"Fossies" - the Fresh Open Source Software Archive

Member "bind-9.16.7/CHANGES" (4 Sep 2020, 623190 Bytes) of package /linux/misc/dns/bind9/9.16.7/bind-9.16.7.tar.xz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "CHANGES": 9.16.6_vs_9.16.7.

    1 	--- 9.16.7 released ---
    2 
    3 5501.	[func]		Log CDS/CDNSKEY publication. [GL #1748]
    4 
    5 5500.	[bug]		Fix (non-)publication of CDS and CDNSKEY records.
    6 			[GL #2103]
    7 
    8 5499.	[func]		Add '-P ds' and '-D ds' arguments to dnssec-settime.
    9 			[GL #1748]
   10 
   11 5497.	[bug]		'dig +bufsize=0' failed to disable EDNS. [GL #2054]
   12 
   13 5496.	[bug]		Address a TSAN report by ensuring each rate limiter
   14 			object holds a reference to its task. [GL #2081]
   15 
   16 5495.	[bug]		With query minimization enabled, named failed to
   17 			resolve ip6.arpa. names that had extra labels to the
   18 			left of the IPv6 part. [GL #1847]
   19 
   20 5494.	[bug]		Silence the EPROTO syslog message on older systems.
   21 			[GL #1928]
   22 
   23 5493.	[bug]		Fix off-by-one error when calculating new hash table
   24 			size. [GL #2104]
   25 
   26 5492.	[bug]		Tighten LOC parsing to reject a period (".") and/or "m"
   27 			as a value. Fix handling of negative altitudes which are
   28 			not whole meters. [GL #2074]
   29 
   30 5491.	[bug]		rbtversion->glue_table_size could be read without the
   31 			appropriate lock being held. [GL #2080]
   32 
   33 5489.	[bug]		Named erroneously accepted certain invalid resource
   34 			records that were incorrectly processed after
   35 			subsequently being written to disk and loaded back, as
   36 			the wire format differed. Such records include: CERT,
   37 			IPSECKEY, NSEC3, NSEC3PARAM, NXT, SIG, TLSA, WKS, and
   38 			X25. [GL !3953]
   39 
   40 5488.	[bug]		NTA code needed to have a weak reference on its
   41 			associated view to prevent the latter from being deleted
   42 			while NTA tests were being performed. [GL #2067]
   43 
   44 5486.	[func]		Add 'rndc dnssec -checkds' command, which signals to
   45 			named that the DS record for a given zone or key has
   46 			been updated in the parent zone. [GL #1613]
   47 
   48 	--- 9.16.6 released ---
   49 
   50 5484.	[func]		Expire zero TTL records quickly rather than using them
   51 			for stale answers. [GL #1829]
   52 
   53 5483.	[func]		A new configuration option "stale-cache-enable" has been
   54 			introduced to enable or disable keeping stale answers in
   55 			cache. [GL #1712]
   56 
   57 5482.	[bug]		If the Duplicate Address Detection (DAD) mechanism had
   58 			not yet finished after adding a new IPv6 address to the
   59 			system, BIND 9 would fail to bind to IPv6 addresses in a
   60 			tentative state. [GL #2038]
   61 
   62 5481.	[security]	"update-policy" rules of type "subdomain" were
   63 			incorrectly treated as "zonesub" rules, which allowed
   64 			keys used in "subdomain" rules to update names outside
   65 			of the specified subdomains. The problem was fixed by
   66 			making sure "subdomain" rules are again processed as
   67 			described in the ARM. (CVE-2020-8624) [GL #2055]
   68 
   69 5480.	[security]	When BIND 9 was compiled with native PKCS#11 support, it
   70 			was possible to trigger an assertion failure in code
   71 			determining the number of bits in the PKCS#11 RSA public
   72 			key with a specially crafted packet. (CVE-2020-8623)
   73 			[GL #2037]
   74 
   75 5479.	[security]	named could crash in certain query resolution scenarios
   76 			where QNAME minimization and forwarding were both
   77 			enabled. (CVE-2020-8621) [GL #1997]
   78 
   79 5478.	[security]	It was possible to trigger an assertion failure by
   80 			sending a specially crafted large TCP DNS message.
   81 			(CVE-2020-8620) [GL #1996]
   82 
   83 5477.	[bug]		The idle timeout for connected TCP sockets, which was
   84 			previously set to a high fixed value, is now derived
   85 			from the client query processing timeout configured for
   86 			a resolver. [GL #2024]
   87 
   88 5476.	[security]	It was possible to trigger an assertion failure when
   89 			verifying the response to a TSIG-signed request.
   90 			(CVE-2020-8622) [GL #2028]
   91 
   92 5475.	[bug]		Wildcard RPZ passthru rules could incorrectly be
   93 			overridden by other rules that were loaded from RPZ
   94 			zones which appeared later in the "response-policy"
   95 			statement. This has been fixed. [GL #1619]
   96 
   97 5474.	[bug]		dns_rdata_hip_next() failed to return ISC_R_NOMORE
   98 			when it should have. [GL !3880]
   99 
  100 5473.	[func]		The RBT hash table implementation has been changed
  101 			to use a faster hash function (HalfSipHash2-4) and
  102 			Fibonacci hashing for better distribution. Setting
  103 			"max-cache-size" now preallocates a fixed-size hash
  104 			table so that rehashing does not cause resolution
  105 			brownouts while the hash table is grown. [GL #1775]
  106 
  107 5471.	[bug]		The introduction of KASP support inadvertently caused
  108 			the second field of "sig-validity-interval" to always be
  109 			calculated in hours, even in cases when it should have
  110 			been calculated in days. This has been fixed. (Thanks to
  111 			Tony Finch.) [GL !3735]
  112 
  113 5469.	[port]		On illumos, a constant called SEC is already defined in
  114 			<sys/time.h>, which conflicts with an identically named
  115 			constant in libbind9. This conflict has been resolved.
  116 			[GL #1993]
  117 
  118 5468.	[bug]		Addressed potential double unlock in process_fd().
  119 			[GL #2005]
  120 
  121 5466.	[bug]		Addressed an error in recursive clients stats reporting.
  122 			[GL #1719]
  123 
  124 5465.	[func]		Added fallback to built-in trust-anchors, managed-keys,
  125 			or trusted-keys if the bindkeys-file (bind.keys) cannot
  126 			be parsed. [GL #1235]
  127 
  128 5464.	[bug]		Requesting more than 128 files to be saved when rolling
  129 			dnstap log files caused a buffer overflow. This has been
  130 			fixed. [GL #1989]
  131 
  132 5462.	[bug]		Move LMDB locking from LMDB itself to named. [GL #1976]
  133 
  134 5461.	[bug]		The STALE rdataset header attribute was updated while
  135 			the write lock was not being held, leading to incorrect
  136 			statistics. The header attributes are now converted to
  137 			use atomic operations. [GL #1475]
  138 
  139 	--- 9.16.5 released ---
  140 
  141 5458.	[bug]		Prevent a theoretically possible NULL dereference caused
  142 			by a data race between zone_maintenance() and
  143 			dns_zone_setview_helper(). [GL #1627]
  144 
  145 5455.	[bug]		named could crash when cleaning dead nodes in
  146 			lib/dns/rbtdb.c that were being reused. [GL #1968]
  147 
  148 5454.	[bug]		Address a startup crash that occurred when the server
  149 			was under load and the root zone had not yet been
  150 			loaded. [GL #1862]
  151 
  152 5453.	[bug]		named crashed on shutdown when a new rndc connection was
  153 			received during shutdown. [GL #1747]
  154 
  155 5452.	[bug]		The "blackhole" ACL was accidentally disabled for client
  156 			queries. [GL #1936]
  157 
  158 5451.	[func]		Add 'rndc dnssec -status' command. [GL #1612]
  159 
  160 5449.	[bug]		Fix a socket shutdown race in netmgr udp. [GL #1938]
  161 
  162 5448.	[bug]		Fix a race condition in isc__nm_tcpdns_send().
  163 			[GL #1937]
  164 
  165 5447.	[bug]		IPv6 addresses ending in "::" could break YAML
  166 			parsing. A "0" is now appended to such addresses
  167 			in YAML output from dig, mdig, delv, and dnstap-read.
  168 			[GL #1952]
  169 
  170 5446.	[bug]		The validator could fail to accept a properly signed
  171 			RRset if an unsupported algorithm appeared earlier in
  172 			the DNSKEY RRset than a supported algorithm. It could
  173 			also stop if it detected a malformed public key.
  174 			[GL #1689]
  175 
  176 5444.	[bug]		'rndc dnstap -roll <value>' did not limit the number of
  177 			saved files to <value>. [GL !3728]
  178 
  179 5443.	[bug]		The "primary" and "secondary" keywords, when used
  180 			as parameters for "check-names", were not
  181 			processed correctly and were being ignored. [GL #1949]
  182 
  183 5441.	[bug]		${LMDB_CFLAGS} was missing from make/includes.in.
  184 			[GL #1955]
  185 
  186 5440.	[test]		Properly handle missing kyua. [GL #1950]
  187 
  188 5439.	[bug]		The DS RRset returned by dns_keynode_dsset() was used in
  189 			a non-thread-safe manner. [GL #1926]
  190 
  191 	--- 9.16.4 released ---
  192 
  193 5438.	[bug]		Fix a race in TCP accepting code. [GL #1930]
  194 
  195 5437.	[bug]		Fix a data race in lib/dns/resolver.c:log_formerr().
  196 			[GL #1808]
  197 
  198 5436.	[security]	It was possible to trigger an INSIST when determining
  199 			whether a record would fit into a TCP message buffer.
  200 			(CVE-2020-8618) [GL #1850]
  201 
  202 5435.	[tests]		Add RFC 4592 responses examples to the wildcard system
  203 			test. [GL #1718]
  204 
  205 5434.	[security]	It was possible to trigger an INSIST in
  206 			lib/dns/rbtdb.c:new_reference() with a particular zone
  207 			content and query patterns. (CVE-2020-8619) [GL #1111]
  208 			[GL #1718]
  209 
  210 5431.	[func]		Reject DS records at the zone apex when loading
  211 			master files. Log but otherwise ignore attempts to
  212 			add DS records at the zone apex via UPDATE. [GL #1798]
  213 
  214 5430.	[doc]		Update docs - with netmgr, a separate listening socket
  215 			is created for each IPv6 interface (just as with IPv4).
  216 			[GL #1782]
  217 
  218 5428.	[bug]		Clean up GSSAPI resources in nsupdate only after taskmgr
  219 			has been destroyed. Thanks to Petr Menšík. [GL !3316]
  220 
  221 5426.	[bug]		Don't abort() when setting SO_INCOMING_CPU on the socket
  222 			fails. [GL #1911]
  223 
  224 5425.	[func]		The default value of "max-stale-ttl" has been changed
  225 			from 1 week to 12 hours. [GL #1877]
  226 
  227 5424.	[bug]		With KASP, when creating a successor key, the "goal"
  228 			state of the current active key (predecessor) was not
  229 			changed and thus never removed from the zone. [GL #1846]
  230 
  231 5423.	[bug]		Fix a bug in keymgr_key_has_successor(): it incorrectly
  232 			returned true if any other key in the keyring had a
  233 			successor. [GL #1845]
  234 
  235 5422.	[bug]		When using dnssec-policy, print correct key timing
  236 			metadata. [GL #1843]
  237 
  238 5421.	[bug]		Fix a race that could cause named to crash when looking
  239 			up the nodename of an RBT node if the tree was modified.
  240 			[GL #1857]
  241 
  242 5420.	[bug]		Add missing isc_{mutex,conditional}_destroy() calls
  243 			that caused a memory leak on FreeBSD. [GL #1893]
  244 
  245 5418.	[bug]		delv failed to parse deprecated trusted-keys-style
  246 			trust anchors. [GL #1860]
  247 
  248 5416.	[bug]		Fix a lock order inversion in lib/isc/unix/socket.c.
  249 			[GL #1859]
  250 
  251 5415.	[test]		Address race in dnssec system test that led to
  252 			test failures. [GL #1852]
  253 
  254 5414.	[test]		Adjust time allowed for journal truncation to occur
  255 			in nsupdate system test to avoid test failure.
  256 			[GL #1855]
  257 
  258 5413.	[test]		Address race in autosign system test that led to
  259 			test failures. [GL #1852]
  260 
  261 5412.	[bug]		'provide-ixfr no;' failed to return up-to-date responses
  262 			when the serial was greater than or equal to the
  263 			current serial. [GL #1714]
  264 
  265 5411.	[cleanup]	TCP accept code has been refactored to use a single
  266 			accept() and pass the accepted socket to child threads
  267 			for processing. [GL !3320]
  268 
  269 5409.	[performance]	When looking up NSEC3 data in a zone database, skip the
  270 			check for empty non-terminal nodes; the NSEC3 tree does
  271 			not have any. [GL #1834]
  272 
  273 5408.	[protocol]	Print Extended DNS Errors if present in OPT record.
  274 			[GL #1835]
  275 
  276 5407.	[func]		Zone timers are now exported via statistics channel.
  277 			Thanks to Paul Frieden, Verizon Media. [GL #1232]
  278 
  279 5405.	[bug]		'named-checkconf -p' could include spurious text in
  280 			server-addresses statements due to an uninitialized DSCP
  281 			value. [GL #1812]
  282 
  283 	--- 9.16.3 released ---
  284 
  285 5404.	[bug]		'named-checkconf -z' could incorrectly indicate
  286 			success if errors were found in one view but not in a
  287 			subsequent one. [GL #1807]
  288 
  289 5403.	[func]		Do not set UDP receive/send buffer sizes - use system
  290 			defaults. [GL #1713]
  291 
  292 5402.	[bug]		On FreeBSD, use SO_REUSEPORT_LB instead of SO_REUSEPORT.
  293 			Enable use of SO_REUSEADDR on all platforms which
  294 			support it. [GL !3365]
  295 
  296 5401.	[bug]		The number of input queues allocated during dnstap
  297 			initialization was too low, which could prevent some
  298 			dnstap data from being logged. [GL #1795]
  299 
  300 5400.	[func]		Add engine support to OpenSSL EdDSA implementation.
  301 			[GL #1763]
  302 
  303 5399.	[func]		Add engine support to OpenSSL ECDSA implementation.
  304 			[GL #1534]
  305 
  306 5398.	[bug]		Named could fail to restart if a zone with a double
  307 			quote (") in its name was added with 'rndc addzone'.
  308 			[GL #1695]
  309 
  310 5397.	[func]		Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
  311 			Thanks to Aaron Thompson. [GL !3326]
  312 
  313 5396.	[func]		When necessary (i.e. in libuv >= 1.37), use the
  314 			UV_UDP_RECVMMSG flag to enable recvmmsg() support in
  315 			libuv. [GL #1797]
  316 
  317 5395.	[security]	Further limit the number of queries that can be
  318 			triggered from a request.  Root and TLD servers
  319 			are no longer exempt from max-recursion-queries.
  320 			Fetches for missing name server address records
  321 			are limited to 4 for any domain. (CVE-2020-8616)
  322 			[GL #1388]
  323 
  324 5394.	[cleanup]	Named formerly attempted to change the effective UID and
  325 			GID in named_os_openfile(), which could trigger a
  326 			spurious log message if they were already set to the
  327 			desired values. This has been fixed. [GL #1042]
  328 			[GL #1090]
  329 
  330 5392.	[bug]		It was possible for named to crash during shutdown
  331 			or reconfiguration if an RPZ zone was still being
  332 			updated. [GL #1779]
  333 
  334 5390.	[security]	Replaying a TSIG BADTIME response as a request could
  335 			trigger an assertion failure. (CVE-2020-8617)
  336 			[GL #1703]
  337 
  338 5389.	[bug]		Finish PKCS#11 code cleanup, fix a couple of smaller
  339 			bugs and use PKCS#11 v3.0 EdDSA macros and constants.
  340 			Thanks to Aaron Thompson. [GL !3391]
  341 
  342 5387.	[func]		Warn about AXFR streams with inconsistent message IDs.
  343 			[GL #1674]
  344 
  345 5386.	[cleanup]	Address Coverity warnings in lib/dns/keymgr.c.
  346 			[GL #1737]
  347 
  348 5385.	[func]		Make ISC rwlock implementation the default again.
  349 			[GL #1753]
  350 
  351 5384.	[bug]		With "dnssec-policy" in effect, "inline-signing" was
  352 			implicitly set to "yes". Now "inline-signing" is only
  353 			set to "yes" if the zone is not dynamic. [GL #1709]
  354 
  355 	--- 9.16.2 released ---
  356 
  357 5383.	[func]		Add a quota attach function with a callback and clean up
  358 			the isc_quota API. [GL !3280]
  359 
  360 5382.	[bug]		Use clock_gettime() instead of gettimeofday() for
  361 			isc_stdtime() function. [GL #1679]
  362 
  363 5381.	[bug]		Fix logging API data race by adding rwlock and caching
  364 			logging levels in stdatomic variables to restore
  365 			performance to original levels. [GL #1675] [GL #1717]
  366 
  367 5380.	[contrib]	Fix building MySQL DLZ modules against MySQL 8
  368 			libraries. [GL #1678]
  369 
  370 5378.	[bug]		Receiving invalid DNS data was triggering an assertion
  371 			failure in nslookup. [GL #1652]
  372 
  373 5376.	[bug]		Fix ineffective DNS rebinding protection when BIND is
  374 			configured as a forwarding DNS server. Thanks to Tobias
  375 			Klein. [GL #1574]
  376 
  377 5375.	[test]		Fix timing issues in the "kasp" system test. [GL #1669]
  378 
  379 5374.	[bug]		Statistics counters tracking recursive clients and
  380 			active connections could underflow. [GL #1087]
  381 
  382 5373.	[bug]		Collecting statistics for DNSSEC signing operations
  383 			(change 5254) caused an array of significant size (over
  384 			100 kB) to be allocated for each configured zone. Each
  385 			of these arrays is tracking all possible key IDs; this
  386 			could trigger an out-of-memory condition on servers with
  387 			a high enough number of zones configured. Fixed by
  388 			tracking up to four keys per zone and rotating counters
  389 			when keys are replaced. This fixes the immediate problem
  390 			of high memory usage, but should be improved in a future
  391 			release by growing or shrinking the number of keys to
  392 			track upon key rollover events. [GL #1179]
  393 
  394 5372.	[bug]		Fix migration from existing DNSSEC key files
  395 			("auto-dnssec maintain") to "dnssec-policy". [GL #1706]
  396 
  397 5371.	[bug]		Improve incremental updates of the RPZ summary
  398 			database to reduce delays that could occur when
  399 			a policy zone update included a large number of
  400 			record deletions. [GL #1447]
  401 
  402 5370.	[bug]		Deactivation of a netmgr handle associated with a
  403 			socket could be skipped in some circumstances.
  404 			Fixed by deactivating the netmgr handle before
  405 			scheduling the asynchronous close routine. [GL #1700]
  406 
  407 5368.	[bug]		Named failed to restart if 'rndc addzone' names
  408 			contained special characters (e.g. '/'). [GL #1655]
  409 
  410 5367.	[bug]		Fixed a flaw in the calculation of the zone database
  411 			size so that "max-journal-size default" uses the correct
  412 			limit. [GL #1661]
  413 
  414 	--- 9.16.1 released ---
  415 
  416 5366.	[bug]		Fix a race condition with the keymgr when the same
  417 			zone plus dnssec-policy is configured in multiple
  418 			views. [GL #1653]
  419 
  420 5365.	[bug]		Algorithm rollover was stuck on submitting DS
  421 			because keymgr thought it would move to an invalid
  422 			state.  Fixed by checking the current key against
  423 			the desired state, not the existing state. [GL #1626]
  424 
  425 5364.	[bug]		Algorithm rollover waited too long before introducing
  426 			zone signatures.  It waited to make sure all signatures
  427 			were regenerated, but when introducing a new algorithm,
  428 			all signatures are regenerated immediately.  Only
  429 			add the sign delay if there is a predecessor key.
  430 			[GL #1625]
  431 
  432 5363.	[bug]		When changing a dnssec-policy, existing keys with
  433 			properties that no longer match were not being retired.
  434 			[GL #1624]
  435 
  436 5361.	[bug]		named might not accept new connections after
  437 			hitting tcp-clients quota. [GL #1643]
  438 
  439 5360.	[bug]		delv could fail to load trust anchors in DNSKEY
  440 			format. [GL #1647]
  441 
  442 5358.	[bug]		Inline master zones whose master files were touched
  443 			but otherwise unchanged and were subsequently reloaded
  444 			may have stopped re-signing. [GL !3135]
  445 
  446 5357.	[bug]		Newly added RRSIG records with expiry times before
  447 			the previous earliest expiry times might not be
  448 			re-signed in time.  This was a side effect of 5315.
  449 			[GL !3137]
  450 
  451 	--- 9.16.0 released ---
  452 
  453 5356.	[func]		Update dnssec-policy configuration statements:
  454 			- Rename "zone-max-ttl" dnssec-policy option to
  455 			  "max-zone-ttl" for consistency with the existing
  456 			  zone option.
  457 			- Allow for "lifetime unlimited" as a synonym for
  458 			  "lifetime PT0S".
  459 			- Make "key-directory" optional.
  460 			- Warn if specifying a key length does not make
  461 			  sense; fail if key length is out of range for
  462 			  the algorithm.
  463 			- Allow use of mnemonics when specifying key
  464 			  algorithm (e.g. "rsasha256", "ecdsa384", etc.).
  465 			- Make ISO 8601 durations case-insensitive.
  466 			[GL #1598]
  467 
  468 5355.	[func]		What was set with --with-tuning=large option in
  469 			older BIND9 versions is now a default, and
  470 			a --with-tuning=small option was added for small
  471 			(e.g. OpenWRT) systems. [GL !2989]
  472 
  473 5354.	[bug]		dnssec-policy created new KSK keys for zones in the
  474 			initial stage of signing (with the DS not yet in the
  475 			rumoured or omnipresent states).  Fix by checking the
  476 			key goals rather than the active state when determining
  477 			whether new keys are needed. [GL #1593]
  478 
  479 5353.	[doc]		Document port and dscp parameters in forwarders
  480 			configuration option. [GL #914]
  481 
  482 5352.	[bug]		Correctly handle catalog zone entries containing
  483 			characters that aren't legal in filenames. [GL #1592]
  484 
  485 5351.	[bug]		CDS / CDNSKEY consistency checks failed to handle
  486 			removal records. [GL #1554]
  487 
  488 5350.	[bug]		When a view was configured with class CHAOS, the
  489 			server could crash while processing a query for a
  490 			non-existent record. [GL #1540]
  491 
  492 5349.	[bug]		Fix a race in task_pause/unpause. [GL #1571]
  493 
  494 5348.	[bug]		dnssec-settime -Psync was not being honoured.
  495 			[GL !2925]
  496 
  497 	--- 9.15.8 released ---
  498 
  499 5347.	[bug]		Fixed a bug that could cause an intermittent crash
  500 			in validator.c when validating a negative cache
  501 			entry. [GL #1561]
  502 
  503 5346.	[bug]		Make hazard pointer array allocations dynamic, fixing
  504 			a bug that caused named to crash on machines with more
  505 			than 40 cores. [GL #1493]
  506 
  507 5345.	[func]		Key-style trust anchors and DS-style trust anchors
  508 			can now both be used for the same name. [GL #1237]
  509 
  510 5344.	[bug]		Handle accept() errors properly in netmgr. [GL !2880]
  511 
  512 5343.	[func]		Add statistics counters to the netmgr. [GL #1311]
  513 
  514 5342.	[bug]		Disable pktinfo for IPv6 and bind to each interface
  515 			explicitly instead, because libuv doesn't support
  516 			pktinfo control messages. [GL #1558]
  517 
  518 5341.	[func]		Simplify passing the bound TCP socket to child
  519 			threads by using isc_uv_export/import functions.
  520 			[GL !2825]
  521 
  522 5340.	[bug]		Don't deadlock when binding to a TCP socket fails.
  523 			[GL #1499]
  524 
  525 5339.	[bug]		With some libmaxminddb versions, named could erroneously
  526 			match an IP address not belonging to any subnet defined
  527 			in a given GeoIP2 database to one of the existing
  528 			entries in that database. [GL #1552]
  529 
  530 5338.	[bug]		Fix line spacing in `rndc secroots`.
  531 			Thanks to Tony Finch. [GL !2478]
  532 
  533 5337.	[func]		'named -V' now reports maxminddb and protobuf-c
  534 			versions. [GL !2686]
  535 
  536 	--- 9.15.7 released ---
  537 
  538 5336.	[bug]		The TCP high-water statistic could report an
  539 			incorrect value on startup. [GL #1392]
  540 
  541 5335.	[func]		Make TCP listening code multithreaded. [GL !2659]
  542 
  543 5334.	[doc]		Update documentation with dnssec-policy clarifications.
  544 			Also change some defaults. [GL !2711]
  545 
  546 5333.	[bug]		Fix duration printing on Solaris when value is not
  547 			an ISO 8601 duration. [GL #1460]
  548 
  549 5332.	[func]		Renamed "dnssec-keys" configuration statement
  550 			to the more descriptive "trust-anchors". [GL !2702]
  551 
  552 5331.	[func]		Use compiler-provided mechanisms for thread local
  553 			storage, and make the requirement for such mechanisms
  554 			explicit in configure. [GL #1444]
  555 
  556 5330.	[bug]		'configure --without-python' was ineffective if
  557 			PYTHON was set in the environment. [GL #1434]
  558 
  559 5329.	[bug]		Reconfiguring named caused memory to be leaked when any
  560 			GeoIP2 database was in use. [GL #1445]
  561 
  562 5328.	[bug]		rbtdb.c:rdataset_{get,set}ownercase failed to obtain
  563 			a node lock. [GL #1417]
  564 
  565 5327.	[func]		Added a statistics counter to track queries
  566 			dropped because the recursive-clients quota was
  567 			exceeded. [GL #1399]
  568 
  569 5326.	[bug]		Add Python dependency on 'distutils.core' to configure.
  570 			'distutils.core' is required for installation.
  571 			[GL #1397]
  572 
  573 5325.	[bug]		Addressed several issues with TCP connections in
  574 			the netmgr: restored support for TCP connection
  575 			timeouts, restored TCP backlog support, actively
  576 			close all open sockets during shutdown. [GL #1312]
  577 
  578 5324.	[bug]		Change the category of some log messages from general
  579 			to the more appropriate catergory of xfer-in. [GL #1394]
  580 
  581 5323.	[bug]		Fix a bug in DNSSEC trust anchor verification.
  582 			[GL !2609]
  583 
  584 5322.	[placeholder]
  585 
  586 5321.	[bug]		Obtain write lock before updating version->records
  587 			and version->bytes. [GL #1341]
  588 
  589 5320.	[cleanup]	Silence TSAN on header->count. [GL #1344]
  590 
  591 	--- 9.15.6 released ---
  592 
  593 5319.	[func]		Trust anchors can now be configured using DS
  594 			format to represent a key digest, by using the
  595 			new "initial-ds" or "static-ds" keywords in
  596 			the "dnssec-keys" statement.
  597 
  598 			Note: DNSKEY-format and DS-format trust anchors
  599 			cannot both be used for the same domain name.
  600 			[GL #622]
  601 
  602 5318.	[cleanup]	The DNSSEC validation code has been refactored
  603 			for clarity and to reduce code duplication.
  604 			[GL #622]
  605 
  606 5317.	[func]		A new asynchronous network communications system
  607 			based on libuv is now used for listening for
  608 			incoming requests and responding to them. (The
  609 			old isc_socket API remains in use for sending
  610 			iterative queries and processing responses; this
  611 			will be changed too in a later release.)
  612 
  613 			This change will make it easier to improve
  614 			performance and implement new protocol layers
  615 			(e.g., DNS over TLS) in the future. [GL #29]
  616 
  617 5316.	[func]		A new "dnssec-policy" option has been added to
  618 			named.conf to implement a key and signing policy
  619 			(KASP) for zones. When this option is in use,
  620 			named can generate new keys as needed and
  621 			automatically roll both ZSK and KSK keys. (Note
  622 			that the syntax for this statement differs from
  623 			the dnssec policy used by dnssec-keymgr.)
  624 
  625 			See the ARM for configuration details. [GL #1134]
  626 
  627 5315.	[bug]		Apply the initial RRSIG expiration spread fixed
  628 			to all dynamically created records in the zone
  629 			including NSEC3. Also fix the signature clusters
  630 			when the server has been offline for prolonged
  631 			period of times. [GL #1256]
  632 
  633 5314.	[func]		Added a new statistics variable "tcp-highwater"
  634 			that reports the maximum number of simultaneous TCP
  635 			clients BIND has handled while running. [GL #1206]
  636 
  637 5313.	[bug]		The default GeoIP2 database location did not match
  638 			the ARM.  'named -V' now reports the default
  639 			location. [GL #1301]
  640 
  641 5312.	[bug]		Do not flush the cache for `rndc validation status`.
  642 			Thanks to Tony Finch. [GL !2462]
  643 
  644 5311.	[cleanup]	Include all views in output of `rndc validation status`.
  645 			Thanks to Tony Finch. [GL !2461]
  646 
  647 5310.	[bug]		TCP failures were affecting EDNS statistics. [GL #1059]
  648 
  649 5309.	[placeholder]
  650 
  651 5308.	[bug]		Don't log DNS_R_UNCHANGED from sync_secure_journal()
  652 			at ERROR level in receive_secure_serial(). [GL #1288]
  653 
  654 5307.	[bug]		Fix hang when named-compilezone output is sent to pipe.
  655 			Thanks to Tony Finch. [GL !2481]
  656 
  657 5306.	[security]	Set a limit on number of simultaneous pipelined TCP
  658 			queries. (CVE-2019-6477) [GL #1264]
  659 
  660 5305.	[bug]		NSEC Aggressive Cache ("synth-from-dnssec") has been
  661 			disabled by default because it was found to have
  662 			a significant performance impact on the recursive
  663 			service. [GL #1265]
  664 
  665 5304.	[bug]		"dnskey-sig-validity 0;" was not being accepted.
  666 			[GL #876]
  667 
  668 5303.	[placeholder]
  669 
  670 5302.	[bug]		Fix checking that "dnstap-output" is defined when
  671 			"dnstap" is specified in a view. [GL #1281]
  672 
  673 5301.	[bug]		Detect partial prefixes / incomplete IPv4 address in
  674 			acls. [GL #1143]
  675 
  676 5300.	[bug]		dig/mdig/delv: Add a colon after EDNS option names,
  677 			even when the option is empty, to improve
  678 			readability and allow correct parsing of YAML
  679 			output. [GL #1226]
  680 
  681 	--- 9.15.5 released ---
  682 
  683 5299.	[security]	A flaw in DNSSEC verification when transferring
  684 			mirror zones could allow data to be incorrectly
  685 			marked valid. (CVE-2019-6475) [GL #1252]
  686 
  687 5298.	[security]	Named could assert if a forwarder returned a
  688 			referral, rather than resolving the query, when QNAME
  689 			minimization was enabled. (CVE-2019-6476) [GL #1051]
  690 
  691 5297.	[bug]		Check whether a previous QNAME minimization fetch
  692 			is still running before starting a new one; return
  693 			SERVFAIL and log an error if so. [GL #1191]
  694 
  695 5296.	[placeholder]
  696 
  697 5295.	[cleanup]	Split dns_name_copy() calls into dns_name_copy() and
  698 			dns_name_copynf() for those calls that can potentially
  699 			fail and those that should not fail respectively.
  700 			[GL !2265]
  701 
  702 5294.	[func]		Fallback to ACE name on output in locale, which does not
  703 			support converting it to unicode.  [GL #846]
  704 
  705 5293.	[bug]		On Windows, named crashed upon any attempt to fetch XML
  706 			statistics from it. [GL #1245]
  707 
  708 5292.	[bug]		Queue 'rndc nsec3param' requests while signing inline
  709 			zone changes. [GL #1205]
  710 
  711 	--- 9.15.4 released ---
  712 
  713 5291.	[placeholder]
  714 
  715 5290.	[placeholder]
  716 
  717 5289.	[bug]		Address NULL pointer dereference in rpz.c:rpz_detach.
  718 			[GL #1210]
  719 
  720 5288.	[bug]		dnssec-must-be-secure was not always honored.
  721 			[GL #1209]
  722 
  723 5287.	[placeholder]
  724 
  725 5286.	[contrib]	Address potential NULL pointer dereferences in
  726 			dlz_mysqldyn_mod.c. [GL #1207]
  727 
  728 5285.	[port]		win32: implement "-T maxudpXXX". [GL #837]
  729 
  730 5284.	[func]		Added +unexpected command line option to dig.
  731 			By default, dig won't accept a reply from a source
  732 			other than the one to which it sent the query.
  733 			Invoking dig with +unexpected argument will allow it
  734 			to process replies from unexpected sources.
  735 
  736 5283.	[bug]		When a response-policy zone expires, ensure that
  737 			its policies are removed from the RPZ summary
  738 			database. [GL #1146]
  739 
  740 5282.	[bug]		Fixed a bug in searching for possible wildcard matches
  741 			for query names in the RPZ summary database. [GL #1146]
  742 
  743 5281.	[cleanup]	Don't escape commas when reporting named's command
  744 			line. [GL #1189]
  745 
  746 5280.	[protocol]	Add support for displaying EDNS option LLQ. [GL #1201]
  747 
  748 5279.	[bug]		When loading, reject zones containing CDS or CDNSKEY
  749 			RRsets at the zone apex if they would cause DNSSEC
  750 			validation failures if published in the parent zone
  751 			as the DS RRset.  [GL #1187]
  752 
  753 5278.	[func]		Add YAML output formats for dig, mdig and delv;
  754 			use the "+yaml" option to enable. [GL #1145]
  755 
  756 	--- 9.15.3 released ---
  757 
  758 5277.	[bug]		Cache DB statistics could underflow when serve-stale
  759 			was in use, because of a bug in counter maintenance
  760 			when RRsets become stale.
  761 
  762 			Functions for dumping statistics have been updated
  763 			to dump active, stale, and ancient statistic
  764 			counters.  Ancient RRset counters are prefixed
  765 			with '~'; stale RRset counters are still prefixed
  766 			with '#'. [GL #602]
  767 
  768 5276.	[func]		DNSSEC Lookaside Validation (DLV) is now obsolete;
  769 			all code enabling its use has been removed from the
  770 			validator, "delv", and the DNSSEC tools. [GL #7]
  771 
  772 5275.	[bug]		Mark DS records included in referral messages
  773 			with trust level "pending" so that they can be
  774 			validated and cached immediately, with no need to
  775 			re-query. [GL #964]
  776 
  777 5274.	[bug]		Address potential use after free race when shutting
  778 			down rpz. [GL #1175]
  779 
  780 5273.	[bug]		Check that bits [64..71] of a dns64 prefix are zero.
  781 			[GL #1159]
  782 
  783 5272.	[cleanup]	Remove isc-config.sh script as the BIND 9 libraries
  784 			are now purely internal. [GL #1123]
  785 
  786 5271.	[func]		The normal (non-debugging) output of dnssec-signzone
  787 			and dnssec-verify tools now goes to stdout, instead of
  788 			the combination of stderr and stdout.
  789 
  790 5270.	[bug]		'dig +expandaaaa +short' did not work. [GL #1152]
  791 
  792 5269.	[port]		cygwin: can return ETIMEDOUT on connect() with a
  793 			non-blocking socket. [GL #1133]
  794 
  795 5268.	[placeholder]
  796 
  797 5267.	[func]		Allow statistics groups display to be toggle-able.
  798 			[GL #1030]
  799 
  800 5266.	[bug]		named-checkconf failed to report dnstap-output
  801 			missing from named.conf when dnstap was specified.
  802 			[GL #1136]
  803 
  804 5265.	[bug]		DNS64 and RPZ nodata (CNAME *.) rules interacted badly
  805 			[GL #1106]
  806 
  807 5264.	[func]		New DNS Cookie algorithm - siphash24 - has been added
  808 			to BIND 9, and the old HMAC-SHA DNS Cookie algorithms
  809 			have been removed. [GL #605]
  810 
  811 	--- 9.15.2 released ---
  812 
  813 5263.	[cleanup]	Use atomics and isc_refcount_t wherever possible.
  814 			[GL #1038]
  815 
  816 5262.	[func]		Removed support for the legacy GeoIP API. [GL #1112]
  817 
  818 5261.	[cleanup]	Remove SO_BSDCOMPAT socket option usage.
  819 
  820 5260.	[bug]		dnstap-read was producing malformed output for large
  821 			packets. [GL #1093]
  822 
  823 5259.	[func]		New option '-i' for 'named-checkconf' to ignore
  824 			warnings about deprecated options. [GL #1101]
  825 
  826 5258.	[func]		Added support for the GeoIP2 API from MaxMind. This
  827 			will be compiled in by default if the "libmaxminddb"
  828 			library is found at compile time, but can be
  829 			suppressed using "configure --disable-geoip".
  830 
  831 			Certain geoip ACL settings that were available with
  832 			legacy GeoIP are not available when using GeoIP2.
  833 			[GL #182]
  834 
  835 5257.	[bug]		Some statistics data was not being displayed.
  836 			Add shading to the zone tables. [GL #1030]
  837 
  838 5256.	[bug]		Ensure that glue records are included in root
  839 			priming responses if "minimal-responses" is not
  840 			set to "yes". [GL #1092]
  841 
  842 5255.	[bug]		Errors encountered while reloading inline-signing
  843 			zones could be ignored, causing the zone content to
  844 			be left in an incompletely updated state rather than
  845 			reverted. [GL #1109]
  846 
  847 5254.	[func]		Collect metrics to report to the statistics-channel
  848 			DNSSEC signing operations (dnssec-sign) and refresh
  849 			operations (dnssec-refresh) per zone and per keytag.
  850 			[GL #513]
  851 
  852 5253.	[port]		Support platforms that don't define ULLONG_MAX.
  853 			[GL #1098]
  854 
  855 5252.	[func]		Report if the last 'rndc reload/reconfig' failed in
  856 			rndc status. [GL !2040]
  857 
  858 5251.	[bug]		Statistics were broken in x86 Windows builds.
  859 			[GL #1081]
  860 
  861 5250.	[func]		The default size for RSA keys is now 2048 bits,
  862 			for both ZSKs and KSKs. [GL #1097]
  863 
  864 5249.	[bug]		Fix a possible underflow in recursion clients
  865 			statistics when hitting recursive clients
  866 			soft quota. [GL #1067]
  867 
  868 	--- 9.15.1 released ---
  869 
  870 5248.	[func]		To clarify the configuration of DNSSEC keys,
  871 			the "managed-keys" and "trusted-keys" options
  872 			have both been deprecated.  The new "dnssec-keys"
  873 			statement can now be used for all trust anchors,
  874 			with the keywords "iniital-key" or "static-key"
  875 			to indicate whether the configured trust anchor
  876 			should be used for initialization of RFC 5011 key
  877 			management, or as a permanent trust anchor.
  878 
  879 			The "static-key" keyword will generate a warning if
  880 			used for the root zone.
  881 
  882 			Configurations using "trusted-keys" or "managed-keys"
  883 			will continue to work with no changes, but will
  884 			generate warnings in the log. In a future release,
  885 			these options will be marked obsolete. [GL #6]
  886 
  887 5247.	[cleanup]	The 'cleaning-interval' option has been removed.
  888 			[GL !1731]
  889 
  890 5246.	[func]		Log TSIG if appropriate in 'sending notify to' message.
  891 			[GL #1058]
  892 
  893 5245.	[cleanup]	Reduce logging level for IXFR up-to-date poll
  894 			responses. [GL #1009]
  895 
  896 5244.	[security]	Fixed a race condition in dns_dispatch_getnext()
  897 			that could cause an assertion failure if a
  898 			significant number of incoming packets were
  899 			rejected. (CVE-2019-6471) [GL #942]
  900 
  901 5243.	[bug]		Fix a possible race between dispatcher and socket
  902 			code in a high-load cold-cache resolver scenario.
  903 			[GL #943]
  904 
  905 5242.	[bug]		In relaxed qname minimization mode, fall back to
  906 			normal resolution when encountering a lame
  907 			delegation, and use _.domain/A queries rather
  908 			than domain/NS. [GL #1055]
  909 
  910 5241.	[bug]		Fix Ed448 private and public key ASN.1 prefix blobs.
  911 			[GL #225]
  912 
  913 5240.	[bug]		Remove key id calculation for RSAMD5. [GL #996]
  914 
  915 5239.	[func]		Change the json-c detection to pkg-config. [GL #855]
  916 
  917 5238.	[bug]		Fix a possible deadlock in TCP code. [GL #1046]
  918 
  919 5237.	[bug]		Recurse to find the root server list with 'dig +trace'.
  920 			[GL #1028]
  921 
  922 5236.	[func]		Add SipHash 2-4 implementation in lib/isc/siphash.c
  923 			and switch isc_hash_function() to use SipHash 2-4.
  924 			[GL #605]
  925 
  926 5235.	[cleanup]	Refactor lib/isc/app.c to be thread-safe, unused
  927 			parts of the API has been removed and the
  928 			isc_appctx_t data type has been changed to be
  929 			fully opaque. [GL #1023]
  930 
  931 5234.	[port]		arm: just use the compiler's default support for
  932 			yield. [GL #981]
  933 
  934 	--- 9.15.0 released ---
  935 
  936 5233.	[bug]		Negative trust anchors did not work with "forward only;"
  937 			to validating resolvers. [GL #997]
  938 
  939 5232.	[placeholder]
  940 
  941 5231.	[protocol]	Add support for displaying CLIENT-TAG and SERVER-TAG.
  942 			[GL #960]
  943 
  944 5230.	[protocol]	The SHA-1 hash algorithm is no longer used when
  945 			generating DS and CDS records. [GL #1015]
  946 
  947 5229.	[protocol]	Enforce known SSHFP fingerprint lengths. [GL #852]
  948 
  949 5228.	[func]		If trusted-keys and managed-keys were configured
  950 			simultaneously for the same name, the key could
  951 			not be be rolled automatically. This is now
  952 			a fatal configuration error. [GL #868]
  953 
  954 5227.	[placeholder]
  955 
  956 5226.	[placeholder]
  957 
  958 5225.	[func]		Allow dig to print out AAAA record fully expanded.
  959 			with +[no]expandaaaa. [GL #765]
  960 
  961 5224.	[bug]		Only test provide-ixfr on TCP streams. [GL #991]
  962 
  963 5223.	[bug]		Fixed a race in the filter-aaaa plugin accessing
  964 			the hash table. [GL #1005]
  965 
  966 5222.	[bug]		'delv -t ANY' could leak memory. [GL #983]
  967 
  968 5221.	[test]		Enable parallel execution of system tests on
  969 			Windows. [GL !4101]
  970 
  971 5220.	[cleanup]	Refactor the isc_stat structure to take advantage
  972 			of stdatomic. [GL !1493]
  973 
  974 5219.	[bug]		Fixed a race in the filter-aaaa plugin that could
  975 			trigger a crash when returning an instance object
  976 			to the memory pool. [GL #982]
  977 
  978 5218.	[bug]		Conditionally include <dlfcn.h>. [GL #995]
  979 
  980 5217.	[bug]		Restore key id calculation for RSAMD5. [GL #996]
  981 
  982 5216.	[bug]		Fetches-per-zone counter wasn't updated correctly
  983 			when doing qname minimization. [GL #992]
  984 
  985 5215.	[bug]		Change #5124 was incomplete; named could still
  986 			return FORMERR instead of SERVFAIL in some cases.
  987 			[GL #990]
  988 
  989 5214.	[bug]		win32: named now removes its lock file upon shutdown.
  990 			[GL #979]
  991 
  992 5213.	[bug]		win32: Eliminated a race which allowed named.exe running
  993 			as a service to be killed prematurely during shutdown.
  994 			[GL #978]
  995 
  996 5212.	[placeholder]
  997 
  998 5211.	[bug]		Allow out-of-zone additional data to be included
  999 			in authoritative responses if recursion is allowed
 1000 			and "minimal-responses" is disabled.  This behavior
 1001 			was inadvertently removed in change #4605. [GL #817]
 1002 
 1003 5210.	[bug]		When dnstap is enabled and recursion is not
 1004 			available, incoming queries are now logged
 1005 			as "auth". Previously, this depended on whether
 1006 			recursion was requested by the client, not on
 1007 			whether recursion was available. [GL #963]
 1008 
 1009 5209.	[bug]		When update-check-ksk is true, add_sigs was not
 1010 			considering offline keys, leaving record sets signed
 1011 			with the incorrect type key. [GL #763]
 1012 
 1013 5208.	[test]		Run valid rdata wire encodings through totext+fromtext
 1014 			and tofmttext+fromtext methods to check these methods.
 1015 			[GL #899]
 1016 
 1017 5207.	[test]		Check delv and dig TTL values. [GL #965]
 1018 
 1019 5206.	[bug]		Delv could print out bad TTLs. [GL #965]
 1020 
 1021 5205.	[bug]		Enforce that a DS hash exists. [GL #899]
 1022 
 1023 5204.	[test]		Check that dns_rdata_fromtext() produces a record that
 1024 			will be accepted by dns_rdata_fromwire(). [GL #852]
 1025 
 1026 5203.	[bug]		Enforce whether key rdata exists or not in KEY,
 1027 			DNSKEY, CDNSKEY and RKEY. [GL #899]
 1028 
 1029 5202.	[bug]		<dns/ecs.h> was missing ISC_LANG_ENDDECLS. [GL #976]
 1030 
 1031 5201.	[bug]		Fix a possible deadlock in RPZ update code. [GL #973]
 1032 
 1033 5200.	[security]	tcp-clients settings could be exceeded in some cases,
 1034 			which could lead to exhaustion of file descriptors.
 1035 			(CVE-2018-5743) [GL #615]
 1036 
 1037 5199.	[security]	In certain configurations, named could crash
 1038 			if nxdomain-redirect was in use and a redirected
 1039 			query resulted in an NXDOMAIN from the cache.
 1040 			(CVE-2019-6467) [GL #880]
 1041 
 1042 5198.	[bug]		If a fetch context was being shut down and, at the same
 1043 			time, we returned from qname minimization, an INSIST
 1044 			could be hit. [GL #966]
 1045 
 1046 5197.	[bug]		dig could die in best effort mode on multiple SIG(0)
 1047 			records. Similarly on multiple OPT and multiple TSIG
 1048 			records. [GL #920]
 1049 
 1050 5196.	[bug]		make install failed with --with-dlopen=no. [GL #955]
 1051 
 1052 5195.	[bug]		"allow-update" and "allow-update-forwarding" were
 1053 			treated as configuration errors if used at the
 1054 			options or view level. [GL #913]
 1055 
 1056 5194.	[bug]		Enforce non empty ZOMEMD hash. [GL #899]
 1057 
 1058 5193.	[bug]		EID and NIMLOC failed to do multi-line output
 1059 			correctly. [GL #899]
 1060 
 1061 5192.	[placeholder]
 1062 
 1063 5191.	[placeholder]
 1064 
 1065 5190.	[bug]		Ignore trust anchors using disabled algorithms.
 1066 			[GL #806]
 1067 
 1068 5189.	[cleanup]	Remove revoked root DNSKEY from bind.keys. [GL #945]
 1069 
 1070 5188.	[func]		The "dnssec-enable" option is deprecated and no
 1071 			longer has any effect; DNSSEC responses are
 1072 			always enabled. [GL #866]
 1073 
 1074 5187.	[test]		Set time zone before running any tests in dnstap_test.
 1075 			[GL #940]
 1076 
 1077 5186.	[cleanup]	More dnssec-keygen manual tidying. [GL !1678]
 1078 
 1079 5185.	[placeholder]
 1080 
 1081 5184.	[bug]		Missing unlocks in sdlz.c. [GL #936]
 1082 
 1083 5183.	[bug]		Reinitialize ECS data before reusing client
 1084 			structures. [GL #881]
 1085 
 1086 5182.	[bug]		Fix a high-load race/crash in handling of
 1087 			isc_socket_close() in resolver. [GL #834]
 1088 
 1089 5181.	[func]		Add a mechanism for a DLZ module to signal that
 1090 			the view's allow-transfer ACL should be used to
 1091 			determine whether transfers are allowed. [GL #803]
 1092 
 1093 5180.	[bug]		delv now honors the operating system's preferred
 1094 			ephemeral port range. [GL #925]
 1095 
 1096 5179.	[cleanup]	Replace some vague type declarations with the more
 1097 			specific dns_secalg_t and dns_dsdigest_t.
 1098 			Thanks to Tony Finch. [GL !1498]
 1099 
 1100 5178.	[bug]		Handle EDQUOT (disk quota) and ENOSPC (disk full)
 1101 			errors when writing files. [GL #902]
 1102 
 1103 5177.	[func]		Add the ability to specify in named.conf whether a
 1104 			response-policy zone's SOA record should be added
 1105 			to the additional section (add-soa yes/no). [GL #865]
 1106 
 1107 5176.	[tests]		Remove a dependency on libxml in statschannel system
 1108 			test. [GL #926]
 1109 
 1110 5175.	[bug]		Fixed a problem with file input in dnssec-keymgr,
 1111 			dnssec-coverage and dnssec-checkds when using
 1112 			python3. [GL #882]
 1113 
 1114 5174.	[doc]		Tidy dnssec-keygen manual. [GL !1557]
 1115 
 1116 5173.	[bug]		Fixed a race in socket code that could occur when
 1117 			accept, send, or recv were called from an event
 1118 			loop but the socket had been closed by another
 1119 			thread. [RT #874]
 1120 
 1121 5172.	[bug]		nsupdate now honors the operating system's preferred
 1122 			ephemeral port range. [GL #905]
 1123 
 1124 5171.	[func]		named plugins are now installed into a separate
 1125 			directory.  Supplying a filename (a string without path
 1126 			separators) in a "plugin" configuration stanza now
 1127 			causes named to look for that plugin in that directory.
 1128 			[GL #878]
 1129 
 1130 5170.	[test]		Added --with-dlz-filesystem to feature-test. [GL !1587]
 1131 
 1132 5169.	[bug]		The presence of certain types in an otherwise
 1133 			empty node could cause a crash while processing a
 1134 			type ANY query. [GL #901]
 1135 
 1136 5168.	[bug]		Do not crash on shutdown when RPZ fails to load.  Also,
 1137 			keep previous version of the database if RPZ fails to
 1138 			load. [GL #813]
 1139 
 1140 5167.	[bug]		nxdomain-redirect could sometimes lookup the wrong
 1141 			redirect name. [GL #892]
 1142 
 1143 5166.	[placeholder]
 1144 
 1145 5165.	[contrib]	Removed SDB drivers from contrib; they're obsolete.
 1146 			[GL #428]
 1147 
 1148 5164.	[bug]		Correct errno to result translation in dlz filesystem
 1149 			modules. [GL #884]
 1150 
 1151 5163.	[cleanup]	Out-of-tree builds failed --enable-dnstap. [GL #836]
 1152 
 1153 5162.	[cleanup]	Improve dnssec-keymgr manual. Thanks to Tony Finch.
 1154 			[GL !1518]
 1155 
 1156 5161.	[bug]		Do not require the SEP bit to be set for mirror zone
 1157 			trust anchors. [GL #873]
 1158 
 1159 5160.	[contrib]	Added DNAME support to the DLZ LDAP schema. Also
 1160 			fixed a compilation bug affecting several DLZ
 1161 			modules. [GL #872]
 1162 
 1163 5159.	[bug]		dnssec-coverage was incorrectly ignoring
 1164 			names specified on the command line without
 1165 			trailing dots. [GL !1478]
 1166 
 1167 5158.	[protocol]	Add support for AMTRELAY and ZONEMD. [GL #867]
 1168 
 1169 5157.	[bug]		Nslookup now errors out if there are extra command
 1170 			line arguments. [GL #207]
 1171 
 1172 5156.	[doc]		Extended and refined the section of the ARM describing
 1173 			mirror zones. [GL #774]
 1174 
 1175 5155.	[func]		"named -V" now outputs the default paths to
 1176 			named.conf, rndc.conf, bind.keys, and other
 1177 			files used or created by named and other tools, so
 1178 			that the correct paths to these files can quickly be
 1179 			determined regardless of the configure settings
 1180 			used when BIND was built. [GL #859]
 1181 
 1182 5154.	[bug]		dig: process_opt could be called twice on the same
 1183 			message leading to a assertion failure. [GL #860]
 1184 
 1185 5153.	[func]		Zone transfer statistics (size, number of records, and
 1186 			number of messages) are now logged for outgoing
 1187 			transfers as well as incoming ones. [GL #513]
 1188 
 1189 5152.	[func]		Improved logging of DNSSEC key events:
 1190 			- Zone signing and DNSKEY maintenance events are
 1191 			  now logged to the "dnssec" category
 1192 			- Messages are now logged when DNSSEC keys are
 1193 			  published, activated, inactivated, deleted,
 1194 			  or revoked.
 1195 			[GL #714]
 1196 
 1197 5151.	[func]		Options that have been been marked as obsolete in
 1198 			named.conf for a very long time are now fatal
 1199 			configuration errors. [GL #358]
 1200 
 1201 5150.	[cleanup]	Remove the ability to compile BIND with assertions
 1202 			disabled. [GL #735]
 1203 
 1204 5149.	[func]		"rndc dumpdb" now prints a line above a stale RRset
 1205 			indicating how long the data will be retained in the
 1206 			cache for emergency use. [GL #101]
 1207 
 1208 5148.	[bug]		named did not sign the TKEY response. [GL #821]
 1209 
 1210 5147.	[bug]		dnssec-keymgr: Add a five-minute margin to better
 1211 			handle key events close to 'now'. [GL #848]
 1212 
 1213 5146.	[placeholder]
 1214 
 1215 5145.	[func]		Use atomics instead of locked variables for isc_quota
 1216 			and isc_counter. [GL !1389]
 1217 
 1218 5144.	[bug]		dig now returns a non-zero exit code when a TCP
 1219 			connection is prematurely closed by a peer more than
 1220 			once for the same lookup.  [GL #820]
 1221 
 1222 5143.	[bug]		dnssec-keymgr and dnssec-coverage failed to find
 1223 			key files for zone names ending in ".". [GL #560]
 1224 
 1225 5142.	[cleanup]	Removed "configure --disable-rpz-nsip" and
 1226 			"--disable-rpz-nsdname" options. "nsip-enable"
 1227 			and "nsdname-enable" both now default to yes,
 1228 			regardless of compile-time settings. [GL #824]
 1229 
 1230 5141.	[security]	Zone transfer controls for writable DLZ zones were
 1231 			not effective as the allowzonexfr method was not being
 1232 			called for such zones. (CVE-2019-6465) [GL #790]
 1233 
 1234 5140.	[bug]		Don't immediately mark existing keys as inactive and
 1235 			deleted when running dnssec-keymgr for the first
 1236 			time. [GL #117]
 1237 
 1238 5139.	[bug]		If possible, don't use forwarders when priming.
 1239 			This ensures we can get root server IP addresses
 1240 			from priming query response glue, which may not
 1241 			be present if the forwarding server is returning
 1242 			minimal responses. [GL #752]
 1243 
 1244 5138.	[bug]		Under some circumstances named could hit an assertion
 1245 			failure when doing qname minimization when using
 1246 			forwarders. [GL #797]
 1247 
 1248 5137.	[func]		named now logs messages whenever a mirror zone becomes
 1249 			usable or unusable for resolution purposes. [GL #818]
 1250 
 1251 5136.	[cleanup]	Check in named-checkconf that allow-update and
 1252 			allow-update-forwarding are not set at the
 1253 			view/options level; fix documentation. [GL #512]
 1254 
 1255 5135.	[port]		sparc: Use smt_pause() instead of pause. [GL #816]
 1256 
 1257 5134.	[bug]		win32: WSAStartup was not called before getservbyname
 1258 			was called. [GL #590]
 1259 
 1260 5133.	[bug]		'rndc managed-keys' didn't handle class and view
 1261 			correctly and failed to add new lines between each
 1262 			view. [GL !1327]
 1263 
 1264 5132.	[bug]		Fix race condition in cleanup part of dns_dt_create().
 1265 			[GL !1323]
 1266 
 1267 5131.	[cleanup]	Address Coverity warnings. [GL #801]
 1268 
 1269 5130.	[cleanup]	Remove support for l10n message catalogs. [GL #709]
 1270 
 1271 5129.	[contrib]	sdlz_helper.c:build_querylist was not properly
 1272 			splitting the query string. [GL #798]
 1273 
 1274 5128.	[bug]		Refreshkeytime was not being updated for managed
 1275 			keys zones. [GL #784]
 1276 
 1277 5127.	[bug]		rcode.c:maybe_numeric failed to handle NUL in text
 1278 			regions. [GL #807]
 1279 
 1280 5126.	[bug]		Named incorrectly accepted empty base64 and hex encoded
 1281 			fields when reading master files. [GL #807]
 1282 
 1283 5125.	[bug]		Allow for up to 100 records or 64k of data when caching
 1284 			a negative response. [GL #804]
 1285 
 1286 5124.	[bug]		Named could incorrectly return FORMERR rather than
 1287 			SERVFAIL. [GL #804]
 1288 
 1289 5123.	[bug]		dig could hang indefinitely after encountering an error
 1290 			before creating a TCP socket. [GL #692]
 1291 
 1292 5122.	[bug]		In a "forward first;" configuration, a forwarder
 1293 			timeout did not prevent that forwarder from being
 1294 			queried again after falling back to full recursive
 1295 			resolution. [GL #315]
 1296 
 1297 5121.	[contrib]	dlz_stub_driver.c fails to return ISC_R_NOTFOUND on none
 1298 			matching zone names. [GL !1299]
 1299 
 1300 5120.	[placeholder]
 1301 
 1302 5119.	[placeholder]
 1303 
 1304 5118.	[security]	Named could crash if it is managing a key with
 1305 			`managed-keys` and the authoritative zone is rolling
 1306 			the key to an unsupported algorithm. (CVE-2018-5745)
 1307 			[GL #780]
 1308 
 1309 5117.	[placeholder]
 1310 
 1311 5116.	[bug]		Named/named-checkconf triggered a assertion when
 1312 			a mirror zone's name is bad. [GL #778]
 1313 
 1314 5115.	[bug]		Allow unsupported algorithms in zone when not used for
 1315 			signing with dnssec-signzone. [GL #783]
 1316 
 1317 5114.	[func]		Include a 'reconfig/reload in progress' status line
 1318 			in rndc status, use it in tests.
 1319 
 1320 5113.	[port]		Fixed a Windows build error.
 1321 
 1322 5112.	[bug]		Named/named-checkconf could dump core if there was
 1323 			a missing masters clause and a bad notify clause.
 1324 			[GL #779]
 1325 
 1326 5111.	[bug]		Occluded DNSKEY records could make it into the
 1327 			delegating NSEC/NSEC3 bitmap. [GL #742]
 1328 
 1329 5110.	[security]	Named leaked memory if there were multiple Key Tag
 1330 			EDNS options present. (CVE-2018-5744) [GL #772]
 1331 
 1332 5109.	[cleanup]	Remove support for RSAMD5 algorithm. [GL #628]
 1333 
 1334 	--- 9.13.5 released ---
 1335 
 1336 5108.	[bug]		Named could fail to determine bottom of zone when
 1337 			removing out of date keys leading to invalid NSEC
 1338 			and NSEC3 records being added to the zone. [GL #771]
 1339 
 1340 5107.	[bug]		'host -U' did not work. [GL #769]
 1341 
 1342 5106.	[experimental]	A new "plugin" mechanism has been added to allow
 1343 			extension of query processing functionality through
 1344 			the use of dynamically loadable libraries. A
 1345 			"filter-aaaa.so" plugin has been implemented,
 1346 			replacing the filter-aaaa feature that was formerly
 1347 			implemented as a native part of BIND.
 1348 
 1349 			The "filter-aaaa", "filter-aaaa-on-v4" and
 1350 			"filter-aaaa-on-v6" options can no longer be
 1351 			configured using native named.conf syntax. However,
 1352 			loading the filter-aaaa.so plugin and setting its
 1353 			parameters provides identical functionality.
 1354 
 1355 			Note that the plugin API is a work in progress and
 1356 			is likely to evolve as further plugins are
 1357 			implemented. [GL #15]
 1358 
 1359 5105.	[bug]		Fix a race between process_fd and socketclose in
 1360 			unix socket code. [GL #744]
 1361 
 1362 5104.	[cleanup]	Log clearer informational message when a catz zone
 1363 			is overridden by a zone in named.conf.
 1364 			Thanks to Tony Finch. [GL !1157]
 1365 
 1366 5103.	[bug]		Add missing design by contract tests to dns_catz*.
 1367 			[GL #748]
 1368 
 1369 5102.	[bug]		dnssec-coverage failed to use the default TTL when
 1370 			checking KSK deletion times leading to a exception.
 1371 			[GL #585]
 1372 
 1373 5101.	[bug]		Fix default installation path for Python modules and
 1374 			remove the dnspython dependency accidentally introduced
 1375 			by change 4970. [GL #730]
 1376 
 1377 5100.	[func]		Pin resolver tasks to specific task queues. [GL !1117]
 1378 
 1379 5099.	[func]		Failed mutex and conditional creations are always
 1380 			fatal. [GL #674]
 1381 
 1382 	--- 9.13.4 released ---
 1383 
 1384 5098.	[func]		Failed memory allocations are now fatal. [GL #674]
 1385 
 1386 5097.	[cleanup]	Remove embedded ATF unit testing framework
 1387 			from BIND source distribution.  [GL !875]
 1388 
 1389 5096.	[func]		Use multiple event loops in socket code, and
 1390 			make network threads CPU-affinitive.  This
 1391 			significantly improves performance on large
 1392 			systems. [GL #666]
 1393 
 1394 5095.	[test]		Converted all unit tests from ATF to CMocka;
 1395 			removed the source code for the ATF libraries.
 1396 			Build with "configure --with-cmocka" to enable
 1397 			unit testing. [GL #620]
 1398 
 1399 5094.	[func]		Add 'dig -r' to disable reading of .digrc. [GL !970]
 1400 
 1401 5093.	[bug]		Log lame qname-minimization servers only if they're
 1402 			really lame. [GL #671]
 1403 
 1404 5092.	[bug]		Address memory leak on SIGTERM in nsupdate when using
 1405 			GSS-TSIG. [GL #558]
 1406 
 1407 5091.	[func]		Two new global and per-view options min-cache-ttl
 1408 			and min-ncache-ttl [GL #613]
 1409 
 1410 5090.	[bug]		dig and mdig failed to properly pre-parse dash value
 1411 			pairs when value was a separate argument and started
 1412 			with a dash. [GL #584]
 1413 
 1414 5089.	[bug]		Restore localhost fallback in dig and host which is
 1415 			used when no nameserver addresses present in
 1416 			/etc/resolv.conf are usable due to the requested
 1417 			address family restrictions. [GL #433]
 1418 
 1419 5088.	[bug]		dig/host/nslookup could crash when interrupted close to
 1420 			a query timeout. [GL #599]
 1421 
 1422 5087.	[test]		Check that result tables are complete. [GL #676]
 1423 
 1424 5086.	[func]		Log of RPZ now includes the QTYPE and QCLASS. [GL #623]
 1425 
 1426 5085.	[bug]		win32: Restore looking up nameservers, search list,
 1427 			etc. [GL #186]
 1428 
 1429 5084.	[placeholder]
 1430 
 1431 5083.	[func]		Add autoconf macro AX_POSIX_SHELL, so we
 1432 			can use POSIX-compatible shell features
 1433 			in the scripts.
 1434 
 1435 5082.	[bug]		Fixed a race that could cause a crash in
 1436 			dig/host/nslookup. [GL #650]
 1437 
 1438 5081.	[func]		Use per-worker queues in task manager, make task
 1439 			runners CPU-affine. [GL #659]
 1440 
 1441 5080.	[func]		Improvements to "rndc nta" user interface:
 1442 			- catch and report invalid command line options
 1443 			- when removing an NTA from all views, do not
 1444 			  abort with an error if the NTA was not found
 1445 			  in one of the views
 1446 			- include the view name in "rndc nta -dump"
 1447 			  output, for consistency with the add and remove
 1448 			  actions
 1449 			Thanks to Tony Finch. [GL !816]
 1450 
 1451 5079.	[func]		Disable IDN processing in dig and nslookup
 1452 			when not on a tty. [GL #653]
 1453 
 1454 5078.	[cleanup]	Require python components to be explicitly disabled if
 1455 			python is not available on unix platforms. [GL #601]
 1456 
 1457 5077.	[cleanup]	Remove ip6.int support (-i) from dig and mdig.
 1458 			[GL !969]
 1459 
 1460 5076.	[bug]		"require-server-cookie" was not effective if
 1461 			"rate-limit" was configured. [GL #617]
 1462 
 1463 5075.	[bug]		Refresh nameservers from cache when sending final
 1464 			query in qname minimization. [GL #16]
 1465 
 1466 5074.	[cleanup]	Remove vector socket functions - isc_socket_recvv(),
 1467 			isc_socket_sendtov(), isc_socket_sendtov2(),
 1468 			isc_socket_sendv() - in order to simplify socket code.
 1469 			[GL #645]
 1470 
 1471 5073.	[bug]		Destroy a task first when destroying rpzs and catzs.
 1472 			[GL #84]
 1473 
 1474 5072.	[bug]		Add unit tests for isc_buffer_copyregion() and fix its
 1475 			behavior for auto-reallocated buffers. [GL #644]
 1476 
 1477 5071.	[bug]		Comparison of NXT records was broken. [GL #631]
 1478 
 1479 5070.	[bug]		Record types which support a empty rdata field were
 1480 			not handling the empty rdata field case. [GL #638]
 1481 
 1482 5069.	[bug]		Fix a hang on in RPZ when named is shutdown during RPZ
 1483 			zone update. [GL !907]
 1484 
 1485 5068.	[bug]		Fix a race in RPZ with min-update-interval set to 0.
 1486 			[GL #643]
 1487 
 1488 5067.	[bug]		Don't minimize qname when sending the query
 1489 			to a forwarder. [GL #361]
 1490 
 1491 5066.	[cleanup]	Allow unquoted strings to be used as a zone names
 1492 			in response-policy statements. [GL #641]
 1493 
 1494 5065.	[bug]		Only set IPV6_USE_MIN_MTU on IPv6. [GL #553]
 1495 
 1496 5064.	[test]		Initialize TZ environment variable before calling
 1497 			dns_test_begin in dnstap_test. [GL #624]
 1498 
 1499 5063.	[test]		In statschannel test try a few times before failing
 1500 			when checking if the compressed output is the same as
 1501 			uncompressed. [GL !909]
 1502 
 1503 5062.	[func]		Use non-crypto-secure PRNG to generate nonces for
 1504 			cookies. [GL !887]
 1505 
 1506 5061.	[protocol]	Add support for EID and NIMLOC. [GL #626]
 1507 
 1508 5060.	[bug]		GID, UID and UINFO could not be loaded using unknown
 1509 			record format. [GL #627]
 1510 
 1511 5059.	[bug]		Display a per-view list of zones in the web interface.
 1512 			[GL #427]
 1513 
 1514 5058.	[func]		Replace old message digest and hmac APIs with more
 1515 			generic isc_md and isc_hmac APIs, and convert their
 1516 			respective tests to cmocka. [GL #305]
 1517 
 1518 5057.	[protocol]	Add support for ATMA. [GL #619]
 1519 
 1520 5056.	[placeholder]
 1521 
 1522 5055.	[func]		A default list of primary servers for the root zone is
 1523 			now built into named, allowing the "masters" statement
 1524 			to be omitted when configuring an IANA root zone
 1525 			mirror. [GL #564]
 1526 
 1527 5054.	[func]		Attempts to use mirror zones with recursion disabled
 1528 			are now considered a configuration error. [GL #564]
 1529 
 1530 5053.	[func]		The only valid zone-level NOTIFY settings for mirror
 1531 			zones are now "notify no;" and "notify explicit;".
 1532 			[GL #564]
 1533 
 1534 5052.	[func]		Mirror zones are now configured using "type mirror;"
 1535 			rather than "mirror yes;". [GL #564]
 1536 
 1537 5051.	[doc]		Documentation incorrectly stated that the
 1538 			"server-addresses" static-stub zone option accepts
 1539 			custom port numbers. [GL #582]
 1540 
 1541 5050.	[bug]		The libirs version of getaddrinfo() was unable to parse
 1542 			scoped IPv6 addresses present in /etc/resolv.conf.
 1543 			[GL #187]
 1544 
 1545 5049.	[cleanup]	QNAME minimization has been deeply refactored. [GL #16]
 1546 
 1547 5048.	[func]		Add configure option to enable and enforce FIPS mode
 1548 			in BIND 9. [GL #506]
 1549 
 1550 5047.	[bug]		Messages logged for certain query processing failures
 1551 			now include a more specific error description if it is
 1552 			available. [GL #572]
 1553 
 1554 5046.	[bug]		named could crash during shutdown if an RPZ
 1555 			reload was in progress. [RT #46210]
 1556 
 1557 5045.	[func]		Remove support for DNSSEC algorithms 3 (DSA)
 1558 			and 6 (DSA-NSEC3-SHA1). [GL #22]
 1559 
 1560 5044.	[cleanup]	If "dnssec-enable" is no, then "dnssec-validation"
 1561 			now also defaults to no.  [GL #388]
 1562 
 1563 5043.	[bug]		Fix creating and validating EdDSA signatures. [GL #579]
 1564 
 1565 5042.	[test]		Make the chained delegations in reclimit behave
 1566 			like they would in a regular name server. [GL #578]
 1567 
 1568 5041.	[test]		The chain test contains a incomplete delegation.
 1569 			[GL #568]
 1570 
 1571 5040.	[func]		Extended dnstap so that it can log UPDATE requests
 1572 			and responses as separate message types. Thanks
 1573 			to Greg Rabil. [GL #570]
 1574 
 1575 5039.	[bug]		Named could fail to preserve owner name case of new
 1576 			RRset. [GL #420]
 1577 
 1578 5038.	[bug]		Chaosnet addresses were compared incorrectly.
 1579 			[GL #562]
 1580 
 1581 5037.	[func]		"allow-recursion-on" and "allow-query-cache-on"
 1582 			each now default to the other if only one of them
 1583 			is set, in order to be more consistent with the way
 1584 			"allow-recursion" and "allow-query-cache" work.
 1585 			Also we now ensure that both query-cache ACLs are
 1586 			checked when determining cache access. [GL #319]
 1587 
 1588 5036.	[cleanup]	Fixed a spacing/formatting error in some RPZ-related
 1589 			error messages in the log. [GL !805]
 1590 
 1591 5035.	[test]		Fixed errors that prevented the DNSRPS subtests
 1592 			from running in the rpz and rpzrecurse system
 1593 			tests. [GL #503]
 1594 
 1595 5034.	[bug]		A race between threads could prevent zone maintenance
 1596 			scheduled immediately after zone load from being
 1597 			performed. [GL #542]
 1598 
 1599 5033.	[bug]		When adding NTAs to multiple views using "rndc nta",
 1600 			the text returned via rndc was incorrectly terminated
 1601 			after the first line, making it look as if only one
 1602 			NTA had been added. Also, it was not possible to
 1603 			differentiate between views with the same name but
 1604 			different classes; this has been corrected with the
 1605 			addition of a "-class" option. [GL #105]
 1606 
 1607 5032.	[func]		Add krb5-selfsub and ms-selfsub update policy rules.
