"Fossies" - the Fresh Open Source Software Archive

Member "bind-9.11.35/CHANGES" (10 Aug 2021, 573205 Bytes) of package /linux/misc/dns/bind9/9.11.35/bind-9.11.35.tar.gz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the last Fossies "Diffs" side-by-side code changes report for "CHANGES": 9.17.17_vs_9.17.18.

    1 	--- 9.11.35 released ---
    2 
    3 5685.	[bug]		named failed to check the opcode of responses when
    4 			performing zone refreshes, stub zone updates, and UPDATE
    5 			forwarding. This has been fixed. [GL #2762]
    6 
    7 	--- 9.11.34 released ---
    8 
    9 	--- 9.11.33 released ---
   10 
   11 	--- 9.11.32 released ---
   12 
   13 5631.	[protocol]	Update the implementation of the ZONEMD RR type to match
   14 			RFC 8976. [GL #2658]
   15 
   16 5630.	[func]		Treat DNSSEC responses containing NSEC3 records with
   17 			iteration counts greater than 150 as insecure.
   18 			[GL #2445]
   19 
   20 5629.	[func]		Reduce the maximum supported number of NSEC3 iterations
   21 			that can be configured for a zone to 150. [GL #2642]
   22 
   23 	--- 9.11.31 released ---
   24 
   25 5621.	[bug]		Due to a backporting mistake in change 5609, named
   26 			binaries built against a Kerberos/GSSAPI library whose
   27 			header files did not define the GSS_SPNEGO_MECHANISM
   28 			preprocessor macro were not able to start if their
   29 			configuration included the "tkey-gssapi-credential"
   30 			option. This has been fixed. [GL #2634]
   31 
   32 	--- 9.11.30 released ---
   33 
   34 5617.	[security]	A specially crafted GSS-TSIG query could cause a buffer
   35 			overflow in the ISC implementation of SPNEGO.
   36 			(CVE-2021-25216) [GL #2604]
   37 
   38 5616.	[security]	named crashed when a DNAME record placed in the ANSWER
   39 			section during DNAME chasing turned out to be the final
   40 			answer to a client query. (CVE-2021-25215) [GL #2540]
   41 
   42 5615.	[security]	Insufficient IXFR checks could result in named serving a
   43 			zone without an SOA record at the apex, leading to a
   44 			RUNTIME_CHECK assertion failure when the zone was
   45 			subsequently refreshed. This has been fixed by adding an
   46 			owner name check for all SOA records which are included
   47 			in a zone transfer. (CVE-2021-25214) [GL #2467]
   48 
   49 5614.	[bug]		Ensure all resources are properly cleaned up when a call
   50 			to gss_accept_sec_context() fails. [GL #2620]
   51 
   52 5609.	[func]		The ISC implementation of SPNEGO was removed from BIND 9
   53 			source code. It was no longer necessary as all major
   54 			contemporary Kerberos/GSSAPI libraries include support
   55 			for SPNEGO. [GL #2607]
   56 
   57 	--- 9.11.29 released ---
   58 
   59 5586.	[bug]		An invalid direction field in a LOC record resulted in
   60 			an INSIST failure when a zone file containing such a
   61 			record was loaded. [GL #2499]
   62 
   63 	--- 9.11.28 released ---
   64 
   65 5562.	[security]	Fix off-by-one bug in ISC SPNEGO implementation.
   66 			(CVE-2020-8625) [GL #2354]
   67 
   68 	--- 9.11.27 released ---
   69 
   70 5559.	[bug]		The --with-maxminddb=PATH form of the build-time option
   71 			enabling support for libmaxminddb was not working
   72 			correctly. This has been fixed. [GL #2366]
   73 
   74 5557.	[bug]		Prevent RBTDB instances from being destroyed by multiple
   75 			threads at the same time. [GL #2317]
   76 
   77 5548.	[bug]		named exited with an assertion failure upon startup when
   78 			compiled with --disable-threads and --with-epoll.
   79 			[GL !4454]
   80 
   81 5547.	[bug]		BIND 9 failed to build with --disable-threads and
   82 			--with-geoip2. [GL #2324]
   83 
   84 	--- 9.11.26 released ---
   85 
   86 5544.	[func]		Restore the default value of "nocookie-udp-size" to 4096
   87 			bytes. [GL #2250]
   88 
   89 5541.	[func]		Adjust the "max-recursion-queries" default from 75 to
   90 			100. [GL #2305]
   91 
   92 5540.	[port]		Fix building with native PKCS#11 support for AEP Keyper.
   93 			[GL #2315]
   94 
   95 5539.	[bug]		Tighten handling of missing DNS COOKIE responses over
   96 			UDP by falling back to TCP. [GL #2275]
   97 
   98 5534.	[bug]		The CNAME synthesized from a DNAME was incorrectly
   99 			followed when the QTYPE was CNAME or ANY. [GL #2280]
  100 
  101 	--- 9.11.25 released ---
  102 
  103 5527.	[bug]		A NULL pointer dereference occurred when creating an NTA
  104 			recheck query failed. [GL #2244]
  105 
  106 5523.	[bug]		The initial lookup in a zone transitioning to/from a
  107 			signed state could fail if the DNSKEY RRset was not
  108 			found. [GL #2236]
  109 
  110 5518.	[bug]		Stub zones now work correctly with primary servers using
  111 			"minimal-responses yes". [GL #1736]
  112 
  113 	--- 9.11.24 released ---
  114 
  115 5516.	[func]		The default EDNS buffer size has been changed from 4096
  116 			to 1232 bytes. [GL #2183]
  117 
  118 5513.	[doc]		The ARM section describing the "rrset-order" statement
  119 			was rewritten to make it unambiguous and up-to-date with
  120 			the source code. [GL #2139]
  121 
  122 5510.	[bug]		Implement the attach/detach semantics for dns_message_t
  123 			to fix a data race in accessing an already-destroyed
  124 			fctx->rmessage. [GL #2124]
  125 
  126 5506.	[bug]		Properly handle failed sysconf() calls, so we don't
  127 			report invalid memory size. [GL #2166]
  128 
  129 	--- 9.11.23 released ---
  130 
  131 5497.	[bug]		'dig +bufsize=0' failed to disable EDNS. [GL #2054]
  132 
  133 5496.	[bug]		Address a TSAN report by ensuring each rate limiter
  134 			object holds a reference to its task. [GL #2081]
  135 
  136 5492.	[bug]		Tighten LOC parsing to reject a period (".") and/or "m"
  137 			as a value. Fix handling of negative altitudes which are
  138 			not whole meters. [GL #2074]
  139 
  140 5489.	[bug]		Named erroneously accepted certain invalid resource
  141 			records that were incorrectly processed after
  142 			subsequently being written to disk and loaded back, as
  143 			the wire format differed. Such records include: CERT,
  144 			IPSECKEY, NSEC3, NSEC3PARAM, NXT, SIG, TLSA, WKS, and
  145 			X25. [GL !3953]
  146 
  147 5488.	[bug]		NTA code needed to have a weak reference on its
  148 			associated view to prevent the latter from being deleted
  149 			while NTA tests were being performed. [GL #2067]
  150 
  151 	--- 9.11.22 released ---
  152 
  153 5481.	[security]	"update-policy" rules of type "subdomain" were
  154 			incorrectly treated as "zonesub" rules, which allowed
  155 			keys used in "subdomain" rules to update names outside
  156 			of the specified subdomains. The problem was fixed by
  157 			making sure "subdomain" rules are again processed as
  158 			described in the ARM. (CVE-2020-8624) [GL #2055]
  159 
  160 5480.	[security]	When BIND 9 was compiled with native PKCS#11 support, it
  161 			was possible to trigger an assertion failure in code
  162 			determining the number of bits in the PKCS#11 RSA public
  163 			key with a specially crafted packet. (CVE-2020-8623)
  164 			[GL #2037]
  165 
  166 5476.	[security]	It was possible to trigger an assertion failure when
  167 			verifying the response to a TSIG-signed request.
  168 			(CVE-2020-8622) [GL #2028]
  169 
  170 5475.	[bug]		Wildcard RPZ passthru rules could incorrectly be
  171 			overridden by other rules that were loaded from RPZ
  172 			zones which appeared later in the "response-policy"
  173 			statement. This has been fixed. [GL #1619]
  174 
  175 5474.	[bug]		dns_rdata_hip_next() failed to return ISC_R_NOMORE
  176 			when it should have. [GL !3880]
  177 
  178 5465.	[func]		Added fallback to built-in trust-anchors, managed-keys,
  179 			or trusted-keys if the bindkeys-file (bind.keys) cannot
  180 			be parsed. [GL #1235]
  181 
  182 5463.	[bug]		Address a potential NULL pointer dereference when out of
  183 			memory in dnstap.c. [GL #2010]
  184 
  185 5462.	[bug]		Move LMDB locking from LMDB itself to named. [GL #1976]
  186 
  187 	--- 9.11.21 released ---
  188 
  189 5458.	[bug]		Prevent a theoretically possible NULL dereference caused
  190 			by a data race between zone_maintenance() and
  191 			dns_zone_setview_helper(). [GL #1627]
  192 
  193 5455.	[bug]		named could crash when cleaning dead nodes in
  194 			lib/dns/rbtdb.c that were being reused. [GL #1968]
  195 
  196 5447.	[bug]		IPv6 addresses ending in "::" could break YAML
  197 			parsing. A "0" is now appended to such addresses
  198 			in YAML output from dig, mdig, delv, and dnstap-read.
  199 			[GL #1952]
  200 
  201 5446.	[bug]		The validator could fail to accept a properly signed
  202 			RRset if an unsupported algorithm appeared earlier in
  203 			the DNSKEY RRset than a supported algorithm. It could
  204 			also stop if it detected a malformed public key.
  205 			[GL #1689]
  206 
  207 5440.	[test]		Properly handle missing kyua. [GL #1950]
  208 
  209 	--- 9.11.20 released ---
  210 
  211 5437.	[bug]		Fix a data race in lib/dns/resolver.c:log_formerr().
  212 			[GL #1808]
  213 
  214 5434.	[security]	It was possible to trigger an INSIST in
  215 			lib/dns/rbtdb.c:new_reference() with a particular zone
  216 			content and query patterns. (CVE-2020-8619) [GL #1111]
  217 			[GL #1718]
  218 
  219 5433.	[test]		Prevent the resolver system test for change #5395
  220 			(max-recursion-queries) from failing on systems without
  221 			IPv6 support. [GL #1873]
  222 
  223 5428.	[bug]		Clean up GSSAPI resources in nsupdate only after taskmgr
  224 			has been destroyed. Thanks to Petr Menšík. [GL !3316]
  225 
  226 5427.	[bug]		Fix a regression in address/prefix length checking that
  227 			should have been a warning instead of an error.
  228 			[GL #1849]
  229 
  230 5415.	[test]		Address race in dnssec system test that led to
  231 			test failures. [GL #1852]
  232 
  233 5413.	[test]		Address race in autosign system test that led to
  234 			test failures. [GL #1852]
  235 
  236 5412.	[bug]		'provide-ixfr no;' failed to return up-to-date responses
  237 			when the serial was greater than or equal to the
  238 			current serial. [GL #1714]
  239 
  240 5409.	[performance]	When looking up NSEC3 data in a zone database, skip the
  241 			check for empty non-terminal nodes; the NSEC3 tree does
  242 			not have any. [GL #1834]
  243 
  244 5408.	[protocol]	Print Extended DNS Errors if present in OPT record.
  245 			[GL #1835]
  246 
  247 5405.	[bug]		'named-checkconf -p' could include spurious text in
  248 			server-addresses statements due to an uninitialized DSCP
  249 			value. [GL #1812]
  250 
  251 	--- 9.11.19 released ---
  252 
  253 5404.	[bug]		'named-checkconf -z' could incorrectly indicate
  254 			success if errors were found in one view but not in a
  255 			subsequent one. [GL #1807]
  256 
  257 5398.	[bug]		Named could fail to restart if a zone with a double
  258 			quote (") in its name was added with 'rndc addzone'.
  259 			[GL #1695]
  260 
  261 5395.	[security]	Further limit the number of queries that can be
  262 			triggered from a request.  Root and TLD servers
  263 			are no longer exempt from max-recursion-queries.
  264 			Fetches for missing name server address records
  265 			are limited to 4 for any domain. (CVE-2020-8616)
  266 			[GL #1388]
  267 
  268 5394.	[cleanup]	Named formerly attempted to change the effective UID and
  269 			GID in named_os_openfile(), which could trigger a
  270 			spurious log message if they were already set to the
  271 			desired values. This has been fixed. [GL #1042]
  272 			[GL #1090]
  273 
  274 5390.	[security]	Replaying a TSIG BADTIME response as a request could
  275 			trigger an assertion failure. (CVE-2020-8617)
  276 			[GL #1703]
  277 
  278 5387.	[func]		Warn about AXFR streams with inconsistent message IDs.
  279 			[GL #1674]
  280 
  281 	--- 9.11.18 released ---
  282 
  283 5380.	[contrib]	Fix building MySQL DLZ modules against MySQL 8
  284 			libraries. [GL #1678]
  285 
  286 5379.	[doc]		Clean up serve-stale related options that leaked into
  287 			the BIND 9.11 release. [GL !3265]
  288 
  289 5378.	[bug]		Receiving invalid DNS data was triggering an assertion
  290 			failure in nslookup. [GL #1652]
  291 
  292 5377.	[feature]	Detect atomic operations support on ppc64le. Thanks to
  293 			Petr Menšík. [GL !3295]
  294 
  295 5376.	[bug]		Fix ineffective DNS rebinding protection when BIND is
  296 			configured as a forwarding DNS server. Thanks to Tobias
  297 			Klein. [GL #1574]
  298 
  299 5368.	[bug]		Named failed to restart if 'rndc addzone' names
  300 			contained special characters (e.g. '/'). [GL #1655]
  301 
  302 	--- 9.11.17 released ---
  303 
  304 5358.	[bug]		Inline master zones whose master files were touched
  305 			but otherwise unchanged and were subsequently reloaded
  306 			may have stopped re-signing. [GL !3135]
  307 
  308 5357.	[bug]		Newly added RRSIG records with expiry times before
  309 			the previous earliest expiry times might not be
  310 			re-signed in time.  This was a side effect of 5315.
  311 			[GL !3137]
  312 
  313 	--- 9.11.16 released ---
  314 
  315 5353.	[doc]		Document port and dscp parameters in forwarders
  316 			configuration option. [GL #914]
  317 
  318 5352.	[bug]		Correctly handle catalog zone entries containing
  319 			characters that aren't legal in filenames. [GL #1592]
  320 
  321 5351.	[bug]		CDS / CDNSKEY consistency checks failed to handle
  322 			removal records. [GL #1554]
  323 
  324 5350.	[bug]		When a view was configured with class CHAOS,
  325 			dns_view_findzonecut() could incorrectly return
  326 			success for non-existent records. [GL #1540]
  327 
  328 5348.	[bug]		dnssec-settime -Psync was not being honoured.
  329 			[GL !2925]
  330 
  331 	--- 9.11.15 released ---
  332 
  333 5339.	[bug]		With some libmaxminddb versions, named could erroneously
  334 			match an IP address not belonging to any subnet defined
  335 			in a given GeoIP2 database to one of the existing
  336 			entries in that database. [GL #1552]
  337 
  338 5338.	[bug]		Fix line spacing in `rndc secroots`.
  339 			Thanks to Tony Finch. [GL !2478]
  340 
  341 5337.	[func]		'named -V' now reports maxminddb and protobuf-c
  342 			versions. [GL !2686]
  343 
  344 	--- 9.11.14 released ---
  345 
  346 5330.	[bug]		'configure --without-python' was ineffective if
  347 			PYTHON was set in the environment. [GL #1434]
  348 
  349 5329.	[bug]		Reconfiguring named caused memory to be leaked when any
  350 			GeoIP2 database was in use. [GL #1445]
  351 
  352 5328.	[bug]		rbtdb.c:rdataset_{get,set}ownercase failed to obtain
  353 			a node lock. [GL #1417]
  354 
  355 5327.	[func]		Added a statistics counter to track queries
  356 			dropped because the recursive-clients quota was
  357 			exceeded. [GL #1399]
  358 
  359 5326.	[bug]		Add Python dependency on 'distutils.core' to configure.
  360 			'distutils.core' is required for installation.
  361 			[GL #1397]
  362 
  363 5322.	[bug]		Conditional compilation of lock_callback was
  364 			inconsistent with conditional use of the function
  365 			when forcing BIND to build with older and unsupported
  366 			versions of OpenSSL. [GL #1386]
  367 
  368 5321.	[bug]		Obtain write lock before updating version->records
  369 			and version->bytes. [GL #1341]
  370 
  371 	--- 9.11.13 released ---
  372 
  373 5315.	[bug]		Apply the initial RRSIG expiration spread fixed
  374 			to all dynamically created records in the zone
  375 			including NSEC3. Also fix the signature clusters
  376 			when the server has been offline for prolonged
  377 			period of times. [GL #1256]
  378 
  379 5314.	[func]		Added a new statistics variable "tcp-highwater"
  380 			that reports the maximum number of simultaneous TCP
  381 			clients BIND has handled while running. [GL #1206]
  382 
  383 5313.	[bug]		The default GeoIP2 database location did not match
  384 			the ARM.  'named -V' now reports the default
  385 			location. [GL #1301]
  386 
  387 5310.	[bug]		TCP failures were affecting EDNS statistics. [GL #1059]
  388 
  389 5309.	[bug]		"geoip-use-ecs yes;" was not working for GeoIP2.
  390 			[GL #1275]
  391 
  392 5308.	[bug]		Don't log DNS_R_UNCHANGED from sync_secure_journal()
  393 			at ERROR level in receive_secure_serial(). [GL #1288]
  394 
  395 5307.	[bug]		Fix hang when named-compilezone output is sent to pipe.
  396 			Thanks to Tony Finch. [GL !2481]
  397 
  398 5306.	[security]	Set a limit on the number of concurrently served
  399 			pipelined TCP queries. (CVE-2019-6477) [GL #1264]
  400 
  401 5302.	[bug]		Fix checking that "dnstap-output" is defined when
  402 			"dnstap" is specified in a view. [GL #1281]
  403 
  404 5301.	[bug]		Detect partial prefixes / incomplete IPv4 address in
  405 			acls. [GL #1143]
  406 
  407 	--- 9.11.12 released ---
  408 
  409 5296.	[bug]		Address various issues reported by cppcheck. [GL !2421]
  410 
  411 5294.	[func]		Fallback to ACE name on output in locale, which does not
  412 			support converting it to unicode.  [GL #846]
  413 
  414 5293.	[bug]		On Windows, named crashed upon any attempt to fetch XML
  415 			statistics from it. [GL #1245]
  416 
  417 5292.	[bug]		Queue 'rndc nsec3param' requests while signing inline
  418 			zone changes. [GL #1205]
  419 
  420 	--- 9.11.11 released ---
  421 
  422 5291.	[cleanup]	Revert change #4825 as it was not appropriate for 9.11.
  423 			[GL #1213]
  424 
  425 5290.	[bug]		Address potential NULL pointer dereference in
  426 			isc_ht_find. [GL #1211]
  427 
  428 5287.	[bug]		Address potential NULL pointer dereference. [GL #1208]
  429 
  430 5286.	[contrib]	Address potential NULL pointer dereferences in
  431 			dlz_mysqldyn_mod.c. [GL #1207]
  432 
  433 5285.	[port]		win32: implement "-T maxudpXXX". [GL #837]
  434 
  435 5282.	[bug]		Fixed a bug in searching for possible wildcard matches
  436 			for query names in the RPZ summary database. [GL #1146]
  437 
  438 5281.	[cleanup]	Don't escape commas when reporting named's command
  439 			line. [GL #1189]
  440 
  441 5280.	[protocol]	Add support for displaying EDNS option LLQ. [GL #1201]
  442 
  443 5279.	[bug]		When loading, reject zones containing CDS or CDNSKEY
  444 			RRsets at the zone apex if they would cause DNSSEC
  445 			validation failures if published in the parent zone
  446 			as the DS RRset.  [GL #1187]
  447 
  448 	--- 9.11.10 released ---
  449 
  450 5275.	[bug]		Mark DS records included in referral messages
  451 			with trust level "pending" so that they can be
  452 			validated and cached immediately, with no need to
  453 			re-query. [GL #964]
  454 
  455 5273.	[bug]		Check that bits [64..71] of a dns64 prefix are zero.
  456 			[GL #1159]
  457 
  458 5269.	[port]		cygwin: can return ETIMEDOUT on connect() with a
  459 			non-blocking socket. [GL #1133]
  460 
  461 5268.	[bug]		named could crash during configuration if
  462 			configured to use "geoip continent" ACLs with
  463 			legacy GeoIP. [GL #1163]
  464 
  465 5266.	[bug]		named-checkconf failed to report dnstap-output
  466 			missing from named.conf when dnstap was specified.
  467 			[GL #1136]
  468 
  469 5265.	[bug]		DNS64 and RPZ nodata (CNAME *.) rules interacted badly
  470 			[GL #1106]
  471 
  472 5264.	[func]		New DNS Cookie algorithm - siphash24 - has been added to
  473 			BIND 9. [GL #605]
  474 
  475 	--- 9.11.9 released ---
  476 
  477 5260.	[bug]		dnstap-read was producing malformed output for large
  478 			packets. [GL #1093]
  479 
  480 5258.	[func]		Added support for the GeoIP2 API from MaxMind,
  481 			when BIND is compiled using "configure --with-geoip2".
  482 			The legacy GeoIP API can be enabled by using
  483 			"configure --with-geoip" instead. These options
  484 			cannot be used together.
  485 
  486 			Certain geoip ACL settings that were available with
  487 			legacy GeoIP are not available when using GeoIP2.
  488 			See the ARM for details. [GL #182]
  489 
  490 5257.	[bug]		Some statistics data was not being displayed.
  491 			Add shading to the zone tables. [GL #1030]
  492 
  493 5256.	[bug]		Ensure that glue records are included in root
  494 			priming responses if "minimal-responses" is not
  495 			set to "yes". [GL #1092]
  496 
  497 5255.	[bug]		Errors encountered while reloading inline-signing
  498 			zones could be ignored, causing the zone content to
  499 			be left in an incompletely updated state rather than
  500 			reverted. [GL #1109]
  501 
  502 5253.	[port]		Support platforms that don't define ULLONG_MAX.
  503 			[GL #1098]
  504 
  505 5249.	[bug]		Fix a possible underflow in recursion clients
  506 			statistics when hitting recursive clients
  507 			soft quota. [GL #1067]
  508 
  509 	--- 9.11.8 released ---
  510 
  511 5244.	[security]	Fixed a race condition in dns_dispatch_getnext()
  512 			that could cause an assertion failure if a
  513 			significant number of incoming packets were
  514 			rejected. (CVE-2019-6471) [GL #942]
  515 
  516 5241.	[bug]		Fix Ed448 private and public key ASN.1 prefix blobs.
  517 			[GL #225]
  518 
  519 5237.	[bug]		Recurse to find the root server list with 'dig +trace'.
  520 			[GL #1028]
  521 
  522 	--- 9.11.7 released ---
  523 
  524 5233.	[bug]		Negative trust anchors did not work with "forward only;"
  525 			to validating resolvers. [GL #997]
  526 
  527 5232.	[bug]		Fix a high-load race/crash in isc_socket_cancel().
  528 			[GL #834]
  529 
  530 5231.	[protocol]	Add support for displaying CLIENT-TAG and SERVER-TAG.
  531 			[GL #960]
  532 
  533 5229.	[protocol]	Enforce known SSHFP fingerprint lengths. [GL #852]
  534 
  535 5228.	[cleanup]	If trusted-keys and managed-keys are configured
  536 			simultaneously for the same name, the key cannot
  537 			be rolled automatically. This configuration now
  538 			logs a warning. [GL #868]
  539 
  540 5224.	[bug]		Only test provide-ixfr on TCP streams. [GL #991]
  541 
  542 5222.	[bug]		'delv -t ANY' could leak memory. [GL #983]
  543 
  544 5221.	[test]		Enable parallel execution of system tests on
  545 			Windows. [GL !4101]
  546 
  547 5218.	[bug]		Conditionally include <dlfcn.h>. [GL #995]
  548 
  549 5214.	[bug]		win32: named now removes its lock file upon shutdown.
  550 			[GL #979]
  551 
  552 5213.	[bug]		win32: Eliminated a race which allowed named.exe running
  553 			as a service to be killed prematurely during shutdown.
  554 			[GL #978]
  555 
  556 5210.	[bug]		When dnstap is enabled and recursion is not
  557 			available, incoming queries are now logged
  558 			as "auth". Previously, this depended on whether
  559 			recursion was requested by the client, not on
  560 			whether recursion was available. [GL #963]
  561 
  562 5209.	[bug]		When update-check-ksk is true, add_sigs was not
  563 			considering offline keys, leaving record sets signed
  564 			with the incorrect type key. [GL #763]
  565 
  566 5208.	[test]		Run valid rdata wire encodings through totext+fromtext
  567 			and tofmttext+fromtext methods to check these methods.
  568 			[GL #899]
  569 
  570 5207.	[test]		Check delv and dig TTL values. [GL #965]
  571 
  572 5205.	[bug]		Enforce that a DS hash exists. [GL #899]
  573 
  574 5204.	[test]		Check that dns_rdata_fromtext() produces a record that
  575 			will be accepted by dns_rdata_fromwire(). [GL #852]
  576 
  577 5203.	[bug]		Enforce whether key rdata exists or not in KEY,
  578 			DNSKEY, CDNSKEY and RKEY. [GL #899]
  579 
  580 5197.	[bug]		dig could die in best effort mode on multiple SIG(0)
  581 			records. Similarly on multiple OPT and multiple TSIG
  582 			records. [GL #920]
  583 
  584 5194.	[bug]		Enforce non empty ZOMEMD hash. [GL #899]
  585 
  586 5193.	[bug]		EID and NIMLOC failed to do multi-line output
  587 			correctly. [GL #899]
  588 
  589 5192.	[bug]		configure --fips-mode failed. [GL #946]
  590 
  591 5191.	[port]		Darwin: dlzexternal/driver.so was not building.
  592 			[GL #948]
  593 
  594 5189.	[cleanup]	Remove revoked root DNSKEY from bind.keys. [GL #945]
  595 
  596 5187.	[test]		Set time zone before running any tests in dnstap_test.
  597 			[GL #940]
  598 
  599 5185.	[bug]		PKCS11 build could fail if ECDSA is not supported.
  600 			[GL #935]
  601 
  602 5184.	[bug]		Missing unlocks in sdlz.c. [GL #936]
  603 
  604 5182.	[bug]		Fix a high-load race/crash in handling of
  605 			isc_socket_close() in resolver. [GL #834]
  606 
  607 5180.	[bug]		delv now honors the operating system's preferred
  608 			ephemeral port range. [GL #925]
  609 
  610 5179.	[cleanup]	Replace some vague type declarations with the more
  611 			specific dns_secalg_t and dns_dsdigest_t.
  612 			Thanks to Tony Finch. [GL !1498]
  613 
  614 5178.	[bug]		Handle EDQUOT (disk quota) and ENOSPC (disk full)
  615 			errors when writing files. [GL #902]
  616 
  617 5176.	[tests]		Remove a dependency on libxml in statschannel system
  618 			test. [GL #926]
  619 
  620 5175.	[bug]		Fixed a problem with file input in dnssec-keymgr,
  621 			dnssec-coverage and dnssec-checkds when using
  622 			python3. [GL #882]
  623 
  624 5174.	[doc]		Tidy dnssec-keygen manual. [GL !1557]
  625 
  626 5172.	[bug]		nsupdate now honors the operating system's preferred
  627 			ephemeral port range. [GL #905]
  628 
  629 5170.	[test]		Added --with-dlz-filesystem to feature-test. [GL !1587]
  630 
  631 5168.	[test]		Do not crash on shutdown when RPZ fails to load.  Also,
  632 			keep previous version of the database if RPZ fails to
  633 			load. [GL #813]
  634 
  635 5167.	[bug]		nxdomain-redirect could sometimes lookup the wrong
  636 			redirect name. [GL #892]
  637 
  638 	--- 9.11.6-P1 released ---
  639 
  640 5200.	[security]	tcp-clients settings could be exceeded in some cases,
  641 			which could lead to exhaustion of file descriptors.
  642 			(CVE-2018-5743) [GL #615]
  643 
  644 	--- 9.11.6 released ---
  645 
  646 	--- 9.11.6rc1 released ---
  647 
  648 5166.	[port]		openbsd: Threads are now enabled by default. [GL !1548]
  649 
  650 5164.	[bug]		Correct errno to result translation in dlz filesystem
  651 			modules. [GL #884]
  652 
  653 5163.	[cleanup]	Out-of-tree builds failed --enable-dnstap. [GL #836]
  654 
  655 5162.	[cleanup]	Improve dnssec-keymgr manual. Thanks to Tony Finch.
  656 			[GL !1518]
  657 
  658 5160.	[contrib]	Added DNAME support to the DLZ LDAP schema. Also
  659 			fixed a compilation bug affecting several DLZ
  660 			modules. [GL #872]
  661 
  662 5159.	[bug]		dnssec-coverage was incorrectly ignoring
  663 			names specified on the command line without
  664 			trailing dots. [GL !1478]
  665 
  666 5158.	[protocol]	Add support for AMTRELAY and ZONEMD. [GL #867]
  667 
  668 5157.	[bug]		Nslookup now errors out if there are extra command
  669 			line arguments. [GL #207]
  670 
  671 5154.	[bug]		dig: process_opt could be called twice on the same
  672 			message leading to a assertion failure. [GL #860]
  673 
  674 5148.	[bug]		named did not sign the TKEY response. [GL #821]
  675 
  676 5147.	[bug]		dnssec-keymgr: Add a five-minute margin to better
  677 			handle key events close to 'now'. [GL #848]
  678 
  679 5146.	[bug]		Removed an unnecessary assert that could be
  680 			triggered from PKCS#11 modules during
  681 			deconstruction. [GL #841]
  682 
  683 5143.	[bug]		dnssec-keymgr and dnssec-coverage failed to find
  684 			key files for zone names ending in ".". [GL #560]
  685 
  686 5141.	[security]	Zone transfer controls for writable DLZ zones were
  687 			not effective as the allowzonexfr method was not being
  688 			called for such zones. (CVE-2019-6465) [GL #790]
  689 
  690 5140.	[bug]		Don't immediately mark existing keys as inactive and
  691 			deleted when running dnssec-keymgr for the first
  692 			time. [GL #117]
  693 
  694 5139.	[bug]		If possible, don't use forwarders when priming.
  695 			This ensures we can get root server IP addresses
  696 			from priming query response glue, which may not
  697 			be present if the forwarding server is returning
  698 			minimal responses. [GL #752]
  699 
  700 5134.	[bug]		win32: WSAStartup was not called before getservbyname
  701 			was called. [GL #590]
  702 
  703 5133.	[bug]		'rndc managed-keys' didn't handle class and view
  704 			correctly and failed to add new lines between each
  705 			view. [GL !1327]
  706 
  707 5128.	[bug]		Refreshkeytime was not being updated for managed
  708 			keys zones. [GL #784]
  709 
  710 5127.	[bug]		rcode.c:maybe_numeric failed to handle NUL in text
  711 			regions. [GL #807]
  712 
  713 5126.	[bug]		Named incorrectly accepted empty base64 and hex encoded
  714 			fields when reading master files. [GL #807]
  715 
  716 5125.	[bug]		Allow for up to 100 records or 64k of data when caching
  717 			a negative response. [GL #804]
  718 
  719 5124.	[bug]		Named could incorrectly return FORMERR rather than
  720 			SERVFAIL. [GL #804]
  721 
  722 5123.	[bug]		dig could hang indefinitely after encountering an error
  723 			before creating a TCP socket. [GL #692]
  724 
  725 5122.	[bug]		In a "forward first;" configuration, a forwarder
  726 			timeout did not prevent that forwarder from being
  727 			queried again after falling back to full recursive
  728 			resolution. [GL #315]
  729 
  730 5121.	[contrib]	dlz_stub_driver.c fails to return ISC_R_NOTFOUND on none
  731 			matching zone names. [GL !1299]
  732 
  733 5118.	[security]	Named could crash if it is managing a key with
  734 			`managed-keys` and the authoritative zone is rolling
  735 			the key to an unsupported algorithm. (CVE-2018-5745)
  736 			[GL #780]
  737 
  738 5112.	[bug]		Named/named-checkconf could dump core if there was
  739 			a missing masters clause and a bad notify clause.
  740 			[GL #779]
  741 
  742 5111.	[bug]		Occluded DNSKEY records could make it into the
  743 			delegating NSEC/NSEC3 bitmap. [GL #742]
  744 
  745 5110.	[security]	Named leaked memory if there were multiple Key Tag
  746 			EDNS options present. (CVE-2018-5744) [GL #772]
  747 
  748 5108.	[bug]		Named could fail to determine bottom of zone when
  749 			removing out of date keys leading to invalid NSEC
  750 			and NSEC3 records being added to the zone. [GL #771]
  751 
  752 5107.	[bug]		'host -U' did not work. [GL #769]
  753 
  754 5104.	[cleanup]	Log clearer informational message when a catz zone
  755 			is overridden by a zone in named.conf.
  756 			Thanks to Tony Finch. [GL !1157]
  757 
  758 5103.	[bug]		Add missing design by contract tests to dns_catz*.
  759 			[GL #748]
  760 
  761 5102.	[bug]		dnssec-coverage failed to use the default TTL when
  762 			checking KSK deletion times leading to a exception.
  763 			[GL #585]
  764 
  765 5101.	[bug]		Fix default installation path for Python modules.
  766 			[GL #730]
  767 
  768 5098.	[func]		Failed memory allocations are now fatal. [GL #674]
  769 
  770 5097.	[cleanup]	Remove embedded ATF unit testing framework
  771 			from BIND source distribution.  [GL !875]
  772 
  773 5095.	[test]		Converted all unit tests from ATF to CMocka;
  774 			removed the source code for the ATF libraries.
  775 			Build with "configure --with-cmocka" to enable
  776 			unit testing. [GL #620]
  777 
  778 5094.	[func]		Add 'dig -r' to disable reading of .digrc. [GL !970]
  779 
  780 5092.	[bug]		Address memory leak on SIGTERM in nsupdate when using
  781 			GSS-TSIG. [GL #558]
  782 
  783 5090.	[bug]		dig and mdig failed to properly pre-parse dash value
  784 			pairs when value was a separate argument and started
  785 			with a dash. [GL #584]
  786 
  787 5088.	[bug]		dig/host/nslookup could crash when interrupted close to
  788 			a query timeout. [GL #599]
  789 
  790 5087.	[test]		Check that result tables are complete. [GL #676]
  791 
  792 5086.	[func]		Log of RPZ now includes the QTYPE and QCLASS. [GL #623]
  793 
  794 5084.	[func]		Add configure time detection of Utimaco HSM
  795 			and disable runtime md5/sha1 detection when it
  796 			compiled with it. [GL #656]
  797 
  798 5079.	[func]		Disable IDN processing in dig and nslookup
  799 			when not on a tty. [GL #653]
  800 
  801 5078.	[cleanup]	Require python components to be explicitly disabled if
  802 			python is not available on unix platforms. [GL #601]
  803 
  804 5076.	[bug]		"require-server-cookie" was not effective if
  805 			"rate-limit" was configured. [GL #617]
  806 
  807 5072.	[bug]		Add unit tests for isc_buffer_copyregion() and fix its
  808 			behavior for auto-reallocated buffers. [GL #644]
  809 
  810 5071.	[bug]		Comparison of NXT records was broken. [GL #631]
  811 
  812 5070.	[bug]		Record types which support a empty rdata field were
  813 			not handling the empty rdata field case. [GL #638]
  814 
  815 5066.	[cleanup]	Allow unquoted strings to be used as a zone names
  816 			in response-policy statements. [GL #641]
  817 
  818 5065.	[bug]		Only set IPV6_USE_MIN_MTU on IPv6. [GL #553]
  819 
  820 5064.	[test]		Initialize TZ environment variable before calling
  821 			dns_test_begin in dnstap_test. [GL #624]
  822 
  823 5061.	[protocol]	Add support for EID and NIMLOC. [GL #626]
  824 
  825 5060.	[bug]		GID, UID and UINFO could not be loaded using unknown
  826 			record format. [GL #627]
  827 
  828 5059.	[bug]		Display a per-view list of zones in the web interface.
  829 			[GL #427]
  830 
  831 5057.	[protocol]	Add support for ATMA. [GL #619]
  832 
  833 5051.	[doc]		Documentation incorrectly stated that the
  834 			"server-addresses" static-stub zone option accepts
  835 			custom port numbers. [GL #582]
  836 
  837 5042.	[test]		Make the chained delegations in reclimit behave
  838 			like they would in a regular name server. [GL  #578]
  839 
  840 5041.	[test]		The chain test contains a incomplete delegation.
  841 			[GL #568]
  842 
  843 5039.	[bug]		Named could fail to preserve owner name case of new
  844 			RRset. [GL #420]
  845 
  846 4887.	[test]		Enable the rpzrecurse test to run on Windows.
  847 			[RT #47093]
  848 
  849 	--- 9.11.5 released ---
  850 
  851 	--- 9.11.5rc1 released ---
  852 
  853 5038.	[bug]		Chaosnet addresses were compared incorrectly.
  854 			[GL #562]
  855 
  856 5034.	[bug]		A race between threads could prevent zone maintenance
  857 			scheduled immediately after zone load from being
  858 			performed. [GL #542]
  859 
  860 5033.	[bug]		When adding NTAs to multiple views using "rndc nta",
  861 			the text returned via rndc was incorrectly terminated
  862 			after the first line, making it look as if only one
  863 			NTA had been added. Also, it was not possible to
  864 			differentiate between views with the same name but
  865 			different classes; this has been corrected with the
  866 			addition of a "-class" option. [GL #105]
  867 
  868 5032.	[func]		Add krb5-selfsub and ms-selfsub update policy rules.
  869 			[GL #511]
  870 
  871 5030.	[bug]		Align CMSG buffers to a 64-bit boundary, fixes crash
  872 			on architectures with strict alignment. [GL #521]
  873 
  874 5028.	[bug]		Spread the initial RRSIG expiration times over the
  875 			entire working sig-validity-interval when signing a
  876 			zone in named to even out re-signing and transfer
  877 			loads. [GL #418]
  878 
  879 5026.	[bug]		rndc reconfig should not touch already loaded zones.
  880 			[GL #276]
  881 
  882 5022.	[doc]		Update ms-self, ms-subdomain, krb5-self, and
  883 			krb5-subdomain documentation. [GL !708]
  884 
  885 5021.	[bug]		dig returned a non-zero exit code when it received a
  886 			reply over TCP after a retry. [GL #487]
  887 
  888 5019.	[cleanup]	A message is now logged when ixfr-from-differences is
  889 			set at zone level for an inline-signed zone. [GL #470]
  890 
  891 5018.	[bug]		Fix incorrect sizeof arguments in lib/isc/pk11.c.
  892 			[GL !588]
  893 
  894 5017.	[bug]		lib/isc/pk11.c failed to unlink the session before
  895 			releasing the lock which is unsafe. [GL !589]
  896 
  897 5016.	[bug]		Named could assert with overlapping filter-aaaa and
  898 			dns64 acls. [GL #445]
  899 
  900 5015.	[bug]		Reloading all zones caused zone maintenance to cease
  901 			for inline-signed zones. [GL #435]
  902 
  903 5014.	[bug]		Signatures loaded from the journal for the signed
  904 			version of an inline-signed zone were not scheduled for
  905 			refresh. [GL #482]
  906 
  907 5012.	[bug]		Fix lock order reversal in pk11_initialize. [GL !590]
  908 
  909 5009.	[bug]		Upon an OpenSSL failure, the first error in the OpenSSL
  910 			error queue was not logged. [GL #476]
  911 
  912 5008.	[bug]		"rndc signing -nsec3param ..." requests were silently
  913 			ignored for zones which were not yet loaded or
  914 			transferred. [GL #468]
  915 
  916 5007.	[cleanup]	Replace custom ISC boolean and integer data types
  917 			with C99 stdint.h and stdbool.h types. [GL #9]
  918 
  919 5005.	[bug]		dnssec-verify, and dnssec-signzone at the verification
  920 			step, failed on some validly signed zones. [GL #442]
  921 
  922 5004.	[bug]		'rndc reconfig' could cause inline zones to stop
  923 			re-signing. [GL #439]
  924 
  925 5003.	[bug]		dns_acl_isinsecure did not handle geoip elements.
  926 			[GL #406]
  927 
  928 5002.	[bug]		mdig: Handle malformed +ednsopt option, support 100
  929 			+ednsopt options per query rather than 100 total and
  930 			address memory leaks if +ednsopt was specified.
  931 			[GL #410]
  932 
  933 5001.	[bug]		Fix refcount errors on error paths. [GL !563]
  934 
  935 4996.	[bug]		dig: Handle malformed +ednsopt option. [GL #403]
  936 
  937 4995.	[test]		Add tests for "tcp-self" update policy. [GL !282]
  938 
  939 4994.	[bug]		Trust anchor telemetry queries were not being sent
  940 			upstream for locally served zones. [GL #392]
  941 
  942 4992.	[bug]		The wrong address was being logged for trust anchor
  943 			telemetry queries. [GL #379]
  944 
  945 4990.	[bug]		Prevent a possible NULL reference in pkcs11-keygen.
  946 			[GL #401]
  947 
  948 	--- 9.11.4-P1 released ---
  949 
  950 4997.	[security]	named could crash during recursive processing
  951 			of DNAME records when "deny-answer-aliases" was
  952 			in use. (CVE-2018-5740) [GL #387]
  953 
  954 	--- 9.11.4 released ---
  955 
  956 	--- 9.11.4rc2 released ---
  957 
  958 4984.	[bug]		Improve handling of very large incremental
  959 			zone transfers to prevent journal corruption. [GL #339]
  960 
  961 4983.	[cleanup]	Remove the deprecated flag from "answer-cookie";
  962 			it will be allowed to persist into 9.13. [GL #275].
  963 
  964 4982.	[cleanup]	Return FORMERR if the question section is empty
  965 			and no COOKIE option is present; this restores
  966 			older behavior except in the newly specified
  967 			COOKIE case. [GL #260]
  968 
  969 4981.	[bug]		Fix race in cmsg buffer usage in socket code.
  970 			[GL #180]
  971 
  972 4980.	[bug]		Named-checkconf failed to detect bad in-view targets.
  973 			[GL #288]
  974 
  975 4979.	[bug]		Non-libcap builds were not checking whether all
  976 			requested capabilities are present in the permitted
  977 			capability set. [GL #321]
  978 
  979 4977.	[func]		When starting up, log the same details that
  980 			would be reported by 'named -V'. [GL #247]
  981 
  982 4975.	[bug]		The server cookie computation for sha1 and sha256 did
  983 			not match the method described in RFC 7873. [GL #356]
  984 
  985 4972.	[func]		Declare the 'rdata' argument for dns_rdata_tostruct()
  986 			to be const. [GL #341]
  987 
  988 4971.	[bug]		dnssec-signzone and dnssec-verify did not treat records
  989 			below a DNAME as out-of-zone data. [GL #298]
  990 
  991 4969.	[cleanup]	Refactor zone logging functions. [GL #269]
  992 
  993 	--- 9.11.4rc1 released ---
  994 
  995 4968.	[bug]		If glue records are signed, attempt to validate them.
  996 			[GL #209]
  997 
  998 4966.	[func]		Add the ability to not return a DNS COOKIE option
  999 			when one is present in the request (answer-cookie no;).
 1000 			[GL #173]
 1001 
 1002 4965.	[func]		Add support for marking options as deprecated.
 1003 			[GL #322]
 1004 
 1005 4964.	[bug]		Reduce the probability of double signature when deleting
 1006 			a DNSKEY by checking if the node is otherwise signed
 1007 			by the algorithm of the key to be deleted. [GL #240]
 1008 
 1009 4963.	[test]		ifconfig.sh now uses "ip" instead of "ifconfig",
 1010 			if available, to configure the test interfaces on
 1011 			linux.  [GL #302]
 1012 
 1013 4962.	[cleanup]	Move 'named -T' processing to its own function.
 1014 			[GL #316]
 1015 
 1016 4960.	[security]	When recursion is enabled, but the "allow-recursion"
 1017 			and "allow-query-cache" ACLs are not specified,
 1018 			they should be limited to local networks,
 1019 			but were inadvertently set to match the default
 1020 			"allow-query", thus allowing remote queries.
 1021 			(CVE-2018-5738) [GL #309]
 1022 
 1023 4958.	[bug]		Remove redundant space from NSEC3 record. [GL #281]
 1024 
 1025 4955.	[cleanup]	Silence cppcheck warnings in lib/dns/master.c.
 1026 			[GL #286]
 1027 
 1028 4951.	[protocol]	Add "HOME.ARPA" to list of built in empty zones as
 1029 			per RFC 8375. [GL #273]
 1030 
 1031 4950.	[bug]		ISC_SOCKEVENTATTR_TRUNC was not be set. [GL #238]
 1032 
 1033 4949.	[bug]		lib/isc/print.c failed to handle floating point
 1034 			output correctly. [GL #261]
 1035 
 1036 4946.	[bug]		Additional glue was not being returned by resolver
 1037 			for unsigned zones since change 4596. [GL #209]
 1038 
 1039 4939.	[test]		Add basic unit tests for update_sigs(). [GL #135]
 1040 
 1041 4935.	[func]		Add support for LibreSSL >= 2.7.0 (some OpenSSL 1.1.0
 1042 			call were added). [GL #191]
 1043 
 1044 4933.	[bug]		Not creating signing keys for an inline signed zone
 1045 			prevented changes applied to the raw zone from being
 1046 			reflected in the secure zone until signing keys were
 1047 			made available. [GL #159]
 1048 
 1049 4932.	[bug]		Bumped signed serial of an inline signed zone was
 1050 			logged even when an error occurred while updating
 1051 			signatures. [GL #159]
 1052 
 1053 4930.	[bug]		Remove a bogus check in nslookup command line
 1054 			argument processing. [GL #206]
 1055 
 1056 4926.	[func]		Add root key sentinel support.  To disable, add
 1057 			'root-key-sentinel no;' to named.conf. [GL #37]
 1058 
 1059 4922.	[bug]		dnstap: Log the destination address of client
 1060 			packets rather than the interface address.
 1061 			[GL #197]
 1062 
 1063 4921.	[cleanup]	Add dns_fixedname_initname() and refactor the caller
 1064 			code to make usage of the new function, as a part of
 1065 			refactoring dns_fixedname_*() macros were turned into
 1066 			functions. [GL #183]
 1067 
 1068 4918.	[bug]		Fix double free after keygen error in dnssec-keygen
 1069 			when OpenSSL >= 1.1.0 is used and RSA_generate_key_ex
 1070 			fails. [GL #109]
 1071 
 1072 4915.	[func]		Implement IDNA2008 support in dig by adding support
 1073 			for libidn2.  New dig option +idnin has been added,
 1074 			which allows to process invalid domain names much
 1075 			like dig without IDN support.  libidn2 version 2.0
 1076 			or higher is needed for +idnout enabled by default.
 1077 
 1078 4913.	[test]		Re-implemented older unit tests in bin/tests as ATF,
 1079 			removed the lib/tests unit testing library. [GL #115]
 1080 
 1081 4911.	[test]		Improved the reliability of the 'mkeys' system test.
 1082 			[GL #128]
 1083 
 1084 4910.	[func]		Update util/check-changes to work on release branches.
 1085 			[GL #113]
 1086 
 1087 4909.	[bug]		named-checkconf did not detect in-view zone collisions.
 1088 			[GL #125]
 1089 
 1090 4908.	[test]		Eliminated unnecessary waiting in the allow_query
 1091 			system test. Also changed its name to allow-query.
 1092 			[GL #81]
 1093 
 1094 4907.	[test]		Improved the reliability of the 'notify' system
 1095 			test. [GL #59]
 1096 
 1097 4905.	[bug]		irs_resconf_load() ignored resolv.conf syntax errors
 1098 			when "domain" or "search" options were present in that
 1099 			file. [GL #110]
 1100 
 1101 4903.	[bug]		"check-mx fail;" did not prevent MX records containing
 1102 			IP addresses from being added to a zone by a dynamic
 1103 			update. [GL #112]
 1104 
 1105 4902.	[test]		Improved the reliability of the 'ixfr' system
 1106 			test. [GL #66]
 1107 
 1108 4899.	[test]		Convert most of the remaining system tests to be able
 1109 			to run in parallel, continuing the work from change
 1110 			#4895. To take advantage of this, use "make -jN check",
 1111 			where N is the number of processors to use. [GL #91]
 1112 
 1113 4896.	[test]		cacheclean system test was not robust. [GL #82]
 1114 
 1115 4895.	[test]		Allow some system tests to run in parallel.
 1116 			[RT #46602]
 1117 
 1118 4893.	[bug]		Address various issues reported by cppcheck. [GL #51]
 1119 
 1120 4892.	[bug]		named could leak memory when "rndc reload" was invoked
 1121 			before all zone loading actions triggered by a previous
 1122 			"rndc reload" command were completed. [RT #47076]
 1123 
 1124 4699.	[func]		Multiple cookie-secret clauses can now be specified.
 1125 			The first one specified is used to generate new
 1126 			server cookies.  [RT #45672]
 1127 
 1128 	--- 9.11.3 released ---
 1129 
 1130 	--- 9.11.3rc2 released ---
 1131 
 1132 4904.	[bug]		Temporarily revert change #4859. [GL #124]
 1133 
 1134 	--- 9.11.3rc1 released ---
 1135 
 1136 4889.	[func]		Warn about the use of old root keys without the new
 1137 			root key being present.  Warn about dlv.isc.org's
 1138 			key being present. Warn about both managed and
 1139 			trusted root keys being present. [RT #43670]
 1140 
 1141 4888.	[test]		Initialize sockets correctly in sample-update so
 1142 			that the nsupdate system test will run on Windows.
 1143 			[RT #47097]
 1144 
 1145 4886.	[doc]		Document dig -u in manpage. [RT #47150]
 1146 
 1147 4885.	[security]	update-policy rules that otherwise ignore the name
 1148 			field now require that it be set to "." to ensure
 1149 			that any type list present is properly interpreted.
 1150 			[RT #47126]
 1151 
 1152 4882.	[bug]		Address potential memory leak in
 1153 			dns_update_signaturesinc. [RT #47084]
 1154 
 1155 4881.	[bug]		Only include dst_openssl.h when OpenSSL is required.
 1156 			[RT #47068]
 1157 
 1158 4879.	[bug]		dns_rdata_caa:value_len field was too small.
 1159 			[RT #47086]
 1160 
 1161 4878.	[bug]		List 'ply' as a requirement for the 'isc' python
 1162 			package. [RT #47065]
 1163 
 1164 4811.	[bug]		Revert api changes to use <isc/buffer.h> inline
 1165 			macros.  Provide a alternative mechanism to turn
 1166 			on the use of inline macros when building BIND.
 1167 			[RT #46520]
 1168 
 1169 	--- 9.11.3b1 released ---
 1170 
 1171 4876.	[bug]		Address deadlock with accessing a keytable. [RT #47000]
 1172 
 1173 4875.	[bug]		Address compile failures on older systems. [RT #47015]
 1174 
 1175 4874.	[bug]		Wrong time display when reporting new keywarntime.
 1176 			[RT #47042]
 1177 
 1178 4873.	[doc]		Grammars for named.conf included in the ARM are now
 1179 			automatically generated by the configuration parser
 1180 			itself.  As a side effect of the work needed to
 1181 			separate zone type grammars from each other, this
 1182 			also makes checking of zone statements in
 1183 			named-checkconf more correct and consistent.
 1184 			[RT #36957]
 1185 
 1186 4872.	[bug]		Don't permit loading meta RR types such as TKEY
 1187 			from master files. [RT #47009]
 1188 
 1189 4871.	[bug]		Fix configure glitch in detecting stdatomic.h
 1190 			support on systems with multiple compilers.
 1191 			[RT #46959]
 1192 
 1193 4870.	[test]		Update included ATF library to atf-0.21 preserving
 1194 			the ATF tool. [RT #46967]
 1195 
 1196 4869.	[bug]		Address some cases where NULL with zero length could
 1197 			be passed to memmove which is undefined behaviour and
 1198 			can lead to bad optimisation. [RT #46888]
 1199 
 1200 4867.	[cleanup]	Normalize rndc on/off commands (validation and
 1201 			querylog) so they accept the same synonyms
 1202 			for on/off (yes/no, true/false, enable/disable).
 1203 			Thanks to Tony Finch. [RT #47022]
 1204 
 1205 4866.	[port]		DST library initialization verifies MD5 (when MD5
 1206 			was not disabled) and SHA-1 hash and HMAC support.
 1207 			[RT #46764]
 1208 
 1209 4864.	[bug]		named acting as a slave for a catalog zone crashed if
 1210 			the latter contained a master definition without an IP
 1211 			address. [RT #45999]
 1212 
 1213 4863.	[bug]		Fix various other bugs reported by Valgrind's
 1214 			memcheck tool. [RT #46978]
 1215 
 1216 4862.	[bug]		The rdata flags for RRSIG were not being properly set
 1217 			when constructing a rdataslab. [RT #46978]
 1218 
 1219 4861.	[bug]		The isc_crc64 unit test was not endian independent.
 1220 			[RT #46973]
 1221 
 1222 4860.	[bug]		isc_int8_t should be signed char.  [RT #46973]
 1223 
 1224 4859.	[bug]		A loop was possible when attempting to validate
 1225 			unsigned CNAME responses from secure zones;
 1226 			this caused a delay in returning SERVFAIL and
 1227 			also increased the chances of encountering
 1228 			CVE-2017-3145. [RT #46839]
 1229 
 1230 4858.	[security]	Addresses could be referenced after being freed
 1231 			in resolver.c, causing an assertion failure.
 1232 			(CVE-2017-3145) [RT #46839]
 1233 
 1234 4857.	[bug]		Maintain attach/detach semantics for event->db,
 1235 			event->node, event->rdataset and event->sigrdataset
 1236 			in query.c. [RT #46891]
 1237 
 1238 4856.	[bug]		'rndc zonestatus' reported the wrong underlying type
 1239 			for a inline slave zone. [RT #46875]
 1240 
 1241 4852.	[bug]		Handle strftime() failing in isc_time_formatISO8601ms.
 1242 			Add REQUIRE's and INSIST's to isc_time_formattimestamp,
 1243 			isc_time_formathttptimestamp, isc_time_formatISO8601,
 1244 			isc_time_formatISO8601ms. [RT #46892]
 1245 
 1246 4851.	[port]		Support using kyua as well as atf-run to run the unit
 1247 			tests. [RT #46853]
 1248 
 1249 4850.	[bug]		Named failed to restart with multiple added zones in
 1250 			lmdb database. [RT #46889]
 1251 
 1252 4849.	[bug]		Duplicate zones could appear in the .nzf file if
 1253 			addzone failed. [RT #46435]
 1254 
 1255 4846.	[test]		Adjust timing values in runtime system test. Address
 1256 			named.pid removal races in runtime system test.
 1257 			[RT #46800]
 1258 
 1259 4844.	[test]		Address memory leaks in libatf-c. [RT #46798]
 1260 
 1261 4843.	[bug]		dnssec-signzone free hashlist on exit. [RT #46791]
 1262 
 1263 4842.	[bug]		Conditionally compile opensslecdsa_link.c to avoid
 1264 			warnings about unused function. [RT #46790]
 1265 
 1266 4841.	[bug]		Address -fsanitize=undefined warnings. [RT #46786]
 1267 
 1268 4840.	[test]		Add tests to cover fallback to using ZSK on inactive
 1269 			KSK. [RT #46787]
 1270 
 1271 4839.	[bug]		zone.c:zone_sign was not properly determining
 1272 			if there were active KSK and ZSK keys for
 1273 			a algorithm when update-check-ksk is true
 1274 			(default) leaving records unsigned with one or
 1275 			more DNSKEY algorithms. [RT #46774]
 1276 
 1277 4838.	[bug]		zone.c:add_sigs was not properly determining
 1278 			if there were active KSK and ZSK keys for
 1279 			a algorithm when update-check-ksk is true
 1280 			(default) leaving records unsigned with one or
 1281 			more DNSKEY algorithms. [RT #46754]
 1282 
 1283 4837.	[bug]		dns_update_signatures{inc} (add_sigs) was not
 1284 			properly determining if there were active KSK and
 1285 			ZSK keys for a algorithm when update-check-ksk is
 1286 			true (default) leaving records unsigned when there
 1287 			were multiple DNSKEY algorithms for the zone.
 1288 			[RT #46743]
 1289 
 1290 4836.	[bug]		Zones created using "rndc addzone" could
 1291 			temporarily fail to inherit an "allow-transfer"
 1292 			ACL that had been configured in the options
 1293 			statement. [RT #46603]
 1294 
 1295 4835.	[cleanup]	Clean up and refactor LMDB-related code. [RT #46718]
 1296 
 1297 4834.	[port]		Fix LMDB support on OpenBSD. [RT #46718]
 1298 
 1299 4833.	[bug]		isc_event_free should check that the event is not
 1300 			linked when called. [RT #46725]
 1301 
 1302 4832.	[bug]		Events were not being removed from zone->rss_events.
 1303 			[RT #46725]
 1304 
 1305 4831.	[bug]		Convert the RRSIG expirytime to 64 bits for
 1306 			comparisons in diff.c:resign. [RT #46710]
 1307 
 1308 4830.	[bug]		Failure to configure ATF when requested did not cause
 1309 			an error in top-level configure script. [RT #46655]
 1310 
 1311 4829.	[bug]		isc_heap_delete did not zero the index value when
 1312 			the heap was created with a callback to do that.
 1313 			[RT #46709]
 1314 
 1315 4828.	[bug]		Do not use thread-local storage for storing LMDB reader
 1316 			locktable slots. [RT #46556]
 1317 
 1318 4827.	[misc]		Add a precommit check script util/checklibs.sh
 1319 			[RT #46215]
 1320 
 1321 4826.	[cleanup]	Prevent potential build failures in bin/confgen/ and
 1322 			bin/named/ when using parallel make. [RT #46648]
 1323 
 1324 4825.	[bug]		Prevent a bogus "error during managed-keys processing
 1325 			(no more)" warning from being logged. [RT #46645]
 1326 
 1327 4823.	[test]		Refactor reclimit system test to improve its
 1328 			reliability and speed. [RT #46632]
 1329 
 1330 4822.	[bug]		Use resign_sooner in dns_db_setsigningtime. [RT #46473]
 1331 
 1332 4821.	[bug]		When resigning ensure that the SOA's expire time is
 1333 			always later that the resigning time of other records.
 1334 			[RT #46473]
 1335 
 1336 4820.	[bug]		dns_db_subtractrdataset should transfer the resigning
 1337 			information to the new header. [RT #46473]
 1338 
 1339 4819.	[bug]		Fully backout the transaction when adding a RRset
 1340 			to the resigning / removal heaps fails. [RT #46473]
 1341 
 1342 4818.	[test]		The logfileconfig system test could intermittently
 1343 			report false negatives on some platforms. [RT #46615]
 1344 
 1345 4817.	[cleanup]	Use DNS_NAME_INITABSOLUTE and DNS_NAME_INITNONABSOLUTE.
 1346 			[RT #45433]
 1347 
 1348 4816.	[bug]		Don't use a common array for storing EDNS options
 1349 			in DiG as it could fill up. [RT #45611]
 1350 
 1351 4815.	[bug]		rbt_test.c:insert_and_delete needed to call
 1352 			dns_rbt_addnode instead of dns_rbt_addname. [RT #46553]
 1353 
 1354 4814.	[cleanup]	Use AS_HELP_STRING for consistent help text. [RT #46521]
 1355 
 1356 4812.	[bug]		Minor improvements to stability and consistency of code
 1357 			handling managed keys. [RT #46468]
 1358 
 1359 4810.	[test]		The chain system test failed if the IPv6 interfaces
 1360 			were not configured. [RT #46508]
 1361 
 1362 4809.	[port]		Check at configure time whether -latomic is needed
 1363 			for stdatomic.h. [RT #46324]
 1364 
 1365 4808.	[bug]		Properly test for zlib.h. [RT #46504]
 1366 
 1367 4805.	[bug]		TCP4Active and TCP6Active weren't being updated
 1368 			correctly. [RT #46454]
 1369 
 1370 4804.	[port]		win32: access() does not work on directories as
 1371 			required by POSIX.  Supply a alternative in
 1372 			isc_file_isdirwritable. [RT #46394]
 1373 
 1374 4803.	[bug]		Backport parts of RT #45293 and RT #46267, specifically
 1375 			the fix for RT #46055 and mkeys system test
 1376 			improvements. [RT #46430]
 1377 
 1378 4800.	[bug]		When processing delzone, write one zone config per
 1379 			line to the NZF. [RT #46323]
 1380 
 1381 4799.	[cleanup]	Improve clarity of keytable unit tests. [RT #46407]
 1382 
 1383 4792.	[bug]		Fix map file header correctness check. [RT #38418]
 1384 
 1385 4791.	[doc]		Fixed outdated documentation about export libraries.
 1386 			[RT #46341]
 1387 
 1388 4790.	[bug]		nsupdate could trigger a require when sending a
 1389 			update to the second address of the server.
 1390 			[RT #45731]
 1391 
 1392 4788.	[cleanup]	When using "update-policy local", log a warning
 1393 			when an update matching the session key is received
 1394 			from a remote host. [RT #46213]
 1395 
 1396 4787.	[cleanup]	Turn nsec3param_salt_totext() into a public function,
 1397 			dns_nsec3param_salttotext(), and add unit tests for it.
 1398 			[RT #46289]
 1399 
 1400 4783.	[test]		dnssec: 'check that NOTIFY is sent at the end of
 1401 			NSEC3 chain generation failed' required more time
 1402 			on some machines for the IXFR to complete. [RT #46388]
 1403 
 1404 4782.	[test]		dnssec: 'checking positive and negative validation
 1405 			with negative trust anchors' required more time to
 1406 			complete on some machines. [RT #46386]
 1407 
 1408 4781.	[maint]		B.ROOT-SERVERS.NET is now 199.9.14.201. [RT #45889]
 1409 
 1410 4780.	[bug]		When answering ANY queries, don't include the NS
 1411 			RRset in the authority section if it was already
 1412 			in the answer section. [RT #44543]
 1413 
 1414 4779.	[bug]		Expire NTA at the start of the second. Don't update
 1415 			the expiry value if the record has already expired
 1416 			after a successful check. [RT #46368]
 1417 
 1418 4777.	[cleanup]	Removed a redundant call to configure_view_acl().
 1419 			[RT #46369]
 1420 
 1421 4776.	[bug]		Improve portability of ht_test. [RT #46333]
 1422 
 1423 4775.	[bug]		Address Coverity warnings in ht_test.c [RT #46281]
 1424 
 1425 4774.	[bug]		<isc/util.h> was incorrectly included in several
 1426 			header files. [RT #46311]
 1427 
 1428 4773.	[doc]		Fixed generating Doxygen documentation for functions
 1429 			annotated using certain macros.  Miscellaneous
 1430 			Doxygen-related cleanups. [RT #46276]
 1431 
 1432 4771.	[bug]		When sending RFC 5011 refresh queries, disregard
 1433 			cached DNSKEY rrsets. [RT #46251]
 1434 
 1435 4770.	[bug]		Cache additional data from priming queries as glue.
 1436 			Previously they were ignored as unsigned
 1437 			non-answer data from a secure zone, and never
 1438 			actually got added to the cache, causing hints
 1439 			to be used frequently for root-server
 1440 			addresses, which triggered re-priming. [RT #45241]
 1441 
 1442 4769.	[bug]		Enforce the requirement that the managed keys
 1443 			directory (specified by "managed-keys-directory",
 1444 			and defaulting to the working directory if not
 1445 			specified) must be writable. [RT #46077]
 1446 
 1447 4766.	[cleanup]	Address Coverity warnings. [RT #46150]
 1448 
 1449 4763.	[contrib]	Improve compatibility when building MySQL DLZ
 1450 			module by using mysql_config if available.
 1451 			[RT #45558]
 1452 
 1453 4762.	[func]		"update-policy local" is now restricted to updates
 1454 			from local addresses. (Previously, other addresses
 1455 			were allowed so long as updates were signed by the
 1456 			local session key.) [RT #45492]
 1457 
 1458 4761.	[protocol]	Add support for DOA. [RT #45612]
 1459 
 1460 4759.	[func]		Add logging channel "trust-anchor-telemetry" to
 1461 			record trust-anchor-telemetry in incoming requests.
 1462 			Both _ta-XXXX.<anchor>/NULL and EDNS KEY-TAG options
 1463 			are logged.  [RT #46124]
 1464 
 1465 4758.	[doc]		Remove documentation of unimplemented "topology".
 1466 			[RT #46161]
 1467 
 1468 4756.	[bug]		Interrupting dig could lead to an INSIST failure after
 1469 			certain errors were encountered while querying a host
 1470 			whose name resolved to more than one address.  Change
 1471 			4537 increased the odds of triggering this issue by
 1472 			causing dig to hang indefinitely when certain error
 1473 			paths were evaluated.  dig now also retries TCP queries
 1474 			(once) if the server gracefully closes the connection
 1475 			before sending a response. [RT #42832, #45159]
 1476 
 1477 4755.	[cleanup]	Silence unnecessary log message when NZF file doesn't
 1478 			exist. [RT #46186]
 1479 
 1480 4754.	[bug]		dns_zone_setview needs a two stage commit to properly
 1481 			handle errors. [RT #45841]
 1482 
 1483 4753.	[contrib]	Software obtainable from known upstream locations
 1484 			(i.e., zkt, nslint, query-loc) has been removed.
 1485 			Links to these and other packages can be found at
 1486 			https://www.isc.org/community/tools [RT #46182]
 1487 
 1488 4752.	[test]		Add unit test for isc_net_pton. [RT #46171]
 1489 
 1490 4749.	[func]		The ISC DLV service has been shut down, and all
 1491 			DLV records have been removed from dlv.isc.org.
 1492 			- Removed references to ISC DLV in documentation
 1493 			- Removed DLV key from bind.keys
 1494 			- No longer use ISC DLV by default in delv
 1495 			[RT #46155]
 1496 
 1497 4748.	[cleanup]	Sprintf to snprintf coversions. [RT #46132]
 1498 
 1499 4746.	[cleanup]	Add configured prefixes to configure summary
 1500 			output. [RT #46153]
 1501 
 1502 4745.	[test]		Add color-coded pass/fail messages to system
 1503 			tests when running on terminals that support them.
 1504 			[RT #45977]
 1505 
 1506 4744.	[bug]		Suppress trust-anchor-telemetry queries if
 1507 			validation is disabled. [RT #46131]
 1508 
 1509 4741.	[bug]		Make isc_refcount_current() atomically read the
 1510 			counter value. [RT #46074]
 1511 
 1512 4740.	[cleanup]	Avoid triggering format-truncated warnings. [RT #46107]
 1513 
 1514 4739.	[cleanup]	Address clang static analysis warnings. [RT #45952]
 1515 
 1516 4738.	[port]		win32: strftime mishandles %Z. [RT #46039]
 1517 
 1518 4737.	[cleanup]	Address Coverity warnings. [RT #46012]
 1519 
 1520 4736.	[cleanup]	(a) Added comments to NSEC3-related functions in
 1521 			lib/dns/zone.c.  (b) Refactored NSEC3 salt formatting
 1522 			code.  (c) Minor tweaks to lock and result handling.
 1523 			[RT #46053]
 1524 
 1525 4735.	[bug]		Add @ISC_OPENSSL_LIBS@ to isc-config. [RT #46078]
 1526 
 1527 4734.	[contrib]	Added sample configuration for DNS-over-TLS in
 1528 			contrib/dnspriv.
 1529 
 1530 4731.	[bug]		Fix use after free when closing an LMDB. [RT #46000]
 1531 
 1532 4730.	[bug]		Fix out of bounds access in DHCID totext() method.
 1533 			[RT #46001]
 1534 
 1535 4729.	[bug]		Don't use memset() to wipe memory, as it may be
 1536 			removed by compiler optimizations when the
 1537 			memset() occurs on automatic stack allocation
 1538 			just before function return. [RT #45947]
 1539 
 1540 4728.	[func]		Use C11's stdatomic.h instead of isc_atomic
 1541 			where available. [RT #40668]
 1542 
 1543 4727.	[bug]		Retransferring an inline-signed slave using NSEC3
 1544 			around the time its NSEC3 salt was changed could result
 1545 			in an infinite signing loop. [RT #45080]
 1546 
 1547 4726.	[port]		Prevent setsockopt() errors related to TCP_FASTOPEN
 1548 			from being logged on FreeBSD if the kernel does not
 1549 			support it.  Notify the user when the kernel does
 1550 			support TCP_FASTOPEN, but it is disabled by sysctl.
 1551 			Add a new configure option, --disable-tcp-fastopen, to
 1552 			disable use of TCP_FASTOPEN altogether. [RT #44754]
 1553 
 1554 4725.	[bug]		Nsupdate: "recvsoa" was incorrectly reported for
 1555 			failures in sending the update message.  The correct
 1556 			location to be reported is "update_completed".
 1557 			[RT #46014]
 1558 
 1559 4723.	[bug]		Statistics counter DNSTAPdropped was misidentified
 1560 			as DNSSECdropped. [RT #46002]
 1561 
 1562 4722.	[cleanup]	Clean up uses of strcpy() and strcat() in favor of
 1563 			strlcpy() and strlcat() for safety. [RT #45981]
 1564 
 1565 4719.	[bug]		Address PVS static analyzer warnings. [RT #45946]
 1566 
 1567 4717.	[bug]		Treat replies with QCOUNT=0 as truncated if TC=1,
 1568 			FORMERR if TC=0, and log the error correctly.
 1569 			[RT #45836]
 1570 
 1571 4715.	[bug]		TreeMemMax was mis-identified as a second HeapMemMax
 1572 			in the Json cache statistics. [RT #45980]
 1573 
 1574 4714.	[port]		openbsd/libressl: add support for building with
 1575 			--enable-openssl-hash. [RT #45982]
 1576 
 1577 4713.	[cleanup]	Minor revisions to RPZ code to reduce
 1578 			differences with the development branch. [RT #46037]
 1579 
 1580 4712.	[bug]		"dig +domain" and "dig +search" didn't retain the
 1581 			search domain when retrying with TCP. [RT #45547]
 1582 
 1583 4711.	[test]		Some RR types were missing from genzones.sh.
 1584 			[RT #45782]
 1585 
 1586 4709.	[cleanup]	Use dns_name_fullhash() to hash names for RRL.
 1587 			[RT #45435]
 1588 
 1589 4703.	[bug]		BINDInstall.exe was missing some buffer length checks.
 1590 			[RT #45898]
 1591 
 1592 4698.	[port]		Add --with-python-install-dir configure option to allow
 1593 			specifying a nonstandard installation directory for
 1594 			Python modules. [RT #45407]
 1595 
 1596 4697.	[bug]		Restore workaround for Microsoft Windows TSIG hash
 1597 			computation bug. [RT #45854]
 1598 
 1599 4696.	[port]		Enable filter-aaaa support by default on Windows
 1600 			builds. [RT #45883]
 1601 
 1602 4695.	[bug]		cookie-secrets were not being properly checked by
 1603 			named-checkconf. [RT #45886]
 1604 
 1605 4692.	[bug]		Fix build failures with libressl introduced in 4676.
 1606 			[RT #45879]
 1607 
 1608 4690.	[bug]		Command line options -4/-6 were handled inconsistently
 1609 			between tools. [RT #45632]
 1610 
 1611 4689.	[cleanup]	Turn on minimal responses for CDNSKEY and CDS in
 1612 			addition to DNSKEY and DS. Thanks to Tony Finch.
