"Fossies" - the Fresh Open Source Software Archive

Member "bind-9.17.18/CHANGES" (7 Sep 2021, 663116 Bytes) of package /linux/misc/dns/bind9/9.17.18/bind-9.17.18.tar.xz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "CHANGES": 9.17.17_vs_9.17.18.

    1 	--- 9.17.18 released ---
    2 
    3 5711.	[bug]		"map" files exceeding 2GB in size failed to load due to
    4 			a size comparison that incorrectly treated the file size
    5 			as a signed integer. [GL #2878]
    6 
    7 5710.	[placeholder]
    8 
    9 5709.	[func]		When reporting zone types in the statistics channel, the
   10 			terms "primary" and "secondary" are now used instead of
   11 			"master" and "slave", respectively. Enum values
   12 			throughout the code have been updated to use this
   13 			terminology as well. [GL #1944]
   14 
   15 5708.	[placeholder]
   16 
   17 5707.	[bug]		A bug was fixed which prevented dig from querying
   18 			DNS-over-HTTPS (DoH) servers via IPv6. [GL #2860]
   19 
   20 5706.	[cleanup]	Support for external applications to register with
   21 			libisc and use it has been removed. Export versions of
   22 			BIND 9 libraries have not been supported for some time,
   23 			but the isc_lib_register() function was still available;
   24 			it has now been removed. [GL !2420]
   25 
   26 5705.	[bug]		Change #5686 altered the internal memory structure of
   27 			zone databases, but neglected to update the MAPAPI value
   28 			for zone files in "map" format. This caused named to
   29 			attempt to load incompatible map files, triggering an
   30 			assertion failure on startup. The MAPAPI value has now
   31 			been updated, so named rejects outdated files when
   32 			encountering them. [GL #2872]
   33 
   34 5704.	[bug]		Change #5317 caused the EDNS TCP Keepalive option to be
   35 			ignored inadvertently in client requests. It has now
   36 			been fixed and this option is handled properly again.
   37 			[GL #1927]
   38 
   39 5703.	[bug]		Fix a crash in dig caused by closing an HTTP/2 socket
   40 			associated with an unused HTTP/2 session. [GL #2858]
   41 
   42 5702.	[bug]		Improve compatibility with DNS-over-HTTPS (DoH) clients
   43 			by allowing HTTP/2 request headers in any order.
   44 			[GL #2875]
   45 
   46 5701.	[bug]		named-checkconf failed to detect syntactically invalid
   47 			values of the "key" and "tls" parameters used to define
   48 			members of remote server lists. [GL #2461]
   49 
   50 5700.	[bug]		When a member zone was removed from a catalog zone,
   51 			journal files for the former were not deleted.
   52 			[GL #2842]
   53 
   54 5699.	[func]		Data structures holding DNSSEC signing statistics are
   55 			now grown and shrunk as necessary upon key rollover
   56 			events. [GL #1721]
   57 
   58 5698.	[bug]		When a DNSSEC-signed zone which only has a single
   59 			signing key available is migrated to use KASP, that key
   60 			is now treated as a Combined Signing Key (CSK).
   61 			[GL #2857]
   62 
   63 5697.	[func]		dnssec-cds now only generates SHA-2 DS records by
   64 			default and avoids copying deprecated SHA-1 records from
   65 			a child zone to its delegation in the parent. If the
   66 			child zone does not publish SHA-2 CDS records,
   67 			dnssec-cds will generate them from the CDNSKEY records.
   68 			The "-a algorithm" option now affects the process of
   69 			generating DS digest records from both CDS and CDNSKEY
   70 			records. Thanks to Tony Finch. [GL #2871]
   71 
   72 5696.	[protocol]	Support for HTTPS and SVCB record types has been added.
   73 			[GL #1132]
   74 
   75 5695.	[func]		Add a new dig command-line option, "+showbadcookie",
   76 			which causes a BADCOOKIE response message to be
   77 			displayed when it is received from the server.
   78 			[GL #2319]
   79 
   80 5694.	[bug]		Stale data in the cache could cause named to send
   81 			non-minimized queries despite QNAME minimization being
   82 			enabled. [GL #2665]
   83 
   84 5693.	[func]		Restore support for reading "timeout" and "attempts"
   85 			options from /etc/resolv.conf, and use their values in
   86 			dig, host, and nslookup. (This was previously supported
   87 			by liblwres, and was still mentioned in the man pages,
   88 			but had stopped working after liblwres was deprecated in
   89 			favor of libirs.) [GL #2785]
   90 
   91 5692.	[bug]		Fix a rare crash in DNS-over-HTTPS (DoH) code caused by
   92 			detaching from an HTTP/2 session handle too early when
   93 			sending data. [GL #2851]
   94 
   95 5691.	[bug]		When a dynamic zone was made available in another view
   96 			using the "in-view" statement, running "rndc freeze"
   97 			always reported an "already frozen" error even though
   98 			the zone was successfully frozen. [GL #2844]
   99 
  100 5690.	[func]		dnssec-signzone now honors Predecessor and Successor
  101 			metadata found in private key files: if a signature for
  102 			an RRset generated by the inactive predecessor exists
  103 			and does not need to be replaced, no additional
  104 			signature is now created for that RRset using the
  105 			successor key. This enables dnssec-signzone to gradually
  106 			replace RRSIGs during a ZSK rollover. [GL #1551]
  107 
  108 	--- 9.17.17 released ---
  109 
  110 5689.	[security]	An assertion failure occurred when named attempted to
  111 			send a UDP packet that exceeded the MTU size, if
  112 			Response Rate Limiting (RRL) was enabled.
  113 			(CVE-2021-25218) [GL #2856]
  114 
  115 5688.	[bug]		Zones using KASP and inline-signed zones failed to apply
  116 			changes from the unsigned zone to the signed zone under
  117 			certain circumstances. This has been fixed. [GL #2735]
  118 
  119 5687.	[bug]		"rndc reload <zonename>" could trigger a redundant
  120 			reload for an inline-signed zone whose zone file was not
  121 			modified since the last "rndc reload". This has been
  122 			fixed. [GL #2855]
  123 
  124 5686.	[func]		The number of internal data structures allocated for
  125 			each zone was reduced. [GL #2829]
  126 
  127 5685.	[bug]		named failed to check the opcode of responses when
  128 			performing zone refreshes, stub zone updates, and UPDATE
  129 			forwarding. This has been fixed. [GL #2762]
  130 
  131 5684.	[func]		The DNS-over-HTTP (DoH) configuration syntax was
  132 			extended:
  133 			- The maximum number of active DoH connections can now
  134 			  be set using the "http-listener-clients" option. The
  135 			  default is 300.
  136 			- The maximum number of concurrent HTTP/2 streams per
  137 			  connection can now be set using the
  138 			  "http-streams-per-connection" option. The default is
  139 			  100.
  140 			- Both of these values can also be set on a per-listener
  141 			  basis using the "listener-clients" and
  142 			  "streams-per-connection" parameters in an "http"
  143 			  statement.
  144 			[GL #2809]
  145 
  146 5683.	[bug]		The configuration-checking code now verifies HTTP paths.
  147 			[GL !5231]
  148 
  149 5682.	[bug]		Some changes to "zone-statistics" settings were not
  150 			properly processed by "rndc reconfig". This has been
  151 			fixed. [GL #2820]
  152 
  153 5681.	[func]		Relax the checks in the dns_zone_cdscheck() function to
  154 			allow CDS and CDNSKEY records in the zone that do not
  155 			match an existing DNSKEY record, as long as the
  156 			algorithm matches. This allows a clean rollover from one
  157 			provider to another in a multi-signer DNSSEC
  158 			configuration. [GL #2710]
  159 
  160 5680.	[bug]		HTTP GET requests without query strings caused a crash
  161 			in DoH code. This has been fixed. [GL !5268]
  162 
  163 5679.	[func]		Thread affinity is no longer set. [GL #2822]
  164 
  165 5678.	[bug]		The "check DS" code failed to release all resources upon
  166 			named shutdown when a refresh was in progress. This has
  167 			been fixed. [GL #2811]
  168 
  169 5677.	[func]		Previously, named accepted FORMERR responses both with
  170 			and without an OPT record, as an indication that a given
  171 			server did not support EDNS. To implement full
  172 			compliance with RFC 6891, only FORMERR responses without
  173 			an OPT record are now accepted. This intentionally
  174 			breaks communication with servers that do not support
  175 			EDNS and that incorrectly echo back the query message
  176 			with the RCODE field set to FORMERR and the QR bit set
  177 			to 1. [GL #2249]
  178 
  179 5676.	[func]		Memory allocation has been substantially refactored; it
  180 			is now based on the memory allocation API provided by
  181 			the jemalloc library, which is a new optional build
  182 			dependency for BIND 9. [GL #2433]
  183 
  184 5675.	[bug]		Compatibility with DoH clients has been improved by
  185 			ignoring the value of the "Accept" HTTP header.
  186 			[GL !5246]
  187 
  188 5674.	[bug]		A shutdown hang was triggered by DoH clients prematurely
  189 			aborting HTTP/2 streams. This has been fixed. [GL !5245]
  190 
  191 5673.	[func]		Add a new build-time option, --disable-doh, to allow
  192 			building BIND 9 without the libnghttp2 library.
  193 			[GL #2478]
  194 
  195 5672.	[bug]		Authentication of rndc messages could fail if a
  196 			"controls" statement was configured with multiple key
  197 			algorithms for the same listener. This has been fixed.
  198 			[GL #2756]
  199 
  200 	--- 9.17.16 released ---
  201 
  202 5671.	[bug]		A race condition could occur where two threads were
  203 			competing for the same set of key file locks, leading to
  204 			a deadlock. This has been fixed. [GL #2786]
  205 
  206 5670.	[bug]		create_keydata() created an invalid placeholder keydata
  207 			record upon a refresh failure, which prevented the
  208 			database of managed keys from subsequently being read
  209 			back. This has been fixed. [GL #2686]
  210 
  211 5669.	[func]		KASP support was extended with the "check DS" feature.
  212 			Zones with "dnssec-policy" and "parental-agents"
  213 			configured now check for DS presence and can perform
  214 			automatic KSK rollovers. [GL #1126]
  215 
  216 5668.	[bug]		Rescheduling a setnsec3param() task when a zone failed
  217 			to load on startup caused a hang on shutdown. This has
  218 			been fixed. [GL #2791]
  219 
  220 5667.	[bug]		The configuration-checking code failed to account for
  221 			the inheritance rules of the "dnssec-policy" option.
  222 			This has been fixed. [GL #2780]
  223 
  224 5666.	[doc]		The safe "edns-udp-size" value was tweaked to match the
  225 			probing value from BIND 9.16 for better compatibility.
  226 			[GL #2183]
  227 
  228 5665.	[bug]		If nsupdate sends an SOA request and receives a REFUSED
  229 			response, it now fails over to the next available
  230 			server. [GL #2758]
  231 
  232 5664.	[func]		For UDP messages larger than the path MTU, named now
  233 			sends an empty response with the TC (TrunCated) bit set.
  234 			In addition, setting the DF (Don't Fragment) flag on
  235 			outgoing UDP sockets was re-enabled. [GL #2790]
  236 
  237 5663.	[bug]		Non-zero OPCODEs are now properly handled when receiving
  238 			queries over DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH)
  239 			channels. [GL #2787]
  240 
  241 5662.	[bug]		Views with recursion disabled are now configured with a
  242 			default cache size of 2 MB unless "max-cache-size" is
  243 			explicitly set. This prevents cache RBT hash tables from
  244 			being needlessly preallocated for such views. [GL #2777]
  245 
  246 5661.	[bug]		Change 5644 inadvertently introduced a deadlock: when
  247 			locking the key file mutex for each zone structure in a
  248 			different view, the "in-view" logic was not considered.
  249 			This has been fixed. [GL #2783]
  250 
  251 5660.	[bug]		The configuration-checking code failed to account for
  252 			the inheritance rules of the "key-directory" option.
  253 			[GL #2778]
  254 
  255 			This change was included in BIND 9.17.15.
  256 
  257 5659.	[bug]		When preparing DNS responses, named could replace the
  258 			letters 'W' (uppercase) and 'w' (lowercase) with '\000'.
  259 			This has been fixed. [GL #2779]
  260 
  261 			This change was included in BIND 9.17.15.
  262 
  263 5658.	[bug]		Increasing "max-cache-size" for a running named instance
  264 			(using "rndc reconfig") did not cause the hash tables
  265 			used by cache databases to be grown accordingly. This
  266 			has been fixed. [GL #2770]
  267 
  268 5657.	[cleanup]	Support was removed for both built-in atomics in old
  269 			versions of Clang (< 3.6.0) and GCC (< 4.7.0), and
  270 			atomics emulated with a mutex. [GL #2606]
  271 
  272 5656.	[bug]		Named now ensures that large responses work correctly
  273 			over DNS-over-HTTPS (DoH), and that zone transfer
  274 			requests over DoH are explicitly rejected. [GL !5148]
  275 
  276 5655.	[bug]		Signed, insecure delegation responses prepared by named
  277 			either lacked the necessary NSEC records or contained
  278 			duplicate NSEC records when both wildcard expansion and
  279 			CNAME chaining were required to prepare the response.
  280 			This has been fixed. [GL #2759]
  281 
  282 5654.	[port]		Windows support has been removed. [GL #2690]
  283 
  284 5653.	[bug]		A bug that caused the NSEC3 salt to be changed on every
  285 			restart for zones using KASP has been fixed. [GL #2725]
  286 
  287 	--- 9.17.14 released ---
  288 
  289 5652.	[bug]		A copy-and-paste error in change 5584 caused the
  290 			IP_DONTFRAG socket option to be enabled instead of
  291 			disabled. This has been fixed. [GL #2746]
  292 
  293 5651.	[func]		Refactor zone dumping to be processed asynchronously via
  294 			the uv_work_t thread pool API. [GL #2732]
  295 
  296 5650.	[bug]		Prevent a crash that could occur if serve-stale was
  297 			enabled and a prefetch was triggered during a query
  298 			restart. [GL #2733]
  299 
  300 5649.	[bug]		If a query was answered with stale data on a server with
  301 			DNS64 enabled, an assertion could occur if a non-stale
  302 			answer arrived afterward. [GL #2731]
  303 
  304 5648.	[bug]		The calculation of the estimated IXFR transaction size
  305 			in dns_journal_iter_init() was invalid. [GL #2685]
  306 
  307 5647.	[func]		The interface manager has been refactored to use fewer
  308 			client manager objects, which in turn use fewer memory
  309 			contexts and tasks. This should result in less
  310 			fragmented memory and better startup performance.
  311 			[GL #2433]
  312 
  313 5646.	[bug]		The default TCP timeout for rndc has been increased to
  314 			60 seconds. This was its original value, but it had been
  315 			inadvertently lowered to 10 when rndc was updated to use
  316 			the network manager. [GL #2643]
  317 
  318 5645.	[cleanup]	Remove the rarely-used dns_name_copy() function and
  319 			rename dns_name_copynf() to dns_name_copy(). [GL !5081]
  320 
  321 5644.	[bug]		Fix a race condition in reading and writing key files
  322 			for zones using KASP and configured in multiple views.
  323 			[GL #1875]
  324 
  325 5643.	[placeholder]
  326 
  327 5642.	[bug]		Zones which are configured in multiple views with
  328 			different values set for "dnssec-policy" and with
  329 			identical values set for "key-directory" are now
  330 			detected and treated as a configuration error.
  331 			[GL #2463]
  332 
  333 5641.	[bug]		Address a potential memory leak in
  334 			dst_key_fromnamedfile(). [GL #2689]
  335 
  336 5640.	[func]		Add new configuration options for setting the size of
  337 			receive and send buffers in the operating system:
  338 			"tcp-receive-buffer", "tcp-send-buffer",
  339 			"udp-receive-buffer", and "udp-send-buffer". [GL #2313]
  340 
  341 5639.	[bug]		Check that the first and last SOA record of an AXFR are
  342 			consistent. [GL #2528]
  343 
  344 	--- 9.17.13 released ---
  345 
  346 5638.	[bug]		Improvements related to network manager/task manager
  347 			integration:
  348 			- isc_managers_create() and isc_managers_destroy()
  349 			  functions were added to handle setup and teardown of
  350 			  netmgr, taskmgr, timermgr, and socketmgr, since these
  351 			  require a precise order of operations now.
  352 			- Event queue processing is now quantized to prevent
  353 			  infinite looping.
  354 			- The netmgr can now be paused from within a netmgr
  355 			  thread.
  356 			- Deadlocks due to a conflict between netmgr's
  357 			  pause/resume and listen/stoplistening operations were
  358 			  fixed.
  359 			[GL #2654]
  360 
  361 5637.	[placeholder]
  362 
  363 5636.	[bug]		named and named-checkconf did not report an error when
  364 			multiple zones with the "dnssec-policy" option set were
  365 			using the same zone file. This has been fixed.
  366 			[GL #2603]
  367 
  368 5635.	[bug]		Journal compaction could fail when a journal with
  369 			invalid transaction headers was not detected at startup.
  370 			This has been fixed. [GL #2670]
  371 
  372 5634.	[bug]		If "dnssec-policy" was active and a private key file was
  373 			temporarily offline during a rekey event, named could
  374 			incorrectly introduce replacement keys and break a
  375 			signed zone. This has been fixed. [GL #2596]
  376 
  377 5633.	[doc]		The "inline-signing" option was incorrectly described as
  378 			being inherited from the "options"/"view" levels and was
  379 			incorrectly accepted at those levels without effect.
  380 			This has been fixed. [GL #2536]
  381 
  382 5632.	[func]		Add a new built-in KASP, "insecure", which is used to
  383 			transition a zone from a signed to an unsigned state.
  384 			The existing built-in KASP "none" should no longer be
  385 			used to unsign a zone. [GL #2645]
  386 
  387 5631.	[protocol]	Update the implementation of the ZONEMD RR type to match
  388 			RFC 8976. [GL #2658]
  389 
  390 5630.	[func]		Treat DNSSEC responses containing NSEC3 records with
  391 			iteration counts greater than 150 as insecure.
  392 			[GL #2445]
  393 
  394 5629.	[func]		Reduce the maximum supported number of NSEC3 iterations
  395 			that can be configured for a zone to 150. [GL #2642]
  396 
  397 5628.	[bug]		Host and nslookup could crash upon receiving a SERVFAIL
  398 			response. This has been fixed. [GL #2564]
  399 
  400 5627.	[bug]		RRSIG(SOA) RRsets placed anywhere other than at the zone
  401 			apex were triggering infinite resigning loops. This has
  402 			been fixed. [GL #2650]
  403 
  404 5626.	[bug]		When generating zone signing keys, KASP now also checks
  405 			for key ID conflicts among newly created keys, rather
  406 			than just between new and existing ones. [GL #2628]
  407 
  408 5625.	[bug]		A deadlock could occur when multiple "rndc addzone",
  409 			"rndc delzone", and/or "rndc modzone" commands were
  410 			invoked simultaneously for different zones. This has
  411 			been fixed. [GL #2626]
  412 
  413 5624.	[func]		Task manager events are now processed inside network
  414 			manager loops. The task manager no longer needs its own
  415 			set of worker threads, which improves resolver
  416 			performance. [GL #2638]
  417 
  418 5623.	[bug]		When named was shut down during an ongoing zone
  419 			transfer, xfrin_fail() could incorrectly be called
  420 			twice. This has been fixed. [GL #2630]
  421 
  422 5622.	[cleanup]	The lib/samples/ directory has been removed, as export
  423 			versions of libraries are no longer maintained.
  424 			[GL !4835]
  425 
  426 5621.	[placeholder]
  427 
  428 5620.	[bug]		If zone journal files written by BIND 9.16.11 or earlier
  429 			were present when BIND was upgraded, the zone file for
  430 			that zone could have been inadvertently rewritten with
  431 			the current zone contents. This caused the original zone
  432 			file structure (e.g. comments, $INCLUDE directives) to
  433 			be lost, although the zone data itself was preserved.
  434 			This has been fixed. [GL #2623]
  435 
  436 5619.	[protocol]	Implement draft-vandijk-dnsop-nsec-ttl, updating the
  437 			protocol such that NSEC(3) TTL values are set to the
  438 			minimum of the SOA MINIMUM value or the SOA TTL.
  439 			[GL #2347]
  440 
  441 5618.	[bug]		Change 5149 introduced some inconsistencies in the way
  442 			record TTLs were presented in cache dumps. These
  443 			inconsistencies have been eliminated. [GL #389]
  444 			[GL #2289]
  445 
  446 	--- 9.17.12 released ---
  447 
  448 5617.	[placeholder]
  449 
  450 5616.	[security]	named crashed when a DNAME record placed in the ANSWER
  451 			section during DNAME chasing turned out to be the final
  452 			answer to a client query. (CVE-2021-25215) [GL #2540]
  453 
  454 5615.	[security]	Insufficient IXFR checks could result in named serving a
  455 			zone without an SOA record at the apex, leading to a
  456 			RUNTIME_CHECK assertion failure when the zone was
  457 			subsequently refreshed. This has been fixed by adding an
  458 			owner name check for all SOA records which are included
  459 			in a zone transfer. (CVE-2021-25214) [GL #2467]
  460 
  461 5614.	[bug]		Ensure all resources are properly cleaned up when a call
  462 			to gss_accept_sec_context() fails. [GL #2620]
  463 
  464 5613.	[bug]		It was possible to write an invalid transaction header
  465 			in the journal file for a managed-keys database after
  466 			upgrading. This has been fixed. Invalid headers in
  467 			existing journal files are detected and named is able
  468 			to recover from them. [GL #2600]
  469 
  470 5612.	[bug]		Continued refactoring of the network manager:
  471 			- allow recovery from read and connect timeout events,
  472 			- ensure that calls to isc_nm_*connect() always
  473 			  return the connection status via a callback
  474 			  function.
  475 			[GL #2401]
  476 
  477 5611.	[func]		Set "stale-answer-client-timeout" to "off" by default.
  478 			[GL #2608]
  479 
  480 5610.	[bug]		Prevent a crash which could happen when a lookup
  481 			triggered by "stale-answer-client-timeout" was attempted
  482 			right after recursion for a client query finished.
  483 			[GL #2594]
  484 
  485 5609.	[func]		The ISC implementation of SPNEGO was removed from BIND 9
  486 			source code. It was no longer necessary as all major
  487 			contemporary Kerberos/GSSAPI libraries include support
  488 			for SPNEGO. [GL #2607]
  489 
  490 5608.	[bug]		When sending queries over TCP, dig now properly handles
  491 			"+tries=1 +retry=0" by not retrying the connection when
  492 			the remote server closes the connection prematurely.
  493 			[GL #2490]
  494 
  495 5607.	[bug]		As "rndc dnssec -checkds" and "rndc dnssec -rollover"
  496 			commands may affect the next scheduled key event,
  497 			reconfiguration of zone keys is now triggered after
  498 			receiving either of these commands to prevent
  499 			unnecessary key rollover delays. [GL #2488]
  500 
  501 5606.	[bug]		CDS/CDNSKEY DELETE records are now removed when a zone
  502 			transitions from a secure to an insecure state.
  503 			named-checkzone also no longer reports an error when
  504 			such records are found in an unsigned zone. [GL #2517]
  505 
  506 5605.	[bug]		"dig -u" now uses the CLOCK_REALTIME clock source for
  507 			more accurate time reporting. [GL #2592]
  508 
  509 5604.	[experimental]	A "filter-a.so" plugin, which is similar to the
  510 			"filter-aaaa.so" plugin but which omits A records
  511 			instead of AAAA records, has been added. Thanks to
  512 			GitLab user @treysis. [GL #2585]
  513 
  514 5603.	[placeholder]
  515 
  516 5602.	[bug]		Fix TCPDNS and TLSDNS timers in Network Manager. This
  517 			makes the "tcp-initial-timeout" and "tcp-idle-timeout"
  518 			options work correctly again. [GL #2583]
  519 
  520 5601.	[bug]		Zones using KASP could not be thawed after they were
  521 			frozen using "rndc freeze". This has been fixed.