 1608 			[GL #511]
 1609 
 1610 5031.	[cleanup]	Various defines in platform.h has been either dropped
 1611 			if always or never triggered on supported platforms
 1612 			or replaced with config.h equivalents if the defines
 1613 			didn't have any impact on public headers.  Workarounds
 1614 			for LinuxThreads have been removed because NPTL is
 1615 			available since Linux kernel 2.6.0.  [GL #525]
 1616 
 1617 5030.	[bug]		Align CMSG buffers to a 64-bit boundary, fixes crash
 1618 			on architectures with strict alignment. [GL #521]
 1619 
 1620 	--- 9.13.3 released ---
 1621 
 1622 5029.	[func]		Workarounds for servers that misbehave when queried
 1623 			with EDNS have been removed, because these broken
 1624 			servers and the workarounds for their noncompliance
 1625 			cause unnecessary delays, increase code complexity,
 1626 			and prevent deployment of new DNS features. See
 1627 			https://dnsflagday.net for further details. [GL #150]
 1628 
 1629 5028.	[bug]		Spread the initial RRSIG expiration times over the
 1630 			entire working sig-validity-interval when signing a
 1631 			zone in named to even out re-signing and transfer
 1632 			loads. [GL #418]
 1633 
 1634 5027.	[func]		Set SO_SNDBUF size on sockets. [GL #74]
 1635 
 1636 5026.	[bug]		rndc reconfig should not touch already loaded zones.
 1637 			[GL #276]
 1638 
 1639 5025.	[cleanup]	Remove isc_keyboard family of functions. [GL #178]
 1640 
 1641 5024.	[func]		Replace custom assembly for atomic operations with
 1642 			atomic support from the compiler. The code will now use
 1643 			C11 stdatomic, or __atomic, or __sync builtins with GCC
 1644 			or Clang compilers, and Interlocked functions with MSVC.
 1645 			[GL #10]
 1646 
 1647 5023.	[cleanup]	Remove wrappers that try to fix broken or incomplete
 1648 			implementations of IPv6, pthreads and other core
 1649 			functionality required and used by BIND. [GL #192]
 1650 
 1651 5022.	[doc]		Update ms-self, ms-subdomain, krb5-self, and
 1652 			krb5-subdomain documentation. [GL !708]
 1653 
 1654 5021.	[bug]		dig returned a non-zero exit code when it received a
 1655 			reply over TCP after a retry. [GL #487]
 1656 
 1657 5020.	[func]		RNG uses thread-local storage instead of locks, if
 1658 			supported by platform. [GL #496]
 1659 
 1660 5019.	[cleanup]	A message is now logged when ixfr-from-differences is
 1661 			set at zone level for an inline-signed zone. [GL #470]
 1662 
 1663 5018.	[bug]		Fix incorrect sizeof arguments in lib/isc/pk11.c.
 1664 			[GL !588]
 1665 
 1666 5017.	[bug]		lib/isc/pk11.c failed to unlink the session before
 1667 			releasing the lock which is unsafe. [GL !589]
 1668 
 1669 5016.	[bug]		Named could assert with overlapping filter-aaaa and
 1670 			dns64 acls. [GL #445]
 1671 
 1672 5015.	[bug]		Reloading all zones caused zone maintenance to cease
 1673 			for inline-signed zones. [GL #435]
 1674 
 1675 5014.	[bug]		Signatures loaded from the journal for the signed
 1676 			version of an inline-signed zone were not scheduled for
 1677 			refresh. [GL #482]
 1678 
 1679 5013.	[bug]		A referral response with a non-empty ANSWER section was
 1680 			inadvertently being treated as an error. [GL #390]
 1681 
 1682 5012.	[bug]		Fix lock order reversal in pk11_initialize. [GL !590]
 1683 
 1684 5011.	[func]		Remove support for unthreaded named. [GL #478]
 1685 
 1686 5010.	[func]		New "validate-except" option specifies a list of
 1687 			domains beneath which DNSSEC validation should not
 1688 			be performed. [GL #237]
 1689 
 1690 5009.	[bug]		Upon an OpenSSL failure, the first error in the OpenSSL
 1691 			error queue was not logged. [GL #476]
 1692 
 1693 5008.	[bug]		"rndc signing -nsec3param ..." requests were silently
 1694 			ignored for zones which were not yet loaded or
 1695 			transferred. [GL #468]
 1696 
 1697 5007.	[cleanup]	Replace custom ISC boolean and integer data types
 1698 			with C99 stdint.h and stdbool.h types. [GL #9]
 1699 
 1700 5006.	[cleanup]	Code preparing a delegation response was extracted from
 1701 			query_delegation() and query_zone_delegation() into a
 1702 			separate function in order to decrease code
 1703 			duplication. [GL #431]
 1704 
 1705 5005.	[bug]		dnssec-verify, and dnssec-signzone at the verification
 1706 			step, failed on some validly signed zones. [GL #442]
 1707 
 1708 5004.	[bug]		'rndc reconfig' could cause inline zones to stop
 1709 			re-signing. [GL #439]
 1710 
 1711 5003.	[bug]		dns_acl_isinsecure did not handle geoip elements.
 1712 			[GL #406]
 1713 
 1714 5002.	[bug]		mdig: Handle malformed +ednsopt option, support 100
 1715 			+ednsopt options per query rather than 100 total and
 1716 			address memory leaks if +ednsopt was specified.
 1717 			[GL #410]
 1718 
 1719 5001.	[bug]		Fix refcount errors on error paths. [GL !563]
 1720 
 1721 5000.	[bug]		named_server_servestale() could leave the server in
 1722 			exclusive mode if an error occurred. [GL #441]
 1723 
 1724 4999.	[cleanup]	Remove custom printf implementation in lib/isc/print.c.
 1725 			[GL #261]
 1726 
 1727 4998.	[test]		Make resolver and cacheclean tests more civilized.
 1728 
 1729 4997.	[security]	named could crash during recursive processing
 1730 			of DNAME records when "deny-answer-aliases" was
 1731 			in use. (CVE-2018-5740) [GL #387]
 1732 
 1733 4996.	[bug]		dig: Handle malformed +ednsopt option. [GL #403]
 1734 
 1735 4995.	[test]		Add tests for "tcp-self" update policy. [GL !282]
 1736 
 1737 4994.	[bug]		Trust anchor telemetry queries were not being sent
 1738 			upstream for locally served zones. [GL #392]
 1739 
 1740 4993.	[cleanup]	Remove support for silently ignoring 'no-change' deltas
 1741 			from BIND 8 when processing an IXFR stream. 'no-change'
 1742 			deltas will now trigger a fallback to AXFR as the
 1743 			recovery mechanism. [GL #369]
 1744 
 1745 4992.	[bug]		The wrong address was being logged for trust anchor
 1746 			telemetry queries. [GL #379]
 1747 
 1748 4991.	[bug]		"rndc reconfig" was incorrectly handling zones whose
 1749 			"mirror" setting was changed. [GL #381]
 1750 
 1751 4990.	[bug]		Prevent a possible NULL reference in pkcs11-keygen.
 1752 			[GL #401]
 1753 
 1754 4989.	[cleanup]	IDN support in dig has been reworked.  IDNA2003
 1755 			fallbacks were removed in the process. [GL #384]
 1756 
 1757 4988.	[bug]		Don't synthesize NXDOMAIN from NSEC for records under
 1758 			a DNAME.
 1759 
 1760 	--- 9.13.2 released ---
 1761 
 1762 4987.	[cleanup]	dns_rdataslab_tordataset() and its related
 1763 			dns_rdatasetmethods_t callbacks were removed as they
 1764 			were not being used by anything in BIND. [GL #371]
 1765 
 1766 4986.	[func]		When built on Linux, BIND now requires the libcap
 1767 			library to set process privileges, unless capability
 1768 			support is explicitly overridden with "configure
 1769 			--disable-linux-caps". [GL #321]
 1770 
 1771 4985.	[func]		Add a new slave zone option, "mirror", to enable
 1772 			serving a non-authoritative copy of a zone that
 1773 			is subject to DNSSEC validation before being
 1774 			used.  For now, this option is only meant to
 1775 			facilitate deployment of an RFC 7706-style local
 1776 			copy of the root zone. [GL #33]
 1777 
 1778 4984.	[bug]		Improve handling of very large incremental
 1779 			zone transfers to prevent journal corruption. [GL #339]
 1780 
 1781 4983.	[func]		Add the ability to not return a DNS COOKIE option
 1782 			when one is present in the request (answer-cookie no;).
 1783 			[GL #173]
 1784 
 1785 4982.	[cleanup]	Return FORMERR if the question section is empty
 1786 			and no COOKIE option is present; this restores
 1787 			older behavior except in the newly specified
 1788 			COOKIE case. [GL #260]
 1789 
 1790 4981.	[bug]		Fix race in cmsg buffer usage in socket code.
 1791 			[GL #180]
 1792 
 1793 4980.	[bug]		Named-checkconf failed to detect bad in-view targets.
 1794 			[GL #288]
 1795 
 1796 4979.	[placeholder]
 1797 
 1798 4978.	[test]		Fix error handling and resolver configuration in the
 1799 			"rpz" system test. [GL #312]
 1800 
 1801 4977.	[func]		When starting up, log the same details that
 1802 			would be reported by 'named -V'. [GL #247]
 1803 
 1804 4976.	[bug]		Log the label with invalid prefix length correctly
 1805 			when loading RPZ zones. [GL #254]
 1806 
 1807 4975.	[bug]		The server cookie computation for sha1 and sha256 did
 1808 			not match the method described in RFC 7873. [GL #356]
 1809 
 1810 4974.	[bug]		Restore default rrset-order to random. [GL #336]
 1811 
 1812 4973.	[func]		verifyzone() and the functions it uses were moved to
 1813 			libdns and refactored to prevent exit() from being
 1814 			called upon failure.  A side effect of that is that
 1815 			dnssec-signzone and dnssec-verify now check for memory
 1816 			leaks upon shutdown. [GL #266]
 1817 
 1818 4972.	[func]		Declare the 'rdata' argument for dns_rdata_tostruct()
 1819 			to be const. [GL #341]
 1820 
 1821 4971.	[bug]		dnssec-signzone and dnssec-verify did not treat records
 1822 			below a DNAME as out-of-zone data. [GL #298]
 1823 
 1824 4970.	[func]		Add QNAME minimization option to resolver. [GL #16]
 1825 
 1826 4969.	[cleanup]	Refactor zone logging functions. [GL #269]
 1827 
 1828 	--- 9.13.1 released ---
 1829 
 1830 4968.	[bug]		If glue records are signed, attempt to validate them.
 1831 			[GL #209]
 1832 
 1833 4967.	[cleanup]	Add "answer-cookie" to the parser, marked obsolete.
 1834 
 1835 4966.	[placeholder]
 1836 
 1837 4965.	[func]		Add support for marking options as deprecated.
 1838 			[GL #322]
 1839 
 1840 4964.	[bug]		Reduce the probability of double signature when deleting
 1841 			a DNSKEY by checking if the node is otherwise signed
 1842 			by the algorithm of the key to be deleted. [GL #240]
 1843 
 1844 4963.	[test]		ifconfig.sh now uses "ip" instead of "ifconfig",
 1845 			if available, to configure the test interfaces on
 1846 			linux.  [GL #302]
 1847 
 1848 4962.	[cleanup]	Move 'named -T' processing to its own function.
 1849 			[GL #316]
 1850 
 1851 4961.	[protocol]	Remove support for ECC-GOST (GOST R 34.11-94).
 1852 			[GL #295]
 1853 
 1854 4960.	[security]	When recursion is enabled, but the "allow-recursion"
 1855 			and "allow-query-cache" ACLs are not specified,
 1856 			they should be limited to local networks,
 1857 			but were inadvertently set to match the default
 1858 			"allow-query", thus allowing remote queries.
 1859 			(CVE-2018-5738) [GL #309]
 1860 
 1861 4959.	[func]		NSID logging (enabled by the "request-nsid" option)
 1862 			now has its own "nsid" category, instead of using the
 1863 			"resolver" category. [GL !332]
 1864 
 1865 4958.	[bug]		Remove redundant space from NSEC3 record. [GL #281]
 1866 
 1867 4957.	[func]		The default setting for "dnssec-validation" is now
 1868 			"auto", which activates DNSSEC validation using the
 1869 			IANA root key. (The default can be changed back to
 1870 			"yes", which activates DNSSEC validation only when keys
 1871 			are explicitly configured in named.conf, by building
 1872 			BIND with "configure --disable-auto-validation".)
 1873 			[GL #30]
 1874 
 1875 4956.	[func]		Change isc_random() to be just PRNG using xoshiro128**,
 1876 			and add isc_nonce_buf() that uses CSPRNG. [GL #289]
 1877 
 1878 4955.	[cleanup]	Silence cppcheck warnings in lib/dns/master.c.
 1879 			[GL #286]
 1880 
 1881 4954.	[func]		Messages about serving of stale answers are now
 1882 			directed to the "serve-stale" logging category.
 1883 			Also clarified serve-stale documentation. [GL !323]
 1884 
 1885 4953.	[bug]		Removed the option to build the red black tree
 1886 			database without a hash table; the non-hashing
 1887 			version was buggy and is not needed. [GL #184]
 1888 
 1889 4952.	[func]		Authoritative server support in named for the
 1890 			EDNS CLIENT-SUBNET option (which was experimental
 1891 			and not practical to deploy) has been removed.
 1892 
 1893 			The ECS option is still supported in dig and mdig
 1894 			via the +subnet option, and can be parsed and logged
 1895 			when received by named, but it is no longer used
 1896 			for ACL processing. The "geoip-use-ecs" option
 1897 			is now obsolete; a warning will be logged if it is
 1898 			used in named.conf. "ecs" tags in an ACL definition
 1899 			are also obsolete and will cause the configuration
 1900 			to fail to load.  [GL #32]
 1901 
 1902 4951.	[protocol]	Add "HOME.ARPA" to list of built in empty zones as
 1903 			per RFC 8375. [GL #273]
 1904 
 1905 	--- 9.13.0 released ---
 1906 
 1907 4950.	[bug]		ISC_SOCKEVENTATTR_TRUNC was not be set. [GL #238]
 1908 
 1909 4949.	[placeholder]
 1910 
 1911 4948.	[bug]		When request-nsid is turned on, EDNS NSID options
 1912 			should be logged at level info. Since change 3741
 1913 			they have been logged at debug(3) by mistake.
 1914 			[GL !290]
 1915 
 1916 4947.	[func]		Replace all random functions with isc_random(),
 1917 			isc_random_buf() and isc_random_uniform() API.
 1918 			[GL #221]
 1919 
 1920 4946.	[bug]		Additional glue was not being returned by resolver
 1921 			for unsigned zones since change 4596. [GL #209]
 1922 
 1923 4945.	[func]		BIND can no longer be built without DNSSEC support.
 1924 			A cryptography provider (i.e., OpenSSL or a hardware
 1925 			service module with PKCS#11 support) must be
 1926 			available. [GL #244]
 1927 
 1928 4944.	[cleanup]	Silence cppcheck portability warnings in
 1929 			lib/isc/tests/buffer_test.c. [GL #239]
 1930 
 1931 4943.	[bug]		Change 4687 consumed too much memory when running
 1932 			system tests with --with-tuning=large.  Reduced the
 1933 			hash table size to 512 entries for 'named -m record'
 1934 			restoring the previous memory footprint. [GL #248]
 1935 
 1936 4942.	[cleanup]	Consolidate multiple instances of splitting of
 1937 			batchline in dig into a single function. [GL #196]
 1938 
 1939 4941.	[cleanup]	Silence clang static analyzer warnings. [GL #196]
 1940 
 1941 4940.	[cleanup]	Extract the loop in dns__zone_updatesigs() into
 1942 			separate functions to improve code readability.
 1943 			[GL #135]
 1944 
 1945 4939.	[test]		Add basic unit tests for update_sigs(). [GL #135]
 1946 
 1947 4938.	[placeholder]
 1948 
 1949 4937.	[func]		Remove support for OpenSSL < 1.0.0 [GL #191]
 1950 
 1951 4936.	[func]		Always use OpenSSL or PKCS#11 random data providers,
 1952 			and remove the --{enable,disable}-crypto-rand configure
 1953 			options. [GL #165]
 1954 
 1955 4935.	[func]		Add support for LibreSSL >= 2.7.0 (some OpenSSL 1.1.0
 1956 			call were added). [GL #191]
 1957 
 1958 4934.	[security]	The serve-stale feature could cause an assertion failure
 1959 			in rbtdb.c even when stale-answer-enable was false.
 1960 			Simultaneous use of stale cache records and NSEC
 1961 			aggressive negative caching could trigger a recursion
 1962 			loop. (CVE-2018-5737) [GL #185]
 1963 
 1964 4933.	[bug]		Not creating signing keys for an inline signed zone
 1965 			prevented changes applied to the raw zone from being
 1966 			reflected in the secure zone until signing keys were
 1967 			made available. [GL #159]
 1968 
 1969 4932.	[bug]		Bumped signed serial of an inline signed zone was
 1970 			logged even when an error occurred while updating
 1971 			signatures. [GL #159]
 1972 
 1973 4931.	[func]		Removed the "rbtdb64" database implementation.
 1974 			[GL #217]
 1975 
 1976 4930.	[bug]		Remove a bogus check in nslookup command line
 1977 			argument processing. [GL #206]
 1978 
 1979 4929.	[func]		Add the ability to set RA and TC in queries made by
 1980 			dig (+[no]raflag, +[no]tcflag). [GL #213]
 1981 
 1982 4928.	[func]		The "dnskey-sig-validity" option allows
 1983 			"sig-validity-interval" to be overridden for signatures
 1984 			covering DNSKEY RRsets. [GL #145]
 1985 
 1986 4927.	[placeholder]
 1987 
 1988 4926.	[func]		Add root key sentinel support.  To disable, add
 1989 			'root-key-sentinel no;' to named.conf. [GL #37]
 1990 
 1991 4925.	[func]		Several configuration options that define intervals
 1992 			can now take TTL value suffixes (for example, 2h or 1d)
 1993 			in addition to integer parameters. These include
 1994 			max-cache-ttl, max-ncache-ttl, max-policy-ttl,
 1995 			fstrm-set-reopen-interval, interface-interval, and
 1996 			min-update-interval. [GL #203]
 1997 
 1998 4924.	[cleanup]	Clean up the isc_string_* namespace and leave
 1999 			only strlcpy and strlcat. [GL #178]
 2000 
 2001 4923.	[cleanup]	Refactor socket and socket event options into
 2002 			enum types. [GL !135]
 2003 
 2004 4922.	[bug]		dnstap: Log the destination address of client
 2005 			packets rather than the interface address.
 2006 			[GL #197]
 2007 
 2008 4921.	[cleanup]	Add dns_fixedname_initname() and refactor the caller
 2009 			code to make usage of the new function, as a part of
 2010 			refactoring dns_fixedname_*() macros were turned into
 2011 			functions. [GL #183]
 2012 
 2013 4920.	[cleanup]	Clean up libdns removing most of the backwards
 2014 			compatibility wrappers.
 2015 
 2016 4919.	[cleanup]	Clean up the isc_hash_* namespace and leave only
 2017 			the FNV-1a hash implementation. [GL #178]
 2018 
 2019 4918.	[bug]		Fix double free after keygen error in dnssec-keygen
 2020 			when OpenSSL >= 1.1.0 is used and RSA_generate_key_ex
 2021 			fails. [GL #109]
 2022 
 2023 4917.	[func]		Support 64 RPZ policy zones by default. [GL #123]
 2024 
 2025 4916.	[func]		Remove IDNA2003 support and the bundled idnkit-1.0
 2026 			library.
 2027 
 2028 4915.	[func]		Implement IDNA2008 support in dig by adding support
 2029 			for libidn2.  New dig option +idnin has been added,
 2030 			which allows to process invalid domain names much
 2031 			like dig without IDN support.  libidn2 version 2.0
 2032 			or higher is needed for +idnout enabled by default.
 2033 
 2034 4914.	[security]	A bug in zone database reference counting could lead to
 2035 			a crash when multiple versions of a slave zone were
 2036 			transferred from a master in close succession.
 2037 			(CVE-2018-5736) [GL #134]
 2038 
 2039 4913.	[test]		Re-implemented older unit tests in bin/tests as ATF,
 2040 			removed the lib/tests unit testing library. [GL #115]
 2041 
 2042 4912.	[test]		Improved the reliability of the 'cds' system test.
 2043 			[GL #136]
 2044 
 2045 4911.	[test]		Improved the reliability of the 'mkeys' system test.
 2046 			[GL #128]
 2047 
 2048 4910.	[func]		Update util/check-changes to work on release branches.
 2049 			[GL #113]
 2050 
 2051 4909.	[bug]		named-checkconf did not detect in-view zone collisions.
 2052 			[GL #125]
 2053 
 2054 4908.	[test]		Eliminated unnecessary waiting in the allow_query
 2055 			system test. Also changed its name to allow-query.
 2056 			[GL #81]
 2057 
 2058 4907.	[test]		Improved the reliability of the 'notify' system
 2059 			test. [GL #59]
 2060 
 2061 4906.	[func]		Replace getquad() with inet_pton(), completing
 2062 			change #4900. [GL #56]
 2063 
 2064 4905.	[bug]		irs_resconf_load() ignored resolv.conf syntax errors
 2065 			when "domain" or "search" options were present in that
 2066 			file. [GL #110]
 2067 
 2068 4904.	[bug]		Temporarily revert change #4859. [GL #124]
 2069 
 2070 4903.	[bug]		"check-mx fail;" did not prevent MX records containing
 2071 			IP addresses from being added to a zone by a dynamic
 2072 			update. [GL #112]
 2073 
 2074 4902.	[test]		Improved the reliability of the 'ixfr' system
 2075 			test. [GL #66]
 2076 
 2077 4901.	[func]		"dig +nssearch" now lists the name servers
 2078 			for a domain that time out, as well as the servers
 2079 			that respond. [GL #64]
 2080 
 2081 4900.	[func]		Remove all uses of inet_aton().  As a result of this
 2082 			change, IPv4 addresses are now only accepted in
 2083 			dotted-quad format. [GL #13]
 2084 
 2085 4899.	[test]		Convert most of the remaining system tests to be able
 2086 			to run in parallel, continuing the work from change
 2087 			#4895. To take advantage of this, use "make -jN check",
 2088 			where N is the number of processors to use. [GL #91]
 2089 
 2090 4898.	[func]		Remove libseccomp based system-call filtering. [GL #93]
 2091 
 2092 4897.	[test]		Update to rpz system test so that it doesn't recurse.
 2093 			[GL #68]
 2094 
 2095 4896.	[test]		cacheclean system test was not robust. [GL #82]
 2096 
 2097 4895.	[test]		Allow some system tests to run in parallel.
 2098 			[RT #46602]
 2099 
 2100 4894.	[bug]		named could crash while rolling a dnstap output file.
 2101 			[RT #46942]
 2102 
 2103 4893.	[bug]		Address various issues reported by cppcheck. [GL #51]
 2104 
 2105 4892.	[bug]		named could leak memory when "rndc reload" was invoked
 2106 			before all zone loading actions triggered by a previous
 2107 			"rndc reload" command were completed. [RT #47076]
 2108 
 2109 4891.	[placeholder]
 2110 
 2111 4890.	[func]		Remove unused ondestroy callback from libisc.
 2112 			[isc-projects/bind9!3]
 2113 
 2114 4889.	[func]		Warn about the use of old root keys without the new
 2115 			root key being present.  Warn about dlv.isc.org's
 2116 			key being present. Warn about both managed and
 2117 			trusted root keys being present. [RT #43670]
 2118 
 2119 4888.	[test]		Initialize sockets correctly in sample-update so
 2120 			that the nsupdate system test will run on Windows.
 2121 			[RT #47097]
 2122 
 2123 4887.	[test]		Enable the rpzrecurse test to run on Windows.
 2124 			[RT #47093]
 2125 
 2126 4886.	[doc]		Document dig -u in manpage. [RT #47150]
 2127 
 2128 4885.	[security]	update-policy rules that otherwise ignore the name
 2129 			field now require that it be set to "." to ensure
 2130 			that any type list present is properly interpreted.
 2131 			[RT #47126]
 2132 
 2133 4884.	[bug]		named could crash on shutdown due to a race between
 2134 			shutdown_server() and ns__client_request(). [RT #47120]
 2135 
 2136 4883.	[cleanup]	Improved debugging output from dnssec-cds. [RT #47026]
 2137 
 2138 4882.	[bug]		Address potential memory leak in
 2139 			dns_update_signaturesinc. [RT #47084]
 2140 
 2141 4881.	[bug]		Only include dst_openssl.h when OpenSSL is required.
 2142 			[RT #47068]
 2143 
 2144 4880.	[bug]		Named wasn't returning the target of a cross-zone
 2145 			CNAME between two served zones when recursion was
 2146 			desired and available (RD=1, RA=1). (When this is
 2147 			not the case, the CNAME target is deliberately
 2148 			withheld to prevent accidental cache poisoning.)
 2149 			[RT #47078]
 2150 
 2151 4879.	[bug]		dns_rdata_caa:value_len field was too small.
 2152 			[RT #47086]
 2153 
 2154 4878.	[bug]		List 'ply' as a requirement for the 'isc' python
 2155 			package. [RT #47065]
 2156 
 2157 4877.	[bug]		Address integer overflow when exponentially
 2158 			backing off retry intervals. [RT #47041]
 2159 
 2160 4876.	[bug]		Address deadlock with accessing a keytable. [RT #47000]
 2161 
 2162 4875.	[bug]		Address compile failures on older systems. [RT #47015]
 2163 
 2164 4874.	[bug]		Wrong time display when reporting new keywarntime.
 2165 			[RT #47042]
 2166 
 2167 4873.	[doc]		Grammars for named.conf included in the ARM are now
 2168 			automatically generated by the configuration parser
 2169 			itself.  As a side effect of the work needed to
 2170 			separate zone type grammars from each other, this
 2171 			also makes checking of zone statements in
 2172 			named-checkconf more correct and consistent.
 2173 			[RT #36957]
 2174 
 2175 4872.	[bug]		Don't permit loading meta RR types such as TKEY
 2176 			from master files. [RT #47009]
 2177 
 2178 4871.	[bug]		Fix configure glitch in detecting stdatomic.h
 2179 			support on systems with multiple compilers.
 2180 			[RT #46959]
 2181 
 2182 4870.	[test]		Update included ATF library to atf-0.21 preserving
 2183 			the ATF tool. [RT #46967]
 2184 
 2185 4869.	[bug]		Address some cases where NULL with zero length could
 2186 			be passed to memmove which is undefined behavior and
 2187 			can lead to bad optimization. [RT #46888]
 2188 
 2189 4868.	[func]		dnssec-keygen can no longer generate HMAC keys.
 2190 			Use tsig-keygen instead. [RT #46404]
 2191 
 2192 4867.	[cleanup]	Normalize rndc on/off commands (validation,
 2193 			querylog, serve-stale) so they all accept the
 2194 			same synonyms for on/off (yes/no, true/false,
 2195 			enable/disable). Thanks to Tony Finch. [RT #47022]
 2196 
 2197 4866.	[port]		DST library initialization verifies MD5 (when MD5
 2198 			was not disabled) and SHA-1 hash and HMAC support.
 2199 			[RT #46764]
 2200 
 2201 4865.	[cleanup]	Simplify handling isc_socket_sendto2() return values.
 2202 			[RT #46986]
 2203 
 2204 4864.	[bug]		named acting as a slave for a catalog zone crashed if
 2205 			the latter contained a master definition without an IP
 2206 			address. [RT #45999]
 2207 
 2208 4863.	[bug]		Fix various other bugs reported by Valgrind's
 2209 			memcheck tool. [RT #46978]
 2210 
 2211 4862.	[bug]		The rdata flags for RRSIG were not being properly set
 2212 			when constructing a rdataslab. [RT #46978]
 2213 
 2214 4861.	[bug]		The isc_crc64 unit test was not endian independent.
 2215 			[RT #46973]
 2216 
 2217 4860.	[bug]		isc_int8_t should be signed char.  [RT #46973]
 2218 
 2219 4859.	[bug]		A loop was possible when attempting to validate
 2220 			unsigned CNAME responses from secure zones;
 2221 			this caused a delay in returning SERVFAIL and
 2222 			also increased the chances of encountering
 2223 			CVE-2017-3145. [RT #46839]
 2224 
 2225 4858.	[security]	Addresses could be referenced after being freed
 2226 			in resolver.c, causing an assertion failure.
 2227 			(CVE-2017-3145) [RT #46839]
 2228 
 2229 4857.	[bug]		Maintain attach/detach semantics for event->db,
 2230 			event->node, event->rdataset and event->sigrdataset
 2231 			in query.c. [RT #46891]
 2232 
 2233 4856.	[bug]		'rndc zonestatus' reported the wrong underlying type
 2234 			for a inline slave zone. [RT #46875]
 2235 
 2236 4855.	[bug]		isc_time_formatshorttimestamp produced incorrect
 2237 			output. [RT #46938]
 2238 
 2239 4854.	[bug]		query_synthcnamewildcard should stop generating the
 2240 			response if query_synthwildcard fails. [RT #46939]
 2241 
 2242 4853.	[bug]		Add REQUIRE's and INSIST's to isc_time_formatISO8601L
 2243 			and isc_time_formatISO8601Lms. [RT #46916]
 2244 
 2245 4852.	[bug]		Handle strftime() failing in isc_time_formatISO8601ms.
 2246 			Add REQUIRE's and INSIST's to isc_time_formattimestamp,
 2247 			isc_time_formathttptimestamp, isc_time_formatISO8601,
 2248 			isc_time_formatISO8601ms. [RT #46892]
 2249 
 2250 4851.	[port]		Support using kyua as well as atf-run to run the unit
 2251 			tests. [RT #46853]
 2252 
 2253 4850.	[bug]		Named failed to restart with multiple added zones in
 2254 			lmdb database. [RT #46889]
 2255 
 2256 4849.	[bug]		Duplicate zones could appear in the .nzf file if
 2257 			addzone failed. [RT #46435]
 2258 
 2259 4848.	[func]		Zone types "primary" and "secondary" can now be used
 2260 			as synonyms for "master" and "slave" in named.conf.
 2261 			[RT #46713]
 2262 
 2263 4847.	[bug]		dnssec-dnskey-kskonly was not being honored for
 2264 			CDS and CDNSKEY. [RT #46755]
 2265 
 2266 4846.	[test]		Adjust timing values in runtime system test. Address
 2267 			named.pid removal races in runtime system test.
 2268 			[RT #46800]
 2269 
 2270 4845.	[bug]		Dig (non iOS) should exit on malformed names.
 2271 			[RT #46806]
 2272 
 2273 4844.	[test]		Address memory leaks in libatf-c. [RT #46798]
 2274 
 2275 4843.	[bug]		dnssec-signzone free hashlist on exit. [RT #46791]
 2276 
 2277 4842.	[bug]		Conditionally compile opensslecdsa_link.c to avoid
 2278 			warnings about unused function. [RT #46790]
 2279 
 2280 	--- 9.12.0rc1 released ---
 2281 
 2282 4841.	[bug]		Address -fsanitize=undefined warnings. [RT #46786]
 2283 
 2284 4840.	[test]		Add tests to cover fallback to using ZSK on inactive
 2285 			KSK. [RT #46787]
 2286 
 2287 4839.	[bug]		zone.c:zone_sign was not properly determining
 2288 			if there were active KSK and ZSK keys for
 2289 			a algorithm when update-check-ksk is true
 2290 			(default) leaving records unsigned with one or
 2291 			more DNSKEY algorithms. [RT #46774]
 2292 
 2293 4838.	[bug]		zone.c:add_sigs was not properly determining
 2294 			if there were active KSK and ZSK keys for
 2295 			a algorithm when update-check-ksk is true
 2296 			(default) leaving records unsigned with one or
 2297 			more DNSKEY algorithms. [RT #46754]
 2298 
 2299 4837.	[bug]		dns_update_signatures{inc} (add_sigs) was not
 2300 			properly determining if there were active KSK and
 2301 			ZSK keys for a algorithm when update-check-ksk is
 2302 			true (default) leaving records unsigned when there
 2303 			were multiple DNSKEY algorithms for the zone.
 2304 			[RT #46743]
 2305 
 2306 4836.	[bug]		Zones created using "rndc addzone" could
 2307 			temporarily fail to inherit an "allow-transfer"
 2308 			ACL that had been configured in the options
 2309 			statement. [RT #46603]
 2310 
 2311 4835.	[cleanup]	Clean up and refactor LMDB-related code. [RT #46718]
 2312 
 2313 4834.	[port]		Fix LMDB support on OpenBSD. [RT #46718]
 2314 
 2315 4833.	[bug]		isc_event_free should check that the event is not
 2316 			linked when called. [RT #46725]
 2317 
 2318 4832.	[bug]		Events were not being removed from zone->rss_events.
 2319 			[RT #46725]
 2320 
 2321 4831.	[bug]		Convert the RRSIG expirytime to 64 bits for
 2322 			comparisons in diff.c:resign. [RT #46710]
 2323 
 2324 4830.	[bug]		Failure to configure ATF when requested did not cause
 2325 			an error in top-level configure script. [RT #46655]
 2326 
 2327 4829.	[bug]		isc_heap_delete did not zero the index value when
 2328 			the heap was created with a callback to do that.
 2329 			[RT #46709]
 2330 
 2331 4828.	[bug]		Do not use thread-local storage for storing LMDB reader
 2332 			locktable slots. [RT #46556]
 2333 
 2334 4827.	[misc]		Add a precommit check script util/checklibs.sh
 2335 			[RT #46215]
 2336 
 2337 4826.	[cleanup]	Prevent potential build failures in bin/confgen/ and
 2338 			bin/named/ when using parallel make. [RT #46648]
 2339 
 2340 4825.	[bug]		Prevent a bogus "error during managed-keys processing
 2341 			(no more)" warning from being logged. [RT #46645]
 2342 
 2343 4824.	[port]		Add iOS hooks to dig. [RT #42011]
 2344 
 2345 4823.	[test]		Refactor reclimit system test to improve its
 2346 			reliability and speed. [RT #46632]
 2347 
 2348 4822.	[bug]		Use resign_sooner in dns_db_setsigningtime. [RT #46473]
 2349 
 2350 4821.	[bug]		When resigning ensure that the SOA's expire time is
 2351 			always later that the resigning time of other records.
 2352 			[RT #46473]
 2353 
 2354 4820.	[bug]		dns_db_subtractrdataset should transfer the resigning
 2355 			information to the new header. [RT #46473]
 2356 
 2357 4819.	[bug]		Fully backout the transaction when adding a RRset
 2358 			to the resigning / removal heaps fails. [RT #46473]
 2359 
 2360 4818.	[test]		The logfileconfig system test could intermittently
 2361 			report false negatives on some platforms. [RT #46615]
 2362 
 2363 4817.	[cleanup]	Use DNS_NAME_INITABSOLUTE and DNS_NAME_INITNONABSOLUTE.
 2364 			[RT #45433]
 2365 
 2366 4816.	[bug]		Don't use a common array for storing EDNS options
 2367 			in DiG as it could fill up. [RT #45611]
 2368 
 2369 4815.	[bug]		rbt_test.c:insert_and_delete needed to call
 2370 			dns_rbt_addnode instead of dns_rbt_addname. [RT #46553]
 2371 
 2372 4814.	[cleanup]	Use AS_HELP_STRING for consistent help text. [RT #46521]
 2373 
 2374 4813.	[bug]		Address potential read after free errors from
 2375 			query_synthnodata, query_synthwildcard and
 2376 			query_synthnxdomain. [RT #46547]
 2377 
 2378 4812.	[bug]		Minor improvements to stability and consistency of code
 2379 			handling managed keys. [RT #46468]
 2380 
 2381 4811.	[bug]		Revert api changes to use <isc/buffer.h> inline
 2382 			macros.  Provide a alternative mechanism to turn
 2383 			on the use of inline macros when building BIND.
 2384 			[RT #46520]
 2385 
 2386 4810.	[test]		The chain system test failed if the IPv6 interfaces
 2387 			were not configured. [RT #46508]
 2388 
 2389 	--- 9.12.0b2 released ---
 2390 
 2391 4809.	[port]		Check at configure time whether -latomic is needed
 2392 			for stdatomic.h. [RT #46324]
 2393 
 2394 4808.	[bug]		Properly test for zlib.h. [RT #46504]
 2395 
 2396 4807.	[cleanup]	isc_rng_randombytes() returns a specified number of
 2397 			bytes from the PRNG; this is now used instead of
 2398 			calling isc_rng_random() multiple times. [RT #46230]
 2399 
 2400 4806.	[func]		Log messages related to loading of zones are now
 2401 			directed to the "zoneload" logging category.
 2402 			[RT #41640]
 2403 
 2404 4805.	[bug]		TCP4Active and TCP6Active weren't being updated
 2405 			correctly. [RT #46454]
 2406 
 2407 4804.	[port]		win32: access() does not work on directories as
 2408 			required by POSIX.  Supply a alternative in
 2409 			isc_file_isdirwritable. [RT #46394]
 2410 
 2411 4803.	[placeholder]
 2412 
 2413 4802.	[test]		Refactor mkeys system test to make it quicker and more
 2414 			reliable. [RT #45293]
 2415 
 2416 4801.	[func]		'dnssec-lookaside auto;' and 'dnssec-lookaside .
 2417 			trust-anchor dlv.isc.org;' now elicit warnings rather
 2418 			than being fatal configuration errors. [RT #46410]
 2419 
 2420 4800.	[bug]		When processing delzone, write one zone config per
 2421 			line to the NZF. [RT #46323]
 2422 
 2423 4799.	[cleanup]	Improve clarity of keytable unit tests. [RT #46407]
 2424 
 2425 4798.	[func]		Keys specified in "managed-keys" statements
 2426 			are tagged as "initializing" until they have been
 2427 			updated by a key refresh query. If initialization
 2428 			fails it will be visible from "rndc secroots".
 2429 			[RT #46267]
 2430 
 2431 4797.	[func]		Removed "isc-hmac-fixup", as the versions of BIND that
 2432 			had the bug it worked around are long past end of
 2433 			life. [RT #46411]
 2434 
 2435 4796.	[bug]		Increase the maximum configurable TCP keepalive
 2436 			timeout to 65535. [RT #44710]
 2437 
 2438 4795.	[func]		A new statistics counter has been added to track
 2439 			priming queries. [RT #46313]
 2440 
 2441 4794.	[func]		"dnssec-checkds -s" specifies a file from which
 2442 			to read a DS set rather than querying the parent.
 2443 			[RT #44667]
 2444 
 2445 4793.	[bug]		nsupdate -[46] could overflow the array of server
 2446 			addresses. [RT #46402]
 2447 
 2448 4792.	[bug]		Fix map file header correctness check. [RT #38418]
 2449 
 2450 4791.	[doc]		Fixed outdated documentation about export libraries.
 2451 			[RT #46341]
 2452 
 2453 4790.	[bug]		nsupdate could trigger a require when sending a
 2454 			update to the second address of the server.
 2455 			[RT #45731]
 2456 
 2457 4789.	[cleanup]	Check writability of new-zones-directory. [RT #46308]
 2458 
 2459 4788.	[cleanup]	When using "update-policy local", log a warning
 2460 			when an update matching the session key is received
 2461 			from a remote host. [RT #46213]
 2462 
 2463 4787.	[cleanup]	Turn nsec3param_salt_totext() into a public function,
 2464 			dns_nsec3param_salttotext(), and add unit tests for it.
 2465 			[RT #46289]
 2466 
 2467 4786.	[func]		The "filter-aaaa-on-v4" and "filter-aaaa-on-v6"
 2468 			options are no longer conditionally compiled.
 2469 			[RT #46340]
 2470 
 2471 4785.	[func]		The hmac-md5 algorithm is no longer recommended for
 2472 			use with RNDC keys.  The default in rndc-confgen
 2473 			is now hmac-sha256. [RT #42272]
 2474 
 2475 4784.	[func]		The use of dnssec-keygen to generate HMAC keys is
 2476 			deprecated in favor of tsig-keygen.  dnssec-keygen
 2477 			will print a warning when used for this purpose.
 2478 			All HMAC algorithms will be removed from
 2479 			dnssec-keygen in a future release. [RT #42272]
 2480 
 2481 4783.	[test]		dnssec: 'check that NOTIFY is sent at the end of
 2482 			NSEC3 chain generation failed' required more time
 2483 			on some machines for the IXFR to complete. [RT #46388]
 2484 
 2485 4782.	[test]		dnssec: 'checking positive and negative validation
 2486 			with negative trust anchors' required more time to
 2487 			complete on some machines. [RT #46386]
 2488 
 2489 4781.	[maint]		B.ROOT-SERVERS.NET is now 199.9.14.201. [RT #45889]
 2490 
 2491 4780.	[bug]		When answering ANY queries, don't include the NS
 2492 			RRset in the authority section if it was already
 2493 			in the answer section. [RT #44543]
 2494 
 2495 4779.	[bug]		Expire NTA at the start of the second. Don't update
 2496 			the expiry value if the record has already expired
 2497 			after a successful check. [RT #46368]
 2498 
 2499 4778.	[test]		Improve synth-from-dnssec testing. [RT #46352]
 2500 
 2501 4777.	[cleanup]	Removed a redundant call to configure_view_acl().
 2502 			[RT #46369]
 2503 
 2504 4776.	[bug]		Improve portability of ht_test. [RT #46333]
 2505 
 2506 4775.	[bug]		Address Coverity warnings in ht_test.c and mem_test.c
 2507 			[RT #46281]
 2508 
 2509 4774.	[bug]		<isc/util.h> was incorrectly included in several
 2510 			header files. [RT #46311]
 2511 
 2512 4773.	[doc]		Fixed generating Doxygen documentation for functions
 2513 			annotated using certain macros.  Miscellaneous
 2514 			Doxygen-related cleanups. [RT #46276]
 2515 
 2516 	--- 9.12.0b1 released ---
 2517 
 2518 4772.	[test]		Expanded unit testing framework for libns, using
 2519 			hooks to interrupt query flow and inspect state
 2520 			at specified locations. [RT #46173]
 2521 
 2522 4771.	[bug]		When sending RFC 5011 refresh queries, disregard
 2523 			cached DNSKEY rrsets. [RT #46251]
 2524 
 2525 4770.	[bug]		Cache additional data from priming queries as glue.
 2526 			Previously they were ignored as unsigned
 2527 			non-answer data from a secure zone, and never
 2528 			actually got added to the cache, causing hints
 2529 			to be used frequently for root-server
 2530 			addresses, which triggered re-priming. [RT #45241]
 2531 
 2532 4769.	[func]		The working directory and managed-keys directory has
 2533 			to be writeable (and seekable). [RT #46077]
 2534 
 2535 4768.	[func]		By default, memory is no longer filled with tag values
 2536 			when it is allocated or freed; this improves
 2537 			performance but makes debugging of certain memory
 2538 			issues more difficult. "named -M fill" turns memory
 2539 			filling back on. (Building "configure
 2540 			--enable-developer", turns memory fill on by
 2541 			default again; it can then be disabled with
 2542 			"named -M nofill".) [RT #45123]
 2543 
 2544 4767.	[func]		Add a new function, isc_buffer_printf(), which can be
 2545 			used to append a formatted string to the used region of
 2546 			a buffer. [RT #46201]
 2547 
 2548 4766.	[cleanup]	Address Coverity warnings. [RT #46150]
 2549 
 2550 4765.	[bug]		Address potential INSIST in dnssec-cds. [RT #46150]
 2551 
 2552 4764.	[bug]		Address portability issues in cds system test.
 2553 			[RT #46214]
 2554 
 2555 4763.	[contrib]	Improve compatibility when building MySQL DLZ
 2556 			module by using mysql_config if available.
 2557 			[RT #45558]
 2558 
 2559 4762.	[func]		"update-policy local" is now restricted to updates
 2560 			from local addresses. (Previously, other addresses
 2561 			were allowed so long as updates were signed by the
 2562 			local session key.) [RT #45492]
 2563 
 2564 4761.	[protocol]	Add support for DOA. [RT #45612]
 2565 
 2566 4760.	[func]		Add glue cache statistics counters. [RT #46028]
 2567 
 2568 4759.	[func]		Add logging channel "trust-anchor-telemetry" to
 2569 			record trust-anchor-telemetry in incoming requests.
 2570 			Both _ta-XXXX.<anchor>/NULL and EDNS KEY-TAG options
 2571 			are logged.  [RT #46124]
 2572 
 2573 4758.	[doc]		Remove documentation of unimplemented "topology".
 2574 			[RT #46161]
 2575 
 2576 4757.	[func]		New "dnssec-cds" command creates a new parent DS
 2577 			RRset based on CDS or CDNSKEY RRsets found in
 2578 			a child zone, and generates either a dsset file
 2579 			or stream of nsupdate commands to update the
 2580 			parent. Thanks to Tony Finch. [RT #46090]
 2581 
 2582 4756.	[bug]		Interrupting dig could lead to an INSIST failure after
 2583 			certain errors were encountered while querying a host
 2584 			whose name resolved to more than one address.  Change
 2585 			4537 increased the odds of triggering this issue by
 2586 			causing dig to hang indefinitely when certain error
 2587 			paths were evaluated.  dig now also retries TCP queries
 2588 			(once) if the server gracefully closes the connection
 2589 			before sending a response. [RT #42832, #45159]
 2590 
 2591 4755.	[cleanup]	Silence unnecessary log message when NZF file doesn't
 2592 			exist. [RT #46186]
 2593 
 2594 4754.	[bug]		dns_zone_setview needs a two stage commit to properly
 2595 			handle errors. [RT #45841]
 2596 
 2597 4753.	[contrib]	Software obtainable from known upstream locations
 2598 			(i.e., zkt, nslint, query-loc) has been removed.
 2599 			Links to these and other packages can be found at
 2600 			https://www.isc.org/community/tools [RT #46182]
 2601 
 2602 4752.	[test]		Add unit test for isc_net_pton. [RT #46171]
 2603 
 2604 4751.	[func]		"dnssec-signzone -S" can now automatically add parent
 2605 			synchronization records (CDS and CDNSKEY) according
 2606 			to key metadata set using the -Psync and -Dsync
 2607 			options to dnssec-keygen and dnssec-settime.
 2608 			[RT #46149]
 2609 
 2610 4750.	[func]		"rndc managed-keys destroy" shuts down RFC 5011 key
 2611 			maintenance and deletes the managed-keys database.
 2612 			If followed by "rndc reconfig" or a server restart,
 2613 			key maintenance is reinitialized from scratch.
 2614 			This is primarily intended for testing. [RT #32456]
 2615 
 2616 4749.	[func]		The ISC DLV service has been shut down, and all
 2617 			DLV records have been removed from dlv.isc.org.
 2618 			- Removed references to ISC DLV in documentation
 2619 			- Removed DLV key from bind.keys
 2620 			- No longer use ISC DLV by default in delv
 2621 			- "dnssec-lookaside auto" and configuration of
 2622 			  "dnssec-lookaide" with dlv.isc.org as the trust
 2623 			  anchor are both now fatal errors.
 2624 			[RT #46155]
 2625 
 2626 4748.	[cleanup]	Sprintf to snprintf coversions. [RT #46132]
 2627 
 2628 4747.	[func]		Synthesis of responses from DNSSEC-verified records.
 2629 			Stage 3 - synthesize NODATA responses. [RT #40138]
 2630 
 2631 4746.	[cleanup]	Add configured prefixes to configure summary
 2632 			output. [RT #46153]
 2633 
 2634 4745.	[test]		Add color-coded pass/fail messages to system
 2635 			tests when running on terminals that support them.
 2636 			[RT #45977]
 2637 
 2638 4744.	[bug]		Suppress trust-anchor-telemetry queries if
 2639 			validation is disabled. [RT #46131]
 2640 
 2641 4743.	[func]		Exclude trust-anchor-telemetry queries from
 2642 			synth-from-dnssec processing. [RT #46123]
 2643 
 2644 4742.	[func]		Synthesis of responses from DNSSEC-verified records.
 2645 			Stage 2 - synthesis of records from wildcard data.
 2646 			If the dns64 or filter-aaaa* is configured then the
 2647 			involved lookups are currently excluded. [RT #40138]
 2648 
 2649 4741.	[bug]		Make isc_refcount_current() atomically read the
 2650 			counter value. [RT #46074]
 2651 
 2652 4740.	[cleanup]	Avoid triggering format-truncated warnings. [RT #46107]
 2653 
 2654 4739.	[cleanup]	Address clang static analysis warnings. [RT #45952]
 2655 
 2656 4738.	[port]		win32: strftime mishandles %Z. [RT #46039]
 2657 
 2658 4737.	[cleanup]	Address Coverity warnings. [RT #46012]
 2659 
 2660 4736.	[cleanup]	(a) Added comments to NSEC3-related functions in
 2661 			lib/dns/zone.c.  (b) Refactored NSEC3 salt formatting
 2662 			code.  (c) Minor tweaks to lock and result handling.
 2663 			[RT #46053]
 2664 
 2665 4735.	[bug]		Add @ISC_OPENSSL_LIBS@ to isc-config. [RT #46078]
 2666 
 2667 4734.	[contrib]	Added sample configuration for DNS-over-TLS in
 2668 			contrib/dnspriv.
 2669 
 2670 4733.	[bug]		Change #4706 introduced a bug causing TCP clients
 2671 			not be reused correctly, leading to unconstrained
 2672 			memory growth. [RT #46029]
 2673 
 2674 4732.	[func]		Change default minimal-responses setting to
 2675 			no-auth-recursive. [RT #46016]
 2676 
 2677 4731.	[bug]		Fix use after free when closing an LMDB. [RT #46000]
 2678 
 2679 4730.	[bug]		Fix out of bounds access in DHCID totext() method.
 2680 			[RT #46001]
 2681 
 2682 4729.	[bug]		Don't use memset() to wipe memory, as it may be
 2683 			removed by compiler optimizations when the
 2684 			memset() occurs on automatic stack allocation
 2685 			just before function return. [RT #45947]
 2686 
 2687 4728.	[func]		Use C11's stdatomic.h instead of isc_atomic
 2688 			where available. [RT #40668]
 2689 
 2690 4727.	[bug]		Retransferring an inline-signed slave using NSEC3
 2691 			around the time its NSEC3 salt was changed could result
 2692 			in an infinite signing loop. [RT #45080]
 2693 
 2694 4726.	[port]		Prevent setsockopt() errors related to TCP_FASTOPEN
 2695 			from being logged on FreeBSD if the kernel does not
 2696 			support it.  Notify the user when the kernel does
 2697 			support TCP_FASTOPEN, but it is disabled by sysctl.
 2698 			Add a new configure option, --disable-tcp-fastopen, to
 2699 			disable use of TCP_FASTOPEN altogether. [RT #44754]
 2700 
 2701 4725.	[bug]		Nsupdate: "recvsoa" was incorrectly reported for
 2702 			failures in sending the update message.  The correct
 2703 			location to be reported is "update_completed".
 2704 			[RT #46014]
 2705 
 2706 4724.	[func]		By default, BIND now uses the random number
 2707 			functions provided by the crypto library (i.e.,
 2708 			OpenSSL or a PKCS#11 provider) as a source of
 2709 			randomness rather than /dev/random.  This is
 2710 			suitable for virtual machine environments
 2711 			which have limited entropy pools and lack
 2712 			hardware random number generators.
 2713 
 2714 			This can be overridden by specifying another
 2715 			entropy source via the "random-device" option
 2716 			in named.conf, or via the -r command line option;
 2717 			however, for functions requiring full cryptographic
 2718 			strength, such as DNSSEC key generation, this
 2719 			cannot be overridden. In particular, the -r
 2720 			command line option no longer has any effect on
 2721 			dnssec-keygen.
 2722 
 2723 			This can be disabled by building with
 2724 			"configure --disable-crypto-rand".
 2725 			[RT #31459] [RT #46047]
 2726 
 2727 4723.	[bug]		Statistics counter DNSTAPdropped was misidentified
 2728 			as DNSSECdropped. [RT #46002]
 2729 
 2730 4722.	[cleanup]	Clean up uses of strcpy() and strcat() in favor of
 2731 			strlcpy() and strlcat() for safety. [RT #45981]
 2732 
 2733 4721.	[func]		'dnssec-signzone -x' and 'dnssec-dnskey-kskonly'
 2734 			options now apply to CDNSKEY and DS records as well
 2735 			as DNSKEY. Thanks to Tony Finch. [RT #45689]
 2736 
 2737 4720.	[func]		Added a statistics counter to track prefetch
 2738 			queries. [RT #45847]
 2739 
 2740 4719.	[bug]		Address PVS static analyzer warnings. [RT #45946]
 2741 
 2742 4718.	[func]		Avoid searching for a owner name compression pointer
 2743 			more than once when writing out a RRset. [RT #45802]
 2744 
 2745 4717.	[bug]		Treat replies with QCOUNT=0 as truncated if TC=1,
 2746 			FORMERR if TC=0, and log the error correctly.
 2747 			[RT #45836]
 2748 
 2749 4716.	[placeholder]
 2750 
 2751 	--- 9.12.0a1 released ---
 2752 
 2753 4715.	[bug]		TreeMemMax was mis-identified as a second HeapMemMax
 2754 			in the Json cache statistics. [RT #45980]
 2755 
 2756 4714.	[port]		openbsd/libressl: add support for building with
 2757 			--enable-openssl-hash. [RT #45982]
 2758 
 2759 4713.	[func]		Added support for the DNS Response Policy Service
 2760 			(DNSRPS) API, which allows named to use an external
 2761 			response policy daemon when built with
 2762 			"configure --enable-dnsrps". Thanks to Farsight
 2763 			Security. [RT #43376]
 2764 
 2765 4712.	[bug]		"dig +domain" and "dig +search" didn't retain the
 2766 			search domain when retrying with TCP. [RT #45547]
 2767 
 2768 4711.	[test]		Some RR types were missing from genzones.sh.
 2769 			[RT #45782]
 2770 
 2771 4710.	[cleanup]	Changed the --enable-openssl-hash default to yes.
 2772 			[RT #45019]
 2773 
 2774 4709.	[cleanup]	Use dns_name_fullhash() to hash names for RRL.
 2775 			[RT #45435]
 2776 
 2777 4708.	[cleanup]	Legacy Windows builds (i.e. for XP and earlier)
 2778 			are no longer supported. [RT #45186]
 2779 
 2780 4707.	[func]		The lightweight resolver daemon and library (lwresd
 2781 			and liblwres) have been removed. [RT #45186]
 2782 
 2783 4706.	[func]		Code implementing name server query processing has
 2784 			been moved from bin/named to a new library "libns".
 2785 			Functions remaining in bin/named are now prefixed
 2786 			with "named_" rather than "ns_".  This will make it
 2787 			easier to write unit tests for name server code, or
 2788 			link name server functionality into new tools.
 2789 			[RT #45186]
 2790 
 2791 4705.	[placeholder]
 2792 
 2793 4704.	[cleanup]	Silence Visual Studio compiler warnings. [RT #45898]
 2794 
 2795 4703.	[bug]		BINDInstall.exe was missing some buffer length checks.
 2796 			[RT #45898]
 2797 
 2798 4702.	[func]		Update function declarations to use
 2799 			dns_masterstyle_flags_t for style flags. [RT #45924]
 2800 
 2801 4701.	[cleanup]	Refactored lib/dns/tsig.c to reduce code
 2802 			duplication and simplify the disabling of MD5.
 2803 			[RT #45490]
 2804 
 2805 4700.	[func]		Serving of stale answers is now supported. This
 2806 			allows named to provide stale cached answers when
 2807 			the authoritative server is under attack.
 2808 			See max-stale-ttl, stale-answer-enable,
 2809 			stale-answer-ttl. [RT #44790]
 2810 
 2811 4699.	[func]		Multiple cookie-secret clauses can now be specified.
 2812 			The first one specified is used to generate new
 2813 			server cookies.  [RT #45672]
 2814 
 2815 4698.	[port]		Add --with-python-install-dir configure option to allow
 2816 			specifying a nonstandard installation directory for
 2817 			Python modules. [RT #45407]
 2818 
 2819 4697.	[bug]		Restore workaround for Microsoft Windows TSIG hash
 2820 			computation bug. [RT #45854]
 2821 
 2822 4696.	[port]		Enable filter-aaaa support by default on Windows
 2823 			builds. [RT #45883]
 2824 
 2825 4695.	[bug]		cookie-secrets were not being properly checked by
 2826 			named-checkconf. [RT #45886]
 2827 
 2828 4694.	[func]		dnssec-keygen no longer uses RSASHA1 by default;
 2829 			the signing algorithm must be specified on
 2830 			the command line with the "-a" option.  Signing
 2831 			scripts that rely on the existing default behavior
 2832 			will break; use "dnssec-keygen -a RSASHA1" to
 2833 			repair them. (The goal of this change is to make
 2834 			it easier to find scripts using RSASHA1 so they
 2835 			can be changed in the event of that algorithm
 2836 			being deprecated in the future.) [RT #44755]
 2837 
 2838 4693.	[func]		Synthesis of responses from DNSSEC-verified records.
 2839 			Stage 1 covers NXDOMAIN synthesis from NSEC records.
 2840 			This is controlled by synth-from-dnssec and is enabled
 2841 			by default. [RT #40138]
 2842 
 2843 4692.	[bug]		Fix build failures with libressl introduced in 4676.
 2844 			[RT #45879]
 2845 
 2846 4691.	[func]		Add -4/-6 command line options to nsupdate and rndc.
 2847 			[RT #45632]
 2848 
 2849 4690.	[bug]		Command line options -4/-6 were handled inconsistently
 2850 			between tools. [RT #45632]
 2851 
 2852 4689.	[cleanup]	Turn on minimal responses for CDNSKEY and CDS in
 2853 			addition to DNSKEY and DS. Thanks to Tony Finch.
 2854 			[RT #45690]
 2855 
 2856 4688.	[protocol]	Check and display EDNS KEY TAG options (RFC 8145) in
 2857 			messages. [RT #44804]
 2858 
 2859 4687.	[func]		Refactor tracklines code. [RT #45126]
 2860 
 2861 4686.	[bug]		dnssec-settime -p could print a bogus warning about
 2862 			key deletion scheduled before its inactivation when a
 2863 			key had an inactivation date set but no deletion date
 2864 			set. [RT #45807]
 2865 
 2866 4685.	[bug]		dnssec-settime incorrectly calculated publication and
 2867 			activation dates for a successor key. [RT #45806]
 2868 
 2869 4684.	[bug]		delv could send bogus DNS queries when an explicit
 2870 			server address was specified on the command line along
 2871 			with -4/-6. [RT #45804]
 2872 
 2873 4683.	[bug]		Prevent nsupdate from immediately exiting on invalid
 2874 			user input in interactive mode. [RT #28194]
 2875 
 2876 4682.	[bug]		Don't report errors on records below a DNAME.
 2877 			[RT #44880]
 2878 
 2879 4681.	[bug]		Log messages from the validator now include the
 2880 			associated view unless the view is "_default/IN"
 2881 			or "_dnsclient/IN". [RT #45770]
 2882 
 2883 4680.	[bug]		Fix failing over to another master server address when
 2884 			nsupdate is used with GSS-API. [RT #45380]
 2885 
 2886 4679.	[cleanup]	Suggest using -o when dnssec-verify finds a SOA record
 2887 			not at top of zone and -o is not used. [RT #45519]
 2888 
 2889 4678.	[bug]		geoip-use-ecs has the wrong type when geoip support
 2890 			is disabled at configure time. [RT #45763]
 2891 
 2892 4677.	[cleanup]	Split up the main function in dig to better support
 2893 			the iOS app version. [RT #45508]
 2894 
 2895 4676.	[cleanup]	Allow BIND to be built using OpenSSL 1.0.X with
 2896 			deprecated functions removed. [RT #45706]
 2897 
 2898 4675.	[cleanup]	Don't use C++ keyword class. [RT #45726]
 2899 
 2900 4674.	[func]		"dig +sigchase", and related options "+topdown" and
 2901 			"+trusted-keys", have been removed. Use "delv" for
 2902 			queries with DNSSEC validation. [RT #42793]
 2903 
 2904 4673.	[port]		Silence GCC 7 warnings. [RT #45592]
 2905 
 2906 4672.	[placeholder]
 2907 
 2908 4671.	[bug]		Fix a race condition that could cause the
 2909 			resolver to crash with assertion failure when
 2910 			chasing DS in specific conditions with a very
 2911 			short RTT to the upstream nameserver. [RT #45168]
 2912 
 2913 4670.	[cleanup]	Ensure that a request MAC is never sent back
 2914 			in an XFR response unless the signature was
 2915 			verified. [RT #45494]
 2916 
 2917 4669.	[func]		Iterative query logic in resolver.c has been
 2918 			refactored into smaller functions and commented,
 2919 			for improved readability, maintainability and
 2920 			testability. [RT #45362]
 2921 
 2922 4668.	[bug]		Use localtime_r and gmtime_r for thread safety.
 2923 			[RT #45664]
 2924 
 2925 4667.	[cleanup]	Refactor RDATA unit tests. [RT #45610]
 2926 
 2927 4666.	[bug]		dnssec-keymgr: Domain names beginning with digits (0-9)
 2928 			could cause a parser error when reading the policy
 2929 			file. This now works correctly so long as the domain
 2930 			name is quoted. [RT #45641]
 2931 
 2932 4665.	[protocol]	Added support for ED25519 and ED448 DNSSEC signing
 2933 			algorithms (RFC 8080). (Note: these algorithms
 2934 			depend on code currently in the development branch
 2935 			of OpenSSL which has not yet been released.)
 2936 			[RT #44696]
 2937 
 2938 4664.	[func]		Add a "glue-cache" option to enable or disable the
 2939 			glue cache. The default is "yes". [RT #45125]
 2940 
 2941 4663.	[cleanup]	Clarify error message printed by dnssec-dsfromkey.
 2942 			[RT #21731]
 2943 
 2944 4662.	[performance]	Improve cache memory cleanup of zero TTL records
 2945 			by putting them at the tail of LRU header lists.
 2946 			[RT #45274]
 2947 
 2948 4661.	[bug]		A race condition could occur if a zone was reloaded
 2949 			while resigning, triggering a crash in
 2950 			rbtdb.c:closeversion(). [RT #45276]
 2951 
 2952 4660.	[bug]		Remove spurious "peer" from Windows socket log
 2953 			messages. [RT #45617]
 2954 
 2955 4659.	[bug]		Remove spurious log message about lmdb-mapsize
 2956 			not being supported when parsing builtin
 2957 			configuration file. [RT #45618]
 2958 
 2959 4658.	[bug]		Clean up build directory created by "setup.py install"
 2960 			immediately.  [RT #45628]
 2961 
 2962 4657.	[bug]		rrchecker system test result could be improperly
 2963 			determined. [RT #45602]
 2964 
 2965 4656.	[bug]		Apply "port" and "dscp" values specified in catalog
 2966 			zone's "default-masters" option to the generated
 2967 			configuration of its member zones. [RT #45545]
 2968 
 2969 4655.	[bug]		Lack of seccomp could be falsely reported. [RT #45599]
 2970 
 2971 4654.	[cleanup]	Don't use C++ keywords delete, new and namespace.
 2972 			[RT #45538]
 2973 
 2974 4653.	[bug]		Reorder includes to move @DST_OPENSSL_INC@ and
 2975 			@ISC_OPENSSL_INC@ after shipped include directories.
 2976 			[RT #45581]
 2977 
 2978 4652.	[bug]		Nsupdate could attempt to use a zeroed address on
 2979 			server timeout. [RT #45417]
 2980 
 2981 4651.	[test]		Silence coverity warnings in tsig_test.c. [RT #45528]
 2982 
 2983 4650.	[placeholder]
 2984 
 2985 4649.	[bug]		The wrong zone was logged when a catalog zone is added.
 2986 			[RT #45520]
 2987 
 2988 4648.	[bug]		"rndc reconfig" on a slave no longer causes all member
 2989 			zones of configured catalog zones to be removed from
 2990 			configuration. [RT #45310]
 2991 
 2992 4647.	[bug]		Change 4643 broke verification of TSIG signed TCP
 2993 			message sequences where not all the messages contain
 2994 			TSIG records.  These may be used in AXFR and IXFR
 2995 			responses. [RT #45509]
 2996 
 2997 4646.	[placeholder]
 2998 
 2999 4645.	[bug]		Fix PKCS#11 RSA parsing when MD5 is disabled.
 3000 			[RT #45300]
 3001 
 3002 4644.	[placeholder]
 3003 
 3004 4643.	[security]	An error in TSIG handling could permit unauthorized
 3005 			zone transfers or zone updates. (CVE-2017-3142)
 3006 			(CVE-2017-3143) [RT #45383]
 3007 
 3008 4642.	[cleanup]	Add more logging of RFC 5011 events affecting the
 3009 			status of managed keys: newly observed keys,
 3010 			deletion of revoked keys, etc. [RT #45354]
 3011 
 3012 4641.	[cleanup]	Parallel builds (make -j) could fail with --with-atf /
 3013 			--enable-developer. [RT #45373]
 3014 
 3015 4640.	[bug]		If query_findversion failed in query_getdb due to
 3016 			memory failure the error status was incorrectly
 3017 			discarded. [RT #45331]
 3018 
 3019 4639.	[bug]		Fix a regression in --with-tuning reporting introduced
 3020 			by change 4488. [RT #45396]
 3021 
 3022 4638.	[bug]		Reloading or reconfiguring named could fail on
 3023 			some platforms when LMDB was in use. [RT #45203]
 3024 
 3025 4637.	[func]		"nsec3hash -r" option ("rdata order") takes arguments
 3026 			in the same order as they appear in NSEC3 or
 3027 			NSEC3PARAM records, so that NSEC3 parameters can
 3028 			be cut and pasted from an existing record. Thanks
 3029 			to Tony Finch for the contribution. [RT #45183]
 3030 
 3031 4636.	[bug]		Normalize rpz policy zone names when checking for
 3032 			existence. [RT #45358]
 3033 
 3034 4635.	[bug]		Fix RPZ NSDNAME logging that was logging
 3035 			failures as NSIP. [RT #45052]
 3036 
 3037 4634.	[contrib]	check5011.pl needs to handle optional space before
 3038 			semi-colon in +multi-line output. [RT #45352]
 3039 
 3040 4633.	[maint]		Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET.
 3041 
 3042 4632.	[security]	The BIND installer on Windows used an unquoted
 3043 			service path, which can enable privilege escalation.
 3044 			(CVE-2017-3141) [RT #45229]
 3045 
 3046 4631.	[security]	Some RPZ configurations could go into an infinite
 3047 			query loop when encountering responses with TTL=0.
 3048 			(CVE-2017-3140) [RT #45181]
 3049 
 3050 4630.	[bug]		"dyndb" is dependent on dlopen existing / being
 3051 			enabled. [RT #45291]
 3052 
 3053 4629.	[bug]		dns_client_startupdate could not be called with a
 3054 			running client. [RT #45277]
 3055 
 3056 4628.	[bug]		Fixed a potential reference leak in query_getdb().
 3057 			[RT #45247]
 3058 
 3059 4627.	[placeholder]
 3060 
 3061 4626.	[test]		Added more tests for handling of different record
 3062 			ordering in CNAME and DNAME responses. [QA #430]
 3063 
 3064 4625.	[bug]		Running "rndc addzone" and "rndc delzone" at close
 3065 			to the same time could trigger a deadlock if using
 3066 			LMDB. [RT #45209]
 3067 
 3068 4624.	[placeholder]
 3069 
 3070 4623.	[bug]		Use --with-protobuf-c and --with-libfstrm to find
 3071 			protoc-c and fstrm_capture. [RT #45187]
 3072 
 3073 4622.	[bug]		Remove unnecessary escaping of semicolon in CAA and
 3074 			URI records. [RT #45216]
 3075 
 3076 4621.	[port]		Force alignment of oid arrays to silence loader
 3077 			warnings. [RT #45131]
 3078 
 3079 4620.	[port]		Handle EPFNOSUPPORT being returned when probing
 3080 			to see if a socket type is supported. [RT #45214]
 3081 
 3082 4619.	[bug]		Call isc_mem_put instead of isc_mem_free in
 3083 			bin/named/server.c:setup_newzones. [RT #45202]
 3084 
 3085 4618.	[bug]		Check isc_mem_strdup results in dns_view_setnewzones.
 3086 			Add logging for lmdb call failures. [RT #45204]
 3087 
 3088 4617.	[test]		Update rndc system test to be more delay tolerant.
 3089 			[RT #45177]
 3090 
 3091 4616.	[bug]		When using LMDB, zones deleted using "rndc delzone"
 3092 			were not correctly removed from the new-zone
 3093 			database. [RT #45185]
 3094 
 3095 4615.	[bug]		AD could be set on truncated answer with no records
 3096 			present in the answer and authority sections.
 3097 			[RT #45140]
 3098 
 3099 4614.	[test]		Fixed an error in the sockaddr unit test. [RT #45146]
 3100 
 3101 4613.	[func]		By default, the maximum size of a zone journal file
 3102 			is now twice the size of the zone's contents (there
 3103 			is little benefit to a journal larger than this).
 3104 			This can be overridden by setting "max-journal-size"
 3105 			to "unlimited" or to an explicit value up to 2G.
 3106 			Thanks to Tony Finch. [RT #38324]
 3107 
 3108 4612.	[bug]		Silence 'may be use uninitalised' warning and simplify
 3109 			the code in lwres/getaddinfo:process_answer.
 3110 			[RT #45158]
 3111 
 3112 4611.	[bug]		The default LMDB mapsize was too low and caused
 3113 			errors after few thousand zones were added using
 3114 			rndc addzone. A new config option "lmdb-mapsize"
 3115 			has been introduced to configure the LMDB
 3116 			mapsize depending on operational needs.
 3117 			[RT #44954]
 3118 
 3119 4610.	[func]		The "new-zones-directory" option specifies the
 3120 			location of NZF or NZD files for storing
 3121 			configuration of zones added by "rndc addzone".
 3122 			Thanks to Petr Menšík. [RT #44853]
 3123 
 3124 4609.	[cleanup]	Rearrange makefiles to enable parallel execution
 3125 			(i.e. "make -j"). [RT #45078]
 3126 
 3127 4608.	[func]		DiG now warns about .local queries which are reserved
 3128 			for Multicast DNS. [RT #44783]
 3129 
 3130 4607.	[bug]		The memory context's malloced and maxmalloced counters
 3131 			were being updated without the appropriate lock being
 3132 			held.  [RT #44869]
 3133 
 3134 4606.	[port]		Stop using experimental "Experimental keys on scalar"
 3135 			feature of perl as it has been removed. [RT #45012]
 3136 
 3137 4605.	[performance]	Improve performance for delegation heavy answers
 3138 			and also general query performance. Removes the
 3139 			acache feature that didn't significantly improve
 3140 			performance. Adds a glue cache. Removes
 3141 			additional-from-cache and additional-from-auth
 3142 			features. Enables minimal-responses by
 3143 			default. Improves performance of compression
 3144 			code, owner case restoration, hash function,
 3145 			etc. Uses inline buffer implementation by
 3146 			default. Many other performance changes and fixes.
 3147 			[RT #44029]
 3148 
 3149 4604.	[bug]		Don't use ERR_load_crypto_strings() when building
 3150 			with OpenSSL 1.1.0. [RT #45117]
 3151 
 3152 4603.	[doc]		Automatically generate named.conf(5) man page
 3153 			from doc/misc/options. Thanks to Tony Finch.
 3154 			[RT #43525]
 3155 
 3156 4602.	[func]		Threads are now set to human-readable
 3157 			names to assist debugging, when supported by
 3158 			the OS. [RT #43234]
 3159 
 3160 4601.	[bug]		Reject incorrect RSA key lengths during key
 3161 			generation and and sign/verify context
 3162 			creation. [RT #45043]
 3163 
 3164 4600.	[bug]		Adjust RPZ trigger counts only when the entry
 3165 			being deleted exists. [RT #43386]
 3166 
 3167 4599.	[bug]		Fix inconsistencies in inline signing time
 3168 			comparison that were introduced with the
 3169 			introduction of rdatasetheader->resign_lsb.