 1613 			[RT #45690]
 1614 
 1615 4688.	[protocol]	Check and display EDNS KEY TAG options (RFC 8145) in
 1616 			messages. [RT #44804]
 1617 
 1618 4686.	[bug]		dnssec-settime -p could print a bogus warning about
 1619 			key deletion scheduled before its inactivation when a
 1620 			key had an inactivation date set but no deletion date
 1621 			set. [RT #45807]
 1622 
 1623 4685.	[bug]		dnssec-settime incorrectly calculated publication and
 1624 			activation dates for a successor key. [RT #45806]
 1625 
 1626 4684.	[bug]		delv could send bogus DNS queries when an explicit
 1627 			server address was specified on the command line along
 1628 			with -4/-6. [RT #45804]
 1629 
 1630 4683.	[bug]		Prevent nsupdate from immediately exiting on invalid
 1631 			user input in interactive mode. [RT #28194]
 1632 
 1633 4682.	[bug]		Don't report errors on records below a DNAME.
 1634 			[RT #44880]
 1635 
 1636 4680.	[bug]		Fix failing over to another master server address when
 1637 			nsupdate is used with GSS-API. [RT #45380]
 1638 
 1639 4679.	[cleanup]	Suggest using -o when dnssec-verify finds a SOA record
 1640 			not at top of zone and -o is not used. [RT #45519]
 1641 
 1642 4678.	[bug]		geoip-use-ecs has the wrong type when geoip support
 1643 			is disabled at configure time. [RT #45763]
 1644 
 1645 4677.	[cleanup]	Split up the main function in dig to better support
 1646 			the iOS app version. [RT #45508]
 1647 
 1648 4676.	[cleanup]	Allow BIND to be built using OpenSSL 1.0.X with
 1649 			deprecated functions removed. [RT #45706]
 1650 
 1651 4675.	[cleanup]	Don't use C++ keyword class. [RT #45726]
 1652 
 1653 4673.	[port]		Silence GCC 7 warnings. [RT #45592]
 1654 
 1655 4671.	[bug]		Fix a race condition that could cause the
 1656 			resolver to crash with assertion failure when
 1657 			chasing DS in specific conditions with a very
 1658 			short RTT to the upstream nameserver. [RT #45168]
 1659 
 1660 4670.	[cleanup]	Ensure that a request MAC is never sent back
 1661 			in an XFR response unless the signature was
 1662 			verified. [RT #45494]
 1663 
 1664 4668.	[bug]		Use localtime_r and gmtime_r for thread safety.
 1665 			[RT #45664]
 1666 
 1667 4667.	[cleanup]	Refactor RDATA unit tests. [RT #45610]
 1668 
 1669 4666.	[bug]		dnssec-keymgr: Domain names beginning with digits (0-9)
 1670 			could cause a parser error when reading the policy
 1671 			file. This now works correctly so long as the domain
 1672 			name is quoted. [RT #45641]
 1673 
 1674 4665.	[protocol]	Added support for ED25519 and ED448 DNSSEC signing
 1675 			algorithms (RFC 8080). (Note: these algorithms
 1676 			depend on code currently in the development branch
 1677 			of OpenSSL which has not yet been released.)
 1678 			[RT #44696]
 1679 
 1680 4663.	[cleanup]	Clarify error message printed by dnssec-dsfromkey.
 1681 			[RT #21731]
 1682 
 1683 4662.	[performance]	Improve cache memory cleanup of zero TTL records
 1684 			by putting them at the tail of LRU header lists.
 1685 			[RT #45274]
 1686 
 1687 4661.	[bug]		A race condition could occur if a zone was reloaded
 1688 			while resigning, triggering a crash in
 1689 			rbtdb.c:closeversion(). [RT #45276]
 1690 
 1691 4660.	[bug]		Remove spurious "peer" from Windows socket log
 1692 			messages. [RT #45617]
 1693 
 1694 4659.	[bug]		Remove spurious log message about lmdb-mapsize
 1695 			not being supported when parsing builtin
 1696 			configuration file. [RT #45618]
 1697 
 1698 4658.	[bug]		Clean up build directory created by "setup.py install"
 1699 			immediately.  [RT #45628]
 1700 
 1701 4657.	[bug]		rrchecker system test result could be improperly
 1702 			determined. [RT #45602]
 1703 
 1704 4656.	[bug]		Apply "port" and "dscp" values specified in catalog
 1705 			zone's "default-masters" option to the generated
 1706 			configuration of its member zones. [RT #45545]
 1707 
 1708 4655.	[bug]		Lack of seccomp could be falsely reported. [RT #45599]
 1709 
 1710 4654.	[cleanup]	Don't use C++ keywords delete, new and namespace.
 1711 			[RT #45538]
 1712 
 1713 4652.	[bug]		Nsupdate could attempt to use a zeroed address on
 1714 			server timeout. [RT #45417]
 1715 
 1716 4651.	[test]		Silence coverity warnings in tsig_test.c. [RT #45528]
 1717 
 1718 4605.	[performance]	(partial backport) Improve general query
 1719 			performance. Improves performance of owner case
 1720 			restoration, hash function, etc. Uses inline
 1721 			buffer implementation by default. [RT #45637]
 1722 
 1723 	--- 9.11.2 released ---
 1724 
 1725 	--- 9.11.2rc2 released ---
 1726 
 1727 4653.	[bug]		Reorder includes to move @DST_OPENSSL_INC@ and
 1728 			@ISC_OPENSSL_INC@ after shipped include directories.
 1729 			[RT #45581]
 1730 
 1731 	--- 9.11.2rc1 released ---
 1732 
 1733 4649.	[bug]		The wrong zone was logged when a catalog zone is added.
 1734 			[RT #45520]
 1735 
 1736 4648.	[bug]		"rndc reconfig" on a slave no longer causes all member
 1737 			zones of configured catalog zones to be removed from
 1738 			configuration. [RT #45310]
 1739 
 1740 4647.	[bug]		Change 4643 broke verification of TSIG signed TCP
 1741 			message sequences where not all the messages contain
 1742 			TSIG records.  These may be used in AXFR and IXFR
 1743 			responses. [RT #45509]
 1744 
 1745 4645.	[bug]		Fix PKCS#11 RSA parsing when MD5 is disabled.
 1746 			[RT #45300]
 1747 
 1748 	--- 9.11.2b1 released ---
 1749 
 1750 4643.	[security]	An error in TSIG handling could permit unauthorized
 1751 			zone transfers or zone updates. (CVE-2017-3142)
 1752 			(CVE-2017-3143) [RT #45383]
 1753 
 1754 4642.	[cleanup]	Add more logging of RFC 5011 events affecting the
 1755 			status of managed keys: newly observed keys,
 1756 			deletion of revoked keys, etc. [RT #45354]
 1757 
 1758 4641.	[cleanup]	Parallel builds (make -j) could fail with --with-atf /
 1759 			--enable-developer. [RT #45373]
 1760 
 1761 4640.	[bug]		If query_findversion failed in query_getdb due to
 1762 			memory failure the error status was incorrectly
 1763 			discarded. [RT #45331]
 1764 
 1765 4639.	[bug]		Fix a regression in --with-tuning reporting introduced
 1766 			by change 4488. [RT #45396]
 1767 
 1768 4638.	[bug]		Reloading or reconfiguring named could fail on
 1769 			some platforms when LMDB was in use. [RT #45203]
 1770 
 1771 4636.	[bug]		Normalize rpz policy zone names when checking for
 1772 			existence. [RT #45358]
 1773 
 1774 4635.	[bug]		Fix RPZ NSDNAME logging that was logging
 1775 			failures as NSIP. [RT #45052]
 1776 
 1777 4634.	[contrib]	check5011.pl needs to handle optional space before
 1778 			semi-colon in +multi-line output. [RT #45352]
 1779 
 1780 4633.	[maint]		Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET.
 1781 
 1782 4632.	[security]	The BIND installer on Windows used an unquoted
 1783 			service path, which can enable privilege escalation.
 1784 			(CVE-2017-3141) [RT #45229]
 1785 
 1786 4631.	[security]	Some RPZ configurations could go into an infinite
 1787 			query loop when encountering responses with TTL=0.
 1788 			(CVE-2017-3140) [RT #45181]
 1789 
 1790 4630.	[bug]		"dyndb" is dependent on dlopen existing / being
 1791 			enabled. [RT #45291]
 1792 
 1793 4629.	[bug]		dns_client_startupdate could not be called with a
 1794 			running client. [RT #45277]
 1795 
 1796 4628.	[bug]		Fixed a potential reference leak in query_getdb().
 1797 			[RT #45247]
 1798 
 1799 4626.	[test]		Added more tests for handling of different record
 1800 			ordering in CNAME and DNAME responses. [QA #430]
 1801 
 1802 4625.	[bug]		Running "rndc addzone" and "rndc delzone" at close
 1803 			to the same time could trigger a deadlock if using
 1804 			LMDB. [RT #45209]
 1805 
 1806 4623.	[bug]		Use --with-protobuf-c and --with-libfstrm to find
 1807 			protoc-c and fstrm_capture. [RT #45187]
 1808 
 1809 4622.	[bug]		Remove unnecessary escaping of semicolon in CAA and
 1810 			URI records. [RT #45216]
 1811 
 1812 4621.	[port]		Force alignment of oid arrays to silence loader
 1813 			warnings. [RT #45131]
 1814 
 1815 4620.	[port]		Handle EPFNOSUPPORT being returned when probing
 1816 			to see if a socket type is supported. [RT #45214]
 1817 
 1818 4619.	[bug]		Call isc_mem_put instead of isc_mem_free in
 1819 			bin/named/server.c:setup_newzones. [RT #45202]
 1820 
 1821 4618.	[bug]		Check isc_mem_strdup results in dns_view_setnewzones.
 1822 			Add logging for lmdb call failures. [RT #45204]
 1823 
 1824 4617.	[test]		Update rndc system test to be more delay tolerant.
 1825 			[RT #45177]
 1826 
 1827 4616.	[bug]		When using LMDB, zones deleted using "rndc delzone"
 1828 			were not correctly removed from the new-zone
 1829 			database. [RT #45185]
 1830 
 1831 4615.	[bug]		AD could be set on truncated answer with no records
 1832 			present in the answer and authority sections.
 1833 			[RT #45140]
 1834 
 1835 4614.	[test]		Fixed an error in the sockaddr unit test. [RT #45146]
 1836 
 1837 4612.	[bug]		Silence 'may be use uninitalised' warning and simplify
 1838 			the code in lwres/getaddinfo:process_answer.
 1839 			[RT #45158]
 1840 
 1841 4611.	[bug]		The default LMDB mapsize was too low and caused
 1842 			errors after few thousand zones were added using
 1843 			rndc addzone. A new config option "lmdb-mapsize"
 1844 			has been introduced to configure the LMDB
 1845 			mapsize depending on operational needs.
 1846 			[RT #44954]
 1847 
 1848 4609.	[cleanup]	Rearrange makefiles to enable parallel execution
 1849 			(i.e. "make -j"). [RT #45078]
 1850 
 1851 4608.	[func]		DiG now warns about .local queries which are reserved
 1852 			for Multicast DNS. [RT #44783]
 1853 
 1854 4606.	[port]		Stop using experimental "Experimental keys on scalar"
 1855 			feature of perl as it has been removed. [RT #45012]
 1856 
 1857 4604.	[bug]		Don't use ERR_load_crypto_strings() when building
 1858 			with OpenSSL 1.1.0. [RT #45117]
 1859 
 1860 4603.	[doc]		Automatically generate named.conf(5) man page
 1861 			from doc/misc/options. Thanks to Tony Finch.
 1862 			[RT #43525]
 1863 
 1864 4602.	[func]		Threads are now set to human-readable
 1865 			names to assist debugging, when supported by
 1866 			the OS. [RT #43234]
 1867 
 1868 4601.	[bug]		Reject incorrect RSA key lengths during key
 1869 			generation and and sign/verify context
 1870 			creation. [RT #45043]
 1871 
 1872 4600.	[bug]		Adjust RPZ trigger counts only when the entry
 1873 			being deleted exists. [RT #43386]
 1874 
 1875 4599.	[bug]		Fix inconsistencies in inline signing time
 1876 			comparison that were introduced with the
 1877 			introduction of rdatasetheader->resign_lsb.
 1878 			[RT #42112]
 1879 
 1880 4597.	[bug]		The validator now ignores SHA-1 DS digest type
 1881 			when a DS record with SHA-384 digest type is
 1882 			present and is a supported digest type.
 1883 			[RT #45017]
 1884 
 1885 4596.	[bug]		Validate glue before adding it to the additional
 1886 			section. This also fixes incorrect TTL capping
 1887 			when the RRSIG expired earlier than the TTL.
 1888 			[RT #45062]
 1889 
 1890 4593.	[doc]		Update README using markdown, remove outdated FAQ
 1891 			file in favor of the knowledge base.
 1892 
 1893 4592.	[bug]		A race condition on shutdown could trigger an
 1894 			assertion failure in dispatch.c. [RT #43822]
 1895 
 1896 4591.	[port]		Addressed some python 3 compatibility issues.
 1897 			Thanks to Ville Skytta. [RT #44955] [RT #44956]
 1898 
 1899 4590.	[bug]		Support for PTHREAD_MUTEX_ADAPTIVE_NP was not being
 1900 			properly detected. [RT #44871]
 1901 
 1902 4589.	[cleanup]	"configure -q" is now silent. [RT #44829]
 1903 
 1904 4588.	[bug]		nsupdate could send queries for TKEY to the wrong
 1905 			server when using GSSAPI. Thanks to Tomas Hozza.
 1906 			[RT #39893]
 1907 
 1908 4587.	[bug]		named-checkzone failed to handle occulted data below
 1909 			DNAMEs correctly. [RT #44877]
 1910 
 1911 4586.	[func]		dig, host and nslookup now use TCP for ANY queries.
 1912 			[RT #44687]
 1913 
 1914 4585.	[port]		win32: Set CompileAS value. [RT #42474]
 1915 
 1916 4584.	[bug]		A number of memory usage statistics were not properly
 1917 			reported when they exceeded 4G.  [RT #44750]
 1918 
 1919 4574.	[bug]		Dig leaked memory with multiple +subnet options.
 1920 			[RT #44683]
 1921 
 1922 4555.	[func]		dig +ednsopt: EDNS options can now be specified by
 1923 			name in addition to numeric value. [RT #44461]
 1924 
 1925 	--- 9.11.1 released ---
 1926 
 1927 	--- 9.11.1rc3 released ---
 1928 
 1929 4582.	[security]	'rndc ""' could trigger a assertion failure in named.
 1930 			(CVE-2017-3138) [RT #44924]
 1931 
 1932 4581.	[port]		Linux: Add getpid and getrandom to the list of system
 1933 			calls named uses for seccomp. [RT #44883]
 1934 
 1935 4580.	[bug]		4578 introduced a regression when handling CNAME to
 1936 			referral below the current domain. [RT #44850]
 1937 
 1938 	--- 9.11.1rc2 released ---
 1939 
 1940 4578.	[security]	Some chaining (CNAME or DNAME) responses to upstream
 1941 			queries could trigger assertion failures.
 1942 			(CVE-2017-3137) [RT #44734]
 1943 
 1944 4575.	[security]	DNS64 with "break-dnssec yes;" can result in an
 1945 			assertion failure. (CVE-2017-3136) [RT #44653]
 1946 
 1947 	--- 9.11.1rc1 released ---
 1948 
 1949 4571.	[bug]		Out-of-tree builds of backtrace_test failed.
 1950 
 1951 4570.	[cleanup]	named did not correctly fall back to the built-in
 1952 			initializing keys if the bind.keys file was present
 1953 			but empty. [RT #44531]
 1954 
 1955 4569.	[func]		Store both local and remote addresses in dnstap
 1956 			logging, and modify dnstap-read output format to
 1957 			print them. [RT #43595]
 1958 
 1959 4568.	[contrib]	Added a --with-bind option to the dnsperf configure
 1960 			script to specify BIND prefix path.
 1961 
 1962 4567.	[port]		Call getprotobyname and getservbyname prior to calling
 1963 			chroot so that shared libraries get loaded. [RT #44537]
 1964 
 1965 4565.	[cleanup]	The inline macro versions of isc_buffer_put*()
 1966 			did not implement automatic buffer reallocation.
 1967 			[RT #44216]
 1968 
 1969 4564.	[maint]		Update the built in managed keys to include the
 1970 			upcoming root KSK. [RT #44579]
 1971 
 1972 4563.	[bug]		Modified zones would occasionally fail to reload.
 1973 			[RT #39424]
 1974 
 1975 4561.	[port]		Silence a warning in strict C99 compilers. [RT #44414]
 1976 
 1977 4560.	[bug]		mdig: add -m option to enable memory debugging rather
 1978 			than having it on all the time. [RT #44509]
 1979 
 1980 4559.	[bug]		openssl_link.c didn't compile if ISC_MEM_TRACKLINES
 1981 			was turned off.  [RT #44509]
 1982 
 1983 4558.	[bug]		Synthesised CNAME before matching DNAME was still
 1984 			being cached when it should not have been.  [RT #44318]
 1985 
 1986 4557.	[security]	Combining dns64 and rpz can result in dereferencing
 1987 			a NULL pointer (read).  (CVE-2017-3135) [RT#44434]
 1988 
 1989 4554.	[bug]		Remove double unlock in dns_dispatchmgr_setudp.
 1990 			[RT #44336]
 1991 
 1992 4553.	[bug]		Named could deadlock there were multiple changes to
 1993 			NSEC/NSEC3 parameters for a zone being processed at
 1994 			the same time. [RT #42770]
 1995 
 1996 4552.	[bug]		Named could trigger a assertion when sending notify
 1997 			messages. [RT #44019]
 1998 
 1999 4551.	[test]		Add system tests for integrity checks of MX and
 2000 			SRV records. [RT #43953]
 2001 
 2002 4550.	[cleanup]	Increased the number of available master file
 2003 			output style flags from 32 to 64. [RT #44043]
 2004 
 2005 4547.	[port]		Add support for --enable-native-pkcs11 on the AEP
 2006 			Keyper HSM. [RT #42463]
 2007 
 2008 	--- 9.11.1b1 released ---
 2009 
 2010 4545.	[func]		Expand YAML output from dnstap-read to include
 2011 			a detailed breakdown of the DNS message contents.
 2012 			[RT #43642]
 2013 
 2014 4544.	[bug]		Add message/payload size to dnstap-read YAML output.
 2015 			[RT #43622]
 2016 
 2017 4543.	[bug]		dns_client_startupdate now delays sending the update
 2018 			request until isc_app_ctxrun has been called.
 2019 			[RT #43976]
 2020 
 2021 4541.	[bug]		rndc addzone should properly reject non master/slave
 2022 			zones. [RT #43665]
 2023 
 2024 4540.	[bug]		Correctly handle ecs entries in dns_acl_isinsecure.
 2025 			[RT #43601]
 2026 
 2027 4539.	[bug]		Referencing a nonexistent zone with RPZ could lead
 2028 			to a assertion failure when configuring. [RT #43787]
 2029 
 2030 4538.	[bug]		Call dns_client_startresolve from client->task.
 2031 			[RT #43896]
 2032 
 2033 4537.	[bug]		Handle timeouts better in dig/host/nslookup. [RT #43576]
 2034 
 2035 4536.	[bug]		ISC_SOCKEVENTATTR_USEMINMTU was not being cleared
 2036 			when reusing the event structure. [RT #43885]
 2037 
 2038 4535.	[bug]		Address race condition in setting / testing of
 2039 			DNS_REQUEST_F_SENDING. [RT #43889]
 2040 
 2041 4534.	[bug]		Only set RD, RA and CD in QUERY responses. [RT #43879]
 2042 
 2043 4533.	[bug]		dns_client_update should terminate on prerequisite
 2044 			failures (NXDOMAIN, YXDOMAIN, NXRRSET, YXRRSET)
 2045 			and also on BADZONE.  [RT #43865]
 2046 
 2047 4532.	[contrib]	Make gen-data-queryperf.py python 3 compatible.
 2048 			[RT #43836]
 2049 
 2050 4531.	[security]	'is_zone' was not being properly updated by redirect2
 2051 			and subsequently preserved leading to an assertion
 2052 			failure. (CVE-2016-9778) [RT #43837]
 2053 
 2054 4530.	[bug]		Change 4489 broke the handling of CNAME -> DNAME
 2055 			in responses resulting in SERVFAIL being returned.
 2056 			[RT #43779]
 2057 
 2058 4529.	[cleanup]	Silence noisy log warning when DSCP probe fails
 2059 			due to firewall rules. [RT #43847]
 2060 
 2061 4528.	[bug]		Only set the flag bits for the i/o we are waiting
 2062 			for on EPOLLERR or EPOLLHUP. [RT #43617]
 2063 
 2064 4527.	[doc]		Support DocBook XSL Stylesheets v1.79.1. [RT #43831]
 2065 
 2066 4526.	[doc]		Corrected errors and improved formatting of
 2067 			grammar definitions in the ARM. [RT #43739]
 2068 
 2069 4525.	[doc]		Fixed outdated documentation on managed-keys.
 2070 			[RT #43810]
 2071 
 2072 4524.	[bug]		The net zero test was broken causing IPv4 servers
 2073 			with addresses ending in .0 to be rejected. [RT #43776]
 2074 
 2075 4523.	[doc]		Expand config doc for <querysource4> and
 2076 			<querysource6>. [RT #43768]
 2077 
 2078 4522.	[bug]		Handle big gaps in log file version numbers better.
 2079 			[RT #38688]
 2080 
 2081 4521.	[cleanup]	Log it as an error if an entropy source is not
 2082 			found and there is no fallback available. [RT #43659]
 2083 
 2084 4520.	[cleanup]	Alphabetize more of the grammar when printing it
 2085 			out. Fix unbalanced indenting. [RT #43755]
 2086 
 2087 4519.	[port]		win32: handle ERROR_MORE_DATA. [RT #43534]
 2088 
 2089 4517.	[security]	Named could mishandle authority sections that were
 2090 			missing RRSIGs triggering an assertion failure.
 2091 			(CVE-2016-9444) [RT # 43632]
 2092 
 2093 4516.	[bug]		isc_socketmgr_renderjson was missing from the
 2094 			windows build. [RT #43602]
 2095 
 2096 4515.	[port]		FreeBSD: Find readline headers when they are in
 2097 			edit/readline/ instead of readline/. [RT #43658]
 2098 
 2099 4514.	[port]		NetBSD: strip -WL, from ld command line. [RT #43204]
 2100 
 2101 4513.	[cleanup]	Minimum Python versions are now 2.7 and 3.2.
 2102 			[RT #43566]
 2103 
 2104 4512.	[bug]		win32: @GEOIP_INC@ missing from delv.vcxproj.in.
 2105 			[RT #43556]
 2106 
 2107 4511.	[bug]		win32: mdig.exe-BNFT was missing Configure. [RT #43554]
 2108 
 2109 4510.	[security]	Named mishandled some responses where covering RRSIG
 2110 			records are returned without the requested data
 2111 			resulting in a assertion failure. (CVE-2016-9147)
 2112 			[RT #43548]
 2113 
 2114 4509.	[test]		Make the rrl system test more reliable on slower
 2115 			machines by using mdig instead of dig. [RT #43280]
 2116 
 2117 4508.	[security]	Named incorrectly tried to cache TKEY records which
 2118 			could trigger a assertion failure when there was
 2119 			a class mismatch. (CVE-2016-9131) [RT #43522]
 2120 
 2121 4507.	[bug]		Named could incorrectly log 'allows updates by IP
 2122 			address, which is insecure' [RT #43432]
 2123 
 2124 4505.	[port]		Use IP_PMTUDISC_OMIT if available. [RT #35494]
 2125 
 2126 4504.	[security]	Allow the maximum number of records in a zone to
 2127 			be specified.  This provides a control for issues
 2128 			raised in CVE-2016-6170. [RT #42143]
 2129 
 2130 4503.	[cleanup]	"make uninstall" now removes files installed by
 2131 			BIND. (This currently excludes Python files
 2132 			due to lack of support in setup.py.) [RT #42192]
 2133 
 2134 4502.	[func]		Report multiple and experimental options when printing
 2135 			grammar. [RT #43134]
 2136 
 2137 4500.	[bug]		Support modifier I64 in isc__print_printf. [RT #43526]
 2138 
 2139 4499.	[port]		MacOSX: silence deprecated function warning
 2140 			by using arc4random_stir() when available
 2141 			instead of arc4random_addrandom(). [RT #43503]
 2142 
 2143 4498.	[test]		Simplify prerequisite checks in system tests.
 2144 			[RT #43516]
 2145 
 2146 4497.	[port]		Add support for OpenSSL 1.1.0. [RT #41284]
 2147 
 2148 4496.	[func]		dig: add +idnout to control whether labels are
 2149 			display in punycode or not.  Requires idn support
 2150 			to be enabled at compile time. [RT #43398]
 2151 
 2152 4495.	[bug]		A isc_mutex_init call was not being checked.
 2153 			[RT #43391]
 2154 
 2155 4494.	[bug]		Look for <editline/readline.h>. [RT #43429]
 2156 
 2157 4493.	[bug]		bin/tests/system/dyndb/driver/Makefile.in should use
 2158 			SO_TARGETS. [RT# 43336]
 2159 
 2160 4492.	[bug]		irs_resconf_load failed to initialize sortlistnxt
 2161 			causing bad writes if resolv.conf contained a
 2162 			sortlist directive. [RT #43459]
 2163 
 2164 4491.	[bug]		Improve message emitted when testing whether sendmsg
 2165 			works with TOS/TCLASS fails. [RT #43483]
 2166 
 2167 4490.	[maint]		Added AAAA (2001:500:12::d0d) for G.ROOT-SERVERS.NET.
 2168 
 2169 4489.	[security]	It was possible to trigger assertions when processing
 2170 			a response containing a DNAME answer. (CVE-2016-8864)
 2171 			[RT #43465]
 2172 
 2173 4488.	[port]		Darwin: use -framework for Kerberos. [RT #43418]
 2174 
 2175 4487.	[test]		Make system tests work on Windows. [RT #42931]
 2176 
 2177 4486.	[bug]		Look in $prefix/lib/pythonX.Y/site-packages for
 2178 			the python modules we install. [RT #43330]
 2179 
 2180 4485.	[bug]		Failure to find readline when requested should be
 2181 			fatal to configure. [RT #43328]
 2182 
 2183 4484.	[func]		Check prefixes in acls to make sure the address and
 2184 			prefix lengths are consistent.  Warn only in
 2185 			BIND 9.11 and earlier. [RT #43367]
 2186 
 2187 4483.	[bug]		Address use before require check and remove extraneous
 2188 			dns_message_gettsigkey call in dns_tsig_sign.
 2189 			[RT #43374]
 2190 
 2191 4482.	[cleanup]	Change #4455 was incomplete. [RT #43252]
 2192 
 2193 4478.	[func]		Add +continue option to mdig, allow continue on socket
 2194 			errors. [RT #43281]
 2195 
 2196 4477.	[test]		Fix mkeys test timing issues. [RT #41028]
 2197 
 2198 4476.	[test]		Fix reclimit test on slower machines. [RT #43283]
 2199 
 2200 4475.	[doc]		Update named-checkconf documentation. [RT #43153]
 2201 
 2202 4474.	[bug]		win32: call WSAStartup in fromtext_in_wks so that
 2203 			getprotobyname and getservbyname work.  [RT #43197]
 2204 
 2205 4473.	[bug]		Only call fsync / _commit on regular files. [RT #43196]
 2206 
 2207 4472.	[bug]		Named could fail to find the correct NSEC3 records when
 2208 			a zone was updated between looking for the answer and
 2209 			looking for the NSEC3 records proving nonexistence
 2210 			of the answer. [RT #43247]
 2211 
 2212 	--- 9.11.0 released ---
 2213 
 2214 	--- 9.11.0rc3 released ---
 2215 
 2216 4471.	[cleanup]	Render client/query logging format consistent for
 2217 			ease of log file parsing. (Note that this affects
 2218 			"querylog" format: there is now an additional field
 2219 			indicating the client object address.) [RT #43238]
 2220 
 2221 4470.	[bug]		Reset message with intent parse before
 2222 			calling dns_dispatch_getnext. [RT #43229]
 2223 
 2224 	--- 9.11.0rc2 released ---
 2225 
 2226 4468.	[bug]		Address ECS option handling issues. [RT #43191]
 2227 
 2228 4467.	[security]	It was possible to trigger an assertion when
 2229 			rendering a message. (CVE-2016-2776) [RT #43139]
 2230 
 2231 4466.	[bug]		Interface scanning didn't work on a Windows system
 2232 			without a non local IPv6 addresses. [RT #43130]
 2233 
 2234 4465.	[bug]		Don't use "%z" as Windows doesn't support it.
 2235 			[RT #43131]
 2236 
 2237 4464.	[bug]		Fix windows python support. [RT #43173]
 2238 
 2239 4463.	[bug]		The dnstap system test failed on some systems.
 2240 			[RT #43129]
 2241 
 2242 4462.	[bug]		Don't describe a returned EDNS COOKIE as "good"
 2243 			when there isn't a valid server cookie. [RT #43167]
 2244 
 2245 4461.	[bug]		win32: not all external data was properly marked
 2246 			as external data for windows dll. [RT #43161]
 2247 
 2248 	--- 9.11.0rc1 released ---
 2249 
 2250 4460.	[test]		Add system test for dnstap using unix domain sockets.
 2251 			[RT #42926]
 2252 
 2253 4459.	[bug]		TCP client objects created to handle pipeline queries
 2254 			were not cleaned up correctly, causing uncontrolled
 2255 			memory growth. [RT #43106]
 2256 
 2257 4458.	[cleanup]	Update assertions to be more correct, and also remove
 2258 			use of a reserved word. [RT #43090]
 2259 
 2260 4457.	[maint]		Added AAAA (2001:500:a8::e) for E.ROOT-SERVERS.NET.
 2261 
 2262 4456.	[doc]		Add DOCTYPE and lang attribute to <html> tags.
 2263 			[RT #42587]
 2264 
 2265 4455.	[cleanup]	Allow dyndb modules to correctly log the filename
 2266 			and line number when processing configuration text
 2267 			from named.conf. [RT #43050]
 2268 
 2269 4454.	[bug]		'rndc dnstap -reopen' had a race issue. [RT #43089]
 2270 
 2271 4453.	[bug]		Prefetching of DS records failed to update their
 2272 			RRSIGs. [RT #42865]
 2273 
 2274 4452.	[bug]		The default key manager policy file is now
 2275 			<sysdir>/dnssec-policy.conf (usually
 2276 			/etc/dnssec-policy.conf). [RT #43064]
 2277 
 2278 4451.	[cleanup]	Log more useful information if a PKCS#11 provider
 2279 			library cannot be loaded. [RT #43076]
 2280 
 2281 4450.	[port]		Provide more nuanced HSM support which better matches
 2282 			the specific PKCS11 providers capabilities. [RT #42458]
 2283 
 2284 4449.	[test]		Fix catalog zones test on slower systems. [RT #42997]
 2285 
 2286 4448.	[bug]		win32: ::1 was not being found when iterating
 2287 			interfaces. [RT #42993]
 2288 
 2289 4447.	[tuning]	Allow the fstrm_iothr_init() options to be set using
 2290 			named.conf to control how dnstap manages the data
 2291 			flow. [RT #42974]
 2292 
 2293 4446.	[bug]		The cache_find() and _findrdataset() functions
 2294 			could find rdatasets that had been marked stale.
 2295 			[RT #42853]
 2296 
 2297 4445.	[cleanup]	isc_errno_toresult() can now be used to call the
 2298 			formerly private function isc__errno2result().
 2299 			[RT #43050]
 2300 
 2301 4444.	[bug]		Fixed some issues related to dyndb: A bug caused
 2302 			braces to be omitted when passing configuration text
 2303 			from named.conf to a dyndb driver, and there was a
 2304 			use-after-free in the sample dyndb driver. [RT #43050]
 2305 
 2306 4443.	[func]		Set TCP_MAXSEG in addition to IPV6_USE_MIN_MTU on
 2307 			TCP sockets. [RT #42864]
 2308 
 2309 4442.	[bug]		Fix RPZ CIDR tree insertion bug that corrupted
 2310 			tree data structure with overlapping networks
 2311 			(longest prefix match was ineffective).
 2312 			[RT #43035]
 2313 
 2314 4441.	[cleanup]	Alphabetize host's help output. [RT #43031]
 2315 
 2316 4440.	[func]		Enable TCP fast open support when available on the
 2317 			server side. [RT #42866]
 2318 
 2319 4439.	[bug]		Address race conditions getting ownernames of nodes.
 2320 			[RT #43005]
 2321 
 2322 4438.	[func]		Use LIFO rather than FIFO when processing startup
 2323 			notify and refresh queries. [RT #42825]
 2324 
 2325 4437.	[func]		Minimal-responses now has two additional modes
 2326 			no-auth and no-auth-recursive which suppress
 2327 			adding the NS records to the authority section
 2328 			as well as the associated address records for the
 2329 			nameservers. [RT #42005]
 2330 
 2331 4436.	[func]		Return TLSA records as additional data for MX and SRV
 2332 			lookups. [RT #42894]
 2333 
 2334 4435.	[tuning]	Only set IPV6_USE_MIN_MTU for UDP when the message
 2335 			will not fit into a single IPv4 encapsulated IPv6
 2336 			UDP packet when transmitted over a Ethernet link.
 2337 			[RT #42871]
 2338 
 2339 4434.	[protocol]	Return EDNS EXPIRE option for master zones in addition
 2340 			to slave zones. [RT #43008]
 2341 
 2342 4433.	[cleanup]	Report an error when passing an invalid option or
 2343 			view name to "rndc dumpdb". [RT #42958]
 2344 
 2345 4432.	[test]		Hide rndc output on expected failures in logfileconfig
 2346 			system test. [RT #27996]
 2347 
 2348 4431.	[bug]		named-checkconf now checks the rate-limit clause.
 2349 			[RT #42970]
 2350 
 2351 4430.	[bug]		Lwresd died if a search list was not defined.
 2352 			Found by 0x710DDDD At Alibaba Security. [RT #42895]
 2353 
 2354 4429.	[bug]		Address potential use after free on fclose() error.
 2355 			[RT #42976]
 2356 
 2357 4428.	[bug]		The "test dispatch getnext" unit test could fail
 2358 			in a threaded build. [RT #42979]
 2359 
 2360 4427.	[bug]		The "query" and "response" parameters to the
 2361 			"dnstap" option had their functions reversed.
 2362 
 2363 	--- 9.11.0b3 released ---
 2364 
 2365 4426.	[bug]		Addressed Coverity warnings. [RT #42908]
 2366 
 2367 4425.	[bug]		arpaname, dnstap-read and named-rrchecker were not
 2368 			being installed into ${prefix}/bin.  Tidy up
 2369 			installation issues with CHANGE 4421. [RT #42910]
 2370 
 2371 4424.	[experimental]	Named now sends _ta-XXXX.<trust-anchor>/NULL queries
 2372 			to provide feedback to the trust-anchor administrators
 2373 			about how key rollovers are progressing as per
 2374 			draft-ietf-dnsop-edns-key-tag-02.  This can be
 2375 			disabled using 'trust-anchor-telemetry no;'.
 2376 			[RT #40583]
 2377 
 2378 4423.	[maint]		Added missing IPv6 address 2001:500:84::b for
 2379 			B.ROOT-SERVERS.NET. [RT #42898]
 2380 
 2381 4422.	[port]		Silence clang warnings in dig.c and dighost.c.
 2382 			[RT #42451]
 2383 
 2384 4421.	[func]		When built with LMDB (Lightning Memory-mapped
 2385 			Database), named will now use a database to store
 2386 			the configuration for zones added by "rndc addzone"
 2387 			instead of using a flat NZF file. This improves
 2388 			performance of "rndc delzone" and "rndc modzone"
 2389 			significantly. Existing NZF files will
 2390 			automatically by converted to NZD databases.
 2391 			To view the contents of an NZD or to roll back to
 2392 			NZF format, use "named-nzd2nzf". To disable
 2393 			this feature, use "configure --without-lmdb".
 2394 			[RT #39837]
 2395 
 2396 4420.	[func]		nslookup now looks for AAAA as well as A by default.
 2397 			[RT #40420]
 2398 
 2399 4419.	[bug]		Don't cause undefined result if the label of an
 2400 			entry in catalog zone is changed. [RT #42708]
 2401 
 2402 4418.	[bug]		Fix a compiler warning in GSSAPI code. [RT #42879]
 2403 
 2404 4417.	[bug]		dnssec-keymgr could fail to create successor keys
 2405 			if the prepublication interval was set to a value
 2406 			smaller than the default. [RT #42820]
 2407 
 2408 4416.	[bug]		dnssec-keymgr: Domain names in policy files could
 2409 			fail to match due to trailing dots. [RT #42807]
 2410 
 2411 4415.	[bug]		dnssec-keymgr: Expired/deleted keys were not always
 2412 			excluded. [RT #42884]
 2413 
 2414 4414.	[bug]		Corrected a bug in the MIPS implementation of
 2415 			isc_atomic_xadd(). [RT #41965]
 2416 
 2417 4413.	[bug]		GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED
 2418 			was returned. [RT #42733]
 2419 
 2420 	--- 9.11.0b2 released ---
 2421 
 2422 4412.	[cleanup]	Make fixes for GCC 6. ISC_OFFSET_MAXIMUM macro was
 2423 			removed. [RT #42721]
 2424 
 2425 4411.	[func]		"rndc dnstap -roll" automatically rolls the
 2426 			dnstap output file; the previous version is
 2427 			saved with ".0" suffix, and earlier versions
 2428 			with ".1" and so on. An optional numeric argument
 2429 			indicates how many prior files to save. [RT #42830]
 2430 
 2431 4410.	[bug]		Address use after free and memory leak with dnstap.
 2432 			[RT #42746]
 2433 
 2434 4409.	[bug]		DNS64 should exclude mapped addresses by default when
 2435 			an exclude acl is not defined. [RT #42810]
 2436 
 2437 4408.	[func]		Continue waiting for expected response when we the
 2438 			response we get does not match the request. [RT #41026]
 2439 
 2440 4407.	[performance]	Use GCC builtin for clz in RPZ lookup code.
 2441 			[RT #42818]
 2442 
 2443 4406.	[security]	getrrsetbyname with a non absolute name could
 2444 			trigger an infinite recursion bug in lwresd
 2445 			and named with lwres configured if when combined
 2446 			with a search list entry the resulting name is
 2447 			too long. (CVE-2016-2775) [RT #42694]
 2448 
 2449 4405.	[bug]		Change 4342 introduced a regression where you could
 2450 			not remove a delegation in a NSEC3 signed zone using
 2451 			OPTOUT via nsupdate. [RT #42702]
 2452 
 2453 4404.	[misc]		Allow krb5-config to be used when configuring gssapi.
 2454 			[RT #42580]
 2455 
 2456 4403.	[bug]		Rename variables and arguments that shadow: basename,
 2457 			clone and gai_error.
 2458 
 2459 4402.	[bug]		protoc-c is now a hard requirement for --enable-dnstap.
 2460 
 2461 	--- 9.11.0b1 released ---
 2462 
 2463 4401.	[misc]		Change LICENSE to MPL 2.0.
 2464 
 2465 4400.	[bug]		ttl policy was not being inherited in policy.py.
 2466 			[RT #42718]
 2467 
 2468 4399.	[bug]		policy.py 'ECCGOST', 'ECDSAP256SHA256', and
 2469 			'ECDSAP384SHA384' don't have settable keysize.
 2470 			[RT #42718]
 2471 
 2472 4398.	[bug]		Correct spelling of ECDSAP256SHA256 in policy.py.
 2473 			[RT #42718]
 2474 
 2475 4397.	[bug]		Update Windows python support. [RT #42538]
 2476 
 2477 4396.	[func]		dnssec-keymgr now takes a '-r randomfile' option.
 2478 			[RT #42455]
 2479 
 2480 4395.	[bug]		Improve out-of-tree installation of python modules.
 2481 			[RT #42586]
 2482 
 2483 4394.	[func]		Add rndc command "dnstap-reopen" to close and
 2484 			reopen dnstap output files. [RT #41803]
 2485 
 2486 4393.	[bug]		Address potential NULL pointer dereferences in
 2487 			dnstap code.
 2488 
 2489 4392.	[func]		Collect statistics for RSSAC02v3 traffic-volume,
 2490 			traffic-sizes and rcode-volume reporting. [RT #41475]
 2491 
 2492 4391.	[contrib]	Fix leaks in contrib DLZ code. [RT #42707]
 2493 
 2494 4390.	[doc]		Description of masters with TSIG, allow-query and
 2495 			allow-transfer options in catalog zones. [RT #42692]
 2496 
 2497 4389.	[test]		Rewritten test suite for catalog zones. [RT #42676]
 2498 
 2499 4388.	[func]		Support for master entries with TSIG keys in catalog
 2500 			zones. [RT #42577]
 2501 
 2502 4387.	[bug]		Change 4336 was not complete leading to SERVFAIL
 2503 			being return as NS records expired. [RT #42683]
 2504 
 2505 4386.	[bug]		Remove shadowed overmem function/variable. [RT #42706]
 2506 
 2507 4385.	[func]		Add support for allow-query and allow-transfer ACLs
 2508 			to catalog zones. [RT #42578]
 2509 
 2510 4384.	[bug]		Change 4256 accidentally disabled logging of the
 2511 			rndc command. [RT #42654]
 2512 
 2513 4383.	[bug]		Correct spelling error in stats channel description of
 2514 			"EDNS client subnet option received". [RT #42633]
 2515 
 2516 4382.	[bug]		rndc {addzone,modzone,delzone,showzone} should all
 2517 			compare the zone name using a canonical format.
 2518 			[RT #42630]
 2519 
 2520 4381.	[bug]		Missing "zone-directory" option in catalog zone
 2521 			definition caused BIND to crash. [RT #42579]
 2522 
 2523 	--- 9.11.0a3 released ---
 2524 
 2525 4380.	[experimental]	Added a "zone-directory" option to "catalog-zones"
 2526 			syntax, allowing local masterfiles for slaves
 2527 			that are provisioned by catalog zones to be stored
 2528 			in a directory other than the server's working
 2529 			directory. [RT #42527]
 2530 
 2531 4379.	[bug]		An INSIST could be triggered if a zone contains
 2532 			RRSIG records with expiry fields that loop
 2533 			using serial number arithmetic. [RT #40571]
 2534 
 2535 4378.	[contrib]	#include <isc/string.h> for strlcat in zone2ldap.c.
 2536 			[RT #42525]
 2537 
 2538 4377.	[bug]		Don't reuse zero TTL responses beyond the current
 2539 			client set (excludes ANY/SIG/RRSIG queries).
 2540 			[RT #42142]
 2541 
 2542 4376.	[experimental]	Added support for Catalog Zones, a new method for
 2543 			provisioning secondary servers in which a list of
 2544 			zones to be served is stored in a DNS zone and can
 2545 			be propagated to slaves via AXFR/IXFR. [RT #41581]
 2546 
 2547 4375.	[func]		Add support for automatic reallocation of isc_buffer
 2548 			to isc_buffer_put* functions. [RT #42394]
 2549 
 2550 4374.	[bug]		Use SAVE/RESTORE macros in query.c to reduce the
 2551 			probability of reference counting errors as seen
 2552 			in 4365. [RT #42405]
 2553 
 2554 4373.	[bug]		Address undefined behavior in getaddrinfo. [RT #42479]
 2555 
 2556 4372.	[bug]		Address undefined behavior in libt_api. [RT #42480]
 2557 
 2558 4371.	[func]		New "minimal-any" option reduces the size of UDP
 2559 			responses for qtype ANY by returning a single
 2560 			arbitrarily selected RRset instead of all RRsets.
 2561 			Thanks to Tony Finch. [RT #41615]
 2562 
 2563 4370.	[bug]		Address python3 compatibility issues with RNDC module.
 2564 			[RT #42499] [RT #42506]
 2565 
 2566 	--- 9.11.0a2 released ---
 2567 
 2568 4369.	[bug]		Fix 'make' and 'make install' out-of-tree python
 2569 			support. [RT #42484]
 2570 
 2571 4368.	[bug]		Fix a crash when calling "rndc stats" on some
 2572 			Windows builds because some Visual Studio compilers
 2573 			generated crashing code for the "%z" printf()
 2574 			format specifier. [RT #42380]
 2575 
 2576 4367.	[bug]		Remove unnecessary assignment of loadtime in
 2577 			zone_touched. [RT #42440]
 2578 
 2579 4366.	[bug]		Address race condition when updating rbtnode bit
 2580 			fields. [RT #42379]
 2581 
 2582 4365.	[bug]		Address zone reference counting errors involving
 2583 			nxdomain-redirect. [RT #42258]
 2584 
 2585 4364.	[port]		freebsd: add -Wl,-E to loader flags [RT #41690]
 2586 
 2587 4363.	[port]		win32: Disable explicit triggering UAC when running
 2588 			BINDInstall.
 2589 
 2590 4362.	[func]		Changed rndc reconfig behavior so that newly added
 2591 			zones are loaded asynchronously and the loading does
 2592 			not block the server. [RT #41934]
 2593 
 2594 4361.	[cleanup]	Where supported, file modification times returned
 2595 			by isc_file_getmodtime() are now accurate to the
 2596 			nanosecond. [RT #41968]
 2597 
 2598 4360.	[bug]		Silence spurious 'bad key type' message when there is
 2599 			a existing TSIG key. [RT #42195]
 2600 
 2601 4359.	[bug]		Inherited 'also-notify' lists were not being checked
 2602 			by named-checkconf. [RT #42174]
 2603 
 2604 4358.	[test]		Added American Fuzzy Lop harness that allows
 2605 			feeding fuzzed packets into BIND.
 2606 			[RT #41723]
 2607 
 2608 4357.	[func]		Add the python RNDC module. [RT #42093]
 2609 
 2610 4356.	[func]		Add the ability to specify whether to wait for
 2611 			nameserver addresses to be looked up or not to
 2612 			RPZ with a new modifying directive 'nsip-wait-recurse'.
 2613 			[RT #35009]
 2614 
 2615 4355.	[func]		"pkcs11-list" now displays the extractability
 2616 			attribute of private or secret keys stored in
 2617 			an HSM, as either "true", "false", or "never"
 2618 			Thanks to Daniel Stirnimann. [RT #36557]
 2619 
 2620 4354.	[bug]		Check that the received HMAC length matches the
 2621 			expected length prior to check the contents on the
 2622 			control channel.  This prevents a OOB read error.
 2623 			This was reported by Lian Yihan, <lianyihan@360.cn>.
 2624 			[RT #42215]
 2625 
 2626 4353.	[cleanup]	Update PKCS#11 header files. [RT #42175]
 2627 
 2628 4352.	[cleanup]	The ISC DNSSEC Lookaside Validation (DLV) service
 2629 			is scheduled to be disabled in 2017.  A warning is
 2630 			now logged when named is configured to use it,
 2631 			either explicitly or via "dnssec-lookaside auto;"
 2632 			[RT #42207]
 2633 
 2634 4351.	[bug]		'dig +noignore' didn't work. [RT #42273]
 2635 
 2636 4350.	[contrib]	Declare result in  dlz_filesystem_dynamic.c.
 2637 
 2638 4349.	[contrib]	kasp2policy: A python script to create a DNSSEC
 2639 			policy file from an OpenDNSSEC KASP XML file.
 2640 
 2641 4348.	[func]		dnssec-keymgr: A new python-based DNSSEC key
 2642 			management utility, which reads a policy definition
 2643 			file and can create or update DNSSEC keys as needed
 2644 			to ensure that a zone's keys match policy, roll over
 2645 			correctly on schedule, etc.  Thanks to Sebastian
 2646 			Castro for assistance in development. [RT #39211]
 2647 
 2648 4347.	[port]		Corrected a build error on x86_64 Solaris. [RT #42150]
 2649 
 2650 4346.	[bug]		Fixed a regression introduced in change #4337 which
 2651 			caused signed domains with revoked KSKs to fail
 2652 			validation. [RT #42147]
 2653 
 2654 4345.	[contrib]	perftcpdns mishandled the return values from
 2655 			clock_nanosleep. [RT #42131]
 2656 
 2657 4344.	[port]		Address openssl version differences. [RT #42059]
 2658 
 2659 4343.	[bug]		dns_dnssec_syncupdate mis-declared in <dns/dnssec.h>.
 2660 			[RT #42090]
 2661 
 2662 4342.	[bug]		'rndc flushtree' could fail to clean the tree if there
 2663 			wasn't a node at the specified name. [RT #41846]
 2664 
 2665 	--- 9.11.0a1 released ---
 2666 
 2667 4341.	[bug]		Correct the handling of ECS options with
 2668 			address family 0. [RT #41377]
 2669 
 2670 4340.	[performance]	Implement adaptive read-write locks, reducing the
 2671 			overhead of locks that are only held briefly.
 2672 			[RT #37329]
 2673 
 2674 4339.	[test]		Use "mdig" to test pipelined queries. [RT #41929]
 2675 
 2676 4338.	[bug]		Reimplement change 4324 as it wasn't properly doing
 2677 			all the required book keeping. [RT #41941]
 2678 
 2679 4337.	[bug]		The previous change exposed a latent flaw in
 2680 			key refresh queries for managed-keys when
 2681 			a cached DNSKEY had TTL 0. [RT #41986]
 2682 
 2683 4336.	[bug]		Don't emit records with zero ttl unless the records
 2684 			were learnt with a zero ttl. [RT #41687]
 2685 
 2686 4335.	[bug]		zone->view could be detached too early. [RT #41942]
 2687 
 2688 4334.	[func]		'named -V' now reports zlib version. [RT #41913]
 2689 
 2690 4333.	[maint]		L.ROOT-SERVERS.NET is now 199.7.83.42 and
 2691 			2001:500:9f::42.
 2692 
 2693 4332.	[placeholder]
 2694 
 2695 4331.	[func]		When loading managed signed zones detect if the
 2696 			RRSIG's inception time is in the future and regenerate
 2697 			the RRSIG immediately. [RT #41808]
 2698 
 2699 4330.	[protocol]	Identify the PAD option as "PAD" when printing out
 2700 			a message.
 2701 
 2702 4329.	[func]		Warn about a common misconfiguration when forwarding
 2703 			RFC 1918 zones. [RT #41441]
 2704 
 2705 4328.	[performance]	Add dns_name_fromwire() benchmark test. [RT #41694]
 2706 
 2707 4327.	[func]		Log query and depth counters during fetches when
 2708 			querytrace (./configure --enable-querytrace) is
 2709 			enabled (helps in diagnosing).  [RT #41787]
 2710 
 2711 4326.	[protocol]	Add support for AVC. [RT #41819]
 2712 
 2713 4325.	[func]		Add a line to "rndc status" indicating the
 2714 			hostname and operating system details. [RT #41610]
 2715 
 2716 4324.	[bug]		When deleting records from a zone database, interior
 2717 			nodes could be left empty but not deleted, damaging
 2718 			search performance afterward. [RT #40997]
 2719 
 2720 4323.	[bug]		Improve HTTP header processing on statschannel.
 2721 			[RT #41674]
 2722 
 2723 4322.	[security]	Duplicate EDNS COOKIE options in a response could
 2724 			trigger an assertion failure. (CVE-2016-2088)
 2725 			[RT #41809]
 2726 
 2727 4321.	[bug]		Zones using mapped files containing out-of-zone data
 2728 			could return SERVFAIL instead of the expected NODATA
 2729 			or NXDOMAIN results. [RT #41596]
 2730 
 2731 4320.	[bug]		Insufficient memory allocation when handling
 2732 			"none" ACL could cause an assertion failure in
 2733 			named when parsing ACL configuration. [RT #41745]
 2734 
 2735 4319.	[security]	Fix resolver assertion failure due to improper
 2736 			DNAME handling when parsing fetch reply messages.
 2737 			(CVE-2016-1286) [RT #41753]
 2738 
 2739 4318.	[security]	Malformed control messages can trigger assertions
 2740 			in named and rndc. (CVE-2016-1285) [RT #41666]
 2741 
 2742 4317.	[bug]		Age all unused servers on fetch timeout. [RT #41597]
 2743 
 2744 4316.	[func]		Add option to tools to print RRs in unknown
 2745 			presentation format [RT #41595].
 2746 
 2747 4315.	[bug]		Check that configured view class isn't a meta class.
 2748 			[RT #41572].
 2749 
 2750 4314.	[contrib]	Added 'dnsperf-2.1.0.0-1', a set of performance
 2751 			testing tools provided by Nominum, Inc.
 2752 
 2753 4313.	[bug]		Handle ns_client_replace failures in test mode.
 2754 			[RT #41190]
 2755 
 2756 4312.	[bug]		dig's unknown DNS and EDNS flags (MBZ value) logging
 2757 			was not consistent. [RT #41600]
 2758 
 2759 4311.	[bug]		Prevent "rndc delzone" from being used on
 2760 			response-policy zones. [RT #41593]
 2761 
 2762 4310.	[performance]	Use __builtin_expect() where available to annotate
 2763 			conditions with known behavior. [RT #41411]
 2764 
 2765 4309.	[cleanup]	Remove the spurious "none" filename from log messages
 2766 			when processing built-in configuration. [RT #41594]
 2767 
 2768 4308.	[func]		Added operating system details to "named -V"
 2769 			output. [RT #41452]
 2770 
 2771 4307.	[bug]		"dig +subnet" and "mdig +subnet" could send
 2772 			incorrectly-formatted Client Subnet options
 2773 			if the prefix length was not divisible by 8.
 2774 			Also fixed a memory leak in "mdig". [RT #45178]
 2775 
 2776 4306.	[maint]		Added a PKCS#11 openssl patch supporting
 2777 			version 1.0.2f [RT #38312]
 2778 
 2779 4305.	[bug]		dnssec-signzone was not removing unnecessary rrsigs
 2780 			from the zone's apex. [RT #41483]
 2781 
 2782 4304.	[port]		xfer system test failed as 'tail -n +value' is not
 2783 			portable. [RT #41315]
 2784 
 2785 4303.	[bug]		"dig +subnet" was unable to send a prefix length of
 2786 			zero, as it was incorrectly changed to 32 for v4
 2787 			prefixes or 128 for v6 prefixes. In addition to
 2788 			fixing this, "dig +subnet=0" has been added as a
 2789 			short form for 0.0.0.0/0. The same changes have
 2790 			also been made in "mdig". [RT #41553]
 2791 
 2792 4302.	[port]		win32: fixed a build error in VS 2015. [RT #41426]
 2793 
 2794 4301.	[bug]		dnssec-settime -p [DP]sync was not working. [RT #41534]
 2795 
 2796 4300.	[bug]		A flag could be set in the wrong field when setting
 2797 			up non-recursive queries; this could cause the
 2798 			SERVFAIL cache to cache responses it shouldn't.
 2799 			New querytrace logging has been added which
 2800 			identified this error. [RT #41155]
 2801 
 2802 4299.	[bug]		Check that exactly totallen bytes are read when
 2803 			reading a RRset from raw files in both single read
 2804 			and incremental modes. [RT #41402]
 2805 
 2806 4298.	[bug]		dns_rpz_add errors in loadzone were not being
 2807 			propagated up the call stack. [RT #41425]
 2808 
 2809 4297.	[test]		Ensure delegations in RPZ zones fail robustly.
 2810 			[RT #41518]
 2811 
 2812 4296.	[bug]		TCP packet sizes were calculated incorrectly in the
 2813 			stats channel; they could be counted in the wrong
 2814 			histogram bucket. [RT #40587]
 2815 
 2816 4295.	[bug]		An unchecked result in dns_message_pseudosectiontotext()
 2817 			could allow incorrect text formatting of EDNS EXPIRE
 2818 			options. [RT #41437]
 2819 
 2820 4294.	[bug]		Fixed a regression in which "rndc stop -p" failed
 2821 			to print the PID. [RT #41513]
 2822 
 2823 4293.	[bug]		Address memory leak on priming query creation failure.
 2824 			[RT #41512]
 2825 
 2826 4292.	[placeholder]
 2827 
 2828 4291.	[cleanup]	Added a required include to dns/forward.h. [RT #41474]
 2829 
 2830 4290.	[func]		The timers returned by the statistics channel
 2831 			(indicating current time, server boot time, and
 2832 			most recent reconfiguration time) are now reported
 2833 			with millisecond accuracy. [RT #40082]
 2834 
 2835 4289.	[bug]		The server could crash due to memory being used
 2836 			after it was freed if a zone transfer timed out.
 2837 			[RT #41297]
 2838 
 2839 4288.	[bug]		Fixed a regression in resolver.c:possibly_mark()
 2840 			which caused known-bogus servers to be queried
 2841 			anyway. [RT #41321]
 2842 
 2843 4287.	[bug]		Silence an overly noisy log message when message
 2844 			parsing fails. [RT #41374]
 2845 
 2846 4286.	[security]	render_ecs errors were mishandled when printing out
 2847 			a OPT record resulting in a assertion failure.
 2848 			(CVE-2015-8705) [RT #41397]
 2849 
 2850 4285.	[security]	Specific APL data could trigger a INSIST.
 2851 			(CVE-2015-8704) [RT #41396]
 2852 
 2853 4284.	[bug]		Some GeoIP options were incorrectly documented
 2854 			using abbreviated forms which were not accepted by
 2855 			named.  The code has been updated to allow both
 2856 			long and abbreviated forms. [RT #41381]
 2857 
 2858 4283.	[bug]		OPENSSL_config is no longer re-callable. [RT #41348]
 2859 
 2860 4282.	[func]		'dig +[no]mapped' determine whether the use of mapped
 2861 			IPv4 addresses over IPv6 is permitted or not.  The
 2862 			default is +mapped.  [RT #41307]
 2863 
 2864 4281.	[bug]		Teach dns_message_totext about BADCOOKIE. [RT #41257]
 2865 
 2866 4280.	[performance]	Use optimal message sizes to improve compression
 2867 			in AXFRs. This reduces network traffic. [RT #40996]
 2868 
 2869 4279.	[test]		Don't use fixed ports when unit testing. [RT #41194]
 2870 
 2871 4278.	[bug]		'delv +short +[no]split[=##]' didn't work as expected.
 2872 			[RT #41238]
 2873 
 2874 4277.	[performance]	Improve performance of the RBT, the central zone
 2875 			datastructure: The aux hashtable was improved,
 2876 			hash function was updated to perform more
 2877 			uniform mapping, uppernode was added to
 2878 			dns_rbtnode, and other cleanups and performance
 2879 			improvements were made. [RT #41165]
 2880 
 2881 4276.	[protocol]	Add support for SMIMEA. [RT #40513]
 2882 
 2883 4275.	[performance]	Lazily initialize dns_compress->table only when
 2884 			compression is enabled. [RT #41189]
 2885 
 2886 4274.	[performance]	Speed up typemap processing from text. [RT #41196]
 2887 
 2888 4273.	[bug]		Only call dns_test_begin() and dns_test_end() once each
 2889 			in nsec3_test as it fails with GOST if called multiple
 2890 			times.
 2891 
 2892 4272.	[bug]		dig: the +norrcomments option didn't work with +multi.
 2893 			[RT #41234]
 2894 
 2895 4271.	[test]		Unit tests could deadlock in isc__taskmgr_pause().
 2896 			[RT #41235]
 2897 
 2898 4270.	[security]	Update allowed OpenSSL versions as named is
 2899 			potentially vulnerable to CVE-2015-3193.
 2900 
 2901 4269.	[bug]		Zones using "map" format master files currently
 2902 			don't work as policy zones.  This limitation has
 2903 			now been documented; attempting to use such zones
 2904 			in "response-policy" statements is now a
 2905 			configuration error.  [RT #38321]
 2906 
 2907 4268.	[func]		"rndc status" now reports the path to the
 2908 			configuration file. [RT #36470]
 2909 
 2910 4267.	[test]		Check sdlz error handling. [RT #41142]
 2911 
 2912 4266.	[placeholder]
 2913 
 2914 4265.	[bug]		Address unchecked isc_mem_get calls. [RT #41187]
 2915 
 2916 4264.	[bug]		Check const of strchr/strrchr assignments match
 2917 			argument's const status. [RT #41150]
 2918 
 2919 4263.	[contrib]	Address compiler warnings in mysqldyn module.
 2920 			[RT #41130]
 2921 
 2922 4262.	[bug]		Fixed a bug in epoll socket code that caused
 2923 			sockets to not be registered for ready
 2924 			notification in some cases, causing named to not
 2925 			read from or write to them, resulting in what
 2926 			appear to the user as blocked connections.
 2927 			[RT #41067]
 2928 
 2929 4261.	[maint]		H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53.
 2930 			[RT #40556]
 2931 
 2932 4260.	[security]	Insufficient testing when parsing a message allowed
 2933 			records with an incorrect class to be be accepted,
 2934 			triggering a REQUIRE failure when those records
 2935 			were subsequently cached. (CVE-2015-8000) [RT #40987]
 2936 
 2937 4259.	[func]		Add an option for non-destructive control channel
 2938 			access using a "read-only" clause. In such
 2939 			cases, a restricted set of rndc commands are
 2940 			allowed for querying information from named.
 2941 			[RT #40498]
 2942 
 2943 4258.	[bug]		Limit rndc query message sizes to 32 KiB. This should
 2944 			not break any legitimate rndc commands, but will
 2945 			prevent a rogue rndc query from allocating too
 2946 			much memory. [RT #41073]
 2947 
 2948 4257.	[cleanup]	Python scripts reported incorrect version. [RT #41080]
 2949 
 2950 4256.	[bug]		Allow rndc command arguments to be quoted so as
 2951 			to allow spaces. [RT #36665]
 2952 
 2953 4255.	[performance]	Add 'message-compression' option to disable DNS
 2954 			compression in responses. [RT #40726]
 2955 
 2956 4254.	[bug]		Address missing lock when getting zone's serial.
 2957 			[RT #41072]
 2958 
 2959 4253.	[security]	Address fetch context reference count handling error
 2960 			on socket error. (CVE-2015-8461)  [RT#40945]
 2961 
 2962 4252.	[func]		Add support for automating the generation CDS and
 2963 			CDNSKEY rrsets to named and dnssec-signzone.
 2964 			[RT #40424]
 2965 
 2966 4251.	[bug]		NTAs were deleted when the server was reconfigured
 2967 			or reloaded. [RT #41058]
 2968 
 2969 4250.	[func]		Log the TSIG key in use during inbound zone
 2970 			transfers. [RT #41075]
 2971 
 2972 4249.	[func]		Improve error reporting of TSIG / SIG(0) records in
 2973 			the wrong location. [RT #41030]
 2974 
 2975 4248.	[performance]	Add an isc_atomic_storeq() function, use it in
 2976 			stats counters to improve performance.
 2977 			[RT #39972] [RT #39979]
 2978 
 2979 4247.	[port]		Require both HAVE_JSON and JSON_C_VERSION to be
 2980 			defined to report json library version. [RT #41045]
 2981 
 2982 4246.	[test]		Ensure the statschannel system test runs when BIND
 2983 			is not built with libjson. [RT #40944]
 2984 
 2985 4245.	[placeholder]
 2986 
 2987 4244.	[bug]		The parser was not reporting that use-ixfr is obsolete.
 2988 			[RT #41010]
 2989 
 2990 4243.	[func]		Improved stats reporting from Timothe Litt. [RT #38941]
 2991 
 2992 4242.	[bug]		Replace the client if not already replaced when
 2993 			prefetching. [RT #41001]
 2994 
 2995 4241.	[doc]		Improved the TSIG, TKEY, and SIG(0) sections in
 2996 			the ARM. [RT #40955]
 2997 
 2998 4240.	[port]		Fix LibreSSL compatibility. [RT #40977]
 2999 
 3000 4239.	[func]		Changed default servfail-ttl value to 1 second from 10.
 3001 			Also, the maximum value is now 30 instead of 300.
 3002 			[RT #37556]
 3003 
 3004 4238.	[bug]		Don't send to servers on net zero (0.0.0.0/8).
 3005 			[RT #40947]
 3006 
 3007 4237.	[doc]		Upgraded documentation toolchain to use DocBook 5
 3008 			and dblatex. [RT #40766]
 3009 
 3010 4236.	[performance]	On machines with 2 or more processors (CPU), the
 3011 			default value for the number of UDP listeners
 3012 			has been changed to the number of detected
 3013 			processors minus one. [RT #40761]
 3014 
 3015 4235.	[func]		Added support in named for "dnstap", a fast method of
 3016 			capturing and logging DNS traffic, and a new command
 3017 			"dnstap-read" to read a dnstap log file.  Use
 3018 			"configure --enable-dnstap" to enable this
 3019 			feature (note that this requires libprotobuf-c
 3020 			and libfstrm). See the ARM for configuration details.
 3021 
 3022 			Thanks to Robert Edmonds of Farsight Security.
 3023 			[RT #40211]
 3024 
 3025 4234.	[func]		Add deflate compression in statistics channel HTTP
 3026 			server. [RT #40861]
 3027 
 3028 4233.	[test]		Add tests for CDS and CDNSKEY with delegation-only.
 3029 			[RT #40597]
 3030 
 3031 4232.	[contrib]	Address unchecked memory allocation calls in
 3032 			query-loc and zone2ldap. [RT #40789]
 3033 
 3034 4231.	[contrib]	Address unchecked calloc call in dlz_mysqldyn_mod.c.
 3035 			[RT #40840]
 3036 
 3037 4230.	[contrib]	dlz_wildcard_dynamic.c:dlz_create could return a
 3038 			uninitialized result. [RT #40839]
 3039 
 3040 4229.	[bug]		A variable could be used uninitialized in
 3041 			dns_update_signaturesinc. [RT #40784]
 3042 
 3043 4228.	[bug]		Address race condition in dns_client_destroyrestrans.
 3044 			[RT #40605]
 3045 
 3046 4227.	[bug]		Silence static analysis warnings. [RT #40828]
 3047 
 3048 4226.	[bug]		Address a theoretical shutdown race in
 3049 			zone.c:notify_send_queue(). [RT #38958]
 3050 
 3051 4225.	[port]		freebsd/openbsd:  Use '${CC} -shared' for building
 3052 			shared libraries. [RT #39557]
 3053 
 3054 4224.	[func]		Added support for "dyndb", a new interface for loading
 3055 			zone data from an external database, developed by
 3056 			Red Hat for the FreeIPA project.
 3057 
 3058 			DynDB drivers fully implement the BIND database
 3059 			API, and are capable of significantly better
 3060 			performance and functionality than DLZ drivers,
 3061 			while taking advantage of advanced database
 3062 			features not available in BIND such as multi-master
 3063 			replication.
 3064 
 3065 			Thanks to Adam Tkac and Petr Spacek of Red Hat.
 3066 			[RT #35271]
 3067 
 3068 4223.	[func]		Add support for setting max-cache-size to percentage
 3069 			of available physical memory, set default to 90%.
 3070 			[RT #38442]
 3071 
 3072 4222.	[func]		Bias IPv6 servers when selecting the next server to
 3073 			query. [RT #40836]
 3074 
 3075 4221.	[bug]		Resource leak on DNS_R_NXDOMAIN in fctx_create.
 3076 			[RT #40583]
 3077 
 3078 4220.	[doc]		Improve documentation for zone-statistics.
 3079 			[RT #36955]
 3080 
 3081 4219.	[bug]		Set event->result to ISC_R_WOULDBLOCK on EWOULDBLOCK,
 3082 			EGAIN when these soft error are not retried for
 3083 			isc_socket_send*().
 3084 
 3085 4218.	[bug]		Potential null pointer dereference on out of memory
 3086 			if mmap is not supported. [RT #40777]
 3087 
 3088 4217.	[protocol]	Add support for CSYNC. [RT #40532]
 3089 
 3090 4216.	[cleanup]	Silence static analysis warnings. [RT #40649]
 3091 
 3092 4215.	[bug]		nsupdate: skip to next request on GSSTKEY create
 3093 			failure. [RT #40685]
 3094 
 3095 4214.	[protocol]	Add support for TALINK.  [RT #40544]
 3096 
 3097 4213.	[bug]		Don't reuse a cache across multiple classes.
 3098 			[RT #40205]
 3099 
 3100 4212.	[func]		Re-query if we get a bad client cookie returned over
 3101 			UDP. [RT #40748]
 3102 
 3103 4211.	[bug]		Ensure that lwresd gets at least one task to work
 3104 			with if enabled. [RT #40652]
 3105 
 3106 4210.	[cleanup]	Silence use after free false positive. [RT #40743]
 3107 
 3108 4209.	[bug]		Address resource leaks in dlz modules. [RT #40654]
 3109 
 3110 4208.	[bug]		Address null pointer dereferences on out of memory.
 3111 			[RT #40764]
 3112 
 3113 4207.	[bug]		Handle class mismatches with raw zone files.
 3114 			[RT #40746]
 3115 
 3116 4206.	[bug]		contrib: fixed a possible NULL dereference in
 3117 			DLZ wildcard module. [RT #40745]
 3118 
 3119 4205.	[bug]		'named-checkconf -p' could include unwanted spaces
 3120 			when printing tuples with unset optional fields.
 3121 			[RT #40731]
 3122 
 3123 4204.	[bug]		'dig +trace' failed to lookup the correct type if
 3124 			the initial root NS query was retried. [RT #40296]
 3125 
 3126 4203.	[test]		The rrchecker system test now tests conversion
 3127 			to and from unknown-type format. [RT #40584]
 3128 
 3129 4202.	[bug]		isccc_cc_fromwire() could return an incorrect
 3130 			result. [RT #40614]
 3131 
 3132 4201.	[func]		The default preferred-glue is now the address record
 3133 			type of the transport the query was received
 3134 			over.  [RT #40468]
 3135 
 3136 4200.	[cleanup]	win32: update BINDinstall to be BIND release
 3137 			independent. [RT #38915]
 3138 
 3139 4199.	[protocol]	Add support for NINFO, RKEY, SINK, TA.
 3140 			[RT #40545] [RT #40547] [RT #40561] [RT #40563]
 3141 
 3142 4198.	[placeholder]
 3143 
 3144 4197.	[bug]		'named-checkconf -z' didn't handle 'in-view' clauses.
 3145 			[RT #40603]
 3146 
 3147 4196.	[doc]		Improve how "enum + other" types are documented.
 3148 			[RT #40608]
 3149 
 3150 4195.	[bug]		'max-zone-ttl unlimited;' was broken. [RT #40608]
 3151 
 3152 4194.	[bug]		named-checkconf -p failed to properly print a port
 3153 			range.  [RT #40634]
 3154 
 3155 4193.	[bug]		Handle broken servers that return BADVERS incorrectly.
 3156 			[RT #40427]
 3157 
 3158 4192.	[bug]		The default rrset-order of random was not always being
 3159 			applied. [RT #40456]
 3160 
 3161 4191.	[protocol]	Accept DNS-SD non LDH PTR records in reverse zones
 3162 			as per RFC 6763. [RT #37889]
 3163 
 3164 4190.	[protocol]	Accept Active Directory gc._msdcs.<forest> name as
 3165 			valid with check-names.  <forest> still needs to be
 3166 			LDH. [RT #40399]
 3167 
 3168 4189.	[cleanup]	Don't exit on overly long tokens in named.conf.
 3169 			[RT #40418]
 3170 
 3171 4188.	[bug]		Support HTTP/1.0 client properly on the statistics
 3172 			channel. [RT #40261]
 3173 
 3174 4187.	[func]		When any RR type implementation doesn't
 3175 			implement totext() for the RDATA's wire
 3176 			representation and returns ISC_R_NOTIMPLEMENTED,
 3177 			such RDATA is now printed in unknown
 3178 			presentation format (RFC 3597). RR types affected
 3179 			include LOC(29) and APL(42). [RT #40317].
