
3297. [bug] Named could die on a malformed master file. [RT #28467]
+3296. [bug] Named could die with a INSIST failure in
+ client.c:exit_check. [RT #28346]
+
3295. [bug] Adjust isc_time_secondsastimet range check to be more
portable. [RT # 26542]
@@ -576,6 +714,16 @@
3290. [bug] <isc/hmacsha.h> was not being installed. [RT #28169]
+3273. [bug] AAAA responses could be returned in the additional
+ section even when filter-aaaa-on-v4 was in use.
+ [RT #27292]
+
+ --- 9.9.0 released ---
+
+ --- 9.9.0rc4 released ---
+
+3289. [bug] 'rndc retransfer' failed for inline zones. [RT #28036]
+
3288. [bug] dlz_destroy() function wasn't correctly registered
by the DLZ dlopen driver. [RT #28056]
@@ -584,7 +732,7 @@
3286. [bug] Managed key maintenance timer could fail to start
after 'rndc reconfig'. [RT #26786]
- --- 9.8.2rc2 released ---
+ --- 9.9.0rc3 released ---
3285. [bug] val-frdataset was incorrectly disassociated in
proveunsecure after calling startfinddlvsep.
@@ -607,24 +755,34 @@
3280. [bug] Potential double free of a rdataset on out of memory
with DNS64. [RT #27762]
+3279. [bug] Hold a internal reference to the zone while performing
+ a asynchronous load. Address potential memory leak
+ if the asynchronous is cancelled. [RT #27750]
+
3278. [bug] Make sure automatic key maintenance is started
when "auto-dnssec maintain" is turned on during
"rndc reconfig". [RT #26805]
+3277. [bug] win32: isc_socket_dup is not implemented. [RT #27696]
+
3276. [bug] win32: ns_os_openfile failed to return NULL on
safe_open failure. [RT #27696]
-3274. [bug] Log when a zone is not reusable. Only set loadtime
- on successful loads. [RT #27650]
-
-3273. [bug] AAAA responses could be returned in the additional
- section even when filter-aaaa-on-v4 was in use.
- [RT #27292]
+3275. [bug] Corrected rndc -h output; the 'rndc sync -clean'
+ option had been misspelled as '-clear'. (To avoid
+ future confusion, both options now work.) [RT #27173]
3271. [port] darwin: mksymtbl is not always stable, loop several
times before giving up. mksymtbl was using non
portable perl to covert 64 bit hex strings. [RT #27653]
+ --- 9.9.0rc2 released ---
+
+3270. [bug] "rndc reload" didn't reuse existing zones correctly
+ when inline-signing was in use. [RT #27650]
+
+3269. [port] darwin 11 and later now built threaded by default.
+
3268. [bug] Convert RRSIG expiry times to 64 timestamps to work
out the earliest expiry time. [RT #23311]
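Review bot: The added 3279 entry is hard to parse: "Hold a internal reference" and "a asynchronous load" need "an", and "if the asynchronous is cancelled" is missing its noun (presumably "load"). Since this entry describes a reference-counting and leak fix, the sentence should say unambiguously what is cancelled.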
@@ -636,14 +794,26 @@
DNSKEY RRset was not being properly computed.
[RT #26543]
+3265. [bug] Corrected a problem with lock ordering in the
+ inline-signing code. [RT #27557]
+
+3264. [bug] Automatic regeneration of signatures in an
+ inline-signing zone could stall when the server
+ was restarted. [RT #27344]
+
+3263. [bug] "rndc sync" did not affect the unsigned side of an
+ inline-signing zone. [RT #27337]
+
3262. [bug] Signed responses were handled incorrectly by RPZ.
[RT #27316]
- --- 9.8.2rc1 released ---
+3261. [func] RRset ordering now defaults to random. [RT #27174]
3260. [bug] "rrset-order cyclic" could appear not to rotate
for some query patterns. [RT #27170/27185]
+ --- 9.9.0rc1 released ---
+
3259. [bug] named-compilezone: Suppress "dump zone to <file>"
message when writing to stdout. [RT #27109]
@@ -655,12 +825,21 @@
3256. [bug] Disable empty zones for lwresd -C. [RT #27139]
+3255. [func] No longer require that a empty zones be explicitly
+ enabled or that a empty zone is disabled for
+ RFC 1918 empty zones to be configured. [RT #27139]
+
3254. [bug] Set isc_socket_ipv6only() on the IPv6 control channels.
[RT #22249]
3253. [bug] Return DNS_R_SYNTAX when the input to a text field is
too long. [RT #26956]
+3252. [bug] When master zones using inline-signing were
+ updated while the server was offline, the source
+ zone could fall out of sync with the signed
+ copy. They can now resynchronize. [RT #26676]
+
3251. [bug] Enforce a upper bound (65535 bytes) on the amount of
memory dns_sdlz_putrr() can allocate per record to
prevent run away memory consumption on ISC_R_NOSPACE.
@@ -680,8 +859,34 @@
3247. [bug] 'raw' format zones failed to preserve load order
breaking 'fixed' sort order. [RT #27087]
-3243. [port] netbsd,bsdi: the thread defaults were not being
- properly set.
+3246. [bug] Named failed to start with a empty also-notify list.
+ [RT #27087]
+
+3245. [bug] Don't report a error unchanged serials unless there
+ were other changes when thawing a zone with
+ ixfr-fromdifferences. [RT #26845]
+
+3244. [func] Added readline support to nslookup and nsupdate.
+ Also simplified nsupdate syntax to make "update"
+ and "prereq" optional. [RT #24659]
+
+3243. [port] freebsd,netbsd,bsdi: the thread defaults were not
+ being properly set.
+
+3242. [func] Extended the header of raw-format master files to
+ include the serial number of the zone from which
+ they were generated, if different (as in the case
+ of inline-signing zones). This is to be used in
+ inline-signing zones, to track changes between the
+ unsigned and signed versions of the zone, which may
+ have different serial numbers.
+
+ (Note: raw zonefiles generated by this version of
+ BIND are no longer compatible with prior versions.
+ To generate a backward-compatible raw zonefile
+ using dnssec-signzone or named-compilezone, specify
+ output format "raw=0" instead of simply "raw".)
+ [RT #26587]
3241. [bug] Address race conditions in the resolver code.
[RT #26889]
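Review bot: Entry 3242 is tagged [func], yet its note states that raw zonefiles generated by this version "are no longer compatible with prior versions". A [compat] tag (already used for 3527 in this file) or a separate compat entry would make the format break visible to operators scanning for upgrade hazards. In the same hunk, 3245 reads "Don't report a error unchanged serials", which is missing a word, and 3246 cites RT #27087, the same ticket as 3247 just above it; confirm the reference is correct.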
@@ -696,10 +901,21 @@
3237. [bug] dig -6 didn't work with +trace. [RT #26906]
- --- 9.8.2b1 released ---
+3236. [bug] Backed out changes #3182 and #3202, related to
+ EDNS(0) fallback behavior. [RT #26416]
+
+3235. [func] dns_db_diffx, a extended dns_db_diff which returns
+ the generated diff and optionally writes it to a
+ journal. [RT #26386]
3234. [bug] 'make depend' produced invalid makefiles. [RT #26830]
+3233. [bug] 'rndc freeze/thaw' didn't work for inline zones.
+ [RT #26632]
+
+3232. [bug] Zero zone->curmaster before return in
+ dns_zone_setmasterswithkeys(). [RT #26732]
+
3231. [bug] named could fail to send a incompressible zone.
[RT #26796]
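Review bot: Entry 3236 backs out changes #3182 and #3202, but both of those entries are added elsewhere in this patch (3202 "NOEDNS caching on timeout was too aggressive", 3182 "adb retains edns information and caches noedns servers") with no indication that they were later reverted. Annotate 3182 and 3202 with something like "(backed out by #3236)" so a reader landing on them does not assume the EDNS(0) fallback behaviour they describe is in effect.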
@@ -717,14 +933,29 @@
3226. [bug] Address minor resource leakages. [RT #26624]
+3225. [bug] Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
+ messages. [RT #26507]
+
+3224. [bug] 'rndc signing' argument parsing was broken. [RT #26684]
+
+3223. [bug] 'task_test privilege_drop' generated false positives.
+ [RT #26766]
+
+3222. [cleanup] Replace dns_journal_{get,set}_bitws with
+ dns_journal_{get,set}_sourceserial. [RT #26634]
+
3221. [bug] Fixed a potential core dump on shutdown due to
referencing fetch context after it's been freed.
[RT #26720]
+ --- 9.9.0b2 released ---
+
3220. [bug] Change #3186 was incomplete; dns_db_rpz_findips()
could fail to set the database version correctly,
causing an assertion failure. [RT #26180]
+3219. [bug] Disable NOEDNS caching following a timeout.
+
3218. [security] Cache lookup could return RRSIG data associated with
nonexistent records, leading to an assertion
failure. [RT #26590]
@@ -733,12 +964,24 @@
3216. [bug] resolver.c:validated() was not thread-safe. [RT #26478]
+3215. [bug] 'rndc recursing' could cause a core dump. [RT #26495]
+
+3214. [func] Add 'named -U' option to set the number of UDP
+ listener threads per interface. [RT #26485]
+
3213. [doc] Clarify ixfr-from-differences behavior. [RT #25188]
3212. [bug] rbtdb.c: failed to remove a node from the deadnodes
list prior to adding a reference to it leading a
possible assertion failure. [RT #23219]
+3211. [func] dnssec-signzone: "-f -" prints to stdout; "-O full"
+ option prints in single-line-per-record format.
+ [RT #20287]
+
+3210. [bug] Canceling the oldest query due to recursive-client
+ overload could trigger an assertion failure. [RT #26463]
+
3209. [func] Add "dnssec-lookaside 'no'". [RT #24858]
3208. [bug] 'dig -y' handle unknown tsig algorithm better.
@@ -748,6 +991,11 @@
3206. [cleanup] Add ISC information to log at start time. [RT #25484]
+3205. [func] Upgrade dig's defaults to better reflect modern
+ nameserver behavior. Enable "dig +adflag" and
+ "dig +edns=0" by default. Enable "+dnssec" when
+ running "dig +trace". [RT #23497]
+
3204. [bug] When a master server that has been marked as
unreachable sends a NOTIFY, mark it reachable
again. [RT #25960]
@@ -755,12 +1003,24 @@
3203. [bug] Increase log level to 'info' for validation failures
from expired or not-yet-valid RRSIGs. [RT #21796]
+3202. [bug] NOEDNS caching on timeout was too aggressive.
+ [RT #26416]
+
+3201. [func] 'rndc querylog' can now be given an on/off parameter
+ instead of only being used as a toggle. [RT #18351]
+
3200. [doc] Some rndc functions were undocumented or were
missing from 'rndc -h' output. [RT #25555]
+3199. [func] When logging client information, include the name
+ being queried. [RT #25944]
+
3198. [doc] Clarified that dnssec-settime can alter keyfile
permissions. [RT #24866]
+3197. [bug] Don't try to log the filename and line number when
+ the config parser can't open a file. [RT #22263]
+
3196. [bug] nsupdate: return nonzero exit code when target zone
doesn't exist. [RT #25783]
@@ -789,10 +1049,50 @@
3187. [port] win32: support for Visual Studio 2008. [RT #26356]
+ --- 9.9.0b1 released ---
+
3186. [bug] Version/db mis-match in rpz code. [RT #26180]
+3185. [func] New 'rndc signing' option for auto-dnssec zones:
+ - 'rndc signing -list' displays the current
+ state of signing operations
+ - 'rndc signing -clear' clears the signing state
+ records for keys that have fully signed the zone
+ - 'rndc signing -nsec3param' sets the NSEC3
+ parameters for the zone
+ The 'rndc keydone' syntax is removed. [RT #23729]
+
+3184. [bug] named had excessive cpu usage when a redirect zone was
+ configured. [RT #26013]
+
+3183. [bug] Added RTLD_GLOBAL flag to dlopen call. [RT #26301]
+
+3182. [bug] Auth servers behind firewalls which block packets
+ greater than 512 bytes may cause other servers to
+ perform poorly. Now, adb retains edns information
+ and caches noedns servers. [RT #23392/24964]
+
+3181. [func] Inline-signing is now supported for master zones.
+ [RT #26224]
+
+3180. [func] Local copies of slave zones are now saved in raw
+ format by default, to improve startup performance.
+ 'masterfile-format text;' can be used to override
+ the default, if desired. [RT #25867]
+
3179. [port] kfreebsd: build issues. [RT #26273]
+3178. [bug] A race condition introduced by change #3163 could
+ cause an assertion failure on shutdown. [RT #26271]
+
+3177. [func] 'rndc keydone', remove the indicator record that
+ named has finished signing the zone with the
+ corresponding key. [RT #26206]
+
+3176. [doc] Corrected example code and added a README to the
+ sample external DLZ module in contrib/dlz/example.
+ [RT #26215]
+
3175. [bug] Fix how DNSSEC positive wildcard responses from a
NSEC3 signed zone are validated. Stop sending a
unnecessary NSEC3 record when generating such
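Review bot: Entry 3185 ends with "The 'rndc keydone' syntax is removed", while 3177, added further down in this same hunk, introduces 'rndc keydone'. The file reads newest-first, so the two are consistent, but 3177 on its own documents a command that no longer exists; add a pointer such as "(replaced by 'rndc signing -clear', see #3185)" to 3177.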
@@ -803,9 +1103,14 @@
3173. [port] Correctly validate root DS responses. [RT #25726]
+3172. [port] darwin 10.* and freebsd [89] are now built threaded by
+ default.
+
3171. [bug] Exclusively lock the task when adding a zone using
'rndc addzone'. [RT #25600]
+ --- 9.9.0a3 released ---
+
3170. [func] RPZ update:
- fix precedence among competing rules
- improve ARM text including documenting rule precedence
@@ -820,10 +1125,28 @@
3169. [func] Catch db/version mis-matches when calling dns_db_*().
[RT #26017]
+3168. [bug] Nxdomain redirection could trigger an assert with
+ a ANY query. [RT #26017]
+
3167. [bug] Negative answers from forwarders were not being
correctly tagged making them appear to not be cached.
[RT #25380]
+3166. [bug] Upgrading a zone to support inline-signing failed.
+ [RT #26014]
+
+3165. [bug] dnssec-signzone could generate new signatures when
+ resigning, even when valid signatures were already
+ present. [RT #26025]
+
+3164. [func] Enable DLZ modules to retrieve client information,
+ so that responses can be changed depending on the
+ source address of the query. [RT #25768]
+
+3163. [bug] Use finer-grained locking in client.c to address
+ concurrency problems with large numbers of threads.
+ [RT #26044]
+
3162. [test] start.pl: modified to allow for "named.args" in
ns*/ subdirectory to override stock arguments to
named. Largely from RT#26044, but no separate ticket.
@@ -831,24 +1154,52 @@
3161. [bug] zone.c:del_sigs failed to always reset rdata leading
assertion failures. [RT #25880]
+3160. [bug] When printing out a NSEC3 record in multiline form
+ the newline was not being printed causing type codes
+ to be run together. [RT #25873]
+
+3159. [bug] On some platforms, named could assert on startup
+ when running in a chrooted environment without
+ /proc. [RT #25863]
+
+3158. [bug] Recursive servers would prefer a particular UDP
+ socket instead of using all available sockets.
+ [RT #26038]
+
3157. [tuning] Reduce the time spent in "rndc reconfig" by parsing
the config file before pausing the server. [RT #21373]
+3156. [placeholder]
+
+ --- 9.9.0a2 released ---
+
3155. [bug] Fixed a build failure when using contrib DLZ
drivers (e.g., mysql, postgresql, etc). [RT #25710]
3154. [bug] Attempting to print an empty rdataset could trigger
an assert. [RT #25452]
+3153. [func] Extend request-ixfr to zone level and remove the
+ side effect of forcing an AXFR. [RT #25156]
+
3152. [cleanup] Some versions of gcc and clang failed due to
incorrect use of __builtin_expect. [RT #25183]
3151. [bug] Queries for type RRSIG or SIG could be handled
incorrectly. [RT #21050]
+3150. [func] Improved startup and reconfiguration time by
+ enabling zones to load in multiple threads. [RT #25333]
+
+3149. [placeholder]
+
3148. [bug] Processing of normal queries could be stalled when
forwarding a UPDATE message. [RT #24711]
+3147. [func] Initial inline signing support. [RT #23657]
+
+ --- 9.9.0a1 released ---
+
3146. [test] Fixed gcc4.6.0 errors in ATF. [RT #25598]
3145. [test] Capture output of ATF unit tests in "./atf.out" if
@@ -859,29 +1210,31 @@
3143. [bug] Silence clang compiler warnings. [RT #25174]
-3139. [test] Added tests from RFC 6234, RFC 2202, and RFC 1321
- for the hashing algorithms (md5, sha1 - sha512, and
- their hmac counterparts). [RT #25067]
-
- --- 9.8.1 released ---
-
- --- 9.8.1rc1 released ---
+3142. [bug] NAPTR is class agnostic. [RT #25429]
3141. [bug] Silence spurious "zone serial (0) unchanged" messages
associated with empty zones. [RT #25079]
+3140. [func] New command "rndc flushtree <name>" clears the
+ specified name from the server cache along with
+ all names under it. [RT #19970]
+
+3139. [test] Added tests from RFC 6234, RFC 2202, and RFC 1321
+ for the hashing algorithms (md5, sha1 - sha512, and
+ their hmac counterparts). [RT #25067]
+
3138. [bug] Address memory leaks and out-of-order operations when
shutting named down. [RT #25210]
+3137. [func] Improve hardware scalability by allowing multiple
+ worker threads to process incoming UDP packets.
+ This can significantly increase query throughput
+ on some systems. [RT #22992]
+
3136. [func] Add RFC 1918 reverse zones to the list of built-in
empty zones switched on by the 'empty-zones-enable'
option. [RT #24990]
- Note: empty-zones-enable must be "yes;" or a empty
- zone needs to be disabled in named.conf for RFC 1918
- zones to be activated. This requirement may be
- removed in future releases.
-
3135. [port] FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
[RT #24950]
@@ -889,19 +1242,34 @@
3134. [bug] Improve the accuracy of dnssec-signzone's signing
statistics. [RT #16030]
- --- 9.8.1b3 released ---
-
3133. [bug] Change #3114 was incomplete. [RT #24577]
+3132. [placeholder]
+
3131. [tuning] Improve scalability by allocating one zone task
per 100 zones at startup time, rather than using a
fixed-size task table. [RT #24406]
+3130. [func] Support alternate methods for managing a dynamic
+ zone's serial number. Two methods are currently
+ defined using serial-update-method, "increment"
+ (default) and "unixtime". [RT #23849]
+
3129. [bug] Named could crash on 'rndc reconfig' when
allow-new-zones was set to yes and named ACLs
were used. [RT #22739]
- --- 9.8.1b2 released ---
+3128. [func] Inserting an NSEC3PARAM via dynamic update in an
+ auto-dnssec zone that has not been signed yet
+ will cause it to be signed with the specified NSEC3
+ parameters when keys are activated. The
+ NSEC3PARAM record will not appear in the zone until
+ it is signed, but the parameters will be stored.
+ [RT #23684]
+
+3127. [bug] 'rndc thaw' will now remove a zone's journal file
+ if the zone serial number has been changed and
+ ixfr-from-differences is not in use. [RT #24687]
3126. [security] Using DNAME record to generate replacements caused
RPZ to exit with a assertion failure. [RT #24766]
@@ -941,6 +1309,12 @@
never-implemented 'auto-dnssec create' option.
[RT #24533]
+3116. [func] New 'dnssec-update-mode' option controls updates
+ of DNSSEC records in signed dynamic zones. Set to
+ 'no-resign' to disable automatic RRSIG regeneration
+ while retaining the ability to sign new or changed
+ data. [RT #24533]
+
3115. [bug] Named could fail to return requested data when
following a CNAME that points into the same zone.
[RT #24455]
@@ -951,8 +1325,6 @@
3113. [doc] Document the relationship between serial-query-rate
and NOTIFY messages.
- --- 9.8.1b1 released ---
-
3112. [doc] Add missing descriptions of the update policy name
types "ms-self", "ms-subdomain", "krb5-self" and
"krb5-subdomain", which allow machines to update
@@ -965,9 +1337,23 @@
3110. [bug] dnssec-signzone: Wrong error message could appear
when attempting to sign with no KSK. [RT #24369]
+3109. [func] The also-notify option now uses the same syntax
+ as a zone's masters clause. This means it is
+ now possible to specify a TSIG key to use when
+ sending notifies to a given server, or to include
+ an explicit named masters list in an also-notfiy
+ statement. [RT #23508]
+
+3108. [cleanup] dnssec-signzone: Clarified some error and
+ warning messages; removed #ifdef ALLOW_KSKLESS_ZONES
+ code (use -P instead). [RT #20852]
+
3107. [bug] dnssec-signzone: Report the correct number of ZSKs
when using -x. [RT #20852]
+3106. [func] When logging client requests, include the name of
+ the TSIG key if any. [RT #23619]
+
3105. [bug] GOST support can be suppressed by "configure
--without-gost" [RT #24367]
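Review bot: Typo in entry 3109: "an also-notfiy statement" should be "an also-notify statement". As written, a search of CHANGES for the option name misses this line. The same entry says a TSIG key can now be specified for notifies to a given server; a short syntax example or a pointer to the masters clause documentation would help readers who do not know that syntax.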
@@ -977,6 +1363,12 @@
instead of in the options statement could trigger
an assertion failure in named-checkconf. [RT #24382]
+3102. [func] New 'dnssec-loadkeys-interval' option configures
+ how often, in minutes, to check the key repository
+ for updates when using automatic key maintenance.
+ Default is every 60 minutes (formerly hard-coded
+ to 12 hours). [RT #23744]
+
3101. [bug] Zones using automatic key maintenance could fail
to check the key repository for updates. [RT #23744]
@@ -1012,6 +1404,9 @@
3090. [func] Make --with-gssapi default [RT #23738]
+3089. [func] dnssec-dsfromkey now supports reading keys from
+ standard input "dnssec-dsfromkey -f -". [RT# 20662]
+
3088. [bug] Remove bin/tests/system/logfileconfig/ns1/named.conf
and add setup.sh in order to resolve changing
named.conf issue. [RT #23687]
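Review bot: The ticket reference in entry 3089 is written "[RT# 20662]", while every other entry in this diff uses "[RT #NNNNN]". Please change it to "[RT #20662]" so that scripted searches on the ticket format find this entry.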
@@ -1024,6 +1419,17 @@
other change has been specified, using "-P now -A now"
as default values. [RT #22474]
+3085. [func] New '-R' option in dnssec-signzone forces removal
+ of signatures which have not yet expired but
+ were generated by a key that no longer exists.
+ [RT #22471]
+
+3084. [func] A new command "rndc sync" dumps pending changes in
+ a dynamic zone to disk; "rndc sync -clean" also
+ removes the journal file after syncing. Also,
+ "rndc freeze" no longer removes journal files.
+ [RT #22473]
+
3083. [bug] NOTIFY messages were not being sent when generating
a NSEC3 chain incrementally. [RT #23702]
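Review bot: Entry 3084 introduces a behaviour change to an existing command ("rndc freeze" no longer removes journal files) inside a [func] entry about the new "rndc sync" command, joined on with "Also,". Operators whose procedures rely on freeze clearing the journal will not find this by scanning for changes to "rndc freeze". Consider giving the freeze change its own entry, or at least leading with it, and cross-referencing change 3127, which alters journal handling in 'rndc thaw'.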
@@ -1044,6 +1450,11 @@
3077. [bug] zone.c:zone_refreshkeys() incorrectly called
dns_zone_attach(), use zone->irefs instead. [RT #23303]
+3076. [func] New '-L' option in dnssec-keygen, dnsset-settime, and
+ dnssec-keyfromlabel sets the default TTL of the
+ key. When possible, automatic signing will use that
+ TTL when the key is published. [RT #23304]
+
3075. [bug] dns_dnssec_findzonekeys{2} used a inconsistent
timestamp when determining which keys are active.
[RT #23642]
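Review bot: Typo in entry 3076: "dnsset-settime" should be "dnssec-settime". The entry also says automatic signing uses the key's TTL "when possible" without saying when it is not possible; one clause on that condition would make the behaviour predictable.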
@@ -1076,7 +1487,7 @@
3066. [func] The DLZ "dlopen" driver is now built by default,
no longer requiring a configure option. To
disable it, use "configure --without-dlopen".
- (Note: driver not supported on win32.) [RT #23467]
+ Driver also supported on win32. [RT #23467]
3065. [bug] RRSIG could have time stamps too far in the future.
[RT #23356]
@@ -1086,6 +1497,25 @@
3063. [contrib] More verbose error reporting from DLZ LDAP. [RT #23402]
+3062. [func] Made several changes to enhance human readability
+ of DNSSEC data in dig output and in generated
+ zone files:
+ - DNSKEY record comments are more verbose, no
+ longer used in multiline mode only
+ - multiline RRSIG records reformatted
+ - multiline output mode for NSEC3PARAM records
+ - "dig +norrcomments" suppresses DNSKEY comments
+ - "dig +split=X" breaks hex/base64 records into
+ fields of width X; "dig +nosplit" disables this.
+ [RT #22820]
+
+3061. [func] New option "dnssec-signzone -D", only write out
+ generated DNSSEC records. [RT #22896]
+
+3060. [func] New option "dnssec-signzone -X <date>" allows
+ specification of a separate expiration date
+ for DNSKEY RRSIGs and other RRSIGs. [RT #22141]
+
3059. [test] Added a regression test for change #3023.
3058. [bug] Cause named to terminate at startup or rndc reconfig/
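Review bot: Entry 3060 is ambiguous about what "-X <date>" sets: "a separate expiration date for DNSKEY RRSIGs and other RRSIGs" does not say which of the two groups the -X date applies to and which keeps the existing expiration. Please state that explicitly. In entry 3062, "dig +split=X" should also give the unit of X and the default width, since the text only says "fields of width X".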
@@ -1095,6 +1525,10 @@
3057. [bug] "rndc secroots" would abort after the first error
and so could miss some views. [RT #23488]
+3056. [func] Added support for URI resource record. [RT #23386]
+
+3055. [placeholder]
+
3054. [bug] Added elliptic curve support check in
GOST OpenSSL engine detection. [RT #23485]
@@ -1123,6 +1557,8 @@
3046. [bug] Use RRSIG original TTL to compute validated RRset
and RRSIG TTL. [RT #23332]
+3045. [removed] Replaced by change #3050.
+
3044. [bug] Hold the socket manager lock while freeing the socket.
[RT #23333]
@@ -1143,6 +1579,8 @@
with a CNAME existed between the trust anchor and the
top of the zone. [RT #23338]
+3039. [func] Redirect on NXDOMAIN support. [RT #23146]
+
3038. [bug] Install <dns/rpz.h>. [RT #23342]
3037. [doc] Update COPYRIGHT to contain all the individual
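Review bot: Entry 3039 ("Redirect on NXDOMAIN support.") is too terse for a feature that changes the answers a resolver returns. It names no configuration statement and gives no pointer to documentation, so a reader cannot tell from CHANGES how the feature is enabled or whether it is off by default. Please add the configuration name and the default state.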
@@ -1180,8 +1618,6 @@
after calling grow_headerspace() and if not
re-call grow_headerspace() until we do. [RT #22521]
- --- 9.8.0 released ---
-
3025. [bug] Fixed a possible deadlock due to zone resigning.
[RT #22964]
@@ -1203,8 +1639,6 @@
3019. [test] Test: check apex NSEC3 records after adding DNSKEY
record via UPDATE. [RT #23229]
- --- 9.8.0rc1 released ---
-
3018. [bug] Named failed to check for the "none;" acl when deciding
if a zone may need to be re-signed. [RT #23120]
@@ -1216,6 +1650,8 @@
3015. [port] win32: fix IN6_IS_ADDR_LINKLOCAL and
IN6_IS_ADDR_SITELOCAL macros. [RT #22724]
+3014. [placeholder]
+
3013. [bug] The DNS64 ttl was not always being set as expected.
[RT #23034]
@@ -1223,7 +1659,8 @@
signing records for any remaining DNSKEY changes.
[RT #22590]
-3011. [func] Allow setting this in named.conf using the new
+3011. [func] Change the default query timeout from 30 seconds
+ to 10. Allow setting this in named.conf using the new
'resolver-query-timeout' option, which specifies a max
time in seconds. 0 means 'default' and anything longer
than 30 will be silently set to 30. [RT #22852]
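Review bot: With the added sentence changing the default query timeout from 30 seconds to 10, the unchanged text "0 means 'default'" no longer says which value 0 selects. Please state that 0 now means 10 seconds, and note that sites wanting the previous behaviour must set 'resolver-query-timeout' to 30 explicitly. The entry also keeps "anything longer than 30 will be silently set to 30"; a silent clamp on a timeout is easy to misconfigure, so consider documenting the maximum next to the option or logging when a value is reduced.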