 3170 			[RT #42112]
 3171 
 3172 4598.	[func]		Update fuzzing code to (1) reply to a DNSKEY
 3173 			query from named with appropriate DNSKEY used in
 3174 			fuzzing; (2) patch the QTYPE correctly in
 3175 			resolver fuzzing; (3) comment things so the rest
 3176 			of us are able to understand how fuzzing is
 3177 			implemented in named; (4) Coding style changes,
 3178 			cleanup, etc. [RT #44787]
 3179 
 3180 4597.	[bug]		The validator now ignores SHA-1 DS digest type
 3181 			when a DS record with SHA-384 digest type is
 3182 			present and is a supported digest type.
 3183 			[RT #45017]
 3184 
 3185 4596.	[bug]		Validate glue before adding it to the additional
 3186 			section. This also fixes incorrect TTL capping
 3187 			when the RRSIG expired earlier than the TTL.
 3188 			[RT #45062]
 3189 
 3190 4595.	[func]		dnssec-keygen will no longer generate RSA keys
 3191 			less than 1024 bits in length. dnssec-keymgr
 3192 			was similarly updated. [RT #36895]
 3193 
 3194 4594.	[func]		"dnstap-read -x" prints a hex dump of the wire
 3195 			format of each logged DNS message. [RT #44816]
 3196 
 3197 4593.	[doc]		Update README using markdown, remove outdated FAQ
 3198 			file in favor of the knowledge base.
 3199 
 3200 4592.	[bug]		A race condition on shutdown could trigger an
 3201 			assertion failure in dispatch.c. [RT #43822]
 3202 
 3203 4591.	[port]		Addressed some python 3 compatibility issues.
 3204 			Thanks to Ville Skytta. [RT #44955] [RT #44956]
 3205 
 3206 4590.	[bug]		Support for PTHREAD_MUTEX_ADAPTIVE_NP was not being
 3207 			properly detected. [RT #44871]
 3208 
 3209 4589.	[cleanup]	"configure -q" is now silent. [RT #44829]
 3210 
 3211 4588.	[bug]		nsupdate could send queries for TKEY to the wrong
 3212 			server when using GSSAPI. Thanks to Tomas Hozza.
 3213 			[RT #39893]
 3214 
 3215 4587.	[bug]		named-checkzone failed to handle occulted data below
 3216 			DNAMEs correctly. [RT #44877]
 3217 
 3218 4586.	[func]		dig, host and nslookup now use TCP for ANY queries.
 3219 			[RT #44687]
 3220 
 3221 4585.	[port]		win32: Set CompileAS value. [RT #42474]
 3222 
 3223 4584.	[bug]		A number of memory usage statistics were not properly
 3224 			reported when they exceeded 4G.  [RT #44750]
 3225 
 3226 4583.	[func]		"host -A" returns most records for a name but
 3227 			omits RRSIG, NSEC and NSEC3. (Thanks to Tony Finch.)
 3228 			[RT #43032]
 3229 
 3230 4582.	[security]	'rndc ""' could trigger a assertion failure in named.
 3231 			(CVE-2017-3138) [RT #44924]
 3232 
 3233 4581.	[port]		Linux: Add getpid and getrandom to the list of system
 3234 			calls named uses for seccomp. [RT #44883]
 3235 
 3236 4580.	[bug]		4578 introduced a regression when handling CNAME to
 3237 			referral below the current domain. [RT #44850]
 3238 
 3239 4579.	[func]		Logging channels and dnstap output files can now
 3240 			be configured with a "suffix" option, set to
 3241 			either "increment" or "timestamp", indicating
 3242 			whether to use incrementing numbers or timestamps
 3243 			as the file suffix when rolling over a log file.
 3244 			[RT #42838]
 3245 
 3246 4578.	[security]	Some chaining (CNAME or DNAME) responses to upstream
 3247 			queries could trigger assertion failures.
 3248 			(CVE-2017-3137) [RT #44734]
 3249 
 3250 4577.	[func]		Make qtype of resolver fuzzing packet configurable
 3251 			via command line. [RT #43540]
 3252 
 3253 4576.	[func]		The RPZ implementation has been substantially
 3254 			refactored for improved performance and reliability.
 3255 			[RT #43449]
 3256 
 3257 4575.	[security]	DNS64 with "break-dnssec yes;" can result in an
 3258 			assertion failure. (CVE-2017-3136) [RT #44653]
 3259 
 3260 4574.	[bug]		Dig leaked memory with multiple +subnet options.
 3261 			[RT #44683]
 3262 
 3263 4573.	[func]		Query logic has been substantially refactored (e.g.
 3264 			query_find function has been split into smaller
 3265 			functions) for improved readability, maintainability
 3266 			and testability. [RT #43929]
 3267 
 3268 4572.	[func]		The "dnstap-output" option can now take "size" and
 3269 			"versions" parameters to indicate the maximum size
 3270 			a dnstap log file can grow before rolling to a new
 3271 			file, and how many old files to retain. [RT #44502]
 3272 
 3273 4571.	[bug]		Out-of-tree builds of backtrace_test failed.
 3274 
 3275 4570.	[cleanup]	named did not correctly fall back to the built-in
 3276 			initializing keys if the bind.keys file was present
 3277 			but empty. [RT #44531]
 3278 
 3279 4569.	[func]		Store both local and remote addresses in dnstap
 3280 			logging, and modify dnstap-read output format to
 3281 			print them. [RT #43595]
 3282 
 3283 4568.	[contrib]	Added a --with-bind option to the dnsperf configure
 3284 			script to specify BIND prefix path.
 3285 
 3286 4567.	[port]		Call getprotobyname and getservbyname prior to calling
 3287 			chroot so that shared libraries get loaded. [RT #44537]
 3288 
 3289 4566.	[func]		Query logging now includes the ECS option if one
 3290 			was included in the query. [RT #44476]
 3291 
 3292 4565.	[cleanup]	The inline macro versions of isc_buffer_put*()
 3293 			did not implement automatic buffer reallocation.
 3294 			[RT #44216]
 3295 
 3296 4564.	[maint]		Update the built in managed keys to include the
 3297 			upcoming root KSK. [RT #44579]
 3298 
 3299 4563.	[bug]		Modified zones would occasionally fail to reload.
 3300 			[RT #39424]
 3301 
 3302 4562.	[func]		Add additional memory statistics currently malloced
 3303 			and maxmalloced per memory context. [RT #43593]
 3304 
 3305 4561.	[port]		Silence a warning in strict C99 compilers. [RT #44414]
 3306 
 3307 4560.	[bug]		mdig: add -m option to enable memory debugging rather
 3308 			than having it on all the time. [RT #44509]
 3309 
 3310 4559.	[bug]		openssl_link.c didn't compile if ISC_MEM_TRACKLINES
 3311 			was turned off.  [RT #44509]
 3312 
 3313 4558.	[bug]		Synthesised CNAME before matching DNAME was still
 3314 			being cached when it should not have been.  [RT #44318]
 3315 
 3316 4557.	[security]	Combining dns64 and rpz can result in dereferencing
 3317 			a NULL pointer (read).  (CVE-2017-3135) [RT#44434]
 3318 
 3319 4556.	[bug]		Sending an EDNS Padding option using "dig
 3320 			+ednsopt" could cause a crash in dig. [RT #44462]
 3321 
 3322 4555.	[func]		dig +ednsopt: EDNS options can now be specified by
 3323 			name in addition to numeric value. [RT #44461]
 3324 
 3325 4554.	[bug]		Remove double unlock in dns_dispatchmgr_setudp.
 3326 			[RT #44336]
 3327 
 3328 4553.	[bug]		Named could deadlock there were multiple changes to
 3329 			NSEC/NSEC3 parameters for a zone being processed at
 3330 			the same time. [RT #42770]
 3331 
 3332 4552.	[bug]		Named could trigger a assertion when sending notify
 3333 			messages. [RT #44019]
 3334 
 3335 4551.	[test]		Add system tests for integrity checks of MX and
 3336 			SRV records. [RT #43953]
 3337 
 3338 4550.	[cleanup]	Increased the number of available master file
 3339 			output style flags from 32 to 64. [RT #44043]
 3340 
 3341 4549.	[func]		Added support for the EDNS TCP Keepalive option
 3342 			(RFC 7828). [RT #42126]
 3343 
 3344 4548.	[func]		Added support for the EDNS Padding option (RFC 7830).
 3345 			[RT #42094]
 3346 
 3347 4547.	[port]		Add support for --enable-native-pkcs11 on the AEP
 3348 			Keyper HSM. [RT #42463]
 3349 
 3350 4546.	[func]		Extend the use of const declarations. [RT #43379]
 3351 
 3352 4545.	[func]		Expand YAML output from dnstap-read to include
 3353 			a detailed breakdown of the DNS message contents.
 3354 			[RT #43642]
 3355 
 3356 4544.	[bug]		Add message/payload size to dnstap-read YAML output.
 3357 			[RT #43622]
 3358 
 3359 4543.	[bug]		dns_client_startupdate now delays sending the update
 3360 			request until isc_app_ctxrun has been called.
 3361 			[RT #43976]
 3362 
 3363 4542.	[func]		Allow rndc to manipulate redirect zones with using
 3364 			-redirect as the zone name (use "-redirect." to
 3365 			manipulate a zone named "-redirect"). [RT #43971]
 3366 
 3367 4541.	[bug]		rndc addzone should properly reject non master/slave
 3368 			zones. [RT #43665]
 3369 
 3370 4540.	[bug]		Correctly handle ecs entries in dns_acl_isinsecure.
 3371 			[RT #43601]
 3372 
 3373 4539.	[bug]		Referencing a nonexistent zone with RPZ could lead
 3374 			to a assertion failure when configuring. [RT #43787]
 3375 
 3376 4538.	[bug]		Call dns_client_startresolve from client->task.
 3377 			[RT #43896]
 3378 
 3379 4537.	[bug]		Handle timeouts better in dig/host/nslookup. [RT #43576]
 3380 
 3381 4536.	[bug]		ISC_SOCKEVENTATTR_USEMINMTU was not being cleared
 3382 			when reusing the event structure. [RT #43885]
 3383 
 3384 4535.	[bug]		Address race condition in setting / testing of
 3385 			DNS_REQUEST_F_SENDING. [RT #43889]
 3386 
 3387 4534.	[bug]		Only set RD, RA and CD in QUERY responses. [RT #43879]
 3388 
 3389 4533.	[bug]		dns_client_update should terminate on prerequisite
 3390 			failures (NXDOMAIN, YXDOMAIN, NXRRSET, YXRRSET)
 3391 			and also on BADZONE.  [RT #43865]
 3392 
 3393 4532.	[contrib]	Make gen-data-queryperf.py python 3 compatible.
 3394 			[RT #43836]
 3395 
 3396 4531.	[security]	'is_zone' was not being properly updated by redirect2
 3397 			and subsequently preserved leading to an assertion
 3398 			failure. (CVE-2016-9778) [RT #43837]
 3399 
 3400 4530.	[bug]		Change 4489 broke the handling of CNAME -> DNAME
 3401 			in responses resulting in SERVFAIL being returned.
 3402 			[RT #43779]
 3403 
 3404 4529.	[cleanup]	Silence noisy log warning when DSCP probe fails
 3405 			due to firewall rules. [RT #43847]
 3406 
 3407 4528.	[bug]		Only set the flag bits for the i/o we are waiting
 3408 			for on EPOLLERR or EPOLLHUP. [RT #43617]
 3409 
 3410 4527.	[doc]		Support DocBook XSL Stylesheets v1.79.1. [RT #43831]
 3411 
 3412 4526.	[doc]		Corrected errors and improved formatting of
 3413 			grammar definitions in the ARM. [RT #43739]
 3414 
 3415 4525.	[doc]		Fixed outdated documentation on managed-keys.
 3416 			[RT #43810]
 3417 
 3418 4524.	[bug]		The net zero test was broken causing IPv4 servers
 3419 			with addresses ending in .0 to be rejected. [RT #43776]
 3420 
 3421 4523.	[doc]		Expand config doc for <querysource4> and
 3422 			<querysource6>. [RT #43768]
 3423 
 3424 4522.	[bug]		Handle big gaps in log file version numbers better.
 3425 			[RT #38688]
 3426 
 3427 4521.	[cleanup]	Log it as an error if an entropy source is not
 3428 			found and there is no fallback available. [RT #43659]
 3429 
 3430 4520.	[cleanup]	Alphabetize more of the grammar when printing it
 3431 			out. Fix unbalanced indenting. [RT #43755]
 3432 
 3433 4519.	[port]		win32: handle ERROR_MORE_DATA. [RT #43534]
 3434 
 3435 4518.	[func]		The "print-time" option in the logging configuration
 3436 			can now take arguments "local", "iso8601" or
 3437 			"iso8601-utc" to indicate the format in which the
 3438 			date and time should be logged. For backward
 3439 			compatibility, "yes" is a synonym for "local".
 3440 			[RT #42585]
 3441 
 3442 4517.	[security]	Named could mishandle authority sections that were
 3443 			missing RRSIGs triggering an assertion failure.
 3444 			(CVE-2016-9444) [RT # 43632]
 3445 
 3446 4516.	[bug]		isc_socketmgr_renderjson was missing from the
 3447 			windows build. [RT #43602]
 3448 
 3449 4515.	[port]		FreeBSD: Find readline headers when they are in
 3450 			edit/readline/ instead of readline/. [RT #43658]
 3451 
 3452 4514.	[port]		NetBSD: strip -WL, from ld command line. [RT #43204]
 3453 
 3454 4513.	[cleanup]	Minimum Python versions are now 2.7 and 3.2.
 3455 			[RT #43566]
 3456 
 3457 4512.	[bug]		win32: @GEOIP_INC@ missing from delv.vcxproj.in.
 3458 			[RT #43556]
 3459 
 3460 4511.	[bug]		win32: mdig.exe-BNFT was missing Configure. [RT #43554]
 3461 
 3462 4510.	[security]	Named mishandled some responses where covering RRSIG
 3463 			records are returned without the requested data
 3464 			resulting in a assertion failure. (CVE-2016-9147)
 3465 			[RT #43548]
 3466 
 3467 4509.	[test]		Make the rrl system test more reliable on slower
 3468 			machines by using mdig instead of dig. [RT #43280]
 3469 
 3470 4508.	[security]	Named incorrectly tried to cache TKEY records which
 3471 			could trigger a assertion failure when there was
 3472 			a class mismatch. (CVE-2016-9131) [RT #43522]
 3473 
 3474 4507.	[bug]		Named could incorrectly log 'allows updates by IP
 3475 			address, which is insecure' [RT #43432]
 3476 
 3477 4506.	[func]		'named-checkconf -l' will now list the zones found in
 3478 			named.conf. [RT #43154]
 3479 
 3480 4505.	[port]		Use IP_PMTUDISC_OMIT if available. [RT #35494]
 3481 
 3482 4504.	[security]	Allow the maximum number of records in a zone to
 3483 			be specified.  This provides a control for issues
 3484 			raised in CVE-2016-6170. [RT #42143]
 3485 
 3486 4503.	[cleanup]	"make uninstall" now removes files installed by
 3487 			BIND. (This currently excludes Python files
 3488 			due to lack of support in setup.py.) [RT #42192]
 3489 
 3490 4502.	[func]		Report multiple and experimental options when printing
 3491 			grammar. [RT #43134]
 3492 
 3493 4501.	[placeholder]
 3494 
 3495 4500.	[bug]		Support modifier I64 in isc__print_printf. [RT #43526]
 3496 
 3497 4499.	[port]		MacOSX: silence deprecated function warning
 3498 			by using arc4random_stir() when available
 3499 			instead of arc4random_addrandom(). [RT #43503]
 3500 
 3501 4498.	[test]		Simplify prerequisite checks in system tests.
 3502 			[RT #43516]
 3503 
 3504 4497.	[port]		Add support for OpenSSL 1.1.0. [RT #41284]
 3505 
 3506 4496.	[func]		dig: add +idnout to control whether labels are
 3507 			display in punycode or not.  Requires idn support
 3508 			to be enabled at compile time. [RT #43398]
 3509 
 3510 4495.	[bug]		A isc_mutex_init call was not being checked.
 3511 			[RT #43391]
 3512 
 3513 4494.	[bug]		Look for <editline/readline.h>. [RT #43429]
 3514 
 3515 4493.	[bug]		bin/tests/system/dyndb/driver/Makefile.in should use
 3516 			SO_TARGETS. [RT# 43336]
 3517 
 3518 4492.	[bug]		irs_resconf_load failed to initialize sortlistnxt
 3519 			causing bad writes if resolv.conf contained a
 3520 			sortlist directive. [RT #43459]
 3521 
 3522 4491.	[bug]		Improve message emitted when testing whether sendmsg
 3523 			works with TOS/TCLASS fails. [RT #43483]
 3524 
 3525 4490.	[maint]		Added AAAA (2001:500:12::d0d) for G.ROOT-SERVERS.NET.
 3526 
 3527 4489.	[security]	It was possible to trigger assertions when processing
 3528 			a response containing a DNAME answer. (CVE-2016-8864)
 3529 			[RT #43465]
 3530 
 3531 4488.	[port]		Darwin: use -framework for Kerberos. [RT #43418]
 3532 
 3533 4487.	[test]		Make system tests work on Windows. [RT #42931]
 3534 
 3535 4486.	[bug]		Look in $prefix/lib/pythonX.Y/site-packages for
 3536 			the python modules we install. [RT #43330]
 3537 
 3538 4485.	[bug]		Failure to find readline when requested should be
 3539 			fatal to configure. [RT #43328]
 3540 
 3541 4484.	[func]		Check prefixes in acls to make sure the address and
 3542 			prefix lengths are consistent.  Warn only in
 3543 			BIND 9.11 and earlier. [RT #43367]
 3544 
 3545 4483.	[bug]		Address use before require check and remove extraneous
 3546 			dns_message_gettsigkey call in dns_tsig_sign.
 3547 			[RT #43374]
 3548 
 3549 4482.	[cleanup]	Change #4455 was incomplete. [RT #43252]
 3550 
 3551 4481.	[func]		dig: make +class, +crypto, +multiline, +rrcomments,
 3552 			+onesoa, +qr, +ttlid, +ttlunits and -u per lookup
 3553 			rather than global. [RT #42450]
 3554 
 3555 4480.	[placeholder]
 3556 
 3557 4479.	[placeholder]
 3558 
 3559 4478.	[func]		Add +continue option to mdig, allow continue on socket
 3560 			errors. [RT #43281]
 3561 
 3562 4477.	[test]		Fix mkeys test timing issues. [RT #41028]
 3563 
 3564 4476.	[test]		Fix reclimit test on slower machines. [RT #43283]
 3565 
 3566 4475.	[doc]		Update named-checkconf documentation. [RT #43153]
 3567 
 3568 4474.	[bug]		win32: call WSAStartup in fromtext_in_wks so that
 3569 			getprotobyname and getservbyname work.  [RT #43197]
 3570 
 3571 4473.	[bug]		Only call fsync / _commit on regular files. [RT #43196]
 3572 
 3573 4472.	[bug]		Named could fail to find the correct NSEC3 records when
 3574 			a zone was updated between looking for the answer and
 3575 			looking for the NSEC3 records proving nonexistence
 3576 			of the answer. [RT #43247]
 3577 
 3578 	--- 9.11.0 released ---
 3579 
 3580 	--- 9.11.0rc3 released ---
 3581 
 3582 4471.	[cleanup]	Render client/query logging format consistent for
 3583 			ease of log file parsing. (Note that this affects
 3584 			"querylog" format: there is now an additional field
 3585 			indicating the client object address.) [RT #43238]
 3586 
 3587 4470.	[bug]		Reset message with intent parse before
 3588 			calling dns_dispatch_getnext. [RT #43229]
 3589 
 3590 4469.	[placeholder]
 3591 
 3592 	--- 9.11.0rc2 released ---
 3593 
 3594 4468.	[bug]		Address ECS option handling issues. [RT #43191]
 3595 
 3596 4467.	[security]	It was possible to trigger an assertion when
 3597 			rendering a message. (CVE-2016-2776) [RT #43139]
 3598 
 3599 4466.	[bug]		Interface scanning didn't work on a Windows system
 3600 			without a non local IPv6 addresses. [RT #43130]
 3601 
 3602 4465.	[bug]		Don't use "%z" as Windows doesn't support it.
 3603 			[RT #43131]
 3604 
 3605 4464.	[bug]		Fix windows python support. [RT #43173]
 3606 
 3607 4463.	[bug]		The dnstap system test failed on some systems.
 3608 			[RT #43129]
 3609 
 3610 4462.	[bug]		Don't describe a returned EDNS COOKIE as "good"
 3611 			when there isn't a valid server cookie. [RT #43167]
 3612 
 3613 4461.	[bug]		win32: not all external data was properly marked
 3614 			as external data for windows dll. [RT #43161]
 3615 
 3616 	--- 9.11.0rc1 released ---
 3617 
 3618 4460.	[test]		Add system test for dnstap using unix domain sockets.
 3619 			[RT #42926]
 3620 
 3621 4459.	[bug]		TCP client objects created to handle pipeline queries
 3622 			were not cleaned up correctly, causing uncontrolled
 3623 			memory growth. [RT #43106]
 3624 
 3625 4458.	[cleanup]	Update assertions to be more correct, and also remove
 3626 			use of a reserved word. [RT #43090]
 3627 
 3628 4457.	[maint]		Added AAAA (2001:500:a8::e) for E.ROOT-SERVERS.NET.
 3629 
 3630 4456.	[doc]		Add DOCTYPE and lang attribute to <html> tags.
 3631 			[RT #42587]
 3632 
 3633 4455.	[cleanup]	Allow dyndb modules to correctly log the filename
 3634 			and line number when processing configuration text
 3635 			from named.conf. [RT #43050]
 3636 
 3637 4454.	[bug]		'rndc dnstap -reopen' had a race issue. [RT #43089]
 3638 
 3639 4453.	[bug]		Prefetching of DS records failed to update their
 3640 			RRSIGs. [RT #42865]
 3641 
 3642 4452.	[bug]		The default key manager policy file is now
 3643 			<sysdir>/dnssec-policy.conf (usually
 3644 			/etc/dnssec-policy.conf). [RT #43064]
 3645 
 3646 4451.	[cleanup]	Log more useful information if a PKCS#11 provider
 3647 			library cannot be loaded. [RT #43076]
 3648 
 3649 4450.	[port]		Provide more nuanced HSM support which better matches
 3650 			the specific PKCS11 providers capabilities. [RT #42458]
 3651 
 3652 4449.	[test]		Fix catalog zones test on slower systems. [RT #42997]
 3653 
 3654 4448.	[bug]		win32: ::1 was not being found when iterating
 3655 			interfaces. [RT #42993]
 3656 
 3657 4447.	[tuning]	Allow the fstrm_iothr_init() options to be set using
 3658 			named.conf to control how dnstap manages the data
 3659 			flow. [RT #42974]
 3660 
 3661 4446.	[bug]		The cache_find() and _findrdataset() functions
 3662 			could find rdatasets that had been marked stale.
 3663 			[RT #42853]
 3664 
 3665 4445.	[cleanup]	isc_errno_toresult() can now be used to call the
 3666 			formerly private function isc__errno2result().
 3667 			[RT #43050]
 3668 
 3669 4444.	[bug]		Fixed some issues related to dyndb: A bug caused
 3670 			braces to be omitted when passing configuration text
 3671 			from named.conf to a dyndb driver, and there was a
 3672 			use-after-free in the sample dyndb driver. [RT #43050]
 3673 
 3674 4443.	[func]		Set TCP_MAXSEG in addition to IPV6_USE_MIN_MTU on
 3675 			TCP sockets. [RT #42864]
 3676 
 3677 4442.	[bug]		Fix RPZ CIDR tree insertion bug that corrupted
 3678 			tree data structure with overlapping networks
 3679 			(longest prefix match was ineffective).
 3680 			[RT #43035]
 3681 
 3682 4441.	[cleanup]	Alphabetize host's help output. [RT #43031]
 3683 
 3684 4440.	[func]		Enable TCP fast open support when available on the
 3685 			server side. [RT #42866]
 3686 
 3687 4439.	[bug]		Address race conditions getting ownernames of nodes.
 3688 			[RT #43005]
 3689 
 3690 4438.	[func]		Use LIFO rather than FIFO when processing startup
 3691 			notify and refresh queries. [RT #42825]
 3692 
 3693 4437.	[func]		Minimal-responses now has two additional modes
 3694 			no-auth and no-auth-recursive which suppress
 3695 			adding the NS records to the authority section
 3696 			as well as the associated address records for the
 3697 			nameservers. [RT #42005]
 3698 
 3699 4436.	[func]		Return TLSA records as additional data for MX and SRV
 3700 			lookups. [RT #42894]
 3701 
 3702 4435.	[tuning]	Only set IPV6_USE_MIN_MTU for UDP when the message
 3703 			will not fit into a single IPv4 encapsulated IPv6
 3704 			UDP packet when transmitted over a Ethernet link.
 3705 			[RT #42871]
 3706 
 3707 4434.	[protocol]	Return EDNS EXPIRE option for master zones in addition
 3708 			to slave zones. [RT #43008]
 3709 
 3710 4433.	[cleanup]	Report an error when passing an invalid option or
 3711 			view name to "rndc dumpdb". [RT #42958]
 3712 
 3713 4432.	[test]		Hide rndc output on expected failures in logfileconfig
 3714 			system test. [RT #27996]
 3715 
 3716 4431.	[bug]		named-checkconf now checks the rate-limit clause.
 3717 			[RT #42970]
 3718 
 3719 4430.	[bug]		Lwresd died if a search list was not defined.
 3720 			Found by 0x710DDDD At Alibaba Security. [RT #42895]
 3721 
 3722 4429.	[bug]		Address potential use after free on fclose() error.
 3723 			[RT #42976]
 3724 
 3725 4428.	[bug]		The "test dispatch getnext" unit test could fail
 3726 			in a threaded build. [RT #42979]
 3727 
 3728 4427.	[bug]		The "query" and "response" parameters to the
 3729 			"dnstap" option had their functions reversed.
 3730 
 3731 	--- 9.11.0b3 released ---
 3732 
 3733 4426.	[bug]		Addressed Coverity warnings. [RT #42908]
 3734 
 3735 4425.	[bug]		arpaname, dnstap-read and named-rrchecker were not
 3736 			being installed into ${prefix}/bin.  Tidy up
 3737 			installation issues with CHANGE 4421. [RT #42910]
 3738 
 3739 4424.	[experimental]	Named now sends _ta-XXXX.<trust-anchor>/NULL queries
 3740 			to provide feedback to the trust-anchor administrators
 3741 			about how key rollovers are progressing as per
 3742 			draft-ietf-dnsop-edns-key-tag-02.  This can be
 3743 			disabled using 'trust-anchor-telemetry no;'.
 3744 			[RT #40583]
 3745 
 3746 4423.	[maint]		Added missing IPv6 address 2001:500:84::b for
 3747 			B.ROOT-SERVERS.NET. [RT #42898]
 3748 
 3749 4422.	[port]		Silence clang warnings in dig.c and dighost.c.
 3750 			[RT #42451]
 3751 
 3752 4421.	[func]		When built with LMDB (Lightning Memory-mapped
 3753 			Database), named will now use a database to store
 3754 			the configuration for zones added by "rndc addzone"
 3755 			instead of using a flat NZF file. This improves
 3756 			performance of "rndc delzone" and "rndc modzone"
 3757 			significantly. Existing NZF files will
 3758 			automatically by converted to NZD databases.
 3759 			To view the contents of an NZD or to roll back to
 3760 			NZF format, use "named-nzd2nzf". To disable
 3761 			this feature, use "configure --without-lmdb".
 3762 			[RT #39837]
 3763 
 3764 4420.	[func]		nslookup now looks for AAAA as well as A by default.
 3765 			[RT #40420]
 3766 
 3767 4419.	[bug]		Don't cause undefined result if the label of an
 3768 			entry in catalog zone is changed. [RT #42708]
 3769 
 3770 4418.	[bug]		Fix a compiler warning in GSSAPI code. [RT #42879]
 3771 
 3772 4417.	[bug]		dnssec-keymgr could fail to create successor keys
 3773 			if the prepublication interval was set to a value
 3774 			smaller than the default. [RT #42820]
 3775 
 3776 4416.	[bug]		dnssec-keymgr: Domain names in policy files could
 3777 			fail to match due to trailing dots. [RT #42807]
 3778 
 3779 4415.	[bug]		dnssec-keymgr: Expired/deleted keys were not always
 3780 			excluded. [RT #42884]
 3781 
 3782 4414.	[bug]		Corrected a bug in the MIPS implementation of
 3783 			isc_atomic_xadd(). [RT #41965]
 3784 
 3785 4413.	[bug]		GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED
 3786 			was returned. [RT #42733]
 3787 
 3788 	--- 9.11.0b2 released ---
 3789 
 3790 4412.	[cleanup]	Make fixes for GCC 6. ISC_OFFSET_MAXIMUM macro was
 3791 			removed. [RT #42721]
 3792 
 3793 4411.	[func]		"rndc dnstap -roll" automatically rolls the
 3794 			dnstap output file; the previous version is
 3795 			saved with ".0" suffix, and earlier versions
 3796 			with ".1" and so on. An optional numeric argument
 3797 			indicates how many prior files to save. [RT #42830]
 3798 
 3799 4410.	[bug]		Address use after free and memory leak with dnstap.
 3800 			[RT #42746]
 3801 
 3802 4409.	[bug]		DNS64 should exclude mapped addresses by default when
 3803 			an exclude acl is not defined. [RT #42810]
 3804 
 3805 4408.	[func]		Continue waiting for expected response when we the
 3806 			response we get does not match the request. [RT #41026]
 3807 
 3808 4407.	[performance]	Use GCC builtin for clz in RPZ lookup code.
 3809 			[RT #42818]
 3810 
 3811 4406.	[security]	getrrsetbyname with a non absolute name could
 3812 			trigger an infinite recursion bug in lwresd
 3813 			and named with lwres configured if when combined
 3814 			with a search list entry the resulting name is
 3815 			too long. (CVE-2016-2775) [RT #42694]
 3816 
 3817 4405.	[bug]		Change 4342 introduced a regression where you could
 3818 			not remove a delegation in a NSEC3 signed zone using
 3819 			OPTOUT via nsupdate. [RT #42702]
 3820 
 3821 4404.	[misc]		Allow krb5-config to be used when configuring gssapi.
 3822 			[RT #42580]
 3823 
 3824 4403.	[bug]		Rename variables and arguments that shadow: basename,
 3825 			clone and gai_error.
 3826 
 3827 4402.	[bug]		protoc-c is now a hard requirement for --enable-dnstap.
 3828 
 3829 	--- 9.11.0b1 released ---
 3830 
 3831 4401.	[misc]		Change LICENSE to MPL 2.0.
 3832 
 3833 4400.	[bug]		ttl policy was not being inherited in policy.py.
 3834 			[RT #42718]
 3835 
 3836 4399.	[bug]		policy.py 'ECCGOST', 'ECDSAP256SHA256', and
 3837 			'ECDSAP384SHA384' don't have settable keysize.
 3838 			[RT #42718]
 3839 
 3840 4398.	[bug]		Correct spelling of ECDSAP256SHA256 in policy.py.
 3841 			[RT #42718]
 3842 
 3843 4397.	[bug]		Update Windows python support. [RT #42538]
 3844 
 3845 4396.	[func]		dnssec-keymgr now takes a '-r randomfile' option.
 3846 			[RT #42455]
 3847 
 3848 4395.	[bug]		Improve out-of-tree installation of python modules.
 3849 			[RT #42586]
 3850 
 3851 4394.	[func]		Add rndc command "dnstap-reopen" to close and
 3852 			reopen dnstap output files. [RT #41803]
 3853 
 3854 4393.	[bug]		Address potential NULL pointer dereferences in
 3855 			dnstap code.
 3856 
 3857 4392.	[func]		Collect statistics for RSSAC02v3 traffic-volume,
 3858 			traffic-sizes and rcode-volume reporting. [RT #41475]
 3859 
 3860 4391.	[contrib]	Fix leaks in contrib DLZ code. [RT #42707]
 3861 
 3862 4390.	[doc]		Description of masters with TSIG, allow-query and
 3863 			allow-transfer options in catalog zones. [RT #42692]
 3864 
 3865 4389.	[test]		Rewritten test suite for catalog zones. [RT #42676]
 3866 
 3867 4388.	[func]		Support for master entries with TSIG keys in catalog
 3868 			zones. [RT #42577]
 3869 
 3870 4387.	[bug]		Change 4336 was not complete leading to SERVFAIL
 3871 			being return as NS records expired. [RT #42683]
 3872 
 3873 4386.	[bug]		Remove shadowed overmem function/variable. [RT #42706]
 3874 
 3875 4385.	[func]		Add support for allow-query and allow-transfer ACLs
 3876 			to catalog zones. [RT #42578]
 3877 
 3878 4384.	[bug]		Change 4256 accidentally disabled logging of the
 3879 			rndc command. [RT #42654]
 3880 
 3881 4383.	[bug]		Correct spelling error in stats channel description of
 3882 			"EDNS client subnet option received". [RT #42633]
 3883 
 3884 4382.	[bug]		rndc {addzone,modzone,delzone,showzone} should all
 3885 			compare the zone name using a canonical format.
 3886 			[RT #42630]
 3887 
 3888 4381.	[bug]		Missing "zone-directory" option in catalog zone
 3889 			definition caused BIND to crash. [RT #42579]
 3890 
 3891 	--- 9.11.0a3 released ---
 3892 
 3893 4380.	[experimental]	Added a "zone-directory" option to "catalog-zones"
 3894 			syntax, allowing local masterfiles for slaves
 3895 			that are provisioned by catalog zones to be stored
 3896 			in a directory other than the server's working
 3897 			directory. [RT #42527]
 3898 
 3899 4379.	[bug]		An INSIST could be triggered if a zone contains
 3900 			RRSIG records with expiry fields that loop
 3901 			using serial number arithmetic. [RT #40571]
 3902 
 3903 4378.	[contrib]	#include <isc/string.h> for strlcat in zone2ldap.c.
 3904 			[RT #42525]
 3905 
 3906 4377.	[bug]		Don't reuse zero TTL responses beyond the current
 3907 			client set (excludes ANY/SIG/RRSIG queries).
 3908 			[RT #42142]
 3909 
 3910 4376.	[experimental]	Added support for Catalog Zones, a new method for
 3911 			provisioning secondary servers in which a list of
 3912 			zones to be served is stored in a DNS zone and can
 3913 			be propagated to slaves via AXFR/IXFR. [RT #41581]
 3914 
 3915 4375.	[func]		Add support for automatic reallocation of isc_buffer
 3916 			to isc_buffer_put* functions. [RT #42394]
 3917 
 3918 4374.	[bug]		Use SAVE/RESTORE macros in query.c to reduce the
 3919 			probability of reference counting errors as seen
 3920 			in 4365. [RT #42405]
 3921 
 3922 4373.	[bug]		Address undefined behavior in getaddrinfo. [RT #42479]
 3923 
 3924 4372.	[bug]		Address undefined behavior in libt_api. [RT #42480]
 3925 
 3926 4371.	[func]		New "minimal-any" option reduces the size of UDP
 3927 			responses for qtype ANY by returning a single
 3928 			arbitrarily selected RRset instead of all RRsets.
 3929 			Thanks to Tony Finch. [RT #41615]
 3930 
 3931 4370.	[bug]		Address python3 compatibility issues with RNDC module.
 3932 			[RT #42499] [RT #42506]
 3933 
 3934 	--- 9.11.0a2 released ---
 3935 
 3936 4369.	[bug]		Fix 'make' and 'make install' out-of-tree python
 3937 			support. [RT #42484]
 3938 
 3939 4368.	[bug]		Fix a crash when calling "rndc stats" on some
 3940 			Windows builds because some Visual Studio compilers
 3941 			generated crashing code for the "%z" printf()
 3942 			format specifier. [RT #42380]
 3943 
 3944 4367.	[bug]		Remove unnecessary assignment of loadtime in
 3945 			zone_touched. [RT #42440]
 3946 
 3947 4366.	[bug]		Address race condition when updating rbtnode bit
 3948 			fields. [RT #42379]
 3949 
 3950 4365.	[bug]		Address zone reference counting errors involving
 3951 			nxdomain-redirect. [RT #42258]
 3952 
 3953 4364.	[port]		freebsd: add -Wl,-E to loader flags [RT #41690]
 3954 
 3955 4363.	[port]		win32: Disable explicit triggering UAC when running
 3956 			BINDInstall.
 3957 
 3958 4362.	[func]		Changed rndc reconfig behavior so that newly added
 3959 			zones are loaded asynchronously and the loading does
 3960 			not block the server. [RT #41934]
 3961 
 3962 4361.	[cleanup]	Where supported, file modification times returned
 3963 			by isc_file_getmodtime() are now accurate to the
 3964 			nanosecond. [RT #41968]
 3965 
 3966 4360.	[bug]		Silence spurious 'bad key type' message when there is
 3967 			a existing TSIG key. [RT #42195]
 3968 
 3969 4359.	[bug]		Inherited 'also-notify' lists were not being checked
 3970 			by named-checkconf. [RT #42174]
 3971 
 3972 4358.	[test]		Added American Fuzzy Lop harness that allows
 3973 			feeding fuzzed packets into BIND.
 3974 			[RT #41723]
 3975 
 3976 4357.	[func]		Add the python RNDC module. [RT #42093]
 3977 
 3978 4356.	[func]		Add the ability to specify whether to wait for
 3979 			nameserver addresses to be looked up or not to
 3980 			RPZ with a new modifying directive 'nsip-wait-recurse'.
 3981 			[RT #35009]
 3982 
 3983 4355.	[func]		"pkcs11-list" now displays the extractability
 3984 			attribute of private or secret keys stored in
 3985 			an HSM, as either "true", "false", or "never"
 3986 			Thanks to Daniel Stirnimann. [RT #36557]
 3987 
 3988 4354.	[bug]		Check that the received HMAC length matches the
 3989 			expected length prior to check the contents on the
 3990 			control channel.  This prevents a OOB read error.
 3991 			This was reported by Lian Yihan, <lianyihan@360.cn>.
 3992 			[RT #42215]
 3993 
 3994 4353.	[cleanup]	Update PKCS#11 header files. [RT #42175]
 3995 
 3996 4352.	[cleanup]	The ISC DNSSEC Lookaside Validation (DLV) service
 3997 			is scheduled to be disabled in 2017.  A warning is
 3998 			now logged when named is configured to use it,
 3999 			either explicitly or via "dnssec-lookaside auto;"
 4000 			[RT #42207]
 4001 
 4002 4351.	[bug]		'dig +noignore' didn't work. [RT #42273]
 4003 
 4004 4350.	[contrib]	Declare result in  dlz_filesystem_dynamic.c.
 4005 
 4006 4349.	[contrib]	kasp2policy: A python script to create a DNSSEC
 4007 			policy file from an OpenDNSSEC KASP XML file.
 4008 
 4009 4348.	[func]		dnssec-keymgr: A new python-based DNSSEC key
 4010 			management utility, which reads a policy definition
 4011 			file and can create or update DNSSEC keys as needed
 4012 			to ensure that a zone's keys match policy, roll over
 4013 			correctly on schedule, etc.  Thanks to Sebastian
 4014 			Castro for assistance in development. [RT #39211]
 4015 
 4016 4347.	[port]		Corrected a build error on x86_64 Solaris. [RT #42150]
 4017 
 4018 4346.	[bug]		Fixed a regression introduced in change #4337 which
 4019 			caused signed domains with revoked KSKs to fail
 4020 			validation. [RT #42147]
 4021 
 4022 4345.	[contrib]	perftcpdns mishandled the return values from
 4023 			clock_nanosleep. [RT #42131]
 4024 
 4025 4344.	[port]		Address openssl version differences. [RT #42059]
 4026 
 4027 4343.	[bug]		dns_dnssec_syncupdate mis-declared in <dns/dnssec.h>.
 4028 			[RT #42090]
 4029 
 4030 4342.	[bug]		'rndc flushtree' could fail to clean the tree if there
 4031 			wasn't a node at the specified name. [RT #41846]
 4032 
 4033 	--- 9.11.0a1 released ---
 4034 
 4035 4341.	[bug]		Correct the handling of ECS options with
 4036 			address family 0. [RT #41377]
 4037 
 4038 4340.	[performance]	Implement adaptive read-write locks, reducing the
 4039 			overhead of locks that are only held briefly.
 4040 			[RT #37329]
 4041 
 4042 4339.	[test]		Use "mdig" to test pipelined queries. [RT #41929]
 4043 
 4044 4338.	[bug]		Reimplement change 4324 as it wasn't properly doing
 4045 			all the required book keeping. [RT #41941]
 4046 
 4047 4337.	[bug]		The previous change exposed a latent flaw in
 4048 			key refresh queries for managed-keys when
 4049 			a cached DNSKEY had TTL 0. [RT #41986]
 4050 
 4051 4336.	[bug]		Don't emit records with zero ttl unless the records
 4052 			were learnt with a zero ttl. [RT #41687]
 4053 
 4054 4335.	[bug]		zone->view could be detached too early. [RT #41942]
 4055 
 4056 4334.	[func]		'named -V' now reports zlib version. [RT #41913]
 4057 
 4058 4333.	[maint]		L.ROOT-SERVERS.NET is now 199.7.83.42 and
 4059 			2001:500:9f::42.
 4060 
 4061 4332.	[placeholder]
 4062 
 4063 4331.	[func]		When loading managed signed zones detect if the
 4064 			RRSIG's inception time is in the future and regenerate
 4065 			the RRSIG immediately. [RT #41808]
 4066 
 4067 4330.	[protocol]	Identify the PAD option as "PAD" when printing out
 4068 			a message.
 4069 
 4070 4329.	[func]		Warn about a common misconfiguration when forwarding
 4071 			RFC 1918 zones. [RT #41441]
 4072 
 4073 4328.	[performance]	Add dns_name_fromwire() benchmark test. [RT #41694]
 4074 
 4075 4327.	[func]		Log query and depth counters during fetches when
 4076 			querytrace (./configure --enable-querytrace) is
 4077 			enabled (helps in diagnosing).  [RT #41787]
 4078 
 4079 4326.	[protocol]	Add support for AVC. [RT #41819]
 4080 
 4081 4325.	[func]		Add a line to "rndc status" indicating the
 4082 			hostname and operating system details. [RT #41610]
 4083 
 4084 4324.	[bug]		When deleting records from a zone database, interior
 4085 			nodes could be left empty but not deleted, damaging
 4086 			search performance afterward. [RT #40997]
 4087 
 4088 4323.	[bug]		Improve HTTP header processing on statschannel.
 4089 			[RT #41674]
 4090 
 4091 4322.	[security]	Duplicate EDNS COOKIE options in a response could
 4092 			trigger an assertion failure. (CVE-2016-2088)
 4093 			[RT #41809]
 4094 
 4095 4321.	[bug]		Zones using mapped files containing out-of-zone data
 4096 			could return SERVFAIL instead of the expected NODATA
 4097 			or NXDOMAIN results. [RT #41596]
 4098 
 4099 4320.	[bug]		Insufficient memory allocation when handling
 4100 			"none" ACL could cause an assertion failure in
 4101 			named when parsing ACL configuration. [RT #41745]
 4102 
 4103 4319.	[security]	Fix resolver assertion failure due to improper
 4104 			DNAME handling when parsing fetch reply messages.
 4105 			(CVE-2016-1286) [RT #41753]
 4106 
 4107 4318.	[security]	Malformed control messages can trigger assertions
 4108 			in named and rndc. (CVE-2016-1285) [RT #41666]
 4109 
 4110 4317.	[bug]		Age all unused servers on fetch timeout. [RT #41597]
 4111 
 4112 4316.	[func]		Add option to tools to print RRs in unknown
 4113 			presentation format [RT #41595].
 4114 
 4115 4315.	[bug]		Check that configured view class isn't a meta class.
 4116 			[RT #41572].
 4117 
 4118 4314.	[contrib]	Added 'dnsperf-2.1.0.0-1', a set of performance
 4119 			testing tools provided by Nominum, Inc.
 4120 
 4121 4313.	[bug]		Handle ns_client_replace failures in test mode.
 4122 			[RT #41190]
 4123 
 4124 4312.	[bug]		dig's unknown DNS and EDNS flags (MBZ value) logging
 4125 			was not consistent. [RT #41600]
 4126 
 4127 4311.	[bug]		Prevent "rndc delzone" from being used on
 4128 			response-policy zones. [RT #41593]
 4129 
 4130 4310.	[performance]	Use __builtin_expect() where available to annotate
 4131 			conditions with known behavior. [RT #41411]
 4132 
 4133 4309.	[cleanup]	Remove the spurious "none" filename from log messages
 4134 			when processing built-in configuration. [RT #41594]
 4135 
 4136 4308.	[func]		Added operating system details to "named -V"
 4137 			output. [RT #41452]
 4138 
 4139 4307.	[bug]		"dig +subnet" and "mdig +subnet" could send
 4140 			incorrectly-formatted Client Subnet options
 4141 			if the prefix length was not divisible by 8.
 4142 			Also fixed a memory leak in "mdig". [RT #45178]
 4143 
 4144 4306.	[maint]		Added a PKCS#11 openssl patch supporting
 4145 			version 1.0.2f [RT #38312]
 4146 
 4147 4305.	[bug]		dnssec-signzone was not removing unnecessary rrsigs
 4148 			from the zone's apex. [RT #41483]
 4149 
 4150 4304.	[port]		xfer system test failed as 'tail -n +value' is not
 4151 			portable. [RT #41315]
 4152 
 4153 4303.	[bug]		"dig +subnet" was unable to send a prefix length of
 4154 			zero, as it was incorrectly changed to 32 for v4
 4155 			prefixes or 128 for v6 prefixes. In addition to
 4156 			fixing this, "dig +subnet=0" has been added as a
 4157 			short form for 0.0.0.0/0. The same changes have
 4158 			also been made in "mdig". [RT #41553]
 4159 
 4160 4302.	[port]		win32: fixed a build error in VS 2015. [RT #41426]
 4161 
 4162 4301.	[bug]		dnssec-settime -p [DP]sync was not working. [RT #41534]
 4163 
 4164 4300.	[bug]		A flag could be set in the wrong field when setting
 4165 			up non-recursive queries; this could cause the
 4166 			SERVFAIL cache to cache responses it shouldn't.
 4167 			New querytrace logging has been added which
 4168 			identified this error. [RT #41155]
 4169 
 4170 4299.	[bug]		Check that exactly totallen bytes are read when
 4171 			reading a RRset from raw files in both single read
 4172 			and incremental modes. [RT #41402]
 4173 
 4174 4298.	[bug]		dns_rpz_add errors in loadzone were not being
 4175 			propagated up the call stack. [RT #41425]
 4176 
 4177 4297.	[test]		Ensure delegations in RPZ zones fail robustly.
 4178 			[RT #41518]
 4179 
 4180 4296.	[bug]		TCP packet sizes were calculated incorrectly in the
 4181 			stats channel; they could be counted in the wrong
 4182 			histogram bucket. [RT #40587]
 4183 
 4184 4295.	[bug]		An unchecked result in dns_message_pseudosectiontotext()
 4185 			could allow incorrect text formatting of EDNS EXPIRE
 4186 			options. [RT #41437]
 4187 
 4188 4294.	[bug]		Fixed a regression in which "rndc stop -p" failed
 4189 			to print the PID. [RT #41513]
 4190 
 4191 4293.	[bug]		Address memory leak on priming query creation failure.
 4192 			[RT #41512]
 4193 
 4194 4292.	[placeholder]
 4195 
 4196 4291.	[cleanup]	Added a required include to dns/forward.h. [RT #41474]
 4197 
 4198 4290.	[func]		The timers returned by the statistics channel
 4199 			(indicating current time, server boot time, and
 4200 			most recent reconfiguration time) are now reported
 4201 			with millisecond accuracy. [RT #40082]
 4202 
 4203 4289.	[bug]		The server could crash due to memory being used
 4204 			after it was freed if a zone transfer timed out.
 4205 			[RT #41297]
 4206 
 4207 4288.	[bug]		Fixed a regression in resolver.c:possibly_mark()
 4208 			which caused known-bogus servers to be queried
 4209 			anyway. [RT #41321]
 4210 
 4211 4287.	[bug]		Silence an overly noisy log message when message
 4212 			parsing fails. [RT #41374]
 4213 
 4214 4286.	[security]	render_ecs errors were mishandled when printing out
 4215 			a OPT record resulting in a assertion failure.
 4216 			(CVE-2015-8705) [RT #41397]
 4217 
 4218 4285.	[security]	Specific APL data could trigger a INSIST.
 4219 			(CVE-2015-8704) [RT #41396]
 4220 
 4221 4284.	[bug]		Some GeoIP options were incorrectly documented
 4222 			using abbreviated forms which were not accepted by
 4223 			named.  The code has been updated to allow both
 4224 			long and abbreviated forms. [RT #41381]
 4225 
 4226 4283.	[bug]		OPENSSL_config is no longer re-callable. [RT #41348]
 4227 
 4228 4282.	[func]		'dig +[no]mapped' determine whether the use of mapped
 4229 			IPv4 addresses over IPv6 is permitted or not.  The
 4230 			default is +mapped.  [RT #41307]
 4231 
 4232 4281.	[bug]		Teach dns_message_totext about BADCOOKIE. [RT #41257]
 4233 
 4234 4280.	[performance]	Use optimal message sizes to improve compression
 4235 			in AXFRs. This reduces network traffic. [RT #40996]
 4236 
 4237 4279.	[test]		Don't use fixed ports when unit testing. [RT #41194]
 4238 
 4239 4278.	[bug]		'delv +short +[no]split[=##]' didn't work as expected.
 4240 			[RT #41238]
 4241 
 4242 4277.	[performance]	Improve performance of the RBT, the central zone
 4243 			datastructure: The aux hashtable was improved,
 4244 			hash function was updated to perform more
 4245 			uniform mapping, uppernode was added to
 4246 			dns_rbtnode, and other cleanups and performance
 4247 			improvements were made. [RT #41165]
 4248 
 4249 4276.	[protocol]	Add support for SMIMEA. [RT #40513]
 4250 
 4251 4275.	[performance]	Lazily initialize dns_compress->table only when
 4252 			compression is enabled. [RT #41189]
 4253 
 4254 4274.	[performance]	Speed up typemap processing from text. [RT #41196]
 4255 
 4256 4273.	[bug]		Only call dns_test_begin() and dns_test_end() once each
 4257 			in nsec3_test as it fails with GOST if called multiple
 4258 			times.
 4259 
 4260 4272.	[bug]		dig: the +norrcomments option didn't work with +multi.
 4261 			[RT #41234]
 4262 
 4263 4271.	[test]		Unit tests could deadlock in isc__taskmgr_pause().
 4264 			[RT #41235]
 4265 
 4266 4270.	[security]	Update allowed OpenSSL versions as named is
 4267 			potentially vulnerable to CVE-2015-3193.
 4268 
 4269 4269.	[bug]		Zones using "map" format master files currently
 4270 			don't work as policy zones.  This limitation has
 4271 			now been documented; attempting to use such zones
 4272 			in "response-policy" statements is now a
 4273 			configuration error.  [RT #38321]
 4274 
 4275 4268.	[func]		"rndc status" now reports the path to the
 4276 			configuration file. [RT #36470]
 4277 
 4278 4267.	[test]		Check sdlz error handling. [RT #41142]
 4279 
 4280 4266.	[placeholder]
 4281 
 4282 4265.	[bug]		Address unchecked isc_mem_get calls. [RT #41187]
 4283 
 4284 4264.	[bug]		Check const of strchr/strrchr assignments match
 4285 			argument's const status. [RT #41150]
 4286 
 4287 4263.	[contrib]	Address compiler warnings in mysqldyn module.
 4288 			[RT #41130]
 4289 
 4290 4262.	[bug]		Fixed a bug in epoll socket code that caused
 4291 			sockets to not be registered for ready
 4292 			notification in some cases, causing named to not
 4293 			read from or write to them, resulting in what
 4294 			appear to the user as blocked connections.
 4295 			[RT #41067]
 4296 
 4297 4261.	[maint]		H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53.
 4298 			[RT #40556]
 4299 
 4300 4260.	[security]	Insufficient testing when parsing a message allowed
 4301 			records with an incorrect class to be be accepted,
 4302 			triggering a REQUIRE failure when those records
 4303 			were subsequently cached. (CVE-2015-8000) [RT #40987]
 4304 
 4305 4259.	[func]		Add an option for non-destructive control channel
 4306 			access using a "read-only" clause. In such
 4307 			cases, a restricted set of rndc commands are
 4308 			allowed for querying information from named.
 4309 			[RT #40498]
 4310 
 4311 4258.	[bug]		Limit rndc query message sizes to 32 KiB. This should
 4312 			not break any legitimate rndc commands, but will
 4313 			prevent a rogue rndc query from allocating too
 4314 			much memory. [RT #41073]
 4315 
 4316 4257.	[cleanup]	Python scripts reported incorrect version. [RT #41080]
 4317 
 4318 4256.	[bug]		Allow rndc command arguments to be quoted so as
 4319 			to allow spaces. [RT #36665]
 4320 
 4321 4255.	[performance]	Add 'message-compression' option to disable DNS
 4322 			compression in responses. [RT #40726]
 4323 
 4324 4254.	[bug]		Address missing lock when getting zone's serial.
 4325 			[RT #41072]
 4326 
 4327 4253.	[security]	Address fetch context reference count handling error
 4328 			on socket error. (CVE-2015-8461)  [RT#40945]
 4329 
 4330 4252.	[func]		Add support for automating the generation CDS and
 4331 			CDNSKEY rrsets to named and dnssec-signzone.
 4332 			[RT #40424]
 4333 
 4334 4251.	[bug]		NTAs were deleted when the server was reconfigured
 4335 			or reloaded. [RT #41058]
 4336 
 4337 4250.	[func]		Log the TSIG key in use during inbound zone
 4338 			transfers. [RT #41075]
 4339 
 4340 4249.	[func]		Improve error reporting of TSIG / SIG(0) records in
 4341 			the wrong location. [RT #41030]
 4342 
 4343 4248.	[performance]	Add an isc_atomic_storeq() function, use it in
 4344 			stats counters to improve performance.
 4345 			[RT #39972] [RT #39979]
 4346 
 4347 4247.	[port]		Require both HAVE_JSON and JSON_C_VERSION to be
 4348 			defined to report json library version. [RT #41045]
 4349 
 4350 4246.	[test]		Ensure the statschannel system test runs when BIND
 4351 			is not built with libjson. [RT #40944]
 4352 
 4353 4245.	[placeholder]
 4354 
 4355 4244.	[bug]		The parser was not reporting that use-ixfr is obsolete.
 4356 			[RT #41010]
 4357 
 4358 4243.	[func]		Improved stats reporting from Timothe Litt. [RT #38941]
 4359 
 4360 4242.	[bug]		Replace the client if not already replaced when
 4361 			prefetching. [RT #41001]
 4362 
 4363 4241.	[doc]		Improved the TSIG, TKEY, and SIG(0) sections in
 4364 			the ARM. [RT #40955]
 4365 
 4366 4240.	[port]		Fix LibreSSL compatibility. [RT #40977]
 4367 
 4368 4239.	[func]		Changed default servfail-ttl value to 1 second from 10.
 4369 			Also, the maximum value is now 30 instead of 300.
 4370 			[RT #37556]
 4371 
 4372 4238.	[bug]		Don't send to servers on net zero (0.0.0.0/8).
 4373 			[RT #40947]
 4374 
 4375 4237.	[doc]		Upgraded documentation toolchain to use DocBook 5
 4376 			and dblatex. [RT #40766]
 4377 
 4378 4236.	[performance]	On machines with 2 or more processors (CPU), the
 4379 			default value for the number of UDP listeners
 4380 			has been changed to the number of detected
 4381 			processors minus one. [RT #40761]
 4382 
 4383 4235.	[func]		Added support in named for "dnstap", a fast method of
 4384 			capturing and logging DNS traffic, and a new command
 4385 			"dnstap-read" to read a dnstap log file.  Use
 4386 			"configure --enable-dnstap" to enable this
 4387 			feature (note that this requires libprotobuf-c
 4388 			and libfstrm). See the ARM for configuration details.
 4389 
 4390 			Thanks to Robert Edmonds of Farsight Security.
 4391 			[RT #40211]
 4392 
 4393 4234.	[func]		Add deflate compression in statistics channel HTTP
 4394 			server. [RT #40861]
 4395 
 4396 4233.	[test]		Add tests for CDS and CDNSKEY with delegation-only.
 4397 			[RT #40597]
 4398 
 4399 4232.	[contrib]	Address unchecked memory allocation calls in
 4400 			query-loc and zone2ldap. [RT #40789]
 4401 
 4402 4231.	[contrib]	Address unchecked calloc call in dlz_mysqldyn_mod.c.
 4403 			[RT #40840]
 4404 
 4405 4230.	[contrib]	dlz_wildcard_dynamic.c:dlz_create could return a
 4406 			uninitialized result. [RT #40839]
 4407 
 4408 4229.	[bug]		A variable could be used uninitialized in
 4409 			dns_update_signaturesinc. [RT #40784]
 4410 
 4411 4228.	[bug]		Address race condition in dns_client_destroyrestrans.
 4412 			[RT #40605]
 4413 
 4414 4227.	[bug]		Silence static analysis warnings. [RT #40828]
 4415 
 4416 4226.	[bug]		Address a theoretical shutdown race in
 4417 			zone.c:notify_send_queue(). [RT #38958]
 4418 
 4419 4225.	[port]		freebsd/openbsd:  Use '${CC} -shared' for building
 4420 			shared libraries. [RT #39557]
 4421 
 4422 4224.	[func]		Added support for "dyndb", a new interface for loading
 4423 			zone data from an external database, developed by
 4424 			Red Hat for the FreeIPA project.
 4425 
 4426 			DynDB drivers fully implement the BIND database
 4427 			API, and are capable of significantly better
 4428 			performance and functionality than DLZ drivers,
 4429 			while taking advantage of advanced database
 4430 			features not available in BIND such as multi-master
 4431 			replication.
 4432 
 4433 			Thanks to Adam Tkac and Petr Spacek of Red Hat.
 4434 			[RT #35271]
 4435 
 4436 4223.	[func]		Add support for setting max-cache-size to percentage
 4437 			of available physical memory, set default to 90%.
 4438 			[RT #38442]
 4439 
 4440 4222.	[func]		Bias IPv6 servers when selecting the next server to
 4441 			query. [RT #40836]
 4442 
 4443 4221.	[bug]		Resource leak on DNS_R_NXDOMAIN in fctx_create.
 4444 			[RT #40583]
 4445 
 4446 4220.	[doc]		Improve documentation for zone-statistics.
 4447 			[RT #36955]
 4448 
 4449 4219.	[bug]		Set event->result to ISC_R_WOULDBLOCK on EWOULDBLOCK,
 4450 			EGAIN when these soft error are not retried for
 4451 			isc_socket_send*().
 4452 
 4453 4218.	[bug]		Potential null pointer dereference on out of memory
 4454 			if mmap is not supported. [RT #40777]
 4455 
 4456 4217.	[protocol]	Add support for CSYNC. [RT #40532]
 4457 
 4458 4216.	[cleanup]	Silence static analysis warnings. [RT #40649]
 4459 
 4460 4215.	[bug]		nsupdate: skip to next request on GSSTKEY create
 4461 			failure. [RT #40685]
 4462 
 4463 4214.	[protocol]	Add support for TALINK.  [RT #40544]
 4464 
 4465 4213.	[bug]		Don't reuse a cache across multiple classes.
 4466 			[RT #40205]
 4467 
 4468 4212.	[func]		Re-query if we get a bad client cookie returned over
 4469 			UDP. [RT #40748]
 4470 
 4471 4211.	[bug]		Ensure that lwresd gets at least one task to work
 4472 			with if enabled. [RT #40652]
 4473 
 4474 4210.	[cleanup]	Silence use after free false positive. [RT #40743]
 4475 
 4476 4209.	[bug]		Address resource leaks in dlz modules. [RT #40654]
 4477 
 4478 4208.	[bug]		Address null pointer dereferences on out of memory.
 4479 			[RT #40764]
 4480 
 4481 4207.	[bug]		Handle class mismatches with raw zone files.
 4482 			[RT #40746]
 4483 
 4484 4206.	[bug]		contrib: fixed a possible NULL dereference in
 4485 			DLZ wildcard module. [RT #40745]
 4486 
 4487 4205.	[bug]		'named-checkconf -p' could include unwanted spaces
 4488 			when printing tuples with unset optional fields.
 4489 			[RT #40731]
 4490 
 4491 4204.	[bug]		'dig +trace' failed to lookup the correct type if
 4492 			the initial root NS query was retried. [RT #40296]
 4493 
 4494 4203.	[test]		The rrchecker system test now tests conversion
 4495 			to and from unknown-type format. [RT #40584]
 4496 
 4497 4202.	[bug]		isccc_cc_fromwire() could return an incorrect
 4498 			result. [RT #40614]
 4499 
 4500 4201.	[func]		The default preferred-glue is now the address record
 4501 			type of the transport the query was received
 4502 			over.  [RT #40468]
 4503 
 4504 4200.	[cleanup]	win32: update BINDinstall to be BIND release
 4505 			independent. [RT #38915]
 4506 
 4507 4199.	[protocol]	Add support for NINFO, RKEY, SINK, TA.
 4508 			[RT #40545] [RT #40547] [RT #40561] [RT #40563]
 4509 
 4510 4198.	[placeholder]
 4511 
 4512 4197.	[bug]		'named-checkconf -z' didn't handle 'in-view' clauses.
 4513 			[RT #40603]
 4514 
 4515 4196.	[doc]		Improve how "enum + other" types are documented.
 4516 			[RT #40608]
 4517 
 4518 4195.	[bug]		'max-zone-ttl unlimited;' was broken. [RT #40608]
 4519 
 4520 4194.	[bug]		named-checkconf -p failed to properly print a port
 4521 			range.  [RT #40634]
 4522 
 4523 4193.	[bug]		Handle broken servers that return BADVERS incorrectly.
 4524 			[RT #40427]
 4525 
 4526 4192.	[bug]		The default rrset-order of random was not always being
 4527 			applied. [RT #40456]
 4528 
 4529 4191.	[protocol]	Accept DNS-SD non LDH PTR records in reverse zones
 4530 			as per RFC 6763. [RT #37889]
 4531 
 4532 4190.	[protocol]	Accept Active Directory gc._msdcs.<forest> name as
 4533 			valid with check-names.  <forest> still needs to be
 4534 			LDH. [RT #40399]
 4535 
 4536 4189.	[cleanup]	Don't exit on overly long tokens in named.conf.
 4537 			[RT #40418]
 4538 
 4539 4188.	[bug]		Support HTTP/1.0 client properly on the statistics
 4540 			channel. [RT #40261]
 4541 
 4542 4187.	[func]		When any RR type implementation doesn't
 4543 			implement totext() for the RDATA's wire
 4544 			representation and returns ISC_R_NOTIMPLEMENTED,
 4545 			such RDATA is now printed in unknown
 4546 			presentation format (RFC 3597). RR types affected
 4547 			include LOC(29) and APL(42). [RT #40317].
 4548 
 4549 4186.	[bug]		Fixed an RPZ bug where a QNAME would be matched
 4550 			against a policy RR with wildcard owner name
 4551 			(trigger) where the QNAME was the wildcard owner
 4552 			name's parent. For example, the bug caused a query
 4553 			with QNAME "example.com" to match a policy RR with
 4554 			"*.example.com" as trigger. [RT #40357]
 4555 
 4556 4185.	[bug]		Fixed an RPZ bug where a policy RR with wildcard
 4557 			owner name (trigger) would prevent another policy RR
 4558 			with its parent owner name from being
 4559 			loaded. For example, the bug caused a policy RR
 4560 			with trigger "example.com" to not have any
 4561 			effect when a previous policy RR with trigger
 4562 			"*.example.com" existed in that RPZ zone.
 4563 			[RT #40357]
 4564 
 4565 4184.	[bug]		Fixed a possible memory leak in name compression
 4566 			when rendering long messages. (Also, improved
 4567 			wire_test for testing such messages.) [RT #40375]
 4568 
 4569 4183.	[cleanup]	Use timing-safe memory comparisons in cryptographic
 4570 			code. Also, the timing-safe comparison functions have
 4571 			been renamed to avoid possible confusion with
 4572 			memcmp(). Thanks to Loganaden Velvindron of
 4573 			AFRINIC. [RT #40148]
 4574 
 4575 4182.	[cleanup]	Use mnemonics for RR class and type comparisons.
 4576 			[RT #40297]
 4577 
 4578 4181.	[bug]		Queued notify messages could be dequeued from the
 4579 			wrong rate limiter queue. [RT #40350]
 4580 
 4581 4180.	[bug]		Error responses in pipelined queries could
 4582 			cause a crash in client.c. [RT #40289]
 4583 
 4584 4179.	[bug]		Fix double frees in getaddrinfo() in libirs.
 4585 			[RT #40209]
 4586 
 4587 4178.	[bug]		Fix assertion failure in parsing UNSPEC(103) RR from
 4588 			text. [RT #40274]
 4589 
 4590 4177.	[bug]		Fix assertion failure in parsing NSAP records from
 4591 			text. [RT #40285]
 4592 
 4593 4176.	[bug]		Address race issues with lwresd. [RT #40284]
 4594 
 4595 4175.	[bug]		TKEY with GSS-API keys needed bigger buffers.
 4596 			[RT #40333]
 4597 
 4598 4174.	[bug]		"dnssec-coverage -r" didn't handle time unit
 4599 			suffixes correctly. [RT #38444]
 4600 
 4601 4173.	[bug]		dig +sigchase was not properly matching the trusted
 4602 			key. [RT #40188]
 4603 
 4604 4172.	[bug]		Named / named-checkconf didn't handle a view of CLASS0.
 4605 			[RT #40265]
 4606 
 4607 4171.	[bug]		Fixed incorrect class checks in TSIG RR
 4608 			implementation. [RT #40287]
 4609 
 4610 4170.	[security]	An incorrect boundary check in the OPENPGPKEY
 4611 			rdatatype could trigger an assertion failure.
 4612 			(CVE-2015-5986) [RT #40286]
 4613 
 4614 4169.	[test]		Added a 'wire_test -d' option to read input as
 4615 			raw binary data, for use as a fuzzing harness.
 4616 			[RT #40312]
 4617 
 4618 4168.	[security]	A buffer accounting error could trigger an
 4619 			assertion failure when parsing certain malformed
 4620 			DNSSEC keys. (CVE-2015-5722) [RT #40212]
 4621 
 4622 4167.	[func]		Update rndc's usage output to include recently added
 4623 			commands. Thanks to Tony Finch for submitting a
 4624 			patch. [RT #40010]
 4625 
 4626 4166.	[func]		Print informative output from rndc showzone when
 4627 			allow-new-zones is not enabled for a view. Thanks to
 4628 			Tony Finch for submitting a patch. [RT #40009]
 4629 
 4630 4165.	[security]	A failure to reset a value to NULL in tkey.c could
 4631 			result in an assertion failure. (CVE-2015-5477)
 4632 			[RT #40046]
 4633 
 4634 4164.	[bug]		Don't rename slave files and journals on out of memory.
 4635 			[RT #40033]
 4636 
 4637 4163.	[bug]		Address compiler warnings. [RT #40024]
 4638 
 4639 4162.	[bug]		httpdmgr->flags was not being initialized. [RT #40017]
 4640 
 4641 4161.	[test]		Add JSON test for traffic size stats; also test
 4642 			for consistency between "rndc stats" and the XML
 4643 			and JSON statistics channel contents. [RT #38700]
 4644 
 4645 4160.	[placeholder]
 4646 
 4647 4159.	[cleanup]	Alphabetize dig's help output. [RT #39966]
 4648 
 4649 4158.	[placeholder]
 4650 
 4651 4157.	[placeholder]
 4652 
 4653 4156.	[func]		Added statistics counters to track the sizes
 4654 			of incoming queries and outgoing responses in
 4655 			histogram buckets, as specified in RSSAC002.
 4656 			[RT #39049]
 4657 
 4658 4155.	[func]		Allow RPZ rewrite logging to be configured on a
 4659 			per-zone basis using a newly introduced log clause in
 4660 			the response-policy option. [RT #39754]
 4661 
 4662 4154.	[bug]		A OPT record should be included with the FORMERR
 4663 			response when there is a malformed EDNS option.
 4664 			[RT #39647]
 4665 
 4666 4153.	[bug]		Dig should zero non significant +subnet bits.  Check
 4667 			that non significant ECS bits are zero on receipt.
 4668 			[RT #39647]
 4669 
 4670 4152.	[func]		Implement DNS COOKIE option.  This replaces the
 4671 			experimental SIT option of BIND 9.10.  The following
 4672 			named.conf directives are available: send-cookie,
 4673 			cookie-secret, cookie-algorithm, nocookie-udp-size
 4674 			and require-server-cookie.  The following dig options
 4675 			are available: +[no]cookie[=value] and +[no]badcookie.
 4676 			[RT #39928]
 4677 
 4678 4151.	[bug]		'rndc flush' could cause a deadlock. [RT #39835]
 4679 
 4680 4150.	[bug]		win32: listen-on-v6 { any; }; was not working.  Apply
 4681 			minimal fix.  [RT #39667]
 4682 
 4683 4149.	[bug]		Fixed a race condition in the getaddrinfo()
 4684 			implementation in libirs, which caused the delv
 4685 			utility to crash with an assertion failure when using
 4686 			the '@server' syntax with a hostname argument.
 4687 			[RT #39899]
 4688 
 4689 4148.	[bug]		Fix a bug when printing zone names with '/' character
 4690 			in XML and JSON statistics output. [RT #39873]
 4691 
 4692 4147.	[bug]		Filter-aaaa / filter-aaaa-on-v4 / filter-aaaa-on-v6
 4693 			was returning referrals rather than nodata responses
 4694 			when the AAAA records were filtered.  [RT #39843]
 4695 
 4696 4146.	[bug]		Address reference leak that could prevent a clean
 4697 			shutdown. [RT #37125]
 4698 
 4699 4145.	[bug]		Not all unassociated adb entries where being printed.
 4700 			[RT #37125]
 4701 
 4702 4144.	[func]		Add statistics counters for nxdomain redirections.
 4703 			[RT #39790]
 4704 
 4705 4143.	[placeholder]
 4706 
 4707 4142.	[bug]		rndc addzone with view specified saved NZF config
 4708 			that could not be read back by named. This has now
 4709 			been fixed. [RT #39845]
 4710 
 4711 4141.	[bug]		A formatting bug caused rndc zonestatus to print
 4712 			negative numbers for large serial values. This has
 4713 			now been fixed. [RT #39854]
 4714 
 4715 4140.	[cleanup]	Remove redundant nzf_remove() call during delzone.
 4716 			[RT #39844]
 4717 
 4718 4139.	[doc]		Fix rpz-client-ip documentation. [RT #39783]
 4719 
 4720 4138.	[security]	An uninitialized value in validator.c could result
 4721 			in an assertion failure. (CVE-2015-4620) [RT #39795]
 4722 
 4723 4137.	[bug]		Make rndc reconfig report configuration errors the
 4724 			same way rndc reload does. [RT #39635]
 4725 
 4726 4136.	[bug]		Stale statistics counters with the leading
 4727 			'#' prefix (such as #NXDOMAIN) were not being
 4728 			updated correctly. This has been fixed. [RT #39141]
 4729 
 4730 4135.	[cleanup]	Log expired NTA at startup. [RT #39680]
 4731 
 4732 4134.	[cleanup]	Include client-ip rules when logging the number
 4733 			of RPZ rules of each type. [RT #39670]
 4734 
 4735 4133.	[port]		Update how various json libraries are handled.