 3180 
 3181 4186.	[bug]		Fixed an RPZ bug where a QNAME would be matched
 3182 			against a policy RR with wildcard owner name
 3183 			(trigger) where the QNAME was the wildcard owner
 3184 			name's parent. For example, the bug caused a query
 3185 			with QNAME "example.com" to match a policy RR with
 3186 			"*.example.com" as trigger. [RT #40357]
 3187 
 3188 4185.	[bug]		Fixed an RPZ bug where a policy RR with wildcard
 3189 			owner name (trigger) would prevent another policy RR
 3190 			with its parent owner name from being
 3191 			loaded. For example, the bug caused a policy RR
 3192 			with trigger "example.com" to not have any
 3193 			effect when a previous policy RR with trigger
 3194 			"*.example.com" existed in that RPZ zone.
 3195 			[RT #40357]
 3196 
 3197 4184.	[bug]		Fixed a possible memory leak in name compression
 3198 			when rendering long messages. (Also, improved
 3199 			wire_test for testing such messages.) [RT #40375]
 3200 
 3201 4183.	[cleanup]	Use timing-safe memory comparisons in cryptographic
 3202 			code. Also, the timing-safe comparison functions have
 3203 			been renamed to avoid possible confusion with
 3204 			memcmp(). Thanks to Loganaden Velvindron of
 3205 			AFRINIC. [RT #40148]
 3206 
 3207 4182.	[cleanup]	Use mnemonics for RR class and type comparisons.
 3208 			[RT #40297]
 3209 
 3210 4181.	[bug]		Queued notify messages could be dequeued from the
 3211 			wrong rate limiter queue. [RT #40350]
 3212 
 3213 4180.	[bug]		Error responses in pipelined queries could
 3214 			cause a crash in client.c. [RT #40289]
 3215 
 3216 4179.	[bug]		Fix double frees in getaddrinfo() in libirs.
 3217 			[RT #40209]
 3218 
 3219 4178.	[bug]		Fix assertion failure in parsing UNSPEC(103) RR from
 3220 			text. [RT #40274]
 3221 
 3222 4177.	[bug]		Fix assertion failure in parsing NSAP records from
 3223 			text. [RT #40285]
 3224 
 3225 4176.	[bug]		Address race issues with lwresd. [RT #40284]
 3226 
 3227 4175.	[bug]		TKEY with GSS-API keys needed bigger buffers.
 3228 			[RT #40333]
 3229 
 3230 4174.	[bug]		"dnssec-coverage -r" didn't handle time unit
 3231 			suffixes correctly. [RT #38444]
 3232 
 3233 4173.	[bug]		dig +sigchase was not properly matching the trusted
 3234 			key. [RT #40188]
 3235 
 3236 4172.	[bug]		Named / named-checkconf didn't handle a view of CLASS0.
 3237 			[RT #40265]
 3238 
 3239 4171.	[bug]		Fixed incorrect class checks in TSIG RR
 3240 			implementation. [RT #40287]
 3241 
 3242 4170.	[security]	An incorrect boundary check in the OPENPGPKEY
 3243 			rdatatype could trigger an assertion failure.
 3244 			(CVE-2015-5986) [RT #40286]
 3245 
 3246 4169.	[test]		Added a 'wire_test -d' option to read input as
 3247 			raw binary data, for use as a fuzzing harness.
 3248 			[RT #40312]
 3249 
 3250 4168.	[security]	A buffer accounting error could trigger an
 3251 			assertion failure when parsing certain malformed
 3252 			DNSSEC keys. (CVE-2015-5722) [RT #40212]
 3253 
 3254 4167.	[func]		Update rndc's usage output to include recently added
 3255 			commands. Thanks to Tony Finch for submitting a
 3256 			patch. [RT #40010]
 3257 
 3258 4166.	[func]		Print informative output from rndc showzone when
 3259 			allow-new-zones is not enabled for a view. Thanks to
 3260 			Tony Finch for submitting a patch. [RT #40009]
 3261 
 3262 4165.	[security]	A failure to reset a value to NULL in tkey.c could
 3263 			result in an assertion failure. (CVE-2015-5477)
 3264 			[RT #40046]
 3265 
 3266 4164.	[bug]		Don't rename slave files and journals on out of memory.
 3267 			[RT #40033]
 3268 
 3269 4163.	[bug]		Address compiler warnings. [RT #40024]
 3270 
 3271 4162.	[bug]		httpdmgr->flags was not being initialized. [RT #40017]
 3272 
 3273 4161.	[test]		Add JSON test for traffic size stats; also test
 3274 			for consistency between "rndc stats" and the XML
 3275 			and JSON statistics channel contents. [RT #38700]
 3276 
 3277 4160.	[placeholder]
 3278 
 3279 4159.	[cleanup]	Alphabetize dig's help output. [RT #39966]
 3280 
 3281 4158.	[placeholder]
 3282 
 3283 4157.	[placeholder]
 3284 
 3285 4156.	[func]		Added statistics counters to track the sizes
 3286 			of incoming queries and outgoing responses in
 3287 			histogram buckets, as specified in RSSAC002.
 3288 			[RT #39049]
 3289 
 3290 4155.	[func]		Allow RPZ rewrite logging to be configured on a
 3291 			per-zone basis using a newly introduced log clause in
 3292 			the response-policy option. [RT #39754]
 3293 
 3294 4154.	[bug]		A OPT record should be included with the FORMERR
 3295 			response when there is a malformed EDNS option.
 3296 			[RT #39647]
 3297 
 3298 4153.	[bug]		Dig should zero non significant +subnet bits.  Check
 3299 			that non significant ECS bits are zero on receipt.
 3300 			[RT #39647]
 3301 
 3302 4152.	[func]		Implement DNS COOKIE option.  This replaces the
 3303 			experimental SIT option of BIND 9.10.  The following
 3304 			named.conf directives are available: send-cookie,
 3305 			cookie-secret, cookie-algorithm, nocookie-udp-size
 3306 			and require-server-cookie.  The following dig options
 3307 			are available: +[no]cookie[=value] and +[no]badcookie.
 3308 			[RT #39928]
 3309 
 3310 4151.	[bug]		'rndc flush' could cause a deadlock. [RT #39835]
 3311 
 3312 4150.	[bug]		win32: listen-on-v6 { any; }; was not working.  Apply
 3313 			minimal fix.  [RT #39667]
 3314 
 3315 4149.	[bug]		Fixed a race condition in the getaddrinfo()
 3316 			implementation in libirs, which caused the delv
 3317 			utility to crash with an assertion failure when using
 3318 			the '@server' syntax with a hostname argument.
 3319 			[RT #39899]
 3320 
 3321 4148.	[bug]		Fix a bug when printing zone names with '/' character
 3322 			in XML and JSON statistics output. [RT #39873]
 3323 
 3324 4147.	[bug]		Filter-aaaa / filter-aaaa-on-v4 / filter-aaaa-on-v6
 3325 			was returning referrals rather than nodata responses
 3326 			when the AAAA records were filtered.  [RT #39843]
 3327 
 3328 4146.	[bug]		Address reference leak that could prevent a clean
 3329 			shutdown. [RT #37125]
 3330 
 3331 4145.	[bug]		Not all unassociated adb entries where being printed.
 3332 			[RT #37125]
 3333 
 3334 4144.	[func]		Add statistics counters for nxdomain redirections.
 3335 			[RT #39790]
 3336 
 3337 4143.	[placeholder]
 3338 
 3339 4142.	[bug]		rndc addzone with view specified saved NZF config
 3340 			that could not be read back by named. This has now
 3341 			been fixed. [RT #39845]
 3342 
 3343 4141.	[bug]		A formatting bug caused rndc zonestatus to print
 3344 			negative numbers for large serial values. This has
 3345 			now been fixed. [RT #39854]
 3346 
 3347 4140.	[cleanup]	Remove redundant nzf_remove() call during delzone.
 3348 			[RT #39844]
 3349 
 3350 4139.	[doc]		Fix rpz-client-ip documentation. [RT #39783]
 3351 
 3352 4138.	[security]	An uninitialized value in validator.c could result
 3353 			in an assertion failure. (CVE-2015-4620) [RT #39795]
 3354 
 3355 4137.	[bug]		Make rndc reconfig report configuration errors the
 3356 			same way rndc reload does. [RT #39635]
 3357 
 3358 4136.	[bug]		Stale statistics counters with the leading
 3359 			'#' prefix (such as #NXDOMAIN) were not being
 3360 			updated correctly. This has been fixed. [RT #39141]
 3361 
 3362 4135.	[cleanup]	Log expired NTA at startup. [RT #39680]
 3363 
 3364 4134.	[cleanup]	Include client-ip rules when logging the number
 3365 			of RPZ rules of each type. [RT #39670]
 3366 
 3367 4133.	[port]		Update how various json libraries are handled.
 3368 			[RT #39646]
 3369 
 3370 4132.	[cleanup]	dig: added +rd as a synonym for +recurse,
 3371 			added +class as an unabbreviated alternative
 3372 			to +cl. [RT #39686]
 3373 
 3374 4131.	[bug]		Addressed further problems with reloading RPZ
 3375 			zones. [RT #39649]
 3376 
 3377 4130.	[bug]		The compatibility shim for *printf() misprinted some
 3378 			large numbers. [RT #39586]
 3379 
 3380 4129.	[port]		Address API changes in OpenSSL 1.1.0. [RT #39532]
 3381 
 3382 4128.	[bug]		Address issues raised by Coverity 7.6. [RT #39537]
 3383 
 3384 4127.	[protocol]	CDS and CDNSKEY need to be signed by the key signing
 3385 			key as per RFC 7344, Section 4.1. [RT #37215]
 3386 
 3387 4126.	[bug]		Addressed a regression introduced in change #4121.
 3388 			[RT #39611]
 3389 
 3390 4125.	[test]		Added tests for dig, renamed delv test to digdelv.
 3391 			[RT #39490]
 3392 
 3393 4124.	[func]		Log errors or warnings encountered when parsing the
 3394 			internal default configuration.  Clarify the logging
 3395 			of errors and warnings encountered in rndc
 3396 			addzone or modzone parameters. [RT #39440]
 3397 
 3398 4123.	[port]		Added %z (size_t) format options to the portable
 3399 			internal printf/sprintf implementation. [RT #39586]
 3400 
 3401 4122.	[bug]		The server could match a shorter prefix than what was
 3402 			available in CLIENT-IP policy triggers, and so, an
 3403 			unexpected action could be taken. This has been
 3404 			corrected. [RT #39481]
 3405 
 3406 4121.	[bug]		On servers with one or more policy zones
 3407 			configured as slaves, if a policy zone updated
 3408 			during regular operation (rather than at
 3409 			startup) using a full zone reload, such as via
 3410 			AXFR, a bug could allow the RPZ summary data to
 3411 			fall out of sync, potentially leading to an
 3412 			assertion failure in rpz.c when further
 3413 			incremental updates were made to the zone, such
 3414 			as via IXFR. [RT #39567]
 3415 
 3416 4120.	[bug]		A bug in RPZ could cause the server to crash if
 3417 			policy zones were updated while recursion was
 3418 			pending for RPZ processing of an active query.
 3419 			[RT #39415]
 3420 
 3421 4119.	[test]		Allow dig to set the message opcode. [RT #39550]
 3422 
 3423 4118.	[bug]		Teach isc-config.sh about irs. [RT #39213]
 3424 
 3425 4117.	[protocol]	Add EMPTY.AS112.ARPA as per RFC 7534.
 3426 
 3427 4116.	[bug]		Fix a bug in RPZ that could cause some policy
 3428 			zones that did not specifically require
 3429 			recursion to be treated as if they did;
 3430 			consequently, setting qname-wait-recurse no; was
 3431 			sometimes ineffective. [RT #39229]
 3432 
 3433 4115.	[func]		"rndc -r" now prints the result code (e.g.,
 3434 			ISC_R_SUCCESS, ISC_R_TIMEOUT, etc) after
 3435 			running the requested command. [RT #38913]
 3436 
 3437 4114.	[bug]		Fix a regression in radix tree implementation
 3438 			introduced by ECS code. This bug was never
 3439 			released, but it was reported by a user testing
 3440 			master. [RT #38983]
 3441 
 3442 4113.	[test]		Check for Net::DNS is some system test
 3443 			prerequisites. [RT #39369]
 3444 
 3445 4112.	[bug]		Named failed to load when "root-delegation-only"
 3446 			was used without a list of domains to exclude.
 3447 			[RT #39380]
 3448 
 3449 4111.	[doc]		Alphabetize rndc man page. [RT #39360]
 3450 
 3451 4110.	[bug]		Address memory leaks / null pointer dereferences
 3452 			on out of memory. [RT #39310]
 3453 
 3454 4109.	[port]		linux: support reading the local port range from
 3455 			net.ipv4.ip_local_port_range. [RT # 39379]
 3456 
 3457 4108.	[func]		An additional NXDOMAIN redirect method (option
 3458 			"nxdomain-redirect") has been added, allowing
 3459 			redirection to a specified DNS namespace instead
 3460 			of a single redirect zone. [RT #37989]
 3461 
 3462 4107.	[bug]		Address potential deadlock when updating zone content.
 3463 			[RT #39269]
 3464 
 3465 4106.	[port]		Improve readline support. [RT #38938]
 3466 
 3467 4105.	[port]		Misc fixes for Microsoft Visual Studio
 3468 			2015 CTP6 in 64 bit mode. [RT #39308]
 3469 
 3470 4104.	[bug]		Address uninitialized elements. [RT #39252]
 3471 
 3472 4103.	[port]		Misc fixes for Microsoft Visual Studio
 3473 			2015 CTP6. [RT #39267]
 3474 
 3475 4102.	[bug]		Fix a use after free bug introduced in change
 3476 			#4094.  [RT #39281]
 3477 
 3478 4101.	[bug]		dig: the +split and +rrcomments options didn't
 3479 			work with +short. [RT #39291]
 3480 
 3481 4100.	[bug]		Inherited owernames on the line immediately following
 3482 			a $INCLUDE were not working.  [RT #39268]
 3483 
 3484 4099.	[port]		clang: make unknown commandline options hard errors
 3485 			when determining what options are supported.
 3486 			[RT #39273]
 3487 
 3488 4098.	[bug]		Address use-after-free issue when using a
 3489 			predecessor key with dnssec-settime. [RT #39272]
 3490 
 3491 4097.	[func]		Add additional logging about xfrin transfer status.
 3492 			[RT #39170]
 3493 
 3494 4096.	[bug]		Fix a use after free of query->sendevent.
 3495 			[RT #39132]
 3496 
 3497 4095.	[bug]		zone->options2 was not being properly initialized.
 3498 			[RT #39228]
 3499 
 3500 4094.	[bug]		A race during shutdown or reconfiguration could
 3501 			cause an assertion in mem.c. [RT #38979]
 3502 
 3503 4093.	[func]		Dig now learns the SIT value from truncated
 3504 			responses when it retries over TCP. [RT #39047]
 3505 
 3506 4092.	[bug]		'in-view' didn't work for zones beneath a empty zone.
 3507 			[RT #39173]
 3508 
 3509 4091.	[cleanup]	Some cleanups in isc mem code. [RT #38896]
 3510 
 3511 4090.	[bug]		Fix a crash while parsing malformed CAA RRs in
 3512 			presentation format, i.e., from text such as
 3513 			from master files. Thanks to John Van de
 3514 			Meulebrouck Brendgard for discovering and
 3515 			reporting this problem. [RT #39003]
 3516 
 3517 4089.	[bug]		Send notifies immediately for slave zones during
 3518 			startup. [RT #38843]
 3519 
 3520 4088.	[port]		Fixed errors when building with libressl. [RT #38899]
 3521 
 3522 4087.	[bug]		Fix a crash due to use-after-free due to sequencing
 3523 			of tasks actions. [RT #38495]
 3524 
 3525 4086.	[bug]		Fix out-of-srcdir build with native pkcs11. [RT #38831]
 3526 
 3527 4085.	[bug]		ISC_PLATFORM_HAVEXADDQ could be inconsistently set.
 3528 			[RT #38828]
 3529 
 3530 4084.	[bug]		Fix a possible race in updating stats counters.
 3531 			[RT #38826]
 3532 
 3533 4083.	[cleanup]	Print the number of CPUs and UDP listeners
 3534 			consistently in the log and in "rndc status"
 3535 			output; indicate whether threads are supported
 3536 			in "named -V" output. [RT #38811]
 3537 
 3538 4082.	[bug]		Incrementally sign large inline zone deltas.
 3539 			[RT #37927]
 3540 
 3541 4081.	[cleanup]	Use dns_rdatalist_init consistently. [RT #38759]
 3542 
 3543 4080.	[func]		Completed change #4022, adding a "lock-file" option
 3544 			to named.conf to override the default lock file,
 3545 			in addition to the "named -X <filename>" command
 3546 			line option.  Setting the lock file to "none"
 3547 			using either method disables the check completely.
 3548 			[RT #37908]
 3549 
 3550 4079.	[func]		Preserve the case of the owner name of records to
 3551 			the RRset level. [RT #37442]
 3552 
 3553 4078.	[bug]		Handle the case where CMSG_SPACE(sizeof(int)) !=
 3554 			CMSG_SPACE(sizeof(char)). [RT #38621]
 3555 
 3556 4077.	[test]		Add static-stub regression test for DS NXDOMAIN
 3557 			return making the static stub disappear. [RT #38564]
 3558 
 3559 4076.	[bug]		Named could crash on shutdown with outstanding
 3560 			reload / reconfig events. [RT #38622]
 3561 
 3562 4075.	[placeholder]
 3563 
 3564 4074.	[cleanup]	Cleaned up more warnings from gcc -Wshadow. [RT #38708]
 3565 
 3566 4073.	[cleanup]	Add libjson-c version number reporting to
 3567 			"named -V"; normalize version number formatting.
 3568 			[RT #38056]
 3569 
 3570 4072.	[func]		Add a --enable-querytrace configure switch for
 3571 			very verbose query trace logging. (This option
 3572 			has a negative performance impact and should be
 3573 			used only for debugging.) [RT #37520]
 3574 
 3575 4071.	[cleanup]	Initialize pthread mutex attrs just once, instead of
 3576 			doing it per mutex creation. [RT #38547]
 3577 
 3578 4070.	[bug]		Fix a segfault in nslookup in a query such as
 3579 			"nslookup isc.org AMS.SNS-PB.ISC.ORG -all".
 3580 			[RT #38548]
 3581 
 3582 4069.	[doc]		Reorganize options in the nsupdate man page.
 3583 			[RT #38515]
 3584 
 3585 4068.	[bug]		Omit unknown serial number from JSON zone statistics.
 3586 			[RT #38604]
 3587 
 3588 4067.	[cleanup]	Reduce noise from RRL when query logging is
 3589 			disabled. [RT #38648]
 3590 
 3591 4066.	[doc]		Reorganize options in the dig man page. [RT #38516]
 3592 
 3593 4065.	[test]		Additional RFC 5011 tests. [RT #38569]
 3594 
 3595 4064.	[contrib]	dnssec-keyset.sh: Generates a specified number
 3596 			of DNSSEC keys with timing set to implement a
 3597 			pre-publication key rollover strategy. Thanks
 3598 			to Jeffry A. Spain. [RT #38459]
 3599 
 3600 4063.	[bug]		Asynchronous zone loads were not handled
 3601 			correctly when the zone load was already in
 3602 			progress; this could trigger a crash in zt.c.
 3603 			[RT #37573]
 3604 
 3605 4062.	[bug]		Fix an out-of-bounds read in RPZ code. If the
 3606 			read succeeded, it doesn't result in a bug
 3607 			during operation. If the read failed, named
 3608 			could segfault. [RT #38559]
 3609 
 3610 4061.	[bug]		Handle timeout in legacy system test. [RT #38573]
 3611 
 3612 4060.	[bug]		dns_rdata_freestruct could be called on a
 3613 			uninitialized structure when handling a error.
 3614 			[RT #38568]
 3615 
 3616 4059.	[bug]		Addressed valgrind warnings. [RT #38549]
 3617 
 3618 4058.	[bug]		UDP dispatches could use the wrong pseudorandom
 3619 			number generator context. [RT #38578]
 3620 
 3621 4057.	[bug]		'dnssec-dsfromkey -T 0' failed to add ttl field.
 3622 			[RT #38565]
 3623 
 3624 4056.	[bug]		Expanded automatic testing of trust anchor
 3625 			management and fixed several small bugs including
 3626 			a memory leak and a possible loss of key state
 3627 			information. [RT #38458]
 3628 
 3629 4055.	[func]		"rndc managed-keys" can be used to check status
 3630 			of trust anchors or to force keys to be refreshed,
 3631 			Also, the managed keys data file has easier-to-read
 3632 			comments.  [RT #38458]
 3633 
 3634 4054.	[func]		Added a new tool 'mdig', a lightweight clone of
 3635 			dig able to send multiple pipelined queries.
 3636 			[RT #38261]
 3637 
 3638 4053.	[security]	Revoking a managed trust anchor and supplying
 3639 			an untrusted replacement could cause named
 3640 			to crash with an assertion failure.
 3641 			(CVE-2015-1349) [RT #38344]
 3642 
 3643 4052.	[bug]		Fix a leak of query fetchlock. [RT #38454]
 3644 
 3645 4051.	[bug]		Fix a leak of pthread_mutexattr_t. [RT #38454]
 3646 
 3647 4050.	[bug]		RPZ could send spurious SERVFAILs in response
 3648 			to duplicate queries. [RT #38510]
 3649 
 3650 4049.	[bug]		CDS and CDNSKEY had the wrong attributes. [RT #38491]
 3651 
 3652 4048.	[bug]		adb hash table was not being grown. [RT #38470]
 3653 
 3654 4047.	[cleanup]	"named -V" now reports the current running versions
 3655 			of OpenSSL and the libxml2 libraries, in addition to
 3656 			the versions that were in use at build time.
 3657 
 3658 4046.	[bug]		Accounting of "total use" in memory context
 3659 			statistics was not correct. [RT #38370]
 3660 
 3661 4045.	[bug]		Skip to next master on dns_request_createvia4 failure.
 3662 			[RT #25185]
 3663 
 3664 4044.	[bug]		Change 3955 was not complete, resulting in an assertion
 3665 			failure if the timing was just right. [RT #38352]
 3666 
 3667 4043.	[func]		"rndc modzone" can be used to modify the
 3668 			configuration of an existing zone, using similar
 3669 			syntax to "rndc addzone". [RT #37895]
 3670 
 3671 4042.	[bug]		zone.c:iszonesecure was being called too late.
 3672 			[RT #38371]
 3673 
 3674 4041.	[func]		TCP sockets can now be shared while connecting.
 3675 			(This will be used to enable client-side support
 3676 			of pipelined queries.) [RT #38231]
 3677 
 3678 4040.	[func]		Added server-side support for pipelined TCP
 3679 			queries. Clients may continue sending queries via
 3680 			TCP while previous queries are being processed
 3681 			in parallel.  (The new "keep-response-order"
 3682 			option allows clients to be specified for which
 3683 			the old behavior will still be used.) [RT #37821]
 3684 
 3685 4039.	[cleanup]	Cleaned up warnings from gcc -Wshadow. [RT #37381]
 3686 
 3687 4038.	[bug]		Add 'rpz' flag to node and use it to determine whether
 3688 			to call dns_rpz_delete.  This should prevent unbalanced
 3689 			add / delete calls. [RT #36888]
 3690 
 3691 4037.	[bug]		also-notify was ignoring the tsig key when checking
 3692 			for duplicates resulting in some expected notify
 3693 			messages not being sent. [RT #38369]
 3694 
 3695 4036.	[bug]		Make call to open a temporary file name safe during
 3696 			NZF creation. [RT #38331]
 3697 
 3698 4035.	[bug]		Close temporary and NZF FILE pointers before moving
 3699 			the former into the latter's place, as required on
 3700 			Windows. [RT #38332]
 3701 
 3702 4034.	[func]		When added, negative trust anchors (NTA) are now
 3703 			saved to files (viewname.nta), in order to
 3704 			persist across restarts of the named server.
 3705 			[RT #37087]
 3706 
 3707 4033.	[bug]		Missing out of memory check in request.c:req_send.
 3708 			[RT #38311]
 3709 
 3710 4032.	[bug]		Built-in "empty" zones did not correctly inherit the
 3711 			"allow-transfer" ACL from the options or view.
 3712 			[RT #38310]
 3713 
 3714 4031.	[bug]		named-checkconf -z failed to report a missing file
 3715 			with a hint zone. [RT #38294]
 3716 
 3717 4030.	[func]		"rndc delzone" is now applicable to zones that were
 3718 			configured in named.conf, as well as zones that
 3719 			were added via "rndc addzone". (Note, however, that
 3720 			if named.conf is not also modified, the deleted zone
 3721 			will return when named is reloaded.) [RT #37887]
 3722 
 3723 4029.	[func]		"rndc showzone" displays the current configuration
 3724 			of a specified zone. [RT #37887]
 3725 
 3726 4028.	[bug]		$GENERATE with a zero step was not being caught as a
 3727 			error.  A $GENERATE with a / but no step was not being
 3728 			caught as a error. [RT #38262]
 3729 
 3730 4027.	[port]		Net::DNS 0.81 compatibility. [RT #38165]
 3731 
 3732 4026.	[bug]		Fix RFC 3658 reference in dig +sigchase. [RT #38173]
 3733 
 3734 4025.	[port]		bsdi: failed to build. [RT #38047]
 3735 
 3736 4024.	[bug]		dns_rdata_opt_first, dns_rdata_opt_next,
 3737 			dns_rdata_opt_current, dns_rdata_txt_first,
 3738 			dns_rdata_txt_next and dns_rdata_txt_current were
 3739 			documented but not implemented.  These have now been
 3740 			implemented.
 3741 
 3742 			dns_rdata_spf_first, dns_rdata_spf_next and
 3743 			dns_rdata_spf_current were documented but not
 3744 			implemented.  The prototypes for these
 3745 			functions have been removed. [RT #38068]
 3746 
 3747 4023.	[bug]		win32: socket handling with explicit ports and
 3748 			invoking named with -4 was broken for some
 3749 			configurations. [RT #38068]
 3750 
 3751 4022.	[func]		Stop multiple spawns of named by limiting number of
 3752 			processes to 1. This is done by using a lockfile and
 3753 			checking whether we can listen on any configured
 3754 			TCP interfaces. [RT #37908]
 3755 
 3756 4021.	[bug]		Adjust max-recursion-queries to accommodate
 3757 			the need for more queries when the cache is
 3758 			empty. [RT #38104]
 3759 
 3760 4020.	[bug]		Change 3736 broke nsupdate's SOA MNAME discovery
 3761 			resulting in updates being sent to the wrong server.
 3762 			[RT #37925]
 3763 
 3764 4019.	[func]		If named is not configured to validate the answer
 3765 			then allow fallback to plain DNS on timeout even
 3766 			when we know the server supports EDNS. [RT #37978]
 3767 
 3768 4018.	[placeholder]
 3769 
 3770 4017.	[test]		Add system test to check lookups to legacy servers
 3771 			with broken DNS behavior. [RT #37965]
 3772 
 3773 4016.	[bug]		Fix a dig segfault due to bad linked list usage.
 3774 			[RT #37591]
 3775 
 3776 4015.	[bug]		Nameservers that are skipped due to them being
 3777 			CNAMEs were not being logged. They are now logged
 3778 			to category 'cname' as per BIND 8. [RT #37935]
 3779 
 3780 4014.	[bug]		When including a master file origin_changed was
 3781 			not being properly set leading to a potentially
 3782 			spurious 'inherited owner' warning. [RT #37919]
 3783 
 3784 4013.	[func]		Add a new tcp-only option to server (config) /
 3785 			peer (struct) to use TCP transport to send
 3786 			queries (in place of UDP transport with a
 3787 			TCP fallback on truncated (TC set) response).
 3788 			[RT #37800]
 3789 
 3790 4012.	[cleanup]	Check returned status of OpenSSL digest and HMAC
 3791 			functions when they return one. Note this applies
 3792 			only to FIPS capable OpenSSL libraries put in
 3793 			FIPS mode and MD5. [RT #37944]
 3794 
 3795 4011.	[bug]		master's list port and dscp inheritance was not
 3796 			properly implemented. [RT #37792]
 3797 
 3798 4010.	[cleanup]	Clear the prefetchable state when initiating a
 3799 			prefetch. [RT #37399]
 3800 
 3801 4009.	[func]		delv: added a +tcp option. [RT #37855]
 3802 
 3803 4008.	[contrib]	Updated zkt to latest version (1.1.3). [RT #37886]
 3804 
 3805 4007.	[doc]		Remove acl forward reference restriction. [RT #37772]
 3806 
 3807 4006.	[security]	A flaw in delegation handling could be exploited
 3808 			to put named into an infinite loop.  This has
 3809 			been addressed by placing limits on the number
 3810 			of levels of recursion named will allow (default 7),
 3811 			and the number of iterative queries that it will
 3812 			send (default 50) before terminating a recursive
 3813 			query (CVE-2014-8500).
 3814 
 3815 			The recursion depth limit is configured via the
 3816 			"max-recursion-depth" option, and the query limit
 3817 			via the "max-recursion-queries" option.  [RT #37580]
 3818 
 3819 4005.	[func]		The buffer used for returning text from rndc
 3820 			commands is now dynamically resizable, allowing
 3821 			arbitrarily large amounts of text to be sent back
 3822 			to the client. (Prior to this change, it was
 3823 			possible for the output of "rndc tsig-list" to be
 3824 			truncated.) [RT #37731]
 3825 
 3826 4004.	[bug]		When delegations had AAAA glue but not A, a
 3827 			reference could be leaked causing an assertion
 3828 			failure on shutdown. [RT #37796]
 3829 
 3830 4003.	[security]	When geoip-directory was reconfigured during
 3831 			named run-time, the previously loaded GeoIP
 3832 			data could remain, potentially causing wrong
 3833 			ACLs to be used or wrong results to be served
 3834 			based on geolocation (CVE-2014-8680). [RT #37720]
 3835 
 3836 4002.	[security]	Lookups in GeoIP databases that were not
 3837 			loaded could cause an assertion failure
 3838 			(CVE-2014-8680). [RT #37679]
 3839 
 3840 4001.	[security]	The caching of GeoIP lookups did not always
 3841 			handle address families correctly, potentially
 3842 			resulting in an assertion failure (CVE-2014-8680).
 3843 			[RT #37672]
 3844 
 3845 4000.	[bug]		NXDOMAIN redirection incorrectly handled NXRRSET
 3846 			from the redirect zone. [RT #37722]
 3847 
 3848 3999.	[func]		"mkeys" and "nzf" files are now named after
 3849 			their corresponding views, unless the view name
 3850 			contains characters that would be incompatible
 3851 			with use in a filename (i.e., slash, backslash,
 3852 			or capital letters). If a view name does contain
 3853 			these characters, the files will still be named
 3854 			using a cryptographic hash of the view name.
 3855 			Regardless of this, if a file using the old name
 3856 			format is found to exist, it will continue to be
 3857 			used. [RT #37704]
 3858 
 3859 3998.	[bug]		isc_radix_search was returning matches that were
 3860 			too precise. [RT #37680]
 3861 
 3862 3997.	[protocol]	Add OPENGPGKEY record. [RT# 37671]
 3863 
 3864 3996.	[bug]		Address use after free on out of memory error in
 3865 			keyring_add. [RT #37639]
 3866 
 3867 3995.	[bug]		receive_secure_serial holds the zone lock for too
 3868 			long. [RT #37626]
 3869 
 3870 3994.	[func]		Dig now supports setting the last unassigned DNS
 3871 			header flag bit (dig +zflag). [RT #37421]
 3872 
 3873 3993.	[func]		Dig now supports EDNS negotiation by default.
 3874 			(dig +[no]ednsnegotiation).
 3875 
 3876 			Note:  This is disabled by default in BIND 9.10
 3877 			and enabled by default in BIND 9.11.  [RT #37604]
 3878 
 3879 3992.	[func]		DiG can now send queries without questions
 3880 			(dig +header-only). [RT #37599]
 3881 
 3882 3991.	[func]		Add the ability to buffer logging output by specifying
 3883 			"buffered yes;" when defining a channel. [RT #26561]
 3884 
 3885 3990.	[test]		Add tests for unknown DNSSEC algorithm handling.
 3886 			[RT #37541]
 3887 
 3888 3989.	[cleanup]	Remove redundant dns_db_resigned calls. [RT #35748]
 3889 
 3890 3988.	[func]		Allow the zone serial of a dynamically updatable
 3891 			zone to be updated via "rndc signing -serial".
 3892 			[RT #37404]
 3893 
 3894 3987.	[port]		Handle future Visual Studio 14 incompatible changes.
 3895 			[RT #37380]
 3896 
 3897 3986.	[doc]		Add the BIND version number to page footers
 3898 			in the ARM. [RT #37398]
 3899 
 3900 3985.	[doc]		Describe how +ndots and +search interact in dig.
 3901 			[RT #37529]
 3902 
 3903 3984.	[func]		Accept 256 byte long PINs in native PKCS#11
 3904 			crypto. [RT #37410]
 3905 
 3906 3983.	[bug]		Change #3940 was incomplete: negative trust anchors
 3907 			could be set to last up to a week, but the
 3908 			"nta-lifetime" and "nta-recheck" options were
 3909 			still limited to one day. [RT #37522]
 3910 
 3911 3982.	[doc]		Include release notes in product documentation.
 3912 			[RT #37272]
 3913 
 3914 3981.	[bug]		Cache DS/NXDOMAIN independently of other query types.
 3915 			[RT #37467]
 3916 
 3917 3980.	[bug]		Improve --with-tuning=large by self tuning of SO_RCVBUF
 3918 			size. [RT #37187]
 3919 
 3920 3979.	[bug]		Negative trust anchor fetches were not properly
 3921 			managed. [RT #37488]
 3922 
 3923 3978.	[test]		Added a unit test for Diffie-Hellman key
 3924 			computation, completing change #3974. [RT #37477]
 3925 
 3926 3977.	[cleanup]	"rndc secroots" reported a "not found" error when
 3927 			there were no negative trust anchors set. [RT #37506]
 3928 
 3929 3976.	[bug]		When refreshing managed-key trust anchors, clear
 3930 			any cached trust so that they will always be
 3931 			revalidated with the current set of secure
 3932 			roots. [RT #37506]
 3933 
 3934 3975.	[bug]		Don't populate or use the bad cache for queries that
 3935 			don't request or use recursion. [RT #37466]
 3936 
 3937 3974.	[bug]		Handle DH_compute_key() failure correctly in
 3938 			openssldh_link.c. [RT #37477]
 3939 
 3940 3973.	[test]		Added hooks for Google Performance Tools CPU profiler,
 3941 			including real-time/wall-clock profiling. Use
 3942 			"configure --with-gperftools-profiler" to enable.
 3943 			[RT #37339]
 3944 
 3945 3972.	[bug]		Fix host's usage statement. [RT #37397]
 3946 
 3947 3971.	[bug]		Reduce the cascading failures due to a bad $TTL line
 3948 			in named-checkconf / named-checkzone. [RT #37138]
 3949 
 3950 3970.	[contrib]	Fixed a use after free bug in the SDB LDAP driver.
 3951 			[RT #37237]
 3952 
 3953 3969.	[test]		Added 'delv' system test. [RT #36901]
 3954 
 3955 3968.	[bug]		Silence spurious log messages when using 'named -[46]'.
 3956 			[RT #37308]
 3957 
 3958 3967.	[test]		Add test for inlined signed zone in multiple views
 3959 			with different DNSKEY sets. [RT #35759]
 3960 
 3961 3966.	[bug]		Missing dns_db_closeversion call in receive_secure_db.
 3962 			[RT #35746]
 3963 
 3964 3965.	[func]		Log outgoing packets and improve packet logging to
 3965 			support logging the remote address. [RT #36624]
 3966 
 3967 3964.	[func]		nsupdate now performs check-names processing.
 3968 			[RT #36266]
 3969 
 3970 3963.	[test]		Added NXRRSET test cases to the "dlzexternal"
 3971 			system test. [RT #37344]
 3972 
 3973 3962.	[bug]		'dig +topdown +trace +sigchase' address unhandled error
 3974 			conditions. [RT #34663]
 3975 
 3976 3961.	[bug]		Forwarding of SIG(0) signed UPDATE messages failed with
 3977 			BADSIG.  [RT #37216]
 3978 
 3979 3960.	[bug]		'dig +sigchase' could loop forever. [RT #37220]
 3980 
 3981 3959.	[bug]		Updates could be lost if they arrived immediately
 3982 			after a rndc thaw. [RT #37233]
 3983 
 3984 3958.	[bug]		Detect when writeable files have multiple references
 3985 			in named.conf. [RT #37172]
 3986 
 3987 3957.	[bug]		"dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256
 3988 			and ECDSAP384SHA384. [RT #37183]
 3989 
 3990 3956.	[func]		Notify messages are now rate limited by notify-rate and
 3991 			startup-notify-rate instead of serial-query-rate.
 3992 			[RT #24454]
 3993 
 3994 3955.	[bug]		Notify messages due to changes are no longer queued
 3995 			behind startup notify messages. [RT #24454]
 3996 
 3997 3954.	[bug]		Unchecked mutex init in dlz_dlopen_driver.c [RT #37112]
 3998 
 3999 3953.	[bug]		Don't escape semi-colon in TXT fields. [RT #37159]
 4000 
 4001 3952.	[bug]		dns_name_fullcompare failed to set *nlabelsp when the
 4002 			two name pointers were the same. [RT #37176]
 4003 
 4004 3951.	[func]		Add the ability to set yet-to-be-defined EDNS flags
 4005 			to dig (+ednsflags=#). [RT #37142]
 4006 
 4007 3950.	[port]		Changed the bin/python Makefile to work around a
 4008 			bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993]
 4009 
 4010 3949.	[experimental]	Experimental support for draft-andrews-edns1 by sending
 4011 			EDNS(1) queries (define DRAFT_ANDREWS_EDNS1 when
 4012 			building).  Add support for limiting the EDNS version
 4013 			advertised to servers: server { edns-version 0; };
 4014 			Log the EDNS version received in the query log.
 4015 			[RT #35864]
 4016 
 4017 3948.	[port]		solaris: RCVBUFSIZE was too large on Solaris with
 4018 			--with-tuning=large. [RT #37059]
 4019 
 4020 3947.	[cleanup]	Set the executable bit on libraries when using
 4021 			libtool. [RT #36786]
 4022 
 4023 3946.	[cleanup]	Improved "configure" search for a python interpreter.
 4024 			[RT #36992]
 4025 
 4026 3945.	[bug]		Invalid wildcard expansions could be incorrectly
 4027 			accepted by the validator. [RT #37093]
 4028 
 4029 3944.	[test]		Added a regression test for "server-id". [RT #37057]
 4030 
 4031 3943.	[func]		SERVFAIL responses can now be cached for a
 4032 			limited time (configured by "servfail-ttl",
 4033 			default 10 seconds, limit 30). This can reduce
 4034 			the frequency of retries when an authoritative
 4035 			server is known to be failing, e.g., due to
 4036 			ongoing DNSSEC validation problems. [RT #21347]
 4037 
 4038 3942.	[bug]		Wildcard responses from a optout range should be
 4039 			marked as insecure. [RT #37072]
 4040 
 4041 3941.	[doc]		Include the BIND version number in the ARM. [RT #37067]
 4042 
 4043 3940.	[func]		"rndc nta" now allows negative trust anchors to be
 4044 			set for up to one week. [RT #37069]
 4045 
 4046 3939.	[func]		Improve UPDATE forwarding performance by allowing TCP
 4047 			connections to be shared. [RT #37039]
 4048 
 4049 3938.	[func]		Added quotas to be used in recursive resolvers
 4050 			that are under high query load for names in zones
 4051 			whose authoritative servers are nonresponsive or
 4052 			are experiencing a denial of service attack.
 4053 
 4054 			- "fetches-per-server" limits the number of
 4055 			  simultaneous queries that can be sent to any
 4056 			  single authoritative server.  The configured
 4057 			  value is a starting point; it is automatically
 4058 			  adjusted downward if the server is partially or
 4059 			  completely non-responsive. The algorithm used to
 4060 			  adjust the quota can be configured via the
 4061 			  "fetch-quota-params" option.
 4062 			- "fetches-per-zone" limits the number of
 4063 			  simultaneous queries that can be sent for names
 4064 			  within a single domain.  (Note: Unlike
 4065 			  "fetches-per-server", this value is not
 4066 			  self-tuning.)
 4067 			- New stats counters have been added to count
 4068 			  queries spilled due to these quotas.
 4069 
 4070 			See the ARM for details of these options. [RT #37125]
 4071 
 4072 3937.	[func]		Added some debug logging to better indicate the
 4073 			conditions causing SERVFAILs when resolving.
 4074 			[RT #35538]
 4075 
 4076 3936.	[func]		Added authoritative support for the EDNS Client
 4077 			Subnet (ECS) option.
 4078 
 4079 			ACLs can now include "ecs" elements which specify
 4080 			an address or network prefix; if an ECS option is
 4081 			included in a DNS query, then the address encoded
 4082 			in the option will be matched against "ecs" ACL
 4083 			elements.
 4084 
 4085 			Also, if an ECS address is included in a query,
 4086 			then it will be used instead of the client source
 4087 			address when matching "geoip" ACL elements.  This
 4088 			behavior can be overridden with "geoip-use-ecs no;".
 4089 			(Note: to enable "geoip" ACLs, use "configure
 4090 			--with-geoip". This requires libGeoIP version
 4091 			1.5.0 or higher.)
 4092 
 4093 			When "ecs" or "geoip" ACL elements are used to
 4094 			select a view for a query, the response will include
 4095 			an ECS option to indicate which client network the
 4096 			answer is valid for.
 4097 
 4098 			(Thanks to Vincent Bernat.) [RT #36781]
 4099 
 4100 3935.	[bug]		"geoip asnum" ACL elements would not match unless
 4101 			the full organization name was specified.  They
 4102 			can now match against the AS number alone (e.g.,
 4103 			AS1234). [RT #36945]
 4104 
 4105 3934.	[bug]		Catch bad 'sit-secret' in named-checkconf.  Improve
 4106 			sit-secret documentation. [RT #36980]
 4107 
 4108 3933.	[bug]		Corrected the implementation of dns_rdata_casecompare()
 4109 			for the HIP rdata type.  [RT #36911]
 4110 
 4111 3932.	[test]		Improved named-checkconf tests. [RT #36911]
 4112 
 4113 3931.	[cleanup]	Cleanup how dlz grammar is defined. [RT #36879]
 4114 
 4115 3930.	[bug]		"rndc nta -r" could cause a server hang if the
 4116 			NTA was not found. [RT #36909]
 4117 
 4118 3929.	[bug]		'host -a' needed to clear idnoptions. [RT #36963]
 4119 
 4120 3928.	[test]		Improve rndc system test. [RT #36898]
 4121 
 4122 3927.	[bug]		dig: report PKCS#11 error codes correctly when
 4123 			compiled with --enable-native-pkcs11. [RT #36956]
 4124 
 4125 3926.	[doc]		Added doc for geoip-directory. [RT #36877]
 4126 
 4127 3925.	[bug]		DS lookup of RFC 1918 empty zones failed. [RT #36917]
 4128 
 4129 3924.	[bug]		Improve 'rndc addzone' error reporting. [RT #35187]
 4130 
 4131 3923.	[bug]		Sanity check the xml2-config output. [RT #22246]
 4132 
 4133 3922.	[bug]		When resigning, dnssec-signzone was removing
 4134 			all signatures from delegation nodes. It now
 4135 			retains DS and (if applicable) NSEC signatures.
 4136 			[RT #36946]
 4137 
 4138 3921.	[bug]		AD was inappropriately set on RPZ responses. [RT #36833]
 4139 
 4140 3920.	[doc]		Added doc for masterfile-style. [RT #36823]
 4141 
 4142 3919.	[bug]		dig: continue to next line if a address lookup fails
 4143 			in batch mode. [RT #36755]
 4144 
 4145 3918.	[doc]		Update check-spf documentation. [RT #36910]
 4146 
 4147 3917.	[bug]		dig, nslookup and host now continue on names that are
 4148 			too long after applying a search list elements.
 4149 			[RT #36892]
 4150 
 4151 3916.	[contrib]	zone2sqlite checked wrong result code.  Address
 4152 			compiler warnings. [RT #36931]
 4153 
 4154 3915.	[bug]		Address a assertion if a route event arrived while
 4155 			shutting down. [RT #36887]
 4156 
 4157 3914.	[bug]		Allow the URI target and CAA value fields to
 4158 			be zero length. [RT #36737]
 4159 
 4160 3913.	[bug]		Address race issue in dispatch. [RT #36731]
 4161 
 4162 3912.	[bug]		Address some unrecoverable lookup failures. [RT #36330]
 4163 
 4164 3911.	[func]		Implement EDNS EXPIRE option client side, allowing
 4165 			a slave server to set the expiration timer correctly
 4166 			when transferring zone data from another slave
 4167 			server. [RT #35925]
 4168 
 4169 3910.	[bug]		Fix races to free event during shutdown. [RT #36720]
 4170 
 4171 3909.	[bug]		When computing the number of elements required for a
 4172 			acl count_acl_elements could have a short count leading
 4173 			to a assertion failure.  Also zero out new acl elements
 4174 			in dns_acl_merge.  [RT #36675]
 4175 
 4176 3908.	[bug]		rndc now differentiates between a zone in multiple
 4177 			views and a zone that doesn't exist at all. [RT #36691]
 4178 
 4179 3907.	[cleanup]	Alphabetize rndc help. [RT #36683]
 4180 
 4181 3906.	[protocol]	Update URI record format to comply with
 4182 			draft-faltstrom-uri-08. [RT #36642]
 4183 
 4184 3905.	[bug]		Address deadlock between view.c and adb.c. [RT #36341]
 4185 
 4186 3904.	[func]		Add the RPZ SOA to the additional section. [RT36507]
 4187 
 4188 3903.	[bug]		Improve the accuracy of DiG's reported round trip
 4189 			time. [RT 36611]
 4190 
 4191 3902.	[bug]		liblwres wasn't handling link-local addresses in
 4192 			nameserver clauses in resolv.conf. [RT #36039]
 4193 
 4194 3901.	[protocol]	Added support for CAA record type (RFC 6844).
 4195 			[RT #36625]
 4196 
 4197 3900.	[bug]		Fix a crash in PostgreSQL DLZ driver. [RT #36637]
 4198 
 4199 3899.	[bug]		"request-ixfr" is only applicable to slave and redirect
 4200 			zones. [RT #36608]
 4201 
 4202 3898.	[bug]		Too small a buffer in tohexstr() calls in test code.
 4203 			[RT #36598]
 4204 
 4205 3897.	[bug]		RPZ summary information was not properly being updated
 4206 			after a AXFR resulting in changes sometimes being
 4207 			ignored.  [RT #35885]
 4208 
 4209 3896.	[bug]		Address performance issues with DSCP code on some
 4210 			platforms. [RT #36534]
 4211 
 4212 3895.	[func]		Add the ability to set the DSCP code point to dig.
 4213 			[RT #36546]
 4214 
 4215 3894.	[bug]		Buffers in isc_print_vsnprintf were not properly
 4216 			initialized leading to potential overflows when
 4217 			printing out quad values. [RT #36505]
 4218 
 4219 3893.	[bug]		Peer DSCP values could be returned without being set.
 4220 			[RT #36538]
 4221 
 4222 3892.	[bug]		Setting '-t aaaa' in .digrc had unintended side
 4223 			effects. [RT #36452]
 4224 
 4225 3891.	[bug]		Use ${INSTALL_SCRIPT} rather than ${INSTALL_PROGRAM}
 4226 			to install python programs.
 4227 
 4228 3890.	[bug]		RRSIG sets that were not loaded in a single transaction
 4229 			at start up where not being correctly added to
 4230 			re-signing heaps.  [RT #36302]
 4231 
 4232 3889.	[port]		hurd: configure fixes as per:
 4233 			https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746540
 4234 
 4235 3888.	[func]		'rndc status' now reports the number of automatic
 4236 			zones. [RT #36015]
 4237 
 4238 3887.	[cleanup]	Make all static symbols in rbtdb64 end in "64" so
 4239 			they are easier to use in a debugger. [RT #36373]
 4240 
 4241 3886.	[bug]		rbtdb_write_header should use a once to initialize
 4242 			FILE_VERSION. [RT #36374]
 4243 
 4244 3885.	[port]		Use 'open()' rather than 'file()' to open files in
 4245 			python.
 4246 
 4247 3884.	[protocol]	Add CDS and CDNSKEY record types. [RT #36333]
 4248 
 4249 3883.	[placeholder]
 4250 
 4251 3882.	[func]		By default, negative trust anchors will be tested
 4252 			periodically to see whether data below them can be
 4253 			validated, and if so, they will be allowed to
 4254 			expire early. The "rndc nta -force" option
 4255 			overrides this behavior.  The default NTA lifetime
 4256 			and the recheck frequency can be configured by the
 4257 			"nta-lifetime" and "nta-recheck" options. [RT #36146]
 4258 
 4259 3881.	[bug]		Address memory leak with UPDATE error handling.
 4260 			[RT #36303]
 4261 
 4262 3880.	[test]		Update ans.pl to work with new TSIG support in
 4263 			Net::DNS; add additional Net::DNS version prerequisite
 4264 			checks. [RT #36327]
 4265 
 4266 3879.	[func]		Add version printing option to various BIND utilities.
 4267 			[RT #10686]
 4268 
 4269 3878.	[bug]		Using the incorrect filename for a DLZ module
 4270 			caused a segmentation fault on startup. [RT #36286]
 4271 
 4272 3877.	[bug]		Inserting and deleting parent and child nodes
 4273 			in response policy zones could trigger an assertion
 4274 			failure. [RT #36272]
 4275 
 4276 3876.	[bug]		Improve efficiency of DLZ redirect zones by
 4277 			suppressing unnecessary database lookups. [RT #35835]
 4278 
 4279 3875.	[cleanup]	Clarify log message when unable to read private
 4280 			key files. [RT #24702]
 4281 
 4282 3874.	[test]		Check that only "check-names master" is needed for
 4283 			updates to be accepted.
 4284 
 4285 3873.	[protocol]	Only warn for SPF without TXT spf record. [RT #36210]
 4286 
 4287 3872.	[bug]		Address issues found by static analysis. [RT #36209]
 4288 
 4289 3871.	[bug]		Don't publish an activated key automatically before
 4290 			its publish time. [RT #35063]
 4291 
 4292 3870.	[func]		Updated the random number generator used in
 4293 			the resolver to use the updated ChaCha based one
 4294 			(similar to OpenBSD's changes). Also moved the
 4295 			RNG to libisc and added unit tests for it.
 4296 			[RT #35942]
 4297 
 4298 3869.	[doc]		Document that in-view zones cannot be used for
 4299 			response policy zones. [RT #35941]
 4300 
 4301 3868.	[bug]		isc_mem_setwater incorrectly cleared hi_called
 4302 			potentially leaving over memory cleaner running.
 4303 			[RT #35270]
 4304 
 4305 3867.	[func]		"rndc nta" can now be used to set a temporary
 4306 			negative trust anchor, which disables DNSSEC
 4307 			validation below a specified name for a specified
 4308 			period of time (not exceeding 24 hours).  This
 4309 			can be used when validation for a domain is known
 4310 			to be failing due to a configuration error on
 4311 			the part of the domain owner rather than a
 4312 			spoofing attack. [RT #29358]
 4313 
 4314 3866.	[bug]		Named could die on disk full in generate_session_key.
 4315 			[RT #36119]
 4316 
 4317 3865.	[test]		Improved testability of the red-black tree
 4318 			implementation and added unit tests. [RT #35904]
 4319 
 4320 3864.	[bug]		RPZ didn't work well when being used as forwarder.
 4321 			[RT #36060]
 4322 
 4323 3863.	[bug]		The "E" flag was missing from the query log as a
 4324 			unintended side effect of code rearrangement to
 4325 			support EDNS EXPIRE. [RT #36117]
 4326 
 4327 3862.	[cleanup]	Return immediately if we are not going to log the
 4328 			message in ns_client_dumpmessage.
 4329 
 4330 3861.	[security]	Missing isc_buffer_availablelength check results
 4331 			in a REQUIRE assertion when printing out a packet
 4332 			(CVE-2014-3859).  [RT #36078]
 4333 
 4334 3860.	[bug]		ioctl(DP_POLL) array size needs to be determined
 4335 			at run time as it is limited to {OPEN_MAX}.
 4336 			[RT #35878]
 4337 
 4338 3859.	[placeholder]
 4339 
 4340 3858.	[bug]		Disable GCC 4.9 "delete null pointer check".
 4341 			[RT #35968]
 4342 
 4343 3857.	[bug]		Make it harder for a incorrect NOEDNS classification
 4344 			to be made. [RT #36020]
 4345 
 4346 3856.	[bug]		Configuring libjson without also configuring libxml
 4347 			resulted in a REQUIRE assertion when retrieving
 4348 			statistics using json. [RT #36009]
 4349 
 4350 3855.	[bug]		Limit smoothed round trip time aging to no more than
 4351 			once a second. [RT #32909]
 4352 
 4353 3854.	[cleanup]	Report unrecognized options, if any, in the final
 4354 			configure summary. [RT #36014]
 4355 
 4356 3853.	[cleanup]	Refactor dns_rdataslab_fromrdataset to separate out
 4357 			the handling of a rdataset with no records. [RT #35968]
 4358 
 4359 3852.	[func]		Increase the default number of clients available
 4360 			for servicing lightweight resolver queries, and
 4361 			make them configurable via the "lwres-tasks" and
 4362 			"lwres-clients" options.  (Thanks to Tomas Hozza.)
 4363 			[RT #35857]
 4364 
 4365 3851.	[func]		Allow libseccomp based system-call filtering
 4366 			on Linux; use "configure --enable-seccomp" to
 4367 			turn it on.  Thanks to Loganaden Velvindron
 4368 			of AFRINIC for the contribution. [RT #35347]
 4369 
 4370 3850.	[bug]		Disabling forwarding could trigger a REQUIRE assertion.
 4371 			[RT #35979]
 4372 
 4373 3849.	[doc]		Alphabetized dig's +options. [RT #35992]
 4374 
 4375 3848.	[bug]		Adjust 'statistics-channels specified but not effective'
 4376 			error message to account for JSON support. [RT #36008]
 4377 
 4378 3847.	[bug]		'configure --with-dlz-postgres' failed to fail when
 4379 			there is not support available.
 4380 
 4381 3846.	[bug]		"dig +notcp ixfr=<serial>" should result in a UDP
 4382 			ixfr query. [RT #35980]
 4383 
 4384 3845.	[placeholder]
 4385 
 4386 3844.	[bug]		Use the x64 version of the Microsoft Visual C++
 4387 			Redistributable when built for 64 bit Windows.
 4388 			[RT #35973]
 4389 
 4390 3843.	[protocol]	Check EDNS EXPIRE option in dns_rdata_fromwire.
 4391 			[RT #35969]
 4392 
 4393 3842.	[bug]		Adjust RRL log-only logging category. [RT #35945]
 4394 
 4395 3841.	[cleanup]	Refactor zone.c:add_opt to use dns_message_buildopt.
 4396 			[RT #35924]
 4397 
 4398 3840.	[port]		Check for arc4random_addrandom() before using it;
 4399 			it's been removed from OpenBSD 5.5. [RT #35907]
 4400 
 4401 3839.	[test]		Use only posix-compatible shell in system tests.
 4402 			[RT #35625]
 4403 
 4404 3838.	[protocol]	EDNS EXPIRE as been assigned a code point of 9.
 4405 
 4406 3837.	[security]	A NULL pointer is passed to query_prefetch resulting
 4407 			a REQUIRE assertion failure when a fetch is actually
 4408 			initiated (CVE-2014-3214).  [RT #35899]
 4409 
 4410 3836.	[bug]		Address C++ keyword usage in header file.
 4411 
 4412 3835.	[bug]		Geoip ACL elements didn't work correctly when
 4413 			referenced via named or nested ACLs. [RT #35879]
 4414 
 4415 3834.	[bug]		The re-signing heaps were not being updated soon enough
 4416 			leading to multiple re-generations of the same RRSIG
 4417 			when a zone transfer was in progress. [RT #35273]
 4418 
 4419 3833.	[bug]		Cross compiling was broken due to calling genrandom at
 4420 			build time. [RT #35869]
 4421 
 4422 3832.	[func]		"named -L <filename>" causes named to send log
 4423 			messages to the specified file by default instead
 4424 			of to the system log. (Thanks to Tony Finch.)
 4425 			[RT #35845]
 4426 
 4427 3831.	[cleanup]	Reduce logging noise when EDNS state changes occur.
 4428 			[RT #35843]
 4429 
 4430 3830.	[func]		When query logging is enabled, log query errors at
 4431 			the same level ('info') as the queries themselves.
 4432 			[RT #35844]
 4433 
 4434 3829.	[func]		"dig +ttlunits" causes dig to print TTL values
 4435 			with time-unit suffixes: w, d, h, m, s for
 4436 			weeks, days, hours, minutes, and seconds. (Thanks
 4437 			to Tony Finch.) [RT #35823]
 4438 
 4439 3828.	[func]		"dnssec-signzone -N date" updates serial number
 4440 			to the current date in YYYYMMDDNN format.
 4441 			[RT #35800]
 4442 
 4443 3827.	[placeholder]
 4444 
 4445 3826.	[bug]		Corrected bad INSIST logic in isc_radix_remove().
 4446 			[RT #35870]
 4447 
 4448 3825.	[bug]		Address sign extension bug in isc_regex_validate.
 4449 			[RT #35758]
 4450 
 4451 3824.	[bug]		A collision between two flag values could cause
 4452 			problems with cache cleaning when SIT was enabled.
 4453 			[RT #35858]
 4454 
 4455 3823.	[func]		Log the rpz cname target when rewriting. [RT #35667]
 4456 
 4457 3822.	[bug]		Log the correct type of static-stub zones when
 4458 			removing them. [RT #35842]
 4459 
 4460 3821.	[contrib]	Added a new "mysqldyn" DLZ module with dynamic
 4461 			update and transaction support. Thanks to Marty
 4462 			Lee for the contribution. [RT #35656]
 4463 
 4464 3820.	[func]		The DLZ API doesn't pass the database version to
 4465 			the lookup() function; this can cause DLZ modules
 4466 			that allow dynamic updates to mishandle prerequisite
 4467 			checks. This has been corrected by adding a
 4468 			'dbversion' field to the dns_clientinfo_t
 4469 			structure. [RT #35656]
 4470 
 4471 3819.	[bug]		NSEC3 hashes need to be able to be entered and
 4472 			displayed without padding.  This is not a issue for
 4473 			currently defined algorithms but may be for future
 4474 			hash algorithms. [RT #27925]
 4475 
 4476 3818.	[bug]		Stop lying to the optimizer that 'void *arg' is a
 4477 			constant in isc_event_allocate.
 4478 
 4479 3817.	[func]		The "delve" command is now spelled "delv" to avoid
 4480 			a namespace collision with the Xapian project.
 4481 			[RT #35801]
 4482 
 4483 3816.	[func]		"dig +qr" now reports query size. (Thanks to
 4484 			Tony Finch.) [RT #35822]
 4485 
 4486 3815.	[doc]		Clarify "nsupdate -y" usage in man page. [RT #35808]
 4487 
 4488 3814.	[func]		The "masterfile-style" zone option controls the
 4489 			formatting of dumped zone files. Options are
 4490 			"relative" (multiline format) and "full" (one
 4491 			record per line). The default is "relative".
 4492 			[RT #20798]
 4493 
 4494 3813.	[func]		"host" now recognizes the "timeout", "attempts" and
 4495 			"debug" options when set in /etc/resolv.conf.
 4496 			(Thanks to Adam Tkac at RedHat.) [RT #21885]
 4497 
 4498 3812.	[func]		Dig now supports sending arbitrary EDNS options from
 4499 			the command line (+ednsopt=code[:value]). [RT #35584]
 4500 
 4501 3811.	[func]		"serial-update-method date;" sets serial number
 4502 			on dynamic update to today's date in YYYYMMDDNN
 4503 			format. (Thanks to Bradley Forschinger.) [RT #24903]
 4504 
 4505 3810.	[bug]		Work around broken nameservers that fail to ignore
 4506 			unknown EDNS options. [RT #35766]
 4507 
 4508 3809.	[doc]		Fix SIT and NSID documentation.
 4509 
 4510 3808.	[doc]		Clean up "prefetch" documentation. [RT #35751]
 4511 
 4512 3807.	[bug]		Fix sign extension bug in dns_name_fromtext when
 4513 			lowercase is set. [RT #35743]
 4514 
 4515 3806.	[test]		Improved system test portability. [RT #35625]
 4516 
 4517 3805.	[contrib]	Added contrib/perftcpdns, a performance testing tool
 4518 			for DNS over TCP. [RT #35710]
 4519 
 4520 	--- 9.10.0rc1 released ---
 4521 
 4522 3804.	[bug]		Corrected a race condition in dispatch.c in which
 4523 			portentry could be reset leading to an assertion
 4524 			failure in socket_search(). (Change #3708
 4525 			addressed the same issue but was incomplete.)
 4526 			[RT #35128]
 4527 
 4528 3803.	[bug]		"named-checkconf -z" incorrectly rejected zones
 4529 			using alternate data sources for not having a "file"
 4530 			option. [RT #35685]
 4531 
 4532 3802.	[bug]		Various header files were not being installed.
 4533 
 4534 3801.	[port]		Fix probing for gssapi support on FreeBSD. [RT #35615]
 4535 
 4536 3800.	[bug]		A pending event on the route socket could cause an
 4537 			assertion failure when shutting down named. [RT #35674]
 4538 
 4539 3799.	[bug]		Improve named's command line error reporting.
 4540 			[RT #35603]
 4541 
 4542 3798.	[bug]		'rndc zonestatus' was reporting the wrong re-signing
 4543 			time. [RT #35659]
 4544 
 4545 3797.	[port]		netbsd: geoip support probing was broken. [RT #35642]
 4546 
 4547 3796.	[bug]		Register dns and pkcs#11 error codes. [RT #35629]
 4548 
 4549 3795.	[bug]		Make named-checkconf detect raw masterfiles for
 4550 			hint zones and reject them. [RT #35268]
 4551 
 4552 3794.	[maint]		Added AAAA for C.ROOT-SERVERS.NET.
 4553 
 4554 3793.	[bug]		zone.c:save_nsec3param() could assert when out of
 4555 			memory. [RT #35621]
 4556 
 4557 3792.	[func]		Provide links to the alternate statistics views when
 4558 			displaying in a browser.  [RT #35605]
 4559 
 4560 3791.	[placeholder]
 4561 
 4562 3790.	[bug]		Handle broken nameservers that send BADVERS in
 4563 			response to unknown EDNS options.  Maintain
 4564 			statistics on BADVERS responses.
 4565 
 4566 3789.	[bug]		Null pointer dereference on rbt creation failure.
 4567 
 4568 3788.	[bug]		dns_peer_getrequestsit was returning request_nsid by
 4569 			mistake.
 4570 
 4571 	--- 9.10.0b2 released ---
 4572 
 4573 3787.	[bug]		The code that checks whether "auto-dnssec" is
 4574 			allowed was ignoring "allow-update" ACLs set at
 4575 			the options or view level. [RT #29536]
 4576 
 4577 3786.	[func]		Provide more detailed error codes when using
 4578 			native PKCS#11. "pkcs11-tokens" now fails robustly
 4579 			rather than asserting when run against an HSM with
 4580 			an incomplete PKCS#11 API implementation. [RT #35479]
 4581 
 4582 3785.	[bug]		Debugging code dumphex didn't accept arbitrarily long
 4583 			input (only compiled with -DDEBUG). [RT #35544]
 4584 
 4585 3784.	[bug]		Using "rrset-order fixed" when it had not been
 4586 			enabled at compile time caused inconsistent
 4587 			results. It now works as documented, defaulting
 4588 			to cyclic mode. [RT #28104]
 4589 
 4590 3783.	[func]		"tsig-keygen" is now available as an alternate
 4591 			command name for "ddns-confgen".  It generates
 4592 			a TSIG key in named.conf format without comments.
 4593 			[RT #35503]
 4594 
 4595 3782.	[func]		Specifying "auto" as the salt when using
 4596 			"rndc signing -nsec3param" causes named to
 4597 			generate a 64-bit salt at random. [RT #35322]
 4598 
 4599 3781.	[tuning]	Use adaptive mutex locks when available; this
 4600 			has been found to improve performance under load
 4601 			on many systems. "configure --with-locktype=standard"
 4602 			restores conventional mutex locks. [RT #32576]
 4603 
 4604 3780.	[bug]		$GENERATE handled negative numbers incorrectly.
 4605 			[RT #25528]
 4606 
 4607 3779.	[cleanup]	Clarify the error message when using an option
 4608 			that was not enabled at compile time. [RT #35504]
 4609 
 4610 3778.	[bug]		Log a warning when the wrong address family is
 4611 			used in "listen-on" or "listen-on-v6". [RT #17848]
 4612 
 4613 3777.	[bug]		EDNS EXPIRE code could dump core when processing
 4614 			DLZ queries. [RT #35493]
 4615 
 4616 3776.	[func]		"rndc -q" suppresses output from successful
 4617 			rndc commands. Errors are printed on stderr.
 4618 			[RT #21393]
 4619 
 4620 3775.	[bug]		dlz_dlopen driver could return the wrong error
 4621 			code on API version mismatch, leading to a segfault.
 4622 			[RT #35495]
 4623 
 4624 3774.	[func]		When using "request-nsid", log the NSID value in
 4625 			printable form as well as hex. [RT #20864]
 4626 
 4627 3773.	[func]		"host", "nslookup" and "nsupdate" now have
 4628 			options to print the version number and exit.
 4629 			[RT #26057]
 4630 
 4631 3772.	[contrib]	Added sqlite3 dynamically-loadable DLZ module.
 4632 			(Based in part on a contribution from Tim Tessier.)
 4633 			[RT #20822]
 4634 
 4635 3771.	[cleanup]	Adjusted log level for "using built-in key"
 4636 			messages. [RT #24383]
 4637 
 4638 3770.	[bug]		"dig +trace" could fail with an assertion when it
 4639 			needed to fall back to TCP due to a truncated
 4640 			response. [RT #24660]
 4641 
 4642 3769.	[doc]		Improved documentation of "rndc signing -list".
 4643 			[RT #30652]
 4644 
 4645 3768.	[bug]		"dnssec-checkds" was missing the SHA-384 digest
 4646 			algorithm. [RT #34000]
 4647 
 4648 3767.	[func]		Log explicitly when using rndc.key to configure
 4649 			command channel. [RT #35316]
 4650 
 4651 3766.	[cleanup]	Fixed problems with building outside the source
 4652 			tree when using native PKCS#11. [RT #35459]
 4653 
 4654 3765.	[bug]		Fixed a bug in "rndc secroots" that could crash
 4655 			named when dumping an empty keynode. [RT #35469]
 4656 
 4657 3764.	[bug]		The dnssec-keygen/settime -S and -i options
 4658 			(to set up a successor key and set the prepublication
 4659 			interval) were missing from dnssec-keyfromlabel.
 4660 			[RT #35394]
 4661 
 4662 3763.	[bug]		delve: Cache DNSSEC records to avoid the need to
 4663 			re-fetch them when restarting validation. [RT #35476]
 4664 
 4665 3762.	[bug]		Address build problems with --pkcs11-native +
 4666 			--with-openssl with ECDSA support. [RT #35467]
 4667 
 4668 3761.	[bug]		Address dangling reference bug in dns_keytable_add.
 4669 			[RT #35471]
 4670 
 4671 3760.	[bug]		Improve SIT with native PKCS#11 and on Windows.
 4672 			[RT #35433]
 4673 
 4674 3759.	[port]		Enable delve on Windows. [RT #35441]
 4675 
 4676 3758.	[port]		Enable export library APIs on Windows. [RT #35382]
 4677 
 4678 3757.	[port]		Enable Python tools (dnssec-coverage,
 4679 			dnssec-checkds) to run on Windows. [RT #34355]
 4680 
 4681 3756.	[bug]		GSSAPI Kerberos realm checking was broken in
 4682 			check_config leading to spurious messages being
 4683 			logged.  [RT #35443]
 4684 
 4685 	--- 9.10.0b1 released ---
 4686 
 4687 3755.	[func]		Add stats counters for known EDNS options + others.
 4688 			[RT #35447]
 4689 
 4690 3754.	[cleanup]	win32: Installer now places files in the
 4691 			Program Files area rather than system services.
 4692 			[RT #35361]
 4693 
 4694 3753.	[bug]		allow-notify was ignoring keys. [RT #35425]
 4695 
 4696 3752.	[bug]		Address potential REQUIRE failure if
 4697 			DNS_STYLEFLAG_COMMENTDATA is set when printing out
 4698 			a rdataset.
 4699 
 4700 3751.	[tuning]	The default setting for the -U option (setting
 4701 			the number of UDP listeners per interface) has
 4702 			been adjusted to improve performance. [RT #35417]
 4703 
 4704 3750.	[experimental]	Partially implement EDNS EXPIRE option as described
 4705 			in draft-andrews-dnsext-expire-00.  Retrieval of
 4706 			the remaining time until expiry for slave zones
 4707 			is supported.
 4708 
 4709 			EXPIRE uses an experimental option code (65002),
 4710 			which is subject to change. [RT #35416]
 4711 
 4712 3749.	[func]		"dig +subnet" sends an EDNS client subnet option
 4713 			containing the specified address/prefix when
 4714 			querying. (Thanks to Wilmer van der Gaast.)
 4715 			[RT #35415]
 4716 
 4717 3748.	[test]		Use delve to test dns_client interfaces. [RT #35383]
 4718 
 4719 3747.	[bug]		A race condition could lead to a core dump when
 4720 			destroying a resolver fetch object. [RT #35385]
 4721 
 4722 3746.	[func]		New "max-zone-ttl" option enforces maximum
 4723 			TTLs for zones. If loading a zone containing a
 4724 			higher TTL, the load fails. DDNS updates with
 4725 			higher TTLs are accepted but the TTL is truncated.
 4726 			(Note: Currently supported for master zones only;
 4727 			inline-signing slaves will be added.) [RT #38405]
 4728 
 4729 3745.	[func]		"configure --with-tuning=large" adjusts various
 4730 			compiled-in constants and default settings to
 4731 			values suited to large servers with abundant
 4732 			memory. [RT #29538]
 4733 
 4734 3744.	[experimental]	SIT: send and process Source Identity Tokens
 4735 			(similar to DNS Cookies by Donald Eastlake 3rd),
 4736 			which are designed to help clients detect off-path
 4737 			spoofed responses and for servers to identify
 4738 			legitimate clients.
 4739 
 4740 			SIT uses an experimental EDNS option code (65001),
 4741 			which will be changed to an IANA-assigned value
 4742 			if the experiment is deemed a success.