  522 			[GL #2523]
  523 
  524 5600.	[bug]		Send a full certificate chain instead of just the leaf
  525 			certificate to DNS-over-TLS (DoT) and DNS-over-HTTPS
  526 			(DoH) clients. This makes BIND 9 DoT/DoH servers
  527 			compatible with a broader set of clients. [GL #2514]
  528 
  529 5599.	[bug]		Fix a named crash which occurred after skipping a
  530 			primary server while transferring a zone over TLS.
  531 			[GL #2562]
  532 
  533 5598.	[port]		Silence -Wchar-subscripts compiler warnings triggered on
  534 			some platforms due to calling character classification
  535 			functions declared in the <ctype.h> header with
  536 			arguments of type char. [GL #2567]
  537 
  538 	--- 9.17.11 released ---
  539 
  540 5597.	[bug]		When serve-stale was enabled and starting the recursive
  541 			resolution process for a query failed, a named instance
  542 			could crash if it was configured as both a recursive and
  543 			authoritative server. This problem was introduced by
  544 			change 5573 and has now been fixed. [GL #2565]
  545 
  546 5596.	[func]		Client-side support for DNS-over-HTTPS (DoH) has been
  547 			added to dig. "dig +https" can now query a server via
  548 			HTTP/2. [GL #1641]
  549 
  550 5595.	[cleanup]	Public header files for BIND 9 libraries no longer
  551 			directly include third-party library headers. This
  552 			prevents the need to include paths to third-party header
  553 			files in CFLAGS whenever BIND 9 public header files are
  554 			used, which could cause build-time issues on hosts with
  555 			older versions of BIND 9 installed. [GL #2357]
  556 
  557 5594.	[bug]		Building with --enable-dnsrps --enable-dnsrps-dl failed.
  558 			[GL #2298]
  559 
  560 5593.	[bug]		Journal files written by older versions of named can now
  561 			be read when loading zones, so that journal
  562 			incompatibility does not cause problems on upgrade.
  563 			Outdated journals are updated to the new format after
  564 			loading. [GL #2505]
  565 
  566 5592.	[bug]		Prevent hazard pointer table overflows on machines with
  567 			many cores, by allowing the thread IDs (serving as
  568 			indices into hazard pointer tables) of finished threads
  569 			to be reused by those created later. [GL #2396]
  570 
  571 5591.	[bug]		Fix a crash that occurred when
  572 			"stale-answer-client-timeout" was triggered without any
  573 			(stale) data available in the cache to answer the query.
  574 			[GL #2503]
  575 
  576 5590.	[bug]		NSEC3 records were not immediately created for dynamic
  577 			zones using NSEC3 with "dnssec-policy", resulting in
  578 			such zones going bogus. Add code to process the
  579 			NSEC3PARAM queue at zone load time so that NSEC3 records
  580 			for such zones are created immediately. [GL #2498]
  581 
  582 5589.	[placeholder]
  583 
  584 5588.	[func]		Add a new "purge-keys" option for "dnssec-policy". This
  585 			option determines the period of time for which key files
  586 			are retained after they become obsolete. [GL #2408]
  587 
  588 5587.	[bug]		A standalone libtool script no longer needs to be
  589 			present in PATH to build BIND 9 from a source tarball
  590 			prepared using "make dist". [GL #2504]
  591 
  592 5586.	[bug]		An invalid direction field in a LOC record resulted in
  593 			an INSIST failure when a zone file containing such a
  594 			record was loaded. [GL #2499]
  595 
  596 5585.	[func]		Memory contexts and memory pool implementations were
  597 			refactored to reduce lock contention for shared memory
  598 			contexts by replacing mutexes with atomic operations.
  599 			The internal memory allocator was simplified so that it
  600 			is only a thin wrapper around the system allocator. This
  601 			change made the "-M external" named option redundant and
  602 			it was therefore removed. [GL #2433]
  603 
  604 5584.	[bug]		No longer set the IP_DONTFRAG option on UDP sockets, to
  605 			prevent dropping outgoing packets exceeding
  606 			"max-udp-size". [GL #2466]
  607 
  608 5583.	[func]		Changes to DNS-over-HTTPS (DoH) configuration syntax:
  609 			- When "http" is specified in "listen-on" or
  610 			  "listen-on-v6" statements, "tls" must also now be
  611 			  specified. If an unencrypted connection is desired
  612 			  (for example, when running behind a reverse proxy),
  613 			  use "tls none".
  614 			- "http default" can now be specified in "listen-on" and
  615 			  "listen-on-v6" statements to use the default HTTP
  616 			  endpoint of "/dns-query". It is no longer necessary to
  617 			  include an "http" statement in named.conf unless
  618 			  overriding this value.
  619 			[GL #2472]
  620 
  621 5582.	[bug]		BIND 9 failed to build when static OpenSSL libraries
  622 			were used and the pkg-config files for libssl and/or
  623 			libcrypto were unavailable. This has been fixed by
  624 			ensuring that the correct linking order for libssl and
  625 			libcrypto is always used. [GL #2402]
  626 
  627 5581.	[bug]		Fix a memory leak that occurred when inline-signed zones
  628 			were added to the configuration, followed by a
  629 			reconfiguration of named. [GL #2041]
  630 
  631 5580.	[test]		The system test framework no longer differentiates
  632 			between SKIPPED and UNTESTED system test results. Any
  633 			system test which is not run is now marked as SKIPPED.
  634 			[GL !4517]
  635 
  636 5579.	[bug]		If an invalid key name (e.g. "a..b") was specified in a
  637 			primaries list in named.conf, the wrong size was passed
  638 			to isc_mem_put(), resulting in the returned memory being
  639 			put on the wrong free list. This prevented named from
  640 			starting up. [GL #2460]
  641 
  642 	--- 9.17.10 released ---
  643 
  644 5578.	[protocol]	Make "check-names" accept A records below "_spf",
  645 			"_spf_rate", and "_spf_verify" labels in order to cater
  646 			for the "exists" SPF mechanism specified in RFC 7208
  647 			section 5.7 and appendix D.1. [GL #2377]
  648 
  649 5577.	[bug]		Fix the "three is a crowd" key rollover bug in KASP by
  650 			correctly implementing Equation (2) of the "Flexible and
  651 			Robust Key Rollover" paper. [GL #2375]
  652 
  653 5576.	[experimental]	Initial server-side implementation of DNS-over-HTTPS
  654 			(DoH). Support for both TLS-encrypted and unencrypted
  655 			HTTP/2 connections has been added to the network manager
  656 			and integrated into named. (Note: there is currently no
  657 			client-side support for DNS-over-HTTPS; this will be
  658 			added to dig in a future release.) [GL #1144]
  659 
  660 5575.	[bug]		When migrating to KASP, BIND 9 considered keys with the
  661 			"Inactive" and/or "Delete" timing metadata to be
  662 			possible active keys. This has been fixed. [GL #2406]
  663 
  664 5574.	[func]		Incoming zone transfers can now use TLS. Addresses in a
  665 			"primaries" list take an optional "tls" argument,
  666 			specifying either a previously configured "tls" block or
  667 			"ephemeral"; SOA queries and zone transfer requests are
  668 			then sent via TLS. [GL #2392]
  669 
  670 5573.	[func]		When serve-stale is enabled and stale data is available,
  671 			named now returns stale answers upon encountering any
  672 			unexpected error in the query resolution process.
  673 			However, the "stale-refresh-time" window is still only
  674 			started upon a timeout. [GL #2434]
  675 
  676 5572.	[bug]		Address potential double free in generatexml().
  677 			[GL #2420]
  678 
  679 5571.	[bug]		named failed to start when its configuration included a
  680 			zone with a non-builtin "allow-update" ACL attached.
  681 			[GL #2413]
  682 
  683 5570.	[bug]		Improve performance of the DNSSEC verification code by
  684 			reducing the number of repeated calls to
  685 			dns_dnssec_keyfromrdata(). [GL #2073]
  686 
  687 5569.	[bug]		Emit useful error message when "rndc retransfer" is
  688 			applied to a zone of inappropriate type. [GL #2342]
  689 
  690 5568.	[bug]		Fixed a crash in "dnssec-keyfromlabel" when using ECDSA
  691 			keys. [GL #2178]
  692 
  693 5567.	[bug]		Dig now reports unknown dash options while pre-parsing
  694 			the options. This prevents "-multi" instead of "+multi"
  695 			from reporting memory usage before ending option parsing
  696 			with "Invalid option: -lti". [GL #2403]
  697 
  698 5566.	[func]		Add "stale-answer-client-timeout" option, which is the
  699 			amount of time a recursive resolver waits before
  700 			attempting to answer the query using stale data from
  701 			cache. [GL #2247]
  702 
  703 5565.	[func]		The SONAMEs for BIND 9 libraries now include the current
  704 			BIND 9 version number, in an effort to tightly couple
  705 			internal libraries with a specific release. [GL #2387]
  706 
  707 5564.	[cleanup]	Network manager's TLSDNS module was refactored to use
  708 			libuv and libssl directly instead of a stack of TCP/TLS
  709 			sockets. [GL #2335]
  710 
  711 5563.	[cleanup]	Changed several obsolete configuration options to
  712 			ancient, making them fatal errors. Also cleaned up the
  713 			number of clause flags in the configuration parser.
  714 			[GL #1086]
  715 
  716 5562.	[placeholder]
  717 
  718 5561.	[bug]		KASP incorrectly set signature validity to the value of
  719 			the DNSKEY signature validity. This is now fixed.
  720 			[GL #2383]
  721 
  722 5560.	[func]		The default value of "max-stale-ttl" has been changed
  723 			from 12 hours to 1 day and the default value of
  724 			"stale-answer-ttl" has been changed from 1 second to 30
  725 			seconds, following RFC 8767 recommendations. [GL #2248]
  726 
  727 	--- 9.17.9 released ---
  728 
  729 5559.	[bug]		The --with-maxminddb=PATH form of the build-time option
  730 			enabling support for libmaxminddb was not working
  731 			correctly. This has been fixed. [GL #2366]
  732 
  733 5558.	[bug]		Asynchronous hook modules could trigger an assertion
  734 			failure when the fetch handle was detached too late.
  735 			Thanks to Jinmei Tatuya at Infoblox. [GL #2379]
  736 
  737 5557.	[bug]		Prevent RBTDB instances from being destroyed by multiple
  738 			threads at the same time. [GL #2317]
  739 
  740 5556.	[bug]		Further tweak newline printing in dnssec-signzone and
  741 			dnssec-verify. [GL #2359]
  742 
  743 5555.	[placeholder]
  744 
  745 5554.	[bug]		dnssec-signzone and dnssec-verify were missing newlines
  746 			between log messages. [GL #2359]
  747 
  748 5553.	[bug]		When reconfiguring named, removing "auto-dnssec" did not
  749 			turn off DNSSEC maintenance. [GL #2341]
  750 
  751 5552.	[func]		When switching to "dnssec-policy none;", named now
  752 			permits a safe transition to insecure mode and publishes
  753 			the CDS and CDNSKEY DELETE records, as described in RFC
  754 			8078. [GL #1750]
  755 
  756 5551.	[bug]		named no longer attempts to assign threads to CPUs
  757 			outside the CPU affinity set. Thanks to Ole Bjørn
  758 			Hessen. [GL #2245]
  759 
  760 5550.	[func]		dnssec-signzone and named now log a warning when falling
  761 			back to the "increment" SOA serial method. [GL #2058]
  762 
  763 5549.	[protocol]	ipv4only.arpa is now served when DNS64 is configured.
  764 			[GL #385]
  765 
  766 5548.	[placeholder]
  767 
  768 5547.	[placeholder]
  769 
  770 	--- 9.17.8 released ---
  771 
  772 5546.	[placeholder]
  773 
  774 5545.	[func]		OS support for load-balanced sockets is no longer
  775 			required to receive incoming queries in multiple netmgr
  776 			threads. [GL #2137]
  777 
  778 5544.	[func]		Restore the default value of "nocookie-udp-size" to 4096
  779 			bytes. [GL #2250]
  780 
  781 5543.	[bug]		Fix UDP performance issues caused by making netmgr
  782 			callbacks asynchronous-only. [GL #2320]
  783 
  784 5542.	[bug]		Refactor netmgr. [GL #1920] [GL #2034] [GL #2061]
  785 			[GL #2194] [GL #2221] [GL #2266] [GL #2283] [GL #2318]
  786 			[GL #2321]
  787 
  788 5541.	[func]		Adjust the "max-recursion-queries" default from 75 to
  789 			100. [GL #2305]
  790 
  791 5540.	[port]		Fix building with native PKCS#11 support for AEP Keyper.
  792 			[GL #2315]
  793 
  794 5539.	[bug]		Tighten handling of missing DNS COOKIE responses over
  795 			UDP by falling back to TCP. [GL #2275]
  796 
  797 5538.	[func]		Add NSEC3 support to KASP. A new option for
  798 			"dnssec-policy", "nsec3param", can be used to set the
  799 			desired NSEC3 parameters. NSEC3 salt collisions are
  800 			automatically prevented during resalting. Salt
  801 			generation is now logged with zone context. [GL #1620]
  802 
  803 5537.	[func]		The query plugin mechanism has been extended
  804 			to support asynchronous operations. For example, a
  805 			plugin can now trigger recursion and resume
  806 			processing when it is complete. Thanks to Jinmei
  807 			Tatuya at Infoblox. [GL #2141]
  808 
  809 5536.	[func]		Dig can now report the DNS64 prefixes in use
  810 			(+dns64prefix). [GL #1154]
  811 
  812 5535.	[bug]		dig/nslookup/host could crash on shutdown after an
  813 			interrupt. [GL #2287] [GL #2288]
  814 
  815 5534.	[bug]		The CNAME synthesized from a DNAME was incorrectly
  816 			followed when the QTYPE was CNAME or ANY. [GL #2280]
  817 
  818 	--- 9.17.7 released ---
  819 
  820 5533.	[func]		Add the "stale-refresh-time" option, a time window that
  821 			starts after a failed lookup, during which a stale RRset
  822 			is served directly from cache before a new attempt to
  823 			refresh it is made. [GL #2066]
  824 
  825 5532.	[cleanup]	Unused header files were removed:
  826 			bin/rndc/include/rndc/os.h, lib/isc/timer_p.h,
  827 			lib/isccfg/include/isccfg/dnsconf.h and code related
  828 			to those files. [GL #1913]
  829 
  830 5531.	[func]		Add support for DNS over TLS (DoT) to dig and named.
  831 			dig output now includes the transport protocol used.
  832 			[GL #1816] [GL #1840]
  833 
  834 5530.	[bug]		dnstap did not capture responses to forwarded UPDATE
  835 			requests. [GL #2252]
  836 
  837 5529.	[func]		The network manager API is now used by named to send
  838 			zone transfer requests. [GL #2016]
  839 
  840 5528.	[func]		Convert dig, host, and nslookup to use the network
  841 			manager API. As a side effect of this change, "dig
  842 			+unexpected" no longer works, and has been disabled.
  843 			[GL #2140]
  844 
  845 5527.	[bug]		A NULL pointer dereference occurred when creating an NTA
  846 			recheck query failed. [GL #2244]
  847 
  848 5526.	[bug]		Fix a race/NULL dereference in TCPDNS read. [GL #2227]
  849 
  850 5525.	[placeholder]
  851 
  852 5524.	[func]		Added functionality to the network manager to support
  853 			outgoing DNS queries in addition to incoming ones.
  854 			[GL #2235]
  855 
  856 5523.	[bug]		The initial lookup in a zone transitioning to/from a
  857 			signed state could fail if the DNSKEY RRset was not
  858 			found. [GL #2236]
  859 
  860 5522.	[bug]		Fixed a race/NULL dereference in TCPDNS send. [GL #2227]
  861 
  862 5521.	[func]		All use of libltdl was dropped. libuv's shared library
  863 			handling interface is now used instead. [GL !4278]
  864 
  865 5520.	[bug]		Fixed a number of shutdown races, reference counting
  866 			errors, and spurious log messages that could occur
  867 			in the network manager. [GL #2221]
  868 
  869 5519.	[cleanup]	Unused source code was removed: lib/dns/dbtable.c,
  870 			lib/dns/portlist.c, lib/isc/bufferlist.c, and code
  871 			related to those files. [GL #2060]
  872 
  873 5518.	[bug]		Stub zones now work correctly with primary servers using
  874 			"minimal-responses yes". [GL #1736]
  875 
  876 5517.	[bug]		Do not treat UV_EOF as a TCP4RecvErr or a TCP6RecvErr.
  877 			[GL #2208]
  878 
  879 	--- 9.17.6 released ---
  880 
  881 5516.	[func]		The default EDNS buffer size has been changed from 4096
  882 			to 1232 bytes, the EDNS buffer size probing has been
  883 			removed, and named now sets the DF (Don't Fragment) flag
  884 			on outgoing UDP packets. [GL #2183]
  885 
  886 5515.	[func]		Add 'rndc dnssec -rollover' command to trigger a manual
  887 			rollover for a specific key. [GL #1749]
  888 
  889 5514.	[bug]		Fix KASP expected key size for Ed25519 and Ed448.
  890 			[GL #2171]
  891 
  892 5513.	[doc]		The ARM section describing the "rrset-order" statement
  893 			was rewritten to make it unambiguous and up-to-date with
  894 			the source code. [GL #2139]
  895 
  896 5512.	[bug]		"rrset-order" rules using "order none" were causing
  897 			named to crash despite named-checkconf treating them as
  898 			valid. [GL #2139]
  899 
  900 5511.	[bug]		'dig -u +yaml' failed to display timestamps to the
  901 			microsecond. [GL #2190]
  902 
  903 5510.	[bug]		Implement the attach/detach semantics for dns_message_t
  904 			to fix a data race in accessing an already-destroyed
  905 			fctx->rmessage. [GL #2124]
  906 
  907 5509.	[bug]		filter-aaaa: named crashed upon shutdown if it was in
  908 			the process of recursing for A RRsets. [GL #1040]
  909 
  910 5508.	[func]		Added new parameter "-expired" for "rndc dumpdb" that
  911 			also prints expired RRsets (awaiting cleanup) to the
  912 			dump file. [GL #1870]
  913 
  914 5507.	[bug]		Named could compute incorrect SIG(0) responses.
  915 			[GL #2109]
  916 
  917 5506.	[bug]		Properly handle failed sysconf() calls, so we don't
  918 			report invalid memory size. [GL #2166]
  919 
  920 5505.	[bug]		Updating contents of a mixed-case RPZ could cause some
  921 			rules to be ignored. [GL #2169]
  922 
  923 5504.	[func]		The "glue-cache" option has been marked as deprecated.
  924 			The glue cache feature will be permanently enabled in a
  925 			future release. [GL #2146]
  926 
  927 5503.	[bug]		Cleaned up reference counting of network manager
  928 			handles, now using isc_nmhandle_attach() and _detach()
  929 			instead of _ref() and _unref(). [GL #2122]
  930 
  931 	--- 9.17.5 released ---
  932 
  933 5502.	[func]		'dig +bufsize=0' no longer disables EDNS. [GL #2054]
  934 
  935 5501.	[func]		Log CDS/CDNSKEY publication. [GL #1748]
  936 
  937 5500.	[bug]		Fix (non-)publication of CDS and CDNSKEY records.
  938 			[GL #2103]
  939 
  940 5499.	[func]		Add '-P ds' and '-D ds' arguments to dnssec-settime.
  941 			[GL #1748]
  942 
  943 5498.	[test]		The --with-gperftools-profiler configure option was
  944 			removed. [GL !4045]
  945 
  946 5497.	[placeholder]
  947 
  948 5496.	[bug]		Address a TSAN report by ensuring each rate limiter
  949 			object holds a reference to its task. [GL #2081]
  950 
  951 5495.	[bug]		With query minimization enabled, named failed to
  952 			resolve ip6.arpa. names that had extra labels to the
  953 			left of the IPv6 part. [GL #1847]
  954 
  955 5494.	[bug]		Silence the EPROTO syslog message on older systems.
  956 			[GL #1928]
  957 
  958 5493.	[bug]		Fix off-by-one error when calculating new hash table
  959 			size. [GL #2104]
  960 
  961 5492.	[bug]		Tighten LOC parsing to reject a period (".") and/or "m"
  962 			as a value. Fix handling of negative altitudes which are
  963 			not whole meters. [GL #2074]
  964 
  965 5491.	[bug]		rbtversion->glue_table_size could be read without the
  966 			appropriate lock being held. [GL #2080]
  967 
  968 5490.	[func]		Refactor readline support to use pkg-config and add
  969 			support for the editline library. [GL !3942]
  970 
  971 5489.	[bug]		Named erroneously accepted certain invalid resource
  972 			records that were incorrectly processed after
  973 			subsequently being written to disk and loaded back, as
  974 			the wire format differed. Such records include: CERT,
  975 			IPSECKEY, NSEC3, NSEC3PARAM, NXT, SIG, TLSA, WKS, and
  976 			X25. [GL !3953]
  977 
  978 5488.	[bug]		NTA code needed to have a weak reference on its
  979 			associated view to prevent the latter from being deleted
  980 			while NTA tests were being performed. [GL #2067]
  981 
  982 5487.	[cleanup]	Update managed keys log messages to be less confusing.
  983 			[GL #2027]
  984 
  985 5486.	[func]		Add 'rndc dnssec -checkds' command, which signals to
  986 			named that the DS record for a given zone or key has
  987 			been updated in the parent zone. [GL #1613]
  988 
  989 	--- 9.17.4 released ---
  990 
  991 5485.	[placeholder]
  992 
  993 5484.	[func]		Expire zero TTL records quickly rather than using them
  994 			for stale answers. [GL #1829]
  995 
  996 5483.	[func]		Keeping "stale" answers in cache has been disabled by
  997 			default and can be re-enabled with a new configuration
  998 			option "stale-cache-enable". [GL #1712]
  999 
 1000 5482.	[bug]		If the Duplicate Address Detection (DAD) mechanism had
 1001 			not yet finished after adding a new IPv6 address to the
 1002 			system, BIND 9 would fail to bind to IPv6 addresses in a
 1003 			tentative state. [GL #2038]
 1004 
 1005 5481.	[security]	"update-policy" rules of type "subdomain" were
 1006 			incorrectly treated as "zonesub" rules, which allowed
 1007 			keys used in "subdomain" rules to update names outside
 1008 			of the specified subdomains. The problem was fixed by
 1009 			making sure "subdomain" rules are again processed as
 1010 			described in the ARM. (CVE-2020-8624) [GL #2055]
 1011 
 1012 5480.	[security]	When BIND 9 was compiled with native PKCS#11 support, it
 1013 			was possible to trigger an assertion failure in code
 1014 			determining the number of bits in the PKCS#11 RSA public
 1015 			key with a specially crafted packet. (CVE-2020-8623)
 1016 			[GL #2037]
 1017 
 1018 5479.	[security]	named could crash in certain query resolution scenarios
 1019 			where QNAME minimization and forwarding were both
 1020 			enabled. (CVE-2020-8621) [GL #1997]
 1021 
 1022 5478.	[security]	It was possible to trigger an assertion failure by
 1023 			sending a specially crafted large TCP DNS message.