 4736 			[RT #39646]
 4737 
 4738 4132.	[cleanup]	dig: added +rd as a synonym for +recurse,
 4739 			added +class as an unabbreviated alternative
 4740 			to +cl. [RT #39686]
 4741 
 4742 4131.	[bug]		Addressed further problems with reloading RPZ
 4743 			zones. [RT #39649]
 4744 
 4745 4130.	[bug]		The compatibility shim for *printf() misprinted some
 4746 			large numbers. [RT #39586]
 4747 
 4748 4129.	[port]		Address API changes in OpenSSL 1.1.0. [RT #39532]
 4749 
 4750 4128.	[bug]		Address issues raised by Coverity 7.6. [RT #39537]
 4751 
 4752 4127.	[protocol]	CDS and CDNSKEY need to be signed by the key signing
 4753 			key as per RFC 7344, Section 4.1. [RT #37215]
 4754 
 4755 4126.	[bug]		Addressed a regression introduced in change #4121.
 4756 			[RT #39611]
 4757 
 4758 4125.	[test]		Added tests for dig, renamed delv test to digdelv.
 4759 			[RT #39490]
 4760 
 4761 4124.	[func]		Log errors or warnings encountered when parsing the
 4762 			internal default configuration.  Clarify the logging
 4763 			of errors and warnings encountered in rndc
 4764 			addzone or modzone parameters. [RT #39440]
 4765 
 4766 4123.	[port]		Added %z (size_t) format options to the portable
 4767 			internal printf/sprintf implementation. [RT #39586]
 4768 
 4769 4122.	[bug]		The server could match a shorter prefix than what was
 4770 			available in CLIENT-IP policy triggers, and so, an
 4771 			unexpected action could be taken. This has been
 4772 			corrected. [RT #39481]
 4773 
 4774 4121.	[bug]		On servers with one or more policy zones
 4775 			configured as slaves, if a policy zone updated
 4776 			during regular operation (rather than at
 4777 			startup) using a full zone reload, such as via
 4778 			AXFR, a bug could allow the RPZ summary data to
 4779 			fall out of sync, potentially leading to an
 4780 			assertion failure in rpz.c when further
 4781 			incremental updates were made to the zone, such
 4782 			as via IXFR. [RT #39567]
 4783 
 4784 4120.	[bug]		A bug in RPZ could cause the server to crash if
 4785 			policy zones were updated while recursion was
 4786 			pending for RPZ processing of an active query.
 4787 			[RT #39415]
 4788 
 4789 4119.	[test]		Allow dig to set the message opcode. [RT #39550]
 4790 
 4791 4118.	[bug]		Teach isc-config.sh about irs. [RT #39213]
 4792 
 4793 4117.	[protocol]	Add EMPTY.AS112.ARPA as per RFC 7534.
 4794 
 4795 4116.	[bug]		Fix a bug in RPZ that could cause some policy
 4796 			zones that did not specifically require
 4797 			recursion to be treated as if they did;
 4798 			consequently, setting qname-wait-recurse no; was
 4799 			sometimes ineffective. [RT #39229]
 4800 
 4801 4115.	[func]		"rndc -r" now prints the result code (e.g.,
 4802 			ISC_R_SUCCESS, ISC_R_TIMEOUT, etc) after
 4803 			running the requested command. [RT #38913]
 4804 
 4805 4114.	[bug]		Fix a regression in radix tree implementation
 4806 			introduced by ECS code. This bug was never
 4807 			released, but it was reported by a user testing
 4808 			master. [RT #38983]
 4809 
 4810 4113.	[test]		Check for Net::DNS is some system test
 4811 			prerequisites. [RT #39369]
 4812 
 4813 4112.	[bug]		Named failed to load when "root-delegation-only"
 4814 			was used without a list of domains to exclude.
 4815 			[RT #39380]
 4816 
 4817 4111.	[doc]		Alphabetize rndc man page. [RT #39360]
 4818 
 4819 4110.	[bug]		Address memory leaks / null pointer dereferences
 4820 			on out of memory. [RT #39310]
 4821 
 4822 4109.	[port]		linux: support reading the local port range from
 4823 			net.ipv4.ip_local_port_range. [RT # 39379]
 4824 
 4825 4108.	[func]		An additional NXDOMAIN redirect method (option
 4826 			"nxdomain-redirect") has been added, allowing
 4827 			redirection to a specified DNS namespace instead
 4828 			of a single redirect zone. [RT #37989]
 4829 
 4830 4107.	[bug]		Address potential deadlock when updating zone content.
 4831 			[RT #39269]
 4832 
 4833 4106.	[port]		Improve readline support. [RT #38938]
 4834 
 4835 4105.	[port]		Misc fixes for Microsoft Visual Studio
 4836 			2015 CTP6 in 64 bit mode. [RT #39308]
 4837 
 4838 4104.	[bug]		Address uninitialized elements. [RT #39252]
 4839 
 4840 4103.	[port]		Misc fixes for Microsoft Visual Studio
 4841 			2015 CTP6. [RT #39267]
 4842 
 4843 4102.	[bug]		Fix a use after free bug introduced in change
 4844 			#4094.  [RT #39281]
 4845 
 4846 4101.	[bug]		dig: the +split and +rrcomments options didn't
 4847 			work with +short. [RT #39291]
 4848 
 4849 4100.	[bug]		Inherited owernames on the line immediately following
 4850 			a $INCLUDE were not working.  [RT #39268]
 4851 
 4852 4099.	[port]		clang: make unknown commandline options hard errors
 4853 			when determining what options are supported.
 4854 			[RT #39273]
 4855 
 4856 4098.	[bug]		Address use-after-free issue when using a
 4857 			predecessor key with dnssec-settime. [RT #39272]
 4858 
 4859 4097.	[func]		Add additional logging about xfrin transfer status.
 4860 			[RT #39170]
 4861 
 4862 4096.	[bug]		Fix a use after free of query->sendevent.
 4863 			[RT #39132]
 4864 
 4865 4095.	[bug]		zone->options2 was not being properly initialized.
 4866 			[RT #39228]
 4867 
 4868 4094.	[bug]		A race during shutdown or reconfiguration could
 4869 			cause an assertion in mem.c. [RT #38979]
 4870 
 4871 4093.	[func]		Dig now learns the SIT value from truncated
 4872 			responses when it retries over TCP. [RT #39047]
 4873 
 4874 4092.	[bug]		'in-view' didn't work for zones beneath a empty zone.
 4875 			[RT #39173]
 4876 
 4877 4091.	[cleanup]	Some cleanups in isc mem code. [RT #38896]
 4878 
 4879 4090.	[bug]		Fix a crash while parsing malformed CAA RRs in
 4880 			presentation format, i.e., from text such as
 4881 			from master files. Thanks to John Van de
 4882 			Meulebrouck Brendgard for discovering and
 4883 			reporting this problem. [RT #39003]
 4884 
 4885 4089.	[bug]		Send notifies immediately for slave zones during
 4886 			startup. [RT #38843]
 4887 
 4888 4088.	[port]		Fixed errors when building with libressl. [RT #38899]
 4889 
 4890 4087.	[bug]		Fix a crash due to use-after-free due to sequencing
 4891 			of tasks actions. [RT #38495]
 4892 
 4893 4086.	[bug]		Fix out-of-srcdir build with native pkcs11. [RT #38831]
 4894 
 4895 4085.	[bug]		ISC_PLATFORM_HAVEXADDQ could be inconsistently set.
 4896 			[RT #38828]
 4897 
 4898 4084.	[bug]		Fix a possible race in updating stats counters.
 4899 			[RT #38826]
 4900 
 4901 4083.	[cleanup]	Print the number of CPUs and UDP listeners
 4902 			consistently in the log and in "rndc status"
 4903 			output; indicate whether threads are supported
 4904 			in "named -V" output. [RT #38811]
 4905 
 4906 4082.	[bug]		Incrementally sign large inline zone deltas.
 4907 			[RT #37927]
 4908 
 4909 4081.	[cleanup]	Use dns_rdatalist_init consistently. [RT #38759]
 4910 
 4911 4080.	[func]		Completed change #4022, adding a "lock-file" option
 4912 			to named.conf to override the default lock file,
 4913 			in addition to the "named -X <filename>" command
 4914 			line option.  Setting the lock file to "none"
 4915 			using either method disables the check completely.
 4916 			[RT #37908]
 4917 
 4918 4079.	[func]		Preserve the case of the owner name of records to
 4919 			the RRset level. [RT #37442]
 4920 
 4921 4078.	[bug]		Handle the case where CMSG_SPACE(sizeof(int)) !=
 4922 			CMSG_SPACE(sizeof(char)). [RT #38621]
 4923 
 4924 4077.	[test]		Add static-stub regression test for DS NXDOMAIN
 4925 			return making the static stub disappear. [RT #38564]
 4926 
 4927 4076.	[bug]		Named could crash on shutdown with outstanding
 4928 			reload / reconfig events. [RT #38622]
 4929 
 4930 4075.	[placeholder]
 4931 
 4932 4074.	[cleanup]	Cleaned up more warnings from gcc -Wshadow. [RT #38708]
 4933 
 4934 4073.	[cleanup]	Add libjson-c version number reporting to
 4935 			"named -V"; normalize version number formatting.
 4936 			[RT #38056]
 4937 
 4938 4072.	[func]		Add a --enable-querytrace configure switch for
 4939 			very verbose query trace logging. (This option
 4940 			has a negative performance impact and should be
 4941 			used only for debugging.) [RT #37520]
 4942 
 4943 4071.	[cleanup]	Initialize pthread mutex attrs just once, instead of
 4944 			doing it per mutex creation. [RT #38547]
 4945 
 4946 4070.	[bug]		Fix a segfault in nslookup in a query such as
 4947 			"nslookup isc.org AMS.SNS-PB.ISC.ORG -all".
 4948 			[RT #38548]
 4949 
 4950 4069.	[doc]		Reorganize options in the nsupdate man page.
 4951 			[RT #38515]
 4952 
 4953 4068.	[bug]		Omit unknown serial number from JSON zone statistics.
 4954 			[RT #38604]
 4955 
 4956 4067.	[cleanup]	Reduce noise from RRL when query logging is
 4957 			disabled. [RT #38648]
 4958 
 4959 4066.	[doc]		Reorganize options in the dig man page. [RT #38516]
 4960 
 4961 4065.	[test]		Additional RFC 5011 tests. [RT #38569]
 4962 
 4963 4064.	[contrib]	dnssec-keyset.sh: Generates a specified number
 4964 			of DNSSEC keys with timing set to implement a
 4965 			pre-publication key rollover strategy. Thanks
 4966 			to Jeffry A. Spain. [RT #38459]
 4967 
 4968 4063.	[bug]		Asynchronous zone loads were not handled
 4969 			correctly when the zone load was already in
 4970 			progress; this could trigger a crash in zt.c.
 4971 			[RT #37573]
 4972 
 4973 4062.	[bug]		Fix an out-of-bounds read in RPZ code. If the
 4974 			read succeeded, it doesn't result in a bug
 4975 			during operation. If the read failed, named
 4976 			could segfault. [RT #38559]
 4977 
 4978 4061.	[bug]		Handle timeout in legacy system test. [RT #38573]
 4979 
 4980 4060.	[bug]		dns_rdata_freestruct could be called on a
 4981 			uninitialized structure when handling a error.
 4982 			[RT #38568]
 4983 
 4984 4059.	[bug]		Addressed valgrind warnings. [RT #38549]
 4985 
 4986 4058.	[bug]		UDP dispatches could use the wrong pseudorandom
 4987 			number generator context. [RT #38578]
 4988 
 4989 4057.	[bug]		'dnssec-dsfromkey -T 0' failed to add ttl field.
 4990 			[RT #38565]
 4991 
 4992 4056.	[bug]		Expanded automatic testing of trust anchor
 4993 			management and fixed several small bugs including
 4994 			a memory leak and a possible loss of key state
 4995 			information. [RT #38458]
 4996 
 4997 4055.	[func]		"rndc managed-keys" can be used to check status
 4998 			of trust anchors or to force keys to be refreshed,
 4999 			Also, the managed keys data file has easier-to-read
 5000 			comments.  [RT #38458]
 5001 
 5002 4054.	[func]		Added a new tool 'mdig', a lightweight clone of
 5003 			dig able to send multiple pipelined queries.
 5004 			[RT #38261]
 5005 
 5006 4053.	[security]	Revoking a managed trust anchor and supplying
 5007 			an untrusted replacement could cause named
 5008 			to crash with an assertion failure.
 5009 			(CVE-2015-1349) [RT #38344]
 5010 
 5011 4052.	[bug]		Fix a leak of query fetchlock. [RT #38454]
 5012 
 5013 4051.	[bug]		Fix a leak of pthread_mutexattr_t. [RT #38454]
 5014 
 5015 4050.	[bug]		RPZ could send spurious SERVFAILs in response
 5016 			to duplicate queries. [RT #38510]
 5017 
 5018 4049.	[bug]		CDS and CDNSKEY had the wrong attributes. [RT #38491]
 5019 
 5020 4048.	[bug]		adb hash table was not being grown. [RT #38470]
 5021 
 5022 4047.	[cleanup]	"named -V" now reports the current running versions
 5023 			of OpenSSL and the libxml2 libraries, in addition to
 5024 			the versions that were in use at build time.
 5025 
 5026 4046.	[bug]		Accounting of "total use" in memory context
 5027 			statistics was not correct. [RT #38370]
 5028 
 5029 4045.	[bug]		Skip to next master on dns_request_createvia4 failure.
 5030 			[RT #25185]
 5031 
 5032 4044.	[bug]		Change 3955 was not complete, resulting in an assertion
 5033 			failure if the timing was just right. [RT #38352]
 5034 
 5035 4043.	[func]		"rndc modzone" can be used to modify the
 5036 			configuration of an existing zone, using similar
 5037 			syntax to "rndc addzone". [RT #37895]
 5038 
 5039 4042.	[bug]		zone.c:iszonesecure was being called too late.
 5040 			[RT #38371]
 5041 
 5042 4041.	[func]		TCP sockets can now be shared while connecting.
 5043 			(This will be used to enable client-side support
 5044 			of pipelined queries.) [RT #38231]
 5045 
 5046 4040.	[func]		Added server-side support for pipelined TCP
 5047 			queries. Clients may continue sending queries via
 5048 			TCP while previous queries are being processed
 5049 			in parallel.  (The new "keep-response-order"
 5050 			option allows clients to be specified for which
 5051 			the old behavior will still be used.) [RT #37821]
 5052 
 5053 4039.	[cleanup]	Cleaned up warnings from gcc -Wshadow. [RT #37381]
 5054 
 5055 4038.	[bug]		Add 'rpz' flag to node and use it to determine whether
 5056 			to call dns_rpz_delete.  This should prevent unbalanced
 5057 			add / delete calls. [RT #36888]
 5058 
 5059 4037.	[bug]		also-notify was ignoring the tsig key when checking
 5060 			for duplicates resulting in some expected notify
 5061 			messages not being sent. [RT #38369]
 5062 
 5063 4036.	[bug]		Make call to open a temporary file name safe during
 5064 			NZF creation. [RT #38331]
 5065 
 5066 4035.	[bug]		Close temporary and NZF FILE pointers before moving
 5067 			the former into the latter's place, as required on
 5068 			Windows. [RT #38332]
 5069 
 5070 4034.	[func]		When added, negative trust anchors (NTA) are now
 5071 			saved to files (viewname.nta), in order to
 5072 			persist across restarts of the named server.
 5073 			[RT #37087]
 5074 
 5075 4033.	[bug]		Missing out of memory check in request.c:req_send.
 5076 			[RT #38311]
 5077 
 5078 4032.	[bug]		Built-in "empty" zones did not correctly inherit the
 5079 			"allow-transfer" ACL from the options or view.
 5080 			[RT #38310]
 5081 
 5082 4031.	[bug]		named-checkconf -z failed to report a missing file
 5083 			with a hint zone. [RT #38294]
 5084 
 5085 4030.	[func]		"rndc delzone" is now applicable to zones that were
 5086 			configured in named.conf, as well as zones that
 5087 			were added via "rndc addzone". (Note, however, that
 5088 			if named.conf is not also modified, the deleted zone
 5089 			will return when named is reloaded.) [RT #37887]
 5090 
 5091 4029.	[func]		"rndc showzone" displays the current configuration
 5092 			of a specified zone. [RT #37887]
 5093 
 5094 4028.	[bug]		$GENERATE with a zero step was not being caught as a
 5095 			error.  A $GENERATE with a / but no step was not being
 5096 			caught as a error. [RT #38262]
 5097 
 5098 4027.	[port]		Net::DNS 0.81 compatibility. [RT #38165]
 5099 
 5100 4026.	[bug]		Fix RFC 3658 reference in dig +sigchase. [RT #38173]
 5101 
 5102 4025.	[port]		bsdi: failed to build. [RT #38047]
 5103 
 5104 4024.	[bug]		dns_rdata_opt_first, dns_rdata_opt_next,
 5105 			dns_rdata_opt_current, dns_rdata_txt_first,
 5106 			dns_rdata_txt_next and dns_rdata_txt_current were
 5107 			documented but not implemented.  These have now been
 5108 			implemented.
 5109 
 5110 			dns_rdata_spf_first, dns_rdata_spf_next and
 5111 			dns_rdata_spf_current were documented but not
 5112 			implemented.  The prototypes for these
 5113 			functions have been removed. [RT #38068]
 5114 
 5115 4023.	[bug]		win32: socket handling with explicit ports and
 5116 			invoking named with -4 was broken for some
 5117 			configurations. [RT #38068]
 5118 
 5119 4022.	[func]		Stop multiple spawns of named by limiting number of
 5120 			processes to 1. This is done by using a lockfile and
 5121 			checking whether we can listen on any configured
 5122 			TCP interfaces. [RT #37908]
 5123 
 5124 4021.	[bug]		Adjust max-recursion-queries to accommodate
 5125 			the need for more queries when the cache is
 5126 			empty. [RT #38104]
 5127 
 5128 4020.	[bug]		Change 3736 broke nsupdate's SOA MNAME discovery
 5129 			resulting in updates being sent to the wrong server.
 5130 			[RT #37925]
 5131 
 5132 4019.	[func]		If named is not configured to validate the answer
 5133 			then allow fallback to plain DNS on timeout even
 5134 			when we know the server supports EDNS. [RT #37978]
 5135 
 5136 4018.	[placeholder]
 5137 
 5138 4017.	[test]		Add system test to check lookups to legacy servers
 5139 			with broken DNS behavior. [RT #37965]
 5140 
 5141 4016.	[bug]		Fix a dig segfault due to bad linked list usage.
 5142 			[RT #37591]
 5143 
 5144 4015.	[bug]		Nameservers that are skipped due to them being
 5145 			CNAMEs were not being logged. They are now logged
 5146 			to category 'cname' as per BIND 8. [RT #37935]
 5147 
 5148 4014.	[bug]		When including a master file origin_changed was
 5149 			not being properly set leading to a potentially
 5150 			spurious 'inherited owner' warning. [RT #37919]
 5151 
 5152 4013.	[func]		Add a new tcp-only option to server (config) /
 5153 			peer (struct) to use TCP transport to send
 5154 			queries (in place of UDP transport with a
 5155 			TCP fallback on truncated (TC set) response).
 5156 			[RT #37800]
 5157 
 5158 4012.	[cleanup]	Check returned status of OpenSSL digest and HMAC
 5159 			functions when they return one. Note this applies
 5160 			only to FIPS capable OpenSSL libraries put in
 5161 			FIPS mode and MD5. [RT #37944]
 5162 
 5163 4011.	[bug]		master's list port and dscp inheritance was not
 5164 			properly implemented. [RT #37792]
 5165 
 5166 4010.	[cleanup]	Clear the prefetchable state when initiating a
 5167 			prefetch. [RT #37399]
 5168 
 5169 4009.	[func]		delv: added a +tcp option. [RT #37855]
 5170 
 5171 4008.	[contrib]	Updated zkt to latest version (1.1.3). [RT #37886]
 5172 
 5173 4007.	[doc]		Remove acl forward reference restriction. [RT #37772]
 5174 
 5175 4006.	[security]	A flaw in delegation handling could be exploited
 5176 			to put named into an infinite loop.  This has
 5177 			been addressed by placing limits on the number
 5178 			of levels of recursion named will allow (default 7),
 5179 			and the number of iterative queries that it will
 5180 			send (default 50) before terminating a recursive
 5181 			query (CVE-2014-8500).
 5182 
 5183 			The recursion depth limit is configured via the
 5184 			"max-recursion-depth" option, and the query limit
 5185 			via the "max-recursion-queries" option.  [RT #37580]
 5186 
 5187 4005.	[func]		The buffer used for returning text from rndc
 5188 			commands is now dynamically resizable, allowing
 5189 			arbitrarily large amounts of text to be sent back
 5190 			to the client. (Prior to this change, it was
 5191 			possible for the output of "rndc tsig-list" to be
 5192 			truncated.) [RT #37731]
 5193 
 5194 4004.	[bug]		When delegations had AAAA glue but not A, a
 5195 			reference could be leaked causing an assertion
 5196 			failure on shutdown. [RT #37796]
 5197 
 5198 4003.	[security]	When geoip-directory was reconfigured during
 5199 			named run-time, the previously loaded GeoIP
 5200 			data could remain, potentially causing wrong
 5201 			ACLs to be used or wrong results to be served
 5202 			based on geolocation (CVE-2014-8680). [RT #37720]
 5203 
 5204 4002.	[security]	Lookups in GeoIP databases that were not
 5205 			loaded could cause an assertion failure
 5206 			(CVE-2014-8680). [RT #37679]
 5207 
 5208 4001.	[security]	The caching of GeoIP lookups did not always
 5209 			handle address families correctly, potentially
 5210 			resulting in an assertion failure (CVE-2014-8680).
 5211 			[RT #37672]
 5212 
 5213 4000.	[bug]		NXDOMAIN redirection incorrectly handled NXRRSET
 5214 			from the redirect zone. [RT #37722]
 5215 
 5216 3999.	[func]		"mkeys" and "nzf" files are now named after
 5217 			their corresponding views, unless the view name
 5218 			contains characters that would be incompatible
 5219 			with use in a filename (i.e., slash, backslash,
 5220 			or capital letters). If a view name does contain
 5221 			these characters, the files will still be named
 5222 			using a cryptographic hash of the view name.
 5223 			Regardless of this, if a file using the old name
 5224 			format is found to exist, it will continue to be
 5225 			used. [RT #37704]
 5226 
 5227 3998.	[bug]		isc_radix_search was returning matches that were
 5228 			too precise. [RT #37680]
 5229 
 5230 3997.	[protocol]	Add OPENGPGKEY record. [RT# 37671]
 5231 
 5232 3996.	[bug]		Address use after free on out of memory error in
 5233 			keyring_add. [RT #37639]
 5234 
 5235 3995.	[bug]		receive_secure_serial holds the zone lock for too
 5236 			long. [RT #37626]
 5237 
 5238 3994.	[func]		Dig now supports setting the last unassigned DNS
 5239 			header flag bit (dig +zflag). [RT #37421]
 5240 
 5241 3993.	[func]		Dig now supports EDNS negotiation by default.
 5242 			(dig +[no]ednsnegotiation).
 5243 
 5244 			Note:  This is disabled by default in BIND 9.10
 5245 			and enabled by default in BIND 9.11.  [RT #37604]
 5246 
 5247 3992.	[func]		DiG can now send queries without questions
 5248 			(dig +header-only). [RT #37599]
 5249 
 5250 3991.	[func]		Add the ability to buffer logging output by specifying
 5251 			"buffered yes;" when defining a channel. [RT #26561]
 5252 
 5253 3990.	[test]		Add tests for unknown DNSSEC algorithm handling.
 5254 			[RT #37541]
 5255 
 5256 3989.	[cleanup]	Remove redundant dns_db_resigned calls. [RT #35748]
 5257 
 5258 3988.	[func]		Allow the zone serial of a dynamically updatable
 5259 			zone to be updated via "rndc signing -serial".
 5260 			[RT #37404]
 5261 
 5262 3987.	[port]		Handle future Visual Studio 14 incompatible changes.
 5263 			[RT #37380]
 5264 
 5265 3986.	[doc]		Add the BIND version number to page footers
 5266 			in the ARM. [RT #37398]
 5267 
 5268 3985.	[doc]		Describe how +ndots and +search interact in dig.
 5269 			[RT #37529]
 5270 
 5271 3984.	[func]		Accept 256 byte long PINs in native PKCS#11
 5272 			crypto. [RT #37410]
 5273 
 5274 3983.	[bug]		Change #3940 was incomplete: negative trust anchors
 5275 			could be set to last up to a week, but the
 5276 			"nta-lifetime" and "nta-recheck" options were
 5277 			still limited to one day. [RT #37522]
 5278 
 5279 3982.	[doc]		Include release notes in product documentation.
 5280 			[RT #37272]
 5281 
 5282 3981.	[bug]		Cache DS/NXDOMAIN independently of other query types.
 5283 			[RT #37467]
 5284 
 5285 3980.	[bug]		Improve --with-tuning=large by self tuning of SO_RCVBUF
 5286 			size. [RT #37187]
 5287 
 5288 3979.	[bug]		Negative trust anchor fetches were not properly
 5289 			managed. [RT #37488]
 5290 
 5291 3978.	[test]		Added a unit test for Diffie-Hellman key
 5292 			computation, completing change #3974. [RT #37477]
 5293 
 5294 3977.	[cleanup]	"rndc secroots" reported a "not found" error when
 5295 			there were no negative trust anchors set. [RT #37506]
 5296 
 5297 3976.	[bug]		When refreshing managed-key trust anchors, clear
 5298 			any cached trust so that they will always be
 5299 			revalidated with the current set of secure
 5300 			roots. [RT #37506]
 5301 
 5302 3975.	[bug]		Don't populate or use the bad cache for queries that
 5303 			don't request or use recursion. [RT #37466]
 5304 
 5305 3974.	[bug]		Handle DH_compute_key() failure correctly in
 5306 			openssldh_link.c. [RT #37477]
 5307 
 5308 3973.	[test]		Added hooks for Google Performance Tools CPU profiler,
 5309 			including real-time/wall-clock profiling. Use
 5310 			"configure --with-gperftools-profiler" to enable.
 5311 			[RT #37339]
 5312 
 5313 3972.	[bug]		Fix host's usage statement. [RT #37397]
 5314 
 5315 3971.	[bug]		Reduce the cascading failures due to a bad $TTL line
 5316 			in named-checkconf / named-checkzone. [RT #37138]
 5317 
 5318 3970.	[contrib]	Fixed a use after free bug in the SDB LDAP driver.
 5319 			[RT #37237]
 5320 
 5321 3969.	[test]		Added 'delv' system test. [RT #36901]
 5322 
 5323 3968.	[bug]		Silence spurious log messages when using 'named -[46]'.
 5324 			[RT #37308]
 5325 
 5326 3967.	[test]		Add test for inlined signed zone in multiple views
 5327 			with different DNSKEY sets. [RT #35759]
 5328 
 5329 3966.	[bug]		Missing dns_db_closeversion call in receive_secure_db.
 5330 			[RT #35746]
 5331 
 5332 3965.	[func]		Log outgoing packets and improve packet logging to
 5333 			support logging the remote address. [RT #36624]
 5334 
 5335 3964.	[func]		nsupdate now performs check-names processing.
 5336 			[RT #36266]
 5337 
 5338 3963.	[test]		Added NXRRSET test cases to the "dlzexternal"
 5339 			system test. [RT #37344]
 5340 
 5341 3962.	[bug]		'dig +topdown +trace +sigchase' address unhandled error
 5342 			conditions. [RT #34663]
 5343 
 5344 3961.	[bug]		Forwarding of SIG(0) signed UPDATE messages failed with
 5345 			BADSIG.  [RT #37216]
 5346 
 5347 3960.	[bug]		'dig +sigchase' could loop forever. [RT #37220]
 5348 
 5349 3959.	[bug]		Updates could be lost if they arrived immediately
 5350 			after a rndc thaw. [RT #37233]
 5351 
 5352 3958.	[bug]		Detect when writeable files have multiple references
 5353 			in named.conf. [RT #37172]
 5354 
 5355 3957.	[bug]		"dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256
 5356 			and ECDSAP384SHA384. [RT #37183]
 5357 
 5358 3956.	[func]		Notify messages are now rate limited by notify-rate and
 5359 			startup-notify-rate instead of serial-query-rate.
 5360 			[RT #24454]
 5361 
 5362 3955.	[bug]		Notify messages due to changes are no longer queued
 5363 			behind startup notify messages. [RT #24454]
 5364 
 5365 3954.	[bug]		Unchecked mutex init in dlz_dlopen_driver.c [RT #37112]
 5366 
 5367 3953.	[bug]		Don't escape semi-colon in TXT fields. [RT #37159]
 5368 
 5369 3952.	[bug]		dns_name_fullcompare failed to set *nlabelsp when the
 5370 			two name pointers were the same. [RT #37176]
 5371 
 5372 3951.	[func]		Add the ability to set yet-to-be-defined EDNS flags
 5373 			to dig (+ednsflags=#). [RT #37142]
 5374 
 5375 3950.	[port]		Changed the bin/python Makefile to work around a
 5376 			bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993]
 5377 
 5378 3949.	[experimental]	Experimental support for draft-andrews-edns1 by sending
 5379 			EDNS(1) queries (define DRAFT_ANDREWS_EDNS1 when
 5380 			building).  Add support for limiting the EDNS version
 5381 			advertised to servers: server { edns-version 0; };
 5382 			Log the EDNS version received in the query log.
 5383 			[RT #35864]
 5384 
 5385 3948.	[port]		solaris: RCVBUFSIZE was too large on Solaris with
 5386 			--with-tuning=large. [RT #37059]
 5387 
 5388 3947.	[cleanup]	Set the executable bit on libraries when using
 5389 			libtool. [RT #36786]
 5390 
 5391 3946.	[cleanup]	Improved "configure" search for a python interpreter.
 5392 			[RT #36992]
 5393 
 5394 3945.	[bug]		Invalid wildcard expansions could be incorrectly
 5395 			accepted by the validator. [RT #37093]
 5396 
 5397 3944.	[test]		Added a regression test for "server-id". [RT #37057]
 5398 
 5399 3943.	[func]		SERVFAIL responses can now be cached for a
 5400 			limited time (configured by "servfail-ttl",
 5401 			default 10 seconds, limit 30). This can reduce
 5402 			the frequency of retries when an authoritative
 5403 			server is known to be failing, e.g., due to
 5404 			ongoing DNSSEC validation problems. [RT #21347]
 5405 
 5406 3942.	[bug]		Wildcard responses from a optout range should be
 5407 			marked as insecure. [RT #37072]
 5408 
 5409 3941.	[doc]		Include the BIND version number in the ARM. [RT #37067]
 5410 
 5411 3940.	[func]		"rndc nta" now allows negative trust anchors to be
 5412 			set for up to one week. [RT #37069]
 5413 
 5414 3939.	[func]		Improve UPDATE forwarding performance by allowing TCP
 5415 			connections to be shared. [RT #37039]
 5416 
 5417 3938.	[func]		Added quotas to be used in recursive resolvers
 5418 			that are under high query load for names in zones
 5419 			whose authoritative servers are nonresponsive or
 5420 			are experiencing a denial of service attack.
 5421 
 5422 			- "fetches-per-server" limits the number of
 5423 			  simultaneous queries that can be sent to any
 5424 			  single authoritative server.  The configured
 5425 			  value is a starting point; it is automatically
 5426 			  adjusted downward if the server is partially or
 5427 			  completely non-responsive. The algorithm used to
 5428 			  adjust the quota can be configured via the
 5429 			  "fetch-quota-params" option.
 5430 			- "fetches-per-zone" limits the number of
 5431 			  simultaneous queries that can be sent for names
 5432 			  within a single domain.  (Note: Unlike
 5433 			  "fetches-per-server", this value is not
 5434 			  self-tuning.)
 5435 			- New stats counters have been added to count
 5436 			  queries spilled due to these quotas.
 5437 
 5438 			See the ARM for details of these options. [RT #37125]
 5439 
 5440 3937.	[func]		Added some debug logging to better indicate the
 5441 			conditions causing SERVFAILs when resolving.
 5442 			[RT #35538]
 5443 
 5444 3936.	[func]		Added authoritative support for the EDNS Client
 5445 			Subnet (ECS) option.
 5446 
 5447 			ACLs can now include "ecs" elements which specify
 5448 			an address or network prefix; if an ECS option is
 5449 			included in a DNS query, then the address encoded
 5450 			in the option will be matched against "ecs" ACL
 5451 			elements.
 5452 
 5453 			Also, if an ECS address is included in a query,
 5454 			then it will be used instead of the client source
 5455 			address when matching "geoip" ACL elements.  This
 5456 			behavior can be overridden with "geoip-use-ecs no;".
 5457 			(Note: to enable "geoip" ACLs, use "configure
 5458 			--with-geoip". This requires libGeoIP version
 5459 			1.5.0 or higher.)
 5460 
 5461 			When "ecs" or "geoip" ACL elements are used to
 5462 			select a view for a query, the response will include
 5463 			an ECS option to indicate which client network the
 5464 			answer is valid for.
 5465 
 5466 			(Thanks to Vincent Bernat.) [RT #36781]
 5467 
 5468 3935.	[bug]		"geoip asnum" ACL elements would not match unless
 5469 			the full organization name was specified.  They
 5470 			can now match against the AS number alone (e.g.,
 5471 			AS1234). [RT #36945]
 5472 
 5473 3934.	[bug]		Catch bad 'sit-secret' in named-checkconf.  Improve
 5474 			sit-secret documentation. [RT #36980]
 5475 
 5476 3933.	[bug]		Corrected the implementation of dns_rdata_casecompare()
 5477 			for the HIP rdata type.  [RT #36911]
 5478 
 5479 3932.	[test]		Improved named-checkconf tests. [RT #36911]
 5480 
 5481 3931.	[cleanup]	Cleanup how dlz grammar is defined. [RT #36879]
 5482 
 5483 3930.	[bug]		"rndc nta -r" could cause a server hang if the
 5484 			NTA was not found. [RT #36909]
 5485 
 5486 3929.	[bug]		'host -a' needed to clear idnoptions. [RT #36963]
 5487 
 5488 3928.	[test]		Improve rndc system test. [RT #36898]
 5489 
 5490 3927.	[bug]		dig: report PKCS#11 error codes correctly when
 5491 			compiled with --enable-native-pkcs11. [RT #36956]
 5492 
 5493 3926.	[doc]		Added doc for geoip-directory. [RT #36877]
 5494 
 5495 3925.	[bug]		DS lookup of RFC 1918 empty zones failed. [RT #36917]
 5496 
 5497 3924.	[bug]		Improve 'rndc addzone' error reporting. [RT #35187]
 5498 
 5499 3923.	[bug]		Sanity check the xml2-config output. [RT #22246]
 5500 
 5501 3922.	[bug]		When resigning, dnssec-signzone was removing
 5502 			all signatures from delegation nodes. It now
 5503 			retains DS and (if applicable) NSEC signatures.
 5504 			[RT #36946]
 5505 
 5506 3921.	[bug]		AD was inappropriately set on RPZ responses. [RT #36833]
 5507 
 5508 3920.	[doc]		Added doc for masterfile-style. [RT #36823]
 5509 
 5510 3919.	[bug]		dig: continue to next line if a address lookup fails
 5511 			in batch mode. [RT #36755]
 5512 
 5513 3918.	[doc]		Update check-spf documentation. [RT #36910]
 5514 
 5515 3917.	[bug]		dig, nslookup and host now continue on names that are
 5516 			too long after applying a search list elements.
 5517 			[RT #36892]
 5518 
 5519 3916.	[contrib]	zone2sqlite checked wrong result code.  Address
 5520 			compiler warnings. [RT #36931]
 5521 
 5522 3915.	[bug]		Address a assertion if a route event arrived while
 5523 			shutting down. [RT #36887]
 5524 
 5525 3914.	[bug]		Allow the URI target and CAA value fields to
 5526 			be zero length. [RT #36737]
 5527 
 5528 3913.	[bug]		Address race issue in dispatch. [RT #36731]
 5529 
 5530 3912.	[bug]		Address some unrecoverable lookup failures. [RT #36330]
 5531 
 5532 3911.	[func]		Implement EDNS EXPIRE option client side, allowing
 5533 			a slave server to set the expiration timer correctly
 5534 			when transferring zone data from another slave
 5535 			server. [RT #35925]
 5536 
 5537 3910.	[bug]		Fix races to free event during shutdown. [RT #36720]
 5538 
 5539 3909.	[bug]		When computing the number of elements required for a
 5540 			acl count_acl_elements could have a short count leading
 5541 			to a assertion failure.  Also zero out new acl elements
 5542 			in dns_acl_merge.  [RT #36675]
 5543 
 5544 3908.	[bug]		rndc now differentiates between a zone in multiple
 5545 			views and a zone that doesn't exist at all. [RT #36691]
 5546 
 5547 3907.	[cleanup]	Alphabetize rndc help. [RT #36683]
 5548 
 5549 3906.	[protocol]	Update URI record format to comply with
 5550 			draft-faltstrom-uri-08. [RT #36642]
 5551 
 5552 3905.	[bug]		Address deadlock between view.c and adb.c. [RT #36341]
 5553 
 5554 3904.	[func]		Add the RPZ SOA to the additional section. [RT36507]
 5555 
 5556 3903.	[bug]		Improve the accuracy of DiG's reported round trip
 5557 			time. [RT 36611]
 5558 
 5559 3902.	[bug]		liblwres wasn't handling link-local addresses in
 5560 			nameserver clauses in resolv.conf. [RT #36039]
 5561 
 5562 3901.	[protocol]	Added support for CAA record type (RFC 6844).
 5563 			[RT #36625]
 5564 
 5565 3900.	[bug]		Fix a crash in PostgreSQL DLZ driver. [RT #36637]
 5566 
 5567 3899.	[bug]		"request-ixfr" is only applicable to slave and redirect
 5568 			zones. [RT #36608]
 5569 
 5570 3898.	[bug]		Too small a buffer in tohexstr() calls in test code.
 5571 			[RT #36598]
 5572 
 5573 3897.	[bug]		RPZ summary information was not properly being updated
 5574 			after a AXFR resulting in changes sometimes being
 5575 			ignored.  [RT #35885]
 5576 
 5577 3896.	[bug]		Address performance issues with DSCP code on some
 5578 			platforms. [RT #36534]
 5579 
 5580 3895.	[func]		Add the ability to set the DSCP code point to dig.
 5581 			[RT #36546]
 5582 
 5583 3894.	[bug]		Buffers in isc_print_vsnprintf were not properly
 5584 			initialized leading to potential overflows when
 5585 			printing out quad values. [RT #36505]
 5586 
 5587 3893.	[bug]		Peer DSCP values could be returned without being set.
 5588 			[RT #36538]
 5589 
 5590 3892.	[bug]		Setting '-t aaaa' in .digrc had unintended side
 5591 			effects. [RT #36452]
 5592 
 5593 3891.	[bug]		Use ${INSTALL_SCRIPT} rather than ${INSTALL_PROGRAM}
 5594 			to install python programs.
 5595 
 5596 3890.	[bug]		RRSIG sets that were not loaded in a single transaction
 5597 			at start up where not being correctly added to
 5598 			re-signing heaps.  [RT #36302]
 5599 
 5600 3889.	[port]		hurd: configure fixes as per:
 5601 			https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746540
 5602 
 5603 3888.	[func]		'rndc status' now reports the number of automatic
 5604 			zones. [RT #36015]
 5605 
 5606 3887.	[cleanup]	Make all static symbols in rbtdb64 end in "64" so
 5607 			they are easier to use in a debugger. [RT #36373]
 5608 
 5609 3886.	[bug]		rbtdb_write_header should use a once to initialize
 5610 			FILE_VERSION. [RT #36374]
 5611 
 5612 3885.	[port]		Use 'open()' rather than 'file()' to open files in
 5613 			python.
 5614 
 5615 3884.	[protocol]	Add CDS and CDNSKEY record types. [RT #36333]
 5616 
 5617 3883.	[placeholder]
 5618 
 5619 3882.	[func]		By default, negative trust anchors will be tested
 5620 			periodically to see whether data below them can be
 5621 			validated, and if so, they will be allowed to
 5622 			expire early. The "rndc nta -force" option
 5623 			overrides this behavior.  The default NTA lifetime
 5624 			and the recheck frequency can be configured by the
 5625 			"nta-lifetime" and "nta-recheck" options. [RT #36146]
 5626 
 5627 3881.	[bug]		Address memory leak with UPDATE error handling.
 5628 			[RT #36303]
 5629 
 5630 3880.	[test]		Update ans.pl to work with new TSIG support in
 5631 			Net::DNS; add additional Net::DNS version prerequisite
 5632 			checks. [RT #36327]
 5633 
 5634 3879.	[func]		Add version printing option to various BIND utilities.
 5635 			[RT #10686]
 5636 
 5637 3878.	[bug]		Using the incorrect filename for a DLZ module
 5638 			caused a segmentation fault on startup. [RT #36286]
 5639 
 5640 3877.	[bug]		Inserting and deleting parent and child nodes
 5641 			in response policy zones could trigger an assertion
 5642 			failure. [RT #36272]
 5643 
 5644 3876.	[bug]		Improve efficiency of DLZ redirect zones by
 5645 			suppressing unnecessary database lookups. [RT #35835]
 5646 
 5647 3875.	[cleanup]	Clarify log message when unable to read private
 5648 			key files. [RT #24702]
 5649 
 5650 3874.	[test]		Check that only "check-names master" is needed for
 5651 			updates to be accepted.
 5652 
 5653 3873.	[protocol]	Only warn for SPF without TXT spf record. [RT #36210]
 5654 
 5655 3872.	[bug]		Address issues found by static analysis. [RT #36209]
 5656 
 5657 3871.	[bug]		Don't publish an activated key automatically before
 5658 			its publish time. [RT #35063]
 5659 
 5660 3870.	[func]		Updated the random number generator used in
 5661 			the resolver to use the updated ChaCha based one
 5662 			(similar to OpenBSD's changes). Also moved the
 5663 			RNG to libisc and added unit tests for it.
 5664 			[RT #35942]
 5665 
 5666 3869.	[doc]		Document that in-view zones cannot be used for
 5667 			response policy zones. [RT #35941]
 5668 
 5669 3868.	[bug]		isc_mem_setwater incorrectly cleared hi_called
 5670 			potentially leaving over memory cleaner running.
 5671 			[RT #35270]
 5672 
 5673 3867.	[func]		"rndc nta" can now be used to set a temporary
 5674 			negative trust anchor, which disables DNSSEC
 5675 			validation below a specified name for a specified
 5676 			period of time (not exceeding 24 hours).  This
 5677 			can be used when validation for a domain is known
 5678 			to be failing due to a configuration error on
 5679 			the part of the domain owner rather than a
 5680 			spoofing attack. [RT #29358]
 5681 
 5682 3866.	[bug]		Named could die on disk full in generate_session_key.
 5683 			[RT #36119]
 5684 
 5685 3865.	[test]		Improved testability of the red-black tree
 5686 			implementation and added unit tests. [RT #35904]
 5687 
 5688 3864.	[bug]		RPZ didn't work well when being used as forwarder.
 5689 			[RT #36060]
 5690 
 5691 3863.	[bug]		The "E" flag was missing from the query log as a
 5692 			unintended side effect of code rearrangement to
 5693 			support EDNS EXPIRE. [RT #36117]
 5694 
 5695 3862.	[cleanup]	Return immediately if we are not going to log the
 5696 			message in ns_client_dumpmessage.
 5697 
 5698 3861.	[security]	Missing isc_buffer_availablelength check results
 5699 			in a REQUIRE assertion when printing out a packet
 5700 			(CVE-2014-3859).  [RT #36078]
 5701 
 5702 3860.	[bug]		ioctl(DP_POLL) array size needs to be determined
 5703 			at run time as it is limited to {OPEN_MAX}.
 5704 			[RT #35878]
 5705 
 5706 3859.	[placeholder]
 5707 
 5708 3858.	[bug]		Disable GCC 4.9 "delete null pointer check".
 5709 			[RT #35968]
 5710 
 5711 3857.	[bug]		Make it harder for a incorrect NOEDNS classification
 5712 			to be made. [RT #36020]
 5713 
 5714 3856.	[bug]		Configuring libjson without also configuring libxml
 5715 			resulted in a REQUIRE assertion when retrieving
 5716 			statistics using json. [RT #36009]
 5717 
 5718 3855.	[bug]		Limit smoothed round trip time aging to no more than
 5719 			once a second. [RT #32909]
 5720 
 5721 3854.	[cleanup]	Report unrecognized options, if any, in the final
 5722 			configure summary. [RT #36014]
 5723 
 5724 3853.	[cleanup]	Refactor dns_rdataslab_fromrdataset to separate out
 5725 			the handling of a rdataset with no records. [RT #35968]
 5726 
 5727 3852.	[func]		Increase the default number of clients available
 5728 			for servicing lightweight resolver queries, and
 5729 			make them configurable via the "lwres-tasks" and
 5730 			"lwres-clients" options.  (Thanks to Tomas Hozza.)
 5731 			[RT #35857]
 5732 
 5733 3851.	[func]		Allow libseccomp based system-call filtering
 5734 			on Linux; use "configure --enable-seccomp" to
 5735 			turn it on.  Thanks to Loganaden Velvindron
 5736 			of AFRINIC for the contribution. [RT #35347]
 5737 
 5738 3850.	[bug]		Disabling forwarding could trigger a REQUIRE assertion.
 5739 			[RT #35979]
 5740 
 5741 3849.	[doc]		Alphabetized dig's +options. [RT #35992]
 5742 
 5743 3848.	[bug]		Adjust 'statistics-channels specified but not effective'
 5744 			error message to account for JSON support. [RT #36008]
 5745 
 5746 3847.	[bug]		'configure --with-dlz-postgres' failed to fail when
 5747 			there is not support available.
 5748 
 5749 3846.	[bug]		"dig +notcp ixfr=<serial>" should result in a UDP
 5750 			ixfr query. [RT #35980]
 5751 
 5752 3845.	[placeholder]
 5753 
 5754 3844.	[bug]		Use the x64 version of the Microsoft Visual C++
 5755 			Redistributable when built for 64 bit Windows.
 5756 			[RT #35973]
 5757 
 5758 3843.	[protocol]	Check EDNS EXPIRE option in dns_rdata_fromwire.
 5759 			[RT #35969]
 5760 
 5761 3842.	[bug]		Adjust RRL log-only logging category. [RT #35945]
 5762 
 5763 3841.	[cleanup]	Refactor zone.c:add_opt to use dns_message_buildopt.
 5764 			[RT #35924]
 5765 
 5766 3840.	[port]		Check for arc4random_addrandom() before using it;
 5767 			it's been removed from OpenBSD 5.5. [RT #35907]
 5768 
 5769 3839.	[test]		Use only posix-compatible shell in system tests.
 5770 			[RT #35625]
 5771 
 5772 3838.	[protocol]	EDNS EXPIRE as been assigned a code point of 9.
 5773 
 5774 3837.	[security]	A NULL pointer is passed to query_prefetch resulting
 5775 			a REQUIRE assertion failure when a fetch is actually
 5776 			initiated (CVE-2014-3214).  [RT #35899]
 5777 
 5778 3836.	[bug]		Address C++ keyword usage in header file.
 5779 
 5780 3835.	[bug]		Geoip ACL elements didn't work correctly when
 5781 			referenced via named or nested ACLs. [RT #35879]
 5782 
 5783 3834.	[bug]		The re-signing heaps were not being updated soon enough
 5784 			leading to multiple re-generations of the same RRSIG
 5785 			when a zone transfer was in progress. [RT #35273]
 5786 
 5787 3833.	[bug]		Cross compiling was broken due to calling genrandom at
 5788 			build time. [RT #35869]
 5789 
 5790 3832.	[func]		"named -L <filename>" causes named to send log
 5791 			messages to the specified file by default instead
 5792 			of to the system log. (Thanks to Tony Finch.)
 5793 			[RT #35845]
 5794 
 5795 3831.	[cleanup]	Reduce logging noise when EDNS state changes occur.
 5796 			[RT #35843]
 5797 
 5798 3830.	[func]		When query logging is enabled, log query errors at
 5799 			the same level ('info') as the queries themselves.
 5800 			[RT #35844]
 5801 
 5802 3829.	[func]		"dig +ttlunits" causes dig to print TTL values
 5803 			with time-unit suffixes: w, d, h, m, s for
 5804 			weeks, days, hours, minutes, and seconds. (Thanks
 5805 			to Tony Finch.) [RT #35823]
 5806 
 5807 3828.	[func]		"dnssec-signzone -N date" updates serial number
 5808 			to the current date in YYYYMMDDNN format.
 5809 			[RT #35800]
 5810 
 5811 3827.	[placeholder]
 5812 
 5813 3826.	[bug]		Corrected bad INSIST logic in isc_radix_remove().
 5814 			[RT #35870]
 5815 
 5816 3825.	[bug]		Address sign extension bug in isc_regex_validate.
 5817 			[RT #35758]
 5818 
 5819 3824.	[bug]		A collision between two flag values could cause
 5820 			problems with cache cleaning when SIT was enabled.
 5821 			[RT #35858]
 5822 
 5823 3823.	[func]		Log the rpz cname target when rewriting. [RT #35667]
 5824 
 5825 3822.	[bug]		Log the correct type of static-stub zones when
 5826 			removing them. [RT #35842]
 5827 
 5828 3821.	[contrib]	Added a new "mysqldyn" DLZ module with dynamic
 5829 			update and transaction support. Thanks to Marty
 5830 			Lee for the contribution. [RT #35656]
 5831 
 5832 3820.	[func]		The DLZ API doesn't pass the database version to
 5833 			the lookup() function; this can cause DLZ modules
 5834 			that allow dynamic updates to mishandle prerequisite
 5835 			checks. This has been corrected by adding a
 5836 			'dbversion' field to the dns_clientinfo_t
 5837 			structure. [RT #35656]
 5838 
 5839 3819.	[bug]		NSEC3 hashes need to be able to be entered and
 5840 			displayed without padding.  This is not a issue for
 5841 			currently defined algorithms but may be for future
 5842 			hash algorithms. [RT #27925]
 5843 
 5844 3818.	[bug]		Stop lying to the optimizer that 'void *arg' is a
 5845 			constant in isc_event_allocate.
 5846 
 5847 3817.	[func]		The "delve" command is now spelled "delv" to avoid
 5848 			a namespace collision with the Xapian project.
 5849 			[RT #35801]
 5850 
 5851 3816.	[func]		"dig +qr" now reports query size. (Thanks to
 5852 			Tony Finch.) [RT #35822]
 5853 
 5854 3815.	[doc]		Clarify "nsupdate -y" usage in man page. [RT #35808]
 5855 
 5856 3814.	[func]		The "masterfile-style" zone option controls the
 5857 			formatting of dumped zone files. Options are
 5858 			"relative" (multiline format) and "full" (one
 5859 			record per line). The default is "relative".
 5860 			[RT #20798]
 5861 
 5862 3813.	[func]		"host" now recognizes the "timeout", "attempts" and
 5863 			"debug" options when set in /etc/resolv.conf.
 5864 			(Thanks to Adam Tkac at RedHat.) [RT #21885]
 5865 
 5866 3812.	[func]		Dig now supports sending arbitrary EDNS options from
 5867 			the command line (+ednsopt=code[:value]). [RT #35584]
 5868 
 5869 3811.	[func]		"serial-update-method date;" sets serial number
 5870 			on dynamic update to today's date in YYYYMMDDNN
 5871 			format. (Thanks to Bradley Forschinger.) [RT #24903]
 5872 
 5873 3810.	[bug]		Work around broken nameservers that fail to ignore
 5874 			unknown EDNS options. [RT #35766]
 5875 
 5876 3809.	[doc]		Fix SIT and NSID documentation.
 5877 
 5878 3808.	[doc]		Clean up "prefetch" documentation. [RT #35751]
 5879 
 5880 3807.	[bug]		Fix sign extension bug in dns_name_fromtext when
 5881 			lowercase is set. [RT #35743]
 5882 
 5883 3806.	[test]		Improved system test portability. [RT #35625]
 5884 
 5885 3805.	[contrib]	Added contrib/perftcpdns, a performance testing tool
 5886 			for DNS over TCP. [RT #35710]
 5887 
 5888 	--- 9.10.0rc1 released ---
 5889 
 5890 3804.	[bug]		Corrected a race condition in dispatch.c in which
 5891 			portentry could be reset leading to an assertion
 5892 			failure in socket_search(). (Change #3708
 5893 			addressed the same issue but was incomplete.)
 5894 			[RT #35128]
 5895 
 5896 3803.	[bug]		"named-checkconf -z" incorrectly rejected zones
 5897 			using alternate data sources for not having a "file"
 5898 			option. [RT #35685]
 5899 
 5900 3802.	[bug]		Various header files were not being installed.
 5901 
 5902 3801.	[port]		Fix probing for gssapi support on FreeBSD. [RT #35615]
 5903 
 5904 3800.	[bug]		A pending event on the route socket could cause an
 5905 			assertion failure when shutting down named. [RT #35674]
 5906 
 5907 3799.	[bug]		Improve named's command line error reporting.
 5908 			[RT #35603]
 5909 
 5910 3798.	[bug]		'rndc zonestatus' was reporting the wrong re-signing
 5911 			time. [RT #35659]
 5912 
 5913 3797.	[port]		netbsd: geoip support probing was broken. [RT #35642]
 5914 
 5915 3796.	[bug]		Register dns and pkcs#11 error codes. [RT #35629]
 5916 
 5917 3795.	[bug]		Make named-checkconf detect raw masterfiles for
 5918 			hint zones and reject them. [RT #35268]
 5919 
 5920 3794.	[maint]		Added AAAA for C.ROOT-SERVERS.NET.
 5921 
 5922 3793.	[bug]		zone.c:save_nsec3param() could assert when out of
 5923 			memory. [RT #35621]
 5924 
 5925 3792.	[func]		Provide links to the alternate statistics views when
 5926 			displaying in a browser.  [RT #35605]
 5927 
 5928 3791.	[placeholder]
 5929 
 5930 3790.	[bug]		Handle broken nameservers that send BADVERS in
 5931 			response to unknown EDNS options.  Maintain
 5932 			statistics on BADVERS responses.
 5933 
 5934 3789.	[bug]		Null pointer dereference on rbt creation failure.
 5935 
 5936 3788.	[bug]		dns_peer_getrequestsit was returning request_nsid by
 5937 			mistake.
 5938 
 5939 	--- 9.10.0b2 released ---
 5940 
 5941 3787.	[bug]		The code that checks whether "auto-dnssec" is
 5942 			allowed was ignoring "allow-update" ACLs set at
 5943 			the options or view level. [RT #29536]
 5944 
 5945 3786.	[func]		Provide more detailed error codes when using
 5946 			native PKCS#11. "pkcs11-tokens" now fails robustly
 5947 			rather than asserting when run against an HSM with
 5948 			an incomplete PKCS#11 API implementation. [RT #35479]
 5949 
 5950 3785.	[bug]		Debugging code dumphex didn't accept arbitrarily long
 5951 			input (only compiled with -DDEBUG). [RT #35544]
 5952 
 5953 3784.	[bug]		Using "rrset-order fixed" when it had not been
 5954 			enabled at compile time caused inconsistent
 5955 			results. It now works as documented, defaulting
 5956 			to cyclic mode. [RT #28104]
 5957 
 5958 3783.	[func]		"tsig-keygen" is now available as an alternate
 5959 			command name for "ddns-confgen".  It generates
 5960 			a TSIG key in named.conf format without comments.
 5961 			[RT #35503]
 5962 
 5963 3782.	[func]		Specifying "auto" as the salt when using
 5964 			"rndc signing -nsec3param" causes named to
 5965 			generate a 64-bit salt at random. [RT #35322]
 5966 
 5967 3781.	[tuning]	Use adaptive mutex locks when available; this
 5968 			has been found to improve performance under load
 5969 			on many systems. "configure --with-locktype=standard"
 5970 			restores conventional mutex locks. [RT #32576]
 5971 
 5972 3780.	[bug]		$GENERATE handled negative numbers incorrectly.
 5973 			[RT #25528]
 5974 
 5975 3779.	[cleanup]	Clarify the error message when using an option
 5976 			that was not enabled at compile time. [RT #35504]
 5977 
 5978 3778.	[bug]		Log a warning when the wrong address family is
 5979 			used in "listen-on" or "listen-on-v6". [RT #17848]
 5980 
 5981 3777.	[bug]		EDNS EXPIRE code could dump core when processing
 5982 			DLZ queries. [RT #35493]
 5983 
 5984 3776.	[func]		"rndc -q" suppresses output from successful
 5985 			rndc commands. Errors are printed on stderr.
 5986 			[RT #21393]
 5987 
 5988 3775.	[bug]		dlz_dlopen driver could return the wrong error
 5989 			code on API version mismatch, leading to a segfault.
 5990 			[RT #35495]
 5991 
 5992 3774.	[func]		When using "request-nsid", log the NSID value in
 5993 			printable form as well as hex. [RT #20864]
 5994 
 5995 3773.	[func]		"host", "nslookup" and "nsupdate" now have
 5996 			options to print the version number and exit.
 5997 			[RT #26057]
 5998 
 5999 3772.	[contrib]	Added sqlite3 dynamically-loadable DLZ module.
 6000 			(Based in part on a contribution from Tim Tessier.)
 6001 			[RT #20822]
 6002 
 6003 3771.	[cleanup]	Adjusted log level for "using built-in key"
 6004 			messages. [RT #24383]
 6005 
 6006 3770.	[bug]		"dig +trace" could fail with an assertion when it
 6007 			needed to fall back to TCP due to a truncated
 6008 			response. [RT #24660]
 6009 
 6010 3769.	[doc]		Improved documentation of "rndc signing -list".
 6011 			[RT #30652]
 6012 
 6013 3768.	[bug]		"dnssec-checkds" was missing the SHA-384 digest
 6014 			algorithm. [RT #34000]
 6015 
 6016 3767.	[func]		Log explicitly when using rndc.key to configure
 6017 			command channel. [RT #35316]
 6018 
 6019 3766.	[cleanup]	Fixed problems with building outside the source
 6020 			tree when using native PKCS#11. [RT #35459]
 6021 
 6022 3765.	[bug]		Fixed a bug in "rndc secroots" that could crash
 6023 			named when dumping an empty keynode. [RT #35469]
 6024 
 6025 3764.	[bug]		The dnssec-keygen/settime -S and -i options
 6026 			(to set up a successor key and set the prepublication
 6027 			interval) were missing from dnssec-keyfromlabel.
 6028 			[RT #35394]
 6029 
 6030 3763.	[bug]		delve: Cache DNSSEC records to avoid the need to
 6031 			re-fetch them when restarting validation. [RT #35476]
 6032 
 6033 3762.	[bug]		Address build problems with --pkcs11-native +
 6034 			--with-openssl with ECDSA support. [RT #35467]
 6035 
 6036 3761.	[bug]		Address dangling reference bug in dns_keytable_add.
 6037 			[RT #35471]
 6038 
 6039 3760.	[bug]		Improve SIT with native PKCS#11 and on Windows.
 6040 			[RT #35433]
 6041 
 6042 3759.	[port]		Enable delve on Windows. [RT #35441]
 6043 
 6044 3758.	[port]		Enable export library APIs on Windows. [RT #35382]
 6045 
 6046 3757.	[port]		Enable Python tools (dnssec-coverage,
 6047 			dnssec-checkds) to run on Windows. [RT #34355]
 6048 
 6049 3756.	[bug]		GSSAPI Kerberos realm checking was broken in
 6050 			check_config leading to spurious messages being
 6051 			logged.  [RT #35443]
 6052 
 6053 	--- 9.10.0b1 released ---
 6054 
 6055 3755.	[func]		Add stats counters for known EDNS options + others.
 6056 			[RT #35447]
 6057 
 6058 3754.	[cleanup]	win32: Installer now places files in the
 6059 			Program Files area rather than system services.
 6060 			[RT #35361]
 6061 
 6062 3753.	[bug]		allow-notify was ignoring keys. [RT #35425]
 6063 
 6064 3752.	[bug]		Address potential REQUIRE failure if
 6065 			DNS_STYLEFLAG_COMMENTDATA is set when printing out
 6066 			a rdataset.
 6067 
 6068 3751.	[tuning]	The default setting for the -U option (setting
 6069 			the number of UDP listeners per interface) has
 6070 			been adjusted to improve performance. [RT #35417]
 6071 
 6072 3750.	[experimental]	Partially implement EDNS EXPIRE option as described
 6073 			in draft-andrews-dnsext-expire-00.  Retrieval of
 6074 			the remaining time until expiry for slave zones
 6075 			is supported.
 6076 
 6077 			EXPIRE uses an experimental option code (65002),
 6078 			which is subject to change. [RT #35416]
 6079 
 6080 3749.	[func]		"dig +subnet" sends an EDNS client subnet option
 6081 			containing the specified address/prefix when
 6082 			querying. (Thanks to Wilmer van der Gaast.)
 6083 			[RT #35415]
 6084 
 6085 3748.	[test]		Use delve to test dns_client interfaces. [RT #35383]
 6086 
 6087 3747.	[bug]		A race condition could lead to a core dump when
 6088 			destroying a resolver fetch object. [RT #35385]
 6089 
 6090 3746.	[func]		New "max-zone-ttl" option enforces maximum
 6091 			TTLs for zones. If loading a zone containing a
 6092 			higher TTL, the load fails. DDNS updates with
 6093 			higher TTLs are accepted but the TTL is truncated.
 6094 			(Note: Currently supported for master zones only;
 6095 			inline-signing slaves will be added.) [RT #38405]
 6096 
 6097 3745.	[func]		"configure --with-tuning=large" adjusts various
 6098 			compiled-in constants and default settings to
 6099 			values suited to large servers with abundant
 6100 			memory. [RT #29538]
 6101 
 6102 3744.	[experimental]	SIT: send and process Source Identity Tokens
 6103 			(similar to DNS Cookies by Donald Eastlake 3rd),
 6104 			which are designed to help clients detect off-path
 6105 			spoofed responses and for servers to identify
 6106 			legitimate clients.
 6107 
 6108 			SIT uses an experimental EDNS option code (65001),
 6109 			which will be changed to an IANA-assigned value
 6110 			if the experiment is deemed a success.
 6111 
 6112 			SIT can be enabled via "configure --enable-sit" (or
 6113 			--enable-developer). It is enabled by default in
 6114 			Windows.
 6115 
 6116 			Servers can be configured to send smaller responses
 6117 			to clients that have not identified themselves via
 6118 			SIT.  RRL processing has also been updated;
 6119 			legitimate clients are not subject to rate
 6120 			limiting. [RT #35389]
 6121 
 6122 3743.	[bug]		delegation-only flag wasn't working in forward zone
 6123 			declarations despite being documented.  This is
 6124 			needed to support turning off forwarding and turning
 6125 			on delegation only at the same name.  [RT #35392]
 6126 
 6127 3742.	[port]		linux: libcap support: declare curval at start of
 6128 			block. [RT #35387]
 6129 
 6130 3741.	[func]		"delve" (domain entity lookup and validation engine):
 6131 			A new tool with dig-like semantics for performing DNS
 6132 			lookups, with internal DNSSEC validation, using the
 6133 			same resolver and validator logic as named. This
 6134 			allows easy validation of DNSSEC data in environments
 6135 			with untrustworthy resolvers, and assists with
 6136 			troubleshooting of DNSSEC problems. [RT #32406]
 6137 
 6138 3740.	[contrib]	Minor fixes to configure --with-dlz-bdb,
 6139 			--with-dlz-postgres and --with-dlz-odbc. [RT #35340]
 6140 
 6141 3739.	[func]		Added per-zone stats counters to track TCP and
 6142 			UDP queries. [RT #35375]
 6143 
 6144 3738.	[bug]		--enable-openssl-hash failed to build. [RT #35343]
 6145 
 6146 3737.	[bug]		'rndc retransfer' could trigger a assertion failure
 6147 			with inline zones. [RT #35353]
 6148 
 6149 3736.	[bug]		nsupdate: When specifying a server by name,
 6150 			fall back to alternate addresses if the first
 6151 			address for that name is not reachable. [RT #25784]
 6152 
 6153 3735.	[cleanup]	Merged the libiscpk11 library into libisc
 6154 			to simplify dependencies. [RT #35205]
 6155 
 6156 3734.	[bug]		Improve building with libtool. [RT #35314]
 6157 
 6158 3733.	[func]		Improve interface scanning support.  Interface
 6159 			information will be automatically updated if the
 6160 			OS supports routing sockets (MacOS, *BSD, Linux).
 6161 			Use "automatic-interface-scan no;" to disable.
 6162 
 6163 			Add "rndc scan" to trigger a scan. [RT #23027]
 6164 
 6165 3732.	[contrib]	Fixed a type mismatch causing the ODBC DLZ
 6166 			driver to dump core on 64-bit systems. [RT #35324]
 6167 
 6168 3731.	[func]		Added a "no-case-compress" ACL, which causes
 6169 			named to use case-insensitive compression
 6170 			(disabling change #3645) for specified
 6171 			clients. (This is useful when dealing
 6172 			with broken client implementations that
 6173 			use case-sensitive name comparisons,
 6174 			rejecting responses that fail to match the
 6175 			capitalization of the query that was sent.)
 6176 			[RT #35300]
 6177 
 6178 3730.	[cleanup]	Added "never" as a synonym for "none" when
 6179 			configuring key event dates in the dnssec tools.
 6180 			[RT #35277]
 6181 
 6182 3729.	[bug]		dnssec-keygen could set the publication date
 6183 			incorrectly when only the activation date was
 6184 			specified on the command line. [RT #35278]
 6185 
 6186 3728.	[doc]		Expanded native-PKCS#11 documentation,
 6187 			specifically pkcs11: URI labels. [RT #35287]
 6188 
 6189 3727.	[func]		The isc_bitstring API is no longer used and
 6190 			has been removed from libisc. [RT #35284]
 6191 
 6192 3726.	[cleanup]	Clarified the error message when attempting
 6193 			to configure more than 32 response-policy zones.
 6194 			[RT #35283]
 6195 
 6196 3725.	[contrib]	Updated zkt and nslint to newest versions,
 6197 			cleaned up and rearranged the contrib
 6198 			directory, and added a README.
 6199 
 6200 	--- 9.10.0a2 released ---
 6201 
 6202 3724.	[bug]		win32: Fixed a bug that prevented dig and
 6203 			host from exiting properly after completing
 6204 			a UDP query. [RT #35288]
 6205 
 6206 3723.	[cleanup]	Imported keys are now handled the same way
 6207 			regardless of DNSSEC algorithm. [RT #35215]
 6208 
 6209 3722.	[bug]		Using geoip ACLs in a blackhole statement
 6210 			could cause a segfault. [RT #35272]
 6211 
 6212 3721.	[doc]		Improved documentation of the EDNS processing
 6213 			enhancements introduced in change #3593. [RT #35275]
 6214 
 6215 3720.	[bug]		Address compiler warnings. [RT #35261]
 6216 
 6217 3719.	[bug]		Address memory leak in in peer.c. [RT #35255]
 6218 
 6219 3718.	[bug]		A missing ISC_LINK_INIT in log.c. [RT #35260]
 6220 
 6221 3717.	[port]		hpux: Treat EOPNOTSUPP as a expected error code when
 6222 			probing to see if it is possible to set dscp values
 6223 			on a per packet basis. [RT #35252]
 6224 
 6225 3716.	[bug]		The dns_request code was setting dcsp values when not
 6226 			requested.  [RT #35252]
 6227 
 6228 3715.	[bug]		The region and city databases could fail to
 6229 			initialize when using some versions of libGeoIP,
 6230 			causing assertion failures when named was
 6231 			configured to use them. [RT #35427]
 6232 
 6233 3714.	[test]		System tests that need to test for cryptography
 6234 			support before running can now use a common
 6235 			"testcrypto.sh" script to do so. [RT #35213]
 6236 
 6237 3713.	[bug]		Save memory by not storing "also-notify" addresses
 6238 			in zone objects that are configured not to send
 6239 			notify requests. [RT #35195]
 6240 
 6241 3712.	[placeholder]
 6242 
 6243 3711.	[placeholder]
 6244 
 6245 3710.	[bug]		Address double dns_zone_detach when switching to
 6246 			using automatic empty zones from regular zones.
 6247 			[RT #35177]
 6248 
 6249 3709.	[port]		Use built-in versions of strptime() and timegm()
 6250 			on all platforms to avoid portability issues.
 6251 			[RT #35183]
 6252 
 6253 3708.	[bug]		Address a portentry locking issue in dispatch.c.
 6254 			[RT #35128]
 6255 
 6256 3707.	[bug]		irs_resconf_load now returns ISC_R_FILENOTFOUND
 6257 			on a missing resolv.conf file and initializes the
 6258 			structure as if it had been configured with:
 6259 
 6260 				nameserver ::1
 6261 				nameserver 127.0.0.1
 6262 
 6263 			Note: Callers will need to be updated to treat
 6264 			ISC_R_FILENOTFOUND as a qualified success or else
 6265 			they will leak memory. The following code fragment
 6266 			will work with both old and new versions without
 6267 			changing the behaviour of the existing code.
 6268 
 6269 			resconf = NULL;
 6270 			result = irs_resconf_load(mctx, "/etc/resolv.conf",
 6271 						  &resconf);
 6272 			if (result != ISC_SUCCESS) {
 6273 				if (resconf != NULL)
 6274 					irs_resconf_destroy(&resconf);
 6275 				....
 6276 			}
 6277 
 6278 			[RT #35194]
 6279 
 6280 3706.	[contrib]	queryperf: Fixed a possible integer overflow when
 6281 			printing results. [RT #35182]
 6282 
 6283 3705.	[func]		"configure --enable-native-pkcs11" enables BIND
 6284 			to use the PKCS#11 API for all cryptographic
 6285 			functions, so that it can drive a hardware service
 6286 			module directly without the need to use a modified
 6287 			OpenSSL as intermediary (so long as the HSM's vendor
 6288 			provides a complete-enough implementation of the
 6289 			PKCS#11 interface). This has been tested successfully
 6290 			with the Thales nShield HSM and with SoftHSMv2 from
 6291 			the OpenDNSSEC project. [RT #29031]
 6292 
 6293 3704.	[protocol]	Accept integer timestamps in RRSIG records. [RT #35185]
 6294 
 6295 3703.	[func]		To improve recursive resolver performance, cache
 6296 			records which are still being requested by clients
 6297 			can now be automatically refreshed from the
 6298 			authoritative server before they expire, reducing
 6299 			or eliminating the time window in which no answer
 6300 			is available in the cache. See the "prefetch" option
 6301 			for more details. [RT #35041]
 6302 
 6303 3702.	[func]		'dnssec-coverage -l' option specifies a length
 6304 			of time to check for coverage; events further into
 6305 			the future are ignored.  'dnssec-coverage -z'
 6306 			checks only ZSK events, and 'dnssec-coverage -k'
 6307 			checks only KSK events.  (Thanks to Peter Palfrader.)
 6308 			[RT #35168]
 6309 
 6310 3701.	[func]		named-checkconf can now obscure shared secrets
 6311 			when printing by specifying '-x'. [RT #34465]
 6312 
 6313 3700.	[func]		Allow access to subgroups of XML statistics via
 6314 			special URLs http://<server>:<port>/xml/v3/server,
 6315 			/zones, /net, /tasks, /mem, and /status.  [RT #35115]
 6316 
 6317 3699.	[bug]		Improvements to statistics channel XSL stylesheet:
 6318 			the stylesheet can now be cached by the browser;
 6319 			section headers are omitted from the stats display
 6320 			when there is no data in those sections to be
 6321 			displayed; counters are now right-justified for
 6322 			easier readability. [RT #35117]
 6323 
 6324 3698.	[cleanup]	Replaced all uses of memcpy() with memmove().