 4743 
 4744 			SIT can be enabled via "configure --enable-sit" (or
 4745 			--enable-developer). It is enabled by default in
 4746 			Windows.
 4747 
 4748 			Servers can be configured to send smaller responses
 4749 			to clients that have not identified themselves via
 4750 			SIT.  RRL processing has also been updated;
 4751 			legitimate clients are not subject to rate
 4752 			limiting. [RT #35389]
 4753 
 4754 3743.	[bug]		delegation-only flag wasn't working in forward zone
 4755 			declarations despite being documented.  This is
 4756 			needed to support turning off forwarding and turning
 4757 			on delegation only at the same name.  [RT #35392]
 4758 
 4759 3742.	[port]		linux: libcap support: declare curval at start of
 4760 			block. [RT #35387]
 4761 
 4762 3741.	[func]		"delve" (domain entity lookup and validation engine):
 4763 			A new tool with dig-like semantics for performing DNS
 4764 			lookups, with internal DNSSEC validation, using the
 4765 			same resolver and validator logic as named. This
 4766 			allows easy validation of DNSSEC data in environments
 4767 			with untrustworthy resolvers, and assists with
 4768 			troubleshooting of DNSSEC problems. [RT #32406]
 4769 
 4770 3740.	[contrib]	Minor fixes to configure --with-dlz-bdb,
 4771 			--with-dlz-postgres and --with-dlz-odbc. [RT #35340]
 4772 
 4773 3739.	[func]		Added per-zone stats counters to track TCP and
 4774 			UDP queries. [RT #35375]
 4775 
 4776 3738.	[bug]		--enable-openssl-hash failed to build. [RT #35343]
 4777 
 4778 3737.	[bug]		'rndc retransfer' could trigger a assertion failure
 4779 			with inline zones. [RT #35353]
 4780 
 4781 3736.	[bug]		nsupdate: When specifying a server by name,
 4782 			fall back to alternate addresses if the first
 4783 			address for that name is not reachable. [RT #25784]
 4784 
 4785 3735.	[cleanup]	Merged the libiscpk11 library into libisc
 4786 			to simplify dependencies. [RT #35205]
 4787 
 4788 3734.	[bug]		Improve building with libtool. [RT #35314]
 4789 
 4790 3733.	[func]		Improve interface scanning support.  Interface
 4791 			information will be automatically updated if the
 4792 			OS supports routing sockets (MacOS, *BSD, Linux).
 4793 			Use "automatic-interface-scan no;" to disable.
 4794 
 4795 			Add "rndc scan" to trigger a scan. [RT #23027]
 4796 
 4797 3732.	[contrib]	Fixed a type mismatch causing the ODBC DLZ
 4798 			driver to dump core on 64-bit systems. [RT #35324]
 4799 
 4800 3731.	[func]		Added a "no-case-compress" ACL, which causes
 4801 			named to use case-insensitive compression
 4802 			(disabling change #3645) for specified
 4803 			clients. (This is useful when dealing
 4804 			with broken client implementations that
 4805 			use case-sensitive name comparisons,
 4806 			rejecting responses that fail to match the
 4807 			capitalization of the query that was sent.)
 4808 			[RT #35300]
 4809 
 4810 3730.	[cleanup]	Added "never" as a synonym for "none" when
 4811 			configuring key event dates in the dnssec tools.
 4812 			[RT #35277]
 4813 
 4814 3729.	[bug]		dnssec-keygen could set the publication date
 4815 			incorrectly when only the activation date was
 4816 			specified on the command line. [RT #35278]
 4817 
 4818 3728.	[doc]		Expanded native-PKCS#11 documentation,
 4819 			specifically pkcs11: URI labels. [RT #35287]
 4820 
 4821 3727.	[func]		The isc_bitstring API is no longer used and
 4822 			has been removed from libisc. [RT #35284]
 4823 
 4824 3726.	[cleanup]	Clarified the error message when attempting
 4825 			to configure more than 32 response-policy zones.
 4826 			[RT #35283]
 4827 
 4828 3725.	[contrib]	Updated zkt and nslint to newest versions,
 4829 			cleaned up and rearranged the contrib
 4830 			directory, and added a README.
 4831 
 4832 	--- 9.10.0a2 released ---
 4833 
 4834 3724.	[bug]		win32: Fixed a bug that prevented dig and
 4835 			host from exiting properly after completing
 4836 			a UDP query. [RT #35288]
 4837 
 4838 3723.	[cleanup]	Imported keys are now handled the same way
 4839 			regardless of DNSSEC algorithm. [RT #35215]
 4840 
 4841 3722.	[bug]		Using geoip ACLs in a blackhole statement
 4842 			could cause a segfault. [RT #35272]
 4843 
 4844 3721.	[doc]		Improved documentation of the EDNS processing
 4845 			enhancements introduced in change #3593. [RT #35275]
 4846 
 4847 3720.	[bug]		Address compiler warnings. [RT #35261]
 4848 
 4849 3719.	[bug]		Address memory leak in in peer.c. [RT #35255]
 4850 
 4851 3718.	[bug]		A missing ISC_LINK_INIT in log.c. [RT #35260]
 4852 
 4853 3717.	[port]		hpux: Treat EOPNOTSUPP as a expected error code when
 4854 			probing to see if it is possible to set dscp values
 4855 			on a per packet basis. [RT #35252]
 4856 
 4857 3716.	[bug]		The dns_request code was setting dcsp values when not
 4858 			requested.  [RT #35252]
 4859 
 4860 3715.	[bug]		The region and city databases could fail to
 4861 			initialize when using some versions of libGeoIP,
 4862 			causing assertion failures when named was
 4863 			configured to use them. [RT #35427]
 4864 
 4865 3714.	[test]		System tests that need to test for cryptography
 4866 			support before running can now use a common
 4867 			"testcrypto.sh" script to do so. [RT #35213]
 4868 
 4869 3713.	[bug]		Save memory by not storing "also-notify" addresses
 4870 			in zone objects that are configured not to send
 4871 			notify requests. [RT #35195]
 4872 
 4873 3712.	[placeholder]
 4874 
 4875 3711.	[placeholder]
 4876 
 4877 3710.	[bug]		Address double dns_zone_detach when switching to
 4878 			using automatic empty zones from regular zones.
 4879 			[RT #35177]
 4880 
 4881 3709.	[port]		Use built-in versions of strptime() and timegm()
 4882 			on all platforms to avoid portability issues.
 4883 			[RT #35183]
 4884 
 4885 3708.	[bug]		Address a portentry locking issue in dispatch.c.
 4886 			[RT #35128]
 4887 
 4888 3707.	[bug]		irs_resconf_load now returns ISC_R_FILENOTFOUND
 4889 			on a missing resolv.conf file and initializes the
 4890 			structure as if it had been configured with:
 4891 
 4892 				nameserver ::1
 4893 				nameserver 127.0.0.1
 4894 
 4895 			Note: Callers will need to be updated to treat
 4896 			ISC_R_FILENOTFOUND as a qualified success or else
 4897 			they will leak memory. The following code fragment
 4898 			will work with both old and new versions without
 4899 			changing the behaviour of the existing code.
 4900 
 4901 			resconf = NULL;
 4902 			result = irs_resconf_load(mctx, "/etc/resolv.conf",
 4903 						  &resconf);
 4904 			if (result != ISC_SUCCESS) {
 4905 				if (resconf != NULL)
 4906 					irs_resconf_destroy(&resconf);
 4907 				....
 4908 			}
 4909 
 4910 			[RT #35194]
 4911 
 4912 3706.	[contrib]	queryperf: Fixed a possible integer overflow when
 4913 			printing results. [RT #35182]
 4914 
 4915 3705.	[func]		"configure --enable-native-pkcs11" enables BIND
 4916 			to use the PKCS#11 API for all cryptographic
 4917 			functions, so that it can drive a hardware service
 4918 			module directly without the need to use a modified
 4919 			OpenSSL as intermediary (so long as the HSM's vendor
 4920 			provides a complete-enough implementation of the
 4921 			PKCS#11 interface). This has been tested successfully
 4922 			with the Thales nShield HSM and with SoftHSMv2 from
 4923 			the OpenDNSSEC project. [RT #29031]
 4924 
 4925 3704.	[protocol]	Accept integer timestamps in RRSIG records. [RT #35185]
 4926 
 4927 3703.	[func]		To improve recursive resolver performance, cache
 4928 			records which are still being requested by clients
 4929 			can now be automatically refreshed from the
 4930 			authoritative server before they expire, reducing
 4931 			or eliminating the time window in which no answer
 4932 			is available in the cache. See the "prefetch" option
 4933 			for more details. [RT #35041]
 4934 
 4935 3702.	[func]		'dnssec-coverage -l' option specifies a length
 4936 			of time to check for coverage; events further into
 4937 			the future are ignored.  'dnssec-coverage -z'
 4938 			checks only ZSK events, and 'dnssec-coverage -k'
 4939 			checks only KSK events.  (Thanks to Peter Palfrader.)
 4940 			[RT #35168]
 4941 
 4942 3701.	[func]		named-checkconf can now obscure shared secrets
 4943 			when printing by specifying '-x'. [RT #34465]
 4944 
 4945 3700.	[func]		Allow access to subgroups of XML statistics via
 4946 			special URLs http://<server>:<port>/xml/v3/server,
 4947 			/zones, /net, /tasks, /mem, and /status.  [RT #35115]
 4948 
 4949 3699.	[bug]		Improvements to statistics channel XSL stylesheet:
 4950 			the stylesheet can now be cached by the browser;
 4951 			section headers are omitted from the stats display
 4952 			when there is no data in those sections to be
 4953 			displayed; counters are now right-justified for
 4954 			easier readability. [RT #35117]
 4955 
 4956 3698.	[cleanup]	Replaced all uses of memcpy() with memmove().
 4957 			[RT #35120]
 4958 
 4959 3697.	[bug]		Handle "." as a search list element when IDN support
 4960 			is enabled. [RT #35133]
 4961 
 4962 3696.	[bug]		dig failed to handle AXFR style IXFR responses which
 4963 			span multiple messages. [RT #35137]
 4964 
 4965 3695.	[bug]		Address a possible race in dispatch.c. [RT #35107]
 4966 
 4967 3694.	[bug]		Warn when a key-directory is configured for a zone,
 4968 			but does not exist or is not a directory. [RT #35108]
 4969 
 4970 3693.	[security]	memcpy was incorrectly called with overlapping
 4971 			ranges resulting in malformed names being generated
 4972 			on some platforms.  This could cause INSIST failures
 4973 			when serving NSEC3 signed zones (CVE-2014-0591).
 4974 			[RT #35120]
 4975 
 4976 3692.	[bug]		Two calls to dns_db_getoriginnode were fatal if there
 4977 			was no data at the node. [RT #35080]
 4978 
 4979 3691.	[contrib]	Address null pointer dereference in LDAP and
 4980 			MySQL DLZ modules.
 4981 
 4982 3690.	[bug]		Iterative responses could be missed when the source
 4983 			port for an upstream query was the same as the
 4984 			listener port (53). [RT #34925]
 4985 
 4986 3689.	[bug]		Fixed a bug causing an insecure delegation from one
 4987 			static-stub zone to another to fail with a broken
 4988 			trust chain. [RT #35081]
 4989 
 4990 3688.	[bug]		loadnode could return a freed node on out of memory.
 4991 			[RT #35106]
 4992 
 4993 3687.	[bug]		Address null pointer dereference in zone_xfrdone.
 4994 			[RT #35042]
 4995 
 4996 3686.	[func]		"dnssec-signzone -Q" drops signatures from keys
 4997 			that are still published but no longer active.
 4998 			[RT #34990]
 4999 
 5000 3685.	[bug]		"rndc refresh" didn't work correctly with slave
 5001 			zones using inline-signing. [RT #35105]
 5002 
 5003 3684.	[bug]		The list of included files would grow on reload.
 5004 			[RT 35090]
 5005 
 5006 3683.	[cleanup]	Add a more detailed "not found" message to rndc
 5007 			commands which specify a zone name. [RT #35059]
 5008 
 5009 3682.	[bug]		Correct the behavior of rndc retransfer to allow
 5010 			inline-signing slave zones to retain NSEC3 parameters
 5011 			instead of reverting to NSEC. [RT #34745]
 5012 
 5013 3681.	[port]		Update the Windows build system to support feature
 5014 			selection and WIN64 builds.  This is a work in
 5015 			progress. [RT #34160]
 5016 
 5017 3680.	[bug]		Ensure buffer space is available in "rndc zonestatus".
 5018 			[RT #35084]
 5019 
 5020 3679.	[bug]		dig could fail to clean up TCP sockets still
 5021 			waiting on connect(). [RT #35074]
 5022 
 5023 3678.	[port]		Update config.guess and config.sub. [RT #35060]
 5024 
 5025 3677.	[bug]		'nsupdate' leaked memory if 'realm' was used multiple
 5026 			times.  [RT #35073]
 5027 
 5028 3676.	[bug]		"named-checkconf -z" now checks zones of type
 5029 			hint and redirect as well as master. [RT #35046]
 5030 
 5031 3675.	[misc]		Provide a place for third parties to add version
 5032 			information for their extensions in the version
 5033 			file by setting the EXTENSIONS variable.
 5034 
 5035 	--- 9.10.0a1 released ---
 5036 
 5037 3674.	[bug]		RPZ zeroed ttls if the query type was '*'. [RT #35026]
 5038 
 5039 3673.	[func]		New "in-view" zone option allows direct sharing
 5040 			of zones between views. [RT #32968]
 5041 
 5042 3672.	[func]		Local address can now be specified when using
 5043 			dns_client API. [RT #34811]
 5044 
 5045 3671.	[bug]		Don't allow dnssec-importkey overwrite a existing
 5046 			non-imported private key.
 5047 
 5048 3670.	[bug]		Address read after free in server side of
 5049 			lwres_getrrsetbyname. [RT #29075]
 5050 
 5051 3669.	[port]		freebsd: --with-gssapi needs -lhx509. [RT #35001]
 5052 
 5053 3668.	[bug]		Fix cast in lex.c which could see 0xff treated as eof.
 5054 			[RT #34993]
 5055 
 5056 3667.	[test]		dig: add support to keep the TCP socket open between
 5057 			successive queries (+[no]keepopen).  [RT #34918]
 5058 
 5059 3666.	[func]		Add a tool, named-rrchecker, for checking the syntax
 5060 			of individual resource records.  This tool is intended
 5061 			to be called by provisioning systems so that the front
 5062 			end does not need to be upgraded to support new DNS
 5063 			record types. [RT #34778]
 5064 
 5065 3665.	[bug]		Failure to release lock on error in receive_secure_db.
 5066 			[RT #34944]
 5067 
 5068 3664.	[bug]		Updated OpenSSL PKCS#11 patches to fix active list
 5069 			locking and other bugs. [RT #34855]
 5070 
 5071 3663.	[bug]		Address bugs in dns_rdata_fromstruct and
 5072 			dns_rdata_tostruct for WKS and ISDN types. [RT #34910]
 5073 
 5074 3662.	[bug]		'host' could die if a UDP query timed out. [RT #34870]
 5075 
 5076 3661.	[bug]		Address lock order reversal deadlock with inline zones.
 5077 			[RT #34856]
 5078 
 5079 3660.	[cleanup]	Changed the name of "isc-config.sh" to "bind9-config".
 5080 			[RT #23825]
 5081 
 5082 3659.	[port]		solaris: don't add explicit dependencies/rules for
 5083 			python programs as make won't use the implicit rules.
 5084 			[RT #34835]
 5085 
 5086 3658.	[port]		linux: Address platform specific compilation issue
 5087 			when libcap-devel is installed. [RT #34838]
 5088 
 5089 3657.	[port]		Some readline clones don't accept NULL pointers when
 5090 			calling add_history. [RT #34842]
 5091 
 5092 3656.	[security]	Treat an all zero netmask as invalid when generating
 5093 			the localnets acl. (The prior behavior could
 5094 			allow unexpected matches when using some versions
 5095 			of Winsock: CVE-2013-6320.) [RT #34687]
 5096 
 5097 3655.	[cleanup]	Simplify TCP message processing when requesting a
 5098 			zone transfer.  [RT #34825]
 5099 
 5100 3654.	[bug]		Address race condition with manual notify requests.
 5101 			[RT #34806]
 5102 
 5103 3653.	[func]		Create delegations for all "children" of empty zones
 5104 			except "forward first". [RT #34826]
 5105 
 5106 3652.	[bug]		Address bug with rpz-drop policy. [RT #34816]
 5107 
 5108 3651.	[tuning]	Adjust when a master server is deemed unreachable.
 5109 			[RT #27075]
 5110 
 5111 3650.	[tuning]	Use separate rate limiting queues for refresh and
 5112 			notify requests. [RT #30589]
 5113 
 5114 3649.	[cleanup]	Include a comment in .nzf files, giving the name of
 5115 			the associated view. [RT #34765]
 5116 
 5117 3648.	[test]		Updated the ATF test framework to version 0.17.
 5118 			[RT #25627]
 5119 
 5120 3647.	[bug]		Address a race condition when shutting down a zone.
 5121 			[RT #34750]
 5122 
 5123 3646.	[bug]		Journal filename string could be set incorrectly,
 5124 			causing garbage in log messages. [RT #34738]
 5125 
 5126 3645.	[protocol]	Use case sensitive compression when responding to
 5127 			queries. [RT #34737]
 5128 
 5129 3644.	[protocol]	Check that EDNS subnet client options are well formed.
 5130 			[RT #34718]
 5131 
 5132 3643.	[doc]		Clarify RRL "slip" documentation.
 5133 
 5134 3642.	[func]		Allow externally generated DNSKEY to be imported
 5135 			into the DNSKEY management framework.  A new tool
 5136 			dnssec-importkey is used to do this. [RT #34698]
 5137 
 5138 3641.	[bug]		Handle changes to sig-validity-interval settings
 5139 			better. [RT #34625]
 5140 
 5141 3640.	[bug]		ndots was not being checked when searching.  Only
 5142 			continue searching on NXDOMAIN responses.  Add the
 5143 			ability to specify ndots to nslookup. [RT #34711]
 5144 
 5145 3639.	[bug]		Treat type 65533 (KEYDATA) as opaque except when used
 5146 			in a key zone. [RT #34238]
 5147 
 5148 3638.	[cleanup]	Add the ability to handle ENOPROTOOPT in case it is
 5149 			encountered. [RT #34668]
 5150 
 5151 3637.	[bug]		'allow-query-on' was checking the source address
 5152 			rather than the destination address. [RT #34590]
 5153 
 5154 3636.	[bug]		Automatic empty zones now behave better with
 5155 			forward only "zones" beneath them. [RT #34583]
 5156 
 5157 3635.	[bug]		Signatures were not being removed from a zone with
 5158 			only KSK keys for a algorithm. [RT #34439]
 5159 
 5160 3634.	[func]		Report build-id in rndc status. Report build-id
 5161 			when building from a git repository. [RT #20422]
 5162 
 5163 3633.	[cleanup]	Refactor OPT processing in named to make it easier
 5164 			to support new EDNS options. [RT #34414]
 5165 
 5166 3632.	[bug]		Signature from newly inactive keys were not being
 5167 			removed. [RT #32178]
 5168 
 5169 3631.	[bug]		Remove spurious warning about missing signatures when
 5170 			qtype is SIG. [RT #34600]
 5171 
 5172 3630.	[bug]		Ensure correct ID computation for MD5 keys. [RT #33033]
 5173 
 5174 3629.	[func]		Allow the printing of cryptographic fields in DNSSEC
 5175 			records by dig to be suppressed (dig +nocrypto).
 5176 			[RT #34534]
 5177 
 5178 3628.	[func]		Report DNSKEY key id's when dumping the cache.
 5179 			[RT #34533]
 5180 
 5181 3627.	[bug]		RPZ changes were not effective on slaves. [RT #34450]
 5182 
 5183 3626.	[func]		dig: NSID output now easier to read. [RT #21160]
 5184 
 5185 3625.	[bug]		Don't send notify messages to machines outside of the
 5186 			test setup.
 5187 
 5188 3624.	[bug]		Look for 'json_object_new_int64' when looking for a
 5189 			the json library. [RT #34449]
 5190 
 5191 3623.	[placeholder]
 5192 
 5193 3622.	[tuning]	Eliminate an unnecessary lock when incrementing
 5194 			cache statistics. [RT #34339]
 5195 
 5196 3621.	[security]	Incorrect bounds checking on private type 'keydata'
 5197 			can lead to a remotely triggerable REQUIRE failure
 5198 			(CVE-2013-4854). [RT #34238]
 5199 
 5200 3620.	[func]		Added "rpz-client-ip" policy triggers, enabling
 5201 			RPZ responses to be configured on the basis of
 5202 			the client IP address; this can be used, for
 5203 			example, to blacklist misbehaving recursive
 5204 			or stub resolvers. [RT #33605]
 5205 
 5206 3619.	[bug]		Fixed a bug in RPZ with "recursive-only no;"
 5207 			[RT #33776]
 5208 
 5209 3618.	[func]		"rndc reload" now checks modification times of
 5210 			include files as well as master files to determine
 5211 			whether to skip reloading a zone. [RT #33936]
 5212 
 5213 3617.	[bug]		Named was failing to answer queries during
 5214 			"rndc reload" [RT #34098]
 5215 
 5216 3616.	[bug]		Change #3613 was incomplete. [RT #34177]
 5217 
 5218 3615.	[cleanup]	"configure" now finishes by printing a summary
 5219 			of optional BIND features and whether they are
 5220 			active or inactive. ("configure --enable-full-report"
 5221 			increases the verbosity of the summary.) [RT #31777]
 5222 
 5223 3614.	[port]		Check for <linux/types.h>. [RT #34162]
 5224 
 5225 3613.	[bug]		named could crash when deleting inline-signing
 5226 			zones with "rndc delzone". [RT #34066]
 5227 
 5228 3612.	[port]		Check whether to use -ljson or -ljson-c. [RT #34115]
 5229 
 5230 3611.	[bug]		Improved resistance to a theoretical authentication
 5231 			attack based on differential timing.  [RT #33939]
 5232 
 5233 3610.	[cleanup]	win32: Some executables had been omitted from the
 5234 			installer. [RT #34116]
 5235 
 5236 3609.	[bug]		Corrected a possible deadlock in applications using
 5237 			the export version of the isc_app API. [RT #33967]
 5238 
 5239 3608.	[port]		win32: added todos.pl script to ensure all text files
 5240 			the win32 build depends on are converted to DOS
 5241 			newline format. [RT #22067]
 5242 
 5243 3607.	[bug]		dnssec-keygen had broken 'Invalid keyfile' error
 5244 			message. [RT #34045]
 5245 
 5246 3606.	[func]		"rndc flushtree" now flushes matching
 5247 			records in the address database and bad cache
 5248 			as well as the DNS cache. (Previously only the
 5249 			DNS cache was flushed.) [RT #33970]
 5250 
 5251 3605.	[port]		win32: Addressed several compatibility issues
 5252 			with newer versions of Visual Studio. [RT #33916]
 5253 
 5254 3604.	[bug]		Fixed a compile-time error when building with
 5255 			JSON but not XML. [RT #33959]
 5256 
 5257 3603.	[bug]		Install <isc/stat.h>. [RT #33956]
 5258 
 5259 3602.	[contrib]	Added DLZ Perl module, allowing Perl scripts to
 5260 			integrate with named and serve DNS data.
 5261 			(Contributed by John Eaglesham of Yahoo.)
 5262 
 5263 3601.	[bug]		Added to PKCS#11 openssl patches a value len
 5264 			attribute in DH derive key. [RT #33928]
 5265 
 5266 3600.	[cleanup]	dig: Fixed a typo in the warning output when receiving
 5267 			an oversized response. [RT #33910]
 5268 
 5269 3599.	[tuning]	Check for pointer equivalence in name comparisons.
 5270 			[RT #18125]
 5271 
 5272 3598.	[cleanup]	Improved portability of map file code. [RT #33820]
 5273 
 5274 3597.	[bug]		Ensure automatic-resigning heaps are reconstructed
 5275 			when loading zones in map format. [RT #33381]
 5276 
 5277 3596.	[port]		Updated win32 build documentation, added
 5278 			dnssec-verify. [RT #22067]
 5279 
 5280 3595.	[port]		win32: Fix build problems introduced by change #3550.
 5281 			[RT #33807]
 5282 
 5283 3594.	[maint]		Update config.guess and config.sub. [RT #33816]
 5284 
 5285 3593.	[func]		Update EDNS processing to better track remote server
 5286 			capabilities. [RT #30655]
 5287 
 5288 3592.	[doc]		Moved documentation of rndc command options to the
 5289 			rndc man page. [RT #33506]
 5290 
 5291 3591.	[func]		Use CRC-64 to detect map file corruption at load
 5292 			time. [RT #33746]
 5293 
 5294 3590.	[bug]		When using RRL on recursive servers, defer
 5295 			rate-limiting until after recursion is complete;
 5296 			also, use correct rcode for slipped NXDOMAIN
 5297 			responses.  [RT #33604]
 5298 
 5299 3589.	[func]		Report serial numbers in when starting zone transfers.
 5300 			Report accepted NOTIFY requests including serial.
 5301 			[RT #33037]
 5302 
 5303 3588.	[bug]		dig: addressed a memory leak in the sigchase code
 5304 			that could cause a shutdown crash.  [RT #33733]
 5305 
 5306 3587.	[func]		'named -g' now checks the logging configuration but
 5307 			does not use it. [RT #33473]
 5308 
 5309 3586.	[bug]		Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]
 5310 
 5311 3585.	[func]		"rndc delzone -clean" option removes zone files
 5312 			when deleting a zone. [RT #33570]
 5313 
 5314 3584.	[security]	Caching data from an incompletely signed zone could
 5315 			trigger an assertion failure in resolver.c
 5316 			(CVE-2013-3919). [RT #33690]
 5317 
 5318 3583.	[bug]		Address memory leak in GSS-API processing [RT #33574]
 5319 
 5320 3582.	[bug]		Silence false positive warning regarding missing file
 5321 			directive for inline slave zones.  [RT #33662]
 5322 
 5323 3581.	[bug]		Changed the tcp-listen-queue default to 10. [RT #33029]
 5324 
 5325 3580.	[bug]		Addressed a possible race in acache.c [RT #33602]
 5326 
 5327 3579.	[maint]		Updates to PKCS#11 openssl patches, supporting
 5328 			versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]
 5329 
 5330 3578.	[bug]		'rndc -c file' now fails if 'file' does not exist.
 5331 			[RT #33571]
 5332 
 5333 3577.	[bug]		Handle zero TTL values better. [RT #33411]
 5334 
 5335 3576.	[bug]		Address a shutdown race when validating. [RT #33573]
 5336 
 5337 3575.	[func]		Changed the logging category for RRL events from
 5338 			'queries' to 'query-errors'. [RT #33540]
 5339 
 5340 3574.	[doc]		The 'hostname' keyword was missing from server-id
 5341 			description in the named.conf man page. [RT #33476]
 5342 
 5343 3573.	[bug]		"rndc addzone" and "rndc delzone" incorrectly handled
 5344 			zone names containing punctuation marks and other
 5345 			nonstandard characters. [RT #33419]
 5346 
 5347 3572.	[func]		Threads are now enabled by default on most
 5348 			operating systems. [RT #25483]
 5349 
 5350 3571.	[bug]		Address race condition in dns_client_startresolve().
 5351 			[RT #33234]
 5352 
 5353 3570.	[bug]		Check internal pointers are valid when loading map
 5354 			files. [RT #33403]
 5355 
 5356 3569.	[contrib]	Ported mysql DLZ driver to dynamically-loadable
 5357 			module, and added multithread support. [RT #33394]
 5358 
 5359 3568.	[cleanup]	Add a product description line to the version file,
 5360 			to be reported by named -v/-V. [RT #33366]
 5361 
 5362 3567.	[bug]		Silence clang static analyzer warnings. [RT #33365]
 5363 
 5364 3566.	[func]		Log when forwarding updates to master. [RT #33240]
 5365 
 5366 3565.	[placeholder]
 5367 
 5368 3564.	[bug]		Improved handling of corrupted map files. [RT #33380]
 5369 
 5370 3563.	[contrib]	zone2sqlite failed with some table names. [RT #33375]
 5371 
 5372 3562.	[func]		Update map file header format to include a SHA-1 hash
 5373 			of the database content, so that corrupted map files
 5374 			can be rejected at load time. [RT #32459]
 5375 
 5376 3561.	[bug]		dig: issue a warning if an EDNS query returns FORMERR
 5377 			or NOTIMP.  Adjust usage message. [RT #33363]
 5378 
 5379 3560.	[bug]		isc-config.sh did not honor includedir and libdir
 5380 			when set via configure. [RT #33345]
 5381 
 5382 3559.	[func]		Check that both forms of Sender Policy Framework
 5383 			records exist or do not exist. [RT #33355]
 5384 
 5385 3558.	[bug]		IXFR of a DLZ stored zone was broken. [RT #33331]
 5386 
 5387 3557.	[bug]		Reloading redirect zones was broken. [RT #33292]
 5388 
 5389 3556.	[maint]		Added AAAA for D.ROOT-SERVERS.NET.
 5390 
 5391 3555.	[bug]		Address theoretical race conditions in acache.c
 5392 			(change #3553 was incomplete). [RT #33252]
 5393 
 5394 3554.	[bug]		RRL failed to correctly rate-limit upward
 5395 			referrals and failed to count dropped error
 5396 			responses in the statistics. [RT #33225]
 5397 
 5398 3553.	[bug]		Address suspected double free in acache. [RT #33252]
 5399 
 5400 3552.	[bug]		Wrong getopt option string for 'nsupdate -r'.
 5401 			[RT #33280]
 5402 
 5403 3551.	[bug]		resolver.querydscp[46] were uninitialized.  [RT #32686]
 5404 
 5405 3550.	[func]		Unified the internal and export versions of the
 5406 			BIND libraries, allowing external clients to use
 5407 			the same libraries as BIND. [RT #33131]
 5408 
 5409 3549.	[doc]		Documentation for "request-nsid" was missing.
 5410 			[RT #33153]
 5411 
 5412 3548.	[bug]		The NSID request code in resolver.c was broken
 5413 			resulting in invalid EDNS options being sent.
 5414 			[RT #33153]
 5415 
 5416 3547.	[bug]		Some malformed unknown rdata records were not properly
 5417 			detected and rejected. [RT #33129]
 5418 
 5419 3546.	[func]		Add EUI48 and EUI64 types. [RT #33082]
 5420 
 5421 3545.	[bug]		RRL slip behavior was incorrect when set to 1.
 5422 			[RT #33111]
 5423 
 5424 3544.	[contrib]	check5011.pl: Script to report the status of
 5425 			managed keys as recorded in managed-keys.bind.
 5426 			Contributed by Tony Finch <dot@dotat.at>
 5427 
 5428 3543.	[bug]		Update socket structure before attaching to socket
 5429 			manager after accept. [RT #33084]
 5430 
 5431 3542.	[placeholder]
 5432 
 5433 3541.	[bug]		Parts of libdns were not properly initialized when
 5434 			built in libexport mode. [RT #33028]
 5435 
 5436 3540.	[test]		libt_api: t_info and t_assert were not thread safe.
 5437 
 5438 3539.	[port]		win32: timestamp format didn't match other platforms.
 5439 
 5440 3538.	[test]		Running "make test" now requires loopback interfaces
 5441 			to be set up. [RT #32452]
 5442 
 5443 3537.	[tuning]	Slave zones, when updated, now send NOTIFY messages
 5444 			to peers before being dumped to disk rather than
 5445 			after. [RT #27242]
 5446 
 5447 3536.	[func]		Add support for setting Differentiated Services Code
 5448 			Point (DSCP) values in named.  Most configuration
 5449 			options which take a "port" option (e.g.,
 5450 			listen-on, forwarders, also-notify, masters,
 5451 			notify-source, etc) can now also take a "dscp"
 5452 			option specifying a code point for use with
 5453 			outgoing traffic, if supported by the underlying
 5454 			OS. [RT #27596]
 5455 
 5456 3535.	[bug]		Minor win32 cleanups. [RT #32962]
 5457 
 5458 3534.	[bug]		Extra text after an embedded NULL was ignored when
 5459 			parsing zone files. [RT #32699]
 5460 
 5461 3533.	[contrib]	query-loc-0.4.0: memory leaks. [RT #32960]
 5462 
 5463 3532.	[contrib]	zkt: fixed buffer overrun, resource leaks. [RT #32960]
 5464 
 5465 3531.	[bug]		win32: A uninitialized value could be returned on out
 5466 			of memory. [RT #32960]
 5467 
 5468 3530.	[contrib]	Better RTT tracking in queryperf. [RT #30128]
 5469 
 5470 3529.	[func]		Named now listens on both IPv4 and IPv6 interfaces
 5471 			by default.  Named previously only listened on IPv4
 5472 			interfaces by default unless named was running in
 5473 			IPv6 only mode.  [RT #32945]
 5474 
 5475 3528.	[func]		New "dnssec-coverage" command scans the timing
 5476 			metadata for a set of DNSSEC keys and reports if a
 5477 			lapse in signing coverage has been scheduled
 5478 			inadvertently. (Note: This tool depends on python;
 5479 			it will not be built or installed on systems that
 5480 			do not have a python interpreter.) [RT #28098]
 5481 
 5482 3527.	[compat]	Add a URI to allow applications to explicitly
 5483 			request a particular XML schema from the statistics
 5484 			channel, returning 404 if not supported. [RT #32481]
 5485 
 5486 3526.	[cleanup]	Set up dependencies for unit tests correctly during
 5487 			build. [RT #32803]
 5488 
 5489 3525.	[func]		Support for additional signing algorithms in rndc:
 5490 			hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
 5491 			The -A option to rndc-confgen can be used to
 5492 			select the algorithm for the generated key.
 5493 			(The default is still hmac-md5; this may
 5494 			change in a future release.) [RT #20363]
 5495 
 5496 3524.	[func]		Added an alternate statistics channel in JSON format,
 5497 			when the server is built with the json-c library:
 5498 			http://[address]:[port]/json. [RT #32630]
 5499 
 5500 3523.	[contrib]	Ported filesystem and ldap DLZ drivers to
 5501 			dynamically-loadable modules, and added the
 5502 			"wildcard" module based on a contribution from
 5503 			Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569]
 5504 
 5505 3522.	[bug]		DLZ lookups could fail to return SERVFAIL when
 5506 			they ought to. [RT #32685]
 5507 
 5508 3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]
 5509 
 5510 3520.	[bug]		'mctx' was not being referenced counted in some places
 5511 			where it should have been.  [RT #32794]
 5512 
 5513 3519.	[func]		Full replay protection via four-way handshake is
 5514 			now mandatory for rndc clients. Very old versions
 5515 			of rndc will no longer work. [RT #32798]
 5516 
 5517 3518.	[bug]		Increase the size of dns_rrl_key.s.rtype by one bit
 5518 			so that all dns_rrl_rtype_t enum values fit regardless
 5519 			of whether it is treated as signed or unsigned by
 5520 			the compiler. [RT #32792]
 5521 
 5522 3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]
 5523 
 5524 3516.	[placeholder]
 5525 
 5526 3515.	[port]		'%T' is not portable in strftime(). [RT #32763]
 5527 
 5528 3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
 5529 			rndc-confgen were too constrained. Keys up to 512
 5530 			bits are now allowed for most algorithms, and up
 5531 			to 1024 bits for hmac-sha384 and hmac-sha512.
 5532 			[RT #32753]
 5533 
 5534 3513.	[func]		"dig -u" prints times in microseconds rather than
 5535 			milliseconds. [RT #32704]
 5536 
 5537 3512.	[func]		"rndc validation check" reports the current status
 5538 			of DNSSEC validation. [RT #21397]
 5539 
 5540 3511.	[doc]		Improve documentation of redirect zones. [RT #32756]
 5541 
 5542 3510.	[func]		"rndc status" and XML statistics channel now report
 5543 			server start and reconfiguration times. [RT #21048]
 5544 
 5545 3509.	[cleanup]	Added a product line to version file to allow for
 5546 			easy naming of different products (BIND
 5547 			vs BIND ESV, for example). [RT #32755]
 5548 
 5549 3508.	[contrib]	queryperf was incorrectly rejecting the -T option.
 5550 			[RT #32338]
 5551 
 5552 3507.	[bug]		Statistics channel XSL had a glitch when attempting
 5553 			to chart query data before any queries had been
 5554 			received. [RT #32620]
 5555 
 5556 3506.	[func]		When setting "max-cache-size" and "max-acache-size",
 5557 			the keyword "unlimited" is no longer defined as equal
 5558 			to 4 gigabytes (except on 32-bit platforms); it
 5559 			means literally unlimited. [RT #32358]
 5560 
 5561 3505.	[bug]		When setting "max-cache-size" and "max-acache-size",
 5562 			larger values than 4 gigabytes could not be set
 5563 			explicitly, though larger sizes were available
 5564 			when setting cache size to 0. This has been
 5565 			corrected; the full range is now available.
 5566 			[RT #32358]
 5567 
 5568 3504.	[func]		Add support for ACLs based on geographic location,
 5569 			using MaxMind GeoIP databases. Based on code
 5570 			contributed by Ken Brownfield <kb@slide.com>.
 5571 			[RT #30681]
 5572 
 5573 3503.	[doc]		Clarify size_spec syntax. [RT #32449]
 5574 
 5575 3502.	[func]		zone-statistics: "no" is now a synonym for "none",
 5576 			instead of "terse". [RT #29165]
 5577 
 5578 3501.	[func]		zone-statistics now takes three options: full,
 5579 			terse, and none. "yes" and "no" are retained as
 5580 			synonyms for full and terse, respectively. [RT #29165]
 5581 
 5582 3500.	[security]	Support NAPTR regular expression validation on
 5583 			all platforms without using libregex, which
 5584 			can be vulnerable to memory exhaustion attack
 5585 			(CVE-2013-2266). [RT #32688]
 5586 
 5587 3499.	[doc]		Corrected ARM documentation of built-in zones.
 5588 			[RT #32694]
 5589 
 5590 3498.	[bug]		zone statistics for zones which matched a potential
 5591 			empty zone could have their zone-statistics setting
 5592 			overridden.
 5593 
 5594 3497.	[func]		When deleting a slave/stub zone using 'rndc delzone'
 5595 			report the files that were being used so they can
 5596 			be cleaned up if desired. [RT #27899]
 5597 
 5598 3496.	[placeholder]
 5599 
 5600 3495.	[func]		Support multiple response-policy zones (up to 32),
 5601 			while improving RPZ performance.  "response-policy"
 5602 			syntax now includes a "min-ns-dots" clause, with
 5603 			default 1, to exclude top-level domains from
 5604 			NSIP and NSDNAME checking. --enable-rpz-nsip and
 5605 			--enable-rpz-nsdname are now the default. [RT #32251]
 5606 
 5607 3494.	[func]		DNS RRL: Blunt the impact of DNS reflection and
 5608 			amplification attacks by rate-limiting substantially-
 5609 			identical responses. [RT #28130]
 5610 
 5611 3493.	[contrib]	Added BDBHPT dynamically-loadable DLZ module,
 5612 			contributed by Mark Goldfinch. [RT #32549]
 5613 
 5614 3492.	[bug]		Fixed a regression in zone loading performance
 5615 			due to lock contention. [RT #30399]
 5616 
 5617 3491.	[bug]		Slave zones using inline-signing must specify a
 5618 			file name. [RT #31946]
 5619 
 5620 3490.	[bug]		When logging RDATA during update, truncate if it's
 5621 			too long. [RT #32365]
 5622 
 5623 3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
 5624 			dns_dlzcreate() failed to properly initialize
 5625 			dlzdb.link.  When cloning a rdataset do not copy
 5626 			the link contents.  [RT #32651]
 5627 
 5628 3488.	[bug]		Use after free error with DH generated keys. [RT #32649]
 5629 
 5630 3487.	[bug]		Change 3444 was not complete.  There was a additional
 5631 			place where the NOQNAME proof needed to be saved.
 5632 			[RT #32629]
 5633 
 5634 3486.	[bug]		named could crash when using TKEY-negotiated keys
 5635 			that had been deleted and then recreated. [RT #32506]
 5636 
 5637 3485.	[cleanup]	Only compile openssl_gostlink.c if we support GOST.
 5638 
 5639 3484.	[bug]		Some statistics were incorrectly rendered in XML.
 5640 			[RT #32587]
 5641 
 5642 3483.	[placeholder]
 5643 
 5644 3482.	[func]		dig +nssearch now prints name servers that don't
 5645 			have address records (missing AAAA or A, or the name
 5646 			doesn't exist). [RT #29348]
 5647 
 5648 3481.	[cleanup]	Removed use of const const in atf.
 5649 
 5650 3480.	[bug]		Silence logging noise when setting up zone
 5651 			statistics. [RT #32525]
 5652 
 5653 3479.	[bug]		Address potential memory leaks in gssapi support
 5654 			code. [RT #32405]
 5655 
 5656 3478.	[port]		Fix a build failure in strict C99 environments
 5657 			[RT #32475]
 5658 
 5659 3477.	[func]		Expand logging when adding records via DDNS update
 5660 			[RT #32365]
 5661 
 5662 3476.	[bug]		"rndc zonestatus" could report a spurious "not
 5663 			found" error on inline-signing zones. [RT #29226]
 5664 
 5665 3475.	[cleanup]	Changed name of 'map' zone file format (previously
 5666 			'fast'). [RT #32458]
 5667 
 5668 3474.	[bug]		nsupdate could assert when the local and remote
 5669 			address families didn't match. [RT #22897]
 5670 
 5671 3473.	[bug]		dnssec-signzone/verify could incorrectly report
 5672 			an error condition due to an empty node above an
 5673 			opt-out delegation lacking an NSEC3. [RT #32072]
 5674 
 5675 3472.	[bug]		The active-connections counter in the socket
 5676 			statistics could underflow. [RT #31747]
 5677 
 5678 3471.	[bug]		The number of UDP dispatches now defaults to
 5679 			the number of CPUs even if -n has been set to
 5680 			a higher value. [RT #30964]
 5681 
 5682 3470.	[bug]		Slave zones could fail to dump when successfully
 5683 			refreshing after an initial failure. [RT #31276]
 5684 
 5685 3469.	[bug]		Handle DLZ lookup failures more gracefully. Improve
 5686 			backward compatibility between versions of DLZ dlopen
 5687 			API. [RT #32275]
 5688 
 5689 3468.	[security]	RPZ rules to generate A records (but not AAAA records)
 5690 			could trigger an assertion failure when used in
 5691 			conjunction with DNS64 (CVE-2012-5689). [RT #32141]
 5692 
 5693 3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
 5694 			to check for delete date < inactive date. [RT #31719]
 5695 
 5696 3466.	[contrib]	Corrected the DNS_CLIENTINFOMETHODS_VERSION check
 5697 			in DLZ example driver. [RT #32275]
 5698 
 5699 3465.	[bug]		Handle isolated reserved ports. [RT #31778]
 5700 
 5701 3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
 5702 			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]
 5703 
 5704 3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]
 5705 
 5706 3462.	[doc]		Clarify server selection behavior of dig when using
 5707 			-4 or -6 options. [RT #32181]
 5708 
 5709 3461.	[bug]		Negative responses could incorrectly have AD=1
 5710 			set. [RT #32237]
 5711 
 5712 3460.	[bug]		Only link against readline where needed. [RT #29810]
 5713 
 5714 3459.	[func]		Added -J option to named-checkzone/named-compilezone
 5715 			to specify the path to the journal file. [RT #30958]
 5716 
 5717 3458.	[bug]		Return FORMERR when presented with a overly long
 5718 			domain named in a request. [RT #29682]
 5719 
 5720 3457.	[protocol]	Add ILNP records (NID, LP, L32, L64). [RT #31836]
 5721 
 5722 3456.	[port]		g++47: ATF failed to compile. [RT #32012]
 5723 
 5724 3455.	[contrib]	queryperf: fix getopt option list. [RT #32338]
 5725 
 5726 3454.	[port]		sparc64: improve atomic support. [RT #25182]
 5727 
 5728 3453.	[bug]		'rndc addzone' of a zone with 'inline-signing yes;'
 5729 			failed. [RT #31960]
 5730 
 5731 3452.	[bug]		Accept duplicate singleton records. [RT #32329]
 5732 
 5733 3451.	[port]		Increase per thread stack size from 64K to 1M.
 5734 			[RT #32230]
 5735 
 5736 3450.	[bug]		Stop logfileconfig system test spam system logs.
 5737 			[RT #32315]
 5738 
 5739 3449.	[bug]		gen.c: use the pre-processor to construct format
 5740 			strings so that compiler can perform sanity checks;
 5741 			check the snprintf results. [RT #17576]
 5742 
 5743 3448.	[bug]		The allow-query-on ACL was not processed correctly.
 5744 			[RT #29486]
 5745 
 5746 3447.	[port]		Add support for libxml2-2.9.x [RT #32231]
 5747 
 5748 3446.	[port]		win32: Add source ID (see change #3400) to build.
 5749 			[RT #31683]
 5750 
 5751 3445.	[bug]		Warn about zone files with blank owner names
 5752 			immediately after $ORIGIN directives. [RT #31848]
 5753 
 5754 3444.	[bug]		The NOQNAME proof was not being returned from cached
 5755 			insecure responses. [RT #21409]
 5756 
 5757 3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
 5758 			rejected when generating keys. [RT #31927]
 5759 
 5760 3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
 5761 			change. [RT #32216]
 5762 
 5763 3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.
 5764 
 5765 3440.	[bug]		Reorder get_key_struct to not trigger a assertion when
 5766 			cleaning up due to out of memory error. [RT #32131]
 5767 
 5768 3439.	[placeholder]
 5769 
 5770 3438.	[bug]		Don't accept unknown data escape in quotes. [RT #32031]
 5771 
 5772 3437.	[bug]		isc_buffer_init -> isc_buffer_constinit to initialize
 5773 			buffers with constant data. [RT #32064]
 5774 
 5775 3436.	[bug]		Check malloc/calloc return values. [RT #32088]
 5776 
 5777 3435.	[bug]		Cross compilation support in configure was broken.
 5778 			[RT #32078]
 5779 
 5780 3434.	[bug]		Pass client info to the DLZ findzone() entry
 5781 			point in addition to lookup().  This makes it
 5782 			possible for a database to answer differently
 5783 			whether it's authoritative for a name depending
 5784 			on the address of the client.  [RT #31775]
 5785 
 5786 3433.	[bug]		dlz_findzone() did not correctly handle
 5787 			ISC_R_NOMORE. [RT #31172]
 5788 
 5789 3432.	[func]		Multiple DLZ databases can now be configured.
 5790 			DLZ databases are searched in the order configured,
 5791 			unless set to "search no", in which case a
 5792 			zone can be configured to be retrieved from a
 5793 			particular DLZ database by using a "dlz <name>"
 5794 			option in the zone statement.  DLZ databases can
 5795 			support type "master" and "redirect" zones.
 5796 			[RT #27597]
 5797 
 5798 3431.	[bug]		ddns-confgen: Some valid key algorithms were
 5799 			not accepted. [RT #31927]
 5800 
 5801 3430.	[bug]		win32: isc_time_formatISO8601 was missing the
 5802 			'T' between the date and time. [RT #32044]
 5803 
 5804 3429.	[bug]		dns_zone_getserial2 could a return success without
 5805 			returning a valid serial. [RT #32007]
 5806 
 5807 3428.	[cleanup]	dig: Add timezone to date output. [RT #2269]
 5808 
 5809 3427.	[bug]		dig +trace incorrectly displayed name server
 5810 			addresses instead of names. [RT #31641]
 5811 
 5812 3426.	[bug]		dnssec-checkds: Clearer output when records are not
 5813 			found. [RT #31968]
 5814 
 5815 3425.	[bug]		"acacheentry" reference counting was broken resulting
 5816 			in use after free. [RT #31908]
 5817 
 5818 3424.	[func]		dnssec-dsfromkey now emits the hash without spaces.
 5819 			[RT #31951]
 5820 
 5821 3423.	[bug]		"rndc signing -nsec3param" didn't accept the full
 5822 			range of possible values.  Address portability issues.
 5823 			[RT #31938]
 5824 
 5825 3422.	[bug]		Added a clear error message for when the SOA does not
 5826 			match the referral. [RT #31281]
 5827 
 5828 3421.	[bug]		Named loops when re-signing if all keys are offline.
 5829 			[RT #31916]
 5830 
 5831 3420.	[bug]		Address VPATH compilation issues. [RT #31879]
 5832 
 5833 3419.	[bug]		Memory leak on validation cancel. [RT #31869]
 5834 
 5835 3418.	[func]		New XML schema (version 3.0) for the statistics channel
 5836 			adds query type statistics at the zone level, and
 5837 			flattens the XML tree and uses compressed format to
 5838 			optimize parsing. Includes new XSL that permits
 5839 			charting via the Google Charts API on browsers that
 5840 			support javascript in XSL.  The old XML schema has been
 5841 			deprecated. [RT #30023]
 5842 
 5843 3417.	[placeholder]
 5844 
 5845 3416.	[bug]		Named could die on shutdown if running with 128 UDP
 5846 			dispatches per interface. [RT #31743]
 5847 
 5848 3415.	[bug]		named could die with a REQUIRE failure if a validation
 5849 			was canceled. [RT #31804]
 5850 
 5851 3414.	[bug]		Address locking issues found by Coverity. [RT #31626]
 5852 
 5853 3413.	[func]		Record the number of DNS64 AAAA RRsets that have been
 5854 			synthesized. [RT #27636]
 5855 
 5856 3412.	[bug]		Copy timeval structure from control message data.
 5857 			[RT #31548]
 5858 
 5859 3411.	[tuning]	Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
 5860 			to UDP. [RT #31690]
 5861 
 5862 3410.	[bug]		Addressed Coverity warnings. [RT #31626]
 5863 
 5864 3409.	[contrib]	contrib/dane/mkdane.sh: Tool to generate TLSA RR's
 5865 			from X.509 certificates, for use with DANE
 5866 			(DNS-based Authentication of Named Entities).
 5867 			[RT #30513]
 5868 
 5869 3408.	[bug]		Some DNSSEC-related options (update-check-ksk,
 5870 			dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
 5871 			are now legal in slave zones as long as
 5872 			inline-signing is in use. [RT #31078]
 5873 
 5874 3407.	[placeholder]
 5875 
 5876 3406.	[bug]		mem.c: Fix compilation errors when building with
 5877 			ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
 5878 			Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
 5879 
 5880 3405.	[bug]		Handle time going backwards in acache. [RT #31253]
 5881 
 5882 3404.	[bug]		dnssec-signzone: When re-signing a zone, remove
 5883 			RRSIG and NSEC records from nodes that used to be
 5884 			in-zone but are now below a zone cut. [RT #31556]
 5885 
 5886 3403.	[bug]		Silence noisy OpenSSL logging. [RT #31497]
 5887 
 5888 3402.	[test]		The IPv6 interface numbers used for system
 5889 			tests were incorrect on some platforms. [RT #25085]
 5890 
 5891 3401.	[bug]		Addressed Coverity warnings. [RT #31484]
 5892 
 5893 3400.	[cleanup]	"named -V" can now report a source ID string, defined
 5894 			in the "srcid" file in the build tree and normally set
 5895 			to the most recent git hash.  [RT #31494]
 5896 
 5897 3399.	[port]		netbsd: rename 'bool' parameter to avoid namespace
 5898 			clash.  [RT #31515]
 5899 
 5900 3398.	[bug]		SOA parameters were not being updated with inline
 5901 			signed zones if the zone was modified while the
 5902 			server was offline. [RT #29272]
 5903 
 5904 3397.	[bug]		dig crashed when using +nssearch with +tcp. [RT #25298]
 5905 
 5906 3396.	[bug]		OPT records were incorrectly removed from signed,
 5907 			truncated responses. [RT #31439]
 5908 
 5909 3395.	[protocol]	Add RFC 6598 reverse zones to built in empty zones
 5910 			list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
 5911 			[RT #31336]
 5912 
 5913 3394.	[bug]		Adjust 'successfully validated after lower casing
 5914 			signer' log level and category. [RT #31414]
 5915 
 5916 3393.	[bug]		'host -C' could core dump if REFUSED was received.
 5917 			[RT #31381]
 5918 
 5919 3392.	[func]		Keep statistics on REFUSED responses. [RT #31412]
 5920 
 5921 3391.	[bug]		A DNSKEY lookup that encountered a CNAME failed.
 5922 			[RT #31262]
 5923 
 5924 3390.	[bug]		Silence clang compiler warnings. [RT #30417]
 5925 
 5926 3389.	[bug]		Always return NOERROR (not 0) in TSIG. [RT #31275]
 5927 
 5928 3388.	[bug]		Fixed several Coverity warnings.
 5929 			Note: This change includes a fix for a bug that
 5930 			was subsequently determined to be an exploitable
 5931 			security vulnerability, CVE-2012-5688: named could
 5932 			die on specific queries with dns64 enabled.
 5933 			[RT #30996]
 5934 
 5935 3387.	[func]		DS digest can be disabled at runtime with
 5936 			disable-ds-digests. [RT #21581]
 5937 
 5938 3386.	[bug]		Address locking violation when generating new NSEC /
 5939 			NSEC3 chains. [RT #31224]
 5940 
 5941 3385.	[bug]		named-checkconf didn't detect missing master lists
 5942 			in also-notify clauses. [RT #30810]
 5943 
 5944 3384.	[bug]		Improved logging of crypto errors. [RT #30963]
 5945 
 5946 3383.	[security]	A certain combination of records in the RBT could
 5947 			cause named to hang while populating the additional
 5948 			section of a response. [RT #31090]
 5949 
 5950 3382.	[bug]		SOA query from slave used use-v6-udp-ports range,
 5951 			if set, regardless of the address family in use.
 5952 			[RT #24173]
 5953 
 5954 3381.	[contrib]	Update queryperf to support more RR types.
 5955 			[RT #30762]
 5956 
 5957 3380.	[bug]		named could die if a nonexistent master list was
 5958 			referenced in a also-notify. [RT #31004]
 5959 
 5960 3379.	[bug]		isc_interval_zero and isc_time_epoch should be
 5961 			"const (type)* const". [RT #31069]
 5962 
 5963 3378.	[bug]		Handle missing 'managed-keys-directory' better.
 5964 			[RT #30625]
 5965 
 5966 3377.	[bug]		Removed spurious newline from NSEC3 multiline
 5967 			output. [RT #31044]
 5968 
 5969 3376.	[bug]		Lack of EDNS support was being recorded without a
 5970 			successful response. [RT #30811]
 5971 
 5972 3375.	[bug]		'rndc dumpdb' failed on empty caches. [RT #30808]
 5973 
 5974 3374.	[bug]		isc_parse_uint32 failed to return a range error on
 5975 			systems with 64 bit longs. [RT #30232]
 5976 
 5977 3373.	[bug]		win32: open raw files in binary mode. [RT #30944]
 5978 
 5979 3372.	[bug]		Silence spurious "deleted from unreachable cache"
 5980 			messages.  [RT #30501]
 5981 
 5982 3371.	[bug]		AD=1 should behave like DO=1 when deciding whether to
 5983 			add NS RRsets to the additional section or not.
 5984 			[RT #30479]
 5985 
 5986 3370.	[bug]		Address use after free while shutting down. [RT #30241]
 5987 
 5988 3369.	[bug]		nsupdate terminated unexpectedly in interactive mode
 5989 			if built with readline support. [RT #29550]
 5990 
 5991 3368.	[bug]		<dns/iptable.h>, <dns/private.h> and <dns/zone.h>
 5992 			were not C++ safe.
 5993 
 5994 3367.	[bug]		dns_dnsseckey_create() result was not being checked.
 5995 			[RT #30685]
 5996 
 5997 3366.	[bug]		Fixed Read-After-Write dependency violation for IA64
 5998 			atomic operations. [RT #25181]
 5999 
 6000 3365.	[bug]		Removed spurious newlines from log messages in
 6001 			zone.c [RT #30675]
 6002 
 6003 3364.	[security]	Named could die on specially crafted record.
 6004 			[RT #30416]
 6005 
 6006 3363.	[bug]		Need to allow "forward" and "fowarders" options
 6007 			in static-stub zones; this had been overlooked.
 6008 			[RT #30482]
 6009 
 6010 3362.	[bug]		Setting some option values to 0 in named.conf
 6011 			could trigger an assertion failure on startup.
 6012 			[RT #27730]
 6013 
 6014 3361.	[bug]		"rndc signing -nsec3param" didn't work correctly
 6015 			when salt was set to '-' (no salt). [RT #30099]
 6016 
 6017 3360.	[bug]		'host -w' could die.  [RT #18723]
 6018 
 6019 3359.	[bug]		An improperly-formed TSIG secret could cause a
 6020 			memory leak. [RT #30607]
 6021 
 6022 3358.	[placeholder]
 6023 
 6024 3357.	[port]		Add support for libxml2-2.8.x [RT #30440]
 6025 
 6026 3356.	[bug]		Cap the TTL of signed RRsets when RRSIGs are
 6027 			approaching their expiry, so they don't remain
 6028 			in caches after expiry. [RT #26429]
 6029 
 6030 3355.	[port]		Use more portable awk in verify system test.
 6031 
 6032 3354.	[func]		Improve OpenSSL error logging. [RT #29932]
 6033 
 6034 3353.	[bug]		Use a single task for task exclusive operations.
 6035 			[RT #29872]
 6036 
 6037 3352.	[bug]		Ensure that learned server attributes timeout of the
 6038 			adb cache. [RT #29856]
 6039 
 6040 3351.	[bug]		isc_mem_put and isc_mem_putanddetach didn't report
 6041 			caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
 6042 			memory debugging flags are set. [RT #30243]
 6043 
 6044 3350.	[bug]		Memory read overrun in isc___mem_reallocate if
 6045 			ISC_MEM_DEBUGCTX memory debugging flag is set.
 6046 			[RT #30240]
 6047 
 6048 3349.	[bug]		Change #3345 was incomplete. [RT #30233]
 6049 
 6050 3348.	[bug]		Prevent RRSIG data from being cached if a negative
 6051 			record matching the covering type exists at a higher
 6052 			trust level. Such data already can't be retrieved from
 6053 			the cache since change 3218 -- this prevents it
 6054 			being inserted into the cache as well. [RT #26809]
 6055 
 6056 3347.	[bug]		dnssec-settime: Issue a warning when writing a new
 6057 			private key file would cause a change in the
 6058 			permissions of the existing file. [RT #27724]
 6059 
 6060 3346.	[security]	Bad-cache data could be used before it was
 6061 			initialized, causing an assert. [RT #30025]
 6062 
 6063 3345.	[bug]		Addressed race condition when removing the last item
 6064 			or inserting the first item in an ISC_QUEUE.
 6065 			[RT #29539]
 6066 
 6067 3344.	[func]		New "dnssec-checkds" command checks a zone to
 6068 			determine which DS records should be published
 6069 			in the parent zone, or which DLV records should be
 6070 			published in a DLV zone, and queries the DNS to
 6071 			ensure that it exists. (Note: This tool depends
 6072 			on python; it will not be built or installed on
 6073 			systems that do not have a python interpreter.)
 6074 			[RT #28099]
 6075 
 6076 3343.	[placeholder]
 6077 
 6078 3342.	[bug]		Change #3314 broke saving of stub zones to disk
 6079 			resulting in excessive cpu usage in some cases.
 6080 			[RT #29952]
 6081 
 6082 3341.	[func]		New "dnssec-verify" command checks a signed zone
 6083 			to ensure correctness of signatures and of NSEC/NSEC3
 6084 			chains. [RT #23673]
 6085 
 6086 3340.	[func]		Added new 'map' zone file format, which is an image
 6087 			of a zone database that can be loaded directly into
 6088 			memory via mmap(), allowing much faster zone loading.
 6089 			(Note: Because of pointer sizes and other
 6090 			considerations, this file format is platform-dependent;
 6091 			'map' zone files cannot always be transferred from one
 6092 			server to another.) [RT #25419]
 6093 
 6094 3339.	[func]		Allow the maximum supported rsa exponent size to be
 6095 			specified: "max-rsa-exponent-size <value>;" [RT #29228]
 6096 
 6097 3338.	[bug]		Address race condition in units tests: asyncload_zone
 6098 			and asyncload_zt. [RT #26100]
 6099 
 6100 3337.	[bug]		Change #3294 broke support for the multiple keys
 6101 			in controls. [RT #29694]
 6102 
 6103 3336.	[func]		Maintain statistics for RRsets tagged as "stale".
 6104 			[RT #29514]
 6105 
 6106 3335.	[func]		nslookup: return a nonzero exit code when unable
 6107 			to get an answer. [RT #29492]
 6108 
 6109 3334.	[bug]		Hold a zone table reference while performing a
 6110 			asynchronous load of a zone. [RT #28326]
 6111 
 6112 3333.	[bug]		Setting resolver-query-timeout too low can cause
 6113 			named to not recover if it loses connectivity.
 6114 			[RT #29623]
 6115 
 6116 3332.	[bug]		Re-use cached DS rrsets if possible. [RT #29446]
 6117 
 6118 3331.	[security]	dns_rdataslab_fromrdataset could produce bad
 6119 			rdataslabs. [RT #29644]
 6120 
 6121 3330.	[func]		Fix missing signatures on NOERROR results despite
 6122 			RPZ rewriting.  Also
 6123 			 - add optional "recursive-only yes|no" to the
 6124 			   response-policy statement
 6125 			 - add optional "max-policy-ttl" to the response-policy
 6126 			    statement to limit the false data that
 6127 			    "recursive-only no" can introduce into
 6128 			    resolvers' caches
 6129 			 - add a RPZ performance test to bin/tests/system/rpz
 6130 			     when queryperf is available.
 6131 			 - the encoding of PASSTHRU action to "rpz-passthru".
 6132 			     (The old encoding is still accepted.)
 6133 			[RT #26172]
 6134 
 6135 
 6136 3329.	[bug]		Handle RRSIG signer-name case consistently: We
 6137 			generate RRSIG records with the signer-name in
 6138 			lower case.  We accept them with any case, but if
 6139 			they fail to validate, we try again in lower case.
 6140 			[RT #27451]
 6141 
 6142 3328.	[bug]		Fixed inconsistent data checking in dst_parse.c.
 6143 			[RT #29401]
 6144 
 6145 3327.	[func]		Added 'filter-aaaa-on-v6' option; this is similar
 6146 			to 'filter-aaaa-on-v4' but applies to IPv6
 6147 			connections.  (Use "configure --enable-filter-aaaa"
 6148 			to enable this option.)  [RT #27308]
 6149 
 6150 3326.	[func]		Added task list statistics: task model, worker
 6151 			threads, quantum, tasks running, tasks ready.
 6152 			[RT #27678]
 6153 
 6154 3325.	[func]		Report cache statistics: memory use, number of
 6155 			nodes, number of hash buckets, hit and miss counts.
 6156 			[RT #27056]
 6157 
 6158 3324.	[test]		Add better tests for ADB stats [RT #27057]
 6159 
 6160 3323.	[func]		Report the number of buckets the resolver is using.
 6161 			[RT #27020]
 6162 
 6163 3322.	[func]		Monitor the number of active TCP and UDP dispatches.
 6164 			[RT #27055]
 6165 
 6166 3321.	[func]		Monitor the number of recursive fetches and the
 6167 			number of open sockets, and report these values in
 6168 			the statistics channel. [RT #27054]
 6169 
 6170 3320.	[func]		Added support for monitoring of recursing client
 6171 			count. [RT #27009]
 6172 
 6173 3319.	[func]		Added support for monitoring of ADB entry count and
 6174 			hash size. [RT #27057]
 6175 
 6176 3318.	[tuning]	Reduce the amount of work performed while holding a
 6177 			bucket lock when finished with a fetch context.
 6178 			[RT #29239]
 6179 
 6180 3317.	[func]		Add ECDSA support (RFC 6605). [RT #21918]
 6181 
 6182 3316.	[tuning]	Improved locking performance when recursing.
 6183 			[RT #28836]
 6184 
 6185 3315.	[tuning]	Use multiple dispatch objects for sending upstream
 6186 			queries; this can improve performance on busy
 6187 			multiprocessor systems by reducing lock contention.
 6188 			[RT #28605]
 6189 
 6190 3314.	[bug]		The masters list could be updated while stub_callback
 6191 			or refresh_callback were using it. [RT #26732]
 6192 
 6193 3313.	[protocol]	Add TLSA record type. [RT #28989]
 6194 
 6195 3312.	[bug]		named-checkconf didn't detect a bad dns64 clients acl.
 6196 			[RT #27631]
 6197 
 6198 3311.	[bug]		Abort the zone dump if zone->db is NULL in
 6199 			zone.c:zone_gotwritehandle. [RT #29028]
 6200 
 6201 3310.	[test]		Increase table size for mutex profiling. [RT #28809]
 6202 
 6203 3309.	[bug]		resolver.c:fctx_finddone() was not thread safe.
 6204 			[RT #27995]
 6205 
 6206 3308.	[placeholder]
 6207 
 6208 3307.	[bug]		Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
 6209 			[RT #28956]
 6210 
 6211 3306.	[bug]		Improve DNS64 reverse zone performance. [RT #28563]
 6212 
 6213 3305.	[func]		Add wire format lookup method to sdb. [RT #28563]
 6214 
 6215 3304.	[bug]		Use hmctx, not mctx when freeing rbtdb->heaps.
 6216 			[RT #28571]
 6217 
 6218 3303.	[bug]		named could die when reloading. [RT #28606]
 6219 
 6220 3302.	[bug]		dns_dnssec_findmatchingkeys could fail to find
 6221 			keys if the zone name contained character that
 6222 			required special mappings. [RT #28600]
 6223 
 6224 3301.	[contrib]	Update queryperf to build on darwin.  Add -R flag
 6225 			for non-recursive queries. [RT #28565]
 6226 
 6227 3300.	[bug]		Named could die if gssapi was enabled in named.conf
 6228 			but was not compiled in. [RT #28338]
 6229 
 6230 3299.	[bug]		Make SDB handle errors from database drivers better.
 6231 			[RT #28534]
 6232 
 6233 3298.	[bug]		Named could dereference a NULL pointer in
 6234 			zmgr_start_xfrin_ifquota if the zone was being removed.
 6235 			[RT #28419]
 6236 
 6237 3297.	[bug]		Named could die on a malformed master file. [RT #28467]
 6238 
 6239 3296.	[bug]		Named could die with a INSIST failure in
 6240 			client.c:exit_check. [RT #28346]
 6241 
 6242 3295.	[bug]		Adjust isc_time_secondsastimet range check to be more
 6243 			portable. [RT # 26542]
 6244 
 6245 3294.	[bug]		isccc/cc.c:table_fromwire failed to free alist on
 6246 			error. [RT #28265]
 6247 
 6248 3293.	[func]		nsupdate: list supported type. [RT #28261]
 6249 
 6250 3292.	[func]		Log messages in the axfr stream at debug 10.
 6251 			[RT #28040]
 6252 
 6253 3291.	[port]		Fixed a build error on systems without ENOTSUP.
 6254 			[RT #28200]
 6255 
 6256 3290.	[bug]		<isc/hmacsha.h> was not being installed. [RT #28169]
 6257 
 6258 3289.	[bug]		'rndc retransfer' failed for inline zones. [RT #28036]
 6259 
 6260 3288.	[bug]		dlz_destroy() function wasn't correctly registered
 6261 			by the DLZ dlopen driver. [RT #28056]
 6262 
 6263 3287.	[port]		Update ans.pl to work with Net::DNS 0.68. [RT #28028]
 6264 
 6265 3286.	[bug]		Managed key maintenance timer could fail to start
 6266 			after 'rndc reconfig'. [RT #26786]
 6267 
 6268 3285.	[bug]		val-frdataset was incorrectly disassociated in
 6269 			proveunsecure after calling startfinddlvsep.
 6270 			[RT #27928]
 6271 
 6272 3284.	[bug]		Address race conditions with the handling of
 6273 			rbtnode.deadlink. [RT #27738]
 6274 
 6275 3283.	[bug]		Raw zones with with more than 512 records in a RRset
 6276 			failed to load. [RT #27863]
 6277 
 6278 3282.	[bug]		Restrict the TTL of NS RRset to no more than that
 6279 			of the old NS RRset when replacing it.
 6280 			[RT #27792] [RT #27884]
 6281 
 6282 3281.	[bug]		SOA refresh queries could be treated as cancelled
 6283 			despite succeeding over the loopback interface.
 6284 			[RT #27782]
 6285 
 6286 3280.	[bug]		Potential double free of a rdataset on out of memory
 6287 			with DNS64. [RT #27762]
 6288 
 6289 3279.	[bug]		Hold a internal reference to the zone while performing
 6290 			a asynchronous load.  Address potential memory leak
 6291 			if the asynchronous is cancelled. [RT #27750]
 6292 
 6293 3278.	[bug]		Make sure automatic key maintenance is started
 6294 			when "auto-dnssec maintain" is turned on during
 6295 			"rndc reconfig". [RT #26805]
 6296 
 6297 3277.	[bug]		win32: isc_socket_dup is not implemented. [RT #27696]
 6298 
 6299 3276.	[bug]		win32: ns_os_openfile failed to return NULL on
 6300 			safe_open failure. [RT #27696]
 6301 
 6302 3275.	[bug]		Corrected rndc -h output; the 'rndc sync -clean'
 6303 			option had been misspelled as '-clear'.  (To avoid
 6304 			future confusion, both options now work.) [RT #27173]
 6305 
 6306 3274.	[placeholder]
 6307 
 6308 3273.	[bug]		AAAA responses could be returned in the additional
 6309 			section even when filter-aaaa-on-v4 was in use.
 6310 			[RT #27292]
 6311 
 6312 3272.	[func]		New "rndc zonestatus" command prints information
 6313 			about the specified zone. [RT #21671]
 6314 
 6315 3271.	[port]		darwin: mksymtbl is not always stable, loop several
 6316 			times before giving up.  mksymtbl was using non
 6317 			portable perl to covert 64 bit hex strings. [RT #27653]
 6318 
 6319 	--- 9.9.0rc2 released ---
 6320 
 6321 3270.	[bug]		"rndc reload" didn't reuse existing zones correctly
 6322 			when inline-signing was in use. [RT #27650]
 6323 
 6324 3269.	[port]		darwin 11 and later now built threaded by default.
 6325 
 6326 3268.	[bug]		Convert RRSIG expiry times to 64 timestamps to work
 6327 			out the earliest expiry time. [RT #23311]
 6328 
 6329 3267.	[bug]		Memory allocation failures could be mis-reported as
 6330 			unexpected error.  New ISC_R_UNSET result code.
 6331 			[RT #27336]
 6332 
 6333 3266.	[bug]		The maximum number of NSEC3 iterations for a
 6334 			DNSKEY RRset was not being properly computed.
 6335 			[RT #26543]
 6336 
 6337 3265.	[bug]		Corrected a problem with lock ordering in the
 6338 			inline-signing code. [RT #27557]
 6339 
 6340 3264.	[bug]		Automatic regeneration of signatures in an
 6341 			inline-signing zone could stall when the server
 6342 			was restarted. [RT #27344]
 6343 
 6344 3263.	[bug]		"rndc sync" did not affect the unsigned side of an
 6345 			inline-signing zone. [RT #27337]
 6346 
 6347 3262.	[bug]		Signed responses were handled incorrectly by RPZ.
 6348 			[RT #27316]
 6349 
 6350 3261.	[func]		RRset ordering now defaults to random. [RT #27174]
 6351 
 6352 3260.	[bug]		"rrset-order cyclic" could appear not to rotate
 6353 			for some query patterns.  [RT #27170/27185]
 6354 
 6355 	--- 9.9.0rc1 released ---
 6356 
 6357 3259.	[bug]		named-compilezone: Suppress "dump zone to <file>"
 6358 			message when writing to stdout. [RT #27109]
 6359 
 6360 3258.	[test]		Add "forcing full sign with unreadable keys" test.
 6361 			[RT #27153]
 6362 
 6363 3257.	[bug]		Do not generate a error message when calling fsync()
 6364 			in a pipe or socket. [RT #27109]
 6365 
 6366 3256.	[bug]		Disable empty zones for lwresd -C. [RT #27139]
 6367 
 6368 3255.	[func]		No longer require that a empty zones be explicitly
 6369 			enabled or that a empty zone is disabled for
 6370 			RFC 1918 empty zones to be configured. [RT #27139]
 6371 
 6372 3254.	[bug]		Set isc_socket_ipv6only() on the IPv6 control channels.
 6373 			[RT #22249]
 6374 
 6375 3253.	[bug]		Return DNS_R_SYNTAX when the input to a text field is
 6376 			too long. [RT #26956]
 6377 
 6378 3252.	[bug]		When master zones using inline-signing were
 6379 			updated while the server was offline, the source
 6380 			zone could fall out of sync with the signed
 6381 			copy. They can now resynchronize. [RT #26676]
 6382 
 6383 3251.	[bug]		Enforce a upper bound (65535 bytes) on the amount of
 6384 			memory dns_sdlz_putrr() can allocate per record to
 6385 			prevent run away memory consumption on ISC_R_NOSPACE.