 1024 			(CVE-2020-8620) [GL #1996]
 1025 
 1026 5477.	[bug]		The idle timeout for connected TCP sockets, which was
 1027 			previously set to a high fixed value, is now derived
 1028 			from the client query processing timeout configured for
 1029 			a resolver. [GL #2024]
 1030 
 1031 5476.	[security]	It was possible to trigger an assertion failure when
 1032 			verifying the response to a TSIG-signed request.
 1033 			(CVE-2020-8622) [GL #2028]
 1034 
 1035 5475.	[bug]		Wildcard RPZ passthru rules could incorrectly be
 1036 			overridden by other rules that were loaded from RPZ
 1037 			zones which appeared later in the "response-policy"
 1038 			statement. This has been fixed. [GL #1619]
 1039 
 1040 5474.	[bug]		dns_rdata_hip_next() failed to return ISC_R_NOMORE
 1041 			when it should have. [GL !3880]
 1042 
 1043 5473.	[func]		The RBT hash table implementation has been changed
 1044 			to use a faster hash function (HalfSipHash2-4) and
 1045 			Fibonacci hashing for better distribution. Setting
 1046 			"max-cache-size" now preallocates a fixed-size hash
 1047 			table so that rehashing does not cause resolution
 1048 			brownouts while the hash table is grown. [GL #1775]
 1049 
 1050 5472.	[func]		The statistics channel has been updated to use the
 1051 			new network manager. [GL #2022]
 1052 
 1053 5471.	[bug]		The introduction of KASP support inadvertently caused
 1054 			the second field of "sig-validity-interval" to always be
 1055 			calculated in hours, even in cases when it should have
 1056 			been calculated in days. This has been fixed. (Thanks to
 1057 			Tony Finch.) [GL !3735]
 1058 
 1059 5470.	[port]		gsskrb5_register_acceptor_identity() is now only called
 1060 			if gssapi_krb5.h is present. [GL #1995]
 1061 
 1062 5469.	[port]		On illumos, a constant called SEC is already defined in
 1063 			<sys/time.h>, which conflicts with an identically named
 1064 			constant in libbind9. This conflict has been resolved.
 1065 			[GL #1993]
 1066 
 1067 5468.	[bug]		Addressed potential double unlock in process_fd().
 1068 			[GL #2005]
 1069 
 1070 5467.	[func]		The control channel and the rndc utility have been
 1071 			updated to use the new network manager. To support
 1072 			this, the network manager was updated to enable
 1073 			the initiation of client TCP connections. Its
 1074 			internal reference counting has been refactored.
 1075 
 1076 			Note: As a side effect of this change, rndc cannot
 1077 			currently be used with UNIX-domain sockets, and its
 1078 			default timeout has changed from 60 seconds to 30.
 1079 			These will be addressed in a future release.
 1080 			[GL #1759]
 1081 
 1082 5466.	[bug]		Addressed an error in recursive clients stats reporting.
 1083 			[GL #1719]
 1084 
 1085 5465.	[func]		Added fallback to built-in trust-anchors, managed-keys,
 1086 			or trusted-keys if the bindkeys-file (bind.keys) cannot
 1087 			be parsed. [GL #1235]
 1088 
 1089 5464.	[bug]		Requesting more than 128 files to be saved when rolling
 1090 			dnstap log files caused a buffer overflow. This has been
 1091 			fixed. [GL #1989]
 1092 
 1093 5463.	[placeholder]
 1094 
 1095 5462.	[bug]		Move LMDB locking from LMDB itself to named. [GL #1976]
 1096 
 1097 5461.	[bug]		The STALE rdataset header attribute was updated while
 1098 			the write lock was not being held, leading to incorrect
 1099 			statistics. The header attributes are now converted to
 1100 			use atomic operations. [GL #1475]
 1101 
 1102 5460.	[cleanup]	tsig-keygen was previously an alias for
 1103 			ddns-confgen and was documented in the ddns-confgen
 1104 			man page. This has been reversed; tsig-keygen is
 1105 			now the primary name. [GL #1998]
 1106 
 1107 5459.	[bug]		Fixed bad isc_mem_put() size when an invalid type was
 1108 			specified in an "update-policy" rule. [GL #1990]
 1109 
 1110 	--- 9.17.3 released ---
 1111 
 1112 5458.	[bug]		Prevent a theoretically possible NULL dereference caused
 1113 			by a data race between zone_maintenance() and
 1114 			dns_zone_setview_helper(). [GL #1627]
 1115 
 1116 5457.	[placeholder]
 1117 
 1118 5456.	[func]		Added "primaries" as a synonym for "masters" in
 1119 			named.conf, and "primary-only" as a synonym for
 1120 			"master-only" in the parameters to "notify", to bring
 1121 			terminology up-to-date with RFC 8499. [GL #1948]
 1122 
 1123 5455.	[bug]		named could crash when cleaning dead nodes in
 1124 			lib/dns/rbtdb.c that were being reused. [GL #1968]
 1125 
 1126 5454.	[bug]		Address a startup crash that occurred when the server
 1127 			was under load and the root zone had not yet been
 1128 			loaded. [GL #1862]
 1129 
 1130 5453.	[bug]		named crashed on shutdown when a new rndc connection was
 1131 			received during shutdown. [GL #1747]
 1132 
 1133 5452.	[bug]		The "blackhole" ACL was accidentally disabled for client
 1134 			queries. [GL #1936]
 1135 
 1136 5451.	[func]		Add 'rndc dnssec -status' command. [GL #1612]
 1137 
 1138 5450.	[placeholder]
 1139 
 1140 5449.	[bug]		Fix a socket shutdown race in netmgr udp. [GL #1938]
 1141 
 1142 5448.	[bug]		Fix a race condition in isc__nm_tcpdns_send().
 1143 			[GL #1937]
 1144 
 1145 5447.	[bug]		IPv6 addresses ending in "::" could break YAML
 1146 			parsing. A "0" is now appended to such addresses
 1147 			in YAML output from dig, mdig, delv, and dnstap-read.
 1148 			[GL #1952]
 1149 
 1150 5446.	[bug]		The validator could fail to accept a properly signed
 1151 			RRset if an unsupported algorithm appeared earlier in
 1152 			the DNSKEY RRset than a supported algorithm. It could
 1153 			also stop if it detected a malformed public key.
 1154 			[GL #1689]
 1155 
 1156 5445.	[cleanup]	Disable and disallow static linking. [GL #1933]
 1157 
 1158 5444.	[bug]		'rndc dnstap -roll <value>' did not limit the number of
 1159 			saved files to <value>. [GL !3728]
 1160 
 1161 5443.	[bug]		The "primary" and "secondary" keywords, when used
 1162 			as parameters for "check-names", were not
 1163 			processed correctly and were being ignored. [GL #1949]
 1164 
 1165 5442.	[func]		Add support for outgoing TCP connections in netmgr.
 1166 			[GL #1958]
 1167 
 1168 5441.	[placeholder]
 1169 
 1170 5440.	[placeholder]
 1171 
 1172 5439.	[bug]		The DS RRset returned by dns_keynode_dsset() was used in
 1173 			a non-thread-safe manner. [GL #1926]
 1174 
 1175 	--- 9.17.2 released ---
 1176 
 1177 5438.	[bug]		Fix a race in TCP accepting code. [GL #1930]
 1178 
 1179 5437.	[bug]		Fix a data race in lib/dns/resolver.c:log_formerr().
 1180 			[GL #1808]
 1181 
 1182 5436.	[security]	It was possible to trigger an INSIST when determining
 1183 			whether a record would fit into a TCP message buffer.
 1184 			(CVE-2020-8618) [GL #1850]
 1185 
 1186 5435.	[tests]		Add RFC 4592 responses examples to the wildcard system
 1187 			test. [GL #1718]
 1188 
 1189 5434.	[security]	It was possible to trigger an INSIST in
 1190 			lib/dns/rbtdb.c:new_reference() with a particular zone
 1191 			content and query patterns. (CVE-2020-8619) [GL #1111]
 1192 			[GL #1718]
 1193 
 1194 5433.	[placeholder]
 1195 
 1196 5432.	[bug]		Check the question section when processing AXFR, IXFR,
 1197 			and SOA replies when transferring a zone in. [GL #1683]
 1198 
 1199 5431.	[func]		Reject DS records at the zone apex when loading
 1200 			master files. Log but otherwise ignore attempts to
 1201 			add DS records at the zone apex via UPDATE. [GL #1798]
 1202 
 1203 5430.	[doc]		Update docs - with netmgr, a separate listening socket
 1204 			is created for each IPv6 interface (just as with IPv4).
 1205 			[GL #1782]
 1206 
 1207 5429.	[cleanup]	Move BIND binaries which are neither daemons nor
 1208 			administrative programs to $bindir. [GL #1724]
 1209 
 1210 5428.	[bug]		Clean up GSSAPI resources in nsupdate only after taskmgr
 1211 			has been destroyed. Thanks to Petr Menšík. [GL !3316]
 1212 
 1213 5427.	[placeholder]
 1214 
 1215 5426.	[bug]		Don't abort() when setting SO_INCOMING_CPU on the socket
 1216 			fails. [GL #1911]
 1217 
 1218 5425.	[func]		The default value of "max-stale-ttl" has been changed
 1219 			from 1 week to 12 hours. [GL #1877]
 1220 
 1221 5424.	[bug]		With KASP, when creating a successor key, the "goal"
 1222 			state of the current active key (predecessor) was not
 1223 			changed and thus never removed from the zone. [GL #1846]
 1224 
 1225 5423.	[bug]		Fix a bug in keymgr_key_has_successor(): it incorrectly
 1226 			returned true if any other key in the keyring had a
 1227 			successor. [GL #1845]
 1228 
 1229 5422.	[bug]		When using dnssec-policy, print correct key timing
 1230 			metadata. [GL #1843]
 1231 
 1232 5421.	[bug]		Fix a race that could cause named to crash when looking
 1233 			up the nodename of an RBT node if the tree was modified.
 1234 			[GL #1857]
 1235 
 1236 5420.	[bug]		Add missing isc_{mutex,conditional}_destroy() calls
 1237 			that caused a memory leak on FreeBSD. [GL #1893]
 1238 
 1239 5419.	[func]		Add new dig command line option, "+qid=<num>", which
 1240 			allows the query ID to be set to an arbitrary value.
 1241 			Add a new ./configure option, --enable-singletrace,
 1242 			which allows trace logging of a single query when QID is
 1243 			set to 0. [GL #1851]
 1244 
 1245 5418.	[bug]		delv failed to parse deprecated trusted-keys-style
 1246 			trust anchors. [GL #1860]
 1247 
 1248 5417.	[cleanup]	The code determining the advertised UDP buffer size in
 1249 			outgoing EDNS queries has been refactored to improve its
 1250 			clarity. [GL #1868]
 1251 
 1252 5416.	[bug]		Fix a lock order inversion in lib/isc/unix/socket.c.
 1253 			[GL #1859]
 1254 
 1255 5415.	[test]		Address race in dnssec system test that led to
 1256 			test failures. [GL #1852]
 1257 
 1258 5414.	[test]		Adjust time allowed for journal truncation to occur
 1259 			in nsupdate system test to avoid test failure.
 1260 			[GL #1855]
 1261 
 1262 5413.	[test]		Address race in autosign system test that led to
 1263 			test failures. [GL #1852]
 1264 
 1265 5412.	[bug]		'provide-ixfr no;' failed to return up-to-date responses
 1266 			when the serial was greater than or equal to the
 1267 			current serial. [GL #1714]
 1268 
 1269 5411.	[cleanup]	TCP accept code has been refactored to use a single
 1270 			accept() and pass the accepted socket to child threads
 1271 			for processing. [GL !3320]
 1272 
 1273 5410.	[func]		Add the ability to specify per-type record count limits,
 1274 			which are enforced when adding records via UPDATE, in an
 1275 			"update-policy" statement. [GL #1657]
 1276 
 1277 5409.	[performance]	When looking up NSEC3 data in a zone database, skip the
 1278 			check for empty non-terminal nodes; the NSEC3 tree does
 1279 			not have any. [GL #1834]
 1280 
 1281 5408.	[protocol]	Print Extended DNS Errors if present in OPT record.
 1282 			[GL #1835]
 1283 
 1284 5407.	[func]		Zone timers are now exported via statistics channel.
 1285 			Thanks to Paul Frieden, Verizon Media. [GL #1232]
 1286 
 1287 5406.	[func]		Add a new logging category, "rpz-passthru", which allows
 1288 			RPZ passthru actions to be logged in a separate channel.
 1289 			[GL #54]
 1290 
 1291 5405.	[bug]		'named-checkconf -p' could include spurious text in
 1292 			server-addresses statements due to an uninitialized DSCP
 1293 			value. [GL #1812]
 1294 
 1295 5404.	[bug]		'named-checkconf -z' could incorrectly indicate
 1296 			success if errors were found in one view but not in a
 1297 			subsequent one. [GL #1807]
 1298 
 1299 5403.	[func]		Do not set UDP receive/send buffer sizes - use system
 1300 			defaults. [GL #1713]
 1301 
 1302 5402.	[bug]		On FreeBSD, use SO_REUSEPORT_LB instead of SO_REUSEPORT.
 1303 			Enable use of SO_REUSEADDR on all platforms which
 1304 			support it. [GL !3365]
 1305 
 1306 5401.	[bug]		The number of input queues allocated during dnstap
 1307 			initialization was too low, which could prevent some
 1308 			dnstap data from being logged. [GL #1795]
 1309 
 1310 5400.	[func]		Add engine support to OpenSSL EdDSA implementation.
 1311 			[GL #1763]
 1312 
 1313 5399.	[func]		Add engine support to OpenSSL ECDSA implementation.
 1314 			[GL #1534]
 1315 
 1316 5398.	[bug]		Named could fail to restart if a zone with a double
 1317 			quote (") in its name was added with 'rndc addzone'.
 1318 			[GL #1695]
 1319 
 1320 5397.	[func]		Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
 1321 			Thanks to Aaron Thompson. [GL !3326]
 1322 
 1323 5396.	[func]		When necessary (i.e. in libuv >= 1.37), use the
 1324 			UV_UDP_RECVMMSG flag to enable recvmmsg() support in
 1325 			libuv. [GL #1797]
 1326 
 1327 5395.	[security]	Further limit the number of queries that can be
 1328 			triggered from a request.  Root and TLD servers
 1329 			are no longer exempt from max-recursion-queries.
 1330 			Fetches for missing name server address records
 1331 			are limited to 4 for any domain. (CVE-2020-8616)
 1332 			[GL #1388]
 1333 
 1334 5394.	[cleanup]	Named formerly attempted to change the effective UID and
 1335 			GID in named_os_openfile(), which could trigger a
 1336 			spurious log message if they were already set to the
 1337 			desired values. This has been fixed. [GL #1042]
 1338 			[GL #1090]
 1339 
 1340 5393.	[cleanup]	Unused and/or redundant APIs were removed from libirs.
 1341 			[GL #1758]
 1342 
 1343 5392.	[bug]		It was possible for named to crash during shutdown
 1344 			or reconfiguration if an RPZ zone was still being
 1345 			updated. [GL #1779]
 1346 
 1347 5391.	[func]		The BIND 9 build system has been changed to use a
 1348 			typical autoconf+automake+libtool stack. When building
 1349 			from the Git repository, run "autoreconf -fi" first.
 1350 			[GL #4]
 1351 
 1352 5390.	[security]	Replaying a TSIG BADTIME response as a request could
 1353 			trigger an assertion failure. (CVE-2020-8617)
 1354 			[GL #1703]
 1355 
 1356 5389.	[bug]		Finish PKCS#11 code cleanup, fix a couple of smaller
 1357 			bugs and use PKCS#11 v3.0 EdDSA macros and constants.
 1358 			Thanks to Aaron Thompson. [GL !3391]
 1359 
 1360 5388.	[func]		Reject AXFR streams where the message ID is not
 1361 			consistent. [GL #1674]
 1362 
 1363 5387.	[placeholder]
 1364 
 1365 5386.	[cleanup]	Address Coverity warnings in lib/dns/keymgr.c.
 1366 			[GL #1737]
 1367 
 1368 5385.	[func]		Make ISC rwlock implementation the default again.
 1369 			[GL #1753]
 1370 
 1371 5384.	[bug]		With "dnssec-policy" in effect, "inline-signing" was
 1372 			implicitly set to "yes". Now "inline-signing" is only
 1373 			set to "yes" if the zone is not dynamic. [GL #1709]
 1374 
 1375 	--- 9.17.1 released ---
 1376 
 1377 5383.	[func]		Add a quota attach function with a callback and clean up
 1378 			the isc_quota API. [GL !3280]
 1379 
 1380 5382.	[bug]		Use clock_gettime() instead of gettimeofday() for
 1381 			isc_stdtime() function. [GL #1679]
 1382 
 1383 5381.	[bug]		Fix logging API data race by adding rwlock and caching
 1384 			logging levels in stdatomic variables to restore
 1385 			performance to original levels. [GL #1675] [GL #1717]
 1386 
 1387 5380.	[contrib]	Fix building MySQL DLZ modules against MySQL 8
 1388 			libraries. [GL #1678]
 1389 
 1390 5379.	[placeholder]
 1391 
 1392 5378.	[bug]		Receiving invalid DNS data was triggering an assertion
 1393 			failure in nslookup. [GL #1652]
 1394 
 1395 5377.	[placeholder]
 1396 
 1397 5376.	[bug]		Fix ineffective DNS rebinding protection when BIND is
 1398 			configured as a forwarding DNS server. Thanks to Tobias
 1399 			Klein. [GL #1574]
 1400 
 1401 5375.	[test]		Fix timing issues in the "kasp" system test. [GL #1669]
 1402 
 1403 5374.	[bug]		Statistics counters tracking recursive clients and
 1404 			active connections could underflow. [GL #1087]
 1405 
 1406 5373.	[bug]		Collecting statistics for DNSSEC signing operations
 1407 			(change 5254) caused an array of significant size (over
 1408 			100 kB) to be allocated for each configured zone. Each
 1409 			of these arrays is tracking all possible key IDs; this
 1410 			could trigger an out-of-memory condition on servers with
 1411 			a high enough number of zones configured. Fixed by
 1412 			tracking up to four keys per zone and rotating counters
 1413 			when keys are replaced. This fixes the immediate problem
 1414 			of high memory usage, but should be improved in a future
 1415 			release by growing or shrinking the number of keys to
 1416 			track upon key rollover events. [GL #1179]
 1417 
 1418 5372.	[bug]		Fix migration from existing DNSSEC key files
 1419 			("auto-dnssec maintain") to "dnssec-policy". [GL #1706]
 1420 
 1421 5371.	[bug]		Improve incremental updates of the RPZ summary
 1422 			database to reduce delays that could occur when
 1423 			a policy zone update included a large number of
 1424 			record deletions. [GL #1447]
 1425 
 1426 5370.	[bug]		Deactivation of a netmgr handle associated with a
 1427 			socket could be skipped in some circumstances.
 1428 			Fixed by deactivating the netmgr handle before
 1429 			scheduling the asynchronous close routine. [GL #1700]
 1430 
 1431 5369.	[func]		Add the ability to specify whether to wait for
 1432 			nameserver domain names to be looked up, with a new RPZ
 1433 			modifying directive 'nsdname-wait-recurse'. [GL #1138]
 1434 
 1435 5368.	[bug]		Named failed to restart if 'rndc addzone' names
 1436 			contained special characters (e.g. '/'). [GL #1655]
 1437 
 1438 5367.	[placeholder]
 1439 
 1440 	--- 9.17.0 released ---
 1441 
 1442 5366.	[bug]		Fix a race condition with the keymgr when the same
 1443 			zone plus dnssec-policy is configured in multiple
 1444 			views. [GL #1653]
 1445 
 1446 5365.	[bug]		Algorithm rollover was stuck on submitting DS
 1447 			because keymgr thought it would move to an invalid
 1448 			state.  Fixed by checking the current key against
 1449 			the desired state, not the existing state. [GL #1626]
 1450 
 1451 5364.	[bug]		Algorithm rollover waited too long before introducing
 1452 			zone signatures.  It waited to make sure all signatures
 1453 			were regenerated, but when introducing a new algorithm,
 1454 			all signatures are regenerated immediately.  Only
 1455 			add the sign delay if there is a predecessor key.
 1456 			[GL #1625]
 1457 
 1458 5363.	[bug]		When changing a dnssec-policy, existing keys with
 1459 			properties that no longer match were not being retired.
 1460 			[GL #1624]
 1461 
 1462 5362.	[func]		Limit the size of IXFR responses so that AXFR will
 1463 			be used instead if it would be smaller. This is
 1464 			controlled by the "max-ixfr-ratio" option, which
 1465 			is a percentage representing the ratio of IXFR size
 1466 			to the size of the entire zone. This value cannot
 1467 			exceed 100%, which is the default. [GL #1515]
 1468 
 1469 5361.	[bug]		named might not accept new connections after
 1470 			hitting tcp-clients quota. [GL #1643]
 1471 
 1472 5360.	[bug]		delv could fail to load trust anchors in DNSKEY
 1473 			format. [GL #1647]
 1474 
 1475 5359.	[func]		"rndc nta -d" and "rndc secroots" now include
 1476 			"validate-except" entries when listing negative
 1477 			trust anchors. These are indicated by the keyword
 1478 			"permanent" in place of an expiry date. [GL #1532]
 1479 
 1480 5358.	[bug]		Inline master zones whose master files were touched
 1481 			but otherwise unchanged and were subsequently reloaded
 1482 			may have stopped re-signing. [GL !3135]
 1483 
 1484 5357.	[bug]		Newly added RRSIG records with expiry times before
 1485 			the previous earliest expiry times might not be
 1486 			re-signed in time.  This was a side effect of 5315.
 1487 			[GL !3137]
 1488 
 1489 5356.	[func]		Update dnssec-policy configuration statements:
 1490 			- Rename "zone-max-ttl" dnssec-policy option to
 1491 			  "max-zone-ttl" for consistency with the existing
 1492 			  zone option.
 1493 			- Allow for "lifetime unlimited" as a synonym for
 1494 			  "lifetime PT0S".
 1495 			- Make "key-directory" optional.
 1496 			- Warn if specifying a key length does not make
 1497 			  sense; fail if key length is out of range for
 1498 			  the algorithm.
 1499 			- Allow use of mnemonics when specifying key
 1500 			  algorithm (e.g. "rsasha256", "ecdsa384", etc.).
 1501 			- Make ISO 8601 durations case-insensitive.
 1502 			[GL #1598]
 1503 
 1504 5355.	[func]		What was set with --with-tuning=large option in
 1505 			older BIND9 versions is now a default, and
 1506 			a --with-tuning=small option was added for small
 1507 			(e.g. OpenWRT) systems. [GL !2989]
 1508 
 1509 5354.	[bug]		dnssec-policy created new KSK keys for zones in the
 1510 			initial stage of signing (with the DS not yet in the
 1511 			rumoured or omnipresent states).  Fix by checking the
 1512 			key goals rather than the active state when determining
 1513 			whether new keys are needed. [GL #1593]
 1514 
 1515 5353.	[doc]		Document port and dscp parameters in forwarders
 1516 			configuration option. [GL #914]
 1517 
 1518 5352.	[bug]		Correctly handle catalog zone entries containing
 1519 			characters that aren't legal in filenames. [GL #1592]
 1520 
 1521 5351.	[bug]		CDS / CDNSKEY consistency checks failed to handle
 1522 			removal records. [GL #1554]
 1523 
 1524 5350.	[bug]		When a view was configured with class CHAOS, the
 1525 			server could crash while processing a query for a
 1526 			non-existent record. [GL #1540]
 1527 
 1528 5349.	[bug]		Fix a race in task_pause/unpause. [GL #1571]
 1529 
 1530 5348.	[bug]		dnssec-settime -Psync was not being honoured.