 6325 			[RT #35120]
 6326 
 6327 3697.	[bug]		Handle "." as a search list element when IDN support
 6328 			is enabled. [RT #35133]
 6329 
 6330 3696.	[bug]		dig failed to handle AXFR style IXFR responses which
 6331 			span multiple messages. [RT #35137]
 6332 
 6333 3695.	[bug]		Address a possible race in dispatch.c. [RT #35107]
 6334 
 6335 3694.	[bug]		Warn when a key-directory is configured for a zone,
 6336 			but does not exist or is not a directory. [RT #35108]
 6337 
 6338 3693.	[security]	memcpy was incorrectly called with overlapping
 6339 			ranges resulting in malformed names being generated
 6340 			on some platforms.  This could cause INSIST failures
 6341 			when serving NSEC3 signed zones (CVE-2014-0591).
 6342 			[RT #35120]
 6343 
 6344 3692.	[bug]		Two calls to dns_db_getoriginnode were fatal if there
 6345 			was no data at the node. [RT #35080]
 6346 
 6347 3691.	[contrib]	Address null pointer dereference in LDAP and
 6348 			MySQL DLZ modules.
 6349 
 6350 3690.	[bug]		Iterative responses could be missed when the source
 6351 			port for an upstream query was the same as the
 6352 			listener port (53). [RT #34925]
 6353 
 6354 3689.	[bug]		Fixed a bug causing an insecure delegation from one
 6355 			static-stub zone to another to fail with a broken
 6356 			trust chain. [RT #35081]
 6357 
 6358 3688.	[bug]		loadnode could return a freed node on out of memory.
 6359 			[RT #35106]
 6360 
 6361 3687.	[bug]		Address null pointer dereference in zone_xfrdone.
 6362 			[RT #35042]
 6363 
 6364 3686.	[func]		"dnssec-signzone -Q" drops signatures from keys
 6365 			that are still published but no longer active.
 6366 			[RT #34990]
 6367 
 6368 3685.	[bug]		"rndc refresh" didn't work correctly with slave
 6369 			zones using inline-signing. [RT #35105]
 6370 
 6371 3684.	[bug]		The list of included files would grow on reload.
 6372 			[RT 35090]
 6373 
 6374 3683.	[cleanup]	Add a more detailed "not found" message to rndc
 6375 			commands which specify a zone name. [RT #35059]
 6376 
 6377 3682.	[bug]		Correct the behavior of rndc retransfer to allow
 6378 			inline-signing slave zones to retain NSEC3 parameters
 6379 			instead of reverting to NSEC. [RT #34745]
 6380 
 6381 3681.	[port]		Update the Windows build system to support feature
 6382 			selection and WIN64 builds.  This is a work in
 6383 			progress. [RT #34160]
 6384 
 6385 3680.	[bug]		Ensure buffer space is available in "rndc zonestatus".
 6386 			[RT #35084]
 6387 
 6388 3679.	[bug]		dig could fail to clean up TCP sockets still
 6389 			waiting on connect(). [RT #35074]
 6390 
 6391 3678.	[port]		Update config.guess and config.sub. [RT #35060]
 6392 
 6393 3677.	[bug]		'nsupdate' leaked memory if 'realm' was used multiple
 6394 			times.  [RT #35073]
 6395 
 6396 3676.	[bug]		"named-checkconf -z" now checks zones of type
 6397 			hint and redirect as well as master. [RT #35046]
 6398 
 6399 3675.	[misc]		Provide a place for third parties to add version
 6400 			information for their extensions in the version
 6401 			file by setting the EXTENSIONS variable.
 6402 
 6403 	--- 9.10.0a1 released ---
 6404 
 6405 3674.	[bug]		RPZ zeroed ttls if the query type was '*'. [RT #35026]
 6406 
 6407 3673.	[func]		New "in-view" zone option allows direct sharing
 6408 			of zones between views. [RT #32968]
 6409 
 6410 3672.	[func]		Local address can now be specified when using
 6411 			dns_client API. [RT #34811]
 6412 
 6413 3671.	[bug]		Don't allow dnssec-importkey overwrite a existing
 6414 			non-imported private key.
 6415 
 6416 3670.	[bug]		Address read after free in server side of
 6417 			lwres_getrrsetbyname. [RT #29075]
 6418 
 6419 3669.	[port]		freebsd: --with-gssapi needs -lhx509. [RT #35001]
 6420 
 6421 3668.	[bug]		Fix cast in lex.c which could see 0xff treated as eof.
 6422 			[RT #34993]
 6423 
 6424 3667.	[test]		dig: add support to keep the TCP socket open between
 6425 			successive queries (+[no]keepopen).  [RT #34918]
 6426 
 6427 3666.	[func]		Add a tool, named-rrchecker, for checking the syntax
 6428 			of individual resource records.  This tool is intended
 6429 			to be called by provisioning systems so that the front
 6430 			end does not need to be upgraded to support new DNS
 6431 			record types. [RT #34778]
 6432 
 6433 3665.	[bug]		Failure to release lock on error in receive_secure_db.
 6434 			[RT #34944]
 6435 
 6436 3664.	[bug]		Updated OpenSSL PKCS#11 patches to fix active list
 6437 			locking and other bugs. [RT #34855]
 6438 
 6439 3663.	[bug]		Address bugs in dns_rdata_fromstruct and
 6440 			dns_rdata_tostruct for WKS and ISDN types. [RT #34910]
 6441 
 6442 3662.	[bug]		'host' could die if a UDP query timed out. [RT #34870]
 6443 
 6444 3661.	[bug]		Address lock order reversal deadlock with inline zones.
 6445 			[RT #34856]
 6446 
 6447 3660.	[cleanup]	Changed the name of "isc-config.sh" to "bind9-config".
 6448 			[RT #23825]
 6449 
 6450 3659.	[port]		solaris: don't add explicit dependencies/rules for
 6451 			python programs as make won't use the implicit rules.
 6452 			[RT #34835]
 6453 
 6454 3658.	[port]		linux: Address platform specific compilation issue
 6455 			when libcap-devel is installed. [RT #34838]
 6456 
 6457 3657.	[port]		Some readline clones don't accept NULL pointers when
 6458 			calling add_history. [RT #34842]
 6459 
 6460 3656.	[security]	Treat an all zero netmask as invalid when generating
 6461 			the localnets acl. (The prior behavior could
 6462 			allow unexpected matches when using some versions
 6463 			of Winsock: CVE-2013-6320.) [RT #34687]
 6464 
 6465 3655.	[cleanup]	Simplify TCP message processing when requesting a
 6466 			zone transfer.  [RT #34825]
 6467 
 6468 3654.	[bug]		Address race condition with manual notify requests.
 6469 			[RT #34806]
 6470 
 6471 3653.	[func]		Create delegations for all "children" of empty zones
 6472 			except "forward first". [RT #34826]
 6473 
 6474 3652.	[bug]		Address bug with rpz-drop policy. [RT #34816]
 6475 
 6476 3651.	[tuning]	Adjust when a master server is deemed unreachable.
 6477 			[RT #27075]
 6478 
 6479 3650.	[tuning]	Use separate rate limiting queues for refresh and
 6480 			notify requests. [RT #30589]
 6481 
 6482 3649.	[cleanup]	Include a comment in .nzf files, giving the name of
 6483 			the associated view. [RT #34765]
 6484 
 6485 3648.	[test]		Updated the ATF test framework to version 0.17.
 6486 			[RT #25627]
 6487 
 6488 3647.	[bug]		Address a race condition when shutting down a zone.
 6489 			[RT #34750]
 6490 
 6491 3646.	[bug]		Journal filename string could be set incorrectly,
 6492 			causing garbage in log messages. [RT #34738]
 6493 
 6494 3645.	[protocol]	Use case sensitive compression when responding to
 6495 			queries. [RT #34737]
 6496 
 6497 3644.	[protocol]	Check that EDNS subnet client options are well formed.
 6498 			[RT #34718]
 6499 
 6500 3643.	[doc]		Clarify RRL "slip" documentation.
 6501 
 6502 3642.	[func]		Allow externally generated DNSKEY to be imported
 6503 			into the DNSKEY management framework.  A new tool
 6504 			dnssec-importkey is used to do this. [RT #34698]
 6505 
 6506 3641.	[bug]		Handle changes to sig-validity-interval settings
 6507 			better. [RT #34625]
 6508 
 6509 3640.	[bug]		ndots was not being checked when searching.  Only
 6510 			continue searching on NXDOMAIN responses.  Add the
 6511 			ability to specify ndots to nslookup. [RT #34711]
 6512 
 6513 3639.	[bug]		Treat type 65533 (KEYDATA) as opaque except when used
 6514 			in a key zone. [RT #34238]
 6515 
 6516 3638.	[cleanup]	Add the ability to handle ENOPROTOOPT in case it is
 6517 			encountered. [RT #34668]
 6518 
 6519 3637.	[bug]		'allow-query-on' was checking the source address
 6520 			rather than the destination address. [RT #34590]
 6521 
 6522 3636.	[bug]		Automatic empty zones now behave better with
 6523 			forward only "zones" beneath them. [RT #34583]
 6524 
 6525 3635.	[bug]		Signatures were not being removed from a zone with
 6526 			only KSK keys for a algorithm. [RT #34439]
 6527 
 6528 3634.	[func]		Report build-id in rndc status. Report build-id
 6529 			when building from a git repository. [RT #20422]
 6530 
 6531 3633.	[cleanup]	Refactor OPT processing in named to make it easier
 6532 			to support new EDNS options. [RT #34414]
 6533 
 6534 3632.	[bug]		Signature from newly inactive keys were not being
 6535 			removed. [RT #32178]
 6536 
 6537 3631.	[bug]		Remove spurious warning about missing signatures when
 6538 			qtype is SIG. [RT #34600]
 6539 
 6540 3630.	[bug]		Ensure correct ID computation for MD5 keys. [RT #33033]
 6541 
 6542 3629.	[func]		Allow the printing of cryptographic fields in DNSSEC
 6543 			records by dig to be suppressed (dig +nocrypto).
 6544 			[RT #34534]
 6545 
 6546 3628.	[func]		Report DNSKEY key id's when dumping the cache.
 6547 			[RT #34533]
 6548 
 6549 3627.	[bug]		RPZ changes were not effective on slaves. [RT #34450]
 6550 
 6551 3626.	[func]		dig: NSID output now easier to read. [RT #21160]
 6552 
 6553 3625.	[bug]		Don't send notify messages to machines outside of the
 6554 			test setup.
 6555 
 6556 3624.	[bug]		Look for 'json_object_new_int64' when looking for a
 6557 			the json library. [RT #34449]
 6558 
 6559 3623.	[placeholder]
 6560 
 6561 3622.	[tuning]	Eliminate an unnecessary lock when incrementing
 6562 			cache statistics. [RT #34339]
 6563 
 6564 3621.	[security]	Incorrect bounds checking on private type 'keydata'
 6565 			can lead to a remotely triggerable REQUIRE failure
 6566 			(CVE-2013-4854). [RT #34238]
 6567 
 6568 3620.	[func]		Added "rpz-client-ip" policy triggers, enabling
 6569 			RPZ responses to be configured on the basis of
 6570 			the client IP address; this can be used, for
 6571 			example, to blacklist misbehaving recursive
 6572 			or stub resolvers. [RT #33605]
 6573 
 6574 3619.	[bug]		Fixed a bug in RPZ with "recursive-only no;"
 6575 			[RT #33776]
 6576 
 6577 3618.	[func]		"rndc reload" now checks modification times of
 6578 			include files as well as master files to determine
 6579 			whether to skip reloading a zone. [RT #33936]
 6580 
 6581 3617.	[bug]		Named was failing to answer queries during
 6582 			"rndc reload" [RT #34098]
 6583 
 6584 3616.	[bug]		Change #3613 was incomplete. [RT #34177]
 6585 
 6586 3615.	[cleanup]	"configure" now finishes by printing a summary
 6587 			of optional BIND features and whether they are
 6588 			active or inactive. ("configure --enable-full-report"
 6589 			increases the verbosity of the summary.) [RT #31777]
 6590 
 6591 3614.	[port]		Check for <linux/types.h>. [RT #34162]
 6592 
 6593 3613.	[bug]		named could crash when deleting inline-signing
 6594 			zones with "rndc delzone". [RT #34066]
 6595 
 6596 3612.	[port]		Check whether to use -ljson or -ljson-c. [RT #34115]
 6597 
 6598 3611.	[bug]		Improved resistance to a theoretical authentication
 6599 			attack based on differential timing.  [RT #33939]
 6600 
 6601 3610.	[cleanup]	win32: Some executables had been omitted from the
 6602 			installer. [RT #34116]
 6603 
 6604 3609.	[bug]		Corrected a possible deadlock in applications using
 6605 			the export version of the isc_app API. [RT #33967]
 6606 
 6607 3608.	[port]		win32: added todos.pl script to ensure all text files
 6608 			the win32 build depends on are converted to DOS
 6609 			newline format. [RT #22067]
 6610 
 6611 3607.	[bug]		dnssec-keygen had broken 'Invalid keyfile' error
 6612 			message. [RT #34045]
 6613 
 6614 3606.	[func]		"rndc flushtree" now flushes matching
 6615 			records in the address database and bad cache
 6616 			as well as the DNS cache. (Previously only the
 6617 			DNS cache was flushed.) [RT #33970]
 6618 
 6619 3605.	[port]		win32: Addressed several compatibility issues
 6620 			with newer versions of Visual Studio. [RT #33916]
 6621 
 6622 3604.	[bug]		Fixed a compile-time error when building with
 6623 			JSON but not XML. [RT #33959]
 6624 
 6625 3603.	[bug]		Install <isc/stat.h>. [RT #33956]
 6626 
 6627 3602.	[contrib]	Added DLZ Perl module, allowing Perl scripts to
 6628 			integrate with named and serve DNS data.
 6629 			(Contributed by John Eaglesham of Yahoo.)
 6630 
 6631 3601.	[bug]		Added to PKCS#11 openssl patches a value len
 6632 			attribute in DH derive key. [RT #33928]
 6633 
 6634 3600.	[cleanup]	dig: Fixed a typo in the warning output when receiving
 6635 			an oversized response. [RT #33910]
 6636 
 6637 3599.	[tuning]	Check for pointer equivalence in name comparisons.
 6638 			[RT #18125]
 6639 
 6640 3598.	[cleanup]	Improved portability of map file code. [RT #33820]
 6641 
 6642 3597.	[bug]		Ensure automatic-resigning heaps are reconstructed
 6643 			when loading zones in map format. [RT #33381]
 6644 
 6645 3596.	[port]		Updated win32 build documentation, added
 6646 			dnssec-verify. [RT #22067]
 6647 
 6648 3595.	[port]		win32: Fix build problems introduced by change #3550.
 6649 			[RT #33807]
 6650 
 6651 3594.	[maint]		Update config.guess and config.sub. [RT #33816]
 6652 
 6653 3593.	[func]		Update EDNS processing to better track remote server
 6654 			capabilities. [RT #30655]
 6655 
 6656 3592.	[doc]		Moved documentation of rndc command options to the
 6657 			rndc man page. [RT #33506]
 6658 
 6659 3591.	[func]		Use CRC-64 to detect map file corruption at load
 6660 			time. [RT #33746]
 6661 
 6662 3590.	[bug]		When using RRL on recursive servers, defer
 6663 			rate-limiting until after recursion is complete;
 6664 			also, use correct rcode for slipped NXDOMAIN
 6665 			responses.  [RT #33604]
 6666 
 6667 3589.	[func]		Report serial numbers in when starting zone transfers.
 6668 			Report accepted NOTIFY requests including serial.
 6669 			[RT #33037]
 6670 
 6671 3588.	[bug]		dig: addressed a memory leak in the sigchase code
 6672 			that could cause a shutdown crash.  [RT #33733]
 6673 
 6674 3587.	[func]		'named -g' now checks the logging configuration but
 6675 			does not use it. [RT #33473]
 6676 
 6677 3586.	[bug]		Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]
 6678 
 6679 3585.	[func]		"rndc delzone -clean" option removes zone files
 6680 			when deleting a zone. [RT #33570]
 6681 
 6682 3584.	[security]	Caching data from an incompletely signed zone could
 6683 			trigger an assertion failure in resolver.c
 6684 			(CVE-2013-3919). [RT #33690]
 6685 
 6686 3583.	[bug]		Address memory leak in GSS-API processing [RT #33574]
 6687 
 6688 3582.	[bug]		Silence false positive warning regarding missing file
 6689 			directive for inline slave zones.  [RT #33662]
 6690 
 6691 3581.	[bug]		Changed the tcp-listen-queue default to 10. [RT #33029]
 6692 
 6693 3580.	[bug]		Addressed a possible race in acache.c [RT #33602]
 6694 
 6695 3579.	[maint]		Updates to PKCS#11 openssl patches, supporting
 6696 			versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]
 6697 
 6698 3578.	[bug]		'rndc -c file' now fails if 'file' does not exist.
 6699 			[RT #33571]
 6700 
 6701 3577.	[bug]		Handle zero TTL values better. [RT #33411]
 6702 
 6703 3576.	[bug]		Address a shutdown race when validating. [RT #33573]
 6704 
 6705 3575.	[func]		Changed the logging category for RRL events from
 6706 			'queries' to 'query-errors'. [RT #33540]
 6707 
 6708 3574.	[doc]		The 'hostname' keyword was missing from server-id
 6709 			description in the named.conf man page. [RT #33476]
 6710 
 6711 3573.	[bug]		"rndc addzone" and "rndc delzone" incorrectly handled
 6712 			zone names containing punctuation marks and other
 6713 			nonstandard characters. [RT #33419]
 6714 
 6715 3572.	[func]		Threads are now enabled by default on most
 6716 			operating systems. [RT #25483]
 6717 
 6718 3571.	[bug]		Address race condition in dns_client_startresolve().
 6719 			[RT #33234]
 6720 
 6721 3570.	[bug]		Check internal pointers are valid when loading map
 6722 			files. [RT #33403]
 6723 
 6724 3569.	[contrib]	Ported mysql DLZ driver to dynamically-loadable
 6725 			module, and added multithread support. [RT #33394]
 6726 
 6727 3568.	[cleanup]	Add a product description line to the version file,
 6728 			to be reported by named -v/-V. [RT #33366]
 6729 
 6730 3567.	[bug]		Silence clang static analyzer warnings. [RT #33365]
 6731 
 6732 3566.	[func]		Log when forwarding updates to master. [RT #33240]
 6733 
 6734 3565.	[placeholder]
 6735 
 6736 3564.	[bug]		Improved handling of corrupted map files. [RT #33380]
 6737 
 6738 3563.	[contrib]	zone2sqlite failed with some table names. [RT #33375]
 6739 
 6740 3562.	[func]		Update map file header format to include a SHA-1 hash
 6741 			of the database content, so that corrupted map files
 6742 			can be rejected at load time. [RT #32459]
 6743 
 6744 3561.	[bug]		dig: issue a warning if an EDNS query returns FORMERR
 6745 			or NOTIMP.  Adjust usage message. [RT #33363]
 6746 
 6747 3560.	[bug]		isc-config.sh did not honor includedir and libdir
 6748 			when set via configure. [RT #33345]
 6749 
 6750 3559.	[func]		Check that both forms of Sender Policy Framework
 6751 			records exist or do not exist. [RT #33355]
 6752 
 6753 3558.	[bug]		IXFR of a DLZ stored zone was broken. [RT #33331]
 6754 
 6755 3557.	[bug]		Reloading redirect zones was broken. [RT #33292]
 6756 
 6757 3556.	[maint]		Added AAAA for D.ROOT-SERVERS.NET.
 6758 
 6759 3555.	[bug]		Address theoretical race conditions in acache.c
 6760 			(change #3553 was incomplete). [RT #33252]
 6761 
 6762 3554.	[bug]		RRL failed to correctly rate-limit upward
 6763 			referrals and failed to count dropped error
 6764 			responses in the statistics. [RT #33225]
 6765 
 6766 3553.	[bug]		Address suspected double free in acache. [RT #33252]
 6767 
 6768 3552.	[bug]		Wrong getopt option string for 'nsupdate -r'.
 6769 			[RT #33280]
 6770 
 6771 3551.	[bug]		resolver.querydscp[46] were uninitialized.  [RT #32686]
 6772 
 6773 3550.	[func]		Unified the internal and export versions of the
 6774 			BIND libraries, allowing external clients to use
 6775 			the same libraries as BIND. [RT #33131]
 6776 
 6777 3549.	[doc]		Documentation for "request-nsid" was missing.
 6778 			[RT #33153]
 6779 
 6780 3548.	[bug]		The NSID request code in resolver.c was broken
 6781 			resulting in invalid EDNS options being sent.
 6782 			[RT #33153]
 6783 
 6784 3547.	[bug]		Some malformed unknown rdata records were not properly
 6785 			detected and rejected. [RT #33129]
 6786 
 6787 3546.	[func]		Add EUI48 and EUI64 types. [RT #33082]
 6788 
 6789 3545.	[bug]		RRL slip behavior was incorrect when set to 1.
 6790 			[RT #33111]
 6791 
 6792 3544.	[contrib]	check5011.pl: Script to report the status of
 6793 			managed keys as recorded in managed-keys.bind.
 6794 			Contributed by Tony Finch <dot@dotat.at>
 6795 
 6796 3543.	[bug]		Update socket structure before attaching to socket
 6797 			manager after accept. [RT #33084]
 6798 
 6799 3542.	[placeholder]
 6800 
 6801 3541.	[bug]		Parts of libdns were not properly initialized when
 6802 			built in libexport mode. [RT #33028]
 6803 
 6804 3540.	[test]		libt_api: t_info and t_assert were not thread safe.
 6805 
 6806 3539.	[port]		win32: timestamp format didn't match other platforms.
 6807 
 6808 3538.	[test]		Running "make test" now requires loopback interfaces
 6809 			to be set up. [RT #32452]
 6810 
 6811 3537.	[tuning]	Slave zones, when updated, now send NOTIFY messages
 6812 			to peers before being dumped to disk rather than
 6813 			after. [RT #27242]
 6814 
 6815 3536.	[func]		Add support for setting Differentiated Services Code
 6816 			Point (DSCP) values in named.  Most configuration
 6817 			options which take a "port" option (e.g.,
 6818 			listen-on, forwarders, also-notify, masters,
 6819 			notify-source, etc) can now also take a "dscp"
 6820 			option specifying a code point for use with
 6821 			outgoing traffic, if supported by the underlying
 6822 			OS. [RT #27596]
 6823 
 6824 3535.	[bug]		Minor win32 cleanups. [RT #32962]
 6825 
 6826 3534.	[bug]		Extra text after an embedded NULL was ignored when
 6827 			parsing zone files. [RT #32699]
 6828 
 6829 3533.	[contrib]	query-loc-0.4.0: memory leaks. [RT #32960]
 6830 
 6831 3532.	[contrib]	zkt: fixed buffer overrun, resource leaks. [RT #32960]
 6832 
 6833 3531.	[bug]		win32: A uninitialized value could be returned on out
 6834 			of memory. [RT #32960]
 6835 
 6836 3530.	[contrib]	Better RTT tracking in queryperf. [RT #30128]
 6837 
 6838 3529.	[func]		Named now listens on both IPv4 and IPv6 interfaces
 6839 			by default.  Named previously only listened on IPv4
 6840 			interfaces by default unless named was running in
 6841 			IPv6 only mode.  [RT #32945]
 6842 
 6843 3528.	[func]		New "dnssec-coverage" command scans the timing
 6844 			metadata for a set of DNSSEC keys and reports if a
 6845 			lapse in signing coverage has been scheduled
 6846 			inadvertently. (Note: This tool depends on python;
 6847 			it will not be built or installed on systems that
 6848 			do not have a python interpreter.) [RT #28098]
 6849 
 6850 3527.	[compat]	Add a URI to allow applications to explicitly
 6851 			request a particular XML schema from the statistics
 6852 			channel, returning 404 if not supported. [RT #32481]
 6853 
 6854 3526.	[cleanup]	Set up dependencies for unit tests correctly during
 6855 			build. [RT #32803]
 6856 
 6857 3525.	[func]		Support for additional signing algorithms in rndc:
 6858 			hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
 6859 			The -A option to rndc-confgen can be used to
 6860 			select the algorithm for the generated key.
 6861 			(The default is still hmac-md5; this may
 6862 			change in a future release.) [RT #20363]
 6863 
 6864 3524.	[func]		Added an alternate statistics channel in JSON format,
 6865 			when the server is built with the json-c library:
 6866 			http://[address]:[port]/json. [RT #32630]
 6867 
 6868 3523.	[contrib]	Ported filesystem and ldap DLZ drivers to
 6869 			dynamically-loadable modules, and added the
 6870 			"wildcard" module based on a contribution from
 6871 			Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569]
 6872 
 6873 3522.	[bug]		DLZ lookups could fail to return SERVFAIL when
 6874 			they ought to. [RT #32685]
 6875 
 6876 3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]
 6877 
 6878 3520.	[bug]		'mctx' was not being referenced counted in some places
 6879 			where it should have been.  [RT #32794]
 6880 
 6881 3519.	[func]		Full replay protection via four-way handshake is
 6882 			now mandatory for rndc clients. Very old versions
 6883 			of rndc will no longer work. [RT #32798]
 6884 
 6885 3518.	[bug]		Increase the size of dns_rrl_key.s.rtype by one bit
 6886 			so that all dns_rrl_rtype_t enum values fit regardless
 6887 			of whether it is treated as signed or unsigned by
 6888 			the compiler. [RT #32792]
 6889 
 6890 3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]
 6891 
 6892 3516.	[placeholder]
 6893 
 6894 3515.	[port]		'%T' is not portable in strftime(). [RT #32763]
 6895 
 6896 3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
 6897 			rndc-confgen were too constrained. Keys up to 512
 6898 			bits are now allowed for most algorithms, and up
 6899 			to 1024 bits for hmac-sha384 and hmac-sha512.
 6900 			[RT #32753]
 6901 
 6902 3513.	[func]		"dig -u" prints times in microseconds rather than
 6903 			milliseconds. [RT #32704]
 6904 
 6905 3512.	[func]		"rndc validation check" reports the current status
 6906 			of DNSSEC validation. [RT #21397]
 6907 
 6908 3511.	[doc]		Improve documentation of redirect zones. [RT #32756]
 6909 
 6910 3510.	[func]		"rndc status" and XML statistics channel now report
 6911 			server start and reconfiguration times. [RT #21048]
 6912 
 6913 3509.	[cleanup]	Added a product line to version file to allow for
 6914 			easy naming of different products (BIND
 6915 			vs BIND ESV, for example). [RT #32755]
 6916 
 6917 3508.	[contrib]	queryperf was incorrectly rejecting the -T option.
 6918 			[RT #32338]
 6919 
 6920 3507.	[bug]		Statistics channel XSL had a glitch when attempting
 6921 			to chart query data before any queries had been
 6922 			received. [RT #32620]
 6923 
 6924 3506.	[func]		When setting "max-cache-size" and "max-acache-size",
 6925 			the keyword "unlimited" is no longer defined as equal
 6926 			to 4 gigabytes (except on 32-bit platforms); it
 6927 			means literally unlimited. [RT #32358]
 6928 
 6929 3505.	[bug]		When setting "max-cache-size" and "max-acache-size",
 6930 			larger values than 4 gigabytes could not be set
 6931 			explicitly, though larger sizes were available
 6932 			when setting cache size to 0. This has been
 6933 			corrected; the full range is now available.
 6934 			[RT #32358]
 6935 
 6936 3504.	[func]		Add support for ACLs based on geographic location,
 6937 			using MaxMind GeoIP databases. Based on code
 6938 			contributed by Ken Brownfield <kb@slide.com>.
 6939 			[RT #30681]
 6940 
 6941 3503.	[doc]		Clarify size_spec syntax. [RT #32449]
 6942 
 6943 3502.	[func]		zone-statistics: "no" is now a synonym for "none",
 6944 			instead of "terse". [RT #29165]
 6945 
 6946 3501.	[func]		zone-statistics now takes three options: full,
 6947 			terse, and none. "yes" and "no" are retained as
 6948 			synonyms for full and terse, respectively. [RT #29165]
 6949 
 6950 3500.	[security]	Support NAPTR regular expression validation on
 6951 			all platforms without using libregex, which
 6952 			can be vulnerable to memory exhaustion attack
 6953 			(CVE-2013-2266). [RT #32688]
 6954 
 6955 3499.	[doc]		Corrected ARM documentation of built-in zones.
 6956 			[RT #32694]
 6957 
 6958 3498.	[bug]		zone statistics for zones which matched a potential
 6959 			empty zone could have their zone-statistics setting
 6960 			overridden.
 6961 
 6962 3497.	[func]		When deleting a slave/stub zone using 'rndc delzone'
 6963 			report the files that were being used so they can
 6964 			be cleaned up if desired. [RT #27899]
 6965 
 6966 3496.	[placeholder]
 6967 
 6968 3495.	[func]		Support multiple response-policy zones (up to 32),
 6969 			while improving RPZ performance.  "response-policy"
 6970 			syntax now includes a "min-ns-dots" clause, with
 6971 			default 1, to exclude top-level domains from
 6972 			NSIP and NSDNAME checking. --enable-rpz-nsip and
 6973 			--enable-rpz-nsdname are now the default. [RT #32251]
 6974 
 6975 3494.	[func]		DNS RRL: Blunt the impact of DNS reflection and
 6976 			amplification attacks by rate-limiting substantially-
 6977 			identical responses. [RT #28130]
 6978 
 6979 3493.	[contrib]	Added BDBHPT dynamically-loadable DLZ module,
 6980 			contributed by Mark Goldfinch. [RT #32549]
 6981 
 6982 3492.	[bug]		Fixed a regression in zone loading performance
 6983 			due to lock contention. [RT #30399]
 6984 
 6985 3491.	[bug]		Slave zones using inline-signing must specify a
 6986 			file name. [RT #31946]
 6987 
 6988 3490.	[bug]		When logging RDATA during update, truncate if it's
 6989 			too long. [RT #32365]
 6990 
 6991 3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
 6992 			dns_dlzcreate() failed to properly initialize
 6993 			dlzdb.link.  When cloning a rdataset do not copy
 6994 			the link contents.  [RT #32651]
 6995 
 6996 3488.	[bug]		Use after free error with DH generated keys. [RT #32649]
 6997 
 6998 3487.	[bug]		Change 3444 was not complete.  There was a additional
 6999 			place where the NOQNAME proof needed to be saved.
 7000 			[RT #32629]
 7001 
 7002 3486.	[bug]		named could crash when using TKEY-negotiated keys
 7003 			that had been deleted and then recreated. [RT #32506]
 7004 
 7005 3485.	[cleanup]	Only compile openssl_gostlink.c if we support GOST.
 7006 
 7007 3484.	[bug]		Some statistics were incorrectly rendered in XML.
 7008 			[RT #32587]
 7009 
 7010 3483.	[placeholder]
 7011 
 7012 3482.	[func]		dig +nssearch now prints name servers that don't
 7013 			have address records (missing AAAA or A, or the name
 7014 			doesn't exist). [RT #29348]
 7015 
 7016 3481.	[cleanup]	Removed use of const const in atf.
 7017 
 7018 3480.	[bug]		Silence logging noise when setting up zone
 7019 			statistics. [RT #32525]
 7020 
 7021 3479.	[bug]		Address potential memory leaks in gssapi support
 7022 			code. [RT #32405]
 7023 
 7024 3478.	[port]		Fix a build failure in strict C99 environments
 7025 			[RT #32475]
 7026 
 7027 3477.	[func]		Expand logging when adding records via DDNS update
 7028 			[RT #32365]
 7029 
 7030 3476.	[bug]		"rndc zonestatus" could report a spurious "not
 7031 			found" error on inline-signing zones. [RT #29226]
 7032 
 7033 3475.	[cleanup]	Changed name of 'map' zone file format (previously
 7034 			'fast'). [RT #32458]
 7035 
 7036 3474.	[bug]		nsupdate could assert when the local and remote
 7037 			address families didn't match. [RT #22897]
 7038 
 7039 3473.	[bug]		dnssec-signzone/verify could incorrectly report
 7040 			an error condition due to an empty node above an
 7041 			opt-out delegation lacking an NSEC3. [RT #32072]
 7042 
 7043 3472.	[bug]		The active-connections counter in the socket
 7044 			statistics could underflow. [RT #31747]
 7045 
 7046 3471.	[bug]		The number of UDP dispatches now defaults to
 7047 			the number of CPUs even if -n has been set to
 7048 			a higher value. [RT #30964]
 7049 
 7050 3470.	[bug]		Slave zones could fail to dump when successfully
 7051 			refreshing after an initial failure. [RT #31276]
 7052 
 7053 3469.	[bug]		Handle DLZ lookup failures more gracefully. Improve
 7054 			backward compatibility between versions of DLZ dlopen
 7055 			API. [RT #32275]
 7056 
 7057 3468.	[security]	RPZ rules to generate A records (but not AAAA records)
 7058 			could trigger an assertion failure when used in
 7059 			conjunction with DNS64 (CVE-2012-5689). [RT #32141]
 7060 
 7061 3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
 7062 			to check for delete date < inactive date. [RT #31719]
 7063 
 7064 3466.	[contrib]	Corrected the DNS_CLIENTINFOMETHODS_VERSION check
 7065 			in DLZ example driver. [RT #32275]
 7066 
 7067 3465.	[bug]		Handle isolated reserved ports. [RT #31778]
 7068 
 7069 3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
 7070 			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]
 7071 
 7072 3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]
 7073 
 7074 3462.	[doc]		Clarify server selection behavior of dig when using
 7075 			-4 or -6 options. [RT #32181]
 7076 
 7077 3461.	[bug]		Negative responses could incorrectly have AD=1
 7078 			set. [RT #32237]
 7079 
 7080 3460.	[bug]		Only link against readline where needed. [RT #29810]
 7081 
 7082 3459.	[func]		Added -J option to named-checkzone/named-compilezone
 7083 			to specify the path to the journal file. [RT #30958]
 7084 
 7085 3458.	[bug]		Return FORMERR when presented with a overly long
 7086 			domain named in a request. [RT #29682]
 7087 
 7088 3457.	[protocol]	Add ILNP records (NID, LP, L32, L64). [RT #31836]
 7089 
 7090 3456.	[port]		g++47: ATF failed to compile. [RT #32012]
 7091 
 7092 3455.	[contrib]	queryperf: fix getopt option list. [RT #32338]
 7093 
 7094 3454.	[port]		sparc64: improve atomic support. [RT #25182]
 7095 
 7096 3453.	[bug]		'rndc addzone' of a zone with 'inline-signing yes;'
 7097 			failed. [RT #31960]
 7098 
 7099 3452.	[bug]		Accept duplicate singleton records. [RT #32329]
 7100 
 7101 3451.	[port]		Increase per thread stack size from 64K to 1M.
 7102 			[RT #32230]
 7103 
 7104 3450.	[bug]		Stop logfileconfig system test spam system logs.
 7105 			[RT #32315]
 7106 
 7107 3449.	[bug]		gen.c: use the pre-processor to construct format
 7108 			strings so that compiler can perform sanity checks;
 7109 			check the snprintf results. [RT #17576]
 7110 
 7111 3448.	[bug]		The allow-query-on ACL was not processed correctly.
 7112 			[RT #29486]
 7113 
 7114 3447.	[port]		Add support for libxml2-2.9.x [RT #32231]
 7115 
 7116 3446.	[port]		win32: Add source ID (see change #3400) to build.
 7117 			[RT #31683]
 7118 
 7119 3445.	[bug]		Warn about zone files with blank owner names
 7120 			immediately after $ORIGIN directives. [RT #31848]
 7121 
 7122 3444.	[bug]		The NOQNAME proof was not being returned from cached
 7123 			insecure responses. [RT #21409]
 7124 
 7125 3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
 7126 			rejected when generating keys. [RT #31927]
 7127 
 7128 3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
 7129 			change. [RT #32216]
 7130 
 7131 3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.
 7132 
 7133 3440.	[bug]		Reorder get_key_struct to not trigger a assertion when
 7134 			cleaning up due to out of memory error. [RT #32131]
 7135 
 7136 3439.	[placeholder]
 7137 
 7138 3438.	[bug]		Don't accept unknown data escape in quotes. [RT #32031]
 7139 
 7140 3437.	[bug]		isc_buffer_init -> isc_buffer_constinit to initialize
 7141 			buffers with constant data. [RT #32064]
 7142 
 7143 3436.	[bug]		Check malloc/calloc return values. [RT #32088]
 7144 
 7145 3435.	[bug]		Cross compilation support in configure was broken.
 7146 			[RT #32078]
 7147 
 7148 3434.	[bug]		Pass client info to the DLZ findzone() entry
 7149 			point in addition to lookup().  This makes it
 7150 			possible for a database to answer differently
 7151 			whether it's authoritative for a name depending
 7152 			on the address of the client.  [RT #31775]
 7153 
 7154 3433.	[bug]		dlz_findzone() did not correctly handle
 7155 			ISC_R_NOMORE. [RT #31172]
 7156 
 7157 3432.	[func]		Multiple DLZ databases can now be configured.
 7158 			DLZ databases are searched in the order configured,
 7159 			unless set to "search no", in which case a
 7160 			zone can be configured to be retrieved from a
 7161 			particular DLZ database by using a "dlz <name>"
 7162 			option in the zone statement.  DLZ databases can
 7163 			support type "master" and "redirect" zones.
 7164 			[RT #27597]
 7165 
 7166 3431.	[bug]		ddns-confgen: Some valid key algorithms were
 7167 			not accepted. [RT #31927]
 7168 
 7169 3430.	[bug]		win32: isc_time_formatISO8601 was missing the
 7170 			'T' between the date and time. [RT #32044]
 7171 
 7172 3429.	[bug]		dns_zone_getserial2 could a return success without
 7173 			returning a valid serial. [RT #32007]
 7174 
 7175 3428.	[cleanup]	dig: Add timezone to date output. [RT #2269]
 7176 
 7177 3427.	[bug]		dig +trace incorrectly displayed name server
 7178 			addresses instead of names. [RT #31641]
 7179 
 7180 3426.	[bug]		dnssec-checkds: Clearer output when records are not
 7181 			found. [RT #31968]
 7182 
 7183 3425.	[bug]		"acacheentry" reference counting was broken resulting
 7184 			in use after free. [RT #31908]
 7185 
 7186 3424.	[func]		dnssec-dsfromkey now emits the hash without spaces.
 7187 			[RT #31951]
 7188 
 7189 3423.	[bug]		"rndc signing -nsec3param" didn't accept the full
 7190 			range of possible values.  Address portability issues.
 7191 			[RT #31938]
 7192 
 7193 3422.	[bug]		Added a clear error message for when the SOA does not
 7194 			match the referral. [RT #31281]
 7195 
 7196 3421.	[bug]		Named loops when re-signing if all keys are offline.
 7197 			[RT #31916]
 7198 
 7199 3420.	[bug]		Address VPATH compilation issues. [RT #31879]
 7200 
 7201 3419.	[bug]		Memory leak on validation cancel. [RT #31869]
 7202 
 7203 3418.	[func]		New XML schema (version 3.0) for the statistics channel
 7204 			adds query type statistics at the zone level, and
 7205 			flattens the XML tree and uses compressed format to
 7206 			optimize parsing. Includes new XSL that permits
 7207 			charting via the Google Charts API on browsers that
 7208 			support javascript in XSL.  The old XML schema has been
 7209 			deprecated. [RT #30023]
 7210 
 7211 3417.	[placeholder]
 7212 
 7213 3416.	[bug]		Named could die on shutdown if running with 128 UDP
 7214 			dispatches per interface. [RT #31743]
 7215 
 7216 3415.	[bug]		named could die with a REQUIRE failure if a validation
 7217 			was canceled. [RT #31804]
 7218 
 7219 3414.	[bug]		Address locking issues found by Coverity. [RT #31626]
 7220 
 7221 3413.	[func]		Record the number of DNS64 AAAA RRsets that have been
 7222 			synthesized. [RT #27636]
 7223 
 7224 3412.	[bug]		Copy timeval structure from control message data.
 7225 			[RT #31548]
 7226 
 7227 3411.	[tuning]	Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
 7228 			to UDP. [RT #31690]
 7229 
 7230 3410.	[bug]		Addressed Coverity warnings. [RT #31626]
 7231 
 7232 3409.	[contrib]	contrib/dane/mkdane.sh: Tool to generate TLSA RR's
 7233 			from X.509 certificates, for use with DANE
 7234 			(DNS-based Authentication of Named Entities).
 7235 			[RT #30513]
 7236 
 7237 3408.	[bug]		Some DNSSEC-related options (update-check-ksk,
 7238 			dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
 7239 			are now legal in slave zones as long as
 7240 			inline-signing is in use. [RT #31078]
 7241 
 7242 3407.	[placeholder]
 7243 
 7244 3406.	[bug]		mem.c: Fix compilation errors when building with
 7245 			ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
 7246 			Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
 7247 
 7248 3405.	[bug]		Handle time going backwards in acache. [RT #31253]
 7249 
 7250 3404.	[bug]		dnssec-signzone: When re-signing a zone, remove
 7251 			RRSIG and NSEC records from nodes that used to be
 7252 			in-zone but are now below a zone cut. [RT #31556]
 7253 
 7254 3403.	[bug]		Silence noisy OpenSSL logging. [RT #31497]
 7255 
 7256 3402.	[test]		The IPv6 interface numbers used for system
 7257 			tests were incorrect on some platforms. [RT #25085]
 7258 
 7259 3401.	[bug]		Addressed Coverity warnings. [RT #31484]
 7260 
 7261 3400.	[cleanup]	"named -V" can now report a source ID string, defined
 7262 			in the "srcid" file in the build tree and normally set
 7263 			to the most recent git hash.  [RT #31494]
 7264 
 7265 3399.	[port]		netbsd: rename 'bool' parameter to avoid namespace
 7266 			clash.  [RT #31515]
 7267 
 7268 3398.	[bug]		SOA parameters were not being updated with inline
 7269 			signed zones if the zone was modified while the
 7270 			server was offline. [RT #29272]
 7271 
 7272 3397.	[bug]		dig crashed when using +nssearch with +tcp. [RT #25298]
 7273 
 7274 3396.	[bug]		OPT records were incorrectly removed from signed,
 7275 			truncated responses. [RT #31439]
 7276 
 7277 3395.	[protocol]	Add RFC 6598 reverse zones to built in empty zones
 7278 			list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
 7279 			[RT #31336]
 7280 
 7281 3394.	[bug]		Adjust 'successfully validated after lower casing
 7282 			signer' log level and category. [RT #31414]
 7283 
 7284 3393.	[bug]		'host -C' could core dump if REFUSED was received.
 7285 			[RT #31381]
 7286 
 7287 3392.	[func]		Keep statistics on REFUSED responses. [RT #31412]
 7288 
 7289 3391.	[bug]		A DNSKEY lookup that encountered a CNAME failed.
 7290 			[RT #31262]
 7291 
 7292 3390.	[bug]		Silence clang compiler warnings. [RT #30417]
 7293 
 7294 3389.	[bug]		Always return NOERROR (not 0) in TSIG. [RT #31275]
 7295 
 7296 3388.	[bug]		Fixed several Coverity warnings.
 7297 			Note: This change includes a fix for a bug that
 7298 			was subsequently determined to be an exploitable
 7299 			security vulnerability, CVE-2012-5688: named could
 7300 			die on specific queries with dns64 enabled.
 7301 			[RT #30996]
 7302 
 7303 3387.	[func]		DS digest can be disabled at runtime with
 7304 			disable-ds-digests. [RT #21581]
 7305 
 7306 3386.	[bug]		Address locking violation when generating new NSEC /
 7307 			NSEC3 chains. [RT #31224]
 7308 
 7309 3385.	[bug]		named-checkconf didn't detect missing master lists
 7310 			in also-notify clauses. [RT #30810]
 7311 
 7312 3384.	[bug]		Improved logging of crypto errors. [RT #30963]
 7313 
 7314 3383.	[security]	A certain combination of records in the RBT could
 7315 			cause named to hang while populating the additional
 7316 			section of a response. [RT #31090]
 7317 
 7318 3382.	[bug]		SOA query from slave used use-v6-udp-ports range,
 7319 			if set, regardless of the address family in use.
 7320 			[RT #24173]
 7321 
 7322 3381.	[contrib]	Update queryperf to support more RR types.
 7323 			[RT #30762]
 7324 
 7325 3380.	[bug]		named could die if a nonexistent master list was
 7326 			referenced in a also-notify. [RT #31004]
 7327 
 7328 3379.	[bug]		isc_interval_zero and isc_time_epoch should be
 7329 			"const (type)* const". [RT #31069]
 7330 
 7331 3378.	[bug]		Handle missing 'managed-keys-directory' better.
 7332 			[RT #30625]
 7333 
 7334 3377.	[bug]		Removed spurious newline from NSEC3 multiline
 7335 			output. [RT #31044]
 7336 
 7337 3376.	[bug]		Lack of EDNS support was being recorded without a
 7338 			successful response. [RT #30811]
 7339 
 7340 3375.	[bug]		'rndc dumpdb' failed on empty caches. [RT #30808]
 7341 
 7342 3374.	[bug]		isc_parse_uint32 failed to return a range error on
 7343 			systems with 64 bit longs. [RT #30232]
 7344 
 7345 3373.	[bug]		win32: open raw files in binary mode. [RT #30944]
 7346 
 7347 3372.	[bug]		Silence spurious "deleted from unreachable cache"
 7348 			messages.  [RT #30501]
 7349 
 7350 3371.	[bug]		AD=1 should behave like DO=1 when deciding whether to
 7351 			add NS RRsets to the additional section or not.
 7352 			[RT #30479]
 7353 
 7354 3370.	[bug]		Address use after free while shutting down. [RT #30241]
 7355 
 7356 3369.	[bug]		nsupdate terminated unexpectedly in interactive mode
 7357 			if built with readline support. [RT #29550]
 7358 
 7359 3368.	[bug]		<dns/iptable.h>, <dns/private.h> and <dns/zone.h>
 7360 			were not C++ safe.
 7361 
 7362 3367.	[bug]		dns_dnsseckey_create() result was not being checked.
 7363 			[RT #30685]
 7364 
 7365 3366.	[bug]		Fixed Read-After-Write dependency violation for IA64
 7366 			atomic operations. [RT #25181]
 7367 
 7368 3365.	[bug]		Removed spurious newlines from log messages in
 7369 			zone.c [RT #30675]
 7370 
 7371 3364.	[security]	Named could die on specially crafted record.
 7372 			[RT #30416]
 7373 
 7374 3363.	[bug]		Need to allow "forward" and "fowarders" options
 7375 			in static-stub zones; this had been overlooked.
 7376 			[RT #30482]
 7377 
 7378 3362.	[bug]		Setting some option values to 0 in named.conf
 7379 			could trigger an assertion failure on startup.
 7380 			[RT #27730]
 7381 
 7382 3361.	[bug]		"rndc signing -nsec3param" didn't work correctly
 7383 			when salt was set to '-' (no salt). [RT #30099]
 7384 
 7385 3360.	[bug]		'host -w' could die.  [RT #18723]
 7386 
 7387 3359.	[bug]		An improperly-formed TSIG secret could cause a
 7388 			memory leak. [RT #30607]
 7389 
 7390 3358.	[placeholder]
 7391 
 7392 3357.	[port]		Add support for libxml2-2.8.x [RT #30440]
 7393 
 7394 3356.	[bug]		Cap the TTL of signed RRsets when RRSIGs are
 7395 			approaching their expiry, so they don't remain
 7396 			in caches after expiry. [RT #26429]
 7397 
 7398 3355.	[port]		Use more portable awk in verify system test.
 7399 
 7400 3354.	[func]		Improve OpenSSL error logging. [RT #29932]
 7401 
 7402 3353.	[bug]		Use a single task for task exclusive operations.
 7403 			[RT #29872]
 7404 
 7405 3352.	[bug]		Ensure that learned server attributes timeout of the
 7406 			adb cache. [RT #29856]
 7407 
 7408 3351.	[bug]		isc_mem_put and isc_mem_putanddetach didn't report
 7409 			caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
 7410 			memory debugging flags are set. [RT #30243]
 7411 
 7412 3350.	[bug]		Memory read overrun in isc___mem_reallocate if
 7413 			ISC_MEM_DEBUGCTX memory debugging flag is set.
 7414 			[RT #30240]
 7415 
 7416 3349.	[bug]		Change #3345 was incomplete. [RT #30233]
 7417 
 7418 3348.	[bug]		Prevent RRSIG data from being cached if a negative
 7419 			record matching the covering type exists at a higher
 7420 			trust level. Such data already can't be retrieved from
 7421 			the cache since change 3218 -- this prevents it
 7422 			being inserted into the cache as well. [RT #26809]
 7423 
 7424 3347.	[bug]		dnssec-settime: Issue a warning when writing a new
 7425 			private key file would cause a change in the
 7426 			permissions of the existing file. [RT #27724]
 7427 
 7428 3346.	[security]	Bad-cache data could be used before it was
 7429 			initialized, causing an assert. [RT #30025]
 7430 
 7431 3345.	[bug]		Addressed race condition when removing the last item
 7432 			or inserting the first item in an ISC_QUEUE.
 7433 			[RT #29539]
 7434 
 7435 3344.	[func]		New "dnssec-checkds" command checks a zone to
 7436 			determine which DS records should be published
 7437 			in the parent zone, or which DLV records should be
 7438 			published in a DLV zone, and queries the DNS to
 7439 			ensure that it exists. (Note: This tool depends
 7440 			on python; it will not be built or installed on
 7441 			systems that do not have a python interpreter.)
 7442 			[RT #28099]
 7443 
 7444 3343.	[placeholder]
 7445 
 7446 3342.	[bug]		Change #3314 broke saving of stub zones to disk
 7447 			resulting in excessive cpu usage in some cases.
 7448 			[RT #29952]
 7449 
 7450 3341.	[func]		New "dnssec-verify" command checks a signed zone
 7451 			to ensure correctness of signatures and of NSEC/NSEC3
 7452 			chains. [RT #23673]
 7453 
 7454 3340.	[func]		Added new 'map' zone file format, which is an image
 7455 			of a zone database that can be loaded directly into
 7456 			memory via mmap(), allowing much faster zone loading.
 7457 			(Note: Because of pointer sizes and other
 7458 			considerations, this file format is platform-dependent;
 7459 			'map' zone files cannot always be transferred from one
 7460 			server to another.) [RT #25419]
 7461 
 7462 3339.	[func]		Allow the maximum supported rsa exponent size to be
 7463 			specified: "max-rsa-exponent-size <value>;" [RT #29228]
 7464 
 7465 3338.	[bug]		Address race condition in units tests: asyncload_zone
 7466 			and asyncload_zt. [RT #26100]
 7467 
 7468 3337.	[bug]		Change #3294 broke support for the multiple keys
 7469 			in controls. [RT #29694]
 7470 
 7471 3336.	[func]		Maintain statistics for RRsets tagged as "stale".
 7472 			[RT #29514]
 7473 
 7474 3335.	[func]		nslookup: return a nonzero exit code when unable
 7475 			to get an answer. [RT #29492]
 7476 
 7477 3334.	[bug]		Hold a zone table reference while performing a
 7478 			asynchronous load of a zone. [RT #28326]
 7479 
 7480 3333.	[bug]		Setting resolver-query-timeout too low can cause
 7481 			named to not recover if it loses connectivity.
 7482 			[RT #29623]
 7483 
 7484 3332.	[bug]		Re-use cached DS rrsets if possible. [RT #29446]
 7485 
 7486 3331.	[security]	dns_rdataslab_fromrdataset could produce bad
 7487 			rdataslabs. [RT #29644]
 7488 
 7489 3330.	[func]		Fix missing signatures on NOERROR results despite
 7490 			RPZ rewriting.  Also
 7491 			 - add optional "recursive-only yes|no" to the
 7492 			   response-policy statement
 7493 			 - add optional "max-policy-ttl" to the response-policy
 7494 			    statement to limit the false data that
 7495 			    "recursive-only no" can introduce into
 7496 			    resolvers' caches
 7497 			 - add a RPZ performance test to bin/tests/system/rpz
 7498 			     when queryperf is available.
 7499 			 - the encoding of PASSTHRU action to "rpz-passthru".
 7500 			     (The old encoding is still accepted.)
 7501 			[RT #26172]
 7502 
 7503 
 7504 3329.	[bug]		Handle RRSIG signer-name case consistently: We
 7505 			generate RRSIG records with the signer-name in
 7506 			lower case.  We accept them with any case, but if
 7507 			they fail to validate, we try again in lower case.
 7508 			[RT #27451]
 7509 
 7510 3328.	[bug]		Fixed inconsistent data checking in dst_parse.c.
 7511 			[RT #29401]
 7512 
 7513 3327.	[func]		Added 'filter-aaaa-on-v6' option; this is similar
 7514 			to 'filter-aaaa-on-v4' but applies to IPv6
 7515 			connections.  (Use "configure --enable-filter-aaaa"
 7516 			to enable this option.)  [RT #27308]
 7517 
 7518 3326.	[func]		Added task list statistics: task model, worker
 7519 			threads, quantum, tasks running, tasks ready.
 7520 			[RT #27678]
 7521 
 7522 3325.	[func]		Report cache statistics: memory use, number of
 7523 			nodes, number of hash buckets, hit and miss counts.
 7524 			[RT #27056]
 7525 
 7526 3324.	[test]		Add better tests for ADB stats [RT #27057]
 7527 
 7528 3323.	[func]		Report the number of buckets the resolver is using.
 7529 			[RT #27020]
 7530 
 7531 3322.	[func]		Monitor the number of active TCP and UDP dispatches.
 7532 			[RT #27055]
 7533 
 7534 3321.	[func]		Monitor the number of recursive fetches and the
 7535 			number of open sockets, and report these values in
 7536 			the statistics channel. [RT #27054]
 7537 
 7538 3320.	[func]		Added support for monitoring of recursing client
 7539 			count. [RT #27009]
 7540 
 7541 3319.	[func]		Added support for monitoring of ADB entry count and
 7542 			hash size. [RT #27057]
 7543 
 7544 3318.	[tuning]	Reduce the amount of work performed while holding a
 7545 			bucket lock when finished with a fetch context.
 7546 			[RT #29239]
 7547 
 7548 3317.	[func]		Add ECDSA support (RFC 6605). [RT #21918]
 7549 
 7550 3316.	[tuning]	Improved locking performance when recursing.
 7551 			[RT #28836]
 7552 
 7553 3315.	[tuning]	Use multiple dispatch objects for sending upstream
 7554 			queries; this can improve performance on busy
 7555 			multiprocessor systems by reducing lock contention.
 7556 			[RT #28605]
 7557 
 7558 3314.	[bug]		The masters list could be updated while stub_callback
 7559 			or refresh_callback were using it. [RT #26732]
 7560 
 7561 3313.	[protocol]	Add TLSA record type. [RT #28989]
 7562 
 7563 3312.	[bug]		named-checkconf didn't detect a bad dns64 clients acl.
 7564 			[RT #27631]
 7565 
 7566 3311.	[bug]		Abort the zone dump if zone->db is NULL in
 7567 			zone.c:zone_gotwritehandle. [RT #29028]
 7568 
 7569 3310.	[test]		Increase table size for mutex profiling. [RT #28809]
 7570 
 7571 3309.	[bug]		resolver.c:fctx_finddone() was not thread safe.
 7572 			[RT #27995]
 7573 
 7574 3308.	[placeholder]
 7575 
 7576 3307.	[bug]		Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
 7577 			[RT #28956]
 7578 
 7579 3306.	[bug]		Improve DNS64 reverse zone performance. [RT #28563]
 7580 
 7581 3305.	[func]		Add wire format lookup method to sdb. [RT #28563]
 7582 
 7583 3304.	[bug]		Use hmctx, not mctx when freeing rbtdb->heaps.
 7584 			[RT #28571]
 7585 
 7586 3303.	[bug]		named could die when reloading. [RT #28606]
 7587 
 7588 3302.	[bug]		dns_dnssec_findmatchingkeys could fail to find
 7589 			keys if the zone name contained character that
 7590 			required special mappings. [RT #28600]
 7591 
 7592 3301.	[contrib]	Update queryperf to build on darwin.  Add -R flag
 7593 			for non-recursive queries. [RT #28565]
 7594 
 7595 3300.	[bug]		Named could die if gssapi was enabled in named.conf
 7596 			but was not compiled in. [RT #28338]
 7597 
 7598 3299.	[bug]		Make SDB handle errors from database drivers better.
 7599 			[RT #28534]
 7600 
 7601 3298.	[bug]		Named could dereference a NULL pointer in
 7602 			zmgr_start_xfrin_ifquota if the zone was being removed.
 7603 			[RT #28419]
 7604 
 7605 3297.	[bug]		Named could die on a malformed master file. [RT #28467]
 7606 
 7607 3296.	[bug]		Named could die with a INSIST failure in
 7608 			client.c:exit_check. [RT #28346]
 7609 
 7610 3295.	[bug]		Adjust isc_time_secondsastimet range check to be more
 7611 			portable. [RT # 26542]
 7612 
 7613 3294.	[bug]		isccc/cc.c:table_fromwire failed to free alist on
 7614 			error. [RT #28265]
 7615 
 7616 3293.	[func]		nsupdate: list supported type. [RT #28261]
 7617 
 7618 3292.	[func]		Log messages in the axfr stream at debug 10.
 7619 			[RT #28040]
 7620 
 7621 3291.	[port]		Fixed a build error on systems without ENOTSUP.
 7622 			[RT #28200]
 7623 
 7624 3290.	[bug]		<isc/hmacsha.h> was not being installed. [RT #28169]
 7625 
 7626 3289.	[bug]		'rndc retransfer' failed for inline zones. [RT #28036]
 7627 
 7628 3288.	[bug]		dlz_destroy() function wasn't correctly registered
 7629 			by the DLZ dlopen driver. [RT #28056]
 7630 
 7631 3287.	[port]		Update ans.pl to work with Net::DNS 0.68. [RT #28028]
 7632 
 7633 3286.	[bug]		Managed key maintenance timer could fail to start
 7634 			after 'rndc reconfig'. [RT #26786]
 7635 
 7636 3285.	[bug]		val-frdataset was incorrectly disassociated in
 7637 			proveunsecure after calling startfinddlvsep.
 7638 			[RT #27928]
 7639 
 7640 3284.	[bug]		Address race conditions with the handling of
 7641 			rbtnode.deadlink. [RT #27738]
 7642 
 7643 3283.	[bug]		Raw zones with with more than 512 records in a RRset
 7644 			failed to load. [RT #27863]
 7645 
 7646 3282.	[bug]		Restrict the TTL of NS RRset to no more than that
 7647 			of the old NS RRset when replacing it.
 7648 			[RT #27792] [RT #27884]
 7649 
 7650 3281.	[bug]		SOA refresh queries could be treated as cancelled
 7651 			despite succeeding over the loopback interface.
 7652 			[RT #27782]
 7653 
 7654 3280.	[bug]		Potential double free of a rdataset on out of memory
 7655 			with DNS64. [RT #27762]
 7656 
 7657 3279.	[bug]		Hold a internal reference to the zone while performing
 7658 			a asynchronous load.  Address potential memory leak
 7659 			if the asynchronous is cancelled. [RT #27750]
 7660 
 7661 3278.	[bug]		Make sure automatic key maintenance is started
 7662 			when "auto-dnssec maintain" is turned on during
 7663 			"rndc reconfig". [RT #26805]
 7664 
 7665 3277.	[bug]		win32: isc_socket_dup is not implemented. [RT #27696]
 7666 
 7667 3276.	[bug]		win32: ns_os_openfile failed to return NULL on
 7668 			safe_open failure. [RT #27696]
 7669 
 7670 3275.	[bug]		Corrected rndc -h output; the 'rndc sync -clean'
 7671 			option had been misspelled as '-clear'.  (To avoid
 7672 			future confusion, both options now work.) [RT #27173]
 7673 
 7674 3274.	[placeholder]
 7675 
 7676 3273.	[bug]		AAAA responses could be returned in the additional
 7677 			section even when filter-aaaa-on-v4 was in use.
 7678 			[RT #27292]
 7679 
 7680 3272.	[func]		New "rndc zonestatus" command prints information
 7681 			about the specified zone. [RT #21671]
 7682 
 7683 3271.	[port]		darwin: mksymtbl is not always stable, loop several
 7684 			times before giving up.  mksymtbl was using non
 7685 			portable perl to covert 64 bit hex strings. [RT #27653]
 7686 
 7687 	--- 9.9.0rc2 released ---
 7688 
 7689 3270.	[bug]		"rndc reload" didn't reuse existing zones correctly
 7690 			when inline-signing was in use. [RT #27650]
 7691 
 7692 3269.	[port]		darwin 11 and later now built threaded by default.
 7693 
 7694 3268.	[bug]		Convert RRSIG expiry times to 64 timestamps to work
 7695 			out the earliest expiry time. [RT #23311]
 7696 
 7697 3267.	[bug]		Memory allocation failures could be mis-reported as
 7698 			unexpected error.  New ISC_R_UNSET result code.
 7699 			[RT #27336]
 7700 
 7701 3266.	[bug]		The maximum number of NSEC3 iterations for a
 7702 			DNSKEY RRset was not being properly computed.
 7703 			[RT #26543]
 7704 
 7705 3265.	[bug]		Corrected a problem with lock ordering in the
 7706 			inline-signing code. [RT #27557]
 7707 
 7708 3264.	[bug]		Automatic regeneration of signatures in an
 7709 			inline-signing zone could stall when the server
 7710 			was restarted. [RT #27344]
 7711 
 7712 3263.	[bug]		"rndc sync" did not affect the unsigned side of an
 7713 			inline-signing zone. [RT #27337]
 7714 
 7715 3262.	[bug]		Signed responses were handled incorrectly by RPZ.
 7716 			[RT #27316]
 7717 
 7718 3261.	[func]		RRset ordering now defaults to random. [RT #27174]
 7719 
 7720 3260.	[bug]		"rrset-order cyclic" could appear not to rotate
 7721 			for some query patterns.  [RT #27170/27185]
 7722 
 7723 	--- 9.9.0rc1 released ---
 7724 
 7725 3259.	[bug]		named-compilezone: Suppress "dump zone to <file>"
 7726 			message when writing to stdout. [RT #27109]
 7727 
 7728 3258.	[test]		Add "forcing full sign with unreadable keys" test.
 7729 			[RT #27153]
 7730 
 7731 3257.	[bug]		Do not generate a error message when calling fsync()
 7732 			in a pipe or socket. [RT #27109]
 7733 
 7734 3256.	[bug]		Disable empty zones for lwresd -C. [RT #27139]
 7735 
 7736 3255.	[func]		No longer require that a empty zones be explicitly
 7737 			enabled or that a empty zone is disabled for
 7738 			RFC 1918 empty zones to be configured. [RT #27139]
 7739 
 7740 3254.	[bug]		Set isc_socket_ipv6only() on the IPv6 control channels.
 7741 			[RT #22249]
 7742 
 7743 3253.	[bug]		Return DNS_R_SYNTAX when the input to a text field is
 7744 			too long. [RT #26956]
 7745 
 7746 3252.	[bug]		When master zones using inline-signing were
 7747 			updated while the server was offline, the source
 7748 			zone could fall out of sync with the signed
 7749 			copy. They can now resynchronize. [RT #26676]
 7750 
 7751 3251.	[bug]		Enforce a upper bound (65535 bytes) on the amount of
 7752 			memory dns_sdlz_putrr() can allocate per record to
 7753 			prevent run away memory consumption on ISC_R_NOSPACE.
 7754 			[RT #26956]
 7755 
 7756 3250.	[func]		'configure --enable-developer'; turn on various
 7757 			configure options, normally off by default, that
 7758 			we want developers to build and test with. [RT #27103]
 7759 
 7760 3249.	[bug]		Update log message when saving slave zones files for
 7761 			analysis after load failures. [RT #27087]
 7762 
 7763 3248.	[bug]		Configure options --enable-fixed-rrset and
 7764 			--enable-exportlib were incompatible with each
 7765 			other. [RT #27087]
 7766 
 7767 3247.	[bug]		'raw' format zones failed to preserve load order
 7768 			breaking 'fixed' sort order. [RT #27087]
 7769 
 7770 3246.	[bug]		Named failed to start with a empty also-notify list.
 7771 			[RT #27087]
 7772 
 7773 3245.	[bug]		Don't report a error unchanged serials unless there
 7774 			were other changes when thawing a zone with
 7775 			ixfr-fromdifferences. [RT #26845]
 7776 
 7777 3244.	[func]		Added readline support to nslookup and nsupdate.
 7778 			Also simplified nsupdate syntax to make "update"
 7779 			and "prereq" optional. [RT #24659]
 7780 
 7781 3243.	[port]		freebsd,netbsd,bsdi: the thread defaults were not
 7782 			being properly set.
 7783 
 7784 3242.	[func]		Extended the header of raw-format master files to
 7785 			include the serial number of the zone from which
 7786 			they were generated, if different (as in the case
 7787 			of inline-signing zones).  This is to be used in
 7788 			inline-signing zones, to track changes between the
 7789 			unsigned and signed versions of the zone, which may
 7790 			have different serial numbers.
 7791 
 7792 			(Note: raw zonefiles generated by this version of
 7793 			BIND are no longer compatible with prior versions.
 7794 			To generate a backward-compatible raw zonefile
 7795 			using dnssec-signzone or named-compilezone, specify
 7796 			output format "raw=0" instead of simply "raw".)
 7797 			[RT #26587]
 7798 
 7799 3241.	[bug]		Address race conditions in the resolver code.
 7800 			[RT #26889]
 7801 
 7802 3240.	[bug]		DNSKEY state change events could be missed. [RT #26874]
 7803 
 7804 3239.	[bug]		dns_dnssec_findmatchingkeys needs to use a consistent
 7805 			timestamp. [RT #26883]
 7806 
 7807 3238.	[bug]		keyrdata was not being reinitialized in
 7808 			lib/dns/rbtdb.c:iszonesecure. [RT #26913]
 7809 
 7810 3237.	[bug]		dig -6 didn't work with +trace. [RT #26906]
 7811 
 7812 3236.	[bug]		Backed out changes #3182 and #3202, related to
 7813 			EDNS(0) fallback behavior. [RT #26416]
 7814 
 7815 3235.	[func]		dns_db_diffx, a extended dns_db_diff which returns
 7816 			the generated diff and optionally writes it to a
 7817 			journal. [RT #26386]
 7818 
 7819 3234.	[bug]		'make depend' produced invalid makefiles. [RT #26830]
 7820 
 7821 3233.	[bug]		'rndc freeze/thaw' didn't work for inline zones.
 7822 			[RT #26632]
 7823 
 7824 3232.	[bug]		Zero zone->curmaster before return in
 7825 			dns_zone_setmasterswithkeys(). [RT #26732]
 7826 
 7827 3231.	[bug]		named could fail to send a incompressible zone.
 7828 			[RT #26796]
 7829 
 7830 3230.	[bug]		'dig axfr' failed to properly handle a multi-message
 7831 			axfr with a serial of 0. [RT #26796]
 7832 
 7833 3229.	[bug]		Fix local variable to struct var assignment
 7834 			found by CLANG warning.
 7835 
 7836 3228.	[tuning]	Dynamically grow symbol table to improve zone
 7837 			loading performance. [RT #26523]
 7838 
 7839 3227.	[bug]		Interim fix to make WKS's use of getprotobyname()
 7840 			and getservbyname() self thread safe. [RT #26232]
 7841 
 7842 3226.	[bug]		Address minor resource leakages. [RT #26624]
 7843 
 7844 3225.	[bug]		Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
 7845 			messages. [RT #26507]
 7846 
 7847 3224.	[bug]		'rndc signing' argument parsing was broken. [RT #26684]
 7848 
 7849 3223.	[bug]		'task_test privilege_drop' generated false positives.
 7850 			[RT #26766]
 7851 
 7852 3222.	[cleanup]	Replace dns_journal_{get,set}_bitws with
 7853 			dns_journal_{get,set}_sourceserial. [RT #26634]
 7854 
 7855 3221.	[bug]		Fixed a potential core dump on shutdown due to
 7856 			referencing fetch context after it's been freed.
 7857 			[RT #26720]
 7858 
 7859 	--- 9.9.0b2 released ---
 7860 
 7861 3220.	[bug]		Change #3186 was incomplete; dns_db_rpz_findips()
 7862 			could fail to set the database version correctly,
 7863 			causing an assertion failure. [RT #26180]
 7864 
 7865 3219.	[bug]		Disable NOEDNS caching following a timeout.
 7866 
 7867 3218.	[security]	Cache lookup could return RRSIG data associated with
 7868 			nonexistent records, leading to an assertion
 7869 			failure. [RT #26590]
 7870 
 7871 3217.	[cleanup]	Fix build problem with --disable-static. [RT #26476]
 7872 
 7873 3216.	[bug]		resolver.c:validated() was not thread-safe. [RT #26478]
 7874 
 7875 3215.	[bug]		'rndc recursing' could cause a core dump. [RT #26495]
 7876 
 7877 3214.	[func]		Add 'named -U' option to set the number of UDP
 7878 			listener threads per interface. [RT #26485]
 7879 
 7880 3213.	[doc]		Clarify ixfr-from-differences behavior. [RT #25188]
 7881 
 7882 3212.	[bug]		rbtdb.c: failed to remove a node from the deadnodes
 7883 			list prior to adding a reference to it leading a
 7884 			possible assertion failure. [RT #23219]
 7885 
 7886 3211.	[func]		dnssec-signzone: "-f -" prints to stdout; "-O full"
 7887 			option prints in single-line-per-record format.
 7888 			[RT #20287]
 7889 
 7890 3210.	[bug]		Canceling the oldest query due to recursive-client
 7891 			overload could trigger an assertion failure. [RT #26463]
 7892 
 7893 3209.	[func]		Add "dnssec-lookaside 'no'".  [RT #24858]
 7894 
 7895 3208.	[bug]		'dig -y' handle unknown tsig algorithm better.
 7896 			[RT #25522]
 7897 
 7898 3207.	[contrib]	Fixed build error in Berkeley DB DLZ module. [RT #26444]
 7899 
 7900 3206.	[cleanup]	Add ISC information to log at start time. [RT #25484]
 7901 
 7902 3205.	[func]		Upgrade dig's defaults to better reflect modern
 7903 			nameserver behavior.  Enable "dig +adflag" and
 7904 			"dig +edns=0" by default.  Enable "+dnssec" when
 7905 			running "dig +trace". [RT #23497]
 7906 
 7907 3204.	[bug]		When a master server that has been marked as
 7908 			unreachable sends a NOTIFY, mark it reachable
 7909 			again. [RT #25960]
 7910 
 7911 3203.	[bug]		Increase log level to 'info' for validation failures
 7912 			from expired or not-yet-valid RRSIGs. [RT #21796]
 7913 
 7914 3202.	[bug]		NOEDNS caching on timeout was too aggressive.
 7915 			[RT #26416]
 7916 
 7917 3201.	[func]		'rndc querylog' can now be given an on/off parameter
 7918 			instead of only being used as a toggle. [RT #18351]
 7919 
 7920 3200.	[doc]		Some rndc functions were undocumented or were
 7921 			missing from 'rndc -h' output. [RT #25555]
 7922 
 7923 3199.	[func]		When logging client information, include the name
 7924 			being queried. [RT #25944]
 7925 
 7926 3198.	[doc]		Clarified that dnssec-settime can alter keyfile
 7927 			permissions. [RT #24866]
 7928 
 7929 3197.	[bug]		Don't try to log the filename and line number when
 7930 			the config parser can't open a file. [RT #22263]
 7931 
 7932 3196.	[bug]		nsupdate: return nonzero exit code when target zone
 7933 			doesn't exist. [RT #25783]
 7934 
 7935 3195.	[cleanup]	Silence "file not found" warnings when loading
 7936 			managed-keys zone. [RT #26340]
 7937 
 7938 3194.	[doc]		Updated RFC references in the 'empty-zones-enable'
 7939 			documentation. [RT #25203]
 7940 
 7941 3193.	[cleanup]	Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
 7942 			dnssec.h. [RT #26415]
 7943 
 7944 3192.	[bug]		A query structure could be used after being freed.