 6386 			[RT #26956]
 6387 
 6388 3250.	[func]		'configure --enable-developer'; turn on various
 6389 			configure options, normally off by default, that
 6390 			we want developers to build and test with. [RT #27103]
 6391 
 6392 3249.	[bug]		Update log message when saving slave zones files for
 6393 			analysis after load failures. [RT #27087]
 6394 
 6395 3248.	[bug]		Configure options --enable-fixed-rrset and
 6396 			--enable-exportlib were incompatible with each
 6397 			other. [RT #27087]
 6398 
 6399 3247.	[bug]		'raw' format zones failed to preserve load order
 6400 			breaking 'fixed' sort order. [RT #27087]
 6401 
 6402 3246.	[bug]		Named failed to start with a empty also-notify list.
 6403 			[RT #27087]
 6404 
 6405 3245.	[bug]		Don't report a error unchanged serials unless there
 6406 			were other changes when thawing a zone with
 6407 			ixfr-fromdifferences. [RT #26845]
 6408 
 6409 3244.	[func]		Added readline support to nslookup and nsupdate.
 6410 			Also simplified nsupdate syntax to make "update"
 6411 			and "prereq" optional. [RT #24659]
 6412 
 6413 3243.	[port]		freebsd,netbsd,bsdi: the thread defaults were not
 6414 			being properly set.
 6415 
 6416 3242.	[func]		Extended the header of raw-format master files to
 6417 			include the serial number of the zone from which
 6418 			they were generated, if different (as in the case
 6419 			of inline-signing zones).  This is to be used in
 6420 			inline-signing zones, to track changes between the
 6421 			unsigned and signed versions of the zone, which may
 6422 			have different serial numbers.
 6423 
 6424 			(Note: raw zonefiles generated by this version of
 6425 			BIND are no longer compatible with prior versions.
 6426 			To generate a backward-compatible raw zonefile
 6427 			using dnssec-signzone or named-compilezone, specify
 6428 			output format "raw=0" instead of simply "raw".)
 6429 			[RT #26587]
 6430 
 6431 3241.	[bug]		Address race conditions in the resolver code.
 6432 			[RT #26889]
 6433 
 6434 3240.	[bug]		DNSKEY state change events could be missed. [RT #26874]
 6435 
 6436 3239.	[bug]		dns_dnssec_findmatchingkeys needs to use a consistent
 6437 			timestamp. [RT #26883]
 6438 
 6439 3238.	[bug]		keyrdata was not being reinitialized in
 6440 			lib/dns/rbtdb.c:iszonesecure. [RT #26913]
 6441 
 6442 3237.	[bug]		dig -6 didn't work with +trace. [RT #26906]
 6443 
 6444 3236.	[bug]		Backed out changes #3182 and #3202, related to
 6445 			EDNS(0) fallback behavior. [RT #26416]
 6446 
 6447 3235.	[func]		dns_db_diffx, a extended dns_db_diff which returns
 6448 			the generated diff and optionally writes it to a
 6449 			journal. [RT #26386]
 6450 
 6451 3234.	[bug]		'make depend' produced invalid makefiles. [RT #26830]
 6452 
 6453 3233.	[bug]		'rndc freeze/thaw' didn't work for inline zones.
 6454 			[RT #26632]
 6455 
 6456 3232.	[bug]		Zero zone->curmaster before return in
 6457 			dns_zone_setmasterswithkeys(). [RT #26732]
 6458 
 6459 3231.	[bug]		named could fail to send a incompressible zone.
 6460 			[RT #26796]
 6461 
 6462 3230.	[bug]		'dig axfr' failed to properly handle a multi-message
 6463 			axfr with a serial of 0. [RT #26796]
 6464 
 6465 3229.	[bug]		Fix local variable to struct var assignment
 6466 			found by CLANG warning.
 6467 
 6468 3228.	[tuning]	Dynamically grow symbol table to improve zone
 6469 			loading performance. [RT #26523]
 6470 
 6471 3227.	[bug]		Interim fix to make WKS's use of getprotobyname()
 6472 			and getservbyname() self thread safe. [RT #26232]
 6473 
 6474 3226.	[bug]		Address minor resource leakages. [RT #26624]
 6475 
 6476 3225.	[bug]		Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
 6477 			messages. [RT #26507]
 6478 
 6479 3224.	[bug]		'rndc signing' argument parsing was broken. [RT #26684]
 6480 
 6481 3223.	[bug]		'task_test privilege_drop' generated false positives.
 6482 			[RT #26766]
 6483 
 6484 3222.	[cleanup]	Replace dns_journal_{get,set}_bitws with
 6485 			dns_journal_{get,set}_sourceserial. [RT #26634]
 6486 
 6487 3221.	[bug]		Fixed a potential core dump on shutdown due to
 6488 			referencing fetch context after it's been freed.
 6489 			[RT #26720]
 6490 
 6491 	--- 9.9.0b2 released ---
 6492 
 6493 3220.	[bug]		Change #3186 was incomplete; dns_db_rpz_findips()
 6494 			could fail to set the database version correctly,
 6495 			causing an assertion failure. [RT #26180]
 6496 
 6497 3219.	[bug]		Disable NOEDNS caching following a timeout.
 6498 
 6499 3218.	[security]	Cache lookup could return RRSIG data associated with
 6500 			nonexistent records, leading to an assertion
 6501 			failure. [RT #26590]
 6502 
 6503 3217.	[cleanup]	Fix build problem with --disable-static. [RT #26476]
 6504 
 6505 3216.	[bug]		resolver.c:validated() was not thread-safe. [RT #26478]
 6506 
 6507 3215.	[bug]		'rndc recursing' could cause a core dump. [RT #26495]
 6508 
 6509 3214.	[func]		Add 'named -U' option to set the number of UDP
 6510 			listener threads per interface. [RT #26485]
 6511 
 6512 3213.	[doc]		Clarify ixfr-from-differences behavior. [RT #25188]
 6513 
 6514 3212.	[bug]		rbtdb.c: failed to remove a node from the deadnodes
 6515 			list prior to adding a reference to it leading a
 6516 			possible assertion failure. [RT #23219]
 6517 
 6518 3211.	[func]		dnssec-signzone: "-f -" prints to stdout; "-O full"
 6519 			option prints in single-line-per-record format.
 6520 			[RT #20287]
 6521 
 6522 3210.	[bug]		Canceling the oldest query due to recursive-client
 6523 			overload could trigger an assertion failure. [RT #26463]
 6524 
 6525 3209.	[func]		Add "dnssec-lookaside 'no'".  [RT #24858]
 6526 
 6527 3208.	[bug]		'dig -y' handle unknown tsig algorithm better.
 6528 			[RT #25522]
 6529 
 6530 3207.	[contrib]	Fixed build error in Berkeley DB DLZ module. [RT #26444]
 6531 
 6532 3206.	[cleanup]	Add ISC information to log at start time. [RT #25484]
 6533 
 6534 3205.	[func]		Upgrade dig's defaults to better reflect modern
 6535 			nameserver behavior.  Enable "dig +adflag" and
 6536 			"dig +edns=0" by default.  Enable "+dnssec" when
 6537 			running "dig +trace". [RT #23497]
 6538 
 6539 3204.	[bug]		When a master server that has been marked as
 6540 			unreachable sends a NOTIFY, mark it reachable
 6541 			again. [RT #25960]
 6542 
 6543 3203.	[bug]		Increase log level to 'info' for validation failures
 6544 			from expired or not-yet-valid RRSIGs. [RT #21796]
 6545 
 6546 3202.	[bug]		NOEDNS caching on timeout was too aggressive.
 6547 			[RT #26416]
 6548 
 6549 3201.	[func]		'rndc querylog' can now be given an on/off parameter
 6550 			instead of only being used as a toggle. [RT #18351]
 6551 
 6552 3200.	[doc]		Some rndc functions were undocumented or were
 6553 			missing from 'rndc -h' output. [RT #25555]
 6554 
 6555 3199.	[func]		When logging client information, include the name
 6556 			being queried. [RT #25944]
 6557 
 6558 3198.	[doc]		Clarified that dnssec-settime can alter keyfile
 6559 			permissions. [RT #24866]
 6560 
 6561 3197.	[bug]		Don't try to log the filename and line number when
 6562 			the config parser can't open a file. [RT #22263]
 6563 
 6564 3196.	[bug]		nsupdate: return nonzero exit code when target zone
 6565 			doesn't exist. [RT #25783]
 6566 
 6567 3195.	[cleanup]	Silence "file not found" warnings when loading
 6568 			managed-keys zone. [RT #26340]
 6569 
 6570 3194.	[doc]		Updated RFC references in the 'empty-zones-enable'
 6571 			documentation. [RT #25203]
 6572 
 6573 3193.	[cleanup]	Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
 6574 			dnssec.h. [RT #26415]
 6575 
 6576 3192.	[bug]		A query structure could be used after being freed.
 6577 			[RT #22208]
 6578 
 6579 3191.	[bug]		Print NULL records using "unknown" format. [RT #26392]
 6580 
 6581 3190.	[bug]		Underflow in error handling in isc_mutexblock_init.
 6582 			[RT #26397]
 6583 
 6584 3189.	[test]		Added a summary report after system tests. [RT #25517]
 6585 
 6586 3188.	[bug]		zone.c:zone_refreshkeys() could fail to detach
 6587 			references correctly when errors occurred, causing
 6588 			a hang on shutdown. [RT #26372]
 6589 
 6590 3187.	[port]		win32: support for Visual Studio 2008.  [RT #26356]
 6591 
 6592 	--- 9.9.0b1 released ---
 6593 
 6594 3186.	[bug]		Version/db mismatch in rpz code. [RT #26180]
 6595 
 6596 3185.	[func]		New 'rndc signing' option for auto-dnssec zones:
 6597 			 - 'rndc signing -list' displays the current
 6598 			   state of signing operations
 6599 			 - 'rndc signing -clear' clears the signing state
 6600 			   records for keys that have fully signed the zone
 6601 			 - 'rndc signing -nsec3param' sets the NSEC3
 6602 			   parameters for the zone
 6603 			The 'rndc keydone' syntax is removed. [RT #23729]
 6604 
 6605 3184.	[bug]		named had excessive cpu usage when a redirect zone was
 6606 			configured. [RT #26013]
 6607 
 6608 3183.	[bug]		Added RTLD_GLOBAL flag to dlopen call. [RT #26301]
 6609 
 6610 3182.	[bug]		Auth servers behind firewalls which block packets
 6611 			greater than 512 bytes may cause other servers to
 6612 			perform poorly. Now, adb retains edns information
 6613 			and caches noedns servers. [RT #23392/24964]
 6614 
 6615 3181.	[func]		Inline-signing is now supported for master zones.
 6616 			[RT #26224]
 6617 
 6618 3180.	[func]		Local copies of slave zones are now saved in raw
 6619 			format by default, to improve startup performance.
 6620 			'masterfile-format text;' can be used to override
 6621 			the default, if desired. [RT #25867]
 6622 
 6623 3179.	[port]		kfreebsd: build issues. [RT #26273]
 6624 
 6625 3178.	[bug]		A race condition introduced by change #3163 could
 6626 			cause an assertion failure on shutdown. [RT #26271]
 6627 
 6628 3177.	[func]		'rndc keydone', remove the indicator record that
 6629 			named has finished signing the zone with the
 6630 			corresponding key.  [RT #26206]
 6631 
 6632 3176.	[doc]		Corrected example code and added a README to the
 6633 			sample external DLZ module in contrib/dlz/example.
 6634 			[RT #26215]
 6635 
 6636 3175.	[bug]		Fix how DNSSEC positive wildcard responses from a
 6637 			NSEC3 signed zone are validated.  Stop sending a
 6638 			unnecessary NSEC3 record when generating such
 6639 			responses. [RT #26200]
 6640 
 6641 3174.	[bug]		Always compute to revoked key tag from scratch.
 6642 			[RT #26186]
 6643 
 6644 3173.	[port]		Correctly validate root DS responses. [RT #25726]
 6645 
 6646 3172.	[port]		darwin 10.* and freebsd [89] are now built threaded by
 6647 			default.
 6648 
 6649 3171.	[bug]		Exclusively lock the task when adding a zone using
 6650 			'rndc addzone'.  [RT #25600]
 6651 
 6652 	--- 9.9.0a3 released ---
 6653 
 6654 3170.	[func]		RPZ update:
 6655 			- fix precedence among competing rules
 6656 			- improve ARM text including documenting rule precedence
 6657 			- try to rewrite CNAME chains until first hit
 6658 			- new "rpz" logging channel
 6659 			- RDATA for CNAME rules can include wildcards
 6660 			- replace "NO-OP" named.conf policy override with
 6661 			  "PASSTHRU" and add "DISABLED" override ("NO-OP"
 6662 			  is still recognized)
 6663 			[RT #25172]
 6664 
 6665 3169.	[func]		Catch db/version mis-matches when calling dns_db_*().
 6666 			[RT #26017]
 6667 
 6668 3168.	[bug]		Nxdomain redirection could trigger an assert with
 6669 			a ANY query. [RT #26017]
 6670 
 6671 3167.	[bug]		Negative answers from forwarders were not being
 6672 			correctly tagged making them appear to not be cached.
 6673 			[RT #25380]
 6674 
 6675 3166.	[bug]		Upgrading a zone to support inline-signing failed.
 6676 			[RT #26014]
 6677 
 6678 3165.	[bug]		dnssec-signzone could generate new signatures when
 6679 			resigning, even when valid signatures were already
 6680 			present. [RT #26025]
 6681 
 6682 3164.	[func]		Enable DLZ modules to retrieve client information,
 6683 			so that responses can be changed depending on the
 6684 			source address of the query. [RT #25768]
 6685 
 6686 3163.	[bug]		Use finer-grained locking in client.c to address
 6687 			concurrency problems with large numbers of threads.
 6688 			[RT #26044]
 6689 
 6690 3162.	[test]		start.pl: modified to allow for "named.args" in
 6691 			ns*/ subdirectory to override stock arguments to
 6692 			named. Largely from RT #26044, but no separate ticket.
 6693 
 6694 3161.	[bug]		zone.c:del_sigs failed to always reset rdata leading
 6695 			assertion failures. [RT #25880]
 6696 
 6697 3160.	[bug]		When printing out a NSEC3 record in multiline form
 6698 			the newline was not being printed causing type codes
 6699 			to be run together. [RT #25873]
 6700 
 6701 3159.	[bug]		On some platforms, named could assert on startup
 6702 			when running in a chrooted environment without
 6703 			/proc. [RT #25863]
 6704 
 6705 3158.	[bug]		Recursive servers would prefer a particular UDP
 6706 			socket instead of using all available sockets.
 6707 			[RT #26038]
 6708 
 6709 3157.	[tuning]	Reduce the time spent in "rndc reconfig" by parsing
 6710 			the config file before pausing the server. [RT #21373]
 6711 
 6712 3156.	[placeholder]
 6713 
 6714 	--- 9.9.0a2 released ---
 6715 
 6716 3155.	[bug]		Fixed a build failure when using contrib DLZ
 6717 			drivers (e.g., mysql, postgresql, etc). [RT #25710]
 6718 
 6719 3154.	[bug]		Attempting to print an empty rdataset could trigger
 6720 			an assert. [RT #25452]
 6721 
 6722 3153.	[func]		Extend request-ixfr to zone level and remove the
 6723 			side effect of forcing an AXFR. [RT #25156]
 6724 
 6725 3152.	[cleanup]	Some versions of gcc and clang failed due to
 6726 			incorrect use of __builtin_expect. [RT #25183]
 6727 
 6728 3151.	[bug]		Queries for type RRSIG or SIG could be handled
 6729 			incorrectly.  [RT #21050]
 6730 
 6731 3150.	[func]		Improved startup and reconfiguration time by
 6732 			enabling zones to load in multiple threads. [RT #25333]
 6733 
 6734 3149.	[placeholder]
 6735 
 6736 3148.	[bug]		Processing of normal queries could be stalled when
 6737 			forwarding a UPDATE message. [RT #24711]
 6738 
 6739 3147.	[func]		Initial inline signing support.  [RT #23657]
 6740 
 6741 	--- 9.9.0a1 released ---
 6742 
 6743 3146.	[test]		Fixed gcc4.6.0 errors in ATF. [RT #25598]
 6744 
 6745 3145.	[test]		Capture output of ATF unit tests in "./atf.out" if
 6746 			there were any errors while running them. [RT #25527]
 6747 
 6748 3144.	[bug]		dns_dbiterator_seek() could trigger an assert when
 6749 			used with a nonexistent database node. [RT #25358]
 6750 
 6751 3143.	[bug]		Silence clang compiler warnings. [RT #25174]
 6752 
 6753 3142.	[bug]		NAPTR is class agnostic. [RT #25429]
 6754 
 6755 3141.	[bug]		Silence spurious "zone serial (0) unchanged" messages
 6756 			associated with empty zones. [RT #25079]
 6757 
 6758 3140.	[func]		New command "rndc flushtree <name>" clears the
 6759 			specified name from the server cache along with
 6760 			all names under it. [RT #19970]
 6761 
 6762 3139.	[test]		Added tests from RFC 6234, RFC 2202, and RFC 1321
 6763 			for the hashing algorithms (md5, sha1 - sha512, and
 6764 			their hmac counterparts).  [RT #25067]
 6765 
 6766 3138.	[bug]		Address memory leaks and out-of-order operations when
 6767 			shutting named down. [RT #25210]
 6768 
 6769 3137.	[func]		Improve hardware scalability by allowing multiple
 6770 			worker threads to process incoming UDP packets.
 6771 			This can significantly increase query throughput
 6772 			on some systems.  [RT #22992]
 6773 
 6774 3136.	[func]		Add RFC 1918 reverse zones to the list of built-in
 6775 			empty zones switched on by the 'empty-zones-enable'
 6776 			option. [RT #24990]
 6777 
 6778 3135.	[port]		FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
 6779 			See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
 6780 			[RT #24950]
 6781 
 6782 3134.	[bug]		Improve the accuracy of dnssec-signzone's signing
 6783 			statistics. [RT #16030]
 6784 
 6785 3133.	[bug]		Change #3114 was incomplete. [RT #24577]
 6786 
 6787 3132.	[placeholder]
 6788 
 6789 3131.	[tuning]	Improve scalability by allocating one zone task
 6790 			per 100 zones at startup time, rather than using a
 6791 			fixed-size task table. [RT #24406]
 6792 
 6793 3130.	[func]		Support alternate methods for managing a dynamic
 6794 			zone's serial number.  Two methods are currently
 6795 			defined using serial-update-method, "increment"
 6796 			(default) and "unixtime".  [RT #23849]
 6797 
 6798 3129.	[bug]		Named could crash on 'rndc reconfig' when
 6799 			allow-new-zones was set to yes and named ACLs
 6800 			were used. [RT #22739]
 6801 
 6802 3128.	[func]		Inserting an NSEC3PARAM via dynamic update in an
 6803 			auto-dnssec zone that has not been signed yet
 6804 			will cause it to be signed with the specified NSEC3
 6805 			parameters when keys are activated.  The
 6806 			NSEC3PARAM record will not appear in the zone until
 6807 			it is signed, but the parameters will be stored.
 6808 			[RT #23684]
 6809 
 6810 3127.	[bug]		'rndc thaw' will now remove a zone's journal file
 6811 			if the zone serial number has been changed and
 6812 			ixfr-from-differences is not in use.  [RT #24687]
 6813 
 6814 3126.	[security]	Using DNAME record to generate replacements caused
 6815 			RPZ to exit with a assertion failure. [RT #24766]
 6816 
 6817 3125.	[security]	Using wildcard CNAME records as a replacement with
 6818 			RPZ caused named to exit with a assertion failure.
 6819 			[RT #24715]
 6820 
 6821 3124.	[bug]		Use an rdataset attribute flag to indicate
 6822 			negative-cache records rather than using rrtype 0;
 6823 			this will prevent problems when that rrtype is
 6824 			used in actual DNS packets. [RT #24777]
 6825 
 6826 3123.	[security]	Change #2912 exposed a latent flaw in
 6827 			dns_rdataset_totext() that could cause named to
 6828 			crash with an assertion failure. [RT #24777]
 6829 
 6830 3122.	[cleanup]	dnssec-settime: corrected usage message. [RT #24664]
 6831 
 6832 3121.	[security]	An authoritative name server sending a negative
 6833 			response containing a very large RRset could
 6834 			trigger an off-by-one error in the ncache code
 6835 			and crash named. [RT #24650]
 6836 
 6837 3120.	[bug]		Named could fail to validate zones listed in a DLV
 6838 			that validated insecure without using DLV and had
 6839 			DS records in the parent zone. [RT #24631]
 6840 
 6841 3119.	[bug]		When rolling to a new DNSSEC key, a private-type
 6842 			record could be created and never marked complete.
 6843 			[RT #23253]
 6844 
 6845 3118.	[bug]		nsupdate could dump core on shutdown when using
 6846 			SIG(0) keys. [RT #24604]
 6847 
 6848 3117.	[cleanup]	Remove doc and parser references to the
 6849 			never-implemented 'auto-dnssec create' option.
 6850 			[RT #24533]
 6851 
 6852 3116.	[func]		New 'dnssec-update-mode' option controls updates
 6853 			of DNSSEC records in signed dynamic zones.  Set to
 6854 			'no-resign' to disable automatic RRSIG regeneration
 6855 			while retaining the ability to sign new or changed
 6856 			data. [RT #24533]
 6857 
 6858 3115.	[bug]		Named could fail to return requested data when
 6859 			following a CNAME that points into the same zone.
 6860 			[RT #24455]
 6861 
 6862 3114.	[bug]		Retain expired RRSIGs in dynamic zones if key is
 6863 			inactive and there is no replacement key. [RT #23136]
 6864 
 6865 3113.	[doc]		Document the relationship between serial-query-rate
 6866 			and NOTIFY messages.
 6867 
 6868 3112.	[doc]		Add missing descriptions of the update policy name
 6869 			types "ms-self", "ms-subdomain", "krb5-self" and
 6870 			"krb5-subdomain", which allow machines to update
 6871 			their own records, to the BIND 9 ARM.
 6872 
 6873 3111.	[bug]		Improved consistency checks for dnssec-enable and
 6874 			dnssec-validation, added test cases to the
 6875 			checkconf system test. [RT #24398]
 6876 
 6877 3110.	[bug]		dnssec-signzone: Wrong error message could appear
 6878 			when attempting to sign with no KSK. [RT #24369]
 6879 
 6880 3109.	[func]		The also-notify option now uses the same syntax
 6881 			as a zone's masters clause.  This means it is
 6882 			now possible to specify a TSIG key to use when
 6883 			sending notifies to a given server, or to include
 6884 			an explicit named masters list in an also-notify
 6885 			statement.  [RT #23508]
 6886 
 6887 3108.	[cleanup]	dnssec-signzone: Clarified some error and
 6888 			warning messages; removed #ifdef ALLOW_KSKLESS_ZONES
 6889 			code (use -P instead). [RT #20852]
 6890 
 6891 3107.	[bug]		dnssec-signzone: Report the correct number of ZSKs
 6892 			when using -x. [RT #20852]
 6893 
 6894 3106.	[func]		When logging client requests, include the name of
 6895 			the TSIG key if any. [RT #23619]
 6896 
 6897 3105.	[bug]		GOST support can be suppressed by "configure
 6898 			--without-gost" [RT #24367]
 6899 
 6900 3104.	[bug]		Better support for cross-compiling. [RT #24367]
 6901 
 6902 3103.	[bug]		Configuring 'dnssec-validation auto' in a view
 6903 			instead of in the options statement could trigger
 6904 			an assertion failure in named-checkconf. [RT #24382]
 6905 
 6906 3102.	[func]		New 'dnssec-loadkeys-interval' option configures
 6907 			how often, in minutes, to check the key repository
 6908 			for updates when using automatic key maintenance.
 6909 			Default is every 60 minutes (formerly hard-coded
 6910 			to 12 hours). [RT #23744]
 6911 
 6912 3101.	[bug]		Zones using automatic key maintenance could fail
 6913 			to check the key repository for updates. [RT #23744]
 6914 
 6915 3100.	[security]	Certain response policy zone configurations could
 6916 			trigger an INSIST when receiving a query of type
 6917 			RRSIG. [RT #24280]
 6918 
 6919 3099.	[test]		"dlz" system test now runs but gives R:SKIPPED if
 6920 			not compiled with --with-dlz-filesystem.  [RT #24146]
 6921 
 6922 3098.	[bug]		DLZ zones were answering without setting the AA bit.
 6923 			[RT #24146]
 6924 
 6925 3097.	[test]		Add a tool to test handling of malformed packets.
 6926 			[RT #24096]
 6927 
 6928 3096.	[bug]		Set KRB5_KTNAME before calling log_cred() in
 6929 			dst_gssapi_acceptctx(). [RT #24004]
 6930 
 6931 3095.	[bug]		Handle isolated reserved ports in the port range.
 6932 			[RT #23957]
 6933 
 6934 3094.	[doc]		Expand dns64 documentation.
 6935 
 6936 3093.	[bug]		Fix gssapi/kerberos dependencies [RT #23836]
 6937 
 6938 3092.	[bug]		Signatures for records at the zone apex could go
 6939 			stale due to an incorrect timer setting. [RT #23769]
 6940 
 6941 3091.	[bug]		Fixed a bug in which zone keys that were published
 6942 			and then subsequently activated could fail to trigger
 6943 			automatic signing. [RT #22911]
 6944 
 6945 3090.	[func]		Make --with-gssapi default [RT #23738]
 6946 
 6947 3089.	[func]		dnssec-dsfromkey now supports reading keys from
 6948 			standard input "dnssec-dsfromkey -f -". [RT #20662]
 6949 
 6950 3088.	[bug]		Remove bin/tests/system/logfileconfig/ns1/named.conf
 6951 			and add setup.sh in order to resolve changing
 6952 			named.conf issue.  [RT #23687]
 6953 
 6954 3087.	[bug]		DDNS updates using SIG(0) with update-policy match
 6955 			type "external" could cause a crash. [RT #23735]
 6956 
 6957 3086.	[bug]		Running dnssec-settime -f on an old-style key will
 6958 			now force an update to the new key format even if no
 6959 			other change has been specified, using "-P now -A now"
 6960 			as default values.  [RT #22474]
 6961 
 6962 3085.	[func]		New '-R' option in dnssec-signzone forces removal
 6963 			of signatures which have not yet expired but
 6964 			were generated by a key that no longer exists.
 6965 			[RT #22471]
 6966 
 6967 3084.	[func]		A new command "rndc sync" dumps pending changes in
 6968 			a dynamic zone to disk; "rndc sync -clean" also
 6969 			removes the journal file after syncing.  Also,
 6970 			"rndc freeze" no longer removes journal files.
 6971 			[RT #22473]
 6972 
 6973 3083.	[bug]		NOTIFY messages were not being sent when generating
 6974 			a NSEC3 chain incrementally. [RT #23702]
 6975 
 6976 3082.	[port]		strtok_r is threads only. [RT #23747]
 6977 
 6978 3081.	[bug]		Failure of DNAME substitution did not return
 6979 			YXDOMAIN. [RT #23591]
 6980 
 6981 3080.	[cleanup]	Replaced compile time constant by STDTIME_ON_32BITS.
 6982 			[RT #23587]
 6983 
 6984 3079.	[bug]		Handle isc_event_allocate failures in t_tasks.
 6985 			[RT #23572]
 6986 
 6987 3078.	[func]		Added a new include file with function typedefs
 6988 			for the DLZ "dlopen" driver. [RT #23629]
 6989 
 6990 3077.	[bug]		zone.c:zone_refreshkeys() incorrectly called
 6991 			dns_zone_attach(), use zone->irefs instead. [RT #23303]
 6992 
 6993 3076.	[func]		New '-L' option in dnssec-keygen, dnsset-settime, and
 6994 			dnssec-keyfromlabel sets the default TTL of the
 6995 			key.  When possible, automatic signing will use that
 6996 			TTL when the key is published.  [RT #23304]
 6997 
 6998 3075.	[bug]		dns_dnssec_findzonekeys{2} used a inconsistent
 6999 			timestamp when determining which keys are active.
 7000 			[RT #23642]
 7001 
 7002 3074.	[bug]		Make the adb cache read through for zone data and
 7003 			glue learn for zone named is authoritative for.
 7004 			[RT #22842]
 7005 
 7006 3073.	[bug]		managed-keys changes were not properly being recorded.
 7007 			[RT #20256]
 7008 
 7009 3072.	[bug]		dns_dns64_aaaaok() potential NULL pointer dereference.
 7010 			[RT #20256]
 7011 
 7012 3071.	[bug]		has_nsec could be used uninitialized in
 7013 			update.c:next_active. [RT #20256]
 7014 
 7015 3070.	[bug]		dnssec-signzone potential NULL pointer dereference.
 7016 			[RT #20256]
 7017 
 7018 3069.	[cleanup]	Silence warnings messages from clang static analysis.
 7019 			[RT #20256]
 7020 
 7021 3068.	[bug]		Named failed to build with a OpenSSL without engine
 7022 			support. [RT #23473]
 7023 
 7024 3067.	[bug]		ixfr-from-differences {master|slave}; failed to
 7025 			select the master/slave zones.  [RT #23580]
 7026 
 7027 3066.	[func]		The DLZ "dlopen" driver is now built by default,
 7028 			no longer requiring a configure option.  To
 7029 			disable it, use "configure --without-dlopen".
 7030 			Driver also supported on win32.  [RT #23467]
 7031 
 7032 3065.	[bug]		RRSIG could have time stamps too far in the future.
 7033 			[RT #23356]
 7034 
 7035 3064.	[bug]		powerpc: add sync instructions to the end of atomic
 7036 			operations. [RT #23469]
 7037 
 7038 3063.	[contrib]	More verbose error reporting from DLZ LDAP. [RT #23402]
 7039 
 7040 3062.	[func]		Made several changes to enhance human readability
 7041 			of DNSSEC data in dig output and in generated
 7042 			zone files:
 7043 			 - DNSKEY record comments are more verbose, no
 7044 			   longer used in multiline mode only
 7045 			 - multiline RRSIG records reformatted
 7046 			 - multiline output mode for NSEC3PARAM records
 7047 			 - "dig +norrcomments" suppresses DNSKEY comments
 7048 			 - "dig +split=X" breaks hex/base64 records into
 7049 			   fields of width X; "dig +nosplit" disables this.
 7050 			[RT #22820]
 7051 
 7052 3061.	[func]		New option "dnssec-signzone -D", only write out
 7053 			generated DNSSEC records. [RT #22896]
 7054 
 7055 3060.	[func]		New option "dnssec-signzone -X <date>" allows
 7056 			specification of a separate expiration date
 7057 			for DNSKEY RRSIGs and other RRSIGs. [RT #22141]
 7058 
 7059 3059.	[test]		Added a regression test for change #3023.
 7060 
 7061 3058.	[bug]		Cause named to terminate at startup or rndc reconfig/
 7062 			reload to fail, if a log file specified in the conf
 7063 			file isn't a plain file. [RT #22771]
 7064 
 7065 3057.	[bug]		"rndc secroots" would abort after the first error
 7066 			and so could miss some views. [RT #23488]
 7067 
 7068 3056.	[func]		Added support for URI resource record. [RT #23386]
 7069 
 7070 3055.	[placeholder]
 7071 
 7072 3054.	[bug]		Added elliptic curve support check in
 7073 			GOST OpenSSL engine detection. [RT #23485]
 7074 
 7075 3053.	[bug]		Under a sustained high query load with a finite
 7076 			max-cache-size, it was possible for cache memory
 7077 			to be exhausted and not recovered. [RT #23371]
 7078 
 7079 3052.	[test]		Fixed last autosign test report. [RT #23256]
 7080 
 7081 3051.	[bug]		NS records obscure DNAME records at the bottom of the
 7082 			zone if both are present. [RT #23035]
 7083 
 7084 3050.	[bug]		The autosign system test was timing dependent.
 7085 			Wait for the initial autosigning to complete
 7086 			before running the rest of the test. [RT #23035]
 7087 
 7088 3049.	[bug]		Save and restore the gid when creating creating
 7089 			named.pid at startup. [RT #23290]
 7090 
 7091 3048.	[bug]		Fully separate view key management. [RT #23419]
 7092 
 7093 3047.	[bug]		DNSKEY NODATA responses not cached fixed in
 7094 			validator.c. Tests added to dnssec system test.
 7095 			[RT #22908]
 7096 
 7097 3046.	[bug]		Use RRSIG original TTL to compute validated RRset
 7098 			and RRSIG TTL. [RT #23332]
 7099 
 7100 3045.	[removed]	Replaced by change #3050.
 7101 
 7102 3044.	[bug]		Hold the socket manager lock while freeing the socket.
 7103 			[RT #23333]
 7104 
 7105 3043.	[test]		Merged in the NetBSD ATF test framework (currently
 7106 			version 0.12) for development of future unit tests.
 7107 			Use configure --with-atf to build ATF internally
 7108 			or configure --with-atf=prefix to use an external
 7109 			copy.  [RT #23209]
 7110 
 7111 3042.	[bug]		dig +trace could fail attempting to use IPv6
 7112 			addresses on systems with only IPv4 connectivity.
 7113 			[RT #23297]
 7114 
 7115 3041.	[bug]		dnssec-signzone failed to generate new signatures on
 7116 			ttl changes. [RT #23330]
 7117 
 7118 3040.	[bug]		Named failed to validate insecure zones where a node
 7119 			with a CNAME existed between the trust anchor and the
 7120 			top of the zone. [RT #23338]
 7121 
 7122 3039.	[func]		Redirect on NXDOMAIN support. [RT #23146]
 7123 
 7124 3038.	[bug]		Install <dns/rpz.h>.  [RT #23342]
 7125 
 7126 3037.	[doc]		Update COPYRIGHT to contain all the individual
 7127 			copyright notices that cover various parts.
 7128 
 7129 3036.	[bug]		Check built-in zone arguments to see if the zone
 7130 			is re-usable or not. [RT #21914]
 7131 
 7132 3035.	[cleanup]	Simplify by using strlcpy. [RT #22521]
 7133 
 7134 3034.	[cleanup]	nslookup: use strlcpy instead of safecopy. [RT #22521]
 7135 
 7136 3033.	[cleanup]	Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).
 7137 			[RT #22521]
 7138 
 7139 3032.	[bug]		rdatalist.c: add missing REQUIREs. [RT #22521]
 7140 
 7141 3031.	[bug]		dns_rdataclass_format() handle a zero sized buffer.
 7142 			[RT #22521]
 7143 
 7144 3030.	[bug]		dns_rdatatype_format() handle a zero sized buffer.
 7145 			[RT #22521]
 7146 
 7147 3029.	[bug]		isc_netaddr_format() handle a zero sized buffer.
 7148 			[RT #22521]
 7149 
 7150 3028.	[bug]		isc_sockaddr_format() handle a zero sized buffer.
 7151 			[RT #22521]
 7152 
 7153 3027.	[bug]		Add documented REQUIREs to cfg_obj_asnetprefix() to
 7154 			catch NULL pointer dereferences before they happen.
 7155 			[RT #22521]
 7156 
 7157 3026.	[bug]		lib/isc/httpd.c: check that we have enough space
 7158 			after calling grow_headerspace() and if not
 7159 			re-call grow_headerspace() until we do. [RT #22521]
 7160 
 7161 3025.	[bug]		Fixed a possible deadlock due to zone resigning.
 7162 			[RT #22964]
 7163 
 7164 3024.	[func]		RTT Banding removed due to minor security increase
 7165 			but major impact on resolver latency. [RT #23310]
 7166 
 7167 3023.	[bug]		Named could be left in an inconsistent state when
 7168 			receiving multiple AXFR response messages that were
 7169 			not all TSIG-signed. [RT #23254]
 7170 
 7171 3022.	[bug]		Fixed rpz SERVFAILs after failed zone transfers
 7172 			[RT #23246]
 7173 
 7174 3021.	[bug]		Change #3010 was incomplete. [RT #22296]
 7175 
 7176 3020.	[bug]		auto-dnssec failed to correctly update the zone when
 7177 			changing the DNSKEY RRset. [RT #23232]
 7178 
 7179 3019.	[test]		Test: check apex NSEC3 records after adding DNSKEY
 7180 			record via UPDATE. [RT #23229]
 7181 
 7182 3018.	[bug]		Named failed to check for the "none;" acl when deciding
 7183 			if a zone may need to be re-signed. [RT #23120]
 7184 
 7185 3017.	[doc]		dnssec-keyfromlabel -I was not properly documented.
 7186 			[RT #22887]
 7187 
 7188 3016.	[bug]		rndc usage missing '-b'. [RT #22937]
 7189 
 7190 3015.	[port]		win32: fix IN6_IS_ADDR_LINKLOCAL and
 7191 			IN6_IS_ADDR_SITELOCAL macros. [RT #22724]
 7192 
 7193 3014.	[placeholder]
 7194 
 7195 3013.	[bug]		The DNS64 ttl was not always being set as expected.
 7196 			[RT #23034]
 7197 
 7198 3012.	[bug]		Remove DNSKEY TTL change pairs before generating
 7199 			signing records for any remaining DNSKEY changes.
 7200 			[RT #22590]
 7201 
 7202 3011.	[func]		Change the default query timeout from 30 seconds
 7203 			to 10.  Allow setting this in named.conf using the new
 7204 			'resolver-query-timeout' option, which specifies a max
 7205 			time in seconds.  0 means 'default' and anything longer
 7206 			than 30 will be silently set to 30. [RT #22852]
 7207 
 7208 3010.	[bug]		Fixed a bug where "rndc reconfig" stopped the timer
 7209 			for refreshing managed-keys. [RT #22296]
 7210 
 7211 3009.	[bug]		clients-per-query code didn't work as expected with
 7212 			particular query patterns. [RT #22972]
 7213 
 7214 	--- 9.8.0b1 released ---
 7215 
 7216 3008.	[func]		Response policy zones (RPZ) support. [RT #21726]
 7217 
 7218 3007.	[bug]		Named failed to preserve the case of domain names in
 7219 			rdata which is not compressible when writing master
 7220 			files.  [RT #22863]
 7221 
 7222 3006.	[func]		Allow dynamically generated TSIG keys to be preserved
 7223 			across restarts of named.  Initially this is for
 7224 			TSIG keys generated using GSSAPI. [RT #22639]
 7225 
 7226 3005.	[port]		Solaris: Work around the lack of
 7227 			gsskrb5_register_acceptor_identity() by setting
 7228 			the KRB5_KTNAME environment variable to the
 7229 			contents of tkey-gssapi-keytab.  Also fixed
 7230 			test errors on MacOSX.  [RT #22853]
 7231 
 7232 3004.	[func]		DNS64 reverse support. [RT #22769]
 7233 
 7234 3003.	[experimental]	Added update-policy match type "external",
 7235 			enabling named to defer the decision of whether to
 7236 			allow a dynamic update to an external daemon.
 7237 			(Contributed by Andrew Tridgell.) [RT #22758]
 7238 
 7239 3002.	[bug]		isc_mutex_init_errcheck() failed to destroy attr.
 7240 			[RT #22766]
 7241 
 7242 3001.	[func]		Added a default trust anchor for the root zone, which
 7243 			can be switched on by setting "dnssec-validation auto;"
 7244 			in the named.conf options. [RT #21727]
 7245 
 7246 3000.	[bug]		More TKEY/GSS fixes:
 7247 			 - nsupdate can now get the default realm from
 7248 			   the user's Kerberos principal
 7249 			 - corrected gsstest compilation flags
 7250 			 - improved documentation
 7251 			 - fixed some NULL dereferences
 7252 			[RT #22795]
 7253 
 7254 2999.	[func]		Add GOST support (RFC 5933). [RT #20639]
 7255 
 7256 2998.	[func]		Add isc_task_beginexclusive and isc_task_endexclusive
 7257 			to the task api. [RT #22776]
 7258 
 7259 2997.	[func]		named -V now reports the OpenSSL and libxml2 versions
 7260 			it was compiled against. [RT #22687]
 7261 
 7262 2996.	[security]	Temporarily disable SO_ACCEPTFILTER support.
 7263 			[RT #22589]
 7264 
 7265 2995.	[bug]		The Kerberos realm was not being correctly extracted
 7266 			from the signer's identity. [RT #22770]
 7267 
 7268 2994.	[port]		NetBSD: use pthreads by default on NetBSD >= 5.0, and
 7269 			do not use threads on earlier versions.  Also kill
 7270 			the unproven-pthreads, mit-pthreads, and ptl2 support.
 7271 
 7272 2993.	[func]		Dynamically grow adb hash tables. [RT #21186]
 7273 
 7274 2992.	[contrib]	contrib/check-secure-delegation.pl:  A simple tool
 7275 			for looking at a secure delegation. [RT #22059]
 7276 
 7277 2991.	[contrib]	contrib/zone-edit.sh: A simple zone editing tool for
 7278 			dynamic zones. [RT #22365]
 7279 
 7280 2990.	[bug]		'dnssec-settime -S' no longer tests prepublication
 7281 			interval validity when the interval is set to 0.
 7282 			[RT #22761]
 7283 
 7284 2989.	[func]		Added support for writable DLZ zones. (Contributed
 7285 			by Andrew Tridgell of the Samba project.) [RT #22629]
 7286 
 7287 2988.	[experimental]	Added a "dlopen" DLZ driver, allowing the creation
 7288 			of external DLZ drivers that can be loaded as
 7289 			shared objects at runtime rather than linked with
 7290 			named.  Currently this is switched on via a
 7291 			compile-time option, "configure --with-dlz-dlopen".
 7292 			Note: the syntax for configuring DLZ zones
 7293 			is likely to be refined in future releases.
 7294 			(Contributed by Andrew Tridgell of the Samba
 7295 			project.) [RT #22629]
 7296 
 7297 2987.	[func]		Improve ease of configuring TKEY/GSS updates by
 7298 			adding a "tkey-gssapi-keytab" option.  If set,
 7299 			updates will be allowed with any key matching
 7300 			a principal in the specified keytab file.
 7301 			"tkey-gssapi-credential" is no longer required
 7302 			and is expected to be deprecated.  (Contributed
 7303 			by Andrew Tridgell of the Samba project.)
 7304 			[RT #22629]
 7305 
 7306 2986.	[func]		Add new zone type "static-stub".  It's like a stub
 7307 			zone, but the nameserver names and/or their IP
 7308 			addresses are statically configured. [RT #21474]
 7309 
 7310 2985.	[bug]		Add a regression test for change #2896. [RT #21324]
 7311 
 7312 2984.	[bug]		Don't run MX checks when the target of the MX record
 7313 			is ".".  [RT #22645]
 7314 
 7315 2983.	[bug]		Include "loadkeys" in rndc help output. [RT #22493]
 7316 
 7317 	--- 9.8.0a1 released ---
 7318 
 7319 2982.	[bug]		Reference count dst keys.  dst_key_attach() can be used
 7320 			increment the reference count.
 7321 
 7322 			Note: dns_tsigkey_createfromkey() callers should now
 7323 			always call dst_key_free() rather than setting it
 7324 			to NULL on success. [RT #22672]
 7325 
 7326 2981.	[func]		Partial DNS64 support (AAAA synthesis). [RT #21991]
 7327 
 7328 2980.	[bug]		named didn't properly handle UPDATES that changed the
 7329 			TTL of the NSEC3PARAM RRset. [RT #22363]
 7330 
 7331 2979.	[bug]		named could deadlock during shutdown if two
 7332 			"rndc stop" commands were issued at the same
 7333 			time. [RT #22108]
 7334 
 7335 2978.	[port]		hpux: look for <devpoll.h> [RT #21919]
 7336 
 7337 2977.	[bug]		'nsupdate -l' report if the session key is missing.
 7338 			[RT #21670]
 7339 
 7340 2976.	[bug]		named could die on exit after negotiating a GSS-TSIG
 7341 			key. [RT #22573]
 7342 
 7343 2975.	[bug]		rbtdb.c:cleanup_dead_nodes_callback() acquired the
 7344 			wrong lock which could lead to server deadlock.
 7345 			[RT #22614]
 7346 
 7347 2974.	[bug]		Some valid UPDATE requests could fail due to a
 7348 			consistency check examining the existing version
 7349 			of the zone rather than the new version resulting
 7350 			from the UPDATE. [RT #22413]
 7351 
 7352 2973.	[bug]		bind.keys.h was being removed by the "make clean"
 7353 			at the end of configure resulting in build failures
 7354 			where there is very old version of perl installed.
 7355 			Move it to "make maintainer-clean". [RT #22230]
 7356 
 7357 2972.	[bug]		win32: address windows socket errors. [RT #21906]
 7358 
 7359 2971.	[bug]		Fixed a bug that caused journal files not to be
 7360 			compacted on Windows systems as a result of
 7361 			non-POSIX-compliant rename() semantics. [RT #22434]
 7362 
 7363 2970.	[security]	Adding a NO DATA negative cache entry failed to clear
 7364 			any matching RRSIG records.  A subsequent lookup of
 7365 			of NO DATA cache entry could trigger a INSIST when the
 7366 			unexpected RRSIG was also returned with the NO DATA
 7367 			cache entry.
 7368 
 7369 			CVE-2010-3613, VU#706148. [RT #22288]
 7370 
 7371 2969.	[security]	Fix acl type processing so that allow-query works
 7372 			in options and view statements.  Also add a new
 7373 			set of tests to verify proper functioning.
 7374 
 7375 			CVE-2010-3615, VU#510208. [RT #22418]
 7376 
 7377 2968.	[security]	Named could fail to prove a data set was insecure
 7378 			before marking it as insecure.  One set of conditions
 7379 			that can trigger this occurs naturally when rolling
 7380 			DNSKEY algorithms.
 7381 
 7382 			CVE-2010-3614, VU#837744. [RT #22309]
 7383 
 7384 2967.	[bug]		'host -D' now turns on debugging messages earlier.
 7385 			[RT #22361]
 7386 
 7387 2966.	[bug]		isc_print_vsnprintf() failed to check if there was
 7388 			space available in the buffer when adding a left
 7389 			justified character with a non zero width,
 7390 			(e.g. "%-1c"). [RT #22270]
 7391 
 7392 2965.	[func]		Test HMAC functions using test data from RFC 2104 and
 7393 			RFC 4634. [RT #21702]
 7394 
 7395 2964.	[placeholder]
 7396 
 7397 2963.	[security]	The allow-query acl was being applied instead of the
 7398 			allow-query-cache acl to cache lookups. [RT #22114]
 7399 
 7400 2962.	[port]		win32: add more dependencies to BINDBuild.dsw.
 7401 			[RT #22062]
 7402 
 7403 2961.	[bug]		Be still more selective about the non-authoritative
 7404 			answers we apply change 2748 to. [RT #22074]
 7405 
 7406 2960.	[func]		Check that named accepts non-authoritative answers.
 7407 			[RT #21594]
 7408 
 7409 2959.	[func]		Check that named starts with a missing masterfile.
 7410 			[RT #22076]
 7411 
 7412 2958.	[bug]		named failed to start with a missing master file.
 7413 			[RT #22076]
 7414 
 7415 2957.	[bug]		entropy_get() and entropy_getpseudo() failed to match
 7416 			the API for RAND_bytes() and RAND_pseudo_bytes()
 7417 			respectively. [RT #21962]
 7418 
 7419 2956.	[port]		Enable atomic operations on the PowerPC64. [RT #21899]
 7420 
 7421 2955.	[func]		Provide more detail in the recursing log. [RT #22043]
 7422 
 7423 2954.	[bug]		contrib: dlz_mysql_driver.c bad error handling on
 7424 			build_sqldbinstance failure. [RT #21623]
 7425 
 7426 2953.	[bug]		Silence spurious "expected covering NSEC3, got an
 7427 			exact match" message when returning a wildcard
 7428 			no data response. [RT #21744]
 7429 
 7430 2952.	[port]		win32: named-checkzone and named-checkconf failed
 7431 			to initialize winsock. [RT #21932]
 7432 
 7433 2951.	[bug]		named failed to generate a correct signed response
 7434 			in a optout, delegation only zone with no secure
 7435 			delegations. [RT #22007]
 7436 
 7437 2950.	[bug]		named failed to perform a SOA up to date check when
 7438 			falling back to TCP on UDP timeouts when
 7439 			ixfr-from-differences was set. [RT #21595]
 7440 
 7441 2949.	[bug]		dns_view_setnewzones() contained a memory leak if
 7442 			it was called multiple times. [RT #21942]
 7443 
 7444 2948.	[port]		MacOS: provide a mechanism to configure the test
 7445 			interfaces at reboot. See bin/tests/system/README
 7446 			for details.
 7447 
 7448 2947.	[placeholder]
 7449 
 7450 2946.	[doc]		Document the default values for the minimum and maximum
 7451 			zone refresh and retry values in the ARM. [RT #21886]
 7452 
 7453 2945.	[doc]		Update empty-zones list in ARM. [RT #21772]
 7454 
 7455 2944.	[maint]		Remove ORCHID prefix from built in empty zones.
 7456 			[RT #21772]
 7457 
 7458 2943.	[func]		Add support to load new keys into managed zones
 7459 			without signing immediately with "rndc loadkeys".
 7460 			Add support to link keys with "dnssec-keygen -S"
 7461 			and "dnssec-settime -S".  [RT #21351]
 7462 
 7463 2942.	[contrib]	zone2sqlite failed to setup the entropy sources.
 7464 			[RT #21610]
 7465 
 7466 2941.	[bug]		sdb and sdlz (dlz's zone database) failed to support
 7467 			DNAME at the zone apex.  [RT #21610]
 7468 
 7469 2940.	[port]		Remove connection aborted error message on
 7470 			Windows. [RT #21549]
 7471 
 7472 2939.	[func]		Check that named successfully skips NSEC3 records
 7473 			that fail to match the NSEC3PARAM record currently
 7474 			in use. [RT #21868]
 7475 
 7476 2938.	[bug]		When generating signed responses, from a signed zone
 7477 			that uses NSEC3, named would use a uninitialized
 7478 			pointer if it needed to skip a NSEC3 record because
 7479 			it didn't match the selected NSEC3PARAM record for
 7480 			zone. [RT #21868]
 7481 
 7482 2937.	[bug]		Worked around an apparent race condition in over
 7483 			memory conditions.  Without this fix a DNS cache DB or
 7484 			ADB could incorrectly stay in an over memory state,
 7485 			effectively refusing further caching, which
 7486 			subsequently made a BIND 9 caching server unworkable.
 7487 			This fix prevents this problem from happening by
 7488 			polling the state of the memory context, rather than
 7489 			making a copy of the state, which appeared to cause
 7490 			a race.  This is a "workaround" in that it doesn't
 7491 			solve the possible race per se, but several experiments
 7492 			proved this change solves the symptom.  Also, the
 7493 			polling overhead hasn't been reported to be an issue.
 7494 			This bug should only affect a caching server that
 7495 			specifies a finite max-cache-size.  It's also quite
 7496 			likely that the bug happens only when enabling threads,
 7497 			but it's not confirmed yet. [RT #21818]
 7498 
 7499 2936.	[func]		Improved configuration syntax and multiple-view
 7500 			support for addzone/delzone feature (see change
 7501 			#2930).  Removed "new-zone-file" option, replaced
 7502 			with "allow-new-zones (yes|no)".  The new-zone-file
 7503 			for each view is now created automatically, with
 7504 			a filename generated from a hash of the view name.
 7505 			It is no longer necessary to "include" the
 7506 			new-zone-file in named.conf; this happens
 7507 			automatically.  Zones that were not added via
 7508 			"rndc addzone" can no longer be removed with
 7509 			"rndc delzone". [RT #19447]
 7510 
 7511 2935.	[bug]		nsupdate: improve 'file not found' error message.
 7512 			[RT #21871]
 7513 
 7514 2934.	[bug]		Use ANSI C compliant shift range in lib/isc/entropy.c.
 7515 			[RT #21871]
 7516 
 7517 2933.	[bug]		'dig +nsid' used stack memory after it went out of
 7518 			scope.  This could potentially result in a unknown,
 7519 			potentially malformed, EDNS option being sent instead
 7520 			of the desired NSID option. [RT #21781]
 7521 
 7522 2932.	[cleanup]	Corrected a numbering error in the "dnssec" test.
 7523 			[RT #21597]
 7524 
 7525 2931.	[bug]		Temporarily and partially disable change 2864
 7526 			because it would cause infinite attempts of RRSIG
 7527 			queries.  This is an urgent care fix; we'll
 7528 			revisit the issue and complete the fix later.
 7529 			[RT #21710]
 7530 
 7531 2930.	[experimental]	New "rndc addzone" and "rndc delzone" commands
 7532 			allow dynamic addition and deletion of zones.
 7533 			To enable this feature, specify a "new-zone-file"
 7534 			option at the view or options level in named.conf.
 7535 			Zone configuration information for the new zones
 7536 			will be written into that file.  To make the new
 7537 			zones persist after a restart, "include" the file
 7538 			into named.conf in the appropriate view.  (Note:
 7539 			This feature is not yet documented, and its syntax
 7540 			is expected to change.) [RT #19447]
 7541 
 7542 2929.	[bug]		Improved handling of GSS security contexts:
 7543 			 - added LRU expiration for generated TSIGs
 7544 			 - added the ability to use a non-default realm
 7545 			 - added new "realm" keyword in nsupdate
 7546 			 - limited lifetime of generated keys to 1 hour
 7547 			   or the lifetime of the context (whichever is
 7548 			   smaller)
 7549 			[RT #19737]
 7550 
 7551 2928.	[bug]		Be more selective about the non-authoritative
 7552 			answer we apply change 2748 to. [RT #21594]
 7553 
 7554 2927.	[placeholder]
 7555 
 7556 2926.	[placeholder]
 7557 
 7558 2925.	[bug]		Named failed to accept uncachable negative responses
 7559 			from insecure zones. [RT #21555]
 7560 
 7561 2924.	[func]		'rndc  secroots'  dump a combined summary of the
 7562 			current managed keys combined with trusted keys.
 7563 			[RT #20904]
 7564 
 7565 2923.	[bug]		'dig +trace' could drop core after "connection
 7566 			timeout". [RT #21514]
 7567 
 7568 2922.	[contrib]	Update zkt to version 1.0.
 7569 
 7570 2921.	[bug]		The resolver could attempt to destroy a fetch context
 7571 			too soon.  [RT #19878]
 7572 
 7573 2920.	[func]		Allow 'filter-aaaa-on-v4' to be applied selectively
 7574 			to IPv4 clients.  New acl 'filter-aaaa' (default any).
 7575 
 7576 2919.	[func]		Add autosign-ksk and autosign-zsk virtual time tests.
 7577 			[RT #20840]
 7578 
 7579 2918.	[maint]		Add AAAA address for I.ROOT-SERVERS.NET.
 7580 
 7581 2917.	[func]		Virtual time test framework. [RT #20801]
 7582 
 7583 2916.	[func]		Add framework to use IPv6 in tests.
 7584 			fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7
 7585 
 7586 2915.	[cleanup]	Be smarter about which objects we attempt to compile
 7587 			based on configure options. [RT #21444]
 7588 
 7589 2914.	[bug]		Make the "autosign" system test more portable.
 7590 			[RT #20997]
 7591 
 7592 2913.	[func]		Add pkcs#11 system tests. [RT #20784]
 7593 
 7594 2912.	[func]		Windows clients don't like UPDATE responses that clear
 7595 			the zone section. [RT #20986]
 7596 
 7597 2911.	[bug]		dnssec-signzone didn't handle out of zone records well.
 7598 			[RT #21367]
 7599 
 7600 2910.	[func]		Sanity check Kerberos credentials. [RT #20986]
 7601 
 7602 2909.	[bug]		named-checkconf -p could die if "update-policy local;"
 7603 			was specified in named.conf. [RT #21416]
 7604 
 7605 2908.	[bug]		It was possible for re-signing to stop after removing
 7606 			a DNSKEY. [RT #21384]
 7607 
 7608 2907.	[bug]		The export version of libdns had undefined references.
 7609 			[RT #21444]
 7610 
 7611 2906.	[bug]		Address RFC 5011 implementation issues. [RT #20903]
 7612 
 7613 2905.	[port]		aix: set use_atomic=yes with native compiler.
 7614 			[RT #21402]
 7615 
 7616 2904.	[bug]		When using DLV, sub-zones of the zones in the DLV,
 7617 			could be incorrectly marked as insecure instead of
 7618 			secure leading to negative proofs failing.  This was
 7619 			a unintended outcome from change 2890. [RT #21392]
 7620 
 7621 2903.	[bug]		managed-keys-directory missing from namedconf.c.
 7622 			[RT #21370]
 7623 
 7624 2902.	[func]		Add regression test for change 2897. [RT #21040]
 7625 
 7626 2901.	[port]		Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]
 7627 
 7628 2900.	[bug]		The placeholder negative caching element was not
 7629 			properly constructed triggering a INSIST in
 7630 			dns_ncache_towire(). [RT #21346]
 7631 
 7632 2899.	[port]		win32: Support linking against OpenSSL 1.0.0.
 7633 
 7634 2898.	[bug]		nslookup leaked memory when -domain=value was
 7635 			specified. [RT #21301]
 7636 
 7637 2897.	[bug]		NSEC3 chains could be left behind when transitioning
 7638 			to insecure. [RT #21040]
 7639 
 7640 2896.	[bug]		"rndc sign" failed to properly update the zone
 7641 			when adding a DNSKEY for publication only. [RT #21045]
 7642 
 7643 2895.	[func]		genrandom: add support for the generation of multiple
 7644 			files.  [RT #20917]
 7645 
 7646 2894.	[contrib]	DLZ LDAP support now use '$' not '%'. [RT #21294]
 7647 
 7648 2893.	[bug]		Improve managed keys support.  New named.conf option
 7649 			managed-keys-directory. [RT #20924]
 7650 
 7651 2892.	[bug]		Handle REVOKED keys better. [RT #20961]
 7652 
 7653 2891.	[maint]		Update empty-zones list to match
 7654 			draft-ietf-dnsop-default-local-zones-13. [RT #21099]
 7655 
 7656 2890.	[bug]		Handle the introduction of new trusted-keys and
 7657 			DS, DLV RRsets better. [RT #21097]
 7658 
 7659 2889.	[bug]		Elements of the grammar where not properly reported.
 7660 			[RT #21046]
 7661 
 7662 2888.	[bug]		Only the first EDNS option was displayed. [RT #21273]
 7663 
 7664 2887.	[bug]		Report the keytag times in UTC in the .key file,
 7665 			local time is presented as a comment within the
 7666 			comment.  [RT #21223]
 7667 
 7668 2886.	[bug]		ctime() is not thread safe. [RT #21223]
 7669 
 7670 2885.	[bug]		Improve -fno-strict-aliasing support probing in
 7671 			configure. [RT #21080]
 7672 
 7673 2884.	[bug]		Insufficient validation in dns_name_getlabelsequence().
 7674 			[RT #21283]
 7675 
 7676 2883.	[bug]		'dig +short' failed to handle really large datasets.
 7677 			[RT #21113]
 7678 
 7679 2882.	[bug]		Remove memory context from list of active contexts
 7680 			before clearing 'magic'. [RT #21274]
 7681 
 7682 2881.	[bug]		Reduce the amount of time the rbtdb write lock
 7683 			is held when closing a version. [RT #21198]
 7684 
 7685 2880.	[cleanup]	Make the output of dnssec-keygen and dnssec-revoke
 7686 			consistent. [RT #21078]
 7687 
 7688 2879.	[contrib]	DLZ bdbhpt driver fails to close correct cursor.
 7689 			[RT #21106]
 7690 
 7691 2878.	[func]		Incrementally write the master file after performing
 7692 			a AXFR.  [RT #21010]
 7693 
 7694 2877.	[bug]		The validator failed to skip obviously mismatching
 7695 			RRSIGs. [RT #21138]
 7696 
 7697 2876.	[bug]		Named could return SERVFAIL for negative responses
 7698 			from unsigned zones. [RT #21131]
 7699 
 7700 2875.	[bug]		dns_time64_fromtext() could accept non digits.
 7701 			[RT #21033]
 7702 
 7703 2874.	[bug]		Cache lack of EDNS support only after the server
 7704 			successfully responds to the query using plain DNS.
 7705 			[RT #20930]
 7706 
 7707 2873.	[bug]		Canceling a dynamic update via the dns/client module
 7708 			could trigger an assertion failure. [RT #21133]
 7709 
 7710 2872.	[bug]		Modify dns/client.c:dns_client_createx() to only
 7711 			require one of IPv4 or IPv6 rather than both.
 7712 			[RT #21122]
 7713 
 7714 2871.	[bug]		Type mismatch in mem_api.c between the definition and
 7715 			the header file, causing build failure with
 7716 			--enable-exportlib. [RT #21138]
 7717 
 7718 2870.	[maint]		Add AAAA address for L.ROOT-SERVERS.NET.
 7719 
 7720 2869.	[bug]		Fix arguments to dns_keytable_findnextkeynode() call.
 7721 			[RT #20877]
 7722 
 7723 2868.	[cleanup]	Run "make clean" at the end of configure to ensure
 7724 			any changes made by configure are integrated.
 7725 			Use --with-make-clean=no to disable.  [RT #20994]
 7726 
 7727 2867.	[bug]		Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
 7728 			don't like it.  [RT #20986]
 7729 
 7730 2866.	[bug]		Windows does not like the TSIG name being compressed.
 7731 			[RT #20986]
 7732 
 7733 2865.	[bug]		memset to zero event.data.  [RT #20986]
 7734 
 7735 2864.	[bug]		Direct SIG/RRSIG queries were not handled correctly.
 7736 			[RT #21050]
 7737 
 7738 2863.	[port]		linux: disable IPv6 PMTUD and use network minimum MTU.
 7739 			[RT #21056]
 7740 
 7741 2862.	[bug]		nsupdate didn't default to the parent zone when
 7742 			updating DS records. [RT #20896]
 7743 
 7744 2861.	[doc]		dnssec-settime man pages didn't correctly document the
 7745 			inactivation time. [RT #21039]
 7746 
 7747 2860.	[bug]		named-checkconf's usage was out of date. [RT #21039]
 7748 
 7749 2859.	[bug]		When canceling validation it was possible to leak
 7750 			memory. [RT #20800]
 7751 
 7752 2858.	[bug]		RTT estimates were not being adjusted on ICMP errors.
 7753 			[RT #20772]
 7754 
 7755 2857.	[bug]		named-checkconf did not fail on a bad trusted key.
 7756 			[RT #20705]
 7757 
 7758 2856.	[bug]		The size of a memory allocation was not always properly
 7759 			recorded. [RT #20927]
 7760 
 7761 2855.	[func]		nsupdate will now preserve the entered case of domain
 7762 			names in update requests it sends. [RT #20928]
 7763 
 7764 2854.	[func]		dig: allow the final soa record in a axfr response to
 7765 			be suppressed, dig +onesoa. [RT #20929]
 7766 
 7767 2853.	[bug]		add_sigs() could run out of scratch space. [RT #21015]
 7768 
 7769 2852.	[bug]		Handle broken DNSSEC trust chains better. [RT #15619]
 7770 
 7771 2851.	[doc]		nslookup.1, removed <informalexample> from the docbook
 7772 			source as it produced bad nroff.  [RT #21007]
 7773 
 7774 2850.	[bug]		If isc_heap_insert() failed due to memory shortage
 7775 			the heap would have corrupted entries. [RT #20951]
 7776 
 7777 2849.	[bug]		Don't treat errors from the xml2 library as fatal.
 7778 			[RT #20945]
 7779 
 7780 2848.	[doc]		Moved README.dnssec, README.libdns, README.pkcs11 and
 7781 			README.rfc5011 into the ARM. [RT #20899]
 7782 
 7783 2847.	[cleanup]	Corrected usage message in dnssec-settime. [RT #20921]
 7784 
 7785 2846.	[bug]		EOF on unix domain sockets was not being handled
 7786 			correctly. [RT #20731]
 7787 
 7788 2845.	[bug]		RFC 5011 client could crash on shutdown. [RT #20903]
 7789 
 7790 2844.	[doc]		notify-delay default in ARM was wrong.  It should have
 7791 			been five (5) seconds.
 7792 
 7793 2843.	[func]		Prevent dnssec-keygen and dnssec-keyfromlabel from
 7794 			creating key files if there is a chance that the new
 7795 			key ID will collide with an existing one after
 7796 			either of the keys has been revoked.  (To override
 7797 			this in the case of dnssec-keyfromlabel, use the -y
 7798 			option.  dnssec-keygen will simply create a
 7799 			different, non-colliding key, so an override is
 7800 			not necessary.) [RT #20838]
 7801 
 7802 2842.	[func]		Added "smartsign" and improved "autosign" and
 7803 			"dnssec" regression tests. [RT #20865]
 7804 
 7805 2841.	[bug]		Change 2836 was not complete. [RT #20883]
 7806 
 7807 2840.	[bug]		Temporary fixed pkcs11-destroy usage check.
 7808 			[RT #20760]
 7809 
 7810 2839.	[bug]		A KSK revoked by named could not be deleted.
 7811 			[RT #20881]
 7812 
 7813 2838.	[placeholder]
 7814 
 7815 2837.	[port]		Prevent Linux spurious warnings about fwrite().
 7816 			[RT #20812]
 7817 
 7818 2836.	[bug]		Keys that were scheduled to become active could
 7819 			be delayed. [RT #20874]
 7820 
 7821 2835.	[bug]		Key inactivity dates were inadvertently stored in
 7822 			the private key file with the outdated tag
 7823 			"Unpublish" rather than "Inactive".  This has been
 7824 			fixed; however, any existing keys that had Inactive
 7825 			dates set will now need to have them reset, using
 7826 			'dnssec-settime -I'. [RT #20868]
 7827 
 7828 2834.	[bug]		HMAC-SHA* keys that were longer than the algorithm
 7829 			digest length were used incorrectly, leading to
 7830 			interoperability problems with other DNS
 7831 			implementations.  This has been corrected.
 7832 			(Note: If an oversize key is in use, and
 7833 			compatibility is needed with an older release of
 7834 			BIND, the new tool "isc-hmac-fixup" can convert
 7835 			the key secret to a form that will work with all
 7836 			versions.) [RT #20751]
 7837 
 7838 2833.	[cleanup]	Fix usage messages in dnssec-keygen and dnssec-settime.
 7839 			[RT #20851]
 7840 
 7841 2832.	[bug]		Modify "struct stat" in lib/export/samples/nsprobe.c
 7842 			to avoid redefinition in some OSs [RT 20831]
 7843 
 7844 2831.	[security]	Do not attempt to validate or cache
 7845 			out-of-bailiwick data returned with a secure
 7846 			answer; it must be re-fetched from its original
 7847 			source and validated in that context. [RT #20819]
 7848 
 7849 2830.	[bug]		Changing the OPTOUT setting could take multiple
 7850 			passes. [RT #20813]
 7851 
 7852 2829.	[bug]		Fixed potential node inconsistency in rbtdb.c.
 7853 			[RT #20808]
 7854 
 7855 2828.	[security]	Cached CNAME or DNAME RR could be returned to clients
 7856 			without DNSSEC validation. [RT #20737]
 7857 
 7858 2827.	[security]	Bogus NXDOMAIN could be cached as if valid. [RT #20712]
 7859 
 7860 2826.	[bug]		NSEC3->NSEC transitions could fail due to a lock not
 7861 			being released.  [RT #20740]
 7862 
 7863 2825.	[bug]		Changing the setting of OPTOUT in a NSEC3 chain that
 7864 			was in the process of being created was not properly
 7865 			recorded in the zone. [RT #20786]
 7866 
 7867 2824.	[bug]		"rndc sign" was not being run by the correct task.
 7868 			[RT #20759]
 7869 
 7870 2823.	[bug]		rbtdb.c:getsigningtime() was missing locks. [RT #20781]
 7871 
 7872 2822.	[bug]		rbtdb.c:loadnode() could return the wrong result.
 7873 			[RT #20802]
 7874 
 7875 2821.	[doc]		Add note that named-checkconf doesn't automatically
 7876 			read rndc.key and bind.keys [RT #20758]
 7877 
 7878 2820.	[func]		Handle read access failure of OpenSSL configuration
 7879 			file more user friendly (PKCS#11 engine patch).
 7880 			[RT #20668]
 7881 
 7882 2819.	[cleanup]	Removed unnecessary DNS_POINTER_MAXHOPS define.
 7883 			[RT #20771]
 7884 
 7885 2818.	[cleanup]	rndc could return an incorrect error code
 7886 			when a zone was not found. [RT #20767]
 7887 
 7888 2817.	[cleanup]	Removed unnecessary isc_task_endexclusive() calls.
 7889 			[RT #20768]
 7890 
 7891 2816.	[bug]		previous_closest_nsec() could fail to return
 7892 			data for NSEC3 nodes [RT #29730]
 7893 
 7894 2815.	[bug]		Exclusively lock the task when freezing a zone.
 7895 			[RT #19838]
 7896 
 7897 2814.	[func]		Provide a definitive error message when a master
 7898 			zone is not loaded. [RT #20757]
 7899 
 7900 2813.	[bug]		Better handling of unreadable DNSSEC key files.
 7901 			[RT #20710]
 7902 
 7903 2812.	[bug]		Make sure updates can't result in a zone with
 7904 			NSEC-only keys and NSEC3 records. [RT #20748]
 7905 
 7906 2811.	[cleanup]	Add "rndc sign" to list of commands in rndc usage
 7907 			output. [RT #20733]
 7908 
 7909 2810.	[doc]		Clarified the process of transitioning an NSEC3 zone
 7910 			to insecure. [RT #20746]
 7911 
 7912 2809.	[cleanup]	Restored accidentally-deleted text in usage output
 7913 			in dnssec-settime and dnssec-revoke [RT #20739]
 7914 
 7915 2808.	[bug]		Remove the attempt to install atomic.h from lib/isc.
 7916 			atomic.h is correctly installed by the architecture
 7917 			specific subdirectories.  [RT #20722]
 7918 
 7919 2807.	[bug]		Fixed a possible ASSERT when reconfiguring zone
 7920 			keys. [RT #20720]
 7921 
 7922 	--- 9.7.0rc1 released ---
 7923 
 7924 2806.	[bug]		"rdnc sign" could delay re-signing the DNSKEY
 7925 			when it had changed. [RT #20703]
 7926 
 7927 2805.	[bug]		Fixed namespace problems encountered when building
 7928 			external programs using non-exported BIND9 libraries
 7929 			(i.e., built without --enable-exportlib). [RT #20679]
 7930 
 7931 2804.	[bug]		Send notifies when a zone is signed with "rndc sign"
 7932 			or as a result of a scheduled key change. [RT #20700]
 7933 
 7934 2803.	[port]		win32: Install named-journalprint, nsec3hash, arpaname
 7935 			and genrandom under windows. [RT #20670]
 7936 
 7937 2802.	[cleanup]	Rename journalprint to named-journalprint. [RT #20670]
 7938 
 7939 2801.	[func]		Detect and report records that are different according
 7940 			to DNSSEC but are semantically equal according to plain
 7941 			DNS.  Apply plain DNS comparisons rather than DNSSEC
 7942 			comparisons when processing UPDATE requests.
 7943 			dnssec-signzone now removes such semantically duplicate
 7944 			records prior to signing the RRset.
 7945 
 7946 			named-checkzone -r {ignore|warn|fail} (default warn)
 7947 			named-compilezone -r {ignore|warn|fail} (default warn)
 7948 
 7949 			named.conf: check-dup-records {ignore|warn|fail};
 7950 
 7951 2800.	[func]		Reject zones which have NS records which refer to
 7952 			CNAMEs, DNAMEs or don't have address record (class IN
 7953 			only).  Reject UPDATEs which would cause the zone
 7954 			to fail the above checks if committed. [RT #20678]
 7955 
 7956 2799.	[cleanup]	Changed the "secure-to-insecure" option to
 7957 			"dnssec-secure-to-insecure", and "dnskey-ksk-only"
 7958 			to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
 7959 
 7960 2798.	[bug]		Addressed bugs in managed-keys initialization
 7961 			and rollover. [RT #20683]
 7962 
 7963 2797.	[bug]		Don't decrement the dispatch manager's maxbuffers.