 1531 			Thanks to Tony Finch. [GL !2893]
 1532 
 1533 	--- 9.15.8 released ---
 1534 
 1535 5347.	[bug]		Fixed a bug that could cause an intermittent crash
 1536 			in validator.c when validating a negative cache
 1537 			entry. [GL #1561]
 1538 
 1539 5346.	[bug]		Make hazard pointer array allocations dynamic, fixing
 1540 			a bug that caused named to crash on machines with more
 1541 			than 40 cores. [GL #1493]
 1542 
 1543 5345.	[func]		Key-style trust anchors and DS-style trust anchors
 1544 			can now both be used for the same name. [GL #1237]
 1545 
 1546 5344.	[bug]		Handle accept() errors properly in netmgr. [GL !2880]
 1547 
 1548 5343.	[func]		Add statistics counters to the netmgr. [GL #1311]
 1549 
 1550 5342.	[bug]		Disable pktinfo for IPv6 and bind to each interface
 1551 			explicitly instead, because libuv doesn't support
 1552 			pktinfo control messages. [GL #1558]
 1553 
 1554 5341.	[func]		Simplify passing the bound TCP socket to child
 1555 			threads by using isc_uv_export/import functions.
 1556 			[GL !2825]
 1557 
 1558 5340.	[bug]		Don't deadlock when binding to a TCP socket fails.
 1559 			[GL #1499]
 1560 
 1561 5339.	[bug]		With some libmaxminddb versions, named could erroneously
 1562 			match an IP address not belonging to any subnet defined
 1563 			in a given GeoIP2 database to one of the existing
 1564 			entries in that database. [GL #1552]
 1565 
 1566 5338.	[bug]		Fix line spacing in `rndc secroots`.
 1567 			Thanks to Tony Finch. [GL !2478]
 1568 
 1569 5337.	[func]		'named -V' now reports maxminddb and protobuf-c
 1570 			versions. [GL !2686]
 1571 
 1572 	--- 9.15.7 released ---
 1573 
 1574 5336.	[bug]		The TCP high-water statistic could report an
 1575 			incorrect value on startup. [GL #1392]
 1576 
 1577 5335.	[func]		Make TCP listening code multithreaded. [GL !2659]
 1578 
 1579 5334.	[doc]		Update documentation with dnssec-policy clarifications.
 1580 			Also change some defaults. [GL !2711]
 1581 
 1582 5333.	[bug]		Fix duration printing on Solaris when value is not
 1583 			an ISO 8601 duration. [GL #1460]
 1584 
 1585 5332.	[func]		Renamed "dnssec-keys" configuration statement
 1586 			to the more descriptive "trust-anchors". [GL !2702]
 1587 
 1588 5331.	[func]		Use compiler-provided mechanisms for thread local
 1589 			storage, and make the requirement for such mechanisms
 1590 			explicit in configure. [GL #1444]
 1591 
 1592 5330.	[bug]		'configure --without-python' was ineffective if
 1593 			PYTHON was set in the environment. [GL #1434]
 1594 
 1595 5329.	[bug]		Reconfiguring named caused memory to be leaked when any
 1596 			GeoIP2 database was in use. [GL #1445]
 1597 
 1598 5328.	[bug]		rbtdb.c:rdataset_{get,set}ownercase failed to obtain
 1599 			a node lock. [GL #1417]
 1600 
 1601 5327.	[func]		Added a statistics counter to track queries
 1602 			dropped because the recursive-clients quota was
 1603 			exceeded. [GL #1399]
 1604 
 1605 5326.	[bug]		Add Python dependency on 'distutils.core' to configure.
 1606 			'distutils.core' is required for installation.
 1607 			[GL #1397]
 1608 
 1609 5325.	[bug]		Addressed several issues with TCP connections in
 1610 			the netmgr: restored support for TCP connection
 1611 			timeouts, restored TCP backlog support, actively
 1612 			close all open sockets during shutdown. [GL #1312]
 1613 
 1614 5324.	[bug]		Change the category of some log messages from general
 1615 			to the more appropriate catergory of xfer-in. [GL #1394]
 1616 
 1617 5323.	[bug]		Fix a bug in DNSSEC trust anchor verification.
 1618 			[GL !2609]
 1619 
 1620 5322.	[placeholder]
 1621 
 1622 5321.	[bug]		Obtain write lock before updating version->records
 1623 			and version->bytes. [GL #1341]
 1624 
 1625 5320.	[cleanup]	Silence TSAN on header->count. [GL #1344]
 1626 
 1627 	--- 9.15.6 released ---
 1628 
 1629 5319.	[func]		Trust anchors can now be configured using DS
 1630 			format to represent a key digest, by using the
 1631 			new "initial-ds" or "static-ds" keywords in
 1632 			the "dnssec-keys" statement.
 1633 
 1634 			Note: DNSKEY-format and DS-format trust anchors
 1635 			cannot both be used for the same domain name.
 1636 			[GL #622]
 1637 
 1638 5318.	[cleanup]	The DNSSEC validation code has been refactored
 1639 			for clarity and to reduce code duplication.
 1640 			[GL #622]
 1641 
 1642 5317.	[func]		A new asynchronous network communications system
 1643 			based on libuv is now used for listening for
 1644 			incoming requests and responding to them. (The
 1645 			old isc_socket API remains in use for sending
 1646 			iterative queries and processing responses; this
 1647 			will be changed too in a later release.)
 1648 
 1649 			This change will make it easier to improve
 1650 			performance and implement new protocol layers
 1651 			(e.g., DNS over TLS) in the future. [GL #29]
 1652 
 1653 5316.	[func]		A new "dnssec-policy" option has been added to
 1654 			named.conf to implement a key and signing policy
 1655 			(KASP) for zones. When this option is in use,
 1656 			named can generate new keys as needed and
 1657 			automatically roll both ZSK and KSK keys. (Note
 1658 			that the syntax for this statement differs from
 1659 			the dnssec policy used by dnssec-keymgr.)
 1660 
 1661 			See the ARM for configuration details. [GL #1134]
 1662 
 1663 5315.	[bug]		Apply the initial RRSIG expiration spread fixed
 1664 			to all dynamically created records in the zone
 1665 			including NSEC3. Also fix the signature clusters
 1666 			when the server has been offline for prolonged
 1667 			period of times. [GL #1256]
 1668 
 1669 5314.	[func]		Added a new statistics variable "tcp-highwater"
 1670 			that reports the maximum number of simultaneous TCP
 1671 			clients BIND has handled while running. [GL #1206]
 1672 
 1673 5313.	[bug]		The default GeoIP2 database location did not match
 1674 			the ARM.  'named -V' now reports the default
 1675 			location. [GL #1301]
 1676 
 1677 5312.	[bug]		Do not flush the cache for `rndc validation status`.
 1678 			Thanks to Tony Finch. [GL !2462]
 1679 
 1680 5311.	[cleanup]	Include all views in output of `rndc validation status`.
 1681 			Thanks to Tony Finch. [GL !2461]
 1682 
 1683 5310.	[bug]		TCP failures were affecting EDNS statistics. [GL #1059]
 1684 
 1685 5309.	[placeholder]
 1686 
 1687 5308.	[bug]		Don't log DNS_R_UNCHANGED from sync_secure_journal()
 1688 			at ERROR level in receive_secure_serial(). [GL #1288]
 1689 
 1690 5307.	[bug]		Fix hang when named-compilezone output is sent to pipe.
 1691 			Thanks to Tony Finch. [GL !2481]
 1692 
 1693 5306.	[security]	Set a limit on number of simultaneous pipelined TCP
 1694 			queries. (CVE-2019-6477) [GL #1264]
 1695 
 1696 5305.	[bug]		NSEC Aggressive Cache ("synth-from-dnssec") has been
 1697 			disabled by default because it was found to have
 1698 			a significant performance impact on the recursive
 1699 			service. [GL #1265]
 1700 
 1701 5304.	[bug]		"dnskey-sig-validity 0;" was not being accepted.
 1702 			[GL #876]
 1703 
 1704 5303.	[placeholder]
 1705 
 1706 5302.	[bug]		Fix checking that "dnstap-output" is defined when
 1707 			"dnstap" is specified in a view. [GL #1281]
 1708 
 1709 5301.	[bug]		Detect partial prefixes / incomplete IPv4 address in
 1710 			acls. [GL #1143]
 1711 
 1712 5300.	[bug]		dig/mdig/delv: Add a colon after EDNS option names,
 1713 			even when the option is empty, to improve
 1714 			readability and allow correct parsing of YAML
 1715 			output. [GL #1226]
 1716 
 1717 	--- 9.15.5 released ---
 1718 
 1719 5299.	[security]	A flaw in DNSSEC verification when transferring
 1720 			mirror zones could allow data to be incorrectly
 1721 			marked valid. (CVE-2019-6475) [GL #1252]
 1722 
 1723 5298.	[security]	Named could assert if a forwarder returned a
 1724 			referral, rather than resolving the query, when QNAME
 1725 			minimization was enabled. (CVE-2019-6476) [GL #1051]
 1726 
 1727 5297.	[bug]		Check whether a previous QNAME minimization fetch
 1728 			is still running before starting a new one; return
 1729 			SERVFAIL and log an error if so. [GL #1191]
 1730 
 1731 5296.	[placeholder]
 1732 
 1733 5295.	[cleanup]	Split dns_name_copy() calls into dns_name_copy() and
 1734 			dns_name_copynf() for those calls that can potentially
 1735 			fail and those that should not fail respectively.
 1736 			[GL !2265]
 1737 
 1738 5294.	[func]		Fallback to ACE name on output in locale, which does not
 1739 			support converting it to unicode.  [GL #846]
 1740 
 1741 5293.	[bug]		On Windows, named crashed upon any attempt to fetch XML
 1742 			statistics from it. [GL #1245]
 1743 
 1744 5292.	[bug]		Queue 'rndc nsec3param' requests while signing inline
 1745 			zone changes. [GL #1205]
 1746 
 1747 	--- 9.15.4 released ---
 1748 
 1749 5291.	[placeholder]
 1750 
 1751 5290.	[placeholder]
 1752 
 1753 5289.	[bug]		Address NULL pointer dereference in rpz.c:rpz_detach.
 1754 			[GL #1210]
 1755 
 1756 5288.	[bug]		dnssec-must-be-secure was not always honored.
 1757 			[GL #1209]
 1758 
 1759 5287.	[placeholder]
 1760 
 1761 5286.	[contrib]	Address potential NULL pointer dereferences in
 1762 			dlz_mysqldyn_mod.c. [GL #1207]
 1763 
 1764 5285.	[port]		win32: implement "-T maxudpXXX". [GL #837]
 1765 
 1766 5284.	[func]		Added +unexpected command line option to dig.
 1767 			By default, dig won't accept a reply from a source
 1768 			other than the one to which it sent the query.
 1769 			Invoking dig with +unexpected argument will allow it
 1770 			to process replies from unexpected sources.
 1771 
 1772 5283.	[bug]		When a response-policy zone expires, ensure that
 1773 			its policies are removed from the RPZ summary
 1774 			database. [GL #1146]
 1775 
 1776 5282.	[bug]		Fixed a bug in searching for possible wildcard matches
 1777 			for query names in the RPZ summary database. [GL #1146]
 1778 
 1779 5281.	[cleanup]	Don't escape commas when reporting named's command
 1780 			line. [GL #1189]
 1781 
 1782 5280.	[protocol]	Add support for displaying EDNS option LLQ. [GL #1201]
 1783 
 1784 5279.	[bug]		When loading, reject zones containing CDS or CDNSKEY
 1785 			RRsets at the zone apex if they would cause DNSSEC
 1786 			validation failures if published in the parent zone
 1787 			as the DS RRset.  [GL #1187]
 1788 
 1789 5278.	[func]		Add YAML output formats for dig, mdig and delv;
 1790 			use the "+yaml" option to enable. [GL #1145]
 1791 
 1792 	--- 9.15.3 released ---
 1793 
 1794 5277.	[bug]		Cache DB statistics could underflow when serve-stale
 1795 			was in use, because of a bug in counter maintenance
 1796 			when RRsets become stale.
 1797 
 1798 			Functions for dumping statistics have been updated
 1799 			to dump active, stale, and ancient statistic
 1800 			counters.  Ancient RRset counters are prefixed
 1801 			with '~'; stale RRset counters are still prefixed
 1802 			with '#'. [GL #602]
 1803 
 1804 5276.	[func]		DNSSEC Lookaside Validation (DLV) is now obsolete;
 1805 			all code enabling its use has been removed from the
 1806 			validator, "delv", and the DNSSEC tools. [GL #7]
 1807 
 1808 5275.	[bug]		Mark DS records included in referral messages
 1809 			with trust level "pending" so that they can be
 1810 			validated and cached immediately, with no need to
 1811 			re-query. [GL #964]
 1812 
 1813 5274.	[bug]		Address potential use after free race when shutting
 1814 			down rpz. [GL #1175]
 1815 
 1816 5273.	[bug]		Check that bits [64..71] of a dns64 prefix are zero.
 1817 			[GL #1159]
 1818 
 1819 5272.	[cleanup]	Remove isc-config.sh script as the BIND 9 libraries
 1820 			are now purely internal. [GL #1123]
 1821 
 1822 5271.	[func]		The normal (non-debugging) output of dnssec-signzone
 1823 			and dnssec-verify tools now goes to stdout, instead of
 1824 			the combination of stderr and stdout.
 1825 
 1826 5270.	[bug]		'dig +expandaaaa +short' did not work. [GL #1152]
 1827 
 1828 5269.	[port]		cygwin: can return ETIMEDOUT on connect() with a
 1829 			non-blocking socket. [GL #1133]
 1830 
 1831 5268.	[placeholder]
 1832 
 1833 5267.	[func]		Allow statistics groups display to be toggle-able.
 1834 			[GL #1030]
 1835 
 1836 5266.	[bug]		named-checkconf failed to report dnstap-output
 1837 			missing from named.conf when dnstap was specified.
 1838 			[GL #1136]
 1839 
 1840 5265.	[bug]		DNS64 and RPZ nodata (CNAME *.) rules interacted badly
 1841 			[GL #1106]
 1842 
 1843 5264.	[func]		New DNS Cookie algorithm - siphash24 - has been added
 1844 			to BIND 9, and the old HMAC-SHA DNS Cookie algorithms
 1845 			have been removed. [GL #605]
 1846 
 1847 	--- 9.15.2 released ---
 1848 
 1849 5263.	[cleanup]	Use atomics and isc_refcount_t wherever possible.
 1850 			[GL #1038]
 1851 
 1852 5262.	[func]		Removed support for the legacy GeoIP API. [GL #1112]
 1853 
 1854 5261.	[cleanup]	Remove SO_BSDCOMPAT socket option usage.
 1855 
 1856 5260.	[bug]		dnstap-read was producing malformed output for large
 1857 			packets. [GL #1093]
 1858 
 1859 5259.	[func]		New option '-i' for 'named-checkconf' to ignore
 1860 			warnings about deprecated options. [GL #1101]
 1861 
 1862 5258.	[func]		Added support for the GeoIP2 API from MaxMind. This
 1863 			will be compiled in by default if the "libmaxminddb"
 1864 			library is found at compile time, but can be
 1865 			suppressed using "configure --disable-geoip".
 1866 
 1867 			Certain geoip ACL settings that were available with
 1868 			legacy GeoIP are not available when using GeoIP2.
 1869 			[GL #182]
 1870 
 1871 5257.	[bug]		Some statistics data was not being displayed.
 1872 			Add shading to the zone tables. [GL #1030]
 1873 
 1874 5256.	[bug]		Ensure that glue records are included in root
 1875 			priming responses if "minimal-responses" is not
 1876 			set to "yes". [GL #1092]
 1877 
 1878 5255.	[bug]		Errors encountered while reloading inline-signing
 1879 			zones could be ignored, causing the zone content to
 1880 			be left in an incompletely updated state rather than
 1881 			reverted. [GL #1109]
 1882 
 1883 5254.	[func]		Collect metrics to report to the statistics-channel
 1884 			DNSSEC signing operations (dnssec-sign) and refresh
 1885 			operations (dnssec-refresh) per zone and per keytag.
 1886 			[GL #513]
 1887 
 1888 5253.	[port]		Support platforms that don't define ULLONG_MAX.
 1889 			[GL #1098]
 1890 
 1891 5252.	[func]		Report if the last 'rndc reload/reconfig' failed in
 1892 			rndc status. [GL !2040]
 1893 
 1894 5251.	[bug]		Statistics were broken in x86 Windows builds.
 1895 			[GL #1081]
 1896 
 1897 5250.	[func]		The default size for RSA keys is now 2048 bits,
 1898 			for both ZSKs and KSKs. [GL #1097]
 1899 
 1900 5249.	[bug]		Fix a possible underflow in recursion clients
 1901 			statistics when hitting recursive clients
 1902 			soft quota. [GL #1067]
 1903 
 1904 	--- 9.15.1 released ---
 1905 
 1906 5248.	[func]		To clarify the configuration of DNSSEC keys,
 1907 			the "managed-keys" and "trusted-keys" options
 1908 			have both been deprecated.  The new "dnssec-keys"
 1909 			statement can now be used for all trust anchors,
 1910 			with the keywords "iniital-key" or "static-key"
 1911 			to indicate whether the configured trust anchor
 1912 			should be used for initialization of RFC 5011 key
 1913 			management, or as a permanent trust anchor.
 1914 
 1915 			The "static-key" keyword will generate a warning if
 1916 			used for the root zone.
 1917 
 1918 			Configurations using "trusted-keys" or "managed-keys"
 1919 			will continue to work with no changes, but will
 1920 			generate warnings in the log. In a future release,
 1921 			these options will be marked obsolete. [GL #6]
 1922 
 1923 5247.	[cleanup]	The 'cleaning-interval' option has been removed.
 1924 			[GL !1731]
 1925 
 1926 5246.	[func]		Log TSIG if appropriate in 'sending notify to' message.
 1927 			[GL #1058]
 1928 
 1929 5245.	[cleanup]	Reduce logging level for IXFR up-to-date poll
 1930 			responses. [GL #1009]
 1931 
 1932 5244.	[security]	Fixed a race condition in dns_dispatch_getnext()
 1933 			that could cause an assertion failure if a
 1934 			significant number of incoming packets were
 1935 			rejected. (CVE-2019-6471) [GL #942]
 1936 
 1937 5243.	[bug]		Fix a possible race between dispatcher and socket
 1938 			code in a high-load cold-cache resolver scenario.
 1939 			[GL #943]
 1940 
 1941 5242.	[bug]		In relaxed qname minimization mode, fall back to
 1942 			normal resolution when encountering a lame
 1943 			delegation, and use _.domain/A queries rather
 1944 			than domain/NS. [GL #1055]
 1945 
 1946 5241.	[bug]		Fix Ed448 private and public key ASN.1 prefix blobs.
 1947 			[GL #225]
 1948 
 1949 5240.	[bug]		Remove key id calculation for RSAMD5. [GL #996]
 1950 
 1951 5239.	[func]		Change the json-c detection to pkg-config. [GL #855]
 1952 
 1953 5238.	[bug]		Fix a possible deadlock in TCP code. [GL #1046]
 1954 
 1955 5237.	[bug]		Recurse to find the root server list with 'dig +trace'.
 1956 			[GL #1028]
 1957 
 1958 5236.	[func]		Add SipHash 2-4 implementation in lib/isc/siphash.c
 1959 			and switch isc_hash_function() to use SipHash 2-4.
 1960 			[GL #605]
 1961 
 1962 5235.	[cleanup]	Refactor lib/isc/app.c to be thread-safe, unused
 1963 			parts of the API has been removed and the
 1964 			isc_appctx_t data type has been changed to be
 1965 			fully opaque. [GL #1023]
 1966 
 1967 5234.	[port]		arm: just use the compiler's default support for
 1968 			yield. [GL #981]
 1969 
 1970 	--- 9.15.0 released ---
 1971 
 1972 5233.	[bug]		Negative trust anchors did not work with "forward only;"
 1973 			to validating resolvers. [GL #997]
 1974 
 1975 5232.	[placeholder]
 1976 
 1977 5231.	[protocol]	Add support for displaying CLIENT-TAG and SERVER-TAG.
 1978 			[GL #960]
 1979 
 1980 5230.	[protocol]	The SHA-1 hash algorithm is no longer used when
 1981 			generating DS and CDS records. [GL #1015]
 1982 
 1983 5229.	[protocol]	Enforce known SSHFP fingerprint lengths. [GL #852]
 1984 
 1985 5228.	[func]		If trusted-keys and managed-keys were configured
 1986 			simultaneously for the same name, the key could
 1987 			not be be rolled automatically. This is now
 1988 			a fatal configuration error. [GL #868]
 1989 
 1990 5227.	[placeholder]
 1991 
 1992 5226.	[placeholder]
 1993 
 1994 5225.	[func]		Allow dig to print out AAAA record fully expanded.
 1995 			with +[no]expandaaaa. [GL #765]
 1996 
 1997 5224.	[bug]		Only test provide-ixfr on TCP streams. [GL #991]
 1998 
 1999 5223.	[bug]		Fixed a race in the filter-aaaa plugin accessing
 2000 			the hash table. [GL #1005]
 2001 
 2002 5222.	[bug]		'delv -t ANY' could leak memory. [GL #983]
 2003 
 2004 5221.	[test]		Enable parallel execution of system tests on
 2005 			Windows. [GL !4101]
 2006 
 2007 5220.	[cleanup]	Refactor the isc_stat structure to take advantage
 2008 			of stdatomic. [GL !1493]
 2009 
 2010 5219.	[bug]		Fixed a race in the filter-aaaa plugin that could
 2011 			trigger a crash when returning an instance object
 2012 			to the memory pool. [GL #982]
 2013 
 2014 5218.	[bug]		Conditionally include <dlfcn.h>. [GL #995]
 2015 
 2016 5217.	[bug]		Restore key id calculation for RSAMD5. [GL #996]
 2017 
 2018 5216.	[bug]		Fetches-per-zone counter wasn't updated correctly
 2019 			when doing qname minimization. [GL #992]
 2020 
 2021 5215.	[bug]		Change #5124 was incomplete; named could still
 2022 			return FORMERR instead of SERVFAIL in some cases.
 2023 			[GL #990]
 2024 
 2025 5214.	[bug]		win32: named now removes its lock file upon shutdown.
 2026 			[GL #979]
 2027 
 2028 5213.	[bug]		win32: Eliminated a race which allowed named.exe running
 2029 			as a service to be killed prematurely during shutdown.
 2030 			[GL #978]
 2031 
 2032 5212.	[placeholder]
 2033 
 2034 5211.	[bug]		Allow out-of-zone additional data to be included
 2035 			in authoritative responses if recursion is allowed
 2036 			and "minimal-responses" is disabled.  This behavior
 2037 			was inadvertently removed in change #4605. [GL #817]
 2038 
 2039 5210.	[bug]		When dnstap is enabled and recursion is not
 2040 			available, incoming queries are now logged
 2041 			as "auth". Previously, this depended on whether
 2042 			recursion was requested by the client, not on
 2043 			whether recursion was available. [GL #963]
 2044 
 2045 5209.	[bug]		When update-check-ksk is true, add_sigs was not
 2046 			considering offline keys, leaving record sets signed
 2047 			with the incorrect type key. [GL #763]
 2048 
 2049 5208.	[test]		Run valid rdata wire encodings through totext+fromtext
 2050 			and tofmttext+fromtext methods to check these methods.