 7945 			[RT #22208]
 7946 
 7947 3191.	[bug]		Print NULL records using "unknown" format. [RT #26392]
 7948 
 7949 3190.	[bug]		Underflow in error handling in isc_mutexblock_init.
 7950 			[RT #26397]
 7951 
 7952 3189.	[test]		Added a summary report after system tests. [RT #25517]
 7953 
 7954 3188.	[bug]		zone.c:zone_refreshkeys() could fail to detach
 7955 			references correctly when errors occurred, causing
 7956 			a hang on shutdown. [RT #26372]
 7957 
 7958 3187.	[port]		win32: support for Visual Studio 2008.  [RT #26356]
 7959 
 7960 	--- 9.9.0b1 released ---
 7961 
 7962 3186.	[bug]		Version/db mismatch in rpz code. [RT #26180]
 7963 
 7964 3185.	[func]		New 'rndc signing' option for auto-dnssec zones:
 7965 			 - 'rndc signing -list' displays the current
 7966 			   state of signing operations
 7967 			 - 'rndc signing -clear' clears the signing state
 7968 			   records for keys that have fully signed the zone
 7969 			 - 'rndc signing -nsec3param' sets the NSEC3
 7970 			   parameters for the zone
 7971 			The 'rndc keydone' syntax is removed. [RT #23729]
 7972 
 7973 3184.	[bug]		named had excessive cpu usage when a redirect zone was
 7974 			configured. [RT #26013]
 7975 
 7976 3183.	[bug]		Added RTLD_GLOBAL flag to dlopen call. [RT #26301]
 7977 
 7978 3182.	[bug]		Auth servers behind firewalls which block packets
 7979 			greater than 512 bytes may cause other servers to
 7980 			perform poorly. Now, adb retains edns information
 7981 			and caches noedns servers. [RT #23392/24964]
 7982 
 7983 3181.	[func]		Inline-signing is now supported for master zones.
 7984 			[RT #26224]
 7985 
 7986 3180.	[func]		Local copies of slave zones are now saved in raw
 7987 			format by default, to improve startup performance.
 7988 			'masterfile-format text;' can be used to override
 7989 			the default, if desired. [RT #25867]
 7990 
 7991 3179.	[port]		kfreebsd: build issues. [RT #26273]
 7992 
 7993 3178.	[bug]		A race condition introduced by change #3163 could
 7994 			cause an assertion failure on shutdown. [RT #26271]
 7995 
 7996 3177.	[func]		'rndc keydone', remove the indicator record that
 7997 			named has finished signing the zone with the
 7998 			corresponding key.  [RT #26206]
 7999 
 8000 3176.	[doc]		Corrected example code and added a README to the
 8001 			sample external DLZ module in contrib/dlz/example.
 8002 			[RT #26215]
 8003 
 8004 3175.	[bug]		Fix how DNSSEC positive wildcard responses from a
 8005 			NSEC3 signed zone are validated.  Stop sending a
 8006 			unnecessary NSEC3 record when generating such
 8007 			responses. [RT #26200]
 8008 
 8009 3174.	[bug]		Always compute to revoked key tag from scratch.
 8010 			[RT #26186]
 8011 
 8012 3173.	[port]		Correctly validate root DS responses. [RT #25726]
 8013 
 8014 3172.	[port]		darwin 10.* and freebsd [89] are now built threaded by
 8015 			default.
 8016 
 8017 3171.	[bug]		Exclusively lock the task when adding a zone using
 8018 			'rndc addzone'.  [RT #25600]
 8019 
 8020 	--- 9.9.0a3 released ---
 8021 
 8022 3170.	[func]		RPZ update:
 8023 			- fix precedence among competing rules
 8024 			- improve ARM text including documenting rule precedence
 8025 			- try to rewrite CNAME chains until first hit
 8026 			- new "rpz" logging channel
 8027 			- RDATA for CNAME rules can include wildcards
 8028 			- replace "NO-OP" named.conf policy override with
 8029 			  "PASSTHRU" and add "DISABLED" override ("NO-OP"
 8030 			  is still recognized)
 8031 			[RT #25172]
 8032 
 8033 3169.	[func]		Catch db/version mis-matches when calling dns_db_*().
 8034 			[RT #26017]
 8035 
 8036 3168.	[bug]		Nxdomain redirection could trigger an assert with
 8037 			a ANY query. [RT #26017]
 8038 
 8039 3167.	[bug]		Negative answers from forwarders were not being
 8040 			correctly tagged making them appear to not be cached.
 8041 			[RT #25380]
 8042 
 8043 3166.	[bug]		Upgrading a zone to support inline-signing failed.
 8044 			[RT #26014]
 8045 
 8046 3165.	[bug]		dnssec-signzone could generate new signatures when
 8047 			resigning, even when valid signatures were already
 8048 			present. [RT #26025]
 8049 
 8050 3164.	[func]		Enable DLZ modules to retrieve client information,
 8051 			so that responses can be changed depending on the
 8052 			source address of the query. [RT #25768]
 8053 
 8054 3163.	[bug]		Use finer-grained locking in client.c to address
 8055 			concurrency problems with large numbers of threads.
 8056 			[RT #26044]
 8057 
 8058 3162.	[test]		start.pl: modified to allow for "named.args" in
 8059 			ns*/ subdirectory to override stock arguments to
 8060 			named. Largely from RT #26044, but no separate ticket.
 8061 
 8062 3161.	[bug]		zone.c:del_sigs failed to always reset rdata leading
 8063 			assertion failures. [RT #25880]
 8064 
 8065 3160.	[bug]		When printing out a NSEC3 record in multiline form
 8066 			the newline was not being printed causing type codes
 8067 			to be run together. [RT #25873]
 8068 
 8069 3159.	[bug]		On some platforms, named could assert on startup
 8070 			when running in a chrooted environment without
 8071 			/proc. [RT #25863]
 8072 
 8073 3158.	[bug]		Recursive servers would prefer a particular UDP
 8074 			socket instead of using all available sockets.
 8075 			[RT #26038]
 8076 
 8077 3157.	[tuning]	Reduce the time spent in "rndc reconfig" by parsing
 8078 			the config file before pausing the server. [RT #21373]
 8079 
 8080 3156.	[placeholder]
 8081 
 8082 	--- 9.9.0a2 released ---
 8083 
 8084 3155.	[bug]		Fixed a build failure when using contrib DLZ
 8085 			drivers (e.g., mysql, postgresql, etc). [RT #25710]
 8086 
 8087 3154.	[bug]		Attempting to print an empty rdataset could trigger
 8088 			an assert. [RT #25452]
 8089 
 8090 3153.	[func]		Extend request-ixfr to zone level and remove the
 8091 			side effect of forcing an AXFR. [RT #25156]
 8092 
 8093 3152.	[cleanup]	Some versions of gcc and clang failed due to
 8094 			incorrect use of __builtin_expect. [RT #25183]
 8095 
 8096 3151.	[bug]		Queries for type RRSIG or SIG could be handled
 8097 			incorrectly.  [RT #21050]
 8098 
 8099 3150.	[func]		Improved startup and reconfiguration time by
 8100 			enabling zones to load in multiple threads. [RT #25333]
 8101 
 8102 3149.	[placeholder]
 8103 
 8104 3148.	[bug]		Processing of normal queries could be stalled when
 8105 			forwarding a UPDATE message. [RT #24711]
 8106 
 8107 3147.	[func]		Initial inline signing support.  [RT #23657]
 8108 
 8109 	--- 9.9.0a1 released ---
 8110 
 8111 3146.	[test]		Fixed gcc4.6.0 errors in ATF. [RT #25598]
 8112 
 8113 3145.	[test]		Capture output of ATF unit tests in "./atf.out" if
 8114 			there were any errors while running them. [RT #25527]
 8115 
 8116 3144.	[bug]		dns_dbiterator_seek() could trigger an assert when
 8117 			used with a nonexistent database node. [RT #25358]
 8118 
 8119 3143.	[bug]		Silence clang compiler warnings. [RT #25174]
 8120 
 8121 3142.	[bug]		NAPTR is class agnostic. [RT #25429]
 8122 
 8123 3141.	[bug]		Silence spurious "zone serial (0) unchanged" messages
 8124 			associated with empty zones. [RT #25079]
 8125 
 8126 3140.	[func]		New command "rndc flushtree <name>" clears the
 8127 			specified name from the server cache along with
 8128 			all names under it. [RT #19970]
 8129 
 8130 3139.	[test]		Added tests from RFC 6234, RFC 2202, and RFC 1321
 8131 			for the hashing algorithms (md5, sha1 - sha512, and
 8132 			their hmac counterparts).  [RT #25067]
 8133 
 8134 3138.	[bug]		Address memory leaks and out-of-order operations when
 8135 			shutting named down. [RT #25210]
 8136 
 8137 3137.	[func]		Improve hardware scalability by allowing multiple
 8138 			worker threads to process incoming UDP packets.
 8139 			This can significantly increase query throughput
 8140 			on some systems.  [RT #22992]
 8141 
 8142 3136.	[func]		Add RFC 1918 reverse zones to the list of built-in
 8143 			empty zones switched on by the 'empty-zones-enable'
 8144 			option. [RT #24990]
 8145 
 8146 3135.	[port]		FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
 8147 			See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
 8148 			[RT #24950]
 8149 
 8150 3134.	[bug]		Improve the accuracy of dnssec-signzone's signing
 8151 			statistics. [RT #16030]
 8152 
 8153 3133.	[bug]		Change #3114 was incomplete. [RT #24577]
 8154 
 8155 3132.	[placeholder]
 8156 
 8157 3131.	[tuning]	Improve scalability by allocating one zone task
 8158 			per 100 zones at startup time, rather than using a
 8159 			fixed-size task table. [RT #24406]
 8160 
 8161 3130.	[func]		Support alternate methods for managing a dynamic
 8162 			zone's serial number.  Two methods are currently
 8163 			defined using serial-update-method, "increment"
 8164 			(default) and "unixtime".  [RT #23849]
 8165 
 8166 3129.	[bug]		Named could crash on 'rndc reconfig' when
 8167 			allow-new-zones was set to yes and named ACLs
 8168 			were used. [RT #22739]
 8169 
 8170 3128.	[func]		Inserting an NSEC3PARAM via dynamic update in an
 8171 			auto-dnssec zone that has not been signed yet
 8172 			will cause it to be signed with the specified NSEC3
 8173 			parameters when keys are activated.  The
 8174 			NSEC3PARAM record will not appear in the zone until
 8175 			it is signed, but the parameters will be stored.
 8176 			[RT #23684]
 8177 
 8178 3127.	[bug]		'rndc thaw' will now remove a zone's journal file
 8179 			if the zone serial number has been changed and
 8180 			ixfr-from-differences is not in use.  [RT #24687]
 8181 
 8182 3126.	[security]	Using DNAME record to generate replacements caused
 8183 			RPZ to exit with a assertion failure. [RT #24766]
 8184 
 8185 3125.	[security]	Using wildcard CNAME records as a replacement with
 8186 			RPZ caused named to exit with a assertion failure.
 8187 			[RT #24715]
 8188 
 8189 3124.	[bug]		Use an rdataset attribute flag to indicate
 8190 			negative-cache records rather than using rrtype 0;
 8191 			this will prevent problems when that rrtype is
 8192 			used in actual DNS packets. [RT #24777]
 8193 
 8194 3123.	[security]	Change #2912 exposed a latent flaw in
 8195 			dns_rdataset_totext() that could cause named to
 8196 			crash with an assertion failure. [RT #24777]
 8197 
 8198 3122.	[cleanup]	dnssec-settime: corrected usage message. [RT #24664]
 8199 
 8200 3121.	[security]	An authoritative name server sending a negative
 8201 			response containing a very large RRset could
 8202 			trigger an off-by-one error in the ncache code
 8203 			and crash named. [RT #24650]
 8204 
 8205 3120.	[bug]		Named could fail to validate zones listed in a DLV
 8206 			that validated insecure without using DLV and had
 8207 			DS records in the parent zone. [RT #24631]
 8208 
 8209 3119.	[bug]		When rolling to a new DNSSEC key, a private-type
 8210 			record could be created and never marked complete.
 8211 			[RT #23253]
 8212 
 8213 3118.	[bug]		nsupdate could dump core on shutdown when using
 8214 			SIG(0) keys. [RT #24604]
 8215 
 8216 3117.	[cleanup]	Remove doc and parser references to the
 8217 			never-implemented 'auto-dnssec create' option.
 8218 			[RT #24533]
 8219 
 8220 3116.	[func]		New 'dnssec-update-mode' option controls updates
 8221 			of DNSSEC records in signed dynamic zones.  Set to
 8222 			'no-resign' to disable automatic RRSIG regeneration
 8223 			while retaining the ability to sign new or changed
 8224 			data. [RT #24533]
 8225 
 8226 3115.	[bug]		Named could fail to return requested data when
 8227 			following a CNAME that points into the same zone.
 8228 			[RT #24455]
 8229 
 8230 3114.	[bug]		Retain expired RRSIGs in dynamic zones if key is
 8231 			inactive and there is no replacement key. [RT #23136]
 8232 
 8233 3113.	[doc]		Document the relationship between serial-query-rate
 8234 			and NOTIFY messages.
 8235 
 8236 3112.	[doc]		Add missing descriptions of the update policy name
 8237 			types "ms-self", "ms-subdomain", "krb5-self" and
 8238 			"krb5-subdomain", which allow machines to update
 8239 			their own records, to the BIND 9 ARM.
 8240 
 8241 3111.	[bug]		Improved consistency checks for dnssec-enable and
 8242 			dnssec-validation, added test cases to the
 8243 			checkconf system test. [RT #24398]
 8244 
 8245 3110.	[bug]		dnssec-signzone: Wrong error message could appear
 8246 			when attempting to sign with no KSK. [RT #24369]
 8247 
 8248 3109.	[func]		The also-notify option now uses the same syntax
 8249 			as a zone's masters clause.  This means it is
 8250 			now possible to specify a TSIG key to use when
 8251 			sending notifies to a given server, or to include
 8252 			an explicit named masters list in an also-notify
 8253 			statement.  [RT #23508]
 8254 
 8255 3108.	[cleanup]	dnssec-signzone: Clarified some error and
 8256 			warning messages; removed #ifdef ALLOW_KSKLESS_ZONES
 8257 			code (use -P instead). [RT #20852]
 8258 
 8259 3107.	[bug]		dnssec-signzone: Report the correct number of ZSKs
 8260 			when using -x. [RT #20852]
 8261 
 8262 3106.	[func]		When logging client requests, include the name of
 8263 			the TSIG key if any. [RT #23619]
 8264 
 8265 3105.	[bug]		GOST support can be suppressed by "configure
 8266 			--without-gost" [RT #24367]
 8267 
 8268 3104.	[bug]		Better support for cross-compiling. [RT #24367]
 8269 
 8270 3103.	[bug]		Configuring 'dnssec-validation auto' in a view
 8271 			instead of in the options statement could trigger
 8272 			an assertion failure in named-checkconf. [RT #24382]
 8273 
 8274 3102.	[func]		New 'dnssec-loadkeys-interval' option configures
 8275 			how often, in minutes, to check the key repository
 8276 			for updates when using automatic key maintenance.
 8277 			Default is every 60 minutes (formerly hard-coded
 8278 			to 12 hours). [RT #23744]
 8279 
 8280 3101.	[bug]		Zones using automatic key maintenance could fail
 8281 			to check the key repository for updates. [RT #23744]
 8282 
 8283 3100.	[security]	Certain response policy zone configurations could
 8284 			trigger an INSIST when receiving a query of type
 8285 			RRSIG. [RT #24280]
 8286 
 8287 3099.	[test]		"dlz" system test now runs but gives R:SKIPPED if
 8288 			not compiled with --with-dlz-filesystem.  [RT #24146]
 8289 
 8290 3098.	[bug]		DLZ zones were answering without setting the AA bit.
 8291 			[RT #24146]
 8292 
 8293 3097.	[test]		Add a tool to test handling of malformed packets.
 8294 			[RT #24096]
 8295 
 8296 3096.	[bug]		Set KRB5_KTNAME before calling log_cred() in
 8297 			dst_gssapi_acceptctx(). [RT #24004]
 8298 
 8299 3095.	[bug]		Handle isolated reserved ports in the port range.
 8300 			[RT #23957]
 8301 
 8302 3094.	[doc]		Expand dns64 documentation.
 8303 
 8304 3093.	[bug]		Fix gssapi/kerberos dependencies [RT #23836]
 8305 
 8306 3092.	[bug]		Signatures for records at the zone apex could go
 8307 			stale due to an incorrect timer setting. [RT #23769]
 8308 
 8309 3091.	[bug]		Fixed a bug in which zone keys that were published
 8310 			and then subsequently activated could fail to trigger
 8311 			automatic signing. [RT #22911]
 8312 
 8313 3090.	[func]		Make --with-gssapi default [RT #23738]
 8314 
 8315 3089.	[func]		dnssec-dsfromkey now supports reading keys from
 8316 			standard input "dnssec-dsfromkey -f -". [RT #20662]
 8317 
 8318 3088.	[bug]		Remove bin/tests/system/logfileconfig/ns1/named.conf
 8319 			and add setup.sh in order to resolve changing
 8320 			named.conf issue.  [RT #23687]
 8321 
 8322 3087.	[bug]		DDNS updates using SIG(0) with update-policy match
 8323 			type "external" could cause a crash. [RT #23735]
 8324 
 8325 3086.	[bug]		Running dnssec-settime -f on an old-style key will
 8326 			now force an update to the new key format even if no
 8327 			other change has been specified, using "-P now -A now"
 8328 			as default values.  [RT #22474]
 8329 
 8330 3085.	[func]		New '-R' option in dnssec-signzone forces removal
 8331 			of signatures which have not yet expired but
 8332 			were generated by a key that no longer exists.
 8333 			[RT #22471]
 8334 
 8335 3084.	[func]		A new command "rndc sync" dumps pending changes in
 8336 			a dynamic zone to disk; "rndc sync -clean" also
 8337 			removes the journal file after syncing.  Also,
 8338 			"rndc freeze" no longer removes journal files.
 8339 			[RT #22473]
 8340 
 8341 3083.	[bug]		NOTIFY messages were not being sent when generating
 8342 			a NSEC3 chain incrementally. [RT #23702]
 8343 
 8344 3082.	[port]		strtok_r is threads only. [RT #23747]
 8345 
 8346 3081.	[bug]		Failure of DNAME substitution did not return
 8347 			YXDOMAIN. [RT #23591]
 8348 
 8349 3080.	[cleanup]	Replaced compile time constant by STDTIME_ON_32BITS.
 8350 			[RT #23587]
 8351 
 8352 3079.	[bug]		Handle isc_event_allocate failures in t_tasks.
 8353 			[RT #23572]
 8354 
 8355 3078.	[func]		Added a new include file with function typedefs
 8356 			for the DLZ "dlopen" driver. [RT #23629]
 8357 
 8358 3077.	[bug]		zone.c:zone_refreshkeys() incorrectly called
 8359 			dns_zone_attach(), use zone->irefs instead. [RT #23303]
 8360 
 8361 3076.	[func]		New '-L' option in dnssec-keygen, dnsset-settime, and
 8362 			dnssec-keyfromlabel sets the default TTL of the
 8363 			key.  When possible, automatic signing will use that
 8364 			TTL when the key is published.  [RT #23304]
 8365 
 8366 3075.	[bug]		dns_dnssec_findzonekeys{2} used a inconsistent
 8367 			timestamp when determining which keys are active.
 8368 			[RT #23642]
 8369 
 8370 3074.	[bug]		Make the adb cache read through for zone data and
 8371 			glue learn for zone named is authoritative for.
 8372 			[RT #22842]
 8373 
 8374 3073.	[bug]		managed-keys changes were not properly being recorded.
 8375 			[RT #20256]
 8376 
 8377 3072.	[bug]		dns_dns64_aaaaok() potential NULL pointer dereference.
 8378 			[RT #20256]
 8379 
 8380 3071.	[bug]		has_nsec could be used uninitialized in
 8381 			update.c:next_active. [RT #20256]
 8382 
 8383 3070.	[bug]		dnssec-signzone potential NULL pointer dereference.
 8384 			[RT #20256]
 8385 
 8386 3069.	[cleanup]	Silence warnings messages from clang static analysis.
 8387 			[RT #20256]
 8388 
 8389 3068.	[bug]		Named failed to build with a OpenSSL without engine
 8390 			support. [RT #23473]
 8391 
 8392 3067.	[bug]		ixfr-from-differences {master|slave}; failed to
 8393 			select the master/slave zones.  [RT #23580]
 8394 
 8395 3066.	[func]		The DLZ "dlopen" driver is now built by default,
 8396 			no longer requiring a configure option.  To
 8397 			disable it, use "configure --without-dlopen".
 8398 			Driver also supported on win32.  [RT #23467]
 8399 
 8400 3065.	[bug]		RRSIG could have time stamps too far in the future.
 8401 			[RT #23356]
 8402 
 8403 3064.	[bug]		powerpc: add sync instructions to the end of atomic
 8404 			operations. [RT #23469]
 8405 
 8406 3063.	[contrib]	More verbose error reporting from DLZ LDAP. [RT #23402]
 8407 
 8408 3062.	[func]		Made several changes to enhance human readability
 8409 			of DNSSEC data in dig output and in generated
 8410 			zone files:
 8411 			 - DNSKEY record comments are more verbose, no
 8412 			   longer used in multiline mode only
 8413 			 - multiline RRSIG records reformatted
 8414 			 - multiline output mode for NSEC3PARAM records
 8415 			 - "dig +norrcomments" suppresses DNSKEY comments
 8416 			 - "dig +split=X" breaks hex/base64 records into
 8417 			   fields of width X; "dig +nosplit" disables this.
 8418 			[RT #22820]
 8419 
 8420 3061.	[func]		New option "dnssec-signzone -D", only write out
 8421 			generated DNSSEC records. [RT #22896]
 8422 
 8423 3060.	[func]		New option "dnssec-signzone -X <date>" allows
 8424 			specification of a separate expiration date
 8425 			for DNSKEY RRSIGs and other RRSIGs. [RT #22141]
 8426 
 8427 3059.	[test]		Added a regression test for change #3023.
 8428 
 8429 3058.	[bug]		Cause named to terminate at startup or rndc reconfig/
 8430 			reload to fail, if a log file specified in the conf
 8431 			file isn't a plain file. [RT #22771]
 8432 
 8433 3057.	[bug]		"rndc secroots" would abort after the first error
 8434 			and so could miss some views. [RT #23488]
 8435 
 8436 3056.	[func]		Added support for URI resource record. [RT #23386]
 8437 
 8438 3055.	[placeholder]
 8439 
 8440 3054.	[bug]		Added elliptic curve support check in
 8441 			GOST OpenSSL engine detection. [RT #23485]
 8442 
 8443 3053.	[bug]		Under a sustained high query load with a finite
 8444 			max-cache-size, it was possible for cache memory
 8445 			to be exhausted and not recovered. [RT #23371]
 8446 
 8447 3052.	[test]		Fixed last autosign test report. [RT #23256]
 8448 
 8449 3051.	[bug]		NS records obscure DNAME records at the bottom of the
 8450 			zone if both are present. [RT #23035]
 8451 
 8452 3050.	[bug]		The autosign system test was timing dependent.
 8453 			Wait for the initial autosigning to complete
 8454 			before running the rest of the test. [RT #23035]
 8455 
 8456 3049.	[bug]		Save and restore the gid when creating creating
 8457 			named.pid at startup. [RT #23290]
 8458 
 8459 3048.	[bug]		Fully separate view key management. [RT #23419]
 8460 
 8461 3047.	[bug]		DNSKEY NODATA responses not cached fixed in
 8462 			validator.c. Tests added to dnssec system test.
 8463 			[RT #22908]
 8464 
 8465 3046.	[bug]		Use RRSIG original TTL to compute validated RRset
 8466 			and RRSIG TTL. [RT #23332]
 8467 
 8468 3045.	[removed]	Replaced by change #3050.
 8469 
 8470 3044.	[bug]		Hold the socket manager lock while freeing the socket.
 8471 			[RT #23333]
 8472 
 8473 3043.	[test]		Merged in the NetBSD ATF test framework (currently
 8474 			version 0.12) for development of future unit tests.
 8475 			Use configure --with-atf to build ATF internally
 8476 			or configure --with-atf=prefix to use an external
 8477 			copy.  [RT #23209]
 8478 
 8479 3042.	[bug]		dig +trace could fail attempting to use IPv6
 8480 			addresses on systems with only IPv4 connectivity.
 8481 			[RT #23297]
 8482 
 8483 3041.	[bug]		dnssec-signzone failed to generate new signatures on
 8484 			ttl changes. [RT #23330]
 8485 
 8486 3040.	[bug]		Named failed to validate insecure zones where a node
 8487 			with a CNAME existed between the trust anchor and the
 8488 			top of the zone. [RT #23338]
 8489 
 8490 3039.	[func]		Redirect on NXDOMAIN support. [RT #23146]
 8491 
 8492 3038.	[bug]		Install <dns/rpz.h>.  [RT #23342]
 8493 
 8494 3037.	[doc]		Update COPYRIGHT to contain all the individual
 8495 			copyright notices that cover various parts.
 8496 
 8497 3036.	[bug]		Check built-in zone arguments to see if the zone
 8498 			is re-usable or not. [RT #21914]
 8499 
 8500 3035.	[cleanup]	Simplify by using strlcpy. [RT #22521]
 8501 
 8502 3034.	[cleanup]	nslookup: use strlcpy instead of safecopy. [RT #22521]
 8503 
 8504 3033.	[cleanup]	Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).
 8505 			[RT #22521]
 8506 
 8507 3032.	[bug]		rdatalist.c: add missing REQUIREs. [RT #22521]
 8508 
 8509 3031.	[bug]		dns_rdataclass_format() handle a zero sized buffer.
 8510 			[RT #22521]
 8511 
 8512 3030.	[bug]		dns_rdatatype_format() handle a zero sized buffer.
 8513 			[RT #22521]
 8514 
 8515 3029.	[bug]		isc_netaddr_format() handle a zero sized buffer.
 8516 			[RT #22521]
 8517 
 8518 3028.	[bug]		isc_sockaddr_format() handle a zero sized buffer.
 8519 			[RT #22521]
 8520 
 8521 3027.	[bug]		Add documented REQUIREs to cfg_obj_asnetprefix() to
 8522 			catch NULL pointer dereferences before they happen.
 8523 			[RT #22521]
 8524 
 8525 3026.	[bug]		lib/isc/httpd.c: check that we have enough space
 8526 			after calling grow_headerspace() and if not
 8527 			re-call grow_headerspace() until we do. [RT #22521]
 8528 
 8529 3025.	[bug]		Fixed a possible deadlock due to zone resigning.
 8530 			[RT #22964]
 8531 
 8532 3024.	[func]		RTT Banding removed due to minor security increase
 8533 			but major impact on resolver latency. [RT #23310]
 8534 
 8535 3023.	[bug]		Named could be left in an inconsistent state when
 8536 			receiving multiple AXFR response messages that were
 8537 			not all TSIG-signed. [RT #23254]
 8538 
 8539 3022.	[bug]		Fixed rpz SERVFAILs after failed zone transfers
 8540 			[RT #23246]
 8541 
 8542 3021.	[bug]		Change #3010 was incomplete. [RT #22296]
 8543 
 8544 3020.	[bug]		auto-dnssec failed to correctly update the zone when
 8545 			changing the DNSKEY RRset. [RT #23232]
 8546 
 8547 3019.	[test]		Test: check apex NSEC3 records after adding DNSKEY
 8548 			record via UPDATE. [RT #23229]
 8549 
 8550 3018.	[bug]		Named failed to check for the "none;" acl when deciding
 8551 			if a zone may need to be re-signed. [RT #23120]
 8552 
 8553 3017.	[doc]		dnssec-keyfromlabel -I was not properly documented.
 8554 			[RT #22887]
 8555 
 8556 3016.	[bug]		rndc usage missing '-b'. [RT #22937]
 8557 
 8558 3015.	[port]		win32: fix IN6_IS_ADDR_LINKLOCAL and
 8559 			IN6_IS_ADDR_SITELOCAL macros. [RT #22724]
 8560 
 8561 3014.	[placeholder]
 8562 
 8563 3013.	[bug]		The DNS64 ttl was not always being set as expected.
 8564 			[RT #23034]
 8565 
 8566 3012.	[bug]		Remove DNSKEY TTL change pairs before generating
 8567 			signing records for any remaining DNSKEY changes.
 8568 			[RT #22590]
 8569 
 8570 3011.	[func]		Change the default query timeout from 30 seconds
 8571 			to 10.  Allow setting this in named.conf using the new
 8572 			'resolver-query-timeout' option, which specifies a max
 8573 			time in seconds.  0 means 'default' and anything longer
 8574 			than 30 will be silently set to 30. [RT #22852]
 8575 
 8576 3010.	[bug]		Fixed a bug where "rndc reconfig" stopped the timer
 8577 			for refreshing managed-keys. [RT #22296]
 8578 
 8579 3009.	[bug]		clients-per-query code didn't work as expected with
 8580 			particular query patterns. [RT #22972]
 8581 
 8582 	--- 9.8.0b1 released ---
 8583 
 8584 3008.	[func]		Response policy zones (RPZ) support. [RT #21726]
 8585 
 8586 3007.	[bug]		Named failed to preserve the case of domain names in
 8587 			rdata which is not compressible when writing master
 8588 			files.  [RT #22863]
 8589 
 8590 3006.	[func]		Allow dynamically generated TSIG keys to be preserved
 8591 			across restarts of named.  Initially this is for
 8592 			TSIG keys generated using GSSAPI. [RT #22639]
 8593 
 8594 3005.	[port]		Solaris: Work around the lack of
 8595 			gsskrb5_register_acceptor_identity() by setting
 8596 			the KRB5_KTNAME environment variable to the
 8597 			contents of tkey-gssapi-keytab.  Also fixed
 8598 			test errors on MacOSX.  [RT #22853]
 8599 
 8600 3004.	[func]		DNS64 reverse support. [RT #22769]
 8601 
 8602 3003.	[experimental]	Added update-policy match type "external",
 8603 			enabling named to defer the decision of whether to
 8604 			allow a dynamic update to an external daemon.
 8605 			(Contributed by Andrew Tridgell.) [RT #22758]
 8606 
 8607 3002.	[bug]		isc_mutex_init_errcheck() failed to destroy attr.
 8608 			[RT #22766]
 8609 
 8610 3001.	[func]		Added a default trust anchor for the root zone, which
 8611 			can be switched on by setting "dnssec-validation auto;"
 8612 			in the named.conf options. [RT #21727]
 8613 
 8614 3000.	[bug]		More TKEY/GSS fixes:
 8615 			 - nsupdate can now get the default realm from
 8616 			   the user's Kerberos principal
 8617 			 - corrected gsstest compilation flags
 8618 			 - improved documentation
 8619 			 - fixed some NULL dereferences
 8620 			[RT #22795]
 8621 
 8622 2999.	[func]		Add GOST support (RFC 5933). [RT #20639]
 8623 
 8624 2998.	[func]		Add isc_task_beginexclusive and isc_task_endexclusive
 8625 			to the task api. [RT #22776]
 8626 
 8627 2997.	[func]		named -V now reports the OpenSSL and libxml2 versions
 8628 			it was compiled against. [RT #22687]
 8629 
 8630 2996.	[security]	Temporarily disable SO_ACCEPTFILTER support.
 8631 			[RT #22589]
 8632 
 8633 2995.	[bug]		The Kerberos realm was not being correctly extracted
 8634 			from the signer's identity. [RT #22770]
 8635 
 8636 2994.	[port]		NetBSD: use pthreads by default on NetBSD >= 5.0, and
 8637 			do not use threads on earlier versions.  Also kill
 8638 			the unproven-pthreads, mit-pthreads, and ptl2 support.
 8639 
 8640 2993.	[func]		Dynamically grow adb hash tables. [RT #21186]
 8641 
 8642 2992.	[contrib]	contrib/check-secure-delegation.pl:  A simple tool
 8643 			for looking at a secure delegation. [RT #22059]
 8644 
 8645 2991.	[contrib]	contrib/zone-edit.sh: A simple zone editing tool for
 8646 			dynamic zones. [RT #22365]
 8647 
 8648 2990.	[bug]		'dnssec-settime -S' no longer tests prepublication
 8649 			interval validity when the interval is set to 0.
 8650 			[RT #22761]
 8651 
 8652 2989.	[func]		Added support for writable DLZ zones. (Contributed
 8653 			by Andrew Tridgell of the Samba project.) [RT #22629]
 8654 
 8655 2988.	[experimental]	Added a "dlopen" DLZ driver, allowing the creation
 8656 			of external DLZ drivers that can be loaded as
 8657 			shared objects at runtime rather than linked with
 8658 			named.  Currently this is switched on via a
 8659 			compile-time option, "configure --with-dlz-dlopen".
 8660 			Note: the syntax for configuring DLZ zones
 8661 			is likely to be refined in future releases.
 8662 			(Contributed by Andrew Tridgell of the Samba
 8663 			project.) [RT #22629]
 8664 
 8665 2987.	[func]		Improve ease of configuring TKEY/GSS updates by
 8666 			adding a "tkey-gssapi-keytab" option.  If set,
 8667 			updates will be allowed with any key matching
 8668 			a principal in the specified keytab file.
 8669 			"tkey-gssapi-credential" is no longer required
 8670 			and is expected to be deprecated.  (Contributed
 8671 			by Andrew Tridgell of the Samba project.)
 8672 			[RT #22629]
 8673 
 8674 2986.	[func]		Add new zone type "static-stub".  It's like a stub
 8675 			zone, but the nameserver names and/or their IP
 8676 			addresses are statically configured. [RT #21474]
 8677 
 8678 2985.	[bug]		Add a regression test for change #2896. [RT #21324]
 8679 
 8680 2984.	[bug]		Don't run MX checks when the target of the MX record
 8681 			is ".".  [RT #22645]
 8682 
 8683 2983.	[bug]		Include "loadkeys" in rndc help output. [RT #22493]
 8684 
 8685 	--- 9.8.0a1 released ---
 8686 
 8687 2982.	[bug]		Reference count dst keys.  dst_key_attach() can be used
 8688 			increment the reference count.
 8689 
 8690 			Note: dns_tsigkey_createfromkey() callers should now
 8691 			always call dst_key_free() rather than setting it
 8692 			to NULL on success. [RT #22672]
 8693 
 8694 2981.	[func]		Partial DNS64 support (AAAA synthesis). [RT #21991]
 8695 
 8696 2980.	[bug]		named didn't properly handle UPDATES that changed the
 8697 			TTL of the NSEC3PARAM RRset. [RT #22363]
 8698 
 8699 2979.	[bug]		named could deadlock during shutdown if two
 8700 			"rndc stop" commands were issued at the same
 8701 			time. [RT #22108]
 8702 
 8703 2978.	[port]		hpux: look for <devpoll.h> [RT #21919]
 8704 
 8705 2977.	[bug]		'nsupdate -l' report if the session key is missing.
 8706 			[RT #21670]
 8707 
 8708 2976.	[bug]		named could die on exit after negotiating a GSS-TSIG
 8709 			key. [RT #22573]
 8710 
 8711 2975.	[bug]		rbtdb.c:cleanup_dead_nodes_callback() acquired the
 8712 			wrong lock which could lead to server deadlock.
 8713 			[RT #22614]
 8714 
 8715 2974.	[bug]		Some valid UPDATE requests could fail due to a
 8716 			consistency check examining the existing version
 8717 			of the zone rather than the new version resulting
 8718 			from the UPDATE. [RT #22413]
 8719 
 8720 2973.	[bug]		bind.keys.h was being removed by the "make clean"
 8721 			at the end of configure resulting in build failures
 8722 			where there is very old version of perl installed.
 8723 			Move it to "make maintainer-clean". [RT #22230]
 8724 
 8725 2972.	[bug]		win32: address windows socket errors. [RT #21906]
 8726 
 8727 2971.	[bug]		Fixed a bug that caused journal files not to be
 8728 			compacted on Windows systems as a result of
 8729 			non-POSIX-compliant rename() semantics. [RT #22434]
 8730 
 8731 2970.	[security]	Adding a NO DATA negative cache entry failed to clear
 8732 			any matching RRSIG records.  A subsequent lookup of
 8733 			of NO DATA cache entry could trigger a INSIST when the
 8734 			unexpected RRSIG was also returned with the NO DATA
 8735 			cache entry.
 8736 
 8737 			CVE-2010-3613, VU#706148. [RT #22288]
 8738 
 8739 2969.	[security]	Fix acl type processing so that allow-query works
 8740 			in options and view statements.  Also add a new
 8741 			set of tests to verify proper functioning.
 8742 
 8743 			CVE-2010-3615, VU#510208. [RT #22418]
 8744 
 8745 2968.	[security]	Named could fail to prove a data set was insecure
 8746 			before marking it as insecure.  One set of conditions
 8747 			that can trigger this occurs naturally when rolling
 8748 			DNSKEY algorithms.
 8749 
 8750 			CVE-2010-3614, VU#837744. [RT #22309]
 8751 
 8752 2967.	[bug]		'host -D' now turns on debugging messages earlier.
 8753 			[RT #22361]
 8754 
 8755 2966.	[bug]		isc_print_vsnprintf() failed to check if there was
 8756 			space available in the buffer when adding a left
 8757 			justified character with a non zero width,
 8758 			(e.g. "%-1c"). [RT #22270]
 8759 
 8760 2965.	[func]		Test HMAC functions using test data from RFC 2104 and
 8761 			RFC 4634. [RT #21702]
 8762 
 8763 2964.	[placeholder]
 8764 
 8765 2963.	[security]	The allow-query acl was being applied instead of the
 8766 			allow-query-cache acl to cache lookups. [RT #22114]
 8767 
 8768 2962.	[port]		win32: add more dependencies to BINDBuild.dsw.
 8769 			[RT #22062]
 8770 
 8771 2961.	[bug]		Be still more selective about the non-authoritative
 8772 			answers we apply change 2748 to. [RT #22074]
 8773 
 8774 2960.	[func]		Check that named accepts non-authoritative answers.
 8775 			[RT #21594]
 8776 
 8777 2959.	[func]		Check that named starts with a missing masterfile.
 8778 			[RT #22076]
 8779 
 8780 2958.	[bug]		named failed to start with a missing master file.
 8781 			[RT #22076]
 8782 
 8783 2957.	[bug]		entropy_get() and entropy_getpseudo() failed to match
 8784 			the API for RAND_bytes() and RAND_pseudo_bytes()
 8785 			respectively. [RT #21962]
 8786 
 8787 2956.	[port]		Enable atomic operations on the PowerPC64. [RT #21899]
 8788 
 8789 2955.	[func]		Provide more detail in the recursing log. [RT #22043]
 8790 
 8791 2954.	[bug]		contrib: dlz_mysql_driver.c bad error handling on
 8792 			build_sqldbinstance failure. [RT #21623]
 8793 
 8794 2953.	[bug]		Silence spurious "expected covering NSEC3, got an
 8795 			exact match" message when returning a wildcard
 8796 			no data response. [RT #21744]
 8797 
 8798 2952.	[port]		win32: named-checkzone and named-checkconf failed
 8799 			to initialize winsock. [RT #21932]
 8800 
 8801 2951.	[bug]		named failed to generate a correct signed response
 8802 			in a optout, delegation only zone with no secure
 8803 			delegations. [RT #22007]
 8804 
 8805 2950.	[bug]		named failed to perform a SOA up to date check when
 8806 			falling back to TCP on UDP timeouts when
 8807 			ixfr-from-differences was set. [RT #21595]
 8808 
 8809 2949.	[bug]		dns_view_setnewzones() contained a memory leak if
 8810 			it was called multiple times. [RT #21942]
 8811 
 8812 2948.	[port]		MacOS: provide a mechanism to configure the test
 8813 			interfaces at reboot. See bin/tests/system/README
 8814 			for details.
 8815 
 8816 2947.	[placeholder]
 8817 
 8818 2946.	[doc]		Document the default values for the minimum and maximum
 8819 			zone refresh and retry values in the ARM. [RT #21886]
 8820 
 8821 2945.	[doc]		Update empty-zones list in ARM. [RT #21772]
 8822 
 8823 2944.	[maint]		Remove ORCHID prefix from built in empty zones.
 8824 			[RT #21772]
 8825 
 8826 2943.	[func]		Add support to load new keys into managed zones
 8827 			without signing immediately with "rndc loadkeys".
 8828 			Add support to link keys with "dnssec-keygen -S"
 8829 			and "dnssec-settime -S".  [RT #21351]
 8830 
 8831 2942.	[contrib]	zone2sqlite failed to setup the entropy sources.
 8832 			[RT #21610]
 8833 
 8834 2941.	[bug]		sdb and sdlz (dlz's zone database) failed to support
 8835 			DNAME at the zone apex.  [RT #21610]
 8836 
 8837 2940.	[port]		Remove connection aborted error message on
 8838 			Windows. [RT #21549]
 8839 
 8840 2939.	[func]		Check that named successfully skips NSEC3 records
 8841 			that fail to match the NSEC3PARAM record currently
 8842 			in use. [RT #21868]
 8843 
 8844 2938.	[bug]		When generating signed responses, from a signed zone
 8845 			that uses NSEC3, named would use a uninitialized
 8846 			pointer if it needed to skip a NSEC3 record because
 8847 			it didn't match the selected NSEC3PARAM record for
 8848 			zone. [RT #21868]
 8849 
 8850 2937.	[bug]		Worked around an apparent race condition in over
 8851 			memory conditions.  Without this fix a DNS cache DB or
 8852 			ADB could incorrectly stay in an over memory state,
 8853 			effectively refusing further caching, which
 8854 			subsequently made a BIND 9 caching server unworkable.
 8855 			This fix prevents this problem from happening by
 8856 			polling the state of the memory context, rather than
 8857 			making a copy of the state, which appeared to cause
 8858 			a race.  This is a "workaround" in that it doesn't
 8859 			solve the possible race per se, but several experiments
 8860 			proved this change solves the symptom.  Also, the
 8861 			polling overhead hasn't been reported to be an issue.
 8862 			This bug should only affect a caching server that
 8863 			specifies a finite max-cache-size.  It's also quite
 8864 			likely that the bug happens only when enabling threads,
 8865 			but it's not confirmed yet. [RT #21818]
 8866 
 8867 2936.	[func]		Improved configuration syntax and multiple-view
 8868 			support for addzone/delzone feature (see change
 8869 			#2930).  Removed "new-zone-file" option, replaced
 8870 			with "allow-new-zones (yes|no)".  The new-zone-file
 8871 			for each view is now created automatically, with
 8872 			a filename generated from a hash of the view name.
 8873 			It is no longer necessary to "include" the
 8874 			new-zone-file in named.conf; this happens
 8875 			automatically.  Zones that were not added via
 8876 			"rndc addzone" can no longer be removed with
 8877 			"rndc delzone". [RT #19447]
 8878 
 8879 2935.	[bug]		nsupdate: improve 'file not found' error message.
 8880 			[RT #21871]
 8881 
 8882 2934.	[bug]		Use ANSI C compliant shift range in lib/isc/entropy.c.
 8883 			[RT #21871]
 8884 
 8885 2933.	[bug]		'dig +nsid' used stack memory after it went out of
 8886 			scope.  This could potentially result in a unknown,
 8887 			potentially malformed, EDNS option being sent instead
 8888 			of the desired NSID option. [RT #21781]
 8889 
 8890 2932.	[cleanup]	Corrected a numbering error in the "dnssec" test.
 8891 			[RT #21597]
 8892 
 8893 2931.	[bug]		Temporarily and partially disable change 2864
 8894 			because it would cause infinite attempts of RRSIG
 8895 			queries.  This is an urgent care fix; we'll
 8896 			revisit the issue and complete the fix later.
 8897 			[RT #21710]
 8898 
 8899 2930.	[experimental]	New "rndc addzone" and "rndc delzone" commands
 8900 			allow dynamic addition and deletion of zones.
 8901 			To enable this feature, specify a "new-zone-file"
 8902 			option at the view or options level in named.conf.
 8903 			Zone configuration information for the new zones
 8904 			will be written into that file.  To make the new
 8905 			zones persist after a restart, "include" the file
 8906 			into named.conf in the appropriate view.  (Note:
 8907 			This feature is not yet documented, and its syntax
 8908 			is expected to change.) [RT #19447]
 8909 
 8910 2929.	[bug]		Improved handling of GSS security contexts:
 8911 			 - added LRU expiration for generated TSIGs
 8912 			 - added the ability to use a non-default realm
 8913 			 - added new "realm" keyword in nsupdate
 8914 			 - limited lifetime of generated keys to 1 hour
 8915 			   or the lifetime of the context (whichever is
 8916 			   smaller)
 8917 			[RT #19737]
 8918 
 8919 2928.	[bug]		Be more selective about the non-authoritative
 8920 			answer we apply change 2748 to. [RT #21594]
 8921 
 8922 2927.	[placeholder]
 8923 
 8924 2926.	[placeholder]
 8925 
 8926 2925.	[bug]		Named failed to accept uncachable negative responses
 8927 			from insecure zones. [RT #21555]
 8928 
 8929 2924.	[func]		'rndc  secroots'  dump a combined summary of the
 8930 			current managed keys combined with trusted keys.
 8931 			[RT #20904]
 8932 
 8933 2923.	[bug]		'dig +trace' could drop core after "connection
 8934 			timeout". [RT #21514]
 8935 
 8936 2922.	[contrib]	Update zkt to version 1.0.
 8937 
 8938 2921.	[bug]		The resolver could attempt to destroy a fetch context
 8939 			too soon.  [RT #19878]
 8940 
 8941 2920.	[func]		Allow 'filter-aaaa-on-v4' to be applied selectively
 8942 			to IPv4 clients.  New acl 'filter-aaaa' (default any).
 8943 
 8944 2919.	[func]		Add autosign-ksk and autosign-zsk virtual time tests.
 8945 			[RT #20840]
 8946 
 8947 2918.	[maint]		Add AAAA address for I.ROOT-SERVERS.NET.
 8948 
 8949 2917.	[func]		Virtual time test framework. [RT #20801]
 8950 
 8951 2916.	[func]		Add framework to use IPv6 in tests.
 8952 			fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7
 8953 
 8954 2915.	[cleanup]	Be smarter about which objects we attempt to compile
 8955 			based on configure options. [RT #21444]
 8956 
 8957 2914.	[bug]		Make the "autosign" system test more portable.
 8958 			[RT #20997]
 8959 
 8960 2913.	[func]		Add pkcs#11 system tests. [RT #20784]
 8961 
 8962 2912.	[func]		Windows clients don't like UPDATE responses that clear
 8963 			the zone section. [RT #20986]
 8964 
 8965 2911.	[bug]		dnssec-signzone didn't handle out of zone records well.
 8966 			[RT #21367]
 8967 
 8968 2910.	[func]		Sanity check Kerberos credentials. [RT #20986]
 8969 
 8970 2909.	[bug]		named-checkconf -p could die if "update-policy local;"
 8971 			was specified in named.conf. [RT #21416]
 8972 
 8973 2908.	[bug]		It was possible for re-signing to stop after removing
 8974 			a DNSKEY. [RT #21384]
 8975 
 8976 2907.	[bug]		The export version of libdns had undefined references.
 8977 			[RT #21444]
 8978 
 8979 2906.	[bug]		Address RFC 5011 implementation issues. [RT #20903]
 8980 
 8981 2905.	[port]		aix: set use_atomic=yes with native compiler.
 8982 			[RT #21402]
 8983 
 8984 2904.	[bug]		When using DLV, sub-zones of the zones in the DLV,
 8985 			could be incorrectly marked as insecure instead of
 8986 			secure leading to negative proofs failing.  This was
 8987 			a unintended outcome from change 2890. [RT #21392]
 8988 
 8989 2903.	[bug]		managed-keys-directory missing from namedconf.c.
 8990 			[RT #21370]
 8991 
 8992 2902.	[func]		Add regression test for change 2897. [RT #21040]
 8993 
 8994 2901.	[port]		Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]
 8995 
 8996 2900.	[bug]		The placeholder negative caching element was not
 8997 			properly constructed triggering a INSIST in
 8998 			dns_ncache_towire(). [RT #21346]
 8999 
 9000 2899.	[port]		win32: Support linking against OpenSSL 1.0.0.
 9001 
 9002 2898.	[bug]		nslookup leaked memory when -domain=value was
 9003 			specified. [RT #21301]
 9004 
 9005 2897.	[bug]		NSEC3 chains could be left behind when transitioning
 9006 			to insecure. [RT #21040]
 9007 
 9008 2896.	[bug]		"rndc sign" failed to properly update the zone
 9009 			when adding a DNSKEY for publication only. [RT #21045]
 9010 
 9011 2895.	[func]		genrandom: add support for the generation of multiple
 9012 			files.  [RT #20917]
 9013 
 9014 2894.	[contrib]	DLZ LDAP support now use '$' not '%'. [RT #21294]
 9015 
 9016 2893.	[bug]		Improve managed keys support.  New named.conf option
 9017 			managed-keys-directory. [RT #20924]
 9018 
 9019 2892.	[bug]		Handle REVOKED keys better. [RT #20961]
 9020 
 9021 2891.	[maint]		Update empty-zones list to match
 9022 			draft-ietf-dnsop-default-local-zones-13. [RT #21099]
 9023 
 9024 2890.	[bug]		Handle the introduction of new trusted-keys and
 9025 			DS, DLV RRsets better. [RT #21097]
 9026 
 9027 2889.	[bug]		Elements of the grammar where not properly reported.
 9028 			[RT #21046]
 9029 
 9030 2888.	[bug]		Only the first EDNS option was displayed. [RT #21273]
 9031 
 9032 2887.	[bug]		Report the keytag times in UTC in the .key file,
 9033 			local time is presented as a comment within the
 9034 			comment.  [RT #21223]
 9035 
 9036 2886.	[bug]		ctime() is not thread safe. [RT #21223]
 9037 
 9038 2885.	[bug]		Improve -fno-strict-aliasing support probing in
 9039 			configure. [RT #21080]
 9040 
 9041 2884.	[bug]		Insufficient validation in dns_name_getlabelsequence().
 9042 			[RT #21283]
 9043 
 9044 2883.	[bug]		'dig +short' failed to handle really large datasets.
 9045 			[RT #21113]
 9046 
 9047 2882.	[bug]		Remove memory context from list of active contexts
 9048 			before clearing 'magic'. [RT #21274]
 9049 
 9050 2881.	[bug]		Reduce the amount of time the rbtdb write lock
 9051 			is held when closing a version. [RT #21198]
 9052 
 9053 2880.	[cleanup]	Make the output of dnssec-keygen and dnssec-revoke
 9054 			consistent. [RT #21078]
 9055 
 9056 2879.	[contrib]	DLZ bdbhpt driver fails to close correct cursor.
 9057 			[RT #21106]
 9058 
 9059 2878.	[func]		Incrementally write the master file after performing
 9060 			a AXFR.  [RT #21010]
 9061 
 9062 2877.	[bug]		The validator failed to skip obviously mismatching
 9063 			RRSIGs. [RT #21138]
 9064 
 9065 2876.	[bug]		Named could return SERVFAIL for negative responses
 9066 			from unsigned zones. [RT #21131]
 9067 
 9068 2875.	[bug]		dns_time64_fromtext() could accept non digits.
 9069 			[RT #21033]
 9070 
 9071 2874.	[bug]		Cache lack of EDNS support only after the server
 9072 			successfully responds to the query using plain DNS.
 9073 			[RT #20930]
 9074 
 9075 2873.	[bug]		Canceling a dynamic update via the dns/client module
 9076 			could trigger an assertion failure. [RT #21133]
 9077 
 9078 2872.	[bug]		Modify dns/client.c:dns_client_createx() to only
 9079 			require one of IPv4 or IPv6 rather than both.
 9080 			[RT #21122]
 9081 
 9082 2871.	[bug]		Type mismatch in mem_api.c between the definition and
 9083 			the header file, causing build failure with
 9084 			--enable-exportlib. [RT #21138]
 9085 
 9086 2870.	[maint]		Add AAAA address for L.ROOT-SERVERS.NET.
 9087 
 9088 2869.	[bug]		Fix arguments to dns_keytable_findnextkeynode() call.
 9089 			[RT #20877]
 9090 
 9091 2868.	[cleanup]	Run "make clean" at the end of configure to ensure
 9092 			any changes made by configure are integrated.
 9093 			Use --with-make-clean=no to disable.  [RT #20994]
 9094 
 9095 2867.	[bug]		Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
 9096 			don't like it.  [RT #20986]
 9097 
 9098 2866.	[bug]		Windows does not like the TSIG name being compressed.
 9099 			[RT #20986]
 9100 
 9101 2865.	[bug]		memset to zero event.data.  [RT #20986]
 9102 
 9103 2864.	[bug]		Direct SIG/RRSIG queries were not handled correctly.
 9104 			[RT #21050]
 9105 
 9106 2863.	[port]		linux: disable IPv6 PMTUD and use network minimum MTU.
 9107 			[RT #21056]
 9108 
 9109 2862.	[bug]		nsupdate didn't default to the parent zone when
 9110 			updating DS records. [RT #20896]
 9111 
 9112 2861.	[doc]		dnssec-settime man pages didn't correctly document the
 9113 			inactivation time. [RT #21039]
 9114 
 9115 2860.	[bug]		named-checkconf's usage was out of date. [RT #21039]
 9116 
 9117 2859.	[bug]		When canceling validation it was possible to leak
 9118 			memory. [RT #20800]
 9119 
 9120 2858.	[bug]		RTT estimates were not being adjusted on ICMP errors.
 9121 			[RT #20772]
 9122 
 9123 2857.	[bug]		named-checkconf did not fail on a bad trusted key.
 9124 			[RT #20705]
 9125 
 9126 2856.	[bug]		The size of a memory allocation was not always properly
 9127 			recorded. [RT #20927]
 9128 
 9129 2855.	[func]		nsupdate will now preserve the entered case of domain
 9130 			names in update requests it sends. [RT #20928]
 9131 
 9132 2854.	[func]		dig: allow the final soa record in a axfr response to
 9133 			be suppressed, dig +onesoa. [RT #20929]
 9134 
 9135 2853.	[bug]		add_sigs() could run out of scratch space. [RT #21015]
 9136 
 9137 2852.	[bug]		Handle broken DNSSEC trust chains better. [RT #15619]
 9138 
 9139 2851.	[doc]		nslookup.1, removed <informalexample> from the docbook
 9140 			source as it produced bad nroff.  [RT #21007]
 9141 
 9142 2850.	[bug]		If isc_heap_insert() failed due to memory shortage
 9143 			the heap would have corrupted entries. [RT #20951]
 9144 
 9145 2849.	[bug]		Don't treat errors from the xml2 library as fatal.
 9146 			[RT #20945]
 9147 
 9148 2848.	[doc]		Moved README.dnssec, README.libdns, README.pkcs11 and
 9149 			README.rfc5011 into the ARM. [RT #20899]
 9150 
 9151 2847.	[cleanup]	Corrected usage message in dnssec-settime. [RT #20921]
 9152 
 9153 2846.	[bug]		EOF on unix domain sockets was not being handled
 9154 			correctly. [RT #20731]
 9155 
 9156 2845.	[bug]		RFC 5011 client could crash on shutdown. [RT #20903]
 9157 
 9158 2844.	[doc]		notify-delay default in ARM was wrong.  It should have
 9159 			been five (5) seconds.
 9160 
 9161 2843.	[func]		Prevent dnssec-keygen and dnssec-keyfromlabel from
 9162 			creating key files if there is a chance that the new
 9163 			key ID will collide with an existing one after
 9164 			either of the keys has been revoked.  (To override
 9165 			this in the case of dnssec-keyfromlabel, use the -y
 9166 			option.  dnssec-keygen will simply create a
 9167 			different, non-colliding key, so an override is
 9168 			not necessary.) [RT #20838]
 9169 
 9170 2842.	[func]		Added "smartsign" and improved "autosign" and
 9171 			"dnssec" regression tests. [RT #20865]
 9172 
 9173 2841.	[bug]		Change 2836 was not complete. [RT #20883]
 9174 
 9175 2840.	[bug]		Temporary fixed pkcs11-destroy usage check.
 9176 			[RT #20760]
 9177 
 9178 2839.	[bug]		A KSK revoked by named could not be deleted.
 9179 			[RT #20881]
 9180 
 9181 2838.	[placeholder]
 9182 
 9183 2837.	[port]		Prevent Linux spurious warnings about fwrite().
 9184 			[RT #20812]
 9185 
 9186 2836.	[bug]		Keys that were scheduled to become active could
 9187 			be delayed. [RT #20874]
 9188 
 9189 2835.	[bug]		Key inactivity dates were inadvertently stored in
 9190 			the private key file with the outdated tag
 9191 			"Unpublish" rather than "Inactive".  This has been
 9192 			fixed; however, any existing keys that had Inactive
 9193 			dates set will now need to have them reset, using
 9194 			'dnssec-settime -I'. [RT #20868]
 9195 
 9196 2834.	[bug]		HMAC-SHA* keys that were longer than the algorithm
 9197 			digest length were used incorrectly, leading to
 9198 			interoperability problems with other DNS
 9199 			implementations.  This has been corrected.
 9200 			(Note: If an oversize key is in use, and
 9201 			compatibility is needed with an older release of
 9202 			BIND, the new tool "isc-hmac-fixup" can convert
 9203 			the key secret to a form that will work with all
 9204 			versions.) [RT #20751]
 9205 
 9206 2833.	[cleanup]	Fix usage messages in dnssec-keygen and dnssec-settime.
 9207 			[RT #20851]
 9208 
 9209 2832.	[bug]		Modify "struct stat" in lib/export/samples/nsprobe.c
 9210 			to avoid redefinition in some OSs [RT 20831]
 9211 
 9212 2831.	[security]	Do not attempt to validate or cache
 9213 			out-of-bailiwick data returned with a secure
 9214 			answer; it must be re-fetched from its original
 9215 			source and validated in that context. [RT #20819]
 9216 
 9217 2830.	[bug]		Changing the OPTOUT setting could take multiple
 9218 			passes. [RT #20813]
 9219 
 9220 2829.	[bug]		Fixed potential node inconsistency in rbtdb.c.
 9221 			[RT #20808]
 9222 
 9223 2828.	[security]	Cached CNAME or DNAME RR could be returned to clients
 9224 			without DNSSEC validation. [RT #20737]
 9225 
 9226 2827.	[security]	Bogus NXDOMAIN could be cached as if valid. [RT #20712]
 9227 
 9228 2826.	[bug]		NSEC3->NSEC transitions could fail due to a lock not
 9229 			being released.  [RT #20740]
 9230 
 9231 2825.	[bug]		Changing the setting of OPTOUT in a NSEC3 chain that
 9232 			was in the process of being created was not properly
 9233 			recorded in the zone. [RT #20786]
 9234 
 9235 2824.	[bug]		"rndc sign" was not being run by the correct task.
 9236 			[RT #20759]
 9237 
 9238 2823.	[bug]		rbtdb.c:getsigningtime() was missing locks. [RT #20781]
 9239 
 9240 2822.	[bug]		rbtdb.c:loadnode() could return the wrong result.
 9241 			[RT #20802]
 9242 
 9243 2821.	[doc]		Add note that named-checkconf doesn't automatically
 9244 			read rndc.key and bind.keys [RT #20758]
 9245 
 9246 2820.	[func]		Handle read access failure of OpenSSL configuration
 9247 			file more user friendly (PKCS#11 engine patch).
 9248 			[RT #20668]
 9249 
 9250 2819.	[cleanup]	Removed unnecessary DNS_POINTER_MAXHOPS define.
 9251 			[RT #20771]
 9252 
 9253 2818.	[cleanup]	rndc could return an incorrect error code
 9254 			when a zone was not found. [RT #20767]
 9255 
 9256 2817.	[cleanup]	Removed unnecessary isc_task_endexclusive() calls.
 9257 			[RT #20768]
 9258 
 9259 2816.	[bug]		previous_closest_nsec() could fail to return
 9260 			data for NSEC3 nodes [RT #29730]
 9261 
 9262 2815.	[bug]		Exclusively lock the task when freezing a zone.
 9263 			[RT #19838]
 9264 
 9265 2814.	[func]		Provide a definitive error message when a master
 9266 			zone is not loaded. [RT #20757]
 9267 
 9268 2813.	[bug]		Better handling of unreadable DNSSEC key files.
 9269 			[RT #20710]
 9270 
 9271 2812.	[bug]		Make sure updates can't result in a zone with
 9272 			NSEC-only keys and NSEC3 records. [RT #20748]
 9273 
 9274 2811.	[cleanup]	Add "rndc sign" to list of commands in rndc usage
 9275 			output. [RT #20733]
 9276 
 9277 2810.	[doc]		Clarified the process of transitioning an NSEC3 zone
 9278 			to insecure. [RT #20746]
 9279 
 9280 2809.	[cleanup]	Restored accidentally-deleted text in usage output
 9281 			in dnssec-settime and dnssec-revoke [RT #20739]
 9282 
 9283 2808.	[bug]		Remove the attempt to install atomic.h from lib/isc.
 9284 			atomic.h is correctly installed by the architecture
 9285 			specific subdirectories.  [RT #20722]
 9286 
 9287 2807.	[bug]		Fixed a possible ASSERT when reconfiguring zone
 9288 			keys. [RT #20720]
 9289 
 9290 	--- 9.7.0rc1 released ---
 9291 
 9292 2806.	[bug]		"rdnc sign" could delay re-signing the DNSKEY
 9293 			when it had changed. [RT #20703]
 9294 
 9295 2805.	[bug]		Fixed namespace problems encountered when building
 9296 			external programs using non-exported BIND9 libraries
 9297 			(i.e., built without --enable-exportlib). [RT #20679]
 9298 
 9299 2804.	[bug]		Send notifies when a zone is signed with "rndc sign"
 9300 			or as a result of a scheduled key change. [RT #20700]
 9301 
 9302 2803.	[port]		win32: Install named-journalprint, nsec3hash, arpaname
 9303 			and genrandom under windows. [RT #20670]
 9304 
 9305 2802.	[cleanup]	Rename journalprint to named-journalprint. [RT #20670]
 9306 
 9307 2801.	[func]		Detect and report records that are different according
 9308 			to DNSSEC but are semantically equal according to plain
 9309 			DNS.  Apply plain DNS comparisons rather than DNSSEC
 9310 			comparisons when processing UPDATE requests.
 9311 			dnssec-signzone now removes such semantically duplicate
 9312 			records prior to signing the RRset.
 9313 
 9314 			named-checkzone -r {ignore|warn|fail} (default warn)
 9315 			named-compilezone -r {ignore|warn|fail} (default warn)
 9316 
 9317 			named.conf: check-dup-records {ignore|warn|fail};
 9318 
 9319 2800.	[func]		Reject zones which have NS records which refer to
 9320 			CNAMEs, DNAMEs or don't have address record (class IN
 9321 			only).  Reject UPDATEs which would cause the zone
 9322 			to fail the above checks if committed. [RT #20678]
 9323 
 9324 2799.	[cleanup]	Changed the "secure-to-insecure" option to
 9325 			"dnssec-secure-to-insecure", and "dnskey-ksk-only"
 9326 			to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
 9327 
 9328 2798.	[bug]		Addressed bugs in managed-keys initialization
 9329 			and rollover. [RT #20683]
 9330 
 9331 2797.	[bug]		Don't decrement the dispatch manager's maxbuffers.
 9332 			[RT #20613]
 9333 
 9334 2796.	[bug]		Missing dns_rdataset_disassociate() call in
 9335 			dns_nsec3_delnsec3sx(). [RT #20681]
 9336 
 9337 2795.	[cleanup]	Add text to differentiate "update with no effect"
 9338 			log messages. [RT #18889]
 9339 
 9340 2794.	[bug]		Install <isc/namespace.h>.  [RT #20677]
 9341 
 9342 2793.	[func]		Add "autosign" and "metadata" tests to the
 9343 			automatic tests. [RT #19946]
 9344 
 9345 2792.	[func]		"filter-aaaa-on-v4" can now be set in view
 9346 			options (if compiled in).  [RT #20635]
 9347 
 9348 2791.	[bug]		The installation of isc-config.sh was broken.
 9349 			[RT #20667]
 9350 
 9351 2790.	[bug]		Handle DS queries to stub zones. [RT #20440]
 9352 
 9353 2789.	[bug]		Fixed an INSIST in dispatch.c [RT #20576]
 9354 
 9355 2788.	[bug]		dnssec-signzone could sign with keys that were
 9356 			not requested [RT #20625]
 9357 
 9358 2787.	[bug]		Spurious log message when zone keys were
 9359 			dynamically reconfigured. [RT #20659]
 9360 
 9361 2786.	[bug]		Additional could be promoted to answer. [RT #20663]
 9362 
 9363 	--- 9.7.0b3 released ---
 9364 
 9365 2785.	[bug]		Revoked keys could fail to self-sign [RT #20652]
 9366 
 9367 2784.	[bug]		TC was not always being set when required glue was
 9368 			dropped. [RT #20655]
 9369 
 9370 2783.	[func]		Return minimal responses to EDNS/UDP queries with a UDP
 9371 			buffer size of 512 or less.  [RT #20654]
 9372 
 9373 2782.	[port]		win32: use getaddrinfo() for hostname lookups.
 9374 			[RT #20650]
 9375 
 9376 2781.	[bug]		Inactive keys could be used for signing. [RT #20649]
 9377 
 9378 2780.	[bug]		dnssec-keygen -A none didn't properly unset the
 9379 			activation date in all cases. [RT #20648]
 9380 
 9381 2779.	[bug]		Dynamic key revocation could fail. [RT #20644]
 9382 
 9383 2778.	[bug]		dnssec-signzone could fail when a key was revoked
 9384 			without deleting the unrevoked version. [RT #20638]
 9385 
 9386 2777.	[contrib]	DLZ MYSQL auto reconnect support discovery was wrong.
 9387 
 9388 2776.	[bug]		Change #2762 was not correct. [RT #20647]
 9389 
 9390 2775.	[bug]		Accept RSASHA256 and RSASHA512 as NSEC3 compatible
 9391 			in dnssec-keyfromlabel. [RT #20643]
 9392 
 9393 2774.	[bug]		Existing cache DB wasn't being reused after
 9394 			reconfiguration. [RT #20629]
 9395 
 9396 2773.	[bug]		In autosigned zones, the SOA could be signed
 9397 			with the KSK. [RT #20628]
 9398 
 9399 2772.	[security]	When validating, track whether pending data was from
 9400 			the additional section or not and only return it if
 9401 			validates as secure. [RT #20438]
 9402 
 9403 2771.	[bug]		dnssec-signzone: DNSKEY records could be
 9404 			corrupted when importing from key files [RT #20624]
 9405 
 9406 2770.	[cleanup]	Add log messages to resolver.c to indicate events
 9407 			causing FORMERR responses. [RT #20526]
 9408 
 9409 2769.	[cleanup]	Change #2742 was incomplete. [RT #19589]
 9410 
 9411 2768.	[bug]		dnssec-signzone: -S no longer implies -g [RT #20568]
 9412 
 9413 2767.	[bug]		named could crash on startup if a zone was
 9414 			configured with auto-dnssec and there was no
 9415 			key-directory. [RT #20615]
 9416 
 9417 2766.	[bug]		isc_socket_fdwatchpoke() should only update the
 9418 			socketmgr state if the socket is not pending on a
 9419 			read or write.  [RT #20603]
 9420 
 9421 2765.	[bug]		Skip masters for which the TSIG key cannot be found.
 9422 			[RT #20595]
 9423 
 9424 2764.	[bug]		"rndc-confgen -a" could trigger a REQUIRE. [RT #20610]
 9425 
 9426 2763.	[bug]		"rndc sign" didn't create an NSEC chain. [RT #20591]
 9427 
 9428 2762.	[bug]		DLV validation failed with a local slave DLV zone.
 9429 			[RT #20577]
 9430 
 9431 2761.	[cleanup]	Enable internal symbol table for backtrace only for
 9432 			systems that are known to work.  Currently, BSD
 9433 			variants, Linux and Solaris are supported. [RT #20202]
 9434 
 9435 2760.	[cleanup]	Corrected named-compilezone usage summary. [RT #20533]
 9436 
 9437 2759.	[doc]		Add information about .jbk/.jnw files to
 9438 			the ARM. [RT #20303]
 9439 
 9440 2758.	[bug]		win32: Added a workaround for a windows 2008 bug
 9441 			that could cause the UDP client handler to shut
 9442 			down. [RT #19176]
 9443 
 9444 2757.	[bug]		dig: assertion failure could occur in connect
 9445 			timeout. [RT #20599]
 9446 
 9447 2756.	[bug]		Fixed corrupt logfile message in update.c. [RT #20597]
 9448 
 9449 2755.	[placeholder]
 9450 
 9451 2754.	[bug]		Secure-to-insecure transitions failed when zone
 9452 			was signed with NSEC3. [RT #20587]
 9453 
 9454 2753.	[bug]		Removed an unnecessary warning that could appear when
 9455 			building an NSEC chain. [RT #20589]
 9456 
 9457 2752.	[bug]		Locking violation. [RT #20587]
 9458 
 9459 2751.	[bug]		Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]
 9460 
 9461 2750.	[bug]		dig: assertion failure could occur when a server
 9462 			didn't have an address. [RT #20579]
 9463 
 9464 2749.	[bug]		ixfr-from-differences generated a non-minimal ixfr
 9465 			for NSEC3 signed zones. [RT #20452]
 9466 
 9467 2748.	[func]		Identify bad answers from GTLD servers and treat them
 9468 			as referrals. [RT #18884]
 9469 
 9470 2747.	[bug]		Journal roll forwards failed to set the re-signing
 9471 			time of RRSIGs correctly. [RT #20541]
 9472 
 9473 2746.	[port]		hpux: address signed/unsigned expansion mismatch of
 9474 			dns_rbtnode_t.nsec. [RT #20542]
 9475 
 9476 2745.	[bug]		configure script didn't probe the return type of
 9477 			gai_strerror(3) correctly. [RT #20573]
 9478 
 9479 2744.	[func]		Log if a query was over TCP. [RT #19961]
 9480 
 9481 2743.	[bug]		RRSIG could be incorrectly set in the NSEC3 record
 9482 			for a insecure delegation.
 9483 
 9484 	--- 9.7.0b2 released ---
 9485 
 9486 2742.	[cleanup]	Clarify some DNSSEC-related log messages in
 9487 			validator.c. [RT #19589]
 9488 
 9489 2741.	[func]		Allow the dnssec-keygen progress messages to be
 9490 			suppressed (dnssec-keygen -q).  Automatically
 9491 			suppress the progress messages when stdin is not
 9492 			a tty. [RT #20474]
 9493 
 9494 2740.	[placeholder]
 9495 
 9496 2739.	[cleanup]	Clean up API for initializing and clearing trust
 9497 			anchors for a view. [RT #20211]
 9498 
 9499 2738.	[func]		Add RSASHA256 and RSASHA512 tests to the dnssec system
 9500 			test. [RT #20453]
 9501 
 9502 2737.	[func]		UPDATE requests can leak existence information.
 9503 			[RT #17261]
 9504 
 9505 2736.	[func]		Improve the performance of NSEC signed zones with
 9506 			more than a normal amount of glue below a delegation.
 9507 			[RT #20191]
 9508 
 9509 2735.	[bug]		dnssec-signzone could fail to read keys
 9510 			that were specified on the command line with
 9511 			full paths, but weren't in the current
 9512 			directory. [RT #20421]
 9513 
 9514 2734.	[port]		cygwin: arpaname did not compile. [RT #20473]
 9515 
 9516 2733.	[cleanup]	Clean up coding style in pkcs11-* tools. [RT #20355]
 9517 
 9518 2732.	[func]		Add optional filter-aaaa-on-v4 option, available
 9519 			if built with './configure --enable-filter-aaaa'.