 7964 			[RT #20613]
 7965 
 7966 2796.	[bug]		Missing dns_rdataset_disassociate() call in
 7967 			dns_nsec3_delnsec3sx(). [RT #20681]
 7968 
 7969 2795.	[cleanup]	Add text to differentiate "update with no effect"
 7970 			log messages. [RT #18889]
 7971 
 7972 2794.	[bug]		Install <isc/namespace.h>.  [RT #20677]
 7973 
 7974 2793.	[func]		Add "autosign" and "metadata" tests to the
 7975 			automatic tests. [RT #19946]
 7976 
 7977 2792.	[func]		"filter-aaaa-on-v4" can now be set in view
 7978 			options (if compiled in).  [RT #20635]
 7979 
 7980 2791.	[bug]		The installation of isc-config.sh was broken.
 7981 			[RT #20667]
 7982 
 7983 2790.	[bug]		Handle DS queries to stub zones. [RT #20440]
 7984 
 7985 2789.	[bug]		Fixed an INSIST in dispatch.c [RT #20576]
 7986 
 7987 2788.	[bug]		dnssec-signzone could sign with keys that were
 7988 			not requested [RT #20625]
 7989 
 7990 2787.	[bug]		Spurious log message when zone keys were
 7991 			dynamically reconfigured. [RT #20659]
 7992 
 7993 2786.	[bug]		Additional could be promoted to answer. [RT #20663]
 7994 
 7995 	--- 9.7.0b3 released ---
 7996 
 7997 2785.	[bug]		Revoked keys could fail to self-sign [RT #20652]
 7998 
 7999 2784.	[bug]		TC was not always being set when required glue was
 8000 			dropped. [RT #20655]
 8001 
 8002 2783.	[func]		Return minimal responses to EDNS/UDP queries with a UDP
 8003 			buffer size of 512 or less.  [RT #20654]
 8004 
 8005 2782.	[port]		win32: use getaddrinfo() for hostname lookups.
 8006 			[RT #20650]
 8007 
 8008 2781.	[bug]		Inactive keys could be used for signing. [RT #20649]
 8009 
 8010 2780.	[bug]		dnssec-keygen -A none didn't properly unset the
 8011 			activation date in all cases. [RT #20648]
 8012 
 8013 2779.	[bug]		Dynamic key revocation could fail. [RT #20644]
 8014 
 8015 2778.	[bug]		dnssec-signzone could fail when a key was revoked
 8016 			without deleting the unrevoked version. [RT #20638]
 8017 
 8018 2777.	[contrib]	DLZ MYSQL auto reconnect support discovery was wrong.
 8019 
 8020 2776.	[bug]		Change #2762 was not correct. [RT #20647]
 8021 
 8022 2775.	[bug]		Accept RSASHA256 and RSASHA512 as NSEC3 compatible
 8023 			in dnssec-keyfromlabel. [RT #20643]
 8024 
 8025 2774.	[bug]		Existing cache DB wasn't being reused after
 8026 			reconfiguration. [RT #20629]
 8027 
 8028 2773.	[bug]		In autosigned zones, the SOA could be signed
 8029 			with the KSK. [RT #20628]
 8030 
 8031 2772.	[security]	When validating, track whether pending data was from
 8032 			the additional section or not and only return it if
 8033 			validates as secure. [RT #20438]
 8034 
 8035 2771.	[bug]		dnssec-signzone: DNSKEY records could be
 8036 			corrupted when importing from key files [RT #20624]
 8037 
 8038 2770.	[cleanup]	Add log messages to resolver.c to indicate events
 8039 			causing FORMERR responses. [RT #20526]
 8040 
 8041 2769.	[cleanup]	Change #2742 was incomplete. [RT #19589]
 8042 
 8043 2768.	[bug]		dnssec-signzone: -S no longer implies -g [RT #20568]
 8044 
 8045 2767.	[bug]		named could crash on startup if a zone was
 8046 			configured with auto-dnssec and there was no
 8047 			key-directory. [RT #20615]
 8048 
 8049 2766.	[bug]		isc_socket_fdwatchpoke() should only update the
 8050 			socketmgr state if the socket is not pending on a
 8051 			read or write.  [RT #20603]
 8052 
 8053 2765.	[bug]		Skip masters for which the TSIG key cannot be found.
 8054 			[RT #20595]
 8055 
 8056 2764.	[bug]		"rndc-confgen -a" could trigger a REQUIRE. [RT #20610]
 8057 
 8058 2763.	[bug]		"rndc sign" didn't create an NSEC chain. [RT #20591]
 8059 
 8060 2762.	[bug]		DLV validation failed with a local slave DLV zone.
 8061 			[RT #20577]
 8062 
 8063 2761.	[cleanup]	Enable internal symbol table for backtrace only for
 8064 			systems that are known to work.  Currently, BSD
 8065 			variants, Linux and Solaris are supported. [RT #20202]
 8066 
 8067 2760.	[cleanup]	Corrected named-compilezone usage summary. [RT #20533]
 8068 
 8069 2759.	[doc]		Add information about .jbk/.jnw files to
 8070 			the ARM. [RT #20303]
 8071 
 8072 2758.	[bug]		win32: Added a workaround for a windows 2008 bug
 8073 			that could cause the UDP client handler to shut
 8074 			down. [RT #19176]
 8075 
 8076 2757.	[bug]		dig: assertion failure could occur in connect
 8077 			timeout. [RT #20599]
 8078 
 8079 2756.	[bug]		Fixed corrupt logfile message in update.c. [RT #20597]
 8080 
 8081 2755.	[placeholder]
 8082 
 8083 2754.	[bug]		Secure-to-insecure transitions failed when zone
 8084 			was signed with NSEC3. [RT #20587]
 8085 
 8086 2753.	[bug]		Removed an unnecessary warning that could appear when
 8087 			building an NSEC chain. [RT #20589]
 8088 
 8089 2752.	[bug]		Locking violation. [RT #20587]
 8090 
 8091 2751.	[bug]		Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]
 8092 
 8093 2750.	[bug]		dig: assertion failure could occur when a server
 8094 			didn't have an address. [RT #20579]
 8095 
 8096 2749.	[bug]		ixfr-from-differences generated a non-minimal ixfr
 8097 			for NSEC3 signed zones. [RT #20452]
 8098 
 8099 2748.	[func]		Identify bad answers from GTLD servers and treat them
 8100 			as referrals. [RT #18884]
 8101 
 8102 2747.	[bug]		Journal roll forwards failed to set the re-signing
 8103 			time of RRSIGs correctly. [RT #20541]
 8104 
 8105 2746.	[port]		hpux: address signed/unsigned expansion mismatch of
 8106 			dns_rbtnode_t.nsec. [RT #20542]
 8107 
 8108 2745.	[bug]		configure script didn't probe the return type of
 8109 			gai_strerror(3) correctly. [RT #20573]
 8110 
 8111 2744.	[func]		Log if a query was over TCP. [RT #19961]
 8112 
 8113 2743.	[bug]		RRSIG could be incorrectly set in the NSEC3 record
 8114 			for a insecure delegation.
 8115 
 8116 	--- 9.7.0b2 released ---
 8117 
 8118 2742.	[cleanup]	Clarify some DNSSEC-related log messages in
 8119 			validator.c. [RT #19589]
 8120 
 8121 2741.	[func]		Allow the dnssec-keygen progress messages to be
 8122 			suppressed (dnssec-keygen -q).  Automatically
 8123 			suppress the progress messages when stdin is not
 8124 			a tty. [RT #20474]
 8125 
 8126 2740.	[placeholder]
 8127 
 8128 2739.	[cleanup]	Clean up API for initializing and clearing trust
 8129 			anchors for a view. [RT #20211]
 8130 
 8131 2738.	[func]		Add RSASHA256 and RSASHA512 tests to the dnssec system
 8132 			test. [RT #20453]
 8133 
 8134 2737.	[func]		UPDATE requests can leak existence information.
 8135 			[RT #17261]
 8136 
 8137 2736.	[func]		Improve the performance of NSEC signed zones with
 8138 			more than a normal amount of glue below a delegation.
 8139 			[RT #20191]
 8140 
 8141 2735.	[bug]		dnssec-signzone could fail to read keys
 8142 			that were specified on the command line with
 8143 			full paths, but weren't in the current
 8144 			directory. [RT #20421]
 8145 
 8146 2734.	[port]		cygwin: arpaname did not compile. [RT #20473]
 8147 
 8148 2733.	[cleanup]	Clean up coding style in pkcs11-* tools. [RT #20355]
 8149 
 8150 2732.	[func]		Add optional filter-aaaa-on-v4 option, available
 8151 			if built with './configure --enable-filter-aaaa'.
 8152 			Filters out AAAA answers to clients connecting
 8153 			via IPv4.  (This is NOT recommended for general
 8154 			use.) [RT #20339]
 8155 
 8156 2731.	[func]		Additional work on change 2709.  The key parser
 8157 			will now ignore unrecognized fields when the
 8158 			minor version number of the private key format
 8159 			has been increased.  It will reject any key with
 8160 			the major version number increased. [RT #20310]
 8161 
 8162 2730.	[func]		Have dnssec-keygen display a progress indication
 8163 			a la 'openssl genrsa' on standard error. Note
 8164 			when the first '.' is followed by a long stop
 8165 			one has the choice between slow generation vs.
 8166 			poor random quality, i.e., '-r /dev/urandom'.
 8167 			[RT #20284]
 8168 
 8169 2729.	[func]		When constructing a CNAME from a DNAME use the DNAME
 8170 			TTL. [RT #20451]
 8171 
 8172 2728.	[bug]		dnssec-keygen, dnssec-keyfromlabel and
 8173 			dnssec-signzone now warn immediately if asked to
 8174 			write into a nonexistent directory. [RT #20278]
 8175 
 8176 2727.	[func]		The 'key-directory' option can now specify a relative
 8177 			path. [RT #20154]
 8178 
 8179 2726.	[func]		Added support for SHA-2 DNSSEC algorithms,
 8180 			RSASHA256 and RSASHA512. [RT #20023]
 8181 
 8182 2725.	[doc]		Added information about the file "managed-keys.bind"
 8183 			to the ARM. [RT #20235]
 8184 
 8185 2724.	[bug]		Updates to a existing node in secure zone using NSEC
 8186 			were failing. [RT #20448]
 8187 
 8188 2723.	[bug]		isc_base32_totext(), isc_base32hex_totext(), and
 8189 			isc_base64_totext(), didn't always mark regions of
 8190 			memory as fully consumed after conversion.  [RT #20445]
 8191 
 8192 2722.	[bug]		Ensure that the memory associated with the name of
 8193 			a node in a rbt tree is not altered during the life
 8194 			of the node. [RT #20431]
 8195 
 8196 2721.	[port]		Have dst__entropy_status() prime the random number
 8197 			generator. [RT #20369]
 8198 
 8199 2720.	[bug]		RFC 5011 trust anchor updates could trigger an
 8200 			assert if the DNSKEY record was unsigned. [RT #20406]
 8201 
 8202 2719.	[func]		Skip trusted/managed keys for unsupported algorithms.
 8203 			[RT #20392]
 8204 
 8205 2718.	[bug]		The space calculations in opensslrsa_todns() were
 8206 			incorrect. [RT #20394]
 8207 
 8208 2717.	[bug]		named failed to update the NSEC/NSEC3 record when
 8209 			the last private type record was removed as a result
 8210 			of completing the signing the zone with a key.
 8211 			[RT #20399]
 8212 
 8213 2716.	[bug]		nslookup debug mode didn't return the ttl. [RT #20414]
 8214 
 8215 	--- 9.7.0b1 released ---
 8216 
 8217 2715.	[bug]		Require OpenSSL support to be explicitly disabled.
 8218 			[RT #20288]
 8219 
 8220 2714.	[port]		aix/powerpc: 'asm("ics");' needs non standard assembler
 8221 			flags.
 8222 
 8223 2713.	[bug]		powerpc: atomic operations missing asm("ics") /
 8224 			__isync() calls.
 8225 
 8226 2712.	[func]		New 'auto-dnssec' zone option allows zone signing
 8227 			to be fully automated in zones configured for
 8228 			dynamic DNS.  'auto-dnssec allow;' permits a zone
 8229 			to be signed by creating keys for it in the
 8230 			key-directory and using 'rndc sign <zone>'.
 8231 			'auto-dnssec maintain;' allows that too, plus it
 8232 			also keeps the zone's DNSSEC keys up to date
 8233 			according to their timing metadata. [RT #19943]
 8234 
 8235 2711.	[port]		win32: Add the bin/pkcs11 tools into the full
 8236 			build. [RT #20372]
 8237 
 8238 2710.	[func]		New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
 8239 			zone option cause a zone to be signed with only KSKs
 8240 			signing the DNSKEY RRset, not ZSKs.  This reduces
 8241 			the size of a DNSKEY answer.  [RT #20340]
 8242 
 8243 2709.	[func]		Added some data fields, currently unused, to the
 8244 			private key file format, to allow implementation
 8245 			of explicit key rollover in a future release
 8246 			without impairing backward or forward compatibility.
 8247 			[RT #20310]
 8248 
 8249 2708.	[func]		Insecure to secure and NSEC3 parameter changes via
 8250 			update are now fully supported and no longer require
 8251 			defines to enable.  We now no longer overload the
 8252 			NSEC3PARAM flag field, nor the NSEC OPT bit at the
 8253 			apex.  Secure to insecure changes are controlled by
 8254 			by the named.conf option 'secure-to-insecure'.
 8255 
 8256 			Warning: If you had previously enabled support by
 8257 			adding defines at compile time to BIND 9.6 you should
 8258 			ensure that all changes that are in progress have
 8259 			completed prior to upgrading to BIND 9.7.  BIND 9.7
 8260 			is not backwards compatible.
 8261 
 8262 2707.	[func]		dnssec-keyfromlabel no longer require engine name
 8263 			to be specified in the label if there is a default
 8264 			engine or the -E option has been used.  Also, it
 8265 			now uses default algorithms as dnssec-keygen does
 8266 			(i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
 8267 			[RT #20371]
 8268 
 8269 2706.	[bug]		Loading a zone with a very large NSEC3 salt could
 8270 			trigger an assert. [RT #20368]
 8271 
 8272 2705.	[placeholder]
 8273 
 8274 2704.	[bug]		Serial of dynamic and stub zones could be inconsistent
 8275 			with their SOA serial.  [RT #19387]
 8276 
 8277 2703.	[func]		Introduce an OpenSSL "engine" argument with -E
 8278 			for all binaries which can take benefit of
 8279 			crypto hardware. [RT #20230]
 8280 
 8281 2702.	[func]		Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
 8282 
 8283 2701.	[doc]		Correction to ARM: hmac-md5 is no longer the only
 8284 			supported TSIG key algorithm. [RT #18046]
 8285 
 8286 2700.	[doc]		The match-mapped-addresses option is discouraged.
 8287 			[RT #12252]
 8288 
 8289 2699.	[bug]		Missing lock in rbtdb.c. [RT #20037]
 8290 
 8291 2698.	[placeholder]
 8292 
 8293 2697.	[port]		win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
 8294 			S_IFREG are defined after including <isc/stat.h>.
 8295 			[RT #20309]
 8296 
 8297 2696.	[bug]		named failed to successfully process some valid
 8298 			acl constructs. [RT #20308]
 8299 
 8300 2695.	[func]		DHCP/DDNS - update fdwatch code for use by
 8301 			DHCP.  Modify the api to isc_sockfdwatch_t (the
 8302 			callback function for isc_socket_fdwatchcreate)
 8303 			to include information about the direction (read
 8304 			or write) and add isc_socket_fdwatchpoke.
 8305 			[RT #20253]
 8306 
 8307 2694.	[bug]		Reduce default NSEC3 iterations from 100 to 10.
 8308 			[RT #19970]
 8309 
 8310 2693.	[port]		Add some noreturn attributes. [RT #20257]
 8311 
 8312 2692.	[port]		win32: 32/64 bit cleanups. [RT #20335]
 8313 
 8314 2691.	[func]		dnssec-signzone: retain the existing NSEC or NSEC3
 8315 			chain when re-signing a previously-signed zone.
 8316 			Use -u to modify NSEC3 parameters or switch
 8317 			between NSEC and NSEC3. [RT #20304]
 8318 
 8319 2690.	[bug]		win32: fix isc_thread_key_getspecific() prototype.
 8320 			[RT #20315]
 8321 
 8322 2689.	[bug]		Correctly handle snprintf result. [RT #20306]
 8323 
 8324 2688.	[bug]		Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
 8325 			to decide to fetch the destination address. [RT #20305]
 8326 
 8327 2687.	[bug]		Fixed dnssec-signzone -S handling of revoked keys.
 8328 			Also, added warnings when revoking a ZSK, as this is
 8329 			not defined by protocol (but is legal).  [RT #19943]
 8330 
 8331 2686.	[bug]		dnssec-signzone should clean the old NSEC chain when
 8332 			signing with NSEC3 and vice versa. [RT #20301]
 8333 
 8334 2685.	[contrib]	Update contrib/zkt to version 0.99c. [RT #20054]
 8335 
 8336 2684.	[cleanup]	dig: formalize +ad and +cd as synonyms for
 8337 			+adflag and +cdflag.  [RT #19305]
 8338 
 8339 2683.	[bug]		dnssec-signzone should clean out old NSEC3 chains when
 8340 			the NSEC3 parameters used to sign the zone change.
 8341 			[RT #20246]
 8342 
 8343 2682.	[bug]		"configure --enable-symtable=all" failed to
 8344 			build. [RT #20282]
 8345 
 8346 2681.	[bug]		IPSECKEY RR of gateway type 3 was not correctly
 8347 			decoded. [RT #20269]
 8348 
 8349 2680.	[func]		Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]
 8350 
 8351 2679.	[func]		dig -k can now accept TSIG keys in named.conf
 8352 			format.  [RT #20031]
 8353 
 8354 2678.	[func]		Treat DS queries as if "minimal-response yes;"
 8355 			was set. [RT #20258]
 8356 
 8357 2677.	[func]		Changes to key metadata behavior:
 8358 			- Keys without "publish" or "active" dates set will
 8359 			  no longer be used for smart signing.  However,
 8360 			  those dates will be set to "now" by default when
 8361 			  a key is created; to generate a key but not use
 8362 			  it yet, use dnssec-keygen -G.
 8363 			- New "inactive" date (dnssec-keygen/settime -I)
 8364 			  sets the time when a key is no longer used for
 8365 			  signing but is still published.
 8366 			- The "unpublished" date (-U) is deprecated in
 8367 			  favor of "deleted" (-D).
 8368 			[RT #20247]
 8369 
 8370 2676.	[bug]		--with-export-installdir should have been
 8371 			--with-export-includedir. [RT #20252]
 8372 
 8373 2675.	[bug]		dnssec-signzone could crash if the key directory
 8374 			did not exist. [RT #20232]
 8375 
 8376 	--- 9.7.0a3 released ---
 8377 
 8378 2674.	[bug]		"dnssec-lookaside auto;" crashed if named was built
 8379 			without openssl. [RT #20231]
 8380 
 8381 2673.	[bug]		The managed-keys.bind zone file could fail to
 8382 			load due to a spurious result from sync_keyzone()
 8383 			[RT #20045]
 8384 
 8385 2672.	[bug]		Don't enable searching in 'host' when doing reverse
 8386 			lookups. [RT #20218]
 8387 
 8388 2671.	[bug]		Add support for PKCS#11 providers not returning
 8389 			the public exponent in RSA private keys
 8390 			(OpenCryptoki for instance) in
 8391 			dnssec-keyfromlabel. [RT #19294]
 8392 
 8393 2670.	[bug]		Unexpected connect failures failed to log enough
 8394 			information to be useful. [RT #20205]
 8395 
 8396 2669.	[func]		Update PKCS#11 support to support Keyper HSM.
 8397 			Update PKCS#11 patch to be against openssl-0.9.8i.
 8398 
 8399 2668.	[func]		Several improvements to dnssec-* tools, including:
 8400 			- dnssec-keygen and dnssec-settime can now set key
 8401 			  metadata fields 0 (to unset a value, use "none")
 8402 			- dnssec-revoke sets the revocation date in
 8403 			  addition to the revoke bit
 8404 			- dnssec-settime can now print individual metadata
 8405 			  fields instead of always printing all of them,
 8406 			  and can print them in unix epoch time format for
 8407 			  use by scripts
 8408 			[RT #19942]
 8409 
 8410 2667.	[func]		Add support for logging stack backtrace on assertion
 8411 			failure (not available for all platforms). [RT #19780]
 8412 
 8413 2666.	[func]		Added an 'options' argument to dns_name_fromstring()
 8414 			(API change from 9.7.0a2). [RT #20196]
 8415 
 8416 2665.	[func]		Clarify syntax for managed-keys {} statement, add
 8417 			ARM documentation about RFC 5011 support. [RT #19874]
 8418 
 8419 2664.	[bug]		create_keydata() and minimal_update() in zone.c
 8420 			didn't properly check return values for some
 8421 			functions.  [RT #19956]
 8422 
 8423 2663.	[func]		win32:  allow named to run as a service using
 8424 			"NT AUTHORITY\LocalService" as the account. [RT #19977]
 8425 
 8426 2662.	[bug]		lwres_getipnodebyname() and lwres_getipnodebyaddr()
 8427 			returned a misleading error code when lwresd was
 8428 			down. [RT #20028]
 8429 
 8430 2661.	[bug]		Check whether socket fd exceeds FD_SETSIZE when
 8431 			creating lwres context. [RT #20029]
 8432 
 8433 2660.	[func]		Add a new set of DNS libraries for non-BIND9
 8434 			applications.  See README.libdns. [RT #19369]
 8435 
 8436 2659.	[doc]		Clarify dnssec-keygen doc: key name must match zone
 8437 			name for DNSSEC keys. [RT #19938]
 8438 
 8439 2658.	[bug]		dnssec-settime and dnssec-revoke didn't process
 8440 			key file paths correctly. [RT #20078]
 8441 
 8442 2657.	[cleanup]	Lower "journal file <path> does not exist, creating it"
 8443 			log level to debug 1. [RT #20058]
 8444 
 8445 2656.	[func]		win32: add a "tools only" check box to the installer
 8446 			which causes it to only install dig, host, nslookup,
 8447 			nsupdate and relevant DLLs.  [RT #19998]
 8448 
 8449 2655.	[doc]		Document that key-directory does not affect
 8450 			bind.keys, rndc.key or session.key.  [RT #20155]
 8451 
 8452 2654.	[bug]		Improve error reporting on duplicated names for
 8453 			deny-answer-xxx. [RT #20164]
 8454 
 8455 2653.	[bug]		Treat ENGINE_load_private_key() failures as key
 8456 			not found rather than out of memory.  [RT #18033]
 8457 
 8458 2652.	[func]		Provide more detail about what record is being
 8459 			deleted. [RT #20061]
 8460 
 8461 2651.	[bug]		Dates could print incorrectly in K*.key files on
 8462 			64-bit systems. [RT #20076]
 8463 
 8464 2650.	[bug]		Assertion failure in dnssec-signzone when trying
 8465 			to read keyset-* files. [RT #20075]
 8466 
 8467 2649.	[bug]		Set the domain for forward only zones. [RT #19944]
 8468 
 8469 2648.	[port]		win32: isc_time_seconds() was broken. [RT #19900]
 8470 
 8471 2647.	[bug]		Remove unnecessary SOA updates when a new KSK is
 8472 			added. [RT #19913]
 8473 
 8474 2646.	[bug]		Incorrect cleanup on error in socket.c. [RT #19987]
 8475 
 8476 2645.	[port]		"gcc -m32" didn't work on amd64 and x86_64 platforms
 8477 			which default to 64 bits. [RT #19927]
 8478 
 8479 	--- 9.7.0a2 released ---
 8480 
 8481 2644.	[bug]		Change #2628 caused a regression on some systems;
 8482 			named was unable to write the PID file and would
 8483 			fail on startup. [RT #20001]
 8484 
 8485 2643.	[bug]		Stub zones interacted badly with NSEC3 support.
 8486 			[RT #19777]
 8487 
 8488 2642.	[bug]		nsupdate could dump core on solaris when reading
 8489 			improperly formatted key files.  [RT #20015]
 8490 
 8491 2641.	[bug]		Fixed an error in parsing update-policy syntax,
 8492 			added a regression test to check it. [RT #20007]
 8493 
 8494 2640.	[security]	A specially crafted update packet will cause named
 8495 			to exit. [RT #20000]
 8496 
 8497 2639.	[bug]		Silence compiler warnings in gssapi code. [RT #19954]
 8498 
 8499 2638.	[bug]		Install arpaname. [RT #19957]
 8500 
 8501 2637.	[func]		Rationalize dnssec-signzone's signwithkey() calling.
 8502 			[RT #19959]
 8503 
 8504 2636.	[func]		Simplify zone signing and key maintenance with the
 8505 			dnssec-* tools.  Major changes:
 8506 			- all dnssec-* tools now take a -K option to
 8507 			  specify a directory in which key files will be
 8508 			  stored
 8509 			- DNSSEC can now store metadata indicating when
 8510 			  they are scheduled to be published, activated,
 8511 			  revoked or removed; these values can be set by
 8512 			  dnssec-keygen or overwritten by the new
 8513 			  dnssec-settime command
 8514 			- dnssec-signzone -S (for "smart") option reads key
 8515 			  metadata and uses it to determine automatically
 8516 			  which keys to publish to the zone, use for
 8517 			  signing, revoke, or remove from the zone
 8518 			[RT #19816]
 8519 
 8520 2635.	[bug]		isc_inet_ntop() incorrectly handled 0.0/16 addresses.
 8521 			[RT #19716]
 8522 
 8523 2634.	[port]		win32: Add support for libxml2, enable
 8524 			statschannel. [RT #19773]
 8525 
 8526 2633.	[bug]		Handle 15 bit rand() functions. [RT #19783]
 8527 
 8528 2632.	[func]		util/kit.sh: warn if documentation appears to be out of
 8529 			date.  [RT #19922]
 8530 
 8531 2631.	[bug]		Handle "//", "/./" and "/../" in mkdirpath().
 8532 			[RT #19926 ]
 8533 
 8534 2630.	[func]		Improved syntax for DDNS autoconfiguration:  use
 8535 			"update-policy local;" to switch on local DDNS in a
 8536 			zone. (The "ddns-autoconf" option has been removed.)
 8537 			[RT #19875]
 8538 
 8539 2629.	[port]		Check for seteuid()/setegid(), use setresuid()/
 8540 			setresgid() if not present. [RT #19932]
 8541 
 8542 2628.	[port]		linux: Allow /var/run/named/named.pid to be opened
 8543 			at startup with reduced capabilities in operation.
 8544 			[RT #19884]
 8545 
 8546 2627.	[bug]		Named aborted if the same key was included in
 8547 			trusted-keys more than once. [RT #19918]
 8548 
 8549 2626.	[bug]		Multiple trusted-keys could trigger an assertion
 8550 			failure. [RT #19914]
 8551 
 8552 2625.	[bug]		Missing UNLOCK in rbtdb.c. [RT #19865]
 8553 
 8554 2624.	[func]		'named-checkconf -p' will print out the parsed
 8555 			configuration. [RT #18871]
 8556 
 8557 2623.	[bug]		Named started searches for DS non-optimally. [RT #19915]
 8558 
 8559 2622.	[bug]		Printing of named.conf grammar was broken. [RT #19919]
 8560 
 8561 2621.	[doc]		Made copyright boilerplate consistent.  [RT #19833]
 8562 
 8563 2620.	[bug]		Delay thawing the zone until the reload of it has
 8564 			completed successfully.  [RT #19750]
 8565 
 8566 2619.	[func]		Add support for RFC 5011, automatic trust anchor
 8567 			maintenance.  The new "managed-keys" statement can
 8568 			be used in place of "trusted-keys" for zones which
 8569 			support this protocol.  (Note: this syntax is
 8570 			expected to change prior to 9.7.0 final.) [RT #19248]
 8571 
 8572 2618.	[bug]		The sdb and sdlz db_interator_seek() methods could
 8573 			loop infinitely. [RT #19847]
 8574 
 8575 2617.	[bug]		ifconfig.sh failed to emit an error message when
 8576 			run from the wrong location. [RT #19375]
 8577 
 8578 2616.	[bug]		'host' used the nameservers from resolv.conf even
 8579 			when a explicit nameserver was specified. [RT #19852]
 8580 
 8581 2615.	[bug]		"__attribute__((unused))" was in the wrong place
 8582 			for ia64 gcc builds. [RT #19854]
 8583 
 8584 2614.	[port]		win32: 'named -v' should automatically be executed
 8585 			in the foreground. [RT #19844]
 8586 
 8587 2613.	[placeholder]
 8588 
 8589 	--- 9.7.0a1 released ---
 8590 
 8591 2612.	[func]		Add default values for the arguments to
 8592 			dnssec-keygen.  Without arguments, it will now
 8593 			generate a 1024-bit RSASHA1 zone-signing key,
 8594 			or with the -f KSK option, a 2048-bit RSASHA1
 8595 			key-signing key. [RT #19300]
 8596 
 8597 2611.	[func]		Add -l option to dnssec-dsfromkey to generate
 8598 			DLV records instead of DS records. [RT #19300]
 8599 
 8600 2610.	[port]		sunos: Change #2363 was not complete. [RT #19796]
 8601 
 8602 2609.	[func]		Simplify the configuration of dynamic zones:
 8603 			- add ddns-confgen command to generate
 8604 			  configuration text for named.conf
 8605 			- add zone option "ddns-autoconf yes;", which
 8606 			  causes named to generate a TSIG session key
 8607 			  and allow updates to the zone using that key
 8608 			- add '-l' (localhost) option to nsupdate, which
 8609 			  causes nsupdate to connect to a locally-running
 8610 			  named process using the session key generated
 8611 			  by named
 8612 			[RT #19284]
 8613 
 8614 2608.	[func]		Perform post signing verification checks in
 8615 			dnssec-signzone.  These can be disabled with -P.
 8616 
 8617 			The post sign verification test ensures that for each
 8618 			algorithm in use there is at least one non revoked
 8619 			self signed KSK key.  That all revoked KSK keys are
 8620 			self signed.  That all records in the zone are signed
 8621 			by the algorithm.  [RT #19653]
 8622 
 8623 2607.	[bug]		named could incorrectly delete NSEC3 records for
 8624 			empty nodes when processing a update request.
 8625 			[RT #19749]
 8626 
 8627 2606.	[bug]		"delegation-only" was not being accepted in
 8628 			delegation-only type zones. [RT #19717]
 8629 
 8630 2605.	[bug]		Accept DS responses from delegation only zones.
 8631 			[RT # 19296]
 8632 
 8633 2604.	[func]		Add support for DNS rebinding attack prevention through
 8634 			new options, deny-answer-addresses and
 8635 			deny-answer-aliases.  Based on contributed code from
 8636 			JD Nurmi, Google. [RT #18192]
 8637 
 8638 2603.	[port]		win32: handle .exe extension of named-checkzone and
 8639 			named-comilezone argv[0] names under windows.
 8640 			[RT #19767]
 8641 
 8642 2602.	[port]		win32: fix debugging command line build of libisccfg.
 8643 			[RT #19767]
 8644 
 8645 2601.	[doc]		Mention file creation mode mask in the
 8646 			named manual page.
 8647 
 8648 2600.	[doc]		ARM: miscellaneous reformatting for different
 8649 			page widths. [RT #19574]
 8650 
 8651 2599.	[bug]		Address rapid memory growth when validation fails.
 8652 			[RT #19654]
 8653 
 8654 2598.	[func]		Reserve the -F flag. [RT #19657]
 8655 
 8656 2597.	[bug]		Handle a validation failure with a insecure delegation
 8657 			from a NSEC3 signed master/slave zone.  [RT #19464]
 8658 
 8659 2596.	[bug]		Stale tree nodes of cache/dynamic rbtdb could stay
 8660 			long, leading to inefficient memory usage or rejecting
 8661 			newer cache entries in the worst case. [RT #19563]
 8662 
 8663 2595.	[bug]		Fix unknown extended rcodes in dig. [RT #19625]
 8664 
 8665 2594.	[func]		Have rndc warn if using its default configuration
 8666 			file when the key file also exists. [RT #19424]
 8667 
 8668 2593.	[bug]		Improve a corner source of SERVFAILs [RT #19632]
 8669 
 8670 2592.	[bug]		Treat "any" as a type in nsupdate. [RT #19455]
 8671 
 8672 2591.	[bug]		named could die when processing a update in
 8673 			removed_orphaned_ds(). [RT #19507]
 8674 
 8675 2590.	[func]		Report zone/class of "update with no effect".
 8676 			[RT #19542]
 8677 
 8678 2589.	[bug]		dns_db_unregister() failed to clear '*dbimp'.
 8679 			[RT #19626]
 8680 
 8681 2588.	[bug]		SO_REUSEADDR could be set unconditionally after failure
 8682 			of bind(2) call.  This should be rare and mostly
 8683 			harmless, but may cause interference with other
 8684 			processes that happen to use the same port. [RT #19642]
 8685 
 8686 2587.	[func]		Improve logging by reporting serial numbers for
 8687 			when zone serial has gone backwards or unchanged.
 8688 			[RT #19506]
 8689 
 8690 2586.	[bug]		Missing cleanup of SIG rdataset in searching a DLZ DB
 8691 			or SDB. [RT #19577]
 8692 
 8693 2585.	[bug]		Uninitialized socket name could be referenced via a
 8694 			statistics channel, triggering an assertion failure in
 8695 			XML rendering. [RT #19427]
 8696 
 8697 2584.	[bug]		alpha: gcc optimization could break atomic operations.
 8698 			[RT #19227]
 8699 
 8700 2583.	[port]		netbsd: provide a control to not add the compile
 8701 			date to the version string, -DNO_VERSION_DATE.
 8702 
 8703 2582.	[bug]		Don't emit warning log message when we attempt to
 8704 			remove non-existent journal. [RT #19516]
 8705 
 8706 2581.	[contrib]	dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
 8707 			Requires MySQL 5.0.19 or later. [RT #19084]
 8708 
 8709 2580.	[bug]		UpdateRej statistics counter could be incremented twice
 8710 			for one rejection. [RT #19476]
 8711 
 8712 2579.	[bug]		DNSSEC lookaside validation failed to handle unknown
 8713 			algorithms. [RT #19479]
 8714 
 8715 2578.	[bug]		Changed default sig-signing-type to 65534, because
 8716 			65535 turns out to be reserved.  [RT #19477]
 8717 
 8718 2577.	[doc]		Clarified some statistics counters. [RT #19454]
 8719 
 8720 2576.	[bug]		NSEC record were not being correctly signed when
 8721 			a zone transitions from insecure to secure.
 8722 			Handle such incorrectly signed zones. [RT #19114]
 8723 
 8724 2575.	[func]		New functions dns_name_fromstring() and
 8725 			dns_name_tostring(), to simplify conversion
 8726 			of a string to a dns_name structure and vice
 8727 			versa. [RT #19451]
 8728 
 8729 2574.	[doc]		Document nsupdate -g and -o. [RT #19351]
 8730 
 8731 2573.	[bug]		Replacing a non-CNAME record with a CNAME record in a
 8732 			single transaction in a signed zone failed. [RT #19397]
 8733 
 8734 2572.	[func]		Simplify DLV configuration, with a new option
 8735 			"dnssec-lookaside auto;"  This is the equivalent
 8736 			of "dnssec-lookaside . trust-anchor dlv.isc.org;"
 8737 			plus setting a trusted-key for dlv.isc.org.
 8738 
 8739 			Note: The trusted key is hard-coded into named,
 8740 			but is also stored in (and can be overridden
 8741 			by) $sysconfdir/bind.keys.  As the ISC DLV key
 8742 			rolls over it can be kept up to date by replacing
 8743 			the bind.keys file with a key downloaded from
 8744 			https://www.isc.org/solutions/dlv. [RT #18685]
 8745 
 8746 2571.	[func]		Add a new tool "arpaname" which translates IP addresses
 8747 			to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
 8748 			[RT #18976]
 8749 
 8750 2570.	[func]		Log the destination address the query was sent to.
 8751 			[RT #19209]
 8752 
 8753 2569.	[func]		Move journalprint, nsec3hash, and genrandom
 8754 			commands from bin/tests into bin/tools;
 8755 			"make install" will put them in $sbindir. [RT #19301]
 8756 
 8757 2568.	[bug]		Report when the write to indicate a otherwise
 8758 			successful start fails. [RT #19360]
 8759 
 8760 2567.	[bug]		dst__privstruct_writefile() could miss write errors.
 8761 			write_public_key() could miss write errors.
 8762 			dnssec-dsfromkey could miss write errors.
 8763 			[RT #19360]
 8764 
 8765 2566.	[cleanup]	Clarify logged message when an insecure DNSSEC
 8766 			response arrives from a zone thought to be secure:
 8767 			"insecurity proof failed" instead of "not
 8768 			insecure". [RT #19400]
 8769 
 8770 2565.	[func]		Add support for HIP record.  Includes new functions
 8771 			dns_rdata_hip_first(), dns_rdata_hip_next()
 8772 			and dns_rdata_hip_current().  [RT #19384]
 8773 
 8774 2564.	[bug]		Only take EDNS fallback steps when processing timeouts.
 8775 			[RT #19405]
 8776 
 8777 2563.	[bug]		Dig could leak a socket causing it to wait forever
 8778 			to exit. [RT #19359]
 8779 
 8780 2562.	[doc]		ARM: miscellaneous improvements, reorganization,
 8781 			and some new content.
 8782 
 8783 2561.	[doc]		Add isc-config.sh(1) man page. [RT #16378]
 8784 
 8785 2560.	[bug]		Add #include <config.h> to iptable.c. [RT #18258]
 8786 
 8787 2559.	[bug]		dnssec-dsfromkey could compute bad DS records when
 8788 			reading from a K* files.  [RT #19357]
 8789 
 8790 2558.	[func]		Set the ownership of missing directories created
 8791 			for pid-file if -u has been specified on the command
 8792 			line. [RT #19328]
 8793 
 8794 2557.	[cleanup]	PCI compliance:
 8795 			* new libisc log module file
 8796 			* isc_dir_chroot() now also changes the working
 8797 			  directory to "/".
 8798 			* additional INSISTs
 8799 			* additional logging when files can't be removed.
 8800 
 8801 2556.	[port]		Solaris: mkdir(2) on tmpfs filesystems does not do the
 8802 			error checks in the correct order resulting in the
 8803 			wrong error code sometimes being returned. [RT #19249]
 8804 
 8805 2555.	[func]		dig: when emitting a hex dump also display the
 8806 			corresponding characters. [RT #19258]
 8807 
 8808 2554.	[bug]		Validation of uppercase queries from NSEC3 zones could
 8809 			fail. [RT #19297]
 8810 
 8811 2553.	[bug]		Reference leak on DNSSEC validation errors. [RT #19291]
 8812 
 8813 2552.	[bug]		zero-no-soa-ttl-cache was not being honored.
 8814 			[RT #19340]
 8815 
 8816 2551.	[bug]		Potential Reference leak on return. [RT #19341]
 8817 
 8818 2550.	[bug]		Check --with-openssl=<path> finds <openssl/opensslv.h>.
 8819 			[RT #19343]
 8820 
 8821 2549.	[port]		linux: define NR_OPEN if not currently defined.
 8822 			[RT #19344]
 8823 
 8824 2548.	[bug]		Install iterated_hash.h. [RT #19335]
 8825 
 8826 2547.	[bug]		openssl_link.c:mem_realloc() could reference an
 8827 			out-of-range area of the source buffer.  New public
 8828 			function isc_mem_reallocate() was introduced to address
 8829 			this bug. [RT #19313]
 8830 
 8831 2546.	[func]		Add --enable-openssl-hash configure flag to use
 8832 			OpenSSL (in place of internal routine) for hash
 8833 			functions (MD5, SHA[12] and HMAC). [RT #18815]
 8834 
 8835 2545.	[doc]		ARM: Legal hostname checking (check-names) is
 8836 			for SRV RDATA too. [RT #19304]
 8837 
 8838 2544.	[cleanup]	Removed unused structure members in adb.c. [RT #19225]
 8839 
 8840 2543.	[contrib]	Update contrib/zkt to version 0.98. [RT #19113]
 8841 
 8842 2542.	[doc]		Update the description of dig +adflag. [RT #19290]
 8843 
 8844 2541.	[bug]		Conditionally update dispatch manager statistics.
 8845 			[RT #19247]
 8846 
 8847 2540.	[func]		Add a nibble mode to $GENERATE. [RT #18872]
 8848 
 8849 2539.	[security]	Update the interaction between recursion, allow-query,
 8850 			allow-query-cache and allow-recursion.  [RT #19198]
 8851 
 8852 2538.	[bug]		cache/ADB memory could grow over max-cache-size,
 8853 			especially with threads and smaller max-cache-size
 8854 			values. [RT #19240]
 8855 
 8856 2537.	[func]		Added more statistics counters including those on socket
 8857 			I/O events and query RTT histograms. [RT #18802]
 8858 
 8859 2536.	[cleanup]	Silence some warnings when -Werror=format-security is
 8860 			specified. [RT #19083]
 8861 
 8862 2535.	[bug]		dig +showsearch and +trace interacted badly. [RT #19091]
 8863 
 8864 2534.	[func]		Check NAPTR records regular expressions and
 8865 			replacement strings to ensure they are syntactically
 8866 			valid and consistent. [RT #18168]
 8867 
 8868 2533.	[doc]		ARM: document @ (at-sign). [RT #17144]
 8869 
 8870 2532.	[bug]		dig: check the question section of the response to
 8871 			see if it matches the asked question. [RT #18495]
 8872 
 8873 2531.	[bug]		Change #2207 was incomplete. [RT #19098]
 8874 
 8875 2530.	[bug]		named failed to reject insecure to secure transitions
 8876 			via UPDATE. [RT #19101]
 8877 
 8878 2529.	[cleanup]	Upgrade libtool to silence complaints from recent
 8879 			version of autoconf. [RT #18657]
 8880 
 8881 2528.	[cleanup]	Silence spurious configure warning about
 8882 			--datarootdir [RT #19096]
 8883 
 8884 2527.	[placeholder]
 8885 
 8886 2526.	[func]		New named option "attach-cache" that allows multiple
 8887 			views to share a single cache to save memory and
 8888 			improve lookup efficiency.  Based on contributed code
 8889 			from Barclay Osborn, Google. [RT #18905]
 8890 
 8891 2525.	[func]		New logging category "query-errors" to provide detailed
 8892 			internal information about query failures, especially
 8893 			about server failures. [RT #19027]
 8894 
 8895 2524.	[port]		sunos: dnssec-signzone needs strtoul(). [RT #19129]
 8896 
 8897 2523.	[bug]		Random type rdata freed by dns_nsec_typepresent().
 8898 			[RT #19112]
 8899 
 8900 2522.	[security]	Handle -1 from DSA_do_verify() and EVP_VerifyFinal().
 8901 
 8902 2521.	[bug]		Improve epoll cross compilation support. [RT #19047]
 8903 
 8904 2520.	[bug]		Update xml statistics version number to 2.0 as change
 8905 			#2388 made the schema incompatible to the previous
 8906 			version. [RT #19080]
 8907 
 8908 2519.	[bug]		dig/host with -4 or -6 didn't work if more than two
 8909 			nameserver addresses of the excluded address family
 8910 			preceded in resolv.conf. [RT #19081]
 8911 
 8912 2518.	[func]		Add support for the new CERT types from RFC 4398.
 8913 			[RT #19077]
 8914 
 8915 2517.	[bug]		dig +trace with -4 or -6 failed when it chose a
 8916 			nameserver address of the excluded address type.
 8917 			[RT #18843]
 8918 
 8919 2516.	[bug]		glue sort for responses was performed even when not
 8920 			needed. [RT #19039]
 8921 
 8922 2515.	[port]		win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
 8923 			[RT #19063]
 8924 
 8925 2514.	[bug]		dig/host failed with -4 or -6 when resolv.conf contains
 8926 			a nameserver of the excluded address family.
 8927 			[RT #18848]
 8928 
 8929 2513.	[bug]		Fix windows cli build. [RT #19062]
 8930 
 8931 2512.	[func]		Print a summary of the cached records which make up
 8932 			the negative response.  [RT #18885]
 8933 
 8934 2511.	[cleanup]	dns_rdata_tofmttext() add const to linebreak.
 8935 			[RT #18885]
 8936 
 8937 2510.	[bug]		"dig +sigchase" could trigger REQUIRE failures.
 8938 			[RT #19033]
 8939 
 8940 2509.	[bug]		Specifying a fixed query source port was broken.
 8941 			[RT #19051]
 8942 
 8943 2508.	[placeholder]
 8944 
 8945 2507.	[func]		Log the recursion quota values when killing the
 8946 			oldest query or refusing to recurse due to quota.
 8947 			[RT #19022]
 8948 
 8949 2506.	[port]		solaris: Check at configure time if
 8950 			hack_shutup_pthreadonceinit is needed. [RT #19037]
 8951 
 8952 2505.	[port]		Treat amd64 similarly to x86_64 when determining
 8953 			atomic operation support. [RT #19031]
 8954 
 8955 2504.	[bug]		Address race condition in the socket code. [RT #18899]
 8956 
 8957 2503.	[port]		linux: improve compatibility with Linux Standard
 8958 			Base. [RT #18793]
 8959 
 8960 2502.	[cleanup]	isc_radix: Improve compliance with coding style,
 8961 			document function in <isc/radix.h>. [RT #18534]
 8962 
 8963 2501.	[func]		$GENERATE now supports all rdata types.  Multi-field
 8964 			rdata types need to be quoted.  See the ARM for
 8965 			details. [RT #18368]
 8966 
 8967 2500.	[contrib]	contrib/sdb/pgsql/zonetodb.c called non-existent
 8968 			function. [RT #18582]
 8969 
 8970 2499.	[port]		solaris: lib/lwres/getaddrinfo.c namespace clash.
 8971 			[RT #18837]
 8972 
 8973 	--- 9.6.0rc1 released ---
 8974 
 8975 2498.	[bug]		Removed a bogus function argument used with
 8976 			ISC_SOCKET_USE_POLLWATCH: it could cause compiler
 8977 			warning or crash named with the debug 1 level
 8978 			of logging. [RT #18917]
 8979 
 8980 2497.	[bug]		Don't add RRSIG bit to NSEC3 bit map for insecure
 8981 			delegation.
 8982 
 8983 2496.	[bug]		Add sanity length checks to NSID option. [RT #18813]
 8984 
 8985 2495.	[bug]		Tighten RRSIG checks. [RT #18795]
 8986 
 8987 2494.	[bug]		isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
 8988 			installed. [RT #18826]
 8989 
 8990 2493.	[bug]		The linux capabilities code was not correctly cleaning
 8991 			up after itself. [RT #18767]
 8992 
 8993 2492.	[func]		Rndc status now reports the number of cpus discovered
 8994 			and the number of worker threads when running
 8995 			multi-threaded. [RT #18273]
 8996 
 8997 2491.	[func]		Attempt to re-use a local port if we are already using
 8998 			the port. [RT #18548]
 8999 
 9000 2490.	[port]		aix: work around a kernel bug where IPV6_RECVPKTINFO
 9001 			is cleared when IPV6_V6ONLY is set. [RT #18785]
 9002 
 9003 2489.	[port]		solaris: Workaround Solaris's kernel bug about
 9004 			/dev/poll:
 9005 			http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
 9006 			Define ISC_SOCKET_USE_POLLWATCH at build time to enable
 9007 			this workaround. [RT #18870]
 9008 
 9009 2488.	[func]		Added a tool, dnssec-dsfromkey, to generate DS records
 9010 			from keyset and .key files. [RT #18694]
 9011 
 9012 2487.	[bug]		Give TCP connections longer to complete. [RT #18675]
 9013 
 9014 2486.	[func]		The default locations for named.pid and lwresd.pid
 9015 			are now /var/run/named/named.pid and
 9016 			/var/run/lwresd/lwresd.pid respectively.
 9017 
 9018 			This allows the owner of the containing directory
 9019 			to be set, for "named -u" support, and allows there
 9020 			to be a permanent symbolic link in the path, for
 9021 			"named -t" support.  [RT #18306]
 9022 
 9023 2485.	[bug]		Change update's the handling of obscured RRSIG
 9024 			records.  Not all orphaned DS records were being
 9025 			removed. [RT #18828]
 9026 
 9027 2484.	[bug]		It was possible to trigger a REQUIRE failure when
 9028 			adding NSEC3 proofs to the response in
 9029 			query_addwildcardproof().  [RT #18828]
 9030 
 9031 2483.	[port]		win32: chroot() is not supported. [RT #18805]
 9032 
 9033 2482.	[port]		libxml2: support versions 2.7.* in addition
 9034 			to 2.6.*. [RT #18806]
 9035 
 9036 	--- 9.6.0b1 released ---
 9037 
 9038 2481.	[bug]		rbtdb.c:matchparams() failed to handle NSEC3 chain
 9039 			collisions.  [RT #18812]
 9040 
 9041 2480.	[bug]		named could fail to emit all the required NSEC3
 9042 			records.  [RT #18812]
 9043 
 9044 2479.	[bug]		xfrout:covers was not properly initialized. [RT #18801]
 9045 
 9046 2478.	[bug]		'addresses' could be used uninitialized in
 9047 			configure_forward(). [RT #18800]
 9048 
 9049 2477.	[bug]		dig: the global option to print the command line is
 9050 			+cmd not print_cmd.  Update the output to reflect
 9051 			this. [RT #17008]
 9052 
 9053 2476.	[doc]		ARM: improve documentation for max-journal-size and
 9054 			ixfr-from-differences. [RT #15909] [RT #18541]
 9055 
 9056 2475.	[bug]		LRU cache cleanup under overmem condition could purge
 9057 			particular entries more aggressively. [RT #17628]
 9058 
 9059 2474.	[bug]		ACL structures could be allocated with insufficient
 9060 			space, causing an array overrun. [RT #18765]
 9061 
 9062 2473.	[port]		linux: raise the limit on open files to the possible
 9063 			maximum value before spawning threads; 'files'
 9064 			specified in named.conf doesn't seem to work with
 9065 			threads as expected. [RT #18784]
 9066 
 9067 2472.	[port]		linux: check the number of available cpu's before
 9068 			calling chroot as it depends on "/proc". [RT #16923]
 9069 
 9070 2471.	[bug]		named-checkzone was not reporting missing mandatory
 9071 			glue when sibling checks were disabled. [RT #18768]
 9072 
 9073 2470.	[bug]		Elements of the isc_radix_node_t could be incorrectly
 9074 			overwritten.  [RT #18719]
 9075 
 9076 2469.	[port]		solaris: Work around Solaris's select() limitations.
 9077 			[RT #18769]
 9078 
 9079 2468.	[bug]		Resolver could try unreachable servers multiple times.
 9080 			[RT #18739]
 9081 
 9082 2467.	[bug]		Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]
 9083 
 9084 2466.	[doc]		ARM: explain max-cache-ttl 0 SERVFAIL issue.
 9085 			[RT #18302]
 9086 
 9087 2465.	[bug]		Adb's handling of lame addresses was different
 9088 			for IPv4 and IPv6. [RT #18738]
 9089 
 9090 2464.	[port]		linux: check that a capability is present before
 9091 			trying to set it. [RT #18135]
 9092 
 9093 2463.	[port]		linux: POSIX doesn't include the IPv6 Advanced Socket
 9094 			API and glibc hides parts of the IPv6 Advanced Socket
 9095 			API as a result.  This is stupid as it breaks how the
 9096 			two halves (Basic and Advanced) of the IPv6 Socket API
 9097 			were designed to be used but we have to live with it.
 9098 			Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
 9099 			API. [RT #18388]
 9100 
 9101 2462.	[doc]		Document -m (enable memory usage debugging)
 9102 			option for dig. [RT #18757]
 9103 
 9104 2461.	[port]		sunos: Change #2363 was not complete. [RT #17513]
 9105 
 9106 	--- 9.6.0a1 released ---
 9107 
 9108 2460.	[bug]		Don't call dns_db_getnsec3parameters() on the cache.
 9109 			[RT #18697]
 9110 
 9111 2459.	[contrib]	Import dnssec-zkt to contrib/zkt. [RT #18448]
 9112 
 9113 2458.	[doc]		ARM: update and correction for max-cache-size.
 9114 			[RT #18294]
 9115 
 9116 2457.	[tuning]	max-cache-size is reverted to 0, the previous
 9117 			default.  It should be safe because expired cache
 9118 			entries are also purged. [RT #18684]
 9119 
 9120 2456.	[bug]		In ACLs, ::/0 and 0.0.0.0/0 would both match any
 9121 			address, regardless of family.  They now correctly
 9122 			distinguish IPv4 from IPv6.  [RT #18559]
 9123 
 9124 2455.	[bug]		Stop metadata being transferred via axfr/ixfr.
 9125 			[RT #18639]
 9126 
 9127 2454.	[func]		nsupdate: you can now set a default ttl. [RT #18317]
 9128 
 9129 2453.	[bug]		Remove NULL pointer dereference in dns_journal_print().
 9130 			[RT #18316]
 9131 
 9132 2452.	[func]		Improve bin/test/journalprint. [RT #18316]
 9133 
 9134 2451.	[port]		solaris: handle runtime linking better. [RT #18356]
 9135 
 9136 2450.	[doc]		Fix lwresd docbook problem for manual page.
 9137 			[RT #18672]
 9138 
 9139 2449.	[placeholder]
 9140 
 9141 2448.	[func]		Add NSEC3 support. [RT #15452]
 9142 
 9143 2447.	[cleanup]	libbind has been split out as a separate product.
 9144 
 9145 2446.	[func]		Add a new log message about build options on startup.
 9146 			A new command-line option '-V' for named is also
 9147 			provided to show this information. [RT #18645]
 9148 
 9149 2445.	[doc]		ARM out-of-date on empty reverse zones (list includes
 9150 			RFC1918 address, but these are not yet compiled in).
 9151 			[RT #18578]
 9152 
 9153 2444.	[port]		Linux, FreeBSD, AIX: Turn off path mtu discovery
 9154 			(clear DF) for UDP responses and requests.
 9155 
 9156 2443.	[bug]		win32: UDP connect() would not generate an event,
 9157 			and so connected UDP sockets would never clean up.
 9158 			Fix this by doing an immediate WSAConnect() rather
 9159 			than an io completion port type for UDP.
 9160 
 9161 2442.	[bug]		A lock could be destroyed twice. [RT #18626]
 9162 
 9163 2441.	[bug]		isc_radix_insert() could copy radix tree nodes
 9164 			incompletely. [RT #18573]
 9165 
 9166 2440.	[bug]		named-checkconf used an incorrect test to determine
 9167 			if an ACL was set to none.
 9168 
 9169 2439.	[bug]		Potential NULL dereference in dns_acl_isanyornone().
 9170 			[RT #18559]
 9171 
 9172 2438.	[bug]		Timeouts could be logged incorrectly under win32.
 9173 
 9174 2437.	[bug]		Sockets could be closed too early, leading to
 9175 			inconsistent states in the socket module. [RT #18298]
 9176 
 9177 2436.	[security]	win32: UDP client handler can be shutdown. [RT #18576]
 9178 
 9179 2435.	[bug]		Fixed an ACL memory leak affecting win32.
 9180 
 9181 2434.	[bug]		Fixed a minor error-reporting bug in
 9182 			lib/isc/win32/socket.c.
 9183 
 9184 2433.	[tuning]	Set initial timeout to 800ms.
 9185 
 9186 2432.	[bug]		More Windows socket handling improvements.  Stop
 9187 			using I/O events and use IO Completion Ports
 9188 			throughout.  Rewrite the receive path logic to make
 9189 			it easier to support multiple simultaneous
 9190 			requesters in the future.  Add stricter consistency
 9191 			checking as a compile-time option (define
 9192 			ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).
 9193 
 9194 2431.	[bug]		Acl processing could leak memory. [RT #18323]
 9195 
 9196 2430.	[bug]		win32: isc_interval_set() could round down to
 9197 			zero if the input was less than NS_INTERVAL
 9198 			nanoseconds.  Round up instead. [RT #18549]
 9199 
 9200 2429.	[doc]		nsupdate should be in section 1 of the man pages.
 9201 			[RT #18283]
 9202 
 9203 2428.	[bug]		dns_iptable_merge() mishandled merges of negative
 9204 			tables. [RT #18409]
 9205 
 9206 2427.	[func]		Treat DNSKEY queries as if "minimal-response yes;"
 9207 			was set. [RT #18528]
 9208 
 9209 2426.	[bug]		libbind: inet_net_pton() can sometimes return the
 9210 			wrong value if excessively large net masks are
 9211 			supplied. [RT #18512]
 9212 
 9213 2425.	[bug]		named didn't detect unavailable query source addresses
 9214 			at load time. [RT #18536]
 9215 
 9216 2424.	[port]		configure now probes for a working epoll
 9217 			implementation.  Allow the use of kqueue,
 9218 			epoll and /dev/poll to be selected at compile
 9219 			time. [RT #18277]
 9220 
 9221 2423.	[security]	Randomize server selection on queries, so as to
 9222 			make forgery a little more difficult.  Instead of
 9223 			always preferring the server with the lowest RTT,
 9224 			pick a server with RTT within the same 128
 9225 			millisecond band.  [RT #18441]
 9226 
 9227 2422.	[bug]		Handle the special return value of a empty node as
 9228 			if it was a NXRRSET in the validator. [RT #18447]
 9229 
 9230 2421.	[func]		Add new command line option '-S' for named to specify
 9231 			the max number of sockets. [RT #18493]
 9232 			Use caution: this option may not work for some
 9233 			operating systems without rebuilding named.
 9234 
 9235 2420.	[bug]		Windows socket handling cleanup.  Let the io
 9236 			completion event send out canceled read/write
 9237 			done events, which keeps us from writing to memory
 9238 			we no longer have ownership of.  Add debugging
 9239 			socket_log() function.  Rework TCP socket handling
 9240 			to not leak sockets.
 9241 
 9242 2419.	[cleanup]	Document that isc_socket_create() and isc_socket_open()
 9243 			should not be used for isc_sockettype_fdwatch sockets.
 9244 			[RT #18521]
 9245 
 9246 2418.	[bug]		AXFR request on a DLZ could trigger a REQUIRE failure
 9247 			[RT #18430]
 9248 
 9249 2417.	[bug]		Connecting UDP sockets for outgoing queries could
 9250 			unexpectedly fail with an 'address already in use'
 9251 			error. [RT #18411]
 9252 
 9253 2416.	[func]		Log file descriptors that cause exceeding the
 9254 			internal maximum. [RT #18460]
 9255 
 9256 2415.	[bug]		'rndc dumpdb' could trigger various assertion failures
 9257 			in rbtdb.c. [RT #18455]
 9258 
 9259 2414.	[bug]		A masterdump context held the database lock too long,
 9260 			causing various troubles such as dead lock and
 9261 			recursive lock acquisition. [RT #18311, #18456]
 9262 
 9263 2413.	[bug]		Fixed an unreachable code path in socket.c. [RT #18442]
 9264 
 9265 2412.	[bug]		win32: address a resource leak. [RT #18374]
 9266 
 9267 2411.	[bug]		Allow using a larger number of sockets than FD_SETSIZE
 9268 			for select().  To enable this, set ISC_SOCKET_MAXSOCKETS
 9269 			at compilation time.  [RT #18433]
 9270 
 9271 			Note: with changes #2469 and #2421 above, there is no
 9272 			need to tweak ISC_SOCKET_MAXSOCKETS at compilation time
 9273 			any more.
 9274 
 9275 2410.	[bug]		Correctly delete m_versionInfo. [RT #18432]
 9276 
 9277 2409.	[bug]		Only log that we disabled EDNS processing if we were
 9278 			subsequently successful.  [RT #18029]
 9279 
 9280 2408.	[bug]		A duplicate TCP dispatch event could be sent, which
 9281 			could then trigger an assertion failure in
 9282 			resquery_response().  [RT #18275]
 9283 
 9284 2407.	[port]		hpux: test for sys/dyntune.h. [RT #18421]
 9285 
 9286 2406.	[placeholder]
 9287 
 9288 2405.	[cleanup]	The default value for dnssec-validation was changed to
 9289 			"yes" in 9.5.0-P1 and all subsequent releases; this
 9290 			was inadvertently omitted from CHANGES at the time.
 9291 
 9292 2404.	[port]		hpux: files unlimited support.
 9293 
 9294 2403.	[bug]		TSIG context leak. [RT #18341]
 9295 
 9296 2402.	[port]		Support Solaris 2.11 and over. [RT #18362]
 9297 
 9298 2401.	[bug]		Expect to get E[MN]FILE errno internal_accept()
 9299 			(from accept() or fcntl() system calls). [RT #18358]
 9300 
 9301 2400.	[bug]		Log if kqueue()/epoll_create()/open(/dev/poll) fails.
 9302 			[RT #18297]
 9303 
 9304 2399.	[placeholder]
 9305 
 9306 2398.	[bug]		Improve file descriptor management.  New,
 9307 			temporary, named.conf option reserved-sockets,
 9308 			default 512. [RT #18344]
 9309 
 9310 2397.	[bug]		gssapi_functions had too many elements. [RT #18355]
 9311 
 9312 2396.	[bug]		Don't set SO_REUSEADDR for randomized ports.
 9313 			[RT #18336]
 9314 
 9315 2395.	[port]		Avoid warning and no effect from "files unlimited"
 9316 			on Linux when running as root. [RT #18335]
 9317 
 9318 2394.	[bug]		Default configuration options set the limit for
 9319 			open files to 'unlimited' as described in the
 9320 			documentation. [RT #18331]
 9321 
 9322 2393.	[bug]		nested acls containing keys could trigger an
 9323 			assertion in acl.c. [RT #18166]
 9324 
 9325 2392.	[bug]		remove 'grep -q' from acl test script, some platforms
 9326 			don't support it. [RT #18253]
 9327 
 9328 2391.	[port]		hpux: cover additional recvmsg() error codes.
 9329 			[RT #18301]
 9330 
 9331 2390.	[bug]		dispatch.c could make a false warning on 'odd socket'.
 9332 			[RT #18301].
 9333 
 9334 2389.	[bug]		Move the "working directory writable" check to after
 9335 			the ns_os_changeuser() call. [RT #18326]
 9336 
 9337 2388.	[bug]		Avoid using tables for layout purposes in
 9338 			statistics XSL [RT #18159].
 9339 
 9340 2387.	[bug]		Silence compiler warnings in lib/isc/radix.c.
 9341 			[RT #18147] [RT #18258]
 9342 
 9343 2386.	[func]		Add warning about too small 'open files' limit.
 9344 			[RT #18269]
 9345 
 9346 2385.	[bug]		A condition variable in socket.c could leak in
 9347 			rare error handling [RT #17968].
 9348 
 9349 2384.	[security]	Fully randomize UDP query ports to improve
 9350 			forgery resilience. [RT #17949, #18098]
 9351 
 9352 2383.	[bug]		named could double queries when they resulted in
 9353 			SERVFAIL due to overkilling EDNS0 failure detection.
 9354 			[RT #18182]
 9355 
 9356 2382.	[doc]		Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
 9357 			to ARM.
 9358 
 9359 2381.	[port]		dlz/mysql: support multiple install layouts for
 9360 			mysql.  <prefix>/include/{,mysql/}mysql.h and
 9361 			<prefix>/lib/{,mysql/}. [RT #18152]
 9362 
 9363 2380.	[bug]		dns_view_find() was not returning NXDOMAIN/NXRRSET
 9364 			proofs which, in turn, caused validation failures
 9365 			for insecure zones immediately below a secure zone
 9366 			the server was authoritative for. [RT #18112]
 9367 
 9368 2379.	[contrib]	queryperf/gen-data-queryperf.py: removed redundant
 9369 			TLDs and supported RRs with TTLs [RT #17972]
 9370 
 9371 2378.	[bug]		gssapi_functions{} had a redundant member in BIND 9.5.
 9372 			[RT #18169]
 9373 
 9374 2377.	[bug]		Address race condition in dnssec-signzone. [RT #18142]
 9375 
 9376 2376.	[bug]		Change #2144 was not complete.
 9377 
 9378 2375.	[placeholder]
 9379 
 9380 2374.	[bug]		"blackhole" ACLs could cause named to segfault due
 9381 			to some uninitialized memory. [RT #18095]
 9382 
 9383 2373.	[bug]		Default values of zone ACLs were re-parsed each time a
 9384 			new zone was configured, causing an overconsumption
 9385 			of memory. [RT #18092]
 9386 
 9387 2372.	[bug]		Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]
 9388 
 9389 2371.	[doc]		Add +nsid option to dig man page. [RT #18039]
 9390 
 9391 2370.	[bug]		"rndc freeze" could trigger an assertion in named
 9392 			when called on a nonexistent zone. [RT #18050]
 9393 
 9394 2369.	[bug]		libbind: Array bounds overrun on read in bitncmp().
 9395 			[RT #18054]
 9396 
 9397 2368.	[port]		Linux: use libcap for capability management if
 9398 			possible. [RT #18026]
 9399 
 9400 2367.	[bug]		Improve counting of dns_resstatscounter_retry
 9401 			[RT #18030]
 9402 
 9403 2366.	[bug]		Adb shutdown race. [RT #18021]
 9404 
 9405 2365.	[bug]		Fix a bug that caused dns_acl_isany() to return
 9406 			spurious results. [RT #18000]
 9407 
 9408 2364.	[bug]		named could trigger a assertion when serving a
 9409 			malformed signed zone. [RT #17828]
 9410 
 9411 2363.	[port]		sunos: pre-set "lt_cv_sys_max_cmd_len=4096;".
 9412 			[RT #17513]
 9413 
 9414 2362.	[cleanup]	Make "rrset-order fixed" a compile-time option.
 9415 			settable by "./configure --enable-fixed-rrset".
 9416 			Disabled by default. [RT #17977]
 9417 
 9418 2361.	[bug]		"recursion" statistics counter could be counted
 9419 			multiple times for a single query.  [RT #17990]
 9420 
 9421 2360.	[bug]		Fix a condition where we release a database version
 9422 			(which may acquire a lock) while holding the lock.
 9423 
 9424 2359.	[bug]		Fix NSID bug. [RT #17942]
 9425 
 9426 2358.	[doc]		Update host's default query description. [RT #17934]
 9427 
 9428 2357.	[port]		Don't use OpenSSL's engine support in versions before
 9429 			OpenSSL 0.9.7f. [RT #17922]
 9430 
 9431 2356.	[bug]		Built in mutex profiler was not scalable enough.
 9432 			[RT #17436]
 9433 
 9434 2355.	[func]		Extend the number statistics counters available.
 9435 			[RT #17590]
 9436 
 9437 2354.	[bug]		Failed to initialize some rdatasetheader_t elements.
 9438 			[RT #17927]
 9439 
 9440 2353.	[func]		Add support for Name Server ID (RFC 5001).
 9441 			'dig +nsid' requests NSID from server.
 9442 			'request-nsid yes;' causes recursive server to send
 9443 			NSID requests to upstream servers.  Server responds
 9444 			to NSID requests with the string configured by
 9445 			'server-id' option.  [RT #17091]
 9446 
 9447 2352.	[bug]		Various GSS_API fixups. [RT #17729]
 9448 
 9449 2351.	[bug]		convertxsl.pl generated very long lines. [RT #17906]
 9450 
 9451 2350.	[port]		win32: IPv6 support. [RT #17797]
 9452 
 9453 2349.	[func]		Provide incremental re-signing support for secure
 9454 			dynamic zones. [RT #1091]
 9455 
 9456 2348.	[func]		Use the EVP interface to OpenSSL. Add PKCS#11 support.
 9457 			Documentation is in the new README.pkcs11 file.
 9458 			New tool, dnssec-keyfromlabel, which takes the
 9459 			label of a key pair in a HSM and constructs a DNS
 9460 			key pair for use by named and dnssec-signzone.
 9461 			[RT #16844]
 9462 
 9463 2347.	[bug]		Delete now traverses the RB tree in the canonical
 9464 			order. [RT #17451]
 9465 
 9466 2346.	[func]		Memory statistics now cover all active memory contexts
 9467 			in increased detail. [RT #17580]
 9468 
 9469 2345.	[bug]		named-checkconf failed to detect when forwarders
 9470 			were set at both the options/view level and in
 9471 			a root zone. [RT #17671]
 9472 
 9473 2344.	[bug]		Improve "logging{ file ...; };" documentation.
 9474 			[RT #17888]
 9475 
 9476 2343.	[bug]		(Seemingly) duplicate IPv6 entries could be
 9477 			created in ADB. [RT #17837]
 9478 
 9479 2342.	[func]		Use getifaddrs() if available under Linux. [RT #17224]
 9480 
 9481 2341.	[bug]		libbind: add missing -I../include for off source
 9482 			tree builds. [RT #17606]
 9483 
 9484 2340.	[port]		openbsd: interface configuration. [RT #17700]
 9485 
 9486 2339.	[port]		tru64: support for libbind. [RT #17589]
 9487 
 9488 2338.	[bug]		check_ds() could be called with a non DS rdataset.
 9489 			[RT #17598]
 9490 
 9491 2337.	[bug]		BUILD_LDFLAGS was not being correctly set.  [RT #17614]
 9492 
 9493 2336.	[func]		If "named -6" is specified then listen on all IPv6
 9494 			interfaces if there are not listen-on-v6 clauses in
 9495 			named.conf.  [RT #17581]
 9496 
 9497 2335.	[port]		sunos:  libbind and *printf() support for long long.
 9498 			[RT #17513]
 9499 
 9500 2334.	[bug]		Bad REQUIRES in fromstruct_in_naptr(),  off by one
 9501 			bug in fromstruct_txt(). [RT #17609]
 9502 
 9503 2333.	[bug]		Fix off by one error in isc_time_nowplusinterval().
 9504 			[RT #17608]
 9505 
 9506 2332.	[contrib]	query-loc-0.4.0. [RT #17602]
 9507 
 9508 2331.	[bug]		Failure to regenerate any signatures was not being
 9509 			reported nor being past back to the UPDATE client.
 9510 			[RT #17570]
 9511 
 9512 2330.	[bug]		Remove potential race condition when handling
 9513 			over memory events. [RT #17572]
 9514 
 9515 			WARNING: API CHANGE: over memory callback
 9516 			function now needs to call isc_mem_waterack().
 9517 			See <isc/mem.h> for details.
 9518 
 9519 2329.	[bug]		Clearer help text for dig's '-x' and '-i' options.
 9520 
 9521 2328.	[maint]		Add AAAA addresses for A.ROOT-SERVERS.NET,
 9522 			F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET,
 9523 			J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
 9524 			M.ROOT-SERVERS.NET.
 9525 
 9526 2327.	[bug]		It was possible to dereference a NULL pointer in
 9527 			rbtdb.c.  Implement dead node processing in zones as
 9528 			we do for caches. [RT #17312]
 9529 
 9530 2326.	[bug]		It was possible to trigger a INSIST in the acache
 9531 			processing.
 9532 
 9533 2325.	[port]		Linux: use capset() function if available. [RT #17557]
 9534 
 9535 2324.	[bug]		Fix IPv6 matching against "any;". [RT #17533]
 9536 
 9537 2323.	[port]		tru64: namespace clash. [RT #17547]
 9538 
 9539 2322.	[port]		MacOS: work around the limitation of setrlimit()
 9540 			for RLIMIT_NOFILE. [RT #17526]
 9541 
 9542 2321.	[placeholder]
 9543 
 9544 2320.	[func]		Make statistics counters thread-safe for platforms
 9545 			that support certain atomic operations. [RT #17466]
 9546 
 9547 2319.	[bug]		Silence Coverity warnings in
 9548 			lib/dns/rdata/in_1/apl_42.c. [RT #17469]
 9549 
 9550 2318.	[port]		sunos fixes for libbind.  [RT #17514]
 9551 
 9552 2317.	[bug]		"make distclean" removed bind9.xsl.h. [RT #17518]
 9553 
 9554 2316.	[port]		Missing #include <isc/print.h> in lib/dns/gssapictx.c.