 2051 			[GL #899]
 2052 
 2053 5207.	[test]		Check delv and dig TTL values. [GL #965]
 2054 
 2055 5206.	[bug]		Delv could print out bad TTLs. [GL #965]
 2056 
 2057 5205.	[bug]		Enforce that a DS hash exists. [GL #899]
 2058 
 2059 5204.	[test]		Check that dns_rdata_fromtext() produces a record that
 2060 			will be accepted by dns_rdata_fromwire(). [GL #852]
 2061 
 2062 5203.	[bug]		Enforce whether key rdata exists or not in KEY,
 2063 			DNSKEY, CDNSKEY and RKEY. [GL #899]
 2064 
 2065 5202.	[bug]		<dns/ecs.h> was missing ISC_LANG_ENDDECLS. [GL #976]
 2066 
 2067 5201.	[bug]		Fix a possible deadlock in RPZ update code. [GL #973]
 2068 
 2069 5200.	[security]	tcp-clients settings could be exceeded in some cases,
 2070 			which could lead to exhaustion of file descriptors.
 2071 			(CVE-2018-5743) [GL #615]
 2072 
 2073 5199.	[security]	In certain configurations, named could crash
 2074 			if nxdomain-redirect was in use and a redirected
 2075 			query resulted in an NXDOMAIN from the cache.
 2076 			(CVE-2019-6467) [GL #880]
 2077 
 2078 5198.	[bug]		If a fetch context was being shut down and, at the same
 2079 			time, we returned from qname minimization, an INSIST
 2080 			could be hit. [GL #966]
 2081 
 2082 5197.	[bug]		dig could die in best effort mode on multiple SIG(0)
 2083 			records. Similarly on multiple OPT and multiple TSIG
 2084 			records. [GL #920]
 2085 
 2086 5196.	[bug]		make install failed with --with-dlopen=no. [GL #955]
 2087 
 2088 5195.	[bug]		"allow-update" and "allow-update-forwarding" were
 2089 			treated as configuration errors if used at the
 2090 			options or view level. [GL #913]
 2091 
 2092 5194.	[bug]		Enforce non empty ZOMEMD hash. [GL #899]
 2093 
 2094 5193.	[bug]		EID and NIMLOC failed to do multi-line output
 2095 			correctly. [GL #899]
 2096 
 2097 5192.	[placeholder]
 2098 
 2099 5191.	[placeholder]
 2100 
 2101 5190.	[bug]		Ignore trust anchors using disabled algorithms.
 2102 			[GL #806]
 2103 
 2104 5189.	[cleanup]	Remove revoked root DNSKEY from bind.keys. [GL #945]
 2105 
 2106 5188.	[func]		The "dnssec-enable" option is deprecated and no
 2107 			longer has any effect; DNSSEC responses are
 2108 			always enabled. [GL #866]
 2109 
 2110 5187.	[test]		Set time zone before running any tests in dnstap_test.
 2111 			[GL #940]
 2112 
 2113 5186.	[cleanup]	More dnssec-keygen manual tidying. [GL !1678]
 2114 
 2115 5185.	[placeholder]
 2116 
 2117 5184.	[bug]		Missing unlocks in sdlz.c. [GL #936]
 2118 
 2119 5183.	[bug]		Reinitialize ECS data before reusing client
 2120 			structures. [GL #881]
 2121 
 2122 5182.	[bug]		Fix a high-load race/crash in handling of
 2123 			isc_socket_close() in resolver. [GL #834]
 2124 
 2125 5181.	[func]		Add a mechanism for a DLZ module to signal that
 2126 			the view's allow-transfer ACL should be used to
 2127 			determine whether transfers are allowed. [GL #803]
 2128 
 2129 5180.	[bug]		delv now honors the operating system's preferred
 2130 			ephemeral port range. [GL #925]
 2131 
 2132 5179.	[cleanup]	Replace some vague type declarations with the more
 2133 			specific dns_secalg_t and dns_dsdigest_t.
 2134 			Thanks to Tony Finch. [GL !1498]
 2135 
 2136 5178.	[bug]		Handle EDQUOT (disk quota) and ENOSPC (disk full)
 2137 			errors when writing files. [GL #902]
 2138 
 2139 5177.	[func]		Add the ability to specify in named.conf whether a
 2140 			response-policy zone's SOA record should be added
 2141 			to the additional section (add-soa yes/no). [GL #865]
 2142 
 2143 5176.	[tests]		Remove a dependency on libxml in statschannel system
 2144 			test. [GL #926]
 2145 
 2146 5175.	[bug]		Fixed a problem with file input in dnssec-keymgr,
 2147 			dnssec-coverage and dnssec-checkds when using
 2148 			python3. [GL #882]
 2149 
 2150 5174.	[doc]		Tidy dnssec-keygen manual. [GL !1557]
 2151 
 2152 5173.	[bug]		Fixed a race in socket code that could occur when
 2153 			accept, send, or recv were called from an event
 2154 			loop but the socket had been closed by another
 2155 			thread. [RT #874]
 2156 
 2157 5172.	[bug]		nsupdate now honors the operating system's preferred
 2158 			ephemeral port range. [GL #905]
 2159 
 2160 5171.	[func]		named plugins are now installed into a separate
 2161 			directory.  Supplying a filename (a string without path
 2162 			separators) in a "plugin" configuration stanza now
 2163 			causes named to look for that plugin in that directory.
 2164 			[GL #878]
 2165 
 2166 5170.	[test]		Added --with-dlz-filesystem to feature-test. [GL !1587]
 2167 
 2168 5169.	[bug]		The presence of certain types in an otherwise
 2169 			empty node could cause a crash while processing a
 2170 			type ANY query. [GL #901]
 2171 
 2172 5168.	[bug]		Do not crash on shutdown when RPZ fails to load.  Also,
 2173 			keep previous version of the database if RPZ fails to
 2174 			load. [GL #813]
 2175 
 2176 5167.	[bug]		nxdomain-redirect could sometimes lookup the wrong
 2177 			redirect name. [GL #892]
 2178 
 2179 5166.	[placeholder]
 2180 
 2181 5165.	[contrib]	Removed SDB drivers from contrib; they're obsolete.
 2182 			[GL #428]
 2183 
 2184 5164.	[bug]		Correct errno to result translation in dlz filesystem
 2185 			modules. [GL #884]
 2186 
 2187 5163.	[cleanup]	Out-of-tree builds failed --enable-dnstap. [GL #836]
 2188 
 2189 5162.	[cleanup]	Improve dnssec-keymgr manual. Thanks to Tony Finch.
 2190 			[GL !1518]
 2191 
 2192 5161.	[bug]		Do not require the SEP bit to be set for mirror zone
 2193 			trust anchors. [GL #873]
 2194 
 2195 5160.	[contrib]	Added DNAME support to the DLZ LDAP schema. Also
 2196 			fixed a compilation bug affecting several DLZ
 2197 			modules. [GL #872]
 2198 
 2199 5159.	[bug]		dnssec-coverage was incorrectly ignoring
 2200 			names specified on the command line without
 2201 			trailing dots. [GL !1478]
 2202 
 2203 5158.	[protocol]	Add support for AMTRELAY and ZONEMD. [GL #867]
 2204 
 2205 5157.	[bug]		Nslookup now errors out if there are extra command
 2206 			line arguments. [GL #207]
 2207 
 2208 5156.	[doc]		Extended and refined the section of the ARM describing
 2209 			mirror zones. [GL #774]
 2210 
 2211 5155.	[func]		"named -V" now outputs the default paths to
 2212 			named.conf, rndc.conf, bind.keys, and other
 2213 			files used or created by named and other tools, so
 2214 			that the correct paths to these files can quickly be
 2215 			determined regardless of the configure settings
 2216 			used when BIND was built. [GL #859]
 2217 
 2218 5154.	[bug]		dig: process_opt could be called twice on the same
 2219 			message leading to a assertion failure. [GL #860]
 2220 
 2221 5153.	[func]		Zone transfer statistics (size, number of records, and
 2222 			number of messages) are now logged for outgoing
 2223 			transfers as well as incoming ones. [GL #513]
 2224 
 2225 5152.	[func]		Improved logging of DNSSEC key events:
 2226 			- Zone signing and DNSKEY maintenance events are
 2227 			  now logged to the "dnssec" category
 2228 			- Messages are now logged when DNSSEC keys are
 2229 			  published, activated, inactivated, deleted,
 2230 			  or revoked.
 2231 			[GL #714]
 2232 
 2233 5151.	[func]		Options that have been been marked as obsolete in
 2234 			named.conf for a very long time are now fatal
 2235 			configuration errors. [GL #358]
 2236 
 2237 5150.	[cleanup]	Remove the ability to compile BIND with assertions
 2238 			disabled. [GL #735]
 2239 
 2240 5149.	[func]		"rndc dumpdb" now prints a line above a stale RRset
 2241 			indicating how long the data will be retained in the
 2242 			cache for emergency use. [GL #101]
 2243 
 2244 5148.	[bug]		named did not sign the TKEY response. [GL #821]
 2245 
 2246 5147.	[bug]		dnssec-keymgr: Add a five-minute margin to better
 2247 			handle key events close to 'now'. [GL #848]
 2248 
 2249 5146.	[placeholder]
 2250 
 2251 5145.	[func]		Use atomics instead of locked variables for isc_quota
 2252 			and isc_counter. [GL !1389]
 2253 
 2254 5144.	[bug]		dig now returns a non-zero exit code when a TCP
 2255 			connection is prematurely closed by a peer more than
 2256 			once for the same lookup.  [GL #820]
 2257 
 2258 5143.	[bug]		dnssec-keymgr and dnssec-coverage failed to find
 2259 			key files for zone names ending in ".". [GL #560]
 2260 
 2261 5142.	[cleanup]	Removed "configure --disable-rpz-nsip" and
 2262 			"--disable-rpz-nsdname" options. "nsip-enable"
 2263 			and "nsdname-enable" both now default to yes,
 2264 			regardless of compile-time settings. [GL #824]
 2265 
 2266 5141.	[security]	Zone transfer controls for writable DLZ zones were
 2267 			not effective as the allowzonexfr method was not being
 2268 			called for such zones. (CVE-2019-6465) [GL #790]
 2269 
 2270 5140.	[bug]		Don't immediately mark existing keys as inactive and
 2271 			deleted when running dnssec-keymgr for the first
 2272 			time. [GL #117]
 2273 
 2274 5139.	[bug]		If possible, don't use forwarders when priming.
 2275 			This ensures we can get root server IP addresses
 2276 			from priming query response glue, which may not
 2277 			be present if the forwarding server is returning
 2278 			minimal responses. [GL #752]
 2279 
 2280 5138.	[bug]		Under some circumstances named could hit an assertion
 2281 			failure when doing qname minimization when using
 2282 			forwarders. [GL #797]
 2283 
 2284 5137.	[func]		named now logs messages whenever a mirror zone becomes
 2285 			usable or unusable for resolution purposes. [GL #818]
 2286 
 2287 5136.	[cleanup]	Check in named-checkconf that allow-update and
 2288 			allow-update-forwarding are not set at the
 2289 			view/options level; fix documentation. [GL #512]
 2290 
 2291 5135.	[port]		sparc: Use smt_pause() instead of pause. [GL #816]
 2292 
 2293 5134.	[bug]		win32: WSAStartup was not called before getservbyname
 2294 			was called. [GL #590]
 2295 
 2296 5133.	[bug]		'rndc managed-keys' didn't handle class and view
 2297 			correctly and failed to add new lines between each
 2298 			view. [GL !1327]
 2299 
 2300 5132.	[bug]		Fix race condition in cleanup part of dns_dt_create().
 2301 			[GL !1323]
 2302 
 2303 5131.	[cleanup]	Address Coverity warnings. [GL #801]
 2304 
 2305 5130.	[cleanup]	Remove support for l10n message catalogs. [GL #709]
 2306 
 2307 5129.	[contrib]	sdlz_helper.c:build_querylist was not properly
 2308 			splitting the query string. [GL #798]
 2309 
 2310 5128.	[bug]		Refreshkeytime was not being updated for managed
 2311 			keys zones. [GL #784]
 2312 
 2313 5127.	[bug]		rcode.c:maybe_numeric failed to handle NUL in text
 2314 			regions. [GL #807]
 2315 
 2316 5126.	[bug]		Named incorrectly accepted empty base64 and hex encoded
 2317 			fields when reading master files. [GL #807]
 2318 
 2319 5125.	[bug]		Allow for up to 100 records or 64k of data when caching
 2320 			a negative response. [GL #804]
 2321 
 2322 5124.	[bug]		Named could incorrectly return FORMERR rather than
 2323 			SERVFAIL. [GL #804]
 2324 
 2325 5123.	[bug]		dig could hang indefinitely after encountering an error
 2326 			before creating a TCP socket. [GL #692]
 2327 
 2328 5122.	[bug]		In a "forward first;" configuration, a forwarder
 2329 			timeout did not prevent that forwarder from being
 2330 			queried again after falling back to full recursive
 2331 			resolution. [GL #315]
 2332 
 2333 5121.	[contrib]	dlz_stub_driver.c fails to return ISC_R_NOTFOUND on none
 2334 			matching zone names. [GL !1299]
 2335 
 2336 5120.	[placeholder]
 2337 
 2338 5119.	[placeholder]
 2339 
 2340 5118.	[security]	Named could crash if it is managing a key with
 2341 			`managed-keys` and the authoritative zone is rolling
 2342 			the key to an unsupported algorithm. (CVE-2018-5745)
 2343 			[GL #780]
 2344 
 2345 5117.	[placeholder]
 2346 
 2347 5116.	[bug]		Named/named-checkconf triggered a assertion when
 2348 			a mirror zone's name is bad. [GL #778]
 2349 
 2350 5115.	[bug]		Allow unsupported algorithms in zone when not used for
 2351 			signing with dnssec-signzone. [GL #783]
 2352 
 2353 5114.	[func]		Include a 'reconfig/reload in progress' status line
 2354 			in rndc status, use it in tests.
 2355 
 2356 5113.	[port]		Fixed a Windows build error.
 2357 
 2358 5112.	[bug]		Named/named-checkconf could dump core if there was
 2359 			a missing masters clause and a bad notify clause.
 2360 			[GL #779]
 2361 
 2362 5111.	[bug]		Occluded DNSKEY records could make it into the
 2363 			delegating NSEC/NSEC3 bitmap. [GL #742]
 2364 
 2365 5110.	[security]	Named leaked memory if there were multiple Key Tag
 2366 			EDNS options present. (CVE-2018-5744) [GL #772]
 2367 
 2368 5109.	[cleanup]	Remove support for RSAMD5 algorithm. [GL #628]
 2369 
 2370 	--- 9.13.5 released ---
 2371 
 2372 5108.	[bug]		Named could fail to determine bottom of zone when
 2373 			removing out of date keys leading to invalid NSEC
 2374 			and NSEC3 records being added to the zone. [GL #771]
 2375 
 2376 5107.	[bug]		'host -U' did not work. [GL #769]
 2377 
 2378 5106.	[experimental]	A new "plugin" mechanism has been added to allow
 2379 			extension of query processing functionality through
 2380 			the use of dynamically loadable libraries. A
 2381 			"filter-aaaa.so" plugin has been implemented,
 2382 			replacing the filter-aaaa feature that was formerly
 2383 			implemented as a native part of BIND.
 2384 
 2385 			The "filter-aaaa", "filter-aaaa-on-v4" and
 2386 			"filter-aaaa-on-v6" options can no longer be
 2387 			configured using native named.conf syntax. However,
 2388 			loading the filter-aaaa.so plugin and setting its
 2389 			parameters provides identical functionality.
 2390 
 2391 			Note that the plugin API is a work in progress and
 2392 			is likely to evolve as further plugins are
 2393 			implemented. [GL #15]
 2394 
 2395 5105.	[bug]		Fix a race between process_fd and socketclose in
 2396 			unix socket code. [GL #744]
 2397 
 2398 5104.	[cleanup]	Log clearer informational message when a catz zone
 2399 			is overridden by a zone in named.conf.
 2400 			Thanks to Tony Finch. [GL !1157]
 2401 
 2402 5103.	[bug]		Add missing design by contract tests to dns_catz*.
 2403 			[GL #748]
 2404 
 2405 5102.	[bug]		dnssec-coverage failed to use the default TTL when
 2406 			checking KSK deletion times leading to a exception.
 2407 			[GL #585]
 2408 
 2409 5101.	[bug]		Fix default installation path for Python modules and
 2410 			remove the dnspython dependency accidentally introduced
 2411 			by change 4970. [GL #730]
 2412 
 2413 5100.	[func]		Pin resolver tasks to specific task queues. [GL !1117]
 2414 
 2415 5099.	[func]		Failed mutex and conditional creations are always
 2416 			fatal. [GL #674]
 2417 
 2418 	--- 9.13.4 released ---
 2419 
 2420 5098.	[func]		Failed memory allocations are now fatal. [GL #674]
 2421 
 2422 5097.	[cleanup]	Remove embedded ATF unit testing framework
 2423 			from BIND source distribution.  [GL !875]
 2424 
 2425 5096.	[func]		Use multiple event loops in socket code, and
 2426 			make network threads CPU-affinitive.  This
 2427 			significantly improves performance on large
 2428 			systems. [GL #666]
 2429 
 2430 5095.	[test]		Converted all unit tests from ATF to CMocka;
 2431 			removed the source code for the ATF libraries.
 2432 			Build with "configure --with-cmocka" to enable
 2433 			unit testing. [GL #620]
 2434 
 2435 5094.	[func]		Add 'dig -r' to disable reading of .digrc. [GL !970]
 2436 
 2437 5093.	[bug]		Log lame qname-minimization servers only if they're
 2438 			really lame. [GL #671]
 2439 
 2440 5092.	[bug]		Address memory leak on SIGTERM in nsupdate when using
 2441 			GSS-TSIG. [GL #558]
 2442 
 2443 5091.	[func]		Two new global and per-view options min-cache-ttl
 2444 			and min-ncache-ttl [GL #613]
 2445 
 2446 5090.	[bug]		dig and mdig failed to properly pre-parse dash value
 2447 			pairs when value was a separate argument and started
 2448 			with a dash. [GL #584]
 2449 
 2450 5089.	[bug]		Restore localhost fallback in dig and host which is
 2451 			used when no nameserver addresses present in
 2452 			/etc/resolv.conf are usable due to the requested
 2453 			address family restrictions. [GL #433]
 2454 
 2455 5088.	[bug]		dig/host/nslookup could crash when interrupted close to
 2456 			a query timeout. [GL #599]
 2457 
 2458 5087.	[test]		Check that result tables are complete. [GL #676]
 2459 
 2460 5086.	[func]		Log of RPZ now includes the QTYPE and QCLASS. [GL #623]
 2461 
 2462 5085.	[bug]		win32: Restore looking up nameservers, search list,
 2463 			etc. [GL #186]
 2464 
 2465 5084.	[placeholder]
 2466 
 2467 5083.	[func]		Add autoconf macro AX_POSIX_SHELL, so we
 2468 			can use POSIX-compatible shell features
 2469 			in the scripts.
 2470 
 2471 5082.	[bug]		Fixed a race that could cause a crash in
 2472 			dig/host/nslookup. [GL #650]
 2473 
 2474 5081.	[func]		Use per-worker queues in task manager, make task
 2475 			runners CPU-affine. [GL #659]
 2476 
 2477 5080.	[func]		Improvements to "rndc nta" user interface:
 2478 			- catch and report invalid command line options
 2479 			- when removing an NTA from all views, do not
 2480 			  abort with an error if the NTA was not found
 2481 			  in one of the views
 2482 			- include the view name in "rndc nta -dump"
 2483 			  output, for consistency with the add and remove
 2484 			  actions
 2485 			Thanks to Tony Finch. [GL !816]
 2486 
 2487 5079.	[func]		Disable IDN processing in dig and nslookup
 2488 			when not on a tty. [GL #653]
 2489 
 2490 5078.	[cleanup]	Require python components to be explicitly disabled if
 2491 			python is not available on unix platforms. [GL #601]
 2492 
 2493 5077.	[cleanup]	Remove ip6.int support (-i) from dig and mdig.
 2494 			[GL !969]
 2495 
 2496 5076.	[bug]		"require-server-cookie" was not effective if
 2497 			"rate-limit" was configured. [GL #617]
 2498 
 2499 5075.	[bug]		Refresh nameservers from cache when sending final
 2500 			query in qname minimization. [GL #16]
 2501 
 2502 5074.	[cleanup]	Remove vector socket functions - isc_socket_recvv(),
 2503 			isc_socket_sendtov(), isc_socket_sendtov2(),
 2504 			isc_socket_sendv() - in order to simplify socket code.
 2505 			[GL #645]
 2506 
 2507 5073.	[bug]		Destroy a task first when destroying rpzs and catzs.
 2508 			[GL #84]
 2509 
 2510 5072.	[bug]		Add unit tests for isc_buffer_copyregion() and fix its
 2511 			behavior for auto-reallocated buffers. [GL #644]
 2512 
 2513 5071.	[bug]		Comparison of NXT records was broken. [GL #631]
 2514 
 2515 5070.	[bug]		Record types which support a empty rdata field were
 2516 			not handling the empty rdata field case. [GL #638]
 2517 
 2518 5069.	[bug]		Fix a hang on in RPZ when named is shutdown during RPZ
 2519 			zone update. [GL !907]
 2520 
 2521 5068.	[bug]		Fix a race in RPZ with min-update-interval set to 0.
 2522 			[GL #643]
 2523 
 2524 5067.	[bug]		Don't minimize qname when sending the query
 2525 			to a forwarder. [GL #361]
 2526 
 2527 5066.	[cleanup]	Allow unquoted strings to be used as a zone names
 2528 			in response-policy statements. [GL #641]
 2529 
 2530 5065.	[bug]		Only set IPV6_USE_MIN_MTU on IPv6. [GL #553]
 2531 
 2532 5064.	[test]		Initialize TZ environment variable before calling
 2533 			dns_test_begin in dnstap_test. [GL #624]
 2534 
 2535 5063.	[test]		In statschannel test try a few times before failing
 2536 			when checking if the compressed output is the same as
 2537 			uncompressed. [GL !909]
 2538 
 2539 5062.	[func]		Use non-crypto-secure PRNG to generate nonces for
 2540 			cookies. [GL !887]
 2541 
 2542 5061.	[protocol]	Add support for EID and NIMLOC. [GL #626]
 2543 
 2544 5060.	[bug]		GID, UID and UINFO could not be loaded using unknown
 2545 			record format. [GL #627]
 2546 
 2547 5059.	[bug]		Display a per-view list of zones in the web interface.
 2548 			[GL #427]
 2549 
 2550 5058.	[func]		Replace old message digest and hmac APIs with more
 2551 			generic isc_md and isc_hmac APIs, and convert their
 2552 			respective tests to cmocka. [GL #305]
 2553 
 2554 5057.	[protocol]	Add support for ATMA. [GL #619]
 2555 
 2556 5056.	[placeholder]
 2557 
 2558 5055.	[func]		A default list of primary servers for the root zone is
 2559 			now built into named, allowing the "masters" statement
 2560 			to be omitted when configuring an IANA root zone
 2561 			mirror. [GL #564]
 2562 
 2563 5054.	[func]		Attempts to use mirror zones with recursion disabled
 2564 			are now considered a configuration error. [GL #564]
 2565 
 2566 5053.	[func]		The only valid zone-level NOTIFY settings for mirror
 2567 			zones are now "notify no;" and "notify explicit;".