 9520 			Filters out AAAA answers to clients connecting
 9521 			via IPv4.  (This is NOT recommended for general
 9522 			use.) [RT #20339]
 9523 
 9524 2731.	[func]		Additional work on change 2709.  The key parser
 9525 			will now ignore unrecognized fields when the
 9526 			minor version number of the private key format
 9527 			has been increased.  It will reject any key with
 9528 			the major version number increased. [RT #20310]
 9529 
 9530 2730.	[func]		Have dnssec-keygen display a progress indication
 9531 			a la 'openssl genrsa' on standard error. Note
 9532 			when the first '.' is followed by a long stop
 9533 			one has the choice between slow generation vs.
 9534 			poor random quality, i.e., '-r /dev/urandom'.
 9535 			[RT #20284]
 9536 
 9537 2729.	[func]		When constructing a CNAME from a DNAME use the DNAME
 9538 			TTL. [RT #20451]
 9539 
 9540 2728.	[bug]		dnssec-keygen, dnssec-keyfromlabel and
 9541 			dnssec-signzone now warn immediately if asked to
 9542 			write into a nonexistent directory. [RT #20278]
 9543 
 9544 2727.	[func]		The 'key-directory' option can now specify a relative
 9545 			path. [RT #20154]
 9546 
 9547 2726.	[func]		Added support for SHA-2 DNSSEC algorithms,
 9548 			RSASHA256 and RSASHA512. [RT #20023]
 9549 
 9550 2725.	[doc]		Added information about the file "managed-keys.bind"
 9551 			to the ARM. [RT #20235]
 9552 
 9553 2724.	[bug]		Updates to a existing node in secure zone using NSEC
 9554 			were failing. [RT #20448]
 9555 
 9556 2723.	[bug]		isc_base32_totext(), isc_base32hex_totext(), and
 9557 			isc_base64_totext(), didn't always mark regions of
 9558 			memory as fully consumed after conversion.  [RT #20445]
 9559 
 9560 2722.	[bug]		Ensure that the memory associated with the name of
 9561 			a node in a rbt tree is not altered during the life
 9562 			of the node. [RT #20431]
 9563 
 9564 2721.	[port]		Have dst__entropy_status() prime the random number
 9565 			generator. [RT #20369]
 9566 
 9567 2720.	[bug]		RFC 5011 trust anchor updates could trigger an
 9568 			assert if the DNSKEY record was unsigned. [RT #20406]
 9569 
 9570 2719.	[func]		Skip trusted/managed keys for unsupported algorithms.
 9571 			[RT #20392]
 9572 
 9573 2718.	[bug]		The space calculations in opensslrsa_todns() were
 9574 			incorrect. [RT #20394]
 9575 
 9576 2717.	[bug]		named failed to update the NSEC/NSEC3 record when
 9577 			the last private type record was removed as a result
 9578 			of completing the signing the zone with a key.
 9579 			[RT #20399]
 9580 
 9581 2716.	[bug]		nslookup debug mode didn't return the ttl. [RT #20414]
 9582 
 9583 	--- 9.7.0b1 released ---
 9584 
 9585 2715.	[bug]		Require OpenSSL support to be explicitly disabled.
 9586 			[RT #20288]
 9587 
 9588 2714.	[port]		aix/powerpc: 'asm("ics");' needs non standard assembler
 9589 			flags.
 9590 
 9591 2713.	[bug]		powerpc: atomic operations missing asm("ics") /
 9592 			__isync() calls.
 9593 
 9594 2712.	[func]		New 'auto-dnssec' zone option allows zone signing
 9595 			to be fully automated in zones configured for
 9596 			dynamic DNS.  'auto-dnssec allow;' permits a zone
 9597 			to be signed by creating keys for it in the
 9598 			key-directory and using 'rndc sign <zone>'.
 9599 			'auto-dnssec maintain;' allows that too, plus it
 9600 			also keeps the zone's DNSSEC keys up to date
 9601 			according to their timing metadata. [RT #19943]
 9602 
 9603 2711.	[port]		win32: Add the bin/pkcs11 tools into the full
 9604 			build. [RT #20372]
 9605 
 9606 2710.	[func]		New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
 9607 			zone option cause a zone to be signed with only KSKs
 9608 			signing the DNSKEY RRset, not ZSKs.  This reduces
 9609 			the size of a DNSKEY answer.  [RT #20340]
 9610 
 9611 2709.	[func]		Added some data fields, currently unused, to the
 9612 			private key file format, to allow implementation
 9613 			of explicit key rollover in a future release
 9614 			without impairing backward or forward compatibility.
 9615 			[RT #20310]
 9616 
 9617 2708.	[func]		Insecure to secure and NSEC3 parameter changes via
 9618 			update are now fully supported and no longer require
 9619 			defines to enable.  We now no longer overload the
 9620 			NSEC3PARAM flag field, nor the NSEC OPT bit at the
 9621 			apex.  Secure to insecure changes are controlled by
 9622 			by the named.conf option 'secure-to-insecure'.
 9623 
 9624 			Warning: If you had previously enabled support by
 9625 			adding defines at compile time to BIND 9.6 you should
 9626 			ensure that all changes that are in progress have
 9627 			completed prior to upgrading to BIND 9.7.  BIND 9.7
 9628 			is not backwards compatible.
 9629 
 9630 2707.	[func]		dnssec-keyfromlabel no longer require engine name
 9631 			to be specified in the label if there is a default
 9632 			engine or the -E option has been used.  Also, it
 9633 			now uses default algorithms as dnssec-keygen does
 9634 			(i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
 9635 			[RT #20371]
 9636 
 9637 2706.	[bug]		Loading a zone with a very large NSEC3 salt could
 9638 			trigger an assert. [RT #20368]
 9639 
 9640 2705.	[placeholder]
 9641 
 9642 2704.	[bug]		Serial of dynamic and stub zones could be inconsistent
 9643 			with their SOA serial.  [RT #19387]
 9644 
 9645 2703.	[func]		Introduce an OpenSSL "engine" argument with -E
 9646 			for all binaries which can take benefit of
 9647 			crypto hardware. [RT #20230]
 9648 
 9649 2702.	[func]		Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
 9650 
 9651 2701.	[doc]		Correction to ARM: hmac-md5 is no longer the only
 9652 			supported TSIG key algorithm. [RT #18046]
 9653 
 9654 2700.	[doc]		The match-mapped-addresses option is discouraged.
 9655 			[RT #12252]
 9656 
 9657 2699.	[bug]		Missing lock in rbtdb.c. [RT #20037]
 9658 
 9659 2698.	[placeholder]
 9660 
 9661 2697.	[port]		win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
 9662 			S_IFREG are defined after including <isc/stat.h>.
 9663 			[RT #20309]
 9664 
 9665 2696.	[bug]		named failed to successfully process some valid
 9666 			acl constructs. [RT #20308]
 9667 
 9668 2695.	[func]		DHCP/DDNS - update fdwatch code for use by
 9669 			DHCP.  Modify the api to isc_sockfdwatch_t (the
 9670 			callback function for isc_socket_fdwatchcreate)
 9671 			to include information about the direction (read
 9672 			or write) and add isc_socket_fdwatchpoke.
 9673 			[RT #20253]
 9674 
 9675 2694.	[bug]		Reduce default NSEC3 iterations from 100 to 10.
 9676 			[RT #19970]
 9677 
 9678 2693.	[port]		Add some noreturn attributes. [RT #20257]
 9679 
 9680 2692.	[port]		win32: 32/64 bit cleanups. [RT #20335]
 9681 
 9682 2691.	[func]		dnssec-signzone: retain the existing NSEC or NSEC3
 9683 			chain when re-signing a previously-signed zone.
 9684 			Use -u to modify NSEC3 parameters or switch
 9685 			between NSEC and NSEC3. [RT #20304]
 9686 
 9687 2690.	[bug]		win32: fix isc_thread_key_getspecific() prototype.
 9688 			[RT #20315]
 9689 
 9690 2689.	[bug]		Correctly handle snprintf result. [RT #20306]
 9691 
 9692 2688.	[bug]		Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
 9693 			to decide to fetch the destination address. [RT #20305]
 9694 
 9695 2687.	[bug]		Fixed dnssec-signzone -S handling of revoked keys.
 9696 			Also, added warnings when revoking a ZSK, as this is
 9697 			not defined by protocol (but is legal).  [RT #19943]
 9698 
 9699 2686.	[bug]		dnssec-signzone should clean the old NSEC chain when
 9700 			signing with NSEC3 and vice versa. [RT #20301]
 9701 
 9702 2685.	[contrib]	Update contrib/zkt to version 0.99c. [RT #20054]
 9703 
 9704 2684.	[cleanup]	dig: formalize +ad and +cd as synonyms for
 9705 			+adflag and +cdflag.  [RT #19305]
 9706 
 9707 2683.	[bug]		dnssec-signzone should clean out old NSEC3 chains when
 9708 			the NSEC3 parameters used to sign the zone change.
 9709 			[RT #20246]
 9710 
 9711 2682.	[bug]		"configure --enable-symtable=all" failed to
 9712 			build. [RT #20282]
 9713 
 9714 2681.	[bug]		IPSECKEY RR of gateway type 3 was not correctly
 9715 			decoded. [RT #20269]
 9716 
 9717 2680.	[func]		Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]
 9718 
 9719 2679.	[func]		dig -k can now accept TSIG keys in named.conf
 9720 			format.  [RT #20031]
 9721 
 9722 2678.	[func]		Treat DS queries as if "minimal-response yes;"
 9723 			was set. [RT #20258]
 9724 
 9725 2677.	[func]		Changes to key metadata behavior:
 9726 			- Keys without "publish" or "active" dates set will
 9727 			  no longer be used for smart signing.  However,
 9728 			  those dates will be set to "now" by default when
 9729 			  a key is created; to generate a key but not use
 9730 			  it yet, use dnssec-keygen -G.
 9731 			- New "inactive" date (dnssec-keygen/settime -I)
 9732 			  sets the time when a key is no longer used for
 9733 			  signing but is still published.
 9734 			- The "unpublished" date (-U) is deprecated in
 9735 			  favor of "deleted" (-D).
 9736 			[RT #20247]
 9737 
 9738 2676.	[bug]		--with-export-installdir should have been
 9739 			--with-export-includedir. [RT #20252]
 9740 
 9741 2675.	[bug]		dnssec-signzone could crash if the key directory
 9742 			did not exist. [RT #20232]
 9743 
 9744 	--- 9.7.0a3 released ---
 9745 
 9746 2674.	[bug]		"dnssec-lookaside auto;" crashed if named was built
 9747 			without openssl. [RT #20231]
 9748 
 9749 2673.	[bug]		The managed-keys.bind zone file could fail to
 9750 			load due to a spurious result from sync_keyzone()
 9751 			[RT #20045]
 9752 
 9753 2672.	[bug]		Don't enable searching in 'host' when doing reverse
 9754 			lookups. [RT #20218]
 9755 
 9756 2671.	[bug]		Add support for PKCS#11 providers not returning
 9757 			the public exponent in RSA private keys
 9758 			(OpenCryptoki for instance) in
 9759 			dnssec-keyfromlabel. [RT #19294]
 9760 
 9761 2670.	[bug]		Unexpected connect failures failed to log enough
 9762 			information to be useful. [RT #20205]
 9763 
 9764 2669.	[func]		Update PKCS#11 support to support Keyper HSM.
 9765 			Update PKCS#11 patch to be against openssl-0.9.8i.
 9766 
 9767 2668.	[func]		Several improvements to dnssec-* tools, including:
 9768 			- dnssec-keygen and dnssec-settime can now set key
 9769 			  metadata fields 0 (to unset a value, use "none")
 9770 			- dnssec-revoke sets the revocation date in
 9771 			  addition to the revoke bit
 9772 			- dnssec-settime can now print individual metadata
 9773 			  fields instead of always printing all of them,
 9774 			  and can print them in unix epoch time format for
 9775 			  use by scripts
 9776 			[RT #19942]
 9777 
 9778 2667.	[func]		Add support for logging stack backtrace on assertion
 9779 			failure (not available for all platforms). [RT #19780]
 9780 
 9781 2666.	[func]		Added an 'options' argument to dns_name_fromstring()
 9782 			(API change from 9.7.0a2). [RT #20196]
 9783 
 9784 2665.	[func]		Clarify syntax for managed-keys {} statement, add
 9785 			ARM documentation about RFC 5011 support. [RT #19874]
 9786 
 9787 2664.	[bug]		create_keydata() and minimal_update() in zone.c
 9788 			didn't properly check return values for some
 9789 			functions.  [RT #19956]
 9790 
 9791 2663.	[func]		win32:  allow named to run as a service using
 9792 			"NT AUTHORITY\LocalService" as the account. [RT #19977]
 9793 
 9794 2662.	[bug]		lwres_getipnodebyname() and lwres_getipnodebyaddr()
 9795 			returned a misleading error code when lwresd was
 9796 			down. [RT #20028]
 9797 
 9798 2661.	[bug]		Check whether socket fd exceeds FD_SETSIZE when
 9799 			creating lwres context. [RT #20029]
 9800 
 9801 2660.	[func]		Add a new set of DNS libraries for non-BIND9
 9802 			applications.  See README.libdns. [RT #19369]
 9803 
 9804 2659.	[doc]		Clarify dnssec-keygen doc: key name must match zone
 9805 			name for DNSSEC keys. [RT #19938]
 9806 
 9807 2658.	[bug]		dnssec-settime and dnssec-revoke didn't process
 9808 			key file paths correctly. [RT #20078]
 9809 
 9810 2657.	[cleanup]	Lower "journal file <path> does not exist, creating it"
 9811 			log level to debug 1. [RT #20058]
 9812 
 9813 2656.	[func]		win32: add a "tools only" check box to the installer
 9814 			which causes it to only install dig, host, nslookup,
 9815 			nsupdate and relevant DLLs.  [RT #19998]
 9816 
 9817 2655.	[doc]		Document that key-directory does not affect
 9818 			bind.keys, rndc.key or session.key.  [RT #20155]
 9819 
 9820 2654.	[bug]		Improve error reporting on duplicated names for
 9821 			deny-answer-xxx. [RT #20164]
 9822 
 9823 2653.	[bug]		Treat ENGINE_load_private_key() failures as key
 9824 			not found rather than out of memory.  [RT #18033]
 9825 
 9826 2652.	[func]		Provide more detail about what record is being
 9827 			deleted. [RT #20061]
 9828 
 9829 2651.	[bug]		Dates could print incorrectly in K*.key files on
 9830 			64-bit systems. [RT #20076]
 9831 
 9832 2650.	[bug]		Assertion failure in dnssec-signzone when trying
 9833 			to read keyset-* files. [RT #20075]
 9834 
 9835 2649.	[bug]		Set the domain for forward only zones. [RT #19944]
 9836 
 9837 2648.	[port]		win32: isc_time_seconds() was broken. [RT #19900]
 9838 
 9839 2647.	[bug]		Remove unnecessary SOA updates when a new KSK is
 9840 			added. [RT #19913]
 9841 
 9842 2646.	[bug]		Incorrect cleanup on error in socket.c. [RT #19987]
 9843 
 9844 2645.	[port]		"gcc -m32" didn't work on amd64 and x86_64 platforms
 9845 			which default to 64 bits. [RT #19927]
 9846 
 9847 	--- 9.7.0a2 released ---
 9848 
 9849 2644.	[bug]		Change #2628 caused a regression on some systems;
 9850 			named was unable to write the PID file and would
 9851 			fail on startup. [RT #20001]
 9852 
 9853 2643.	[bug]		Stub zones interacted badly with NSEC3 support.
 9854 			[RT #19777]
 9855 
 9856 2642.	[bug]		nsupdate could dump core on solaris when reading
 9857 			improperly formatted key files.  [RT #20015]
 9858 
 9859 2641.	[bug]		Fixed an error in parsing update-policy syntax,
 9860 			added a regression test to check it. [RT #20007]
 9861 
 9862 2640.	[security]	A specially crafted update packet will cause named
 9863 			to exit. [RT #20000]
 9864 
 9865 2639.	[bug]		Silence compiler warnings in gssapi code. [RT #19954]
 9866 
 9867 2638.	[bug]		Install arpaname. [RT #19957]
 9868 
 9869 2637.	[func]		Rationalize dnssec-signzone's signwithkey() calling.
 9870 			[RT #19959]
 9871 
 9872 2636.	[func]		Simplify zone signing and key maintenance with the
 9873 			dnssec-* tools.  Major changes:
 9874 			- all dnssec-* tools now take a -K option to
 9875 			  specify a directory in which key files will be
 9876 			  stored
 9877 			- DNSSEC can now store metadata indicating when
 9878 			  they are scheduled to be published, activated,
 9879 			  revoked or removed; these values can be set by
 9880 			  dnssec-keygen or overwritten by the new
 9881 			  dnssec-settime command
 9882 			- dnssec-signzone -S (for "smart") option reads key
 9883 			  metadata and uses it to determine automatically
 9884 			  which keys to publish to the zone, use for
 9885 			  signing, revoke, or remove from the zone
 9886 			[RT #19816]
 9887 
 9888 2635.	[bug]		isc_inet_ntop() incorrectly handled 0.0/16 addresses.
 9889 			[RT #19716]
 9890 
 9891 2634.	[port]		win32: Add support for libxml2, enable
 9892 			statschannel. [RT #19773]
 9893 
 9894 2633.	[bug]		Handle 15 bit rand() functions. [RT #19783]
 9895 
 9896 2632.	[func]		util/kit.sh: warn if documentation appears to be out of
 9897 			date.  [RT #19922]
 9898 
 9899 2631.	[bug]		Handle "//", "/./" and "/../" in mkdirpath().
 9900 			[RT #19926 ]
 9901 
 9902 2630.	[func]		Improved syntax for DDNS autoconfiguration:  use
 9903 			"update-policy local;" to switch on local DDNS in a
 9904 			zone. (The "ddns-autoconf" option has been removed.)
 9905 			[RT #19875]
 9906 
 9907 2629.	[port]		Check for seteuid()/setegid(), use setresuid()/
 9908 			setresgid() if not present. [RT #19932]
 9909 
 9910 2628.	[port]		linux: Allow /var/run/named/named.pid to be opened
 9911 			at startup with reduced capabilities in operation.
 9912 			[RT #19884]
 9913 
 9914 2627.	[bug]		Named aborted if the same key was included in
 9915 			trusted-keys more than once. [RT #19918]
 9916 
 9917 2626.	[bug]		Multiple trusted-keys could trigger an assertion
 9918 			failure. [RT #19914]
 9919 
 9920 2625.	[bug]		Missing UNLOCK in rbtdb.c. [RT #19865]
 9921 
 9922 2624.	[func]		'named-checkconf -p' will print out the parsed
 9923 			configuration. [RT #18871]
 9924 
 9925 2623.	[bug]		Named started searches for DS non-optimally. [RT #19915]
 9926 
 9927 2622.	[bug]		Printing of named.conf grammar was broken. [RT #19919]
 9928 
 9929 2621.	[doc]		Made copyright boilerplate consistent.  [RT #19833]
 9930 
 9931 2620.	[bug]		Delay thawing the zone until the reload of it has
 9932 			completed successfully.  [RT #19750]
 9933 
 9934 2619.	[func]		Add support for RFC 5011, automatic trust anchor
 9935 			maintenance.  The new "managed-keys" statement can
 9936 			be used in place of "trusted-keys" for zones which
 9937 			support this protocol.  (Note: this syntax is
 9938 			expected to change prior to 9.7.0 final.) [RT #19248]
 9939 
 9940 2618.	[bug]		The sdb and sdlz db_interator_seek() methods could
 9941 			loop infinitely. [RT #19847]
 9942 
 9943 2617.	[bug]		ifconfig.sh failed to emit an error message when
 9944 			run from the wrong location. [RT #19375]
 9945 
 9946 2616.	[bug]		'host' used the nameservers from resolv.conf even
 9947 			when a explicit nameserver was specified. [RT #19852]
 9948 
 9949 2615.	[bug]		"__attribute__((unused))" was in the wrong place
 9950 			for ia64 gcc builds. [RT #19854]
 9951 
 9952 2614.	[port]		win32: 'named -v' should automatically be executed
 9953 			in the foreground. [RT #19844]
 9954 
 9955 2613.	[placeholder]
 9956 
 9957 	--- 9.7.0a1 released ---
 9958 
 9959 2612.	[func]		Add default values for the arguments to
 9960 			dnssec-keygen.  Without arguments, it will now
 9961 			generate a 1024-bit RSASHA1 zone-signing key,
 9962 			or with the -f KSK option, a 2048-bit RSASHA1
 9963 			key-signing key. [RT #19300]
 9964 
 9965 2611.	[func]		Add -l option to dnssec-dsfromkey to generate
 9966 			DLV records instead of DS records. [RT #19300]
 9967 
 9968 2610.	[port]		sunos: Change #2363 was not complete. [RT #19796]
 9969 
 9970 2609.	[func]		Simplify the configuration of dynamic zones:
 9971 			- add ddns-confgen command to generate
 9972 			  configuration text for named.conf
 9973 			- add zone option "ddns-autoconf yes;", which
 9974 			  causes named to generate a TSIG session key
 9975 			  and allow updates to the zone using that key
 9976 			- add '-l' (localhost) option to nsupdate, which
 9977 			  causes nsupdate to connect to a locally-running
 9978 			  named process using the session key generated
 9979 			  by named
 9980 			[RT #19284]
 9981 
 9982 2608.	[func]		Perform post signing verification checks in
 9983 			dnssec-signzone.  These can be disabled with -P.
 9984 
 9985 			The post sign verification test ensures that for each
 9986 			algorithm in use there is at least one non revoked
 9987 			self signed KSK key.  That all revoked KSK keys are
 9988 			self signed.  That all records in the zone are signed
 9989 			by the algorithm.  [RT #19653]
 9990 
 9991 2607.	[bug]		named could incorrectly delete NSEC3 records for
 9992 			empty nodes when processing a update request.
 9993 			[RT #19749]
 9994 
 9995 2606.	[bug]		"delegation-only" was not being accepted in
 9996 			delegation-only type zones. [RT #19717]
 9997 
 9998 2605.	[bug]		Accept DS responses from delegation only zones.
 9999 			[RT # 19296]
10000 
10001 2604.	[func]		Add support for DNS rebinding attack prevention through
10002 			new options, deny-answer-addresses and
10003 			deny-answer-aliases.  Based on contributed code from
10004 			JD Nurmi, Google. [RT #18192]
10005 
10006 2603.	[port]		win32: handle .exe extension of named-checkzone and
10007 			named-comilezone argv[0] names under windows.
10008 			[RT #19767]
10009 
10010 2602.	[port]		win32: fix debugging command line build of libisccfg.
10011 			[RT #19767]
10012 
10013 2601.	[doc]		Mention file creation mode mask in the
10014 			named manual page.
10015 
10016 2600.	[doc]		ARM: miscellaneous reformatting for different
10017 			page widths. [RT #19574]
10018 
10019 2599.	[bug]		Address rapid memory growth when validation fails.
10020 			[RT #19654]
10021 
10022 2598.	[func]		Reserve the -F flag. [RT #19657]
10023 
10024 2597.	[bug]		Handle a validation failure with a insecure delegation
10025 			from a NSEC3 signed master/slave zone.  [RT #19464]
10026 
10027 2596.	[bug]		Stale tree nodes of cache/dynamic rbtdb could stay
10028 			long, leading to inefficient memory usage or rejecting
10029 			newer cache entries in the worst case. [RT #19563]
10030 
10031 2595.	[bug]		Fix unknown extended rcodes in dig. [RT #19625]
10032 
10033 2594.	[func]		Have rndc warn if using its default configuration
10034 			file when the key file also exists. [RT #19424]
10035 
10036 2593.	[bug]		Improve a corner source of SERVFAILs [RT #19632]
10037 
10038 2592.	[bug]		Treat "any" as a type in nsupdate. [RT #19455]
10039 
10040 2591.	[bug]		named could die when processing a update in
10041 			removed_orphaned_ds(). [RT #19507]
10042 
10043 2590.	[func]		Report zone/class of "update with no effect".
10044 			[RT #19542]
10045 
10046 2589.	[bug]		dns_db_unregister() failed to clear '*dbimp'.
10047 			[RT #19626]
10048 
10049 2588.	[bug]		SO_REUSEADDR could be set unconditionally after failure
10050 			of bind(2) call.  This should be rare and mostly
10051 			harmless, but may cause interference with other
10052 			processes that happen to use the same port. [RT #19642]
10053 
10054 2587.	[func]		Improve logging by reporting serial numbers for
10055 			when zone serial has gone backwards or unchanged.
10056 			[RT #19506]
10057 
10058 2586.	[bug]		Missing cleanup of SIG rdataset in searching a DLZ DB
10059 			or SDB. [RT #19577]
10060 
10061 2585.	[bug]		Uninitialized socket name could be referenced via a
10062 			statistics channel, triggering an assertion failure in
10063 			XML rendering. [RT #19427]
10064 
10065 2584.	[bug]		alpha: gcc optimization could break atomic operations.
10066 			[RT #19227]
10067 
10068 2583.	[port]		netbsd: provide a control to not add the compile
10069 			date to the version string, -DNO_VERSION_DATE.
10070 
10071 2582.	[bug]		Don't emit warning log message when we attempt to
10072 			remove non-existent journal. [RT #19516]
10073 
10074 2581.	[contrib]	dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
10075 			Requires MySQL 5.0.19 or later. [RT #19084]
10076 
10077 2580.	[bug]		UpdateRej statistics counter could be incremented twice
10078 			for one rejection. [RT #19476]
10079 
10080 2579.	[bug]		DNSSEC lookaside validation failed to handle unknown
10081 			algorithms. [RT #19479]
10082 
10083 2578.	[bug]		Changed default sig-signing-type to 65534, because
10084 			65535 turns out to be reserved.  [RT #19477]
10085 
10086 2577.	[doc]		Clarified some statistics counters. [RT #19454]
10087 
10088 2576.	[bug]		NSEC record were not being correctly signed when
10089 			a zone transitions from insecure to secure.
10090 			Handle such incorrectly signed zones. [RT #19114]
10091 
10092 2575.	[func]		New functions dns_name_fromstring() and
10093 			dns_name_tostring(), to simplify conversion
10094 			of a string to a dns_name structure and vice
10095 			versa. [RT #19451]
10096 
10097 2574.	[doc]		Document nsupdate -g and -o. [RT #19351]
10098 
10099 2573.	[bug]		Replacing a non-CNAME record with a CNAME record in a
10100 			single transaction in a signed zone failed. [RT #19397]
10101 
10102 2572.	[func]		Simplify DLV configuration, with a new option
10103 			"dnssec-lookaside auto;"  This is the equivalent
10104 			of "dnssec-lookaside . trust-anchor dlv.isc.org;"
10105 			plus setting a trusted-key for dlv.isc.org.
10106 
10107 			Note: The trusted key is hard-coded into named,
10108 			but is also stored in (and can be overridden
10109 			by) $sysconfdir/bind.keys.  As the ISC DLV key
10110 			rolls over it can be kept up to date by replacing
10111 			the bind.keys file with a key downloaded from
10112 			https://www.isc.org/solutions/dlv. [RT #18685]
10113 
10114 2571.	[func]		Add a new tool "arpaname" which translates IP addresses
10115 			to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
10116 			[RT #18976]
10117 
10118 2570.	[func]		Log the destination address the query was sent to.
10119 			[RT #19209]
10120 
10121 2569.	[func]		Move journalprint, nsec3hash, and genrandom
10122 			commands from bin/tests into bin/tools;
10123 			"make install" will put them in $sbindir. [RT #19301]
10124 
10125 2568.	[bug]		Report when the write to indicate a otherwise
10126 			successful start fails. [RT #19360]
10127 
10128 2567.	[bug]		dst__privstruct_writefile() could miss write errors.
10129 			write_public_key() could miss write errors.
10130 			dnssec-dsfromkey could miss write errors.
10131 			[RT #19360]
10132 
10133 2566.	[cleanup]	Clarify logged message when an insecure DNSSEC
10134 			response arrives from a zone thought to be secure:
10135 			"insecurity proof failed" instead of "not
10136 			insecure". [RT #19400]
10137 
10138 2565.	[func]		Add support for HIP record.  Includes new functions
10139 			dns_rdata_hip_first(), dns_rdata_hip_next()
10140 			and dns_rdata_hip_current().  [RT #19384]
10141 
10142 2564.	[bug]		Only take EDNS fallback steps when processing timeouts.
10143 			[RT #19405]
10144 
10145 2563.	[bug]		Dig could leak a socket causing it to wait forever
10146 			to exit. [RT #19359]
10147 
10148 2562.	[doc]		ARM: miscellaneous improvements, reorganization,
10149 			and some new content.
10150 
10151 2561.	[doc]		Add isc-config.sh(1) man page. [RT #16378]
10152 
10153 2560.	[bug]		Add #include <config.h> to iptable.c. [RT #18258]
10154 
10155 2559.	[bug]		dnssec-dsfromkey could compute bad DS records when
10156 			reading from a K* files.  [RT #19357]
10157 
10158 2558.	[func]		Set the ownership of missing directories created
10159 			for pid-file if -u has been specified on the command
10160 			line. [RT #19328]
10161 
10162 2557.	[cleanup]	PCI compliance:
10163 			* new libisc log module file
10164 			* isc_dir_chroot() now also changes the working
10165 			  directory to "/".
10166 			* additional INSISTs
10167 			* additional logging when files can't be removed.
10168 
10169 2556.	[port]		Solaris: mkdir(2) on tmpfs filesystems does not do the
10170 			error checks in the correct order resulting in the
10171 			wrong error code sometimes being returned. [RT #19249]
10172 
10173 2555.	[func]		dig: when emitting a hex dump also display the
10174 			corresponding characters. [RT #19258]
10175 
10176 2554.	[bug]		Validation of uppercase queries from NSEC3 zones could
10177 			fail. [RT #19297]
10178 
10179 2553.	[bug]		Reference leak on DNSSEC validation errors. [RT #19291]
10180 
10181 2552.	[bug]		zero-no-soa-ttl-cache was not being honored.
10182 			[RT #19340]
10183 
10184 2551.	[bug]		Potential Reference leak on return. [RT #19341]
10185 
10186 2550.	[bug]		Check --with-openssl=<path> finds <openssl/opensslv.h>.
10187 			[RT #19343]
10188 
10189 2549.	[port]		linux: define NR_OPEN if not currently defined.
10190 			[RT #19344]
10191 
10192 2548.	[bug]		Install iterated_hash.h. [RT #19335]
10193 
10194 2547.	[bug]		openssl_link.c:mem_realloc() could reference an
10195 			out-of-range area of the source buffer.  New public
10196 			function isc_mem_reallocate() was introduced to address
10197 			this bug. [RT #19313]
10198 
10199 2546.	[func]		Add --enable-openssl-hash configure flag to use
10200 			OpenSSL (in place of internal routine) for hash
10201 			functions (MD5, SHA[12] and HMAC). [RT #18815]
10202 
10203 2545.	[doc]		ARM: Legal hostname checking (check-names) is
10204 			for SRV RDATA too. [RT #19304]
10205 
10206 2544.	[cleanup]	Removed unused structure members in adb.c. [RT #19225]
10207 
10208 2543.	[contrib]	Update contrib/zkt to version 0.98. [RT #19113]
10209 
10210 2542.	[doc]		Update the description of dig +adflag. [RT #19290]
10211 
10212 2541.	[bug]		Conditionally update dispatch manager statistics.
10213 			[RT #19247]
10214 
10215 2540.	[func]		Add a nibble mode to $GENERATE. [RT #18872]
10216 
10217 2539.	[security]	Update the interaction between recursion, allow-query,
10218 			allow-query-cache and allow-recursion.  [RT #19198]
10219 
10220 2538.	[bug]		cache/ADB memory could grow over max-cache-size,
10221 			especially with threads and smaller max-cache-size
10222 			values. [RT #19240]
10223 
10224 2537.	[func]		Added more statistics counters including those on socket
10225 			I/O events and query RTT histograms. [RT #18802]
10226 
10227 2536.	[cleanup]	Silence some warnings when -Werror=format-security is
10228 			specified. [RT #19083]
10229 
10230 2535.	[bug]		dig +showsearch and +trace interacted badly. [RT #19091]
10231 
10232 2534.	[func]		Check NAPTR records regular expressions and
10233 			replacement strings to ensure they are syntactically
10234 			valid and consistent. [RT #18168]
10235 
10236 2533.	[doc]		ARM: document @ (at-sign). [RT #17144]
10237 
10238 2532.	[bug]		dig: check the question section of the response to
10239 			see if it matches the asked question. [RT #18495]
10240 
10241 2531.	[bug]		Change #2207 was incomplete. [RT #19098]
10242 
10243 2530.	[bug]		named failed to reject insecure to secure transitions
10244 			via UPDATE. [RT #19101]
10245 
10246 2529.	[cleanup]	Upgrade libtool to silence complaints from recent
10247 			version of autoconf. [RT #18657]
10248 
10249 2528.	[cleanup]	Silence spurious configure warning about
10250 			--datarootdir [RT #19096]
10251 
10252 2527.	[placeholder]
10253 
10254 2526.	[func]		New named option "attach-cache" that allows multiple
10255 			views to share a single cache to save memory and
10256 			improve lookup efficiency.  Based on contributed code
10257 			from Barclay Osborn, Google. [RT #18905]
10258 
10259 2525.	[func]		New logging category "query-errors" to provide detailed
10260 			internal information about query failures, especially
10261 			about server failures. [RT #19027]
10262 
10263 2524.	[port]		sunos: dnssec-signzone needs strtoul(). [RT #19129]
10264 
10265 2523.	[bug]		Random type rdata freed by dns_nsec_typepresent().
10266 			[RT #19112]
10267 
10268 2522.	[security]	Handle -1 from DSA_do_verify() and EVP_VerifyFinal().
10269 
10270 2521.	[bug]		Improve epoll cross compilation support. [RT #19047]
10271 
10272 2520.	[bug]		Update xml statistics version number to 2.0 as change
10273 			#2388 made the schema incompatible to the previous
10274 			version. [RT #19080]
10275 
10276 2519.	[bug]		dig/host with -4 or -6 didn't work if more than two
10277 			nameserver addresses of the excluded address family
10278 			preceded in resolv.conf. [RT #19081]
10279 
10280 2518.	[func]		Add support for the new CERT types from RFC 4398.
10281 			[RT #19077]
10282 
10283 2517.	[bug]		dig +trace with -4 or -6 failed when it chose a
10284 			nameserver address of the excluded address type.
10285 			[RT #18843]
10286 
10287 2516.	[bug]		glue sort for responses was performed even when not
10288 			needed. [RT #19039]
10289 
10290 2515.	[port]		win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
10291 			[RT #19063]
10292 
10293 2514.	[bug]		dig/host failed with -4 or -6 when resolv.conf contains
10294 			a nameserver of the excluded address family.
10295 			[RT #18848]
10296 
10297 2513.	[bug]		Fix windows cli build. [RT #19062]
10298 
10299 2512.	[func]		Print a summary of the cached records which make up
10300 			the negative response.  [RT #18885]
10301 
10302 2511.	[cleanup]	dns_rdata_tofmttext() add const to linebreak.
10303 			[RT #18885]
10304 
10305 2510.	[bug]		"dig +sigchase" could trigger REQUIRE failures.
10306 			[RT #19033]
10307 
10308 2509.	[bug]		Specifying a fixed query source port was broken.
10309 			[RT #19051]
10310 
10311 2508.	[placeholder]
10312 
10313 2507.	[func]		Log the recursion quota values when killing the
10314 			oldest query or refusing to recurse due to quota.
10315 			[RT #19022]
10316 
10317 2506.	[port]		solaris: Check at configure time if
10318 			hack_shutup_pthreadonceinit is needed. [RT #19037]
10319 
10320 2505.	[port]		Treat amd64 similarly to x86_64 when determining
10321 			atomic operation support. [RT #19031]
10322 
10323 2504.	[bug]		Address race condition in the socket code. [RT #18899]
10324 
10325 2503.	[port]		linux: improve compatibility with Linux Standard
10326 			Base. [RT #18793]
10327 
10328 2502.	[cleanup]	isc_radix: Improve compliance with coding style,
10329 			document function in <isc/radix.h>. [RT #18534]
10330 
10331 2501.	[func]		$GENERATE now supports all rdata types.  Multi-field
10332 			rdata types need to be quoted.  See the ARM for
10333 			details. [RT #18368]
10334 
10335 2500.	[contrib]	contrib/sdb/pgsql/zonetodb.c called non-existent
10336 			function. [RT #18582]
10337 
10338 2499.	[port]		solaris: lib/lwres/getaddrinfo.c namespace clash.
10339 			[RT #18837]
10340 
10341 	--- 9.6.0rc1 released ---
10342 
10343 2498.	[bug]		Removed a bogus function argument used with
10344 			ISC_SOCKET_USE_POLLWATCH: it could cause compiler
10345 			warning or crash named with the debug 1 level
10346 			of logging. [RT #18917]
10347 
10348 2497.	[bug]		Don't add RRSIG bit to NSEC3 bit map for insecure
10349 			delegation.
10350 
10351 2496.	[bug]		Add sanity length checks to NSID option. [RT #18813]
10352 
10353 2495.	[bug]		Tighten RRSIG checks. [RT #18795]
10354 
10355 2494.	[bug]		isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
10356 			installed. [RT #18826]
10357 
10358 2493.	[bug]		The linux capabilities code was not correctly cleaning
10359 			up after itself. [RT #18767]
10360 
10361 2492.	[func]		Rndc status now reports the number of cpus discovered
10362 			and the number of worker threads when running
10363 			multi-threaded. [RT #18273]
10364 
10365 2491.	[func]		Attempt to re-use a local port if we are already using
10366 			the port. [RT #18548]
10367 
10368 2490.	[port]		aix: work around a kernel bug where IPV6_RECVPKTINFO
10369 			is cleared when IPV6_V6ONLY is set. [RT #18785]
10370 
10371 2489.	[port]		solaris: Workaround Solaris's kernel bug about
10372 			/dev/poll:
10373 			http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
10374 			Define ISC_SOCKET_USE_POLLWATCH at build time to enable
10375 			this workaround. [RT #18870]
10376 
10377 2488.	[func]		Added a tool, dnssec-dsfromkey, to generate DS records
10378 			from keyset and .key files. [RT #18694]
10379 
10380 2487.	[bug]		Give TCP connections longer to complete. [RT #18675]
10381 
10382 2486.	[func]		The default locations for named.pid and lwresd.pid
10383 			are now /var/run/named/named.pid and
10384 			/var/run/lwresd/lwresd.pid respectively.
10385 
10386 			This allows the owner of the containing directory
10387 			to be set, for "named -u" support, and allows there
10388 			to be a permanent symbolic link in the path, for
10389 			"named -t" support.  [RT #18306]
10390 
10391 2485.	[bug]		Change update's the handling of obscured RRSIG
10392 			records.  Not all orphaned DS records were being
10393 			removed. [RT #18828]
10394 
10395 2484.	[bug]		It was possible to trigger a REQUIRE failure when
10396 			adding NSEC3 proofs to the response in
10397 			query_addwildcardproof().  [RT #18828]
10398 
10399 2483.	[port]		win32: chroot() is not supported. [RT #18805]
10400 
10401 2482.	[port]		libxml2: support versions 2.7.* in addition
10402 			to 2.6.*. [RT #18806]
10403 
10404 	--- 9.6.0b1 released ---
10405 
10406 2481.	[bug]		rbtdb.c:matchparams() failed to handle NSEC3 chain
10407 			collisions.  [RT #18812]
10408 
10409 2480.	[bug]		named could fail to emit all the required NSEC3
10410 			records.  [RT #18812]
10411 
10412 2479.	[bug]		xfrout:covers was not properly initialized. [RT #18801]
10413 
10414 2478.	[bug]		'addresses' could be used uninitialized in
10415 			configure_forward(). [RT #18800]
10416 
10417 2477.	[bug]		dig: the global option to print the command line is
10418 			+cmd not print_cmd.  Update the output to reflect
10419 			this. [RT #17008]
10420 
10421 2476.	[doc]		ARM: improve documentation for max-journal-size and
10422 			ixfr-from-differences. [RT #15909] [RT #18541]
10423 
10424 2475.	[bug]		LRU cache cleanup under overmem condition could purge
10425 			particular entries more aggressively. [RT #17628]
10426 
10427 2474.	[bug]		ACL structures could be allocated with insufficient
10428 			space, causing an array overrun. [RT #18765]
10429 
10430 2473.	[port]		linux: raise the limit on open files to the possible
10431 			maximum value before spawning threads; 'files'
10432 			specified in named.conf doesn't seem to work with
10433 			threads as expected. [RT #18784]
10434 
10435 2472.	[port]		linux: check the number of available cpu's before
10436 			calling chroot as it depends on "/proc". [RT #16923]
10437 
10438 2471.	[bug]		named-checkzone was not reporting missing mandatory
10439 			glue when sibling checks were disabled. [RT #18768]
10440 
10441 2470.	[bug]		Elements of the isc_radix_node_t could be incorrectly
10442 			overwritten.  [RT #18719]
10443 
10444 2469.	[port]		solaris: Work around Solaris's select() limitations.
10445 			[RT #18769]
10446 
10447 2468.	[bug]		Resolver could try unreachable servers multiple times.
10448 			[RT #18739]
10449 
10450 2467.	[bug]		Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]
10451 
10452 2466.	[doc]		ARM: explain max-cache-ttl 0 SERVFAIL issue.
10453 			[RT #18302]
10454 
10455 2465.	[bug]		Adb's handling of lame addresses was different
10456 			for IPv4 and IPv6. [RT #18738]
10457 
10458 2464.	[port]		linux: check that a capability is present before
10459 			trying to set it. [RT #18135]
10460 
10461 2463.	[port]		linux: POSIX doesn't include the IPv6 Advanced Socket
10462 			API and glibc hides parts of the IPv6 Advanced Socket
10463 			API as a result.  This is stupid as it breaks how the
10464 			two halves (Basic and Advanced) of the IPv6 Socket API
10465 			were designed to be used but we have to live with it.
10466 			Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
10467 			API. [RT #18388]
10468 
10469 2462.	[doc]		Document -m (enable memory usage debugging)
10470 			option for dig. [RT #18757]
10471 
10472 2461.	[port]		sunos: Change #2363 was not complete. [RT #17513]
10473 
10474 	--- 9.6.0a1 released ---
10475 
10476 2460.	[bug]		Don't call dns_db_getnsec3parameters() on the cache.
10477 			[RT #18697]
10478 
10479 2459.	[contrib]	Import dnssec-zkt to contrib/zkt. [RT #18448]
10480 
10481 2458.	[doc]		ARM: update and correction for max-cache-size.
10482 			[RT #18294]
10483 
10484 2457.	[tuning]	max-cache-size is reverted to 0, the previous
10485 			default.  It should be safe because expired cache
10486 			entries are also purged. [RT #18684]
10487 
10488 2456.	[bug]		In ACLs, ::/0 and 0.0.0.0/0 would both match any
10489 			address, regardless of family.  They now correctly
10490 			distinguish IPv4 from IPv6.  [RT #18559]
10491 
10492 2455.	[bug]		Stop metadata being transferred via axfr/ixfr.
10493 			[RT #18639]
10494 
10495 2454.	[func]		nsupdate: you can now set a default ttl. [RT #18317]
10496 
10497 2453.	[bug]		Remove NULL pointer dereference in dns_journal_print().
10498 			[RT #18316]
10499 
10500 2452.	[func]		Improve bin/test/journalprint. [RT #18316]
10501 
10502 2451.	[port]		solaris: handle runtime linking better. [RT #18356]
10503 
10504 2450.	[doc]		Fix lwresd docbook problem for manual page.
10505 			[RT #18672]
10506 
10507 2449.	[placeholder]
10508 
10509 2448.	[func]		Add NSEC3 support. [RT #15452]
10510 
10511 2447.	[cleanup]	libbind has been split out as a separate product.
10512 
10513 2446.	[func]		Add a new log message about build options on startup.
10514 			A new command-line option '-V' for named is also
10515 			provided to show this information. [RT #18645]
10516 
10517 2445.	[doc]		ARM out-of-date on empty reverse zones (list includes
10518 			RFC1918 address, but these are not yet compiled in).
10519 			[RT #18578]
10520 
10521 2444.	[port]		Linux, FreeBSD, AIX: Turn off path mtu discovery
10522 			(clear DF) for UDP responses and requests.
10523 
10524 2443.	[bug]		win32: UDP connect() would not generate an event,
10525 			and so connected UDP sockets would never clean up.
10526 			Fix this by doing an immediate WSAConnect() rather
10527 			than an io completion port type for UDP.
10528 
10529 2442.	[bug]		A lock could be destroyed twice. [RT #18626]
10530 
10531 2441.	[bug]		isc_radix_insert() could copy radix tree nodes
10532 			incompletely. [RT #18573]
10533 
10534 2440.	[bug]		named-checkconf used an incorrect test to determine
10535 			if an ACL was set to none.
10536 
10537 2439.	[bug]		Potential NULL dereference in dns_acl_isanyornone().
10538 			[RT #18559]
10539 
10540 2438.	[bug]		Timeouts could be logged incorrectly under win32.
10541 
10542 2437.	[bug]		Sockets could be closed too early, leading to
10543 			inconsistent states in the socket module. [RT #18298]
10544 
10545 2436.	[security]	win32: UDP client handler can be shutdown. [RT #18576]
10546 
10547 2435.	[bug]		Fixed an ACL memory leak affecting win32.
10548 
10549 2434.	[bug]		Fixed a minor error-reporting bug in
10550 			lib/isc/win32/socket.c.
10551 
10552 2433.	[tuning]	Set initial timeout to 800ms.
10553 
10554 2432.	[bug]		More Windows socket handling improvements.  Stop
10555 			using I/O events and use IO Completion Ports
10556 			throughout.  Rewrite the receive path logic to make
10557 			it easier to support multiple simultaneous
10558 			requesters in the future.  Add stricter consistency
10559 			checking as a compile-time option (define
10560 			ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).
10561 
10562 2431.	[bug]		Acl processing could leak memory. [RT #18323]
10563 
10564 2430.	[bug]		win32: isc_interval_set() could round down to
10565 			zero if the input was less than NS_INTERVAL
10566 			nanoseconds.  Round up instead. [RT #18549]
10567 
10568 2429.	[doc]		nsupdate should be in section 1 of the man pages.
10569 			[RT #18283]
10570 
10571 2428.	[bug]		dns_iptable_merge() mishandled merges of negative
10572 			tables. [RT #18409]
10573 
10574 2427.	[func]		Treat DNSKEY queries as if "minimal-response yes;"
10575 			was set. [RT #18528]
10576 
10577 2426.	[bug]		libbind: inet_net_pton() can sometimes return the
10578 			wrong value if excessively large net masks are
10579 			supplied. [RT #18512]
10580 
10581 2425.	[bug]		named didn't detect unavailable query source addresses
10582 			at load time. [RT #18536]
10583 
10584 2424.	[port]		configure now probes for a working epoll
10585 			implementation.  Allow the use of kqueue,
10586 			epoll and /dev/poll to be selected at compile
10587 			time. [RT #18277]
10588 
10589 2423.	[security]	Randomize server selection on queries, so as to
10590 			make forgery a little more difficult.  Instead of
10591 			always preferring the server with the lowest RTT,
10592 			pick a server with RTT within the same 128
10593 			millisecond band.  [RT #18441]
10594 
10595 2422.	[bug]		Handle the special return value of a empty node as
10596 			if it was a NXRRSET in the validator. [RT #18447]
10597 
10598 2421.	[func]		Add new command line option '-S' for named to specify
10599 			the max number of sockets. [RT #18493]
10600 			Use caution: this option may not work for some
10601 			operating systems without rebuilding named.
10602 
10603 2420.	[bug]		Windows socket handling cleanup.  Let the io
10604 			completion event send out canceled read/write
10605 			done events, which keeps us from writing to memory
10606 			we no longer have ownership of.  Add debugging
10607 			socket_log() function.  Rework TCP socket handling
10608 			to not leak sockets.
10609 
10610 2419.	[cleanup]	Document that isc_socket_create() and isc_socket_open()
10611 			should not be used for isc_sockettype_fdwatch sockets.
10612 			[RT #18521]
10613 
10614 2418.	[bug]		AXFR request on a DLZ could trigger a REQUIRE failure
10615 			[RT #18430]
10616 
10617 2417.	[bug]		Connecting UDP sockets for outgoing queries could
10618 			unexpectedly fail with an 'address already in use'
10619 			error. [RT #18411]
10620 
10621 2416.	[func]		Log file descriptors that cause exceeding the
10622 			internal maximum. [RT #18460]
10623 
10624 2415.	[bug]		'rndc dumpdb' could trigger various assertion failures
10625 			in rbtdb.c. [RT #18455]
10626 
10627 2414.	[bug]		A masterdump context held the database lock too long,
10628 			causing various troubles such as dead lock and
10629 			recursive lock acquisition. [RT #18311, #18456]
10630 
10631 2413.	[bug]		Fixed an unreachable code path in socket.c. [RT #18442]
10632 
10633 2412.	[bug]		win32: address a resource leak. [RT #18374]
10634 
10635 2411.	[bug]		Allow using a larger number of sockets than FD_SETSIZE
10636 			for select().  To enable this, set ISC_SOCKET_MAXSOCKETS
10637 			at compilation time.  [RT #18433]
10638 
10639 			Note: with changes #2469 and #2421 above, there is no
10640 			need to tweak ISC_SOCKET_MAXSOCKETS at compilation time
10641 			any more.
10642 
10643 2410.	[bug]		Correctly delete m_versionInfo. [RT #18432]
10644 
10645 2409.	[bug]		Only log that we disabled EDNS processing if we were
10646 			subsequently successful.  [RT #18029]
10647 
10648 2408.	[bug]		A duplicate TCP dispatch event could be sent, which
10649 			could then trigger an assertion failure in
10650 			resquery_response().  [RT #18275]
10651 
10652 2407.	[port]		hpux: test for sys/dyntune.h. [RT #18421]
10653 
10654 2406.	[placeholder]
10655 
10656 2405.	[cleanup]	The default value for dnssec-validation was changed to
10657 			"yes" in 9.5.0-P1 and all subsequent releases; this
10658 			was inadvertently omitted from CHANGES at the time.
10659 
10660 2404.	[port]		hpux: files unlimited support.
10661 
10662 2403.	[bug]		TSIG context leak. [RT #18341]
10663 
10664 2402.	[port]		Support Solaris 2.11 and over. [RT #18362]
10665 
10666 2401.	[bug]		Expect to get E[MN]FILE errno internal_accept()
10667 			(from accept() or fcntl() system calls). [RT #18358]
10668 
10669 2400.	[bug]		Log if kqueue()/epoll_create()/open(/dev/poll) fails.
10670 			[RT #18297]
10671 
10672 2399.	[placeholder]
10673 
10674 2398.	[bug]		Improve file descriptor management.  New,
10675 			temporary, named.conf option reserved-sockets,
10676 			default 512. [RT #18344]
10677 
10678 2397.	[bug]		gssapi_functions had too many elements. [RT #18355]
10679 
10680 2396.	[bug]		Don't set SO_REUSEADDR for randomized ports.
10681 			[RT #18336]
10682 
10683 2395.	[port]		Avoid warning and no effect from "files unlimited"
10684 			on Linux when running as root. [RT #18335]
10685 
10686 2394.	[bug]		Default configuration options set the limit for
10687 			open files to 'unlimited' as described in the
10688 			documentation. [RT #18331]
10689 
10690 2393.	[bug]		nested acls containing keys could trigger an
10691 			assertion in acl.c. [RT #18166]
10692 
10693 2392.	[bug]		remove 'grep -q' from acl test script, some platforms
10694 			don't support it. [RT #18253]
10695 
10696 2391.	[port]		hpux: cover additional recvmsg() error codes.
10697 			[RT #18301]
10698 
10699 2390.	[bug]		dispatch.c could make a false warning on 'odd socket'.
10700 			[RT #18301].
10701 
10702 2389.	[bug]		Move the "working directory writable" check to after
10703 			the ns_os_changeuser() call. [RT #18326]
10704 
10705 2388.	[bug]		Avoid using tables for layout purposes in
10706 			statistics XSL [RT #18159].
10707 
10708 2387.	[bug]		Silence compiler warnings in lib/isc/radix.c.
10709 			[RT #18147] [RT #18258]
10710 
10711 2386.	[func]		Add warning about too small 'open files' limit.
10712 			[RT #18269]
10713 
10714 2385.	[bug]		A condition variable in socket.c could leak in
10715 			rare error handling [RT #17968].
10716 
10717 2384.	[security]	Fully randomize UDP query ports to improve
10718 			forgery resilience. [RT #17949, #18098]
10719 
10720 2383.	[bug]		named could double queries when they resulted in
10721 			SERVFAIL due to overkilling EDNS0 failure detection.
10722 			[RT #18182]
10723 
10724 2382.	[doc]		Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
10725 			to ARM.
10726 
10727 2381.	[port]		dlz/mysql: support multiple install layouts for
10728 			mysql.  <prefix>/include/{,mysql/}mysql.h and
10729 			<prefix>/lib/{,mysql/}. [RT #18152]
10730 
10731 2380.	[bug]		dns_view_find() was not returning NXDOMAIN/NXRRSET
10732 			proofs which, in turn, caused validation failures
10733 			for insecure zones immediately below a secure zone
10734 			the server was authoritative for. [RT #18112]
10735 
10736 2379.	[contrib]	queryperf/gen-data-queryperf.py: removed redundant
10737 			TLDs and supported RRs with TTLs [RT #17972]
10738 
10739 2378.	[bug]		gssapi_functions{} had a redundant member in BIND 9.5.
10740 			[RT #18169]
10741 
10742 2377.	[bug]		Address race condition in dnssec-signzone. [RT #18142]
10743 
10744 2376.	[bug]		Change #2144 was not complete.
10745 
10746 2375.	[placeholder]
10747 
10748 2374.	[bug]		"blackhole" ACLs could cause named to segfault due
10749 			to some uninitialized memory. [RT #18095]
10750 
10751 2373.	[bug]		Default values of zone ACLs were re-parsed each time a
10752 			new zone was configured, causing an overconsumption
10753 			of memory. [RT #18092]
10754 
10755 2372.	[bug]		Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]
10756 
10757 2371.	[doc]		Add +nsid option to dig man page. [RT #18039]
10758 
10759 2370.	[bug]		"rndc freeze" could trigger an assertion in named
10760 			when called on a nonexistent zone. [RT #18050]
10761 
10762 2369.	[bug]		libbind: Array bounds overrun on read in bitncmp().
10763 			[RT #18054]
10764 
10765 2368.	[port]		Linux: use libcap for capability management if
10766 			possible. [RT #18026]
10767 
10768 2367.	[bug]		Improve counting of dns_resstatscounter_retry
10769 			[RT #18030]
10770 
10771 2366.	[bug]		Adb shutdown race. [RT #18021]
10772 
10773 2365.	[bug]		Fix a bug that caused dns_acl_isany() to return
10774 			spurious results. [RT #18000]
10775 
10776 2364.	[bug]		named could trigger a assertion when serving a
10777 			malformed signed zone. [RT #17828]
10778 
10779 2363.	[port]		sunos: pre-set "lt_cv_sys_max_cmd_len=4096;".
10780 			[RT #17513]
10781 
10782 2362.	[cleanup]	Make "rrset-order fixed" a compile-time option.
10783 			settable by "./configure --enable-fixed-rrset".
10784 			Disabled by default. [RT #17977]
10785 
10786 2361.	[bug]		"recursion" statistics counter could be counted
10787 			multiple times for a single query.  [RT #17990]
10788 
10789 2360.	[bug]		Fix a condition where we release a database version
10790 			(which may acquire a lock) while holding the lock.
10791 
10792 2359.	[bug]		Fix NSID bug. [RT #17942]
10793 
10794 2358.	[doc]		Update host's default query description. [RT #17934]
10795 
10796 2357.	[port]		Don't use OpenSSL's engine support in versions before
10797 			OpenSSL 0.9.7f. [RT #17922]
10798 
10799 2356.	[bug]		Built in mutex profiler was not scalable enough.
10800 			[RT #17436]
10801 
10802 2355.	[func]		Extend the number statistics counters available.
10803 			[RT #17590]
10804 
10805 2354.	[bug]		Failed to initialize some rdatasetheader_t elements.
10806 			[RT #17927]
10807 
10808 2353.	[func]		Add support for Name Server ID (RFC 5001).
10809 			'dig +nsid' requests NSID from server.
10810 			'request-nsid yes;' causes recursive server to send
10811 			NSID requests to upstream servers.  Server responds
10812 			to NSID requests with the string configured by
10813 			'server-id' option.  [RT #17091]
10814 
10815 2352.	[bug]		Various GSS_API fixups. [RT #17729]
10816 
10817 2351.	[bug]		convertxsl.pl generated very long lines. [RT #17906]
10818 
10819 2350.	[port]		win32: IPv6 support. [RT #17797]
10820 
10821 2349.	[func]		Provide incremental re-signing support for secure
10822 			dynamic zones. [RT #1091]
10823 
10824 2348.	[func]		Use the EVP interface to OpenSSL. Add PKCS#11 support.
10825 			Documentation is in the new README.pkcs11 file.
10826 			New tool, dnssec-keyfromlabel, which takes the
10827 			label of a key pair in a HSM and constructs a DNS
10828 			key pair for use by named and dnssec-signzone.
10829 			[RT #16844]
10830 
10831 2347.	[bug]		Delete now traverses the RB tree in the canonical
10832 			order. [RT #17451]
10833 
10834 2346.	[func]		Memory statistics now cover all active memory contexts
10835 			in increased detail. [RT #17580]
10836 
10837 2345.	[bug]		named-checkconf failed to detect when forwarders
10838 			were set at both the options/view level and in
10839 			a root zone. [RT #17671]
10840 
10841 2344.	[bug]		Improve "logging{ file ...; };" documentation.
10842 			[RT #17888]
10843 
10844 2343.	[bug]		(Seemingly) duplicate IPv6 entries could be
10845 			created in ADB. [RT #17837]
10846 
10847 2342.	[func]		Use getifaddrs() if available under Linux. [RT #17224]
10848 
10849 2341.	[bug]		libbind: add missing -I../include for off source
10850 			tree builds. [RT #17606]
10851 
10852 2340.	[port]		openbsd: interface configuration. [RT #17700]
10853 
10854 2339.	[port]		tru64: support for libbind. [RT #17589]
10855 
10856 2338.	[bug]		check_ds() could be called with a non DS rdataset.
10857 			[RT #17598]
10858 
10859 2337.	[bug]		BUILD_LDFLAGS was not being correctly set.  [RT #17614]
10860 
10861 2336.	[func]		If "named -6" is specified then listen on all IPv6
10862 			interfaces if there are not listen-on-v6 clauses in
10863 			named.conf.  [RT #17581]
10864 
10865 2335.	[port]		sunos:  libbind and *printf() support for long long.
10866 			[RT #17513]
10867 
10868 2334.	[bug]		Bad REQUIRES in fromstruct_in_naptr(),  off by one
10869 			bug in fromstruct_txt(). [RT #17609]
10870 
10871 2333.	[bug]		Fix off by one error in isc_time_nowplusinterval().
10872 			[RT #17608]
10873 
10874 2332.	[contrib]	query-loc-0.4.0. [RT #17602]
10875 
10876 2331.	[bug]		Failure to regenerate any signatures was not being
10877 			reported nor being past back to the UPDATE client.
10878 			[RT #17570]
10879 
10880 2330.	[bug]		Remove potential race condition when handling
10881 			over memory events. [RT #17572]
10882 
10883 			WARNING: API CHANGE: over memory callback
10884 			function now needs to call isc_mem_waterack().
10885 			See <isc/mem.h> for details.
10886 
10887 2329.	[bug]		Clearer help text for dig's '-x' and '-i' options.
10888 
10889 2328.	[maint]		Add AAAA addresses for A.ROOT-SERVERS.NET,
10890 			F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET,
10891 			J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
10892 			M.ROOT-SERVERS.NET.
10893 
10894 2327.	[bug]		It was possible to dereference a NULL pointer in
10895 			rbtdb.c.  Implement dead node processing in zones as
10896 			we do for caches. [RT #17312]
10897 
10898 2326.	[bug]		It was possible to trigger a INSIST in the acache
10899 			processing.
10900 
10901 2325.	[port]		Linux: use capset() function if available. [RT #17557]
10902 
10903 2324.	[bug]		Fix IPv6 matching against "any;". [RT #17533]
10904 
10905 2323.	[port]		tru64: namespace clash. [RT #17547]
10906 
10907 2322.	[port]		MacOS: work around the limitation of setrlimit()
10908 			for RLIMIT_NOFILE. [RT #17526]
10909 
10910 2321.	[placeholder]
10911 
10912 2320.	[func]		Make statistics counters thread-safe for platforms
10913 			that support certain atomic operations. [RT #17466]
10914 
10915 2319.	[bug]		Silence Coverity warnings in
10916 			lib/dns/rdata/in_1/apl_42.c. [RT #17469]
10917 
10918 2318.	[port]		sunos fixes for libbind.  [RT #17514]
10919 
10920 2317.	[bug]		"make distclean" removed bind9.xsl.h. [RT #17518]
10921 
10922 2316.	[port]		Missing #include <isc/print.h> in lib/dns/gssapictx.c.
10923 			[RT #17513]
10924 
10925 2315.	[bug]		Used incorrect address family for mapped IPv4
10926 			addresses in acl.c. [RT #17519]
10927 
10928 2314.	[bug]		Uninitialized memory use on error path in
10929 			bin/named/lwdnoop.c.  [RT #17476]
10930 
10931 2313.	[cleanup]	Silence Coverity warnings. Handle private stacks.
10932 			[RT #17447] [RT #17478]
10933 
10934 2312.	[cleanup]	Silence Coverity warning in lib/isc/unix/socket.c.
10935 			[RT #17458]
10936 
10937 2311.	[bug]		IPv6 addresses could match IPv4 ACL entries and
10938 			vice versa. [RT #17462]
10939 
10940 2310.	[bug]		dig, host, nslookup: flush stdout before emitting
10941 			debug/fatal messages.  [RT #17501]
10942 
10943 2309.	[cleanup]	Fix Coverity warnings in lib/dns/acl.c and iptable.c.
10944 			[RT #17455]
10945 
10946 2308.	[cleanup]	Silence Coverity warning in bin/named/controlconf.c.
10947 			[RT #17495]
10948 
10949 2307.	[bug]		Remove infinite loop from lib/dns/sdb.c. [RT #17496]
10950 
10951 2306.	[bug]		Remove potential race from lib/dns/resolver.c.
10952 			[RT #17470]
10953 
10954 2305.	[security]	inet_network() buffer overflow. CVE-2008-0122.
10955 
10956 2304.	[bug]		Check returns from all dns_rdata_tostruct() calls.
10957 			[RT #17460]
10958 
10959 2303.	[bug]		Remove unnecessary code from bin/named/lwdgnba.c.
10960 			[RT #17471]
10961 
10962 2302.	[bug]		Fix memset() calls in lib/tests/t_api.c. [RT #17472]
10963 
10964 2301.	[bug]		Remove resource leak and fix error messages in
10965 			bin/tests/system/lwresd/lwtest.c. [RT #17474]
10966 
10967 2300.	[bug]		Fixed failure to close open file in
10968 			bin/tests/names/t_names.c. [RT #17473]
10969 
10970 2299.	[bug]		Remove unnecessary NULL check in
10971 			bin/nsupdate/nsupdate.c. [RT #17475]
10972 
10973 2298.	[bug]		isc_mutex_lock() failure not caught in
10974 			bin/tests/timers/t_timers.c. [RT #17468]
10975 
10976 2297.	[bug]		isc_entropy_createfilesource() failure not caught in
10977 			bin/tests/dst/t_dst.c. [RT #17467]
10978 
10979 2296.	[port]		Allow docbook stylesheet location to be specified to
10980 			configure. [RT #17457]
10981 
10982 2295.	[bug]		Silence static overrun error in bin/named/lwaddr.c.
10983 			[RT #17459]
10984 
10985 2294.	[func]		Allow the experimental statistics channels to have
10986 			multiple connections and ACL.
10987 			Note: the stats-server and stats-server-v6 options
10988 			available in the previous beta releases are replaced
10989 			with the generic statistics-channels statement.
10990 
10991 2293.	[func]		Add ACL regression test. [RT #17375]
10992 
10993 2292.	[bug]		Log if the working directory is not writable.
10994 			[RT #17312]
10995 
10996 2291.	[bug]		PR_SET_DUMPABLE may be set too late.  Also report
10997 			failure to set PR_SET_DUMPABLE. [RT #17312]
10998 
10999 2290.	[bug]		Let AD in the query signal that the client wants AD
11000 			set in the response. [RT #17301]
11001 
11002 2289.	[func]		named-checkzone now reports the out-of-zone CNAME
11003 			found. [RT #17309]
11004 
11005 2288.	[port]		win32: mark service as running when we have finished
11006 			loading.  [RT #17441]
11007 
11008 2287.	[bug]		Use 'volatile' if the compiler supports it. [RT #17413]
11009 
11010 2286.	[func]		Allow a TCP connection to be used as a weak
11011 			authentication method for reverse zones.
11012 			New update-policy methods tcp-self and 6to4-self.
11013 			[RT #17378]
11014 
11015 2285.	[func]		Test framework for client memory context management.
11016 			[RT #17377]
11017 
11018 2284.	[bug]		Memory leak in UPDATE prerequisite processing.
11019 			[RT #17377]
11020 
11021 2283.	[bug]		TSIG keys were not attaching to the memory
11022 			context.  TSIG keys should use the rings
11023 			memory context rather than the clients memory
11024 			context. [RT #17377]
11025 
11026 2282.	[bug]		Acl code fixups. [RT #17346] [RT #17374]
11027 
11028 2281.	[bug]		Attempts to use undefined acls were not being logged.
11029 			[RT #17307]
11030 
11031 2280.	[func]		Allow the experimental http server to be reached
11032 			over IPv6 as well as IPv4. [RT #17332]
11033 
11034 2279.	[bug]		Use setsockopt(SO_NOSIGPIPE), when available,
11035 			to protect applications from receiving spurious
11036 			SIGPIPE signals when using the resolver.
11037 
11038 2278.	[bug]		win32: handle the case where Windows returns no
11039 			search list or DNS suffix. [RT #17354]
11040 
11041 2277.	[bug]		Empty zone names were not correctly being caught at
11042 			in the post parse checks. [RT #17357]
11043 
11044 2276.	[bug]		Install <dst/gssapi.h>.  [RT #17359]
11045 
11046 2275.	[func]		Add support to dig to perform IXFR queries over UDP.
11047 			[RT #17235]
11048 
11049 2274.	[func]		Log zone transfer statistics. [RT #17336]
11050 
11051 2273.	[bug]		Adjust log level to WARNING when saving inconsistent
11052 			stub/slave master and journal files. [RT #17279]
11053 
11054 2272.	[bug]		Handle illegal dnssec-lookaside trust-anchor names.
11055 			[RT #17262]
11056 
11057 2271.	[bug]		Fix a memory leak in http server code [RT #17100]
11058 
11059 2270.	[bug]		dns_db_closeversion() version->writer could be reset
11060 			before it is tested. [RT #17290]
11061 
11062 2269.	[contrib]	dbus memory leaks and missing va_end calls. [RT #17232]
11063 
11064 2268.	[bug]		0.IN-ADDR.ARPA was missing from the empty zones
11065 			list.
11066 
11067 	--- 9.5.0b1 released ---
11068 
11069 2267.	[bug]		Radix tree node_num value could be set incorrectly,
11070 			causing positive ACL matches to look like negative
11071 			ones.  [RT #17311]
11072 
11073 2266.	[bug]		client.c:get_clientmctx() returned the same mctx
11074 			once the pool of mctx's was filled. [RT #17218]
11075 
11076 2265.	[bug]		Test that the memory context's basic_table is non NULL
11077 			before freeing.  [RT #17265]
11078 
11079 2264.	[bug]		Server prefix length was being ignored. [RT #17308]
11080 
11081 2263.	[bug]		"named-checkconf -z" failed to set default value
11082 			for "check-integrity".  [RT #17306]
11083 
11084 2262.	[bug]		Error status from all but the last view could be
11085 			lost. [RT #17292]
11086 
11087 2261.	[bug]		Fix memory leak with "any" and "none" ACLs [RT #17272]
11088 
11089 2260.	[bug]		Reported wrong clients-per-query when increasing the
11090 			value. [RT #17236]
11091 
11092 2259.	[placeholder]
11093 
11094 	--- 9.5.0a7 released ---
11095 
11096 2258.	[bug]		Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken.
11097 			[RT #17241]
11098 
11099 2257.	[bug]		win32: Use the full path to vcredist_x86.exe when
11100 			calling it. [RT #17222]
11101 
11102 2256.	[bug]		win32: Correctly register the installation location of
11103 			bindevt.dll. [RT #17159]
11104 
11105 2255.	[maint]		L.ROOT-SERVERS.NET is now 199.7.83.42.
11106 
11107 2254.	[bug]		timer.c:dispatch() failed to lock timer->lock
11108 			when reading timer->idle allowing it to see
11109 			intermediate values as timer->idle was reset by
11110 			isc_timer_touch(). [RT #17243]
11111 
11112 2253.	[func]		"max-cache-size" defaults to 32M.
11113 			"max-acache-size" defaults to 16M.
11114 
11115 2252.	[bug]		Fixed errors in sortlist code [RT #17216]
11116 
11117 2251.	[placeholder]
11118 
11119 2250.	[func]		New flag 'memstatistics' to state whether the
11120 			memory statistics file should be written or not.
11121 			Additionally named's -m option will cause the
11122 			statistics file to be written. [RT #17113]
11123 
11124 2249.	[bug]		Only set Authentic Data bit if client requested
11125 			DNSSEC, per RFC 3655 [RT #17175]
11126 
11127 2248.	[cleanup]	Fix several errors reported by Coverity. [RT #17160]
11128 
11129 2247.	[doc]		Sort doc/misc/options. [RT #17067]
11130 
11131 2246.	[bug]		Make the startup of test servers (ans.pl) more
11132 			robust. [RT #17147]
11133 
11134 2245.	[bug]		Validating lack of DS records at trust anchors wasn't
11135 			working. [RT #17151]
11136 
11137 2244.	[func]		Allow the check of nameserver names against the
11138 			SOA MNAME field to be disabled by specifying
11139 			'notify-to-soa yes;'.  [RT #17073]
11140 
11141 2243.	[func]		Configuration files without a newline at the end now
11142 			parse without error. [RT #17120]
11143 
11144 2242.	[bug]		nsupdate: GSS-TSIG support using the Heimdal Kerberos
11145 			library could require a source of random data.
11146 			[RT #17127]
11147 
11148 2241.	[func]		nsupdate: add a interactive 'help' command. [RT #17099]
11149 
11150 2240.	[bug]		Cleanup nsupdates GSS-TSIG support.  Convert
11151 			a number of INSIST()s into plain fatal() errors
11152 			which report the triggering result code.
11153 			The 'key' command wasn't disabling GSS-TSIG.
11154 			[RT #17099]
11155 
11156 2239.	[func]		Ship a pre built bin/named/bind9.xsl.h. [RT #17114]
11157 
11158 2238.	[bug]		It was possible to trigger a REQUIRE when a
11159 			validation was canceled. [RT #17106]
11160 
11161 2237.	[bug]		libbind: res_init() was not thread aware. [RT #17123]
11162 
11163 2236.	[bug]		dnssec-signzone failed to preserve the case of
11164 			of wildcard owner names. [RT #17085]
11165 
11166 2235.	[bug]		<isc/atomic.h> was not being installed. [RT #17135]
11167 
11168 2234.	[port]		Correct some compiler warnings on SCO OSr5 [RT #17134]
11169 
11170 2233.	[func]		Add support for O(1) ACL processing, based on
11171 			radix tree code originally written by Kevin
11172 			Brintnall. [RT #16288]
11173 
11174 2232.	[bug]		dns_adb_findaddrinfo() could fail and return
11175 			ISC_R_SUCCESS. [RT #17137]
11176 
11177 2231.	[bug]		Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken.
