"Fossies" - the Fresh Open Source Software Archive

Member "bind-9.16.21/CHANGES" (7 Sep 2021, 650672 Bytes) of package /linux/misc/dns/bind9/9.16.21/bind-9.16.21.tar.xz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers.

    1 	--- 9.16.21 released ---
    2 
    3 5711.	[bug]		"map" files exceeding 2GB in size failed to load due to
    4 			a size comparison that incorrectly treated the file size
    5 			as a signed integer. [GL #2878]
    6 
    7 5710.	[port]		win32: incorrect parentheses resulted in the wrong
    8 			sizeof() tests being used to pick the appropriate
    9 			Windows atomic operations for the object's size.
   10 			[GL #2891]
   11 
   12 5709.	[cleanup]	Enum values throughout the code have been updated
   13 			to use the terms "primary" and "secondary" instead of
   14 			"master" and "slave", respectively. [GL #1944]
   15 
   16 5708.	[bug]		The thread-local isc_tid_v variable was not properly
   17 			initialized when running BIND 9 as a Windows Service,
   18 			leading to a crash on startup. [GL #2837]
   19 
   20 5705.	[bug]		Change #5686 altered the internal memory structure of
   21 			zone databases, but neglected to update the MAPAPI value
   22 			for zone files in "map" format. This caused named to
   23 			attempt to load incompatible map files, triggering an
   24 			assertion failure on startup. The MAPAPI value has now
   25 			been updated, so named rejects outdated files when
   26 			encountering them. [GL #2872]
   27 
   28 5704.	[bug]		Change #5317 caused the EDNS TCP Keepalive option to be
   29 			ignored inadvertently in client requests. It has now
   30 			been fixed and this option is handled properly again.
   31 			[GL #1927]
   32 
   33 5701.	[bug]		named-checkconf failed to detect syntactically invalid
   34 			values of the "key" and "tls" parameters used to define
   35 			members of remote server lists. [GL #2461]
   36 
   37 5700.	[bug]		When a member zone was removed from a catalog zone,
   38 			journal files for the former were not deleted.
   39 			[GL #2842]
   40 
   41 5699.	[func]		Data structures holding DNSSEC signing statistics are
   42 			now grown and shrunk as necessary upon key rollover
   43 			events. [GL #1721]
   44 
   45 5698.	[bug]		When a DNSSEC-signed zone which only has a single
   46 			signing key available is migrated to use KASP, that key
   47 			is now treated as a Combined Signing Key (CSK).
   48 			[GL #2857]
   49 
   50 5696.	[protocol]	Support for HTTPS and SVCB record types has been added.
   51 			(This does not include ADDITIONAL section processing for
   52 			these record types, only basic support for RR type
   53 			parsing and printing.) [GL #1132]
   54 
   55 5694.	[bug]		Stale data in the cache could cause named to send
   56 			non-minimized queries despite QNAME minimization being
   57 			enabled. [GL #2665]
   58 
   59 5691.	[bug]		When a dynamic zone was made available in another view
   60 			using the "in-view" statement, running "rndc freeze"
   61 			always reported an "already frozen" error even though
   62 			the zone was successfully frozen. [GL #2844]
   63 
   64 5690.	[func]		dnssec-signzone now honors Predecessor and Successor
   65 			metadata found in private key files: if a signature for
   66 			an RRset generated by the inactive predecessor exists
   67 			and does not need to be replaced, no additional
   68 			signature is now created for that RRset using the
   69 			successor key. This enables dnssec-signzone to gradually
   70 			replace RRSIGs during a ZSK rollover. [GL #1551]
   71 
   72 	--- 9.16.20 released ---
   73 
   74 5689.	[security]	An assertion failure occurred when named attempted to
   75 			send a UDP packet that exceeded the MTU size, if
   76 			Response Rate Limiting (RRL) was enabled.
   77 			(CVE-2021-25218) [GL #2856]
   78 
   79 5688.	[bug]		Zones using KASP and inline-signed zones failed to apply
   80 			changes from the unsigned zone to the signed zone under
   81 			certain circumstances. This has been fixed. [GL #2735]
   82 
   83 5687.	[bug]		"rndc reload <zonename>" could trigger a redundant
   84 			reload for an inline-signed zone whose zone file was not
   85 			modified since the last "rndc reload". This has been
   86 			fixed. [GL #2855]
   87 
   88 5686.	[func]		The number of internal data structures allocated for
   89 			each zone was reduced. [GL #2829]
   90 
   91 5685.	[bug]		named failed to check the opcode of responses when
   92 			performing zone refreshes, stub zone updates, and UPDATE
   93 			forwarding. This has been fixed. [GL #2762]
   94 
   95 5682.	[bug]		Some changes to "zone-statistics" settings were not
   96 			properly processed by "rndc reconfig". This has been
   97 			fixed. [GL #2820]
   98 
   99 5681.	[func]		Relax the checks in the dns_zone_cdscheck() function to
  100 			allow CDS and CDNSKEY records in the zone that do not
  101 			match an existing DNSKEY record, as long as the
  102 			algorithm matches. This allows a clean rollover from one
  103 			provider to another in a multi-signer DNSSEC
  104 			configuration. [GL #2710]
  105 
  106 5679.	[func]		Thread affinity is no longer set. [GL #2822]
  107 
  108 5678.	[bug]		The "check DS" code failed to release all resources upon
  109 			named shutdown when a refresh was in progress. This has
  110 			been fixed. [GL #2811]
  111 
  112 5672.	[bug]		Authentication of rndc messages could fail if a
  113 			"controls" statement was configured with multiple key
  114 			algorithms for the same listener. This has been fixed.
  115 			[GL #2756]
  116 
  117 	--- 9.16.19 released ---
  118 
  119 5671.	[bug]		A race condition could occur where two threads were
  120 			competing for the same set of key file locks, leading to
  121 			a deadlock. This has been fixed. [GL #2786]
  122 
  123 5670.	[bug]		create_keydata() created an invalid placeholder keydata
  124 			record upon a refresh failure, which prevented the
  125 			database of managed keys from subsequently being read
  126 			back. This has been fixed. [GL #2686]
  127 
  128 5669.	[func]		KASP support was extended with the "check DS" feature.
  129 			Zones with "dnssec-policy" and "parental-agents"
  130 			configured now check for DS presence and can perform
  131 			automatic KSK rollovers. [GL #1126]
  132 
  133 5668.	[bug]		Rescheduling a setnsec3param() task when a zone failed
  134 			to load on startup caused a hang on shutdown. This has
  135 			been fixed. [GL #2791]
  136 
  137 5667.	[bug]		The configuration-checking code failed to account for
  138 			the inheritance rules of the "dnssec-policy" option.
  139 			This has been fixed. [GL #2780]
  140 
  141 5666.	[doc]		The safe "edns-udp-size" value was tweaked to match the
  142 			probing value from BIND 9.16 for better compatibility.
  143 			[GL #2183]
  144 
  145 5665.	[bug]		If nsupdate sends an SOA request and receives a REFUSED
  146 			response, it now fails over to the next available
  147 			server. [GL #2758]
  148 
  149 5664.	[func]		For UDP messages larger than the path MTU, named now
  150 			sends an empty response with the TC (TrunCated) bit set.
  151 			In addition, setting the DF (Don't Fragment) flag on
  152 			outgoing UDP sockets was re-enabled. [GL #2790]
  153 
  154 5662.	[bug]		Views with recursion disabled are now configured with a
  155 			default cache size of 2 MB unless "max-cache-size" is
  156 			explicitly set. This prevents cache RBT hash tables from
  157 			being needlessly preallocated for such views. [GL #2777]
  158 
  159 5661.	[bug]		Change 5644 inadvertently introduced a deadlock: when
  160 			locking the key file mutex for each zone structure in a
  161 			different view, the "in-view" logic was not considered.
  162 			This has been fixed. [GL #2783]
  163 
  164 5658.	[bug]		Increasing "max-cache-size" for a running named instance
  165 			(using "rndc reconfig") did not cause the hash tables
  166 			used by cache databases to be grown accordingly. This
  167 			has been fixed. [GL #2770]
  168 
  169 5655.	[bug]		Signed, insecure delegation responses prepared by named
  170 			either lacked the necessary NSEC records or contained
  171 			duplicate NSEC records when both wildcard expansion and
  172 			CNAME chaining were required to prepare the response.
  173 			This has been fixed. [GL #2759]
  174 
  175 5653.	[bug]		A bug that caused the NSEC3 salt to be changed on every
  176 			restart for zones using KASP has been fixed. [GL #2725]
  177 
  178 	--- 9.16.18 released ---
  179 
  180 5660.	[bug]		The configuration-checking code failed to account for
  181 			the inheritance rules of the "key-directory" option.
  182 			[GL #2778]
  183 
  184 5659.	[bug]		When preparing DNS responses, named could replace the
  185 			letters 'W' (uppercase) and 'w' (lowercase) with '\000'.
  186 			This has been fixed. [GL #2779]
  187 
  188 	--- 9.16.17 released ---
  189 
  190 5652.	[bug]		A copy-and-paste error in change 5584 caused the
  191 			IP_DONTFRAG socket option to be enabled instead of
  192 			disabled. This has been fixed. [GL #2746]
  193 
  194 5651.	[func]		Refactor zone dumping to be processed asynchronously via
  195 			the uv_work_t thread pool API. [GL #2732]
  196 
  197 5650.	[bug]		Prevent a crash that could occur if serve-stale was
  198 			enabled and a prefetch was triggered during a query
  199 			restart. [GL #2733]
  200 
  201 5649.	[bug]		If a query was answered with stale data on a server with
  202 			DNS64 enabled, an assertion could occur if a non-stale
  203 			answer arrived afterward. [GL #2731]
  204 
  205 5648.	[bug]		The calculation of the estimated IXFR transaction size
  206 			in dns_journal_iter_init() was invalid. [GL #2685]
  207 
  208 5644.	[bug]		Fix a race condition in reading and writing key files
  209 			for zones using KASP and configured in multiple views.
  210 			[GL #1875]
  211 
  212 5643.	[cleanup]	"make install" no longer creates an empty
  213 			${localstatedir}/run directory. [GL #2709]
  214 
  215 5642.	[bug]		Zones which are configured in multiple views with
  216 			different values set for "dnssec-policy" and with
  217 			identical values set for "key-directory" are now
  218 			detected and treated as a configuration error.
  219 			[GL #2463]
  220 
  221 5641.	[bug]		Address a potential memory leak in
  222 			dst_key_fromnamedfile(). [GL #2689]
  223 
  224 5639.	[bug]		Check that the first and last SOA record of an AXFR are
  225 			consistent. [GL #2528]
  226 
  227 5638.	[bug]		Improvements related to network manager/task manager
  228 			integration:
  229 			- isc_managers_create() and isc_managers_destroy()
  230 			  functions were added to handle setup and teardown of
  231 			  netmgr, taskmgr, timermgr, and socketmgr, since these
  232 			  require a precise order of operations now.
  233 			- Event queue processing is now quantized to prevent
  234 			  infinite looping.
  235 			- The netmgr can now be paused from within a netmgr
  236 			  thread.
  237 			- Deadlocks due to a conflict between netmgr's
  238 			  pause/resume and listen/stoplistening operations were
  239 			  fixed.
  240 			[GL #2654]
  241 
  242 5633.	[doc]		The "inline-signing" option was incorrectly described as
  243 			being inherited from the "options"/"view" levels and was
  244 			incorrectly accepted at those levels without effect.
  245 			This has been fixed. [GL #2536]
  246 
  247 5624.	[func]		Task manager events are now processed inside network
  248 			manager loops. The task manager no longer needs its own
  249 			set of worker threads, which improves resolver
  250 			performance. [GL #2638]
  251 
  252 	--- 9.16.16 released ---
  253 
  254 5637.	[func]		Change the default value of the "max-ixfr-ratio" option
  255 			to "unlimited". [GL #2671]
  256 
  257 5636.	[bug]		named and named-checkconf did not report an error when
  258 			multiple zones with the "dnssec-policy" option set were
  259 			using the same zone file. This has been fixed.
  260 			[GL #2603]
  261 
  262 5635.	[bug]		Journal compaction could fail when a journal with
  263 			invalid transaction headers was not detected at startup.
  264 			This has been fixed. [GL #2670]
  265 
  266 5634.	[bug]		If "dnssec-policy" was active and a private key file was
  267 			temporarily offline during a rekey event, named could
  268 			incorrectly introduce replacement keys and break a
  269 			signed zone. This has been fixed. [GL #2596]
  270 
  271 5633.	[doc]		The "inline-signing" option was incorrectly described as
  272 			being inherited from the "options"/"view" levels and was
  273 			incorrectly accepted at those levels without effect.
  274 			This has been fixed. [GL #2536]
  275 
  276 5632.	[func]		Add a new built-in KASP, "insecure", which is used to
  277 			transition a zone from a signed to an unsigned state.
  278 			The existing built-in KASP "none" should no longer be
  279 			used to unsign a zone. [GL #2645]
  280 
  281 5631.	[protocol]	Update the implementation of the ZONEMD RR type to match
  282 			RFC 8976. [GL #2658]
  283 
  284 5630.	[func]		Treat DNSSEC responses containing NSEC3 records with
  285 			iteration counts greater than 150 as insecure.
  286 			[GL #2445]
  287 
  288 5629.	[func]		Reduce the maximum supported number of NSEC3 iterations
  289 			that can be configured for a zone to 150. [GL #2642]
  290 
  291 5627.	[bug]		RRSIG(SOA) RRsets placed anywhere other than at the zone
  292 			apex were triggering infinite resigning loops. This has
  293 			been fixed. [GL #2650]
  294 
  295 5626.	[bug]		When generating zone signing keys, KASP now also checks
  296 			for key ID conflicts among newly created keys, rather
  297 			than just between new and existing ones. [GL #2628]
  298 
  299 5625.	[bug]		A deadlock could occur when multiple "rndc addzone",
  300 			"rndc delzone", and/or "rndc modzone" commands were
  301 			invoked simultaneously for different zones. This has
  302 			been fixed. [GL #2626]
  303 
  304 5622.	[cleanup]	The lib/samples/ directory has been removed, as export
  305 			versions of libraries are no longer maintained.
  306 			[GL !4835]
  307 
  308 5619.	[protocol]	Implement draft-vandijk-dnsop-nsec-ttl, updating the
  309 			protocol such that NSEC(3) TTL values are set to the
  310 			minimum of the SOA MINIMUM value or the SOA TTL.
  311 			[GL #2347]
  312 
  313 5618.	[bug]		Change 5149 introduced some inconsistencies in the way
  314 			record TTLs were presented in cache dumps. These
  315 			inconsistencies have been eliminated. [GL #389]
  316 			[GL #2289]
  317 
  318 	--- 9.16.15 released ---
  319 
  320 5621.	[bug]		Due to a backporting mistake in change 5609, named
  321 			binaries built against a Kerberos/GSSAPI library whose
  322 			header files did not define the GSS_SPNEGO_MECHANISM
  323 			preprocessor macro were not able to start if their
  324 			configuration included the "tkey-gssapi-credential"
  325 			option. This has been fixed. [GL #2634]
  326 
  327 5620.	[bug]		If zone journal files written by BIND 9.16.11 or earlier
  328 			were present when BIND was upgraded, the zone file for
  329 			that zone could have been inadvertently rewritten with
  330 			the current zone contents. This caused the original zone
  331 			file structure (e.g. comments, $INCLUDE directives) to
  332 			be lost, although the zone data itself was preserved.
  333 			This has been fixed. [GL #2623]
  334 
  335 	--- 9.16.14 released ---
  336 
  337 5617.	[security]	A specially crafted GSS-TSIG query could cause a buffer
  338 			overflow in the ISC implementation of SPNEGO.
  339 			(CVE-2021-25216) [GL #2604]
  340 
  341 5616.	[security]	named crashed when a DNAME record placed in the ANSWER
  342 			section during DNAME chasing turned out to be the final
  343 			answer to a client query. (CVE-2021-25215) [GL #2540]
  344 
  345 5615.	[security]	Insufficient IXFR checks could result in named serving a
  346 			zone without an SOA record at the apex, leading to a
  347 			RUNTIME_CHECK assertion failure when the zone was
  348 			subsequently refreshed. This has been fixed by adding an
  349 			owner name check for all SOA records which are included
  350 			in a zone transfer. (CVE-2021-25214) [GL #2467]
  351 
  352 5614.	[bug]		Ensure all resources are properly cleaned up when a call
  353 			to gss_accept_sec_context() fails. [GL #2620]
  354 
  355 5613.	[bug]		It was possible to write an invalid transaction header
  356 			in the journal file for a managed-keys database after
  357 			upgrading. This has been fixed. Invalid headers in
  358 			existing journal files are detected and named is able
  359 			to recover from them. [GL #2600]
  360 
  361 5611.	[func]		Set "stale-answer-client-timeout" to "off" by default.
  362 			[GL #2608]
  363 
  364 5610.	[bug]		Prevent a crash which could happen when a lookup
  365 			triggered by "stale-answer-client-timeout" was attempted
  366 			right after recursion for a client query finished.
  367 			[GL #2594]
  368 
  369 5609.	[func]		The ISC implementation of SPNEGO was removed from BIND 9
  370 			source code. It was no longer necessary as all major
  371 			contemporary Kerberos/GSSAPI libraries include support
  372 			for SPNEGO. [GL #2607]
  373 
  374 5608.	[bug]		When sending queries over TCP, dig now properly handles
  375 			"+tries=1 +retry=0" by not retrying the connection when
  376 			the remote server closes the connection prematurely.
  377 			[GL #2490]
  378 
  379 5607.	[bug]		As "rndc dnssec -checkds" and "rndc dnssec -rollover"
  380 			commands may affect the next scheduled key event,
  381 			reconfiguration of zone keys is now triggered after
  382 			receiving either of these commands to prevent
  383 			unnecessary key rollover delays. [GL #2488]
  384 
  385 5606.	[bug]		CDS/CDNSKEY DELETE records are now removed when a zone
  386 			transitions from a secure to an insecure state.
  387 			named-checkzone also no longer reports an error when
  388 			such records are found in an unsigned zone. [GL #2517]
  389 
  390 5605.	[bug]		"dig -u" now uses the CLOCK_REALTIME clock source for
  391 			more accurate time reporting. [GL #2592]
  392 
  393 5603.	[bug]		Fix a memory leak that occurred when named failed to
  394 			bind a UDP socket to a network interface. [GL #2575]
  395 
  396 5602.	[bug]		Fix TCPDNS and TLSDNS timers in Network Manager. This
  397 			makes the "tcp-initial-timeout" and "tcp-idle-timeout"
  398 			options work correctly again. [GL #2583]
  399 
  400 5601.	[bug]		Zones using KASP could not be thawed after they were
  401 			frozen using "rndc freeze". This has been fixed.
  402 			[GL #2523]
  403 
  404 	--- 9.16.13 released ---
  405 
  406 5597.	[bug]		When serve-stale was enabled and starting the recursive
  407 			resolution process for a query failed, a named instance
  408 			could crash if it was configured as both a recursive and
  409 			authoritative server. This problem was introduced by
  410 			change 5573 and has now been fixed. [GL #2565]
  411 
  412 5595.	[cleanup]	Public header files for BIND 9 libraries no longer
  413 			directly include third-party library headers. This
  414 			prevents the need to include paths to third-party header
  415 			files in CFLAGS whenever BIND 9 public header files are
  416 			used, which could cause build-time issues on hosts with
  417 			older versions of BIND 9 installed. [GL #2357]
  418 
  419 5594.	[bug]		Building with --enable-dnsrps --enable-dnsrps-dl failed.
  420 			[GL #2298]
  421 
  422 5593.	[bug]		Journal files written by older versions of named can now
  423 			be read when loading zones, so that journal
  424 			incompatibility does not cause problems on upgrade.
  425 			Outdated journals are updated to the new format after
  426 			loading. [GL #2505]
  427 
  428 5592.	[bug]		Prevent hazard pointer table overflows on machines with
  429 			many cores, by allowing the thread IDs (serving as
  430 			indices into hazard pointer tables) of finished threads
  431 			to be reused by those created later. [GL #2396]
  432 
  433 5591.	[bug]		Fix a crash that occurred when
  434 			"stale-answer-client-timeout" was triggered without any
  435 			(stale) data available in the cache to answer the query.
  436 			[GL #2503]
  437 
  438 5590.	[bug]		NSEC3 records were not immediately created for dynamic
  439 			zones using NSEC3 with "dnssec-policy", resulting in
  440 			such zones going bogus. Add code to process the
  441 			NSEC3PARAM queue at zone load time so that NSEC3 records
  442 			for such zones are created immediately. [GL #2498]
  443 
  444 5588.	[func]		Add a new "purge-keys" option for "dnssec-policy". This
  445 			option determines the period of time for which key files
  446 			are retained after they become obsolete. [GL #2408]
  447 
  448 5586.	[bug]		An invalid direction field in a LOC record resulted in
  449 			an INSIST failure when a zone file containing such a
  450 			record was loaded. [GL #2499]
  451 
  452 5584.	[bug]		No longer set the IP_DONTFRAG option on UDP sockets, to
  453 			prevent dropping outgoing packets exceeding
  454 			"max-udp-size". [GL #2466]
  455 
  456 5582.	[bug]		BIND 9 failed to build when static OpenSSL libraries
  457 			were used and the pkg-config files for libssl and/or
  458 			libcrypto were unavailable. This has been fixed by
  459 			ensuring that the correct linking order for libssl and
  460 			libcrypto is always used. [GL #2402]
  461 
  462 5581.	[bug]		Fix a memory leak that occurred when inline-signed zones
  463 			were added to the configuration, followed by a
  464 			reconfiguration of named. [GL #2041]
  465 
  466 5580.	[test]		The system test framework no longer differentiates
  467 			between SKIPPED and UNTESTED system test results. Any
  468 			system test which is not run is now marked as SKIPPED.
  469 			[GL !4517]
  470 
  471 5573.	[func]		When serve-stale is enabled and stale data is available,
  472 			named now returns stale answers upon encountering any
  473 			unexpected error in the query resolution process.
  474 			However, the "stale-refresh-time" window is still only
  475 			started upon a timeout. [GL #2434]
  476 
  477 5564.	[cleanup]	Network manager's TLSDNS module was refactored to use
  478 			libuv and libssl directly instead of a stack of TCP/TLS
  479 			sockets. [GL #2335]
  480 
  481 	--- 9.16.12 released ---
  482 
  483 5578.	[protocol]	Make "check-names" accept A records below "_spf",
  484 			"_spf_rate", and "_spf_verify" labels in order to cater
  485 			for the "exists" SPF mechanism specified in RFC 7208
  486 			section 5.7 and appendix D.1. [GL #2377]
  487 
  488 5577.	[bug]		Fix the "three is a crowd" key rollover bug in KASP by
  489 			correctly implementing Equation (2) of the "Flexible and
  490 			Robust Key Rollover" paper. [GL #2375]
  491 
  492 5575.	[bug]		When migrating to KASP, BIND 9 considered keys with the
  493 			"Inactive" and/or "Delete" timing metadata to be
  494 			possible active keys. This has been fixed. [GL #2406]
  495 
  496 5572.	[bug]		Address potential double free in generatexml().
  497 			[GL #2420]
  498 
  499 5571.	[bug]		named failed to start when its configuration included a
  500 			zone with a non-builtin "allow-update" ACL attached.
  501 			[GL #2413]
  502 
  503 5570.	[bug]		Improve performance of the DNSSEC verification code by
  504 			reducing the number of repeated calls to
  505 			dns_dnssec_keyfromrdata(). [GL #2073]
  506 
  507 5569.	[bug]		Emit useful error message when "rndc retransfer" is
  508 			applied to a zone of inappropriate type. [GL #2342]
  509 
  510 5568.	[bug]		Fixed a crash in "dnssec-keyfromlabel" when using ECDSA
  511 			keys. [GL #2178]
  512 
  513 5567.	[bug]		Dig now reports unknown dash options while pre-parsing
  514 			the options. This prevents "-multi" instead of "+multi"
  515 			from reporting memory usage before ending option parsing
  516 			with "Invalid option: -lti". [GL #2403]
  517 
  518 5566.	[func]		Add "stale-answer-client-timeout" option, which is the
  519 			amount of time a recursive resolver waits before
  520 			attempting to answer the query using stale data from
  521 			cache. [GL #2247]
  522 
  523 5565.	[func]		The SONAMEs for BIND 9 libraries now include the current
  524 			BIND 9 version number, in an effort to tightly couple
  525 			internal libraries with a specific release. [GL #2387]
  526 
  527 5562.	[security]	Fix off-by-one bug in ISC SPNEGO implementation.
  528 			(CVE-2020-8625) [GL #2354]
  529 
  530 5561.	[bug]		KASP incorrectly set signature validity to the value of
  531 			the DNSKEY signature validity. This is now fixed.
  532 			[GL #2383]
  533 
  534 5560.	[func]		The default value of "max-stale-ttl" has been changed
  535 			from 12 hours to 1 day and the default value of
  536 			"stale-answer-ttl" has been changed from 1 second to 30
  537 			seconds, following RFC 8767 recommendations. [GL #2248]
  538 
  539 5456.	[func]		Added "primaries" as a synonym for "masters" in
  540 			named.conf, and "primary-only" as a synonym for
  541 			"master-only" in the parameters to "notify", to bring
  542 			terminology up-to-date with RFC 8499. [GL #1948]
  543 
  544 5362.	[func]		Limit the size of IXFR responses so that AXFR will
  545 			be used instead if it would be smaller. This is
  546 			controlled by the "max-ixfr-ratio" option, which
  547 			is a percentage representing the ratio of IXFR size
  548 			to the size of the entire zone. This value cannot
  549 			exceed 100%, which is the default. [GL #1515]
  550 
  551 	--- 9.16.11 released ---
  552 
  553 5559.	[bug]		The --with-maxminddb=PATH form of the build-time option
  554 			enabling support for libmaxminddb was not working
  555 			correctly. This has been fixed. [GL #2366]
  556 
  557 5557.	[bug]		Prevent RBTDB instances from being destroyed by multiple
  558 			threads at the same time. [GL #2317]
  559 
  560 5556.	[bug]		Further tweak newline printing in dnssec-signzone and
  561 			dnssec-verify. [GL #2359]
  562 
  563 5555.	[bug]		server->reload_status was not properly initialized.
  564 			[GL #2361]
  565 
  566 5554.	[bug]		dnssec-signzone and dnssec-verify were missing newlines
  567 			between log messages. [GL #2359]
  568 
  569 5553.	[bug]		When reconfiguring named, removing "auto-dnssec" did not
  570 			turn off DNSSEC maintenance. [GL #2341]
  571 
  572 5552.	[func]		When switching to "dnssec-policy none;", named now
  573 			permits a safe transition to insecure mode and publishes
  574 			the CDS and CDNSKEY DELETE records, as described in RFC
  575 			8078. [GL #1750]
  576 
  577 5551.	[bug]		named no longer attempts to assign threads to CPUs
  578 			outside the CPU affinity set. Thanks to Ole Bjørn
  579 			Hessen. [GL #2245]
  580 
  581 5550.	[func]		dnssec-signzone and named now log a warning when falling
  582 			back to the "increment" SOA serial method. [GL #2058]
  583 
  584 5545.	[func]		OS support for load-balanced sockets is no longer
  585 			required to receive incoming queries in multiple netmgr
  586 			threads. [GL #2137]
  587 
  588 5543.	[bug]		Fix UDP performance issues caused by making netmgr
  589 			callbacks asynchronous-only. [GL #2320]
  590 
  591 5542.	[bug]		Refactor netmgr. [GL #1920] [GL #2034] [GL #2061]
  592 			[GL #2194] [GL #2221] [GL #2266] [GL #2283] [GL #2318]
  593 			[GL #2321]
  594 
  595 	--- 9.16.10 released ---
  596 
  597 5544.	[func]		Restore the default value of "nocookie-udp-size" to 4096
  598 			bytes. [GL #2250]
  599 
  600 5541.	[func]		Adjust the "max-recursion-queries" default from 75 to
  601 			100. [GL #2305]
  602 
  603 5540.	[port]		Fix building with native PKCS#11 support for AEP Keyper.
  604 			[GL #2315]
  605 
  606 5539.	[bug]		Tighten handling of missing DNS COOKIE responses over
  607 			UDP by falling back to TCP. [GL #2275]
  608 
  609 5538.	[func]		Add NSEC3 support to KASP. A new option for
  610 			"dnssec-policy", "nsec3param", can be used to set the
  611 			desired NSEC3 parameters. NSEC3 salt collisions are
  612 			automatically prevented during resalting. Salt
  613 			generation is now logged with zone context. [GL #1620]
  614 
  615 5534.	[bug]		The CNAME synthesized from a DNAME was incorrectly
  616 			followed when the QTYPE was CNAME or ANY. [GL #2280]
  617 
  618 	--- 9.16.9 released ---
  619 
  620 5533.	[func]		Add the "stale-refresh-time" option, a time window that
  621 			starts after a failed lookup, during which a stale RRset
  622 			is served directly from cache before a new attempt to
  623 			refresh it is made. [GL #2066]
  624 
  625 5530.	[bug]		dnstap did not capture responses to forwarded UPDATE
  626 			requests. [GL #2252]
  627 
  628 5527.	[bug]		A NULL pointer dereference occurred when creating an NTA
  629 			recheck query failed. [GL #2244]
  630 
  631 5525.	[bug]		Change 5503 inadvertently broke cross-compilation by
  632 			replacing a call to AC_LINK_IFELSE() with a call to
  633 			AC_RUN_IFELSE() in configure.ac.  This has been fixed,
  634 			making cross-compilation possible again. [GL #2237]
  635 
  636 5523.	[bug]		The initial lookup in a zone transitioning to/from a
  637 			signed state could fail if the DNSKEY RRset was not
  638 			found. [GL #2236]
  639 
  640 5522.	[bug]		Fixed a race/NULL dereference in TCPDNS send. [GL #2227]
  641 
  642 5520.	[bug]		Fixed a number of shutdown races, reference counting
  643 			errors, and spurious log messages that could occur
  644 			in the network manager. [GL #2221]
  645 
  646 5518.	[bug]		Stub zones now work correctly with primary servers using
  647 			"minimal-responses yes". [GL #1736]
  648 
  649 5517.	[bug]		Do not treat UV_EOF as a TCP4RecvErr or a TCP6RecvErr.
  650 			[GL #2208]
  651 
  652 	--- 9.16.8 released ---
  653 
  654 5516.	[func]		The default EDNS buffer size has been changed from 4096
  655 			to 1232 bytes. [GL #2183]
  656 
  657 5515.	[func]		Add 'rndc dnssec -rollover' command to trigger a manual
  658 			rollover for a specific key. [GL #1749]
  659 
  660 5514.	[bug]		Fix KASP expected key size for Ed25519 and Ed448.
  661 			[GL #2171]
  662 
  663 5513.	[doc]		The ARM section describing the "rrset-order" statement
  664 			was rewritten to make it unambiguous and up-to-date with
  665 			the source code. [GL #2139]
  666 
  667 5512.	[bug]		"rrset-order" rules using "order none" were causing
  668 			named to crash despite named-checkconf treating them as
  669 			valid. [GL #2139]
  670 
  671 5511.	[bug]		'dig -u +yaml' failed to display timestamps to the
  672 			microsecond. [GL #2190]
  673 
  674 5510.	[bug]		Implement the attach/detach semantics for dns_message_t
  675 			to fix a data race in accessing an already-destroyed
  676 			fctx->rmessage. [GL #2124]
  677 
  678 5509.	[bug]		filter-aaaa: named crashed upon shutdown if it was in
  679 			the process of recursing for A RRsets. [GL #1040]
  680 
  681 5508.	[func]		Added new parameter "-expired" for "rndc dumpdb" that
  682 			also prints expired RRsets (awaiting cleanup) to the
  683 			dump file. [GL #1870]
  684 
  685 5507.	[bug]		Named could compute incorrect SIG(0) responses.
  686 			[GL #2109]
  687 
  688 5506.	[bug]		Properly handle failed sysconf() calls, so we don't
  689 			report invalid memory size. [GL #2166]
  690 
  691 5505.	[bug]		Updating contents of a mixed-case RPZ could cause some
  692 			rules to be ignored. [GL #2169]
  693 
  694 5503.	[bug]		Cleaned up reference counting of network manager
  695 			handles, now using isc_nmhandle_attach() and _detach()
  696 			instead of _ref() and _unref(). [GL #2122]
  697 
  698 	--- 9.16.7 released ---
  699 
  700 5501.	[func]		Log CDS/CDNSKEY publication. [GL #1748]
  701 
  702 5500.	[bug]		Fix (non-)publication of CDS and CDNSKEY records.
  703 			[GL #2103]
  704 
  705 5499.	[func]		Add '-P ds' and '-D ds' arguments to dnssec-settime.
  706 			[GL #1748]
  707 
  708 5497.	[bug]		'dig +bufsize=0' failed to disable EDNS. [GL #2054]
  709 
  710 5496.	[bug]		Address a TSAN report by ensuring each rate limiter
  711 			object holds a reference to its task. [GL #2081]
  712 
  713 5495.	[bug]		With query minimization enabled, named failed to
  714 			resolve ip6.arpa. names that had extra labels to the
  715 			left of the IPv6 part. [GL #1847]
  716 
  717 5494.	[bug]		Silence the EPROTO syslog message on older systems.
  718 			[GL #1928]
  719 
  720 5493.	[bug]		Fix off-by-one error when calculating new hash table
  721 			size. [GL #2104]
  722 
  723 5492.	[bug]		Tighten LOC parsing to reject a period (".") and/or "m"
  724 			as a value. Fix handling of negative altitudes which are
  725 			not whole meters. [GL #2074]
  726 
  727 5491.	[bug]		rbtversion->glue_table_size could be read without the
  728 			appropriate lock being held. [GL #2080]
  729 
  730 5489.	[bug]		Named erroneously accepted certain invalid resource
  731 			records that were incorrectly processed after
  732 			subsequently being written to disk and loaded back, as
  733 			the wire format differed. Such records include: CERT,
  734 			IPSECKEY, NSEC3, NSEC3PARAM, NXT, SIG, TLSA, WKS, and
  735 			X25. [GL !3953]
  736 
  737 5488.	[bug]		NTA code needed to have a weak reference on its
  738 			associated view to prevent the latter from being deleted
  739 			while NTA tests were being performed. [GL #2067]
  740 
  741 5486.	[func]		Add 'rndc dnssec -checkds' command, which signals to
  742 			named that the DS record for a given zone or key has
  743 			been updated in the parent zone. [GL #1613]
  744 
  745 	--- 9.16.6 released ---
  746 
  747 5484.	[func]		Expire zero TTL records quickly rather than using them
  748 			for stale answers. [GL #1829]
  749 
  750 5483.	[func]		A new configuration option "stale-cache-enable" has been
  751 			introduced to enable or disable keeping stale answers in
  752 			cache. [GL #1712]
  753 
  754 5482.	[bug]		If the Duplicate Address Detection (DAD) mechanism had
  755 			not yet finished after adding a new IPv6 address to the
  756 			system, BIND 9 would fail to bind to IPv6 addresses in a
  757 			tentative state. [GL #2038]
  758 
  759 5481.	[security]	"update-policy" rules of type "subdomain" were
  760 			incorrectly treated as "zonesub" rules, which allowed
  761 			keys used in "subdomain" rules to update names outside
  762 			of the specified subdomains. The problem was fixed by
  763 			making sure "subdomain" rules are again processed as
  764 			described in the ARM. (CVE-2020-8624) [GL #2055]
  765 
  766 5480.	[security]	When BIND 9 was compiled with native PKCS#11 support, it
  767 			was possible to trigger an assertion failure in code
  768 			determining the number of bits in the PKCS#11 RSA public
  769 			key with a specially crafted packet. (CVE-2020-8623)
  770 			[GL #2037]
  771 
  772 5479.	[security]	named could crash in certain query resolution scenarios
  773 			where QNAME minimization and forwarding were both
  774 			enabled. (CVE-2020-8621) [GL #1997]
  775 
  776 5478.	[security]	It was possible to trigger an assertion failure by
  777 			sending a specially crafted large TCP DNS message.
  778 			(CVE-2020-8620) [GL #1996]
  779 
  780 5477.	[bug]		The idle timeout for connected TCP sockets, which was
  781 			previously set to a high fixed value, is now derived
  782 			from the client query processing timeout configured for
  783 			a resolver. [GL #2024]
  784 
  785 5476.	[security]	It was possible to trigger an assertion failure when
  786 			verifying the response to a TSIG-signed request.
  787 			(CVE-2020-8622) [GL #2028]
  788 
  789 5475.	[bug]		Wildcard RPZ passthru rules could incorrectly be
  790 			overridden by other rules that were loaded from RPZ
  791 			zones which appeared later in the "response-policy"
  792 			statement. This has been fixed. [GL #1619]
  793 
  794 5474.	[bug]		dns_rdata_hip_next() failed to return ISC_R_NOMORE
  795 			when it should have. [GL !3880]
  796 
  797 5473.	[func]		The RBT hash table implementation has been changed
  798 			to use a faster hash function (HalfSipHash2-4) and
  799 			Fibonacci hashing for better distribution. Setting
  800 			"max-cache-size" now preallocates a fixed-size hash
  801 			table so that rehashing does not cause resolution
  802 			brownouts while the hash table is grown. [GL #1775]
  803 
  804 5471.	[bug]		The introduction of KASP support inadvertently caused
  805 			the second field of "sig-validity-interval" to always be
  806 			calculated in hours, even in cases when it should have
  807 			been calculated in days. This has been fixed. (Thanks to
  808 			Tony Finch.) [GL !3735]
  809 
  810 5469.	[port]		On illumos, a constant called SEC is already defined in
  811 			<sys/time.h>, which conflicts with an identically named
  812 			constant in libbind9. This conflict has been resolved.
  813 			[GL #1993]
  814 
  815 5468.	[bug]		Addressed potential double unlock in process_fd().
  816 			[GL #2005]
  817 
  818 5466.	[bug]		Addressed an error in recursive clients stats reporting.
  819 			[GL #1719]
  820 
  821 5465.	[func]		Added fallback to built-in trust-anchors, managed-keys,
  822 			or trusted-keys if the bindkeys-file (bind.keys) cannot
  823 			be parsed. [GL #1235]
  824 
  825 5464.	[bug]		Requesting more than 128 files to be saved when rolling
  826 			dnstap log files caused a buffer overflow. This has been
  827 			fixed. [GL #1989]
  828 
  829 5462.	[bug]		Move LMDB locking from LMDB itself to named. [GL #1976]
  830 
  831 5461.	[bug]		The STALE rdataset header attribute was updated while
  832 			the write lock was not being held, leading to incorrect
  833 			statistics. The header attributes are now converted to
  834 			use atomic operations. [GL #1475]
  835 
  836 	--- 9.16.5 released ---
  837 
  838 5458.	[bug]		Prevent a theoretically possible NULL dereference caused
  839 			by a data race between zone_maintenance() and
  840 			dns_zone_setview_helper(). [GL #1627]
  841 
  842 5455.	[bug]		named could crash when cleaning dead nodes in
  843 			lib/dns/rbtdb.c that were being reused. [GL #1968]
  844 
  845 5454.	[bug]		Address a startup crash that occurred when the server
  846 			was under load and the root zone had not yet been
  847 			loaded. [GL #1862]
  848 
  849 5453.	[bug]		named crashed on shutdown when a new rndc connection was
  850 			received during shutdown. [GL #1747]
  851 
  852 5452.	[bug]		The "blackhole" ACL was accidentally disabled for client
  853 			queries. [GL #1936]
  854 
  855 5451.	[func]		Add 'rndc dnssec -status' command. [GL #1612]
  856 
  857 5449.	[bug]		Fix a socket shutdown race in netmgr udp. [GL #1938]
  858 
  859 5448.	[bug]		Fix a race condition in isc__nm_tcpdns_send().
  860 			[GL #1937]
  861 
  862 5447.	[bug]		IPv6 addresses ending in "::" could break YAML
  863 			parsing. A "0" is now appended to such addresses
  864 			in YAML output from dig, mdig, delv, and dnstap-read.
  865 			[GL #1952]
  866 
  867 5446.	[bug]		The validator could fail to accept a properly signed
  868 			RRset if an unsupported algorithm appeared earlier in
  869 			the DNSKEY RRset than a supported algorithm. It could
  870 			also stop if it detected a malformed public key.
  871 			[GL #1689]
  872 
  873 5444.	[bug]		'rndc dnstap -roll <value>' did not limit the number of
  874 			saved files to <value>. [GL !3728]
  875 
  876 5443.	[bug]		The "primary" and "secondary" keywords, when used
  877 			as parameters for "check-names", were not
  878 			processed correctly and were being ignored. [GL #1949]
  879 
  880 5441.	[bug]		${LMDB_CFLAGS} was missing from make/includes.in.
  881 			[GL #1955]
  882 
  883 5440.	[test]		Properly handle missing kyua. [GL #1950]
  884 
  885 5439.	[bug]		The DS RRset returned by dns_keynode_dsset() was used in
  886 			a non-thread-safe manner. [GL #1926]
  887 
  888 	--- 9.16.4 released ---
  889 
  890 5438.	[bug]		Fix a race in TCP accepting code. [GL #1930]
  891 
  892 5437.	[bug]		Fix a data race in lib/dns/resolver.c:log_formerr().
  893 			[GL #1808]
  894 
  895 5436.	[security]	It was possible to trigger an INSIST when determining
  896 			whether a record would fit into a TCP message buffer.
  897 			(CVE-2020-8618) [GL #1850]
  898 
  899 5435.	[tests]		Add RFC 4592 responses examples to the wildcard system
  900 			test. [GL #1718]
  901 
  902 5434.	[security]	It was possible to trigger an INSIST in
  903 			lib/dns/rbtdb.c:new_reference() with a particular zone
  904 			content and query patterns. (CVE-2020-8619) [GL #1111]
  905 			[GL #1718]
  906 
  907 5431.	[func]		Reject DS records at the zone apex when loading
  908 			master files. Log but otherwise ignore attempts to
  909 			add DS records at the zone apex via UPDATE. [GL #1798]
  910 
  911 5430.	[doc]		Update docs - with netmgr, a separate listening socket
  912 			is created for each IPv6 interface (just as with IPv4).
  913 			[GL #1782]
  914 
  915 5428.	[bug]		Clean up GSSAPI resources in nsupdate only after taskmgr
  916 			has been destroyed. Thanks to Petr Menšík. [GL !3316]
  917 
  918 5426.	[bug]		Don't abort() when setting SO_INCOMING_CPU on the socket
  919 			fails. [GL #1911]
  920 
  921 5425.	[func]		The default value of "max-stale-ttl" has been changed
  922 			from 1 week to 12 hours. [GL #1877]
  923 
  924 5424.	[bug]		With KASP, when creating a successor key, the "goal"
  925 			state of the current active key (predecessor) was not
  926 			changed and thus never removed from the zone. [GL #1846]
  927 
  928 5423.	[bug]		Fix a bug in keymgr_key_has_successor(): it incorrectly
  929 			returned true if any other key in the keyring had a
  930 			successor. [GL #1845]
  931 
  932 5422.	[bug]		When using dnssec-policy, print correct key timing
  933 			metadata. [GL #1843]
  934 
  935 5421.	[bug]		Fix a race that could cause named to crash when looking
  936 			up the nodename of an RBT node if the tree was modified.
  937 			[GL #1857]
  938 
  939 5420.	[bug]		Add missing isc_{mutex,conditional}_destroy() calls
  940 			that caused a memory leak on FreeBSD. [GL #1893]
  941 
  942 5418.	[bug]		delv failed to parse deprecated trusted-keys-style
  943 			trust anchors. [GL #1860]
  944 
  945 5416.	[bug]		Fix a lock order inversion in lib/isc/unix/socket.c.
  946 			[GL #1859]
  947 
  948 5415.	[test]		Address race in dnssec system test that led to
  949 			test failures. [GL #1852]
  950 
  951 5414.	[test]		Adjust time allowed for journal truncation to occur
  952 			in nsupdate system test to avoid test failure.
  953 			[GL #1855]
  954 
  955 5413.	[test]		Address race in autosign system test that led to
  956 			test failures. [GL #1852]
  957 
  958 5412.	[bug]		'provide-ixfr no;' failed to return up-to-date responses
  959 			when the serial was greater than or equal to the
  960 			current serial. [GL #1714]
  961 
  962 5411.	[cleanup]	TCP accept code has been refactored to use a single
  963 			accept() and pass the accepted socket to child threads
  964 			for processing. [GL !3320]
  965 
  966 5409.	[performance]	When looking up NSEC3 data in a zone database, skip the
  967 			check for empty non-terminal nodes; the NSEC3 tree does
  968 			not have any. [GL #1834]
  969 
  970 5408.	[protocol]	Print Extended DNS Errors if present in OPT record.
  971 			[GL #1835]
  972 
  973 5407.	[func]		Zone timers are now exported via statistics channel.
  974 			Thanks to Paul Frieden, Verizon Media. [GL #1232]
  975 
  976 5405.	[bug]		'named-checkconf -p' could include spurious text in
  977 			server-addresses statements due to an uninitialized DSCP
  978 			value. [GL #1812]
  979 
  980 	--- 9.16.3 released ---
  981 
  982 5404.	[bug]		'named-checkconf -z' could incorrectly indicate
  983 			success if errors were found in one view but not in a
  984 			subsequent one. [GL #1807]
  985 
  986 5403.	[func]		Do not set UDP receive/send buffer sizes - use system
  987 			defaults. [GL #1713]
  988 
  989 5402.	[bug]		On FreeBSD, use SO_REUSEPORT_LB instead of SO_REUSEPORT.
  990 			Enable use of SO_REUSEADDR on all platforms which
  991 			support it. [GL !3365]
  992 
  993 5401.	[bug]		The number of input queues allocated during dnstap
  994 			initialization was too low, which could prevent some
  995 			dnstap data from being logged. [GL #1795]
  996 
  997 5400.	[func]		Add engine support to OpenSSL EdDSA implementation.
  998 			[GL #1763]
  999 
 1000 5399.	[func]		Add engine support to OpenSSL ECDSA implementation.
 1001 			[GL #1534]
 1002 
 1003 5398.	[bug]		Named could fail to restart if a zone with a double
 1004 			quote (") in its name was added with 'rndc addzone'.
 1005 			[GL #1695]
 1006 
 1007 5397.	[func]		Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
 1008 			Thanks to Aaron Thompson. [GL !3326]
 1009 
 1010 5396.	[func]		When necessary (i.e. in libuv >= 1.37), use the
 1011 			UV_UDP_RECVMMSG flag to enable recvmmsg() support in
 1012 			libuv. [GL #1797]
 1013 
 1014 5395.	[security]	Further limit the number of queries that can be
 1015 			triggered from a request.  Root and TLD servers
 1016 			are no longer exempt from max-recursion-queries.
 1017 			Fetches for missing name server address records
 1018 			are limited to 4 for any domain. (CVE-2020-8616)
 1019 			[GL #1388]
 1020 
 1021 5394.	[cleanup]	Named formerly attempted to change the effective UID and
 1022 			GID in named_os_openfile(), which could trigger a
 1023 			spurious log message if they were already set to the
 1024 			desired values. This has been fixed. [GL #1042]
 1025 			[GL #1090]
 1026 
 1027 5392.	[bug]		It was possible for named to crash during shutdown
 1028 			or reconfiguration if an RPZ zone was still being
 1029 			updated. [GL #1779]
 1030 
 1031 5390.	[security]	Replaying a TSIG BADTIME response as a request could
 1032 			trigger an assertion failure. (CVE-2020-8617)
 1033 			[GL #1703]
 1034 
 1035 5389.	[bug]		Finish PKCS#11 code cleanup, fix a couple of smaller
 1036 			bugs and use PKCS#11 v3.0 EdDSA macros and constants.
 1037 			Thanks to Aaron Thompson. [GL !3391]
 1038 
 1039 5387.	[func]		Warn about AXFR streams with inconsistent message IDs.
 1040 			[GL #1674]
 1041 
 1042 5386.	[cleanup]	Address Coverity warnings in lib/dns/keymgr.c.
 1043 			[GL #1737]
 1044 
 1045 5385.	[func]		Make ISC rwlock implementation the default again.
 1046 			[GL #1753]
 1047 
 1048 5384.	[bug]		With "dnssec-policy" in effect, "inline-signing" was
 1049 			implicitly set to "yes". Now "inline-signing" is only
 1050 			set to "yes" if the zone is not dynamic. [GL #1709]
 1051 
 1052 	--- 9.16.2 released ---
 1053 
 1054 5383.	[func]		Add a quota attach function with a callback and clean up
 1055 			the isc_quota API. [GL !3280]
 1056 
 1057 5382.	[bug]		Use clock_gettime() instead of gettimeofday() for
 1058 			isc_stdtime() function. [GL #1679]
 1059 
 1060 5381.	[bug]		Fix logging API data race by adding rwlock and caching
 1061 			logging levels in stdatomic variables to restore
 1062 			performance to original levels. [GL #1675] [GL #1717]
 1063 
 1064 5380.	[contrib]	Fix building MySQL DLZ modules against MySQL 8
 1065 			libraries. [GL #1678]
 1066 
 1067 5378.	[bug]		Receiving invalid DNS data was triggering an assertion
 1068 			failure in nslookup. [GL #1652]
 1069 
 1070 5376.	[bug]		Fix ineffective DNS rebinding protection when BIND is
 1071 			configured as a forwarding DNS server. Thanks to Tobias
 1072 			Klein. [GL #1574]
 1073 
 1074 5375.	[test]		Fix timing issues in the "kasp" system test. [GL #1669]
 1075 
 1076 5374.	[bug]		Statistics counters tracking recursive clients and
 1077 			active connections could underflow. [GL #1087]
 1078 
 1079 5373.	[bug]		Collecting statistics for DNSSEC signing operations
 1080 			(change 5254) caused an array of significant size (over
 1081 			100 kB) to be allocated for each configured zone. Each
 1082 			of these arrays is tracking all possible key IDs; this
 1083 			could trigger an out-of-memory condition on servers with
 1084 			a high enough number of zones configured. Fixed by
 1085 			tracking up to four keys per zone and rotating counters
 1086 			when keys are replaced. This fixes the immediate problem
 1087 			of high memory usage, but should be improved in a future
 1088 			release by growing or shrinking the number of keys to
 1089 			track upon key rollover events. [GL #1179]
 1090 
 1091 5372.	[bug]		Fix migration from existing DNSSEC key files
 1092 			("auto-dnssec maintain") to "dnssec-policy". [GL #1706]
 1093 
 1094 5371.	[bug]		Improve incremental updates of the RPZ summary
 1095 			database to reduce delays that could occur when
 1096 			a policy zone update included a large number of
 1097 			record deletions. [GL #1447]
 1098 
 1099 5370.	[bug]		Deactivation of a netmgr handle associated with a
 1100 			socket could be skipped in some circumstances.
 1101 			Fixed by deactivating the netmgr handle before
 1102 			scheduling the asynchronous close routine. [GL #1700]
 1103 
 1104 5368.	[bug]		Named failed to restart if 'rndc addzone' names
 1105 			contained special characters (e.g. '/'). [GL #1655]
 1106 
 1107 5367.	[bug]		Fixed a flaw in the calculation of the zone database
 1108 			size so that "max-journal-size default" uses the correct
 1109 			limit. [GL #1661]
 1110 
 1111 	--- 9.16.1 released ---
 1112 
 1113 5366.	[bug]		Fix a race condition with the keymgr when the same
 1114 			zone plus dnssec-policy is configured in multiple
 1115 			views. [GL #1653]
 1116 
 1117 5365.	[bug]		Algorithm rollover was stuck on submitting DS
 1118 			because keymgr thought it would move to an invalid
 1119 			state.  Fixed by checking the current key against
 1120 			the desired state, not the existing state. [GL #1626]
 1121 
 1122 5364.	[bug]		Algorithm rollover waited too long before introducing
 1123 			zone signatures.  It waited to make sure all signatures
 1124 			were regenerated, but when introducing a new algorithm,
 1125 			all signatures are regenerated immediately.  Only
 1126 			add the sign delay if there is a predecessor key.
 1127 			[GL #1625]
 1128 
 1129 5363.	[bug]		When changing a dnssec-policy, existing keys with
 1130 			properties that no longer match were not being retired.
 1131 			[GL #1624]
 1132 
 1133 5361.	[bug]		named might not accept new connections after
 1134 			hitting tcp-clients quota. [GL #1643]
 1135 
 1136 5360.	[bug]		delv could fail to load trust anchors in DNSKEY
 1137 			format. [GL #1647]
 1138 
 1139 5358.	[bug]		Inline master zones whose master files were touched
 1140 			but otherwise unchanged and were subsequently reloaded
 1141 			may have stopped re-signing. [GL !3135]
 1142 
 1143 5357.	[bug]		Newly added RRSIG records with expiry times before
 1144 			the previous earliest expiry times might not be
 1145 			re-signed in time.  This was a side effect of 5315.
 1146 			[GL !3137]
 1147 
 1148 	--- 9.16.0 released ---
 1149 
 1150 5356.	[func]		Update dnssec-policy configuration statements:
 1151 			- Rename "zone-max-ttl" dnssec-policy option to
 1152 			  "max-zone-ttl" for consistency with the existing
 1153 			  zone option.
 1154 			- Allow for "lifetime unlimited" as a synonym for
 1155 			  "lifetime PT0S".
 1156 			- Make "key-directory" optional.
 1157 			- Warn if specifying a key length does not make
 1158 			  sense; fail if key length is out of range for
 1159 			  the algorithm.
 1160 			- Allow use of mnemonics when specifying key
 1161 			  algorithm (e.g. "rsasha256", "ecdsa384", etc.).
 1162 			- Make ISO 8601 durations case-insensitive.
 1163 			[GL #1598]
 1164 
 1165 5355.	[func]		What was set with --with-tuning=large option in
 1166 			older BIND9 versions is now a default, and
 1167 			a --with-tuning=small option was added for small
 1168 			(e.g. OpenWRT) systems. [GL !2989]
 1169 
 1170 5354.	[bug]		dnssec-policy created new KSK keys for zones in the
 1171 			initial stage of signing (with the DS not yet in the
 1172 			rumoured or omnipresent states).  Fix by checking the
 1173 			key goals rather than the active state when determining
 1174 			whether new keys are needed. [GL #1593]
 1175 
 1176 5353.	[doc]		Document port and dscp parameters in forwarders
 1177 			configuration option. [GL #914]
 1178 
 1179 5352.	[bug]		Correctly handle catalog zone entries containing
 1180 			characters that aren't legal in filenames. [GL #1592]
 1181 
 1182 5351.	[bug]		CDS / CDNSKEY consistency checks failed to handle
 1183 			removal records. [GL #1554]
 1184 
 1185 5350.	[bug]		When a view was configured with class CHAOS, the
 1186 			server could crash while processing a query for a
 1187 			non-existent record. [GL #1540]
 1188 
 1189 5349.	[bug]		Fix a race in task_pause/unpause. [GL #1571]
 1190 
 1191 5348.	[bug]		dnssec-settime -Psync was not being honoured.
 1192 			[GL !2925]
 1193 
 1194 	--- 9.15.8 released ---
 1195 
 1196 5347.	[bug]		Fixed a bug that could cause an intermittent crash
 1197 			in validator.c when validating a negative cache
 1198 			entry. [GL #1561]
 1199 
 1200 5346.	[bug]		Make hazard pointer array allocations dynamic, fixing
 1201 			a bug that caused named to crash on machines with more
 1202 			than 40 cores. [GL #1493]
 1203 
 1204 5345.	[func]		Key-style trust anchors and DS-style trust anchors
 1205 			can now both be used for the same name. [GL #1237]
 1206 
 1207 5344.	[bug]		Handle accept() errors properly in netmgr. [GL !2880]
 1208 
 1209 5343.	[func]		Add statistics counters to the netmgr. [GL #1311]
 1210 
 1211 5342.	[bug]		Disable pktinfo for IPv6 and bind to each interface
 1212 			explicitly instead, because libuv doesn't support
 1213 			pktinfo control messages. [GL #1558]
 1214 
 1215 5341.	[func]		Simplify passing the bound TCP socket to child
 1216 			threads by using isc_uv_export/import functions.
 1217 			[GL !2825]
 1218 
 1219 5340.	[bug]		Don't deadlock when binding to a TCP socket fails.
 1220 			[GL #1499]
 1221 
 1222 5339.	[bug]		With some libmaxminddb versions, named could erroneously
 1223 			match an IP address not belonging to any subnet defined
 1224 			in a given GeoIP2 database to one of the existing
 1225 			entries in that database. [GL #1552]
 1226 
 1227 5338.	[bug]		Fix line spacing in `rndc secroots`.
 1228 			Thanks to Tony Finch. [GL !2478]
 1229 
 1230 5337.	[func]		'named -V' now reports maxminddb and protobuf-c
 1231 			versions. [GL !2686]
 1232 
 1233 	--- 9.15.7 released ---
 1234 
 1235 5336.	[bug]		The TCP high-water statistic could report an
 1236 			incorrect value on startup. [GL #1392]
 1237 
 1238 5335.	[func]		Make TCP listening code multithreaded. [GL !2659]
 1239 
 1240 5334.	[doc]		Update documentation with dnssec-policy clarifications.
 1241 			Also change some defaults. [GL !2711]
 1242 
 1243 5333.	[bug]		Fix duration printing on Solaris when value is not
 1244 			an ISO 8601 duration. [GL #1460]
 1245 
 1246 5332.	[func]		Renamed "dnssec-keys" configuration statement
 1247 			to the more descriptive "trust-anchors". [GL !2702]
 1248 
 1249 5331.	[func]		Use compiler-provided mechanisms for thread local
 1250 			storage, and make the requirement for such mechanisms
 1251 			explicit in configure. [GL #1444]
 1252 
 1253 5330.	[bug]		'configure --without-python' was ineffective if
 1254 			PYTHON was set in the environment. [GL #1434]
 1255 
 1256 5329.	[bug]		Reconfiguring named caused memory to be leaked when any
 1257 			GeoIP2 database was in use. [GL #1445]
 1258 
 1259 5328.	[bug]		rbtdb.c:rdataset_{get,set}ownercase failed to obtain
 1260 			a node lock. [GL #1417]
 1261 
 1262 5327.	[func]		Added a statistics counter to track queries
 1263 			dropped because the recursive-clients quota was
 1264 			exceeded. [GL #1399]
 1265 
 1266 5326.	[bug]		Add Python dependency on 'distutils.core' to configure.
 1267 			'distutils.core' is required for installation.
 1268 			[GL #1397]
 1269 
 1270 5325.	[bug]		Addressed several issues with TCP connections in
 1271 			the netmgr: restored support for TCP connection
 1272 			timeouts, restored TCP backlog support, actively
 1273 			close all open sockets during shutdown. [GL #1312]
 1274 
 1275 5324.	[bug]		Change the category of some log messages from general
 1276 			to the more appropriate category of xfer-in. [GL #1394]
 1277 
 1278 5323.	[bug]		Fix a bug in DNSSEC trust anchor verification.
 1279 			[GL !2609]
 1280 
 1281 5322.	[placeholder]
 1282 
 1283 5321.	[bug]		Obtain write lock before updating version->records
 1284 			and version->bytes. [GL #1341]
 1285 
 1286 5320.	[cleanup]	Silence TSAN on header->count. [GL #1344]
 1287 
 1288 	--- 9.15.6 released ---
 1289 
 1290 5319.	[func]		Trust anchors can now be configured using DS
 1291 			format to represent a key digest, by using the
 1292 			new "initial-ds" or "static-ds" keywords in
 1293 			the "dnssec-keys" statement.
 1294 
 1295 			Note: DNSKEY-format and DS-format trust anchors
 1296 			cannot both be used for the same domain name.
 1297 			[GL #622]
 1298 
 1299 5318.	[cleanup]	The DNSSEC validation code has been refactored
 1300 			for clarity and to reduce code duplication.
 1301 			[GL #622]
 1302 
 1303 5317.	[func]		A new asynchronous network communications system
 1304 			based on libuv is now used for listening for
 1305 			incoming requests and responding to them. (The
 1306 			old isc_socket API remains in use for sending
 1307 			iterative queries and processing responses; this
 1308 			will be changed too in a later release.)
 1309 
 1310 			This change will make it easier to improve
 1311 			performance and implement new protocol layers
 1312 			(e.g., DNS over TLS) in the future. [GL #29]
 1313 
 1314 5316.	[func]		A new "dnssec-policy" option has been added to
 1315 			named.conf to implement a key and signing policy
 1316 			(KASP) for zones. When this option is in use,
 1317 			named can generate new keys as needed and
 1318 			automatically roll both ZSK and KSK keys. (Note
 1319 			that the syntax for this statement differs from
 1320 			the dnssec policy used by dnssec-keymgr.)
 1321 
 1322 			See the ARM for configuration details. [GL #1134]
 1323 
 1324 5315.	[bug]		Apply the initial RRSIG expiration spread fixed
 1325 			to all dynamically created records in the zone
 1326 			including NSEC3. Also fix the signature clusters
 1327 			when the server has been offline for prolonged
 1328 			periods of time. [GL #1256]
 1329 
 1330 5314.	[func]		Added a new statistics variable "tcp-highwater"
 1331 			that reports the maximum number of simultaneous TCP
 1332 			clients BIND has handled while running. [GL #1206]
 1333 
 1334 5313.	[bug]		The default GeoIP2 database location did not match
 1335 			the ARM.  'named -V' now reports the default
 1336 			location. [GL #1301]
 1337 
 1338 5312.	[bug]		Do not flush the cache for `rndc validation status`.
 1339 			Thanks to Tony Finch. [GL !2462]
 1340 
 1341 5311.	[cleanup]	Include all views in output of `rndc validation status`.
 1342 			Thanks to Tony Finch. [GL !2461]
 1343 
 1344 5310.	[bug]		TCP failures were affecting EDNS statistics. [GL #1059]
 1345 
 1346 5309.	[placeholder]
 1347 
 1348 5308.	[bug]		Don't log DNS_R_UNCHANGED from sync_secure_journal()
 1349 			at ERROR level in receive_secure_serial(). [GL #1288]
 1350 
 1351 5307.	[bug]		Fix hang when named-compilezone output is sent to pipe.
 1352 			Thanks to Tony Finch. [GL !2481]
 1353 
 1354 5306.	[security]	Set a limit on number of simultaneous pipelined TCP
 1355 			queries. (CVE-2019-6477) [GL #1264]
 1356 
 1357 5305.	[bug]		NSEC Aggressive Cache ("synth-from-dnssec") has been
 1358 			disabled by default because it was found to have
 1359 			a significant performance impact on the recursive
 1360 			service. [GL #1265]
 1361 
 1362 5304.	[bug]		"dnskey-sig-validity 0;" was not being accepted.
 1363 			[GL #876]
 1364 
 1365 5303.	[placeholder]
 1366 
 1367 5302.	[bug]		Fix checking that "dnstap-output" is defined when
 1368 			"dnstap" is specified in a view. [GL #1281]
 1369 
 1370 5301.	[bug]		Detect partial prefixes / incomplete IPv4 addresses in
 1371 			ACLs. [GL #1143]
 1372 
 1373 5300.	[bug]		dig/mdig/delv: Add a colon after EDNS option names,
 1374 			even when the option is empty, to improve
 1375 			readability and allow correct parsing of YAML
 1376 			output. [GL #1226]
 1377 
 1378 	--- 9.15.5 released ---
 1379 
 1380 5299.	[security]	A flaw in DNSSEC verification when transferring
 1381 			mirror zones could allow data to be incorrectly
 1382 			marked valid. (CVE-2019-6475) [GL #1252]
 1383 
 1384 5298.	[security]	Named could assert if a forwarder returned a
 1385 			referral, rather than resolving the query, when QNAME
 1386 			minimization was enabled. (CVE-2019-6476) [GL #1051]
 1387 
 1388 5297.	[bug]		Check whether a previous QNAME minimization fetch
 1389 			is still running before starting a new one; return
 1390 			SERVFAIL and log an error if so. [GL #1191]
 1391 
 1392 5296.	[placeholder]
 1393 
 1394 5295.	[cleanup]	Split dns_name_copy() calls into dns_name_copy() and
 1395 			dns_name_copynf() for those calls that can potentially
 1396 			fail and those that should not fail respectively.
 1397 			[GL !2265]
 1398 
 1399 5294.	[func]		Fall back to the ACE name on output in locales that do
 1400 			not support converting it to Unicode.  [GL #846]
 1401 
 1402 5293.	[bug]		On Windows, named crashed upon any attempt to fetch XML
 1403 			statistics from it. [GL #1245]
 1404 
 1405 5292.	[bug]		Queue 'rndc nsec3param' requests while signing inline
 1406 			zone changes. [GL #1205]
 1407 
 1408 	--- 9.15.4 released ---
 1409 
 1410 5291.	[placeholder]
 1411 
 1412 5290.	[placeholder]
 1413 
 1414 5289.	[bug]		Address NULL pointer dereference in rpz.c:rpz_detach.
 1415 			[GL #1210]
 1416 
 1417 5288.	[bug]		dnssec-must-be-secure was not always honored.
 1418 			[GL #1209]
 1419 
 1420 5287.	[placeholder]
 1421 
 1422 5286.	[contrib]	Address potential NULL pointer dereferences in
 1423 			dlz_mysqldyn_mod.c. [GL #1207]
 1424 
 1425 5285.	[port]		win32: implement "-T maxudpXXX". [GL #837]
 1426 
 1427 5284.	[func]		Added +unexpected command line option to dig.
 1428 			By default, dig won't accept a reply from a source
 1429 			other than the one to which it sent the query.
 1430 			Invoking dig with +unexpected argument will allow it
 1431 			to process replies from unexpected sources.
 1432 
 1433 5283.	[bug]		When a response-policy zone expires, ensure that
 1434 			its policies are removed from the RPZ summary
 1435 			database. [GL #1146]
 1436 
 1437 5282.	[bug]		Fixed a bug in searching for possible wildcard matches
 1438 			for query names in the RPZ summary database. [GL #1146]
 1439 
 1440 5281.	[cleanup]	Don't escape commas when reporting named's command
 1441 			line. [GL #1189]
 1442 
 1443 5280.	[protocol]	Add support for displaying EDNS option LLQ. [GL #1201]
 1444 
 1445 5279.	[bug]		When loading, reject zones containing CDS or CDNSKEY
 1446 			RRsets at the zone apex if they would cause DNSSEC
 1447 			validation failures if published in the parent zone
 1448 			as the DS RRset.  [GL #1187]
 1449 
 1450 5278.	[func]		Add YAML output formats for dig, mdig and delv;
 1451 			use the "+yaml" option to enable. [GL #1145]
 1452 
 1453 	--- 9.15.3 released ---
 1454 
 1455 5277.	[bug]		Cache DB statistics could underflow when serve-stale
 1456 			was in use, because of a bug in counter maintenance
 1457 			when RRsets become stale.
 1458 
 1459 			Functions for dumping statistics have been updated
 1460 			to dump active, stale, and ancient statistic
 1461 			counters.  Ancient RRset counters are prefixed
 1462 			with '~'; stale RRset counters are still prefixed
 1463 			with '#'. [GL #602]
 1464 
 1465 5276.	[func]		DNSSEC Lookaside Validation (DLV) is now obsolete;
 1466 			all code enabling its use has been removed from the
 1467 			validator, "delv", and the DNSSEC tools. [GL #7]
 1468 
 1469 5275.	[bug]		Mark DS records included in referral messages
 1470 			with trust level "pending" so that they can be
 1471 			validated and cached immediately, with no need to
 1472 			re-query. [GL #964]
 1473 
 1474 5274.	[bug]		Address potential use after free race when shutting
 1475 			down rpz. [GL #1175]
 1476 
 1477 5273.	[bug]		Check that bits [64..71] of a dns64 prefix are zero.
 1478 			[GL #1159]
 1479 
 1480 5272.	[cleanup]	Remove isc-config.sh script as the BIND 9 libraries
 1481 			are now purely internal. [GL #1123]
 1482 
 1483 5271.	[func]		The normal (non-debugging) output of dnssec-signzone
 1484 			and dnssec-verify tools now goes to stdout, instead of
 1485 			the combination of stderr and stdout.
 1486 
 1487 5270.	[bug]		'dig +expandaaaa +short' did not work. [GL #1152]
 1488 
 1489 5269.	[port]		cygwin: can return ETIMEDOUT on connect() with a
 1490 			non-blocking socket. [GL #1133]
 1491 
 1492 5268.	[placeholder]
 1493 
 1494 5267.	[func]		Allow statistics groups display to be toggle-able.
 1495 			[GL #1030]
 1496 
 1497 5266.	[bug]		named-checkconf failed to report dnstap-output
 1498 			missing from named.conf when dnstap was specified.
 1499 			[GL #1136]
 1500 
 1501 5265.	[bug]		DNS64 and RPZ nodata (CNAME *.) rules interacted badly.
 1502 			[GL #1106]
 1503 
 1504 5264.	[func]		New DNS Cookie algorithm - siphash24 - has been added
 1505 			to BIND 9, and the old HMAC-SHA DNS Cookie algorithms
 1506 			have been removed. [GL #605]
 1507 
 1508 	--- 9.15.2 released ---
 1509 
 1510 5263.	[cleanup]	Use atomics and isc_refcount_t wherever possible.
 1511 			[GL #1038]
 1512 
 1513 5262.	[func]		Removed support for the legacy GeoIP API. [GL #1112]
 1514 
 1515 5261.	[cleanup]	Remove SO_BSDCOMPAT socket option usage.
 1516 
 1517 5260.	[bug]		dnstap-read was producing malformed output for large
 1518 			packets. [GL #1093]
 1519 
 1520 5259.	[func]		New option '-i' for 'named-checkconf' to ignore
 1521 			warnings about deprecated options. [GL #1101]
 1522 
 1523 5258.	[func]		Added support for the GeoIP2 API from MaxMind. This
 1524 			will be compiled in by default if the "libmaxminddb"
 1525 			library is found at compile time, but can be
 1526 			suppressed using "configure --disable-geoip".
 1527 
 1528 			Certain geoip ACL settings that were available with
 1529 			legacy GeoIP are not available when using GeoIP2.
 1530 			[GL #182]
 1531 
 1532 5257.	[bug]		Some statistics data was not being displayed.
 1533 			Add shading to the zone tables. [GL #1030]
 1534 
 1535 5256.	[bug]		Ensure that glue records are included in root
 1536 			priming responses if "minimal-responses" is not
 1537 			set to "yes". [GL #1092]
 1538 
 1539 5255.	[bug]		Errors encountered while reloading inline-signing
 1540 			zones could be ignored, causing the zone content to
 1541 			be left in an incompletely updated state rather than
 1542 			reverted. [GL #1109]
 1543 
 1544 5254.	[func]		Collect per-zone, per-keytag metrics on DNSSEC signing
 1545 			(dnssec-sign) and refresh (dnssec-refresh) operations
 1546 			and report them to the statistics-channel.
 1547 			[GL #513]
 1548 
 1549 5253.	[port]		Support platforms that don't define ULLONG_MAX.
 1550 			[GL #1098]
 1551 
 1552 5252.	[func]		Report if the last 'rndc reload/reconfig' failed in
 1553 			rndc status. [GL !2040]
 1554 
 1555 5251.	[bug]		Statistics were broken in x86 Windows builds.
 1556 			[GL #1081]
 1557 
 1558 5250.	[func]		The default size for RSA keys is now 2048 bits,
 1559 			for both ZSKs and KSKs. [GL #1097]
 1560 
 1561 5249.	[bug]		Fix a possible underflow in recursion clients
 1562 			statistics when hitting recursive clients
 1563 			soft quota. [GL #1067]
 1564 
 1565 	--- 9.15.1 released ---
 1566 
 1567 5248.	[func]		To clarify the configuration of DNSSEC keys,
 1568 			the "managed-keys" and "trusted-keys" options
 1569 			have both been deprecated.  The new "dnssec-keys"
 1570 			statement can now be used for all trust anchors,
 1571 			with the keywords "initial-key" or "static-key"
 1572 			to indicate whether the configured trust anchor
 1573 			should be used for initialization of RFC 5011 key
 1574 			management, or as a permanent trust anchor.
 1575 
 1576 			The "static-key" keyword will generate a warning if
 1577 			used for the root zone.
 1578 
 1579 			Configurations using "trusted-keys" or "managed-keys"
 1580 			will continue to work with no changes, but will
 1581 			generate warnings in the log. In a future release,
 1582 			these options will be marked obsolete. [GL #6]
 1583 
 1584 5247.	[cleanup]	The 'cleaning-interval' option has been removed.
 1585 			[GL !1731]
 1586 
 1587 5246.	[func]		Log TSIG if appropriate in 'sending notify to' message.
 1588 			[GL #1058]
 1589 
 1590 5245.	[cleanup]	Reduce logging level for IXFR up-to-date poll
 1591 			responses. [GL #1009]
 1592 
 1593 5244.	[security]	Fixed a race condition in dns_dispatch_getnext()
 1594 			that could cause an assertion failure if a
 1595 			significant number of incoming packets were
 1596 			rejected. (CVE-2019-6471) [GL #942]
 1597 
 1598 5243.	[bug]		Fix a possible race between dispatcher and socket
 1599 			code in a high-load cold-cache resolver scenario.
 1600 			[GL #943]
 1601 
 1602 5242.	[bug]		In relaxed qname minimization mode, fall back to
 1603 			normal resolution when encountering a lame
 1604 			delegation, and use _.domain/A queries rather
 1605 			than domain/NS. [GL #1055]
 1606 
 1607 5241.	[bug]		Fix Ed448 private and public key ASN.1 prefix blobs.
 1608 			[GL #225]
 1609 
 1610 5240.	[bug]		Remove key id calculation for RSAMD5. [GL #996]
 1611 
 1612 5239.	[func]		Change the json-c detection to pkg-config. [GL #855]
 1613 
 1614 5238.	[bug]		Fix a possible deadlock in TCP code. [GL #1046]
 1615 
 1616 5237.	[bug]		Recurse to find the root server list with 'dig +trace'.
 1617 			[GL #1028]
 1618 
 1619 5236.	[func]		Add SipHash 2-4 implementation in lib/isc/siphash.c
 1620 			and switch isc_hash_function() to use SipHash 2-4.
 1621 			[GL #605]
 1622 
 1623 5235.	[cleanup]	Refactor lib/isc/app.c to be thread-safe; unused
 1624 			parts of the API have been removed and the
 1625 			isc_appctx_t data type has been changed to be
 1626 			fully opaque. [GL #1023]
 1627 
 1628 5234.	[port]		arm: just use the compiler's default support for
 1629 			yield. [GL #981]
 1630 
 1631 	--- 9.15.0 released ---
 1632 
 1633 5233.	[bug]		Negative trust anchors did not work with "forward only;"
 1634 			to validating resolvers. [GL #997]
 1635 
 1636 5232.	[placeholder]
 1637 
 1638 5231.	[protocol]	Add support for displaying CLIENT-TAG and SERVER-TAG.
 1639 			[GL #960]
 1640 
 1641 5230.	[protocol]	The SHA-1 hash algorithm is no longer used when
 1642 			generating DS and CDS records. [GL #1015]
 1643 
 1644 5229.	[protocol]	Enforce known SSHFP fingerprint lengths. [GL #852]
 1645 
 1646 5228.	[func]		If trusted-keys and managed-keys were configured
 1647 			simultaneously for the same name, the key could
 1648 			not be rolled automatically. This is now
 1649 			a fatal configuration error. [GL #868]
 1650 
 1651 5227.	[placeholder]
 1652 
 1653 5226.	[placeholder]
 1654 
 1655 5225.	[func]		Allow dig to print out AAAA record fully expanded
 1656 			with +[no]expandaaaa. [GL #765]
 1657 
 1658 5224.	[bug]		Only test provide-ixfr on TCP streams. [GL #991]
 1659 
 1660 5223.	[bug]		Fixed a race in the filter-aaaa plugin accessing
 1661 			the hash table. [GL #1005]
 1662 
 1663 5222.	[bug]		'delv -t ANY' could leak memory. [GL #983]
 1664 
 1665 5221.	[test]		Enable parallel execution of system tests on
 1666 			Windows. [GL !4101]
 1667 
 1668 5220.	[cleanup]	Refactor the isc_stat structure to take advantage
 1669 			of stdatomic. [GL !1493]
 1670 
 1671 5219.	[bug]		Fixed a race in the filter-aaaa plugin that could
 1672 			trigger a crash when returning an instance object
 1673 			to the memory pool. [GL #982]
 1674 
 1675 5218.	[bug]		Conditionally include <dlfcn.h>. [GL #995]
 1676 
 1677 5217.	[bug]		Restore key id calculation for RSAMD5. [GL #996]
 1678 
 1679 5216.	[bug]		Fetches-per-zone counter wasn't updated correctly
 1680 			when doing qname minimization. [GL #992]
 1681 
 1682 5215.	[bug]		Change #5124 was incomplete; named could still
 1683 			return FORMERR instead of SERVFAIL in some cases.
 1684 			[GL #990]
 1685 
 1686 5214.	[bug]		win32: named now removes its lock file upon shutdown.
 1687 			[GL #979]
 1688 
 1689 5213.	[bug]		win32: Eliminated a race which allowed named.exe running
 1690 			as a service to be killed prematurely during shutdown.
 1691 			[GL #978]
 1692 
 1693 5212.	[placeholder]
 1694 
 1695 5211.	[bug]		Allow out-of-zone additional data to be included
 1696 			in authoritative responses if recursion is allowed
 1697 			and "minimal-responses" is disabled.  This behavior
 1698 			was inadvertently removed in change #4605. [GL #817]
 1699 
 1700 5210.	[bug]		When dnstap is enabled and recursion is not
 1701 			available, incoming queries are now logged
 1702 			as "auth". Previously, this depended on whether
 1703 			recursion was requested by the client, not on
 1704 			whether recursion was available. [GL #963]
 1705 
 1706 5209.	[bug]		When update-check-ksk is true, add_sigs was not
 1707 			considering offline keys, leaving record sets signed
 1708 			with the incorrect type key. [GL #763]
 1709 
 1710 5208.	[test]		Run valid rdata wire encodings through totext+fromtext
 1711 			and tofmttext+fromtext methods to check these methods.
 1712 			[GL #899]
 1713 
 1714 5207.	[test]		Check delv and dig TTL values. [GL #965]
 1715 
 1716 5206.	[bug]		Delv could print out bad TTLs. [GL #965]
 1717 
 1718 5205.	[bug]		Enforce that a DS hash exists. [GL #899]
 1719 
 1720 5204.	[test]		Check that dns_rdata_fromtext() produces a record that
 1721 			will be accepted by dns_rdata_fromwire(). [GL #852]
 1722 
 1723 5203.	[bug]		Enforce whether key rdata exists or not in KEY,
 1724 			DNSKEY, CDNSKEY and RKEY. [GL #899]
 1725 
 1726 5202.	[bug]		<dns/ecs.h> was missing ISC_LANG_ENDDECLS. [GL #976]
 1727 
 1728 5201.	[bug]		Fix a possible deadlock in RPZ update code. [GL #973]
 1729 
 1730 5200.	[security]	tcp-clients settings could be exceeded in some cases,
 1731 			which could lead to exhaustion of file descriptors.
 1732 			(CVE-2018-5743) [GL #615]
 1733 
 1734 5199.	[security]	In certain configurations, named could crash
 1735 			if nxdomain-redirect was in use and a redirected
 1736 			query resulted in an NXDOMAIN from the cache.
 1737 			(CVE-2019-6467) [GL #880]
 1738 
 1739 5198.	[bug]		If a fetch context was being shut down and, at the same
 1740 			time, we returned from qname minimization, an INSIST
 1741 			could be hit. [GL #966]
 1742 
 1743 5197.	[bug]		dig could die in best effort mode on multiple SIG(0)
 1744 			records. Similarly on multiple OPT and multiple TSIG
 1745 			records. [GL #920]
 1746 
 1747 5196.	[bug]		make install failed with --with-dlopen=no. [GL #955]
 1748 
 1749 5195.	[bug]		"allow-update" and "allow-update-forwarding" were
 1750 			treated as configuration errors if used at the
 1751 			options or view level. [GL #913]
 1752 
 1753 5194.	[bug]		Enforce non-empty ZONEMD hash. [GL #899]
 1754 
 1755 5193.	[bug]		EID and NIMLOC failed to do multi-line output
 1756 			correctly. [GL #899]
 1757 
 1758 5192.	[placeholder]
 1759 
 1760 5191.	[placeholder]
 1761 
 1762 5190.	[bug]		Ignore trust anchors using disabled algorithms.
 1763 			[GL #806]
 1764 
 1765 5189.	[cleanup]	Remove revoked root DNSKEY from bind.keys. [GL #945]
 1766 
 1767 5188.	[func]		The "dnssec-enable" option is deprecated and no
 1768 			longer has any effect; DNSSEC responses are
 1769 			always enabled. [GL #866]
 1770 
 1771 5187.	[test]		Set time zone before running any tests in dnstap_test.
 1772 			[GL #940]
 1773 
 1774 5186.	[cleanup]	More dnssec-keygen manual tidying. [GL !1678]
 1775 
 1776 5185.	[placeholder]
 1777 
 1778 5184.	[bug]		Missing unlocks in sdlz.c. [GL #936]
 1779 
 1780 5183.	[bug]		Reinitialize ECS data before reusing client
 1781 			structures. [GL #881]
 1782 
 1783 5182.	[bug]		Fix a high-load race/crash in handling of
 1784 			isc_socket_close() in resolver. [GL #834]
 1785 
 1786 5181.	[func]		Add a mechanism for a DLZ module to signal that
 1787 			the view's allow-transfer ACL should be used to
 1788 			determine whether transfers are allowed. [GL #803]
 1789 
 1790 5180.	[bug]		delv now honors the operating system's preferred
 1791 			ephemeral port range. [GL #925]
 1792 
 1793 5179.	[cleanup]	Replace some vague type declarations with the more
 1794 			specific dns_secalg_t and dns_dsdigest_t.
 1795 			Thanks to Tony Finch. [GL !1498]
 1796 
 1797 5178.	[bug]		Handle EDQUOT (disk quota) and ENOSPC (disk full)
 1798 			errors when writing files. [GL #902]
 1799 
 1800 5177.	[func]		Add the ability to specify in named.conf whether a
 1801 			response-policy zone's SOA record should be added
 1802 			to the additional section (add-soa yes/no). [GL #865]
 1803 
 1804 5176.	[tests]		Remove a dependency on libxml in statschannel system
 1805 			test. [GL #926]
 1806 
 1807 5175.	[bug]		Fixed a problem with file input in dnssec-keymgr,
 1808 			dnssec-coverage and dnssec-checkds when using
 1809 			python3. [GL #882]
 1810 
 1811 5174.	[doc]		Tidy dnssec-keygen manual. [GL !1557]
 1812 
 1813 5173.	[bug]		Fixed a race in socket code that could occur when
 1814 			accept, send, or recv were called from an event
 1815 			loop but the socket had been closed by another
 1816 			thread. [RT #874]
 1817 
 1818 5172.	[bug]		nsupdate now honors the operating system's preferred
 1819 			ephemeral port range. [GL #905]
 1820 
 1821 5171.	[func]		named plugins are now installed into a separate
 1822 			directory.  Supplying a filename (a string without path
 1823 			separators) in a "plugin" configuration stanza now
 1824 			causes named to look for that plugin in that directory.
 1825 			[GL #878]
 1826 
 1827 5170.	[test]		Added --with-dlz-filesystem to feature-test. [GL !1587]
 1828 
 1829 5169.	[bug]		The presence of certain types in an otherwise
 1830 			empty node could cause a crash while processing a
 1831 			type ANY query. [GL #901]
 1832 
 1833 5168.	[bug]		Do not crash on shutdown when RPZ fails to load.  Also,
 1834 			keep previous version of the database if RPZ fails to
 1835 			load. [GL #813]
 1836 
 1837 5167.	[bug]		nxdomain-redirect could sometimes look up the wrong
 1838 			redirect name. [GL #892]
 1839 
 1840 5166.	[placeholder]
 1841 
 1842 5165.	[contrib]	Removed SDB drivers from contrib; they're obsolete.
 1843 			[GL #428]
 1844 
 1845 5164.	[bug]		Correct errno to result translation in dlz filesystem
 1846 			modules. [GL #884]
 1847 
 1848 5163.	[cleanup]	Out-of-tree builds failed with --enable-dnstap. [GL #836]
 1849 
 1850 5162.	[cleanup]	Improve dnssec-keymgr manual. Thanks to Tony Finch.
 1851 			[GL !1518]
 1852 
 1853 5161.	[bug]		Do not require the SEP bit to be set for mirror zone
 1854 			trust anchors. [GL #873]
 1855 
 1856 5160.	[contrib]	Added DNAME support to the DLZ LDAP schema. Also
 1857 			fixed a compilation bug affecting several DLZ
 1858 			modules. [GL #872]
 1859 
 1860 5159.	[bug]		dnssec-coverage was incorrectly ignoring
 1861 			names specified on the command line without
 1862 			trailing dots. [GL !1478]
 1863 
 1864 5158.	[protocol]	Add support for AMTRELAY and ZONEMD. [GL #867]
 1865 
 1866 5157.	[bug]		Nslookup now errors out if there are extra command
 1867 			line arguments. [GL #207]
 1868 
 1869 5156.	[doc]		Extended and refined the section of the ARM describing
 1870 			mirror zones. [GL #774]
 1871 
 1872 5155.	[func]		"named -V" now outputs the default paths to
 1873 			named.conf, rndc.conf, bind.keys, and other
 1874 			files used or created by named and other tools, so
 1875 			that the correct paths to these files can quickly be
 1876 			determined regardless of the configure settings
 1877 			used when BIND was built. [GL #859]
 1878 
 1879 5154.	[bug]		dig: process_opt could be called twice on the same
 1880 			message leading to an assertion failure. [GL #860]
 1881 
 1882 5153.	[func]		Zone transfer statistics (size, number of records, and
 1883 			number of messages) are now logged for outgoing
 1884 			transfers as well as incoming ones. [GL #513]
 1885 
 1886 5152.	[func]		Improved logging of DNSSEC key events:
 1887 			- Zone signing and DNSKEY maintenance events are
 1888 			  now logged to the "dnssec" category
 1889 			- Messages are now logged when DNSSEC keys are
 1890 			  published, activated, inactivated, deleted,
 1891 			  or revoked.
 1892 			[GL #714]
 1893 
 1894 5151.	[func]		Options that have been marked as obsolete in
 1895 			named.conf for a very long time are now fatal
 1896 			configuration errors. [GL #358]
 1897 
 1898 5150.	[cleanup]	Remove the ability to compile BIND with assertions
 1899 			disabled. [GL #735]
 1900 
 1901 5149.	[func]		"rndc dumpdb" now prints a line above a stale RRset
 1902 			indicating how long the data will be retained in the
 1903 			cache for emergency use. [GL #101]
 1904 
 1905 5148.	[bug]		named did not sign the TKEY response. [GL #821]
 1906 
 1907 5147.	[bug]		dnssec-keymgr: Add a five-minute margin to better
 1908 			handle key events close to 'now'. [GL #848]
 1909 
 1910 5146.	[placeholder]
 1911 
 1912 5145.	[func]		Use atomics instead of locked variables for isc_quota
 1913 			and isc_counter. [GL !1389]
 1914 
 1915 5144.	[bug]		dig now returns a non-zero exit code when a TCP
 1916 			connection is prematurely closed by a peer more than
 1917 			once for the same lookup.  [GL #820]
 1918 
 1919 5143.	[bug]		dnssec-keymgr and dnssec-coverage failed to find
 1920 			key files for zone names ending in ".". [GL #560]
 1921 
 1922 5142.	[cleanup]	Removed "configure --disable-rpz-nsip" and
 1923 			"--disable-rpz-nsdname" options. "nsip-enable"
 1924 			and "nsdname-enable" both now default to yes,
 1925 			regardless of compile-time settings. [GL #824]
 1926 
 1927 5141.	[security]	Zone transfer controls for writable DLZ zones were
 1928 			not effective as the allowzonexfr method was not being
 1929 			called for such zones. (CVE-2019-6465) [GL #790]
 1930 
 1931 5140.	[bug]		Don't immediately mark existing keys as inactive and
 1932 			deleted when running dnssec-keymgr for the first
 1933 			time. [GL #117]
 1934 
 1935 5139.	[bug]		If possible, don't use forwarders when priming.
 1936 			This ensures we can get root server IP addresses
 1937 			from priming query response glue, which may not
 1938 			be present if the forwarding server is returning
 1939 			minimal responses. [GL #752]
 1940 
 1941 5138.	[bug]		Under some circumstances named could hit an assertion
 1942 			failure when doing qname minimization when using
 1943 			forwarders. [GL #797]
 1944 
 1945 5137.	[func]		named now logs messages whenever a mirror zone becomes
 1946 			usable or unusable for resolution purposes. [GL #818]
 1947 
 1948 5136.	[cleanup]	Check in named-checkconf that allow-update and
 1949 			allow-update-forwarding are not set at the
 1950 			view/options level; fix documentation. [GL #512]
 1951 
 1952 5135.	[port]		sparc: Use smt_pause() instead of pause. [GL #816]
 1953 
 1954 5134.	[bug]		win32: WSAStartup was not called before getservbyname
 1955 			was called. [GL #590]
 1956 
 1957 5133.	[bug]		'rndc managed-keys' didn't handle class and view
 1958 			correctly and failed to add new lines between each
 1959 			view. [GL !1327]
 1960 
 1961 5132.	[bug]		Fix race condition in cleanup part of dns_dt_create().
 1962 			[GL !1323]
 1963 
 1964 5131.	[cleanup]	Address Coverity warnings. [GL #801]
 1965 
 1966 5130.	[cleanup]	Remove support for l10n message catalogs. [GL #709]
 1967 
 1968 5129.	[contrib]	sdlz_helper.c:build_querylist was not properly
 1969 			splitting the query string. [GL #798]
 1970 
 1971 5128.	[bug]		Refreshkeytime was not being updated for managed
 1972 			keys zones. [GL #784]
 1973 
 1974 5127.	[bug]		rcode.c:maybe_numeric failed to handle NUL in text
 1975 			regions. [GL #807]
 1976 
 1977 5126.	[bug]		Named incorrectly accepted empty base64 and hex encoded
 1978 			fields when reading master files. [GL #807]
 1979 
 1980 5125.	[bug]		Allow for up to 100 records or 64k of data when caching
 1981 			a negative response. [GL #804]
 1982 
 1983 5124.	[bug]		Named could incorrectly return FORMERR rather than
 1984 			SERVFAIL. [GL #804]
 1985 
 1986 5123.	[bug]		dig could hang indefinitely after encountering an error
 1987 			before creating a TCP socket. [GL #692]
 1988 
 1989 5122.	[bug]		In a "forward first;" configuration, a forwarder
 1990 			timeout did not prevent that forwarder from being
 1991 			queried again after falling back to full recursive
 1992 			resolution. [GL #315]
 1993 
 1994 5121.	[contrib]	dlz_stub_driver.c fails to return ISC_R_NOTFOUND on
 1995 			non-matching zone names. [GL !1299]
 1996 
 1997 5120.	[placeholder]
 1998 
 1999 5119.	[placeholder]
 2000 
 2001 5118.	[security]	Named could crash if it is managing a key with
 2002 			`managed-keys` and the authoritative zone is rolling
 2003 			the key to an unsupported algorithm. (CVE-2018-5745)
 2004 			[GL #780]
 2005 
 2006 5117.	[placeholder]
 2007 
 2008 5116.	[bug]		Named/named-checkconf triggered an assertion when
 2009 			a mirror zone's name is bad. [GL #778]
 2010 
 2011 5115.	[bug]		Allow unsupported algorithms in zone when not used for
 2012 			signing with dnssec-signzone. [GL #783]
 2013 
 2014 5114.	[func]		Include a 'reconfig/reload in progress' status line
 2015 			in rndc status, use it in tests.
 2016 
 2017 5113.	[port]		Fixed a Windows build error.
 2018 
 2019 5112.	[bug]		Named/named-checkconf could dump core if there was
 2020 			a missing masters clause and a bad notify clause.
 2021 			[GL #779]
 2022 
 2023 5111.	[bug]		Occluded DNSKEY records could make it into the
 2024 			delegating NSEC/NSEC3 bitmap. [GL #742]
 2025 
 2026 5110.	[security]	Named leaked memory if there were multiple Key Tag
 2027 			EDNS options present. (CVE-2018-5744) [GL #772]
 2028 
 2029 5109.	[cleanup]	Remove support for RSAMD5 algorithm. [GL #628]
 2030 
 2031 	--- 9.13.5 released ---
 2032 
 2033 5108.	[bug]		Named could fail to determine bottom of zone when
 2034 			removing out of date keys leading to invalid NSEC
 2035 			and NSEC3 records being added to the zone. [GL #771]
 2036 
 2037 5107.	[bug]		'host -U' did not work. [GL #769]
 2038 
 2039 5106.	[experimental]	A new "plugin" mechanism has been added to allow
 2040 			extension of query processing functionality through
 2041 			the use of dynamically loadable libraries. A
 2042 			"filter-aaaa.so" plugin has been implemented,
 2043 			replacing the filter-aaaa feature that was formerly
 2044 			implemented as a native part of BIND.
 2045 
 2046 			The "filter-aaaa", "filter-aaaa-on-v4" and
 2047 			"filter-aaaa-on-v6" options can no longer be
 2048 			configured using native named.conf syntax. However,
 2049 			loading the filter-aaaa.so plugin and setting its
 2050 			parameters provides identical functionality.
 2051 
 2052 			Note that the plugin API is a work in progress and
 2053 			is likely to evolve as further plugins are
 2054 			implemented. [GL #15]
 2055 
 2056 5105.	[bug]		Fix a race between process_fd and socketclose in
 2057 			unix socket code. [GL #744]
 2058 
 2059 5104.	[cleanup]	Log clearer informational message when a catz zone
 2060 			is overridden by a zone in named.conf.
 2061 			Thanks to Tony Finch. [GL !1157]
 2062 
 2063 5103.	[bug]		Add missing design by contract tests to dns_catz*.
 2064 			[GL #748]
 2065 
 2066 5102.	[bug]		dnssec-coverage failed to use the default TTL when
 2067 			checking KSK deletion times leading to an exception.
 2068 			[GL #585]
 2069 
 2070 5101.	[bug]		Fix default installation path for Python modules and
 2071 			remove the dnspython dependency accidentally introduced
 2072 			by change 4970. [GL #730]
 2073 
 2074 5100.	[func]		Pin resolver tasks to specific task queues. [GL !1117]
 2075 
 2076 5099.	[func]		Failed mutex and conditional creations are always
 2077 			fatal. [GL #674]
 2078 
 2079 	--- 9.13.4 released ---
 2080 
 2081 5098.	[func]		Failed memory allocations are now fatal. [GL #674]
 2082 
 2083 5097.	[cleanup]	Remove embedded ATF unit testing framework
 2084 			from BIND source distribution.  [GL !875]
 2085 
 2086 5096.	[func]		Use multiple event loops in socket code, and
 2087 			make network threads CPU-affinitive.  This
 2088 			significantly improves performance on large
 2089 			systems. [GL #666]
 2090 
 2091 5095.	[test]		Converted all unit tests from ATF to CMocka;
 2092 			removed the source code for the ATF libraries.
 2093 			Build with "configure --with-cmocka" to enable
 2094 			unit testing. [GL #620]
 2095 
 2096 5094.	[func]		Add 'dig -r' to disable reading of .digrc. [GL !970]
 2097 
 2098 5093.	[bug]		Log lame qname-minimization servers only if they're
 2099 			really lame. [GL #671]
 2100 
 2101 5092.	[bug]		Address memory leak on SIGTERM in nsupdate when using
 2102 			GSS-TSIG. [GL #558]
 2103 
 2104 5091.	[func]		Add two new global and per-view options, min-cache-ttl
 2105 			and min-ncache-ttl. [GL #613]
 2106 
 2107 5090.	[bug]		dig and mdig failed to properly pre-parse dash value
 2108 			pairs when value was a separate argument and started
 2109 			with a dash. [GL #584]
 2110 
 2111 5089.	[bug]		Restore localhost fallback in dig and host which is
 2112 			used when no nameserver addresses present in
 2113 			/etc/resolv.conf are usable due to the requested
 2114 			address family restrictions. [GL #433]
 2115 
 2116 5088.	[bug]		dig/host/nslookup could crash when interrupted close to
 2117 			a query timeout. [GL #599]
 2118 
 2119 5087.	[test]		Check that result tables are complete. [GL #676]
 2120 
 2121 5086.	[func]		Log of RPZ now includes the QTYPE and QCLASS. [GL #623]
 2122 
 2123 5085.	[bug]		win32: Restore looking up nameservers, search list,
 2124 			etc. [GL #186]
 2125 
 2126 5084.	[placeholder]
 2127 
 2128 5083.	[func]		Add autoconf macro AX_POSIX_SHELL, so we
 2129 			can use POSIX-compatible shell features
 2130 			in the scripts.
 2131 
 2132 5082.	[bug]		Fixed a race that could cause a crash in
 2133 			dig/host/nslookup. [GL #650]
 2134 
 2135 5081.	[func]		Use per-worker queues in task manager, make task
 2136 			runners CPU-affine. [GL #659]
 2137 
 2138 5080.	[func]		Improvements to "rndc nta" user interface:
 2139 			- catch and report invalid command line options
 2140 			- when removing an NTA from all views, do not
 2141 			  abort with an error if the NTA was not found
 2142 			  in one of the views
 2143 			- include the view name in "rndc nta -dump"
 2144 			  output, for consistency with the add and remove
 2145 			  actions
 2146 			Thanks to Tony Finch. [GL !816]
 2147 
 2148 5079.	[func]		Disable IDN processing in dig and nslookup
 2149 			when not on a tty. [GL #653]
 2150 
 2151 5078.	[cleanup]	Require python components to be explicitly disabled if
 2152 			python is not available on unix platforms. [GL #601]
 2153 
 2154 5077.	[cleanup]	Remove ip6.int support (-i) from dig and mdig.
 2155 			[GL !969]
 2156 
 2157 5076.	[bug]		"require-server-cookie" was not effective if
 2158 			"rate-limit" was configured. [GL #617]
 2159 
 2160 5075.	[bug]		Refresh nameservers from cache when sending final
 2161 			query in qname minimization. [GL #16]
 2162 
 2163 5074.	[cleanup]	Remove vector socket functions - isc_socket_recvv(),
 2164 			isc_socket_sendtov(), isc_socket_sendtov2(),
 2165 			isc_socket_sendv() - in order to simplify socket code.
 2166 			[GL #645]
 2167 
 2168 5073.	[bug]		Destroy a task first when destroying rpzs and catzs.
 2169 			[GL #84]
 2170 
 2171 5072.	[bug]		Add unit tests for isc_buffer_copyregion() and fix its
 2172 			behavior for auto-reallocated buffers. [GL #644]
 2173 
 2174 5071.	[bug]		Comparison of NXT records was broken. [GL #631]
 2175 
 2176 5070.	[bug]		Record types which support an empty rdata field were
 2177 			not handling the empty rdata field case. [GL #638]
 2178 
 2179 5069.	[bug]		Fix a hang in RPZ when named is shut down during RPZ
 2180 			zone update. [GL !907]
 2181 
 2182 5068.	[bug]		Fix a race in RPZ with min-update-interval set to 0.
 2183 			[GL #643]
 2184 
 2185 5067.	[bug]		Don't minimize qname when sending the query
 2186 			to a forwarder. [GL #361]
 2187 
 2188 5066.	[cleanup]	Allow unquoted strings to be used as zone names
 2189 			in response-policy statements. [GL #641]
 2190 
 2191 5065.	[bug]		Only set IPV6_USE_MIN_MTU on IPv6. [GL #553]
 2192 
 2193 5064.	[test]		Initialize TZ environment variable before calling
 2194 			dns_test_begin in dnstap_test. [GL #624]
 2195 
 2196 5063.	[test]		In statschannel test try a few times before failing
 2197 			when checking if the compressed output is the same as
 2198 			uncompressed. [GL !909]
 2199 
 2200 5062.	[func]		Use non-crypto-secure PRNG to generate nonces for
 2201 			cookies. [GL !887]
 2202 
 2203 5061.	[protocol]	Add support for EID and NIMLOC. [GL #626]
 2204 
 2205 5060.	[bug]		GID, UID and UINFO could not be loaded using unknown
 2206 			record format. [GL #627]
 2207 
 2208 5059.	[bug]		Display a per-view list of zones in the web interface.
 2209 			[GL #427]
 2210 
 2211 5058.	[func]		Replace old message digest and hmac APIs with more
 2212 			generic isc_md and isc_hmac APIs, and convert their
 2213 			respective tests to cmocka. [GL #305]
 2214 
 2215 5057.	[protocol]	Add support for ATMA. [GL #619]
 2216 
 2217 5056.	[placeholder]
 2218 
 2219 5055.	[func]		A default list of primary servers for the root zone is
 2220 			now built into named, allowing the "masters" statement
 2221 			to be omitted when configuring an IANA root zone
 2222 			mirror. [GL #564]
 2223 
 2224 5054.	[func]		Attempts to use mirror zones with recursion disabled
 2225 			are now considered a configuration error. [GL #564]
 2226 
 2227 5053.	[func]		The only valid zone-level NOTIFY settings for mirror
 2228 			zones are now "notify no;" and "notify explicit;".
 2229 			[GL #564]
 2230 
 2231 5052.	[func]		Mirror zones are now configured using "type mirror;"
 2232 			rather than "mirror yes;". [GL #564]
 2233 
 2234 5051.	[doc]		Documentation incorrectly stated that the
 2235 			"server-addresses" static-stub zone option accepts
 2236 			custom port numbers. [GL #582]
 2237 
 2238 5050.	[bug]		The libirs version of getaddrinfo() was unable to parse
 2239 			scoped IPv6 addresses present in /etc/resolv.conf.
 2240 			[GL #187]
 2241 
 2242 5049.	[cleanup]	QNAME minimization has been deeply refactored. [GL #16]
 2243 
 2244 5048.	[func]		Add configure option to enable and enforce FIPS mode
 2245 			in BIND 9. [GL #506]
 2246 
 2247 5047.	[bug]		Messages logged for certain query processing failures
 2248 			now include a more specific error description if it is
 2249 			available. [GL #572]
 2250 
 2251 5046.	[bug]		named could crash during shutdown if an RPZ
 2252 			reload was in progress. [RT #46210]
 2253 
 2254 5045.	[func]		Remove support for DNSSEC algorithms 3 (DSA)
 2255 			and 6 (DSA-NSEC3-SHA1). [GL #22]
 2256 
 2257 5044.	[cleanup]	If "dnssec-enable" is no, then "dnssec-validation"
 2258 			now also defaults to no.  [GL #388]
 2259 
 2260 5043.	[bug]		Fix creating and validating EdDSA signatures. [GL #579]
 2261 
 2262 5042.	[test]		Make the chained delegations in reclimit behave
 2263 			like they would in a regular name server. [GL #578]
 2264 
 2265 5041.	[test]		The chain test contains an incomplete delegation.
 2266 			[GL #568]
 2267 
 2268 5040.	[func]		Extended dnstap so that it can log UPDATE requests
 2269 			and responses as separate message types. Thanks
 2270 			to Greg Rabil. [GL #570]
 2271 
 2272 5039.	[bug]		Named could fail to preserve owner name case of new
 2273 			RRset. [GL #420]
 2274 
 2275 5038.	[bug]		Chaosnet addresses were compared incorrectly.
 2276 			[GL #562]
 2277 
 2278 5037.	[func]		"allow-recursion-on" and "allow-query-cache-on"
 2279 			each now default to the other if only one of them
 2280 			is set, in order to be more consistent with the way
 2281 			"allow-recursion" and "allow-query-cache" work.
 2282 			Also we now ensure that both query-cache ACLs are
 2283 			checked when determining cache access. [GL #319]
 2284 
 2285 5036.	[cleanup]	Fixed a spacing/formatting error in some RPZ-related
 2286 			error messages in the log. [GL !805]
 2287 
 2288 5035.	[test]		Fixed errors that prevented the DNSRPS subtests
 2289 			from running in the rpz and rpzrecurse system
 2290 			tests. [GL #503]
 2291 
 2292 5034.	[bug]		A race between threads could prevent zone maintenance
 2293 			scheduled immediately after zone load from being
 2294 			performed. [GL #542]
 2295 
 2296 5033.	[bug]		When adding NTAs to multiple views using "rndc nta",
 2297 			the text returned via rndc was incorrectly terminated
 2298 			after the first line, making it look as if only one
 2299 			NTA had been added. Also, it was not possible to
 2300 			differentiate between views with the same name but
 2301 			different classes; this has been corrected with the
 2302 			addition of a "-class" option. [GL #105]
 2303 
 2304 5032.	[func]		Add krb5-selfsub and ms-selfsub update policy rules.
 2305 			[GL #511]
 2306 
 2307 5031.	[cleanup]	Various defines in platform.h have been either dropped
 2308 			if always or never triggered on supported platforms
 2309 			or replaced with config.h equivalents if the defines
 2310 			didn't have any impact on public headers.  Workarounds
 2311 			for LinuxThreads have been removed because NPTL is
 2312 			available since Linux kernel 2.6.0.  [GL #525]
 2313 
 2314 5030.	[bug]		Align CMSG buffers to a 64-bit boundary, fixes crash
 2315 			on architectures with strict alignment. [GL #521]
 2316 
 2317 	--- 9.13.3 released ---
 2318 
 2319 5029.	[func]		Workarounds for servers that misbehave when queried
 2320 			with EDNS have been removed, because these broken
 2321 			servers and the workarounds for their noncompliance
 2322 			cause unnecessary delays, increase code complexity,
 2323 			and prevent deployment of new DNS features. See
 2324 			https://dnsflagday.net for further details. [GL #150]
 2325 
 2326 5028.	[bug]		Spread the initial RRSIG expiration times over the
 2327 			entire working sig-validity-interval when signing a
 2328 			zone in named to even out re-signing and transfer
 2329 			loads. [GL #418]
 2330 
 2331 5027.	[func]		Set SO_SNDBUF size on sockets. [GL #74]
 2332 
 2333 5026.	[bug]		rndc reconfig should not touch already loaded zones.
 2334 			[GL #276]
 2335 
 2336 5025.	[cleanup]	Remove isc_keyboard family of functions. [GL #178]
 2337 
 2338 5024.	[func]		Replace custom assembly for atomic operations with
 2339 			atomic support from the compiler. The code will now use
 2340 			C11 stdatomic, or __atomic, or __sync builtins with GCC
 2341 			or Clang compilers, and Interlocked functions with MSVC.
 2342 			[GL #10]
 2343 
 2344 5023.	[cleanup]	Remove wrappers that try to fix broken or incomplete
 2345 			implementations of IPv6, pthreads and other core
 2346 			functionality required and used by BIND. [GL #192]
 2347 
 2348 5022.	[doc]		Update ms-self, ms-subdomain, krb5-self, and
 2349 			krb5-subdomain documentation. [GL !708]
 2350 
 2351 5021.	[bug]		dig returned a non-zero exit code when it received a
 2352 			reply over TCP after a retry. [GL #487]
 2353 
 2354 5020.	[func]		RNG uses thread-local storage instead of locks, if
 2355 			supported by platform. [GL #496]
 2356 
 2357 5019.	[cleanup]	A message is now logged when ixfr-from-differences is
 2358 			set at zone level for an inline-signed zone. [GL #470]
 2359 
 2360 5018.	[bug]		Fix incorrect sizeof arguments in lib/isc/pk11.c.
 2361 			[GL !588]
 2362 
 2363 5017.	[bug]		lib/isc/pk11.c failed to unlink the session before
 2364 			releasing the lock, which is unsafe. [GL !589]
 2365 
 2366 5016.	[bug]		Named could assert with overlapping filter-aaaa and
 2367 			dns64 acls. [GL #445]
 2368 
 2369 5015.	[bug]		Reloading all zones caused zone maintenance to cease
 2370 			for inline-signed zones. [GL #435]
 2371 
 2372 5014.	[bug]		Signatures loaded from the journal for the signed
 2373 			version of an inline-signed zone were not scheduled for
 2374 			refresh. [GL #482]
 2375 
 2376 5013.	[bug]		A referral response with a non-empty ANSWER section was
 2377 			inadvertently being treated as an error. [GL #390]
 2378 
 2379 5012.	[bug]		Fix lock order reversal in pk11_initialize. [GL !590]
 2380 
 2381 5011.	[func]		Remove support for unthreaded named. [GL #478]
 2382 
 2383 5010.	[func]		New "validate-except" option specifies a list of
 2384 			domains beneath which DNSSEC validation should not
 2385 			be performed. [GL #237]
 2386 
 2387 5009.	[bug]		Upon an OpenSSL failure, the first error in the OpenSSL
 2388 			error queue was not logged. [GL #476]
 2389 
 2390 5008.	[bug]		"rndc signing -nsec3param ..." requests were silently
 2391 			ignored for zones which were not yet loaded or
 2392 			transferred. [GL #468]
 2393 
 2394 5007.	[cleanup]	Replace custom ISC boolean and integer data types
 2395 			with C99 stdint.h and stdbool.h types. [GL #9]
 2396 
 2397 5006.	[cleanup]	Code preparing a delegation response was extracted from
 2398 			query_delegation() and query_zone_delegation() into a
 2399 			separate function in order to decrease code
 2400 			duplication. [GL #431]
 2401 
 2402 5005.	[bug]		dnssec-verify, and dnssec-signzone at the verification
 2403 			step, failed on some validly signed zones. [GL #442]
 2404 
 2405 5004.	[bug]		'rndc reconfig' could cause inline zones to stop
 2406 			re-signing. [GL #439]
 2407 
 2408 5003.	[bug]		dns_acl_isinsecure did not handle geoip elements.
 2409 			[GL #406]
 2410 
 2411 5002.	[bug]		mdig: Handle malformed +ednsopt option, support 100
 2412 			+ednsopt options per query rather than 100 total and
 2413 			address memory leaks if +ednsopt was specified.
 2414 			[GL #410]
 2415 
 2416 5001.	[bug]		Fix refcount errors on error paths. [GL !563]
 2417 
 2418 5000.	[bug]		named_server_servestale() could leave the server in
 2419 			exclusive mode if an error occurred. [GL #441]
 2420 
 2421 4999.	[cleanup]	Remove custom printf implementation in lib/isc/print.c.
 2422 			[GL #261]
 2423 
 2424 4998.	[test]		Make resolver and cacheclean tests more civilized.
 2425 
 2426 4997.	[security]	named could crash during recursive processing
 2427 			of DNAME records when "deny-answer-aliases" was
 2428 			in use. (CVE-2018-5740) [GL #387]
 2429 
 2430 4996.	[bug]		dig: Handle malformed +ednsopt option. [GL #403]
 2431 
 2432 4995.	[test]		Add tests for "tcp-self" update policy. [GL !282]
 2433 
 2434 4994.	[bug]		Trust anchor telemetry queries were not being sent
 2435 			upstream for locally served zones. [GL #392]
 2436 
 2437 4993.	[cleanup]	Remove support for silently ignoring 'no-change' deltas
 2438 			from BIND 8 when processing an IXFR stream. 'no-change'
 2439 			deltas will now trigger a fallback to AXFR as the
 2440 			recovery mechanism. [GL #369]
 2441 
 2442 4992.	[bug]		The wrong address was being logged for trust anchor
 2443 			telemetry queries. [GL #379]
 2444 
 2445 4991.	[bug]		"rndc reconfig" was incorrectly handling zones whose
 2446 			"mirror" setting was changed. [GL #381]
 2447 
 2448 4990.	[bug]		Prevent a possible NULL reference in pkcs11-keygen.
 2449 			[GL #401]
 2450 
 2451 4989.	[cleanup]	IDN support in dig has been reworked.  IDNA2003
 2452 			fallbacks were removed in the process. [GL #384]
 2453 
 2454 4988.	[bug]		Don't synthesize NXDOMAIN from NSEC for records under
 2455 			a DNAME.
 2456 
 2457 	--- 9.13.2 released ---
 2458 
 2459 4987.	[cleanup]	dns_rdataslab_tordataset() and its related
 2460 			dns_rdatasetmethods_t callbacks were removed as they
 2461 			were not being used by anything in BIND. [GL #371]
 2462 
 2463 4986.	[func]		When built on Linux, BIND now requires the libcap
 2464 			library to set process privileges, unless capability
 2465 			support is explicitly overridden with "configure
 2466 			--disable-linux-caps". [GL #321]
 2467 
 2468 4985.	[func]		Add a new slave zone option, "mirror", to enable
 2469 			serving a non-authoritative copy of a zone that
 2470 			is subject to DNSSEC validation before being
 2471 			used.  For now, this option is only meant to
 2472 			facilitate deployment of an RFC 7706-style local
 2473 			copy of the root zone. [GL #33]
 2474 
 2475 4984.	[bug]		Improve handling of very large incremental
 2476 			zone transfers to prevent journal corruption. [GL #339]
 2477 
 2478 4983.	[func]		Add the ability to not return a DNS COOKIE option
 2479 			when one is present in the request (answer-cookie no;).
 2480 			[GL #173]
 2481 
 2482 4982.	[cleanup]	Return FORMERR if the question section is empty
 2483 			and no COOKIE option is present; this restores
 2484 			older behavior except in the newly specified
 2485 			COOKIE case. [GL #260]
 2486 
 2487 4981.	[bug]		Fix race in cmsg buffer usage in socket code.
 2488 			[GL #180]
 2489 
 2490 4980.	[bug]		Named-checkconf failed to detect bad in-view targets.
 2491 			[GL #288]
 2492 
 2493 4979.	[placeholder]
 2494 
 2495 4978.	[test]		Fix error handling and resolver configuration in the
 2496 			"rpz" system test. [GL #312]
 2497 
 2498 4977.	[func]		When starting up, log the same details that
 2499 			would be reported by 'named -V'. [GL #247]
 2500 
 2501 4976.	[bug]		Log the label with invalid prefix length correctly
 2502 			when loading RPZ zones. [GL #254]
 2503 
 2504 4975.	[bug]		The server cookie computation for sha1 and sha256 did
 2505 			not match the method described in RFC 7873. [GL #356]
 2506 
 2507 4974.	[bug]		Restore default rrset-order to random. [GL #336]
 2508 
 2509 4973.	[func]		verifyzone() and the functions it uses were moved to
 2510 			libdns and refactored to prevent exit() from being
 2511 			called upon failure.  A side effect of that is that
 2512 			dnssec-signzone and dnssec-verify now check for memory
 2513 			leaks upon shutdown. [GL #266]
 2514 
 2515 4972.	[func]		Declare the 'rdata' argument for dns_rdata_tostruct()
 2516 			to be const. [GL #341]
 2517 
 2518 4971.	[bug]		dnssec-signzone and dnssec-verify did not treat records
 2519 			below a DNAME as out-of-zone data. [GL #298]
 2520 
 2521 4970.	[func]		Add QNAME minimization option to resolver. [GL #16]
 2522 
 2523 4969.	[cleanup]	Refactor zone logging functions. [GL #269]
 2524 
 2525 	--- 9.13.1 released ---
 2526 
 2527 4968.	[bug]		If glue records are signed, attempt to validate them.
 2528 			[GL #209]
 2529 
 2530 4967.	[cleanup]	Add "answer-cookie" to the parser, marked obsolete.
 2531 
 2532 4966.	[placeholder]
 2533 
 2534 4965.	[func]		Add support for marking options as deprecated.
 2535 			[GL #322]
 2536 
 2537 4964.	[bug]		Reduce the probability of double signature when deleting
 2538 			a DNSKEY by checking if the node is otherwise signed
 2539 			by the algorithm of the key to be deleted. [GL #240]
 2540 
 2541 4963.	[test]		ifconfig.sh now uses "ip" instead of "ifconfig",
 2542 			if available, to configure the test interfaces on
 2543 			linux.  [GL #302]
 2544 
 2545 4962.	[cleanup]	Move 'named -T' processing to its own function.
 2546 			[GL #316]
 2547 
 2548 4961.	[protocol]	Remove support for ECC-GOST (GOST R 34.11-94).
 2549 			[GL #295]
 2550 
 2551 4960.	[security]	When recursion is enabled, but the "allow-recursion"
 2552 			and "allow-query-cache" ACLs are not specified,
 2553 			they should be limited to local networks,
 2554 			but were inadvertently set to match the default
 2555 			"allow-query", thus allowing remote queries.
 2556 			(CVE-2018-5738) [GL #309]
 2557 
 2558 4959.	[func]		NSID logging (enabled by the "request-nsid" option)
 2559 			now has its own "nsid" category, instead of using the
 2560 			"resolver" category. [GL !332]
 2561 
 2562 4958.	[bug]		Remove redundant space from NSEC3 record. [GL #281]
 2563 
 2564 4957.	[func]		The default setting for "dnssec-validation" is now
 2565 			"auto", which activates DNSSEC validation using the
 2566 			IANA root key. (The default can be changed back to
 2567 			"yes", which activates DNSSEC validation only when keys
 2568 			are explicitly configured in named.conf, by building
 2569 			BIND with "configure --disable-auto-validation".)
 2570 			[GL #30]
 2571 
 2572 4956.	[func]		Change isc_random() to be just PRNG using xoshiro128**,
 2573 			and add isc_nonce_buf() that uses CSPRNG. [GL #289]
 2574 
 2575 4955.	[cleanup]	Silence cppcheck warnings in lib/dns/master.c.
 2576 			[GL #286]
 2577 
 2578 4954.	[func]		Messages about serving of stale answers are now
 2579 			directed to the "serve-stale" logging category.
 2580 			Also clarified serve-stale documentation. [GL !323]
 2581 
 2582 4953.	[bug]		Removed the option to build the red black tree
 2583 			database without a hash table; the non-hashing
 2584 			version was buggy and is not needed. [GL #184]
 2585 
 2586 4952.	[func]		Authoritative server support in named for the
 2587 			EDNS CLIENT-SUBNET option (which was experimental
 2588 			and not practical to deploy) has been removed.
 2589 
 2590 			The ECS option is still supported in dig and mdig
 2591 			via the +subnet option, and can be parsed and logged
 2592 			when received by named, but it is no longer used
 2593 			for ACL processing. The "geoip-use-ecs" option
 2594 			is now obsolete; a warning will be logged if it is
 2595 			used in named.conf. "ecs" tags in an ACL definition
 2596 			are also obsolete and will cause the configuration
 2597 			to fail to load.  [GL #32]
 2598 
 2599 4951.	[protocol]	Add "HOME.ARPA" to list of built in empty zones as
 2600 			per RFC 8375. [GL #273]
 2601 
 2602 	--- 9.13.0 released ---
 2603 
 2604 4950.	[bug]		ISC_SOCKEVENTATTR_TRUNC was not being set. [GL #238]
 2605 
 2606 4949.	[placeholder]
 2607 
 2608 4948.	[bug]		When request-nsid is turned on, EDNS NSID options
 2609 			should be logged at level info. Since change 3741
 2610 			they have been logged at debug(3) by mistake.
 2611 			[GL !290]
 2612 
 2613 4947.	[func]		Replace all random functions with isc_random(),
 2614 			isc_random_buf() and isc_random_uniform() API.
 2615 			[GL #221]
 2616 
 2617 4946.	[bug]		Additional glue was not being returned by resolver
 2618 			for unsigned zones since change 4596. [GL #209]
 2619 
 2620 4945.	[func]		BIND can no longer be built without DNSSEC support.
 2621 			A cryptography provider (i.e., OpenSSL or a hardware
 2622 			service module with PKCS#11 support) must be
 2623 			available. [GL #244]
 2624 
 2625 4944.	[cleanup]	Silence cppcheck portability warnings in
 2626 			lib/isc/tests/buffer_test.c. [GL #239]
 2627 
 2628 4943.	[bug]		Change 4687 consumed too much memory when running
 2629 			system tests with --with-tuning=large.  Reduced the
 2630 			hash table size to 512 entries for 'named -m record'
 2631 			restoring the previous memory footprint. [GL #248]
 2632 
 2633 4942.	[cleanup]	Consolidate multiple instances of splitting of
 2634 			batchline in dig into a single function. [GL #196]
 2635 
 2636 4941.	[cleanup]	Silence clang static analyzer warnings. [GL #196]
 2637 
 2638 4940.	[cleanup]	Extract the loop in dns__zone_updatesigs() into
 2639 			separate functions to improve code readability.
 2640 			[GL #135]
 2641 
 2642 4939.	[test]		Add basic unit tests for update_sigs(). [GL #135]
 2643 
 2644 4938.	[placeholder]
 2645 
 2646 4937.	[func]		Remove support for OpenSSL < 1.0.0 [GL #191]
 2647 
 2648 4936.	[func]		Always use OpenSSL or PKCS#11 random data providers,
 2649 			and remove the --{enable,disable}-crypto-rand configure
 2650 			options. [GL #165]
 2651 
 2652 4935.	[func]		Add support for LibreSSL >= 2.7.0 (some OpenSSL 1.1.0
 2653 			calls were added). [GL #191]
 2654 
 2655 4934.	[security]	The serve-stale feature could cause an assertion failure
 2656 			in rbtdb.c even when stale-answer-enable was false.
 2657 			Simultaneous use of stale cache records and NSEC
 2658 			aggressive negative caching could trigger a recursion
 2659 			loop. (CVE-2018-5737) [GL #185]
 2660 
 2661 4933.	[bug]		Not creating signing keys for an inline signed zone
 2662 			prevented changes applied to the raw zone from being
 2663 			reflected in the secure zone until signing keys were
 2664 			made available. [GL #159]
 2665 
 2666 4932.	[bug]		Bumped signed serial of an inline signed zone was
 2667 			logged even when an error occurred while updating
 2668 			signatures. [GL #159]
 2669 
 2670 4931.	[func]		Removed the "rbtdb64" database implementation.
 2671 			[GL #217]
 2672 
 2673 4930.	[bug]		Remove a bogus check in nslookup command line
 2674 			argument processing. [GL #206]
 2675 
 2676 4929.	[func]		Add the ability to set RA and TC in queries made by
 2677 			dig (+[no]raflag, +[no]tcflag). [GL #213]
 2678 
 2679 4928.	[func]		The "dnskey-sig-validity" option allows
 2680 			"sig-validity-interval" to be overridden for signatures
 2681 			covering DNSKEY RRsets. [GL #145]
 2682 
 2683 4927.	[placeholder]
 2684 
 2685 4926.	[func]		Add root key sentinel support.  To disable, add
 2686 			'root-key-sentinel no;' to named.conf. [GL #37]
 2687 
 2688 4925.	[func]		Several configuration options that define intervals
 2689 			can now take TTL value suffixes (for example, 2h or 1d)
 2690 			in addition to integer parameters. These include
 2691 			max-cache-ttl, max-ncache-ttl, max-policy-ttl,
 2692 			fstrm-set-reopen-interval, interface-interval, and
 2693 			min-update-interval. [GL #203]
 2694 
 2695 4924.	[cleanup]	Clean up the isc_string_* namespace and leave
 2696 			only strlcpy and strlcat. [GL #178]
 2697 
 2698 4923.	[cleanup]	Refactor socket and socket event options into
 2699 			enum types. [GL !135]
 2700 
 2701 4922.	[bug]		dnstap: Log the destination address of client
 2702 			packets rather than the interface address.
 2703 			[GL #197]
 2704 
 2705 4921.	[cleanup]	Add dns_fixedname_initname() and refactor the caller
 2706 			code to make use of the new function; as a part of the
 2707 			refactoring, dns_fixedname_*() macros were turned into
 2708 			functions. [GL #183]
 2709 
 2710 4920.	[cleanup]	Clean up libdns removing most of the backwards
 2711 			compatibility wrappers.
 2712 
 2713 4919.	[cleanup]	Clean up the isc_hash_* namespace and leave only
 2714 			the FNV-1a hash implementation. [GL #178]
 2715 
 2716 4918.	[bug]		Fix double free after keygen error in dnssec-keygen
 2717 			when OpenSSL >= 1.1.0 is used and RSA_generate_key_ex
 2718 			fails. [GL #109]
 2719 
 2720 4917.	[func]		Support 64 RPZ policy zones by default. [GL #123]
 2721 
 2722 4916.	[func]		Remove IDNA2003 support and the bundled idnkit-1.0
 2723 			library.
 2724 
 2725 4915.	[func]		Implement IDNA2008 support in dig by adding support
 2726 			for libidn2.  New dig option +idnin has been added,
 2727 			which allows invalid domain names to be processed much
 2728 			like dig without IDN support.  libidn2 version 2.0
 2729 			or higher is needed for +idnout enabled by default.
 2730 
 2731 4914.	[security]	A bug in zone database reference counting could lead to
 2732 			a crash when multiple versions of a slave zone were
 2733 			transferred from a master in close succession.
 2734 			(CVE-2018-5736) [GL #134]
 2735 
 2736 4913.	[test]		Re-implemented older unit tests in bin/tests as ATF,
 2737 			removed the lib/tests unit testing library. [GL #115]
 2738 
 2739 4912.	[test]		Improved the reliability of the 'cds' system test.
 2740 			[GL #136]
 2741 
 2742 4911.	[test]		Improved the reliability of the 'mkeys' system test.
 2743 			[GL #128]
 2744 
 2745 4910.	[func]		Update util/check-changes to work on release branches.
 2746 			[GL #113]
 2747 
 2748 4909.	[bug]		named-checkconf did not detect in-view zone collisions.
 2749 			[GL #125]
 2750 
 2751 4908.	[test]		Eliminated unnecessary waiting in the allow_query
 2752 			system test. Also changed its name to allow-query.
 2753 			[GL #81]
 2754 
 2755 4907.	[test]		Improved the reliability of the 'notify' system
 2756 			test. [GL #59]
 2757 
 2758 4906.	[func]		Replace getquad() with inet_pton(), completing
 2759 			change #4900. [GL #56]
 2760 
 2761 4905.	[bug]		irs_resconf_load() ignored resolv.conf syntax errors
 2762 			when "domain" or "search" options were present in that
 2763 			file. [GL #110]
 2764 
 2765 4904.	[bug]		Temporarily revert change #4859. [GL #124]
 2766 
 2767 4903.	[bug]		"check-mx fail;" did not prevent MX records containing
 2768 			IP addresses from being added to a zone by a dynamic
 2769 			update. [GL #112]
 2770 
 2771 4902.	[test]		Improved the reliability of the 'ixfr' system
 2772 			test. [GL #66]
 2773 
 2774 4901.	[func]		"dig +nssearch" now lists the name servers
 2775 			for a domain that time out, as well as the servers
 2776 			that respond. [GL #64]
 2777 
 2778 4900.	[func]		Remove all uses of inet_aton().  As a result of this
 2779 			change, IPv4 addresses are now only accepted in
 2780 			dotted-quad format. [GL #13]
 2781 
 2782 4899.	[test]		Convert most of the remaining system tests to be able
 2783 			to run in parallel, continuing the work from change
 2784 			#4895. To take advantage of this, use "make -jN check",
 2785 			where N is the number of processors to use. [GL #91]
 2786 
 2787 4898.	[func]		Remove libseccomp based system-call filtering. [GL #93]
 2788 
 2789 4897.	[test]		Update to rpz system test so that it doesn't recurse.
 2790 			[GL #68]
 2791 
 2792 4896.	[test]		cacheclean system test was not robust. [GL #82]
 2793 
 2794 4895.	[test]		Allow some system tests to run in parallel.
 2795 			[RT #46602]
 2796 
 2797 4894.	[bug]		named could crash while rolling a dnstap output file.
 2798 			[RT #46942]
 2799 
 2800 4893.	[bug]		Address various issues reported by cppcheck. [GL #51]
 2801 
 2802 4892.	[bug]		named could leak memory when "rndc reload" was invoked
 2803 			before all zone loading actions triggered by a previous
 2804 			"rndc reload" command were completed. [RT #47076]
 2805 
 2806 4891.	[placeholder]
 2807 
 2808 4890.	[func]		Remove unused ondestroy callback from libisc.
 2809 			[isc-projects/bind9!3]
 2810 
 2811 4889.	[func]		Warn about the use of old root keys without the new
 2812 			root key being present.  Warn about dlv.isc.org's
 2813 			key being present. Warn about both managed and
 2814 			trusted root keys being present. [RT #43670]
 2815 
 2816 4888.	[test]		Initialize sockets correctly in sample-update so
 2817 			that the nsupdate system test will run on Windows.
 2818 			[RT #47097]
 2819 
 2820 4887.	[test]		Enable the rpzrecurse test to run on Windows.
 2821 			[RT #47093]
 2822 
 2823 4886.	[doc]		Document dig -u in manpage. [RT #47150]
 2824 
 2825 4885.	[security]	update-policy rules that otherwise ignore the name
 2826 			field now require that it be set to "." to ensure
 2827 			that any type list present is properly interpreted.
 2828 			[RT #47126]
 2829 
 2830 4884.	[bug]		named could crash on shutdown due to a race between
 2831 			shutdown_server() and ns__client_request(). [RT #47120]
 2832 
 2833 4883.	[cleanup]	Improved debugging output from dnssec-cds. [RT #47026]
 2834 
 2835 4882.	[bug]		Address potential memory leak in
 2836 			dns_update_signaturesinc. [RT #47084]
 2837 
 2838 4881.	[bug]		Only include dst_openssl.h when OpenSSL is required.
 2839 			[RT #47068]
 2840 
 2841 4880.	[bug]		Named wasn't returning the target of a cross-zone
 2842 			CNAME between two served zones when recursion was
 2843 			desired and available (RD=1, RA=1). (When this is
 2844 			not the case, the CNAME target is deliberately
 2845 			withheld to prevent accidental cache poisoning.)
 2846 			[RT #47078]
 2847 
 2848 4879.	[bug]		dns_rdata_caa:value_len field was too small.
 2849 			[RT #47086]
 2850 
 2851 4878.	[bug]		List 'ply' as a requirement for the 'isc' python
 2852 			package. [RT #47065]
 2853 
 2854 4877.	[bug]		Address integer overflow when exponentially
 2855 			backing off retry intervals. [RT #47041]
 2856 
 2857 4876.	[bug]		Address deadlock with accessing a keytable. [RT #47000]
 2858 
 2859 4875.	[bug]		Address compile failures on older systems. [RT #47015]
 2860 
 2861 4874.	[bug]		Wrong time display when reporting new keywarntime.
 2862 			[RT #47042]
 2863 
 2864 4873.	[doc]		Grammars for named.conf included in the ARM are now
 2865 			automatically generated by the configuration parser
 2866 			itself.  As a side effect of the work needed to
 2867 			separate zone type grammars from each other, this
 2868 			also makes checking of zone statements in
 2869 			named-checkconf more correct and consistent.
 2870 			[RT #36957]
 2871 
 2872 4872.	[bug]		Don't permit loading meta RR types such as TKEY
 2873 			from master files. [RT #47009]
 2874 
 2875 4871.	[bug]		Fix configure glitch in detecting stdatomic.h
 2876 			support on systems with multiple compilers.
 2877 			[RT #46959]
 2878 
 2879 4870.	[test]		Update included ATF library to atf-0.21 preserving
 2880 			the ATF tool. [RT #46967]
 2881 
 2882 4869.	[bug]		Address some cases where NULL with zero length could
 2883 			be passed to memmove which is undefined behavior and
 2884 			can lead to bad optimization. [RT #46888]
 2885 
 2886 4868.	[func]		dnssec-keygen can no longer generate HMAC keys.
 2887 			Use tsig-keygen instead. [RT #46404]
 2888 
 2889 4867.	[cleanup]	Normalize rndc on/off commands (validation,
 2890 			querylog, serve-stale) so they all accept the
 2891 			same synonyms for on/off (yes/no, true/false,
 2892 			enable/disable). Thanks to Tony Finch. [RT #47022]
 2893 
 2894 4866.	[port]		DST library initialization verifies MD5 (when MD5
 2895 			was not disabled) and SHA-1 hash and HMAC support.
 2896 			[RT #46764]
 2897 
 2898 4865.	[cleanup]	Simplify handling isc_socket_sendto2() return values.
 2899 			[RT #46986]
 2900 
 2901 4864.	[bug]		named acting as a slave for a catalog zone crashed if
 2902 			the latter contained a master definition without an IP
 2903 			address. [RT #45999]
 2904 
 2905 4863.	[bug]		Fix various other bugs reported by Valgrind's
 2906 			memcheck tool. [RT #46978]
 2907 
 2908 4862.	[bug]		The rdata flags for RRSIG were not being properly set
 2909 			when constructing a rdataslab. [RT #46978]
 2910 
 2911 4861.	[bug]		The isc_crc64 unit test was not endian independent.
 2912 			[RT #46973]
 2913 
 2914 4860.	[bug]		isc_int8_t should be signed char.  [RT #46973]
 2915 
 2916 4859.	[bug]		A loop was possible when attempting to validate
 2917 			unsigned CNAME responses from secure zones;
 2918 			this caused a delay in returning SERVFAIL and
 2919 			also increased the chances of encountering
 2920 			CVE-2017-3145. [RT #46839]
 2921 
 2922 4858.	[security]	Addresses could be referenced after being freed
 2923 			in resolver.c, causing an assertion failure.
 2924 			(CVE-2017-3145) [RT #46839]
 2925 
 2926 4857.	[bug]		Maintain attach/detach semantics for event->db,
 2927 			event->node, event->rdataset and event->sigrdataset
 2928 			in query.c. [RT #46891]
 2929 
 2930 4856.	[bug]		'rndc zonestatus' reported the wrong underlying type
 2931 			for an inline slave zone. [RT #46875]
 2932 
 2933 4855.	[bug]		isc_time_formatshorttimestamp produced incorrect
 2934 			output. [RT #46938]
 2935 
 2936 4854.	[bug]		query_synthcnamewildcard should stop generating the
 2937 			response if query_synthwildcard fails. [RT #46939]
 2938 
 2939 4853.	[bug]		Add REQUIRE's and INSIST's to isc_time_formatISO8601L
 2940 			and isc_time_formatISO8601Lms. [RT #46916]
 2941 
 2942 4852.	[bug]		Handle strftime() failing in isc_time_formatISO8601ms.
 2943 			Add REQUIRE's and INSIST's to isc_time_formattimestamp,
 2944 			isc_time_formathttptimestamp, isc_time_formatISO8601,
 2945 			isc_time_formatISO8601ms. [RT #46892]
 2946 
 2947 4851.	[port]		Support using kyua as well as atf-run to run the unit
 2948 			tests. [RT #46853]
 2949 
 2950 4850.	[bug]		Named failed to restart with multiple added zones in
 2951 			lmdb database. [RT #46889]
 2952 
 2953 4849.	[bug]		Duplicate zones could appear in the .nzf file if
 2954 			addzone failed. [RT #46435]
 2955 
 2956 4848.	[func]		Zone types "primary" and "secondary" can now be used
 2957 			as synonyms for "master" and "slave" in named.conf.
 2958 			[RT #46713]
 2959 
 2960 4847.	[bug]		dnssec-dnskey-kskonly was not being honored for
 2961 			CDS and CDNSKEY. [RT #46755]
 2962 
 2963 4846.	[test]		Adjust timing values in runtime system test. Address
 2964 			named.pid removal races in runtime system test.
 2965 			[RT #46800]
 2966 
 2967 4845.	[bug]		Dig (non iOS) should exit on malformed names.
 2968 			[RT #46806]
 2969 
 2970 4844.	[test]		Address memory leaks in libatf-c. [RT #46798]
 2971 
 2972 4843.	[bug]		dnssec-signzone free hashlist on exit. [RT #46791]
 2973 
 2974 4842.	[bug]		Conditionally compile opensslecdsa_link.c to avoid
 2975 			warnings about unused function. [RT #46790]
 2976 
 2977 	--- 9.12.0rc1 released ---
 2978 
 2979 4841.	[bug]		Address -fsanitize=undefined warnings. [RT #46786]
 2980 
 2981 4840.	[test]		Add tests to cover fallback to using ZSK on inactive
 2982 			KSK. [RT #46787]
 2983 
 2984 4839.	[bug]		zone.c:zone_sign was not properly determining
 2985 			if there were active KSK and ZSK keys for
 2986 			an algorithm when update-check-ksk is true
 2987 			(default) leaving records unsigned with one or
 2988 			more DNSKEY algorithms. [RT #46774]
 2989 
 2990 4838.	[bug]		zone.c:add_sigs was not properly determining
 2991 			if there were active KSK and ZSK keys for
 2992 			an algorithm when update-check-ksk is true
 2993 			(default) leaving records unsigned with one or
 2994 			more DNSKEY algorithms. [RT #46754]
 2995 
 2996 4837.	[bug]		dns_update_signatures{inc} (add_sigs) was not
 2997 			properly determining if there were active KSK and
 2998 			ZSK keys for an algorithm when update-check-ksk is
 2999 			true (default) leaving records unsigned when there
 3000 			were multiple DNSKEY algorithms for the zone.
 3001 			[RT #46743]
 3002 
 3003 4836.	[bug]		Zones created using "rndc addzone" could
 3004 			temporarily fail to inherit an "allow-transfer"
 3005 			ACL that had been configured in the options
 3006 			statement. [RT #46603]
 3007 
 3008 4835.	[cleanup]	Clean up and refactor LMDB-related code. [RT #46718]
 3009 
 3010 4834.	[port]		Fix LMDB support on OpenBSD. [RT #46718]
 3011 
 3012 4833.	[bug]		isc_event_free should check that the event is not
 3013 			linked when called. [RT #46725]
 3014 
 3015 4832.	[bug]		Events were not being removed from zone->rss_events.
 3016 			[RT #46725]
 3017 
 3018 4831.	[bug]		Convert the RRSIG expirytime to 64 bits for
 3019 			comparisons in diff.c:resign. [RT #46710]
 3020 
 3021 4830.	[bug]		Failure to configure ATF when requested did not cause
 3022 			an error in top-level configure script. [RT #46655]
 3023 
 3024 4829.	[bug]		isc_heap_delete did not zero the index value when
 3025 			the heap was created with a callback to do that.
 3026 			[RT #46709]
 3027 
 3028 4828.	[bug]		Do not use thread-local storage for storing LMDB reader
 3029 			locktable slots. [RT #46556]
 3030 
 3031 4827.	[misc]		Add a precommit check script util/checklibs.sh
 3032 			[RT #46215]
 3033 
 3034 4826.	[cleanup]	Prevent potential build failures in bin/confgen/ and
 3035 			bin/named/ when using parallel make. [RT #46648]
 3036 
 3037 4825.	[bug]		Prevent a bogus "error during managed-keys processing
 3038 			(no more)" warning from being logged. [RT #46645]
 3039 
 3040 4824.	[port]		Add iOS hooks to dig. [RT #42011]
 3041 
 3042 4823.	[test]		Refactor reclimit system test to improve its
 3043 			reliability and speed. [RT #46632]
 3044 
 3045 4822.	[bug]		Use resign_sooner in dns_db_setsigningtime. [RT #46473]
 3046 
 3047 4821.	[bug]		When resigning ensure that the SOA's expire time is
 3048 			always later than the resigning time of other records.
 3049 			[RT #46473]
 3050 
 3051 4820.	[bug]		dns_db_subtractrdataset should transfer the resigning
 3052 			information to the new header. [RT #46473]
 3053 
 3054 4819.	[bug]		Fully backout the transaction when adding a RRset
 3055 			to the resigning / removal heaps fails. [RT #46473]
 3056 
 3057 4818.	[test]		The logfileconfig system test could intermittently
 3058 			report false negatives on some platforms. [RT #46615]
 3059 
 3060 4817.	[cleanup]	Use DNS_NAME_INITABSOLUTE and DNS_NAME_INITNONABSOLUTE.
 3061 			[RT #45433]
 3062 
 3063 4816.	[bug]		Don't use a common array for storing EDNS options
 3064 			in DiG as it could fill up. [RT #45611]
 3065 
 3066 4815.	[bug]		rbt_test.c:insert_and_delete needed to call
 3067 			dns_rbt_addnode instead of dns_rbt_addname. [RT #46553]
 3068 
 3069 4814.	[cleanup]	Use AS_HELP_STRING for consistent help text. [RT #46521]
 3070 
 3071 4813.	[bug]		Address potential read after free errors from
 3072 			query_synthnodata, query_synthwildcard and
 3073 			query_synthnxdomain. [RT #46547]
 3074 
 3075 4812.	[bug]		Minor improvements to stability and consistency of code
 3076 			handling managed keys. [RT #46468]
 3077 
 3078 4811.	[bug]		Revert api changes to use <isc/buffer.h> inline
 3079 			macros.  Provide an alternative mechanism to turn
 3080 			on the use of inline macros when building BIND.
 3081 			[RT #46520]
 3082 
 3083 4810.	[test]		The chain system test failed if the IPv6 interfaces
 3084 			were not configured. [RT #46508]
 3085 
 3086 	--- 9.12.0b2 released ---
 3087 
 3088 4809.	[port]		Check at configure time whether -latomic is needed
 3089 			for stdatomic.h. [RT #46324]
 3090 
 3091 4808.	[bug]		Properly test for zlib.h. [RT #46504]
 3092 
 3093 4807.	[cleanup]	isc_rng_randombytes() returns a specified number of
 3094 			bytes from the PRNG; this is now used instead of
 3095 			calling isc_rng_random() multiple times. [RT #46230]
 3096 
 3097 4806.	[func]		Log messages related to loading of zones are now
 3098 			directed to the "zoneload" logging category.
 3099 			[RT #41640]
 3100 
 3101 4805.	[bug]		TCP4Active and TCP6Active weren't being updated
 3102 			correctly. [RT #46454]
 3103 
 3104 4804.	[port]		win32: access() does not work on directories as
 3105 			required by POSIX.  Supply an alternative in
 3106 			isc_file_isdirwritable. [RT #46394]
 3107 
 3108 4803.	[placeholder]
 3109 
 3110 4802.	[test]		Refactor mkeys system test to make it quicker and more
 3111 			reliable. [RT #45293]
 3112 
 3113 4801.	[func]		'dnssec-lookaside auto;' and 'dnssec-lookaside .
 3114 			trust-anchor dlv.isc.org;' now elicit warnings rather
 3115 			than being fatal configuration errors. [RT #46410]
 3116 
 3117 4800.	[bug]		When processing delzone, write one zone config per
 3118 			line to the NZF. [RT #46323]
 3119 
 3120 4799.	[cleanup]	Improve clarity of keytable unit tests. [RT #46407]
 3121 
 3122 4798.	[func]		Keys specified in "managed-keys" statements
 3123 			are tagged as "initializing" until they have been
 3124 			updated by a key refresh query. If initialization
 3125 			fails it will be visible from "rndc secroots".
 3126 			[RT #46267]
 3127 
 3128 4797.	[func]		Removed "isc-hmac-fixup", as the versions of BIND that
 3129 			had the bug it worked around are long past end of
 3130 			life. [RT #46411]
 3131 
 3132 4796.	[bug]		Increase the maximum configurable TCP keepalive
 3133 			timeout to 65535. [RT #44710]
 3134 
 3135 4795.	[func]		A new statistics counter has been added to track
 3136 			priming queries. [RT #46313]
 3137 
 3138 4794.	[func]		"dnssec-checkds -s" specifies a file from which
 3139 			to read a DS set rather than querying the parent.
 3140 			[RT #44667]
 3141 
 3142 4793.	[bug]		nsupdate -[46] could overflow the array of server
 3143 			addresses. [RT #46402]
 3144 
 3145 4792.	[bug]		Fix map file header correctness check. [RT #38418]
 3146 
 3147 4791.	[doc]		Fixed outdated documentation about export libraries.
 3148 			[RT #46341]
 3149 
 3150 4790.	[bug]		nsupdate could trigger a require when sending an
 3151 			update to the second address of the server.
 3152 			[RT #45731]
 3153 
 3154 4789.	[cleanup]	Check writability of new-zones-directory. [RT #46308]
 3155 
 3156 4788.	[cleanup]	When using "update-policy local", log a warning
 3157 			when an update matching the session key is received
 3158 			from a remote host. [RT #46213]
 3159 
 3160 4787.	[cleanup]	Turn nsec3param_salt_totext() into a public function,
 3161 			dns_nsec3param_salttotext(), and add unit tests for it.
 3162 			[RT #46289]
 3163 
 3164 4786.	[func]		The "filter-aaaa-on-v4" and "filter-aaaa-on-v6"
 3165 			options are no longer conditionally compiled.
 3166 			[RT #46340]
 3167 
 3168 4785.	[func]		The hmac-md5 algorithm is no longer recommended for
 3169 			use with RNDC keys.  The default in rndc-confgen
 3170 			is now hmac-sha256. [RT #42272]
 3171 
 3172 4784.	[func]		The use of dnssec-keygen to generate HMAC keys is
 3173 			deprecated in favor of tsig-keygen.  dnssec-keygen
 3174 			will print a warning when used for this purpose.
 3175 			All HMAC algorithms will be removed from
 3176 			dnssec-keygen in a future release. [RT #42272]
 3177 
 3178 4783.	[test]		dnssec: 'check that NOTIFY is sent at the end of
 3179 			NSEC3 chain generation failed' required more time
 3180 			on some machines for the IXFR to complete. [RT #46388]
 3181 
 3182 4782.	[test]		dnssec: 'checking positive and negative validation
 3183 			with negative trust anchors' required more time to
 3184 			complete on some machines. [RT #46386]
 3185 
 3186 4781.	[maint]		B.ROOT-SERVERS.NET is now 199.9.14.201. [RT #45889]
 3187 
 3188 4780.	[bug]		When answering ANY queries, don't include the NS
 3189 			RRset in the authority section if it was already
 3190 			in the answer section. [RT #44543]
 3191 
 3192 4779.	[bug]		Expire NTA at the start of the second. Don't update
 3193 			the expiry value if the record has already expired
 3194 			after a successful check. [RT #46368]
 3195 
 3196 4778.	[test]		Improve synth-from-dnssec testing. [RT #46352]
 3197 
 3198 4777.	[cleanup]	Removed a redundant call to configure_view_acl().
 3199 			[RT #46369]
 3200 
 3201 4776.	[bug]		Improve portability of ht_test. [RT #46333]
 3202 
 3203 4775.	[bug]		Address Coverity warnings in ht_test.c and mem_test.c
 3204 			[RT #46281]
 3205 
 3206 4774.	[bug]		<isc/util.h> was incorrectly included in several
 3207 			header files. [RT #46311]
 3208 
 3209 4773.	[doc]		Fixed generating Doxygen documentation for functions
 3210 			annotated using certain macros.  Miscellaneous
 3211 			Doxygen-related cleanups. [RT #46276]
 3212 
 3213 	--- 9.12.0b1 released ---
 3214 
 3215 4772.	[test]		Expanded unit testing framework for libns, using
 3216 			hooks to interrupt query flow and inspect state
 3217 			at specified locations. [RT #46173]
 3218 
 3219 4771.	[bug]		When sending RFC 5011 refresh queries, disregard
 3220 			cached DNSKEY rrsets. [RT #46251]
 3221 
 3222 4770.	[bug]		Cache additional data from priming queries as glue.
 3223 			Previously they were ignored as unsigned
 3224 			non-answer data from a secure zone, and never
 3225 			actually got added to the cache, causing hints
 3226 			to be used frequently for root-server
 3227 			addresses, which triggered re-priming. [RT #45241]
 3228 
 3229 4769.	[func]		The working directory and managed-keys directory have
 3230 			to be writeable (and seekable). [RT #46077]
 3231 
 3232 4768.	[func]		By default, memory is no longer filled with tag values
 3233 			when it is allocated or freed; this improves
 3234 			performance but makes debugging of certain memory
 3235 			issues more difficult. "named -M fill" turns memory
 3236 			filling back on. (Building with "configure
 3237 			--enable-developer" turns memory fill on by
 3238 			default again; it can then be disabled with
 3239 			"named -M nofill".) [RT #45123]
 3240 
 3241 4767.	[func]		Add a new function, isc_buffer_printf(), which can be
 3242 			used to append a formatted string to the used region of
 3243 			a buffer. [RT #46201]
 3244 
 3245 4766.	[cleanup]	Address Coverity warnings. [RT #46150]
 3246 
 3247 4765.	[bug]		Address potential INSIST in dnssec-cds. [RT #46150]
 3248 
 3249 4764.	[bug]		Address portability issues in cds system test.
 3250 			[RT #46214]
 3251 
 3252 4763.	[contrib]	Improve compatibility when building MySQL DLZ
 3253 			module by using mysql_config if available.
 3254 			[RT #45558]
 3255 
 3256 4762.	[func]		"update-policy local" is now restricted to updates
 3257 			from local addresses. (Previously, other addresses
 3258 			were allowed so long as updates were signed by the
 3259 			local session key.) [RT #45492]
 3260 
 3261 4761.	[protocol]	Add support for DOA. [RT #45612]
 3262 
 3263 4760.	[func]		Add glue cache statistics counters. [RT #46028]
 3264 
 3265 4759.	[func]		Add logging channel "trust-anchor-telemetry" to
 3266 			record trust-anchor-telemetry in incoming requests.
 3267 			Both _ta-XXXX.<anchor>/NULL and EDNS KEY-TAG options
 3268 			are logged.  [RT #46124]
 3269 
 3270 4758.	[doc]		Remove documentation of unimplemented "topology".
 3271 			[RT #46161]
 3272 
 3273 4757.	[func]		New "dnssec-cds" command creates a new parent DS
 3274 			RRset based on CDS or CDNSKEY RRsets found in
 3275 			a child zone, and generates either a dsset file
 3276 			or stream of nsupdate commands to update the
 3277 			parent. Thanks to Tony Finch. [RT #46090]
 3278 
 3279 4756.	[bug]		Interrupting dig could lead to an INSIST failure after
 3280 			certain errors were encountered while querying a host
 3281 			whose name resolved to more than one address.  Change
 3282 			4537 increased the odds of triggering this issue by
 3283 			causing dig to hang indefinitely when certain error
 3284 			paths were evaluated.  dig now also retries TCP queries
 3285 			(once) if the server gracefully closes the connection
 3286 			before sending a response. [RT #42832, #45159]
 3287 
 3288 4755.	[cleanup]	Silence unnecessary log message when NZF file doesn't
 3289 			exist. [RT #46186]
 3290 
 3291 4754.	[bug]		dns_zone_setview needs a two stage commit to properly
 3292 			handle errors. [RT #45841]
 3293 
 3294 4753.	[contrib]	Software obtainable from known upstream locations
 3295 			(i.e., zkt, nslint, query-loc) has been removed.
 3296 			Links to these and other packages can be found at
 3297 			https://www.isc.org/community/tools [RT #46182]
 3298 
 3299 4752.	[test]		Add unit test for isc_net_pton. [RT #46171]
 3300 
 3301 4751.	[func]		"dnssec-signzone -S" can now automatically add parent
 3302 			synchronization records (CDS and CDNSKEY) according
 3303 			to key metadata set using the -Psync and -Dsync
 3304 			options to dnssec-keygen and dnssec-settime.
 3305 			[RT #46149]
 3306 
 3307 4750.	[func]		"rndc managed-keys destroy" shuts down RFC 5011 key
 3308 			maintenance and deletes the managed-keys database.
 3309 			If followed by "rndc reconfig" or a server restart,
 3310 			key maintenance is reinitialized from scratch.
 3311 			This is primarily intended for testing. [RT #32456]
 3312 
 3313 4749.	[func]		The ISC DLV service has been shut down, and all
 3314 			DLV records have been removed from dlv.isc.org.
 3315 			- Removed references to ISC DLV in documentation
 3316 			- Removed DLV key from bind.keys
 3317 			- No longer use ISC DLV by default in delv
 3318 			- "dnssec-lookaside auto" and configuration of
 3319 			  "dnssec-lookaside" with dlv.isc.org as the trust
 3320 			  anchor are both now fatal errors.
 3321 			[RT #46155]
 3322 
 3323 4748.	[cleanup]	Sprintf to snprintf conversions. [RT #46132]
 3324 
 3325 4747.	[func]		Synthesis of responses from DNSSEC-verified records.
 3326 			Stage 3 - synthesize NODATA responses. [RT #40138]
 3327 
 3328 4746.	[cleanup]	Add configured prefixes to configure summary
 3329 			output. [RT #46153]
 3330 
 3331 4745.	[test]		Add color-coded pass/fail messages to system
 3332 			tests when running on terminals that support them.
 3333 			[RT #45977]
 3334 
 3335 4744.	[bug]		Suppress trust-anchor-telemetry queries if
 3336 			validation is disabled. [RT #46131]
 3337 
 3338 4743.	[func]		Exclude trust-anchor-telemetry queries from
 3339 			synth-from-dnssec processing. [RT #46123]
 3340 
 3341 4742.	[func]		Synthesis of responses from DNSSEC-verified records.
 3342 			Stage 2 - synthesis of records from wildcard data.
 3343 			If the dns64 or filter-aaaa* is configured then the
 3344 			involved lookups are currently excluded. [RT #40138]
 3345 
 3346 4741.	[bug]		Make isc_refcount_current() atomically read the
 3347 			counter value. [RT #46074]
 3348 
 3349 4740.	[cleanup]	Avoid triggering format-truncated warnings. [RT #46107]
 3350 
 3351 4739.	[cleanup]	Address clang static analysis warnings. [RT #45952]
 3352 
 3353 4738.	[port]		win32: strftime mishandles %Z. [RT #46039]
 3354 
 3355 4737.	[cleanup]	Address Coverity warnings. [RT #46012]
 3356 
 3357 4736.	[cleanup]	(a) Added comments to NSEC3-related functions in
 3358 			lib/dns/zone.c.  (b) Refactored NSEC3 salt formatting
 3359 			code.  (c) Minor tweaks to lock and result handling.
 3360 			[RT #46053]
 3361 
 3362 4735.	[bug]		Add @ISC_OPENSSL_LIBS@ to isc-config. [RT #46078]
 3363 
 3364 4734.	[contrib]	Added sample configuration for DNS-over-TLS in
 3365 			contrib/dnspriv.
 3366 
 3367 4733.	[bug]		Change #4706 introduced a bug causing TCP clients
 3368 			not to be reused correctly, leading to unconstrained
 3369 			memory growth. [RT #46029]
 3370 
 3371 4732.	[func]		Change default minimal-responses setting to
 3372 			no-auth-recursive. [RT #46016]
 3373 
 3374 4731.	[bug]		Fix use after free when closing an LMDB. [RT #46000]
 3375 
 3376 4730.	[bug]		Fix out of bounds access in DHCID totext() method.
 3377 			[RT #46001]
 3378 
 3379 4729.	[bug]		Don't use memset() to wipe memory, as it may be
 3380 			removed by compiler optimizations when the
 3381 			memset() occurs on automatic stack allocation
 3382 			just before function return. [RT #45947]
 3383 
 3384 4728.	[func]		Use C11's stdatomic.h instead of isc_atomic
 3385 			where available. [RT #40668]
 3386 
 3387 4727.	[bug]		Retransferring an inline-signed slave using NSEC3
 3388 			around the time its NSEC3 salt was changed could result
 3389 			in an infinite signing loop. [RT #45080]
 3390 
 3391 4726.	[port]		Prevent setsockopt() errors related to TCP_FASTOPEN
 3392 			from being logged on FreeBSD if the kernel does not
 3393 			support it.  Notify the user when the kernel does
 3394 			support TCP_FASTOPEN, but it is disabled by sysctl.
 3395 			Add a new configure option, --disable-tcp-fastopen, to
 3396 			disable use of TCP_FASTOPEN altogether. [RT #44754]
 3397 
 3398 4725.	[bug]		Nsupdate: "recvsoa" was incorrectly reported for
 3399 			failures in sending the update message.  The correct
 3400 			location to be reported is "update_completed".
 3401 			[RT #46014]
 3402 
 3403 4724.	[func]		By default, BIND now uses the random number
 3404 			functions provided by the crypto library (i.e.,
 3405 			OpenSSL or a PKCS#11 provider) as a source of
 3406 			randomness rather than /dev/random.  This is
 3407 			suitable for virtual machine environments
 3408 			which have limited entropy pools and lack
 3409 			hardware random number generators.
 3410 
 3411 			This can be overridden by specifying another
 3412 			entropy source via the "random-device" option
 3413 			in named.conf, or via the -r command line option;
 3414 			however, for functions requiring full cryptographic
 3415 			strength, such as DNSSEC key generation, this
 3416 			cannot be overridden. In particular, the -r
 3417 			command line option no longer has any effect on
 3418 			dnssec-keygen.
 3419 
 3420 			This can be disabled by building with
 3421 			"configure --disable-crypto-rand".
 3422 			[RT #31459] [RT #46047]
 3423 
 3424 4723.	[bug]		Statistics counter DNSTAPdropped was misidentified
 3425 			as DNSSECdropped. [RT #46002]
 3426 
 3427 4722.	[cleanup]	Clean up uses of strcpy() and strcat() in favor of
 3428 			strlcpy() and strlcat() for safety. [RT #45981]
 3429 
 3430 4721.	[func]		'dnssec-signzone -x' and 'dnssec-dnskey-kskonly'
 3431 			options now apply to CDNSKEY and DS records as well
 3432 			as DNSKEY. Thanks to Tony Finch. [RT #45689]
 3433 
 3434 4720.	[func]		Added a statistics counter to track prefetch
 3435 			queries. [RT #45847]
 3436 
 3437 4719.	[bug]		Address PVS static analyzer warnings. [RT #45946]
 3438 
 3439 4718.	[func]		Avoid searching for an owner name compression pointer
 3440 			more than once when writing out a RRset. [RT #45802]
 3441 
 3442 4717.	[bug]		Treat replies with QCOUNT=0 as truncated if TC=1,
 3443 			FORMERR if TC=0, and log the error correctly.
 3444 			[RT #45836]
 3445 
 3446 4716.	[placeholder]
 3447 
 3448 	--- 9.12.0a1 released ---
 3449 
 3450 4715.	[bug]		TreeMemMax was mis-identified as a second HeapMemMax
 3451 			in the Json cache statistics. [RT #45980]
 3452 
 3453 4714.	[port]		openbsd/libressl: add support for building with
 3454 			--enable-openssl-hash. [RT #45982]
 3455 
 3456 4713.	[func]		Added support for the DNS Response Policy Service
 3457 			(DNSRPS) API, which allows named to use an external
 3458 			response policy daemon when built with
 3459 			"configure --enable-dnsrps". Thanks to Farsight
 3460 			Security. [RT #43376]
 3461 
 3462 4712.	[bug]		"dig +domain" and "dig +search" didn't retain the
 3463 			search domain when retrying with TCP. [RT #45547]
 3464 
 3465 4711.	[test]		Some RR types were missing from genzones.sh.
 3466 			[RT #45782]
 3467 
 3468 4710.	[cleanup]	Changed the --enable-openssl-hash default to yes.
 3469 			[RT #45019]
 3470 
 3471 4709.	[cleanup]	Use dns_name_fullhash() to hash names for RRL.
 3472 			[RT #45435]
 3473 
 3474 4708.	[cleanup]	Legacy Windows builds (i.e. for XP and earlier)
 3475 			are no longer supported. [RT #45186]
 3476 
 3477 4707.	[func]		The lightweight resolver daemon and library (lwresd
 3478 			and liblwres) have been removed. [RT #45186]
 3479 
 3480 4706.	[func]		Code implementing name server query processing has
 3481 			been moved from bin/named to a new library "libns".
 3482 			Functions remaining in bin/named are now prefixed
 3483 			with "named_" rather than "ns_".  This will make it
 3484 			easier to write unit tests for name server code, or
 3485 			link name server functionality into new tools.
 3486 			[RT #45186]
 3487 
 3488 4705.	[placeholder]
 3489 
 3490 4704.	[cleanup]	Silence Visual Studio compiler warnings. [RT #45898]
 3491 
 3492 4703.	[bug]		BINDInstall.exe was missing some buffer length checks.
 3493 			[RT #45898]
 3494 
 3495 4702.	[func]		Update function declarations to use
 3496 			dns_masterstyle_flags_t for style flags. [RT #45924]
 3497 
 3498 4701.	[cleanup]	Refactored lib/dns/tsig.c to reduce code
 3499 			duplication and simplify the disabling of MD5.
 3500 			[RT #45490]
 3501 
 3502 4700.	[func]		Serving of stale answers is now supported. This
 3503 			allows named to provide stale cached answers when
 3504 			the authoritative server is under attack.
 3505 			See max-stale-ttl, stale-answer-enable,
 3506 			stale-answer-ttl. [RT #44790]
 3507 
 3508 4699.	[func]		Multiple cookie-secret clauses can now be specified.
 3509 			The first one specified is used to generate new
 3510 			server cookies.  [RT #45672]
 3511 
 3512 4698.	[port]		Add --with-python-install-dir configure option to allow
 3513 			specifying a nonstandard installation directory for
 3514 			Python modules. [RT #45407]
 3515 
 3516 4697.	[bug]		Restore workaround for Microsoft Windows TSIG hash
 3517 			computation bug. [RT #45854]
 3518 
 3519 4696.	[port]		Enable filter-aaaa support by default on Windows
 3520 			builds. [RT #45883]
 3521 
 3522 4695.	[bug]		cookie-secrets were not being properly checked by
 3523 			named-checkconf. [RT #45886]
 3524 
 3525 4694.	[func]		dnssec-keygen no longer uses RSASHA1 by default;
 3526 			the signing algorithm must be specified on
 3527 			the command line with the "-a" option.  Signing
 3528 			scripts that rely on the existing default behavior
 3529 			will break; use "dnssec-keygen -a RSASHA1" to
 3530 			repair them. (The goal of this change is to make
 3531 			it easier to find scripts using RSASHA1 so they
 3532 			can be changed in the event of that algorithm
 3533 			being deprecated in the future.) [RT #44755]
 3534 
 3535 4693.	[func]		Synthesis of responses from DNSSEC-verified records.
 3536 			Stage 1 covers NXDOMAIN synthesis from NSEC records.
 3537 			This is controlled by synth-from-dnssec and is enabled
 3538 			by default. [RT #40138]
 3539 
 3540 4692.	[bug]		Fix build failures with libressl introduced in 4676.
 3541 			[RT #45879]
 3542 
 3543 4691.	[func]		Add -4/-6 command line options to nsupdate and rndc.
 3544 			[RT #45632]
 3545 
 3546 4690.	[bug]		Command line options -4/-6 were handled inconsistently
 3547 			between tools. [RT #45632]
 3548 
 3549 4689.	[cleanup]	Turn on minimal responses for CDNSKEY and CDS in
 3550 			addition to DNSKEY and DS. Thanks to Tony Finch.
 3551 			[RT #45690]
 3552 
 3553 4688.	[protocol]	Check and display EDNS KEY TAG options (RFC 8145) in
 3554 			messages. [RT #44804]
 3555 
 3556 4687.	[func]		Refactor tracklines code. [RT #45126]
 3557 
 3558 4686.	[bug]		dnssec-settime -p could print a bogus warning about
 3559 			key deletion scheduled before its inactivation when a
 3560 			key had an inactivation date set but no deletion date
 3561 			set. [RT #45807]
 3562 
 3563 4685.	[bug]		dnssec-settime incorrectly calculated publication and
 3564 			activation dates for a successor key. [RT #45806]
 3565 
 3566 4684.	[bug]		delv could send bogus DNS queries when an explicit
 3567 			server address was specified on the command line along
 3568 			with -4/-6. [RT #45804]
 3569 
 3570 4683.	[bug]		Prevent nsupdate from immediately exiting on invalid
 3571 			user input in interactive mode. [RT #28194]
 3572 
 3573 4682.	[bug]		Don't report errors on records below a DNAME.
 3574 			[RT #44880]
 3575 
 3576 4681.	[bug]		Log messages from the validator now include the
 3577 			associated view unless the view is "_default/IN"
 3578 			or "_dnsclient/IN". [RT #45770]
 3579 
 3580 4680.	[bug]		Fix failing over to another master server address when
 3581 			nsupdate is used with GSS-API. [RT #45380]
 3582 
 3583 4679.	[cleanup]	Suggest using -o when dnssec-verify finds a SOA record
 3584 			not at top of zone and -o is not used. [RT #45519]
 3585 
 3586 4678.	[bug]		geoip-use-ecs has the wrong type when geoip support
 3587 			is disabled at configure time. [RT #45763]
 3588 
 3589 4677.	[cleanup]	Split up the main function in dig to better support
 3590 			the iOS app version. [RT #45508]
 3591 
 3592 4676.	[cleanup]	Allow BIND to be built using OpenSSL 1.0.X with
 3593 			deprecated functions removed. [RT #45706]
 3594 
 3595 4675.	[cleanup]	Don't use C++ keyword class. [RT #45726]
 3596 
 3597 4674.	[func]		"dig +sigchase", and related options "+topdown" and
 3598 			"+trusted-keys", have been removed. Use "delv" for
 3599 			queries with DNSSEC validation. [RT #42793]
 3600 
 3601 4673.	[port]		Silence GCC 7 warnings. [RT #45592]
 3602 
 3603 4672.	[placeholder]
 3604 
 3605 4671.	[bug]		Fix a race condition that could cause the
 3606 			resolver to crash with assertion failure when
 3607 			chasing DS in specific conditions with a very
 3608 			short RTT to the upstream nameserver. [RT #45168]
 3609 
 3610 4670.	[cleanup]	Ensure that a request MAC is never sent back
 3611 			in an XFR response unless the signature was
 3612 			verified. [RT #45494]
 3613 
 3614 4669.	[func]		Iterative query logic in resolver.c has been
 3615 			refactored into smaller functions and commented,
 3616 			for improved readability, maintainability and
 3617 			testability. [RT #45362]
 3618 
 3619 4668.	[bug]		Use localtime_r and gmtime_r for thread safety.
 3620 			[RT #45664]
 3621 
 3622 4667.	[cleanup]	Refactor RDATA unit tests. [RT #45610]
 3623 
 3624 4666.	[bug]		dnssec-keymgr: Domain names beginning with digits (0-9)
 3625 			could cause a parser error when reading the policy
 3626 			file. This now works correctly so long as the domain
 3627 			name is quoted. [RT #45641]
 3628 
 3629 4665.	[protocol]	Added support for ED25519 and ED448 DNSSEC signing
 3630 			algorithms (RFC 8080). (Note: these algorithms
 3631 			depend on code currently in the development branch
 3632 			of OpenSSL which has not yet been released.)
 3633 			[RT #44696]
 3634 
 3635 4664.	[func]		Add a "glue-cache" option to enable or disable the
 3636 			glue cache. The default is "yes". [RT #45125]
 3637 
 3638 4663.	[cleanup]	Clarify error message printed by dnssec-dsfromkey.
 3639 			[RT #21731]
 3640 
 3641 4662.	[performance]	Improve cache memory cleanup of zero TTL records
 3642 			by putting them at the tail of LRU header lists.
 3643 			[RT #45274]
 3644 
 3645 4661.	[bug]		A race condition could occur if a zone was reloaded
 3646 			while resigning, triggering a crash in
 3647 			rbtdb.c:closeversion(). [RT #45276]
 3648 
 3649 4660.	[bug]		Remove spurious "peer" from Windows socket log
 3650 			messages. [RT #45617]
 3651 
 3652 4659.	[bug]		Remove spurious log message about lmdb-mapsize
 3653 			not being supported when parsing builtin
 3654 			configuration file. [RT #45618]
 3655 
 3656 4658.	[bug]		Clean up build directory created by "setup.py install"
 3657 			immediately.  [RT #45628]
 3658 
 3659 4657.	[bug]		rrchecker system test result could be improperly
 3660 			determined. [RT #45602]
 3661 
 3662 4656.	[bug]		Apply "port" and "dscp" values specified in catalog
 3663 			zone's "default-masters" option to the generated
 3664 			configuration of its member zones. [RT #45545]
 3665 
 3666 4655.	[bug]		Lack of seccomp could be falsely reported. [RT #45599]
 3667 
 3668 4654.	[cleanup]	Don't use C++ keywords delete, new and namespace.
 3669 			[RT #45538]
 3670 
 3671 4653.	[bug]		Reorder includes to move @DST_OPENSSL_INC@ and
 3672 			@ISC_OPENSSL_INC@ after shipped include directories.
 3673 			[RT #45581]
 3674 
 3675 4652.	[bug]		Nsupdate could attempt to use a zeroed address on
 3676 			server timeout. [RT #45417]
 3677 
 3678 4651.	[test]		Silence coverity warnings in tsig_test.c. [RT #45528]
 3679 
 3680 4650.	[placeholder]
 3681 
 3682 4649.	[bug]		The wrong zone was logged when a catalog zone is added.
 3683 			[RT #45520]
 3684 
 3685 4648.	[bug]		"rndc reconfig" on a slave no longer causes all member
 3686 			zones of configured catalog zones to be removed from
 3687 			configuration. [RT #45310]
 3688 
 3689 4647.	[bug]		Change 4643 broke verification of TSIG signed TCP
 3690 			message sequences where not all the messages contain
 3691 			TSIG records.  These may be used in AXFR and IXFR
 3692 			responses. [RT #45509]
 3693 
 3694 4646.	[placeholder]
 3695 
 3696 4645.	[bug]		Fix PKCS#11 RSA parsing when MD5 is disabled.
 3697 			[RT #45300]
 3698 
 3699 4644.	[placeholder]
 3700 
 3701 4643.	[security]	An error in TSIG handling could permit unauthorized
 3702 			zone transfers or zone updates. (CVE-2017-3142)
 3703 			(CVE-2017-3143) [RT #45383]
 3704 
 3705 4642.	[cleanup]	Add more logging of RFC 5011 events affecting the
 3706 			status of managed keys: newly observed keys,
 3707 			deletion of revoked keys, etc. [RT #45354]
 3708 
 3709 4641.	[cleanup]	Parallel builds (make -j) could fail with --with-atf /
 3710 			--enable-developer. [RT #45373]
 3711 
 3712 4640.	[bug]		If query_findversion failed in query_getdb due to
 3713 			memory failure the error status was incorrectly
 3714 			discarded. [RT #45331]
 3715 
 3716 4639.	[bug]		Fix a regression in --with-tuning reporting introduced
 3717 			by change 4488. [RT #45396]
 3718 
 3719 4638.	[bug]		Reloading or reconfiguring named could fail on
 3720 			some platforms when LMDB was in use. [RT #45203]
 3721 
 3722 4637.	[func]		"nsec3hash -r" option ("rdata order") takes arguments
 3723 			in the same order as they appear in NSEC3 or
 3724 			NSEC3PARAM records, so that NSEC3 parameters can
 3725 			be cut and pasted from an existing record. Thanks
 3726 			to Tony Finch for the contribution. [RT #45183]
 3727 
 3728 4636.	[bug]		Normalize rpz policy zone names when checking for
 3729 			existence. [RT #45358]
 3730 
 3731 4635.	[bug]		Fix RPZ NSDNAME logging that was logging
 3732 			failures as NSIP. [RT #45052]
 3733 
 3734 4634.	[contrib]	check5011.pl needs to handle optional space before
 3735 			semi-colon in +multi-line output. [RT #45352]
 3736 
 3737 4633.	[maint]		Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET.
 3738 
 3739 4632.	[security]	The BIND installer on Windows used an unquoted
 3740 			service path, which can enable privilege escalation.
 3741 			(CVE-2017-3141) [RT #45229]
 3742 
 3743 4631.	[security]	Some RPZ configurations could go into an infinite
 3744 			query loop when encountering responses with TTL=0.
 3745 			(CVE-2017-3140) [RT #45181]
 3746 
 3747 4630.	[bug]		"dyndb" is dependent on dlopen existing / being
 3748 			enabled. [RT #45291]
 3749 
 3750 4629.	[bug]		dns_client_startupdate could not be called with a
 3751 			running client. [RT #45277]
 3752 
 3753 4628.	[bug]		Fixed a potential reference leak in query_getdb().
 3754 			[RT #45247]
 3755 
 3756 4627.	[placeholder]
 3757 
 3758 4626.	[test]		Added more tests for handling of different record
 3759 			ordering in CNAME and DNAME responses. [QA #430]
 3760 
 3761 4625.	[bug]		Running "rndc addzone" and "rndc delzone" at close
 3762 			to the same time could trigger a deadlock if using
 3763 			LMDB. [RT #45209]
 3764 
 3765 4624.	[placeholder]
 3766 
 3767 4623.	[bug]		Use --with-protobuf-c and --with-libfstrm to find
 3768 			protoc-c and fstrm_capture. [RT #45187]
 3769 
 3770 4622.	[bug]		Remove unnecessary escaping of semicolon in CAA and
 3771 			URI records. [RT #45216]
 3772 
 3773 4621.	[port]		Force alignment of oid arrays to silence loader
 3774 			warnings. [RT #45131]
 3775 
 3776 4620.	[port]		Handle EPFNOSUPPORT being returned when probing
 3777 			to see if a socket type is supported. [RT #45214]
 3778 
 3779 4619.	[bug]		Call isc_mem_put instead of isc_mem_free in
 3780 			bin/named/server.c:setup_newzones. [RT #45202]
 3781 
 3782 4618.	[bug]		Check isc_mem_strdup results in dns_view_setnewzones.
 3783 			Add logging for lmdb call failures. [RT #45204]
 3784 
 3785 4617.	[test]		Update rndc system test to be more delay tolerant.
 3786 			[RT #45177]
 3787 
 3788 4616.	[bug]		When using LMDB, zones deleted using "rndc delzone"
 3789 			were not correctly removed from the new-zone
 3790 			database. [RT #45185]
 3791 
 3792 4615.	[bug]		AD could be set on truncated answer with no records
 3793 			present in the answer and authority sections.
 3794 			[RT #45140]
 3795 
 3796 4614.	[test]		Fixed an error in the sockaddr unit test. [RT #45146]
 3797 
 3798 4613.	[func]		By default, the maximum size of a zone journal file
 3799 			is now twice the size of the zone's contents (there
 3800 			is little benefit to a journal larger than this).
 3801 			This can be overridden by setting "max-journal-size"
 3802 			to "unlimited" or to an explicit value up to 2G.
 3803 			Thanks to Tony Finch. [RT #38324]
 3804 
 3805 4612.	[bug]		Silence 'may be used uninitialised' warning and simplify
 3806 			the code in lwres/getaddinfo:process_answer.
 3807 			[RT #45158]
 3808 
 3809 4611.	[bug]		The default LMDB mapsize was too low and caused
 3810 			errors after a few thousand zones were added using
 3811 			rndc addzone. A new config option "lmdb-mapsize"
 3812 			has been introduced to configure the LMDB
 3813 			mapsize depending on operational needs.
 3814 			[RT #44954]
 3815 
 3816 4610.	[func]		The "new-zones-directory" option specifies the
 3817 			location of NZF or NZD files for storing
 3818 			configuration of zones added by "rndc addzone".
 3819 			Thanks to Petr Menšík. [RT #44853]
 3820 
 3821 4609.	[cleanup]	Rearrange makefiles to enable parallel execution
 3822 			(i.e. "make -j"). [RT #45078]
 3823 
 3824 4608.	[func]		DiG now warns about .local queries which are reserved
 3825 			for Multicast DNS. [RT #44783]
 3826 
 3827 4607.	[bug]		The memory context's malloced and maxmalloced counters
 3828 			were being updated without the appropriate lock being
 3829 			held.  [RT #44869]
 3830 
 3831 4606.	[port]		Stop using experimental "Experimental keys on scalar"
 3832 			feature of perl as it has been removed. [RT #45012]
 3833 
 3834 4605.	[performance]	Improve performance for delegation heavy answers
 3835 			and also general query performance. Removes the
 3836 			acache feature that didn't significantly improve
 3837 			performance. Adds a glue cache. Removes
 3838 			additional-from-cache and additional-from-auth
 3839 			features. Enables minimal-responses by
 3840 			default. Improves performance of compression
 3841 			code, owner case restoration, hash function,
 3842 			etc. Uses inline buffer implementation by
 3843 			default. Many other performance changes and fixes.
 3844 			[RT #44029]
 3845 
 3846 4604.	[bug]		Don't use ERR_load_crypto_strings() when building
 3847 			with OpenSSL 1.1.0. [RT #45117]
 3848 
 3849 4603.	[doc]		Automatically generate named.conf(5) man page
 3850 			from doc/misc/options. Thanks to Tony Finch.
 3851 			[RT #43525]
 3852 
 3853 4602.	[func]		Threads are now set to human-readable
 3854 			names to assist debugging, when supported by
 3855 			the OS. [RT #43234]
 3856 
 3857 4601.	[bug]		Reject incorrect RSA key lengths during key
 3858 			generation and sign/verify context
 3859 			creation. [RT #45043]
 3860 
 3861 4600.	[bug]		Adjust RPZ trigger counts only when the entry
 3862 			being deleted exists. [RT #43386]
 3863 
 3864 4599.	[bug]		Fix inconsistencies in inline signing time
 3865 			comparison that were introduced with the
 3866 			introduction of rdatasetheader->resign_lsb.
 3867 			[RT #42112]
 3868 
 3869 4598.	[func]		Update fuzzing code to (1) reply to a DNSKEY
 3870 			query from named with appropriate DNSKEY used in
 3871 			fuzzing; (2) patch the QTYPE correctly in
 3872 			resolver fuzzing; (3) comment things so the rest
 3873 			of us are able to understand how fuzzing is
 3874 			implemented in named; (4) Coding style changes,
 3875 			cleanup, etc. [RT #44787]
 3876 
 3877 4597.	[bug]		The validator now ignores SHA-1 DS digest type
 3878 			when a DS record with SHA-384 digest type is
 3879 			present and is a supported digest type.
 3880 			[RT #45017]
 3881 
 3882 4596.	[bug]		Validate glue before adding it to the additional
 3883 			section. This also fixes incorrect TTL capping
 3884 			when the RRSIG expired earlier than the TTL.
 3885 			[RT #45062]
 3886 
 3887 4595.	[func]		dnssec-keygen will no longer generate RSA keys
 3888 			less than 1024 bits in length. dnssec-keymgr
 3889 			was similarly updated. [RT #36895]
 3890 
 3891 4594.	[func]		"dnstap-read -x" prints a hex dump of the wire
 3892 			format of each logged DNS message. [RT #44816]
 3893 
 3894 4593.	[doc]		Update README using markdown, remove outdated FAQ
 3895 			file in favor of the knowledge base.
 3896 
 3897 4592.	[bug]		A race condition on shutdown could trigger an
 3898 			assertion failure in dispatch.c. [RT #43822]
 3899 
 3900 4591.	[port]		Addressed some python 3 compatibility issues.
 3901 			Thanks to Ville Skytta. [RT #44955] [RT #44956]
 3902 
 3903 4590.	[bug]		Support for PTHREAD_MUTEX_ADAPTIVE_NP was not being
 3904 			properly detected. [RT #44871]
 3905 
 3906 4589.	[cleanup]	"configure -q" is now silent. [RT #44829]
 3907 
 3908 4588.	[bug]		nsupdate could send queries for TKEY to the wrong
 3909 			server when using GSSAPI. Thanks to Tomas Hozza.
 3910 			[RT #39893]
 3911 
 3912 4587.	[bug]		named-checkzone failed to handle occulted data below
 3913 			DNAMEs correctly. [RT #44877]
 3914 
 3915 4586.	[func]		dig, host and nslookup now use TCP for ANY queries.
 3916 			[RT #44687]
 3917 
 3918 4585.	[port]		win32: Set CompileAS value. [RT #42474]
 3919 
 3920 4584.	[bug]		A number of memory usage statistics were not properly
 3921 			reported when they exceeded 4G.  [RT #44750]
 3922 
 3923 4583.	[func]		"host -A" returns most records for a name but
 3924 			omits RRSIG, NSEC and NSEC3. (Thanks to Tony Finch.)
 3925 			[RT #43032]
 3926 
 3927 4582.	[security]	'rndc ""' could trigger an assertion failure in named.
 3928 			(CVE-2017-3138) [RT #44924]
 3929 
 3930 4581.	[port]		Linux: Add getpid and getrandom to the list of system
 3931 			calls named uses for seccomp. [RT #44883]
 3932 
 3933 4580.	[bug]		4578 introduced a regression when handling CNAME to
 3934 			referral below the current domain. [RT #44850]
 3935 
 3936 4579.	[func]		Logging channels and dnstap output files can now
 3937 			be configured with a "suffix" option, set to
 3938 			either "increment" or "timestamp", indicating
 3939 			whether to use incrementing numbers or timestamps
 3940 			as the file suffix when rolling over a log file.
 3941 			[RT #42838]
 3942 
 3943 4578.	[security]	Some chaining (CNAME or DNAME) responses to upstream
 3944 			queries could trigger assertion failures.
 3945 			(CVE-2017-3137) [RT #44734]
 3946 
 3947 4577.	[func]		Make qtype of resolver fuzzing packet configurable
 3948 			via command line. [RT #43540]
 3949 
 3950 4576.	[func]		The RPZ implementation has been substantially
 3951 			refactored for improved performance and reliability.
 3952 			[RT #43449]
 3953 
 3954 4575.	[security]	DNS64 with "break-dnssec yes;" can result in an
 3955 			assertion failure. (CVE-2017-3136) [RT #44653]
 3956 
 3957 4574.	[bug]		Dig leaked memory with multiple +subnet options.
 3958 			[RT #44683]
 3959 
 3960 4573.	[func]		Query logic has been substantially refactored (e.g.
 3961 			query_find function has been split into smaller
 3962 			functions) for improved readability, maintainability
 3963 			and testability. [RT #43929]
 3964 
 3965 4572.	[func]		The "dnstap-output" option can now take "size" and
 3966 			"versions" parameters to indicate the maximum size
 3967 			a dnstap log file can grow before rolling to a new
 3968 			file, and how many old files to retain. [RT #44502]
 3969 
 3970 4571.	[bug]		Out-of-tree builds of backtrace_test failed.
 3971 
 3972 4570.	[cleanup]	named did not correctly fall back to the built-in
 3973 			initializing keys if the bind.keys file was present
 3974 			but empty. [RT #44531]
 3975 
 3976 4569.	[func]		Store both local and remote addresses in dnstap
 3977 			logging, and modify dnstap-read output format to
 3978 			print them. [RT #43595]
 3979 
 3980 4568.	[contrib]	Added a --with-bind option to the dnsperf configure
 3981 			script to specify BIND prefix path.
 3982 
 3983 4567.	[port]		Call getprotobyname and getservbyname prior to calling
 3984 			chroot so that shared libraries get loaded. [RT #44537]
 3985 
 3986 4566.	[func]		Query logging now includes the ECS option if one
 3987 			was included in the query. [RT #44476]
 3988 
 3989 4565.	[cleanup]	The inline macro versions of isc_buffer_put*()
 3990 			did not implement automatic buffer reallocation.
 3991 			[RT #44216]
 3992 
 3993 4564.	[maint]		Update the built in managed keys to include the
 3994 			upcoming root KSK. [RT #44579]
 3995 
 3996 4563.	[bug]		Modified zones would occasionally fail to reload.
 3997 			[RT #39424]
 3998 
 3999 4562.	[func]		Add additional memory statistics currently malloced
 4000 			and maxmalloced per memory context. [RT #43593]
 4001 
 4002 4561.	[port]		Silence a warning in strict C99 compilers. [RT #44414]
 4003 
 4004 4560.	[bug]		mdig: add -m option to enable memory debugging rather
 4005 			than having it on all the time. [RT #44509]
 4006 
 4007 4559.	[bug]		openssl_link.c didn't compile if ISC_MEM_TRACKLINES
 4008 			was turned off.  [RT #44509]
 4009 
 4010 4558.	[bug]		Synthesised CNAME before matching DNAME was still
 4011 			being cached when it should not have been.  [RT #44318]
 4012 
 4013 4557.	[security]	Combining dns64 and rpz can result in dereferencing
 4014 			a NULL pointer (read).  (CVE-2017-3135) [RT #44434]
 4015 
 4016 4556.	[bug]		Sending an EDNS Padding option using "dig
 4017 			+ednsopt" could cause a crash in dig. [RT #44462]
 4018 
 4019 4555.	[func]		dig +ednsopt: EDNS options can now be specified by
 4020 			name in addition to numeric value. [RT #44461]
 4021 
 4022 4554.	[bug]		Remove double unlock in dns_dispatchmgr_setudp.
 4023 			[RT #44336]
 4024 
 4025 4553.	[bug]		Named could deadlock if there were multiple changes to
 4026 			NSEC/NSEC3 parameters for a zone being processed at
 4027 			the same time. [RT #42770]
 4028 
 4029 4552.	[bug]		Named could trigger an assertion when sending notify
 4030 			messages. [RT #44019]
 4031 
 4032 4551.	[test]		Add system tests for integrity checks of MX and
 4033 			SRV records. [RT #43953]
 4034 
 4035 4550.	[cleanup]	Increased the number of available master file
 4036 			output style flags from 32 to 64. [RT #44043]
 4037 
 4038 4549.	[func]		Added support for the EDNS TCP Keepalive option
 4039 			(RFC 7828). [RT #42126]
 4040 
 4041 4548.	[func]		Added support for the EDNS Padding option (RFC 7830).
 4042 			[RT #42094]
 4043 
 4044 4547.	[port]		Add support for --enable-native-pkcs11 on the AEP
 4045 			Keyper HSM. [RT #42463]
 4046 
 4047 4546.	[func]		Extend the use of const declarations. [RT #43379]
 4048 
 4049 4545.	[func]		Expand YAML output from dnstap-read to include
 4050 			a detailed breakdown of the DNS message contents.
 4051 			[RT #43642]
 4052 
 4053 4544.	[bug]		Add message/payload size to dnstap-read YAML output.
 4054 			[RT #43622]
 4055 
 4056 4543.	[bug]		dns_client_startupdate now delays sending the update
 4057 			request until isc_app_ctxrun has been called.
 4058 			[RT #43976]
 4059 
 4060 4542.	[func]		Allow rndc to manipulate redirect zones by using
 4061 			-redirect as the zone name (use "-redirect." to
 4062 			manipulate a zone named "-redirect"). [RT #43971]
 4063 
 4064 4541.	[bug]		rndc addzone should properly reject non master/slave
 4065 			zones. [RT #43665]
 4066 
 4067 4540.	[bug]		Correctly handle ecs entries in dns_acl_isinsecure.
 4068 			[RT #43601]
 4069 
 4070 4539.	[bug]		Referencing a nonexistent zone with RPZ could lead
 4071 			to an assertion failure when configuring. [RT #43787]
 4072 
 4073 4538.	[bug]		Call dns_client_startresolve from client->task.
 4074 			[RT #43896]
 4075 
 4076 4537.	[bug]		Handle timeouts better in dig/host/nslookup. [RT #43576]
 4077 
 4078 4536.	[bug]		ISC_SOCKEVENTATTR_USEMINMTU was not being cleared
 4079 			when reusing the event structure. [RT #43885]
 4080 
 4081 4535.	[bug]		Address race condition in setting / testing of
 4082 			DNS_REQUEST_F_SENDING. [RT #43889]
 4083 
 4084 4534.	[bug]		Only set RD, RA and CD in QUERY responses. [RT #43879]
 4085 
 4086 4533.	[bug]		dns_client_update should terminate on prerequisite
 4087 			failures (NXDOMAIN, YXDOMAIN, NXRRSET, YXRRSET)
 4088 			and also on BADZONE.  [RT #43865]
 4089 
 4090 4532.	[contrib]	Make gen-data-queryperf.py python 3 compatible.
 4091 			[RT #43836]
 4092 
 4093 4531.	[security]	'is_zone' was not being properly updated by redirect2
 4094 			and subsequently preserved leading to an assertion
 4095 			failure. (CVE-2016-9778) [RT #43837]
 4096 
 4097 4530.	[bug]		Change 4489 broke the handling of CNAME -> DNAME
 4098 			in responses resulting in SERVFAIL being returned.
 4099 			[RT #43779]
 4100 
 4101 4529.	[cleanup]	Silence noisy log warning when DSCP probe fails
 4102 			due to firewall rules. [RT #43847]
 4103 
 4104 4528.	[bug]		Only set the flag bits for the i/o we are waiting
 4105 			for on EPOLLERR or EPOLLHUP. [RT #43617]
 4106 
 4107 4527.	[doc]		Support DocBook XSL Stylesheets v1.79.1. [RT #43831]
 4108 
 4109 4526.	[doc]		Corrected errors and improved formatting of
 4110 			grammar definitions in the ARM. [RT #43739]
 4111 
 4112 4525.	[doc]		Fixed outdated documentation on managed-keys.
 4113 			[RT #43810]
 4114 
 4115 4524.	[bug]		The net zero test was broken causing IPv4 servers
 4116 			with addresses ending in .0 to be rejected. [RT #43776]
 4117 
 4118 4523.	[doc]		Expand config doc for <querysource4> and
 4119 			<querysource6>. [RT #43768]
 4120 
 4121 4522.	[bug]		Handle big gaps in log file version numbers better.
 4122 			[RT #38688]
 4123 
 4124 4521.	[cleanup]	Log it as an error if an entropy source is not
 4125 			found and there is no fallback available. [RT #43659]
 4126 
 4127 4520.	[cleanup]	Alphabetize more of the grammar when printing it
 4128 			out. Fix unbalanced indenting. [RT #43755]
 4129 
 4130 4519.	[port]		win32: handle ERROR_MORE_DATA. [RT #43534]
 4131 
 4132 4518.	[func]		The "print-time" option in the logging configuration
 4133 			can now take arguments "local", "iso8601" or
 4134 			"iso8601-utc" to indicate the format in which the
 4135 			date and time should be logged. For backward
 4136 			compatibility, "yes" is a synonym for "local".
 4137 			[RT #42585]
 4138 
 4139 4517.	[security]	Named could mishandle authority sections that were
 4140 			missing RRSIGs triggering an assertion failure.
 4141 			(CVE-2016-9444) [RT #43632]
 4142 
 4143 4516.	[bug]		isc_socketmgr_renderjson was missing from the
 4144 			windows build. [RT #43602]
 4145 
 4146 4515.	[port]		FreeBSD: Find readline headers when they are in
 4147 			edit/readline/ instead of readline/. [RT #43658]
 4148 
 4149 4514.	[port]		NetBSD: strip -WL, from ld command line. [RT #43204]
 4150 
 4151 4513.	[cleanup]	Minimum Python versions are now 2.7 and 3.2.
 4152 			[RT #43566]
 4153 
 4154 4512.	[bug]		win32: @GEOIP_INC@ missing from delv.vcxproj.in.
 4155 			[RT #43556]
 4156 
 4157 4511.	[bug]		win32: mdig.exe-BNFT was missing Configure. [RT #43554]
 4158 
 4159 4510.	[security]	Named mishandled some responses where covering RRSIG
 4160 			records are returned without the requested data
 4161 			resulting in an assertion failure. (CVE-2016-9147)
 4162 			[RT #43548]
 4163 
 4164 4509.	[test]		Make the rrl system test more reliable on slower
 4165 			machines by using mdig instead of dig. [RT #43280]
 4166 
 4167 4508.	[security]	Named incorrectly tried to cache TKEY records which
 4168 			could trigger an assertion failure when there was
 4169 			a class mismatch. (CVE-2016-9131) [RT #43522]
 4170 
 4171 4507.	[bug]		Named could incorrectly log 'allows updates by IP
 4172 			address, which is insecure' [RT #43432]
 4173 
 4174 4506.	[func]		'named-checkconf -l' will now list the zones found in
 4175 			named.conf. [RT #43154]
 4176 
 4177 4505.	[port]		Use IP_PMTUDISC_OMIT if available. [RT #35494]
 4178 
 4179 4504.	[security]	Allow the maximum number of records in a zone to
 4180 			be specified.  This provides a control for issues
 4181 			raised in CVE-2016-6170. [RT #42143]
 4182 
 4183 4503.	[cleanup]	"make uninstall" now removes files installed by
 4184 			BIND. (This currently excludes Python files
 4185 			due to lack of support in setup.py.) [RT #42192]
 4186 
 4187 4502.	[func]		Report multiple and experimental options when printing
 4188 			grammar. [RT #43134]
 4189 
 4190 4501.	[placeholder]
 4191 
 4192 4500.	[bug]		Support modifier I64 in isc__print_printf. [RT #43526]
 4193 
 4194 4499.	[port]		MacOSX: silence deprecated function warning
 4195 			by using arc4random_stir() when available
 4196 			instead of arc4random_addrandom(). [RT #43503]
 4197 
 4198 4498.	[test]		Simplify prerequisite checks in system tests.
 4199 			[RT #43516]
 4200 
 4201 4497.	[port]		Add support for OpenSSL 1.1.0. [RT #41284]
 4202 
 4203 4496.	[func]		dig: add +idnout to control whether labels are
 4204 			displayed in punycode or not.  Requires idn support
 4205 			to be enabled at compile time. [RT #43398]
 4206 
 4207 4495.	[bug]		An isc_mutex_init call was not being checked.
 4208 			[RT #43391]
 4209 
 4210 4494.	[bug]		Look for <editline/readline.h>. [RT #43429]
 4211 
 4212 4493.	[bug]		bin/tests/system/dyndb/driver/Makefile.in should use
 4213 			SO_TARGETS. [RT #43336]
 4214 
 4215 4492.	[bug]		irs_resconf_load failed to initialize sortlistnxt
 4216 			causing bad writes if resolv.conf contained a
 4217 			sortlist directive. [RT #43459]
 4218 
 4219 4491.	[bug]		Improve message emitted when testing whether sendmsg
 4220 			works with TOS/TCLASS fails. [RT #43483]
 4221 
 4222 4490.	[maint]		Added AAAA (2001:500:12::d0d) for G.ROOT-SERVERS.NET.
 4223 
 4224 4489.	[security]	It was possible to trigger assertions when processing
 4225 			a response containing a DNAME answer. (CVE-2016-8864)
 4226 			[RT #43465]
 4227 
 4228 4488.	[port]		Darwin: use -framework for Kerberos. [RT #43418]
 4229 
 4230 4487.	[test]		Make system tests work on Windows. [RT #42931]
 4231 
 4232 4486.	[bug]		Look in $prefix/lib/pythonX.Y/site-packages for
 4233 			the python modules we install. [RT #43330]
 4234 
 4235 4485.	[bug]		Failure to find readline when requested should be
 4236 			fatal to configure. [RT #43328]
 4237 
 4238 4484.	[func]		Check prefixes in acls to make sure the address and
 4239 			prefix lengths are consistent.  Warn only in
 4240 			BIND 9.11 and earlier. [RT #43367]
 4241 
 4242 4483.	[bug]		Address use before require check and remove extraneous
 4243 			dns_message_gettsigkey call in dns_tsig_sign.
 4244 			[RT #43374]
 4245 
 4246 4482.	[cleanup]	Change #4455 was incomplete. [RT #43252]
 4247 
 4248 4481.	[func]		dig: make +class, +crypto, +multiline, +rrcomments,
 4249 			+onesoa, +qr, +ttlid, +ttlunits and -u per lookup
 4250 			rather than global. [RT #42450]
 4251 
 4252 4480.	[placeholder]
 4253 
 4254 4479.	[placeholder]
 4255 
 4256 4478.	[func]		Add +continue option to mdig, allow continue on socket
 4257 			errors. [RT #43281]
 4258 
 4259 4477.	[test]		Fix mkeys test timing issues. [RT #41028]
 4260 
 4261 4476.	[test]		Fix reclimit test on slower machines. [RT #43283]
 4262 
 4263 4475.	[doc]		Update named-checkconf documentation. [RT #43153]
 4264 
 4265 4474.	[bug]		win32: call WSAStartup in fromtext_in_wks so that
 4266 			getprotobyname and getservbyname work.  [RT #43197]
 4267 
 4268 4473.	[bug]		Only call fsync / _commit on regular files. [RT #43196]
 4269 
 4270 4472.	[bug]		Named could fail to find the correct NSEC3 records when
 4271 			a zone was updated between looking for the answer and
 4272 			looking for the NSEC3 records proving nonexistence
 4273 			of the answer. [RT #43247]
 4274 
 4275 	--- 9.11.0 released ---
 4276 
 4277 	--- 9.11.0rc3 released ---
 4278 
 4279 4471.	[cleanup]	Render client/query logging format consistent for
 4280 			ease of log file parsing. (Note that this affects
 4281 			"querylog" format: there is now an additional field
 4282 			indicating the client object address.) [RT #43238]
 4283 
 4284 4470.	[bug]		Reset message with intent parse before
 4285 			calling dns_dispatch_getnext. [RT #43229]
 4286 
 4287 4469.	[placeholder]
 4288 
 4289 	--- 9.11.0rc2 released ---
 4290 
 4291 4468.	[bug]		Address ECS option handling issues. [RT #43191]
 4292 
 4293 4467.	[security]	It was possible to trigger an assertion when
 4294 			rendering a message. (CVE-2016-2776) [RT #43139]
 4295 
 4296 4466.	[bug]		Interface scanning didn't work on a Windows system
 4297 			without a non-local IPv6 address. [RT #43130]
 4298 
 4299 4465.	[bug]		Don't use "%z" as Windows doesn't support it.
 4300 			[RT #43131]
 4301 
 4302 4464.	[bug]		Fix windows python support. [RT #43173]
 4303 
 4304 4463.	[bug]		The dnstap system test failed on some systems.
 4305 			[RT #43129]
 4306 
 4307 4462.	[bug]		Don't describe a returned EDNS COOKIE as "good"
 4308 			when there isn't a valid server cookie. [RT #43167]
 4309 
 4310 4461.	[bug]		win32: not all external data was properly marked
 4311 			as external data for windows dll. [RT #43161]
 4312 
 4313 	--- 9.11.0rc1 released ---
 4314 
 4315 4460.	[test]		Add system test for dnstap using unix domain sockets.
 4316 			[RT #42926]
 4317 
 4318 4459.	[bug]		TCP client objects created to handle pipeline queries
 4319 			were not cleaned up correctly, causing uncontrolled
 4320 			memory growth. [RT #43106]
 4321 
 4322 4458.	[cleanup]	Update assertions to be more correct, and also remove
 4323 			use of a reserved word. [RT #43090]
 4324 
 4325 4457.	[maint]		Added AAAA (2001:500:a8::e) for E.ROOT-SERVERS.NET.
 4326 
 4327 4456.	[doc]		Add DOCTYPE and lang attribute to <html> tags.
 4328 			[RT #42587]
 4329 
 4330 4455.	[cleanup]	Allow dyndb modules to correctly log the filename
 4331 			and line number when processing configuration text
 4332 			from named.conf. [RT #43050]
 4333 
 4334 4454.	[bug]		'rndc dnstap -reopen' had a race issue. [RT #43089]
 4335 
 4336 4453.	[bug]		Prefetching of DS records failed to update their
 4337 			RRSIGs. [RT #42865]
 4338 
 4339 4452.	[bug]		The default key manager policy file is now
 4340 			<sysdir>/dnssec-policy.conf (usually
 4341 			/etc/dnssec-policy.conf). [RT #43064]
 4342 
 4343 4451.	[cleanup]	Log more useful information if a PKCS#11 provider
 4344 			library cannot be loaded. [RT #43076]
 4345 
 4346 4450.	[port]		Provide more nuanced HSM support which better matches
 4347 			the specific PKCS11 providers capabilities. [RT #42458]
 4348 
 4349 4449.	[test]		Fix catalog zones test on slower systems. [RT #42997]
 4350 
 4351 4448.	[bug]		win32: ::1 was not being found when iterating
 4352 			interfaces. [RT #42993]
 4353 
 4354 4447.	[tuning]	Allow the fstrm_iothr_init() options to be set using
 4355 			named.conf to control how dnstap manages the data
 4356 			flow. [RT #42974]
 4357 
 4358 4446.	[bug]		The cache_find() and _findrdataset() functions
 4359 			could find rdatasets that had been marked stale.
 4360 			[RT #42853]
 4361 
 4362 4445.	[cleanup]	isc_errno_toresult() can now be used to call the
 4363 			formerly private function isc__errno2result().
 4364 			[RT #43050]
 4365 
 4366 4444.	[bug]		Fixed some issues related to dyndb: A bug caused
 4367 			braces to be omitted when passing configuration text
 4368 			from named.conf to a dyndb driver, and there was a
 4369 			use-after-free in the sample dyndb driver. [RT #43050]
 4370 
 4371 4443.	[func]		Set TCP_MAXSEG in addition to IPV6_USE_MIN_MTU on
 4372 			TCP sockets. [RT #42864]
 4373 
 4374 4442.	[bug]		Fix RPZ CIDR tree insertion bug that corrupted
 4375 			tree data structure with overlapping networks
 4376 			(longest prefix match was ineffective).
 4377 			[RT #43035]
 4378 
 4379 4441.	[cleanup]	Alphabetize host's help output. [RT #43031]
 4380 
 4381 4440.	[func]		Enable TCP fast open support when available on the
 4382 			server side. [RT #42866]
 4383 
 4384 4439.	[bug]		Address race conditions getting ownernames of nodes.
 4385 			[RT #43005]
 4386 
 4387 4438.	[func]		Use LIFO rather than FIFO when processing startup
 4388 			notify and refresh queries. [RT #42825]
 4389 
 4390 4437.	[func]		Minimal-responses now has two additional modes
 4391 			no-auth and no-auth-recursive which suppress
 4392 			adding the NS records to the authority section
 4393 			as well as the associated address records for the
 4394 			nameservers. [RT #42005]
 4395 
 4396 4436.	[func]		Return TLSA records as additional data for MX and SRV
 4397 			lookups. [RT #42894]
 4398 
 4399 4435.	[tuning]	Only set IPV6_USE_MIN_MTU for UDP when the message
 4400 			will not fit into a single IPv4 encapsulated IPv6
 4401 			UDP packet when transmitted over an Ethernet link.
 4402 			[RT #42871]
 4403 
 4404 4434.	[protocol]	Return EDNS EXPIRE option for master zones in addition
 4405 			to slave zones. [RT #43008]
 4406 
 4407 4433.	[cleanup]	Report an error when passing an invalid option or
 4408 			view name to "rndc dumpdb". [RT #42958]
 4409 
 4410 4432.	[test]		Hide rndc output on expected failures in logfileconfig
 4411 			system test. [RT #27996]
 4412 
 4413 4431.	[bug]		named-checkconf now checks the rate-limit clause.
 4414 			[RT #42970]
 4415 
 4416 4430.	[bug]		Lwresd died if a search list was not defined.
 4417 			Found by 0x710DDDD At Alibaba Security. [RT #42895]
 4418 
 4419 4429.	[bug]		Address potential use after free on fclose() error.
 4420 			[RT #42976]
 4421 
 4422 4428.	[bug]		The "test dispatch getnext" unit test could fail
 4423 			in a threaded build. [RT #42979]
 4424 
 4425 4427.	[bug]		The "query" and "response" parameters to the
 4426 			"dnstap" option had their functions reversed.
 4427 
 4428 	--- 9.11.0b3 released ---
 4429 
 4430 4426.	[bug]		Addressed Coverity warnings. [RT #42908]
 4431 
 4432 4425.	[bug]		arpaname, dnstap-read and named-rrchecker were not
 4433 			being installed into ${prefix}/bin.  Tidy up
 4434 			installation issues with CHANGE 4421. [RT #42910]
 4435 
 4436 4424.	[experimental]	Named now sends _ta-XXXX.<trust-anchor>/NULL queries
 4437 			to provide feedback to the trust-anchor administrators
 4438 			about how key rollovers are progressing as per
 4439 			draft-ietf-dnsop-edns-key-tag-02.  This can be
 4440 			disabled using 'trust-anchor-telemetry no;'.
 4441 			[RT #40583]
 4442 
 4443 4423.	[maint]		Added missing IPv6 address 2001:500:84::b for
 4444 			B.ROOT-SERVERS.NET. [RT #42898]
 4445 
 4446 4422.	[port]		Silence clang warnings in dig.c and dighost.c.
 4447 			[RT #42451]
 4448 
 4449 4421.	[func]		When built with LMDB (Lightning Memory-mapped
 4450 			Database), named will now use a database to store
 4451 			the configuration for zones added by "rndc addzone"
 4452 			instead of using a flat NZF file. This improves
 4453 			performance of "rndc delzone" and "rndc modzone"
 4454 			significantly. Existing NZF files will
 4455 			automatically be converted to NZD databases.
 4456 			To view the contents of an NZD or to roll back to
 4457 			NZF format, use "named-nzd2nzf". To disable
 4458 			this feature, use "configure --without-lmdb".
 4459 			[RT #39837]
 4460 
 4461 4420.	[func]		nslookup now looks for AAAA as well as A by default.
 4462 			[RT #40420]
 4463 
 4464 4419.	[bug]		Don't cause undefined result if the label of an
 4465 			entry in catalog zone is changed. [RT #42708]
 4466 
 4467 4418.	[bug]		Fix a compiler warning in GSSAPI code. [RT #42879]
 4468 
 4469 4417.	[bug]		dnssec-keymgr could fail to create successor keys
 4470 			if the prepublication interval was set to a value
 4471 			smaller than the default. [RT #42820]
 4472 
 4473 4416.	[bug]		dnssec-keymgr: Domain names in policy files could
 4474 			fail to match due to trailing dots. [RT #42807]
 4475 
 4476 4415.	[bug]		dnssec-keymgr: Expired/deleted keys were not always
 4477 			excluded. [RT #42884]
 4478 
 4479 4414.	[bug]		Corrected a bug in the MIPS implementation of
 4480 			isc_atomic_xadd(). [RT #41965]
 4481 
 4482 4413.	[bug]		GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED
 4483 			was returned. [RT #42733]
 4484 
 4485 	--- 9.11.0b2 released ---
 4486 
 4487 4412.	[cleanup]	Make fixes for GCC 6. ISC_OFFSET_MAXIMUM macro was
 4488 			removed. [RT #42721]
 4489 
 4490 4411.	[func]		"rndc dnstap -roll" automatically rolls the
 4491 			dnstap output file; the previous version is
 4492 			saved with ".0" suffix, and earlier versions
 4493 			with ".1" and so on. An optional numeric argument
 4494 			indicates how many prior files to save. [RT #42830]
 4495 
 4496 4410.	[bug]		Address use after free and memory leak with dnstap.
 4497 			[RT #42746]
 4498 
 4499 4409.	[bug]		DNS64 should exclude mapped addresses by default when
 4500 			an exclude acl is not defined. [RT #42810]
 4501 
 4502 4408.	[func]		Continue waiting for expected response when the
 4503 			response we get does not match the request. [RT #41026]
 4504 
 4505 4407.	[performance]	Use GCC builtin for clz in RPZ lookup code.
 4506 			[RT #42818]
 4507 
 4508 4406.	[security]	getrrsetbyname with a non absolute name could
 4509 			trigger an infinite recursion bug in lwresd
 4510 			and named with lwres configured if, when combined
 4511 			with a search list entry, the resulting name is
 4512 			too long. (CVE-2016-2775) [RT #42694]
 4513 
 4514 4405.	[bug]		Change 4342 introduced a regression where you could
 4515 			not remove a delegation in a NSEC3 signed zone using
 4516 			OPTOUT via nsupdate. [RT #42702]
 4517 
 4518 4404.	[misc]		Allow krb5-config to be used when configuring gssapi.
 4519 			[RT #42580]
 4520 
 4521 4403.	[bug]		Rename variables and arguments that shadow: basename,
 4522 			clone and gai_error.
 4523 
 4524 4402.	[bug]		protoc-c is now a hard requirement for --enable-dnstap.
 4525 
 4526 	--- 9.11.0b1 released ---
 4527 
 4528 4401.	[misc]		Change LICENSE to MPL 2.0.
 4529 
 4530 4400.	[bug]		ttl policy was not being inherited in policy.py.
 4531 			[RT #42718]
 4532 
 4533 4399.	[bug]		policy.py 'ECCGOST', 'ECDSAP256SHA256', and
 4534 			'ECDSAP384SHA384' don't have settable keysize.
 4535 			[RT #42718]
 4536 
 4537 4398.	[bug]		Correct spelling of ECDSAP256SHA256 in policy.py.
 4538 			[RT #42718]
 4539 
 4540 4397.	[bug]		Update Windows python support. [RT #42538]
 4541 
 4542 4396.	[func]		dnssec-keymgr now takes a '-r randomfile' option.
 4543 			[RT #42455]
 4544 
 4545 4395.	[bug]		Improve out-of-tree installation of python modules.
 4546 			[RT #42586]
 4547 
 4548 4394.	[func]		Add rndc command "dnstap-reopen" to close and
 4549 			reopen dnstap output files. [RT #41803]
 4550 
 4551 4393.	[bug]		Address potential NULL pointer dereferences in
 4552 			dnstap code.
 4553 
 4554 4392.	[func]		Collect statistics for RSSAC02v3 traffic-volume,
 4555 			traffic-sizes and rcode-volume reporting. [RT #41475]
 4556 
 4557 4391.	[contrib]	Fix leaks in contrib DLZ code. [RT #42707]
 4558 
 4559 4390.	[doc]		Description of masters with TSIG, allow-query and
 4560 			allow-transfer options in catalog zones. [RT #42692]
 4561 
 4562 4389.	[test]		Rewritten test suite for catalog zones. [RT #42676]
 4563 
 4564 4388.	[func]		Support for master entries with TSIG keys in catalog
 4565 			zones. [RT #42577]
 4566 
 4567 4387.	[bug]		Change 4336 was not complete leading to SERVFAIL
 4568 			being returned as NS records expired. [RT #42683]
 4569 
 4570 4386.	[bug]		Remove shadowed overmem function/variable. [RT #42706]
 4571 
 4572 4385.	[func]		Add support for allow-query and allow-transfer ACLs
 4573 			to catalog zones. [RT #42578]
 4574 
 4575 4384.	[bug]		Change 4256 accidentally disabled logging of the
 4576 			rndc command. [RT #42654]
 4577 
 4578 4383.	[bug]		Correct spelling error in stats channel description of
 4579 			"EDNS client subnet option received". [RT #42633]
 4580 
 4581 4382.	[bug]		rndc {addzone,modzone,delzone,showzone} should all
 4582 			compare the zone name using a canonical format.
 4583 			[RT #42630]
 4584 
 4585 4381.	[bug]		Missing "zone-directory" option in catalog zone
 4586 			definition caused BIND to crash. [RT #42579]
 4587 
 4588 	--- 9.11.0a3 released ---
 4589 
 4590 4380.	[experimental]	Added a "zone-directory" option to "catalog-zones"
 4591 			syntax, allowing local masterfiles for slaves
 4592 			that are provisioned by catalog zones to be stored
 4593 			in a directory other than the server's working
 4594 			directory. [RT #42527]
 4595 
 4596 4379.	[bug]		An INSIST could be triggered if a zone contains
 4597 			RRSIG records with expiry fields that loop
 4598 			using serial number arithmetic. [RT #40571]
 4599 
 4600 4378.	[contrib]	#include <isc/string.h> for strlcat in zone2ldap.c.
 4601 			[RT #42525]
 4602 
 4603 4377.	[bug]		Don't reuse zero TTL responses beyond the current
 4604 			client set (excludes ANY/SIG/RRSIG queries).
 4605 			[RT #42142]
 4606 
 4607 4376.	[experimental]	Added support for Catalog Zones, a new method for
 4608 			provisioning secondary servers in which a list of
 4609 			zones to be served is stored in a DNS zone and can
 4610 			be propagated to slaves via AXFR/IXFR. [RT #41581]
 4611 
 4612 4375.	[func]		Add support for automatic reallocation of isc_buffer
 4613 			to isc_buffer_put* functions. [RT #42394]
 4614 
 4615 4374.	[bug]		Use SAVE/RESTORE macros in query.c to reduce the
 4616 			probability of reference counting errors as seen
 4617 			in 4365. [RT #42405]
 4618 
 4619 4373.	[bug]		Address undefined behavior in getaddrinfo. [RT #42479]
 4620 
 4621 4372.	[bug]		Address undefined behavior in libt_api. [RT #42480]
 4622 
 4623 4371.	[func]		New "minimal-any" option reduces the size of UDP
 4624 			responses for qtype ANY by returning a single
 4625 			arbitrarily selected RRset instead of all RRsets.
 4626 			Thanks to Tony Finch. [RT #41615]
 4627 
 4628 4370.	[bug]		Address python3 compatibility issues with RNDC module.
 4629 			[RT #42499] [RT #42506]
 4630 
 4631 	--- 9.11.0a2 released ---
 4632 
 4633 4369.	[bug]		Fix 'make' and 'make install' out-of-tree python
 4634 			support. [RT #42484]
 4635 
 4636 4368.	[bug]		Fix a crash when calling "rndc stats" on some
 4637 			Windows builds because some Visual Studio compilers
 4638 			generated crashing code for the "%z" printf()
 4639 			format specifier. [RT #42380]
 4640 
 4641 4367.	[bug]		Remove unnecessary assignment of loadtime in
 4642 			zone_touched. [RT #42440]
 4643 
 4644 4366.	[bug]		Address race condition when updating rbtnode bit
 4645 			fields. [RT #42379]
 4646 
 4647 4365.	[bug]		Address zone reference counting errors involving
 4648 			nxdomain-redirect. [RT #42258]
 4649 
 4650 4364.	[port]		freebsd: add -Wl,-E to loader flags [RT #41690]
 4651 
 4652 4363.	[port]		win32: Disable explicit triggering of UAC when running
 4653 			BINDInstall.
 4654 
 4655 4362.	[func]		Changed rndc reconfig behavior so that newly added
 4656 			zones are loaded asynchronously and the loading does
 4657 			not block the server. [RT #41934]
 4658 
 4659 4361.	[cleanup]	Where supported, file modification times returned
 4660 			by isc_file_getmodtime() are now accurate to the
 4661 			nanosecond. [RT #41968]
 4662 
 4663 4360.	[bug]		Silence spurious 'bad key type' message when there is
 4664 			an existing TSIG key. [RT #42195]
 4665 
 4666 4359.	[bug]		Inherited 'also-notify' lists were not being checked
 4667 			by named-checkconf. [RT #42174]
 4668 
 4669 4358.	[test]		Added American Fuzzy Lop harness that allows
 4670 			feeding fuzzed packets into BIND.
 4671 			[RT #41723]
 4672 
 4673 4357.	[func]		Add the python RNDC module. [RT #42093]
 4674 
 4675 4356.	[func]		Add the ability to specify whether to wait for
 4676 			nameserver addresses to be looked up or not to
 4677 			RPZ with a new modifying directive 'nsip-wait-recurse'.
 4678 			[RT #35009]
 4679 
 4680 4355.	[func]		"pkcs11-list" now displays the extractability
 4681 			attribute of private or secret keys stored in
 4682 			an HSM, as either "true", "false", or "never".
 4683 			Thanks to Daniel Stirnimann. [RT #36557]
 4684 
 4685 4354.	[bug]		Check that the received HMAC length matches the
 4686 			expected length prior to checking the contents on the
 4687 			control channel.  This prevents an OOB read error.
 4688 			This was reported by Lian Yihan, <lianyihan@360.cn>.
 4689 			[RT #42215]
 4690 
 4691 4353.	[cleanup]	Update PKCS#11 header files. [RT #42175]
 4692 
 4693 4352.	[cleanup]	The ISC DNSSEC Lookaside Validation (DLV) service
 4694 			is scheduled to be disabled in 2017.  A warning is
 4695 			now logged when named is configured to use it,
 4696 			either explicitly or via "dnssec-lookaside auto;"
 4697 			[RT #42207]
 4698 
 4699 4351.	[bug]		'dig +noignore' didn't work. [RT #42273]
 4700 
 4701 4350.	[contrib]	Declare result in  dlz_filesystem_dynamic.c.
 4702 
 4703 4349.	[contrib]	kasp2policy: A python script to create a DNSSEC
 4704 			policy file from an OpenDNSSEC KASP XML file.
 4705 
 4706 4348.	[func]		dnssec-keymgr: A new python-based DNSSEC key
 4707 			management utility, which reads a policy definition
 4708 			file and can create or update DNSSEC keys as needed
 4709 			to ensure that a zone's keys match policy, roll over
 4710 			correctly on schedule, etc.  Thanks to Sebastian
 4711 			Castro for assistance in development. [RT #39211]
 4712 
 4713 4347.	[port]		Corrected a build error on x86_64 Solaris. [RT #42150]
 4714 
 4715 4346.	[bug]		Fixed a regression introduced in change #4337 which
 4716 			caused signed domains with revoked KSKs to fail
 4717 			validation. [RT #42147]
 4718 
 4719 4345.	[contrib]	perftcpdns mishandled the return values from
 4720 			clock_nanosleep. [RT #42131]
 4721 
 4722 4344.	[port]		Address openssl version differences. [RT #42059]
 4723 
 4724 4343.	[bug]		dns_dnssec_syncupdate mis-declared in <dns/dnssec.h>.
 4725 			[RT #42090]
 4726 
 4727 4342.	[bug]		'rndc flushtree' could fail to clean the tree if there
 4728 			wasn't a node at the specified name. [RT #41846]
 4729 
 4730 	--- 9.11.0a1 released ---
 4731 
 4732 4341.	[bug]		Correct the handling of ECS options with
 4733 			address family 0. [RT #41377]
 4734 
 4735 4340.	[performance]	Implement adaptive read-write locks, reducing the
 4736 			overhead of locks that are only held briefly.
 4737 			[RT #37329]
 4738 
 4739 4339.	[test]		Use "mdig" to test pipelined queries. [RT #41929]
 4740 
 4741 4338.	[bug]		Reimplement change 4324 as it wasn't properly doing
 4742 			all the required bookkeeping. [RT #41941]
 4743 
 4744 4337.	[bug]		The previous change exposed a latent flaw in
 4745 			key refresh queries for managed-keys when
 4746 			a cached DNSKEY had TTL 0. [RT #41986]
 4747 
 4748 4336.	[bug]		Don't emit records with zero ttl unless the records
 4749 			were learnt with a zero ttl. [RT #41687]
 4750 
 4751 4335.	[bug]		zone->view could be detached too early. [RT #41942]
 4752 
 4753 4334.	[func]		'named -V' now reports zlib version. [RT #41913]
 4754 
 4755 4333.	[maint]		L.ROOT-SERVERS.NET is now 199.7.83.42 and
 4756 			2001:500:9f::42.
 4757 
 4758 4332.	[placeholder]
 4759 
 4760 4331.	[func]		When loading managed signed zones detect if the
 4761 			RRSIG's inception time is in the future and regenerate
 4762 			the RRSIG immediately. [RT #41808]
 4763 
 4764 4330.	[protocol]	Identify the PAD option as "PAD" when printing out
 4765 			a message.
 4766 
 4767 4329.	[func]		Warn about a common misconfiguration when forwarding
 4768 			RFC 1918 zones. [RT #41441]
 4769 
 4770 4328.	[performance]	Add dns_name_fromwire() benchmark test. [RT #41694]
 4771 
 4772 4327.	[func]		Log query and depth counters during fetches when
 4773 			querytrace (./configure --enable-querytrace) is
 4774 			enabled (helps in diagnosing).  [RT #41787]
 4775 
 4776 4326.	[protocol]	Add support for AVC. [RT #41819]
 4777 
 4778 4325.	[func]		Add a line to "rndc status" indicating the
 4779 			hostname and operating system details. [RT #41610]
 4780 
 4781 4324.	[bug]		When deleting records from a zone database, interior
 4782 			nodes could be left empty but not deleted, damaging
 4783 			search performance afterward. [RT #40997]
 4784 
 4785 4323.	[bug]		Improve HTTP header processing on statschannel.
 4786 			[RT #41674]
 4787 
 4788 4322.	[security]	Duplicate EDNS COOKIE options in a response could
 4789 			trigger an assertion failure. (CVE-2016-2088)
 4790 			[RT #41809]
 4791 
 4792 4321.	[bug]		Zones using mapped files containing out-of-zone data
 4793 			could return SERVFAIL instead of the expected NODATA
 4794 			or NXDOMAIN results. [RT #41596]
 4795 
 4796 4320.	[bug]		Insufficient memory allocation when handling
 4797 			"none" ACL could cause an assertion failure in
 4798 			named when parsing ACL configuration. [RT #41745]
 4799 
 4800 4319.	[security]	Fix resolver assertion failure due to improper
 4801 			DNAME handling when parsing fetch reply messages.
 4802 			(CVE-2016-1286) [RT #41753]
 4803 
 4804 4318.	[security]	Malformed control messages can trigger assertions
 4805 			in named and rndc. (CVE-2016-1285) [RT #41666]
 4806 
 4807 4317.	[bug]		Age all unused servers on fetch timeout. [RT #41597]
 4808 
 4809 4316.	[func]		Add option to tools to print RRs in unknown
 4810 			presentation format [RT #41595].
 4811 
 4812 4315.	[bug]		Check that configured view class isn't a meta class.
 4813 			[RT #41572].
 4814 
 4815 4314.	[contrib]	Added 'dnsperf-2.1.0.0-1', a set of performance
 4816 			testing tools provided by Nominum, Inc.
 4817 
 4818 4313.	[bug]		Handle ns_client_replace failures in test mode.
 4819 			[RT #41190]
 4820 
 4821 4312.	[bug]		dig's unknown DNS and EDNS flags (MBZ value) logging
 4822 			was not consistent. [RT #41600]
 4823 
 4824 4311.	[bug]		Prevent "rndc delzone" from being used on
 4825 			response-policy zones. [RT #41593]
 4826 
 4827 4310.	[performance]	Use __builtin_expect() where available to annotate
 4828 			conditions with known behavior. [RT #41411]
 4829 
 4830 4309.	[cleanup]	Remove the spurious "none" filename from log messages
 4831 			when processing built-in configuration. [RT #41594]
 4832 
 4833 4308.	[func]		Added operating system details to "named -V"
 4834 			output. [RT #41452]
 4835 
 4836 4307.	[bug]		"dig +subnet" and "mdig +subnet" could send
 4837 			incorrectly-formatted Client Subnet options
 4838 			if the prefix length was not divisible by 8.
 4839 			Also fixed a memory leak in "mdig". [RT #45178]
 4840 
 4841 4306.	[maint]		Added a PKCS#11 openssl patch supporting
 4842 			version 1.0.2f [RT #38312]
 4843 
 4844 4305.	[bug]		dnssec-signzone was not removing unnecessary rrsigs
 4845 			from the zone's apex. [RT #41483]
 4846 
 4847 4304.	[port]		xfer system test failed as 'tail -n +value' is not
 4848 			portable. [RT #41315]
 4849 
 4850 4303.	[bug]		"dig +subnet" was unable to send a prefix length of
 4851 			zero, as it was incorrectly changed to 32 for v4
 4852 			prefixes or 128 for v6 prefixes. In addition to
 4853 			fixing this, "dig +subnet=0" has been added as a
 4854 			short form for 0.0.0.0/0. The same changes have
 4855 			also been made in "mdig". [RT #41553]
 4856 
 4857 4302.	[port]		win32: fixed a build error in VS 2015. [RT #41426]
 4858 
 4859 4301.	[bug]		dnssec-settime -p [DP]sync was not working. [RT #41534]
 4860 
 4861 4300.	[bug]		A flag could be set in the wrong field when setting
 4862 			up non-recursive queries; this could cause the
 4863 			SERVFAIL cache to cache responses it shouldn't.
 4864 			New querytrace logging has been added which
 4865 			identified this error. [RT #41155]
 4866 
 4867 4299.	[bug]		Check that exactly totallen bytes are read when
 4868 			reading a RRset from raw files in both single read
 4869 			and incremental modes. [RT #41402]
 4870 
 4871 4298.	[bug]		dns_rpz_add errors in loadzone were not being
 4872 			propagated up the call stack. [RT #41425]
 4873 
 4874 4297.	[test]		Ensure delegations in RPZ zones fail robustly.
 4875 			[RT #41518]
 4876 
 4877 4296.	[bug]		TCP packet sizes were calculated incorrectly in the
 4878 			stats channel; they could be counted in the wrong
 4879 			histogram bucket. [RT #40587]
 4880 
 4881 4295.	[bug]		An unchecked result in dns_message_pseudosectiontotext()
 4882 			could allow incorrect text formatting of EDNS EXPIRE
 4883 			options. [RT #41437]
 4884 
 4885 4294.	[bug]		Fixed a regression in which "rndc stop -p" failed
 4886 			to print the PID. [RT #41513]
 4887 
 4888 4293.	[bug]		Address memory leak on priming query creation failure.
 4889 			[RT #41512]
 4890 
 4891 4292.	[placeholder]
 4892 
 4893 4291.	[cleanup]	Added a required include to dns/forward.h. [RT #41474]
 4894 
 4895 4290.	[func]		The timers returned by the statistics channel
 4896 			(indicating current time, server boot time, and
 4897 			most recent reconfiguration time) are now reported
 4898 			with millisecond accuracy. [RT #40082]
 4899 
 4900 4289.	[bug]		The server could crash due to memory being used
 4901 			after it was freed if a zone transfer timed out.
 4902 			[RT #41297]
 4903 
 4904 4288.	[bug]		Fixed a regression in resolver.c:possibly_mark()
 4905 			which caused known-bogus servers to be queried
 4906 			anyway. [RT #41321]
 4907 
 4908 4287.	[bug]		Silence an overly noisy log message when message
 4909 			parsing fails. [RT #41374]
 4910 
 4911 4286.	[security]	render_ecs errors were mishandled when printing out
 4912 			an OPT record resulting in an assertion failure.
 4913 			(CVE-2015-8705) [RT #41397]
 4914 
 4915 4285.	[security]	Specific APL data could trigger an INSIST.
 4916 			(CVE-2015-8704) [RT #41396]
 4917 
 4918 4284.	[bug]		Some GeoIP options were incorrectly documented
 4919 			using abbreviated forms which were not accepted by
 4920 			named.  The code has been updated to allow both
 4921 			long and abbreviated forms. [RT #41381]
 4922 
 4923 4283.	[bug]		OPENSSL_config is no longer re-callable. [RT #41348]
 4924 
 4925 4282.	[func]		'dig +[no]mapped' determines whether the use of mapped
 4926 			IPv4 addresses over IPv6 is permitted or not.  The
 4927 			default is +mapped.  [RT #41307]
 4928 
 4929 4281.	[bug]		Teach dns_message_totext about BADCOOKIE. [RT #41257]
 4930 
 4931 4280.	[performance]	Use optimal message sizes to improve compression
 4932 			in AXFRs. This reduces network traffic. [RT #40996]
 4933 
 4934 4279.	[test]		Don't use fixed ports when unit testing. [RT #41194]
 4935 
 4936 4278.	[bug]		'delv +short +[no]split[=##]' didn't work as expected.
 4937 			[RT #41238]
 4938 
 4939 4277.	[performance]	Improve performance of the RBT, the central zone
 4940 			datastructure: The aux hashtable was improved,
 4941 			hash function was updated to perform more
 4942 			uniform mapping, uppernode was added to
 4943 			dns_rbtnode, and other cleanups and performance
 4944 			improvements were made. [RT #41165]
 4945 
 4946 4276.	[protocol]	Add support for SMIMEA. [RT #40513]
 4947 
 4948 4275.	[performance]	Lazily initialize dns_compress->table only when
 4949 			compression is enabled. [RT #41189]
 4950 
 4951 4274.	[performance]	Speed up typemap processing from text. [RT #41196]
 4952 
 4953 4273.	[bug]		Only call dns_test_begin() and dns_test_end() once each
 4954 			in nsec3_test as it fails with GOST if called multiple
 4955 			times.
 4956 
 4957 4272.	[bug]		dig: the +norrcomments option didn't work with +multi.
 4958 			[RT #41234]
 4959 
 4960 4271.	[test]		Unit tests could deadlock in isc__taskmgr_pause().
 4961 			[RT #41235]
 4962 
 4963 4270.	[security]	Update allowed OpenSSL versions as named is
 4964 			potentially vulnerable to CVE-2015-3193.
 4965 
 4966 4269.	[bug]		Zones using "map" format master files currently
 4967 			don't work as policy zones.  This limitation has
 4968 			now been documented; attempting to use such zones
 4969 			in "response-policy" statements is now a
 4970 			configuration error.  [RT #38321]
 4971 
 4972 4268.	[func]		"rndc status" now reports the path to the
 4973 			configuration file. [RT #36470]
 4974 
 4975 4267.	[test]		Check sdlz error handling. [RT #41142]
 4976 
 4977 4266.	[placeholder]
 4978 
 4979 4265.	[bug]		Address unchecked isc_mem_get calls. [RT #41187]
 4980 
 4981 4264.	[bug]		Check const of strchr/strrchr assignments match
 4982 			argument's const status. [RT #41150]
 4983 
 4984 4263.	[contrib]	Address compiler warnings in mysqldyn module.
 4985 			[RT #41130]
 4986 
 4987 4262.	[bug]		Fixed a bug in epoll socket code that caused
 4988 			sockets to not be registered for ready
 4989 			notification in some cases, causing named to not
 4990 			read from or write to them, resulting in what
 4991 			appear to the user as blocked connections.
 4992 			[RT #41067]
 4993 
 4994 4261.	[maint]		H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53.
 4995 			[RT #40556]
 4996 
 4997 4260.	[security]	Insufficient testing when parsing a message allowed
 4998 			records with an incorrect class to be accepted,
 4999 			triggering a REQUIRE failure when those records
 5000 			were subsequently cached. (CVE-2015-8000) [RT #40987]
 5001 
 5002 4259.	[func]		Add an option for non-destructive control channel
 5003 			access using a "read-only" clause. In such
 5004 			cases, a restricted set of rndc commands are
 5005 			allowed for querying information from named.
 5006 			[RT #40498]
 5007 
 5008 4258.	[bug]		Limit rndc query message sizes to 32 KiB. This should
 5009 			not break any legitimate rndc commands, but will
 5010 			prevent a rogue rndc query from allocating too
 5011 			much memory. [RT #41073]
 5012 
 5013 4257.	[cleanup]	Python scripts reported incorrect version. [RT #41080]
 5014 
 5015 4256.	[bug]		Allow rndc command arguments to be quoted so as
 5016 			to allow spaces. [RT #36665]
 5017 
 5018 4255.	[performance]	Add 'message-compression' option to disable DNS
 5019 			compression in responses. [RT #40726]
 5020 
 5021 4254.	[bug]		Address missing lock when getting zone's serial.
 5022 			[RT #41072]
 5023 
 5024 4253.	[security]	Address fetch context reference count handling error
 5025 			on socket error. (CVE-2015-8461)  [RT#40945]
 5026 
 5027 4252.	[func]		Add support for automating the generation of CDS and
 5028 			CDNSKEY rrsets to named and dnssec-signzone.
 5029 			[RT #40424]
 5030 
 5031 4251.	[bug]		NTAs were deleted when the server was reconfigured
 5032 			or reloaded. [RT #41058]
 5033 
 5034 4250.	[func]		Log the TSIG key in use during inbound zone
 5035 			transfers. [RT #41075]
 5036 
 5037 4249.	[func]		Improve error reporting of TSIG / SIG(0) records in
 5038 			the wrong location. [RT #41030]
 5039 
 5040 4248.	[performance]	Add an isc_atomic_storeq() function, use it in
 5041 			stats counters to improve performance.
 5042 			[RT #39972] [RT #39979]
 5043 
 5044 4247.	[port]		Require both HAVE_JSON and JSON_C_VERSION to be
 5045 			defined to report json library version. [RT #41045]
 5046 
 5047 4246.	[test]		Ensure the statschannel system test runs when BIND
 5048 			is not built with libjson. [RT #40944]
 5049 
 5050 4245.	[placeholder]
 5051 
 5052 4244.	[bug]		The parser was not reporting that use-ixfr is obsolete.
 5053 			[RT #41010]
 5054 
 5055 4243.	[func]		Improved stats reporting from Timothe Litt. [RT #38941]
 5056 
 5057 4242.	[bug]		Replace the client if not already replaced when
 5058 			prefetching. [RT #41001]
 5059 
 5060 4241.	[doc]		Improved the TSIG, TKEY, and SIG(0) sections in
 5061 			the ARM. [RT #40955]
 5062 
 5063 4240.	[port]		Fix LibreSSL compatibility. [RT #40977]
 5064 
 5065 4239.	[func]		Changed default servfail-ttl value to 1 second from 10.
 5066 			Also, the maximum value is now 30 instead of 300.
 5067 			[RT #37556]
 5068 
 5069 4238.	[bug]		Don't send to servers on net zero (0.0.0.0/8).
 5070 			[RT #40947]
 5071 
 5072 4237.	[doc]		Upgraded documentation toolchain to use DocBook 5
 5073 			and dblatex. [RT #40766]
 5074 
 5075 4236.	[performance]	On machines with 2 or more processors (CPU), the
 5076 			default value for the number of UDP listeners
 5077 			has been changed to the number of detected
 5078 			processors minus one. [RT #40761]
 5079 
 5080 4235.	[func]		Added support in named for "dnstap", a fast method of
 5081 			capturing and logging DNS traffic, and a new command
 5082 			"dnstap-read" to read a dnstap log file.  Use
 5083 			"configure --enable-dnstap" to enable this
 5084 			feature (note that this requires libprotobuf-c
 5085 			and libfstrm). See the ARM for configuration details.
 5086 
 5087 			Thanks to Robert Edmonds of Farsight Security.
 5088 			[RT #40211]
 5089 
 5090 4234.	[func]		Add deflate compression in statistics channel HTTP
 5091 			server. [RT #40861]
 5092 
 5093 4233.	[test]		Add tests for CDS and CDNSKEY with delegation-only.
 5094 			[RT #40597]
 5095 
 5096 4232.	[contrib]	Address unchecked memory allocation calls in
 5097 			query-loc and zone2ldap. [RT #40789]
 5098 
 5099 4231.	[contrib]	Address unchecked calloc call in dlz_mysqldyn_mod.c.
 5100 			[RT #40840]
 5101 
 5102 4230.	[contrib]	dlz_wildcard_dynamic.c:dlz_create could return an
 5103 			uninitialized result. [RT #40839]
 5104 
 5105 4229.	[bug]		A variable could be used uninitialized in
 5106 			dns_update_signaturesinc. [RT #40784]
 5107 
 5108 4228.	[bug]		Address race condition in dns_client_destroyrestrans.
 5109 			[RT #40605]
 5110 
 5111 4227.	[bug]		Silence static analysis warnings. [RT #40828]
 5112 
 5113 4226.	[bug]		Address a theoretical shutdown race in
 5114 			zone.c:notify_send_queue(). [RT #38958]
 5115 
 5116 4225.	[port]		freebsd/openbsd:  Use '${CC} -shared' for building
 5117 			shared libraries. [RT #39557]
 5118 
 5119 4224.	[func]		Added support for "dyndb", a new interface for loading
 5120 			zone data from an external database, developed by
 5121 			Red Hat for the FreeIPA project.
 5122 
 5123 			DynDB drivers fully implement the BIND database
 5124 			API, and are capable of significantly better
 5125 			performance and functionality than DLZ drivers,
 5126 			while taking advantage of advanced database
 5127 			features not available in BIND such as multi-master
 5128 			replication.
 5129 
 5130 			Thanks to Adam Tkac and Petr Spacek of Red Hat.
 5131 			[RT #35271]
 5132 
 5133 4223.	[func]		Add support for setting max-cache-size to percentage
 5134 			of available physical memory, set default to 90%.
 5135 			[RT #38442]
 5136 
 5137 4222.	[func]		Bias IPv6 servers when selecting the next server to
 5138 			query. [RT #40836]
 5139 
 5140 4221.	[bug]		Resource leak on DNS_R_NXDOMAIN in fctx_create.
 5141 			[RT #40583]
 5142 
 5143 4220.	[doc]		Improve documentation for zone-statistics.
 5144 			[RT #36955]
 5145 
 5146 4219.	[bug]		Set event->result to ISC_R_WOULDBLOCK on EWOULDBLOCK,
 5147 			EAGAIN when these soft errors are not retried for
 5148 			isc_socket_send*().
 5149 
 5150 4218.	[bug]		Potential null pointer dereference on out of memory
 5151 			if mmap is not supported. [RT #40777]
 5152 
 5153 4217.	[protocol]	Add support for CSYNC. [RT #40532]
 5154 
 5155 4216.	[cleanup]	Silence static analysis warnings. [RT #40649]
 5156 
 5157 4215.	[bug]		nsupdate: skip to next request on GSSTKEY create
 5158 			failure. [RT #40685]
 5159 
 5160 4214.	[protocol]	Add support for TALINK.  [RT #40544]
 5161 
 5162 4213.	[bug]		Don't reuse a cache across multiple classes.
 5163 			[RT #40205]
 5164 
 5165 4212.	[func]		Re-query if we get a bad client cookie returned over
 5166 			UDP. [RT #40748]
 5167 
 5168 4211.	[bug]		Ensure that lwresd gets at least one task to work
 5169 			with if enabled. [RT #40652]
 5170 
 5171 4210.	[cleanup]	Silence use after free false positive. [RT #40743]
 5172 
 5173 4209.	[bug]		Address resource leaks in dlz modules. [RT #40654]
 5174 
 5175 4208.	[bug]		Address null pointer dereferences on out of memory.
 5176 			[RT #40764]
 5177 
 5178 4207.	[bug]		Handle class mismatches with raw zone files.
 5179 			[RT #40746]
 5180 
 5181 4206.	[bug]		contrib: fixed a possible NULL dereference in
 5182 			DLZ wildcard module. [RT #40745]
 5183 
 5184 4205.	[bug]		'named-checkconf -p' could include unwanted spaces
 5185 			when printing tuples with unset optional fields.
 5186 			[RT #40731]
 5187 
 5188 4204.	[bug]		'dig +trace' failed to lookup the correct type if
 5189 			the initial root NS query was retried. [RT #40296]
 5190 
 5191 4203.	[test]		The rrchecker system test now tests conversion
 5192 			to and from unknown-type format. [RT #40584]
 5193 
 5194 4202.	[bug]		isccc_cc_fromwire() could return an incorrect
 5195 			result. [RT #40614]
 5196 
 5197 4201.	[func]		The default preferred-glue is now the address record
 5198 			type of the transport the query was received
 5199 			over.  [RT #40468]
 5200 
 5201 4200.	[cleanup]	win32: update BINDinstall to be BIND release
 5202 			independent. [RT #38915]
 5203 
 5204 4199.	[protocol]	Add support for NINFO, RKEY, SINK, TA.
 5205 			[RT #40545] [RT #40547] [RT #40561] [RT #40563]
 5206 
 5207 4198.	[placeholder]
 5208 
 5209 4197.	[bug]		'named-checkconf -z' didn't handle 'in-view' clauses.
 5210 			[RT #40603]
 5211 
 5212 4196.	[doc]		Improve how "enum + other" types are documented.
 5213 			[RT #40608]
 5214 
 5215 4195.	[bug]		'max-zone-ttl unlimited;' was broken. [RT #40608]
 5216 
 5217 4194.	[bug]		named-checkconf -p failed to properly print a port
 5218 			range.  [RT #40634]
 5219 
 5220 4193.	[bug]		Handle broken servers that return BADVERS incorrectly.
 5221 			[RT #40427]
 5222 
 5223 4192.	[bug]		The default rrset-order of random was not always being
 5224 			applied. [RT #40456]
 5225 
 5226 4191.	[protocol]	Accept DNS-SD non LDH PTR records in reverse zones
 5227 			as per RFC 6763. [RT #37889]
 5228 
 5229 4190.	[protocol]	Accept Active Directory gc._msdcs.<forest> name as
 5230 			valid with check-names.  <forest> still needs to be
 5231 			LDH. [RT #40399]
 5232 
 5233 4189.	[cleanup]	Don't exit on overly long tokens in named.conf.
 5234 			[RT #40418]
 5235 
 5236 4188.	[bug]		Support HTTP/1.0 client properly on the statistics
 5237 			channel. [RT #40261]
 5238 
 5239 4187.	[func]		When any RR type implementation doesn't
 5240 			implement totext() for the RDATA's wire
 5241 			representation and returns ISC_R_NOTIMPLEMENTED,
 5242 			such RDATA is now printed in unknown
 5243 			presentation format (RFC 3597). RR types affected
 5244 			include LOC(29) and APL(42). [RT #40317].
 5245 
 5246 4186.	[bug]		Fixed an RPZ bug where a QNAME would be matched
 5247 			against a policy RR with wildcard owner name
 5248 			(trigger) where the QNAME was the wildcard owner
 5249 			name's parent. For example, the bug caused a query
 5250 			with QNAME "example.com" to match a policy RR with
 5251 			"*.example.com" as trigger. [RT #40357]
 5252 
 5253 4185.	[bug]		Fixed an RPZ bug where a policy RR with wildcard
 5254 			owner name (trigger) would prevent another policy RR
 5255 			with its parent owner name from being
 5256 			loaded. For example, the bug caused a policy RR
 5257 			with trigger "example.com" to not have any
 5258 			effect when a previous policy RR with trigger
 5259 			"*.example.com" existed in that RPZ zone.
 5260 			[RT #40357]
 5261 
 5262 4184.	[bug]		Fixed a possible memory leak in name compression
 5263 			when rendering long messages. (Also, improved
 5264 			wire_test for testing such messages.) [RT #40375]
 5265 
 5266 4183.	[cleanup]	Use timing-safe memory comparisons in cryptographic
 5267 			code. Also, the timing-safe comparison functions have
 5268 			been renamed to avoid possible confusion with
 5269 			memcmp(). Thanks to Loganaden Velvindron of
 5270 			AFRINIC. [RT #40148]
 5271 
 5272 4182.	[cleanup]	Use mnemonics for RR class and type comparisons.
 5273 			[RT #40297]
 5274 
 5275 4181.	[bug]		Queued notify messages could be dequeued from the
 5276 			wrong rate limiter queue. [RT #40350]
 5277 
 5278 4180.	[bug]		Error responses in pipelined queries could
 5279 			cause a crash in client.c. [RT #40289]
 5280 
 5281 4179.	[bug]		Fix double frees in getaddrinfo() in libirs.
 5282 			[RT #40209]
 5283 
 5284 4178.	[bug]		Fix assertion failure in parsing UNSPEC(103) RR from
 5285 			text. [RT #40274]
 5286 
 5287 4177.	[bug]		Fix assertion failure in parsing NSAP records from
 5288 			text. [RT #40285]
 5289 
 5290 4176.	[bug]		Address race issues with lwresd. [RT #40284]
 5291 
 5292 4175.	[bug]		TKEY with GSS-API keys needed bigger buffers.
 5293 			[RT #40333]
 5294 
 5295 4174.	[bug]		"dnssec-coverage -r" didn't handle time unit
 5296 			suffixes correctly. [RT #38444]
 5297 
 5298 4173.	[bug]		dig +sigchase was not properly matching the trusted
 5299 			key. [RT #40188]
 5300 
 5301 4172.	[bug]		Named / named-checkconf didn't handle a view of CLASS0.
 5302 			[RT #40265]
 5303 
 5304 4171.	[bug]		Fixed incorrect class checks in TSIG RR
 5305 			implementation. [RT #40287]
 5306 
 5307 4170.	[security]	An incorrect boundary check in the OPENPGPKEY
 5308 			rdatatype could trigger an assertion failure.
 5309 			(CVE-2015-5986) [RT #40286]
 5310 
 5311 4169.	[test]		Added a 'wire_test -d' option to read input as
 5312 			raw binary data, for use as a fuzzing harness.
 5313 			[RT #40312]
 5314 
 5315 4168.	[security]	A buffer accounting error could trigger an
 5316 			assertion failure when parsing certain malformed
 5317 			DNSSEC keys. (CVE-2015-5722) [RT #40212]
 5318 
 5319 4167.	[func]		Update rndc's usage output to include recently added
 5320 			commands. Thanks to Tony Finch for submitting a
 5321 			patch. [RT #40010]
 5322 
 5323 4166.	[func]		Print informative output from rndc showzone when
 5324 			allow-new-zones is not enabled for a view. Thanks to
 5325 			Tony Finch for submitting a patch. [RT #40009]
 5326 
 5327 4165.	[security]	A failure to reset a value to NULL in tkey.c could
 5328 			result in an assertion failure. (CVE-2015-5477)
 5329 			[RT #40046]
 5330 
 5331 4164.	[bug]		Don't rename slave files and journals on out of memory.
 5332 			[RT #40033]
 5333 
 5334 4163.	[bug]		Address compiler warnings. [RT #40024]
 5335 
 5336 4162.	[bug]		httpdmgr->flags was not being initialized. [RT #40017]
 5337 
 5338 4161.	[test]		Add JSON test for traffic size stats; also test
 5339 			for consistency between "rndc stats" and the XML
 5340 			and JSON statistics channel contents. [RT #38700]
 5341 
 5342 4160.	[placeholder]
 5343 
 5344 4159.	[cleanup]	Alphabetize dig's help output. [RT #39966]
 5345 
 5346 4158.	[placeholder]
 5347 
 5348 4157.	[placeholder]
 5349 
 5350 4156.	[func]		Added statistics counters to track the sizes
 5351 			of incoming queries and outgoing responses in
 5352 			histogram buckets, as specified in RSSAC002.
 5353 			[RT #39049]
 5354 
 5355 4155.	[func]		Allow RPZ rewrite logging to be configured on a
 5356 			per-zone basis using a newly introduced log clause in
 5357 			the response-policy option. [RT #39754]
 5358 
 5359 4154.	[bug]		An OPT record should be included with the FORMERR
 5360 			response when there is a malformed EDNS option.
 5361 			[RT #39647]
 5362 
 5363 4153.	[bug]		Dig should zero non significant +subnet bits.  Check
 5364 			that non significant ECS bits are zero on receipt.
 5365 			[RT #39647]
 5366 
 5367 4152.	[func]		Implement DNS COOKIE option.  This replaces the
 5368 			experimental SIT option of BIND 9.10.  The following
 5369 			named.conf directives are available: send-cookie,
 5370 			cookie-secret, cookie-algorithm, nocookie-udp-size
 5371 			and require-server-cookie.  The following dig options
 5372 			are available: +[no]cookie[=value] and +[no]badcookie.
 5373 			[RT #39928]
 5374 
 5375 4151.	[bug]		'rndc flush' could cause a deadlock. [RT #39835]
 5376 
 5377 4150.	[bug]		win32: listen-on-v6 { any; }; was not working.  Apply
 5378 			minimal fix.  [RT #39667]
 5379 
 5380 4149.	[bug]		Fixed a race condition in the getaddrinfo()
 5381 			implementation in libirs, which caused the delv
 5382 			utility to crash with an assertion failure when using
 5383 			the '@server' syntax with a hostname argument.
 5384 			[RT #39899]
 5385 
 5386 4148.	[bug]		Fix a bug when printing zone names with '/' character
 5387 			in XML and JSON statistics output. [RT #39873]
 5388 
 5389 4147.	[bug]		Filter-aaaa / filter-aaaa-on-v4 / filter-aaaa-on-v6
 5390 			was returning referrals rather than nodata responses
 5391 			when the AAAA records were filtered.  [RT #39843]
 5392 
 5393 4146.	[bug]		Address reference leak that could prevent a clean
 5394 			shutdown. [RT #37125]
 5395 
 5396 4145.	[bug]		Not all unassociated adb entries were being printed.
 5397 			[RT #37125]
 5398 
 5399 4144.	[func]		Add statistics counters for nxdomain redirections.
 5400 			[RT #39790]
 5401 
 5402 4143.	[placeholder]
 5403 
 5404 4142.	[bug]		rndc addzone with view specified saved NZF config
 5405 			that could not be read back by named. This has now
 5406 			been fixed. [RT #39845]
 5407 
 5408 4141.	[bug]		A formatting bug caused rndc zonestatus to print
 5409 			negative numbers for large serial values. This has
 5410 			now been fixed. [RT #39854]
 5411 
 5412 4140.	[cleanup]	Remove redundant nzf_remove() call during delzone.
 5413 			[RT #39844]
 5414 
 5415 4139.	[doc]		Fix rpz-client-ip documentation. [RT #39783]
 5416 
 5417 4138.	[security]	An uninitialized value in validator.c could result
 5418 			in an assertion failure. (CVE-2015-4620) [RT #39795]
 5419 
 5420 4137.	[bug]		Make rndc reconfig report configuration errors the
 5421 			same way rndc reload does. [RT #39635]
 5422 
 5423 4136.	[bug]		Stale statistics counters with the leading
 5424 			'#' prefix (such as #NXDOMAIN) were not being
 5425 			updated correctly. This has been fixed. [RT #39141]
 5426 
 5427 4135.	[cleanup]	Log expired NTA at startup. [RT #39680]
 5428 
 5429 4134.	[cleanup]	Include client-ip rules when logging the number
 5430 			of RPZ rules of each type. [RT #39670]
 5431 
 5432 4133.	[port]		Update how various json libraries are handled.
 5433 			[RT #39646]
 5434 
 5435 4132.	[cleanup]	dig: added +rd as a synonym for +recurse,
 5436 			added +class as an unabbreviated alternative
 5437 			to +cl. [RT #39686]
 5438 
 5439 4131.	[bug]		Addressed further problems with reloading RPZ
 5440 			zones. [RT #39649]
 5441 
 5442 4130.	[bug]		The compatibility shim for *printf() misprinted some
 5443 			large numbers. [RT #39586]
 5444 
 5445 4129.	[port]		Address API changes in OpenSSL 1.1.0. [RT #39532]
 5446 
 5447 4128.	[bug]		Address issues raised by Coverity 7.6. [RT #39537]
 5448 
 5449 4127.	[protocol]	CDS and CDNSKEY need to be signed by the key signing
 5450 			key as per RFC 7344, Section 4.1. [RT #37215]
 5451 
 5452 4126.	[bug]		Addressed a regression introduced in change #4121.
 5453 			[RT #39611]
 5454 
 5455 4125.	[test]		Added tests for dig, renamed delv test to digdelv.
 5456 			[RT #39490]
 5457 
 5458 4124.	[func]		Log errors or warnings encountered when parsing the
 5459 			internal default configuration.  Clarify the logging
 5460 			of errors and warnings encountered in rndc
 5461 			addzone or modzone parameters. [RT #39440]
 5462 
 5463 4123.	[port]		Added %z (size_t) format options to the portable
 5464 			internal printf/sprintf implementation. [RT #39586]
 5465 
 5466 4122.	[bug]		The server could match a shorter prefix than what was
 5467 			available in CLIENT-IP policy triggers, and so, an
 5468 			unexpected action could be taken. This has been
 5469 			corrected. [RT #39481]
 5470 
 5471 4121.	[bug]		On servers with one or more policy zones
 5472 			configured as slaves, if a policy zone updated
 5473 			during regular operation (rather than at
 5474 			startup) using a full zone reload, such as via
 5475 			AXFR, a bug could allow the RPZ summary data to
 5476 			fall out of sync, potentially leading to an
 5477 			assertion failure in rpz.c when further
 5478 			incremental updates were made to the zone, such
 5479 			as via IXFR. [RT #39567]
 5480 
 5481 4120.	[bug]		A bug in RPZ could cause the server to crash if
 5482 			policy zones were updated while recursion was
 5483 			pending for RPZ processing of an active query.
 5484 			[RT #39415]
 5485 
 5486 4119.	[test]		Allow dig to set the message opcode. [RT #39550]
 5487 
 5488 4118.	[bug]		Teach isc-config.sh about irs. [RT #39213]
 5489 
 5490 4117.	[protocol]	Add EMPTY.AS112.ARPA as per RFC 7534.
 5491 
 5492 4116.	[bug]		Fix a bug in RPZ that could cause some policy
 5493 			zones that did not specifically require
 5494 			recursion to be treated as if they did;
 5495 			consequently, setting qname-wait-recurse no; was
 5496 			sometimes ineffective. [RT #39229]
 5497 
 5498 4115.	[func]		"rndc -r" now prints the result code (e.g.,
 5499 			ISC_R_SUCCESS, ISC_R_TIMEOUT, etc) after
 5500 			running the requested command. [RT #38913]
 5501 
 5502 4114.	[bug]		Fix a regression in radix tree implementation
 5503 			introduced by ECS code. This bug was never
 5504 			released, but it was reported by a user testing
 5505 			master. [RT #38983]
 5506 
 5507 4113.	[test]		Check for Net::DNS in some system test
 5508 			prerequisites. [RT #39369]
 5509 
 5510 4112.	[bug]		Named failed to load when "root-delegation-only"
 5511 			was used without a list of domains to exclude.
 5512 			[RT #39380]
 5513 
 5514 4111.	[doc]		Alphabetize rndc man page. [RT #39360]
 5515 
 5516 4110.	[bug]		Address memory leaks / null pointer dereferences
 5517 			on out of memory. [RT #39310]
 5518 
 5519 4109.	[port]		linux: support reading the local port range from
 5520 			net.ipv4.ip_local_port_range. [RT #39379]
 5521 
 5522 4108.	[func]		An additional NXDOMAIN redirect method (option
 5523 			"nxdomain-redirect") has been added, allowing
 5524 			redirection to a specified DNS namespace instead
 5525 			of a single redirect zone. [RT #37989]
 5526 
 5527 4107.	[bug]		Address potential deadlock when updating zone content.
 5528 			[RT #39269]
 5529 
 5530 4106.	[port]		Improve readline support. [RT #38938]
 5531 
 5532 4105.	[port]		Misc fixes for Microsoft Visual Studio
 5533 			2015 CTP6 in 64 bit mode. [RT #39308]
 5534 
 5535 4104.	[bug]		Address uninitialized elements. [RT #39252]
 5536 
 5537 4103.	[port]		Misc fixes for Microsoft Visual Studio
 5538 			2015 CTP6. [RT #39267]
 5539 
 5540 4102.	[bug]		Fix a use after free bug introduced in change
 5541 			#4094.  [RT #39281]
 5542 
 5543 4101.	[bug]		dig: the +split and +rrcomments options didn't
 5544 			work with +short. [RT #39291]
 5545 
 5546 4100.	[bug]		Inherited ownernames on the line immediately following
 5547 			a $INCLUDE were not working.  [RT #39268]
 5548 
 5549 4099.	[port]		clang: make unknown commandline options hard errors
 5550 			when determining what options are supported.
 5551 			[RT #39273]
 5552 
 5553 4098.	[bug]		Address use-after-free issue when using a
 5554 			predecessor key with dnssec-settime. [RT #39272]
 5555 
 5556 4097.	[func]		Add additional logging about xfrin transfer status.
 5557 			[RT #39170]
 5558 
 5559 4096.	[bug]		Fix a use after free of query->sendevent.
 5560 			[RT #39132]
 5561 
 5562 4095.	[bug]		zone->options2 was not being properly initialized.
 5563 			[RT #39228]
 5564 
 5565 4094.	[bug]		A race during shutdown or reconfiguration could
 5566 			cause an assertion in mem.c. [RT #38979]
 5567 
 5568 4093.	[func]		Dig now learns the SIT value from truncated
 5569 			responses when it retries over TCP. [RT #39047]
 5570 
 5571 4092.	[bug]		'in-view' didn't work for zones beneath an empty zone.
 5572 			[RT #39173]
 5573 
 5574 4091.	[cleanup]	Some cleanups in isc mem code. [RT #38896]
 5575 
 5576 4090.	[bug]		Fix a crash while parsing malformed CAA RRs in
 5577 			presentation format, i.e., from text such as
 5578 			from master files. Thanks to John Van de
 5579 			Meulebrouck Brendgard for discovering and
 5580 			reporting this problem. [RT #39003]
 5581 
 5582 4089.	[bug]		Send notifies immediately for slave zones during
 5583 			startup. [RT #38843]
 5584 
 5585 4088.	[port]		Fixed errors when building with libressl. [RT #38899]
 5586 
 5587 4087.	[bug]		Fix a crash due to use-after-free due to sequencing
 5588 			of tasks actions. [RT #38495]
 5589 
 5590 4086.	[bug]		Fix out-of-srcdir build with native pkcs11. [RT #38831]
 5591 
 5592 4085.	[bug]		ISC_PLATFORM_HAVEXADDQ could be inconsistently set.
 5593 			[RT #38828]
 5594 
 5595 4084.	[bug]		Fix a possible race in updating stats counters.
 5596 			[RT #38826]
 5597 
 5598 4083.	[cleanup]	Print the number of CPUs and UDP listeners
 5599 			consistently in the log and in "rndc status"
 5600 			output; indicate whether threads are supported
 5601 			in "named -V" output. [RT #38811]
 5602 
 5603 4082.	[bug]		Incrementally sign large inline zone deltas.
 5604 			[RT #37927]
 5605 
 5606 4081.	[cleanup]	Use dns_rdatalist_init consistently. [RT #38759]
 5607 
 5608 4080.	[func]		Completed change #4022, adding a "lock-file" option
 5609 			to named.conf to override the default lock file,
 5610 			in addition to the "named -X <filename>" command
 5611 			line option.  Setting the lock file to "none"
 5612 			using either method disables the check completely.
 5613 			[RT #37908]
 5614 
 5615 4079.	[func]		Preserve the case of the owner name of records to
 5616 			the RRset level. [RT #37442]
 5617 
 5618 4078.	[bug]		Handle the case where CMSG_SPACE(sizeof(int)) !=
 5619 			CMSG_SPACE(sizeof(char)). [RT #38621]
 5620 
 5621 4077.	[test]		Add static-stub regression test for DS NXDOMAIN
 5622 			return making the static stub disappear. [RT #38564]
 5623 
 5624 4076.	[bug]		Named could crash on shutdown with outstanding
 5625 			reload / reconfig events. [RT #38622]
 5626 
 5627 4075.	[placeholder]
 5628 
 5629 4074.	[cleanup]	Cleaned up more warnings from gcc -Wshadow. [RT #38708]
 5630 
 5631 4073.	[cleanup]	Add libjson-c version number reporting to
 5632 			"named -V"; normalize version number formatting.
 5633 			[RT #38056]
 5634 
 5635 4072.	[func]		Add a --enable-querytrace configure switch for
 5636 			very verbose query trace logging. (This option
 5637 			has a negative performance impact and should be
 5638 			used only for debugging.) [RT #37520]
 5639 
 5640 4071.	[cleanup]	Initialize pthread mutex attrs just once, instead of
 5641 			doing it per mutex creation. [RT #38547]
 5642 
 5643 4070.	[bug]		Fix a segfault in nslookup in a query such as
 5644 			"nslookup isc.org AMS.SNS-PB.ISC.ORG -all".
 5645 			[RT #38548]
 5646 
 5647 4069.	[doc]		Reorganize options in the nsupdate man page.
 5648 			[RT #38515]
 5649 
 5650 4068.	[bug]		Omit unknown serial number from JSON zone statistics.
 5651 			[RT #38604]
 5652 
 5653 4067.	[cleanup]	Reduce noise from RRL when query logging is
 5654 			disabled. [RT #38648]
 5655 
 5656 4066.	[doc]		Reorganize options in the dig man page. [RT #38516]
 5657 
 5658 4065.	[test]		Additional RFC 5011 tests. [RT #38569]
 5659 
 5660 4064.	[contrib]	dnssec-keyset.sh: Generates a specified number
 5661 			of DNSSEC keys with timing set to implement a
 5662 			pre-publication key rollover strategy. Thanks
 5663 			to Jeffry A. Spain. [RT #38459]
 5664 
 5665 4063.	[bug]		Asynchronous zone loads were not handled
 5666 			correctly when the zone load was already in
 5667 			progress; this could trigger a crash in zt.c.
 5668 			[RT #37573]
 5669 
 5670 4062.	[bug]		Fix an out-of-bounds read in RPZ code. If the
 5671 			read succeeded, it doesn't result in a bug
 5672 			during operation. If the read failed, named
 5673 			could segfault. [RT #38559]
 5674 
 5675 4061.	[bug]		Handle timeout in legacy system test. [RT #38573]
 5676 
 5677 4060.	[bug]		dns_rdata_freestruct could be called on an
 5678 			uninitialized structure when handling an error.
 5679 			[RT #38568]
 5680 
 5681 4059.	[bug]		Addressed valgrind warnings. [RT #38549]
 5682 
 5683 4058.	[bug]		UDP dispatches could use the wrong pseudorandom
 5684 			number generator context. [RT #38578]
 5685 
 5686 4057.	[bug]		'dnssec-dsfromkey -T 0' failed to add ttl field.
 5687 			[RT #38565]
 5688 
 5689 4056.	[bug]		Expanded automatic testing of trust anchor
 5690 			management and fixed several small bugs including
 5691 			a memory leak and a possible loss of key state
 5692 			information. [RT #38458]
 5693 
 5694 4055.	[func]		"rndc managed-keys" can be used to check status
 5695 			of trust anchors or to force keys to be refreshed.
 5696 			Also, the managed keys data file has easier-to-read
 5697 			comments.  [RT #38458]
 5698 
 5699 4054.	[func]		Added a new tool 'mdig', a lightweight clone of
 5700 			dig able to send multiple pipelined queries.
 5701 			[RT #38261]
 5702 
 5703 4053.	[security]	Revoking a managed trust anchor and supplying
 5704 			an untrusted replacement could cause named
 5705 			to crash with an assertion failure.
 5706 			(CVE-2015-1349) [RT #38344]
 5707 
 5708 4052.	[bug]		Fix a leak of query fetchlock. [RT #38454]
 5709 
 5710 4051.	[bug]		Fix a leak of pthread_mutexattr_t. [RT #38454]
 5711 
 5712 4050.	[bug]		RPZ could send spurious SERVFAILs in response
 5713 			to duplicate queries. [RT #38510]
 5714 
 5715 4049.	[bug]		CDS and CDNSKEY had the wrong attributes. [RT #38491]
 5716 
 5717 4048.	[bug]		adb hash table was not being grown. [RT #38470]
 5718 
 5719 4047.	[cleanup]	"named -V" now reports the current running versions
 5720 			of OpenSSL and the libxml2 libraries, in addition to
 5721 			the versions that were in use at build time.
 5722 
 5723 4046.	[bug]		Accounting of "total use" in memory context
 5724 			statistics was not correct. [RT #38370]
 5725 
 5726 4045.	[bug]		Skip to next master on dns_request_createvia4 failure.
 5727 			[RT #25185]
 5728 
 5729 4044.	[bug]		Change 3955 was not complete, resulting in an assertion
 5730 			failure if the timing was just right. [RT #38352]
 5731 
 5732 4043.	[func]		"rndc modzone" can be used to modify the
 5733 			configuration of an existing zone, using similar
 5734 			syntax to "rndc addzone". [RT #37895]
 5735 
 5736 4042.	[bug]		zone.c:iszonesecure was being called too late.
 5737 			[RT #38371]
 5738 
 5739 4041.	[func]		TCP sockets can now be shared while connecting.
 5740 			(This will be used to enable client-side support
 5741 			of pipelined queries.) [RT #38231]
 5742 
 5743 4040.	[func]		Added server-side support for pipelined TCP
 5744 			queries. Clients may continue sending queries via
 5745 			TCP while previous queries are being processed
 5746 			in parallel.  (The new "keep-response-order"
 5747 			option allows clients to be specified for which
 5748 			the old behavior will still be used.) [RT #37821]
 5749 
 5750 4039.	[cleanup]	Cleaned up warnings from gcc -Wshadow. [RT #37381]
 5751 
 5752 4038.	[bug]		Add 'rpz' flag to node and use it to determine whether
 5753 			to call dns_rpz_delete.  This should prevent unbalanced
 5754 			add / delete calls. [RT #36888]
 5755 
 5756 4037.	[bug]		also-notify was ignoring the tsig key when checking
 5757 			for duplicates resulting in some expected notify
 5758 			messages not being sent. [RT #38369]
 5759 
 5760 4036.	[bug]		Make call to open a temporary file name safe during
 5761 			NZF creation. [RT #38331]
 5762 
 5763 4035.	[bug]		Close temporary and NZF FILE pointers before moving
 5764 			the former into the latter's place, as required on
 5765 			Windows. [RT #38332]
 5766 
 5767 4034.	[func]		When added, negative trust anchors (NTA) are now
 5768 			saved to files (viewname.nta), in order to
 5769 			persist across restarts of the named server.
 5770 			[RT #37087]
 5771 
 5772 4033.	[bug]		Missing out of memory check in request.c:req_send.
 5773 			[RT #38311]
 5774 
 5775 4032.	[bug]		Built-in "empty" zones did not correctly inherit the
 5776 			"allow-transfer" ACL from the options or view.
 5777 			[RT #38310]
 5778 
 5779 4031.	[bug]		named-checkconf -z failed to report a missing file
 5780 			with a hint zone. [RT #38294]
 5781 
 5782 4030.	[func]		"rndc delzone" is now applicable to zones that were
 5783 			configured in named.conf, as well as zones that
 5784 			were added via "rndc addzone". (Note, however, that
 5785 			if named.conf is not also modified, the deleted zone
 5786 			will return when named is reloaded.) [RT #37887]
 5787 
 5788 4029.	[func]		"rndc showzone" displays the current configuration
 5789 			of a specified zone. [RT #37887]
 5790 
 5791 4028.	[bug]		$GENERATE with a zero step was not being caught as an
 5792 			error.  A $GENERATE with a / but no step was not being
 5793 			caught as an error. [RT #38262]
 5794 
 5795 4027.	[port]		Net::DNS 0.81 compatibility. [RT #38165]
 5796 
 5797 4026.	[bug]		Fix RFC 3658 reference in dig +sigchase. [RT #38173]
 5798 
 5799 4025.	[port]		bsdi: failed to build. [RT #38047]
 5800 
 5801 4024.	[bug]		dns_rdata_opt_first, dns_rdata_opt_next,
 5802 			dns_rdata_opt_current, dns_rdata_txt_first,
 5803 			dns_rdata_txt_next and dns_rdata_txt_current were
 5804 			documented but not implemented.  These have now been
 5805 			implemented.
 5806 
 5807 			dns_rdata_spf_first, dns_rdata_spf_next and
 5808 			dns_rdata_spf_current were documented but not
 5809 			implemented.  The prototypes for these
 5810 			functions have been removed. [RT #38068]
 5811 
 5812 4023.	[bug]		win32: socket handling with explicit ports and
 5813 			invoking named with -4 was broken for some
 5814 			configurations. [RT #38068]
 5815 
 5816 4022.	[func]		Stop multiple spawns of named by limiting number of
 5817 			processes to 1. This is done by using a lockfile and
 5818 			checking whether we can listen on any configured
 5819 			TCP interfaces. [RT #37908]
 5820 
 5821 4021.	[bug]		Adjust max-recursion-queries to accommodate
 5822 			the need for more queries when the cache is
 5823 			empty. [RT #38104]
 5824 
 5825 4020.	[bug]		Change 3736 broke nsupdate's SOA MNAME discovery
 5826 			resulting in updates being sent to the wrong server.
 5827 			[RT #37925]
 5828 
 5829 4019.	[func]		If named is not configured to validate the answer
 5830 			then allow fallback to plain DNS on timeout even
 5831 			when we know the server supports EDNS. [RT #37978]
 5832 
 5833 4018.	[placeholder]
 5834 
 5835 4017.	[test]		Add system test to check lookups to legacy servers
 5836 			with broken DNS behavior. [RT #37965]
 5837 
 5838 4016.	[bug]		Fix a dig segfault due to bad linked list usage.
 5839 			[RT #37591]
 5840 
 5841 4015.	[bug]		Nameservers that are skipped due to them being
 5842 			CNAMEs were not being logged. They are now logged
 5843 			to category 'cname' as per BIND 8. [RT #37935]
 5844 
 5845 4014.	[bug]		When including a master file origin_changed was
 5846 			not being properly set leading to a potentially
 5847 			spurious 'inherited owner' warning. [RT #37919]
 5848 
 5849 4013.	[func]		Add a new tcp-only option to server (config) /
 5850 			peer (struct) to use TCP transport to send
 5851 			queries (in place of UDP transport with a
 5852 			TCP fallback on truncated (TC set) response).
 5853 			[RT #37800]
 5854 
 5855 4012.	[cleanup]	Check returned status of OpenSSL digest and HMAC
 5856 			functions when they return one. Note this applies
 5857 			only to FIPS capable OpenSSL libraries put in
 5858 			FIPS mode and MD5. [RT #37944]
 5859 
 5860 4011.	[bug]		master's list port and dscp inheritance was not
 5861 			properly implemented. [RT #37792]
 5862 
 5863 4010.	[cleanup]	Clear the prefetchable state when initiating a
 5864 			prefetch. [RT #37399]
 5865 
 5866 4009.	[func]		delv: added a +tcp option. [RT #37855]
 5867 
 5868 4008.	[contrib]	Updated zkt to latest version (1.1.3). [RT #37886]
 5869 
 5870 4007.	[doc]		Remove acl forward reference restriction. [RT #37772]
 5871 
 5872 4006.	[security]	A flaw in delegation handling could be exploited
 5873 			to put named into an infinite loop.  This has
 5874 			been addressed by placing limits on the number
 5875 			of levels of recursion named will allow (default 7),
 5876 			and the number of iterative queries that it will
 5877 			send (default 50) before terminating a recursive
 5878 			query (CVE-2014-8500).
 5879 
 5880 			The recursion depth limit is configured via the
 5881 			"max-recursion-depth" option, and the query limit
 5882 			via the "max-recursion-queries" option.  [RT #37580]
 5883 
 5884 4005.	[func]		The buffer used for returning text from rndc
 5885 			commands is now dynamically resizable, allowing
 5886 			arbitrarily large amounts of text to be sent back
 5887 			to the client. (Prior to this change, it was
 5888 			possible for the output of "rndc tsig-list" to be
 5889 			truncated.) [RT #37731]
 5890 
 5891 4004.	[bug]		When delegations had AAAA glue but not A, a
 5892 			reference could be leaked causing an assertion
 5893 			failure on shutdown. [RT #37796]
 5894 
 5895 4003.	[security]	When geoip-directory was reconfigured during
 5896 			named run-time, the previously loaded GeoIP
 5897 			data could remain, potentially causing wrong
 5898 			ACLs to be used or wrong results to be served
 5899 			based on geolocation (CVE-2014-8680). [RT #37720]
 5900 
 5901 4002.	[security]	Lookups in GeoIP databases that were not
 5902 			loaded could cause an assertion failure
 5903 			(CVE-2014-8680). [RT #37679]
 5904 
 5905 4001.	[security]	The caching of GeoIP lookups did not always
 5906 			handle address families correctly, potentially
 5907 			resulting in an assertion failure (CVE-2014-8680).
 5908 			[RT #37672]
 5909 
 5910 4000.	[bug]		NXDOMAIN redirection incorrectly handled NXRRSET
 5911 			from the redirect zone. [RT #37722]
 5912 
 5913 3999.	[func]		"mkeys" and "nzf" files are now named after
 5914 			their corresponding views, unless the view name
 5915 			contains characters that would be incompatible
 5916 			with use in a filename (i.e., slash, backslash,
 5917 			or capital letters). If a view name does contain
 5918 			these characters, the files will still be named
 5919 			using a cryptographic hash of the view name.
 5920 			Regardless of this, if a file using the old name
 5921 			format is found to exist, it will continue to be
 5922 			used. [RT #37704]
 5923 
 5924 3998.	[bug]		isc_radix_search was returning matches that were
 5925 			too precise. [RT #37680]
 5926 
 5927 3997.	[protocol]	Add OPENGPGKEY record. [RT #37671]
 5928 
 5929 3996.	[bug]		Address use after free on out of memory error in
 5930 			keyring_add. [RT #37639]
 5931 
 5932 3995.	[bug]		receive_secure_serial holds the zone lock for too
 5933 			long. [RT #37626]
 5934 
 5935 3994.	[func]		Dig now supports setting the last unassigned DNS
 5936 			header flag bit (dig +zflag). [RT #37421]
 5937 
 5938 3993.	[func]		Dig now supports EDNS negotiation by default.
 5939 			(dig +[no]ednsnegotiation).
 5940 
 5941 			Note:  This is disabled by default in BIND 9.10
 5942 			and enabled by default in BIND 9.11.  [RT #37604]
 5943 
 5944 3992.	[func]		DiG can now send queries without questions
 5945 			(dig +header-only). [RT #37599]
 5946 
 5947 3991.	[func]		Add the ability to buffer logging output by specifying
 5948 			"buffered yes;" when defining a channel. [RT #26561]
 5949 
 5950 3990.	[test]		Add tests for unknown DNSSEC algorithm handling.
 5951 			[RT #37541]
 5952 
 5953 3989.	[cleanup]	Remove redundant dns_db_resigned calls. [RT #35748]
 5954 
 5955 3988.	[func]		Allow the zone serial of a dynamically updatable
 5956 			zone to be updated via "rndc signing -serial".
 5957 			[RT #37404]
 5958 
 5959 3987.	[port]		Handle future Visual Studio 14 incompatible changes.
 5960 			[RT #37380]
 5961 
 5962 3986.	[doc]		Add the BIND version number to page footers
 5963 			in the ARM. [RT #37398]
 5964 
 5965 3985.	[doc]		Describe how +ndots and +search interact in dig.
 5966 			[RT #37529]
 5967 
 5968 3984.	[func]		Accept 256 byte long PINs in native PKCS#11
 5969 			crypto. [RT #37410]
 5970 
 5971 3983.	[bug]		Change #3940 was incomplete: negative trust anchors
 5972 			could be set to last up to a week, but the
 5973 			"nta-lifetime" and "nta-recheck" options were
 5974 			still limited to one day. [RT #37522]
 5975 
 5976 3982.	[doc]		Include release notes in product documentation.
 5977 			[RT #37272]
 5978 
 5979 3981.	[bug]		Cache DS/NXDOMAIN independently of other query types.
 5980 			[RT #37467]
 5981 
 5982 3980.	[bug]		Improve --with-tuning=large by self tuning of SO_RCVBUF
 5983 			size. [RT #37187]
 5984 
 5985 3979.	[bug]		Negative trust anchor fetches were not properly
 5986 			managed. [RT #37488]
 5987 
 5988 3978.	[test]		Added a unit test for Diffie-Hellman key
 5989 			computation, completing change #3974. [RT #37477]
 5990 
 5991 3977.	[cleanup]	"rndc secroots" reported a "not found" error when
 5992 			there were no negative trust anchors set. [RT #37506]
 5993 
 5994 3976.	[bug]		When refreshing managed-key trust anchors, clear
 5995 			any cached trust so that they will always be
 5996 			revalidated with the current set of secure
 5997 			roots. [RT #37506]
 5998 
 5999 3975.	[bug]		Don't populate or use the bad cache for queries that
 6000 			don't request or use recursion. [RT #37466]
 6001 
 6002 3974.	[bug]		Handle DH_compute_key() failure correctly in
 6003 			openssldh_link.c. [RT #37477]
 6004 
 6005 3973.	[test]		Added hooks for Google Performance Tools CPU profiler,
 6006 			including real-time/wall-clock profiling. Use
 6007 			"configure --with-gperftools-profiler" to enable.
 6008 			[RT #37339]
 6009 
 6010 3972.	[bug]		Fix host's usage statement. [RT #37397]
 6011 
 6012 3971.	[bug]		Reduce the cascading failures due to a bad $TTL line
 6013 			in named-checkconf / named-checkzone. [RT #37138]
 6014 
 6015 3970.	[contrib]	Fixed a use after free bug in the SDB LDAP driver.
 6016 			[RT #37237]
 6017 
 6018 3969.	[test]		Added 'delv' system test. [RT #36901]
 6019 
 6020 3968.	[bug]		Silence spurious log messages when using 'named -[46]'.
 6021 			[RT #37308]
 6022 
 6023 3967.	[test]		Add test for inlined signed zone in multiple views
 6024 			with different DNSKEY sets. [RT #35759]
 6025 
 6026 3966.	[bug]		Missing dns_db_closeversion call in receive_secure_db.
 6027 			[RT #35746]
 6028 
 6029 3965.	[func]		Log outgoing packets and improve packet logging to
 6030 			support logging the remote address. [RT #36624]
 6031 
 6032 3964.	[func]		nsupdate now performs check-names processing.
 6033 			[RT #36266]
 6034 
 6035 3963.	[test]		Added NXRRSET test cases to the "dlzexternal"
 6036 			system test. [RT #37344]
 6037 
 6038 3962.	[bug]		'dig +topdown +trace +sigchase' address unhandled error
 6039 			conditions. [RT #34663]
 6040 
 6041 3961.	[bug]		Forwarding of SIG(0) signed UPDATE messages failed with
 6042 			BADSIG.  [RT #37216]
 6043 
 6044 3960.	[bug]		'dig +sigchase' could loop forever. [RT #37220]
 6045 
 6046 3959.	[bug]		Updates could be lost if they arrived immediately
 6047 			after a rndc thaw. [RT #37233]
 6048 
 6049 3958.	[bug]		Detect when writeable files have multiple references
 6050 			in named.conf. [RT #37172]
 6051 
 6052 3957.	[bug]		"dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256
 6053 			and ECDSAP384SHA384. [RT #37183]
 6054 
 6055 3956.	[func]		Notify messages are now rate limited by notify-rate and
 6056 			startup-notify-rate instead of serial-query-rate.
 6057 			[RT #24454]
 6058 
 6059 3955.	[bug]		Notify messages due to changes are no longer queued
 6060 			behind startup notify messages. [RT #24454]
 6061 
 6062 3954.	[bug]		Unchecked mutex init in dlz_dlopen_driver.c [RT #37112]
 6063 
 6064 3953.	[bug]		Don't escape semi-colon in TXT fields. [RT #37159]
 6065 
 6066 3952.	[bug]		dns_name_fullcompare failed to set *nlabelsp when the
 6067 			two name pointers were the same. [RT #37176]
 6068 
 6069 3951.	[func]		Add the ability to set yet-to-be-defined EDNS flags
 6070 			to dig (+ednsflags=#). [RT #37142]
 6071 
 6072 3950.	[port]		Changed the bin/python Makefile to work around a
 6073 			bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993]
 6074 
 6075 3949.	[experimental]	Experimental support for draft-andrews-edns1 by sending
 6076 			EDNS(1) queries (define DRAFT_ANDREWS_EDNS1 when
 6077 			building).  Add support for limiting the EDNS version
 6078 			advertised to servers: server { edns-version 0; };
 6079 			Log the EDNS version received in the query log.
 6080 			[RT #35864]
 6081 
 6082 3948.	[port]		solaris: RCVBUFSIZE was too large on Solaris with
 6083 			--with-tuning=large. [RT #37059]
 6084 
 6085 3947.	[cleanup]	Set the executable bit on libraries when using
 6086 			libtool. [RT #36786]
 6087 
 6088 3946.	[cleanup]	Improved "configure" search for a python interpreter.
 6089 			[RT #36992]
 6090 
 6091 3945.	[bug]		Invalid wildcard expansions could be incorrectly
 6092 			accepted by the validator. [RT #37093]
 6093 
 6094 3944.	[test]		Added a regression test for "server-id". [RT #37057]
 6095 
 6096 3943.	[func]		SERVFAIL responses can now be cached for a
 6097 			limited time (configured by "servfail-ttl",
 6098 			default 10 seconds, limit 30). This can reduce
 6099 			the frequency of retries when an authoritative
 6100 			server is known to be failing, e.g., due to
 6101 			ongoing DNSSEC validation problems. [RT #21347]
 6102 
 6103 3942.	[bug]		Wildcard responses from an optout range should be
 6104 			marked as insecure. [RT #37072]
 6105 
 6106 3941.	[doc]		Include the BIND version number in the ARM. [RT #37067]
 6107 
 6108 3940.	[func]		"rndc nta" now allows negative trust anchors to be
 6109 			set for up to one week. [RT #37069]
 6110 
 6111 3939.	[func]		Improve UPDATE forwarding performance by allowing TCP
 6112 			connections to be shared. [RT #37039]
 6113 
 6114 3938.	[func]		Added quotas to be used in recursive resolvers
 6115 			that are under high query load for names in zones
 6116 			whose authoritative servers are nonresponsive or
 6117 			are experiencing a denial of service attack.
 6118 
 6119 			- "fetches-per-server" limits the number of
 6120 			  simultaneous queries that can be sent to any
 6121 			  single authoritative server.  The configured
 6122 			  value is a starting point; it is automatically
 6123 			  adjusted downward if the server is partially or
 6124 			  completely non-responsive. The algorithm used to
 6125 			  adjust the quota can be configured via the
 6126 			  "fetch-quota-params" option.
 6127 			- "fetches-per-zone" limits the number of
 6128 			  simultaneous queries that can be sent for names
 6129 			  within a single domain.  (Note: Unlike
 6130 			  "fetches-per-server", this value is not
 6131 			  self-tuning.)
 6132 			- New stats counters have been added to count
 6133 			  queries spilled due to these quotas.
 6134 
 6135 			See the ARM for details of these options. [RT #37125]
 6136 
 6137 3937.	[func]		Added some debug logging to better indicate the
 6138 			conditions causing SERVFAILs when resolving.
 6139 			[RT #35538]
 6140 
 6141 3936.	[func]		Added authoritative support for the EDNS Client
 6142 			Subnet (ECS) option.
 6143 
 6144 			ACLs can now include "ecs" elements which specify
 6145 			an address or network prefix; if an ECS option is
 6146 			included in a DNS query, then the address encoded
 6147 			in the option will be matched against "ecs" ACL
 6148 			elements.
 6149 
 6150 			Also, if an ECS address is included in a query,
 6151 			then it will be used instead of the client source
 6152 			address when matching "geoip" ACL elements.  This
 6153 			behavior can be overridden with "geoip-use-ecs no;".
 6154 			(Note: to enable "geoip" ACLs, use "configure
 6155 			--with-geoip". This requires libGeoIP version
 6156 			1.5.0 or higher.)
 6157 
 6158 			When "ecs" or "geoip" ACL elements are used to
 6159 			select a view for a query, the response will include
 6160 			an ECS option to indicate which client network the
 6161 			answer is valid for.
 6162 
 6163 			(Thanks to Vincent Bernat.) [RT #36781]
 6164 
 6165 3935.	[bug]		"geoip asnum" ACL elements would not match unless
 6166 			the full organization name was specified.  They
 6167 			can now match against the AS number alone (e.g.,
 6168 			AS1234). [RT #36945]
 6169 
 6170 3934.	[bug]		Catch bad 'sit-secret' in named-checkconf.  Improve
 6171 			sit-secret documentation. [RT #36980]
 6172 
 6173 3933.	[bug]		Corrected the implementation of dns_rdata_casecompare()
 6174 			for the HIP rdata type.  [RT #36911]
 6175 
 6176 3932.	[test]		Improved named-checkconf tests. [RT #36911]
 6177 
 6178 3931.	[cleanup]	Cleanup how dlz grammar is defined. [RT #36879]
 6179 
 6180 3930.	[bug]		"rndc nta -r" could cause a server hang if the
 6181 			NTA was not found. [RT #36909]
 6182 
 6183 3929.	[bug]		'host -a' needed to clear idnoptions. [RT #36963]
 6184 
 6185 3928.	[test]		Improve rndc system test. [RT #36898]
 6186 
 6187 3927.	[bug]		dig: report PKCS#11 error codes correctly when
 6188 			compiled with --enable-native-pkcs11. [RT #36956]
 6189 
 6190 3926.	[doc]		Added doc for geoip-directory. [RT #36877]
 6191 
 6192 3925.	[bug]		DS lookup of RFC 1918 empty zones failed. [RT #36917]
 6193 
 6194 3924.	[bug]		Improve 'rndc addzone' error reporting. [RT #35187]
 6195 
 6196 3923.	[bug]		Sanity check the xml2-config output. [RT #22246]
 6197 
 6198 3922.	[bug]		When resigning, dnssec-signzone was removing
 6199 			all signatures from delegation nodes. It now
 6200 			retains DS and (if applicable) NSEC signatures.
 6201 			[RT #36946]
 6202 
 6203 3921.	[bug]		AD was inappropriately set on RPZ responses. [RT #36833]
 6204 
 6205 3920.	[doc]		Added doc for masterfile-style. [RT #36823]
 6206 
 6207 3919.	[bug]		dig: continue to next line if an address lookup fails
 6208 			in batch mode. [RT #36755]
 6209 
 6210 3918.	[doc]		Update check-spf documentation. [RT #36910]
 6211 
 6212 3917.	[bug]		dig, nslookup and host now continue on names that are
 6213 			too long after applying a search list element.
 6214 			[RT #36892]
 6215 
 6216 3916.	[contrib]	zone2sqlite checked wrong result code.  Address
 6217 			compiler warnings. [RT #36931]
 6218 
 6219 3915.	[bug]		Address an assertion if a route event arrived while
 6220 			shutting down. [RT #36887]
 6221 
 6222 3914.	[bug]		Allow the URI target and CAA value fields to
 6223 			be zero length. [RT #36737]
 6224 
 6225 3913.	[bug]		Address race issue in dispatch. [RT #36731]
 6226 
 6227 3912.	[bug]		Address some unrecoverable lookup failures. [RT #36330]
 6228 
 6229 3911.	[func]		Implement EDNS EXPIRE option client side, allowing
 6230 			a slave server to set the expiration timer correctly
 6231 			when transferring zone data from another slave
 6232 			server. [RT #35925]
 6233 
 6234 3910.	[bug]		Fix races to free event during shutdown. [RT #36720]
 6235 
 6236 3909.	[bug]		When computing the number of elements required for an
 6237 			acl count_acl_elements could have a short count leading
 6238 			to an assertion failure.  Also zero out new acl elements
 6239 			in dns_acl_merge.  [RT #36675]
 6240 
 6241 3908.	[bug]		rndc now differentiates between a zone in multiple
 6242 			views and a zone that doesn't exist at all. [RT #36691]
 6243 
 6244 3907.	[cleanup]	Alphabetize rndc help. [RT #36683]
 6245 
 6246 3906.	[protocol]	Update URI record format to comply with
 6247 			draft-faltstrom-uri-08. [RT #36642]
 6248 
 6249 3905.	[bug]		Address deadlock between view.c and adb.c. [RT #36341]
 6250 
 6251 3904.	[func]		Add the RPZ SOA to the additional section. [RT #36507]
 6252 
 6253 3903.	[bug]		Improve the accuracy of DiG's reported round trip
 6254 			time. [RT #36611]
 6255 
 6256 3902.	[bug]		liblwres wasn't handling link-local addresses in
 6257 			nameserver clauses in resolv.conf. [RT #36039]
 6258 
 6259 3901.	[protocol]	Added support for CAA record type (RFC 6844).
 6260 			[RT #36625]
 6261 
 6262 3900.	[bug]		Fix a crash in PostgreSQL DLZ driver. [RT #36637]
 6263 
 6264 3899.	[bug]		"request-ixfr" is only applicable to slave and redirect
 6265 			zones. [RT #36608]
 6266 
 6267 3898.	[bug]		Too small a buffer in tohexstr() calls in test code.
 6268 			[RT #36598]
 6269 
 6270 3897.	[bug]		RPZ summary information was not properly being updated
 6271 			after an AXFR resulting in changes sometimes being
 6272 			ignored.  [RT #35885]
 6273 
 6274 3896.	[bug]		Address performance issues with DSCP code on some
 6275 			platforms. [RT #36534]
 6276 
 6277 3895.	[func]		Add the ability to set the DSCP code point to dig.
 6278 			[RT #36546]
 6279 
 6280 3894.	[bug]		Buffers in isc_print_vsnprintf were not properly
 6281 			initialized leading to potential overflows when
 6282 			printing out quad values. [RT #36505]
 6283 
 6284 3893.	[bug]		Peer DSCP values could be returned without being set.
 6285 			[RT #36538]
 6286 
 6287 3892.	[bug]		Setting '-t aaaa' in .digrc had unintended side
 6288 			effects. [RT #36452]
 6289 
 6290 3891.	[bug]		Use ${INSTALL_SCRIPT} rather than ${INSTALL_PROGRAM}
 6291 			to install python programs.
 6292 
 6293 3890.	[bug]		RRSIG sets that were not loaded in a single transaction
 6294 			at start up were not being correctly added to
 6295 			re-signing heaps.  [RT #36302]
 6296 
 6297 3889.	[port]		hurd: configure fixes as per:
 6298 			https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746540
 6299 
 6300 3888.	[func]		'rndc status' now reports the number of automatic
 6301 			zones. [RT #36015]
 6302 
 6303 3887.	[cleanup]	Make all static symbols in rbtdb64 end in "64" so
 6304 			they are easier to use in a debugger. [RT #36373]
 6305 
 6306 3886.	[bug]		rbtdb_write_header should use a once to initialize
 6307 			FILE_VERSION. [RT #36374]
 6308 
 6309 3885.	[port]		Use 'open()' rather than 'file()' to open files in
 6310 			python.
 6311 
 6312 3884.	[protocol]	Add CDS and CDNSKEY record types. [RT #36333]
 6313 
 6314 3883.	[placeholder]
 6315 
 6316 3882.	[func]		By default, negative trust anchors will be tested
 6317 			periodically to see whether data below them can be
 6318 			validated, and if so, they will be allowed to
 6319 			expire early. The "rndc nta -force" option
 6320 			overrides this behavior.  The default NTA lifetime
 6321 			and the recheck frequency can be configured by the
 6322 			"nta-lifetime" and "nta-recheck" options. [RT #36146]
 6323 
 6324 3881.	[bug]		Address memory leak with UPDATE error handling.
 6325 			[RT #36303]
 6326 
 6327 3880.	[test]		Update ans.pl to work with new TSIG support in
 6328 			Net::DNS; add additional Net::DNS version prerequisite
 6329 			checks. [RT #36327]
 6330 
 6331 3879.	[func]		Add version printing option to various BIND utilities.
 6332 			[RT #10686]
 6333 
 6334 3878.	[bug]		Using the incorrect filename for a DLZ module
 6335 			caused a segmentation fault on startup. [RT #36286]
 6336 
 6337 3877.	[bug]		Inserting and deleting parent and child nodes
 6338 			in response policy zones could trigger an assertion
 6339 			failure. [RT #36272]
 6340 
 6341 3876.	[bug]		Improve efficiency of DLZ redirect zones by
 6342 			suppressing unnecessary database lookups. [RT #35835]
 6343 
 6344 3875.	[cleanup]	Clarify log message when unable to read private
 6345 			key files. [RT #24702]
 6346 
 6347 3874.	[test]		Check that only "check-names master" is needed for
 6348 			updates to be accepted.
 6349 
 6350 3873.	[protocol]	Only warn for SPF without TXT spf record. [RT #36210]
 6351 
 6352 3872.	[bug]		Address issues found by static analysis. [RT #36209]
 6353 
 6354 3871.	[bug]		Don't publish an activated key automatically before
 6355 			its publish time. [RT #35063]
 6356 
 6357 3870.	[func]		Updated the random number generator used in
 6358 			the resolver to use the updated ChaCha based one
 6359 			(similar to OpenBSD's changes). Also moved the
 6360 			RNG to libisc and added unit tests for it.
 6361 			[RT #35942]
 6362 
 6363 3869.	[doc]		Document that in-view zones cannot be used for
 6364 			response policy zones. [RT #35941]
 6365 
 6366 3868.	[bug]		isc_mem_setwater incorrectly cleared hi_called
 6367 			potentially leaving over memory cleaner running.
 6368 			[RT #35270]
 6369 
 6370 3867.	[func]		"rndc nta" can now be used to set a temporary
 6371 			negative trust anchor, which disables DNSSEC
 6372 			validation below a specified name for a specified
 6373 			period of time (not exceeding 24 hours).  This
 6374 			can be used when validation for a domain is known
 6375 			to be failing due to a configuration error on
 6376 			the part of the domain owner rather than a
 6377 			spoofing attack. [RT #29358]
 6378 
 6379 3866.	[bug]		Named could die on disk full in generate_session_key.
 6380 			[RT #36119]
 6381 
 6382 3865.	[test]		Improved testability of the red-black tree
 6383 			implementation and added unit tests. [RT #35904]
 6384 
 6385 3864.	[bug]		RPZ didn't work well when being used as forwarder.
 6386 			[RT #36060]
 6387 
 6388 3863.	[bug]		The "E" flag was missing from the query log as an
 6389 			unintended side effect of code rearrangement to
 6390 			support EDNS EXPIRE. [RT #36117]
 6391 
 6392 3862.	[cleanup]	Return immediately if we are not going to log the
 6393 			message in ns_client_dumpmessage.
 6394 
 6395 3861.	[security]	Missing isc_buffer_availablelength check results
 6396 			in a REQUIRE assertion when printing out a packet
 6397 			(CVE-2014-3859).  [RT #36078]
 6398 
 6399 3860.	[bug]		ioctl(DP_POLL) array size needs to be determined
 6400 			at run time as it is limited to {OPEN_MAX}.
 6401 			[RT #35878]
 6402 
 6403 3859.	[placeholder]
 6404 
 6405 3858.	[bug]		Disable GCC 4.9 "delete null pointer check".
 6406 			[RT #35968]
 6407 
 6408 3857.	[bug]		Make it harder for an incorrect NOEDNS classification
 6409 			to be made. [RT #36020]
 6410 
 6411 3856.	[bug]		Configuring libjson without also configuring libxml
 6412 			resulted in a REQUIRE assertion when retrieving
 6413 			statistics using json. [RT #36009]
 6414 
 6415 3855.	[bug]		Limit smoothed round trip time aging to no more than
 6416 			once a second. [RT #32909]
 6417 
 6418 3854.	[cleanup]	Report unrecognized options, if any, in the final
 6419 			configure summary. [RT #36014]
 6420 
 6421 3853.	[cleanup]	Refactor dns_rdataslab_fromrdataset to separate out
 6422 			the handling of an rdataset with no records. [RT #35968]
 6423 
 6424 3852.	[func]		Increase the default number of clients available
 6425 			for servicing lightweight resolver queries, and
 6426 			make them configurable via the "lwres-tasks" and
 6427 			"lwres-clients" options.  (Thanks to Tomas Hozza.)
 6428 			[RT #35857]
 6429 
 6430 3851.	[func]		Allow libseccomp based system-call filtering
 6431 			on Linux; use "configure --enable-seccomp" to
 6432 			turn it on.  Thanks to Loganaden Velvindron
 6433 			of AFRINIC for the contribution. [RT #35347]
 6434 
 6435 3850.	[bug]		Disabling forwarding could trigger a REQUIRE assertion.
 6436 			[RT #35979]
 6437 
 6438 3849.	[doc]		Alphabetized dig's +options. [RT #35992]
 6439 
 6440 3848.	[bug]		Adjust 'statistics-channels specified but not effective'
 6441 			error message to account for JSON support. [RT #36008]
 6442 
 6443 3847.	[bug]		'configure --with-dlz-postgres' failed to fail when
 6444 			there is no support available.
 6445 
 6446 3846.	[bug]		"dig +notcp ixfr=<serial>" should result in a UDP
 6447 			ixfr query. [RT #35980]
 6448 
 6449 3845.	[placeholder]
 6450 
 6451 3844.	[bug]		Use the x64 version of the Microsoft Visual C++
 6452 			Redistributable when built for 64 bit Windows.
 6453 			[RT #35973]
 6454 
 6455 3843.	[protocol]	Check EDNS EXPIRE option in dns_rdata_fromwire.
 6456 			[RT #35969]
 6457 
 6458 3842.	[bug]		Adjust RRL log-only logging category. [RT #35945]
 6459 
 6460 3841.	[cleanup]	Refactor zone.c:add_opt to use dns_message_buildopt.
 6461 			[RT #35924]
 6462 
 6463 3840.	[port]		Check for arc4random_addrandom() before using it;
 6464 			it's been removed from OpenBSD 5.5. [RT #35907]
 6465 
 6466 3839.	[test]		Use only posix-compatible shell in system tests.
 6467 			[RT #35625]
 6468 
 6469 3838.	[protocol]	EDNS EXPIRE has been assigned a code point of 9.
 6470 
 6471 3837.	[security]	A NULL pointer is passed to query_prefetch resulting
 6472 			in a REQUIRE assertion failure when a fetch is actually
 6473 			initiated (CVE-2014-3214).  [RT #35899]
 6474 
 6475 3836.	[bug]		Address C++ keyword usage in header file.
 6476 
 6477 3835.	[bug]		Geoip ACL elements didn't work correctly when
 6478 			referenced via named or nested ACLs. [RT #35879]
 6479 
 6480 3834.	[bug]		The re-signing heaps were not being updated soon enough
 6481 			leading to multiple re-generations of the same RRSIG
 6482 			when a zone transfer was in progress. [RT #35273]
 6483 
 6484 3833.	[bug]		Cross compiling was broken due to calling genrandom at
 6485 			build time. [RT #35869]
 6486 
 6487 3832.	[func]		"named -L <filename>" causes named to send log
 6488 			messages to the specified file by default instead
 6489 			of to the system log. (Thanks to Tony Finch.)
 6490 			[RT #35845]
 6491 
 6492 3831.	[cleanup]	Reduce logging noise when EDNS state changes occur.
 6493 			[RT #35843]
 6494 
 6495 3830.	[func]		When query logging is enabled, log query errors at
 6496 			the same level ('info') as the queries themselves.
 6497 			[RT #35844]
 6498 
 6499 3829.	[func]		"dig +ttlunits" causes dig to print TTL values
 6500 			with time-unit suffixes: w, d, h, m, s for
 6501 			weeks, days, hours, minutes, and seconds. (Thanks
 6502 			to Tony Finch.) [RT #35823]
 6503 
 6504 3828.	[func]		"dnssec-signzone -N date" updates serial number
 6505 			to the current date in YYYYMMDDNN format.
 6506 			[RT #35800]
 6507 
 6508 3827.	[placeholder]
 6509 
 6510 3826.	[bug]		Corrected bad INSIST logic in isc_radix_remove().
 6511 			[RT #35870]
 6512 
 6513 3825.	[bug]		Address sign extension bug in isc_regex_validate.
 6514 			[RT #35758]
 6515 
 6516 3824.	[bug]		A collision between two flag values could cause
 6517 			problems with cache cleaning when SIT was enabled.
 6518 			[RT #35858]
 6519 
 6520 3823.	[func]		Log the rpz cname target when rewriting. [RT #35667]
 6521 
 6522 3822.	[bug]		Log the correct type of static-stub zones when
 6523 			removing them. [RT #35842]
 6524 
 6525 3821.	[contrib]	Added a new "mysqldyn" DLZ module with dynamic
 6526 			update and transaction support. Thanks to Marty
 6527 			Lee for the contribution. [RT #35656]
 6528 
 6529 3820.	[func]		The DLZ API doesn't pass the database version to
 6530 			the lookup() function; this can cause DLZ modules
 6531 			that allow dynamic updates to mishandle prerequisite
 6532 			checks. This has been corrected by adding a
 6533 			'dbversion' field to the dns_clientinfo_t
 6534 			structure. [RT #35656]
 6535 
 6536 3819.	[bug]		NSEC3 hashes need to be able to be entered and
 6537 			displayed without padding.  This is not an issue for
 6538 			currently defined algorithms but may be for future
 6539 			hash algorithms. [RT #27925]
 6540 
 6541 3818.	[bug]		Stop lying to the optimizer that 'void *arg' is a
 6542 			constant in isc_event_allocate.
 6543 
 6544 3817.	[func]		The "delve" command is now spelled "delv" to avoid
 6545 			a namespace collision with the Xapian project.
 6546 			[RT #35801]
 6547 
 6548 3816.	[func]		"dig +qr" now reports query size. (Thanks to
 6549 			Tony Finch.) [RT #35822]
 6550 
 6551 3815.	[doc]		Clarify "nsupdate -y" usage in man page. [RT #35808]
 6552 
 6553 3814.	[func]		The "masterfile-style" zone option controls the
 6554 			formatting of dumped zone files. Options are
 6555 			"relative" (multiline format) and "full" (one
 6556 			record per line). The default is "relative".
 6557 			[RT #20798]
 6558 
 6559 3813.	[func]		"host" now recognizes the "timeout", "attempts" and
 6560 			"debug" options when set in /etc/resolv.conf.
 6561 			(Thanks to Adam Tkac at RedHat.) [RT #21885]
 6562 
 6563 3812.	[func]		Dig now supports sending arbitrary EDNS options from
 6564 			the command line (+ednsopt=code[:value]). [RT #35584]
 6565 
 6566 3811.	[func]		"serial-update-method date;" sets serial number
 6567 			on dynamic update to today's date in YYYYMMDDNN
 6568 			format. (Thanks to Bradley Forschinger.) [RT #24903]
 6569 
 6570 3810.	[bug]		Work around broken nameservers that fail to ignore
 6571 			unknown EDNS options. [RT #35766]
 6572 
 6573 3809.	[doc]		Fix SIT and NSID documentation.
 6574 
 6575 3808.	[doc]		Clean up "prefetch" documentation. [RT #35751]
 6576 
 6577 3807.	[bug]		Fix sign extension bug in dns_name_fromtext when
 6578 			lowercase is set. [RT #35743]
 6579 
 6580 3806.	[test]		Improved system test portability. [RT #35625]
 6581 
 6582 3805.	[contrib]	Added contrib/perftcpdns, a performance testing tool
 6583 			for DNS over TCP. [RT #35710]
 6584 
 6585 	--- 9.10.0rc1 released ---
 6586 
 6587 3804.	[bug]		Corrected a race condition in dispatch.c in which
 6588 			portentry could be reset leading to an assertion
 6589 			failure in socket_search(). (Change #3708
 6590 			addressed the same issue but was incomplete.)
 6591 			[RT #35128]
 6592 
 6593 3803.	[bug]		"named-checkconf -z" incorrectly rejected zones
 6594 			using alternate data sources for not having a "file"
 6595 			option. [RT #35685]
 6596 
 6597 3802.	[bug]		Various header files were not being installed.
 6598 
 6599 3801.	[port]		Fix probing for gssapi support on FreeBSD. [RT #35615]
 6600 
 6601 3800.	[bug]		A pending event on the route socket could cause an
 6602 			assertion failure when shutting down named. [RT #35674]
 6603 
 6604 3799.	[bug]		Improve named's command line error reporting.
 6605 			[RT #35603]
 6606 
 6607 3798.	[bug]		'rndc zonestatus' was reporting the wrong re-signing
 6608 			time. [RT #35659]
 6609 
 6610 3797.	[port]		netbsd: geoip support probing was broken. [RT #35642]
 6611 
 6612 3796.	[bug]		Register dns and pkcs#11 error codes. [RT #35629]
 6613 
 6614 3795.	[bug]		Make named-checkconf detect raw masterfiles for
 6615 			hint zones and reject them. [RT #35268]
 6616 
 6617 3794.	[maint]		Added AAAA for C.ROOT-SERVERS.NET.
 6618 
 6619 3793.	[bug]		zone.c:save_nsec3param() could assert when out of
 6620 			memory. [RT #35621]
 6621 
 6622 3792.	[func]		Provide links to the alternate statistics views when
 6623 			displaying in a browser.  [RT #35605]
 6624 
 6625 3791.	[placeholder]
 6626 
 6627 3790.	[bug]		Handle broken nameservers that send BADVERS in
 6628 			response to unknown EDNS options.  Maintain
 6629 			statistics on BADVERS responses.
 6630 
 6631 3789.	[bug]		Null pointer dereference on rbt creation failure.
 6632 
 6633 3788.	[bug]		dns_peer_getrequestsit was returning request_nsid by
 6634 			mistake.
 6635 
 6636 	--- 9.10.0b2 released ---
 6637 
 6638 3787.	[bug]		The code that checks whether "auto-dnssec" is
 6639 			allowed was ignoring "allow-update" ACLs set at
 6640 			the options or view level. [RT #29536]
 6641 
 6642 3786.	[func]		Provide more detailed error codes when using
 6643 			native PKCS#11. "pkcs11-tokens" now fails robustly
 6644 			rather than asserting when run against an HSM with
 6645 			an incomplete PKCS#11 API implementation. [RT #35479]
 6646 
 6647 3785.	[bug]		Debugging code dumphex didn't accept arbitrarily long
 6648 			input (only compiled with -DDEBUG). [RT #35544]
 6649 
 6650 3784.	[bug]		Using "rrset-order fixed" when it had not been
 6651 			enabled at compile time caused inconsistent
 6652 			results. It now works as documented, defaulting
 6653 			to cyclic mode. [RT #28104]
 6654 
 6655 3783.	[func]		"tsig-keygen" is now available as an alternate
 6656 			command name for "ddns-confgen".  It generates
 6657 			a TSIG key in named.conf format without comments.
 6658 			[RT #35503]
 6659 
 6660 3782.	[func]		Specifying "auto" as the salt when using
 6661 			"rndc signing -nsec3param" causes named to
 6662 			generate a 64-bit salt at random. [RT #35322]
 6663 
 6664 3781.	[tuning]	Use adaptive mutex locks when available; this
 6665 			has been found to improve performance under load
 6666 			on many systems. "configure --with-locktype=standard"
 6667 			restores conventional mutex locks. [RT #32576]
 6668 
 6669 3780.	[bug]		$GENERATE handled negative numbers incorrectly.
 6670 			[RT #25528]
 6671 
 6672 3779.	[cleanup]	Clarify the error message when using an option
 6673 			that was not enabled at compile time. [RT #35504]
 6674 
 6675 3778.	[bug]		Log a warning when the wrong address family is
 6676 			used in "listen-on" or "listen-on-v6". [RT #17848]
 6677 
 6678 3777.	[bug]		EDNS EXPIRE code could dump core when processing
 6679 			DLZ queries. [RT #35493]
 6680 
 6681 3776.	[func]		"rndc -q" suppresses output from successful
 6682 			rndc commands. Errors are printed on stderr.
 6683 			[RT #21393]
 6684 
 6685 3775.	[bug]		dlz_dlopen driver could return the wrong error
 6686 			code on API version mismatch, leading to a segfault.
 6687 			[RT #35495]
 6688 
 6689 3774.	[func]		When using "request-nsid", log the NSID value in
 6690 			printable form as well as hex. [RT #20864]
 6691 
 6692 3773.	[func]		"host", "nslookup" and "nsupdate" now have
 6693 			options to print the version number and exit.
 6694 			[RT #26057]
 6695 
 6696 3772.	[contrib]	Added sqlite3 dynamically-loadable DLZ module.
 6697 			(Based in part on a contribution from Tim Tessier.)
 6698 			[RT #20822]
 6699 
 6700 3771.	[cleanup]	Adjusted log level for "using built-in key"
 6701 			messages. [RT #24383]
 6702 
 6703 3770.	[bug]		"dig +trace" could fail with an assertion when it
 6704 			needed to fall back to TCP due to a truncated
 6705 			response. [RT #24660]
 6706 
 6707 3769.	[doc]		Improved documentation of "rndc signing -list".
 6708 			[RT #30652]
 6709 
 6710 3768.	[bug]		"dnssec-checkds" was missing the SHA-384 digest
 6711 			algorithm. [RT #34000]
 6712 
 6713 3767.	[func]		Log explicitly when using rndc.key to configure
 6714 			command channel. [RT #35316]
 6715 
 6716 3766.	[cleanup]	Fixed problems with building outside the source
 6717 			tree when using native PKCS#11. [RT #35459]
 6718 
 6719 3765.	[bug]		Fixed a bug in "rndc secroots" that could crash
 6720 			named when dumping an empty keynode. [RT #35469]
 6721 
 6722 3764.	[bug]		The dnssec-keygen/settime -S and -i options
 6723 			(to set up a successor key and set the prepublication
 6724 			interval) were missing from dnssec-keyfromlabel.
 6725 			[RT #35394]
 6726 
 6727 3763.	[bug]		delve: Cache DNSSEC records to avoid the need to
 6728 			re-fetch them when restarting validation. [RT #35476]
 6729 
 6730 3762.	[bug]		Address build problems with --pkcs11-native +
 6731 			--with-openssl with ECDSA support. [RT #35467]
 6732 
 6733 3761.	[bug]		Address dangling reference bug in dns_keytable_add.
 6734 			[RT #35471]
 6735 
 6736 3760.	[bug]		Improve SIT with native PKCS#11 and on Windows.
 6737 			[RT #35433]
 6738 
 6739 3759.	[port]		Enable delve on Windows. [RT #35441]
 6740 
 6741 3758.	[port]		Enable export library APIs on Windows. [RT #35382]
 6742 
 6743 3757.	[port]		Enable Python tools (dnssec-coverage,
 6744 			dnssec-checkds) to run on Windows. [RT #34355]
 6745 
 6746 3756.	[bug]		GSSAPI Kerberos realm checking was broken in
 6747 			check_config leading to spurious messages being
 6748 			logged.  [RT #35443]
 6749 
 6750 	--- 9.10.0b1 released ---
 6751 
 6752 3755.	[func]		Add stats counters for known EDNS options + others.
 6753 			[RT #35447]
 6754 
 6755 3754.	[cleanup]	win32: Installer now places files in the
 6756 			Program Files area rather than system services.
 6757 			[RT #35361]
 6758 
 6759 3753.	[bug]		allow-notify was ignoring keys. [RT #35425]
 6760 
 6761 3752.	[bug]		Address potential REQUIRE failure if
 6762 			DNS_STYLEFLAG_COMMENTDATA is set when printing out
 6763 			an rdataset.
 6764 
 6765 3751.	[tuning]	The default setting for the -U option (setting
 6766 			the number of UDP listeners per interface) has
 6767 			been adjusted to improve performance. [RT #35417]
 6768 
 6769 3750.	[experimental]	Partially implement EDNS EXPIRE option as described
 6770 			in draft-andrews-dnsext-expire-00.  Retrieval of
 6771 			the remaining time until expiry for slave zones
 6772 			is supported.
 6773 
 6774 			EXPIRE uses an experimental option code (65002),
 6775 			which is subject to change. [RT #35416]
 6776 
 6777 3749.	[func]		"dig +subnet" sends an EDNS client subnet option
 6778 			containing the specified address/prefix when
 6779 			querying. (Thanks to Wilmer van der Gaast.)
 6780 			[RT #35415]
 6781 
 6782 3748.	[test]		Use delve to test dns_client interfaces. [RT #35383]
 6783 
 6784 3747.	[bug]		A race condition could lead to a core dump when
 6785 			destroying a resolver fetch object. [RT #35385]
 6786 
 6787 3746.	[func]		New "max-zone-ttl" option enforces maximum
 6788 			TTLs for zones. If loading a zone containing a
 6789 			higher TTL, the load fails. DDNS updates with
 6790 			higher TTLs are accepted but the TTL is truncated.
 6791 			(Note: Currently supported for master zones only;
 6792 			inline-signing slaves will be added.) [RT #38405]
 6793 
 6794 3745.	[func]		"configure --with-tuning=large" adjusts various
 6795 			compiled-in constants and default settings to
 6796 			values suited to large servers with abundant
 6797 			memory. [RT #29538]
 6798 
 6799 3744.	[experimental]	SIT: send and process Source Identity Tokens
 6800 			(similar to DNS Cookies by Donald Eastlake 3rd),
 6801 			which are designed to help clients detect off-path
 6802 			spoofed responses and for servers to identify
 6803 			legitimate clients.
 6804 
 6805 			SIT uses an experimental EDNS option code (65001),
 6806 			which will be changed to an IANA-assigned value
 6807 			if the experiment is deemed a success.
 6808 
 6809 			SIT can be enabled via "configure --enable-sit" (or
 6810 			--enable-developer). It is enabled by default in
 6811 			Windows.
 6812 
 6813 			Servers can be configured to send smaller responses
 6814 			to clients that have not identified themselves via
 6815 			SIT.  RRL processing has also been updated;
 6816 			legitimate clients are not subject to rate
 6817 			limiting. [RT #35389]
 6818 
 6819 3743.	[bug]		delegation-only flag wasn't working in forward zone
 6820 			declarations despite being documented.  This is
 6821 			needed to support turning off forwarding and turning
 6822 			on delegation only at the same name.  [RT #35392]
 6823 
 6824 3742.	[port]		linux: libcap support: declare curval at start of
 6825 			block. [RT #35387]
 6826 
 6827 3741.	[func]		"delve" (domain entity lookup and validation engine):
 6828 			A new tool with dig-like semantics for performing DNS
 6829 			lookups, with internal DNSSEC validation, using the
 6830 			same resolver and validator logic as named. This
 6831 			allows easy validation of DNSSEC data in environments
 6832 			with untrustworthy resolvers, and assists with
 6833 			troubleshooting of DNSSEC problems. [RT #32406]
 6834 
 6835 3740.	[contrib]	Minor fixes to configure --with-dlz-bdb,
 6836 			--with-dlz-postgres and --with-dlz-odbc. [RT #35340]
 6837 
 6838 3739.	[func]		Added per-zone stats counters to track TCP and
 6839 			UDP queries. [RT #35375]
 6840 
 6841 3738.	[bug]		--enable-openssl-hash failed to build. [RT #35343]
 6842 
 6843 3737.	[bug]		'rndc retransfer' could trigger an assertion failure
 6844 			with inline zones. [RT #35353]
 6845 
 6846 3736.	[bug]		nsupdate: When specifying a server by name,
 6847 			fall back to alternate addresses if the first
 6848 			address for that name is not reachable. [RT #25784]
 6849 
 6850 3735.	[cleanup]	Merged the libiscpk11 library into libisc
 6851 			to simplify dependencies. [RT #35205]
 6852 
 6853 3734.	[bug]		Improve building with libtool. [RT #35314]
 6854 
 6855 3733.	[func]		Improve interface scanning support.  Interface
 6856 			information will be automatically updated if the
 6857 			OS supports routing sockets (MacOS, *BSD, Linux).
 6858 			Use "automatic-interface-scan no;" to disable.
 6859 
 6860 			Add "rndc scan" to trigger a scan. [RT #23027]
 6861 
 6862 3732.	[contrib]	Fixed a type mismatch causing the ODBC DLZ
 6863 			driver to dump core on 64-bit systems. [RT #35324]
 6864 
 6865 3731.	[func]		Added a "no-case-compress" ACL, which causes
 6866 			named to use case-insensitive compression
 6867 			(disabling change #3645) for specified
 6868 			clients. (This is useful when dealing
 6869 			with broken client implementations that
 6870 			use case-sensitive name comparisons,
 6871 			rejecting responses that fail to match the
 6872 			capitalization of the query that was sent.)
 6873 			[RT #35300]
 6874 
 6875 3730.	[cleanup]	Added "never" as a synonym for "none" when
 6876 			configuring key event dates in the dnssec tools.
 6877 			[RT #35277]
 6878 
 6879 3729.	[bug]		dnssec-keygen could set the publication date
 6880 			incorrectly when only the activation date was
 6881 			specified on the command line. [RT #35278]
 6882 
 6883 3728.	[doc]		Expanded native-PKCS#11 documentation,
 6884 			specifically pkcs11: URI labels. [RT #35287]
 6885 
 6886 3727.	[func]		The isc_bitstring API is no longer used and
 6887 			has been removed from libisc. [RT #35284]
 6888 
 6889 3726.	[cleanup]	Clarified the error message when attempting
 6890 			to configure more than 32 response-policy zones.
 6891 			[RT #35283]
 6892 
 6893 3725.	[contrib]	Updated zkt and nslint to newest versions,
 6894 			cleaned up and rearranged the contrib
 6895 			directory, and added a README.
 6896 
 6897 	--- 9.10.0a2 released ---
 6898 
 6899 3724.	[bug]		win32: Fixed a bug that prevented dig and
 6900 			host from exiting properly after completing
 6901 			a UDP query. [RT #35288]
 6902 
 6903 3723.	[cleanup]	Imported keys are now handled the same way
 6904 			regardless of DNSSEC algorithm. [RT #35215]
 6905 
 6906 3722.	[bug]		Using geoip ACLs in a blackhole statement
 6907 			could cause a segfault. [RT #35272]
 6908 
 6909 3721.	[doc]		Improved documentation of the EDNS processing
 6910 			enhancements introduced in change #3593. [RT #35275]
 6911 
 6912 3720.	[bug]		Address compiler warnings. [RT #35261]
 6913 
 6914 3719.	[bug]		Address memory leak in peer.c. [RT #35255]
 6915 
 6916 3718.	[bug]		A missing ISC_LINK_INIT in log.c. [RT #35260]
 6917 
 6918 3717.	[port]		hpux: Treat EOPNOTSUPP as an expected error code when
 6919 			probing to see if it is possible to set dscp values
 6920 			on a per packet basis. [RT #35252]
 6921 
 6922 3716.	[bug]		The dns_request code was setting dscp values when not
 6923 			requested.  [RT #35252]
 6924 
 6925 3715.	[bug]		The region and city databases could fail to
 6926 			initialize when using some versions of libGeoIP,
 6927 			causing assertion failures when named was
 6928 			configured to use them. [RT #35427]
 6929 
 6930 3714.	[test]		System tests that need to test for cryptography
 6931 			support before running can now use a common
 6932 			"testcrypto.sh" script to do so. [RT #35213]
 6933 
 6934 3713.	[bug]		Save memory by not storing "also-notify" addresses
 6935 			in zone objects that are configured not to send
 6936 			notify requests. [RT #35195]
 6937 
 6938 3712.	[placeholder]
 6939 
 6940 3711.	[placeholder]
 6941 
 6942 3710.	[bug]		Address double dns_zone_detach when switching to
 6943 			using automatic empty zones from regular zones.
 6944 			[RT #35177]
 6945 
 6946 3709.	[port]		Use built-in versions of strptime() and timegm()
 6947 			on all platforms to avoid portability issues.
 6948 			[RT #35183]
 6949 
 6950 3708.	[bug]		Address a portentry locking issue in dispatch.c.
 6951 			[RT #35128]
 6952 
 6953 3707.	[bug]		irs_resconf_load now returns ISC_R_FILENOTFOUND
 6954 			on a missing resolv.conf file and initializes the
 6955 			structure as if it had been configured with:
 6956 
 6957 				nameserver ::1
 6958 				nameserver 127.0.0.1
 6959 
 6960 			Note: Callers will need to be updated to treat
 6961 			ISC_R_FILENOTFOUND as a qualified success or else
 6962 			they will leak memory. The following code fragment
 6963 			will work with both old and new versions without
 6964 			changing the behaviour of the existing code.
 6965 
 6966 			resconf = NULL;
 6967 			result = irs_resconf_load(mctx, "/etc/resolv.conf",
 6968 						  &resconf);
 6969 			if (result != ISC_R_SUCCESS) {
 6970 				if (resconf != NULL)
 6971 					irs_resconf_destroy(&resconf);
 6972 				....
 6973 			}
 6974 
 6975 			[RT #35194]
 6976 
 6977 3706.	[contrib]	queryperf: Fixed a possible integer overflow when
 6978 			printing results. [RT #35182]
 6979 
 6980 3705.	[func]		"configure --enable-native-pkcs11" enables BIND
 6981 			to use the PKCS#11 API for all cryptographic
 6982 			functions, so that it can drive a hardware security
 6983 			module directly without the need to use a modified
 6984 			OpenSSL as intermediary (so long as the HSM's vendor
 6985 			provides a complete-enough implementation of the
 6986 			PKCS#11 interface). This has been tested successfully
 6987 			with the Thales nShield HSM and with SoftHSMv2 from
 6988 			the OpenDNSSEC project. [RT #29031]
 6989 
 6990 3704.	[protocol]	Accept integer timestamps in RRSIG records. [RT #35185]
 6991 
 6992 3703.	[func]		To improve recursive resolver performance, cache
 6993 			records which are still being requested by clients
 6994 			can now be automatically refreshed from the
 6995 			authoritative server before they expire, reducing
 6996 			or eliminating the time window in which no answer
 6997 			is available in the cache. See the "prefetch" option
 6998 			for more details. [RT #35041]
 6999 
 7000 3702.	[func]		'dnssec-coverage -l' option specifies a length
 7001 			of time to check for coverage; events further into
 7002 			the future are ignored.  'dnssec-coverage -z'
 7003 			checks only ZSK events, and 'dnssec-coverage -k'
 7004 			checks only KSK events.  (Thanks to Peter Palfrader.)
 7005 			[RT #35168]
 7006 
 7007 3701.	[func]		named-checkconf can now obscure shared secrets
 7008 			when printing by specifying '-x'. [RT #34465]
 7009 
 7010 3700.	[func]		Allow access to subgroups of XML statistics via
 7011 			special URLs http://<server>:<port>/xml/v3/server,
 7012 			/zones, /net, /tasks, /mem, and /status.  [RT #35115]
 7013 
 7014 3699.	[bug]		Improvements to statistics channel XSL stylesheet:
 7015 			the stylesheet can now be cached by the browser;
 7016 			section headers are omitted from the stats display
 7017 			when there is no data in those sections to be
 7018 			displayed; counters are now right-justified for
 7019 			easier readability. [RT #35117]
 7020 
 7021 3698.	[cleanup]	Replaced all uses of memcpy() with memmove().
 7022 			[RT #35120]
 7023 
 7024 3697.	[bug]		Handle "." as a search list element when IDN support
 7025 			is enabled. [RT #35133]
 7026 
 7027 3696.	[bug]		dig failed to handle AXFR style IXFR responses which
 7028 			span multiple messages. [RT #35137]
 7029 
 7030 3695.	[bug]		Address a possible race in dispatch.c. [RT #35107]
 7031 
 7032 3694.	[bug]		Warn when a key-directory is configured for a zone,
 7033 			but does not exist or is not a directory. [RT #35108]
 7034 
 7035 3693.	[security]	memcpy was incorrectly called with overlapping
 7036 			ranges resulting in malformed names being generated
 7037 			on some platforms.  This could cause INSIST failures
 7038 			when serving NSEC3 signed zones (CVE-2014-0591).
 7039 			[RT #35120]
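
The failure mode in change 3693, shown as an added example that is not BIND's code: a wire-format name is shifted inside its own buffer to make room for a prepended label. `forward_copy()` is a stand-in for one way a memcpy() implementation may behave on overlapping ranges (the real call is undefined behaviour); the name, the prepended label and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Stand-in for a memcpy() that copies from low to high addresses.
 * With dst > src and overlapping ranges it overwrites source bytes
 * before it has read them.
 */
static void forward_copy(unsigned char *dst, const unsigned char *src, size_t n) {
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i];
}

/*
 * Walk the labels of an uncompressed wire-format name occupying exactly
 * len bytes. Well formed means: every label is 1..63 bytes and the root
 * label (a zero length byte) is the last byte of the name.
 */
static int name_is_wellformed(const unsigned char *p, size_t len) {
    size_t i = 0;
    while (i < len) {
        unsigned int l = p[i];
        if (l == 0)
            return i + 1 == len;
        if (l > 63)
            return 0;
        i += 1 + l;
    }
    return 0; /* ran off the end without reaching the root label */
}

/*
 * Prepend the label "foo" to the name stored at the start of buf by
 * shifting the existing name up by four bytes. Source and destination
 * of the shift overlap, so only memmove() is a correct choice.
 */
static size_t prepend_label(unsigned char *buf, size_t namelen, int use_memmove) {
    static const unsigned char label[4] = { 3, 'f', 'o', 'o' };

    if (use_memmove)
        memmove(buf + sizeof(label), buf, namelen);
    else
        forward_copy(buf + sizeof(label), buf, namelen);

    /* label is a separate object, so memcpy() is fine here */
    memcpy(buf, label, sizeof(label));
    return namelen + sizeof(label);
}

/* Returns 1 if the shifted name is still well formed, 0 otherwise. */
static int shifted_name_ok(int use_memmove) {
    /* Constructed sample: www.example.com, the trailing NUL is the root label */
    static const unsigned char name[] = "\3www\7example\3com";
    unsigned char buf[64] = { 0 };
    size_t len;

    memcpy(buf, name, sizeof(name));
    len = prepend_label(buf, sizeof(name), use_memmove);
    return name_is_wellformed(buf, len);
}

int main(void) {
    printf("memmove:      well formed = %d\n", shifted_name_ok(1));
    printf("forward copy: well formed = %d\n", shifted_name_ok(0));
    return 0;
}
```

With the forward copy the first four bytes of the name repeat through the buffer and the root label is lost, so a consumer that trusts the name's structure walks past its end.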
 7040 
 7041 3692.	[bug]		Two calls to dns_db_getoriginnode were fatal if there
 7042 			was no data at the node. [RT #35080]
 7043 
 7044 3691.	[contrib]	Address null pointer dereference in LDAP and
 7045 			MySQL DLZ modules.
 7046 
 7047 3690.	[bug]		Iterative responses could be missed when the source
 7048 			port for an upstream query was the same as the
 7049 			listener port (53). [RT #34925]
 7050 
 7051 3689.	[bug]		Fixed a bug causing an insecure delegation from one
 7052 			static-stub zone to another to fail with a broken
 7053 			trust chain. [RT #35081]
 7054 
 7055 3688.	[bug]		loadnode could return a freed node on out of memory.
 7056 			[RT #35106]
 7057 
 7058 3687.	[bug]		Address null pointer dereference in zone_xfrdone.
 7059 			[RT #35042]
 7060 
 7061 3686.	[func]		"dnssec-signzone -Q" drops signatures from keys
 7062 			that are still published but no longer active.
 7063 			[RT #34990]
 7064 
 7065 3685.	[bug]		"rndc refresh" didn't work correctly with slave
 7066 			zones using inline-signing. [RT #35105]
 7067 
 7068 3684.	[bug]		The list of included files would grow on reload.
 7069 			[RT #35090]
 7070 
 7071 3683.	[cleanup]	Add a more detailed "not found" message to rndc
 7072 			commands which specify a zone name. [RT #35059]
 7073 
 7074 3682.	[bug]		Correct the behavior of rndc retransfer to allow
 7075 			inline-signing slave zones to retain NSEC3 parameters
 7076 			instead of reverting to NSEC. [RT #34745]
 7077 
 7078 3681.	[port]		Update the Windows build system to support feature
 7079 			selection and WIN64 builds.  This is a work in
 7080 			progress. [RT #34160]
 7081 
 7082 3680.	[bug]		Ensure buffer space is available in "rndc zonestatus".
 7083 			[RT #35084]
 7084 
 7085 3679.	[bug]		dig could fail to clean up TCP sockets still
 7086 			waiting on connect(). [RT #35074]
 7087 
 7088 3678.	[port]		Update config.guess and config.sub. [RT #35060]
 7089 
 7090 3677.	[bug]		'nsupdate' leaked memory if 'realm' was used multiple
 7091 			times.  [RT #35073]
 7092 
 7093 3676.	[bug]		"named-checkconf -z" now checks zones of type
 7094 			hint and redirect as well as master. [RT #35046]
 7095 
 7096 3675.	[misc]		Provide a place for third parties to add version
 7097 			information for their extensions in the version
 7098 			file by setting the EXTENSIONS variable.
 7099 
 7100 	--- 9.10.0a1 released ---
 7101 
 7102 3674.	[bug]		RPZ zeroed ttls if the query type was '*'. [RT #35026]
 7103 
 7104 3673.	[func]		New "in-view" zone option allows direct sharing
 7105 			of zones between views. [RT #32968]
 7106 
 7107 3672.	[func]		Local address can now be specified when using
 7108 			dns_client API. [RT #34811]
 7109 
 7110 3671.	[bug]		Don't allow dnssec-importkey to overwrite an existing
 7111 			non-imported private key.
 7112 
 7113 3670.	[bug]		Address read after free in server side of
 7114 			lwres_getrrsetbyname. [RT #29075]
 7115 
 7116 3669.	[port]		freebsd: --with-gssapi needs -lhx509. [RT #35001]
 7117 
 7118 3668.	[bug]		Fix cast in lex.c which could see 0xff treated as eof.
 7119 			[RT #34993]
 7120 
 7121 3667.	[test]		dig: add support to keep the TCP socket open between
 7122 			successive queries (+[no]keepopen).  [RT #34918]
 7123 
 7124 3666.	[func]		Add a tool, named-rrchecker, for checking the syntax
 7125 			of individual resource records.  This tool is intended
 7126 			to be called by provisioning systems so that the front
 7127 			end does not need to be upgraded to support new DNS
 7128 			record types. [RT #34778]
 7129 
 7130 3665.	[bug]		Failure to release lock on error in receive_secure_db.
 7131 			[RT #34944]
 7132 
 7133 3664.	[bug]		Updated OpenSSL PKCS#11 patches to fix active list
 7134 			locking and other bugs. [RT #34855]
 7135 
 7136 3663.	[bug]		Address bugs in dns_rdata_fromstruct and
 7137 			dns_rdata_tostruct for WKS and ISDN types. [RT #34910]
 7138 
 7139 3662.	[bug]		'host' could die if a UDP query timed out. [RT #34870]
 7140 
 7141 3661.	[bug]		Address lock order reversal deadlock with inline zones.
 7142 			[RT #34856]
 7143 
 7144 3660.	[cleanup]	Changed the name of "isc-config.sh" to "bind9-config".
 7145 			[RT #23825]
 7146 
 7147 3659.	[port]		solaris: don't add explicit dependencies/rules for
 7148 			python programs as make won't use the implicit rules.
 7149 			[RT #34835]
 7150 
 7151 3658.	[port]		linux: Address platform specific compilation issue
 7152 			when libcap-devel is installed. [RT #34838]
 7153 
 7154 3657.	[port]		Some readline clones don't accept NULL pointers when
 7155 			calling add_history. [RT #34842]
 7156 
 7157 3656.	[security]	Treat an all zero netmask as invalid when generating
 7158 			the localnets acl. (The prior behavior could
 7159 			allow unexpected matches when using some versions
 7160 			of Winsock: CVE-2013-6320.) [RT #34687]
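
Why an all-zero netmask matters for change 3656, as an added model that is not BIND's code: an interface reported with mask 0.0.0.0 turns into a prefix of length 0, and a /0 element matches every address. The structures, function names and interface list are constructed for illustration; the addresses are documentation ranges.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* One interface as reported by the OS: IPv4 address and netmask, host byte order. */
struct iface { uint32_t addr; uint32_t mask; };

/* One ACL element: network prefix and prefix length. */
struct acl_elt { uint32_t net; unsigned int prefixlen; };

/* Constructed sample: one sane interface and one reported with an all-zero mask. */
static const struct iface SAMPLE_IFS[] = {
    { IP4(192, 0, 2, 10),   IP4(255, 255, 255, 0) },
    { IP4(198, 51, 100, 7), IP4(0, 0, 0, 0) },
};

/* Netmask to prefix length; -1 for a non-contiguous mask, 0 for the all-zero mask. */
static int mask_to_prefixlen(uint32_t mask) {
    int len = 0;
    while (mask & 0x80000000u) {
        len++;
        mask <<= 1;
    }
    return (mask == 0) ? len : -1;
}

/* A prefix length of 0 gives an empty comparison mask, so every address matches. */
static int elt_matches(const struct acl_elt *e, uint32_t addr) {
    uint32_t m = (e->prefixlen == 0) ? 0 : 0xFFFFFFFFu << (32 - e->prefixlen);
    return (addr & m) == (e->net & m);
}

/*
 * Build a localnets-style ACL from the interface list. With
 * reject_zero_mask == 0 an all-zero mask becomes a 0.0.0.0/0 element;
 * with reject_zero_mask == 1 that interface is treated as invalid and skipped.
 */
static size_t build_localnets(const struct iface *ifs, size_t n,
                              int reject_zero_mask, struct acl_elt *out) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        int len = mask_to_prefixlen(ifs[i].mask);
        if (len < 0)
            continue;                    /* malformed mask */
        if (len == 0 && reject_zero_mask)
            continue;                    /* all-zero mask treated as invalid */
        out[count].net = ifs[i].addr & ifs[i].mask;
        out[count].prefixlen = (unsigned int)len;
        count++;
    }
    return count;
}

/* Returns 1 if client matches the ACL built from SAMPLE_IFS, 0 otherwise. */
static int localnets_allows(int reject_zero_mask, uint32_t client) {
    struct acl_elt acl[sizeof(SAMPLE_IFS) / sizeof(SAMPLE_IFS[0])];
    size_t n = build_localnets(SAMPLE_IFS, sizeof(SAMPLE_IFS) / sizeof(SAMPLE_IFS[0]),
                               reject_zero_mask, acl);
    for (size_t i = 0; i < n; i++)
        if (elt_matches(&acl[i], client))
            return 1;
    return 0;
}

int main(void) {
    uint32_t remote = IP4(203, 0, 113, 50);  /* not on any local network */
    uint32_t local  = IP4(192, 0, 2, 77);    /* on the 192.0.2.0/24 interface */

    printf("zero mask accepted: remote=%d local=%d\n",
           localnets_allows(0, remote), localnets_allows(0, local));
    printf("zero mask rejected: remote=%d local=%d\n",
           localnets_allows(1, remote), localnets_allows(1, local));
    return 0;
}
```

Any ACL that references localnets (for example to gate recursion) inherits the match-everything element, which is why the mask is rejected when the list is built rather than at match time.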
 7161 
 7162 3655.	[cleanup]	Simplify TCP message processing when requesting a
 7163 			zone transfer.  [RT #34825]
 7164 
 7165 3654.	[bug]		Address race condition with manual notify requests.
 7166 			[RT #34806]
 7167 
 7168 3653.	[func]		Create delegations for all "children" of empty zones
 7169 			except "forward first". [RT #34826]
 7170 
 7171 3652.	[bug]		Address bug with rpz-drop policy. [RT #34816]
 7172 
 7173 3651.	[tuning]	Adjust when a master server is deemed unreachable.
 7174 			[RT #27075]
 7175 
 7176 3650.	[tuning]	Use separate rate limiting queues for refresh and
 7177 			notify requests. [RT #30589]
 7178 
 7179 3649.	[cleanup]	Include a comment in .nzf files, giving the name of
 7180 			the associated view. [RT #34765]
 7181 
 7182 3648.	[test]		Updated the ATF test framework to version 0.17.
 7183 			[RT #25627]
 7184 
 7185 3647.	[bug]		Address a race condition when shutting down a zone.
 7186 			[RT #34750]
 7187 
 7188 3646.	[bug]		Journal filename string could be set incorrectly,
 7189 			causing garbage in log messages. [RT #34738]
 7190 
 7191 3645.	[protocol]	Use case sensitive compression when responding to
 7192 			queries. [RT #34737]
 7193 
 7194 3644.	[protocol]	Check that EDNS subnet client options are well formed.
 7195 			[RT #34718]
 7196 
 7197 3643.	[doc]		Clarify RRL "slip" documentation.
 7198 
 7199 3642.	[func]		Allow externally generated DNSKEY to be imported
 7200 			into the DNSKEY management framework.  A new tool
 7201 			dnssec-importkey is used to do this. [RT #34698]
 7202 
 7203 3641.	[bug]		Handle changes to sig-validity-interval settings
 7204 			better. [RT #34625]
 7205 
 7206 3640.	[bug]		ndots was not being checked when searching.  Only
 7207 			continue searching on NXDOMAIN responses.  Add the
 7208 			ability to specify ndots to nslookup. [RT #34711]
 7209 
 7210 3639.	[bug]		Treat type 65533 (KEYDATA) as opaque except when used
 7211 			in a key zone. [RT #34238]
 7212 
 7213 3638.	[cleanup]	Add the ability to handle ENOPROTOOPT in case it is
 7214 			encountered. [RT #34668]
 7215 
 7216 3637.	[bug]		'allow-query-on' was checking the source address
 7217 			rather than the destination address. [RT #34590]
 7218 
 7219 3636.	[bug]		Automatic empty zones now behave better with
 7220 			forward only "zones" beneath them. [RT #34583]
 7221 
 7222 3635.	[bug]		Signatures were not being removed from a zone with
 7223 			only KSK keys for an algorithm. [RT #34439]
 7224 
 7225 3634.	[func]		Report build-id in rndc status. Report build-id
 7226 			when building from a git repository. [RT #20422]
 7227 
 7228 3633.	[cleanup]	Refactor OPT processing in named to make it easier
 7229 			to support new EDNS options. [RT #34414]
 7230 
 7231 3632.	[bug]		Signatures from newly inactive keys were not being
 7232 			removed. [RT #32178]
 7233 
 7234 3631.	[bug]		Remove spurious warning about missing signatures when
 7235 			qtype is SIG. [RT #34600]
 7236 
 7237 3630.	[bug]		Ensure correct ID computation for MD5 keys. [RT #33033]
 7238 
 7239 3629.	[func]		Allow the printing of cryptographic fields in DNSSEC
 7240 			records by dig to be suppressed (dig +nocrypto).
 7241 			[RT #34534]
 7242 
 7243 3628.	[func]		Report DNSKEY key id's when dumping the cache.
 7244 			[RT #34533]
 7245 
 7246 3627.	[bug]		RPZ changes were not effective on slaves. [RT #34450]
 7247 
 7248 3626.	[func]		dig: NSID output now easier to read. [RT #21160]
 7249 
 7250 3625.	[bug]		Don't send notify messages to machines outside of the
 7251 			test setup.
 7252 
 7253 3624.	[bug]		Look for 'json_object_new_int64' when looking for
 7254 			the json library. [RT #34449]
 7255 
 7256 3623.	[placeholder]
 7257 
 7258 3622.	[tuning]	Eliminate an unnecessary lock when incrementing
 7259 			cache statistics. [RT #34339]
 7260 
 7261 3621.	[security]	Incorrect bounds checking on private type 'keydata'
 7262 			can lead to a remotely triggerable REQUIRE failure
 7263 			(CVE-2013-4854). [RT #34238]
 7264 
 7265 3620.	[func]		Added "rpz-client-ip" policy triggers, enabling
 7266 			RPZ responses to be configured on the basis of
 7267 			the client IP address; this can be used, for
 7268 			example, to blacklist misbehaving recursive
 7269 			or stub resolvers. [RT #33605]
 7270 
 7271 3619.	[bug]		Fixed a bug in RPZ with "recursive-only no;"
 7272 			[RT #33776]
 7273 
 7274 3618.	[func]		"rndc reload" now checks modification times of
 7275 			include files as well as master files to determine
 7276 			whether to skip reloading a zone. [RT #33936]
 7277 
 7278 3617.	[bug]		Named was failing to answer queries during
 7279 			"rndc reload" [RT #34098]
 7280 
 7281 3616.	[bug]		Change #3613 was incomplete. [RT #34177]
 7282 
 7283 3615.	[cleanup]	"configure" now finishes by printing a summary
 7284 			of optional BIND features and whether they are
 7285 			active or inactive. ("configure --enable-full-report"
 7286 			increases the verbosity of the summary.) [RT #31777]
 7287 
 7288 3614.	[port]		Check for <linux/types.h>. [RT #34162]
 7289 
 7290 3613.	[bug]		named could crash when deleting inline-signing
 7291 			zones with "rndc delzone". [RT #34066]
 7292 
 7293 3612.	[port]		Check whether to use -ljson or -ljson-c. [RT #34115]
 7294 
 7295 3611.	[bug]		Improved resistance to a theoretical authentication
 7296 			attack based on differential timing.  [RT #33939]
 7297 
 7298 3610.	[cleanup]	win32: Some executables had been omitted from the
 7299 			installer. [RT #34116]
 7300 
 7301 3609.	[bug]		Corrected a possible deadlock in applications using
 7302 			the export version of the isc_app API. [RT #33967]
 7303 
 7304 3608.	[port]		win32: added todos.pl script to ensure all text files
 7305 			the win32 build depends on are converted to DOS
 7306 			newline format. [RT #22067]
 7307 
 7308 3607.	[bug]		dnssec-keygen had broken 'Invalid keyfile' error
 7309 			message. [RT #34045]
 7310 
 7311 3606.	[func]		"rndc flushtree" now flushes matching
 7312 			records in the address database and bad cache
 7313 			as well as the DNS cache. (Previously only the
 7314 			DNS cache was flushed.) [RT #33970]
 7315 
 7316 3605.	[port]		win32: Addressed several compatibility issues
 7317 			with newer versions of Visual Studio. [RT #33916]
 7318 
 7319 3604.	[bug]		Fixed a compile-time error when building with
 7320 			JSON but not XML. [RT #33959]
 7321 
 7322 3603.	[bug]		Install <isc/stat.h>. [RT #33956]
 7323 
 7324 3602.	[contrib]	Added DLZ Perl module, allowing Perl scripts to
 7325 			integrate with named and serve DNS data.
 7326 			(Contributed by John Eaglesham of Yahoo.)
 7327 
 7328 3601.	[bug]		Added to PKCS#11 openssl patches a value len
 7329 			attribute in DH derive key. [RT #33928]
 7330 
 7331 3600.	[cleanup]	dig: Fixed a typo in the warning output when receiving
 7332 			an oversized response. [RT #33910]
 7333 
 7334 3599.	[tuning]	Check for pointer equivalence in name comparisons.
 7335 			[RT #18125]
 7336 
 7337 3598.	[cleanup]	Improved portability of map file code. [RT #33820]
 7338 
 7339 3597.	[bug]		Ensure automatic-resigning heaps are reconstructed
 7340 			when loading zones in map format. [RT #33381]
 7341 
 7342 3596.	[port]		Updated win32 build documentation, added
 7343 			dnssec-verify. [RT #22067]
 7344 
 7345 3595.	[port]		win32: Fix build problems introduced by change #3550.
 7346 			[RT #33807]
 7347 
 7348 3594.	[maint]		Update config.guess and config.sub. [RT #33816]
 7349 
 7350 3593.	[func]		Update EDNS processing to better track remote server
 7351 			capabilities. [RT #30655]
 7352 
 7353 3592.	[doc]		Moved documentation of rndc command options to the
 7354 			rndc man page. [RT #33506]
 7355 
 7356 3591.	[func]		Use CRC-64 to detect map file corruption at load
 7357 			time. [RT #33746]
 7358 
 7359 3590.	[bug]		When using RRL on recursive servers, defer
 7360 			rate-limiting until after recursion is complete;
 7361 			also, use correct rcode for slipped NXDOMAIN
 7362 			responses.  [RT #33604]
 7363 
 7364 3589.	[func]		Report serial numbers when starting zone transfers.
 7365 			Report accepted NOTIFY requests including serial.
 7366 			[RT #33037]
 7367 
 7368 3588.	[bug]		dig: addressed a memory leak in the sigchase code
 7369 			that could cause a shutdown crash.  [RT #33733]
 7370 
 7371 3587.	[func]		'named -g' now checks the logging configuration but
 7372 			does not use it. [RT #33473]
 7373 
 7374 3586.	[bug]		Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]
 7375 
 7376 3585.	[func]		"rndc delzone -clean" option removes zone files
 7377 			when deleting a zone. [RT #33570]
 7378 
 7379 3584.	[security]	Caching data from an incompletely signed zone could
 7380 			trigger an assertion failure in resolver.c
 7381 			(CVE-2013-3919). [RT #33690]
 7382 
 7383 3583.	[bug]		Address memory leak in GSS-API processing [RT #33574]
 7384 
 7385 3582.	[bug]		Silence false positive warning regarding missing file
 7386 			directive for inline slave zones.  [RT #33662]
 7387 
 7388 3581.	[bug]		Changed the tcp-listen-queue default to 10. [RT #33029]
 7389 
 7390 3580.	[bug]		Addressed a possible race in acache.c [RT #33602]
 7391 
 7392 3579.	[maint]		Updates to PKCS#11 openssl patches, supporting
 7393 			versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]
 7394 
 7395 3578.	[bug]		'rndc -c file' now fails if 'file' does not exist.
 7396 			[RT #33571]
 7397 
 7398 3577.	[bug]		Handle zero TTL values better. [RT #33411]
 7399 
 7400 3576.	[bug]		Address a shutdown race when validating. [RT #33573]
 7401 
 7402 3575.	[func]		Changed the logging category for RRL events from
 7403 			'queries' to 'query-errors'. [RT #33540]
 7404 
 7405 3574.	[doc]		The 'hostname' keyword was missing from server-id
 7406 			description in the named.conf man page. [RT #33476]
 7407 
 7408 3573.	[bug]		"rndc addzone" and "rndc delzone" incorrectly handled
 7409 			zone names containing punctuation marks and other
 7410 			nonstandard characters. [RT #33419]
 7411 
 7412 3572.	[func]		Threads are now enabled by default on most
 7413 			operating systems. [RT #25483]
 7414 
 7415 3571.	[bug]		Address race condition in dns_client_startresolve().
 7416 			[RT #33234]
 7417 
 7418 3570.	[bug]		Check internal pointers are valid when loading map
 7419 			files. [RT #33403]
 7420 
 7421 3569.	[contrib]	Ported mysql DLZ driver to dynamically-loadable
 7422 			module, and added multithread support. [RT #33394]
 7423 
 7424 3568.	[cleanup]	Add a product description line to the version file,
 7425 			to be reported by named -v/-V. [RT #33366]
 7426 
 7427 3567.	[bug]		Silence clang static analyzer warnings. [RT #33365]
 7428 
 7429 3566.	[func]		Log when forwarding updates to master. [RT #33240]
 7430 
 7431 3565.	[placeholder]
 7432 
 7433 3564.	[bug]		Improved handling of corrupted map files. [RT #33380]
 7434 
 7435 3563.	[contrib]	zone2sqlite failed with some table names. [RT #33375]
 7436 
 7437 3562.	[func]		Update map file header format to include a SHA-1 hash
 7438 			of the database content, so that corrupted map files
 7439 			can be rejected at load time. [RT #32459]
 7440 
 7441 3561.	[bug]		dig: issue a warning if an EDNS query returns FORMERR
 7442 			or NOTIMP.  Adjust usage message. [RT #33363]
 7443 
 7444 3560.	[bug]		isc-config.sh did not honor includedir and libdir
 7445 			when set via configure. [RT #33345]
 7446 
 7447 3559.	[func]		Check that both forms of Sender Policy Framework
 7448 			records exist or do not exist. [RT #33355]
 7449 
 7450 3558.	[bug]		IXFR of a DLZ stored zone was broken. [RT #33331]
 7451 
 7452 3557.	[bug]		Reloading redirect zones was broken. [RT #33292]
 7453 
 7454 3556.	[maint]		Added AAAA for D.ROOT-SERVERS.NET.
 7455 
 7456 3555.	[bug]		Address theoretical race conditions in acache.c
 7457 			(change #3553 was incomplete). [RT #33252]
 7458 
 7459 3554.	[bug]		RRL failed to correctly rate-limit upward
 7460 			referrals and failed to count dropped error
 7461 			responses in the statistics. [RT #33225]
 7462 
 7463 3553.	[bug]		Address suspected double free in acache. [RT #33252]
 7464 
 7465 3552.	[bug]		Wrong getopt option string for 'nsupdate -r'.
 7466 			[RT #33280]
 7467 
 7468 3551.	[bug]		resolver.querydscp[46] were uninitialized.  [RT #32686]
 7469 
 7470 3550.	[func]		Unified the internal and export versions of the
 7471 			BIND libraries, allowing external clients to use
 7472 			the same libraries as BIND. [RT #33131]
 7473 
 7474 3549.	[doc]		Documentation for "request-nsid" was missing.
 7475 			[RT #33153]
 7476 
 7477 3548.	[bug]		The NSID request code in resolver.c was broken
 7478 			resulting in invalid EDNS options being sent.
 7479 			[RT #33153]
 7480 
 7481 3547.	[bug]		Some malformed unknown rdata records were not properly
 7482 			detected and rejected. [RT #33129]
 7483 
 7484 3546.	[func]		Add EUI48 and EUI64 types. [RT #33082]
 7485 
 7486 3545.	[bug]		RRL slip behavior was incorrect when set to 1.
 7487 			[RT #33111]
 7488 
 7489 3544.	[contrib]	check5011.pl: Script to report the status of
 7490 			managed keys as recorded in managed-keys.bind.
 7491 			Contributed by Tony Finch <dot@dotat.at>
 7492 
 7493 3543.	[bug]		Update socket structure before attaching to socket
 7494 			manager after accept. [RT #33084]
 7495 
 7496 3542.	[placeholder]
 7497 
 7498 3541.	[bug]		Parts of libdns were not properly initialized when
 7499 			built in libexport mode. [RT #33028]
 7500 
 7501 3540.	[test]		libt_api: t_info and t_assert were not thread safe.
 7502 
 7503 3539.	[port]		win32: timestamp format didn't match other platforms.
 7504 
 7505 3538.	[test]		Running "make test" now requires loopback interfaces
 7506 			to be set up. [RT #32452]
 7507 
 7508 3537.	[tuning]	Slave zones, when updated, now send NOTIFY messages
 7509 			to peers before being dumped to disk rather than
 7510 			after. [RT #27242]
 7511 
 7512 3536.	[func]		Add support for setting Differentiated Services Code
 7513 			Point (DSCP) values in named.  Most configuration
 7514 			options which take a "port" option (e.g.,
 7515 			listen-on, forwarders, also-notify, masters,
 7516 			notify-source, etc) can now also take a "dscp"
 7517 			option specifying a code point for use with
 7518 			outgoing traffic, if supported by the underlying
 7519 			OS. [RT #27596]
 7520 
 7521 3535.	[bug]		Minor win32 cleanups. [RT #32962]
 7522 
 7523 3534.	[bug]		Extra text after an embedded NULL was ignored when
 7524 			parsing zone files. [RT #32699]
 7525 
 7526 3533.	[contrib]	query-loc-0.4.0: memory leaks. [RT #32960]
 7527 
 7528 3532.	[contrib]	zkt: fixed buffer overrun, resource leaks. [RT #32960]
 7529 
 7530 3531.	[bug]		win32: An uninitialized value could be returned on out
 7531 			of memory. [RT #32960]
 7532 
 7533 3530.	[contrib]	Better RTT tracking in queryperf. [RT #30128]
 7534 
 7535 3529.	[func]		Named now listens on both IPv4 and IPv6 interfaces
 7536 			by default.  Named previously only listened on IPv4
 7537 			interfaces by default unless named was running in
 7538 			IPv6 only mode.  [RT #32945]
 7539 
 7540 3528.	[func]		New "dnssec-coverage" command scans the timing
 7541 			metadata for a set of DNSSEC keys and reports if a
 7542 			lapse in signing coverage has been scheduled
 7543 			inadvertently. (Note: This tool depends on python;
 7544 			it will not be built or installed on systems that
 7545 			do not have a python interpreter.) [RT #28098]
 7546 
 7547 3527.	[compat]	Add a URI to allow applications to explicitly
 7548 			request a particular XML schema from the statistics
 7549 			channel, returning 404 if not supported. [RT #32481]
 7550 
 7551 3526.	[cleanup]	Set up dependencies for unit tests correctly during
 7552 			build. [RT #32803]
 7553 
 7554 3525.	[func]		Support for additional signing algorithms in rndc:
 7555 			hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
 7556 			The -A option to rndc-confgen can be used to
 7557 			select the algorithm for the generated key.
 7558 			(The default is still hmac-md5; this may
 7559 			change in a future release.) [RT #20363]
 7560 
 7561 3524.	[func]		Added an alternate statistics channel in JSON format,
 7562 			when the server is built with the json-c library:
 7563 			http://[address]:[port]/json. [RT #32630]
 7564 
 7565 3523.	[contrib]	Ported filesystem and ldap DLZ drivers to
 7566 			dynamically-loadable modules, and added the
 7567 			"wildcard" module based on a contribution from
 7568 			Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569]
 7569 
 7570 3522.	[bug]		DLZ lookups could fail to return SERVFAIL when
 7571 			they ought to. [RT #32685]
 7572 
 7573 3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]
 7574 
 7575 3520.	[bug]		'mctx' was not being reference counted in some places
 7576 			where it should have been.  [RT #32794]
 7577 
 7578 3519.	[func]		Full replay protection via four-way handshake is
 7579 			now mandatory for rndc clients. Very old versions
 7580 			of rndc will no longer work. [RT #32798]
 7581 
 7582 3518.	[bug]		Increase the size of dns_rrl_key.s.rtype by one bit
 7583 			so that all dns_rrl_rtype_t enum values fit regardless
 7584 			of whether it is treated as signed or unsigned by
 7585 			the compiler. [RT #32792]
 7586 
 7587 3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]
 7588 
 7589 3516.	[placeholder]
 7590 
 7591 3515.	[port]		'%T' is not portable in strftime(). [RT #32763]
 7592 
 7593 3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
 7594 			rndc-confgen were too constrained. Keys up to 512
 7595 			bits are now allowed for most algorithms, and up
 7596 			to 1024 bits for hmac-sha384 and hmac-sha512.
 7597 			[RT #32753]
 7598 
 7599 3513.	[func]		"dig -u" prints times in microseconds rather than
 7600 			milliseconds. [RT #32704]
 7601 
 7602 3512.	[func]		"rndc validation check" reports the current status
 7603 			of DNSSEC validation. [RT #21397]
 7604 
 7605 3511.	[doc]		Improve documentation of redirect zones. [RT #32756]
 7606 
 7607 3510.	[func]		"rndc status" and XML statistics channel now report
 7608 			server start and reconfiguration times. [RT #21048]
 7609 
 7610 3509.	[cleanup]	Added a product line to version file to allow for
 7611 			easy naming of different products (BIND
 7612 			vs BIND ESV, for example). [RT #32755]
 7613 
 7614 3508.	[contrib]	queryperf was incorrectly rejecting the -T option.
 7615 			[RT #32338]
 7616 
 7617 3507.	[bug]		Statistics channel XSL had a glitch when attempting
 7618 			to chart query data before any queries had been
 7619 			received. [RT #32620]
 7620 
 7621 3506.	[func]		When setting "max-cache-size" and "max-acache-size",
 7622 			the keyword "unlimited" is no longer defined as equal
 7623 			to 4 gigabytes (except on 32-bit platforms); it
 7624 			means literally unlimited. [RT #32358]
 7625 
 7626 3505.	[bug]		When setting "max-cache-size" and "max-acache-size",
 7627 			larger values than 4 gigabytes could not be set
 7628 			explicitly, though larger sizes were available
 7629 			when setting cache size to 0. This has been
 7630 			corrected; the full range is now available.
 7631 			[RT #32358]
 7632 
 7633 3504.	[func]		Add support for ACLs based on geographic location,
 7634 			using MaxMind GeoIP databases. Based on code
 7635 			contributed by Ken Brownfield <kb@slide.com>.
 7636 			[RT #30681]
 7637 
 7638 3503.	[doc]		Clarify size_spec syntax. [RT #32449]
 7639 
 7640 3502.	[func]		zone-statistics: "no" is now a synonym for "none",
 7641 			instead of "terse". [RT #29165]
 7642 
 7643 3501.	[func]		zone-statistics now takes three options: full,
 7644 			terse, and none. "yes" and "no" are retained as
 7645 			synonyms for full and terse, respectively. [RT #29165]
 7646 
 7647 3500.	[security]	Support NAPTR regular expression validation on
 7648 			all platforms without using libregex, which
 7649 			can be vulnerable to memory exhaustion attacks
 7650 			(CVE-2013-2266). [RT #32688]
 7651 
 7652 3499.	[doc]		Corrected ARM documentation of built-in zones.
 7653 			[RT #32694]
 7654 
 7655 3498.	[bug]		zone statistics for zones which matched a potential
 7656 			empty zone could have their zone-statistics setting
 7657 			overridden.
 7658 
 7659 3497.	[func]		When deleting a slave/stub zone using 'rndc delzone'
 7660 			report the files that were being used so they can
 7661 			be cleaned up if desired. [RT #27899]
 7662 
 7663 3496.	[placeholder]
 7664 
 7665 3495.	[func]		Support multiple response-policy zones (up to 32),
 7666 			while improving RPZ performance.  "response-policy"
 7667 			syntax now includes a "min-ns-dots" clause, with
 7668 			default 1, to exclude top-level domains from
 7669 			NSIP and NSDNAME checking. --enable-rpz-nsip and
 7670 			--enable-rpz-nsdname are now the default. [RT #32251]
 7671 
 7672 3494.	[func]		DNS RRL: Blunt the impact of DNS reflection and
 7673 			amplification attacks by rate-limiting substantially-
 7674 			identical responses. [RT #28130]
 7675 
 7676 3493.	[contrib]	Added BDBHPT dynamically-loadable DLZ module,
 7677 			contributed by Mark Goldfinch. [RT #32549]
 7678 
 7679 3492.	[bug]		Fixed a regression in zone loading performance
 7680 			due to lock contention. [RT #30399]
 7681 
 7682 3491.	[bug]		Slave zones using inline-signing must specify a
 7683 			file name. [RT #31946]
 7684 
 7685 3490.	[bug]		When logging RDATA during update, truncate if it's
 7686 			too long. [RT #32365]
 7687 
 7688 3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
 7689 			dns_dlzcreate() failed to properly initialize
 7690 			dlzdb.link.  When cloning a rdataset do not copy
 7691 			the link contents.  [RT #32651]
 7692 
 7693 3488.	[bug]		Use after free error with DH generated keys. [RT #32649]
 7694 
 7695 3487.	[bug]		Change 3444 was not complete.  There was an additional
 7696 			place where the NOQNAME proof needed to be saved.
 7697 			[RT #32629]
 7698 
 7699 3486.	[bug]		named could crash when using TKEY-negotiated keys
 7700 			that had been deleted and then recreated. [RT #32506]
 7701 
 7702 3485.	[cleanup]	Only compile openssl_gostlink.c if we support GOST.
 7703 
 7704 3484.	[bug]		Some statistics were incorrectly rendered in XML.
 7705 			[RT #32587]
 7706 
 7707 3483.	[placeholder]
 7708 
 7709 3482.	[func]		dig +nssearch now prints name servers that don't
 7710 			have address records (missing AAAA or A, or the name
 7711 			doesn't exist). [RT #29348]
 7712 
 7713 3481.	[cleanup]	Removed use of const const in atf.
 7714 
 7715 3480.	[bug]		Silence logging noise when setting up zone
 7716 			statistics. [RT #32525]
 7717 
 7718 3479.	[bug]		Address potential memory leaks in gssapi support
 7719 			code. [RT #32405]
 7720 
 7721 3478.	[port]		Fix a build failure in strict C99 environments
 7722 			[RT #32475]
 7723 
 7724 3477.	[func]		Expand logging when adding records via DDNS update
 7725 			[RT #32365]
 7726 
 7727 3476.	[bug]		"rndc zonestatus" could report a spurious "not
 7728 			found" error on inline-signing zones. [RT #29226]
 7729 
 7730 3475.	[cleanup]	Changed name of 'map' zone file format (previously
 7731 			'fast'). [RT #32458]
 7732 
 7733 3474.	[bug]		nsupdate could assert when the local and remote
 7734 			address families didn't match. [RT #22897]
 7735 
 7736 3473.	[bug]		dnssec-signzone/verify could incorrectly report
 7737 			an error condition due to an empty node above an
 7738 			opt-out delegation lacking an NSEC3. [RT #32072]
 7739 
 7740 3472.	[bug]		The active-connections counter in the socket
 7741 			statistics could underflow. [RT #31747]
 7742 
 7743 3471.	[bug]		The number of UDP dispatches now defaults to
 7744 			the number of CPUs even if -n has been set to
 7745 			a higher value. [RT #30964]
 7746 
 7747 3470.	[bug]		Slave zones could fail to dump when successfully
 7748 			refreshing after an initial failure. [RT #31276]
 7749 
 7750 3469.	[bug]		Handle DLZ lookup failures more gracefully. Improve
 7751 			backward compatibility between versions of DLZ dlopen
 7752 			API. [RT #32275]
 7753 
 7754 3468.	[security]	RPZ rules to generate A records (but not AAAA records)
 7755 			could trigger an assertion failure when used in
 7756 			conjunction with DNS64 (CVE-2012-5689). [RT #32141]
 7757 
 7758 3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
 7759 			to check for delete date < inactive date. [RT #31719]
 7760 
 7761 3466.	[contrib]	Corrected the DNS_CLIENTINFOMETHODS_VERSION check
 7762 			in DLZ example driver. [RT #32275]
 7763 
 7764 3465.	[bug]		Handle isolated reserved ports. [RT #31778]
 7765 
 7766 3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
 7767 			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]
 7768 
 7769 3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]
 7770 
 7771 3462.	[doc]		Clarify server selection behavior of dig when using
 7772 			-4 or -6 options. [RT #32181]
 7773 
 7774 3461.	[bug]		Negative responses could incorrectly have AD=1
 7775 			set. [RT #32237]
 7776 
 7777 3460.	[bug]		Only link against readline where needed. [RT #29810]
 7778 
 7779 3459.	[func]		Added -J option to named-checkzone/named-compilezone
 7780 			to specify the path to the journal file. [RT #30958]
 7781 
 7782 3458.	[bug]		Return FORMERR when presented with an overly long
 7783 			domain name in a request. [RT #29682]
 7784 
 7785 3457.	[protocol]	Add ILNP records (NID, LP, L32, L64). [RT #31836]
 7786 
 7787 3456.	[port]		g++47: ATF failed to compile. [RT #32012]
 7788 
 7789 3455.	[contrib]	queryperf: fix getopt option list. [RT #32338]
 7790 
 7791 3454.	[port]		sparc64: improve atomic support. [RT #25182]
 7792 
 7793 3453.	[bug]		'rndc addzone' of a zone with 'inline-signing yes;'
 7794 			failed. [RT #31960]
 7795 
 7796 3452.	[bug]		Accept duplicate singleton records. [RT #32329]
 7797 
 7798 3451.	[port]		Increase per thread stack size from 64K to 1M.
 7799 			[RT #32230]
 7800 
 7801 3450.	[bug]		Stop logfileconfig system test spamming system logs.
 7802 			[RT #32315]
 7803 
 7804 3449.	[bug]		gen.c: use the pre-processor to construct format
 7805 			strings so that compiler can perform sanity checks;
 7806 			check the snprintf results. [RT #17576]
 7807 
 7808 3448.	[bug]		The allow-query-on ACL was not processed correctly.
 7809 			[RT #29486]
 7810 
 7811 3447.	[port]		Add support for libxml2-2.9.x [RT #32231]
 7812 
 7813 3446.	[port]		win32: Add source ID (see change #3400) to build.
 7814 			[RT #31683]
 7815 
 7816 3445.	[bug]		Warn about zone files with blank owner names
 7817 			immediately after $ORIGIN directives. [RT #31848]
 7818 
 7819 3444.	[bug]		The NOQNAME proof was not being returned from cached
 7820 			insecure responses. [RT #21409]
 7821 
 7822 3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
 7823 			rejected when generating keys. [RT #31927]
 7824 
 7825 3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
 7826 			change. [RT #32216]
 7827 
 7828 3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.
 7829 
 7830 3440.	[bug]		Reorder get_key_struct to not trigger an assertion when
 7831 			cleaning up due to out of memory error. [RT #32131]
 7832 
 7833 3439.	[placeholder]
 7834 
 7835 3438.	[bug]		Don't accept unknown data escape in quotes. [RT #32031]
 7836 
 7837 3437.	[bug]		isc_buffer_init -> isc_buffer_constinit to initialize
 7838 			buffers with constant data. [RT #32064]
 7839 
 7840 3436.	[bug]		Check malloc/calloc return values. [RT #32088]
 7841 
 7842 3435.	[bug]		Cross compilation support in configure was broken.
 7843 			[RT #32078]
 7844 
 7845 3434.	[bug]		Pass client info to the DLZ findzone() entry
 7846 			point in addition to lookup().  This makes it
 7847 			possible for a database to answer differently
 7848 			whether it's authoritative for a name depending
 7849 			on the address of the client.  [RT #31775]
 7850 
 7851 3433.	[bug]		dlz_findzone() did not correctly handle
 7852 			ISC_R_NOMORE. [RT #31172]
 7853 
 7854 3432.	[func]		Multiple DLZ databases can now be configured.
 7855 			DLZ databases are searched in the order configured,
 7856 			unless set to "search no", in which case a
 7857 			zone can be configured to be retrieved from a
 7858 			particular DLZ database by using a "dlz <name>"
 7859 			option in the zone statement.  DLZ databases can
 7860 			support type "master" and "redirect" zones.
 7861 			[RT #27597]
 7862 
 7863 3431.	[bug]		ddns-confgen: Some valid key algorithms were
 7864 			not accepted. [RT #31927]
 7865 
 7866 3430.	[bug]		win32: isc_time_formatISO8601 was missing the
 7867 			'T' between the date and time. [RT #32044]
 7868 
 7869 3429.	[bug]		dns_zone_getserial2 could return success without
 7870 			returning a valid serial. [RT #32007]
 7871 
 7872 3428.	[cleanup]	dig: Add timezone to date output. [RT #2269]
 7873 
 7874 3427.	[bug]		dig +trace incorrectly displayed name server
 7875 			addresses instead of names. [RT #31641]
 7876 
 7877 3426.	[bug]		dnssec-checkds: Clearer output when records are not
 7878 			found. [RT #31968]
 7879 
 7880 3425.	[bug]		"acacheentry" reference counting was broken resulting
 7881 			in use after free. [RT #31908]
 7882 
 7883 3424.	[func]		dnssec-dsfromkey now emits the hash without spaces.
 7884 			[RT #31951]
 7885 
 7886 3423.	[bug]		"rndc signing -nsec3param" didn't accept the full
 7887 			range of possible values.  Address portability issues.
 7888 			[RT #31938]
 7889 
 7890 3422.	[bug]		Added a clear error message for when the SOA does not
 7891 			match the referral. [RT #31281]
 7892 
 7893 3421.	[bug]		Named loops when re-signing if all keys are offline.
 7894 			[RT #31916]
 7895 
 7896 3420.	[bug]		Address VPATH compilation issues. [RT #31879]
 7897 
 7898 3419.	[bug]		Memory leak on validation cancel. [RT #31869]
 7899 
 7900 3418.	[func]		New XML schema (version 3.0) for the statistics channel
 7901 			adds query type statistics at the zone level, and
 7902 			flattens the XML tree and uses compressed format to
 7903 			optimize parsing. Includes new XSL that permits
 7904 			charting via the Google Charts API on browsers that
 7905 			support javascript in XSL.  The old XML schema has been
 7906 			deprecated. [RT #30023]
 7907 
 7908 3417.	[placeholder]
 7909 
 7910 3416.	[bug]		Named could die on shutdown if running with 128 UDP
 7911 			dispatches per interface. [RT #31743]
 7912 
 7913 3415.	[bug]		named could die with a REQUIRE failure if a validation
 7914 			was canceled. [RT #31804]
 7915 
 7916 3414.	[bug]		Address locking issues found by Coverity. [RT #31626]
 7917 
 7918 3413.	[func]		Record the number of DNS64 AAAA RRsets that have been
 7919 			synthesized. [RT #27636]
 7920 
 7921 3412.	[bug]		Copy timeval structure from control message data.
 7922 			[RT #31548]
 7923 
 7924 3411.	[tuning]	Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
 7925 			to UDP. [RT #31690]
 7926 
 7927 3410.	[bug]		Addressed Coverity warnings. [RT #31626]
 7928 
 7929 3409.	[contrib]	contrib/dane/mkdane.sh: Tool to generate TLSA RR's
 7930 			from X.509 certificates, for use with DANE
 7931 			(DNS-based Authentication of Named Entities).
 7932 			[RT #30513]
 7933 
 7934 3408.	[bug]		Some DNSSEC-related options (update-check-ksk,
 7935 			dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
 7936 			are now legal in slave zones as long as
 7937 			inline-signing is in use. [RT #31078]
 7938 
 7939 3407.	[placeholder]
 7940 
 7941 3406.	[bug]		mem.c: Fix compilation errors when building with
 7942 			ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
 7943 			Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
 7944 
 7945 3405.	[bug]		Handle time going backwards in acache. [RT #31253]
 7946 
 7947 3404.	[bug]		dnssec-signzone: When re-signing a zone, remove
 7948 			RRSIG and NSEC records from nodes that used to be
 7949 			in-zone but are now below a zone cut. [RT #31556]
 7950 
 7951 3403.	[bug]		Silence noisy OpenSSL logging. [RT #31497]
 7952 
 7953 3402.	[test]		The IPv6 interface numbers used for system
 7954 			tests were incorrect on some platforms. [RT #25085]
 7955 
 7956 3401.	[bug]		Addressed Coverity warnings. [RT #31484]
 7957 
 7958 3400.	[cleanup]	"named -V" can now report a source ID string, defined
 7959 			in the "srcid" file in the build tree and normally set
 7960 			to the most recent git hash.  [RT #31494]
 7961 
 7962 3399.	[port]		netbsd: rename 'bool' parameter to avoid namespace
 7963 			clash.  [RT #31515]
 7964 
 7965 3398.	[bug]		SOA parameters were not being updated with inline
 7966 			signed zones if the zone was modified while the
 7967 			server was offline. [RT #29272]
 7968 
 7969 3397.	[bug]		dig crashed when using +nssearch with +tcp. [RT #25298]
 7970 
 7971 3396.	[bug]		OPT records were incorrectly removed from signed,
 7972 			truncated responses. [RT #31439]
 7973 
 7974 3395.	[protocol]	Add RFC 6598 reverse zones to built in empty zones
 7975 			list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
 7976 			[RT #31336]
 7977 
 7978 3394.	[bug]		Adjust 'successfully validated after lower casing
 7979 			signer' log level and category. [RT #31414]
 7980 
 7981 3393.	[bug]		'host -C' could core dump if REFUSED was received.
 7982 			[RT #31381]
 7983 
 7984 3392.	[func]		Keep statistics on REFUSED responses. [RT #31412]
 7985 
 7986 3391.	[bug]		A DNSKEY lookup that encountered a CNAME failed.
 7987 			[RT #31262]
 7988 
 7989 3390.	[bug]		Silence clang compiler warnings. [RT #30417]
 7990 
 7991 3389.	[bug]		Always return NOERROR (not 0) in TSIG. [RT #31275]
 7992 
 7993 3388.	[bug]		Fixed several Coverity warnings.
 7994 			Note: This change includes a fix for a bug that
 7995 			was subsequently determined to be an exploitable
 7996 			security vulnerability, CVE-2012-5688: named could
 7997 			die on specific queries with dns64 enabled.
 7998 			[RT #30996]
 7999 
 8000 3387.	[func]		DS digest can be disabled at runtime with
 8001 			disable-ds-digests. [RT #21581]
 8002 
 8003 3386.	[bug]		Address locking violation when generating new NSEC /
 8004 			NSEC3 chains. [RT #31224]
 8005 
 8006 3385.	[bug]		named-checkconf didn't detect missing master lists
 8007 			in also-notify clauses. [RT #30810]
 8008 
 8009 3384.	[bug]		Improved logging of crypto errors. [RT #30963]
 8010 
 8011 3383.	[security]	A certain combination of records in the RBT could
 8012 			cause named to hang while populating the additional
 8013 			section of a response. [RT #31090]
 8014 
 8015 3382.	[bug]		SOA query from slave used use-v6-udp-ports range,
 8016 			if set, regardless of the address family in use.
 8017 			[RT #24173]
 8018 
 8019 3381.	[contrib]	Update queryperf to support more RR types.
 8020 			[RT #30762]
 8021 
 8022 3380.	[bug]		named could die if a nonexistent master list was
 8023 			referenced in an also-notify. [RT #31004]
 8024 
 8025 3379.	[bug]		isc_interval_zero and isc_time_epoch should be
 8026 			"const (type)* const". [RT #31069]
 8027 
 8028 3378.	[bug]		Handle missing 'managed-keys-directory' better.
 8029 			[RT #30625]
 8030 
 8031 3377.	[bug]		Removed spurious newline from NSEC3 multiline
 8032 			output. [RT #31044]
 8033 
 8034 3376.	[bug]		Lack of EDNS support was being recorded without a
 8035 			successful response. [RT #30811]
 8036 
 8037 3375.	[bug]		'rndc dumpdb' failed on empty caches. [RT #30808]
 8038 
 8039 3374.	[bug]		isc_parse_uint32 failed to return a range error on
 8040 			systems with 64 bit longs. [RT #30232]
 8041 
 8042 3373.	[bug]		win32: open raw files in binary mode. [RT #30944]
 8043 
 8044 3372.	[bug]		Silence spurious "deleted from unreachable cache"
 8045 			messages.  [RT #30501]
 8046 
 8047 3371.	[bug]		AD=1 should behave like DO=1 when deciding whether to
 8048 			add NS RRsets to the additional section or not.
 8049 			[RT #30479]
 8050 
 8051 3370.	[bug]		Address use after free while shutting down. [RT #30241]
 8052 
 8053 3369.	[bug]		nsupdate terminated unexpectedly in interactive mode
 8054 			if built with readline support. [RT #29550]
 8055 
 8056 3368.	[bug]		<dns/iptable.h>, <dns/private.h> and <dns/zone.h>
 8057 			were not C++ safe.
 8058 
 8059 3367.	[bug]		dns_dnsseckey_create() result was not being checked.
 8060 			[RT #30685]
 8061 
 8062 3366.	[bug]		Fixed Read-After-Write dependency violation for IA64
 8063 			atomic operations. [RT #25181]
 8064 
 8065 3365.	[bug]		Removed spurious newlines from log messages in
 8066 			zone.c [RT #30675]
 8067 
 8068 3364.	[security]	Named could die on specially crafted record.
 8069 			[RT #30416]
 8070 
 8071 3363.	[bug]		Need to allow "forward" and "forwarders" options
 8072 			in static-stub zones; this had been overlooked.
 8073 			[RT #30482]
 8074 
 8075 3362.	[bug]		Setting some option values to 0 in named.conf
 8076 			could trigger an assertion failure on startup.
 8077 			[RT #27730]
 8078 
 8079 3361.	[bug]		"rndc signing -nsec3param" didn't work correctly
 8080 			when salt was set to '-' (no salt). [RT #30099]
 8081 
 8082 3360.	[bug]		'host -w' could die.  [RT #18723]
 8083 
 8084 3359.	[bug]		An improperly-formed TSIG secret could cause a
 8085 			memory leak. [RT #30607]
 8086 
 8087 3358.	[placeholder]
 8088 
 8089 3357.	[port]		Add support for libxml2-2.8.x [RT #30440]
 8090 
 8091 3356.	[bug]		Cap the TTL of signed RRsets when RRSIGs are
 8092 			approaching their expiry, so they don't remain
 8093 			in caches after expiry. [RT #26429]
 8094 
 8095 3355.	[port]		Use more portable awk in verify system test.
 8096 
 8097 3354.	[func]		Improve OpenSSL error logging. [RT #29932]
 8098 
 8099 3353.	[bug]		Use a single task for task exclusive operations.
 8100 			[RT #29872]
 8101 
 8102 3352.	[bug]		Ensure that learned server attributes time out of the
 8103 			adb cache. [RT #29856]
 8104 
 8105 3351.	[bug]		isc_mem_put and isc_mem_putanddetach didn't report
 8106 			caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
 8107 			memory debugging flags are set. [RT #30243]
 8108 
 8109 3350.	[bug]		Memory read overrun in isc___mem_reallocate if
 8110 			ISC_MEM_DEBUGCTX memory debugging flag is set.
 8111 			[RT #30240]
 8112 
 8113 3349.	[bug]		Change #3345 was incomplete. [RT #30233]
 8114 
 8115 3348.	[bug]		Prevent RRSIG data from being cached if a negative
 8116 			record matching the covering type exists at a higher
 8117 			trust level. Such data already can't be retrieved from
 8118 			the cache since change 3218 -- this prevents it
 8119 			being inserted into the cache as well. [RT #26809]
 8120 
 8121 3347.	[bug]		dnssec-settime: Issue a warning when writing a new
 8122 			private key file would cause a change in the
 8123 			permissions of the existing file. [RT #27724]
 8124 
 8125 3346.	[security]	Bad-cache data could be used before it was
 8126 			initialized, causing an assert. [RT #30025]
 8127 
 8128 3345.	[bug]		Addressed race condition when removing the last item
 8129 			or inserting the first item in an ISC_QUEUE.
 8130 			[RT #29539]
 8131 
 8132 3344.	[func]		New "dnssec-checkds" command checks a zone to
 8133 			determine which DS records should be published
 8134 			in the parent zone, or which DLV records should be
 8135 			published in a DLV zone, and queries the DNS to
 8136 			ensure that it exists. (Note: This tool depends
 8137 			on python; it will not be built or installed on
 8138 			systems that do not have a python interpreter.)
 8139 			[RT #28099]
 8140 
 8141 3343.	[placeholder]
 8142 
 8143 3342.	[bug]		Change #3314 broke saving of stub zones to disk
 8144 			resulting in excessive cpu usage in some cases.
 8145 			[RT #29952]
 8146 
 8147 3341.	[func]		New "dnssec-verify" command checks a signed zone
 8148 			to ensure correctness of signatures and of NSEC/NSEC3
 8149 			chains. [RT #23673]
 8150 
 8151 3340.	[func]		Added new 'map' zone file format, which is an image
 8152 			of a zone database that can be loaded directly into
 8153 			memory via mmap(), allowing much faster zone loading.
 8154 			(Note: Because of pointer sizes and other
 8155 			considerations, this file format is platform-dependent;
 8156 			'map' zone files cannot always be transferred from one
 8157 			server to another.) [RT #25419]
 8158 
 8159 3339.	[func]		Allow the maximum supported rsa exponent size to be
 8160 			specified: "max-rsa-exponent-size <value>;" [RT #29228]
 8161 
 8162 3338.	[bug]		Address race condition in unit tests: asyncload_zone
 8163 			and asyncload_zt. [RT #26100]
 8164 
 8165 3337.	[bug]		Change #3294 broke support for the multiple keys
 8166 			in controls. [RT #29694]
 8167 
 8168 3336.	[func]		Maintain statistics for RRsets tagged as "stale".
 8169 			[RT #29514]
 8170 
 8171 3335.	[func]		nslookup: return a nonzero exit code when unable
 8172 			to get an answer. [RT #29492]
 8173 
 8174 3334.	[bug]		Hold a zone table reference while performing an
 8175 			asynchronous load of a zone. [RT #28326]
 8176 
 8177 3333.	[bug]		Setting resolver-query-timeout too low can cause
 8178 			named to not recover if it loses connectivity.
 8179 			[RT #29623]
 8180 
 8181 3332.	[bug]		Re-use cached DS rrsets if possible. [RT #29446]
 8182 
 8183 3331.	[security]	dns_rdataslab_fromrdataset could produce bad
 8184 			rdataslabs. [RT #29644]
 8185 
 8186 3330.	[func]		Fix missing signatures on NOERROR results despite
 8187 			RPZ rewriting.  Also
 8188 			 - add optional "recursive-only yes|no" to the
 8189 			   response-policy statement
 8190 			 - add optional "max-policy-ttl" to the response-policy
 8191 			    statement to limit the false data that
 8192 			    "recursive-only no" can introduce into
 8193 			    resolvers' caches
 8194 			 - add a RPZ performance test to bin/tests/system/rpz
 8195 			     when queryperf is available.
 8196 			 - the encoding of PASSTHRU action to "rpz-passthru".
 8197 			     (The old encoding is still accepted.)
 8198 			[RT #26172]
 8199 
 8200 
 8201 3329.	[bug]		Handle RRSIG signer-name case consistently: We
 8202 			generate RRSIG records with the signer-name in
 8203 			lower case.  We accept them with any case, but if
 8204 			they fail to validate, we try again in lower case.
 8205 			[RT #27451]
 8206 
 8207 3328.	[bug]		Fixed inconsistent data checking in dst_parse.c.
 8208 			[RT #29401]
 8209 
 8210 3327.	[func]		Added 'filter-aaaa-on-v6' option; this is similar
 8211 			to 'filter-aaaa-on-v4' but applies to IPv6
 8212 			connections.  (Use "configure --enable-filter-aaaa"
 8213 			to enable this option.)  [RT #27308]
 8214 
 8215 3326.	[func]		Added task list statistics: task model, worker
 8216 			threads, quantum, tasks running, tasks ready.
 8217 			[RT #27678]
 8218 
 8219 3325.	[func]		Report cache statistics: memory use, number of
 8220 			nodes, number of hash buckets, hit and miss counts.
 8221 			[RT #27056]
 8222 
 8223 3324.	[test]		Add better tests for ADB stats [RT #27057]
 8224 
 8225 3323.	[func]		Report the number of buckets the resolver is using.
 8226 			[RT #27020]
 8227 
 8228 3322.	[func]		Monitor the number of active TCP and UDP dispatches.
 8229 			[RT #27055]
 8230 
 8231 3321.	[func]		Monitor the number of recursive fetches and the
 8232 			number of open sockets, and report these values in
 8233 			the statistics channel. [RT #27054]
 8234 
 8235 3320.	[func]		Added support for monitoring of recursing client
 8236 			count. [RT #27009]
 8237 
 8238 3319.	[func]		Added support for monitoring of ADB entry count and
 8239 			hash size. [RT #27057]
 8240 
 8241 3318.	[tuning]	Reduce the amount of work performed while holding a
 8242 			bucket lock when finished with a fetch context.
 8243 			[RT #29239]
 8244 
 8245 3317.	[func]		Add ECDSA support (RFC 6605). [RT #21918]
 8246 
 8247 3316.	[tuning]	Improved locking performance when recursing.
 8248 			[RT #28836]
 8249 
 8250 3315.	[tuning]	Use multiple dispatch objects for sending upstream
 8251 			queries; this can improve performance on busy
 8252 			multiprocessor systems by reducing lock contention.
 8253 			[RT #28605]
 8254 
 8255 3314.	[bug]		The masters list could be updated while stub_callback
 8256 			or refresh_callback were using it. [RT #26732]
 8257 
 8258 3313.	[protocol]	Add TLSA record type. [RT #28989]
 8259 
 8260 3312.	[bug]		named-checkconf didn't detect a bad dns64 clients acl.
 8261 			[RT #27631]
 8262 
 8263 3311.	[bug]		Abort the zone dump if zone->db is NULL in
 8264 			zone.c:zone_gotwritehandle. [RT #29028]
 8265 
 8266 3310.	[test]		Increase table size for mutex profiling. [RT #28809]
 8267 
 8268 3309.	[bug]		resolver.c:fctx_finddone() was not thread safe.
 8269 			[RT #27995]
 8270 
 8271 3308.	[placeholder]
 8272 
 8273 3307.	[bug]		Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
 8274 			[RT #28956]
 8275 
 8276 3306.	[bug]		Improve DNS64 reverse zone performance. [RT #28563]
 8277 
 8278 3305.	[func]		Add wire format lookup method to sdb. [RT #28563]
 8279 
 8280 3304.	[bug]		Use hmctx, not mctx when freeing rbtdb->heaps.
 8281 			[RT #28571]
 8282 
 8283 3303.	[bug]		named could die when reloading. [RT #28606]
 8284 
 8285 3302.	[bug]		dns_dnssec_findmatchingkeys could fail to find
 8286 			keys if the zone name contained characters that
 8287 			required special mappings. [RT #28600]
 8288 
 8289 3301.	[contrib]	Update queryperf to build on darwin.  Add -R flag
 8290 			for non-recursive queries. [RT #28565]
 8291 
 8292 3300.	[bug]		Named could die if gssapi was enabled in named.conf
 8293 			but was not compiled in. [RT #28338]
 8294 
 8295 3299.	[bug]		Make SDB handle errors from database drivers better.
 8296 			[RT #28534]
 8297 
 8298 3298.	[bug]		Named could dereference a NULL pointer in
 8299 			zmgr_start_xfrin_ifquota if the zone was being removed.
 8300 			[RT #28419]
 8301 
 8302 3297.	[bug]		Named could die on a malformed master file. [RT #28467]
 8303 
 8304 3296.	[bug]		Named could die with an INSIST failure in
 8305 			client.c:exit_check. [RT #28346]
 8306 
 8307 3295.	[bug]		Adjust isc_time_secondsastimet range check to be more
 8308 			portable. [RT #26542]
 8309 
 8310 3294.	[bug]		isccc/cc.c:table_fromwire failed to free alist on
 8311 			error. [RT #28265]
 8312 
 8313 3293.	[func]		nsupdate: list supported type. [RT #28261]
 8314 
 8315 3292.	[func]		Log messages in the axfr stream at debug 10.
 8316 			[RT #28040]
 8317 
 8318 3291.	[port]		Fixed a build error on systems without ENOTSUP.
 8319 			[RT #28200]
 8320 
 8321 3290.	[bug]		<isc/hmacsha.h> was not being installed. [RT #28169]
 8322 
 8323 3289.	[bug]		'rndc retransfer' failed for inline zones. [RT #28036]
 8324 
 8325 3288.	[bug]		dlz_destroy() function wasn't correctly registered
 8326 			by the DLZ dlopen driver. [RT #28056]
 8327 
 8328 3287.	[port]		Update ans.pl to work with Net::DNS 0.68. [RT #28028]
 8329 
 8330 3286.	[bug]		Managed key maintenance timer could fail to start
 8331 			after 'rndc reconfig'. [RT #26786]
 8332 
 8333 3285.	[bug]		val-frdataset was incorrectly disassociated in
 8334 			proveunsecure after calling startfinddlvsep.
 8335 			[RT #27928]
 8336 
 8337 3284.	[bug]		Address race conditions with the handling of
 8338 			rbtnode.deadlink. [RT #27738]
 8339 
 8340 3283.	[bug]		Raw zones with more than 512 records in an RRset
 8341 			failed to load. [RT #27863]
 8342 
 8343 3282.	[bug]		Restrict the TTL of NS RRset to no more than that
 8344 			of the old NS RRset when replacing it.
 8345 			[RT #27792] [RT #27884]
 8346 
 8347 3281.	[bug]		SOA refresh queries could be treated as cancelled
 8348 			despite succeeding over the loopback interface.
 8349 			[RT #27782]
 8350 
 8351 3280.	[bug]		Potential double free of a rdataset on out of memory
 8352 			with DNS64. [RT #27762]
 8353 
 8354 3279.	[bug]		Hold an internal reference to the zone while performing
 8355 			an asynchronous load.  Address potential memory leak
 8356 			if the asynchronous load is cancelled. [RT #27750]
 8357 
 8358 3278.	[bug]		Make sure automatic key maintenance is started
 8359 			when "auto-dnssec maintain" is turned on during
 8360 			"rndc reconfig". [RT #26805]
 8361 
 8362 3277.	[bug]		win32: isc_socket_dup is not implemented. [RT #27696]
 8363 
 8364 3276.	[bug]		win32: ns_os_openfile failed to return NULL on
 8365 			safe_open failure. [RT #27696]
 8366 
 8367 3275.	[bug]		Corrected rndc -h output; the 'rndc sync -clean'
 8368 			option had been misspelled as '-clear'.  (To avoid
 8369 			future confusion, both options now work.) [RT #27173]
 8370 
 8371 3274.	[placeholder]
 8372 
 8373 3273.	[bug]		AAAA responses could be returned in the additional
 8374 			section even when filter-aaaa-on-v4 was in use.
 8375 			[RT #27292]
 8376 
 8377 3272.	[func]		New "rndc zonestatus" command prints information
 8378 			about the specified zone. [RT #21671]
 8379 
 8380 3271.	[port]		darwin: mksymtbl is not always stable, loop several
 8381 			times before giving up.  mksymtbl was using non
 8382 			portable perl to convert 64 bit hex strings. [RT #27653]
 8383 
 8384 	--- 9.9.0rc2 released ---
 8385 
 8386 3270.	[bug]		"rndc reload" didn't reuse existing zones correctly
 8387 			when inline-signing was in use. [RT #27650]
 8388 
 8389 3269.	[port]		darwin 11 and later now built threaded by default.
 8390 
 8391 3268.	[bug]		Convert RRSIG expiry times to 64 bit timestamps to work
 8392 			out the earliest expiry time. [RT #23311]
 8393 
 8394 3267.	[bug]		Memory allocation failures could be mis-reported as
 8395 			unexpected error.  New ISC_R_UNSET result code.
 8396 			[RT #27336]
 8397 
 8398 3266.	[bug]		The maximum number of NSEC3 iterations for a
 8399 			DNSKEY RRset was not being properly computed.
 8400 			[RT #26543]
 8401 
 8402 3265.	[bug]		Corrected a problem with lock ordering in the
 8403 			inline-signing code. [RT #27557]
 8404 
 8405 3264.	[bug]		Automatic regeneration of signatures in an
 8406 			inline-signing zone could stall when the server
 8407 			was restarted. [RT #27344]
 8408 
 8409 3263.	[bug]		"rndc sync" did not affect the unsigned side of an
 8410 			inline-signing zone. [RT #27337]
 8411 
 8412 3262.	[bug]		Signed responses were handled incorrectly by RPZ.
 8413 			[RT #27316]
 8414 
 8415 3261.	[func]		RRset ordering now defaults to random. [RT #27174]
 8416 
 8417 3260.	[bug]		"rrset-order cyclic" could appear not to rotate
 8418 			for some query patterns.  [RT #27170/27185]
 8419 
 8420 	--- 9.9.0rc1 released ---
 8421 
 8422 3259.	[bug]		named-compilezone: Suppress "dump zone to <file>"
 8423 			message when writing to stdout. [RT #27109]
 8424 
 8425 3258.	[test]		Add "forcing full sign with unreadable keys" test.
 8426 			[RT #27153]
 8427 
 8428 3257.	[bug]		Do not generate an error message when calling fsync()
 8429 			in a pipe or socket. [RT #27109]
 8430 
 8431 3256.	[bug]		Disable empty zones for lwresd -C. [RT #27139]
 8432 
 8433 3255.	[func]		No longer require that empty zones be explicitly
 8434 			enabled or that an empty zone is disabled for
 8435 			RFC 1918 empty zones to be configured. [RT #27139]
 8436 
 8437 3254.	[bug]		Set isc_socket_ipv6only() on the IPv6 control channels.
 8438 			[RT #22249]
 8439 
 8440 3253.	[bug]		Return DNS_R_SYNTAX when the input to a text field is
 8441 			too long. [RT #26956]
 8442 
 8443 3252.	[bug]		When master zones using inline-signing were
 8444 			updated while the server was offline, the source
 8445 			zone could fall out of sync with the signed
 8446 			copy. They can now resynchronize. [RT #26676]
 8447 
 8448 3251.	[bug]		Enforce an upper bound (65535 bytes) on the amount of
 8449 			memory dns_sdlz_putrr() can allocate per record to
 8450 			prevent runaway memory consumption on ISC_R_NOSPACE.
 8451 			[RT #26956]
 8452 
 8453 3250.	[func]		'configure --enable-developer'; turn on various
 8454 			configure options, normally off by default, that
 8455 			we want developers to build and test with. [RT #27103]
 8456 
 8457 3249.	[bug]		Update log message when saving slave zone files for
 8458 			analysis after load failures. [RT #27087]
 8459 
 8460 3248.	[bug]		Configure options --enable-fixed-rrset and
 8461 			--enable-exportlib were incompatible with each
 8462 			other. [RT #27087]
 8463 
 8464 3247.	[bug]		'raw' format zones failed to preserve load order
 8465 			breaking 'fixed' sort order. [RT #27087]
 8466 
 8467 3246.	[bug]		Named failed to start with an empty also-notify list.
 8468 			[RT #27087]
 8469 
 8470 3245.	[bug]		Don't report an error for unchanged serials unless there
 8471 			were other changes when thawing a zone with
 8472 			ixfr-fromdifferences. [RT #26845]
 8473 
 8474 3244.	[func]		Added readline support to nslookup and nsupdate.
 8475 			Also simplified nsupdate syntax to make "update"
 8476 			and "prereq" optional. [RT #24659]
 8477 
 8478 3243.	[port]		freebsd,netbsd,bsdi: the thread defaults were not
 8479 			being properly set.
 8480 
 8481 3242.	[func]		Extended the header of raw-format master files to
 8482 			include the serial number of the zone from which
 8483 			they were generated, if different (as in the case
 8484 			of inline-signing zones).  This is to be used in
 8485 			inline-signing zones, to track changes between the
 8486 			unsigned and signed versions of the zone, which may
 8487 			have different serial numbers.
 8488 
 8489 			(Note: raw zonefiles generated by this version of
 8490 			BIND are no longer compatible with prior versions.
 8491 			To generate a backward-compatible raw zonefile
 8492 			using dnssec-signzone or named-compilezone, specify
 8493 			output format "raw=0" instead of simply "raw".)
 8494 			[RT #26587]
 8495 
 8496 3241.	[bug]		Address race conditions in the resolver code.
 8497 			[RT #26889]
 8498 
 8499 3240.	[bug]		DNSKEY state change events could be missed. [RT #26874]
 8500 
 8501 3239.	[bug]		dns_dnssec_findmatchingkeys needs to use a consistent
 8502 			timestamp. [RT #26883]
 8503 
 8504 3238.	[bug]		keyrdata was not being reinitialized in
 8505 			lib/dns/rbtdb.c:iszonesecure. [RT #26913]
 8506 
 8507 3237.	[bug]		dig -6 didn't work with +trace. [RT #26906]
 8508 
 8509 3236.	[bug]		Backed out changes #3182 and #3202, related to
 8510 			EDNS(0) fallback behavior. [RT #26416]
 8511 
 8512 3235.	[func]		dns_db_diffx, an extended dns_db_diff which returns
 8513 			the generated diff and optionally writes it to a
 8514 			journal. [RT #26386]
 8515 
 8516 3234.	[bug]		'make depend' produced invalid makefiles. [RT #26830]
 8517 
 8518 3233.	[bug]		'rndc freeze/thaw' didn't work for inline zones.
 8519 			[RT #26632]
 8520 
 8521 3232.	[bug]		Zero zone->curmaster before return in
 8522 			dns_zone_setmasterswithkeys(). [RT #26732]
 8523 
 8524 3231.	[bug]		named could fail to send an incompressible zone.
 8525 			[RT #26796]
 8526 
 8527 3230.	[bug]		'dig axfr' failed to properly handle a multi-message
 8528 			axfr with a serial of 0. [RT #26796]
 8529 
 8530 3229.	[bug]		Fix local variable to struct var assignment
 8531 			found by CLANG warning.
 8532 
 8533 3228.	[tuning]	Dynamically grow symbol table to improve zone
 8534 			loading performance. [RT #26523]
 8535 
 8536 3227.	[bug]		Interim fix to make WKS's use of getprotobyname()
 8537 			and getservbyname() self thread safe. [RT #26232]
 8538 
 8539 3226.	[bug]		Address minor resource leakages. [RT #26624]
 8540 
 8541 3225.	[bug]		Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
 8542 			messages. [RT #26507]
 8543 
 8544 3224.	[bug]		'rndc signing' argument parsing was broken. [RT #26684]
 8545 
 8546 3223.	[bug]		'task_test privilege_drop' generated false positives.
 8547 			[RT #26766]
 8548 
 8549 3222.	[cleanup]	Replace dns_journal_{get,set}_bitws with
 8550 			dns_journal_{get,set}_sourceserial. [RT #26634]
 8551 
 8552 3221.	[bug]		Fixed a potential core dump on shutdown due to
 8553 			referencing fetch context after it's been freed.
 8554 			[RT #26720]
 8555 
 8556 	--- 9.9.0b2 released ---
 8557 
 8558 3220.	[bug]		Change #3186 was incomplete; dns_db_rpz_findips()
 8559 			could fail to set the database version correctly,
 8560 			causing an assertion failure. [RT #26180]
 8561 
 8562 3219.	[bug]		Disable NOEDNS caching following a timeout.
 8563 
 8564 3218.	[security]	Cache lookup could return RRSIG data associated with
 8565 			nonexistent records, leading to an assertion
 8566 			failure. [RT #26590]
 8567 
 8568 3217.	[cleanup]	Fix build problem with --disable-static. [RT #26476]
 8569 
 8570 3216.	[bug]		resolver.c:validated() was not thread-safe. [RT #26478]
 8571 
 8572 3215.	[bug]		'rndc recursing' could cause a core dump. [RT #26495]
 8573 
 8574 3214.	[func]		Add 'named -U' option to set the number of UDP
 8575 			listener threads per interface. [RT #26485]
 8576 
 8577 3213.	[doc]		Clarify ixfr-from-differences behavior. [RT #25188]
 8578 
 8579 3212.	[bug]		rbtdb.c: failed to remove a node from the deadnodes
 8580 			list prior to adding a reference to it leading to a
 8581 			possible assertion failure. [RT #23219]
 8582 
 8583 3211.	[func]		dnssec-signzone: "-f -" prints to stdout; "-O full"
 8584 			option prints in single-line-per-record format.
 8585 			[RT #20287]
 8586 
 8587 3210.	[bug]		Canceling the oldest query due to recursive-client
 8588 			overload could trigger an assertion failure. [RT #26463]
 8589 
 8590 3209.	[func]		Add "dnssec-lookaside 'no'".  [RT #24858]
 8591 
 8592 3208.	[bug]		'dig -y' handle unknown tsig algorithm better.
 8593 			[RT #25522]
 8594 
 8595 3207.	[contrib]	Fixed build error in Berkeley DB DLZ module. [RT #26444]
 8596 
 8597 3206.	[cleanup]	Add ISC information to log at start time. [RT #25484]
 8598 
 8599 3205.	[func]		Upgrade dig's defaults to better reflect modern
 8600 			nameserver behavior.  Enable "dig +adflag" and
 8601 			"dig +edns=0" by default.  Enable "+dnssec" when
 8602 			running "dig +trace". [RT #23497]
 8603 
 8604 3204.	[bug]		When a master server that has been marked as
 8605 			unreachable sends a NOTIFY, mark it reachable
 8606 			again. [RT #25960]
 8607 
 8608 3203.	[bug]		Increase log level to 'info' for validation failures
 8609 			from expired or not-yet-valid RRSIGs. [RT #21796]
 8610 
 8611 3202.	[bug]		NOEDNS caching on timeout was too aggressive.
 8612 			[RT #26416]
 8613 
 8614 3201.	[func]		'rndc querylog' can now be given an on/off parameter
 8615 			instead of only being used as a toggle. [RT #18351]
 8616 
 8617 3200.	[doc]		Some rndc functions were undocumented or were
 8618 			missing from 'rndc -h' output. [RT #25555]
 8619 
 8620 3199.	[func]		When logging client information, include the name
 8621 			being queried. [RT #25944]
 8622 
 8623 3198.	[doc]		Clarified that dnssec-settime can alter keyfile
 8624 			permissions. [RT #24866]
 8625 
 8626 3197.	[bug]		Don't try to log the filename and line number when
 8627 			the config parser can't open a file. [RT #22263]
 8628 
 8629 3196.	[bug]		nsupdate: return nonzero exit code when target zone
 8630 			doesn't exist. [RT #25783]
 8631 
 8632 3195.	[cleanup]	Silence "file not found" warnings when loading
 8633 			managed-keys zone. [RT #26340]
 8634 
 8635 3194.	[doc]		Updated RFC references in the 'empty-zones-enable'
 8636 			documentation. [RT #25203]
 8637 
 8638 3193.	[cleanup]	Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
 8639 			dnssec.h. [RT #26415]
 8640 
 8641 3192.	[bug]		A query structure could be used after being freed.
 8642 			[RT #22208]
 8643 
 8644 3191.	[bug]		Print NULL records using "unknown" format. [RT #26392]
 8645 
 8646 3190.	[bug]		Underflow in error handling in isc_mutexblock_init.
 8647 			[RT #26397]
 8648 
 8649 3189.	[test]		Added a summary report after system tests. [RT #25517]
 8650 
 8651 3188.	[bug]		zone.c:zone_refreshkeys() could fail to detach
 8652 			references correctly when errors occurred, causing
 8653 			a hang on shutdown. [RT #26372]
 8654 
 8655 3187.	[port]		win32: support for Visual Studio 2008.  [RT #26356]
 8656 
 8657 	--- 9.9.0b1 released ---
 8658 
 8659 3186.	[bug]		Version/db mismatch in rpz code. [RT #26180]
 8660 
 8661 3185.	[func]		New 'rndc signing' option for auto-dnssec zones:
 8662 			 - 'rndc signing -list' displays the current
 8663 			   state of signing operations
 8664 			 - 'rndc signing -clear' clears the signing state
 8665 			   records for keys that have fully signed the zone
 8666 			 - 'rndc signing -nsec3param' sets the NSEC3
 8667 			   parameters for the zone
 8668 			The 'rndc keydone' syntax is removed. [RT #23729]
 8669 
 8670 3184.	[bug]		named had excessive cpu usage when a redirect zone was
 8671 			configured. [RT #26013]
 8672 
 8673 3183.	[bug]		Added RTLD_GLOBAL flag to dlopen call. [RT #26301]
 8674 
 8675 3182.	[bug]		Auth servers behind firewalls which block packets
 8676 			greater than 512 bytes may cause other servers to
 8677 			perform poorly. Now, adb retains edns information
 8678 			and caches noedns servers. [RT #23392/24964]
 8679 
 8680 3181.	[func]		Inline-signing is now supported for master zones.
 8681 			[RT #26224]
 8682 
 8683 3180.	[func]		Local copies of slave zones are now saved in raw
 8684 			format by default, to improve startup performance.
 8685 			'masterfile-format text;' can be used to override
 8686 			the default, if desired. [RT #25867]
 8687 
 8688 3179.	[port]		kfreebsd: build issues. [RT #26273]
 8689 
 8690 3178.	[bug]		A race condition introduced by change #3163 could
 8691 			cause an assertion failure on shutdown. [RT #26271]
 8692 
 8693 3177.	[func]		'rndc keydone', remove the indicator record that
 8694 			named has finished signing the zone with the
 8695 			corresponding key.  [RT #26206]
 8696 
 8697 3176.	[doc]		Corrected example code and added a README to the
 8698 			sample external DLZ module in contrib/dlz/example.
 8699 			[RT #26215]
 8700 
 8701 3175.	[bug]		Fix how DNSSEC positive wildcard responses from an
 8702 			NSEC3 signed zone are validated.  Stop sending an
 8703 			unnecessary NSEC3 record when generating such
 8704 			responses. [RT #26200]
 8705 
 8706 3174.	[bug]		Always compute the revoked key tag from scratch.
 8707 			[RT #26186]
 8708 
 8709 3173.	[port]		Correctly validate root DS responses. [RT #25726]
 8710 
 8711 3172.	[port]		darwin 10.* and freebsd [89] are now built threaded by
 8712 			default.
 8713 
 8714 3171.	[bug]		Exclusively lock the task when adding a zone using
 8715 			'rndc addzone'.  [RT #25600]
 8716 
 8717 	--- 9.9.0a3 released ---
 8718 
 8719 3170.	[func]		RPZ update:
 8720 			- fix precedence among competing rules
 8721 			- improve ARM text including documenting rule precedence
 8722 			- try to rewrite CNAME chains until first hit
 8723 			- new "rpz" logging channel
 8724 			- RDATA for CNAME rules can include wildcards
 8725 			- replace "NO-OP" named.conf policy override with
 8726 			  "PASSTHRU" and add "DISABLED" override ("NO-OP"
 8727 			  is still recognized)
 8728 			[RT #25172]
 8729 
 8730 3169.	[func]		Catch db/version mis-matches when calling dns_db_*().
 8731 			[RT #26017]
 8732 
 8733 3168.	[bug]		Nxdomain redirection could trigger an assert with
 8734 			an ANY query. [RT #26017]
 8735 
 8736 3167.	[bug]		Negative answers from forwarders were not being
 8737 			correctly tagged making them appear to not be cached.
 8738 			[RT #25380]
 8739 
 8740 3166.	[bug]		Upgrading a zone to support inline-signing failed.
 8741 			[RT #26014]
 8742 
 8743 3165.	[bug]		dnssec-signzone could generate new signatures when
 8744 			resigning, even when valid signatures were already
 8745 			present. [RT #26025]
 8746 
 8747 3164.	[func]		Enable DLZ modules to retrieve client information,
 8748 			so that responses can be changed depending on the
 8749 			source address of the query. [RT #25768]
 8750 
 8751 3163.	[bug]		Use finer-grained locking in client.c to address
 8752 			concurrency problems with large numbers of threads.
 8753 			[RT #26044]
 8754 
 8755 3162.	[test]		start.pl: modified to allow for "named.args" in
 8756 			ns*/ subdirectory to override stock arguments to
 8757 			named. Largely from RT #26044, but no separate ticket.
 8758 
 8759 3161.	[bug]		zone.c:del_sigs failed to always reset rdata leading to
 8760 			assertion failures. [RT #25880]
 8761 
 8762 3160.	[bug]		When printing out an NSEC3 record in multiline form
 8763 			the newline was not being printed causing type codes
 8764 			to be run together. [RT #25873]
 8765 
 8766 3159.	[bug]		On some platforms, named could assert on startup
 8767 			when running in a chrooted environment without
 8768 			/proc. [RT #25863]
 8769 
 8770 3158.	[bug]		Recursive servers would prefer a particular UDP
 8771 			socket instead of using all available sockets.
 8772 			[RT #26038]
 8773 
 8774 3157.	[tuning]	Reduce the time spent in "rndc reconfig" by parsing
 8775 			the config file before pausing the server. [RT #21373]
 8776 
 8777 3156.	[placeholder]
 8778 
 8779 	--- 9.9.0a2 released ---
 8780 
 8781 3155.	[bug]		Fixed a build failure when using contrib DLZ
 8782 			drivers (e.g., mysql, postgresql, etc). [RT #25710]
 8783 
 8784 3154.	[bug]		Attempting to print an empty rdataset could trigger
 8785 			an assert. [RT #25452]
 8786 
 8787 3153.	[func]		Extend request-ixfr to zone level and remove the
 8788 			side effect of forcing an AXFR. [RT #25156]
 8789 
 8790 3152.	[cleanup]	Some versions of gcc and clang failed due to
 8791 			incorrect use of __builtin_expect. [RT #25183]
 8792 
 8793 3151.	[bug]		Queries for type RRSIG or SIG could be handled
 8794 			incorrectly.  [RT #21050]
 8795 
 8796 3150.	[func]		Improved startup and reconfiguration time by
 8797 			enabling zones to load in multiple threads. [RT #25333]
 8798 
 8799 3149.	[placeholder]
 8800 
 8801 3148.	[bug]		Processing of normal queries could be stalled when
 8802 			forwarding an UPDATE message. [RT #24711]
 8803 
 8804 3147.	[func]		Initial inline signing support.  [RT #23657]
 8805 
 8806 	--- 9.9.0a1 released ---
 8807 
 8808 3146.	[test]		Fixed gcc4.6.0 errors in ATF. [RT #25598]
 8809 
 8810 3145.	[test]		Capture output of ATF unit tests in "./atf.out" if
 8811 			there were any errors while running them. [RT #25527]
 8812 
 8813 3144.	[bug]		dns_dbiterator_seek() could trigger an assert when
 8814 			used with a nonexistent database node. [RT #25358]
 8815 
 8816 3143.	[bug]		Silence clang compiler warnings. [RT #25174]
 8817 
 8818 3142.	[bug]		NAPTR is class agnostic. [RT #25429]
 8819 
 8820 3141.	[bug]		Silence spurious "zone serial (0) unchanged" messages
 8821 			associated with empty zones. [RT #25079]
 8822 
 8823 3140.	[func]		New command "rndc flushtree <name>" clears the
 8824 			specified name from the server cache along with
 8825 			all names under it. [RT #19970]
 8826 
 8827 3139.	[test]		Added tests from RFC 6234, RFC 2202, and RFC 1321
 8828 			for the hashing algorithms (md5, sha1 - sha512, and
 8829 			their hmac counterparts).  [RT #25067]
 8830 
 8831 3138.	[bug]		Address memory leaks and out-of-order operations when
 8832 			shutting named down. [RT #25210]
 8833 
 8834 3137.	[func]		Improve hardware scalability by allowing multiple
 8835 			worker threads to process incoming UDP packets.
 8836 			This can significantly increase query throughput
 8837 			on some systems.  [RT #22992]
 8838 
 8839 3136.	[func]		Add RFC 1918 reverse zones to the list of built-in
 8840 			empty zones switched on by the 'empty-zones-enable'
 8841 			option. [RT #24990]
 8842 
 8843 3135.	[port]		FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
 8844 			See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
 8845 			[RT #24950]
 8846 
 8847 3134.	[bug]		Improve the accuracy of dnssec-signzone's signing
 8848 			statistics. [RT #16030]
 8849 
 8850 3133.	[bug]		Change #3114 was incomplete. [RT #24577]
 8851 
 8852 3132.	[placeholder]
 8853 
 8854 3131.	[tuning]	Improve scalability by allocating one zone task
 8855 			per 100 zones at startup time, rather than using a
 8856 			fixed-size task table. [RT #24406]
 8857 
 8858 3130.	[func]		Support alternate methods for managing a dynamic
 8859 			zone's serial number.  Two methods are currently
 8860 			defined using serial-update-method, "increment"
 8861 			(default) and "unixtime".  [RT #23849]
 8862 
 8863 3129.	[bug]		Named could crash on 'rndc reconfig' when
 8864 			allow-new-zones was set to yes and named ACLs
 8865 			were used. [RT #22739]
 8866 
 8867 3128.	[func]		Inserting an NSEC3PARAM via dynamic update in an
 8868 			auto-dnssec zone that has not been signed yet
 8869 			will cause it to be signed with the specified NSEC3
 8870 			parameters when keys are activated.  The
 8871 			NSEC3PARAM record will not appear in the zone until
 8872 			it is signed, but the parameters will be stored.
 8873 			[RT #23684]
 8874 
 8875 3127.	[bug]		'rndc thaw' will now remove a zone's journal file
 8876 			if the zone serial number has been changed and
 8877 			ixfr-from-differences is not in use.  [RT #24687]
 8878 
 8879 3126.	[security]	Using DNAME record to generate replacements caused
 8880 			RPZ to exit with an assertion failure. [RT #24766]
 8881 
 8882 3125.	[security]	Using wildcard CNAME records as a replacement with
 8883 			RPZ caused named to exit with an assertion failure.
 8884 			[RT #24715]
 8885 
 8886 3124.	[bug]		Use an rdataset attribute flag to indicate
 8887 			negative-cache records rather than using rrtype 0;
 8888 			this will prevent problems when that rrtype is
 8889 			used in actual DNS packets. [RT #24777]
 8890 
 8891 3123.	[security]	Change #2912 exposed a latent flaw in
 8892 			dns_rdataset_totext() that could cause named to
 8893 			crash with an assertion failure. [RT #24777]
 8894 
 8895 3122.	[cleanup]	dnssec-settime: corrected usage message. [RT #24664]
 8896 
 8897 3121.	[security]	An authoritative name server sending a negative
 8898 			response containing a very large RRset could
 8899 			trigger an off-by-one error in the ncache code
 8900 			and crash named. [RT #24650]
 8901 
 8902 3120.	[bug]		Named could fail to validate zones listed in a DLV
 8903 			that validated insecure without using DLV and had
 8904 			DS records in the parent zone. [RT #24631]
 8905 
 8906 3119.	[bug]		When rolling to a new DNSSEC key, a private-type
 8907 			record could be created and never marked complete.
 8908 			[RT #23253]
 8909 
 8910 3118.	[bug]		nsupdate could dump core on shutdown when using
 8911 			SIG(0) keys. [RT #24604]
 8912 
 8913 3117.	[cleanup]	Remove doc and parser references to the
 8914 			never-implemented 'auto-dnssec create' option.
 8915 			[RT #24533]
 8916 
 8917 3116.	[func]		New 'dnssec-update-mode' option controls updates
 8918 			of DNSSEC records in signed dynamic zones.  Set to
 8919 			'no-resign' to disable automatic RRSIG regeneration
 8920 			while retaining the ability to sign new or changed
 8921 			data. [RT #24533]
 8922 
 8923 3115.	[bug]		Named could fail to return requested data when
 8924 			following a CNAME that points into the same zone.
 8925 			[RT #24455]
 8926 
 8927 3114.	[bug]		Retain expired RRSIGs in dynamic zones if key is
 8928 			inactive and there is no replacement key. [RT #23136]
 8929 
 8930 3113.	[doc]		Document the relationship between serial-query-rate
 8931 			and NOTIFY messages.
 8932 
 8933 3112.	[doc]		Add missing descriptions of the update policy name
 8934 			types "ms-self", "ms-subdomain", "krb5-self" and
 8935 			"krb5-subdomain", which allow machines to update
 8936 			their own records, to the BIND 9 ARM.
 8937 
 8938 3111.	[bug]		Improved consistency checks for dnssec-enable and
 8939 			dnssec-validation, added test cases to the
 8940 			checkconf system test. [RT #24398]
 8941 
 8942 3110.	[bug]		dnssec-signzone: Wrong error message could appear
 8943 			when attempting to sign with no KSK. [RT #24369]
 8944 
 8945 3109.	[func]		The also-notify option now uses the same syntax
 8946 			as a zone's masters clause.  This means it is
 8947 			now possible to specify a TSIG key to use when
 8948 			sending notifies to a given server, or to include
 8949 			an explicit named masters list in an also-notify
 8950 			statement.  [RT #23508]
 8951 
 8952 3108.	[cleanup]	dnssec-signzone: Clarified some error and
 8953 			warning messages; removed #ifdef ALLOW_KSKLESS_ZONES
 8954 			code (use -P instead). [RT #20852]
 8955 
 8956 3107.	[bug]		dnssec-signzone: Report the correct number of ZSKs
 8957 			when using -x. [RT #20852]
 8958 
 8959 3106.	[func]		When logging client requests, include the name of
 8960 			the TSIG key if any. [RT #23619]
 8961 
 8962 3105.	[bug]		GOST support can be suppressed by "configure
 8963 			--without-gost" [RT #24367]
 8964 
 8965 3104.	[bug]		Better support for cross-compiling. [RT #24367]
 8966 
 8967 3103.	[bug]		Configuring 'dnssec-validation auto' in a view
 8968 			instead of in the options statement could trigger
 8969 			an assertion failure in named-checkconf. [RT #24382]
 8970 
 8971 3102.	[func]		New 'dnssec-loadkeys-interval' option configures
 8972 			how often, in minutes, to check the key repository
 8973 			for updates when using automatic key maintenance.
 8974 			Default is every 60 minutes (formerly hard-coded
 8975 			to 12 hours). [RT #23744]
 8976 
 8977 3101.	[bug]		Zones using automatic key maintenance could fail
 8978 			to check the key repository for updates. [RT #23744]
 8979 
 8980 3100.	[security]	Certain response policy zone configurations could
 8981 			trigger an INSIST when receiving a query of type
 8982 			RRSIG. [RT #24280]
 8983 
 8984 3099.	[test]		"dlz" system test now runs but gives R:SKIPPED if
 8985 			not compiled with --with-dlz-filesystem.  [RT #24146]
 8986 
 8987 3098.	[bug]		DLZ zones were answering without setting the AA bit.
 8988 			[RT #24146]
 8989 
 8990 3097.	[test]		Add a tool to test handling of malformed packets.
 8991 			[RT #24096]
 8992 
 8993 3096.	[bug]		Set KRB5_KTNAME before calling log_cred() in
 8994 			dst_gssapi_acceptctx(). [RT #24004]
 8995 
 8996 3095.	[bug]		Handle isolated reserved ports in the port range.
 8997 			[RT #23957]
 8998 
 8999 3094.	[doc]		Expand dns64 documentation.
 9000 
 9001 3093.	[bug]		Fix gssapi/kerberos dependencies [RT #23836]
 9002 
 9003 3092.	[bug]		Signatures for records at the zone apex could go
 9004 			stale due to an incorrect timer setting. [RT #23769]
 9005 
 9006 3091.	[bug]		Fixed a bug in which zone keys that were published
 9007 			and then subsequently activated could fail to trigger
 9008 			automatic signing. [RT #22911]
 9009 
 9010 3090.	[func]		Make --with-gssapi default [RT #23738]
 9011 
 9012 3089.	[func]		dnssec-dsfromkey now supports reading keys from
 9013 			standard input "dnssec-dsfromkey -f -". [RT #20662]
 9014 
 9015 3088.	[bug]		Remove bin/tests/system/logfileconfig/ns1/named.conf
 9016 			and add setup.sh in order to resolve changing
 9017 			named.conf issue.  [RT #23687]
 9018 
 9019 3087.	[bug]		DDNS updates using SIG(0) with update-policy match
 9020 			type "external" could cause a crash. [RT #23735]
 9021 
 9022 3086.	[bug]		Running dnssec-settime -f on an old-style key will
 9023 			now force an update to the new key format even if no
 9024 			other change has been specified, using "-P now -A now"
 9025 			as default values.  [RT #22474]
 9026 
 9027 3085.	[func]		New '-R' option in dnssec-signzone forces removal
 9028 			of signatures which have not yet expired but
 9029 			were generated by a key that no longer exists.
 9030 			[RT #22471]
 9031 
 9032 3084.	[func]		A new command "rndc sync" dumps pending changes in
 9033 			a dynamic zone to disk; "rndc sync -clean" also
 9034 			removes the journal file after syncing.  Also,
 9035 			"rndc freeze" no longer removes journal files.
 9036 			[RT #22473]
 9037 
 9038 3083.	[bug]		NOTIFY messages were not being sent when generating
 9039 			an NSEC3 chain incrementally. [RT #23702]
 9040 
 9041 3082.	[port]		strtok_r is threads only. [RT #23747]
 9042 
 9043 3081.	[bug]		Failure of DNAME substitution did not return
 9044 			YXDOMAIN. [RT #23591]
 9045 
 9046 3080.	[cleanup]	Replaced compile time constant by STDTIME_ON_32BITS.
 9047 			[RT #23587]
 9048 
 9049 3079.	[bug]		Handle isc_event_allocate failures in t_tasks.
 9050 			[RT #23572]
 9051 
 9052 3078.	[func]		Added a new include file with function typedefs
 9053 			for the DLZ "dlopen" driver. [RT #23629]
 9054 
 9055 3077.	[bug]		zone.c:zone_refreshkeys() incorrectly called
 9056 			dns_zone_attach(), use zone->irefs instead. [RT #23303]
 9057 
 9058 3076.	[func]		New '-L' option in dnssec-keygen, dnssec-settime, and
 9059 			dnssec-keyfromlabel sets the default TTL of the
 9060 			key.  When possible, automatic signing will use that
 9061 			TTL when the key is published.  [RT #23304]
 9062 
 9063 3075.	[bug]		dns_dnssec_findzonekeys{2} used an inconsistent
 9064 			timestamp when determining which keys are active.
 9065 			[RT #23642]
 9066 
 9067 3074.	[bug]		Make the adb cache read through for zone data and
 9068 			glue learned for zones named is authoritative for.
 9069 			[RT #22842]
 9070 
 9071 3073.	[bug]		managed-keys changes were not properly being recorded.
 9072 			[RT #20256]
 9073 
 9074 3072.	[bug]		dns_dns64_aaaaok() potential NULL pointer dereference.
 9075 			[RT #20256]
 9076 
 9077 3071.	[bug]		has_nsec could be used uninitialized in
 9078 			update.c:next_active. [RT #20256]
 9079 
 9080 3070.	[bug]		dnssec-signzone potential NULL pointer dereference.
 9081 			[RT #20256]
 9082 
 9083 3069.	[cleanup]	Silence warning messages from clang static analysis.
 9084 			[RT #20256]
 9085 
 9086 3068.	[bug]		Named failed to build with an OpenSSL without engine
 9087 			support. [RT #23473]
 9088 
 9089 3067.	[bug]		ixfr-from-differences {master|slave}; failed to
 9090 			select the master/slave zones.  [RT #23580]
 9091 
 9092 3066.	[func]		The DLZ "dlopen" driver is now built by default,
 9093 			no longer requiring a configure option.  To
 9094 			disable it, use "configure --without-dlopen".
 9095 			Driver also supported on win32.  [RT #23467]
 9096 
 9097 3065.	[bug]		RRSIG could have time stamps too far in the future.
 9098 			[RT #23356]
 9099 
 9100 3064.	[bug]		powerpc: add sync instructions to the end of atomic
 9101 			operations. [RT #23469]
 9102 
 9103 3063.	[contrib]	More verbose error reporting from DLZ LDAP. [RT #23402]
 9104 
 9105 3062.	[func]		Made several changes to enhance human readability
 9106 			of DNSSEC data in dig output and in generated
 9107 			zone files:
 9108 			 - DNSKEY record comments are more verbose, no
 9109 			   longer used in multiline mode only
 9110 			 - multiline RRSIG records reformatted
 9111 			 - multiline output mode for NSEC3PARAM records
 9112 			 - "dig +norrcomments" suppresses DNSKEY comments
 9113 			 - "dig +split=X" breaks hex/base64 records into
 9114 			   fields of width X; "dig +nosplit" disables this.
 9115 			[RT #22820]
 9116 
 9117 3061.	[func]		New option "dnssec-signzone -D", only write out
 9118 			generated DNSSEC records. [RT #22896]
 9119 
 9120 3060.	[func]		New option "dnssec-signzone -X <date>" allows
 9121 			specification of a separate expiration date
 9122 			for DNSKEY RRSIGs and other RRSIGs. [RT #22141]
 9123 
 9124 3059.	[test]		Added a regression test for change #3023.
 9125 
 9126 3058.	[bug]		Cause named to terminate at startup or rndc reconfig/
 9127 			reload to fail, if a log file specified in the conf
 9128 			file isn't a plain file. [RT #22771]
 9129 
 9130 3057.	[bug]		"rndc secroots" would abort after the first error
 9131 			and so could miss some views. [RT #23488]
 9132 
 9133 3056.	[func]		Added support for URI resource record. [RT #23386]
 9134 
 9135 3055.	[placeholder]
 9136 
 9137 3054.	[bug]		Added elliptic curve support check in
 9138 			GOST OpenSSL engine detection. [RT #23485]
 9139 
 9140 3053.	[bug]		Under a sustained high query load with a finite
 9141 			max-cache-size, it was possible for cache memory
 9142 			to be exhausted and not recovered. [RT #23371]
 9143 
 9144 3052.	[test]		Fixed last autosign test report. [RT #23256]
 9145 
 9146 3051.	[bug]		NS records obscure DNAME records at the bottom of the
 9147 			zone if both are present. [RT #23035]
 9148 
 9149 3050.	[bug]		The autosign system test was timing dependent.
 9150 			Wait for the initial autosigning to complete
 9151 			before running the rest of the test. [RT #23035]
 9152 
 9153 3049.	[bug]		Save and restore the gid when creating
 9154 			named.pid at startup. [RT #23290]
 9155 
 9156 3048.	[bug]		Fully separate view key management. [RT #23419]
 9157 
 9158 3047.	[bug]		DNSKEY NODATA responses not cached fixed in
 9159 			validator.c. Tests added to dnssec system test.
 9160 			[RT #22908]
 9161 
 9162 3046.	[bug]		Use RRSIG original TTL to compute validated RRset
 9163 			and RRSIG TTL. [RT #23332]
 9164 
 9165 3045.	[removed]	Replaced by change #3050.
 9166 
 9167 3044.	[bug]		Hold the socket manager lock while freeing the socket.
 9168 			[RT #23333]
 9169 
 9170 3043.	[test]		Merged in the NetBSD ATF test framework (currently
 9171 			version 0.12) for development of future unit tests.
 9172 			Use configure --with-atf to build ATF internally
 9173 			or configure --with-atf=prefix to use an external
 9174 			copy.  [RT #23209]
 9175 
 9176 3042.	[bug]		dig +trace could fail attempting to use IPv6
 9177 			addresses on systems with only IPv4 connectivity.
 9178 			[RT #23297]
 9179 
 9180 3041.	[bug]		dnssec-signzone failed to generate new signatures on
 9181 			ttl changes. [RT #23330]
 9182 
 9183 3040.	[bug]		Named failed to validate insecure zones where a node
 9184 			with a CNAME existed between the trust anchor and the
 9185 			top of the zone. [RT #23338]
 9186 
 9187 3039.	[func]		Redirect on NXDOMAIN support. [RT #23146]
 9188 
 9189 3038.	[bug]		Install <dns/rpz.h>.  [RT #23342]
 9190 
 9191 3037.	[doc]		Update COPYRIGHT to contain all the individual
 9192 			copyright notices that cover various parts.
 9193 
 9194 3036.	[bug]		Check built-in zone arguments to see if the zone
 9195 			is re-usable or not. [RT #21914]
 9196 
 9197 3035.	[cleanup]	Simplify by using strlcpy. [RT #22521]
 9198 
 9199 3034.	[cleanup]	nslookup: use strlcpy instead of safecopy. [RT #22521]
 9200 
 9201 3033.	[cleanup]	Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).
 9202 			[RT #22521]
 9203 
 9204 3032.	[bug]		rdatalist.c: add missing REQUIREs. [RT #22521]
 9205 
 9206 3031.	[bug]		dns_rdataclass_format() handle a zero sized buffer.
 9207 			[RT #22521]
 9208 
 9209 3030.	[bug]		dns_rdatatype_format() handle a zero sized buffer.
 9210 			[RT #22521]
 9211 
 9212 3029.	[bug]		isc_netaddr_format() handle a zero sized buffer.
 9213 			[RT #22521]
 9214 
 9215 3028.	[bug]		isc_sockaddr_format() handle a zero sized buffer.
 9216 			[RT #22521]
 9217 
 9218 3027.	[bug]		Add documented REQUIREs to cfg_obj_asnetprefix() to
 9219 			catch NULL pointer dereferences before they happen.
 9220 			[RT #22521]
 9221 
 9222 3026.	[bug]		lib/isc/httpd.c: check that we have enough space
 9223 			after calling grow_headerspace() and if not
 9224 			re-call grow_headerspace() until we do. [RT #22521]
 9225 
 9226 3025.	[bug]		Fixed a possible deadlock due to zone resigning.
 9227 			[RT #22964]
 9228 
 9229 3024.	[func]		RTT Banding removed due to minor security increase
 9230 			but major impact on resolver latency. [RT #23310]
 9231 
 9232 3023.	[bug]		Named could be left in an inconsistent state when
 9233 			receiving multiple AXFR response messages that were
 9234 			not all TSIG-signed. [RT #23254]
 9235 
 9236 3022.	[bug]		Fixed rpz SERVFAILs after failed zone transfers
 9237 			[RT #23246]
 9238 
 9239 3021.	[bug]		Change #3010 was incomplete. [RT #22296]
 9240 
 9241 3020.	[bug]		auto-dnssec failed to correctly update the zone when
 9242 			changing the DNSKEY RRset. [RT #23232]
 9243 
 9244 3019.	[test]		Test: check apex NSEC3 records after adding DNSKEY
 9245 			record via UPDATE. [RT #23229]
 9246 
 9247 3018.	[bug]		Named failed to check for the "none;" acl when deciding
 9248 			if a zone may need to be re-signed. [RT #23120]
 9249 
 9250 3017.	[doc]		dnssec-keyfromlabel -I was not properly documented.
 9251 			[RT #22887]
 9252 
 9253 3016.	[bug]		rndc usage missing '-b'. [RT #22937]
 9254 
 9255 3015.	[port]		win32: fix IN6_IS_ADDR_LINKLOCAL and
 9256 			IN6_IS_ADDR_SITELOCAL macros. [RT #22724]
 9257 
 9258 3014.	[placeholder]
 9259 
 9260 3013.	[bug]		The DNS64 ttl was not always being set as expected.
 9261 			[RT #23034]
 9262 
 9263 3012.	[bug]		Remove DNSKEY TTL change pairs before generating
 9264 			signing records for any remaining DNSKEY changes.
 9265 			[RT #22590]
 9266 
 9267 3011.	[func]		Change the default query timeout from 30 seconds
 9268 			to 10.  Allow setting this in named.conf using the new
 9269 			'resolver-query-timeout' option, which specifies a max
 9270 			time in seconds.  0 means 'default' and anything longer
 9271 			than 30 will be silently set to 30. [RT #22852]
 9272 
 9273 3010.	[bug]		Fixed a bug where "rndc reconfig" stopped the timer
 9274 			for refreshing managed-keys. [RT #22296]
 9275 
 9276 3009.	[bug]		clients-per-query code didn't work as expected with
 9277 			particular query patterns. [RT #22972]
 9278 
 9279 	--- 9.8.0b1 released ---
 9280 
 9281 3008.	[func]		Response policy zones (RPZ) support. [RT #21726]
 9282 
 9283 3007.	[bug]		Named failed to preserve the case of domain names in
 9284 			rdata which is not compressible when writing master
 9285 			files.  [RT #22863]
 9286 
 9287 3006.	[func]		Allow dynamically generated TSIG keys to be preserved
 9288 			across restarts of named.  Initially this is for
 9289 			TSIG keys generated using GSSAPI. [RT #22639]
 9290 
 9291 3005.	[port]		Solaris: Work around the lack of
 9292 			gsskrb5_register_acceptor_identity() by setting
 9293 			the KRB5_KTNAME environment variable to the
 9294 			contents of tkey-gssapi-keytab.  Also fixed
 9295 			test errors on MacOSX.  [RT #22853]
 9296 
 9297 3004.	[func]		DNS64 reverse support. [RT #22769]
 9298 
 9299 3003.	[experimental]	Added update-policy match type "external",
 9300 			enabling named to defer the decision of whether to
 9301 			allow a dynamic update to an external daemon.
 9302 			(Contributed by Andrew Tridgell.) [RT #22758]
 9303 
 9304 3002.	[bug]		isc_mutex_init_errcheck() failed to destroy attr.
 9305 			[RT #22766]
 9306 
 9307 3001.	[func]		Added a default trust anchor for the root zone, which
 9308 			can be switched on by setting "dnssec-validation auto;"
 9309 			in the named.conf options. [RT #21727]
 9310 
 9311 3000.	[bug]		More TKEY/GSS fixes:
 9312 			 - nsupdate can now get the default realm from
 9313 			   the user's Kerberos principal
 9314 			 - corrected gsstest compilation flags
 9315 			 - improved documentation
 9316 			 - fixed some NULL dereferences
 9317 			[RT #22795]
 9318 
 9319 2999.	[func]		Add GOST support (RFC 5933). [RT #20639]
 9320 
 9321 2998.	[func]		Add isc_task_beginexclusive and isc_task_endexclusive
 9322 			to the task api. [RT #22776]
 9323 
 9324 2997.	[func]		named -V now reports the OpenSSL and libxml2 versions
 9325 			it was compiled against. [RT #22687]
 9326 
 9327 2996.	[security]	Temporarily disable SO_ACCEPTFILTER support.
 9328 			[RT #22589]
 9329 
 9330 2995.	[bug]		The Kerberos realm was not being correctly extracted
 9331 			from the signer's identity. [RT #22770]
 9332 
 9333 2994.	[port]		NetBSD: use pthreads by default on NetBSD >= 5.0, and
 9334 			do not use threads on earlier versions.  Also kill
 9335 			the unproven-pthreads, mit-pthreads, and ptl2 support.
 9336 
 9337 2993.	[func]		Dynamically grow adb hash tables. [RT #21186]
 9338 
 9339 2992.	[contrib]	contrib/check-secure-delegation.pl:  A simple tool
 9340 			for looking at a secure delegation. [RT #22059]
 9341 
 9342 2991.	[contrib]	contrib/zone-edit.sh: A simple zone editing tool for
 9343 			dynamic zones. [RT #22365]
 9344 
 9345 2990.	[bug]		'dnssec-settime -S' no longer tests prepublication
 9346 			interval validity when the interval is set to 0.
 9347 			[RT #22761]
 9348 
 9349 2989.	[func]		Added support for writable DLZ zones. (Contributed
 9350 			by Andrew Tridgell of the Samba project.) [RT #22629]
 9351 
 9352 2988.	[experimental]	Added a "dlopen" DLZ driver, allowing the creation
 9353 			of external DLZ drivers that can be loaded as
 9354 			shared objects at runtime rather than linked with
 9355 			named.  Currently this is switched on via a
 9356 			compile-time option, "configure --with-dlz-dlopen".
 9357 			Note: the syntax for configuring DLZ zones
 9358 			is likely to be refined in future releases.
 9359 			(Contributed by Andrew Tridgell of the Samba
 9360 			project.) [RT #22629]
 9361 
 9362 2987.	[func]		Improve ease of configuring TKEY/GSS updates by
 9363 			adding a "tkey-gssapi-keytab" option.  If set,
 9364 			updates will be allowed with any key matching
 9365 			a principal in the specified keytab file.
 9366 			"tkey-gssapi-credential" is no longer required
 9367 			and is expected to be deprecated.  (Contributed
 9368 			by Andrew Tridgell of the Samba project.)
 9369 			[RT #22629]
 9370 
 9371 2986.	[func]		Add new zone type "static-stub".  It's like a stub
 9372 			zone, but the nameserver names and/or their IP
 9373 			addresses are statically configured. [RT #21474]
 9374 
 9375 2985.	[bug]		Add a regression test for change #2896. [RT #21324]
 9376 
 9377 2984.	[bug]		Don't run MX checks when the target of the MX record
 9378 			is ".".  [RT #22645]
 9379 
 9380 2983.	[bug]		Include "loadkeys" in rndc help output. [RT #22493]
 9381 
 9382 	--- 9.8.0a1 released ---
 9383 
 9384 2982.	[bug]		Reference count dst keys.  dst_key_attach() can be used
 9385 			to increment the reference count.
 9386 
 9387 			Note: dns_tsigkey_createfromkey() callers should now
 9388 			always call dst_key_free() rather than setting it
 9389 			to NULL on success. [RT #22672]
 9390 
 9391 2981.	[func]		Partial DNS64 support (AAAA synthesis). [RT #21991]
 9392 
 9393 2980.	[bug]		named didn't properly handle UPDATES that changed the
 9394 			TTL of the NSEC3PARAM RRset. [RT #22363]
 9395 
 9396 2979.	[bug]		named could deadlock during shutdown if two
 9397 			"rndc stop" commands were issued at the same
 9398 			time. [RT #22108]
 9399 
 9400 2978.	[port]		hpux: look for <devpoll.h> [RT #21919]
 9401 
 9402 2977.	[bug]		'nsupdate -l' reports if the session key is missing.
 9403 			[RT #21670]
 9404 
 9405 2976.	[bug]		named could die on exit after negotiating a GSS-TSIG
 9406 			key. [RT #22573]
 9407 
 9408 2975.	[bug]		rbtdb.c:cleanup_dead_nodes_callback() acquired the
 9409 			wrong lock which could lead to server deadlock.
 9410 			[RT #22614]
 9411 
 9412 2974.	[bug]		Some valid UPDATE requests could fail due to a
 9413 			consistency check examining the existing version
 9414 			of the zone rather than the new version resulting
 9415 			from the UPDATE. [RT #22413]
 9416 
 9417 2973.	[bug]		bind.keys.h was being removed by the "make clean"
 9418 			at the end of configure resulting in build failures
 9419 			where there is a very old version of perl installed.
 9420 			Move it to "make maintainer-clean". [RT #22230]
 9421 
 9422 2972.	[bug]		win32: address windows socket errors. [RT #21906]
 9423 
 9424 2971.	[bug]		Fixed a bug that caused journal files not to be
 9425 			compacted on Windows systems as a result of
 9426 			non-POSIX-compliant rename() semantics. [RT #22434]
 9427 
 9428 2970.	[security]	Adding a NO DATA negative cache entry failed to clear
 9429 			any matching RRSIG records.  A subsequent lookup of
 9430 			the NO DATA cache entry could trigger an INSIST when the
 9431 			unexpected RRSIG was also returned with the NO DATA
 9432 			cache entry.
 9433 
 9434 			CVE-2010-3613, VU#706148. [RT #22288]
 9435 
 9436 2969.	[security]	Fix acl type processing so that allow-query works
 9437 			in options and view statements.  Also add a new
 9438 			set of tests to verify proper functioning.
 9439 
 9440 			CVE-2010-3615, VU#510208. [RT #22418]
 9441 
 9442 2968.	[security]	Named could fail to prove a data set was insecure
 9443 			before marking it as insecure.  One set of conditions
 9444 			that can trigger this occurs naturally when rolling
 9445 			DNSKEY algorithms.
 9446 
 9447 			CVE-2010-3614, VU#837744. [RT #22309]
 9448 
 9449 2967.	[bug]		'host -D' now turns on debugging messages earlier.
 9450 			[RT #22361]
 9451 
 9452 2966.	[bug]		isc_print_vsnprintf() failed to check if there was
 9453 			space available in the buffer when adding a left
 9454 			justified character with a non zero width,
 9455 			(e.g. "%-1c"). [RT #22270]
 9456 
 9457 2965.	[func]		Test HMAC functions using test data from RFC 2104 and
 9458 			RFC 4634. [RT #21702]
 9459 
 9460 2964.	[placeholder]
 9461 
 9462 2963.	[security]	The allow-query acl was being applied instead of the
 9463 			allow-query-cache acl to cache lookups. [RT #22114]
 9464 
 9465 2962.	[port]		win32: add more dependencies to BINDBuild.dsw.
 9466 			[RT #22062]
 9467 
 9468 2961.	[bug]		Be still more selective about the non-authoritative
 9469 			answers we apply change 2748 to. [RT #22074]
 9470 
 9471 2960.	[func]		Check that named accepts non-authoritative answers.
 9472 			[RT #21594]
 9473 
 9474 2959.	[func]		Check that named starts with a missing masterfile.
 9475 			[RT #22076]
 9476 
 9477 2958.	[bug]		named failed to start with a missing master file.
 9478 			[RT #22076]
 9479 
 9480 2957.	[bug]		entropy_get() and entropy_getpseudo() failed to match
 9481 			the API for RAND_bytes() and RAND_pseudo_bytes()
 9482 			respectively. [RT #21962]
 9483 
 9484 2956.	[port]		Enable atomic operations on the PowerPC64. [RT #21899]
 9485 
 9486 2955.	[func]		Provide more detail in the recursing log. [RT #22043]
 9487 
 9488 2954.	[bug]		contrib: dlz_mysql_driver.c bad error handling on
 9489 			build_sqldbinstance failure. [RT #21623]
 9490 
 9491 2953.	[bug]		Silence spurious "expected covering NSEC3, got an
 9492 			exact match" message when returning a wildcard
 9493 			no data response. [RT #21744]
 9494 
 9495 2952.	[port]		win32: named-checkzone and named-checkconf failed
 9496 			to initialize winsock. [RT #21932]
 9497 
 9498 2951.	[bug]		named failed to generate a correct signed response
 9499 			in an optout, delegation only zone with no secure
 9500 			delegations. [RT #22007]
 9501 
 9502 2950.	[bug]		named failed to perform a SOA up to date check when
 9503 			falling back to TCP on UDP timeouts when
 9504 			ixfr-from-differences was set. [RT #21595]
 9505 
 9506 2949.	[bug]		dns_view_setnewzones() contained a memory leak if
 9507 			it was called multiple times. [RT #21942]
 9508 
 9509 2948.	[port]		MacOS: provide a mechanism to configure the test
 9510 			interfaces at reboot. See bin/tests/system/README
 9511 			for details.
 9512 
 9513 2947.	[placeholder]
 9514 
 9515 2946.	[doc]		Document the default values for the minimum and maximum
 9516 			zone refresh and retry values in the ARM. [RT #21886]
 9517 
 9518 2945.	[doc]		Update empty-zones list in ARM. [RT #21772]
 9519 
 9520 2944.	[maint]		Remove ORCHID prefix from built in empty zones.
 9521 			[RT #21772]
 9522 
 9523 2943.	[func]		Add support to load new keys into managed zones
 9524 			without signing immediately with "rndc loadkeys".
 9525 			Add support to link keys with "dnssec-keygen -S"
 9526 			and "dnssec-settime -S".  [RT #21351]
 9527 
 9528 2942.	[contrib]	zone2sqlite failed to setup the entropy sources.
 9529 			[RT #21610]
 9530 
 9531 2941.	[bug]		sdb and sdlz (dlz's zone database) failed to support
 9532 			DNAME at the zone apex.  [RT #21610]
 9533 
 9534 2940.	[port]		Remove connection aborted error message on
 9535 			Windows. [RT #21549]
 9536 
 9537 2939.	[func]		Check that named successfully skips NSEC3 records
 9538 			that fail to match the NSEC3PARAM record currently
 9539 			in use. [RT #21868]
 9540 
 9541 2938.	[bug]		When generating signed responses, from a signed zone
 9542 			that uses NSEC3, named would use an uninitialized
 9543 			pointer if it needed to skip a NSEC3 record because
 9544 			it didn't match the selected NSEC3PARAM record for
 9545 			the zone. [RT #21868]
 9546 
 9547 2937.	[bug]		Worked around an apparent race condition in over
 9548 			memory conditions.  Without this fix a DNS cache DB or
 9549 			ADB could incorrectly stay in an over memory state,
 9550 			effectively refusing further caching, which
 9551 			subsequently made a BIND 9 caching server unworkable.
 9552 			This fix prevents this problem from happening by
 9553 			polling the state of the memory context, rather than
 9554 			making a copy of the state, which appeared to cause
 9555 			a race.  This is a "workaround" in that it doesn't
 9556 			solve the possible race per se, but several experiments
 9557 			proved this change solves the symptom.  Also, the
 9558 			polling overhead hasn't been reported to be an issue.
 9559 			This bug should only affect a caching server that
 9560 			specifies a finite max-cache-size.  It's also quite
 9561 			likely that the bug happens only when enabling threads,
 9562 			but it's not confirmed yet. [RT #21818]
 9563 
 9564 2936.	[func]		Improved configuration syntax and multiple-view
 9565 			support for addzone/delzone feature (see change
 9566 			#2930).  Removed "new-zone-file" option, replaced
 9567 			with "allow-new-zones (yes|no)".  The new-zone-file
 9568 			for each view is now created automatically, with
 9569 			a filename generated from a hash of the view name.
 9570 			It is no longer necessary to "include" the
 9571 			new-zone-file in named.conf; this happens
 9572 			automatically.  Zones that were not added via
 9573 			"rndc addzone" can no longer be removed with
 9574 			"rndc delzone". [RT #19447]
 9575 
 9576 2935.	[bug]		nsupdate: improve 'file not found' error message.
 9577 			[RT #21871]
 9578 
 9579 2934.	[bug]		Use ANSI C compliant shift range in lib/isc/entropy.c.
 9580 			[RT #21871]
 9581 
 9582 2933.	[bug]		'dig +nsid' used stack memory after it went out of
 9583 			scope.  This could potentially result in an unknown,
 9584 			potentially malformed, EDNS option being sent instead
 9585 			of the desired NSID option. [RT #21781]
 9586 
 9587 2932.	[cleanup]	Corrected a numbering error in the "dnssec" test.
 9588 			[RT #21597]
 9589 
 9590 2931.	[bug]		Temporarily and partially disable change 2864
 9591 			because it would cause infinite attempts of RRSIG
 9592 			queries.  This is an urgent care fix; we'll
 9593 			revisit the issue and complete the fix later.
 9594 			[RT #21710]
 9595 
 9596 2930.	[experimental]	New "rndc addzone" and "rndc delzone" commands
 9597 			allow dynamic addition and deletion of zones.
 9598 			To enable this feature, specify a "new-zone-file"
 9599 			option at the view or options level in named.conf.
 9600 			Zone configuration information for the new zones
 9601 			will be written into that file.  To make the new
 9602 			zones persist after a restart, "include" the file
 9603 			into named.conf in the appropriate view.  (Note:
 9604 			This feature is not yet documented, and its syntax
 9605 			is expected to change.) [RT #19447]
 9606 
 9607 2929.	[bug]		Improved handling of GSS security contexts:
 9608 			 - added LRU expiration for generated TSIGs
 9609 			 - added the ability to use a non-default realm
 9610 			 - added new "realm" keyword in nsupdate
 9611 			 - limited lifetime of generated keys to 1 hour
 9612 			   or the lifetime of the context (whichever is
 9613 			   smaller)
 9614 			[RT #19737]
 9615 
 9616 2928.	[bug]		Be more selective about the non-authoritative
 9617 			answer we apply change 2748 to. [RT #21594]
 9618 
 9619 2927.	[placeholder]
 9620 
 9621 2926.	[placeholder]
 9622 
 9623 2925.	[bug]		Named failed to accept uncachable negative responses
 9624 			from insecure zones. [RT #21555]
 9625 
 9626 2924.	[func]		'rndc secroots' dumps a combined summary of the
 9627 			current managed keys combined with trusted keys.
 9628 			[RT #20904]
 9629 
 9630 2923.	[bug]		'dig +trace' could drop core after "connection
 9631 			timeout". [RT #21514]
 9632 
 9633 2922.	[contrib]	Update zkt to version 1.0.
 9634 
 9635 2921.	[bug]		The resolver could attempt to destroy a fetch context
 9636 			too soon.  [RT #19878]
 9637 
 9638 2920.	[func]		Allow 'filter-aaaa-on-v4' to be applied selectively
 9639 			to IPv4 clients.  New acl 'filter-aaaa' (default any).
 9640 
 9641 2919.	[func]		Add autosign-ksk and autosign-zsk virtual time tests.
 9642 			[RT #20840]
 9643 
 9644 2918.	[maint]		Add AAAA address for I.ROOT-SERVERS.NET.
 9645 
 9646 2917.	[func]		Virtual time test framework. [RT #20801]
 9647 
 9648 2916.	[func]		Add framework to use IPv6 in tests.
 9649 			fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7
 9650 
 9651 2915.	[cleanup]	Be smarter about which objects we attempt to compile
 9652 			based on configure options. [RT #21444]
 9653 
 9654 2914.	[bug]		Make the "autosign" system test more portable.
 9655 			[RT #20997]
 9656 
 9657 2913.	[func]		Add pkcs#11 system tests. [RT #20784]
 9658 
 9659 2912.	[func]		Windows clients don't like UPDATE responses that clear
 9660 			the zone section. [RT #20986]
 9661 
 9662 2911.	[bug]		dnssec-signzone didn't handle out of zone records well.
 9663 			[RT #21367]
 9664 
 9665 2910.	[func]		Sanity check Kerberos credentials. [RT #20986]
 9666 
 9667 2909.	[bug]		named-checkconf -p could die if "update-policy local;"
 9668 			was specified in named.conf. [RT #21416]
 9669 
 9670 2908.	[bug]		It was possible for re-signing to stop after removing
 9671 			a DNSKEY. [RT #21384]
 9672 
 9673 2907.	[bug]		The export version of libdns had undefined references.
 9674 			[RT #21444]
 9675 
 9676 2906.	[bug]		Address RFC 5011 implementation issues. [RT #20903]
 9677 
 9678 2905.	[port]		aix: set use_atomic=yes with native compiler.
 9679 			[RT #21402]
 9680 
 9681 2904.	[bug]		When using DLV, sub-zones of the zones in the DLV
 9682 			could be incorrectly marked as insecure instead of
 9683 			secure, leading to negative proofs failing.  This was
 9684 			an unintended outcome from change 2890. [RT #21392]
 9685 
 9686 2903.	[bug]		managed-keys-directory missing from namedconf.c.
 9687 			[RT #21370]
 9688 
 9689 2902.	[func]		Add regression test for change 2897. [RT #21040]
 9690 
 9691 2901.	[port]		Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]
 9692 
 9693 2900.	[bug]		The placeholder negative caching element was not
 9694 			properly constructed triggering an INSIST in
 9695 			dns_ncache_towire(). [RT #21346]
 9696 
 9697 2899.	[port]		win32: Support linking against OpenSSL 1.0.0.
 9698 
 9699 2898.	[bug]		nslookup leaked memory when -domain=value was
 9700 			specified. [RT #21301]
 9701 
 9702 2897.	[bug]		NSEC3 chains could be left behind when transitioning
 9703 			to insecure. [RT #21040]
 9704 
 9705 2896.	[bug]		"rndc sign" failed to properly update the zone
 9706 			when adding a DNSKEY for publication only. [RT #21045]
 9707 
 9708 2895.	[func]		genrandom: add support for the generation of multiple
 9709 			files.  [RT #20917]
 9710 
 9711 2894.	[contrib]	DLZ LDAP support now uses '$' not '%'. [RT #21294]
 9712 
 9713 2893.	[bug]		Improve managed keys support.  New named.conf option
 9714 			managed-keys-directory. [RT #20924]
 9715 
 9716 2892.	[bug]		Handle REVOKED keys better. [RT #20961]
 9717 
 9718 2891.	[maint]		Update empty-zones list to match
 9719 			draft-ietf-dnsop-default-local-zones-13. [RT #21099]
 9720 
 9721 2890.	[bug]		Handle the introduction of new trusted-keys and
 9722 			DS, DLV RRsets better. [RT #21097]
 9723 
 9724 2889.	[bug]		Elements of the grammar were not properly reported.
 9725 			[RT #21046]
 9726 
 9727 2888.	[bug]		Only the first EDNS option was displayed. [RT #21273]
 9728 
 9729 2887.	[bug]		Report the keytag times in UTC in the .key file,
 9730 			local time is presented as a comment within the
 9731 			comment.  [RT #21223]
 9732 
 9733 2886.	[bug]		ctime() is not thread safe. [RT #21223]
 9734 
 9735 2885.	[bug]		Improve -fno-strict-aliasing support probing in
 9736 			configure. [RT #21080]
 9737 
 9738 2884.	[bug]		Insufficient validation in dns_name_getlabelsequence().
 9739 			[RT #21283]
 9740 
 9741 2883.	[bug]		'dig +short' failed to handle really large datasets.
 9742 			[RT #21113]
 9743 
 9744 2882.	[bug]		Remove memory context from list of active contexts
 9745 			before clearing 'magic'. [RT #21274]
 9746 
 9747 2881.	[bug]		Reduce the amount of time the rbtdb write lock
 9748 			is held when closing a version. [RT #21198]
 9749 
 9750 2880.	[cleanup]	Make the output of dnssec-keygen and dnssec-revoke
 9751 			consistent. [RT #21078]
 9752 
 9753 2879.	[contrib]	DLZ bdbhpt driver fails to close correct cursor.
 9754 			[RT #21106]
 9755 
 9756 2878.	[func]		Incrementally write the master file after performing
 9757 			an AXFR.  [RT #21010]
 9758 
 9759 2877.	[bug]		The validator failed to skip obviously mismatching
 9760 			RRSIGs. [RT #21138]
 9761 
 9762 2876.	[bug]		Named could return SERVFAIL for negative responses
 9763 			from unsigned zones. [RT #21131]
 9764 
 9765 2875.	[bug]		dns_time64_fromtext() could accept non digits.
 9766 			[RT #21033]
 9767 
 9768 2874.	[bug]		Cache lack of EDNS support only after the server
 9769 			successfully responds to the query using plain DNS.
 9770 			[RT #20930]
 9771 
 9772 2873.	[bug]		Canceling a dynamic update via the dns/client module
 9773 			could trigger an assertion failure. [RT #21133]
 9774 
 9775 2872.	[bug]		Modify dns/client.c:dns_client_createx() to only
 9776 			require one of IPv4 or IPv6 rather than both.
 9777 			[RT #21122]
 9778 
 9779 2871.	[bug]		Type mismatch in mem_api.c between the definition and
 9780 			the header file, causing build failure with
 9781 			--enable-exportlib. [RT #21138]
 9782 
 9783 2870.	[maint]		Add AAAA address for L.ROOT-SERVERS.NET.
 9784 
 9785 2869.	[bug]		Fix arguments to dns_keytable_findnextkeynode() call.
 9786 			[RT #20877]
 9787 
 9788 2868.	[cleanup]	Run "make clean" at the end of configure to ensure
 9789 			any changes made by configure are integrated.
 9790 			Use --with-make-clean=no to disable.  [RT #20994]
 9791 
 9792 2867.	[bug]		Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
 9793 			don't like it.  [RT #20986]
 9794 
 9795 2866.	[bug]		Windows does not like the TSIG name being compressed.
 9796 			[RT #20986]
 9797 
 9798 2865.	[bug]		memset to zero event.data.  [RT #20986]
 9799 
 9800 2864.	[bug]		Direct SIG/RRSIG queries were not handled correctly.
 9801 			[RT #21050]
 9802 
 9803 2863.	[port]		linux: disable IPv6 PMTUD and use network minimum MTU.
 9804 			[RT #21056]
 9805 
 9806 2862.	[bug]		nsupdate didn't default to the parent zone when
 9807 			updating DS records. [RT #20896]
 9808 
 9809 2861.	[doc]		dnssec-settime man pages didn't correctly document the
 9810 			inactivation time. [RT #21039]
 9811 
 9812 2860.	[bug]		named-checkconf's usage was out of date. [RT #21039]
 9813 
 9814 2859.	[bug]		When canceling validation it was possible to leak
 9815 			memory. [RT #20800]
 9816 
 9817 2858.	[bug]		RTT estimates were not being adjusted on ICMP errors.
 9818 			[RT #20772]
 9819 
 9820 2857.	[bug]		named-checkconf did not fail on a bad trusted key.
 9821 			[RT #20705]
 9822 
 9823 2856.	[bug]		The size of a memory allocation was not always properly
 9824 			recorded. [RT #20927]
 9825 
 9826 2855.	[func]		nsupdate will now preserve the entered case of domain
 9827 			names in update requests it sends. [RT #20928]
 9828 
 9829 2854.	[func]		dig: allow the final soa record in an axfr response to
 9830 			be suppressed, dig +onesoa. [RT #20929]
 9831 
 9832 2853.	[bug]		add_sigs() could run out of scratch space. [RT #21015]
 9833 
 9834 2852.	[bug]		Handle broken DNSSEC trust chains better. [RT #15619]
 9835 
 9836 2851.	[doc]		nslookup.1, removed <informalexample> from the docbook
 9837 			source as it produced bad nroff.  [RT #21007]
 9838 
 9839 2850.	[bug]		If isc_heap_insert() failed due to memory shortage
 9840 			the heap would have corrupted entries. [RT #20951]
 9841 
 9842 2849.	[bug]		Don't treat errors from the xml2 library as fatal.
 9843 			[RT #20945]
 9844 
 9845 2848.	[doc]		Moved README.dnssec, README.libdns, README.pkcs11 and
 9846 			README.rfc5011 into the ARM. [RT #20899]
 9847 
 9848 2847.	[cleanup]	Corrected usage message in dnssec-settime. [RT #20921]
 9849 
 9850 2846.	[bug]		EOF on unix domain sockets was not being handled
 9851 			correctly. [RT #20731]
 9852 
 9853 2845.	[bug]		RFC 5011 client could crash on shutdown. [RT #20903]
 9854 
 9855 2844.	[doc]		notify-delay default in ARM was wrong.  It should have
 9856 			been five (5) seconds.
 9857 
 9858 2843.	[func]		Prevent dnssec-keygen and dnssec-keyfromlabel from
 9859 			creating key files if there is a chance that the new
 9860 			key ID will collide with an existing one after
 9861 			either of the keys has been revoked.  (To override
 9862 			this in the case of dnssec-keyfromlabel, use the -y
 9863 			option.  dnssec-keygen will simply create a
 9864 			different, non-colliding key, so an override is
 9865 			not necessary.) [RT #20838]
 9866 
 9867 2842.	[func]		Added "smartsign" and improved "autosign" and
 9868 			"dnssec" regression tests. [RT #20865]
 9869 
 9870 2841.	[bug]		Change 2836 was not complete. [RT #20883]
 9871 
 9872 2840.	[bug]		Temporarily fixed pkcs11-destroy usage check.
 9873 			[RT #20760]
 9874 
 9875 2839.	[bug]		A KSK revoked by named could not be deleted.
 9876 			[RT #20881]
 9877 
 9878 2838.	[placeholder]
 9879 
 9880 2837.	[port]		Prevent Linux spurious warnings about fwrite().
 9881 			[RT #20812]
 9882 
 9883 2836.	[bug]		Keys that were scheduled to become active could
 9884 			be delayed. [RT #20874]
 9885 
 9886 2835.	[bug]		Key inactivity dates were inadvertently stored in
 9887 			the private key file with the outdated tag
 9888 			"Unpublish" rather than "Inactive".  This has been
 9889 			fixed; however, any existing keys that had Inactive
 9890 			dates set will now need to have them reset, using
 9891 			'dnssec-settime -I'. [RT #20868]
 9892 
 9893 2834.	[bug]		HMAC-SHA* keys that were longer than the algorithm
 9894 			digest length were used incorrectly, leading to
 9895 			interoperability problems with other DNS
 9896 			implementations.  This has been corrected.
 9897 			(Note: If an oversize key is in use, and
 9898 			compatibility is needed with an older release of
 9899 			BIND, the new tool "isc-hmac-fixup" can convert
 9900 			the key secret to a form that will work with all
 9901 			versions.) [RT #20751]
 9902 
 9903 2833.	[cleanup]	Fix usage messages in dnssec-keygen and dnssec-settime.
 9904 			[RT #20851]
 9905 
 9906 2832.	[bug]		Modify "struct stat" in lib/export/samples/nsprobe.c
 9907 			to avoid redefinition in some OSs [RT #20831]
 9908 
 9909 2831.	[security]	Do not attempt to validate or cache
 9910 			out-of-bailiwick data returned with a secure
 9911 			answer; it must be re-fetched from its original
 9912 			source and validated in that context. [RT #20819]
 9913 
 9914 2830.	[bug]		Changing the OPTOUT setting could take multiple
 9915 			passes. [RT #20813]
 9916 
 9917 2829.	[bug]		Fixed potential node inconsistency in rbtdb.c.
 9918 			[RT #20808]
 9919 
 9920 2828.	[security]	Cached CNAME or DNAME RR could be returned to clients
 9921 			without DNSSEC validation. [RT #20737]
 9922 
 9923 2827.	[security]	Bogus NXDOMAIN could be cached as if valid. [RT #20712]
 9924 
 9925 2826.	[bug]		NSEC3->NSEC transitions could fail due to a lock not
 9926 			being released.  [RT #20740]
 9927 
 9928 2825.	[bug]		Changing the setting of OPTOUT in a NSEC3 chain that
 9929 			was in the process of being created was not properly
 9930 			recorded in the zone. [RT #20786]
 9931 
 9932 2824.	[bug]		"rndc sign" was not being run by the correct task.
 9933 			[RT #20759]
 9934 
 9935 2823.	[bug]		rbtdb.c:getsigningtime() was missing locks. [RT #20781]
 9936 
 9937 2822.	[bug]		rbtdb.c:loadnode() could return the wrong result.
 9938 			[RT #20802]
 9939 
 9940 2821.	[doc]		Add note that named-checkconf doesn't automatically
 9941 			read rndc.key and bind.keys [RT #20758]
 9942 
 9943 2820.	[func]		Handle read access failure of the OpenSSL configuration
 9944 			file in a more user-friendly way (PKCS#11 engine patch).
 9945 			[RT #20668]
 9946 
 9947 2819.	[cleanup]	Removed unnecessary DNS_POINTER_MAXHOPS define.
 9948 			[RT #20771]
 9949 
 9950 2818.	[cleanup]	rndc could return an incorrect error code
 9951 			when a zone was not found. [RT #20767]
 9952 
 9953 2817.	[cleanup]	Removed unnecessary isc_task_endexclusive() calls.
 9954 			[RT #20768]
 9955 
 9956 2816.	[bug]		previous_closest_nsec() could fail to return
 9957 			data for NSEC3 nodes [RT #29730]
 9958 
 9959 2815.	[bug]		Exclusively lock the task when freezing a zone.
 9960 			[RT #19838]
 9961 
 9962 2814.	[func]		Provide a definitive error message when a master
 9963 			zone is not loaded. [RT #20757]
 9964 
 9965 2813.	[bug]		Better handling of unreadable DNSSEC key files.
 9966 			[RT #20710]
 9967 
 9968 2812.	[bug]		Make sure updates can't result in a zone with
 9969 			NSEC-only keys and NSEC3 records. [RT #20748]
 9970 
 9971 2811.	[cleanup]	Add "rndc sign" to list of commands in rndc usage
 9972 			output. [RT #20733]
 9973 
 9974 2810.	[doc]		Clarified the process of transitioning an NSEC3 zone
 9975 			to insecure. [RT #20746]
 9976 
 9977 2809.	[cleanup]	Restored accidentally-deleted text in usage output
 9978 			in dnssec-settime and dnssec-revoke [RT #20739]
 9979 
 9980 2808.	[bug]		Remove the attempt to install atomic.h from lib/isc.
 9981 			atomic.h is correctly installed by the architecture
 9982 			specific subdirectories.  [RT #20722]
 9983 
 9984 2807.	[bug]		Fixed a possible ASSERT when reconfiguring zone
 9985 			keys. [RT #20720]
 9986 
 9987 	--- 9.7.0rc1 released ---
 9988 
 9989 2806.	[bug]		"rndc sign" could delay re-signing the DNSKEY
 9990 			when it had changed. [RT #20703]
 9991 
 9992 2805.	[bug]		Fixed namespace problems encountered when building
 9993 			external programs using non-exported BIND9 libraries
 9994 			(i.e., built without --enable-exportlib). [RT #20679]
 9995 
 9996 2804.	[bug]		Send notifies when a zone is signed with "rndc sign"
 9997 			or as a result of a scheduled key change. [RT #20700]
 9998 
 9999 2803.	[port]		win32: Install named-journalprint, nsec3hash, arpaname
10000 			and genrandom under windows. [RT #20670]
10001 
10002 2802.	[cleanup]	Rename journalprint to named-journalprint. [RT #20670]
10003 
10004 2801.	[func]		Detect and report records that are different according
10005 			to DNSSEC but are semantically equal according to plain
10006 			DNS.  Apply plain DNS comparisons rather than DNSSEC
10007 			comparisons when processing UPDATE requests.
10008 			dnssec-signzone now removes such semantically duplicate
10009 			records prior to signing the RRset.
10010 
10011 			named-checkzone -r {ignore|warn|fail} (default warn)
10012 			named-compilezone -r {ignore|warn|fail} (default warn)
10013 
10014 			named.conf: check-dup-records {ignore|warn|fail};
10015 
10016 2800.	[func]		Reject zones which have NS records which refer to
10017 			CNAMEs, DNAMEs or don't have an address record (class IN
10018 			only).  Reject UPDATEs which would cause the zone
10019 			to fail the above checks if committed. [RT #20678]
10020 
10021 2799.	[cleanup]	Changed the "secure-to-insecure" option to
10022 			"dnssec-secure-to-insecure", and "dnskey-ksk-only"
10023 			to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
10024 
10025 2798.	[bug]		Addressed bugs in managed-keys initialization
10026 			and rollover. [RT #20683]
10027 
10028 2797.	[bug]		Don't decrement the dispatch manager's maxbuffers.
10029 			[RT #20613]
10030 
10031 2796.	[bug]		Missing dns_rdataset_disassociate() call in
10032 			dns_nsec3_delnsec3sx(). [RT #20681]
10033 
10034 2795.	[cleanup]	Add text to differentiate "update with no effect"
10035 			log messages. [RT #18889]
10036 
10037 2794.	[bug]		Install <isc/namespace.h>.  [RT #20677]
10038 
10039 2793.	[func]		Add "autosign" and "metadata" tests to the
10040 			automatic tests. [RT #19946]
10041 
10042 2792.	[func]		"filter-aaaa-on-v4" can now be set in view
10043 			options (if compiled in).  [RT #20635]
10044 
10045 2791.	[bug]		The installation of isc-config.sh was broken.
10046 			[RT #20667]
10047 
10048 2790.	[bug]		Handle DS queries to stub zones. [RT #20440]
10049 
10050 2789.	[bug]		Fixed an INSIST in dispatch.c [RT #20576]
10051 
10052 2788.	[bug]		dnssec-signzone could sign with keys that were
10053 			not requested [RT #20625]
10054 
10055 2787.	[bug]		Spurious log message when zone keys were
10056 			dynamically reconfigured. [RT #20659]
10057 
10058 2786.	[bug]		Additional could be promoted to answer. [RT #20663]
10059 
10060 	--- 9.7.0b3 released ---
10061 
10062 2785.	[bug]		Revoked keys could fail to self-sign [RT #20652]
10063 
10064 2784.	[bug]		TC was not always being set when required glue was
10065 			dropped. [RT #20655]
10066 
10067 2783.	[func]		Return minimal responses to EDNS/UDP queries with a UDP
10068 			buffer size of 512 or less.  [RT #20654]
10069 
10070 2782.	[port]		win32: use getaddrinfo() for hostname lookups.
10071 			[RT #20650]
10072 
10073 2781.	[bug]		Inactive keys could be used for signing. [RT #20649]
10074 
10075 2780.	[bug]		dnssec-keygen -A none didn't properly unset the
10076 			activation date in all cases. [RT #20648]
10077 
10078 2779.	[bug]		Dynamic key revocation could fail. [RT #20644]
10079 
10080 2778.	[bug]		dnssec-signzone could fail when a key was revoked
10081 			without deleting the unrevoked version. [RT #20638]
10082 
10083 2777.	[contrib]	DLZ MYSQL auto reconnect support discovery was wrong.
10084 
10085 2776.	[bug]		Change #2762 was not correct. [RT #20647]
10086 
10087 2775.	[bug]		Accept RSASHA256 and RSASHA512 as NSEC3 compatible
10088 			in dnssec-keyfromlabel. [RT #20643]
10089 
10090 2774.	[bug]		Existing cache DB wasn't being reused after
10091 			reconfiguration. [RT #20629]
10092 
10093 2773.	[bug]		In autosigned zones, the SOA could be signed
10094 			with the KSK. [RT #20628]
10095 
10096 2772.	[security]	When validating, track whether pending data was from
10097 			the additional section or not and only return it if
10098 			it validates as secure. [RT #20438]
10099 
10100 2771.	[bug]		dnssec-signzone: DNSKEY records could be
10101 			corrupted when importing from key files [RT #20624]
10102 
10103 2770.	[cleanup]	Add log messages to resolver.c to indicate events
10104 			causing FORMERR responses. [RT #20526]
10105 
10106 2769.	[cleanup]	Change #2742 was incomplete. [RT #19589]
10107 
10108 2768.	[bug]		dnssec-signzone: -S no longer implies -g [RT #20568]
10109 
10110 2767.	[bug]		named could crash on startup if a zone was
10111 			configured with auto-dnssec and there was no
10112 			key-directory. [RT #20615]
10113 
10114 2766.	[bug]		isc_socket_fdwatchpoke() should only update the
10115 			socketmgr state if the socket is not pending on a
10116 			read or write.  [RT #20603]
10117 
10118 2765.	[bug]		Skip masters for which the TSIG key cannot be found.
10119 			[RT #20595]
10120 
10121 2764.	[bug]		"rndc-confgen -a" could trigger a REQUIRE. [RT #20610]
10122 
10123 2763.	[bug]		"rndc sign" didn't create an NSEC chain. [RT #20591]
10124 
10125 2762.	[bug]		DLV validation failed with a local slave DLV zone.
10126 			[RT #20577]
10127 
10128 2761.	[cleanup]	Enable internal symbol table for backtrace only for
10129 			systems that are known to work.  Currently, BSD
10130 			variants, Linux and Solaris are supported. [RT #20202]
10131 
10132 2760.	[cleanup]	Corrected named-compilezone usage summary. [RT #20533]
10133 
10134 2759.	[doc]		Add information about .jbk/.jnw files to
10135 			the ARM. [RT #20303]
10136 
10137 2758.	[bug]		win32: Added a workaround for a windows 2008 bug
10138 			that could cause the UDP client handler to shut
10139 			down. [RT #19176]
10140 
10141 2757.	[bug]		dig: assertion failure could occur in connect
10142 			timeout. [RT #20599]
10143 
10144 2756.	[bug]		Fixed corrupt logfile message in update.c. [RT #20597]
10145 
10146 2755.	[placeholder]
10147 
10148 2754.	[bug]		Secure-to-insecure transitions failed when zone
10149 			was signed with NSEC3. [RT #20587]
10150 
10151 2753.	[bug]		Removed an unnecessary warning that could appear when
10152 			building an NSEC chain. [RT #20589]
10153 
10154 2752.	[bug]		Locking violation. [RT #20587]
10155 
10156 2751.	[bug]		Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]
10157 
10158 2750.	[bug]		dig: assertion failure could occur when a server
10159 			didn't have an address. [RT #20579]
10160 
10161 2749.	[bug]		ixfr-from-differences generated a non-minimal ixfr
10162 			for NSEC3 signed zones. [RT #20452]
10163 
10164 2748.	[func]		Identify bad answers from GTLD servers and treat them
10165 			as referrals. [RT #18884]
10166 
10167 2747.	[bug]		Journal roll forwards failed to set the re-signing
10168 			time of RRSIGs correctly. [RT #20541]
10169 
10170 2746.	[port]		hpux: address signed/unsigned expansion mismatch of
10171 			dns_rbtnode_t.nsec. [RT #20542]
10172 
10173 2745.	[bug]		configure script didn't probe the return type of
10174 			gai_strerror(3) correctly. [RT #20573]
10175 
10176 2744.	[func]		Log if a query was over TCP. [RT #19961]
10177 
10178 2743.	[bug]		RRSIG could be incorrectly set in the NSEC3 record
10179 			for an insecure delegation.
10180 
10181 	--- 9.7.0b2 released ---
10182 
10183 2742.	[cleanup]	Clarify some DNSSEC-related log messages in
10184 			validator.c. [RT #19589]
10185 
10186 2741.	[func]		Allow the dnssec-keygen progress messages to be
10187 			suppressed (dnssec-keygen -q).  Automatically
10188 			suppress the progress messages when stdin is not
10189 			a tty. [RT #20474]
10190 
10191 2740.	[placeholder]
10192 
10193 2739.	[cleanup]	Clean up API for initializing and clearing trust
10194 			anchors for a view. [RT #20211]
10195 
10196 2738.	[func]		Add RSASHA256 and RSASHA512 tests to the dnssec system
10197 			test. [RT #20453]
10198 
10199 2737.	[func]		UPDATE requests can leak existence information.
10200 			[RT #17261]
10201 
10202 2736.	[func]		Improve the performance of NSEC signed zones with
10203 			more than a normal amount of glue below a delegation.
10204 			[RT #20191]
10205 
10206 2735.	[bug]		dnssec-signzone could fail to read keys
10207 			that were specified on the command line with
10208 			full paths, but weren't in the current
10209 			directory. [RT #20421]
10210 
10211 2734.	[port]		cygwin: arpaname did not compile. [RT #20473]
10212 
10213 2733.	[cleanup]	Clean up coding style in pkcs11-* tools. [RT #20355]
10214 
10215 2732.	[func]		Add optional filter-aaaa-on-v4 option, available
10216 			if built with './configure --enable-filter-aaaa'.
10217 			Filters out AAAA answers to clients connecting
10218 			via IPv4.  (This is NOT recommended for general
10219 			use.) [RT #20339]
10220 
10221 2731.	[func]		Additional work on change 2709.  The key parser
10222 			will now ignore unrecognized fields when the
10223 			minor version number of the private key format
10224 			has been increased.  It will reject any key with
10225 			the major version number increased. [RT #20310]
10226 
10227 2730.	[func]		Have dnssec-keygen display a progress indication
10228 			a la 'openssl genrsa' on standard error. Note
10229 			when the first '.' is followed by a long stop
10230 			one has the choice between slow generation vs.
10231 			poor random quality, i.e., '-r /dev/urandom'.
10232 			[RT #20284]
10233 
10234 2729.	[func]		When constructing a CNAME from a DNAME use the DNAME
10235 			TTL. [RT #20451]
10236 
10237 2728.	[bug]		dnssec-keygen, dnssec-keyfromlabel and
10238 			dnssec-signzone now warn immediately if asked to
10239 			write into a nonexistent directory. [RT #20278]
10240 
10241 2727.	[func]		The 'key-directory' option can now specify a relative
10242 			path. [RT #20154]
10243 
10244 2726.	[func]		Added support for SHA-2 DNSSEC algorithms,
10245 			RSASHA256 and RSASHA512. [RT #20023]
10246 
10247 2725.	[doc]		Added information about the file "managed-keys.bind"
10248 			to the ARM. [RT #20235]
10249 
10250 2724.	[bug]		Updates to an existing node in a secure zone using NSEC
10251 			were failing. [RT #20448]
10252 
10253 2723.	[bug]		isc_base32_totext(), isc_base32hex_totext(), and
10254 			isc_base64_totext(), didn't always mark regions of
10255 			memory as fully consumed after conversion.  [RT #20445]
10256 
10257 2722.	[bug]		Ensure that the memory associated with the name of
10258 			a node in a rbt tree is not altered during the life
10259 			of the node. [RT #20431]
10260 
10261 2721.	[port]		Have dst__entropy_status() prime the random number
10262 			generator. [RT #20369]
10263 
10264 2720.	[bug]		RFC 5011 trust anchor updates could trigger an
10265 			assert if the DNSKEY record was unsigned. [RT #20406]
10266 
10267 2719.	[func]		Skip trusted/managed keys for unsupported algorithms.
10268 			[RT #20392]
10269 
10270 2718.	[bug]		The space calculations in opensslrsa_todns() were
10271 			incorrect. [RT #20394]
10272 
10273 2717.	[bug]		named failed to update the NSEC/NSEC3 record when
10274 			the last private type record was removed as a result
10275 			of completing the signing of the zone with a key.
10276 			[RT #20399]
10277 
10278 2716.	[bug]		nslookup debug mode didn't return the ttl. [RT #20414]
10279 
10280 	--- 9.7.0b1 released ---
10281 
10282 2715.	[bug]		Require OpenSSL support to be explicitly disabled.
10283 			[RT #20288]
10284 
10285 2714.	[port]		aix/powerpc: 'asm("ics");' needs non standard assembler
10286 			flags.
10287 
10288 2713.	[bug]		powerpc: atomic operations missing asm("ics") /
10289 			__isync() calls.
10290 
10291 2712.	[func]		New 'auto-dnssec' zone option allows zone signing
10292 			to be fully automated in zones configured for
10293 			dynamic DNS.  'auto-dnssec allow;' permits a zone
10294 			to be signed by creating keys for it in the
10295 			key-directory and using 'rndc sign <zone>'.
10296 			'auto-dnssec maintain;' allows that too, plus it
10297 			also keeps the zone's DNSSEC keys up to date
10298 			according to their timing metadata. [RT #19943]
10299 
10300 2711.	[port]		win32: Add the bin/pkcs11 tools into the full
10301 			build. [RT #20372]
10302 
10303 2710.	[func]		New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
10304 			zone option cause a zone to be signed with only KSKs
10305 			signing the DNSKEY RRset, not ZSKs.  This reduces
10306 			the size of a DNSKEY answer.  [RT #20340]
10307 
10308 2709.	[func]		Added some data fields, currently unused, to the
10309 			private key file format, to allow implementation
10310 			of explicit key rollover in a future release
10311 			without impairing backward or forward compatibility.
10312 			[RT #20310]
10313 
10314 2708.	[func]		Insecure to secure and NSEC3 parameter changes via
10315 			update are now fully supported and no longer require
10316 			defines to enable.  We now no longer overload the
10317 			NSEC3PARAM flag field, nor the NSEC OPT bit at the
10318 			apex.  Secure to insecure changes are controlled by
10319 			the named.conf option 'secure-to-insecure'.
10320 
10321 			Warning: If you had previously enabled support by
10322 			adding defines at compile time to BIND 9.6 you should
10323 			ensure that all changes that are in progress have
10324 			completed prior to upgrading to BIND 9.7.  BIND 9.7
10325 			is not backwards compatible.
10326 
10327 2707.	[func]		dnssec-keyfromlabel no longer requires the engine name
10328 			to be specified in the label if there is a default
10329 			engine or the -E option has been used.  Also, it
10330 			now uses default algorithms as dnssec-keygen does
10331 			(i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
10332 			[RT #20371]
10333 
10334 2706.	[bug]		Loading a zone with a very large NSEC3 salt could
10335 			trigger an assert. [RT #20368]
10336 
10337 2705.	[placeholder]
10338 
10339 2704.	[bug]		Serial of dynamic and stub zones could be inconsistent
10340 			with their SOA serial.  [RT #19387]
10341 
10342 2703.	[func]		Introduce an OpenSSL "engine" argument with -E
10343 			for all binaries which can benefit from
10344 			crypto hardware. [RT #20230]
10345 
10346 2702.	[func]		Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
10347 
10348 2701.	[doc]		Correction to ARM: hmac-md5 is no longer the only
10349 			supported TSIG key algorithm. [RT #18046]
10350 
10351 2700.	[doc]		The match-mapped-addresses option is discouraged.
10352 			[RT #12252]
10353 
10354 2699.	[bug]		Missing lock in rbtdb.c. [RT #20037]
10355 
10356 2698.	[placeholder]
10357 
10358 2697.	[port]		win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
10359 			S_IFREG are defined after including <isc/stat.h>.
10360 			[RT #20309]
10361 
10362 2696.	[bug]		named failed to successfully process some valid
10363 			acl constructs. [RT #20308]
10364 
10365 2695.	[func]		DHCP/DDNS - update fdwatch code for use by
10366 			DHCP.  Modify the api to isc_sockfdwatch_t (the
10367 			callback function for isc_socket_fdwatchcreate)
10368 			to include information about the direction (read
10369 			or write) and add isc_socket_fdwatchpoke.
10370 			[RT #20253]
10371 
10372 2694.	[bug]		Reduce default NSEC3 iterations from 100 to 10.
10373 			[RT #19970]
10374 
10375 2693.	[port]		Add some noreturn attributes. [RT #20257]
10376 
10377 2692.	[port]		win32: 32/64 bit cleanups. [RT #20335]
10378 
10379 2691.	[func]		dnssec-signzone: retain the existing NSEC or NSEC3
10380 			chain when re-signing a previously-signed zone.
10381 			Use -u to modify NSEC3 parameters or switch
10382 			between NSEC and NSEC3. [RT #20304]
10383 
10384 2690.	[bug]		win32: fix isc_thread_key_getspecific() prototype.
10385 			[RT #20315]
10386 
10387 2689.	[bug]		Correctly handle snprintf result. [RT #20306]
10388 
10389 2688.	[bug]		Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
10390 			to decide to fetch the destination address. [RT #20305]
10391 
10392 2687.	[bug]		Fixed dnssec-signzone -S handling of revoked keys.
10393 			Also, added warnings when revoking a ZSK, as this is
10394 			not defined by protocol (but is legal).  [RT #19943]
10395 
10396 2686.	[bug]		dnssec-signzone should clean the old NSEC chain when
10397 			signing with NSEC3 and vice versa. [RT #20301]
10398 
10399 2685.	[contrib]	Update contrib/zkt to version 0.99c. [RT #20054]
10400 
10401 2684.	[cleanup]	dig: formalize +ad and +cd as synonyms for
10402 			+adflag and +cdflag.  [RT #19305]
10403 
10404 2683.	[bug]		dnssec-signzone should clean out old NSEC3 chains when
10405 			the NSEC3 parameters used to sign the zone change.
10406 			[RT #20246]
10407 
10408 2682.	[bug]		"configure --enable-symtable=all" failed to
10409 			build. [RT #20282]
10410 
10411 2681.	[bug]		IPSECKEY RR of gateway type 3 was not correctly
10412 			decoded. [RT #20269]
10413 
10414 2680.	[func]		Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]
10415 
10416 2679.	[func]		dig -k can now accept TSIG keys in named.conf
10417 			format.  [RT #20031]
10418 
10419 2678.	[func]		Treat DS queries as if "minimal-response yes;"
10420 			was set. [RT #20258]
10421 
10422 2677.	[func]		Changes to key metadata behavior:
10423 			- Keys without "publish" or "active" dates set will
10424 			  no longer be used for smart signing.  However,
10425 			  those dates will be set to "now" by default when
10426 			  a key is created; to generate a key but not use
10427 			  it yet, use dnssec-keygen -G.
10428 			- New "inactive" date (dnssec-keygen/settime -I)
10429 			  sets the time when a key is no longer used for
10430 			  signing but is still published.
10431 			- The "unpublished" date (-U) is deprecated in
10432 			  favor of "deleted" (-D).
10433 			[RT #20247]
10434 
10435 2676.	[bug]		--with-export-installdir should have been
10436 			--with-export-includedir. [RT #20252]
10437 
10438 2675.	[bug]		dnssec-signzone could crash if the key directory
10439 			did not exist. [RT #20232]
10440 
10441 	--- 9.7.0a3 released ---
10442 
10443 2674.	[bug]		"dnssec-lookaside auto;" crashed if named was built
10444 			without openssl. [RT #20231]
10445 
10446 2673.	[bug]		The managed-keys.bind zone file could fail to
10447 			load due to a spurious result from sync_keyzone().
10448 			[RT #20045]
10449 
10450 2672.	[bug]		Don't enable searching in 'host' when doing reverse
10451 			lookups. [RT #20218]
10452 
10453 2671.	[bug]		Add support for PKCS#11 providers not returning
10454 			the public exponent in RSA private keys
10455 			(OpenCryptoki for instance) in
10456 			dnssec-keyfromlabel. [RT #19294]
10457 
10458 2670.	[bug]		Unexpected connect failures failed to log enough
10459 			information to be useful. [RT #20205]
10460 
10461 2669.	[func]		Update PKCS#11 support to support Keyper HSM.
10462 			Update PKCS#11 patch to be against openssl-0.9.8i.
10463 
10464 2668.	[func]		Several improvements to dnssec-* tools, including:
10465 			- dnssec-keygen and dnssec-settime can now set key
10466 			  metadata fields 0 (to unset a value, use "none")
10467 			- dnssec-revoke sets the revocation date in
10468 			  addition to the revoke bit
10469 			- dnssec-settime can now print individual metadata
10470 			  fields instead of always printing all of them,
10471 			  and can print them in unix epoch time format for
10472 			  use by scripts
10473 			[RT #19942]
10474 
10475 2667.	[func]		Add support for logging stack backtrace on assertion
10476 			failure (not available for all platforms). [RT #19780]
10477 
10478 2666.	[func]		Added an 'options' argument to dns_name_fromstring()
10479 			(API change from 9.7.0a2). [RT #20196]
10480 
10481 2665.	[func]		Clarify syntax for managed-keys {} statement, add
10482 			ARM documentation about RFC 5011 support. [RT #19874]
10483 
10484 2664.	[bug]		create_keydata() and minimal_update() in zone.c
10485 			didn't properly check return values for some
10486 			functions.  [RT #19956]
10487 
10488 2663.	[func]		win32:  allow named to run as a service using
10489 			"NT AUTHORITY\LocalService" as the account. [RT #19977]
10490 
10491 2662.	[bug]		lwres_getipnodebyname() and lwres_getipnodebyaddr()
10492 			returned a misleading error code when lwresd was
10493 			down. [RT #20028]
10494 
10495 2661.	[bug]		Check whether socket fd exceeds FD_SETSIZE when
10496 			creating lwres context. [RT #20029]
10497 
10498 2660.	[func]		Add a new set of DNS libraries for non-BIND9
10499 			applications.  See README.libdns. [RT #19369]
10500 
10501 2659.	[doc]		Clarify dnssec-keygen doc: key name must match zone
10502 			name for DNSSEC keys. [RT #19938]
10503 
10504 2658.	[bug]		dnssec-settime and dnssec-revoke didn't process
10505 			key file paths correctly. [RT #20078]
10506 
10507 2657.	[cleanup]	Lower "journal file <path> does not exist, creating it"
10508 			log level to debug 1. [RT #20058]
10509 
10510 2656.	[func]		win32: add a "tools only" check box to the installer
10511 			which causes it to only install dig, host, nslookup,
10512 			nsupdate and relevant DLLs.  [RT #19998]
10513 
10514 2655.	[doc]		Document that key-directory does not affect
10515 			bind.keys, rndc.key or session.key.  [RT #20155]
10516 
10517 2654.	[bug]		Improve error reporting on duplicated names for
10518 			deny-answer-xxx. [RT #20164]
10519 
10520 2653.	[bug]		Treat ENGINE_load_private_key() failures as key
10521 			not found rather than out of memory.  [RT #18033]
10522 
10523 2652.	[func]		Provide more detail about what record is being
10524 			deleted. [RT #20061]
10525 
10526 2651.	[bug]		Dates could print incorrectly in K*.key files on
10527 			64-bit systems. [RT #20076]
10528 
10529 2650.	[bug]		Assertion failure in dnssec-signzone when trying
10530 			to read keyset-* files. [RT #20075]
10531 
10532 2649.	[bug]		Set the domain for forward only zones. [RT #19944]
10533 
10534 2648.	[port]		win32: isc_time_seconds() was broken. [RT #19900]
10535 
10536 2647.	[bug]		Remove unnecessary SOA updates when a new KSK is
10537 			added. [RT #19913]
10538 
10539 2646.	[bug]		Incorrect cleanup on error in socket.c. [RT #19987]
10540 
10541 2645.	[port]		"gcc -m32" didn't work on amd64 and x86_64 platforms
10542 			which default to 64 bits. [RT #19927]
10543 
10544 	--- 9.7.0a2 released ---
10545 
10546 2644.	[bug]		Change #2628 caused a regression on some systems;
10547 			named was unable to write the PID file and would
10548 			fail on startup. [RT #20001]
10549 
10550 2643.	[bug]		Stub zones interacted badly with NSEC3 support.
10551 			[RT #19777]
10552 
10553 2642.	[bug]		nsupdate could dump core on solaris when reading
10554 			improperly formatted key files.  [RT #20015]
10555 
10556 2641.	[bug]		Fixed an error in parsing update-policy syntax,
10557 			added a regression test to check it. [RT #20007]
10558 
10559 2640.	[security]	A specially crafted update packet will cause named
10560 			to exit. [RT #20000]
10561 
10562 2639.	[bug]		Silence compiler warnings in gssapi code. [RT #19954]
10563 
10564 2638.	[bug]		Install arpaname. [RT #19957]
10565 
10566 2637.	[func]		Rationalize dnssec-signzone's signwithkey() calling.
10567 			[RT #19959]
10568 
10569 2636.	[func]		Simplify zone signing and key maintenance with the
10570 			dnssec-* tools.  Major changes:
10571 			- all dnssec-* tools now take a -K option to
10572 			  specify a directory in which key files will be
10573 			  stored
10574 			- DNSSEC keys can now store metadata indicating when
10575 			  they are scheduled to be published, activated,
10576 			  revoked or removed; these values can be set by
10577 			  dnssec-keygen or overwritten by the new
10578 			  dnssec-settime command
10579 			- dnssec-signzone -S (for "smart") option reads key
10580 			  metadata and uses it to determine automatically
10581 			  which keys to publish to the zone, use for
10582 			  signing, revoke, or remove from the zone
10583 			[RT #19816]
10584 
10585 2635.	[bug]		isc_inet_ntop() incorrectly handled 0.0/16 addresses.
10586 			[RT #19716]
10587 
10588 2634.	[port]		win32: Add support for libxml2, enable
10589 			statschannel. [RT #19773]
10590 
10591 2633.	[bug]		Handle 15 bit rand() functions. [RT #19783]
10592 
10593 2632.	[func]		util/kit.sh: warn if documentation appears to be out of
10594 			date.  [RT #19922]
10595 
10596 2631.	[bug]		Handle "//", "/./" and "/../" in mkdirpath().
10597 			[RT #19926]
10598 
10599 2630.	[func]		Improved syntax for DDNS autoconfiguration:  use
10600 			"update-policy local;" to switch on local DDNS in a
10601 			zone. (The "ddns-autoconf" option has been removed.)
10602 			[RT #19875]
10603 
10604 2629.	[port]		Check for seteuid()/setegid(), use setresuid()/
10605 			setresgid() if not present. [RT #19932]
10606 
10607 2628.	[port]		linux: Allow /var/run/named/named.pid to be opened
10608 			at startup with reduced capabilities in operation.
10609 			[RT #19884]
10610 
10611 2627.	[bug]		Named aborted if the same key was included in
10612 			trusted-keys more than once. [RT #19918]
10613 
10614 2626.	[bug]		Multiple trusted-keys could trigger an assertion
10615 			failure. [RT #19914]
10616 
10617 2625.	[bug]		Missing UNLOCK in rbtdb.c. [RT #19865]
10618 
10619 2624.	[func]		'named-checkconf -p' will print out the parsed
10620 			configuration. [RT #18871]
10621 
10622 2623.	[bug]		Named started searches for DS non-optimally. [RT #19915]
10623 
10624 2622.	[bug]		Printing of named.conf grammar was broken. [RT #19919]
10625 
10626 2621.	[doc]		Made copyright boilerplate consistent.  [RT #19833]
10627 
10628 2620.	[bug]		Delay thawing the zone until the reload of it has
10629 			completed successfully.  [RT #19750]
10630 
10631 2619.	[func]		Add support for RFC 5011, automatic trust anchor
10632 			maintenance.  The new "managed-keys" statement can
10633 			be used in place of "trusted-keys" for zones which
10634 			support this protocol.  (Note: this syntax is
10635 			expected to change prior to 9.7.0 final.) [RT #19248]
10636 
10637 2618.	[bug]		The sdb and sdlz db_interator_seek() methods could
10638 			loop infinitely. [RT #19847]
10639 
10640 2617.	[bug]		ifconfig.sh failed to emit an error message when
10641 			run from the wrong location. [RT #19375]
10642 
10643 2616.	[bug]		'host' used the nameservers from resolv.conf even
10644 			when an explicit nameserver was specified. [RT #19852]
10645 
10646 2615.	[bug]		"__attribute__((unused))" was in the wrong place
10647 			for ia64 gcc builds. [RT #19854]
10648 
10649 2614.	[port]		win32: 'named -v' should automatically be executed
10650 			in the foreground. [RT #19844]
10651 
10652 2613.	[placeholder]
10653 
10654 	--- 9.7.0a1 released ---
10655 
10656 2612.	[func]		Add default values for the arguments to
10657 			dnssec-keygen.  Without arguments, it will now
10658 			generate a 1024-bit RSASHA1 zone-signing key,
10659 			or with the -f KSK option, a 2048-bit RSASHA1
10660 			key-signing key. [RT #19300]
10661 
10662 2611.	[func]		Add -l option to dnssec-dsfromkey to generate
10663 			DLV records instead of DS records. [RT #19300]
10664 
10665 2610.	[port]		sunos: Change #2363 was not complete. [RT #19796]
10666 
10667 2609.	[func]		Simplify the configuration of dynamic zones:
10668 			- add ddns-confgen command to generate
10669 			  configuration text for named.conf
10670 			- add zone option "ddns-autoconf yes;", which
10671 			  causes named to generate a TSIG session key
10672 			  and allow updates to the zone using that key
10673 			- add '-l' (localhost) option to nsupdate, which
10674 			  causes nsupdate to connect to a locally-running
10675 			  named process using the session key generated
10676 			  by named
10677 			[RT #19284]
10678 
10679 2608.	[func]		Perform post signing verification checks in
10680 			dnssec-signzone.  These can be disabled with -P.
10681 
10682 			The post sign verification test ensures that for each
10683 			algorithm in use there is at least one non revoked
10684 			self signed KSK key, that all revoked KSK keys are
10685 			self signed, and that all records in the zone are
10686 			signed by the algorithm.  [RT #19653]
10687 
10688 2607.	[bug]		named could incorrectly delete NSEC3 records for
10689 			empty nodes when processing an update request.
10690 			[RT #19749]
10691 
10692 2606.	[bug]		"delegation-only" was not being accepted in
10693 			delegation-only type zones. [RT #19717]
10694 
10695 2605.	[bug]		Accept DS responses from delegation only zones.
10696 			[RT #19296]
10697 
10698 2604.	[func]		Add support for DNS rebinding attack prevention through
10699 			new options, deny-answer-addresses and
10700 			deny-answer-aliases.  Based on contributed code from
10701 			JD Nurmi, Google. [RT #18192]
10702 
10703 2603.	[port]		win32: handle .exe extension of named-checkzone and
10704 			named-compilezone argv[0] names under windows.
10705 			[RT #19767]
10706 
10707 2602.	[port]		win32: fix debugging command line build of libisccfg.
10708 			[RT #19767]
10709 
10710 2601.	[doc]		Mention file creation mode mask in the
10711 			named manual page.
10712 
10713 2600.	[doc]		ARM: miscellaneous reformatting for different
10714 			page widths. [RT #19574]
10715 
10716 2599.	[bug]		Address rapid memory growth when validation fails.
10717 			[RT #19654]
10718 
10719 2598.	[func]		Reserve the -F flag. [RT #19657]
10720 
10721 2597.	[bug]		Handle a validation failure with an insecure delegation
10722 			from an NSEC3 signed master/slave zone.  [RT #19464]
10723 
10724 2596.	[bug]		Stale tree nodes of cache/dynamic rbtdb could stay
10725 			long, leading to inefficient memory usage or rejecting
10726 			newer cache entries in the worst case. [RT #19563]
10727 
10728 2595.	[bug]		Fix unknown extended rcodes in dig. [RT #19625]
10729 
10730 2594.	[func]		Have rndc warn if using its default configuration
10731 			file when the key file also exists. [RT #19424]
10732 
10733 2593.	[bug]		Improve a corner source of SERVFAILs. [RT #19632]
10734 
10735 2592.	[bug]		Treat "any" as a type in nsupdate. [RT #19455]
10736 
10737 2591.	[bug]		named could die when processing an update in
10738 			removed_orphaned_ds(). [RT #19507]
10739 
10740 2590.	[func]		Report zone/class of "update with no effect".
10741 			[RT #19542]
10742 
10743 2589.	[bug]		dns_db_unregister() failed to clear '*dbimp'.
10744 			[RT #19626]
10745 
10746 2588.	[bug]		SO_REUSEADDR could be set unconditionally after failure
10747 			of bind(2) call.  This should be rare and mostly
10748 			harmless, but may cause interference with other
10749 			processes that happen to use the same port. [RT #19642]
10750 
10751 2587.	[func]		Improve logging by reporting serial numbers for
10752 			when zone serial has gone backwards or unchanged.
10753 			[RT #19506]
10754 
10755 2586.	[bug]		Missing cleanup of SIG rdataset in searching a DLZ DB
10756 			or SDB. [RT #19577]
10757 
10758 2585.	[bug]		Uninitialized socket name could be referenced via a
10759 			statistics channel, triggering an assertion failure in
10760 			XML rendering. [RT #19427]
10761 
10762 2584.	[bug]		alpha: gcc optimization could break atomic operations.
10763 			[RT #19227]
10764 
10765 2583.	[port]		netbsd: provide a control to not add the compile
10766 			date to the version string, -DNO_VERSION_DATE.
10767 
10768 2582.	[bug]		Don't emit warning log message when we attempt to
10769 			remove non-existent journal. [RT #19516]
10770 
10771 2581.	[contrib]	dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
10772 			Requires MySQL 5.0.19 or later. [RT #19084]
10773 
10774 2580.	[bug]		UpdateRej statistics counter could be incremented twice
10775 			for one rejection. [RT #19476]
10776 
10777 2579.	[bug]		DNSSEC lookaside validation failed to handle unknown
10778 			algorithms. [RT #19479]
10779 
10780 2578.	[bug]		Changed default sig-signing-type to 65534, because
10781 			65535 turns out to be reserved.  [RT #19477]
10782 
10783 2577.	[doc]		Clarified some statistics counters. [RT #19454]
10784 
10785 2576.	[bug]		NSEC records were not being correctly signed when
10786 			a zone transitions from insecure to secure.
10787 			Handle such incorrectly signed zones. [RT #19114]
10788 
10789 2575.	[func]		New functions dns_name_fromstring() and
10790 			dns_name_tostring(), to simplify conversion
10791 			of a string to a dns_name structure and vice
10792 			versa. [RT #19451]
10793 
10794 2574.	[doc]		Document nsupdate -g and -o. [RT #19351]
10795 
10796 2573.	[bug]		Replacing a non-CNAME record with a CNAME record in a
10797 			single transaction in a signed zone failed. [RT #19397]
10798 
10799 2572.	[func]		Simplify DLV configuration, with a new option
10800 			"dnssec-lookaside auto;"  This is the equivalent
10801 			of "dnssec-lookaside . trust-anchor dlv.isc.org;"
10802 			plus setting a trusted-key for dlv.isc.org.
10803 
10804 			Note: The trusted key is hard-coded into named,
10805 			but is also stored in (and can be overridden
10806 			by) $sysconfdir/bind.keys.  As the ISC DLV key
10807 			rolls over it can be kept up to date by replacing
10808 			the bind.keys file with a key downloaded from
10809 			https://www.isc.org/solutions/dlv. [RT #18685]
10810 
10811 2571.	[func]		Add a new tool "arpaname" which translates IP addresses
10812 			to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
10813 			[RT #18976]
10814 
10815 2570.	[func]		Log the destination address the query was sent to.
10816 			[RT #19209]
10817 
10818 2569.	[func]		Move journalprint, nsec3hash, and genrandom
10819 			commands from bin/tests into bin/tools;
10820 			"make install" will put them in $sbindir. [RT #19301]
10821 
10822 2568.	[bug]		Report when the write to indicate an otherwise
10823 			successful start fails. [RT #19360]
10824 
10825 2567.	[bug]		dst__privstruct_writefile() could miss write errors.
10826 			write_public_key() could miss write errors.
10827 			dnssec-dsfromkey could miss write errors.
10828 			[RT #19360]
10829 
10830 2566.	[cleanup]	Clarify logged message when an insecure DNSSEC
10831 			response arrives from a zone thought to be secure:
10832 			"insecurity proof failed" instead of "not
10833 			insecure". [RT #19400]
10834 
10835 2565.	[func]		Add support for HIP record.  Includes new functions
10836 			dns_rdata_hip_first(), dns_rdata_hip_next()
10837 			and dns_rdata_hip_current().  [RT #19384]
10838 
10839 2564.	[bug]		Only take EDNS fallback steps when processing timeouts.
10840 			[RT #19405]
10841 
10842 2563.	[bug]		Dig could leak a socket causing it to wait forever
10843 			to exit. [RT #19359]
10844 
10845 2562.	[doc]		ARM: miscellaneous improvements, reorganization,
10846 			and some new content.
10847 
10848 2561.	[doc]		Add isc-config.sh(1) man page. [RT #16378]
10849 
10850 2560.	[bug]		Add #include <config.h> to iptable.c. [RT #18258]
10851 
10852 2559.	[bug]		dnssec-dsfromkey could compute bad DS records when
10853 			reading from a K* file.  [RT #19357]
10854 
10855 2558.	[func]		Set the ownership of missing directories created
10856 			for pid-file if -u has been specified on the command
10857 			line. [RT #19328]
10858 
10859 2557.	[cleanup]	PCI compliance:
10860 			* new libisc log module file
10861 			* isc_dir_chroot() now also changes the working
10862 			  directory to "/".
10863 			* additional INSISTs
10864 			* additional logging when files can't be removed.
10865 
10866 2556.	[port]		Solaris: mkdir(2) on tmpfs filesystems does not do the
10867 			error checks in the correct order resulting in the
10868 			wrong error code sometimes being returned. [RT #19249]
10869 
10870 2555.	[func]		dig: when emitting a hex dump also display the
10871 			corresponding characters. [RT #19258]
10872 
10873 2554.	[bug]		Validation of uppercase queries from NSEC3 zones could
10874 			fail. [RT #19297]
10875 
10876 2553.	[bug]		Reference leak on DNSSEC validation errors. [RT #19291]
10877 
10878 2552.	[bug]		zero-no-soa-ttl-cache was not being honored.
10879 			[RT #19340]
10880 
10881 2551.	[bug]		Potential Reference leak on return. [RT #19341]
10882 
10883 2550.	[bug]		Check --with-openssl=<path> finds <openssl/opensslv.h>.
10884 			[RT #19343]
10885 
10886 2549.	[port]		linux: define NR_OPEN if not currently defined.
10887 			[RT #19344]
10888 
10889 2548.	[bug]		Install iterated_hash.h. [RT #19335]
10890 
10891 2547.	[bug]		openssl_link.c:mem_realloc() could reference an
10892 			out-of-range area of the source buffer.  New public
10893 			function isc_mem_reallocate() was introduced to address
10894 			this bug. [RT #19313]
10895 
10896 2546.	[func]		Add --enable-openssl-hash configure flag to use
10897 			OpenSSL (in place of internal routine) for hash
10898 			functions (MD5, SHA[12] and HMAC). [RT #18815]
10899 
10900 2545.	[doc]		ARM: Legal hostname checking (check-names) is
10901 			for SRV RDATA too. [RT #19304]
10902 
10903 2544.	[cleanup]	Removed unused structure members in adb.c. [RT #19225]
10904 
10905 2543.	[contrib]	Update contrib/zkt to version 0.98. [RT #19113]
10906 
10907 2542.	[doc]		Update the description of dig +adflag. [RT #19290]
10908 
10909 2541.	[bug]		Conditionally update dispatch manager statistics.
10910 			[RT #19247]
10911 
10912 2540.	[func]		Add a nibble mode to $GENERATE. [RT #18872]
10913 
10914 2539.	[security]	Update the interaction between recursion, allow-query,
10915 			allow-query-cache and allow-recursion.  [RT #19198]
10916 
10917 2538.	[bug]		cache/ADB memory could grow over max-cache-size,
10918 			especially with threads and smaller max-cache-size
10919 			values. [RT #19240]
10920 
10921 2537.	[func]		Added more statistics counters including those on socket
10922 			I/O events and query RTT histograms. [RT #18802]
10923 
10924 2536.	[cleanup]	Silence some warnings when -Werror=format-security is
10925 			specified. [RT #19083]
10926 
10927 2535.	[bug]		dig +showsearch and +trace interacted badly. [RT #19091]
10928 
10929 2534.	[func]		Check NAPTR records regular expressions and
10930 			replacement strings to ensure they are syntactically
10931 			valid and consistent. [RT #18168]
10932 
10933 2533.	[doc]		ARM: document @ (at-sign). [RT #17144]
10934 
10935 2532.	[bug]		dig: check the question section of the response to
10936 			see if it matches the asked question. [RT #18495]
10937 
10938 2531.	[bug]		Change #2207 was incomplete. [RT #19098]
10939 
10940 2530.	[bug]		named failed to reject insecure to secure transitions
10941 			via UPDATE. [RT #19101]
10942 
10943 2529.	[cleanup]	Upgrade libtool to silence complaints from recent
10944 			version of autoconf. [RT #18657]
10945 
10946 2528.	[cleanup]	Silence spurious configure warning about
10947 			--datarootdir [RT #19096]
10948 
10949 2527.	[placeholder]
10950 
10951 2526.	[func]		New named option "attach-cache" that allows multiple
10952 			views to share a single cache to save memory and
10953 			improve lookup efficiency.  Based on contributed code
10954 			from Barclay Osborn, Google. [RT #18905]
10955 
10956 2525.	[func]		New logging category "query-errors" to provide detailed
10957 			internal information about query failures, especially
10958 			about server failures. [RT #19027]
10959 
10960 2524.	[port]		sunos: dnssec-signzone needs strtoul(). [RT #19129]
10961 
10962 2523.	[bug]		Random type rdata freed by dns_nsec_typepresent().
10963 			[RT #19112]
10964 
10965 2522.	[security]	Handle -1 from DSA_do_verify() and EVP_VerifyFinal().
10966 
10967 2521.	[bug]		Improve epoll cross compilation support. [RT #19047]
10968 
10969 2520.	[bug]		Update xml statistics version number to 2.0 as change
10970 			#2388 made the schema incompatible with the previous
10971 			version. [RT #19080]
10972 
10973 2519.	[bug]		dig/host with -4 or -6 didn't work if more than two
10974 			nameserver addresses of the excluded address family
10975 			preceded in resolv.conf. [RT #19081]
10976 
10977 2518.	[func]		Add support for the new CERT types from RFC 4398.
10978 			[RT #19077]
10979 
10980 2517.	[bug]		dig +trace with -4 or -6 failed when it chose a
10981 			nameserver address of the excluded address type.
10982 			[RT #18843]
10983 
10984 2516.	[bug]		glue sort for responses was performed even when not
10985 			needed. [RT #19039]
10986 
10987 2515.	[port]		win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
10988 			[RT #19063]
10989 
10990 2514.	[bug]		dig/host failed with -4 or -6 when resolv.conf contains
10991 			a nameserver of the excluded address family.
10992 			[RT #18848]
10993 
10994 2513.	[bug]		Fix windows cli build. [RT #19062]
10995 
10996 2512.	[func]		Print a summary of the cached records which make up
10997 			the negative response.  [RT #18885]
10998 
10999 2511.	[cleanup]	dns_rdata_tofmttext() add const to linebreak.
11000 			[RT #18885]
11001 
11002 2510.	[bug]		"dig +sigchase" could trigger REQUIRE failures.
11003 			[RT #19033]
11004 
11005 2509.	[bug]		Specifying a fixed query source port was broken.
11006 			[RT #19051]
11007 
11008 2508.	[placeholder]
11009 
11010 2507.	[func]		Log the recursion quota values when killing the
11011 			oldest query or refusing to recurse due to quota.
11012 			[RT #19022]
11013 
11014 2506.	[port]		solaris: Check at configure time if
11015 			hack_shutup_pthreadonceinit is needed. [RT #19037]
11016 
11017 2505.	[port]		Treat amd64 similarly to x86_64 when determining
11018 			atomic operation support. [RT #19031]
11019 
11020 2504.	[bug]		Address race condition in the socket code. [RT #18899]
11021 
11022 2503.	[port]		linux: improve compatibility with Linux Standard
11023 			Base. [RT #18793]
11024 
11025 2502.	[cleanup]	isc_radix: Improve compliance with coding style,
11026 			document function in <isc/radix.h>. [RT #18534]
11027 
11028 2501.	[func]		$GENERATE now supports all rdata types.  Multi-field
11029 			rdata types need to be quoted.  See the ARM for
11030 			details. [RT #18368]
11031 
11032 2500.	[contrib]	contrib/sdb/pgsql/zonetodb.c called non-existent
11033 			function. [RT #18582]
11034 
11035 2499.	[port]		solaris: lib/lwres/getaddrinfo.c namespace clash.
11036 			[RT #18837]
11037 
11038 	--- 9.6.0rc1 released ---
11039 
11040 2498.	[bug]		Removed a bogus function argument used with
11041 			ISC_SOCKET_USE_POLLWATCH: it could cause compiler
11042 			warning or crash named with the debug 1 level
11043 			of logging. [RT #18917]
11044 
11045 2497.	[bug]		Don't add RRSIG bit to NSEC3 bit map for insecure
11046 			delegation.
11047 
11048 2496.	[bug]		Add sanity length checks to NSID option. [RT #18813]
11049 
11050 2495.	[bug]		Tighten RRSIG checks. [RT #18795]
11051 
11052 2494.	[bug]		isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
11053 			installed. [RT #18826]
11054 
11055 2493.	[bug]		The linux capabilities code was not correctly cleaning
11056 			up after itself. [RT #18767]
11057 
11058 2492.	[func]		Rndc status now reports the number of cpus discovered
11059 			and the number of worker threads when running
11060 			multi-threaded. [RT #18273]
11061 
11062 2491.	[func]		Attempt to re-use a local port if we are already using
11063 			the port. [RT #18548]
11064 
11065 2490.	[port]		aix: work around a kernel bug where IPV6_RECVPKTINFO
11066 			is cleared when IPV6_V6ONLY is set. [RT #18785]
11067 
11068 2489.	[port]		solaris: Work around Solaris's kernel bug about
11069 			/dev/poll:
11070 			http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
11071 			Define ISC_SOCKET_USE_POLLWATCH at build time to enable
11072 			this workaround. [RT #18870]
11073 
11074 2488.	[func]		Added a tool, dnssec-dsfromkey, to generate DS records
11075 			from keyset and .key files. [RT #18694]
11076 
11077 2487.	[bug]		Give TCP connections longer to complete. [RT #18675]
11078 
11079 2486.	[func]		The default locations for named.pid and lwresd.pid
11080 			are now /var/run/named/named.pid and
11081 			/var/run/lwresd/lwresd.pid respectively.
11082 
11083 			This allows the owner of the containing directory
11084 			to be set, for "named -u" support, and allows there
11085 			to be a permanent symbolic link in the path, for
11086 			"named -t" support.  [RT #18306]
11087 
11088 2485.	[bug]		Change update's handling of obscured RRSIG
11089 			records.  Not all orphaned DS records were being
11090 			removed. [RT #18828]
11091 
11092 2484.	[bug]		It was possible to trigger a REQUIRE failure when
11093 			adding NSEC3 proofs to the response in
11094 			query_addwildcardproof().  [RT #18828]
11095 
11096 2483.	[port]		win32: chroot() is not supported. [RT #18805]
11097 
11098 2482.	[port]		libxml2: support versions 2.7.* in addition
11099 			to 2.6.*. [RT #18806]
11100 
11101 	--- 9.6.0b1 released ---
11102 
11103 2481.	[bug]		rbtdb.c:matchparams() failed to handle NSEC3 chain
11104 			collisions.  [RT #18812]
11105 
11106 2480.	[bug]		named could fail to emit all the required NSEC3
11107 			records.  [RT #18812]
11108 
11109 2479.	[bug]		xfrout:covers was not properly initialized. [RT #18801]
11110 
11111 2478.	[bug]		'addresses' could be used uninitialized in
11112 			configure_forward(). [RT #18800]
11113 
11114 2477.	[bug]		dig: the global option to print the command line is
11115 			+cmd not print_cmd.  Update the output to reflect
11116 			this. [RT #17008]
11117 
11118 2476.	[doc]		ARM: improve documentation for max-journal-size and
11119 			ixfr-from-differences. [RT #15909] [RT #18541]
11120 
11121 2475.	[bug]		LRU cache cleanup under overmem condition could purge
11122 			particular entries more aggressively. [RT #17628]
11123 
11124 2474.	[bug]		ACL structures could be allocated with insufficient
11125 			space, causing an array overrun. [RT #18765]
11126 
11127 2473.	[port]		linux: raise the limit on open files to the possible
11128 			maximum value before spawning threads; 'files'
11129 			specified in named.conf doesn't seem to work with
11130 			threads as expected. [RT #18784]
11131 
11132 2472.	[port]		linux: check the number of available cpus before
11133 			calling chroot as it depends on "/proc". [RT #16923]
11134 
11135 2471.	[bug]		named-checkzone was not reporting missing mandatory
11136 			glue when sibling checks were disabled. [RT #18768]
11137 
11138 2470.	[bug]		Elements of the isc_radix_node_t could be incorrectly
11139 			overwritten.  [RT #18719]
11140 
11141 2469.	[port]		solaris: Work around Solaris's select() limitations.
11142 			[RT #18769]
11143 
11144 2468.	[bug]		Resolver could try unreachable servers multiple times.
11145 			[RT #18739]
11146 
11147 2467.	[bug]		Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]
11148 
11149 2466.	[doc]		ARM: explain max-cache-ttl 0 SERVFAIL issue.
11150 			[RT #18302]
11151 
11152 2465.	[bug]		Adb's handling of lame addresses was different
11153 			for IPv4 and IPv6. [RT #18738]
11154 
11155 2464.	[port]		linux: check that a capability is present before
11156 			trying to set it. [RT #18135]
11157 
11158 2463.	[port]		linux: POSIX doesn't include the IPv6 Advanced Socket
11159 			API and glibc hides parts of the IPv6 Advanced Socket
11160 			API as a result.  This is stupid as it breaks how the
11161 			two halves (Basic and Advanced) of the IPv6 Socket API
11162 			were designed to be used but we have to live with it.
11163 			Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
11164 			API. [RT #18388]
11165 
11166 2462.	[doc]		Document -m (enable memory usage debugging)
11167 			option for dig. [RT #18757]
11168 
11169 2461.	[port]		sunos: Change #2363 was not complete. [RT #17513]
11170 
11171 	--- 9.6.0a1 released ---
11172 
11173 2460.	[bug]		Don't call dns_db_getnsec3parameters() on the cache.
11174 			[RT #18697]
11175 
11176 2459.	[contrib]	Import dnssec-zkt to contrib/zkt. [RT #18448]
11177 
11178 2458.	[doc]		ARM: update and correction for max-cache-size.
11179 			[RT #18294]
11180 
11181 2457.	[tuning]	max-cache-size is reverted to 0, the previous
11182 			default.  It should be safe because expired cache
11183 			entries are also purged. [RT #18684]
11184 
11185 2456.	[bug]		In ACLs, ::/0 and 0.0.0.0/0 would both match any
11186 			address, regardless of family.  They now correctly
11187 			distinguish IPv4 from IPv6.  [RT #18559]
11188 
11189 2455.	[bug]		Stop metadata being transferred via axfr/ixfr.
11190 			[RT #18639]
11191 
11192 2454.	[func]		nsupdate: you can now set a default ttl. [RT #18317]
11193 
11194 2453.	[bug]		Remove NULL pointer dereference in dns_journal_print().
11195 			[RT #18316]
11196 
11197 2452.	[func]		Improve bin/test/journalprint. [RT #18316]
11198 
11199 2451.	[port]		solaris: handle runtime linking better. [RT #18356]
11200 
11201 2450.	[doc]		Fix lwresd docbook problem for manual page.
11202 			[RT #18672]
11203 
11204 2449.	[placeholder]
11205 
11206 2448.	[func]		Add NSEC3 support. [RT #15452]
11207 
11208 2447.	[cleanup]	libbind has been split out as a separate product.
11209 
11210 2446.	[func]		Add a new log message about build options on startup.
11211 			A new command-line option '-V' for named is also
11212 			provided to show this information. [RT #18645]
11213 
11214 2445.	[doc]		ARM out-of-date on empty reverse zones (list includes
11215 			RFC1918 address, but these are not yet compiled in).
11216 			[RT #18578]
11217 
11218 2444.	[port]		Linux, FreeBSD, AIX: Turn off path mtu discovery
11219 			(clear DF) for UDP responses and requests.
11220 
11221 2443.	[bug]		win32: UDP connect() would not generate an event,
11222 			and so connected UDP sockets would never clean up.
11223 			Fix this by doing an immediate WSAConnect() rather
11224 			than an io completion port type for UDP.
11225 
11226 2442.	[bug]		A lock could be destroyed twice. [RT #18626]
11227 
11228 2441.	[bug]		isc_radix_insert() could copy radix tree nodes
11229 			incompletely. [RT #18573]
11230 
11231 2440.	[bug]		named-checkconf used an incorrect test to determine
11232 			if an ACL was set to none.
11233 
11234 2439.	[bug]		Potential NULL dereference in dns_acl_isanyornone().
11235 			[RT #18559]
11236 
11237 2438.	[bug]		Timeouts could be logged incorrectly under win32.
11238 
11239 2437.	[bug]		Sockets could be closed too early, leading to
11240 			inconsistent states in the socket module. [RT #18298]
11241 
11242 2436.	[security]	win32: UDP client handler can be shut down. [RT #18576]
11243 
11244 2435.	[bug]		Fixed an ACL memory leak affecting win32.
11245 
11246 2434.	[bug]		Fixed a minor error-reporting bug in
11247 			lib/isc/win32/socket.c.
11248 
11249 2433.	[tuning]	Set initial timeout to 800ms.
11250 
11251 2432.	[bug]		More Windows socket handling improvements.  Stop
11252 			using I/O events and use IO Completion Ports
11253 			throughout.  Rewrite the receive path logic to make
11254 			it easier to support multiple simultaneous
11255 			requesters in the future.  Add stricter consistency
11256 			checking as a compile-time option (define
11257 			ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).
11258 
11259 2431.	[bug]		Acl processing could leak memory. [RT #18323]
11260 
11261 2430.	[bug]		win32: isc_interval_set() could round down to
11262 			zero if the input was less than NS_INTERVAL
11263 			nanoseconds.  Round up instead. [RT #18549]
11264 
11265 2429.	[doc]		nsupdate should be in section 1 of the man pages.
11266 			[RT #18283]
11267 
11268 2428.	[bug]		dns_iptable_merge() mishandled merges of negative
11269 			tables. [RT #18409]
11270 
11271 2427.	[func]		Treat DNSKEY queries as if "minimal-response yes;"
11272 			was set. [RT #18528]
11273 
11274 2426.	[bug]		libbind: inet_net_pton() can sometimes return the
11275 			wrong value if excessively large net masks are
11276 			supplied. [RT #18512]
11277 
11278 2425.	[bug]		named didn't detect unavailable query source addresses
11279 			at load time. [RT #18536]
11280 
11281 2424.	[port]		configure now probes for a working epoll
11282 			implementation.  Allow the use of kqueue,
11283 			epoll and /dev/poll to be selected at compile
11284 			time. [RT #18277]
11285 
11286 2423.	[security]	Randomize server selection on queries, so as to
11287 			make forgery a little more difficult.  Instead of
11288 			always preferring the server with the lowest RTT,
11289 			pick a server with RTT within the same 128
11290 			millisecond band.  [RT #18441]
11291 
11292 2422.	[bug]		Handle the special return value of an empty node as
11293 			if it was a NXRRSET in the validator. [RT #18447]
11294 
11295 2421.	[func]		Add new command line option '-S' for named to specify
11296 			the max number of sockets. [RT #18493]
11297 			Use caution: this option may not work for some
11298 			operating systems without rebuilding named.
11299 
11300 2420.	[bug]		Windows socket handling cleanup.  Let the io
11301 			completion event send out canceled read/write
11302 			done events, which keeps us from writing to memory
11303 			we no longer have ownership of.  Add debugging
11304 			socket_log() function.  Rework TCP socket handling
11305 			to not leak sockets.
11306 
11307 2419.	[cleanup]	Document that isc_socket_create() and isc_socket_open()
11308 			should not be used for isc_sockettype_fdwatch sockets.
11309 			[RT #18521]
11310 
11311 2418.	[bug]		AXFR request on a DLZ could trigger a REQUIRE failure.
11312 			[RT #18430]
11313 
11314 2417.	[bug]		Connecting UDP sockets for outgoing queries could
11315 			unexpectedly fail with an 'address already in use'
11316 			error. [RT #18411]
11317 
11318 2416.	[func]		Log file descriptors that cause exceeding the
11319 			internal maximum. [RT #18460]
11320 
11321 2415.	[bug]		'rndc dumpdb' could trigger various assertion failures
11322 			in rbtdb.c. [RT #18455]
11323 
11324 2414.	[bug]		A masterdump context held the database lock too long,
11325 			causing various troubles such as deadlock and
11326 			recursive lock acquisition. [RT #18311, #18456]
11327 
11328 2413.	[bug]		Fixed an unreachable code path in socket.c. [RT #18442]
11329 
11330 2412.	[bug]		win32: address a resource leak. [RT #18374]
11331 
11332 2411.	[bug]		Allow using a larger number of sockets than FD_SETSIZE
11333 			for select().  To enable this, set ISC_SOCKET_MAXSOCKETS
11334 			at compilation time.  [RT #18433]
11335 
11336 			Note: with changes #2469 and #2421 above, there is no
11337 			need to tweak ISC_SOCKET_MAXSOCKETS at compilation time
11338 			any more.
11339 
11340 2410.	[bug]		Correctly delete m_versionInfo. [RT #18432]
11341 
11342 2409.	[bug]		Only log that we disabled EDNS processing if we were
11343 			subsequently successful.  [RT #18029]
11344 
11345 2408.	[bug]		A duplicate TCP dispatch event could be sent, which
11346 			could then trigger an assertion failure in
11347 			resquery_response().  [RT #18275]
11348 
11349 2407.	[port]		hpux: test for sys/dyntune.h. [RT #18421]
11350 
11351 2406.	[placeholder]
11352 
11353 2405.	[cleanup]	The default value for dnssec-validation was changed to
11354 			"yes" in 9.5.0-P1 and all subsequent releases; this
11355 			was inadvertently omitted from CHANGES at the time.
11356 
11357 2404.	[port]		hpux: files unlimited support.
11358 
11359 2403.	[bug]		TSIG context leak. [RT #18341]
11360 
11361 2402.	[port]		Support Solaris 2.11 and over. [RT #18362]
11362 
11363 2401.	[bug]		Expect to get E[MN]FILE errno in internal_accept()
11364 			(from accept() or fcntl() system calls). [RT #18358]
11365 
11366 2400.	[bug]		Log if kqueue()/epoll_create()/open(/dev/poll) fails.
11367 			[RT #18297]
11368 
11369 2399.	[placeholder]
11370 
11371 2398.	[bug]		Improve file descriptor management.  New,
11372 			temporary, named.conf option reserved-sockets,
11373 			default 512. [RT #18344]
11374 
11375 2397.	[bug]		gssapi_functions had too many elements. [RT #18355]
11376 
11377 2396.	[bug]		Don't set SO_REUSEADDR for randomized ports.
11378 			[RT #18336]
11379 
11380 2395.	[port]		Avoid warning and no effect from "files unlimited"
11381 			on Linux when running as root. [RT #18335]
11382 
11383 2394.	[bug]		Default configuration options set the limit for
11384 			open files to 'unlimited' as described in the
11385 			documentation. [RT #18331]
11386 
11387 2393.	[bug]		nested acls containing keys could trigger an
11388 			assertion in acl.c. [RT #18166]
11389 
11390 2392.	[bug]		remove 'grep -q' from acl test script, some platforms
11391 			don't support it. [RT #18253]
11392 
11393 2391.	[port]		hpux: cover additional recvmsg() error codes.
11394 			[RT #18301]
11395 
11396 2390.	[bug]		dispatch.c could make a false warning on 'odd socket'.
11397 			[RT #18301].
11398 
11399 2389.	[bug]		Move the "working directory writable" check to after
11400 			the ns_os_changeuser() call. [RT #18326]
11401 
11402 2388.	[bug]		Avoid using tables for layout purposes in
11403 			statistics XSL [RT #18159].
11404 
11405 2387.	[bug]		Silence compiler warnings in lib/isc/radix.c.
11406 			[RT #18147] [RT #18258]
11407 
11408 2386.	[func]		Add warning about too small 'open files' limit.
11409 			[RT #18269]
11410 
11411 2385.	[bug]		A condition variable in socket.c could leak in
11412 			rare error handling [RT #17968].
11413 
11414 2384.	[security]	Fully randomize UDP query ports to improve
11415 			forgery resilience. [RT #17949, #18098]
11416 
11417 2383.	[bug]		named could double queries when they resulted in
11418 			SERVFAIL due to overkilling EDNS0 failure detection.
11419 			[RT #18182]
11420 
11421 2382.	[doc]		Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
11422 			to ARM.
11423 
11424 2381.	[port]		dlz/mysql: support multiple install layouts for
11425 			mysql.  <prefix>/include/{,mysql/}mysql.h and
11426 			<prefix>/lib/{,mysql/}. [RT #18152]
11427 
11428 2380.	[bug]		dns_view_find() was not returning NXDOMAIN/NXRRSET
11429 			proofs which, in turn, caused validation failures
11430 			for insecure zones immediately below a secure zone
11431 			the server was authoritative for. [RT #18112]
11432 
11433 2379.	[contrib]	queryperf/gen-data-queryperf.py: removed redundant
11434 			TLDs and supported RRs with TTLs [RT #17972]
11435 
11436 2378.	[bug]		gssapi_functions{} had a redundant member in BIND 9.5.
11437 			[RT #18169]
11438 
11439 2377.	[bug]		Address race condition in dnssec-signzone. [RT #18142]
11440 
11441 2376.	[bug]		Change #2144 was not complete.
11442 
11443 2375.	[placeholder]
11444 
11445 2374.	[bug]		"blackhole" ACLs could cause named to segfault due
11446 			to some uninitialized memory. [RT #18095]
11447 
11448 2373.	[bug]		Default values of zone ACLs were re-parsed each time a
11449 			new zone was configured, causing an overconsumption
11450 			of memory. [RT #18092]
11451 
11452 2372.	[bug]		Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]
11453 
11454 2371.	[doc]		Add +nsid option to dig man page. [RT #18039]
11455 
11456 2370.	[bug]		"rndc freeze" could trigger an assertion in named
11457 			when called on a nonexistent zone. [RT #18050]
11458 
11459 2369.	[bug]		libbind: Array bounds overrun on read in bitncmp().
11460 			[RT #18054]
11461 
11462 2368.	[port]		Linux: use libcap for capability management if
11463 			possible. [RT #18026]
11464 
11465 2367.	[bug]		Improve counting of dns_resstatscounter_retry
11466 			[RT #18030]
11467 
11468 2366.	[bug]		Adb shutdown race. [RT #18021]
11469 
11470 2365.	[bug]		Fix a bug that caused dns_acl_isany() to return
11471 			spurious results. [RT #18000]
11472 
11473 2364.	[bug]		named could trigger an assertion when serving a
11474 			malformed signed zone. [RT #17828]
11475 
11476 2363.	[port]		sunos: pre-set "lt_cv_sys_max_cmd_len=4096;".
11477 			[RT #17513]
11478 
11479 2362.	[cleanup]	Make "rrset-order fixed" a compile-time option,
11480 			settable by "./configure --enable-fixed-rrset".
11481 			Disabled by default. [RT #17977]
11482 
11483 2361.	[bug]		"recursion" statistics counter could be counted
11484 			multiple times for a single query.  [RT #17990]
11485 
11486 2360.	[bug]		Fix a condition where we release a database version
11487 			(which may acquire a lock) while holding the lock.
11488 
11489 2359.	[bug]		Fix NSID bug. [RT #17942]
11490 
11491 2358.	[doc]		Update host's default query description. [RT #17934]
11492 
11493 2357.	[port]		Don't use OpenSSL's engine support in versions before
11494 			OpenSSL 0.9.7f. [RT #17922]
11495 
11496 2356.	[bug]		Built in mutex profiler was not scalable enough.
11497 			[RT #17436]
11498 
11499 2355.	[func]		Extend the number of statistics counters available.
11500 			[RT #17590]
11501 
11502 2354.	[bug]		Failed to initialize some rdatasetheader_t elements.
11503 			[RT #17927]
11504 
11505 2353.	[func]		Add support for Name Server ID (RFC 5001).
11506 			'dig +nsid' requests NSID from server.
11507 			'request-nsid yes;' causes recursive server to send
11508 			NSID requests to upstream servers.  Server responds
11509 			to NSID requests with the string configured by
11510 			'server-id' option.  [RT #17091]
11511 
11512 2352.	[bug]		Various GSS_API fixups. [RT #17729]
11513 
11514 2351.	[bug]		convertxsl.pl generated very long lines. [RT #17906]
11515 
11516 2350.	[port]		win32: IPv6 support. [RT #17797]
11517 
11518 2349.	[func]		Provide incremental re-signing support for secure
11519 			dynamic zones. [RT #1091]
11520 
11521 2348.	[func]		Use the EVP interface to OpenSSL. Add PKCS#11 support.
11522 			Documentation is in the new README.pkcs11 file.
11523 			New tool, dnssec-keyfromlabel, which takes the
11524 			label of a key pair in a HSM and constructs a DNS
11525 			key pair for use by named and dnssec-signzone.
11526 			[RT #16844]
11527 
11528 2347.	[bug]		Delete now traverses the RB tree in the canonical
11529 			order. [RT #17451]
11530 
11531 2346.	[func]		Memory statistics now cover all active memory contexts
11532 			in increased detail. [RT #17580]
11533 
11534 2345.	[bug]		named-checkconf failed to detect when forwarders
11535 			were set at both the options/view level and in
11536 			a root zone. [RT #17671]
11537 
11538 2344.	[bug]		Improve "logging{ file ...; };" documentation.
11539 			[RT #17888]
11540 
11541 2343.	[bug]		(Seemingly) duplicate IPv6 entries could be
11542 			created in ADB. [RT #17837]
11543 
11544 2342.	[func]		Use getifaddrs() if available under Linux. [RT #17224]
11545 
11546 2341.	[bug]		libbind: add missing -I../include for off source
11547 			tree builds. [RT #17606]
11548 
11549 2340.	[port]		openbsd: interface configuration. [RT #17700]
11550 
11551 2339.	[port]		tru64: support for libbind. [RT #17589]
11552 
11553 2338.	[bug]		check_ds() could be called with a non DS rdataset.
11554 			[RT #17598]
11555 
11556 2337.	[bug]		BUILD_LDFLAGS was not being correctly set.  [RT #17614]
11557 
11558 2336.	[func]		If "named -6" is specified then listen on all IPv6
11559 			interfaces if there are no listen-on-v6 clauses in
11560 			named.conf.  [RT #17581]
11561 
11562 2335.	[port]		sunos:  libbind and *printf() support for long long.
11563 			[RT #17513]
11564 
11565 2334.	[bug]		Bad REQUIRES in fromstruct_in_naptr(),  off by one
11566 			bug in fromstruct_txt(). [RT #17609]
11567 
11568 2333.	[bug]		Fix off by one error in isc_time_nowplusinterval().
11569 			[RT #17608]
11570 
11571 2332.	[contrib]	query-loc-0.4.0. [RT #17602]
11572 
11573 2331.	[bug]		Failure to regenerate any signatures was not being
11574 			reported nor being passed back to the UPDATE client.
11575 			[RT #17570]
11576 
11577 2330.	[bug]		Remove potential race condition when handling
11578 			over memory events. [RT #17572]
11579 
11580 			WARNING: API CHANGE: over memory callback
11581 			function now needs to call isc_mem_waterack().
11582 			See <isc/mem.h> for details.
11583 
11584 2329.	[bug]		Clearer help text for dig's '-x' and '-i' options.
11585 
11586 2328.	[maint]		Add AAAA addresses for A.ROOT-SERVERS.NET,
11587 			F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET,
11588 			J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
11589 			M.ROOT-SERVERS.NET.
11590 
11591 2327.	[bug]		It was possible to dereference a NULL pointer in
11592 			rbtdb.c.  Implement dead node processing in zones as
11593 			we do for caches. [RT #17312]
11594 
11595 2326.	[bug]		It was possible to trigger an INSIST in the acache
11596 			processing.
11597 
11598 2325.	[port]		Linux: use capset() function if available. [RT #17557]
11599 
11600 2324.	[bug]		Fix IPv6 matching against "any;". [RT #17533]
11601 
11602 2323.	[port]		tru64: namespace clash. [RT #17547]
11603 
11604 2322.	[port]		MacOS: work around the limitation of setrlimit()
11605 			for RLIMIT_NOFILE. [RT #17526]
11606 
11607 2321.	[placeholder]
11608 
11609 2320.	[func]		Make statistics counters thread-safe for platforms
11610 			that support certain atomic operations. [RT #17466]
11611 
11612 2319.	[bug]		Silence Coverity warnings in
11613 			lib/dns/rdata/in_1/apl_42.c. [RT #17469]
11614 
11615 2318.	[port]		sunos fixes for libbind.  [RT #17514]
11616 
11617 2317.	[bug]		"make distclean" removed bind9.xsl.h. [RT #17518]
11618 
11619 2316.	[port]		Missing #include <isc/print.h> in lib/dns/gssapictx.c.
11620 			[RT #17513]
11621 
11622 2315.	[bug]		Used incorrect address family for mapped IPv4
11623 			addresses in acl.c. [RT #17519]
11624 
11625 2314.	[bug]		Uninitialized memory use on error path in
11626 			bin/named/lwdnoop.c.  [RT #17476]
11627 
11628 2313.	[cleanup]	Silence Coverity warnings. Handle private stacks.
11629 			[RT #17447] [RT #17478]
11630 
11631 2312.	[cleanup]	Silence Coverity warning in lib/isc/unix/socket.c.
11632 			[RT #17458]
11633 
11634 2311.	[bug]		IPv6 addresses could match IPv4 ACL entries and
11635 			vice versa. [RT #17462]
11636 
11637 2310.	[bug]		dig, host, nslookup: flush stdout before emitting
11638 			debug/fatal messages.  [RT #17501]
11639 
11640 2309.	[cleanup]	Fix Coverity warnings in lib/dns/acl.c and iptable.c.
11641 			[RT #17455]
11642 
11643 2308.	[cleanup]	Silence Coverity warning in bin/named/controlconf.c.
11644 			[RT #17495]
11645 
11646 2307.	[bug]		Remove infinite loop from lib/dns/sdb.c. [RT #17496]
11647 
11648 2306.	[bug]		Remove potential race from lib/dns/resolver.c.
11649 			[RT #17470]
11650 
11651 2305.	[security]	inet_network() buffer overflow. CVE-2008-0122.
11652 
11653 2304.	[bug]		Check returns from all dns_rdata_tostruct() calls.
11654 			[RT #17460]
11655 
11656 2303.	[bug]		Remove unnecessary code from bin/named/lwdgnba.c.
11657 			[RT #17471]
11658 
11659 2302.	[bug]		Fix memset() calls in lib/tests/t_api.c. [RT #17472]
11660 
11661 2301.	[bug]		Remove resource leak and fix error messages in
11662 			bin/tests/system/lwresd/lwtest.c. [RT #17474]
11663 
11664 2300.	[bug]		Fixed failure to close open file in
11665 			bin/tests/names/t_names.c. [RT #17473]
11666 
11667 2299.	[bug]		Remove unnecessary NULL check in
11668 			bin/nsupdate/nsupdate.c. [RT #17475]
11669 
11670 2298.	[bug]		isc_mutex_lock() failure not caught in
11671 			bin/tests/timers/t_timers.c. [RT #17468]
11672 
11673 2297.	[bug]		isc_entropy_createfilesource() failure not caught in
11674 			bin/tests/dst/t_dst.c. [RT #17467]
11675 
11676 2296.	[port]		Allow docbook stylesheet location to be specified to
11677 			configure. [RT #17457]
11678 
11679 2295.	[bug]		Silence static overrun error in bin/named/lwaddr.c.
11680 			[RT #17459]
11681 
11682 2294.	[func]		Allow the experimental statistics channels to have
11683 			multiple connections and ACL.
11684 			Note: the stats-server and stats-server-v6 options
11685 			available in the previous beta releases are replaced
11686 			with the generic statistics-channels statement.
11687 
11688 2293.	[func]		Add ACL regression test. [RT #17375]
11689 
11690 2292.	[bug]		Log if the working directory is not writable.
11691 			[RT #17312]
11692 
11693 2291.	[bug]		PR_SET_DUMPABLE may be set too late.  Also report
11694 			failure to set PR_SET_DUMPABLE. [RT #17312]
11695 
11696 2290.	[bug]		Let AD in the query signal that the client wants AD
11697 			set in the response. [RT #17301]
11698 
11699 2289.	[func]		named-checkzone now reports the out-of-zone CNAME
11700 			found. [RT #17309]
11701 
11702 2288.	[port]		win32: mark service as running when we have finished
11703 			loading.  [RT #17441]
11704 
11705 2287.	[bug]		Use 'volatile' if the compiler supports it. [RT #17413]
11706 
11707 2286.	[func]		Allow a TCP connection to be used as a weak
11708 			authentication method for reverse zones.
11709 			New update-policy methods tcp-self and 6to4-self.
11710 			[RT #17378]
11711 
11712 2285.	[func]		Test framework for client memory context management.
11713 			[RT #17377]
11714 
11715 2284.	[bug]		Memory leak in UPDATE prerequisite processing.
11716 			[RT #17377]
11717 
11718 2283.	[bug]		TSIG keys were not attaching to the memory
11719 			context.  TSIG keys should use the rings
11720 			memory context rather than the clients memory
11721 			context. [RT #17377]
11722 
11723 2282.	[bug]		Acl code fixups. [RT #17346] [RT #17374]
11724 
11725 2281.	[bug]		Attempts to use undefined acls were not being logged.
11726 			[RT #17307]
11727 
11728 2280.	[func]		Allow the experimental http server to be reached
11729 			over IPv6 as well as IPv4. [RT #17332]
11730 
11731 2279.	[bug]		Use setsockopt(SO_NOSIGPIPE), when available,
11732 			to protect applications from receiving spurious
11733 			SIGPIPE signals when using the resolver.
11734 
11735 2278.	[bug]		win32: handle the case where Windows returns no
11736 			search list or DNS suffix. [RT #17354]
11737 
11738 2277.	[bug]		Empty zone names were not correctly being caught
11739 			in the post parse checks. [RT #17357]
11740 
11741 2276.	[bug]		Install <dst/gssapi.h>.  [RT #17359]
11742 
11743 2275.	[func]		Add support to dig to perform IXFR queries over UDP.
11744 			[RT #17235]
11745 
11746 2274.	[func]		Log zone transfer statistics. [RT #17336]
11747 
11748 2273.	[bug]		Adjust log level to WARNING when saving inconsistent
11749 			stub/slave master and journal files. [RT #17279]
11750 
11751 2272.	[bug]		Handle illegal dnssec-lookaside trust-anchor names.
11752 			[RT #17262]
11753 
11754 2271.	[bug]		Fix a memory leak in http server code [RT #17100]
11755 
11756 2270.	[bug]		dns_db_closeversion() version->writer could be reset
11757 			before it is tested. [RT #17290]
11758 
11759 2269.	[contrib]	dbus memory leaks and missing va_end calls. [RT #17232]
11760 
11761 2268.	[bug]		0.IN-ADDR.ARPA was missing from the empty zones
11762 			list.
11763 
11764 	--- 9.5.0b1 released ---
11765 
11766 2267.	[bug]		Radix tree node_num value could be set incorrectly,
11767 			causing positive ACL matches to look like negative
11768 			ones.  [RT #17311]
11769 
11770 2266.	[bug]		client.c:get_clientmctx() returned the same mctx
11771 			once the pool of mctx's was filled. [RT #17218]
11772 
11773 2265.	[bug]		Test that the memory context's basic_table is non NULL
11774 			before freeing.  [RT #17265]
11775 
11776 2264.	[bug]		Server prefix length was being ignored. [RT #17308]
11777 
11778 2263.	[bug]		"named-checkconf -z" failed to set default value
11779 			for "check-integrity".  [RT #17306]
11780 
11781 2262.	[bug]		Error status from all but the last view could be
11782 			lost. [RT #17292]
11783 
11784 2261.	[bug]		Fix memory leak with "any" and "none" ACLs [RT #17272]
11785 
11786 2260.	[bug]		Reported wrong clients-per-query when increasing the
11787 			value. [RT #17236]
11788 
11789 2259.	[placeholder]
11790 
11791 	--- 9.5.0a7 released ---
11792 
11793 2258.	[bug]		Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken.
11794 			[RT #17241]
11795 
11796 2257.	[bug]		win32: Use the full path to vcredist_x86.exe when
11797 			calling it. [RT #17222]
11798 
11799 2256.	[bug]		win32: Correctly register the installation location of
11800 			bindevt.dll. [RT #17159]
11801 
11802 2255.	[maint]		L.ROOT-SERVERS.NET is now 199.7.83.42.
11803 
11804 2254.	[bug]		timer.c:dispatch() failed to lock timer->lock
11805 			when reading timer->idle allowing it to see
11806 			intermediate values as timer->idle was reset by
11807 			isc_timer_touch(). [RT #17243]
11808 
11809 2253.	[func]		"max-cache-size" defaults to 32M.
11810 			"max-acache-size" defaults to 16M.
11811 
11812 2252.	[bug]		Fixed errors in sortlist code [RT #17216]
11813 
11814 2251.	[placeholder]
11815 
11816 2250.	[func]		New flag 'memstatistics' to state whether the
11817 			memory statistics file should be written or not.
11818 			Additionally named's -m option will cause the
11819 			statistics file to be written. [RT #17113]
11820 
11821 2249.	[bug]		Only set Authentic Data bit if client requested
11822 			DNSSEC, per RFC 3655 [RT #17175]
11823 
11824 2248.	[cleanup]	Fix several errors reported by Coverity. [RT #17160]
11825 
11826 2247.	[doc]		Sort doc/misc/options. [RT #17067]
11827 
11828 2246.	[bug]		Make the startup of test servers (ans.pl) more
11829 			robust. [RT #17147]
11830 
11831 2245.	[bug]		Validating lack of DS records at trust anchors wasn't
11832 			working. [RT #17151]
11833 
11834 2244.	[func]		Allow the check of nameserver names against the
11835 			SOA MNAME field to be disabled by specifying
11836 			'notify-to-soa yes;'.  [RT #17073]
11837 
11838 2243.	[func]		Configuration files without a newline at the end now
11839 			parse without error. [RT #17120]
11840 
11841 2242.	[bug]		nsupdate: GSS-TSIG support using the Heimdal Kerberos
11842 			library could require a source of random data.
11843 			[RT #17127]
11844 
11845 2241.	[func]		nsupdate: add an interactive 'help' command. [RT #17099]
11846 
11847 2240.	[bug]		Clean up nsupdate's GSS-TSIG support.  Convert
11848 			a number of INSIST()s into plain fatal() errors
11849 			which report the triggering result code.
11850 			The 'key' command wasn't disabling GSS-TSIG.
11851 			[RT #17099]
11852 
11853 2239.	[func]		Ship a pre built bin/named/bind9.xsl.h. [RT #17114]
11854 
11855 2238.	[bug]		It was possible to trigger a REQUIRE when a
11856 			validation was canceled. [RT #17106]
11857 
11858 2237.	[bug]		libbind: res_init() was not thread aware. [RT #17123]
11859 
11860 2236.	[bug]		dnssec-signzone failed to preserve the case of
11861 			wildcard owner names. [RT #17085]
11862 
11863 2235.	[bug]		<isc/atomic.h> was not being installed. [RT #17135]
11864 
11865 2234.	[port]		Correct some compiler warnings on SCO OSr5 [RT #17134]
11866 
11867 2233.	[func]		Add support for O(1) ACL processing, based on
11868 			radix tree code originally written by Kevin
11869 			Brintnall. [RT #16288]
11870 
11871 2232.	[bug]		dns_adb_findaddrinfo() could fail and return
11872 			ISC_R_SUCCESS. [RT #17137]
11873 
11874 2231.	[bug]		Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken.
11875 			[RT #17088]
11876 
11877 2230.	[bug]		We could INSIST reading a corrupted journal.
11878 			[RT #17132]
11879 
11880 2229.	[bug]		Null pointer dereference on query pool creation
11881 			failure. [RT #17133]
11882 
11883 2228.	[contrib]	contrib: Change 2188 was incomplete.
11884 
11885 2227.	[cleanup]	Tidied up the FAQ. [RT #17121]
11886 
11887 2226.	[placeholder]
11888 
11889 2225.	[bug]		More support for systems with no IPv4 addresses.
11890 			[RT #17111]
11891 
11892 2224.	[bug]		Defer journal compaction if a xfrin is in progress.
11893 			[RT #17119]
11894 
11895 2223.	[bug]		Make a new journal when compacting. [RT #17119]
11896 
11897 2222.	[func]		named-checkconf now checks server key references.
11898 			[RT #17097]
11899 
11900 2221.	[bug]		Set the event result code to reflect the actual
11901 			record returned to caller when a cache update is
11902 			rejected due to a more credible answer existing.
11903 			[RT #17017]
11904 
11905 2220.	[bug]		win32: Address a race condition in final shutdown of
11906 			the Windows socket code. [RT #17028]
11907 
11908 2219.	[bug]		Apply zone consistency checks to additions, not
11909 			removals, when updating. [RT #17049]
11910 
11911 2218.	[bug]		Remove unnecessary REQUIRE from dns_validator_create().
11912 			[RT #16976]
11913 
11914 2217.	[func]		Adjust update log levels. [RT #17092]
11915 
11916 2216.	[cleanup]	Fix a number of errors reported by Coverity.
11917 			[RT #17094]
11918 
11919 2215.	[bug]		Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094]
11920 
11921 2214.	[bug]		Deregister OpenSSL lock callback when cleaning
11922 			up.  Reorder OpenSSL cleanup so that RAND_cleanup()
11923 			is called before the locks are destroyed. [RT #17098]
11924 
11925 2213.	[bug]		SIG0 diagnostic failure messages were looking at the
11926 			wrong status code. [RT #17101]
11927 
11928 2212.	[func]		'host -m' now causes memory statistics and active
11929 			memory to be printed at exit. [RT #17028]
11930 
11931 2211.	[func]		Update "dynamic update temporarily disabled" message.
11932 			[RT #17065]
11933 
11934 2210.	[bug]		Deleting class specific records via UPDATE could
11935 			fail.  [RT #17074]
11936 
11937 2209.	[port]		osx: linking against user supplied static OpenSSL
11938 			libraries failed as the system ones were still being
11939 			found. [RT #17078]
11940 
11941 2208.	[port]		win32: make sure both build methods produce the
11942 			same output. [RT #17058]
11943 
11944 2207.	[port]		Some implementations of getaddrinfo() fail to set
11945 			ai_canonname correctly. [RT #17061]
11946 
11947 	--- 9.5.0a6 released ---
11948 
11949 2206.	[security]	"allow-query-cache" and "allow-recursion" now
11950 			cross inherit from each other.
11951 
11952 			If allow-query-cache is not set in named.conf then
11953 			allow-recursion is used if set, otherwise allow-query
11954 			is used if set, otherwise the default (localnets;
11955 			localhost;) is used.
11956 
11957 			If allow-recursion is not set in named.conf then
11958 			allow-query-cache is used if set, otherwise allow-query
11959 			is used if set, otherwise the default (localnets;
11960 			localhost;) is used.
11961 
11962 			[RT #16987]
11963 
11964 2205.	[bug]		libbind: change #2119 broke thread support. [RT #16982]
11965 
11966 2204.	[bug]		"rndc flushname name unknown-view" caused named
11967 			to crash. [RT #16984]
11968 
11969 2203.	[security]	Query id generation was cryptographically weak.
11970 			[RT #16915]
11971 
11972 2202.	[security]	The default acls for allow-query-cache and
11973 			allow-recursion were not being applied. [RT #16960]
11974 
11975 2201.	[bug]		The build failed in a separate object directory.
11976 			[RT #16943]
11977 
11978 2200.	[bug]		The search for cached NSEC records was stopping too
11979 			early leading to excessive DLV queries. [RT #16930]
11980 
11981 2199.	[bug]		win32: don't call WSAStartup() while loading dlls.
11982 			[RT #16911]
11983 
11984 2198.	[bug]		win32: RegCloseKey() could be called when
11985 			RegOpenKeyEx() failed. [RT #16911]
11986 
11987 2197.	[bug]		Add INSIST to catch negative responses which are
11988 			not setting the event result code appropriately.
11989 			[RT #16909]
11990 
11991 2196.	[port]		win32: yield processor while waiting for once to
11992 			complete. [RT #16958]
11993 
11994 2195.	[func]		dnssec-keygen now defaults to nametype "ZONE"
11995 			when generating DNSKEYs. [RT #16954]
11996 
11997 2194.	[bug]		Close journal before calling 'done' in xfrin.c.
11998 
11999 	--- 9.5.0a5 released ---
12000 
12001 2193.	[port]		win32: BINDInstall.exe is now linked statically.
12002 			[RT #16906]
12003 
12004 2192.	[port]		win32: use vcredist_x86.exe to install Visual
12005 			Studio's redistributable dlls if building with
12006 			Visual Studio 2005 or later.
12007 
12008 2191.	[func]		named-checkzone now allows dumping to stdout (-).
12009 			named-checkconf now has -h for help.
12010 			named-checkzone now has -h for help.
12011 			rndc now has -h for help.
12012 			Better handling of '-?' for usage summaries.
12013 			[RT #16707]
12014 
12015 2190.	[func]		Make fallback to plain DNS from EDNS due to timeouts
12016 			more visible.  New logging category "edns-disabled".
12017 			[RT #16871]
12018 
12019 2189.	[bug]		Handle socket() returning EINTR. [RT #15949]
12020 
12021 2188.	[contrib]	queryperf: autoconf changes to make the search for
12022 			libresolv or libbind more robust. [RT #16299]
12023 
12024 2187.	[bug]		query_addds(), query_addwildcardproof() and
12025 			query_addnxrrsetnsec() should take a version
12026 			argument. [RT #16368]
12027 
12028 2186.	[port]		cygwin: libbind: check for struct sockaddr_storage
12029 			independently of IPv6. [RT #16482]
12030 
12031 2185.	[port]		sunos: libbind: check for ssize_t, memmove() and
12032 			memchr(). [RT #16463]
12033 
12034 2184.	[bug]		bind9.xsl.h didn't build out of the source tree.
12035 			[RT #16830]
12036 
12037 2183.	[bug]		dnssec-signzone didn't handle offline private keys
12038 			well.  [RT #16832]
12039 
12040 2182.	[bug]		dns_dispatch_createtcp() and dispatch_createudp()
12041 			could return ISC_R_SUCCESS when they ran out of
12042 			memory. [RT #16365]
12043 
12044 2181.	[port]		sunos: libbind: add paths.h from BIND 8. [RT #16462]
12045 
12046 2180.	[cleanup]	Remove bit test from 'compress_test' as they
12047 			are no longer needed. [RT #16497]
12048 
12049 2179.	[func]		'rndc command zone' will now find 'zone' if it is
12050 			unique to all the views. [RT #16821]
12051 
12052 2178.	[bug]		'rndc reload' of a slave or stub zone resulted in
12053 			a reference leak. [RT #16867]
12054 
12055 2177.	[bug]		Array bounds overrun on read (rcodetext) at
12056 			debug level 10+. [RT #16798]
12057 
12058 2176.	[contrib]	dbus update to handle race condition during
12059 			initialization (Bugzilla 235809). [RT #16842]
12060 
12061 2175.	[bug]		win32: windows broadcast condition variable support
12062 			was broken. [RT #16592]
12063 
12064 2174.	[bug]		I/O errors should always be fatal when reading
12065 			master files. [RT #16825]
12066 
12067 2173.	[port]		win32: When compiling with MSVS 2005 SP1 we also
12068 			need to ship Microsoft.VC80.MFCLOC.
12069 
12070 	--- 9.5.0a4 released ---
12071 
12072 2172.	[bug]		query_addsoa() was being called with a non zone db.
12073 			[RT #16834]
12074 
12075 2171.	[bug]		Handle breaks in DNSSEC trust chains where the parent
12076 			servers are not DS aware (DS queries to the parent
12077 			return a referral to the child).
12078 
12079 2170.	[func]		Add acache processing to test suite. [RT #16711]
12080 
12081 2169.	[bug]		host, nslookup: when reporting NXDOMAIN report the
12082 			given name and not the last name searched for.
12083 			[RT #16763]
12084 
12085 2168.	[bug]		nsupdate: in non-interactive mode treat syntax errors
12086 			as fatal errors. [RT #16785]
12087 
12088 2167.	[bug]		When re-using an automatic zone, named failed to
12089 			attach it to the new view. [RT #16786]
12090 
12091 	--- 9.5.0a3 released ---
12092 
12093 2166.	[bug]		When running in batch mode, dig could misinterpret
12094 			a server address as a name to be looked up, causing
12095 			unexpected output. [RT #16743]
12096 
12097 2165.	[func]		Allow the destination address of a query to determine
12098 			if we will answer the query or recurse.
12099 			allow-query-on, allow-recursion-on and
12100 			allow-query-cache-on. [RT #16291]
12101 
12102 2164.	[bug]		The code to determine how named-checkzone /
12103 			named-compilezone was called failed under windows.
12104 			[RT #16764]
12105 
12106 2163.	[bug]		If only one of query-source and query-source-v6
12107 			specified a port the query pools code broke (change
12108 			2129).  [RT #16768]
12109 
12110 2162.	[func]		Allow "rrset-order fixed" to be disabled at compile
12111 			time. [RT #16665]
12112 
12113 2161.	[bug]		Fix which log messages are emitted for 'rndc flush'.
12114 			[RT #16698]
12115 
12116 2160.	[bug]		libisc wasn't handling NULL ifa_addr pointers returned
12117 			from getifaddrs(). [RT #16708]
12118 
12119 	--- 9.5.0a2 released ---
12120 
12121 2159.	[bug]		Array bounds overrun in acache processing. [RT #16710]
12122 
12123 2158.	[bug]		ns_client_isself() failed to initialize key
12124 			leading to a REQUIRE failure. [RT #16688]
12125 
12126 2157.	[func]		dns_db_transfernode() created. [RT #16685]
12127 
12128 2156.	[bug]		Fix node reference leaks in lookup.c:lookup_find(),
12129 			resolver.c:validated() and resolver.c:cache_name().
12130 			Fix a memory leak in rbtdb.c:free_noqname().
12131 			Make lookup.c:lookup_find() robust against
12132 			event leaks. [RT #16685]
12133 
12134 2155.	[contrib]	SQLite sdb module from jaboydjr@netwalk.com.
12135 			[RT #16694]
12136 
12137 2154.	[func]		Scoped (e.g. IPv6 link-local) addresses may now be
12138 			matched in acls by omitting the scope. [RT #16599]
12139 
12140 2153.	[bug]		nsupdate could leak memory. [RT #16691]
12141 
12142 2152.	[cleanup]	Use sizeof(buf) instead of fixed number in
12143 			dighost.c:get_trusted_key(). [RT #16678]
12144 
12145 2151.	[bug]		Missing newline in usage message for journalprint.
12146 			[RT #16679]
12147 
12148 2150.	[bug]		'rrset-order cyclic' uniformly distribute the
12149 			starting point for the first response for a given
12150 			RRset. [RT #16655]
12151 
12152 2149.	[bug]		isc_mem_checkdestroyed() failed to abort
12153 			if there were still active memory contexts.
12154 			[RT #16672]
12155 
12156 2148.	[func]		Add positive logging for rndc commands. [RT #14623]
12157 
12158 2147.	[bug]		libbind: remove potential buffer overflow from
12159 			hmac_link.c. [RT #16437]
12160 
12161 2146.	[cleanup]	Silence Linux's spurious "obsolete setsockopt
12162 			SO_BSDCOMPAT" message. [RT #16641]
12163 
12164 2145.	[bug]		Check DS/DLV digest lengths for known digests.
12165 			[RT #16622]
12166 
12167 2144.	[cleanup]	Suppress logging of SERVFAIL from forwarders.
12168 			[RT #16619]
12169 
12170 2143.	[bug]		We failed to restart the IPv6 client when the
12171 			kernel failed to return the destination the
12172 			packet was sent to. [RT #16613]
12173 
12174 2142.	[bug]		Handle master files with a modification time that
12175 			matches the epoch. [RT #16612]
12176 
12177 2141.	[bug]		dig/host should not be setting IDN_ASCCHECK (IDN
12178 			equivalent of LDH checks).  [RT #16609]
12179 
12180 2140.	[bug]		libbind: missing unlock on pthread_key_create()
12181 			failures. [RT #16654]
12182 
12183 2139.	[bug]		dns_view_find() was being called with wrong type
12184 			in adb.c. [RT #16670]
12185 
12186 2138.	[bug]		Lock order reversal in resolver.c. [RT #16653]
12187 
12188 2137.	[port]		Mips little endian and/or mips 64 bit are now
12189 			supported for atomic operations. [RT #16648]
12190 
12191 2136.	[bug]		nslookup/host looped if there was no search list
12192 			and the host didn't exist. [RT #16657]
12193 
12194 2135.	[bug]		Uninitialized rdataset in sdlz.c. [RT #16656]
12195 
12196 2134.	[func]		Additional statistics support. [RT #16666]
12197 
12198 2133.	[port]		powerpc:  Support both IBM and MacOS Power PC
12199 			assembler syntaxes. [RT #16647]
12200 
12201 2132.	[bug]		Missing unlock on out of memory in
12202 			dns_dispatchmgr_setudp().
12203 
12204 2131.	[contrib]	dlz/mysql: AXFR was broken. [RT #16630]
12205 
12206 2130.	[func]		Log if CD or DO were set. [RT #16640]
12207 
12208 2129.	[func]		Provide a pool of UDP sockets for queries to be
12209 			made over. See use-queryport-pool, queryport-pool-ports
12210 			and queryport-pool-updateinterval.  [RT #16415]
12211 
12212 2128.	[doc]		xsltproc --nonet, update DTD versions.  [RT #16635]
12213 
12214 2127.	[port]		Improved OpenSSL 0.9.8 support. [RT #16563]
12215 
12216 2126.	[security]	Serialize validation of type ANY responses. [RT #16555]
12217 
12218 2125.	[bug]		dns_zone_getzeronosoattl() REQUIRE failure if DLZ
12219 			was defined. [RT #16574]
12220 
12221 2124.	[security]	It was possible to dereference a freed fetch
12222 			context. [RT #16584]
12223 
12224 	--- 9.5.0a1 released ---
12225 
12226 2123.	[func]		Use Doxygen to generate internal documentation.
12227 			[RT #11398]
12228 
12229 2122.	[func]		Experimental http server and statistics support
12230 			for named via xml.
12231 
12232 2121.	[func]		Add a 10 slot dead masters cache (LRU) with a 600
12233 			second timeout. [RT #16553]
12234 
12235 2120.	[doc]		Fix markup on nsupdate man page. [RT #16556]
12236 
12237 2119.	[compat]	libbind: allow res_init() to succeed enough to
12238 			return the default domain even if it was unable
12239 			to allocate memory.
12240 
12241 2118.	[bug]		Handle response with long chains of domain name
12242 			compression pointers which point to other compression
12243 			pointers. [RT #16427]
12244 
12245 2117.	[bug]		DNSSEC fixes: named could fail to cache NSEC records
12246 			which could lead to validation failures.  named didn't
12247 			handle negative DS responses that were in the process
12248 			of being validated.  Check CNAME bit before accepting
12249 			NODATA proof. To be able to ignore a child NSEC there
12250 			must be SOA (and NS) set in the bitmap. [RT #16399]
12251 
12252 2116.	[bug]		'rndc reload' could cause the cache to continually
12253 			be cleaned. [RT #16401]
12254 
12255 2115.	[bug]		'rndc reconfig' could trigger an INSIST if the
12256 			number of masters for a zone was reduced. [RT #16444]
12257 
12258 2114.	[bug]		dig/host/nslookup: searches for names with multiple
12259 			labels were failing. [RT #16447]
12260 
12261 2113.	[bug]		nsupdate: if a zone is specified it should be used
12262 			for server discovery. [RT #16455]
12263 
12264 2112.	[security]	Warn if weak RSA exponent is used. [RT #16460]
12265 
12266 2111.	[bug]		Fix a number of errors reported by Coverity.
12267 			[RT #16507]
12268 
12269 2110.	[bug]		"minimal-responses yes;" interacted badly with BIND 8
12270 			priming queries. [RT #16491]
12271 
12272 2109.	[port]		libbind: silence aix 5.3 compiler warnings. [RT #16502]
12273 
12274 2108.	[func]		DHCID support. [RT #16456]
12275 
12276 2107.	[bug]		dighost.c: more cleanup of buffers. [RT #16499]
12277 
12278 2106.	[func]		'rndc status' now reports named's version. [RT #16426]
12279 
12280 2105.	[func]		GSS-TSIG support (RFC 3645).
12281 
12282 2104.	[port]		Fix Solaris SMF error message.
12283 
12284 2103.	[port]		Add /usr/sfw to list of locations for OpenSSL
12285 			under Solaris.
12286 
12287 2102.	[port]		Silence Solaris 10 warnings.
12288 
12289 2101.	[bug]		OpenSSL version checks were not quite right.
12290 			[RT #16476]
12291 
12292 2100.	[port]		win32: copy libeay32.dll to Build\Debug.
12293 			Copy Debug\named-checkzone to Debug\named-compilezone.
12294 
12295 2099.	[port]		win32: more manifest issues.
12296 
12297 2098.	[bug]		Race in rbtdb.c:no_references(), which occasionally
12298 			triggered an INSIST failure about the node lock
12299 			reference.  [RT #16411]
12300 
12301 2097.	[bug]		named could reference a destroyed memory context
12302 			after being reloaded / reconfigured. [RT #16428]
12303 
12304 2096.	[bug]		libbind: handle applications that fail to detect
12305 			res_init() failures better.
12306 
12307 2095.	[port]		libbind: always prototype inet_cidr_ntop_ipv6() and
12308 			net_cidr_ntop_ipv6(). [RT #16388]
12309 
12310 2094.	[contrib]	Update named-bootconf.  [RT #16404]
12311 
12312 2093.	[bug]		named-checkzone -s was broken.
12313 
12314 2092.	[bug]		win32: dig, host, nslookup.  Use registry config
12315 			if resolv.conf does not exist or no nameservers
12316 			listed. [RT #15877]
12317 
12318 2091.	[port]		dighost.c: race condition on cleanup. [RT #16417]
12319 
12320 2090.	[port]		win32: Visual C++ 2005 command line manifest support.
12321 			[RT #16417]
12322 
12323 2089.	[security]	Raise the minimum safe OpenSSL versions to
12324 			OpenSSL 0.9.7l and OpenSSL 0.9.8d.  Versions
12325 			prior to these have known security flaws which
12326 			are (potentially) exploitable in named. [RT #16391]
12327 
12328 2088.	[security]	Change the default RSA exponent from 3 to 65537.
12329 			[RT #16391]
12330 
12331 2087.	[port]		libisc failed to compile on OS's w/o a vsnprintf.
12332 			[RT #16382]
12333 
12334 2086.	[port]		libbind: FreeBSD now has get*by*_r() functions.
12335 			[RT #16403]
12336 
12337 2085.	[doc]		win32: added index.html and README to zip. [RT #16201]
12338 
12339 2084.	[contrib]	dbus update for 9.3.3rc2.
12340 
12341 2083.	[port]		win32: Visual C++ 2005 support.
12342 
12343 2082.	[doc]		Document 'cache-file' as a test only option.
12344 
12345 2081.	[port]		libbind: minor 64-bit portability fix in memcluster.c.
12346 			[RT #16360]
12347 
12348 2080.	[port]		libbind: res_init.c did not compile on older versions
12349 			of Solaris. [RT #16363]
12350 
12351 2079.	[bug]		The lame cache was not handling multiple types
12352 			correctly. [RT #16361]
12353 
12354 2078.	[bug]		dnssec-checkzone output style "default" was badly
12355 			named.  It is now called "relative". [RT #16326]
12356 
12357 2077.	[bug]		'dnssec-signzone -O raw' wasn't outputting the
12358 			complete signed zone. [RT #16326]
12359 
12360 2076.	[bug]		Several files were missing #include <config.h>
12361 			causing build failures on OSF. [RT #16341]
12362 
12363 2075.	[bug]		The spillat timer event handler could leak memory.
12364 			[RT #16357]
12365 
12366 2074.	[bug]		dns_request_createvia2(), dns_request_createvia3(),
12367 			dns_request_createraw2() and dns_request_createraw3()
12368 			failed to send multiple UDP requests. [RT #16349]
12369 
12370 2073.	[bug]		Incorrect semantics check for update policy "wildcard".
12371 			[RT #16353]
12372 
12373 2072.	[bug]		We were not generating valid HMAC SHA digests.
12374 			[RT #16320]
12375 
12376 2071.	[port]		Test whether gcc accepts -fno-strict-aliasing.
12377 			[RT #16324]
12378 
12379 2070.	[bug]		The remote address was not always displayed when
12380 			reporting dispatch failures. [RT #16315]
12381 
12382 2069.	[bug]		Cross compiling was not working. [RT #16330]
12383 
12384 2068.	[cleanup]	Lower incremental tuning message to debug 1.
12385 			[RT #16319]
12386 
12387 2067.	[bug]		'rndc' could close the socket too early triggering
12388 			an INSIST under Windows. [RT #16317]
12389 
12390 2066.	[security]	Handle SIG queries gracefully. [RT #16300]
12391 
12392 2065.	[bug]		libbind: probe for HPUX prototypes for
12393 			endprotoent_r() and endservent_r().  [RT #16313]
12394 
12395 2064.	[bug]		libbind: silence AIX compiler warnings. [RT #16218]
12396 
12397 2063.	[bug]		Change #1955 introduced a bug which caused the first
12398 			'rndc flush' call to not free memory. [RT #16244]
12399 
12400 2062.	[bug]		'dig +nssearch' was reusing a buffer before it had
12401 			been returned by the socket code. [RT #16307]
12402 
12403 2061.	[bug]		Accept expired wildcard message reversed. [RT #16296]
12404 
12405 2060.	[bug]		Enabling DLZ support could leave views partially
12406 			configured. [RT #16295]
12407 
12408 2059.	[bug]		Search into cache rbtdb could trigger an INSIST
12409 			failure while cleaning up a stale rdataset.
12410 			[RT #16292]
12411 
12412 2058.	[bug]		Adjust how we calculate rtt estimates in the presence
12413 			of authoritative servers that drop EDNS and/or CD
12414 			requests.  Also fallback to EDNS/512 and plain DNS
12415 			faster for zones with less than 3 servers.  [RT #16187]
12416 
12417 2057.	[bug]		Make setting "ra" dependent on both allow-query-cache
12418 			and allow-recursion. [RT #16290]
12419 
12420 2056.	[bug]		dig: ixfr= was not being treated case insensitively
12421 			at all times. [RT #15955]
12422 
12423 2055.	[bug]		Missing goto after dropping multicast query.
12424 			[RT #15944]
12425 
12426 2054.	[port]		freebsd: do not explicitly link against -lpthread.
12427 			[RT #16170]
12428 
12429 2053.	[port]		netbsd:libbind: silence compiler warnings. [RT #16220]
12430 
12431 2052.	[bug]		'rndc' improve connect failed message to report
12432 			the failing address. [RT #15978]
12433 
12434 2051.	[port]		More strtol() fixes. [RT #16249]
12435 
12436 2050.	[bug]		Parsing of NSAP records was not case insensitive.
12437 			[RT #16287]
12438 
12439 2049.	[bug]		Restore SOA before AXFR when falling back from
12440 			an attempted IXFR when transferring in a zone.
12441 			Allow an initial SOA query before attempting
12442 			an AXFR to be requested. [RT #16156]
12443 
12444 2048.	[bug]		It was possible to loop forever when using
12445 			avoid-v4-udp-ports / avoid-v6-udp-ports when
12446 			the OS always returned the same local port.
12447 			[RT #16182]
12448 
12449 2047.	[bug]		Failed to initialize the interface flags to zero.
12450 			[RT #16245]
12451 
12452 2046.	[bug]		rbtdb.c:rdataset_setadditional() could cause duplicate
12453 			cleanup [RT #16247].
12454 
12455 2045.	[func]		Use lock buckets for acache entries to limit memory
12456 			consumption. [RT #16183]
12457 
12458 2044.	[port]		Add support for atomic operations for Itanium.
12459 			[RT #16179]
12460 
12461 2043.	[port]		nsupdate/nslookup: Force the flushing of the prompt
12462 			for interactive sessions. [RT #16148]
12463 
12464 2042.	[bug]		named-checkconf was incorrectly rejecting the
12465 			logging category "config". [RT #16117]
12466 
12467 2041.	[bug]		"configure --with-dlz-bdb=yes" produced a bad
12468 			set of libraries to be linked. [RT #16129]
12469 
12470 2040.	[bug]		rbtdb no_references() could trigger an INSIST
12471 			failure with --enable-atomic.  [RT #16022]
12472 
12473 2039.	[func]		Check that all buffers passed to the socket code
12474 			have been retrieved when the socket event is freed.
12475 			[RT #16122]
12476 
12477 2038.	[bug]		dig/nslookup/host was unlinking from wrong list
12478 			when handling errors. [RT #16122]
12479 
12480 2037.	[func]		When unlinking the first or last element in a list
12481 			check that the list head points to the element to
12482 			be unlinked. [RT #15959]
12483 
12484 2036.	[bug]		'rndc recursing' could trigger a REQUIRE.
12485 			[RT #16075]
12486 
12487 2035.	[func]		Make falling back to TCP on UDP refresh failure
12488 			optional. Default "try-tcp-refresh yes;" for BIND 8
12489 			compatibility. [RT #16123]
12490 
12491 2034.	[bug]		gcc: set -fno-strict-aliasing. [RT #16124]
12492 
12493 2033.	[bug]		We weren't creating multiple client memory contexts
12494 			on demand as expected. [RT #16095]
12495 
12496 2032.	[bug]		Remove an INSIST in query_addadditional2(). [RT #16074]
12497 
12498 2031.	[bug]		Emit an error message when "rndc refresh" is called on
12499 			a non slave/stub zone. [RT #16073]
12500 
12501 2030.	[bug]		We were being overly conservative when disabling
12502 			openssl engine support. [RT #16030]
12503 
12504 2029.	[bug]		host printed out the server multiple times when
12505 			specified on the command line. [RT #15992]
12506 
12507 2028.	[port]		linux: socket.c compatibility for old systems.
12508 			[RT #16015]
12509 
12510 2027.	[port]		libbind: Solaris x86 support. [RT #16020]
12511 
12512 2026.	[bug]		Rate limit the two recursive client exceeded messages.
12513 			[RT #16044]
12514 
12515 2025.	[func]		Update "zone serial unchanged" message. [RT #16026]
12516 
12517 2024.	[bug]		named emitted spurious "zone serial unchanged"
12518 			messages on reload. [RT #16027]
12519 
12520 2023.	[bug]		"make install" should create ${localstatedir}/run and
12521 			${sysconfdir} if they do not exist. [RT #16033]
12522 
12523 2022.	[bug]		If dnssec validation is disabled only assert CD if
12524 			CD was requested. [RT #16037]
12525 
12526 2021.	[bug]		dnssec-enable no; triggered a REQUIRE. [RT #16037]
12527 
12528 2020.	[bug]		rdataset_setadditional() could leak memory. [RT #16034]
12529 
12530 2019.	[tuning]	Reduce the amount of work performed per quantum
12531 			when cleaning the cache. [RT #15986]
12532 
12533 2018.	[bug]		Checking if the HMAC MD5 private file was broken.
12534 			[RT #15960]
12535 
12536 2017.	[bug]		allow-query default was not correct. [RT #15946]
12537 
12538 2016.	[bug]		Return a partial answer if recursion is not
12539 			allowed but requested and we had the answer
12540 			to the original qname. [RT #15945]
12541 
12542 2015.	[cleanup]	use-additional-cache is now acache-enable for
12543 			consistency.  Default acache-enable off in BIND 9.4
12544 			as it requires memory usage to be configured.
12545 			It may be enabled by default in BIND 9.5 once we
12546 			have more experience with it.
12547 
12548 2014.	[func]		Statistics about acache now recorded and sent
12549 			to log. [RT #15976]
12550 
12551 2013.	[bug]		Handle unexpected TSIGs on unsigned AXFR/IXFR
12552 			responses more gracefully. [RT #15941]
12553 
12554 2012.	[func]		Don't insert new acache entries if acache is full.
12555 			[RT #15970]
12556 
12557 2011.	[func]		dnssec-signzone can now update the SOA record of
12558 			the signed zone, either as an increment or as the
12559 			system time(). [RT #15633]
12560 
12561 2010.	[placeholder]	rt15958
12562 
12563 2009.	[bug]		libbind: Coverity fixes. [RT #15808]
12564 
12565 2008.	[func]		It is now possible to enable/disable DNSSEC
12566 			validation from rndc.  This is useful for the
12567 			mobile hosts where the current connection point
12568 			breaks DNSSEC (firewall/proxy).  [RT #15592]
12569 
12570 				rndc validation newstate [view]
12571 
12572 2007.	[func]		It is now possible to explicitly enable DNSSEC
12573 			validation.  default dnssec-validation no; to
12574 			be changed to yes in 9.5.0.  [RT #15674]
12575 
12576 2006.	[security]	Allow-query-cache and allow-recursion now default
12577 			to the built in acls "localnets" and "localhost".
12578 
12579 			This is being done to make caching servers less
12580 			attractive as reflective amplifying targets for
12581 			spoofed traffic.  This still leaves authoritative
12582 			servers exposed.
12583 
12584 			The best fix is for full BCP 38 deployment to
12585 			remove spoofed traffic.
12586 
12587 2005.	[bug]		libbind: Retransmission timeouts should be
12588 			based on which attempt it is to the nameserver
12589 			and not the nameserver itself. [RT #13548]
12590 
12591 2004.	[bug]		dns_tsig_sign() could pass a NULL pointer to
12592 			dst_context_destroy() when cleaning up after a
12593 			an error. [RT #15835]
12594 
12595 2003.	[bug]		libbind: The DNS name/address lookup functions could
12596 			occasionally follow a random pointer due to
12597 			structures not being completely zeroed. [RT #15806]
12598 
12599 2002.	[bug]		libbind: tighten the constraints on when
12600 			struct addrinfo._ai_pad exists.  [RT #15783]
12601 
12602 2001.	[func]		Check the KSK flag when updating a secure dynamic zone.
12603 			New zone option "update-check-ksk yes;".  [RT #15817]
12604 
12605 2000.	[bug]		memmove()/strtol() fix was incomplete. [RT #15812]
12606 
12607 1999.	[func]		Implement "rrset-order fixed". [RT #13662]
12608 
12609 1998.	[bug]		Restrict handling of fifos as sockets to just SunOS.
12610 			This allows named to connect to entropy gathering
12611 			daemons that use fifos instead of sockets. [RT #15840]
12612 
12613 1997.	[bug]		Named was failing to replace negative cache entries
12614 			when a positive one for the type was learnt.
12615 			[RT #15818]
12616 
12617 1996.	[bug]		nsupdate: if a zone has been specified it should
12618 			appear in the output of 'show'. [RT #15797]
12619 
12620 1995.	[bug]		'host' was reporting multiple "is an alias" messages.
12621 			[RT #15702]
12622 
12623 1994.	[port]		OpenSSL 0.9.8 support. [RT #15694]
12624 
12625 1993.	[bug]		Log messages, via syslog, were missing the space
12626 			after the timestamp if "print-time yes" was specified.
12627 			[RT #15844]
12628 
12629 1992.	[bug]		Not all incoming zone transfer messages included the
12630 			view.  [RT #15825]
12631 
12632 1991.	[cleanup]	The configuration data, once read, should be treated
12633 			as read only.  Expand the use of const to enforce this
12634 			at compile time. [RT #15813]
12635 
12636 1990.	[bug]		libbind:  isc's override of broken gettimeofday()
12637 			implementations was not always effective.
12638 			[RT #15709]
12639 
12640 1989.	[bug]		win32: don't check the service password when
12641 			re-installing. [RT #15882]
12642 
12643 1988.	[bug]		Remove a bus error from the SHA256/SHA512 support.
12644 			[RT #15878]
12645 
12646 1987.	[func]		DS/DLV SHA256 digest algorithm support. [RT #15608]
12647 
12648 1986.	[func]		Report when a zone is removed. [RT #15849]
12649 
12650 1985.	[protocol]	DLV has now been assigned an official type code of
12651 			32769. [RT #15807]
12652 
12653 			Note: care should be taken to ensure you upgrade
12654 			both named and dnssec-signzone at the same time for
12655 			zones with DLV records where named is the master
12656 			server for the zone.  Also any zones that contain
12657 			DLV records should be removed when upgrading a slave
12658 			zone.  You do not however have to upgrade all
12659 			servers for a zone with DLV records simultaneously.
12660 
12661 1984.	[func]		dig, nslookup and host now advertise a 4096 byte
12662 			EDNS UDP buffer size by default. [RT #15855]
12663 
12664 1983.	[func]		Two new update policies.  "selfsub" and "selfwild".
12665 			[RT #12895]
12666 
12667 1982.	[bug]		DNSKEY was being accepted on the parent side of
12668 			a delegation.  KEY is still accepted there for
12669 			RFC 3007 validated updates. [RT #15620]
12670 
12671 1981.	[bug]		win32: condition.c:wait() could fail to reattain
12672 			the mutex lock.
12673 
12674 1980.	[func]		dnssec-signzone: output the SOA record as the
12675 			first record in the signed zone. [RT #15758]
12676 
12677 1979.	[port]		linux: allow named to drop core after changing
12678 			user ids. [RT #15753]
12679 
12680 1978.	[port]		Handle systems which have a broken recvmsg().
12681 			[RT #15742]
12682 
12683 1977.	[bug]		Silence noisy log message. [RT #15704]
12684 
12685 1976.	[bug]		Handle systems with no IPv4 addresses. [RT #15695]
12686 
12687 1975.	[bug]		libbind: isc_gethexstring() could misparse multi-line
12688 			hex strings with comments. [RT #15814]
12689 
12690 1974.	[doc]		List each of the zone types and associated zone
12691 			options separately in the ARM.
12692 
12693 1973.	[func]		TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
12694 			HMACSHA512 support. [RT #13606]
12695 
12696 1972.	[contrib]	DBUS dynamic forwarders integration from
12697 			Jason Vas Dias <jvdias@redhat.com>.
12698 
12699 1971.	[port]		linux: make detection of missing IF_NAMESIZE more
12700 			robust. [RT #15443]
12701 
12702 1970.	[bug]		nsupdate: adjust UDP timeout when falling back to
12703 			unsigned SOA query. [RT #15775]
12704 
12705 1969.	[bug]		win32: the socket code was freeing the socket
12706 			structure too early. [RT #15776]
12707 
12708 1968.	[bug]		Missing lock in resolver.c:validated(). [RT #15739]
12709 
12710 1967.	[func]		dig/nslookup/host: warn about missing "QR". [RT #15779]
12711 
12712 1966.	[bug]		Don't set CD when we have fallen back to plain DNS.
12713 			[RT #15727]
12714 
12715 1965.	[func]		Suppress spurious "recursion requested but not
12716 			available" warning with 'dig +qr'. [RT #15780].
12717 
12718 1964.	[func]		Separate out MX and SRV to CNAME checks. [RT #15723]
12719 
12720 1963.	[port]		Tru64 4.0E doesn't support send() and recv().
12721 			[RT #15586]
12722 
12723 1962.	[bug]		Named failed to clear old update-policy when it
12724 			was removed. [RT #15491]
12725 
12726 1961.	[bug]		Check the port and address of responses forwarded
12727 			to dispatch. [RT #15474]
12728 
12729 1960.	[bug]		Update code should set NSEC ttls from SOA MINIMUM.
12730 			[RT #15465]
12731 
12732 1959.	[func]		Control the zeroing of the negative response TTL to
12733 			a soa query.  Defaults "zero-no-soa-ttl yes;" and
12734 			"zero-no-soa-ttl-cache no;". [RT #15460]
12735 
12736 1958.	[bug]		Named failed to update the zone's secure state
12737 			until the zone was reloaded. [RT #15412]
12738 
12739 1957.	[bug]		Dig mishandled responses to class ANY queries.
12740 			[RT #15402]
12741 
12742 1956.	[bug]		Improve cross compile support, 'gen' is now built
12743 			by native compiler.  See README for additional
12744 			cross compile support information. [RT #15148]
12745 
12746 1955.	[bug]		Pre-allocate the cache cleaning iterator. [RT #14998]
12747 
12748 1954.	[func]		Named now falls back to advertising EDNS with a
12749 			512 byte receive buffer if the initial EDNS queries
12750 			fail.  [RT #14852]
12751 
12752 1953.	[func]		The maximum EDNS UDP response named will send can
12753 			now be set in named.conf (max-udp-size).  This is
12754 			independent of the advertised receive buffer
12755 			(edns-udp-size). [RT #14852]
12756 
12757 1952.	[port]		hpux: tell the linker to build a runtime link
12758 			path "-Wl,+b:". [RT #14816].
12759 
12760 1951.	[security]	Drop queries from particular well known ports.
12761 			Don't return FORMERR to queries from particular
12762 			well known ports.  [RT #15636]
12763 
12764 1950.	[port]		Solaris 2.5.1 and earlier cannot bind() then connect()
12765 			a TCP socket. This prevents the source address being
12766 			set for TCP connections. [RT #15628]
12767 
12768 1949.	[func]		Additional memory leakage checks. [RT #15544]
12769 
12770 1948.	[bug]		It was possible to trigger a REQUIRE failure in
12771 			xfrin.c:maybe_free() if named ran out of memory.
12772 			[RT #15568]
12773 
12774 1947.	[func]		It is now possible to configure named to accept
12775 			expired RRSIGs.  Default "dnssec-accept-expired no;".
12776 			Setting "dnssec-accept-expired yes;" leaves named
12777 			vulnerable to replay attacks.  [RT #14685]
12778 
12779 1946.	[bug]		resume_dslookup() could trigger a REQUIRE failure
12780 			when using forwarders. [RT #15549]
12781 
12782 1945.	[cleanup]	dnssec-keygen: RSA (RSAMD5) is no longer recommended.
12783 			To generate a RSAMD5 key you must explicitly request
12784 			RSAMD5. [RT #13780]
12785 
12786 1944.	[cleanup]	isc_hash_create() does not need a read/write lock.
12787 			[RT #15522]
12788 
12789 1943.	[bug]		Set the loadtime after rolling forward the journal.
12790 			[RT #15647]
12791 
12792 1942.	[bug]		If the name of a DNSKEY matches that of one in
12793 			trusted-keys, do not attempt to validate the DNSKEY
12794 			using the parent's DS RRset. [RT #15649]
12795 
12796 1941.	[bug]		ncache_adderesult() should set eresult even if no
12797 			rdataset is passed to it. [RT #15642]
12798 
12799 1940.	[bug]		Fixed a number of error conditions reported by
12800 			Coverity.
12801 
12802 1939.	[bug]		The r