 2568 			[GL #564]
 2569 
 2570 5052.	[func]		Mirror zones are now configured using "type mirror;"
 2571 			rather than "mirror yes;". [GL #564]
 2572 
 2573 5051.	[doc]		Documentation incorrectly stated that the
 2574 			"server-addresses" static-stub zone option accepts
 2575 			custom port numbers. [GL #582]
 2576 
 2577 5050.	[bug]		The libirs version of getaddrinfo() was unable to parse
 2578 			scoped IPv6 addresses present in /etc/resolv.conf.
 2579 			[GL #187]
 2580 
 2581 5049.	[cleanup]	QNAME minimization has been deeply refactored. [GL #16]
 2582 
 2583 5048.	[func]		Add configure option to enable and enforce FIPS mode
 2584 			in BIND 9. [GL #506]
 2585 
 2586 5047.	[bug]		Messages logged for certain query processing failures
 2587 			now include a more specific error description if it is
 2588 			available. [GL #572]
 2589 
 2590 5046.	[bug]		named could crash during shutdown if an RPZ
 2591 			reload was in progress. [RT #46210]
 2592 
 2593 5045.	[func]		Remove support for DNSSEC algorithms 3 (DSA)
 2594 			and 6 (DSA-NSEC3-SHA1). [GL #22]
 2595 
 2596 5044.	[cleanup]	If "dnssec-enable" is no, then "dnssec-validation"
 2597 			now also defaults to no.  [GL #388]
 2598 
 2599 5043.	[bug]		Fix creating and validating EdDSA signatures. [GL #579]
 2600 
 2601 5042.	[test]		Make the chained delegations in reclimit behave
 2602 			like they would in a regular name server. [GL #578]
 2603 
 2604 5041.	[test]		The chain test contains a incomplete delegation.
 2605 			[GL #568]
 2606 
 2607 5040.	[func]		Extended dnstap so that it can log UPDATE requests
 2608 			and responses as separate message types. Thanks
 2609 			to Greg Rabil. [GL #570]
 2610 
 2611 5039.	[bug]		Named could fail to preserve owner name case of new
 2612 			RRset. [GL #420]
 2613 
 2614 5038.	[bug]		Chaosnet addresses were compared incorrectly.
 2615 			[GL #562]
 2616 
 2617 5037.	[func]		"allow-recursion-on" and "allow-query-cache-on"
 2618 			each now default to the other if only one of them
 2619 			is set, in order to be more consistent with the way
 2620 			"allow-recursion" and "allow-query-cache" work.
 2621 			Also we now ensure that both query-cache ACLs are
 2622 			checked when determining cache access. [GL #319]
 2623 
 2624 5036.	[cleanup]	Fixed a spacing/formatting error in some RPZ-related
 2625 			error messages in the log. [GL !805]
 2626 
 2627 5035.	[test]		Fixed errors that prevented the DNSRPS subtests
 2628 			from running in the rpz and rpzrecurse system
 2629 			tests. [GL #503]
 2630 
 2631 5034.	[bug]		A race between threads could prevent zone maintenance
 2632 			scheduled immediately after zone load from being
 2633 			performed. [GL #542]
 2634 
 2635 5033.	[bug]		When adding NTAs to multiple views using "rndc nta",
 2636 			the text returned via rndc was incorrectly terminated
 2637 			after the first line, making it look as if only one
 2638 			NTA had been added. Also, it was not possible to
 2639 			differentiate between views with the same name but
 2640 			different classes; this has been corrected with the
 2641 			addition of a "-class" option. [GL #105]
 2642 
 2643 5032.	[func]		Add krb5-selfsub and ms-selfsub update policy rules.
 2644 			[GL #511]
 2645 
 2646 5031.	[cleanup]	Various defines in platform.h has been either dropped
 2647 			if always or never triggered on supported platforms
 2648 			or replaced with config.h equivalents if the defines
 2649 			didn't have any impact on public headers.  Workarounds
 2650 			for LinuxThreads have been removed because NPTL is
 2651 			available since Linux kernel 2.6.0.  [GL #525]
 2652 
 2653 5030.	[bug]		Align CMSG buffers to a 64-bit boundary, fixes crash
 2654 			on architectures with strict alignment. [GL #521]
 2655 
 2656 	--- 9.13.3 released ---
 2657 
 2658 5029.	[func]		Workarounds for servers that misbehave when queried
 2659 			with EDNS have been removed, because these broken
 2660 			servers and the workarounds for their noncompliance
 2661 			cause unnecessary delays, increase code complexity,
 2662 			and prevent deployment of new DNS features. See
 2663 			https://dnsflagday.net for further details. [GL #150]
 2664 
 2665 5028.	[bug]		Spread the initial RRSIG expiration times over the
 2666 			entire working sig-validity-interval when signing a
 2667 			zone in named to even out re-signing and transfer
 2668 			loads. [GL #418]
 2669 
 2670 5027.	[func]		Set SO_SNDBUF size on sockets. [GL #74]
 2671 
 2672 5026.	[bug]		rndc reconfig should not touch already loaded zones.
 2673 			[GL #276]
 2674 
 2675 5025.	[cleanup]	Remove isc_keyboard family of functions. [GL #178]
 2676 
 2677 5024.	[func]		Replace custom assembly for atomic operations with
 2678 			atomic support from the compiler. The code will now use
 2679 			C11 stdatomic, or __atomic, or __sync builtins with GCC
 2680 			or Clang compilers, and Interlocked functions with MSVC.
 2681 			[GL #10]
 2682 
 2683 5023.	[cleanup]	Remove wrappers that try to fix broken or incomplete
 2684 			implementations of IPv6, pthreads and other core
 2685 			functionality required and used by BIND. [GL #192]
 2686 
 2687 5022.	[doc]		Update ms-self, ms-subdomain, krb5-self, and
 2688 			krb5-subdomain documentation. [GL !708]
 2689 
 2690 5021.	[bug]		dig returned a non-zero exit code when it received a
 2691 			reply over TCP after a retry. [GL #487]
 2692 
 2693 5020.	[func]		RNG uses thread-local storage instead of locks, if
 2694 			supported by platform. [GL #496]
 2695 
 2696 5019.	[cleanup]	A message is now logged when ixfr-from-differences is
 2697 			set at zone level for an inline-signed zone. [GL #470]
 2698 
 2699 5018.	[bug]		Fix incorrect sizeof arguments in lib/isc/pk11.c.
 2700 			[GL !588]
 2701 
 2702 5017.	[bug]		lib/isc/pk11.c failed to unlink the session before
 2703 			releasing the lock which is unsafe. [GL !589]
 2704 
 2705 5016.	[bug]		Named could assert with overlapping filter-aaaa and
 2706 			dns64 acls. [GL #445]
 2707 
 2708 5015.	[bug]		Reloading all zones caused zone maintenance to cease
 2709 			for inline-signed zones. [GL #435]
 2710 
 2711 5014.	[bug]		Signatures loaded from the journal for the signed
 2712 			version of an inline-signed zone were not scheduled for
 2713 			refresh. [GL #482]
 2714 
 2715 5013.	[bug]		A referral response with a non-empty ANSWER section was
 2716 			inadvertently being treated as an error. [GL #390]
 2717 
 2718 5012.	[bug]		Fix lock order reversal in pk11_initialize. [GL !590]
 2719 
 2720 5011.	[func]		Remove support for unthreaded named. [GL #478]
 2721 
 2722 5010.	[func]		New "validate-except" option specifies a list of
 2723 			domains beneath which DNSSEC validation should not
 2724 			be performed. [GL #237]
 2725 
 2726 5009.	[bug]		Upon an OpenSSL failure, the first error in the OpenSSL
 2727 			error queue was not logged. [GL #476]
 2728 
 2729 5008.	[bug]		"rndc signing -nsec3param ..." requests were silently
 2730 			ignored for zones which were not yet loaded or
 2731 			transferred. [GL #468]
 2732 
 2733 5007.	[cleanup]	Replace custom ISC boolean and integer data types
 2734 			with C99 stdint.h and stdbool.h types. [GL #9]
 2735 
 2736 5006.	[cleanup]	Code preparing a delegation response was extracted from
 2737 			query_delegation() and query_zone_delegation() into a
 2738 			separate function in order to decrease code
 2739 			duplication. [GL #431]
 2740 
 2741 5005.	[bug]		dnssec-verify, and dnssec-signzone at the verification
 2742 			step, failed on some validly signed zones. [GL #442]
 2743 
 2744 5004.	[bug]		'rndc reconfig' could cause inline zones to stop
 2745 			re-signing. [GL #439]
 2746 
 2747 5003.	[bug]		dns_acl_isinsecure did not handle geoip elements.
 2748 			[GL #406]
 2749 
 2750 5002.	[bug]		mdig: Handle malformed +ednsopt option, support 100
 2751 			+ednsopt options per query rather than 100 total and
 2752 			address memory leaks if +ednsopt was specified.
 2753 			[GL #410]
 2754 
 2755 5001.	[bug]		Fix refcount errors on error paths. [GL !563]
 2756 
 2757 5000.	[bug]		named_server_servestale() could leave the server in
 2758 			exclusive mode if an error occurred. [GL #441]
 2759 
 2760 4999.	[cleanup]	Remove custom printf implementation in lib/isc/print.c.
 2761 			[GL #261]
 2762 
 2763 4998.	[test]		Make resolver and cacheclean tests more civilized.
 2764 
 2765 4997.	[security]	named could crash during recursive processing
 2766 			of DNAME records when "deny-answer-aliases" was
 2767 			in use. (CVE-2018-5740) [GL #387]
 2768 
 2769 4996.	[bug]		dig: Handle malformed +ednsopt option. [GL #403]
 2770 
 2771 4995.	[test]		Add tests for "tcp-self" update policy. [GL !282]
 2772 
 2773 4994.	[bug]		Trust anchor telemetry queries were not being sent
 2774 			upstream for locally served zones. [GL #392]
 2775 
 2776 4993.	[cleanup]	Remove support for silently ignoring 'no-change' deltas
 2777 			from BIND 8 when processing an IXFR stream. 'no-change'
 2778 			deltas will now trigger a fallback to AXFR as the
 2779 			recovery mechanism. [GL #369]
 2780 
 2781 4992.	[bug]		The wrong address was being logged for trust anchor
 2782 			telemetry queries. [GL #379]
 2783 
 2784 4991.	[bug]		"rndc reconfig" was incorrectly handling zones whose
 2785 			"mirror" setting was changed. [GL #381]
 2786 
 2787 4990.	[bug]		Prevent a possible NULL reference in pkcs11-keygen.
 2788 			[GL #401]
 2789 
 2790 4989.	[cleanup]	IDN support in dig has been reworked.  IDNA2003
 2791 			fallbacks were removed in the process. [GL #384]
 2792 
 2793 4988.	[bug]		Don't synthesize NXDOMAIN from NSEC for records under
 2794 			a DNAME.
 2795 
 2796 	--- 9.13.2 released ---
 2797 
 2798 4987.	[cleanup]	dns_rdataslab_tordataset() and its related
 2799 			dns_rdatasetmethods_t callbacks were removed as they
 2800 			were not being used by anything in BIND. [GL #371]
 2801 
 2802 4986.	[func]		When built on Linux, BIND now requires the libcap
 2803 			library to set process privileges, unless capability
 2804 			support is explicitly overridden with "configure
 2805 			--disable-linux-caps". [GL #321]
 2806 
 2807 4985.	[func]		Add a new slave zone option, "mirror", to enable
 2808 			serving a non-authoritative copy of a zone that
 2809 			is subject to DNSSEC validation before being
 2810 			used.  For now, this option is only meant to
 2811 			facilitate deployment of an RFC 7706-style local
 2812 			copy of the root zone. [GL #33]
 2813 
 2814 4984.	[bug]		Improve handling of very large incremental
 2815 			zone transfers to prevent journal corruption. [GL #339]
 2816 
 2817 4983.	[func]		Add the ability to not return a DNS COOKIE option
 2818 			when one is present in the request (answer-cookie no;).
 2819 			[GL #173]
 2820 
 2821 4982.	[cleanup]	Return FORMERR if the question section is empty
 2822 			and no COOKIE option is present; this restores
 2823 			older behavior except in the newly specified
 2824 			COOKIE case. [GL #260]
 2825 
 2826 4981.	[bug]		Fix race in cmsg buffer usage in socket code.
 2827 			[GL #180]
 2828 
 2829 4980.	[bug]		Named-checkconf failed to detect bad in-view targets.
 2830 			[GL #288]
 2831 
 2832 4979.	[placeholder]
 2833 
 2834 4978.	[test]		Fix error handling and resolver configuration in the
 2835 			"rpz" system test. [GL #312]
 2836 
 2837 4977.	[func]		When starting up, log the same details that
 2838 			would be reported by 'named -V'. [GL #247]
 2839 
 2840 4976.	[bug]		Log the label with invalid prefix length correctly
 2841 			when loading RPZ zones. [GL #254]
 2842 
 2843 4975.	[bug]		The server cookie computation for sha1 and sha256 did
 2844 			not match the method described in RFC 7873. [GL #356]
 2845 
 2846 4974.	[bug]		Restore default rrset-order to random. [GL #336]
 2847 
 2848 4973.	[func]		verifyzone() and the functions it uses were moved to
 2849 			libdns and refactored to prevent exit() from being
 2850 			called upon failure.  A side effect of that is that
 2851 			dnssec-signzone and dnssec-verify now check for memory
 2852 			leaks upon shutdown. [GL #266]
 2853 
 2854 4972.	[func]		Declare the 'rdata' argument for dns_rdata_tostruct()
 2855 			to be const. [GL #341]
 2856 
 2857 4971.	[bug]		dnssec-signzone and dnssec-verify did not treat records
 2858 			below a DNAME as out-of-zone data. [GL #298]
 2859 
 2860 4970.	[func]		Add QNAME minimization option to resolver. [GL #16]
 2861 
 2862 4969.	[cleanup]	Refactor zone logging functions. [GL #269]
 2863 
 2864 	--- 9.13.1 released ---
 2865 
 2866 4968.	[bug]		If glue records are signed, attempt to validate them.
 2867 			[GL #209]
 2868 
 2869 4967.	[cleanup]	Add "answer-cookie" to the parser, marked obsolete.
 2870 
 2871 4966.	[placeholder]
 2872 
 2873 4965.	[func]		Add support for marking options as deprecated.
 2874 			[GL #322]
 2875 
 2876 4964.	[bug]		Reduce the probability of double signature when deleting
 2877 			a DNSKEY by checking if the node is otherwise signed
 2878 			by the algorithm of the key to be deleted. [GL #240]
 2879 
 2880 4963.	[test]		ifconfig.sh now uses "ip" instead of "ifconfig",
 2881 			if available, to configure the test interfaces on
 2882 			linux.  [GL #302]
 2883 
 2884 4962.	[cleanup]	Move 'named -T' processing to its own function.
 2885 			[GL #316]
 2886 
 2887 4961.	[protocol]	Remove support for ECC-GOST (GOST R 34.11-94).
 2888 			[GL #295]
 2889 
 2890 4960.	[security]	When recursion is enabled, but the "allow-recursion"
 2891 			and "allow-query-cache" ACLs are not specified,
 2892 			they should be limited to local networks,
 2893 			but were inadvertently set to match the default
 2894 			"allow-query", thus allowing remote queries.
 2895 			(CVE-2018-5738) [GL #309]
 2896 
 2897 4959.	[func]		NSID logging (enabled by the "request-nsid" option)
 2898 			now has its own "nsid" category, instead of using the
 2899 			"resolver" category. [GL !332]
 2900 
 2901 4958.	[bug]		Remove redundant space from NSEC3 record. [GL #281]
 2902 
 2903 4957.	[func]		The default setting for "dnssec-validation" is now
 2904 			"auto", which activates DNSSEC validation using the
 2905 			IANA root key. (The default can be changed back to
 2906 			"yes", which activates DNSSEC validation only when keys
 2907 			are explicitly configured in named.conf, by building
 2908 			BIND with "configure --disable-auto-validation".)
 2909 			[GL #30]
 2910 
 2911 4956.	[func]		Change isc_random() to be just PRNG using xoshiro128**,
 2912 			and add isc_nonce_buf() that uses CSPRNG. [GL #289]
 2913 
 2914 4955.	[cleanup]	Silence cppcheck warnings in lib/dns/master.c.
 2915 			[GL #286]
 2916 
 2917 4954.	[func]		Messages about serving of stale answers are now
 2918 			directed to the "serve-stale" logging category.
 2919 			Also clarified serve-stale documentation. [GL !323]
 2920 
 2921 4953.	[bug]		Removed the option to build the red black tree
 2922 			database without a hash table; the non-hashing
 2923 			version was buggy and is not needed. [GL #184]
 2924 
 2925 4952.	[func]		Authoritative server support in named for the
 2926 			EDNS CLIENT-SUBNET option (which was experimental
 2927 			and not practical to deploy) has been removed.
 2928 
 2929 			The ECS option is still supported in dig and mdig
 2930 			via the +subnet option, and can be parsed and logged
 2931 			when received by named, but it is no longer used
 2932 			for ACL processing. The "geoip-use-ecs" option
 2933 			is now obsolete; a warning will be logged if it is
 2934 			used in named.conf. "ecs" tags in an ACL definition
 2935 			are also obsolete and will cause the configuration
 2936 			to fail to load.  [GL #32]
 2937 
 2938 4951.	[protocol]	Add "HOME.ARPA" to list of built in empty zones as
 2939 			per RFC 8375. [GL #273]
 2940 
 2941 	--- 9.13.0 released ---
 2942 
 2943 4950.	[bug]		ISC_SOCKEVENTATTR_TRUNC was not be set. [GL #238]
 2944 
 2945 4949.	[placeholder]
 2946 
 2947 4948.	[bug]		When request-nsid is turned on, EDNS NSID options
 2948 			should be logged at level info. Since change 3741
 2949 			they have been logged at debug(3) by mistake.
 2950 			[GL !290]
 2951 
 2952 4947.	[func]		Replace all random functions with isc_random(),
 2953 			isc_random_buf() and isc_random_uniform() API.
 2954 			[GL #221]
 2955 
 2956 4946.	[bug]		Additional glue was not being returned by resolver
 2957 			for unsigned zones since change 4596. [GL #209]
 2958 
 2959 4945.	[func]		BIND can no longer be built without DNSSEC support.
 2960 			A cryptography provider (i.e., OpenSSL or a hardware
 2961 			service module with PKCS#11 support) must be
 2962 			available. [GL #244]
 2963 
 2964 4944.	[cleanup]	Silence cppcheck portability warnings in
 2965 			lib/isc/tests/buffer_test.c. [GL #239]
 2966 
 2967 4943.	[bug]		Change 4687 consumed too much memory when running
 2968 			system tests with --with-tuning=large.  Reduced the
 2969 			hash table size to 512 entries for 'named -m record'
 2970 			restoring the previous memory footprint. [GL #248]
 2971 
 2972 4942.	[cleanup]	Consolidate multiple instances of splitting of
 2973 			batchline in dig into a single function. [GL #196]
 2974 
 2975 4941.	[cleanup]	Silence clang static analyzer warnings. [GL #196]
 2976 
 2977 4940.	[cleanup]	Extract the loop in dns__zone_updatesigs() into
 2978 			separate functions to improve code readability.
 2979 			[GL #135]
 2980 
 2981 4939.	[test]		Add basic unit tests for update_sigs(). [GL #135]
 2982 
 2983 4938.	[placeholder]
 2984 
 2985 4937.	[func]		Remove support for OpenSSL < 1.0.0 [GL #191]
 2986 
 2987 4936.	[func]		Always use OpenSSL or PKCS#11 random data providers,
 2988 			and remove the --{enable,disable}-crypto-rand configure
 2989 			options. [GL #165]
 2990 
 2991 4935.	[func]		Add support for LibreSSL >= 2.7.0 (some OpenSSL 1.1.0
 2992 			call were added). [GL #191]
 2993 
 2994 4934.	[security]	The serve-stale feature could cause an assertion failure
 2995 			in rbtdb.c even when stale-answer-enable was false.
 2996 			Simultaneous use of stale cache records and NSEC
 2997 			aggressive negative caching could trigger a recursion
 2998 			loop. (CVE-2018-5737) [GL #185]
 2999 
 3000 4933.	[bug]		Not creating signing keys for an inline signed zone
 3001 			prevented changes applied to the raw zone from being
 3002 			reflected in the secure zone until signing keys were
 3003 			made available. [GL #159]
 3004 
 3005 4932.	[bug]		Bumped signed serial of an inline signed zone was
 3006 			logged even when an error occurred while updating
 3007 			signatures. [GL #159]
 3008 
 3009 4931.	[func]		Removed the "rbtdb64" database implementation.
 3010 			[GL #217]
 3011 
 3012 4930.	[bug]		Remove a bogus check in nslookup command line
 3013 			argument processing. [GL #206]
 3014 
 3015 4929.	[func]		Add the ability to set RA and TC in queries made by
 3016 			dig (+[no]raflag, +[no]tcflag). [GL #213]
 3017 
 3018 4928.	[func]		The "dnskey-sig-validity" option allows
 3019 			"sig-validity-interval" to be overridden for signatures
 3020 			covering DNSKEY RRsets. [GL #145]
 3021 
 3022 4927.	[placeholder]
 3023 
 3024 4926.	[func]		Add root key sentinel support.  To disable, add
 3025 			'root-key-sentinel no;' to named.conf. [GL #37]
 3026 
 3027 4925.	[func]		Several configuration options that define intervals
 3028 			can now take TTL value suffixes (for example, 2h or 1d)
 3029 			in addition to integer parameters. These include
 3030 			max-cache-ttl, max-ncache-ttl, max-policy-ttl,
 3031 			fstrm-set-reopen-interval, interface-interval, and
 3032 			min-update-interval. [GL #203]
 3033 
 3034 4924.	[cleanup]	Clean up the isc_string_* namespace and leave
 3035 			only strlcpy and strlcat. [GL #178]
 3036 
 3037 4923.	[cleanup]	Refactor socket and socket event options into
 3038 			enum types. [GL !135]
 3039 
 3040 4922.	[bug]		dnstap: Log the destination address of client
 3041 			packets rather than the interface address.
 3042 			[GL #197]
 3043 
 3044 4921.	[cleanup]	Add dns_fixedname_initname() and refactor the caller
 3045 			code to make usage of the new function, as a part of
 3046 			refactoring dns_fixedname_*() macros were turned into
 3047 			functions. [GL #183]
 3048 
 3049 4920.	[cleanup]	Clean up libdns removing most of the backwards
 3050 			compatibility wrappers.
 3051 
 3052 4919.	[cleanup]	Clean up the isc_hash_* namespace and leave only
 3053 			the FNV-1a hash implementation. [GL #178]
 3054 
 3055 4918.	[bug]		Fix double free after keygen error in dnssec-keygen
 3056 			when OpenSSL >= 1.1.0 is used and RSA_generate_key_ex
 3057 			fails. [GL #109]
 3058 
 3059 4917.	[func]		Support 64 RPZ policy zones by default. [GL #123]
 3060 
 3061 4916.	[func]		Remove IDNA2003 support and the bundled idnkit-1.0
 3062 			library.
 3063 
 3064 4915.	[func]		Implement IDNA2008 support in dig by adding support
 3065 			for libidn2.  New dig option +idnin has been added,
 3066 			which allows to process invalid domain names much
 3067 			like dig without IDN support.  libidn2 version 2.0
 3068 			or higher is needed for +idnout enabled by default.
 3069 
 3070 4914.	[security]	A bug in zone database reference counting could lead to
 3071 			a crash when multiple versions of a slave zone were
 3072 			transferred from a master in close succession.