 9555 			[RT #17513]
 9556 
 9557 2315.	[bug]		Used incorrect address family for mapped IPv4
 9558 			addresses in acl.c. [RT #17519]
 9559 
 9560 2314.	[bug]		Uninitialized memory use on error path in
 9561 			bin/named/lwdnoop.c.  [RT #17476]
 9562 
 9563 2313.	[cleanup]	Silence Coverity warnings. Handle private stacks.
 9564 			[RT #17447] [RT #17478]
 9565 
 9566 2312.	[cleanup]	Silence Coverity warning in lib/isc/unix/socket.c.
 9567 			[RT #17458]
 9568 
 9569 2311.	[bug]		IPv6 addresses could match IPv4 ACL entries and
 9570 			vice versa. [RT #17462]
 9571 
 9572 2310.	[bug]		dig, host, nslookup: flush stdout before emitting
 9573 			debug/fatal messages.  [RT #17501]
 9574 
 9575 2309.	[cleanup]	Fix Coverity warnings in lib/dns/acl.c and iptable.c.
 9576 			[RT #17455]
 9577 
 9578 2308.	[cleanup]	Silence Coverity warning in bin/named/controlconf.c.
 9579 			[RT #17495]
 9580 
 9581 2307.	[bug]		Remove infinite loop from lib/dns/sdb.c. [RT #17496]
 9582 
 9583 2306.	[bug]		Remove potential race from lib/dns/resolver.c.
 9584 			[RT #17470]
 9585 
 9586 2305.	[security]	inet_network() buffer overflow. CVE-2008-0122.
 9587 
 9588 2304.	[bug]		Check returns from all dns_rdata_tostruct() calls.
 9589 			[RT #17460]
 9590 
 9591 2303.	[bug]		Remove unnecessary code from bin/named/lwdgnba.c.
 9592 			[RT #17471]
 9593 
 9594 2302.	[bug]		Fix memset() calls in lib/tests/t_api.c. [RT #17472]
 9595 
 9596 2301.	[bug]		Remove resource leak and fix error messages in
 9597 			bin/tests/system/lwresd/lwtest.c. [RT #17474]
 9598 
 9599 2300.	[bug]		Fixed failure to close open file in
 9600 			bin/tests/names/t_names.c. [RT #17473]
 9601 
 9602 2299.	[bug]		Remove unnecessary NULL check in
 9603 			bin/nsupdate/nsupdate.c. [RT #17475]
 9604 
 9605 2298.	[bug]		isc_mutex_lock() failure not caught in
 9606 			bin/tests/timers/t_timers.c. [RT #17468]
 9607 
 9608 2297.	[bug]		isc_entropy_createfilesource() failure not caught in
 9609 			bin/tests/dst/t_dst.c. [RT #17467]
 9610 
 9611 2296.	[port]		Allow docbook stylesheet location to be specified to
 9612 			configure. [RT #17457]
 9613 
 9614 2295.	[bug]		Silence static overrun error in bin/named/lwaddr.c.
 9615 			[RT #17459]
 9616 
 9617 2294.	[func]		Allow the experimental statistics channels to have
 9618 			multiple connections and ACL.
 9619 			Note: the stats-server and stats-server-v6 options
 9620 			available in the previous beta releases are replaced
 9621 			with the generic statistics-channels statement.
 9622 
 9623 2293.	[func]		Add ACL regression test. [RT #17375]
 9624 
 9625 2292.	[bug]		Log if the working directory is not writable.
 9626 			[RT #17312]
 9627 
 9628 2291.	[bug]		PR_SET_DUMPABLE may be set too late.  Also report
 9629 			failure to set PR_SET_DUMPABLE. [RT #17312]
 9630 
 9631 2290.	[bug]		Let AD in the query signal that the client wants AD
 9632 			set in the response. [RT #17301]
 9633 
 9634 2289.	[func]		named-checkzone now reports the out-of-zone CNAME
 9635 			found. [RT #17309]
 9636 
 9637 2288.	[port]		win32: mark service as running when we have finished
 9638 			loading.  [RT #17441]
 9639 
 9640 2287.	[bug]		Use 'volatile' if the compiler supports it. [RT #17413]
 9641 
 9642 2286.	[func]		Allow a TCP connection to be used as a weak
 9643 			authentication method for reverse zones.
 9644 			New update-policy methods tcp-self and 6to4-self.
 9645 			[RT #17378]
 9646 
 9647 2285.	[func]		Test framework for client memory context management.
 9648 			[RT #17377]
 9649 
 9650 2284.	[bug]		Memory leak in UPDATE prerequisite processing.
 9651 			[RT #17377]
 9652 
 9653 2283.	[bug]		TSIG keys were not attaching to the memory
 9654 			context.  TSIG keys should use the rings
 9655 			memory context rather than the clients memory
 9656 			context. [RT #17377]
 9657 
 9658 2282.	[bug]		Acl code fixups. [RT #17346] [RT #17374]
 9659 
 9660 2281.	[bug]		Attempts to use undefined acls were not being logged.
 9661 			[RT #17307]
 9662 
 9663 2280.	[func]		Allow the experimental http server to be reached
 9664 			over IPv6 as well as IPv4. [RT #17332]
 9665 
 9666 2279.	[bug]		Use setsockopt(SO_NOSIGPIPE), when available,
 9667 			to protect applications from receiving spurious
 9668 			SIGPIPE signals when using the resolver.
 9669 
 9670 2278.	[bug]		win32: handle the case where Windows returns no
 9671 			search list or DNS suffix. [RT #17354]
 9672 
 9673 2277.	[bug]		Empty zone names were not correctly being caught at
 9674 			in the post parse checks. [RT #17357]
 9675 
 9676 2276.	[bug]		Install <dst/gssapi.h>.  [RT #17359]
 9677 
 9678 2275.	[func]		Add support to dig to perform IXFR queries over UDP.
 9679 			[RT #17235]
 9680 
 9681 2274.	[func]		Log zone transfer statistics. [RT #17336]
 9682 
 9683 2273.	[bug]		Adjust log level to WARNING when saving inconsistent
 9684 			stub/slave master and journal files. [RT #17279]
 9685 
 9686 2272.	[bug]		Handle illegal dnssec-lookaside trust-anchor names.
 9687 			[RT #17262]
 9688 
 9689 2271.	[bug]		Fix a memory leak in http server code [RT #17100]
 9690 
 9691 2270.	[bug]		dns_db_closeversion() version->writer could be reset
 9692 			before it is tested. [RT #17290]
 9693 
 9694 2269.	[contrib]	dbus memory leaks and missing va_end calls. [RT #17232]
 9695 
 9696 2268.	[bug]		0.IN-ADDR.ARPA was missing from the empty zones
 9697 			list.
 9698 
 9699 	--- 9.5.0b1 released ---
 9700 
 9701 2267.	[bug]		Radix tree node_num value could be set incorrectly,
 9702 			causing positive ACL matches to look like negative
 9703 			ones.  [RT #17311]
 9704 
 9705 2266.	[bug]		client.c:get_clientmctx() returned the same mctx
 9706 			once the pool of mctx's was filled. [RT #17218]
 9707 
 9708 2265.	[bug]		Test that the memory context's basic_table is non NULL
 9709 			before freeing.  [RT #17265]
 9710 
 9711 2264.	[bug]		Server prefix length was being ignored. [RT #17308]
 9712 
 9713 2263.	[bug]		"named-checkconf -z" failed to set default value
 9714 			for "check-integrity".  [RT #17306]
 9715 
 9716 2262.	[bug]		Error status from all but the last view could be
 9717 			lost. [RT #17292]
 9718 
 9719 2261.	[bug]		Fix memory leak with "any" and "none" ACLs [RT #17272]
 9720 
 9721 2260.	[bug]		Reported wrong clients-per-query when increasing the
 9722 			value. [RT #17236]
 9723 
 9724 2259.	[placeholder]
 9725 
 9726 	--- 9.5.0a7 released ---
 9727 
 9728 2258.	[bug]		Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken.
 9729 			[RT #17241]
 9730 
 9731 2257.	[bug]		win32: Use the full path to vcredist_x86.exe when
 9732 			calling it. [RT #17222]
 9733 
 9734 2256.	[bug]		win32: Correctly register the installation location of
 9735 			bindevt.dll. [RT #17159]
 9736 
 9737 2255.	[maint]		L.ROOT-SERVERS.NET is now 199.7.83.42.
 9738 
 9739 2254.	[bug]		timer.c:dispatch() failed to lock timer->lock
 9740 			when reading timer->idle allowing it to see
 9741 			intermediate values as timer->idle was reset by
 9742 			isc_timer_touch(). [RT #17243]
 9743 
 9744 2253.	[func]		"max-cache-size" defaults to 32M.
 9745 			"max-acache-size" defaults to 16M.
 9746 
 9747 2252.	[bug]		Fixed errors in sortlist code [RT #17216]
 9748 
 9749 2251.	[placeholder]
 9750 
 9751 2250.	[func]		New flag 'memstatistics' to state whether the
 9752 			memory statistics file should be written or not.
 9753 			Additionally named's -m option will cause the
 9754 			statistics file to be written. [RT #17113]
 9755 
 9756 2249.	[bug]		Only set Authentic Data bit if client requested
 9757 			DNSSEC, per RFC 3655 [RT #17175]
 9758 
 9759 2248.	[cleanup]	Fix several errors reported by Coverity. [RT #17160]
 9760 
 9761 2247.	[doc]		Sort doc/misc/options. [RT #17067]
 9762 
 9763 2246.	[bug]		Make the startup of test servers (ans.pl) more
 9764 			robust. [RT #17147]
 9765 
 9766 2245.	[bug]		Validating lack of DS records at trust anchors wasn't
 9767 			working. [RT #17151]
 9768 
 9769 2244.	[func]		Allow the check of nameserver names against the
 9770 			SOA MNAME field to be disabled by specifying
 9771 			'notify-to-soa yes;'.  [RT #17073]
 9772 
 9773 2243.	[func]		Configuration files without a newline at the end now
 9774 			parse without error. [RT #17120]
 9775 
 9776 2242.	[bug]		nsupdate: GSS-TSIG support using the Heimdal Kerberos
 9777 			library could require a source of random data.
 9778 			[RT #17127]
 9779 
 9780 2241.	[func]		nsupdate: add a interactive 'help' command. [RT #17099]
 9781 
 9782 2240.	[bug]		Cleanup nsupdates GSS-TSIG support.  Convert
 9783 			a number of INSIST()s into plain fatal() errors
 9784 			which report the triggering result code.
 9785 			The 'key' command wasn't disabling GSS-TSIG.
 9786 			[RT #17099]
 9787 
 9788 2239.	[func]		Ship a pre built bin/named/bind9.xsl.h. [RT #17114]
 9789 
 9790 2238.	[bug]		It was possible to trigger a REQUIRE when a
 9791 			validation was canceled. [RT #17106]
 9792 
 9793 2237.	[bug]		libbind: res_init() was not thread aware. [RT #17123]
 9794 
 9795 2236.	[bug]		dnssec-signzone failed to preserve the case of
 9796 			of wildcard owner names. [RT #17085]
 9797 
 9798 2235.	[bug]		<isc/atomic.h> was not being installed. [RT #17135]
 9799 
 9800 2234.	[port]		Correct some compiler warnings on SCO OSr5 [RT #17134]
 9801 
 9802 2233.	[func]		Add support for O(1) ACL processing, based on
 9803 			radix tree code originally written by Kevin
 9804 			Brintnall. [RT #16288]
 9805 
 9806 2232.	[bug]		dns_adb_findaddrinfo() could fail and return
 9807 			ISC_R_SUCCESS. [RT #17137]
 9808 
 9809 2231.	[bug]		Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken.
 9810 			[RT #17088]
 9811 
 9812 2230.	[bug]		We could INSIST reading a corrupted journal.
 9813 			[RT #17132]
 9814 
 9815 2229.	[bug]		Null pointer dereference on query pool creation
 9816 			failure. [RT #17133]
 9817 
 9818 2228.	[contrib]	contrib: Change 2188 was incomplete.
 9819 
 9820 2227.	[cleanup]	Tidied up the FAQ. [RT #17121]
 9821 
 9822 2226.	[placeholder]
 9823 
 9824 2225.	[bug]		More support for systems with no IPv4 addresses.
 9825 			[RT #17111]
 9826 
 9827 2224.	[bug]		Defer journal compaction if a xfrin is in progress.
 9828 			[RT #17119]
 9829 
 9830 2223.	[bug]		Make a new journal when compacting. [RT #17119]
 9831 
 9832 2222.	[func]		named-checkconf now checks server key references.
 9833 			[RT #17097]
 9834 
 9835 2221.	[bug]		Set the event result code to reflect the actual
 9836 			record turned to caller when a cache update is
 9837 			rejected due to a more credible answer existing.
 9838 			[RT #17017]
 9839 
 9840 2220.	[bug]		win32: Address a race condition in final shutdown of
 9841 			the Windows socket code. [RT #17028]
 9842 
 9843 2219.	[bug]		Apply zone consistency checks to additions, not
 9844 			removals, when updating. [RT #17049]
 9845 
 9846 2218.	[bug]		Remove unnecessary REQUIRE from dns_validator_create().
 9847 			[RT #16976]
 9848 
 9849 2217.	[func]		Adjust update log levels. [RT #17092]
 9850 
 9851 2216.	[cleanup]	Fix a number of errors reported by Coverity.
 9852 			[RT #17094]
 9853 
 9854 2215.	[bug]		Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094]
 9855 
 9856 2214.	[bug]		Deregister OpenSSL lock callback when cleaning
 9857 			up.  Reorder OpenSSL cleanup so that RAND_cleanup()
 9858 			is called before the locks are destroyed. [RT #17098]
 9859 
 9860 2213.	[bug]		SIG0 diagnostic failure messages were looking at the
 9861 			wrong status code. [RT #17101]
 9862 
 9863 2212.	[func]		'host -m' now causes memory statistics and active
 9864 			memory to be printed at exit. [RT 17028]
 9865 
 9866 2211.	[func]		Update "dynamic update temporarily disabled" message.
 9867 			[RT #17065]
 9868 
 9869 2210.	[bug]		Deleting class specific records via UPDATE could
 9870 			fail.  [RT #17074]
 9871 
 9872 2209.	[port]		osx: linking against user supplied static OpenSSL
 9873 			libraries failed as the system ones were still being
 9874 			found. [RT #17078]
 9875 
 9876 2208.	[port]		win32: make sure both build methods produce the
 9877 			same output. [RT #17058]
 9878 
 9879 2207.	[port]		Some implementations of getaddrinfo() fail to set
 9880 			ai_canonname correctly. [RT #17061]
 9881 
 9882 	--- 9.5.0a6 released ---
 9883 
 9884 2206.	[security]	"allow-query-cache" and "allow-recursion" now
 9885 			cross inherit from each other.
 9886 
 9887 			If allow-query-cache is not set in named.conf then
 9888 			allow-recursion is used if set, otherwise allow-query
 9889 			is used if set, otherwise the default (localnets;
 9890 			localhost;) is used.
 9891 
 9892 			If allow-recursion is not set in named.conf then
 9893 			allow-query-cache is used if set, otherwise allow-query
 9894 			is used if set, otherwise the default (localnets;
 9895 			localhost;) is used.
 9896 
 9897 			[RT #16987]
 9898 
 9899 2205.	[bug]		libbind: change #2119 broke thread support. [RT #16982]
 9900 
 9901 2204.	[bug]		"rndc flushname name unknown-view" caused named
 9902 			to crash. [RT #16984]
 9903 
 9904 2203.	[security]	Query id generation was cryptographically weak.
 9905 			[RT # 16915]
 9906 
 9907 2202.	[security]	The default acls for allow-query-cache and
 9908 			allow-recursion were not being applied. [RT #16960]
 9909 
 9910 2201.	[bug]		The build failed in a separate object directory.
 9911 			[RT #16943]
 9912 
 9913 2200.	[bug]		The search for cached NSEC records was stopping to
 9914 			early leading to excessive DLV queries. [RT #16930]
 9915 
 9916 2199.	[bug]		win32: don't call WSAStartup() while loading dlls.
 9917 			[RT #16911]
 9918 
 9919 2198.	[bug]		win32: RegCloseKey() could be called when
 9920 			RegOpenKeyEx() failed. [RT #16911]
 9921 
 9922 2197.	[bug]		Add INSIST to catch negative responses which are
 9923 			not setting the event result code appropriately.
 9924 			[RT #16909]
 9925 
 9926 2196.	[port]		win32: yield processor while waiting for once to
 9927 			to complete. [RT #16958]
 9928 
 9929 2195.	[func]		dnssec-keygen now defaults to nametype "ZONE"
 9930 			when generating DNSKEYs. [RT #16954]
 9931 
 9932 2194.	[bug]		Close journal before calling 'done' in xfrin.c.
 9933 
 9934 	--- 9.5.0a5 released ---
 9935 
 9936 2193.	[port]		win32: BINDInstall.exe is now linked statically.
 9937 			[RT #16906]
 9938 
 9939 2192.	[port]		win32: use vcredist_x86.exe to install Visual
 9940 			Studio's redistributable dlls if building with
 9941 			Visual Stdio 2005 or later.
 9942 
 9943 2191.	[func]		named-checkzone now allows dumping to stdout (-).
 9944 			named-checkconf now has -h for help.
 9945 			named-checkzone now has -h for help.
 9946 			rndc now has -h for help.
 9947 			Better handling of '-?' for usage summaries.
 9948 			[RT #16707]
 9949 
 9950 2190.	[func]		Make fallback to plain DNS from EDNS due to timeouts
 9951 			more visible.  New logging category "edns-disabled".
 9952 			[RT #16871]
 9953 
 9954 2189.	[bug]		Handle socket() returning EINTR. [RT #15949]
 9955 
 9956 2188.	[contrib]	queryperf: autoconf changes to make the search for
 9957 			libresolv or libbind more robust. [RT #16299]
 9958 
 9959 2187.	[bug]		query_addds(), query_addwildcardproof() and
 9960 			query_addnxrrsetnsec() should take a version
 9961 			argument. [RT #16368]
 9962 
 9963 2186.	[port]		cygwin: libbind: check for struct sockaddr_storage
 9964 			independently of IPv6. [RT #16482]
 9965 
 9966 2185.	[port]		sunos: libbind: check for ssize_t, memmove() and
 9967 			memchr(). [RT #16463]
 9968 
 9969 2184.	[bug]		bind9.xsl.h didn't build out of the source tree.
 9970 			[RT #16830]
 9971 
 9972 2183.	[bug]		dnssec-signzone didn't handle offline private keys
 9973 			well.  [RT #16832]
 9974 
 9975 2182.	[bug]		dns_dispatch_createtcp() and dispatch_createudp()
 9976 			could return ISC_R_SUCCESS when they ran out of
 9977 			memory. [RT #16365]
 9978 
 9979 2181.	[port]		sunos: libbind: add paths.h from BIND 8. [RT #16462]
 9980 
 9981 2180.	[cleanup]	Remove bit test from 'compress_test' as they
 9982 			are no longer needed. [RT #16497]
 9983 
 9984 2179.	[func]		'rndc command zone' will now find 'zone' if it is
 9985 			unique to all the views. [RT #16821]
 9986 
 9987 2178.	[bug]		'rndc reload' of a slave or stub zone resulted in
 9988 			a reference leak. [RT #16867]
 9989 
 9990 2177.	[bug]		Array bounds overrun on read (rcodetext) at
 9991 			debug level 10+. [RT #16798]
 9992 
 9993 2176.	[contrib]	dbus update to handle race condition during
 9994 			initialization (Bugzilla 235809). [RT #16842]
 9995 
 9996 2175.	[bug]		win32: windows broadcast condition variable support
 9997 			was broken. [RT #16592]
 9998 
 9999 2174.	[bug]		I/O errors should always be fatal when reading
10000 			master files. [RT #16825]
10001 
10002 2173.	[port]		win32: When compiling with MSVS 2005 SP1 we also
10003 			need to ship Microsoft.VC80.MFCLOC.
10004 
10005 	--- 9.5.0a4 released ---
10006 
10007 2172.	[bug]		query_addsoa() was being called with a non zone db.
10008 			[RT #16834]
10009 
10010 2171.	[bug]		Handle breaks in DNSSEC trust chains where the parent
10011 			servers are not DS aware (DS queries to the parent
10012 			return a referral to the child).
10013 
10014 2170.	[func]		Add acache processing to test suite. [RT #16711]
10015 
10016 2169.	[bug]		host, nslookup: when reporting NXDOMAIN report the
10017 			given name and not the last name searched for.
10018 			[RT #16763]
10019 
10020 2168.	[bug]		nsupdate: in non-interactive mode treat syntax errors
10021 			as fatal errors. [RT #16785]
10022 
10023 2167.	[bug]		When re-using a automatic zone named failed to
10024 			attach it to the new view. [RT #16786]
10025 
10026 	--- 9.5.0a3 released ---
10027 
10028 2166.	[bug]		When running in batch mode, dig could misinterpret
10029 			a server address as a name to be looked up, causing
10030 			unexpected output. [RT #16743]
10031 
10032 2165.	[func]		Allow the destination address of a query to determine
10033 			if we will answer the query or recurse.
10034 			allow-query-on, allow-recursion-on and
10035 			allow-query-cache-on. [RT #16291]
10036 
10037 2164.	[bug]		The code to determine how named-checkzone /
10038 			named-compilezone was called failed under windows.
10039 			[RT #16764]
10040 
10041 2163.	[bug]		If only one of query-source and query-source-v6
10042 			specified a port the query pools code broke (change
10043 			2129).  [RT #16768]
10044 
10045 2162.	[func]		Allow "rrset-order fixed" to be disabled at compile
10046 			time. [RT #16665]
10047 
10048 2161.	[bug]		Fix which log messages are emitted for 'rndc flush'.
10049 			[RT #16698]
10050 
10051 2160.	[bug]		libisc wasn't handling NULL ifa_addr pointers returned
10052 			from getifaddrs(). [RT #16708]
10053 
10054 	--- 9.5.0a2 released ---
10055 
10056 2159.	[bug]		Array bounds overrun in acache processing. [RT #16710]
10057 
10058 2158.	[bug]		ns_client_isself() failed to initialize key
10059 			leading to a REQUIRE failure. [RT #16688]
10060 
10061 2157.	[func]		dns_db_transfernode() created. [RT #16685]
10062 
10063 2156.	[bug]		Fix node reference leaks in lookup.c:lookup_find(),
10064 			resolver.c:validated() and resolver.c:cache_name().
10065 			Fix a memory leak in rbtdb.c:free_noqname().
10066 			Make lookup.c:lookup_find() robust against
10067 			event leaks. [RT #16685]
10068 
10069 2155.	[contrib]	SQLite sdb module from jaboydjr@netwalk.com.
10070 			[RT #16694]
10071 
10072 2154.	[func]		Scoped (e.g. IPv6 link-local) addresses may now be
10073 			matched in acls by omitting the scope. [RT #16599]
10074 
10075 2153.	[bug]		nsupdate could leak memory. [RT #16691]
10076 
10077 2152.	[cleanup]	Use sizeof(buf) instead of fixed number in
10078 			dighost.c:get_trusted_key(). [RT #16678]
10079 
10080 2151.	[bug]		Missing newline in usage message for journalprint.
10081 			[RT #16679]
10082 
10083 2150.	[bug]		'rrset-order cyclic' uniformly distribute the
10084 			starting point for the first response for a given
10085 			RRset. [RT #16655]
10086 
10087 2149.	[bug]		isc_mem_checkdestroyed() failed to abort on
10088 			if there were still active memory contexts.
10089 			[RT #16672]
10090 
10091 2148.	[func]		Add positive logging for rndc commands. [RT #14623]
10092 
10093 2147.	[bug]		libbind: remove potential buffer overflow from
10094 			hmac_link.c. [RT #16437]
10095 
10096 2146.	[cleanup]	Silence Linux's spurious "obsolete setsockopt
10097 			SO_BSDCOMPAT" message. [RT #16641]
10098 
10099 2145.	[bug]		Check DS/DLV digest lengths for known digests.
10100 			[RT #16622]
10101 
10102 2144.	[cleanup]	Suppress logging of SERVFAIL from forwarders.
10103 			[RT #16619]
10104 
10105 2143.	[bug]		We failed to restart the IPv6 client when the
10106 			kernel failed to return the destination the
10107 			packet was sent to. [RT #16613]
10108 
10109 2142.	[bug]		Handle master files with a modification time that
10110 			matches the epoch. [RT #16612]
10111 
10112 2141.	[bug]		dig/host should not be setting IDN_ASCCHECK (IDN
10113 			equivalent of LDH checks).  [RT #16609]
10114 
10115 2140.	[bug]		libbind: missing unlock on pthread_key_create()
10116 			failures. [RT #16654]
10117 
10118 2139.	[bug]		dns_view_find() was being called with wrong type
10119 			in adb.c. [RT #16670]
10120 
10121 2138.	[bug]		Lock order reversal in resolver.c. [RT #16653]
10122 
10123 2137.	[port]		Mips little endian and/or mips 64 bit are now
10124 			supported for atomic operations. [RT #16648]
10125 
10126 2136.	[bug]		nslookup/host looped if there was no search list
10127 			and the host didn't exist. [RT #16657]
10128 
10129 2135.	[bug]		Uninitialized rdataset in sdlz.c. [RT #16656]
10130 
10131 2134.	[func]		Additional statistics support. [RT #16666]
10132 
10133 2133.	[port]		powerpc:  Support both IBM and MacOS Power PC
10134 			assembler syntaxes. [RT #16647]
10135 
10136 2132.	[bug]		Missing unlock on out of memory in
10137 			dns_dispatchmgr_setudp().
10138 
10139 2131.	[contrib]	dlz/mysql: AXFR was broken. [RT #16630]
10140 
10141 2130.	[func]		Log if CD or DO were set. [RT #16640]
10142 
10143 2129.	[func]		Provide a pool of UDP sockets for queries to be
10144 			made over. See use-queryport-pool, queryport-pool-ports
10145 			and queryport-pool-updateinterval.  [RT #16415]
10146 
10147 2128.	[doc]		xsltproc --nonet, update DTD versions.  [RT #16635]
10148 
10149 2127.	[port]		Improved OpenSSL 0.9.8 support. [RT #16563]
10150 
10151 2126.	[security]	Serialize validation of type ANY responses. [RT #16555]
10152 
10153 2125.	[bug]		dns_zone_getzeronosoattl() REQUIRE failure if DLZ
10154 			was defined. [RT #16574]
10155 
10156 2124.	[security]	It was possible to dereference a freed fetch
10157 			context. [RT #16584]
10158 
10159 	--- 9.5.0a1 released ---
10160 
10161 2123.	[func]		Use Doxygen to generate internal documentation.
10162 			[RT #11398]
10163 
10164 2122.	[func]		Experimental http server and statistics support
10165 			for named via xml.
10166 
10167 2121.	[func]		Add a 10 slot dead masters cache (LRU) with a 600
10168 			second timeout. [RT #16553]
10169 
10170 2120.	[doc]		Fix markup on nsupdate man page. [RT #16556]
10171 
10172 2119.	[compat]	libbind: allow res_init() to succeed enough to
10173 			return the default domain even if it was unable
10174 			to allocate memory.
10175 
10176 2118.	[bug]		Handle response with long chains of domain name
10177 			compression pointers which point to other compression
10178 			pointers. [RT #16427]
10179 
10180 2117.	[bug]		DNSSEC fixes: named could fail to cache NSEC records
10181 			which could lead to validation failures.  named didn't
10182 			handle negative DS responses that were in the process
10183 			of being validated.  Check CNAME bit before accepting
10184 			NODATA proof. To be able to ignore a child NSEC there
10185 			must be SOA (and NS) set in the bitmap. [RT #16399]
10186 
10187 2116.	[bug]		'rndc reload' could cause the cache to continually
10188 			be cleaned. [RT #16401]
10189 
10190 2115.	[bug]		'rndc reconfig' could trigger a INSIST if the
10191 			number of masters for a zone was reduced. [RT #16444]
10192 
10193 2114.	[bug]		dig/host/nslookup: searches for names with multiple
10194 			labels were failing. [RT #16447]
10195 
10196 2113.	[bug]		nsupdate: if a zone is specified it should be used
10197 			for server discover. [RT #16455]
10198 
10199 2112.	[security]	Warn if weak RSA exponent is used. [RT #16460]
10200 
10201 2111.	[bug]		Fix a number of errors reported by Coverity.
10202 			[RT #16507]
10203 
10204 2110.	[bug]		"minimal-responses yes;" interacted badly with BIND 8
10205 			priming queries. [RT #16491]
10206 
10207 2109.	[port]		libbind: silence aix 5.3 compiler warnings. [RT #16502]
10208 
10209 2108.	[func]		DHCID support. [RT #16456]
10210 
10211 2107.	[bug]		dighost.c: more cleanup of buffers. [RT #16499]
10212 
10213 2106.	[func]		'rndc status' now reports named's version. [RT #16426]
10214 
10215 2105.	[func]		GSS-TSIG support (RFC 3645).
10216 
10217 2104.	[port]		Fix Solaris SMF error message.
10218 
10219 2103.	[port]		Add /usr/sfw to list of locations for OpenSSL
10220 			under Solaris.
10221 
10222 2102.	[port]		Silence Solaris 10 warnings.
10223 
10224 2101.	[bug]		OpenSSL version checks were not quite right.
10225 			[RT #16476]
10226 
10227 2100.	[port]		win32: copy libeay32.dll to Build\Debug.
10228 			Copy Debug\named-checkzone to Debug\named-compilezone.
10229 
10230 2099.	[port]		win32: more manifest issues.
10231 
10232 2098.	[bug]		Race in rbtdb.c:no_references(), which occasionally
10233 			triggered an INSIST failure about the node lock
10234 			reference.  [RT #16411]
10235 
10236 2097.	[bug]		named could reference a destroyed memory context
10237 			after being reloaded / reconfigured. [RT #16428]
10238 
10239 2096.	[bug]		libbind: handle applications that fail to detect
10240 			res_init() failures better.
10241 
10242 2095.	[port]		libbind: always prototype inet_cidr_ntop_ipv6() and
10243 			net_cidr_ntop_ipv6(). [RT #16388]
10244 
10245 2094.	[contrib]	Update named-bootconf.  [RT #16404]
10246 
10247 2093.	[bug]		named-checkzone -s was broken.
10248 
10249 2092.	[bug]		win32: dig, host, nslookup.  Use registry config
10250 			if resolv.conf does not exist or no nameservers
10251 			listed. [RT #15877]
10252 
10253 2091.	[port]		dighost.c: race condition on cleanup. [RT #16417]
10254 
10255 2090.	[port]		win32: Visual C++ 2005 command line manifest support.
10256 			[RT #16417]
10257 
10258 2089.	[security]	Raise the minimum safe OpenSSL versions to
10259 			OpenSSL 0.9.7l and OpenSSL 0.9.8d.  Versions
10260 			prior to these have known security flaws which
10261 			are (potentially) exploitable in named. [RT #16391]
10262 
10263 2088.	[security]	Change the default RSA exponent from 3 to 65537.
10264 			[RT #16391]
10265 
10266 2087.	[port]		libisc failed to compile on OS's w/o a vsnprintf.
10267 			[RT #16382]
10268 
10269 2086.	[port]		libbind: FreeBSD now has get*by*_r() functions.
10270 			[RT #16403]
10271 
10272 2085.	[doc]		win32: added index.html and README to zip. [RT #16201]
10273 
10274 2084.	[contrib]	dbus update for 9.3.3rc2.
10275 
10276 2083.	[port]		win32: Visual C++ 2005 support.
10277 
10278 2082.	[doc]		Document 'cache-file' as a test only option.
10279 
10280 2081.	[port]		libbind: minor 64-bit portability fix in memcluster.c.
10281 			[RT #16360]
10282 
10283 2080.	[port]		libbind: res_init.c did not compile on older versions
10284 			of Solaris. [RT #16363]
10285 
10286 2079.	[bug]		The lame cache was not handling multiple types
10287 			correctly. [RT #16361]
10288 
10289 2078.	[bug]		dnssec-checkzone output style "default" was badly
10290 			named.  It is now called "relative". [RT #16326]
10291 
10292 2077.	[bug]		'dnssec-signzone -O raw' wasn't outputting the
10293 			complete signed zone. [RT #16326]
10294 
10295 2076.	[bug]		Several files were missing #include <config.h>
10296 			causing build failures on OSF. [RT #16341]
10297 
10298 2075.	[bug]		The spillat timer event handler could leak memory.
10299 			[RT #16357]
10300 
10301 2074.	[bug]		dns_request_createvia2(), dns_request_createvia3(),
10302 			dns_request_createraw2() and dns_request_createraw3()
10303 			failed to send multiple UDP requests. [RT #16349]
10304 
10305 2073.	[bug]		Incorrect semantics check for update policy "wildcard".
10306 			[RT #16353]
10307 
10308 2072.	[bug]		We were not generating valid HMAC SHA digests.
10309 			[RT #16320]
10310 
10311 2071.	[port]		Test whether gcc accepts -fno-strict-aliasing.
10312 			[RT #16324]
10313 
10314 2070.	[bug]		The remote address was not always displayed when
10315 			reporting dispatch failures. [RT #16315]
10316 
10317 2069.	[bug]		Cross compiling was not working. [RT #16330]
10318 
10319 2068.	[cleanup]	Lower incremental tuning message to debug 1.
10320 			[RT #16319]
10321 
10322 2067.	[bug]		'rndc' could close the socket too early triggering
10323 			a INSIST under Windows. [RT #16317]
10324 
10325 2066.	[security]	Handle SIG queries gracefully. [RT #16300]
10326 
10327 2065.	[bug]		libbind: probe for HPUX prototypes for
10328 			endprotoent_r() and endservent_r().  [RT 16313]
10329 
10330 2064.	[bug]		libbind: silence AIX compiler warnings. [RT #16218]
10331 
10332 2063.	[bug]		Change #1955 introduced a bug which caused the first
10333 			'rndc flush' call to not free memory. [RT #16244]
10334 
10335 2062.	[bug]		'dig +nssearch' was reusing a buffer before it had
10336 			been returned by the socket code. [RT #16307]
10337 
10338 2061.	[bug]		Accept expired wildcard message reversed. [RT #16296]
10339 
10340 2060.	[bug]		Enabling DLZ support could leave views partially
10341 			configured. [RT #16295]
10342 
10343 2059.	[bug]		Search into cache rbtdb could trigger an INSIST
10344 			failure while cleaning up a stale rdataset.
10345 			[RT #16292]
10346 
10347 2058.	[bug]		Adjust how we calculate rtt estimates in the presence
10348 			of authoritative servers that drop EDNS and/or CD
10349 			requests.  Also fallback to EDNS/512 and plain DNS
10350 			faster for zones with less than 3 servers.  [RT #16187]
10351 
10352 2057.	[bug]		Make setting "ra" dependent on both allow-query-cache
10353 			and allow-recursion. [RT #16290]
10354 
10355 2056.	[bug]		dig: ixfr= was not being treated case insensitively
10356 			at all times. [RT #15955]
10357 
10358 2055.	[bug]		Missing goto after dropping multicast query.
10359 			[RT #15944]
10360 
10361 2054.	[port]		freebsd: do not explicitly link against -lpthread.
10362 			[RT #16170]
10363 
10364 2053.	[port]		netbsd:libbind: silence compiler warnings. [RT #16220]
10365 
10366 2052.	[bug]		'rndc' improve connect failed message to report
10367 			the failing address. [RT #15978]
10368 
10369 2051.	[port]		More strtol() fixes. [RT #16249]
10370 
10371 2050.	[bug]		Parsing of NSAP records was not case insensitive.
10372 			[RT #16287]
10373 
10374 2049.	[bug]		Restore SOA before AXFR when falling back from
10375 			a attempted IXFR when transferring in a zone.
10376 			Allow a initial SOA query before attempting
10377 			a AXFR to be requested. [RT #16156]
10378 
10379 2048.	[bug]		It was possible to loop forever when using
10380 			avoid-v4-udp-ports / avoid-v6-udp-ports when
10381 			the OS always returned the same local port.
10382 			[RT #16182]
10383 
10384 2047.	[bug]		Failed to initialize the interface flags to zero.
10385 			[RT #16245]
10386 
10387 2046.	[bug]		rbtdb.c:rdataset_setadditional() could cause duplicate
10388 			cleanup [RT #16247].
10389 
10390 2045.	[func]		Use lock buckets for acache entries to limit memory
10391 			consumption. [RT #16183]
10392 
10393 2044.	[port]		Add support for atomic operations for Itanium.
10394 			[RT #16179]
10395 
10396 2043.	[port]		nsupdate/nslookup: Force the flushing of the prompt
10397 			for interactive sessions. [RT #16148]
10398 
10399 2042.	[bug]		named-checkconf was incorrectly rejecting the
10400 			logging category "config". [RT #16117]
10401 
10402 2041.	[bug]		"configure --with-dlz-bdb=yes" produced a bad
10403 			set of libraries to be linked. [RT #16129]
10404 
10405 2040.	[bug]		rbtdb no_references() could trigger an INSIST
10406 			failure with --enable-atomic.  [RT #16022]
10407 
10408 2039.	[func]		Check that all buffers passed to the socket code
10409 			have been retrieved when the socket event is freed.
10410 			[RT #16122]
10411 
10412 2038.	[bug]		dig/nslookup/host was unlinking from wrong list
10413 			when handling errors. [RT #16122]
10414 
10415 2037.	[func]		When unlinking the first or last element in a list
10416 			check that the list head points to the element to
10417 			be unlinked. [RT #15959]
10418 
10419 2036.	[bug]		'rndc recursing' could cause trigger a REQUIRE.
10420 			[RT #16075]
10421 
10422 2035.	[func]		Make falling back to TCP on UDP refresh failure
10423 			optional. Default "try-tcp-refresh yes;" for BIND 8
10424 			compatibility. [RT #16123]
10425 
10426 2034.	[bug]		gcc: set -fno-strict-aliasing. [RT #16124]
10427 
10428 2033.	[bug]		We weren't creating multiple client memory contexts
10429 			on demand as expected. [RT #16095]
10430 
10431 2032.	[bug]		Remove a INSIST in query_addadditional2(). [RT #16074]
10432 
10433 2031.	[bug]		Emit a error message when "rndc refresh" is called on
10434 			a non slave/stub zone. [RT # 16073]
10435 
10436 2030.	[bug]		We were being overly conservative when disabling
10437 			openssl engine support. [RT #16030]
10438 
10439 2029.	[bug]		host printed out the server multiple times when
10440 			specified on the command line. [RT #15992]
10441 
10442 2028.	[port]		linux: socket.c compatibility for old systems.
10443 			[RT #16015]
10444 
10445 2027.	[port]		libbind: Solaris x86 support. [RT #16020]
10446 
10447 2026.	[bug]		Rate limit the two recursive client exceeded messages.
10448 			[RT #16044]
10449 
10450 2025.	[func]		Update "zone serial unchanged" message. [RT #16026]
10451 
10452 2024.	[bug]		named emitted spurious "zone serial unchanged"
10453 			messages on reload. [RT #16027]
10454 
10455 2023.	[bug]		"make install" should create ${localstatedir}/run and
10456 			${sysconfdir} if they do not exist. [RT #16033]
10457 
10458 2022.	[bug]		If dnssec validation is disabled only assert CD if
10459 			CD was requested. [RT #16037]
10460 
10461 2021.	[bug]		dnssec-enable no; triggered a REQUIRE. [RT #16037]
10462 
10463 2020.	[bug]		rdataset_setadditional() could leak memory. [RT #16034]
10464 
10465 2019.	[tuning]	Reduce the amount of work performed per quantum
10466 			when cleaning the cache. [RT #15986]
10467 
10468 2018.	[bug]		Checking if the HMAC MD5 private file was broken.
10469 			[RT #15960]
10470 
10471 2017.	[bug]		allow-query default was not correct. [RT #15946]
10472 
10473 2016.	[bug]		Return a partial answer if recursion is not
10474 			allowed but requested and we had the answer
10475 			to the original qname. [RT #15945]
10476 
10477 2015.	[cleanup]	use-additional-cache is now acache-enable for
10478 			consistency.  Default acache-enable off in BIND 9.4
10479 			as it requires memory usage to be configured.
10480 			It may be enabled by default in BIND 9.5 once we
10481 			have more experience with it.
10482 
10483 2014.	[func]		Statistics about acache now recorded and sent
10484 			to log. [RT #15976]
10485 
10486 2013.	[bug]		Handle unexpected TSIGs on unsigned AXFR/IXFR
10487 			responses more gracefully. [RT #15941]
10488 
10489 2012.	[func]		Don't insert new acache entries if acache is full.
10490 			[RT #15970]
10491 
10492 2011.	[func]		dnssec-signzone can now update the SOA record of
10493 			the signed zone, either as an increment or as the
10494 			system time(). [RT #15633]
10495 
10496 2010.	[placeholder]	rt15958
10497 
10498 2009.	[bug]		libbind: Coverity fixes. [RT #15808]
10499 
10500 2008.	[func]		It is now possible to enable/disable DNSSEC
10501 			validation from rndc.  This is useful for the
10502 			mobile hosts where the current connection point
10503 			breaks DNSSEC (firewall/proxy).  [RT #15592]
10504 
10505 				rndc validation newstate [view]
10506 
10507 2007.	[func]		It is now possible to explicitly enable DNSSEC
10508 			validation.  default dnssec-validation no; to
10509 			be changed to yes in 9.5.0.  [RT #15674]
10510 
10511 2006.	[security]	Allow-query-cache and allow-recursion now default
10512 			to the built in acls "localnets" and "localhost".
10513 
10514 			This is being done to make caching servers less
10515 			attractive as reflective amplifying targets for
10516 			spoofed traffic.  This still leave authoritative
10517 			servers exposed.
10518 
10519 			The best fix is for full BCP 38 deployment to
10520 			remove spoofed traffic.
10521 
10522 2005.	[bug]		libbind: Retransmission timeouts should be
10523 			based on which attempt it is to the nameserver
10524 			and not the nameserver itself. [RT #13548]
10525 
10526 2004.	[bug]		dns_tsig_sign() could pass a NULL pointer to
10527 			dst_context_destroy() when cleaning up after a
10528 			error. [RT #15835]
10529 
10530 2003.	[bug]		libbind: The DNS name/address lookup functions could
10531 			occasionally follow a random pointer due to
10532 			structures not being completely zeroed. [RT #15806]
10533 
10534 2002.	[bug]		libbind: tighten the constraints on when
10535 			struct addrinfo._ai_pad exists.  [RT #15783]
10536 
10537 2001.	[func]		Check the KSK flag when updating a secure dynamic zone.
10538 			New zone option "update-check-ksk yes;".  [RT #15817]
10539 
10540 2000.	[bug]		memmove()/strtol() fix was incomplete. [RT #15812]
10541 
10542 1999.	[func]		Implement "rrset-order fixed". [RT #13662]
10543 
10544 1998.	[bug]		Restrict handling of fifos as sockets to just SunOS.
10545 			This allows named to connect to entropy gathering
10546 			daemons that use fifos instead of sockets. [RT #15840]
10547 
10548 1997.	[bug]		Named was failing to replace negative cache entries
10549 			when a positive one for the type was learnt.
10550 			[RT #15818]
10551 
10552 1996.	[bug]		nsupdate: if a zone has been specified it should
10553 			appear in the output of 'show'. [RT #15797]
10554 
10555 1995.	[bug]		'host' was reporting multiple "is an alias" messages.
10556 			[RT #15702]
10557 
10558 1994.	[port]		OpenSSL 0.9.8 support. [RT #15694]
10559 
10560 1993.	[bug]		Log messages, via syslog, were missing the space
10561 			after the timestamp if "print-time yes" was specified.
10562 			[RT #15844]
10563 
10564 1992.	[bug]		Not all incoming zone transfer messages included the
10565 			view.  [RT #15825]
10566 
10567 1991.	[cleanup]	The configuration data, once read, should be treated
10568 			as read only.  Expand the use of const to enforce this
10569 			at compile time. [RT #15813]
10570 
10571 1990.	[bug]		libbind:  isc's override of broken gettimeofday()
10572 			implementations was not always effective.
10573 			[RT #15709]
10574 
10575 1989.	[bug]		win32: don't check the service password when
10576 			re-installing. [RT #15882]
10577 
10578 1988.	[bug]		Remove a bus error from the SHA256/SHA512 support.
10579 			[RT #15878]
10580 
10581 1987.	[func]		DS/DLV SHA256 digest algorithm support. [RT #15608]
10582 
10583 1986.	[func]		Report when a zone is removed. [RT #15849]
10584 
10585 1985.	[protocol]	DLV has now been assigned a official type code of
10586 			32769. [RT #15807]
10587 
10588 			Note: care should be taken to ensure you upgrade
10589 			both named and dnssec-signzone at the same time for
10590 			zones with DLV records where named is the master
10591 			server for the zone.  Also any zones that contain
10592 			DLV records should be removed when upgrading a slave
10593 			zone.  You do not however have to upgrade all
10594 			servers for a zone with DLV records simultaneously.
10595 
10596 1984.	[func]		dig, nslookup and host now advertise a 4096 byte
10597 			EDNS UDP buffer size by default. [RT #15855]
10598 
10599 1983.	[func]		Two new update policies.  "selfsub" and "selfwild".
10600 			[RT #12895]
10601 
10602 1982.	[bug]		DNSKEY was being accepted on the parent side of
10603 			a delegation.  KEY is still accepted there for
10604 			RFC 3007 validated updates. [RT #15620]
10605 
10606 1981.	[bug]		win32: condition.c:wait() could fail to reattain
10607 			the mutex lock.
10608 
10609 1980.	[func]		dnssec-signzone: output the SOA record as the
10610 			first record in the signed zone. [RT #15758]
10611 
10612 1979.	[port]		linux: allow named to drop core after changing
10613 			user ids. [RT #15753]
10614 
10615 1978.	[port]		Handle systems which have a broken recvmsg().
10616 			[RT #15742]
10617 
10618 1977.	[bug]		Silence noisy log message. [RT #15704]
10619 
10620 1976.	[bug]		Handle systems with no IPv4 addresses. [RT #15695]
10621 
10622 1975.	[bug]		libbind: isc_gethexstring() could misparse multi-line
10623 			hex strings with comments. [RT #15814]
10624 
10625 1974.	[doc]		List each of the zone types and associated zone
10626 			options separately in the ARM.
10627 
10628 1973.	[func]		TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
10629 			HMACSHA512 support. [RT #13606]
10630 
10631 1972.	[contrib]	DBUS dynamic forwarders integration from
10632 			Jason Vas Dias <jvdias@redhat.com>.
10633 
10634 1971.	[port]		linux: make detection of missing IF_NAMESIZE more
10635 			robust. [RT #15443]
10636 
10637 1970.	[bug]		nsupdate: adjust UDP timeout when falling back to
10638 			unsigned SOA query. [RT #15775]
10639 
10640 1969.	[bug]		win32: the socket code was freeing the socket
10641 			structure too early. [RT #15776]
10642 
10643 1968.	[bug]		Missing lock in resolver.c:validated(). [RT #15739]
10644 
10645 1967.	[func]		dig/nslookup/host: warn about missing "QR". [RT #15779]
10646 
10647 1966.	[bug]		Don't set CD when we have fallen back to plain DNS.
10648 			[RT #15727]
10649 
10650 1965.	[func]		Suppress spurious "recursion requested but not
10651 			available" warning with 'dig +qr'. [RT #15780].
10652 
10653 1964.	[func]		Separate out MX and SRV to CNAME checks. [RT #15723]
10654 
10655 1963.	[port]		Tru64 4.0E doesn't support send() and recv().
10656 			[RT #15586]
10657 
10658 1962.	[bug]		Named failed to clear old update-policy when it
10659 			was removed. [RT #15491]
10660 
10661 1961.	[bug]		Check the port and address of responses forwarded
10662 			to dispatch. [RT #15474]
10663 
10664 1960.	[bug]		Update code should set NSEC ttls from SOA MINIMUM.
10665 			[RT #15465]
10666 
10667 1959.	[func]		Control the zeroing of the negative response TTL to
10668 			a soa query.  Defaults "zero-no-soa-ttl yes;" and
10669 			"zero-no-soa-ttl-cache no;". [RT #15460]
10670 
10671 1958.	[bug]		Named failed to update the zone's secure state
10672 			until the zone was reloaded. [RT #15412]
10673 
10674 1957.	[bug]		Dig mishandled responses to class ANY queries.
10675 			[RT #15402]
10676 
10677 1956.	[bug]		Improve cross compile support, 'gen' is now built
10678 			by native compiler.  See README for additional
10679 			cross compile support information. [RT #15148]
10680 
10681 1955.	[bug]		Pre-allocate the cache cleaning iterator. [RT #14998]
10682 
10683 1954.	[func]		Named now falls back to advertising EDNS with a
10684 			512 byte receive buffer if the initial EDNS queries
10685 			fail.  [RT #14852]
10686 
10687 1953.	[func]		The maximum EDNS UDP response named will send can
10688 			now be set in named.conf (max-udp-size).  This is
10689 			independent of the advertised receive buffer
10690 			(edns-udp-size). [RT #14852]
10691 
10692 1952.	[port]		hpux: tell the linker to build a runtime link
10693 			path "-Wl,+b:". [RT #14816].
10694 
10695 1951.	[security]	Drop queries from particular well known ports.
10696 			Don't return FORMERR to queries from particular
10697 			well known ports.  [RT #15636]
10698 
10699 1950.	[port]		Solaris 2.5.1 and earlier cannot bind() then connect()
10700 			a TCP socket. This prevents the source address being
10701 			set for TCP connections. [RT #15628]
10702 
10703 1949.	[func]		Addition memory leakage checks. [RT #15544]
10704 
10705 1948.	[bug]		If was possible to trigger a REQUIRE failure in
10706 			xfrin.c:maybe_free() if named ran out of memory.
10707 			[RT #15568]
10708 
10709 1947.	[func]		It is now possible to configure named to accept
10710 			expired RRSIGs.  Default "dnssec-accept-expired no;".
10711 			Setting "dnssec-accept-expired yes;" leaves named
10712 			vulnerable to replay attacks.  [RT #14685]
10713 
10714 1946.	[bug]		resume_dslookup() could trigger a REQUIRE failure
10715 			when using forwarders. [RT #15549]
10716 
10717 1945.	[cleanup]	dnssec-keygen: RSA (RSAMD5) is no longer recommended.
10718 			To generate a RSAMD5 key you must explicitly request
10719 			RSAMD5. [RT #13780]
10720 
10721 1944.	[cleanup]	isc_hash_create() does not need a read/write lock.
10722 			[RT #15522]
10723 
10724 1943.	[bug]		Set the loadtime after rolling forward the journal.
10725 			[RT #15647]
10726 
10727 1942.	[bug]		If the name of a DNSKEY match that of one in
10728 			trusted-keys do not attempt to validate the DNSKEY
10729 			using the parents DS RRset. [RT #15649]
10730 
10731 1941.	[bug]		ncache_adderesult() should set eresult even if no
10732 			rdataset is passed to it. [RT #15642]
10733 
10734 1940.	[bug]		Fixed a number of error conditions reported by
10735 			Coverity.
10736 
10737 1939.	[bug]		The resolver could dereference a null pointer after
10738 			validation if all the queries have timed out.
10739 			[RT #15528]
10740 
10741 1938.	[bug]		The validator was not correctly handling unsecure
10742 			negative responses at or below a SEP. [RT #15528]
10743 
10744 1937.	[bug]		sdlz doesn't handle RRSIG records. [RT #15564]
10745 
10746 1936.	[bug]		The validator could leak memory. [RT #15544]
10747 
10748 1935.	[bug]		'acache' was DO sensitive. [RT #15430]
10749 
10750 1934.	[func]		Validate pending NS RRsets, in the authority section,
10751 			prior to returning them if it can be done without
10752 			requiring DNSKEYs to be fetched.  [RT #15430]
10753 
10754 1933.	[bug]		dump_rdataset_raw() had a incorrect INSIST. [RT #15534]
10755 
10756 1932.	[bug]		hpux: LDFLAGS was getting corrupted. [RT #15530]
10757 
10758 1931.	[bug]		Per-client mctx could require a huge amount of memory,
10759 			particularly for a busy caching server. [RT #15519]
10760 
10761 1930.	[port]		HPUX: ia64 support. [RT #15473]
10762 
10763 1929.	[port]		FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
10764 
10765 1928.	[bug]		Race in rbtdb.c:currentversion(). [RT #15517]
10766 
10767 1927.	[bug]		Access to soanode or nsnode in rbtdb violated the
10768 			lock order rule and could cause a dead lock.
10769 			[RT #15518]
10770 
10771 1926.	[bug]		The Windows installer did not check for empty
10772 			passwords.  BINDinstall was being installed in
10773 			the wrong place. [RT #15483]
10774 
10775 1925.	[port]		All outer level AC_TRY_RUNs need cross compiling
10776 			defaults. [RT #15469]
10777 
10778 1924.	[port]		libbind: hpux ia64 support. [RT #15473]
10779 
10780 1923.	[bug]		ns_client_detach() called too early. [RT #15499]
10781 
10782 1922.	[bug]		check-tool.c:setup_logging() missing call to
10783 			dns_log_setcontext().
10784 
10785 1921.	[bug]		Client memory contexts were not using internal
10786 			malloc. [RT #15434]
10787 
10788 1920.	[bug]		The cache rbtdb lock array was too small to
10789 			have the desired performance characteristics.
10790 			[RT #15454]
10791 
10792 1919.	[contrib]	queryperf: a set of new features: collecting/printing
10793 			response delays, printing intermediate results, and
10794 			adjusting query rate for the "target" qps.
10795 
10796 1918.	[bug]		Memory leak when checking acls. [RT #15391]
10797 
10798 1917.	[doc]		funcsynopsisinfo wasn't being treated as verbatim
10799 			when generating man pages. [RT #15385]
10800 
10801 1916.	[func]		Integrate contributed IDN code from JPNIC. [RT #15383]
10802 
10803 1915.	[bug]		dig +ndots was broken. [RT #15215]
10804 
10805 1914.	[protocol]	DS is required to accept mnemonic algorithms
10806 			(RFC 4034).  Still emit numeric algorithms for
10807 			compatibility with RFC 3658. [RT #15354]
10808 
10809 1913.	[func]		Integrate contributed DLZ code into named. [RT #11382]
10810 
10811 1912.	[port]		aix: atomic locking for powerpc. [RT #15020]
10812 
10813 1911.	[bug]		Update windows socket code. [RT #14965]
10814 
10815 1910.	[bug]		dig's +sigchase code overhauled. [RT #14933]
10816 
10817 1909.	[bug]		The DLV code has been re-worked to make no longer
10818 			query order sensitive. [RT #14933]
10819 
10820 1908.	[func]		dig now warns if 'RA' is not set in the answer when
10821 			'RD' was set in the query.  host/nslookup skip servers
10822 			that fail to set 'RA' when 'RD' is set unless a server
10823 			is explicitly set.  [RT #15005]
10824 
10825 1907.	[func]		host/nslookup now continue (default)/fail on SERVFAIL.
10826 			[RT #15006]
10827 
10828 1906.	[func]		dig now has a '-q queryname' and '+showsearch' options.
10829 			[RT #15034]
10830 
10831 1905.	[bug]		Strings returned from cfg_obj_asstring() should be
10832 			treated as read-only.  The prototype for
10833 			cfg_obj_asstring() has been updated to reflect this.
10834 			[RT #15256]
10835 
10836 1904.	[func]		Automatic empty zone creation for D.F.IP6.ARPA and
10837 			friends.  Note: RFC 1918 zones are not yet covered by
10838 			this but are likely to be in a future release.
10839 
10840 			New options: empty-server, empty-contact,
10841 			empty-zones-enable and disable-empty-zone.
10842 
10843 1903.	[func]		ISC string copy API.
10844 
10845 1902.	[func]		Attempt to make the amount of work performed in a
10846 			iteration self tuning.  The covers nodes clean from
10847 			the cache per iteration, nodes written to disk when
10848 			rewriting a master file and nodes destroyed per
10849 			iteration when destroying a zone or a cache.
10850 			[RT #14996]
10851 
10852 1901.	[cleanup]	Don't add DNSKEY records to the additional section.
10853 
10854 1900.	[bug]		ixfr-from-differences failed to ensure that the
10855 			serial number increased. [RT #15036]
10856 
10857 1899.	[func]		named-checkconf now validates update-policy entries.
10858 			[RT #14963]
10859 
10860 1898.	[bug]		Extend ISC_SOCKADDR_FORMATSIZE and
10861 			ISC_NETADDR_FORMATSIZE to allow for scope details.
10862 
10863 1897.	[func]		x86 and x86_64 now have separate atomic locking
10864 			implementations.
10865 
10866 1896.	[bug]		Recursive clients soft quota support wasn't working
10867 			as expected. [RT #15103]
10868 
10869 1895.	[bug]		A escaped character is, potentially, converted to
10870 			the output character set too early. [RT #14666]
10871 
10872 1894.	[doc]		Review ARM for BIND 9.4.
10873 
10874 1893.	[port]		Use uintptr_t if available. [RT #14606]
10875 
10876 1892.	[func]		Support for SPF rdata type. [RT #15033]
10877 
10878 1891.	[port]		freebsd: pthread_mutex_init can fail if it runs out
10879 			of memory. [RT #14995]
10880 
10881 1890.	[func]		Raise the UDP receive buffer size to 32k if it is
10882 			less than 32k. [RT #14953]
10883 
10884 1889.	[port]		sunos: non blocking i/o support. [RT #14951]
10885 
10886 1888.	[func]		Support for IPSECKEY rdata type. [RT #14967]
10887 
10888 1887.	[bug]		The cache could delete expired records too fast for
10889 			clients with a virtual time in the past. [RT #14991]
10890 
10891 1886.	[bug]		fctx_create() could return success even though it
10892 			failed. [RT #14993]
10893 
10894 1885.	[func]		dig: report the number of extra bytes still left in
10895 			the packet after processing all the records.
10896 
10897 1884.	[cleanup]	dighost.c: move external declarations into <dig/dig.h>.
10898 
10899 1883.	[bug]		dnssec-signzone, dnssec-keygen: handle negative debug
10900 			levels. [RT #14962]
10901 
10902 1882.	[func]		Limit the number of recursive clients that can be
10903 			waiting for a single query (<qname,qtype,qclass>) to
10904 			resolve.  New options clients-per-query and
10905 			max-clients-per-query.
10906 
10907 1881.	[func]		Add a system test for named-checkconf. [RT #14931]
10908 
10909 1880.	[func]		The lame cache is now done on a <qname,qclass,qtype>
10910 			basis as some servers only appear to be lame for
10911 			certain query types.  [RT #14916]
10912 
10913 1879.	[func]		"USE INTERNAL MALLOC" is now runtime selectable.
10914 			[RT #14892]
10915 
10916 1878.	[func]		Detect duplicates of UDP queries we are recursing on
10917 			and drop them.  New stats category "duplicate".
10918 			[RT #2471]
10919 
10920 1877.	[bug]		Fix unreasonably low quantum on call to
10921 			dns_rbt_destroy2().  Remove unnecessary unhash_node()
10922 			call. [RT #14919]
10923 
10924 1876.	[func]		Additional memory debugging support to track size
10925 			and mctx arguments. [RT #14814]
10926 
10927 1875.	[bug]		process_dhtkey() was using the wrong memory context
10928 			to free some memory. [RT #14890]
10929 
10930 1874.	[port]		sunos: portability fixes. [RT #14814]
10931 
10932 1873.	[port]		win32: isc__errno2result() now reports its caller.
10933 			[RT #13753]
10934 
10935 1872.	[port]		win32: Handle ERROR_NETNAME_DELETED.  [RT #13753]
10936 
10937 1871.	[placeholder]
10938 
10939 1870.	[func]		Added framework for handling multiple EDNS versions.
10940 			[RT #14873]
10941 
10942 1869.	[func]		dig can now specify the EDNS version when making
10943 			a query. [RT #14873]
10944 
10945 1868.	[func]		edns-udp-size can now be overridden on a per
10946 			server basis. [RT #14851]
10947 
10948 1867.	[bug]		It was possible to trigger a INSIST in
10949 			dlv_validatezonekey(). [RT #14846]
10950 
10951 1866.	[bug]		resolv.conf parse errors were being ignored by
10952 			dig/host/nslookup. [RT #14841]
10953 
10954 1865.	[bug]		Silently ignore nameservers in /etc/resolv.conf with
10955 			bad addresses. [RT #14841]
10956 
10957 1864.	[bug]		Don't try the alternative transfer source if you
10958 			got a answer / transfer with the main source
10959 			address. [RT #14802]
10960 
10961 1863.	[bug]		rrset-order "fixed" error messages not complete.
10962 
10963 1862.	[func]		Add additional zone data constancy checks.
10964 			named-checkzone has extended checking of NS, MX and
10965 			SRV record and the hosts they reference.
10966 			named has extended post zone load checks.
10967 			New zone options: check-mx and integrity-check.
10968 			[RT #4940]
10969 
10970 1861.	[bug]		dig could trigger a INSIST on certain malformed
10971 			responses. [RT #14801]
10972 
10973 1860.	[port]		solaris 2.8: hack_shutup_pthreadmutexinit was
10974 			incorrectly set. [RT #14775]
10975 
10976 1859.	[func]		Add support for CH A record. [RT #14695]
10977 
10978 1858.	[bug]		The flush-zones-on-shutdown option wasn't being
10979 			parsed. [RT #14686]
10980 
10981 1857.	[bug]		named could trigger a INSIST() if reconfigured /
10982 			reloaded too fast.  [RT #14673]
10983 
10984 1856.	[doc]		Switch Docbook toolchain from DSSSL to XSL.
10985 			[RT #11398]
10986 
10987 1855.	[bug]		ixfr-from-differences was failing to detect changes
10988 			of ttl due to dns_diff_subtract() was ignoring the ttl
10989 			of records.  [RT #14616]
10990 
10991 1854.	[bug]		lwres also needs to know the print format for
10992 			(long long).  [RT #13754]
10993 
10994 1853.	[bug]		Rework how DLV interacts with proveunsecure().
10995 			[RT #13605]
10996 
10997 1852.	[cleanup]	Remove last vestiges of dnssec-signkey and
10998 			dnssec-makekeyset (removed from Makefile years ago).
10999 
11000 1851.	[doc]		Doxygen comment markup. [RT #11398]
11001 
11002 1850.	[bug]		Memory leak in lwres_getipnodebyaddr(). [RT #14591]
11003 
11004 1849.	[doc]		All forms of the man pages (docbook, man, html) should
11005 			have consistent copyright dates.
11006 
11007 1848.	[bug]		Improve SMF integration. [RT #13238]
11008 
11009 1847.	[bug]		isc_ondestroy_init() is called too late in
11010 			dns_rbtdb_create()/dns_rbtdb64_create().
11011 			[RT #13661]
11012 
11013 1846.	[contrib]	query-loc-0.3.0 from Stephane Bortzmeyer
11014 			<bortzmeyer@nic.fr>.
11015 
11016 1845.	[bug]		Improve error reporting to distinguish between
11017 			accept()/fcntl() and socket()/fcntl() errors.
11018 			[RT #13745]
11019 
11020 1844.	[bug]		inet_pton() accepted more that 4 hexadecimal digits
11021 			for each 16 bit piece of the IPv6 address.  The text
11022 			representation of a IPv6 address has been tightened
11023 			to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt).
11024 			[RT #5662]
11025 
11026 1843.	[cleanup]	CINCLUDES takes precedence over CFLAGS.  This helps
11027 			when CFLAGS contains "-I /usr/local/include"
11028 			resulting in old header files being used.
11029 
11030 1842.	[port]		cmsg_len() could produce incorrect results on
11031 			some platform. [RT #13744]
11032 
11033 1841.	[bug]		"dig +nssearch" now makes a recursive query to
11034 			find the list of nameservers to query. [RT #13694]
11035 
11036 1840.	[func]		dnssec-signzone can now randomize signature end times
11037 			(dnssec-signzone -j jitter). [RT #13609]
11038 
11039 1839.	[bug]		<isc/hash.h> was not being installed.
11040 
11041 1838.	[cleanup]	Don't allow Linux capabilities to be inherited.
11042 			[RT #13707]
11043 
11044 1837.	[bug]		Compile time option ISC_FACILITY was not effective
11045 			for 'named -u <user>'.  [RT #13714]
11046 
11047 1836.	[cleanup]	Silence compiler warnings in hash_test.c.
11048 
11049 1835.	[bug]		Update dnssec-signzone's usage message. [RT #13657]
11050 
11051 1834.	[bug]		Bad memset in rdata_test.c. [RT #13658]
11052 
11053 1833.	[bug]		Race condition in isc_mutex_lock_profile(). [RT #13660]
11054 
11055 1832.	[bug]		named fails to return BADKEY on unknown TSIG algorithm.
11056 			[RT #13620]
11057 
11058 1831.	[doc]		Update named-checkzone documentation. [RT #13604]
11059 
11060 1830.	[bug]		adb lame cache has sense of test reversed. [RT #13600]
11061 
11062 1829.	[bug]		win32: "pid-file none;" broken. [RT #13563]
11063 
11064 1828.	[bug]		isc_rwlock_init() failed to properly cleanup if it
11065 			encountered a error. [RT #13549]
11066 
11067 1827.	[bug]		host: update usage message for '-a'. [RT #37116]
11068 
11069 1826.	[bug]		Missing DESTROYLOCK() in isc_mem_createx() on out
11070 			of memory error. [RT #13537]
11071 
11072 1825.	[bug]		Missing UNLOCK() on out of memory error from in
11073 			rbtdb.c:subtractrdataset(). [RT #13519]
11074 
11075 1824.	[bug]		Memory leak on dns_zone_setdbtype() failure.
11076 			[RT #13510]
11077 
11078 1823.	[bug]		Wrong macro used to check for point to point interface.
11079 			[RT #13418]
11080 
11081 1822.	[bug]		check-names test for RT was reversed. [RT #13382]
11082 
11083 1821.	[placeholder]
11084 
11085 1820.	[bug]		Gracefully handle acl loops. [RT #13659]
11086 
11087 1819.	[bug]		The validator needed to check both the algorithm and
11088 			digest types of the DS to determine if it could be
11089 			used to introduce a secure zone. [RT #13593]
11090 
11091 1818.	[bug]		'named-checkconf -z' triggered an INSIST. [RT #13599]
11092 
11093 1817.	[func]		Add support for additional zone file formats for
11094 			improving loading performance.  The masterfile-format
11095 			option in named.conf can be used to specify a
11096 			non-default format.  A separate command
11097 			named-compilezone was provided to generate zone files
11098 			in the new format.  Additionally, the -I and -O options
11099 			for dnssec-signzone specify the input and output
11100 			formats.
11101 
11102 1816.	[port]		UnixWare: failed to compile lib/isc/unix/net.c.
11103 			[RT #13597]
11104 
11105 1815.	[bug]		nsupdate triggered a REQUIRE if the server was set
11106 			without also setting the zone and it encountered
11107 			a CNAME and was using TSIG.  [RT #13086]
11108 
11109 1814.	[func]		UNIX domain controls are now supported.
11110 
11111 1813.	[func]		Restructured the data locking framework using
11112 			architecture dependent atomic operations (when
11113 			available), improving response performance on
11114 			multi-processor machines significantly.
11115 			x86, x86_64, alpha, powerpc, and mips are currently
11116 			supported.
11117 
11118 1812.	[port]		win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect.
11119 			[RT #13453]
11120 
11121 1811.	[func]		Preserve the case of domain names in rdata during
11122 			zone transfers. [RT #13547]
11123 
11124 1810.	[bug]		configure, lib/bind/configure make different default
11125 			decisions about whether to do a threaded build.
11126 			[RT #13212]
11127 
11128 1809.	[bug]		"make distclean" failed for libbind if the platform
11129 			is not supported.
11130 
11131 1808.	[bug]		zone.c:notify_zone() contained a race condition,
11132 			zone->db could change underneath it.  [RT #13511]
11133 
11134 1807.	[bug]		When forwarding (forward only) set the active domain
11135 			from the forward zone name. [RT #13526]
11136 
11137 1806.	[bug]		The resolver returned the wrong result when a CNAME /
11138 			DNAME was encountered when fetching glue from a
11139 			secure namespace. [RT #13501]
11140 
11141 1805.	[bug]		Pending status was not being cleared when DLV was
11142 			active. [RT #13501]
11143 
11144 1804.	[bug]		Ensure that if we are queried for glue that it fits
11145 			in the additional section or TC is set to tell the
11146 			client to retry using TCP. [RT #10114]
11147 
11148 1803.	[bug]		dnssec-signzone sometimes failed to remove old
11149 			RRSIGs. [RT #13483]
11150 
11151 1802.	[bug]		Handle connection resets better. [RT #11280]
11152 
11153 1801.	[func]		Report differences between hints and real NS rrset
11154 			and associated address records.
11155 
11156 1800.	[bug]		Changes #1719 allowed a INSIST to be triggered.
11157 			[RT #13428]
11158 
11159 1799.	[bug]		'rndc flushname' failed to flush negative cache
11160 			entries. [RT #13438]
11161 
11162 1798.	[func]		The server syntax has been extended to support a
11163 			range of servers.  [RT #11132]
11164 
11165 1797.	[func]		named-checkconf now check acls to verify that they
11166 			only refer to existing acls. [RT #13101]
11167 
11168 1796.	[func]		"rndc freeze/thaw" now freezes/thaws all zones.
11169 
11170 1795.	[bug]		"rndc dumpdb" was not fully documented.  Minor
11171 			formatting issues with "rndc dumpdb -all".  [RT #13396]
11172 
11173 1794.	[func]		Named and named-checkzone can now both check for
11174 			non-terminal wildcard records.
11175 
11176 1793.	[func]		Extend adjusting TTL warning messages. [RT #13378]
11177 
11178 1792.	[func]		New zone option "notify-delay".  Specify a minimum
11179 			delay between sets of NOTIFY messages.
11180 
11181 1791.	[bug]		'host -t a' still printed out AAAA and MX records.
11182 			[RT #13230]
11183 
11184 1790.	[cleanup]	Move lib/dns/sec/dst up into lib/dns.  This should
11185 			allow parallel make to succeed.
11186 
11187 1789.	[bug]		Prerequisite test for tkey and dnssec could fail
11188 			with "configure --with-libtool".
11189 
11190 1788.	[bug]		libbind9.la/libbind9.so needs to link against
11191 			libisccfg.la/libisccfg.so.
11192 
11193 1787.	[port]		HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings.
11194 
11195 1786.	[port]		AIX: libt_api needs to be taught to look for
11196 			T_testlist in the main executable (--with-libtool).
11197 			[RT #13239]
11198 
11199 1785.	[bug]		libbind9.la/libbind9.so needs to link against
11200 			libisc.la/libisc.so.
11201 
11202 1784.	[cleanup]	"libtool -allow-undefined" is the default.
11203 			Leave hooks in configure to allow it to be set
11204 			if needed in the future.
11205 
11206 1783.	[cleanup]	We only need one copy of libtool.m4, ltmain.sh in the
11207 			source tree.
11208 
11209 1782.	[port]		OSX: --with-libtool + --enable-libbind broke on
11210 			__evOptMonoTime.  [RT #13219]
11211 
11212 1781.	[port]		FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810]
11213 
11214 1780.	[bug]		Update libtool to 1.5.10.
11215 
11216 1779.	[port]		OSF 5.1: libtool didn't handle -pthread correctly.