11178 			[RT #17088]
11179 
11180 2230.	[bug]		We could INSIST reading a corrupted journal.
11181 			[RT #17132]
11182 
11183 2229.	[bug]		Null pointer dereference on query pool creation
11184 			failure. [RT #17133]
11185 
11186 2228.	[contrib]	contrib: Change 2188 was incomplete.
11187 
11188 2227.	[cleanup]	Tidied up the FAQ. [RT #17121]
11189 
11190 2226.	[placeholder]
11191 
11192 2225.	[bug]		More support for systems with no IPv4 addresses.
11193 			[RT #17111]
11194 
11195 2224.	[bug]		Defer journal compaction if a xfrin is in progress.
11196 			[RT #17119]
11197 
11198 2223.	[bug]		Make a new journal when compacting. [RT #17119]
11199 
11200 2222.	[func]		named-checkconf now checks server key references.
11201 			[RT #17097]
11202 
11203 2221.	[bug]		Set the event result code to reflect the actual
11204 			record turned to caller when a cache update is
11205 			rejected due to a more credible answer existing.
11206 			[RT #17017]
11207 
11208 2220.	[bug]		win32: Address a race condition in final shutdown of
11209 			the Windows socket code. [RT #17028]
11210 
11211 2219.	[bug]		Apply zone consistency checks to additions, not
11212 			removals, when updating. [RT #17049]
11213 
11214 2218.	[bug]		Remove unnecessary REQUIRE from dns_validator_create().
11215 			[RT #16976]
11216 
11217 2217.	[func]		Adjust update log levels. [RT #17092]
11218 
11219 2216.	[cleanup]	Fix a number of errors reported by Coverity.
11220 			[RT #17094]
11221 
11222 2215.	[bug]		Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094]
11223 
11224 2214.	[bug]		Deregister OpenSSL lock callback when cleaning
11225 			up.  Reorder OpenSSL cleanup so that RAND_cleanup()
11226 			is called before the locks are destroyed. [RT #17098]
11227 
11228 2213.	[bug]		SIG0 diagnostic failure messages were looking at the
11229 			wrong status code. [RT #17101]
11230 
11231 2212.	[func]		'host -m' now causes memory statistics and active
11232 			memory to be printed at exit. [RT 17028]
11233 
11234 2211.	[func]		Update "dynamic update temporarily disabled" message.
11235 			[RT #17065]
11236 
11237 2210.	[bug]		Deleting class specific records via UPDATE could
11238 			fail.  [RT #17074]
11239 
11240 2209.	[port]		osx: linking against user supplied static OpenSSL
11241 			libraries failed as the system ones were still being
11242 			found. [RT #17078]
11243 
11244 2208.	[port]		win32: make sure both build methods produce the
11245 			same output. [RT #17058]
11246 
11247 2207.	[port]		Some implementations of getaddrinfo() fail to set
11248 			ai_canonname correctly. [RT #17061]
11249 
11250 	--- 9.5.0a6 released ---
11251 
11252 2206.	[security]	"allow-query-cache" and "allow-recursion" now
11253 			cross inherit from each other.
11254 
11255 			If allow-query-cache is not set in named.conf then
11256 			allow-recursion is used if set, otherwise allow-query
11257 			is used if set, otherwise the default (localnets;
11258 			localhost;) is used.
11259 
11260 			If allow-recursion is not set in named.conf then
11261 			allow-query-cache is used if set, otherwise allow-query
11262 			is used if set, otherwise the default (localnets;
11263 			localhost;) is used.
11264 
11265 			[RT #16987]
11266 
11267 2205.	[bug]		libbind: change #2119 broke thread support. [RT #16982]
11268 
11269 2204.	[bug]		"rndc flushname name unknown-view" caused named
11270 			to crash. [RT #16984]
11271 
11272 2203.	[security]	Query id generation was cryptographically weak.
11273 			[RT # 16915]
11274 
11275 2202.	[security]	The default acls for allow-query-cache and
11276 			allow-recursion were not being applied. [RT #16960]
11277 
11278 2201.	[bug]		The build failed in a separate object directory.
11279 			[RT #16943]
11280 
11281 2200.	[bug]		The search for cached NSEC records was stopping to
11282 			early leading to excessive DLV queries. [RT #16930]
11283 
11284 2199.	[bug]		win32: don't call WSAStartup() while loading dlls.
11285 			[RT #16911]
11286 
11287 2198.	[bug]		win32: RegCloseKey() could be called when
11288 			RegOpenKeyEx() failed. [RT #16911]
11289 
11290 2197.	[bug]		Add INSIST to catch negative responses which are
11291 			not setting the event result code appropriately.
11292 			[RT #16909]
11293 
11294 2196.	[port]		win32: yield processor while waiting for once to
11295 			to complete. [RT #16958]
11296 
11297 2195.	[func]		dnssec-keygen now defaults to nametype "ZONE"
11298 			when generating DNSKEYs. [RT #16954]
11299 
11300 2194.	[bug]		Close journal before calling 'done' in xfrin.c.
11301 
11302 	--- 9.5.0a5 released ---
11303 
11304 2193.	[port]		win32: BINDInstall.exe is now linked statically.
11305 			[RT #16906]
11306 
11307 2192.	[port]		win32: use vcredist_x86.exe to install Visual
11308 			Studio's redistributable dlls if building with
11309 			Visual Stdio 2005 or later.
11310 
11311 2191.	[func]		named-checkzone now allows dumping to stdout (-).
11312 			named-checkconf now has -h for help.
11313 			named-checkzone now has -h for help.
11314 			rndc now has -h for help.
11315 			Better handling of '-?' for usage summaries.
11316 			[RT #16707]
11317 
11318 2190.	[func]		Make fallback to plain DNS from EDNS due to timeouts
11319 			more visible.  New logging category "edns-disabled".
11320 			[RT #16871]
11321 
11322 2189.	[bug]		Handle socket() returning EINTR. [RT #15949]
11323 
11324 2188.	[contrib]	queryperf: autoconf changes to make the search for
11325 			libresolv or libbind more robust. [RT #16299]
11326 
11327 2187.	[bug]		query_addds(), query_addwildcardproof() and
11328 			query_addnxrrsetnsec() should take a version
11329 			argument. [RT #16368]
11330 
11331 2186.	[port]		cygwin: libbind: check for struct sockaddr_storage
11332 			independently of IPv6. [RT #16482]
11333 
11334 2185.	[port]		sunos: libbind: check for ssize_t, memmove() and
11335 			memchr(). [RT #16463]
11336 
11337 2184.	[bug]		bind9.xsl.h didn't build out of the source tree.
11338 			[RT #16830]
11339 
11340 2183.	[bug]		dnssec-signzone didn't handle offline private keys
11341 			well.  [RT #16832]
11342 
11343 2182.	[bug]		dns_dispatch_createtcp() and dispatch_createudp()
11344 			could return ISC_R_SUCCESS when they ran out of
11345 			memory. [RT #16365]
11346 
11347 2181.	[port]		sunos: libbind: add paths.h from BIND 8. [RT #16462]
11348 
11349 2180.	[cleanup]	Remove bit test from 'compress_test' as they
11350 			are no longer needed. [RT #16497]
11351 
11352 2179.	[func]		'rndc command zone' will now find 'zone' if it is
11353 			unique to all the views. [RT #16821]
11354 
11355 2178.	[bug]		'rndc reload' of a slave or stub zone resulted in
11356 			a reference leak. [RT #16867]
11357 
11358 2177.	[bug]		Array bounds overrun on read (rcodetext) at
11359 			debug level 10+. [RT #16798]
11360 
11361 2176.	[contrib]	dbus update to handle race condition during
11362 			initialization (Bugzilla 235809). [RT #16842]
11363 
11364 2175.	[bug]		win32: windows broadcast condition variable support
11365 			was broken. [RT #16592]
11366 
11367 2174.	[bug]		I/O errors should always be fatal when reading
11368 			master files. [RT #16825]
11369 
11370 2173.	[port]		win32: When compiling with MSVS 2005 SP1 we also
11371 			need to ship Microsoft.VC80.MFCLOC.
11372 
11373 	--- 9.5.0a4 released ---
11374 
11375 2172.	[bug]		query_addsoa() was being called with a non zone db.
11376 			[RT #16834]
11377 
11378 2171.	[bug]		Handle breaks in DNSSEC trust chains where the parent
11379 			servers are not DS aware (DS queries to the parent
11380 			return a referral to the child).
11381 
11382 2170.	[func]		Add acache processing to test suite. [RT #16711]
11383 
11384 2169.	[bug]		host, nslookup: when reporting NXDOMAIN report the
11385 			given name and not the last name searched for.
11386 			[RT #16763]
11387 
11388 2168.	[bug]		nsupdate: in non-interactive mode treat syntax errors
11389 			as fatal errors. [RT #16785]
11390 
11391 2167.	[bug]		When re-using a automatic zone named failed to
11392 			attach it to the new view. [RT #16786]
11393 
11394 	--- 9.5.0a3 released ---
11395 
11396 2166.	[bug]		When running in batch mode, dig could misinterpret
11397 			a server address as a name to be looked up, causing
11398 			unexpected output. [RT #16743]
11399 
11400 2165.	[func]		Allow the destination address of a query to determine
11401 			if we will answer the query or recurse.
11402 			allow-query-on, allow-recursion-on and
11403 			allow-query-cache-on. [RT #16291]
11404 
11405 2164.	[bug]		The code to determine how named-checkzone /
11406 			named-compilezone was called failed under windows.
11407 			[RT #16764]
11408 
11409 2163.	[bug]		If only one of query-source and query-source-v6
11410 			specified a port the query pools code broke (change
11411 			2129).  [RT #16768]
11412 
11413 2162.	[func]		Allow "rrset-order fixed" to be disabled at compile
11414 			time. [RT #16665]
11415 
11416 2161.	[bug]		Fix which log messages are emitted for 'rndc flush'.
11417 			[RT #16698]
11418 
11419 2160.	[bug]		libisc wasn't handling NULL ifa_addr pointers returned
11420 			from getifaddrs(). [RT #16708]
11421 
11422 	--- 9.5.0a2 released ---
11423 
11424 2159.	[bug]		Array bounds overrun in acache processing. [RT #16710]
11425 
11426 2158.	[bug]		ns_client_isself() failed to initialize key
11427 			leading to a REQUIRE failure. [RT #16688]
11428 
11429 2157.	[func]		dns_db_transfernode() created. [RT #16685]
11430 
11431 2156.	[bug]		Fix node reference leaks in lookup.c:lookup_find(),
11432 			resolver.c:validated() and resolver.c:cache_name().
11433 			Fix a memory leak in rbtdb.c:free_noqname().
11434 			Make lookup.c:lookup_find() robust against
11435 			event leaks. [RT #16685]
11436 
11437 2155.	[contrib]	SQLite sdb module from jaboydjr@netwalk.com.
11438 			[RT #16694]
11439 
11440 2154.	[func]		Scoped (e.g. IPv6 link-local) addresses may now be
11441 			matched in acls by omitting the scope. [RT #16599]
11442 
11443 2153.	[bug]		nsupdate could leak memory. [RT #16691]
11444 
11445 2152.	[cleanup]	Use sizeof(buf) instead of fixed number in
11446 			dighost.c:get_trusted_key(). [RT #16678]
11447 
11448 2151.	[bug]		Missing newline in usage message for journalprint.
11449 			[RT #16679]
11450 
11451 2150.	[bug]		'rrset-order cyclic' uniformly distribute the
11452 			starting point for the first response for a given
11453 			RRset. [RT #16655]
11454 
11455 2149.	[bug]		isc_mem_checkdestroyed() failed to abort on
11456 			if there were still active memory contexts.
11457 			[RT #16672]
11458 
11459 2148.	[func]		Add positive logging for rndc commands. [RT #14623]
11460 
11461 2147.	[bug]		libbind: remove potential buffer overflow from
11462 			hmac_link.c. [RT #16437]
11463 
11464 2146.	[cleanup]	Silence Linux's spurious "obsolete setsockopt
11465 			SO_BSDCOMPAT" message. [RT #16641]
11466 
11467 2145.	[bug]		Check DS/DLV digest lengths for known digests.
11468 			[RT #16622]
11469 
11470 2144.	[cleanup]	Suppress logging of SERVFAIL from forwarders.
11471 			[RT #16619]
11472 
11473 2143.	[bug]		We failed to restart the IPv6 client when the
11474 			kernel failed to return the destination the
11475 			packet was sent to. [RT #16613]
11476 
11477 2142.	[bug]		Handle master files with a modification time that
11478 			matches the epoch. [RT #16612]
11479 
11480 2141.	[bug]		dig/host should not be setting IDN_ASCCHECK (IDN
11481 			equivalent of LDH checks).  [RT #16609]
11482 
11483 2140.	[bug]		libbind: missing unlock on pthread_key_create()
11484 			failures. [RT #16654]
11485 
11486 2139.	[bug]		dns_view_find() was being called with wrong type
11487 			in adb.c. [RT #16670]
11488 
11489 2138.	[bug]		Lock order reversal in resolver.c. [RT #16653]
11490 
11491 2137.	[port]		Mips little endian and/or mips 64 bit are now
11492 			supported for atomic operations. [RT #16648]
11493 
11494 2136.	[bug]		nslookup/host looped if there was no search list
11495 			and the host didn't exist. [RT #16657]
11496 
11497 2135.	[bug]		Uninitialized rdataset in sdlz.c. [RT #16656]
11498 
11499 2134.	[func]		Additional statistics support. [RT #16666]
11500 
11501 2133.	[port]		powerpc:  Support both IBM and MacOS Power PC
11502 			assembler syntaxes. [RT #16647]
11503 
11504 2132.	[bug]		Missing unlock on out of memory in
11505 			dns_dispatchmgr_setudp().
11506 
11507 2131.	[contrib]	dlz/mysql: AXFR was broken. [RT #16630]
11508 
11509 2130.	[func]		Log if CD or DO were set. [RT #16640]
11510 
11511 2129.	[func]		Provide a pool of UDP sockets for queries to be
11512 			made over. See use-queryport-pool, queryport-pool-ports
11513 			and queryport-pool-updateinterval.  [RT #16415]
11514 
11515 2128.	[doc]		xsltproc --nonet, update DTD versions.  [RT #16635]
11516 
11517 2127.	[port]		Improved OpenSSL 0.9.8 support. [RT #16563]
11518 
11519 2126.	[security]	Serialize validation of type ANY responses. [RT #16555]
11520 
11521 2125.	[bug]		dns_zone_getzeronosoattl() REQUIRE failure if DLZ
11522 			was defined. [RT #16574]
11523 
11524 2124.	[security]	It was possible to dereference a freed fetch
11525 			context. [RT #16584]
11526 
11527 	--- 9.5.0a1 released ---
11528 
11529 2123.	[func]		Use Doxygen to generate internal documentation.
11530 			[RT #11398]
11531 
11532 2122.	[func]		Experimental http server and statistics support
11533 			for named via xml.
11534 
11535 2121.	[func]		Add a 10 slot dead masters cache (LRU) with a 600
11536 			second timeout. [RT #16553]
11537 
11538 2120.	[doc]		Fix markup on nsupdate man page. [RT #16556]
11539 
11540 2119.	[compat]	libbind: allow res_init() to succeed enough to
11541 			return the default domain even if it was unable
11542 			to allocate memory.
11543 
11544 2118.	[bug]		Handle response with long chains of domain name
11545 			compression pointers which point to other compression
11546 			pointers. [RT #16427]
11547 
11548 2117.	[bug]		DNSSEC fixes: named could fail to cache NSEC records
11549 			which could lead to validation failures.  named didn't
11550 			handle negative DS responses that were in the process
11551 			of being validated.  Check CNAME bit before accepting
11552 			NODATA proof. To be able to ignore a child NSEC there
11553 			must be SOA (and NS) set in the bitmap. [RT #16399]
11554 
11555 2116.	[bug]		'rndc reload' could cause the cache to continually
11556 			be cleaned. [RT #16401]
11557 
11558 2115.	[bug]		'rndc reconfig' could trigger a INSIST if the
11559 			number of masters for a zone was reduced. [RT #16444]
11560 
11561 2114.	[bug]		dig/host/nslookup: searches for names with multiple
11562 			labels were failing. [RT #16447]
11563 
11564 2113.	[bug]		nsupdate: if a zone is specified it should be used
11565 			for server discover. [RT #16455]
11566 
11567 2112.	[security]	Warn if weak RSA exponent is used. [RT #16460]
11568 
11569 2111.	[bug]		Fix a number of errors reported by Coverity.
11570 			[RT #16507]
11571 
11572 2110.	[bug]		"minimal-responses yes;" interacted badly with BIND 8
11573 			priming queries. [RT #16491]
11574 
11575 2109.	[port]		libbind: silence aix 5.3 compiler warnings. [RT #16502]
11576 
11577 2108.	[func]		DHCID support. [RT #16456]
11578 
11579 2107.	[bug]		dighost.c: more cleanup of buffers. [RT #16499]
11580 
11581 2106.	[func]		'rndc status' now reports named's version. [RT #16426]
11582 
11583 2105.	[func]		GSS-TSIG support (RFC 3645).
11584 
11585 2104.	[port]		Fix Solaris SMF error message.
11586 
11587 2103.	[port]		Add /usr/sfw to list of locations for OpenSSL
11588 			under Solaris.
11589 
11590 2102.	[port]		Silence Solaris 10 warnings.
11591 
11592 2101.	[bug]		OpenSSL version checks were not quite right.
11593 			[RT #16476]
11594 
11595 2100.	[port]		win32: copy libeay32.dll to Build\Debug.
11596 			Copy Debug\named-checkzone to Debug\named-compilezone.
11597 
11598 2099.	[port]		win32: more manifest issues.
11599 
11600 2098.	[bug]		Race in rbtdb.c:no_references(), which occasionally
11601 			triggered an INSIST failure about the node lock
11602 			reference.  [RT #16411]
11603 
11604 2097.	[bug]		named could reference a destroyed memory context
11605 			after being reloaded / reconfigured. [RT #16428]
11606 
11607 2096.	[bug]		libbind: handle applications that fail to detect
11608 			res_init() failures better.
11609 
11610 2095.	[port]		libbind: always prototype inet_cidr_ntop_ipv6() and
11611 			net_cidr_ntop_ipv6(). [RT #16388]
11612 
11613 2094.	[contrib]	Update named-bootconf.  [RT #16404]
11614 
11615 2093.	[bug]		named-checkzone -s was broken.
11616 
11617 2092.	[bug]		win32: dig, host, nslookup.  Use registry config
11618 			if resolv.conf does not exist or no nameservers
11619 			listed. [RT #15877]
11620 
11621 2091.	[port]		dighost.c: race condition on cleanup. [RT #16417]
11622 
11623 2090.	[port]		win32: Visual C++ 2005 command line manifest support.
11624 			[RT #16417]
11625 
11626 2089.	[security]	Raise the minimum safe OpenSSL versions to
11627 			OpenSSL 0.9.7l and OpenSSL 0.9.8d.  Versions
11628 			prior to these have known security flaws which
11629 			are (potentially) exploitable in named. [RT #16391]
11630 
11631 2088.	[security]	Change the default RSA exponent from 3 to 65537.
11632 			[RT #16391]
11633 
11634 2087.	[port]		libisc failed to compile on OS's w/o a vsnprintf.
11635 			[RT #16382]
11636 
11637 2086.	[port]		libbind: FreeBSD now has get*by*_r() functions.
11638 			[RT #16403]
11639 
11640 2085.	[doc]		win32: added index.html and README to zip. [RT #16201]
11641 
11642 2084.	[contrib]	dbus update for 9.3.3rc2.
11643 
11644 2083.	[port]		win32: Visual C++ 2005 support.
11645 
11646 2082.	[doc]		Document 'cache-file' as a test only option.
11647 
11648 2081.	[port]		libbind: minor 64-bit portability fix in memcluster.c.
11649 			[RT #16360]
11650 
11651 2080.	[port]		libbind: res_init.c did not compile on older versions
11652 			of Solaris. [RT #16363]
11653 
11654 2079.	[bug]		The lame cache was not handling multiple types
11655 			correctly. [RT #16361]
11656 
11657 2078.	[bug]		dnssec-checkzone output style "default" was badly
11658 			named.  It is now called "relative". [RT #16326]
11659 
11660 2077.	[bug]		'dnssec-signzone -O raw' wasn't outputting the
11661 			complete signed zone. [RT #16326]
11662 
11663 2076.	[bug]		Several files were missing #include <config.h>
11664 			causing build failures on OSF. [RT #16341]
11665 
11666 2075.	[bug]		The spillat timer event handler could leak memory.
11667 			[RT #16357]
11668 
11669 2074.	[bug]		dns_request_createvia2(), dns_request_createvia3(),
11670 			dns_request_createraw2() and dns_request_createraw3()
11671 			failed to send multiple UDP requests. [RT #16349]
11672 
11673 2073.	[bug]		Incorrect semantics check for update policy "wildcard".
11674 			[RT #16353]
11675 
11676 2072.	[bug]		We were not generating valid HMAC SHA digests.
11677 			[RT #16320]
11678 
11679 2071.	[port]		Test whether gcc accepts -fno-strict-aliasing.
11680 			[RT #16324]
11681 
11682 2070.	[bug]		The remote address was not always displayed when
11683 			reporting dispatch failures. [RT #16315]
11684 
11685 2069.	[bug]		Cross compiling was not working. [RT #16330]
11686 
11687 2068.	[cleanup]	Lower incremental tuning message to debug 1.
11688 			[RT #16319]
11689 
11690 2067.	[bug]		'rndc' could close the socket too early triggering
11691 			a INSIST under Windows. [RT #16317]
11692 
11693 2066.	[security]	Handle SIG queries gracefully. [RT #16300]
11694 
11695 2065.	[bug]		libbind: probe for HPUX prototypes for
11696 			endprotoent_r() and endservent_r().  [RT 16313]
11697 
11698 2064.	[bug]		libbind: silence AIX compiler warnings. [RT #16218]
11699 
11700 2063.	[bug]		Change #1955 introduced a bug which caused the first
11701 			'rndc flush' call to not free memory. [RT #16244]
11702 
11703 2062.	[bug]		'dig +nssearch' was reusing a buffer before it had
11704 			been returned by the socket code. [RT #16307]
11705 
11706 2061.	[bug]		Accept expired wildcard message reversed. [RT #16296]
11707 
11708 2060.	[bug]		Enabling DLZ support could leave views partially
11709 			configured. [RT #16295]
11710 
11711 2059.	[bug]		Search into cache rbtdb could trigger an INSIST
11712 			failure while cleaning up a stale rdataset.
11713 			[RT #16292]
11714 
11715 2058.	[bug]		Adjust how we calculate rtt estimates in the presence
11716 			of authoritative servers that drop EDNS and/or CD
11717 			requests.  Also fallback to EDNS/512 and plain DNS
11718 			faster for zones with less than 3 servers.  [RT #16187]
11719 
11720 2057.	[bug]		Make setting "ra" dependent on both allow-query-cache
11721 			and allow-recursion. [RT #16290]
11722 
11723 2056.	[bug]		dig: ixfr= was not being treated case insensitively
11724 			at all times. [RT #15955]
11725 
11726 2055.	[bug]		Missing goto after dropping multicast query.
11727 			[RT #15944]
11728 
11729 2054.	[port]		freebsd: do not explicitly link against -lpthread.
11730 			[RT #16170]
11731 
11732 2053.	[port]		netbsd:libbind: silence compiler warnings. [RT #16220]
11733 
11734 2052.	[bug]		'rndc' improve connect failed message to report
11735 			the failing address. [RT #15978]
11736 
11737 2051.	[port]		More strtol() fixes. [RT #16249]
11738 
11739 2050.	[bug]		Parsing of NSAP records was not case insensitive.
11740 			[RT #16287]
11741 
11742 2049.	[bug]		Restore SOA before AXFR when falling back from
11743 			a attempted IXFR when transferring in a zone.
11744 			Allow a initial SOA query before attempting
11745 			a AXFR to be requested. [RT #16156]
11746 
11747 2048.	[bug]		It was possible to loop forever when using
11748 			avoid-v4-udp-ports / avoid-v6-udp-ports when
11749 			the OS always returned the same local port.
11750 			[RT #16182]
11751 
11752 2047.	[bug]		Failed to initialize the interface flags to zero.
11753 			[RT #16245]
11754 
11755 2046.	[bug]		rbtdb.c:rdataset_setadditional() could cause duplicate
11756 			cleanup [RT #16247].
11757 
11758 2045.	[func]		Use lock buckets for acache entries to limit memory
11759 			consumption. [RT #16183]
11760 
11761 2044.	[port]		Add support for atomic operations for Itanium.
11762 			[RT #16179]
11763 
11764 2043.	[port]		nsupdate/nslookup: Force the flushing of the prompt
11765 			for interactive sessions. [RT #16148]
11766 
11767 2042.	[bug]		named-checkconf was incorrectly rejecting the
11768 			logging category "config". [RT #16117]
11769 
11770 2041.	[bug]		"configure --with-dlz-bdb=yes" produced a bad
11771 			set of libraries to be linked. [RT #16129]
11772 
11773 2040.	[bug]		rbtdb no_references() could trigger an INSIST
11774 			failure with --enable-atomic.  [RT #16022]
11775 
11776 2039.	[func]		Check that all buffers passed to the socket code
11777 			have been retrieved when the socket event is freed.
11778 			[RT #16122]
11779 
11780 2038.	[bug]		dig/nslookup/host was unlinking from wrong list
11781 			when handling errors. [RT #16122]
11782 
11783 2037.	[func]		When unlinking the first or last element in a list
11784 			check that the list head points to the element to
11785 			be unlinked. [RT #15959]
11786 
11787 2036.	[bug]		'rndc recursing' could cause trigger a REQUIRE.
11788 			[RT #16075]
11789 
11790 2035.	[func]		Make falling back to TCP on UDP refresh failure
11791 			optional. Default "try-tcp-refresh yes;" for BIND 8
11792 			compatibility. [RT #16123]
11793 
11794 2034.	[bug]		gcc: set -fno-strict-aliasing. [RT #16124]
11795 
11796 2033.	[bug]		We weren't creating multiple client memory contexts
11797 			on demand as expected. [RT #16095]
11798 
11799 2032.	[bug]		Remove a INSIST in query_addadditional2(). [RT #16074]
11800 
11801 2031.	[bug]		Emit a error message when "rndc refresh" is called on
11802 			a non slave/stub zone. [RT # 16073]
11803 
11804 2030.	[bug]		We were being overly conservative when disabling
11805 			openssl engine support. [RT #16030]
11806 
11807 2029.	[bug]		host printed out the server multiple times when
11808 			specified on the command line. [RT #15992]
11809 
11810 2028.	[port]		linux: socket.c compatibility for old systems.
11811 			[RT #16015]
11812 
11813 2027.	[port]		libbind: Solaris x86 support. [RT #16020]
11814 
11815 2026.	[bug]		Rate limit the two recursive client exceeded messages.
11816 			[RT #16044]
11817 
11818 2025.	[func]		Update "zone serial unchanged" message. [RT #16026]
11819 
11820 2024.	[bug]		named emitted spurious "zone serial unchanged"
11821 			messages on reload. [RT #16027]
11822 
11823 2023.	[bug]		"make install" should create ${localstatedir}/run and
11824 			${sysconfdir} if they do not exist. [RT #16033]
11825 
11826 2022.	[bug]		If dnssec validation is disabled only assert CD if
11827 			CD was requested. [RT #16037]
11828 
11829 2021.	[bug]		dnssec-enable no; triggered a REQUIRE. [RT #16037]
11830 
11831 2020.	[bug]		rdataset_setadditional() could leak memory. [RT #16034]
11832 
11833 2019.	[tuning]	Reduce the amount of work performed per quantum
11834 			when cleaning the cache. [RT #15986]
11835 
11836 2018.	[bug]		Checking if the HMAC MD5 private file was broken.
11837 			[RT #15960]
11838 
11839 2017.	[bug]		allow-query default was not correct. [RT #15946]
11840 
11841 2016.	[bug]		Return a partial answer if recursion is not
11842 			allowed but requested and we had the answer
11843 			to the original qname. [RT #15945]
11844 
11845 2015.	[cleanup]	use-additional-cache is now acache-enable for
11846 			consistency.  Default acache-enable off in BIND 9.4
11847 			as it requires memory usage to be configured.
11848 			It may be enabled by default in BIND 9.5 once we
11849 			have more experience with it.
11850 
11851 2014.	[func]		Statistics about acache now recorded and sent
11852 			to log. [RT #15976]
11853 
11854 2013.	[bug]		Handle unexpected TSIGs on unsigned AXFR/IXFR
11855 			responses more gracefully. [RT #15941]
11856 
11857 2012.	[func]		Don't insert new acache entries if acache is full.
11858 			[RT #15970]
11859 
11860 2011.	[func]		dnssec-signzone can now update the SOA record of
11861 			the signed zone, either as an increment or as the
11862 			system time(). [RT #15633]
11863 
11864 2010.	[placeholder]	rt15958
11865 
11866 2009.	[bug]		libbind: Coverity fixes. [RT #15808]
11867 
11868 2008.	[func]		It is now possible to enable/disable DNSSEC
11869 			validation from rndc.  This is useful for the
11870 			mobile hosts where the current connection point
11871 			breaks DNSSEC (firewall/proxy).  [RT #15592]
11872 
11873 				rndc validation newstate [view]
11874 
11875 2007.	[func]		It is now possible to explicitly enable DNSSEC
11876 			validation.  default dnssec-validation no; to
11877 			be changed to yes in 9.5.0.  [RT #15674]
11878 
11879 2006.	[security]	Allow-query-cache and allow-recursion now default
11880 			to the built in acls "localnets" and "localhost".
11881 
11882 			This is being done to make caching servers less
11883 			attractive as reflective amplifying targets for
11884 			spoofed traffic.  This still leave authoritative
11885 			servers exposed.
11886 
11887 			The best fix is for full BCP 38 deployment to
11888 			remove spoofed traffic.
11889 
11890 2005.	[bug]		libbind: Retransmission timeouts should be
11891 			based on which attempt it is to the nameserver
11892 			and not the nameserver itself. [RT #13548]
11893 
11894 2004.	[bug]		dns_tsig_sign() could pass a NULL pointer to
11895 			dst_context_destroy() when cleaning up after a
11896 			error. [RT #15835]
11897 
11898 2003.	[bug]		libbind: The DNS name/address lookup functions could
11899 			occasionally follow a random pointer due to
11900 			structures not being completely zeroed. [RT #15806]
11901 
11902 2002.	[bug]		libbind: tighten the constraints on when
11903 			struct addrinfo._ai_pad exists.  [RT #15783]
11904 
11905 2001.	[func]		Check the KSK flag when updating a secure dynamic zone.
11906 			New zone option "update-check-ksk yes;".  [RT #15817]
11907 
11908 2000.	[bug]		memmove()/strtol() fix was incomplete. [RT #15812]
11909 
11910 1999.	[func]		Implement "rrset-order fixed". [RT #13662]
11911 
11912 1998.	[bug]		Restrict handling of fifos as sockets to just SunOS.
11913 			This allows named to connect to entropy gathering
11914 			daemons that use fifos instead of sockets. [RT #15840]
11915 
11916 1997.	[bug]		Named was failing to replace negative cache entries
11917 			when a positive one for the type was learnt.
11918 			[RT #15818]
11919 
11920 1996.	[bug]		nsupdate: if a zone has been specified it should
11921 			appear in the output of 'show'. [RT #15797]
11922 
11923 1995.	[bug]		'host' was reporting multiple "is an alias" messages.
11924 			[RT #15702]
11925 
11926 1994.	[port]		OpenSSL 0.9.8 support. [RT #15694]
11927 
11928 1993.	[bug]		Log messages, via syslog, were missing the space
11929 			after the timestamp if "print-time yes" was specified.
11930 			[RT #15844]
11931 
11932 1992.	[bug]		Not all incoming zone transfer messages included the
11933 			view.  [RT #15825]
11934 
11935 1991.	[cleanup]	The configuration data, once read, should be treated
11936 			as read only.  Expand the use of const to enforce this
11937 			at compile time. [RT #15813]
11938 
11939 1990.	[bug]		libbind:  isc's override of broken gettimeofday()
11940 			implementations was not always effective.
11941 			[RT #15709]
11942 
11943 1989.	[bug]		win32: don't check the service password when
11944 			re-installing. [RT #15882]
11945 
11946 1988.	[bug]		Remove a bus error from the SHA256/SHA512 support.
11947 			[RT #15878]
11948 
11949 1987.	[func]		DS/DLV SHA256 digest algorithm support. [RT #15608]
11950 
11951 1986.	[func]		Report when a zone is removed. [RT #15849]
11952 
11953 1985.	[protocol]	DLV has now been assigned a official type code of
11954 			32769. [RT #15807]
11955 
11956 			Note: care should be taken to ensure you upgrade
11957 			both named and dnssec-signzone at the same time for
11958 			zones with DLV records where named is the master
11959 			server for the zone.  Also any zones that contain
11960 			DLV records should be removed when upgrading a slave
11961 			zone.  You do not however have to upgrade all
11962 			servers for a zone with DLV records simultaneously.
11963 
11964 1984.	[func]		dig, nslookup and host now advertise a 4096 byte
11965 			EDNS UDP buffer size by default. [RT #15855]
11966 
11967 1983.	[func]		Two new update policies.  "selfsub" and "selfwild".
11968 			[RT #12895]
11969 
11970 1982.	[bug]		DNSKEY was being accepted on the parent side of
11971 			a delegation.  KEY is still accepted there for
11972 			RFC 3007 validated updates. [RT #15620]
11973 
11974 1981.	[bug]		win32: condition.c:wait() could fail to reattain
11975 			the mutex lock.
11976 
11977 1980.	[func]		dnssec-signzone: output the SOA record as the
11978 			first record in the signed zone. [RT #15758]
11979 
11980 1979.	[port]		linux: allow named to drop core after changing
11981 			user ids. [RT #15753]
11982 
11983 1978.	[port]		Handle systems which have a broken recvmsg().
11984 			[RT #15742]
11985 
11986 1977.	[bug]		Silence noisy log message. [RT #15704]
11987 
11988 1976.	[bug]		Handle systems with no IPv4 addresses. [RT #15695]
11989 
11990 1975.	[bug]		libbind: isc_gethexstring() could misparse multi-line
11991 			hex strings with comments. [RT #15814]
11992 
11993 1974.	[doc]		List each of the zone types and associated zone
11994 			options separately in the ARM.
11995 
11996 1973.	[func]		TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
11997 			HMACSHA512 support. [RT #13606]
11998 
11999 1972.	[contrib]	DBUS dynamic forwarders integration from
12000 			Jason Vas Dias <jvdias@redhat.com>.
12001 
12002 1971.	[port]		linux: make detection of missing IF_NAMESIZE more
12003 			robust. [RT #15443]
12004 
12005 1970.	[bug]		nsupdate: adjust UDP timeout when falling back to
12006 			unsigned SOA query. [RT #15775]
12007 
12008 1969.	[bug]		win32: the socket code was freeing the socket
12009 			structure too early. [RT #15776]
12010 
12011 1968.	[bug]		Missing lock in resolver.c:validated(). [RT #15739]
12012 
12013 1967.	[func]		dig/nslookup/host: warn about missing "QR". [RT #15779]
12014 
12015 1966.	[bug]		Don't set CD when we have fallen back to plain DNS.
12016 			[RT #15727]
12017 
12018 1965.	[func]		Suppress spurious "recursion requested but not
12019 			available" warning with 'dig +qr'. [RT #15780].
12020 
12021 1964.	[func]		Separate out MX and SRV to CNAME checks. [RT #15723]
12022 
12023 1963.	[port]		Tru64 4.0E doesn't support send() and recv().
12024 			[RT #15586]
12025 
12026 1962.	[bug]		Named failed to clear old update-policy when it
12027 			was removed. [RT #15491]
12028 
12029 1961.	[bug]		Check the port and address of responses forwarded
12030 			to dispatch. [RT #15474]
12031 
12032 1960.	[bug]		Update code should set NSEC ttls from SOA MINIMUM.
12033 			[RT #15465]
12034 
12035 1959.	[func]		Control the zeroing of the negative response TTL to
12036 			a soa query.  Defaults "zero-no-soa-ttl yes;" and
12037 			"zero-no-soa-ttl-cache no;". [RT #15460]
12038 
12039 1958.	[bug]		Named failed to update the zone's secure state
12040 			until the zone was reloaded. [RT #15412]
12041 
12042 1957.	[bug]		Dig mishandled responses to class ANY queries.
12043 			[RT #15402]
12044 
12045 1956.	[bug]		Improve cross compile support, 'gen' is now built
12046 			by native compiler.  See README for additional
12047 			cross compile support information. [RT #15148]
12048 
12049 1955.	[bug]		Pre-allocate the cache cleaning iterator. [RT #14998]
12050 
12051 1954.	[func]		Named now falls back to advertising EDNS with a
12052 			512 byte receive buffer if the initial EDNS queries
12053 			fail.  [RT #14852]
12054 
12055 1953.	[func]		The maximum EDNS UDP response named will send can
12056 			now be set in named.conf (max-udp-size).  This is
12057 			independent of the advertised receive buffer
12058 			(edns-udp-size). [RT #14852]
12059 
12060 1952.	[port]		hpux: tell the linker to build a runtime link
12061 			path "-Wl,+b:". [RT #14816].
12062 
12063 1951.	[security]	Drop queries from particular well known ports.
12064 			Don't return FORMERR to queries from particular
12065 			well known ports.  [RT #15636]
12066 
12067 1950.	[port]		Solaris 2.5.1 and earlier cannot bind() then connect()
12068 			a TCP socket. This prevents the source address being
12069 			set for TCP connections. [RT #15628]
12070 
12071 1949.	[func]		Addition memory leakage checks. [RT #15544]
12072 
12073 1948.	[bug]		If was possible to trigger a REQUIRE failure in
12074 			xfrin.c:maybe_free() if named ran out of memory.
12075 			[RT #15568]
12076 
12077 1947.	[func]		It is now possible to configure named to accept
12078 			expired RRSIGs.  Default "dnssec-accept-expired no;".
12079 			Setting "dnssec-accept-expired yes;" leaves named
12080 			vulnerable to replay attacks.  [RT #14685]
12081 
12082 1946.	[bug]		resume_dslookup() could trigger a REQUIRE failure
12083 			when using forwarders. [RT #15549]
12084 
12085 1945.	[cleanup]	dnssec-keygen: RSA (RSAMD5) is no longer recommended.
12086 			To generate a RSAMD5 key you must explicitly request
12087 			RSAMD5. [RT #13780]
12088 
12089 1944.	[cleanup]	isc_hash_create() does not need a read/write lock.
12090 			[RT #15522]
12091 
12092 1943.	[bug]		Set the loadtime after rolling forward the journal.
12093 			[RT #15647]
12094 
12095 1942.	[bug]		If the name of a DNSKEY match that of one in
12096 			trusted-keys do not attempt to validate the DNSKEY
12097 			using the parents DS RRset. [RT #15649]
12098 
12099 1941.	[bug]		ncache_adderesult() should set eresult even if no
12100 			rdataset is passed to it. [RT #15642]
12101 
12102 1940.	[bug]		Fixed a number of error conditions reported by
12103 			Coverity.
12104 
12105 1939.	[bug]		The resolver could dereference a null pointer after
12106 			validation if all the queries have timed out.
12107 			[RT #15528]
12108 
12109 1938.	[bug]		The validator was not correctly handling unsecure
12110 			negative responses at or below a SEP. [RT #15528]
12111 
12112 1937.	[bug]		sdlz doesn't handle RRSIG records. [RT #15564]
12113 
12114 1936.	[bug]		The validator could leak memory. [RT #15544]
12115 
12116 1935.	[bug]		'acache' was DO sensitive. [RT #15430]
12117 
12118 1934.	[func]		Validate pending NS RRsets, in the authority section,
12119 			prior to returning them if it can be done without
12120 			requiring DNSKEYs to be fetched.  [RT #15430]
12121 
12122 1933.	[bug]		dump_rdataset_raw() had a incorrect INSIST. [RT #15534]
12123 
12124 1932.	[bug]		hpux: LDFLAGS was getting corrupted. [RT #15530]
12125 
12126 1931.	[bug]		Per-client mctx could require a huge amount of memory,
12127 			particularly for a busy caching server. [RT #15519]
12128 
12129 1930.	[port]		HPUX: ia64 support. [RT #15473]
12130 
12131 1929.	[port]		FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
12132 
12133 1928.	[bug]		Race in rbtdb.c:currentversion(). [RT #15517]
12134 
12135 1927.	[bug]		Access to soanode or nsnode in rbtdb violated the
12136 			lock order rule and could cause a dead lock.
12137 			[RT #15518]
12138 
12139 1926.	[bug]		The Windows installer did not check for empty
12140 			passwords.  BINDinstall was being installed in
12141 			the wrong place. [RT #15483]
12142 
12143 1925.	[port]		All outer level AC_TRY_RUNs need cross compiling
12144 			defaults. [RT #15469]
12145 
12146 1924.	[port]		libbind: hpux ia64 support. [RT #15473]
12147 
12148 1923.	[bug]		ns_client_detach() called too early. [RT #15499]
12149 
12150 1922.	[bug]		check-tool.c:setup_logging() missing call to
12151 			dns_log_setcontext().
12152 
12153 1921.	[bug]		Client memory contexts were not using internal
12154 			malloc. [RT #15434]
12155 
12156 1920.	[bug]		The cache rbtdb lock array was too small to
12157 			have the desired performance characteristics.
12158 			[RT #15454]
12159 
12160 1919.	[contrib]	queryperf: a set of new features: collecting/printing
12161 			response delays, printing intermediate results, and
12162 			adjusting query rate for the "target" qps.
12163 
12164 1918.	[bug]		Memory leak when checking acls. [RT #15391]
12165 
12166 1917.	[doc]		funcsynopsisinfo wasn't being treated as verbatim
12167 			when generating man pages. [RT #15385]
12168 
12169 1916.	[func]		Integrate contributed IDN code from JPNIC. [RT #15383]
12170 
12171 1915.	[bug]		dig +ndots was broken. [RT #15215]
12172 
12173 1914.	[protocol]	DS is required to accept mnemonic algorithms
12174 			(RFC 4034).  Still emit numeric algorithms for
12175 			compatibility with RFC 3658. [RT #15354]
12176 
12177 1913.	[func]		Integrate contributed DLZ code into named. [RT #11382]
12178 
12179 1912.	[port]		aix: atomic locking for powerpc. [RT #15020]
12180 
12181 1911.	[bug]		Update windows socket code. [RT #14965]
12182 
12183 1910.	[bug]		dig's +sigchase code overhauled. [RT #14933]
12184 
12185 1909.	[bug]		The DLV code has been re-worked to make no longer
12186 			query order sensitive. [RT #14933]
12187 
12188 1908.	[func]		dig now warns if 'RA' is not set in the answer when
12189 			'RD' was set in the query.  host/nslookup skip servers
12190 			that fail to set 'RA' when 'RD' is set unless a server
12191 			is explicitly set.  [RT #15005]
12192 
12193 1907.	[func]		host/nslookup now continue (default)/fail on SERVFAIL.
12194 			[RT #15006]
12195 
12196 1906.	[func]		dig now has a '-q queryname' and '+showsearch' options.
12197 			[RT #15034]
12198 
12199 1905.	[bug]		Strings returned from cfg_obj_asstring() should be
12200 			treated as read-only.  The prototype for
12201 			cfg_obj_asstring() has been updated to reflect this.
12202 			[RT #15256]
12203 
12204 1904.	[func]		Automatic empty zone creation for D.F.IP6.ARPA and
12205 			friends.  Note: RFC 1918 zones are not yet covered by
12206 			this but are likely to be in a future release.
12207 
12208 			New options: empty-server, empty-contact,
12209 			empty-zones-enable and disable-empty-zone.
12210 
12211 1903.	[func]		ISC string copy API.
12212 
12213 1902.	[func]		Attempt to make the amount of work performed in a
12214 			iteration self tuning.  The covers nodes clean from
12215 			the cache per iteration, nodes written to disk when
12216 			rewriting a master file and nodes destroyed per
12217 			iteration when destroying a zone or a cache.
12218 			[RT #14996]
12219 
12220 1901.	[cleanup]	Don't add DNSKEY records to the additional section.
12221 
12222 1900.	[bug]		ixfr-from-differences failed to ensure that the
12223 			serial number increased. [RT #15036]
12224 
12225 1899.	[func]		named-checkconf now validates update-policy entries.
12226 			[RT #14963]
12227 
12228 1898.	[bug]		Extend ISC_SOCKADDR_FORMATSIZE and
12229 			ISC_NETADDR_FORMATSIZE to allow for scope details.
12230 
12231 1897.	[func]		x86 and x86_64 now have separate atomic locking
12232 			implementations.
12233 
12234 1896.	[bug]		Recursive clients soft quota support wasn't working
12235 			as expected. [RT #15103]
12236 
12237 1895.	[bug]		A escaped character is, potentially, converted to
12238 			the output character set too early. [RT #14666]
12239 
12240 1894.	[doc]		Review ARM for BIND 9.4.
12241 
12242 1893.	[port]		Use uintptr_t if available. [RT #14606]
12243 
12244 1892.	[func]		Support for SPF rdata type. [RT #15033]
12245 
12246 1891.	[port]		freebsd: pthread_mutex_init can fail if it runs out
12247 			of memory. [RT #14995]
12248 
12249 1890.	[func]		Raise the UDP receive buffer size to 32k if it is
12250 			less than 32k. [RT #14953]
12251 
12252 1889.	[port]		sunos: non blocking i/o support. [RT #14951]
12253 
12254 1888.	[func]		Support for IPSECKEY rdata type. [RT #14967]
12255 
12256 1887.	[bug]		The cache could delete expired records too fast for
12257 			clients with a virtual time in the past. [RT #14991]
12258 
12259 1886.	[bug]		fctx_create() could return success even though it
12260 			failed. [RT #14993]
12261 
12262 1885.	[func]		dig: report the number of extra bytes still left in
12263 			the packet after processing all the records.
12264 
12265 1884.	[cleanup]	dighost.c: move external declarations into <dig/dig.h>.
12266 
12267 1883.	[bug]		dnssec-signzone, dnssec-keygen: handle negative debug
12268 			levels. [RT #14962]
12269 
12270 1882.	[func]		Limit the number of recursive clients that can be
12271 			waiting for a single query (<qname,qtype,qclass>) to
12272 			resolve.  New options clients-per-query and
12273 			max-clients-per-query.
12274 
12275 1881.	[func]		Add a system test for named-checkconf. [RT #14931]
12276 
12277 1880.	[func]		The lame cache is now done on a <qname,qclass,qtype>
12278 			basis as some servers only appear to be lame for
12279 			certain query types.  [RT #14916]
12280 
12281 1879.	[func]		"USE INTERNAL MALLOC" is now runtime selectable.
12282 			[RT #14892]
12283 
12284 1878.	[func]		Detect duplicates of UDP queries we are recursing on
12285 			and drop them.  New stats category "duplicate".
12286 			[RT #2471]
12287 
12288 1877.	[bug]		Fix unreasonably low quantum on call to
12289 			dns_rbt_destroy2().  Remove unnecessary unhash_node()
12290 			call. [RT #14919]
12291 
12292 1876.	[func]		Additional memory debugging support to track size
12293 			and mctx arguments. [RT #14814]
12294 
12295 1875.	[bug]		process_dhtkey() was using the wrong memory context
12296 			to free some memory. [RT #14890]
12297 
12298 1874.	[port]		sunos: portability fixes. [RT #14814]
12299 
12300 1873.	[port]		win32: isc__errno2result() now reports its caller.
12301 			[RT #13753]
12302 
12303 1872.	[port]		win32: Handle ERROR_NETNAME_DELETED.  [RT #13753]
12304 
12305 1871.	[placeholder]
12306 
12307 1870.	[func]		Added framework for handling multiple EDNS versions.
12308 			[RT #14873]
12309 
12310 1869.	[func]		dig can now specify the EDNS version when making
12311 			a query. [RT #14873]
12312 
12313 1868.	[func]		edns-udp-size can now be overridden on a per
12314 			server basis. [RT #14851]
12315 
12316 1867.	[bug]		It was possible to trigger a INSIST in
12317 			dlv_validatezonekey(). [RT #14846]
12318 
12319 1866.	[bug]		resolv.conf parse errors were being ignored by
12320 			dig/host/nslookup. [RT #14841]
12321 
12322 1865.	[bug]		Silently ignore nameservers in /etc/resolv.conf with
12323 			bad addresses. [RT #14841]
12324 
12325 1864.	[bug]		Don't try the alternative transfer source if you
12326 			got a answer / transfer with the main source
12327 			address. [RT #14802]
12328 
12329 1863.	[bug]		rrset-order "fixed" error messages not complete.
12330 
12331 1862.	[func]		Add additional zone data constancy checks.
12332 			named-checkzone has extended checking of NS, MX and
12333 			SRV record and the hosts they reference.
12334 			named has extended post zone load checks.
12335 			New zone options: check-mx and integrity-check.
12336 			[RT #4940]
12337 
12338 1861.	[bug]		dig could trigger a INSIST on certain malformed
12339 			responses. [RT #14801]
12340 
12341 1860.	[port]		solaris 2.8: hack_shutup_pthreadmutexinit was
12342 			incorrectly set. [RT #14775]
12343 
12344 1859.	[func]		Add support for CH A record. [RT #14695]
12345 
12346 1858.	[bug]		The flush-zones-on-shutdown option wasn't being
12347 			parsed. [RT #14686]
12348 
12349 1857.	[bug]		named could trigger a INSIST() if reconfigured /
12350 			reloaded too fast.  [RT #14673]
12351 
12352 1856.	[doc]		Switch Docbook toolchain from DSSSL to XSL.
12353 			[RT #11398]
12354 
12355 1855.	[bug]		ixfr-from-differences was failing to detect changes
12356 			of ttl due to dns_diff_subtract() was ignoring the ttl
12357 			of records.  [RT #14616]
12358 
12359 1854.	[bug]		lwres also needs to know the print format for
12360 			(long long).  [RT #13754]
12361 
12362 1853.	[bug]		Rework how DLV interacts with proveunsecure().
12363 			[RT #13605]
12364 
12365 1852.	[cleanup]	Remove last vestiges of dnssec-signkey and
12366 			dnssec-makekeyset (removed from Makefile years ago).
12367 
12368 1851.	[doc]		Doxygen comment markup. [RT #11398]
12369 
12370 1850.	[bug]		Memory leak in lwres_getipnodebyaddr(). [RT #14591]
12371 
12372 1849.	[doc]		All forms of the man pages (docbook, man, html) should
12373 			have consistent copyright dates.
12374 
12375 1848.	[bug]		Improve SMF integration. [RT #13238]
12376 
12377 1847.	[bug]		isc_ondestroy_init() is called too late in
12378 			dns_rbtdb_create()/dns_rbtdb64_create().
12379 			[RT #13661]
12380 
12381 1846.	[contrib]	query-loc-0.3.0 from Stephane Bortzmeyer
12382 			<bortzmeyer@nic.fr>.
12383 
12384 1845.	[bug]		Improve error reporting to distinguish between
12385 			accept()/fcntl() and socket()/fcntl() errors.
12386 			[RT #13745]
12387 
12388 1844.	[bug]		inet_pton() accepted more that 4 hexadecimal digits
12389 			for each 16 bit piece of the IPv6 address.  The text
12390 			representation of a IPv6 address has been tightened
12391 			to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt).
12392 			[RT #5662]
12393 
12394 1843.	[cleanup]	CINCLUDES takes precedence over CFLAGS.  This helps
12395 			when CFLAGS contains "-I /usr/local/include"
12396 			resulting in old header files being used.
12397 
12398 1842.	[port]		cmsg_len() could produce incorrect results on
12399 			some platform. [RT #13744]
12400 
12401 1841.	[bug]		"dig +nssearch" now makes a recursive query to
12402 			find the list of nameservers to query. [RT #13694]
12403 
12404 1840.	[func]		dnssec-signzone can now randomize signature end times
12405 			(dnssec-signzone -j jitter). [RT #13609]
12406 
12407 1839.	[bug]		<isc/hash.h> was not being installed.
12408 
12409 1838.	[cleanup]	Don't allow Linux capabilities to be inherited.
12410 			[RT #13707]
12411 
12412 1837.	[bug]		Compile time option ISC_FACILITY was not effective
12413 			for 'named -u <user>'.  [RT #13714]
12414 
12415 1836.	[cleanup]	Silence compiler warnings in hash_test.c.
12416 
12417 1835.	[bug]		Update dnssec-signzone's usage message. [RT #13657]
12418 
12419 1834.	[bug]		Bad memset in rdata_test.c. [RT #13658]
12420 
12421 1833.	[bug]		Race condition in isc_mutex_lock_profile(). [RT #13660]
12422 
12423 1832.	[bug]		named fails to return BADKEY on unknown TSIG algorithm.
12424 			[RT #13620]
12425 
12426 1831.	[doc]		Update named-checkzone documentation. [RT #13604]
12427 
12428 1830.	[bug]		adb lame cache has sense of test reversed. [RT #13600]
12429 
12430 1829.	[bug]		win32: "pid-file none;" broken. [RT #13563]
12431 
12432 1828.	[bug]		isc_rwlock_init() failed to properly cleanup if it
12433 			encountered a error. [RT #13549]
12434 
12435 1827.	[bug]		host: update usage message for '-a'. [RT #37116]
12436 
12437 1826.	[bug]		Missing DESTROYLOCK() in isc_mem_createx() on out
12438 			of memory error. [RT #13537]
12439 
12440 1825.	[bug]		Missing UNLOCK() on out of memory error from in
12441 			rbtdb.c:subtractrdataset(). [RT #13519]
12442 
12443 1824.	[bug]		Memory leak on dns_zone_setdbtype() failure.
12444 			[RT #13510]
12445 
12446 1823.	[bug]		Wrong macro used to check for point to point interface.
12447 			[RT #13418]
12448 
12449 1822.	[bug]		check-names test for RT was reversed. [RT #13382]
12450 
12451 1821.	[placeholder]
12452 
12453 1820.	[bug]		Gracefully handle acl loops. [RT #13659]
12454 
12455 1819.	[bug]		The validator needed to check both the algorithm and
12456 			digest types of the DS to determine if it could be
12457 			used to introduce a secure zone. [RT #13593]
12458 
12459 1818.	[bug]		'named-checkconf -z' triggered an INSIST. [RT #13599]
12460 
12461 1817.	[func]		Add support for additional zone file formats for
12462 			improving loading performance.  The masterfile-format
12463 			option in named.conf can be used to specify a
12464 			non-default format.  A separate command
12465 			named-compilezone was provided to generate zone files
12466 			in the new format.  Additionally, the -I and -O options
12467 			for dnssec-signzone specify the input and output
12468 			formats.
12469 
12470 1816.	[port]		UnixWare: failed to compile lib/isc/unix/net.c.
12471 			[RT #13597]
12472 
12473 1815.	[bug]		nsupdate triggered a REQUIRE if the server was set
12474 			without also setting the zone and it encountered
12475 			a CNAME and was using TSIG.  [RT #13086]
12476 
12477 1814.	[func]		UNIX domain controls are now supported.
12478 
12479 1813.	[func]		Restructured the data locking framework using
12480 			architecture dependent atomic operations (when
12481 			available), improving response performance on
12482 			multi-processor machines significantly.
12483 			x86, x86_64, alpha, powerpc, and mips are currently
12484 			supported.
12485 
12486 1812.	[port]		win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect.
12487 			[RT #13453]
12488 
12489 1811.	[func]		Preserve the case of domain names in rdata during
12490 			zone transfers. [RT #13547]
12491 
12492 1810.	[bug]		configure, lib/bind/configure make different default
12493 			decisions about whether to do a threaded build.
12494 			[RT #13212]
12495 
12496 1809.	[bug]		"make distclean" failed for libbind if the platform
12497 			is not supported.
12498 
12499 1808.	[bug]		zone.c:notify_zone() contained a race condition,
12500 			zone->db could change underneath it.  [RT #13511]
12501 
12502 1807.	[bug]		When forwarding (forward only) set the active domain
12503 			from the forward zone name. [RT #13526]
12504 
12505 1806.	[bug]		The resolver returned the wrong result when a CNAME /
12506 			DNAME was encountered when fetching glue from a
12507 			secure namespace. [RT #13501]
12508 
12509 1805.	[bug]		Pending status was not being cleared when DLV was
12510 			active. [RT #13501]
12511 
12512 1804.	[bug]		Ensure that if we are queried for glue that it fits
12513 			in the additional section or TC is set to tell the
12514 			client to retry using TCP. [RT #10114]
12515 
12516 1803.	[bug]		dnssec-signzone sometimes failed to remove old
12517 			RRSIGs. [RT #13483]
12518 
12519 1802.	[bug]		Handle connection resets better. [RT #11280]
12520 
12521 1801.	[func]		Report differences between hints and real NS rrset
12522 			and associated address records.
12523 
12524 1800.	[bug]		Changes #1719 allowed a INSIST to be triggered.
12525 			[RT #13428]
12526 
12527 1799.	[bug]		'rndc flushname' failed to flush negative cache
12528 			entries. [RT #13438]
12529 
12530 1798.	[func]		The server syntax has been extended to support a
12531 			range of servers.  [RT #11132]
12532 
12533 1797.	[func]		named-checkconf now check acls to verify that they
12534 			only refer to existing acls. [RT #13101]
12535 
12536 1796.	[func]		"rndc freeze/thaw" now freezes/thaws all zones.
12537 
12538 1795.	[bug]		"rndc dumpdb" was not fully documented.  Minor
12539 			formatting issues with "rndc dumpdb -all".  [RT #13396]
12540 
12541 1794.	[func]		Named and named-checkzone can now both check for
12542 			non-terminal wildcard records.
12543 
12544 1793.	[func]		Extend adjusting TTL warning messages. [RT #13378]
12545 
12546 1792.	[func]		New zone option "notify-delay".  Specify a minimum
12547 			delay between sets of NOTIFY messages.
12548 
12549 1791.	[bug]		'host -t a' still printed out AAAA and MX records.
12550 			[RT #13230]
12551 
12552 1790.	[cleanup]	Move lib/dns/sec/dst up into lib/dns.  This should
12553 			allow parallel make to succeed.
12554 
12555 1789.	[bug]		Prerequisite test for tkey and dnssec could fail
12556 			with "configure --with-libtool".
12557 
12558 1788.	[bug]		libbind9.la/libbind9.so needs to link against
12559 			libisccfg.la/libisccfg.so.
12560 
12561 1787.	[port]		HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings.
12562 
12563 1786.	[port]		AIX: libt_api needs to be taught to look for
12564 			T_testlist in the main executable (--with-libtool).
12565 			[RT #13239]
12566 
12567 1785.	[bug]		libbind9.la/libbind9.so needs to link against
12568 			libisc.la/libisc.so.
12569 
12570 1784.	[cleanup]	"libtool -allow-undefined" is the default.
12571 			Leave hooks in configure to allow it to be set
12572 			if needed in the future.
12573 
12574 1783.	[cleanup]	We only need one copy of libtool.m4, ltmain.sh in the
12575 			source tree.
12576 
12577 1782.	[port]		OSX: --with-libtool + --enable-libbind broke on
12578 			__evOptMonoTime.  [RT #13219]
12579 
12580 1781.	[port]		FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810]
12581 
12582 1780.	[bug]		Update libtool to 1.5.10.
12583 
12584 1779.	[port]		OSF 5.1: libtool didn't handle -pthread correctly.
12585 
12586 1778.	[port]		HUX 11.11: fix broken IN6ADDR_ANY_INIT and
12587 			IN6ADDR_LOOPBACK_INIT macros.
12588 
12589 1777.	[port]		OSF 5.1: fix broken IN6ADDR_ANY_INIT and
12590 			IN6ADDR_LOOPBACK_INIT macros.
12591 
12592 1776.	[port]		Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
12593 			IN6ADDR_LOOPBACK_INIT macros.
12594 
12595 1775.	[bug]		Only compile getnetent_r.c when threaded. [RT #13205]
12596 
12597 1774.	[port]		Aix: Silence compiler warnings / build failures.
12598 			[RT #13154]
12599 
12600 1773.	[bug]		Fast retry on host / net unreachable. [RT #13153]
12601 
12602 1772.	[placeholder]
12603 
12604 1771.	[placeholder]
12605 
12606 1770.	[bug]		named-checkconf failed to report missing a missing
12607 			file clause for rbt{64} master/hint zones. [RT #13009]
12608 
12609 1769.	[port]		win32: change compiler flags /MTd ==> /MDd,
12610 			/MT ==> /MD.
12611 
12612 1768.	[bug]		nsecnoexistnodata() could be called with a non-NSEC
12613 			rdataset. [RT #12907]
12614 
12615 1767.	[port]		Builds on IPv6 platforms without IPv6 Advanced API
12616 			support for (struct in6_pktinfo) failed.  [RT #13077]
12617 
12618 1766.	[bug]		Update the master file timestamp on successful refresh
12619 			as well as the journal's timestamp. [RT #13062]
12620 
12621 1765.	[bug]		configure --with-openssl=auto failed. [RT #12937]
12622 
12623 1764.	[bug]		dns_zone_replacedb failed to emit a error message
12624 			if there was no SOA record in the replacement db.
12625 			[RT #13016]
12626 
12627 1763.	[func]		Perform sanity checks on NS records which refer to
12628 			'in zone' names. [RT #13002]
12629 
12630 1762.	[bug]		isc_interfaceiter_create() could return ISC_R_SUCCESS
12631 			even when it failed. [RT #12995]
12632 
12633 1761.	[bug]		'rndc dumpdb' didn't report unassociated entries.
12634 			[RT #12971]
12635 
12636 1760.	[bug]		Host / net unreachable was not penalising rtt
12637 			estimates. [RT #12970]
12638 
12639 1759.	[bug]		Named failed to startup if the OS supported IPv6
12640 			but had no IPv6 interfaces configured. [RT #12942]
12641 
12642 1758.	[func]		Don't send notify messages to self. [RT #12933]
12643 
12644 1757.	[func]		host now can turn on memory debugging flags with '-m'.
12645 
12646 1756.	[func]		named-checkconf now checks the logging configuration.
12647 			[RT #12352]
12648 
12649 1755.	[func]		allow-update is now settable at the options / view
12650 			level. [RT #6636]
12651 
12652 1754.	[bug]		We weren't always attempting to query the parent
12653 			server for the DS records at the zone cut.
12654 			[RT #12774]
12655 
12656 1753.	[bug]		Don't serve a slave zone which has no NS records.
12657 			[RT #12894]
12658 
12659 1752.	[port]		Move isc_app_start() to after ns_os_daemonise()
12660 			as some fork() implementations unblock the signals
12661 			that are blocked by isc_app_start(). [RT #12810]
12662 
12663 1751.	[bug]		--enable-getifaddrs failed under linux. [RT #12867]
12664 
12665 1750.	[port]		lib/bind/make/rules.in:subdirs was not bash friendly.
12666 			[RT #12864]
12667 
12668 1749.	[bug]		'check-names response ignore;' failed to ignore.
12669 			[RT #12866]
12670 
12671 1748.	[func]		dig now returns the byte count for axfr/ixfr.
12672 
12673 1747.	[bug]		BIND 8 compatibility: named/named-checkconf failed
12674 			to parse "host-statistics-max" in named.conf.
12675 
12676 1746.	[func]		Make public the function to read a key file,
12677 			dst_key_read_public(). [RT #12450]
12678 
12679 1745.	[bug]		Dig/host/nslookup accept replies from link locals
12680 			regardless of scope if no scope was specified when
12681 			query was sent. [RT #12745]
12682 
12683 1744.	[bug]		If tuple2msgname() failed to convert a tuple to
12684 			a name a REQUIRE could be triggered. [RT #12796]
12685 
12686 1743.	[bug]		If isc_taskmgr_create() was not able to create the
12687 			requested number of worker threads then destruction
12688 			of the manager would trigger an INSIST() failure.
12689 			[RT #12790]
12690 
12691 1742.	[bug]		Deleting all records at a node then adding a
12692 			previously existing record, in a single UPDATE
12693 			transaction, failed to leave / regenerate the
12694 			associated RRSIG records. [RT #12788]
12695 
12696 1741.	[bug]		Deleting all records at a node in a secure zone
12697 			using a update-policy grant failed. [RT #12787]
12698 
12699 1740.	[bug]		Replace rbt's hash algorithm as it performed badly
12700 			with certain zones. [RT #12729]
12701 
12702 			NOTE: a hash context now needs to be established
12703 			via isc_hash_create() if the application was not
12704 			already doing this.
12705 
12706 1739.	[bug]		dns_rbt_deletetree() could incorrectly return
12707 			ISC_R_QUOTA.  [RT #12695]
12708 
12709 1738.	[bug]		Enable overrun checking by default. [RT #12695]
12710 
12711 1737.	[bug]		named failed if more than 16 masters were specified.
12712 			[RT #12627]
12713 
12714 1736.	[bug]		dst_key_fromnamedfile() could fail to read a
12715 			public key. [RT #12687]
12716 
12717 1735.	[bug]		'dig +sigtrace' could die with a REQUIRE failure.
12718 			[RE #12688]
12719 
12720 1734.	[cleanup]	'rndc-confgen -a -t' remove extra '/' in path.
12721 			[RT #12588]
12722 
12723 1733.	[bug]		Return non-zero exit status on initial load failure.
12724 			[RT #12658]
12725 
12726 1732.	[bug]		'rrset-order name "*"' wasn't being applied to ".".
12727 			[RT #12467]
12728 
12729 1731.	[port]		darwin: relax version test in ifconfig.sh.
12730 			[RT #12581]
12731 
12732 1730.	[port]		Determine the length type used by the socket API.
12733 			[RT #12581]
12734 
12735 1729.	[func]		Improve check-names error messages.
12736 
12737 1728.	[doc]		Update check-names documentation.
12738 
12739 1727.	[bug]		named-checkzone: check-names support didn't match
12740 			documentation.
12741 
12742 1726.	[port]		aix5: add support for aix5.
12743 
12744 1725.	[port]		linux: update error message on interaction of threads,
12745 			capabilities and setuid support (named -u). [RT #12541]
12746 
12747 1724.	[bug]		Look for DNSKEY records with "dig +sigtrace".
12748 			[RT #12557]
12749 
12750 1723.	[cleanup]	Silence compiler warnings from t_tasks.c. [RT #12493]
12751 
12752 1722.	[bug]		Don't commit the journal on malformed ixfr streams.
12753 			[RT #12519]
12754 
12755 1721.	[bug]		Error message from the journal processing were not
12756 			always identifying the relevant journal. [RT #12519]
12757 
12758 1720.	[bug]		'dig +chase' did not terminate on a RFC 2308 Type 1
12759 			negative response. [RT #12506]
12760 
12761 1719.	[bug]		named was not correctly caching a RFC 2308 Type 1
12762 			negative response. [RT #12506]
12763 
12764 1718.	[bug]		nsupdate was not handling RFC 2308 Type 3 negative
12765 			responses when looking for the zone / master server.
12766 			[RT #12506]
12767 
12768 1717.	[port]		solaris: ifconfig.sh did not support Solaris 10.
12769 			"ifconfig.sh down" didn't work for Solaris 9.
12770 
12771 1716.	[doc]		named.conf(5) was being installed in the wrong
12772 			location.  [RT #12441]
12773 
12774 1715.	[func]		'dig +trace' now randomly selects the next servers
12775 			to try.  Report if there is a bad delegation.
12776 
12777 1714.	[bug]		dig/host/nslookup were only trying the first
12778 			address when a nameserver was specified by name.
12779 			[RT #12286]
12780 
12781 1713.	[port]		linux: extend capset failure message to say:
12782 			please ensure that the capset kernel module is
12783 			loaded.  see insmod(8)
12784 
12785 1712.	[bug]		Missing FULLCHECK for "trusted-key" in dig.
12786 
12787 1711.	[func]		'rndc unfreeze' has been deprecated by 'rndc thaw'.
12788 
12789 1710.	[func]		'rndc notify zone [class [view]]' resend the NOTIFY
12790 			messages for the specified zone. [RT #9479]
12791 
12792 1709.	[port]		solaris: add SMF support from Sun.
12793 
12794 1708.	[cleanup]	Replaced dns_fullname_hash() with dns_name_fullhash()
12795 			for conformance to the name space convention.  Binary
12796 			backward compatibility to the old function name is
12797 			provided. [RT #12376]
12798 
12799 1707.	[contrib]	sdb/ldap updated to version 1.0-beta.
12800 
12801 1706.	[bug]		'rndc stop' failed to cause zones to be flushed
12802 			sometimes. [RT #12328]
12803 
12804 1705.	[func]		Allow the journal's name to be changed via named.conf.
12805 
12806 1704.	[port]		lwres needed a snprintf() implementation for
12807 			platforms without snprintf().  Add missing
12808 			"#include <isc/print.h>". [RT #12321]
12809 
12810 1703.	[bug]		named would loop sending NOTIFY messages when it
12811 			failed to receive a response. [RT #12322]
12812 
12813 1702.	[bug]		also-notify should not be applied to built in zones.
12814 			[RT #12323]
12815 
12816 1701.	[doc]		A minimal named.conf man page.
12817 
12818 1700.	[func]		nslookup is no longer to be treated as deprecated.
12819 			Remove "deprecated" warning message.  Add man page.
12820 
12821 1699.	[bug]		dnssec-signzone can generate "not exact" errors
12822 			when resigning. [RT #12281]
12823 
12824 1698.	[doc]		Use reserved IPv6 documentation prefix.
12825 
12826 1697.	[bug]		xxx-source{,-v6} was not effective when it
12827 			specified one of listening addresses and a
12828 			different port than the listening port. [RT #12257]
12829 
12830 1696.	[bug]		dnssec-signzone failed to clean out nodes that
12831 			consisted of only NSEC and RRSIG records.
12832 			[RT #12154]
12833 
12834 1695.	[bug]		DS records when forwarding require special handling.
12835 			[RT #12133]
12836 
12837 1694.	[bug]		Report if the builtin views of "_default" / "_bind"
12838 			are defined in named.conf. [RT #12023]
12839 
12840 1693.	[bug]		max-journal-size was not effective for master zones
12841 			with ixfr-from-differences set. [RT #12024]
12842 
12843 1692.	[bug]		Don't set -I, -L and -R flags when libcrypto is in
12844 			/usr/lib. [RT #11971]
12845 
12846 1691.	[bug]		sdb's attachversion was not complete. [RT #11990]
12847 
12848 1690.	[bug]		Delay detaching view from the client until UPDATE
12849 			processing completes when shutting down. [RT #11714]
12850 
12851 1689.	[bug]		DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros
12852 			contained gratuitous semicolons. [RT #11707]
12853 
12854 1688.	[bug]		LDFLAGS was not supported.
12855 
12856 1687.	[bug]		Race condition in dispatch. [RT #10272]
12857 
12858 1686.	[bug]		Named sent a extraneous NOTIFY when it received a
12859 			redundant UPDATE request. [RT #11943]
12860 
12861 1685.	[bug]		Change #1679 loop tests weren't quite right.
12862 
12863 1684.	[func]		ixfr-from-differences now takes master and slave in
12864 			addition to yes and no at the options and view levels.
12865 
12866 1683.	[bug]		dig +sigchase could leak memory. [RT #11445]
12867 
1