 3073 			(CVE-2018-5736) [GL #134]
 3074 
 3075 4913.	[test]		Re-implemented older unit tests in bin/tests as ATF,
 3076 			removed the lib/tests unit testing library. [GL #115]
 3077 
 3078 4912.	[test]		Improved the reliability of the 'cds' system test.
 3079 			[GL #136]
 3080 
 3081 4911.	[test]		Improved the reliability of the 'mkeys' system test.
 3082 			[GL #128]
 3083 
 3084 4910.	[func]		Update util/check-changes to work on release branches.
 3085 			[GL #113]
 3086 
 3087 4909.	[bug]		named-checkconf did not detect in-view zone collisions.
 3088 			[GL #125]
 3089 
 3090 4908.	[test]		Eliminated unnecessary waiting in the allow_query
 3091 			system test. Also changed its name to allow-query.
 3092 			[GL #81]
 3093 
 3094 4907.	[test]		Improved the reliability of the 'notify' system
 3095 			test. [GL #59]
 3096 
 3097 4906.	[func]		Replace getquad() with inet_pton(), completing
 3098 			change #4900. [GL #56]
 3099 
 3100 4905.	[bug]		irs_resconf_load() ignored resolv.conf syntax errors
 3101 			when "domain" or "search" options were present in that
 3102 			file. [GL #110]
 3103 
 3104 4904.	[bug]		Temporarily revert change #4859. [GL #124]
 3105 
 3106 4903.	[bug]		"check-mx fail;" did not prevent MX records containing
 3107 			IP addresses from being added to a zone by a dynamic
 3108 			update. [GL #112]
 3109 
 3110 4902.	[test]		Improved the reliability of the 'ixfr' system
 3111 			test. [GL #66]
 3112 
 3113 4901.	[func]		"dig +nssearch" now lists the name servers
 3114 			for a domain that time out, as well as the servers
 3115 			that respond. [GL #64]
 3116 
 3117 4900.	[func]		Remove all uses of inet_aton().  As a result of this
 3118 			change, IPv4 addresses are now only accepted in
 3119 			dotted-quad format. [GL #13]
 3120 
 3121 4899.	[test]		Convert most of the remaining system tests to be able
 3122 			to run in parallel, continuing the work from change
 3123 			#4895. To take advantage of this, use "make -jN check",
 3124 			where N is the number of processors to use. [GL #91]
 3125 
 3126 4898.	[func]		Remove libseccomp based system-call filtering. [GL #93]
 3127 
 3128 4897.	[test]		Update to rpz system test so that it doesn't recurse.
 3129 			[GL #68]
 3130 
 3131 4896.	[test]		cacheclean system test was not robust. [GL #82]
 3132 
 3133 4895.	[test]		Allow some system tests to run in parallel.
 3134 			[RT #46602]
 3135 
 3136 4894.	[bug]		named could crash while rolling a dnstap output file.
 3137 			[RT #46942]
 3138 
 3139 4893.	[bug]		Address various issues reported by cppcheck. [GL #51]
 3140 
 3141 4892.	[bug]		named could leak memory when "rndc reload" was invoked
 3142 			before all zone loading actions triggered by a previous
 3143 			"rndc reload" command were completed. [RT #47076]
 3144 
 3145 4891.	[placeholder]
 3146 
 3147 4890.	[func]		Remove unused ondestroy callback from libisc.
 3148 			[isc-projects/bind9!3]
 3149 
 3150 4889.	[func]		Warn about the use of old root keys without the new
 3151 			root key being present.  Warn about dlv.isc.org's
 3152 			key being present. Warn about both managed and
 3153 			trusted root keys being present. [RT #43670]
 3154 
 3155 4888.	[test]		Initialize sockets correctly in sample-update so
 3156 			that the nsupdate system test will run on Windows.
 3157 			[RT #47097]
 3158 
 3159 4887.	[test]		Enable the rpzrecurse test to run on Windows.
 3160 			[RT #47093]
 3161 
 3162 4886.	[doc]		Document dig -u in manpage. [RT #47150]
 3163 
 3164 4885.	[security]	update-policy rules that otherwise ignore the name
 3165 			field now require that it be set to "." to ensure
 3166 			that any type list present is properly interpreted.
 3167 			[RT #47126]
 3168 
 3169 4884.	[bug]		named could crash on shutdown due to a race between
 3170 			shutdown_server() and ns__client_request(). [RT #47120]
 3171 
 3172 4883.	[cleanup]	Improved debugging output from dnssec-cds. [RT #47026]
 3173 
 3174 4882.	[bug]		Address potential memory leak in
 3175 			dns_update_signaturesinc. [RT #47084]
 3176 
 3177 4881.	[bug]		Only include dst_openssl.h when OpenSSL is required.
 3178 			[RT #47068]
 3179 
 3180 4880.	[bug]		Named wasn't returning the target of a cross-zone
 3181 			CNAME between two served zones when recursion was
 3182 			desired and available (RD=1, RA=1). (When this is
 3183 			not the case, the CNAME target is deliberately
 3184 			withheld to prevent accidental cache poisoning.)
 3185 			[RT #47078]
 3186 
 3187 4879.	[bug]		dns_rdata_caa:value_len field was too small.
 3188 			[RT #47086]
 3189 
 3190 4878.	[bug]		List 'ply' as a requirement for the 'isc' python
 3191 			package. [RT #47065]
 3192 
 3193 4877.	[bug]		Address integer overflow when exponentially
 3194 			backing off retry intervals. [RT #47041]
 3195 
 3196 4876.	[bug]		Address deadlock with accessing a keytable. [RT #47000]
 3197 
 3198 4875.	[bug]		Address compile failures on older systems. [RT #47015]
 3199 
 3200 4874.	[bug]		Wrong time display when reporting new keywarntime.
 3201 			[RT #47042]
 3202 
 3203 4873.	[doc]		Grammars for named.conf included in the ARM are now
 3204 			automatically generated by the configuration parser
 3205 			itself.  As a side effect of the work needed to
 3206 			separate zone type grammars from each other, this
 3207 			also makes checking of zone statements in
 3208 			named-checkconf more correct and consistent.
 3209 			[RT #36957]
 3210 
 3211 4872.	[bug]		Don't permit loading meta RR types such as TKEY
 3212 			from master files. [RT #47009]
 3213 
 3214 4871.	[bug]		Fix configure glitch in detecting stdatomic.h
 3215 			support on systems with multiple compilers.
 3216 			[RT #46959]
 3217 
 3218 4870.	[test]		Update included ATF library to atf-0.21 preserving
 3219 			the ATF tool. [RT #46967]
 3220 
 3221 4869.	[bug]		Address some cases where NULL with zero length could
 3222 			be passed to memmove which is undefined behavior and
 3223 			can lead to bad optimization. [RT #46888]
 3224 
 3225 4868.	[func]		dnssec-keygen can no longer generate HMAC keys.
 3226 			Use tsig-keygen instead. [RT #46404]
 3227 
 3228 4867.	[cleanup]	Normalize rndc on/off commands (validation,
 3229 			querylog, serve-stale) so they all accept the
 3230 			same synonyms for on/off (yes/no, true/false,
 3231 			enable/disable). Thanks to Tony Finch. [RT #47022]
 3232 
 3233 4866.	[port]		DST library initialization verifies MD5 (when MD5
 3234 			was not disabled) and SHA-1 hash and HMAC support.
 3235 			[RT #46764]
 3236 
 3237 4865.	[cleanup]	Simplify handling isc_socket_sendto2() return values.
 3238 			[RT #46986]
 3239 
 3240 4864.	[bug]		named acting as a slave for a catalog zone crashed if
 3241 			the latter contained a master definition without an IP
 3242 			address. [RT #45999]
 3243 
 3244 4863.	[bug]		Fix various other bugs reported by Valgrind's
 3245 			memcheck tool. [RT #46978]
 3246 
 3247 4862.	[bug]		The rdata flags for RRSIG were not being properly set
 3248 			when constructing a rdataslab. [RT #46978]
 3249 
 3250 4861.	[bug]		The isc_crc64 unit test was not endian independent.
 3251 			[RT #46973]
 3252 
 3253 4860.	[bug]		isc_int8_t should be signed char.  [RT #46973]
 3254 
 3255 4859.	[bug]		A loop was possible when attempting to validate
 3256 			unsigned CNAME responses from secure zones;
 3257 			this caused a delay in returning SERVFAIL and
 3258 			also increased the chances of encountering
 3259 			CVE-2017-3145. [RT #46839]
 3260 
 3261 4858.	[security]	Addresses could be referenced after being freed
 3262 			in resolver.c, causing an assertion failure.
 3263 			(CVE-2017-3145) [RT #46839]
 3264 
 3265 4857.	[bug]		Maintain attach/detach semantics for event->db,
 3266 			event->node, event->rdataset and event->sigrdataset
 3267 			in query.c. [RT #46891]
 3268 
 3269 4856.	[bug]		'rndc zonestatus' reported the wrong underlying type
 3270 			for a inline slave zone. [RT #46875]
 3271 
 3272 4855.	[bug]		isc_time_formatshorttimestamp produced incorrect
 3273 			output. [RT #46938]
 3274 
 3275 4854.	[bug]		query_synthcnamewildcard should stop generating the
 3276 			response if query_synthwildcard fails. [RT #46939]
 3277 
 3278 4853.	[bug]		Add REQUIRE's and INSIST's to isc_time_formatISO8601L
 3279 			and isc_time_formatISO8601Lms. [RT #46916]
 3280 
 3281 4852.	[bug]		Handle strftime() failing in isc_time_formatISO8601ms.
 3282 			Add REQUIRE's and INSIST's to isc_time_formattimestamp,
 3283 			isc_time_formathttptimestamp, isc_time_formatISO8601,
 3284 			isc_time_formatISO8601ms. [RT #46892]
 3285 
 3286 4851.	[port]		Support using kyua as well as atf-run to run the unit
 3287 			tests. [RT #46853]
 3288 
 3289 4850.	[bug]		Named failed to restart with multiple added zones in
 3290 			lmdb database. [RT #46889]
 3291 
 3292 4849.	[bug]		Duplicate zones could appear in the .nzf file if
 3293 			addzone failed. [RT #46435]
 3294 
 3295 4848.	[func]		Zone types "primary" and "secondary" can now be used
 3296 			as synonyms for "master" and "slave" in named.conf.
 3297 			[RT #46713]
 3298 
 3299 4847.	[bug]		dnssec-dnskey-kskonly was not being honored for
 3300 			CDS and CDNSKEY. [RT #46755]
 3301 
 3302 4846.	[test]		Adjust timing values in runtime system test. Address
 3303 			named.pid removal races in runtime system test.
 3304 			[RT #46800]
 3305 
 3306 4845.	[bug]		Dig (non iOS) should exit on malformed names.
 3307 			[RT #46806]
 3308 
 3309 4844.	[test]		Address memory leaks in libatf-c. [RT #46798]
 3310 
 3311 4843.	[bug]		dnssec-signzone free hashlist on exit. [RT #46791]
 3312 
 3313 4842.	[bug]		Conditionally compile opensslecdsa_link.c to avoid
 3314 			warnings about unused function. [RT #46790]
 3315 
 3316 	--- 9.12.0rc1 released ---
 3317 
 3318 4841.	[bug]		Address -fsanitize=undefined warnings. [RT #46786]
 3319 
 3320 4840.	[test]		Add tests to cover fallback to using ZSK on inactive
 3321 			KSK. [RT #46787]
 3322 
 3323 4839.	[bug]		zone.c:zone_sign was not properly determining
 3324 			if there were active KSK and ZSK keys for
 3325 			a algorithm when update-check-ksk is true
 3326 			(default) leaving records unsigned with one or
 3327 			more DNSKEY algorithms. [RT #46774]
 3328 
 3329 4838.	[bug]		zone.c:add_sigs was not properly determining
 3330 			if there were active KSK and ZSK keys for
 3331 			a algorithm when update-check-ksk is true
 3332 			(default) leaving records unsigned with one or
 3333 			more DNSKEY algorithms. [RT #46754]
 3334 
 3335 4837.	[bug]		dns_update_signatures{inc} (add_sigs) was not
 3336 			properly determining if there were active KSK and
 3337 			ZSK keys for a algorithm when update-check-ksk is
 3338 			true (default) leaving records unsigned when there
 3339 			were multiple DNSKEY algorithms for the zone.
 3340 			[RT #46743]
 3341 
 3342 4836.	[bug]		Zones created using "rndc addzone" could
 3343 			temporarily fail to inherit an "allow-transfer"
 3344 			ACL that had been configured in the options
 3345 			statement. [RT #46603]
 3346 
 3347 4835.	[cleanup]	Clean up and refactor LMDB-related code. [RT #46718]
 3348 
 3349 4834.	[port]		Fix LMDB support on OpenBSD. [RT #46718]
 3350 
 3351 4833.	[bug]		isc_event_free should check that the event is not
 3352 			linked when called. [RT #46725]
 3353 
 3354 4832.	[bug]		Events were not being removed from zone->rss_events.
 3355 			[RT #46725]
 3356 
 3357 4831.	[bug]		Convert the RRSIG expirytime to 64 bits for
 3358 			comparisons in diff.c:resign. [RT #46710]
 3359 
 3360 4830.	[bug]		Failure to configure ATF when requested did not cause
 3361 			an error in top-level configure script. [RT #46655]
 3362 
 3363 4829.	[bug]		isc_heap_delete did not zero the index value when
 3364 			the heap was created with a callback to do that.
 3365 			[RT #46709]
 3366 
 3367 4828.	[bug]		Do not use thread-local storage for storing LMDB reader
 3368 			locktable slots. [RT #46556]
 3369 
 3370 4827.	[misc]		Add a precommit check script util/checklibs.sh
 3371 			[RT #46215]
 3372 
 3373 4826.	[cleanup]	Prevent potential build failures in bin/confgen/ and
 3374 			bin/named/ when using parallel make. [RT #46648]
 3375 
 3376 4825.	[bug]		Prevent a bogus "error during managed-keys processing
 3377 			(no more)" warning from being logged. [RT #46645]
 3378 
 3379 4824.	[port]		Add iOS hooks to dig. [RT #42011]
 3380 
 3381 4823.	[test]		Refactor reclimit system test to improve its
 3382 			reliability and speed. [RT #46632]
 3383 
 3384 4822.	[bug]		Use resign_sooner in dns_db_setsigningtime. [RT #46473]
 3385 
 3386 4821.	[bug]		When resigning ensure that the SOA's expire time is
 3387 			always later that the resigning time of other records.
 3388 			[RT #46473]
 3389 
 3390 4820.	[bug]		dns_db_subtractrdataset should transfer the resigning
 3391 			information to the new header. [RT #46473]
 3392 
 3393 4819.	[bug]		Fully backout the transaction when adding a RRset
 3394 			to the resigning / removal heaps fails. [RT #46473]
 3395 
 3396 4818.	[test]		The logfileconfig system test could intermittently
 3397 			report false negatives on some platforms. [RT #46615]
 3398 
 3399 4817.	[cleanup]	Use DNS_NAME_INITABSOLUTE and DNS_NAME_INITNONABSOLUTE.
 3400 			[RT #45433]
 3401 
 3402 4816.	[bug]		Don't use a common array for storing EDNS options
 3403 			in DiG as it could fill up. [RT #45611]
 3404 
 3405 4815.	[bug]		rbt_test.c:insert_and_delete needed to call
 3406 			dns_rbt_addnode instead of dns_rbt_addname. [RT #46553]
 3407 
 3408 4814.	[cleanup]	Use AS_HELP_STRING for consistent help text. [RT #46521]
 3409 
 3410 4813.	[bug]		Address potential read after free errors from
 3411 			query_synthnodata, query_synthwildcard and
 3412 			query_synthnxdomain. [RT #46547]
 3413 
 3414 4812.	[bug]		Minor improvements to stability and consistency of code
 3415 			handling managed keys. [RT #46468]
 3416 
 3417 4811.	[bug]		Revert api changes to use <isc/buffer.h> inline
 3418 			macros.  Provide a alternative mechanism to turn
 3419 			on the use of inline macros when building BIND.
 3420 			[RT #46520]
 3421 
 3422 4810.	[test]		The chain system test failed if the IPv6 interfaces
 3423 			were not configured. [RT #46508]
 3424 
 3425 	--- 9.12.0b2 released ---
 3426 
 3427 4809.	[port]		Check at configure time whether -latomic is needed
 3428 			for stdatomic.h. [RT #46324]
 3429 
 3430 4808.	[bug]		Properly test for zlib.h. [RT #46504]
 3431 
 3432 4807.	[cleanup]	isc_rng_randombytes() returns a specified number of
 3433 			bytes from the PRNG; this is now used instead of
 3434 			calling isc_rng_random() multiple times. [RT #46230]
 3435 
 3436 4806.	[func]		Log messages related to loading of zones are now
 3437 			directed to the "zoneload" logging category.
 3438 			[RT #41640]
 3439 
 3440 4805.	[bug]		TCP4Active and TCP6Active weren't being updated
 3441 			correctly. [RT #46454]
 3442 
 3443 4804.	[port]		win32: access() does not work on directories as
 3444 			required by POSIX.  Supply a alternative in
 3445 			isc_file_isdirwritable. [RT #46394]
 3446 
 3447 4803.	[placeholder]
 3448 
 3449 4802.	[test]		Refactor mkeys system test to make it quicker and more
 3450 			reliable. [RT #45293]
 3451 
 3452 4801.	[func]		'dnssec-lookaside auto;' and 'dnssec-lookaside .
 3453 			trust-anchor dlv.isc.org;' now elicit warnings rather
 3454 			than being fatal configuration errors. [RT #46410]
 3455 
 3456 4800.	[bug]		When processing delzone, write one zone config per
 3457 			line to the NZF. [RT #46323]
 3458 
 3459 4799.	[cleanup]	Improve clarity of keytable unit tests. [RT #46407]
 3460 
 3461 4798.	[func]		Keys specified in "managed-keys" statements
 3462 			are tagged as "initializing" until they have been
 3463 			updated by a key refresh query. If initialization
 3464 			fails it will be visible from "rndc secroots".
 3465 			[RT #46267]
 3466 
 3467 4797.	[func]		Removed "isc-hmac-fixup", as the versions of BIND that
 3468 			had the bug it worked around are long past end of
 3469 			life. [RT #46411]
 3470 
 3471 4796.	[bug]		Increase the maximum configurable TCP keepalive
 3472 			timeout to 65535. [RT #44710]
 3473 
 3474 4795.	[func]		A new statistics counter has been added to track
 3475 			priming queries. [RT #46313]
 3476 
 3477 4794.	[func]		"dnssec-checkds -s" specifies a file from which
 3478 			to read a DS set rather than querying the parent.
 3479 			[RT #44667]
 3480 
 3481 4793.	[bug]		nsupdate -[46] could overflow the array of server
 3482 			addresses. [RT #46402]
 3483 
 3484 4792.	[bug]		Fix map file header correctness check. [RT #38418]
 3485 
 3486 4791.	[doc]		Fixed outdated documentation about export libraries.
 3487 			[RT #46341]
 3488 
 3489 4790.	[bug]		nsupdate could trigger a require when sending a
 3490 			update to the second address of the server.
 3491 			[RT #45731]
 3492 
 3493 4789.	[cleanup]	Check writability of new-zones-directory. [RT #46308]
 3494 
 3495 4788.	[cleanup]	When using "update-policy local", log a warning
 3496 			when an update matching the session key is received
 3497 			from a remote host. [RT #46213]
 3498 
 3499 4787.	[cleanup]	Turn nsec3param_salt_totext() into a public function,
 3500 			dns_nsec3param_salttotext(), and add unit tests for it.
 3501 			[RT #46289]
 3502 
 3503 4786.	[func]		The "filter-aaaa-on-v4" and "filter-aaaa-on-v6"
 3504 			options are no longer conditionally compiled.
 3505 			[RT #46340]
 3506 
 3507 4785.	[func]		The hmac-md5 algorithm is no longer recommended for
 3508 			use with RNDC keys.  The default in rndc-confgen
 3509 			is now hmac-sha256. [RT #42272]
 3510 
 3511 4784.	[func]		The use of dnssec-keygen to generate HMAC keys is
 3512 			deprecated in favor of tsig-keygen.  dnssec-keygen
 3513 			will print a warning when used for this purpose.
 3514 			All HMAC algorithms will be removed from
 3515 			dnssec-keygen in a future release. [RT #42272]
 3516 
 3517 4783.	[test]		dnssec: 'check that NOTIFY is sent at the end of
 3518 			NSEC3 chain generation failed' required more time
 3519 			on some machines for the IXFR to complete. [RT #46388]
 3520 
 3521 4782.	[test]		dnssec: 'checking positive and negative validation
 3522 			with negative trust anchors' required more time to
 3523 			complete on some machines. [RT #46386]
 3524 
 3525 4781.	[maint]		B.ROOT-SERVERS.NET is now 199.9.14.201. [RT #45889]
 3526 
 3527 4780.	[bug]		When answering ANY queries, don't include the NS
 3528 			RRset in the authority section if it was already
 3529 			in the answer section. [RT #44543]
 3530 
 3531 4779.	[bug]		Expire NTA at the start of the second. Don't update
 3532 			the expiry value if the record has already expired
 3533 			after a successful check. [RT #46368]
 3534 
 3535 4778.	[test]		Improve synth-from-dnssec testing. [RT #46352]
 3536 
 3537 4777.	[cleanup]	Removed a redundant call to configure_view_acl().
 3538 			[RT #46369]
 3539 
 3540 4776.	[bug]		Improve portability of ht_test. [RT #46333]
 3541 
 3542 4775.	[bug]		Address Coverity warnings in ht_test.c and mem_test.c
 3543 			[RT #46281]
 3544 
 3545 4774.	[bug]		<isc/util.h> was incorrectly included in several
 3546 			header files. [RT #46311]
 3547 
 3548 4773.	[doc]		Fixed generating Doxygen documentation for functions
 3549 			annotated using certain macros.  Miscellaneous
 3550 			Doxygen-related cleanups. [RT #46276]
 3551 
 3552 	--- 9.12.0b1 released ---
 3553 
 3554 4772.	[test]		Expanded unit testing framework for libns, using
 3555 			hooks to interrupt query flow and inspect state
 3556 			at specified locations. [RT #46173]
 3557 
 3558 4771.	[bug]		When sending RFC 5011 refresh queries, disregard
 3559 			cached DNSKEY rrsets. [RT #46251]
 3560 
 3561 4770.	[bug]		Cache additional data from priming queries as glue.
 3562 			Previously they were ignored as unsigned
 3563 			non-answer data from a secure zone, and never
 3564 			actually got added to the cache, causing hints
 3565 			to be used frequently for root-server
 3566 			addresses, which triggered re-priming. [RT #45241]
 3567 
 3568 4769.	[func]		The working directory and managed-keys directory has
 3569 			to be writeable (and seekable). [RT #46077]
 3570 
 3571 4768.	[func]		By default, memory is no longer filled with tag values
 3572 			when it is allocated or freed; this improves
 3573 			performance but makes debugging of certain memory
 3574 			issues more difficult. "named -M fill" turns memory
 3575 			filling back on. (Building "configure
 3576 			--enable-developer", turns memory fill on by
 3577 			default again; it can then be disabled with
 3578 			"named -M nofill".) [RT #45123]
 3579 
 3580 4767.	[func]		Add a new function, isc_buffer_printf(), which can be
 3581 			used to append a formatted string to the used region of
 3582 			a buffer. [RT #46201]
 3583 
 3584 4766.	[cleanup]	Address Coverity warnings. [RT #46150]
 3585 
 3586 4765.	[bug]		Address potential INSIST in dnssec-cds. [RT #46150]
 3587 
 3588 4764.	[bug]		Address portability issues in cds system test.