11217 
11218 1778.	[port]		HUX 11.11: fix broken IN6ADDR_ANY_INIT and
11219 			IN6ADDR_LOOPBACK_INIT macros.
11220 
11221 1777.	[port]		OSF 5.1: fix broken IN6ADDR_ANY_INIT and
11222 			IN6ADDR_LOOPBACK_INIT macros.
11223 
11224 1776.	[port]		Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
11225 			IN6ADDR_LOOPBACK_INIT macros.
11226 
11227 1775.	[bug]		Only compile getnetent_r.c when threaded. [RT #13205]
11228 
11229 1774.	[port]		Aix: Silence compiler warnings / build failures.
11230 			[RT #13154]
11231 
11232 1773.	[bug]		Fast retry on host / net unreachable. [RT #13153]
11233 
11234 1772.	[placeholder]
11235 
11236 1771.	[placeholder]
11237 
11238 1770.	[bug]		named-checkconf failed to report missing a missing
11239 			file clause for rbt{64} master/hint zones. [RT #13009]
11240 
11241 1769.	[port]		win32: change compiler flags /MTd ==> /MDd,
11242 			/MT ==> /MD.
11243 
11244 1768.	[bug]		nsecnoexistnodata() could be called with a non-NSEC
11245 			rdataset. [RT #12907]
11246 
11247 1767.	[port]		Builds on IPv6 platforms without IPv6 Advanced API
11248 			support for (struct in6_pktinfo) failed.  [RT #13077]
11249 
11250 1766.	[bug]		Update the master file timestamp on successful refresh
11251 			as well as the journal's timestamp. [RT #13062]
11252 
11253 1765.	[bug]		configure --with-openssl=auto failed. [RT #12937]
11254 
11255 1764.	[bug]		dns_zone_replacedb failed to emit a error message
11256 			if there was no SOA record in the replacement db.
11257 			[RT #13016]
11258 
11259 1763.	[func]		Perform sanity checks on NS records which refer to
11260 			'in zone' names. [RT #13002]
11261 
11262 1762.	[bug]		isc_interfaceiter_create() could return ISC_R_SUCCESS
11263 			even when it failed. [RT #12995]
11264 
11265 1761.	[bug]		'rndc dumpdb' didn't report unassociated entries.
11266 			[RT #12971]
11267 
11268 1760.	[bug]		Host / net unreachable was not penalising rtt
11269 			estimates. [RT #12970]
11270 
11271 1759.	[bug]		Named failed to startup if the OS supported IPv6
11272 			but had no IPv6 interfaces configured. [RT #12942]
11273 
11274 1758.	[func]		Don't send notify messages to self. [RT #12933]
11275 
11276 1757.	[func]		host now can turn on memory debugging flags with '-m'.
11277 
11278 1756.	[func]		named-checkconf now checks the logging configuration.
11279 			[RT #12352]
11280 
11281 1755.	[func]		allow-update is now settable at the options / view
11282 			level. [RT #6636]
11283 
11284 1754.	[bug]		We weren't always attempting to query the parent
11285 			server for the DS records at the zone cut.
11286 			[RT #12774]
11287 
11288 1753.	[bug]		Don't serve a slave zone which has no NS records.
11289 			[RT #12894]
11290 
11291 1752.	[port]		Move isc_app_start() to after ns_os_daemonise()
11292 			as some fork() implementations unblock the signals
11293 			that are blocked by isc_app_start(). [RT #12810]
11294 
11295 1751.	[bug]		--enable-getifaddrs failed under linux. [RT #12867]
11296 
11297 1750.	[port]		lib/bind/make/rules.in:subdirs was not bash friendly.
11298 			[RT #12864]
11299 
11300 1749.	[bug]		'check-names response ignore;' failed to ignore.
11301 			[RT #12866]
11302 
11303 1748.	[func]		dig now returns the byte count for axfr/ixfr.
11304 
11305 1747.	[bug]		BIND 8 compatibility: named/named-checkconf failed
11306 			to parse "host-statistics-max" in named.conf.
11307 
11308 1746.	[func]		Make public the function to read a key file,
11309 			dst_key_read_public(). [RT #12450]
11310 
11311 1745.	[bug]		Dig/host/nslookup accept replies from link locals
11312 			regardless of scope if no scope was specified when
11313 			query was sent. [RT #12745]
11314 
11315 1744.	[bug]		If tuple2msgname() failed to convert a tuple to
11316 			a name a REQUIRE could be triggered. [RT #12796]
11317 
11318 1743.	[bug]		If isc_taskmgr_create() was not able to create the
11319 			requested number of worker threads then destruction
11320 			of the manager would trigger an INSIST() failure.
11321 			[RT #12790]
11322 
11323 1742.	[bug]		Deleting all records at a node then adding a
11324 			previously existing record, in a single UPDATE
11325 			transaction, failed to leave / regenerate the
11326 			associated RRSIG records. [RT #12788]
11327 
11328 1741.	[bug]		Deleting all records at a node in a secure zone
11329 			using a update-policy grant failed. [RT #12787]
11330 
11331 1740.	[bug]		Replace rbt's hash algorithm as it performed badly
11332 			with certain zones. [RT #12729]
11333 
11334 			NOTE: a hash context now needs to be established
11335 			via isc_hash_create() if the application was not
11336 			already doing this.
11337 
11338 1739.	[bug]		dns_rbt_deletetree() could incorrectly return
11339 			ISC_R_QUOTA.  [RT #12695]
11340 
11341 1738.	[bug]		Enable overrun checking by default. [RT #12695]
11342 
11343 1737.	[bug]		named failed if more than 16 masters were specified.
11344 			[RT #12627]
11345 
11346 1736.	[bug]		dst_key_fromnamedfile() could fail to read a
11347 			public key. [RT #12687]
11348 
11349 1735.	[bug]		'dig +sigtrace' could die with a REQUIRE failure.
11350 			[RE #12688]
11351 
11352 1734.	[cleanup]	'rndc-confgen -a -t' remove extra '/' in path.
11353 			[RT #12588]
11354 
11355 1733.	[bug]		Return non-zero exit status on initial load failure.
11356 			[RT #12658]
11357 
11358 1732.	[bug]		'rrset-order name "*"' wasn't being applied to ".".
11359 			[RT #12467]
11360 
11361 1731.	[port]		darwin: relax version test in ifconfig.sh.
11362 			[RT #12581]
11363 
11364 1730.	[port]		Determine the length type used by the socket API.
11365 			[RT #12581]
11366 
11367 1729.	[func]		Improve check-names error messages.
11368 
11369 1728.	[doc]		Update check-names documentation.
11370 
11371 1727.	[bug]		named-checkzone: check-names support didn't match
11372 			documentation.
11373 
11374 1726.	[port]		aix5: add support for aix5.
11375 
11376 1725.	[port]		linux: update error message on interaction of threads,
11377 			capabilities and setuid support (named -u). [RT #12541]
11378 
11379 1724.	[bug]		Look for DNSKEY records with "dig +sigtrace".
11380 			[RT #12557]
11381 
11382 1723.	[cleanup]	Silence compiler warnings from t_tasks.c. [RT #12493]
11383 
11384 1722.	[bug]		Don't commit the journal on malformed ixfr streams.
11385 			[RT #12519]
11386 
11387 1721.	[bug]		Error message from the journal processing were not
11388 			always identifying the relevant journal. [RT #12519]
11389 
11390 1720.	[bug]		'dig +chase' did not terminate on a RFC 2308 Type 1
11391 			negative response. [RT #12506]
11392 
11393 1719.	[bug]		named was not correctly caching a RFC 2308 Type 1
11394 			negative response. [RT #12506]
11395 
11396 1718.	[bug]		nsupdate was not handling RFC 2308 Type 3 negative
11397 			responses when looking for the zone / master server.
11398 			[RT #12506]
11399 
11400 1717.	[port]		solaris: ifconfig.sh did not support Solaris 10.
11401 			"ifconfig.sh down" didn't work for Solaris 9.
11402 
11403 1716.	[doc]		named.conf(5) was being installed in the wrong
11404 			location.  [RT #12441]
11405 
11406 1715.	[func]		'dig +trace' now randomly selects the next servers
11407 			to try.  Report if there is a bad delegation.
11408 
11409 1714.	[bug]		dig/host/nslookup were only trying the first
11410 			address when a nameserver was specified by name.
11411 			[RT #12286]
11412 
11413 1713.	[port]		linux: extend capset failure message to say:
11414 			please ensure that the capset kernel module is
11415 			loaded.  see insmod(8)
11416 
11417 1712.	[bug]		Missing FULLCHECK for "trusted-key" in dig.
11418 
11419 1711.	[func]		'rndc unfreeze' has been deprecated by 'rndc thaw'.
11420 
11421 1710.	[func]		'rndc notify zone [class [view]]' resend the NOTIFY
11422 			messages for the specified zone. [RT #9479]
11423 
11424 1709.	[port]		solaris: add SMF support from Sun.
11425 
11426 1708.	[cleanup]	Replaced dns_fullname_hash() with dns_name_fullhash()
11427 			for conformance to the name space convention.  Binary
11428 			backward compatibility to the old function name is
11429 			provided. [RT #12376]
11430 
11431 1707.	[contrib]	sdb/ldap updated to version 1.0-beta.
11432 
11433 1706.	[bug]		'rndc stop' failed to cause zones to be flushed
11434 			sometimes. [RT #12328]
11435 
11436 1705.	[func]		Allow the journal's name to be changed via named.conf.
11437 
11438 1704.	[port]		lwres needed a snprintf() implementation for
11439 			platforms without snprintf().  Add missing
11440 			"#include <isc/print.h>". [RT #12321]
11441 
11442 1703.	[bug]		named would loop sending NOTIFY messages when it
11443 			failed to receive a response. [RT #12322]
11444 
11445 1702.	[bug]		also-notify should not be applied to built in zones.
11446 			[RT #12323]
11447 
11448 1701.	[doc]		A minimal named.conf man page.
11449 
11450 1700.	[func]		nslookup is no longer to be treated as deprecated.
11451 			Remove "deprecated" warning message.  Add man page.
11452 
11453 1699.	[bug]		dnssec-signzone can generate "not exact" errors
11454 			when resigning. [RT #12281]
11455 
11456 1698.	[doc]		Use reserved IPv6 documentation prefix.
11457 
11458 1697.	[bug]		xxx-source{,-v6} was not effective when it
11459 			specified one of listening addresses and a
11460 			different port than the listening port. [RT #12257]
11461 
11462 1696.	[bug]		dnssec-signzone failed to clean out nodes that
11463 			consisted of only NSEC and RRSIG records.
11464 			[RT #12154]
11465 
11466 1695.	[bug]		DS records when forwarding require special handling.
11467 			[RT #12133]
11468 
11469 1694.	[bug]		Report if the builtin views of "_default" / "_bind"
11470 			are defined in named.conf. [RT #12023]
11471 
11472 1693.	[bug]		max-journal-size was not effective for master zones
11473 			with ixfr-from-differences set. [RT #12024]
11474 
11475 1692.	[bug]		Don't set -I, -L and -R flags when libcrypto is in
11476 			/usr/lib. [RT #11971]
11477 
11478 1691.	[bug]		sdb's attachversion was not complete. [RT #11990]
11479 
11480 1690.	[bug]		Delay detaching view from the client until UPDATE
11481 			processing completes when shutting down. [RT #11714]
11482 
11483 1689.	[bug]		DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros
11484 			contained gratuitous semicolons. [RT #11707]
11485 
11486 1688.	[bug]		LDFLAGS was not supported.
11487 
11488 1687.	[bug]		Race condition in dispatch. [RT #10272]
11489 
11490 1686.	[bug]		Named sent a extraneous NOTIFY when it received a
11491 			redundant UPDATE request. [RT #11943]
11492 
11493 1685.	[bug]		Change #1679 loop tests weren't quite right.
11494 
11495 1684.	[func]		ixfr-from-differences now takes master and slave in
11496 			addition to yes and no at the options and view levels.
11497 
11498 1683.	[bug]		dig +sigchase could leak memory. [RT #11445]
11499 
11500 1682.	[port]		Update configure test for (long long) printf format.
11501 			[RT #5066]
11502 
11503 1681.	[bug]		Only set SO_REUSEADDR when a port is specified in
11504 			isc_socket_bind(). [RT #11742]
11505 
11506 1680.	[func]		rndc: the source address can now be specified.
11507 
11508 1679.	[bug]		When there was a single nameserver with multiple
11509 			addresses for a zone not all addresses were tried.
11510 			[RT #11706]
11511 
11512 1678.	[bug]		RRSIG should use TYPEXXXXX for unknown types.
11513 
11514 1677.	[bug]		dig: +aaonly didn't work, +aaflag undocumented.
11515 
11516 1676.	[func]		New option "allow-query-cache".  This lets
11517 			allow-query be used to specify the default zone
11518 			access level rather than having to have every
11519 			zone override the global value.  allow-query-cache
11520 			can be set at both the options and view levels.
11521 			If allow-query-cache is not set allow-query applies.
11522 
11523 1675.	[bug]		named would sometimes add extra NSEC records to
11524 			the authority section.
11525 
11526 1674.	[port]		linux: increase buffer size used to scan
11527 			/proc/net/if_inet6.
11528 
11529 1673.	[port]		linux: issue a error messages if IPv6 interface
11530 			scans fails.
11531 
11532 1672.	[cleanup]	Tests which only function in a threaded build
11533 			now return R:THREADONLY (rather than R:UNTESTED)
11534 			in a non-threaded build.
11535 
11536 1671.	[contrib]	queryperf: add NAPTR to the list of known types.
11537 
11538 1670.	[func]		Log UPDATE requests to slave zones without an acl as
11539 			"disabled" at debug level 3. [RT #11657]
11540 
11541 1669.	[placeholder]
11542 
11543 1668.	[bug]		DIG_SIGCHASE was making bin/dig/host dump core.
11544 
11545 1667.	[port]		linux: not all versions have IF_NAMESIZE.
11546 
11547 1666.	[bug]		The optional port on hostnames in dual-stack-servers
11548 			was being ignored.
11549 
11550 1665.	[func]		rndc now allows addresses to be set in the
11551 			server clauses.
11552 
11553 1664.	[bug]		nsupdate needed KEY for SIG(0), not DNSKEY.
11554 
11555 1663.	[func]		Look for OpenSSL by default.
11556 
11557 1662.	[bug]		Change #1658 failed to change one use of 'type'
11558 			to 'keytype'.
11559 
11560 1661.	[bug]		Restore dns_name_concatenate() call in
11561 			adb.c:set_target().  [RT #11582]
11562 
11563 1660.	[bug]		win32: connection_reset_fix() was being called
11564 			unconditionally.  [RT #11595]
11565 
11566 1659.	[cleanup]	Cleanup some messages that were referring to KEY vs
11567 			DNSKEY, NXT vs NSEC and SIG vs RRSIG.
11568 
11569 1658.	[func]		Update dnssec-keygen to default to KEY for HMAC-MD5
11570 			and DH.  Tighten which options apply to KEY and
11571 			DNSKEY records.
11572 
11573 1657.	[doc]		ARM: document query log output.
11574 
11575 1656.	[doc]		Update DNSSEC description in ARM to cover DS, NSEC
11576 			DNSKEY and RRSIG.  [RT #11542]
11577 
11578 1655.	[bug]		Logging multiple versions w/o a size was broken.
11579 			[RT #11446]
11580 
11581 1654.	[bug]		isc_result_totext() contained array bounds read
11582 			error.
11583 
11584 1653.	[func]		Add key type checking to dst_key_fromfilename(),
11585 			DST_TYPE_KEY should be used to read TSIG, TKEY and
11586 			SIG(0) keys.
11587 
11588 1652.	[bug]		TKEY still uses KEY.
11589 
11590 1651.	[bug]		dig: process multiple dash options.
11591 
11592 1650.	[bug]		dig, nslookup: flush standard out after each command.
11593 
11594 1649.	[bug]		Silence "unexpected non-minimal diff" message.
11595 			[RT #11206]
11596 
11597 1648.	[func]		Update dnssec-lookaside named.conf syntax to support
11598 			multiple dnssec-lookaside namespaces (not yet
11599 			implemented).
11600 
11601 1647.	[bug]		It was possible trigger a INSIST when chasing a DS
11602 			record that required walking back over a empty node.
11603 			[RT #11445]
11604 
11605 1646.	[bug]		win32: logging file versions didn't work with
11606 			non-UNC filenames.  [RT #11486]
11607 
11608 1645.	[bug]		named could trigger a REQUIRE failure if multiple
11609 			masters with keys are specified.
11610 
11611 1644.	[bug]		Update the journal modification time after a
11612 			successful refresh query. [RT #11436]
11613 
11614 1643.	[bug]		dns_db_closeversion() could leak memory / node
11615 			references. [RT #11163]
11616 
11617 1642.	[port]		Support OpenSSL implementations which don't have
11618 			DSA support. [RT #11360]
11619 
11620 1641.	[bug]		Update the check-names description in ARM. [RT #11389]
11621 
11622 1640.	[bug]		win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was
11623 			incorrectly closing the socket.  [RT #11291]
11624 
11625 1639.	[func]		Initial dlv system test.
11626 
11627 1638.	[bug]		"ixfr-from-differences" could generate a REQUIRE
11628 			failure if the journal open failed. [RT #11347]
11629 
11630 1637.	[bug]		Node reference leak on error in addnoqname().
11631 
11632 1636.	[bug]		The dump done callback could get ISC_R_SUCCESS even if
11633 			a error had occurred.  The database version no longer
11634 			matched the version of the database that was dumped.
11635 
11636 1635.	[bug]		Memory leak on error in query_addds().
11637 
11638 1634.	[bug]		named didn't supply a useful error message when it
11639 			detected duplicate views.  [RT #11208]
11640 
11641 1633.	[bug]		named should return NOTIMP to update requests to a
11642 			slaves without a allow-update-forwarding acl specified.
11643 			[RT #11331]
11644 
11645 1632.	[bug]		nsupdate failed to send prerequisite only UPDATE
11646 			messages. [RT #11288]
11647 
11648 1631.	[bug]		dns_journal_compact() could sometimes corrupt the
11649 			journal. [RT #11124]
11650 
11651 1630.	[contrib]	queryperf: add support for IPv6 transport.
11652 
11653 1629.	[func]		dig now supports IPv6 scoped addresses with the
11654 			extended format in the local-server part. [RT #8753]
11655 
11656 1628.	[bug]		Typo in Compaq Trucluster support. [RT #11264]
11657 
11658 1627.	[bug]		win32: sockets were not being closed when the
11659 			last external reference was removed. [RT #11179]
11660 
11661 1626.	[bug]		--enable-getifaddrs was broken. [RT #11259]
11662 
11663 1625.	[bug]		named failed to load/transfer RFC2535 signed zones
11664 			which contained CNAMES. [RT #11237]
11665 
11666 1624.	[bug]		zonemgr_putio() call should be locked. [RT #11163]
11667 
11668 1623.	[bug]		A serial number of zero was being displayed in the
11669 			"sending notifies" log message when also-notify was
11670 			used. [RT #11177]
11671 
11672 1622.	[func]		probe the system to see if IPV6_(RECV)PKTINFO is
11673 			available, and suppress wildcard binding if not.
11674 
11675 1621.	[bug]		match-destinations did not work for IPv6 TCP queries.
11676 			[RT #11156]
11677 
11678 1620.	[func]		When loading a zone report if it is signed. [RT #11149]
11679 
11680 1619.	[bug]		Missing ISC_LIST_UNLINK in end_reserved_dispatches().
11681 			[RT #11118]
11682 
11683 1618.	[bug]		Fencepost errors in dns_name_ishostname() and
11684 			dns_name_ismailbox() could trigger a INSIST().
11685 
11686 1617.	[port]		win32: VC++ 6.0 support.
11687 
11688 1616.	[compat]	Ensure that named's version is visible in the core
11689 			dump. [RT #11127]
11690 
11691 1615.	[port]		Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if
11692 			it is defined.
11693 
11694 1614.	[port]		win32: silence resource limit messages. [RT #11101]
11695 
11696 1613.	[bug]		Builds would fail on machines w/o a if_nametoindex().
11697 			Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif.
11698 			[RT #11119]
11699 
11700 1612.	[bug]		check-names at the option/view level could trigger
11701 			an INSIST. [RT #11116]
11702 
11703 1611.	[bug]		solaris: IPv6 interface scanning failed to cope with
11704 			no active IPv6 interfaces.
11705 
11706 1610.	[bug]		On dual stack machines "dig -b" failed to set the
11707 			address type to be looked up with "@server".
11708 			[RT #11069]
11709 
11710 1609.	[func]		dig now has support to chase DNSSEC signature chains.
11711 			Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES.
11712 
11713 			DNSSEC validation code in dig coded by Olivier Courtay
11714 			(olivier.courtay@irisa.fr) for the IDsA project
11715 			(http://idsa.irisa.fr).
11716 
11717 1608.	[func]		dig and host now accept -4/-6 to select IP transport
11718 			to use when making queries.
11719 
11720 1607.	[bug]		dig, host and nslookup were still using random()
11721 			to generate query ids. [RT #11013]
11722 
11723 1606.	[bug]		DLV insecurity proof was failing.
11724 
11725 1605.	[func]		New dns_db_find() option DNS_DBFIND_COVERINGNSEC.
11726 
11727 1604.	[bug]		A xfrout_ctx_create() failure would result in
11728 			xfrout_ctx_destroy() being called with a
11729 			partially initialized structure.
11730 
11731 1603.	[bug]		nsupdate: set interactive based on isatty().
11732 			[RT #10929]
11733 
11734 1602.	[bug]		Logging to a file failed unless a size was specified.
11735 			[RT #10925]
11736 
11737 1601.	[bug]		Silence spurious warning 'both "recursion no;" and
11738 			"allow-recursion" active' warning from view "_bind".
11739 			[RT #10920]
11740 
11741 1600.	[bug]		Duplicate zone pre-load checks were not case
11742 			insensitive.
11743 
11744 1599.	[bug]		Fix memory leak on error path when checking named.conf.
11745 
11746 1598.	[func]		Specify that certain parts of the namespace must
11747 			be secure (dnssec-must-be-secure).
11748 
11749 1597.	[func]		Allow notify-source and query-source to be specified
11750 			on a per server basis similar to transfer-source.
11751 			[RT #6496]
11752 
11753 1596.	[func]		Accept 'notify-source' style syntax for query-source.
11754 
11755 1595.	[func]		New notify type 'master-only'.  Enable notify for
11756 			master zones only.
11757 
11758 1594.	[bug]		'rndc dumpdb' could prevent named from answering
11759 			queries while the dump was in progress.  [RT #10565]
11760 
11761 1593.	[bug]		rndc should return "unknown command" to unknown
11762 			commands. [RT #10642]
11763 
11764 1592.	[bug]		configure_view() could leak a dispatch. [RT #10675]
11765 
11766 1591.	[bug]		libbind: updated to BIND 8.4.5.
11767 
11768 1590.	[port]		netbsd: update thread support.
11769 
11770 1589.	[func]		DNSSEC lookaside validation.
11771 
11772 1588.	[bug]		win32: TCP sockets could become blocked. [RT #10115]
11773 
11774 1587.	[bug]		dns_message_settsigkey() failed to clear existing key.
11775 			[RT #10590]
11776 
11777 1586.	[func]		"check-names" is now implemented.
11778 
11779 1585.	[placeholder]
11780 
11781 1584.	[bug]		"make test" failed with a read only source tree.
11782 			[RT #10461]
11783 
11784 1583.	[bug]		Records add via UPDATE failed to get the correct trust
11785 			level. [RT #10452]
11786 
11787 1582.	[bug]		rrset-order failed to work on RRsets with more
11788 			than 32 elements. [RT #10381]
11789 
11790 1581.	[func]		Disable DNSSEC support by default.  To enable
11791 			DNSSEC specify "dnssec-enable yes;" in named.conf.
11792 
11793 1580.	[bug]		Zone destruction on final detach takes a long time.
11794 			[RT #3746]
11795 
11796 1579.	[bug]		Multiple task managers could not be created.
11797 
11798 1578.	[bug]		Don't use CLASS E IPv4 addresses when resolving.
11799 			[RT #10346]
11800 
11801 1577.	[bug]		Use isc_uint32_t in ultrasparc optimizer bug
11802 			workaround code. [RT #10331]
11803 
11804 1576.	[bug]		Race condition in dns_dispatch_addresponse().
11805 			[RT #10272]
11806 
11807 1575.	[func]		Log TSIG name on TSIG verify failure. [RT #4404]
11808 
11809 1574.	[bug]		Don't attempt to open the controls socket(s) when
11810 			running tests. [RT #9091]
11811 
11812 1573.	[port]		linux: update to libtool 1.5.2 so that
11813 			"make install DESTDIR=/xx" works with
11814 			"configure --with-libtool".  [RT #9941]
11815 
11816 1572.	[bug]		nsupdate: sign the soa query to find the enclosing
11817 			zone if the server is specified. [RT #10148]
11818 
11819 1571.	[bug]		rbt:hash_node() could fail leaving the hash table
11820 			in an inconsistent state.  [RT #10208]
11821 
11822 1570.	[bug]		nsupdate failed to handle classes other than IN.
11823 			New keyword 'class' which sets the default class.
11824 			[RT #10202]
11825 
11826 1569.	[func]		nsupdate new command 'answer' which displays the
11827 			complete answer message to the last update.
11828 
11829 1568.	[bug]		nsupdate now reports that the update failed in
11830 			interactive mode. [RT #10236]
11831 
11832 1567.	[maint]		B.ROOT-SERVERS.NET is now 192.228.79.201.
11833 
11834 1566.	[port]		Support for the cmsg framework on Solaris and HP/UX.
11835 			This also solved the problem that match-destinations
11836 			for IPv6 addresses did not work on these systems.
11837 			[RT #10221]
11838 
11839 1565.	[bug]		CD flag should be copied to outgoing queries unless
11840 			the query is under a secure entry point in which case
11841 			CD should be set.
11842 
11843 1564.	[func]		Attempt to provide a fallback entropy source to be
11844 			used if named is running chrooted and named is unable
11845 			to open entropy source within the chroot area.
11846 			[RT #10133]
11847 
11848 1563.	[bug]		Gracefully fail when unable to obtain neither an IPv4
11849 			nor an IPv6 dispatch. [RT #10230]
11850 
11851 1562.	[bug]		isc_socket_create() and isc_socket_accept() could
11852 			leak memory under error conditions. [RT #10230]
11853 
11854 1561.	[bug]		It was possible to release the same name twice if
11855 			named ran out of memory. [RT #10197]
11856 
11857 1560.	[port]		FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA
11858 			and EAI_NONAME to the same value.
11859 
11860 1559.	[port]		named should ignore SIGFSZ.
11861 
11862 1558.	[func]		New DNSSEC 'disable-algorithms'.  Support entry into
11863 			child zones for which we don't have a supported
11864 			algorithm.  Such child zones are treated as unsigned.
11865 
11866 1557.	[func]		Implement missing DNSSEC tests for
11867 			* NOQNAME proof with wildcard answers.
11868 			* NOWILDARD proof with NXDOMAIN.
11869 			Cache and return NOQNAME with wildcard answers.
11870 
11871 1556.	[bug]		nsupdate now treats all names as fully qualified.
11872 			[RT #6427]
11873 
11874 1555.	[func]		'rrset-order cyclic' no longer has a random starting
11875 			point per query. [RT #7572]
11876 
11877 1554.	[bug]		dig, host, nslookup failed when no nameservers
11878 			were specified in /etc/resolv.conf. [RT #8232]
11879 
11880 1553.	[bug]		The windows socket code could stop accepting
11881 			connections. [RT #10115]
11882 
11883 1552.	[bug]		Accept NOTIFY requests from mapped masters if
11884 			matched-mapped is set. [RT #10049]
11885 
11886 1551.	[port]		Open "/dev/null" before calling chroot().
11887 
11888 1550.	[port]		Call tzset(), if available, before calling chroot().
11889 
11890 1549.	[func]		named-checkzone can now write out the zone contents
11891 			in a easily parsable format (-D and -o).
11892 
11893 1548.	[bug]		When parsing APL records it was possible to silently
11894 			accept out of range ADDRESSFAMILY values. [RT #9979]
11895 
11896 1547.	[bug]		Named wasted memory recording duplicate lame zone
11897 			entries. [RT #9341]
11898 
11899 1546.	[bug]		We were rejecting valid secure CNAME to negative
11900 			answers.
11901 
11902 1545.	[bug]		It was possible to leak memory if named was unable to
11903 			bind to the specified transfer source and TSIG was
11904 			being used. [RT #10120]
11905 
11906 1544.	[bug]		Named would logged a single entry to a file despite it
11907 			being over the specified size limit.
11908 
11909 1543.	[bug]		Logging using "versions unlimited" did not work.
11910 
11911 1542.	[placeholder]
11912 
11913 1541.	[func]		NSEC now uses new bitmap format.
11914 
11915 1540.	[bug]		"rndc reload <dynamiczone>" was silently accepted.
11916 			[RT #8934]
11917 
11918 1539.	[bug]		Open UDP sockets for notify-source and transfer-source
11919 			that use reserved ports at startup. [RT #9475]
11920 
11921 1538.	[placeholder]	rt9997
11922 
11923 1537.	[func]		New option "querylog".  If set specify whether query
11924 			logging is to be enabled or disabled at startup.
11925 
11926 1536.	[bug]		Windows socket code failed to log a error description
11927 			when returning ISC_R_UNEXPECTED. [RT #9998]
11928 
11929 1535.	[placeholder]
11930 
11931 1534.	[bug]		Race condition when priming cache. [RT #9940]
11932 
11933 1533.	[func]		Warn if both "recursion no;" and "allow-recursion"
11934 			are active. [RT #4389]
11935 
11936 1532.	[port]		netbsd: the configure test for <sys/sysctl.h>
11937 			requires <sys/param.h>.
11938 
11939 1531.	[port]		AIX more libtool fixes.
11940 
11941 1530.	[bug]		It was possible to trigger a INSIST() failure if a
11942 			slave master file was removed at just the correct
11943 			moment. [RT #9462]
11944 
11945 1529.	[bug]		"notify explicit;" failed to log that NOTIFY messages
11946 			were being sent for the zone. [RT #9442]
11947 
11948 1528.	[cleanup]	Simplify some dns_name_ functions based on the
11949 			deprecation of bitstring labels.
11950 
11951 1527.	[cleanup]	Reduce the number of gettimeofday() calls without
11952 			losing necessary timer granularity.
11953 
11954 1526.	[func]		Implemented "additional section caching (or acache)",
11955 			an internal cache framework for additional section
11956 			content to improve response performance.  Several
11957 			configuration options were provided to control the
11958 			behavior.
11959 
11960 1525.	[bug]		dns_cache_create() could trigger a REQUIRE
11961 			failure in isc_mem_put() during error cleanup.
11962 			[RT #9360]
11963 
11964 1524.	[port]		AIX needs to be able to resolve all symbols when
11965 			creating shared libraries (--with-libtool).
11966 
11967 1523.	[bug]		Fix race condition in rbtdb. [RT #9189]
11968 
11969 1522.	[bug]		dns_db_findnode() relax the requirements on 'name'.
11970 			[RT #9286]
11971 
11972 1521.	[bug]		dns_view_createresolver() failed to check the
11973 			result from isc_mem_create(). [RT #9294]
11974 
11975 1520.	[protocol]	Add SSHFP (SSH Finger Print) type.
11976 
11977 1519.	[bug]		dnssec-signzone:nsec_setbit() computed the wrong
11978 			length of the new bitmap.
11979 
11980 1518.	[bug]		dns_nsec_buildrdata(), and hence dns_nsec_build(),
11981 			contained a off-by-one error when working out the
11982 			number of octets in the bitmap.
11983 
11984 1517.	[port]		Support for IPv6 interface scanning on HP/UX and
11985 			TrueUNIX 5.1.
11986 
11987 1516.	[func]		Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
11988 
11989 1515.	[func]		Allow transfer source to be set in a server statement.
11990 			[RT #6496]
11991 
11992 1514.	[bug]		named: isc_hash_destroy() was being called too early.
11993 			[RT #9160]
11994 
11995 1513.	[doc]		Add "US" to root-delegation-only exclude list.
11996 
11997 1512.	[bug]		Extend the delegation-only logging to return query
11998 			type, class and responding nameserver.
11999 
12000 1511.	[bug]		delegation-only was generating false positives
12001 			on negative answers from sub-zones.
12002 
12003 1510.	[func]		New view option "root-delegation-only".  Apply
12004 			delegation-only check to all TLDs and root.
12005 			Note there are some TLDs that are NOT delegation
12006 			only (e.g. DE, LV, US and MUSEUM) these can be excluded
12007 			from the checks by using exclude.
12008 
12009 			root-delegation-only exclude {
12010 				"DE"; "LV"; "US"; "MUSEUM";
12011 			};
12012 
12013 1509.	[bug]		Hint zones should accept delegation-only.  Forward
12014 			zone should not accept delegation-only.
12015 
12016 1508.	[bug]		Don't apply delegation-only checks to answers from
12017 			forwarders.
12018 
12019 1507.	[bug]		Handle BIND 8 style returns to NS queries to parents
12020 			when making delegation-only checks.
12021 
12022 1506.	[bug]		Wrong return type for dns_view_isdelegationonly().
12023 
12024 1505.	[bug]		Uninitialized rdataset in sdb. [RT #8750]
12025 
12026 1504.	[func]		New zone type "delegation-only".
12027 
12028 1503.	[port]		win32: install libeay32.dll outside of system32.
12029 
12030 1502.	[bug]		nsupdate: adjust timeouts for UPDATE requests over TCP.
12031 
12032 1501.	[func]		Allow TCP queue length to be specified via
12033 			named.conf, tcp-listen-queue.
12034 
12035 1500.	[bug]		host failed to lookup MX records.  Also look up
12036 			AAAA records.
12037 
12038 1499.	[bug]		isc_random need to be seeded better if arc4random()
12039 			is not used.
12040 
12041 1498.	[port]		bsdos: 5.x support.
12042 
12043 1497.	[placeholder]
12044 
12045 1496.	[port]		test for pthread_attr_setstacksize().
12046 
12047 1495.	[cleanup]	Replace hash functions with universal hash.
12048 
12049 1494.	[security]	Turn on RSA BLINDING as a precaution.
12050 
12051 1493.	[placeholder]
12052 
12053 1492.	[cleanup]	Preserve rwlock quota context when upgrading /
12054 			downgrading. [RT #5599]
12055 
12056 1491.	[bug]		dns_master_dump*() would produce extraneous $ORIGIN
12057 			lines. [RT #6206]
12058 
12059 1490.	[bug]		Accept reading state as well as working state in
12060 			ns_client_next(). [RT #6813]
12061 
12062 1489.	[compat]	Treat 'allow-update' on slave zones as a warning.
12063 			[RT #3469]
12064 
12065 1488.	[bug]		Don't override trust levels for glue addresses.
12066 			[RT #5764]
12067 
12068 1487.	[bug]		A REQUIRE() failure could be triggered if a zone was
12069 			queued for transfer and the zone was then removed.
12070 			[RT #6189]
12071 
12072 1486.	[bug]		isc_print_snprintf() '%%' consumed one too many format
12073 			characters. [RT #8230]
12074 
12075 1485.	[bug]		gen failed to handle high type values. [RT #6225]
12076 
12077 1484.	[bug]		The number of records reported after a AXFR was wrong.
12078 			[RT #6229]
12079 
12080 1483.	[bug]		dig axfr failed if the message id in the answer failed
12081 			to match that in the request.  Only the id in the first
12082 			message is required to match. [RT #8138]
12083 
12084 1482.	[bug]		named could fail to start if the kernel supports
12085 			IPv6 but no interfaces are configured.  Similarly
12086 			for IPv4. [RT #6229]
12087 
12088 1481.	[bug]		Refresh and stub queries failed to use masters keys
12089 			if specified. [RT #7391]
12090 
12091 1480.	[bug]		Provide replay protection for rndc commands.  Full
12092 			replay protection requires both rndc and named to
12093 			be updated.  Partial replay protection (limited
12094 			exposure after restart) is provided if just named
12095 			is updated.
12096 
12097 1479.	[bug]		cfg_create_tuple() failed to handle out of
12098 			memory cleanup.  parse_list() would leak memory
12099 			on syntax errors.
12100 
12101 1478.	[port]		ifconfig.sh didn't account for other virtual
12102 			interfaces.  It now takes a optional argument
12103 			to specify the first interface number. [RT #3907]
12104 
12105 1477.	[bug]		memory leak using stub zones and TSIG.
12106 
12107 1476.	[placeholder]
12108 
12109 1475.	[port]		Probe for old sprintf().
12110 
12111 1474.	[port]		Provide strtoul() and memmove() for platforms
12112 			without them.
12113 
12114 1473.	[bug]		create_map() and create_string() failed to handle out
12115 			of memory cleanup.  [RT #6813]
12116 
12117 1472.	[contrib]	idnkit-1.0 from JPNIC, replaces mdnkit.
12118 
12119 1471.	[bug]		libbind: updated to BIND 8.4.0.
12120 
12121 1470.	[bug]		Incorrect length passed to snprintf. [RT #5966]
12122 
12123 1469.	[func]		Log end of outgoing zone transfer at same level
12124 			as the start of transfer is logged. [RT #4441]
12125 
12126 1468.	[func]		Internal zones are no longer counted for
12127 			'rndc status'.  [RT #4706]
12128 
12129 1467.	[func]		$GENERATES now supports optional class and ttl.
12130 
12131 1466.	[bug]		lwresd configuration errors resulted in memory
12132 			and lock leaks.  [RT #5228]
12133 
12134 1465.	[bug]		isc_base64_decodestring() and isc_base64_tobuffer()
12135 			failed to check that trailing bits were zero allowing
12136 			some invalid base64 strings to be accepted.  [RT #5397]
12137 
12138 1464.	[bug]		Preserve "out of zone" data for outgoing zone
12139 			transfers. [RT #5192]
12140 
12141 1463.	[bug]		dns_rdata_from{wire,struct}() failed to catch bad
12142 			NXT bit maps. [RT #5577]
12143 
12144 1462.	[bug]		parse_sizeval() failed to check the token type.
12145 			[RT #5586]
12146 
12147 1461.	[bug]		Remove deadlock from rbtdb code. [RT #5599]
12148 
12149 1460.	[bug]		inet_pton() failed to reject certain malformed
12150 			IPv6 literals.
12151 
12152 1459.	[placeholder]
12153 
12154 1458.	[cleanup]	sprintf() -> snprintf().
12155 
12156 1457.	[port]		Provide strlcat() and strlcpy() for platforms without
12157 			them.
12158 
12159 1456.	[contrib]	gen-data-queryperf.py from Stephane Bortzmeyer.
12160 
12161 1455.	[bug]		<netaddr> missing from server grammar in
12162 			doc/misc/options. [RT #5616]
12163 
12164 1454.	[port]		Use getifaddrs() if available for interface scanning.
12165 			--disable-getifaddrs to override.  Glibc currently
12166 			has a getifaddrs() that does not support IPv6.
12167 			Use --enable-getifaddrs=glibc to force the use of
12168 			this version under linux machines.
12169 
12170 1453.	[doc]		ARM: $GENERATE example wasn't accurate. [RT #5298]
12171 
12172 1452.	[placeholder]
12173 
12174 1451.	[bug]		rndc-confgen didn't exit with a error code for all
12175 			failures. [RT #5209]
12176 
12177 1450.	[bug]		Fetching expired glue failed under certain
12178 			circumstances.  [RT #5124]
12179 
12180 1449.	[bug]		query_addbestns() didn't handle running out of memory
12181 			gracefully.
12182 
12183 1448.	[bug]		Handle empty wildcards labels.
12184 
12185 1447.	[bug]		We were casting (unsigned int) to and from (void *).
12186 			rdataset->private4 is now rdataset->privateuint4
12187 			to reflect a type change.
12188 
12189 1446.	[func]		Implemented undocumented alternate transfer sources
12190 			from BIND 8.  See use-alt-transfer-source,
12191 			alt-transfer-source and alt-transfer-source-v6.
12192 
12193 			SECURITY: use-alt-transfer-source is ENABLED unless
12194 			you are using views.  This may cause a security risk
12195 			resulting in accidental disclosure of wrong zone
12196 			content if the master supplying different source
12197 			content based on IP address.  If you are not certain
12198 			ISC recommends setting use-alt-transfer-source no;
12199 
12200 1445.	[bug]		DNS_ADBFIND_STARTATROOT broke stub zones.  This has
12201 			been replaced with DNS_ADBFIND_STARTATZONE which
12202 			causes the search to start using the closest zone.
12203 
12204 1444.	[func]		dns_view_findzonecut2() allows you to specify if the
12205 			cache should be searched for zone cuts.
12206 
12207 1443.	[func]		Masters lists can now be specified and referenced
12208 			in zone masters clauses and other masters lists.
12209 
12210 1442.	[func]		New functions for manipulating port lists:
12211 			dns_portlist_create(), dns_portlist_add(),
12212 			dns_portlist_remove(), dns_portlist_match(),
12213 			dns_portlist_attach() and dns_portlist_detach().
12214 
12215 1441.	[func]		It is now possible to tell dig to bind to a specific
12216 			source port.
12217 
12218 1440.	[func]		It is now possible to tell named to avoid using
12219 			certain source ports (avoid-v4-udp-ports,
12220 			avoid-v6-udp-ports).
12221 
12222 1439.	[bug]		Named could return NOERROR with certain NOTIFY
12223 			failures.  Return NOTAUTH if the NOTIFY zone is
12224 			not being served.
12225 
12226 1438.	[func]		Log TSIG (if any) when logging NOTIFY requests.
12227 
12228 1437.	[bug]		Leave space for stdio to work in. [RT #5033]
12229 
12230 1436.	[func]		dns_zonemgr_resumexfrs() can be used to restart
12231 			stalled transfers.
12232 
12233 1435.	[bug]		zmgr_resume_xfrs() was being called read locked
12234 			rather than write locked.  zmgr_resume_xfrs()
12235 			was not being called if the zone was being
12236 			shutdown.
12237 
12238 1434.	[bug]		"rndc reconfig" failed to initiate the initial
12239 			zone transfer of new slave zones.
12240 
12241 1433.	[bug]		named could trigger a REQUIRE failure if it could
12242 			not get a file descriptor when attempting to write
12243 			a master file. [RT #4347]
12244 
12245 1432.	[func]		The advertised EDNS UDP buffer size can now be set
12246 			via named.conf (edns-udp-size).
12247 
12248 1431.	[bug]		isc_print_snprintf() "%s" with precision could walk off
12249 			end of argument. [RT #5191]
12250 
12251 1430.	[port]		linux: IPv6 interface scanning support.
12252 
12253 1429.	[bug]		Prevent the cache getting locked to old servers.
12254 
12255 1428.	[placeholder]
12256 
12257 1427.	[bug]		Race condition in adb with threaded build.
12258 
12259 1426.	[placeholder]
12260 
12261 1425.	[port]		linux/libbind: define __USE_MISC when testing *_r()
12262 			function prototypes in netdb.h.  [RT #4921]
12263 
12264 1424.	[bug]		EDNS version not being correctly printed.
12265 
12266 1423.	[contrib]	queryperf: added A6 and SRV.
12267 
12268 1422.	[func]		Log name/type/class when denying a query.  [RT #4663]
12269 
12270 1421.	[func]		Differentiate updates that don't succeed due to
12271 			prerequisites (unsuccessful) vs other reasons
12272 			(failed).
12273 
12274 1420.	[port]		solaris: work around gcc optimizer bug.
12275 
12276 1419.	[port]		openbsd: use /dev/arandom. [RT #4950]
12277 
12278 1418.	[bug]		'rndc reconfig' did not cause new slaves to load.
12279 
12280 1417.	[func]		ID.SERVER/CHAOS is now a built in zone.
12281 			See "server-id" for how to configure.
12282 
12283 1416.	[bug]		Empty node should return NOERROR NODATA, not NXDOMAIN.
12284 			[RT #4715]
12285 
12286 1415.	[func]		DS TTL now derived from NS ttl.  NXT TTL now derived
12287 			from SOA MINIMUM.
12288 
12289 1414.	[func]		Support for KSK flag.
12290 
12291 1413.	[func]		Explicitly request the (re-)generation of DS records
12292 			from keysets (dnssec-signzone -g).
12293 
12294 1412.	[func]		You can now specify servers to be tried if a nameserver
12295 			has IPv6 address and you only support IPv4 or the
12296 			reverse. See dual-stack-servers.
12297 
12298 1411.	[bug]		empty nodes should stop wildcard matches. [RT #4802]
12299 
12300 1410.	[func]		Handle records that live in the parent zone, e.g. DS.
12301 
12302 1409.	[bug]		DS should have attribute DNS_RDATATYPEATTR_DNSSEC.
12303 
12304 1408.	[bug]		"make distclean" was not complete. [RT #4700]
12305 
12306 1407.	[bug]		lfsr incorrectly implements the shift register.
12307 			[RT #4617]
12308 
12309 1406.	[bug]		dispatch initializes one of the LFSR's with a incorrect
12310 			polynomial.  [RT #4617]
12311 
12312 1405.	[func]		Use arc4random() if available.
12313 
12314 1404.	[bug]		libbind: ns_name_ntol() could overwrite a zero length
12315 			buffer.
12316 
12317 1403.	[func]		dnssec-signzone, dnssec-keygen, dnssec-makekeyset
12318 			dnssec-signkey now report their version in the
12319 			usage message.
12320 
12321 1402.	[cleanup]	A6 has been moved to experimental and is no longer
12322 			fully supported.
12323 
12324 1401.	[bug]		adb wasn't clearing state when the timer expired.
12325 
12326 1400.	[bug]		Block the addition of wildcard NS records by IXFR
12327 			or UPDATE. [RT #3502]
12328 
12329 1399.	[bug]		Use serial number arithmetic when testing SIG
12330 			timestamps. [RT #4268]
12331 
12332 1398.	[doc]		ARM: notify-also should have been also-notify.
12333 			[RT #4345]
12334 
12335 1397.	[maint]		J.ROOT-SERVERS.NET is now 192.58.128.30.
12336 
12337 1396.	[func]		dnssec-signzone: adjust the default signing time by
12338 			1 hour to allow for clock skew.
12339 
12340 1395.	[port]		OpenSSL 0.9.7 defines CRYPTO_LOCK_ENGINE but doesn't
12341 			have a working implementation.  [RT #4079]
12342 
12343 1394.	[func]		It is now possible to check if a particular element is
12344 			in a acl.  Remove duplicate entries from the localnets
12345 			acl.
12346 
12347 1393.	[port]		Bind to individual IPv6 interfaces if IPV6_IPV6ONLY
12348 			is not available in the kernel to prevent accidentally
12349 			listening on IPv4 interfaces.
12350 
12351 1392.	[bug]		named-checkzone: update usage.
12352 
12353 1391.	[func]		Add support for IPv6 scoped addresses in named.
12354 
12355 1390.	[func]		host now supports ixfr.
12356 
12357 1389.	[bug]		named could fail to rotate long log files.  [RT #3666]
12358 
12359 1388.	[port]		irix: check for sys/sysctl.h and NET_RT_IFLIST before
12360 			defining HAVE_IFLIST_SYSCTL. [RT #3770]
12361 
12362 1387.	[bug]		named could crash due to an access to invalid memory
12363 			space (which caused an assertion failure) in
12364 			incremental cleaning.  [RT #3588]
12365 
12366 1386.	[bug]		named-checkzone -z stopped on errors in a zone.
12367 			[RT #3653]
12368 
12369 1385.	[bug]		Setting serial-query-rate to 10 would trigger a
12370 			REQUIRE failure.
12371 
12372 1384.	[bug]		host was incompatible with BIND 8 in its exit code and
12373 			in the output with the -l option.  [RT #3536]
12374 
12375 1383.	[func]		Track the serial number in a IXFR response and log if
12376 			a mismatch occurs.  This is a more specific error than
12377 			"not exact". [RT #3445]
12378 
12379 1382.	[bug]		make install failed with --enable-libbind. [RT #3656]
12380 
12381 1381.	[bug]		named failed to correctly process answers that
12382 			contained DNAME records where the resulting CNAME
12383 			resulted in a negative answer.
12384 
12385 1380.	[func]		'rndc recursing' dump recursing queries to
12386 			'recursing-file = "named.recursing";'.
12387 
12388 1379.	[func]		'rndc status' now reports tcp and recursion quota
12389 			states.
12390 
12391 1378.	[func]		Improved positive feedback for 'rndc {reload|refresh}.
12392 
12393 1377.	[func]		dns_zone_load{new}() now reports if the zone was
12394 			loaded, queued for loading to up to date.
12395 
12396 1376.	[func]		New function dns_zone_logc() to log to specified
12397 			category.
12398 
12399 1375.	[func]		'rndc dumpdb' now dumps the adb cache along with the
12400 			data cache.
12401 
12402 1374.	[func]		dns_adb_dump() now logs the lame zones associated
12403 			with each server.
12404 
12405 1373.	[bug]		Recovery from expired glue failed under certain
12406 			circumstances.
12407 
12408 1372.	[bug]		named crashes with an assertion failure on exit when
12409 			sharing the same port for listening and querying, and
12410 			changing listening addresses several times. [RT #3509]
12411 
12412 1371.	[bug]		notify-source-v6, transfer-source-v6 and
12413 			query-source-v6 with explicit addresses and using the
12414 			same ports as named was listening on could interfere
12415 			with named's ability to answer queries sent to those
12416 			addresses.
12417 
12418 1370.	[bug]		dig '+[no]recurse' was incorrectly documented.
12419 
12420 1369.	[bug]		Adding an NS record as the lexicographically last
12421 			record in a secure zone didn't work.
12422 
12423 1368.	[func]		remove support for bitstring labels.
12424 
12425 1367.	[func]		Use response times to select forwarders.
12426 
12427 1366.	[contrib]	queryperf usage was incomplete.  Add '-h' for help.
12428 
12429 1365.	[func]		"localhost" and "localnets" acls now include IPv6
12430 			addresses / prefixes.
12431 
12432 1364.	[func]		Log file name when unable to open memory statistics
12433 			and dump database files. [RT #3437]
12434 
12435 1363.	[func]		Listen-on-v6 now supports specific addresses.
12436 
12437 1362.	[bug]		remove IFF_RUNNING test when scanning interfaces.
12438 
12439 1361.	[func]		log the reason for rejecting a server when resolving
12440 			queries.
12441 
12442 1360.	[bug]		--enable-libbind would fail when not built in the
12443 			source tree for certain OS's.
12444 
12445 1359.	[security]	Support patches OpenSSL libraries.
12446 			http://www.cert.org/advisories/CA-2002-23.html
12447 
12448 1358.	[bug]		It was possible to trigger a INSIST when debugging
12449 			large dynamic updates. [RT #3390]
12450 
12451 1357.	[bug]		nsupdate was extremely wasteful of memory.
12452 
12453 1356.	[tuning]	Reduce the number of events / quantum for zone tasks.
12454 
12455 1355.	[bug]		Fix DNSSEC wildcard proof for CNAME/DNAME.
12456 
12457 1354.	[doc]		lwres man pages had illegal nroff.
12458 
12459 1353.	[contrib]	sdb/ldap to version 0.9.
12460 
12461 1352.	[bug]		dig, host, nslookup when falling back to TCP use the
12462 			current search entry (if any). [RT #3374]
12463 
12464 1351.	[bug]		lwres_getipnodebyname() returned the wrong name
12465 			when given a IPv4 literal, af=AF_INET6 and AI_MAPPED
12466 			was set.
12467 
12468 1350.	[bug]		dns_name_fromtext() failed to handle too many labels
12469 			gracefully.
12470 
12471 1349.	[security]	Minimum OpenSSL version now 0.9.6e (was 0.9.5a).
12472 			http://www.cert.org/advisories/CA-2002-23.html
12473 
12474 1348.	[port]		win32: Rewrote code to use I/O Completion Ports
12475 			in socket.c and eliminating a host of socket
12476 			errors. Performance is enhanced.
12477 
12478 1347.	[placeholder]
12479 
12480 1346.	[placeholder]
12481 
12482 1345.	[port]		Use a explicit -Wformat with gcc.  Not all versions
12483 			include it in -Wall.
12484 
12485 1344.	[func]		Log if the serial number on the master has gone
12486 			backwards.
12487 			If you have multiple machines specified in the masters
12488 			clause you may want to set 'multi-master yes;' to
12489 			suppress this warning.
12490 
12491 1343.	[func]		Log successful notifies received (info).  Adjust log
12492 			level for failed notifies to notice.
12493 
12494 1342.	[func]		Log remote address with TCP dispatch failures.
12495 
12496 1341.	[func]		Allow a rate limiter to be stalled.
12497 
12498 1340.	[bug]		Delay and spread out the startup refresh load.
12499 
12500 1339.	[func]		dig, host and nslookup now use IP6.ARPA for nibble
12501 			lookups.  Bit string lookups are no longer attempted.
12502 
12503 1338.	[placeholder]
12504 
12505 1337.	[placeholder]
12506 
12507 1336.	[func]		Nibble lookups under IP6.ARPA are now supported by
12508 			dns_byaddr_create().  dns_byaddr_createptrname() is
12509 			deprecated, use dns_byaddr_createptrname2() instead.
12510 
12511 1335.	[bug]		When performing a nonexistence proof, the validator
12512 			should discard parent NXTs from higher in the DNS.
12513 
12514 1334.	[bug]		When signing/verifying rdatasets, duplicate rdatas
12515 			need to be suppressed.
12516 
12517 1333.	[contrib]	queryperf now reports a summary of returned
12518 			rcodes (-c), rcodes are printed in mnemonic form (-v).
12519 
12520 1332.	[func]		Report the current serial with periodic commits when
12521 			rolling forward the journal.
12522 
12523 1331.	[func]		Generate DNSSEC wildcard proofs.
12524 
12525 1330.	[bug]		When processing events (non-threaded) only allow
12526 			the task one chance to use to use its quantum.
12527 
12528 1329.	[func]		named-checkzone will now check if nameservers that
12529 			appear to be IP addresses.  Available modes "fail",
12530 			"warn" (default) and "ignore" the results of the
12531 			check.
12532 
12533 1328.	[bug]		The validator could incorrectly verify an invalid
12534 			negative proof.
12535 
12536 1327.	[bug]		The validator would incorrectly mark data as insecure
12537 			when seeing a bogus signature before a correct
12538 			signature.
12539 
12540 1326.	[bug]		DNAME/CNAME signatures were not being cached when
12541 			validation was not being performed. [RT #3284]
12542 
12543 1325.	[bug]		If the tcpquota was exhausted it was possible to
12544 			to trigger a INSIST() failure.
12545 
12546 1324.	[port]		darwin: ifconfig.sh now supports darwin.
12547 
12548 1323.	[port]		linux: Slackware 4.0 needs <asm/unistd.h>. [RT #3205]
12549 
12550 1322.	[bug]		dnssec-signzone usage message was misleading.
12551 
12552 1321.	[bug]		If the last RRset in a zone is glue, dnssec-signzone
12553 			would incorrectly duplicate its output and sign it.
12554 
12555 1320.	[doc]		query-source-v6 was missing from options section.
12556 			[RT #3218]
12557 
12558 1319.	[func]		libbind: log attempts to exploit #1318.
12559 
12560 1318.	[bug]		libbind: Remote buffer overrun.
12561 
12562 1317.	[port]		libbind: TrueUNIX 5.1 does not like __align as a
12563 			element name.
12564 
12565 1316.	[bug]		libbind: gethostans() could get out of sync parsing
12566 			the response if there was a very long CNAME chain.
12567 
12568 1315.	[bug]		Options should apply to the internal _bind view.
12569 
12570 1314.	[port]		Handle ECONNRESET from sendmsg() [unix].
12571 
12572 1313.	[func]		Query log now says if the query was signed (S) or
12573 			if EDNS was used (E).
12574 
12575 1312.	[func]		Log TSIG key used w/ outgoing zone transfers.
12576 
12577 1311.	[bug]		lwres_getrrsetbyname leaked memory.  [RT #3159]
12578 
12579 1310.	[bug]		'rndc stop' failed to cause zones to be flushed
12580 			sometimes. [RT #3157]
12581 
12582 1309.	[func]		Log that a zone transfer was covered by a TSIG.
12583 
12584 1308.	[func]		DS (delegation signer) support.
12585 
12586 1307.	[bug]		nsupdate: allow white space base64 key data.
12587 
12588 1306.	[bug]		Badly encoded LOC record when the size, horizontal
12589 			precision or vertical precision was 0.1m.
12590 
12591 1305.	[bug]		Document that internal zones are included in the
12592 			rndc status results.
12593 
12594 1304.	[func]		New function: dns_zone_name().
12595 
12596 1303.	[func]		Option 'flush-zones-on-shutdown <boolean>;'.
12597 
12598 1302.	[func]		Extended rndc dumpdb to support dumping of zones and
12599 			view selection: 'dumpdb [-all|-zones|-cache] [view]'.
12600 
12601 1301.	[func]		New category 'update-security'.
12602 
12603 1300.	[port]		Compaq Trucluster support.
12604 
12605 1299.	[bug]		Set AI_ADDRCONFIG when looking up addresses
12606 			via getaddrinfo() (affects dig, host, nslookup, rndc
12607 			and nsupdate).
12608 
12609 1298.	[bug]		The CINCLUDES macro in lib/dns/sec/dst/Makefile
12610 			could be left with a trailing "\" after configure
12611 			has been run.
12612 
12613 1297.	[port]		linux: make handling EINVAL from socket() no longer
12614 			conditional on #ifdef LINUX.
12615 
12616 1296.	[bug]		isc_log_closefilelogs() needed to lock the log
12617 			context.
12618 
12619 1295.	[bug]		isc_log_setdebuglevel() needed to lock the log
12620 			context.
12621 
12622 1294.	[func]		libbind: no longer attempts bit string labels for
12623 			IPv6 reverse resolution.  Try IP6.ARPA then IP6.INT
12624 			for nibble style resolution.
12625 
12626 1293.	[func]		Entropy can now be retrieved from EGDs. [RT #2438]
12627 
12628 1292.	[func]		Enable IPv6 support when using ioctl style interface
12629 			scanning and OS supports SIOCGLIFADDR using struct
12630 			if_laddrreq.
12631 
12632 1291.	[func]		Enable IPv6 support when using sysctl style interface
12633 			scanning.
12634 
12635 1290.	[func]		"dig axfr" now reports the number of messages
12636 			as well as the number of records.
12637 
12638 1289.	[port]		See if -ldl is required for OpenSSL? [RT #2672]
12639 
12640 1288.	[bug]		Adjusted REQUIRE's in lib/dns/name.c to better
12641 			reflect written requirements.
12642 
12643 1287.	[bug]		REQUIRE that DNS_DBADD_MERGE only be set when adding
12644 			a rdataset to a zone db in the rbtdb implementation of
12645 			addrdataset.
12646 
12647 1286.	[bug]		dns_name_downcase() enforce requirement that
12648 			target != NULL or name->buffer != NULL.
12649 
12650 1285.	[func]		lwres: probe the system to see what address families
12651 			are currently in use.
12652 
12653 1284.	[bug]		The RTT estimate on unused servers was not aged.
12654 			[RT #2569]
12655 
12656 1283.	[func]		Use "dataready" accept filter if available.
12657 
12658 1282.	[port]		libbind: hpux 11.11 interface scanning.
12659 
12660 1281.	[func]		Log zone when unable to get private keys to update
12661 			zone.  Log zone when NXT records are missing from
12662 			secure zone.
12663 
12664 1280.	[bug]		libbind: escape '(' and ')' when converting to
12665 			presentation form.
12666 
12667 1279.	[port]		Darwin uses (unsigned long) for size_t. [RT #2590]
12668 
12669 1278.	[func]		dig: now supports +[no]cl +[no]ttlid.
12670 
12671 1277.	[func]		You can now create your own customized printing
12672 			styles: dns_master_stylecreate() and
12673 			dns_master_styledestroy().
12674 
12675 1276.	[bug]		libbind: const pointer conflicts in res_debug.c.
12676 
12677 1275.	[port]		libbind: hpux: treat all hpux systems as BIG_ENDIAN.
12678 
12679 1274.	[bug]		Memory leak in lwres_gnbarequest_parse().
12680 
12681 1273.	[port]		libbind: solaris: 64 bit binary compatibility.
12682 
12683 1272.	[contrib]	Berkeley DB 4.0 sdb implementation from
12684 			Nuno Miguel Rodrigues <nmr@co.sapo.pt>.
12685 
12686 1271.	[bug]		"recursion available: {denied,approved}" was too
12687 			confusing.
12688 
12689 1270.	[bug]		Check that system inet_pton() and inet_ntop() support
12690 			AF_INET6.
12691 
12692 1269.	[port]		Openserver: ifconfig.sh support.
12693 
12694 1268.	[port]		Openserver: the value FD_SETSIZE depends on whether
12695 			<sys/param.h> is included or not.  Be consistent.
12696 
12697 1267.	[func]		isc_file_openunique() now creates file using mode
12698 			0666 rather than 0600.
12699 
12700 1266.	[bug]		ISC_LINK_INIT, ISC_LINK_UNLINK, ISC_LIST_DEQUEUE,
12701 			__ISC_LINK_UNLINKUNSAFE and __ISC_LIST_DEQUEUEUNSAFE
12702 			are not C++ compatible, use *_TYPE versions instead.
12703 
12704 1265.	[bug]		libbind: LINK_INIT and UNLINK were not compatible with
12705 			C++, use LINK_INIT_TYPE and UNLINK_TYPE instead.
12706 
12707 1264.	[placeholder]
12708 
12709 1263.	[bug]		Reference after free error if dns_dispatchmgr_create()
12710 			failed.
12711 
12712 1262.	[bug]		ns_server_destroy() failed to set *serverp to NULL.
12713 
12714 1261.	[func]		libbind: ns_sign2() and ns_sign_tcp() now provide
12715 			support for compressed TSIG owner names.
12716 
12717 1260.	[func]		libbind: res_update can now update IPv6 servers,
12718 			new function res_findzonecut2().
12719 
12720 1259.	[bug]		libbind: get_salen() IPv6 support was broken for OSs
12721 			w/o sa_len.
12722 
12723 1258.	[bug]		libbind: res_nametotype() and res_nametoclass() were
12724 			broken.
12725 
12726 1257.	[bug]		Failure to write pid-file should not be fatal on
12727 			reload. [RT #2861]
12728 
12729 1256.	[contrib]	'queryperf' now has EDNS (-e) + DNSSEC DO (-D) support.
12730 
12731 1255.	[bug]		When verifying that an NXT proves nonexistence, check
12732 			the rcode of the message and only do the matching NXT
12733 			check.  That is, for NXDOMAIN responses, check that
12734 			the name is in the range between the NXT owner and
12735 			next name, and for NOERROR NODATA responses, check
12736 			that the type is not present in the NXT bitmap.
12737 
12738 1254.	[func]		preferred-glue option from BIND 8.3.
12739 
12740 1253.	[bug]		The dnssec system test failed to remove the correct
12741 			files.
12742 
12743 1252.	[bug]		Dig, host and nslookup were not checking the address
12744 			the answer was coming from against the address it was
12745 			sent to. [RT #2692]
12746 
12747 1251.	[port]		win32: a make file contained absolute version specific
12748 			references.
12749 
12750 1250.	[func]		Nsupdate will report the address the update was
12751 			sent to.
12752 
12753 1249.	[bug]		Missing masters clause was not handled gracefully.
12754 			[RT #2703]
12755 
12756 1248.	[bug]		DESTDIR was not being propagated between makes.
12757 
12758 1247.	[bug]		Don't reset the interface index for link/site local
12759 			addresses. [RT #2576]
12760 
12761 1246.	[func]		New functions isc_sockaddr_issitelocal(),
12762 			isc_sockaddr_islinklocal(), isc_netaddr_issitelocal()
12763 			and isc_netaddr_islinklocal().
12764 
12765 1245.	[bug]		Treat ENOBUFS, ENOMEM and ENFILE as soft errors for
12766 			accept().
12767 
12768 1244.	[bug]		Receiving a TCP message from a blackhole address would
12769 			prevent further messages being received over that
12770 			interface.
12771 
12772 1243.	[bug]		It was possible to trigger a REQUIRE() in
12773 			dns_message_findtype(). [RT #2659]
12774 
12775 1242.	[bug]		named-checkzone failed if a journal existed. [RT #2657]
12776 
12777 1241.	[bug]		Drop received UDP messages with a zero source port
12778 			as these are invariably forged. [RT #2621]
12779 
12780 1240.	[bug]		It was possible to leak zone references by
12781 			specifying an incorrect zone to rndc.
12782 
12783 1239.	[bug]		Under certain circumstances named could continue to
12784 			use a name after it had been freed triggering
12785 			INSIST() failures.  [RT #2614]
12786 
12787 1238.	[bug]		It is possible to lockup the server when shutting down
12788 			if notifies were being processed. [RT #2591]
12789 
12790 1237.	[bug]		nslookup: "set q=type" failed.
12791 
12792 1236.	[bug]		dns_rdata{class,type}_fromtext() didn't handle non
12793 			NULL terminated text regions. [RT #2588]
12794 
12795 1235.	[func]		Report 'out of memory' errors from openssl.
12796 
12797 1234.	[bug]		contrib/sdb: 'zonetodb' failed to call
12798 			dns_result_register().  DNS_R_SEENINCLUDE should not
12799 			be fatal.
12800 
12801 1233.	[bug]		The flags field of a KEY record can be expressed in
12802 			hex as well as decimal.
12803 
12804 1232.	[bug]		unix/errno2result() didn't handle EADDRNOTAVAIL.
12805 
12806 1231.	[port]		HPUX 11.11 recvmsg() can return spurious EADDRNOTAVAIL.
12807 
12808 1230.	[bug]		isccc_cc_isreply() and isccc_cc_isack() were broken.
12809 
12810 1229.	[bug]		named would crash if it received a TSIG signed
12811 			query as part of an AXFR response. [RT #2570]
12812 
12813 1228.	[bug]		'make install' did not depend on 'make all'. [RT #2559]
12814 
12815 1227.	[bug]		dns_lex_getmastertoken() now returns ISC_R_BADNUMBER
12816 			if a number was expected and some other token was
12817 			found. [RT #2532]
12818 
12819 1226.	[func]		Use EDNS for zone refresh queries. [RT #2551]
12820 
12821 1225.	[func]		dns_message_setopt() no longer requires that
12822 			dns_message_renderbegin() to have been called.
12823 
12824 1224.	[bug]		'rrset-order' and 'sortlist' should be additive
12825 			not exclusive.
12826 
12827 1223.	[func]		'rrset-order' partially works 'cyclic' and 'random'
12828 			are supported.
12829 
12830 1222.	[bug]		Specifying 'port *' did not always result in a system
12831 			selected (non-reserved) port being used. [RT #2537]
12832 
12833 1221.	[bug]		Zone types 'master', 'slave' and 'stub' were not being
12834 			compared case insensitively. [RT #2542]
12835 
12836 1220.	[func]		Support for APL rdata type.
12837 
12838 1219.	[func]		Named now reports the TSIG extended error code when
12839 			signature verification fails. [RT #1651]
12840 
12841 1218.	[bug]		Named incorrectly returned SERVFAIL rather than
12842 			NOTAUTH when there was a TSIG BADTIME error. [RT #2519]
12843 
12844 1217.	[func]		Report locations of previous key definition when a
12845 			duplicate is detected.
12846 
12847 1216.	[bug]		Multiple server clauses for the same server were not
12848 			reported.  [RT #2514]
12849 
12850 1215.	[port]		solaris: add support to ifconfig.sh for x86 2.5.1
12851 
12852 1214.	[bug]		Win32: isc_file_renameunique() could leave zero length
12853 			files behind.
12854 
12855 1213.	[func]		Report view associated with client if it is not a
12856 			standard view (_default or _bind).
12857 
12858 1212.	[port]		libbind: 64k answer buffers were causing stack space
12859 			to be exceeded for certain OS.  Use heap space instead.
12860 
12861 1211.	[bug]		dns_name_fromtext() incorrectly handled certain
12862 			valid octal bitlabels. [RT #2483]
12863 
12864 1210.	[bug]		libbind: getnameinfo() failed to lookup IPv4 mapped /
12865 			compatible addresses. [RT #2461]
12866 
12867 1209.	[bug]		Dig, host, nslookup were not checking the message ids
12868 			on the responses. [RT #2454]
12869 
12870 1208.	[bug]		dns_master_load*() failed to log a error message if
12871 			an error was detected when parsing the owner name of
12872 			a record.  [RT #2448]
12873 
12874 1207.	[bug]		libbind: getaddrinfo() could call freeaddrinfo() with
12875 			an invalid pointer.
12876 
12877 1206.	[bug]		SERVFAIL and NOTIMP responses to an EDNS query should
12878 			trigger a non-EDNS retry.
12879 
12880 1205.	[bug]		OPT, TSIG and TKEY cannot be used to set the "class"
12881 			of the message. [RT #2449]
12882 
12883 1204.	[bug]		libbind: res_nupdate() failed to update the name
12884 			server addresses before sending the update.
12885 
12886 1203.	[func]		Report locations of previous acl and zone definitions
12887 			when a duplicate is detected.
12888 
12889 1202.	[func]		New functions: cfg_obj_line() and cfg_obj_file().
12890 
12891 1201.	[bug]		Require that if 'callbacks' is passed to
12892 			dns_rdata_fromtext(), callbacks->error and
12893 			callbacks->warn are initialized.
12894 
12895 1200.	[bug]		Log 'errno' that we are unable to convert to
12896 			isc_result_t. [RT #2404]
12897 
12898 1199.	[doc]		ARM reference to RFC 2157 should have been RFC 1918.
12899 			[RT #2436]
12900 
12901 1198.	[bug]		OPT printing style was not consistent with the way the
12902 			header fields are printed.  The DO bit was not reported
12903 			if set.  Report if any of the MBZ bits are set.
12904 
12905 1197.	[bug]		Attempts to define the same acl multiple times were not
12906 			detected.
12907 
12908 1196.	[contrib]	update mdnkit to 2.2.3.
12909 
12910 1195.	[bug]		Attempts to redefine builtin acls should be caught.
12911 			[RT #2403]
12912 
12913 1194.	[bug]		Not all duplicate zone definitions were being detected
12914 			at the named.conf checking stage. [RT #2431]
12915 
12916 1193.	[bug]		dig +besteffort parsing didn't handle packet
12917 			truncation.  dns_message_parse() has new flag
12918 			DNS_MESSAGE_IGNORETRUNCATION.
12919 
12920 1192.	[bug]		The seconds fields in LOC records were restricted
12921 			to three decimal places.  More decimal places should
12922 			be allowed but warned about.
12923 
12924 1191.	[bug]		A dynamic update removing the last non-apex name in
12925 			a secure zone would fail. [RT #2399]
12926 
12927 1190.	[func]		Add the "rndc freeze" and "rndc unfreeze" commands.
12928 			[RT #2394]
12929 
12930 1189.	[bug]		On some systems, malloc(0) returns NULL, which
12931 			could cause the caller to report an out of memory
12932 			error. [RT #2398]
12933 
12934 1188.	[bug]		Dynamic updates of a signed zone would fail if
12935 			some of the zone private keys were unavailable.
12936 
12937 1187.	[bug]		named was incorrectly returning DNSSEC records
12938 			in negative responses when the DO bit was not set.
12939 
12940 1186.	[bug]		isc_hex_tobuffer(,,length = 0) failed to unget the
12941 			EOL token when reading to end of line.
12942 
12943 1185.	[bug]		libbind: don't assume statp->_u._ext.ext is valid
12944 			unless RES_INIT is set when calling res_*init().
12945 
12946 1184.	[bug]		libbind: call res_ndestroy() if RES_INIT is set
12947 			when res_*init() is called.
12948 
12949 1183.	[bug]		Handle ENOSR error when writing to the internal
12950 			control pipe. [RT #2395]
12951 
12952 1182.	[bug]		The server could throw an assertion failure when
12953 			constructing a negative response packet.