 3589 			[RT #46214]
 3590 
 3591 4763.	[contrib]	Improve compatibility when building MySQL DLZ
 3592 			module by using mysql_config if available.
 3593 			[RT #45558]
 3594 
 3595 4762.	[func]		"update-policy local" is now restricted to updates
 3596 			from local addresses. (Previously, other addresses
 3597 			were allowed so long as updates were signed by the
 3598 			local session key.) [RT #45492]
 3599 
 3600 4761.	[protocol]	Add support for DOA. [RT #45612]
 3601 
 3602 4760.	[func]		Add glue cache statistics counters. [RT #46028]
 3603 
 3604 4759.	[func]		Add logging channel "trust-anchor-telemetry" to
 3605 			record trust-anchor-telemetry in incoming requests.
 3606 			Both _ta-XXXX.<anchor>/NULL and EDNS KEY-TAG options
 3607 			are logged.  [RT #46124]
 3608 
 3609 4758.	[doc]		Remove documentation of unimplemented "topology".
 3610 			[RT #46161]
 3611 
 3612 4757.	[func]		New "dnssec-cds" command creates a new parent DS
 3613 			RRset based on CDS or CDNSKEY RRsets found in
 3614 			a child zone, and generates either a dsset file
 3615 			or stream of nsupdate commands to update the
 3616 			parent. Thanks to Tony Finch. [RT #46090]
 3617 
 3618 4756.	[bug]		Interrupting dig could lead to an INSIST failure after
 3619 			certain errors were encountered while querying a host
 3620 			whose name resolved to more than one address.  Change
 3621 			4537 increased the odds of triggering this issue by
 3622 			causing dig to hang indefinitely when certain error
 3623 			paths were evaluated.  dig now also retries TCP queries
 3624 			(once) if the server gracefully closes the connection
 3625 			before sending a response. [RT #42832, #45159]
 3626 
 3627 4755.	[cleanup]	Silence unnecessary log message when NZF file doesn't
 3628 			exist. [RT #46186]
 3629 
 3630 4754.	[bug]		dns_zone_setview needs a two stage commit to properly
 3631 			handle errors. [RT #45841]
 3632 
 3633 4753.	[contrib]	Software obtainable from known upstream locations
 3634 			(i.e., zkt, nslint, query-loc) has been removed.
 3635 			Links to these and other packages can be found at
 3636 			https://www.isc.org/community/tools [RT #46182]
 3637 
 3638 4752.	[test]		Add unit test for isc_net_pton. [RT #46171]
 3639 
 3640 4751.	[func]		"dnssec-signzone -S" can now automatically add parent
 3641 			synchronization records (CDS and CDNSKEY) according
 3642 			to key metadata set using the -Psync and -Dsync
 3643 			options to dnssec-keygen and dnssec-settime.
 3644 			[RT #46149]
 3645 
 3646 4750.	[func]		"rndc managed-keys destroy" shuts down RFC 5011 key
 3647 			maintenance and deletes the managed-keys database.
 3648 			If followed by "rndc reconfig" or a server restart,
 3649 			key maintenance is reinitialized from scratch.
 3650 			This is primarily intended for testing. [RT #32456]
 3651 
 3652 4749.	[func]		The ISC DLV service has been shut down, and all
 3653 			DLV records have been removed from dlv.isc.org.
 3654 			- Removed references to ISC DLV in documentation
 3655 			- Removed DLV key from bind.keys
 3656 			- No longer use ISC DLV by default in delv
 3657 			- "dnssec-lookaside auto" and configuration of
 3658 			  "dnssec-lookaide" with dlv.isc.org as the trust
 3659 			  anchor are both now fatal errors.
 3660 			[RT #46155]
 3661 
 3662 4748.	[cleanup]	Sprintf to snprintf coversions. [RT #46132]
 3663 
 3664 4747.	[func]		Synthesis of responses from DNSSEC-verified records.
 3665 			Stage 3 - synthesize NODATA responses. [RT #40138]
 3666 
 3667 4746.	[cleanup]	Add configured prefixes to configure summary
 3668 			output. [RT #46153]
 3669 
 3670 4745.	[test]		Add color-coded pass/fail messages to system
 3671 			tests when running on terminals that support them.
 3672 			[RT #45977]
 3673 
 3674 4744.	[bug]		Suppress trust-anchor-telemetry queries if
 3675 			validation is disabled. [RT #46131]
 3676 
 3677 4743.	[func]		Exclude trust-anchor-telemetry queries from
 3678 			synth-from-dnssec processing. [RT #46123]
 3679 
 3680 4742.	[func]		Synthesis of responses from DNSSEC-verified records.
 3681 			Stage 2 - synthesis of records from wildcard data.
 3682 			If the dns64 or filter-aaaa* is configured then the
 3683 			involved lookups are currently excluded. [RT #40138]
 3684 
 3685 4741.	[bug]		Make isc_refcount_current() atomically read the
 3686 			counter value. [RT #46074]
 3687 
 3688 4740.	[cleanup]	Avoid triggering format-truncated warnings. [RT #46107]
 3689 
 3690 4739.	[cleanup]	Address clang static analysis warnings. [RT #45952]
 3691 
 3692 4738.	[port]		win32: strftime mishandles %Z. [RT #46039]
 3693 
 3694 4737.	[cleanup]	Address Coverity warnings. [RT #46012]
 3695 
 3696 4736.	[cleanup]	(a) Added comments to NSEC3-related functions in
 3697 			lib/dns/zone.c.  (b) Refactored NSEC3 salt formatting
 3698 			code.  (c) Minor tweaks to lock and result handling.
 3699 			[RT #46053]
 3700 
 3701 4735.	[bug]		Add @ISC_OPENSSL_LIBS@ to isc-config. [RT #46078]
 3702 
 3703 4734.	[contrib]	Added sample configuration for DNS-over-TLS in
 3704 			contrib/dnspriv.
 3705 
 3706 4733.	[bug]		Change #4706 introduced a bug causing TCP clients
 3707 			not be reused correctly, leading to unconstrained
 3708 			memory growth. [RT #46029]
 3709 
 3710 4732.	[func]		Change default minimal-responses setting to
 3711 			no-auth-recursive. [RT #46016]
 3712 
 3713 4731.	[bug]		Fix use after free when closing an LMDB. [RT #46000]
 3714 
 3715 4730.	[bug]		Fix out of bounds access in DHCID totext() method.
 3716 			[RT #46001]
 3717 
 3718 4729.	[bug]		Don't use memset() to wipe memory, as it may be
 3719 			removed by compiler optimizations when the
 3720 			memset() occurs on automatic stack allocation
 3721 			just before function return. [RT #45947]
 3722 
 3723 4728.	[func]		Use C11's stdatomic.h instead of isc_atomic
 3724 			where available. [RT #40668]
 3725 
 3726 4727.	[bug]		Retransferring an inline-signed slave using NSEC3
 3727 			around the time its NSEC3 salt was changed could result
 3728 			in an infinite signing loop. [RT #45080]
 3729 
 3730 4726.	[port]		Prevent setsockopt() errors related to TCP_FASTOPEN
 3731 			from being logged on FreeBSD if the kernel does not
 3732 			support it.  Notify the user when the kernel does
 3733 			support TCP_FASTOPEN, but it is disabled by sysctl.
 3734 			Add a new configure option, --disable-tcp-fastopen, to
 3735 			disable use of TCP_FASTOPEN altogether. [RT #44754]
 3736 
 3737 4725.	[bug]		Nsupdate: "recvsoa" was incorrectly reported for
 3738 			failures in sending the update message.  The correct
 3739 			location to be reported is "update_completed".
 3740 			[RT #46014]
 3741 
 3742 4724.	[func]		By default, BIND now uses the random number
 3743 			functions provided by the crypto library (i.e.,
 3744 			OpenSSL or a PKCS#11 provider) as a source of
 3745 			randomness rather than /dev/random.  This is
 3746 			suitable for virtual machine environments
 3747 			which have limited entropy pools and lack
 3748 			hardware random number generators.
 3749 
 3750 			This can be overridden by specifying another
 3751 			entropy source via the "random-device" option
 3752 			in named.conf, or via the -r command line option;
 3753 			however, for functions requiring full cryptographic
 3754 			strength, such as DNSSEC key generation, this
 3755 			cannot be overridden. In particular, the -r
 3756 			command line option no longer has any effect on
 3757 			dnssec-keygen.
 3758 
 3759 			This can be disabled by building with
 3760 			"configure --disable-crypto-rand".
 3761 			[RT #31459] [RT #46047]
 3762 
 3763 4723.	[bug]		Statistics counter DNSTAPdropped was misidentified
 3764 			as DNSSECdropped. [RT #46002]
 3765 
 3766 4722.	[cleanup]	Clean up uses of strcpy() and strcat() in favor of
 3767 			strlcpy() and strlcat() for safety. [RT #45981]
 3768 
 3769 4721.	[func]		'dnssec-signzone -x' and 'dnssec-dnskey-kskonly'
 3770 			options now apply to CDNSKEY and DS records as well
 3771 			as DNSKEY. Thanks to Tony Finch. [RT #45689]
 3772 
 3773 4720.	[func]		Added a statistics counter to track prefetch
 3774 			queries. [RT #45847]
 3775 
 3776 4719.	[bug]		Address PVS static analyzer warnings. [RT #45946]
 3777 
 3778 4718.	[func]		Avoid searching for a owner name compression pointer
 3779 			more than once when writing out a RRset. [RT #45802]
 3780 
 3781 4717.	[bug]		Treat replies with QCOUNT=0 as truncated if TC=1,
 3782 			FORMERR if TC=0, and log the error correctly.
 3783 			[RT #45836]
 3784 
 3785 4716.	[placeholder]
 3786 
 3787 	--- 9.12.0a1 released ---
 3788 
 3789 4715.	[bug]		TreeMemMax was mis-identified as a second HeapMemMax
 3790 			in the Json cache statistics. [RT #45980]
 3791 
 3792 4714.	[port]		openbsd/libressl: add support for building with
 3793 			--enable-openssl-hash. [RT #45982]
 3794 
 3795 4713.	[func]		Added support for the DNS Response Policy Service
 3796 			(DNSRPS) API, which allows named to use an external
 3797 			response policy daemon when built with
 3798 			"configure --enable-dnsrps". Thanks to Farsight
 3799 			Security. [RT #43376]
 3800 
 3801 4712.	[bug]		"dig +domain" and "dig +search" didn't retain the
 3802 			search domain when retrying with TCP. [RT #45547]
 3803 
 3804 4711.	[test]		Some RR types were missing from genzones.sh.
 3805 			[RT #45782]
 3806 
 3807 4710.	[cleanup]	Changed the --enable-openssl-hash default to yes.
 3808 			[RT #45019]
 3809 
 3810 4709.	[cleanup]	Use dns_name_fullhash() to hash names for RRL.
 3811 			[RT #45435]
 3812 
 3813 4708.	[cleanup]	Legacy Windows builds (i.e. for XP and earlier)
 3814 			are no longer supported. [RT #45186]
 3815 
 3816 4707.	[func]		The lightweight resolver daemon and library (lwresd
 3817 			and liblwres) have been removed. [RT #45186]
 3818 
 3819 4706.	[func]		Code implementing name server query processing has
 3820 			been moved from bin/named to a new library "libns".
 3821 			Functions remaining in bin/named are now prefixed
 3822 			with "named_" rather than "ns_".  This will make it
 3823 			easier to write unit tests for name server code, or
 3824 			link name server functionality into new tools.
 3825 			[RT #45186]
 3826 
 3827 4705.	[placeholder]
 3828 
 3829 4704.	[cleanup]	Silence Visual Studio compiler warnings. [RT #45898]
 3830 
 3831 4703.	[bug]		BINDInstall.exe was missing some buffer length checks.
 3832 			[RT #45898]
 3833 
 3834 4702.	[func]		Update function declarations to use
 3835 			dns_masterstyle_flags_t for style flags. [RT #45924]
 3836 
 3837 4701.	[cleanup]	Refactored lib/dns/tsig.c to reduce code
 3838 			duplication and simplify the disabling of MD5.
 3839 			[RT #45490]
 3840 
 3841 4700.	[func]		Serving of stale answers is now supported. This
 3842 			allows named to provide stale cached answers when
 3843 			the authoritative server is under attack.
 3844 			See max-stale-ttl, stale-answer-enable,
 3845 			stale-answer-ttl. [RT #44790]
 3846 
 3847 4699.	[func]		Multiple cookie-secret clauses can now be specified.
 3848 			The first one specified is used to generate new
 3849 			server cookies.  [RT #45672]
 3850 
 3851 4698.	[port]		Add --with-python-install-dir configure option to allow
 3852 			specifying a nonstandard installation directory for
 3853 			Python modules. [RT #45407]
 3854 
 3855 4697.	[bug]		Restore workaround for Microsoft Windows TSIG hash
 3856 			computation bug. [RT #45854]
 3857 
 3858 4696.	[port]		Enable filter-aaaa support by default on Windows
 3859 			builds. [RT #45883]
 3860 
 3861 4695.	[bug]		cookie-secrets were not being properly checked by
 3862 			named-checkconf. [RT #45886]
 3863 
 3864 4694.	[func]		dnssec-keygen no longer uses RSASHA1 by default;
 3865 			the signing algorithm must be specified on
 3866 			the command line with the "-a" option.  Signing
 3867 			scripts that rely on the existing default behavior
 3868 			will break; use "dnssec-keygen -a RSASHA1" to
 3869 			repair them. (The goal of this change is to make
 3870 			it easier to find scripts using RSASHA1 so they
 3871 			can be changed in the event of that algorithm
 3872 			being deprecated in the future.) [RT #44755]
 3873 
 3874 4693.	[func]		Synthesis of responses from DNSSEC-verified records.
 3875 			Stage 1 covers NXDOMAIN synthesis from NSEC records.
 3876 			This is controlled by synth-from-dnssec and is enabled
 3877 			by default. [RT #40138]
 3878 
 3879 4692.	[bug]		Fix build failures with libressl introduced in 4676.
 3880 			[RT #45879]
 3881 
 3882 4691.	[func]		Add -4/-6 command line options to nsupdate and rndc.
 3883 			[RT #45632]
 3884 
 3885 4690.	[bug]		Command line options -4/-6 were handled inconsistently
 3886 			between tools. [RT #45632]
 3887 
 3888 4689.	[cleanup]	Turn on minimal responses for CDNSKEY and CDS in
 3889 			addition to DNSKEY and DS. Thanks to Tony Finch.
 3890 			[RT #45690]
 3891 
 3892 4688.	[protocol]	Check and display EDNS KEY TAG options (RFC 8145) in
 3893 			messages. [RT #44804]
 3894 
 3895 4687.	[func]		Refactor tracklines code. [RT #45126]
 3896 
 3897 4686.	[bug]		dnssec-settime -p could print a bogus warning about
 3898 			key deletion scheduled before its inactivation when a
 3899 			key had an inactivation date set but no deletion date
 3900 			set. [RT #45807]
 3901 
 3902 4685.	[bug]		dnssec-settime incorrectly calculated publication and
 3903 			activation dates for a successor key. [RT #45806]
 3904 
 3905 4684.	[bug]		delv could send bogus DNS queries when an explicit
 3906 			server address was specified on the command line along
 3907 			with -4/-6. [RT #45804]
 3908 
 3909 4683.	[bug]		Prevent nsupdate from immediately exiting on invalid
 3910 			user input in interactive mode. [RT #28194]
 3911 
 3912 4682.	[bug]		Don't report errors on records below a DNAME.
 3913 			[RT #44880]
 3914 
 3915 4681.	[bug]		Log messages from the validator now include the
 3916 			associated view unless the view is "_default/IN"
 3917 			or "_dnsclient/IN". [RT #45770]
 3918 
 3919 4680.	[bug]		Fix failing over to another master server address when
 3920 			nsupdate is used with GSS-API. [RT #45380]
 3921 
 3922 4679.	[cleanup]	Suggest using -o when dnssec-verify finds a SOA record
 3923 			not at top of zone and -o is not used. [RT #45519]
 3924 
 3925 4678.	[bug]		geoip-use-ecs has the wrong type when geoip support
 3926 			is disabled at configure time. [RT #45763]
 3927 
 3928 4677.	[cleanup]	Split up the main function in dig to better support
 3929 			the iOS app version. [RT #45508]
 3930 
 3931 4676.	[cleanup]	Allow BIND to be built using OpenSSL 1.0.X with
 3932 			deprecated functions removed. [RT #45706]
 3933 
 3934 4675.	[cleanup]	Don't use C++ keyword class. [RT #45726]
 3935 
 3936 4674.	[func]		"dig +sigchase", and related options "+topdown" and
 3937 			"+trusted-keys", have been removed. Use "delv" for
 3938 			queries with DNSSEC validation. [RT #42793]
 3939 
 3940 4673.	[port]		Silence GCC 7 warnings. [RT #45592]
 3941 
 3942 4672.	[placeholder]
 3943 
 3944 4671.	[bug]		Fix a race condition that could cause the
 3945 			resolver to crash with assertion failure when
 3946 			chasing DS in specific conditions with a very
 3947 			short RTT to the upstream nameserver. [RT #45168]
 3948 
 3949 4670.	[cleanup]	Ensure that a request MAC is never sent back
 3950 			in an XFR response unless the signature was
 3951 			verified. [RT #45494]
 3952 
 3953 4669.	[func]		Iterative query logic in resolver.c has been
 3954 			refactored into smaller functions and commented,
 3955 			for improved readability, maintainability and
 3956 			testability. [RT #45362]
 3957 
 3958 4668.	[bug]		Use localtime_r and gmtime_r for thread safety.
 3959 			[RT #45664]
 3960 
 3961 4667.	[cleanup]	Refactor RDATA unit tests. [RT #45610]
 3962 
 3963 4666.	[bug]		dnssec-keymgr: Domain names beginning with digits (0-9)
 3964 			could cause a parser error when reading the policy
 3965 			file. This now works correctly so long as the domain
 3966 			name is quoted. [RT #45641]
 3967 
 3968 4665.	[protocol]	Added support for ED25519 and ED448 DNSSEC signing
 3969 			algorithms (RFC 8080). (Note: these algorithms
 3970 			depend on code currently in the development branch
 3971 			of OpenSSL which has not yet been released.)
 3972 			[RT #44696]
 3973 
 3974 4664.	[func]		Add a "glue-cache" option to enable or disable the
 3975 			glue cache. The default is "yes". [RT #45125]
 3976 
 3977 4663.	[cleanup]	Clarify error message printed by dnssec-dsfromkey.
 3978 			[RT #21731]
 3979 
 3980 4662.	[performance]	Improve cache memory cleanup of zero TTL records
 3981 			by putting them at the tail of LRU header lists.
 3982 			[RT #45274]
 3983 
 3984 4661.	[bug]		A race condition could occur if a zone was reloaded
 3985 			while resigning, triggering a crash in
 3986 			rbtdb.c:closeversion(). [RT #45276]
 3987 
 3988 4660.	[bug]		Remove spurious "peer" from Windows socket log
 3989 			messages. [RT #45617]
 3990 
 3991 4659.	[bug]		Remove spurious log message about lmdb-mapsize
 3992 			not being supported when parsing builtin
 3993 			configuration file. [RT #45618]
 3994 
 3995 4658.	[bug]		Clean up build directory created by "setup.py install"
 3996 			immediately.  [RT #45628]
 3997 
 3998 4657.	[bug]		rrchecker system test result could be improperly
 3999 			determined. [RT #45602]
 4000 
 4001 4656.	[bug]		Apply "port" and "dscp" values specified in catalog
 4002 			zone's "default-masters" option to the generated
 4003 			configuration of its member zones. [RT #45545]
 4004 
 4005 4655.	[bug]		Lack of seccomp could be falsely reported. [RT #45599]
 4006 
 4007 4654.	[cleanup]	Don't use C++ keywords delete, new and namespace.
 4008 			[RT #45538]
 4009 
 4010 4653.	[bug]		Reorder includes to move @DST_OPENSSL_INC@ and
 4011 			@ISC_OPENSSL_INC@ after shipped include directories.
 4012 			[RT #45581]
 4013 
 4014 4652.	[bug]		Nsupdate could attempt to use a zeroed address on
 4015 			server timeout. [RT #45417]
 4016 
 4017 4651.	[test]		Silence coverity warnings in tsig_test.c. [RT #45528]
 4018 
 4019 4650.	[placeholder]
 4020 
 4021 4649.	[bug]		The wrong zone was logged when a catalog zone is added.
 4022 			[RT #45520]
 4023 
 4024 4648.	[bug]		"rndc reconfig" on a slave no longer causes all member
 4025 			zones of configured catalog zones to be removed from
 4026 			configuration. [RT #45310]
 4027 
 4028 4647.	[bug]		Change 4643 broke verification of TSIG signed TCP
 4029 			message sequences where not all the messages contain
 4030 			TSIG records.  These may be used in AXFR and IXFR
 4031 			responses. [RT #45509]
 4032 
 4033 4646.	[placeholder]
 4034 
 4035 4645.	[bug]		Fix PKCS#11 RSA parsing when MD5 is disabled.
 4036 			[RT #45300]
 4037 
 4038 4644.	[placeholder]
 4039 
 4040 4643.	[security]	An error in TSIG handling could permit unauthorized
 4041 			zone transfers or zone updates. (CVE-2017-3142)
 4042 			(CVE-2017-3143) [RT #45383]
 4043 
 4044 4642.	[cleanup]	Add more logging of RFC 5011 events affecting the
 4045 			status of managed keys: newly observed keys,
 4046 			deletion of revoked keys, etc. [RT #45354]
 4047 
 4048 4641.	[cleanup]	Parallel builds (make -j) could fail with --with-atf /
 4049 			--enable-developer. [RT #45373]
 4050 
 4051 4640.	[bug]		If query_findversion failed in query_getdb due to
 4052 			memory failure the error status was incorrectly
 4053 			discarded. [RT #45331]
 4054 
 4055 4639.	[bug]		Fix a regression in --with-tuning reporting introduced
 4056 			by change 4488. [RT #45396]
 4057 
 4058 4638.	[bug]		Reloading or reconfiguring named could fail on
 4059 			some platforms when LMDB was in use. [RT #45203]
 4060 
 4061 4637.	[func]		"nsec3hash -r" option ("rdata order") takes arguments
 4062 			in the same order as they appear in NSEC3 or
 4063 			NSEC3PARAM records, so that NSEC3 parameters can
 4064 			be cut and pasted from an existing record. Thanks
 4065 			to Tony Finch for the contribution. [RT #45183]
 4066 
 4067 4636.	[bug]		Normalize rpz policy zone names when checking for
 4068 			existence. [RT #45358]
 4069 
 4070 4635.	[bug]		Fix RPZ NSDNAME logging that was logging
 4071 			failures as NSIP. [RT #45052]
 4072 
 4073 4634.	[contrib]	check5011.pl needs to handle optional space before
 4074 			semi-colon in +multi-line output. [RT #45352]
 4075 
 4076 4633.	[maint]		Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET.
 4077 
 4078 4632.	[security]	The BIND installer on Windows used an unquoted
 4079 			service path, which can enable privilege escalation.
 4080 			(CVE-2017-3141) [RT #45229]
 4081 
 4082 4631.	[security]	Some RPZ configurations could go into an infinite
 4083 			query loop when encountering responses with TTL=0.
 4084 			(CVE-2017-3140) [RT #45181]
 4085 
 4086 4630.	[bug]		"dyndb" is dependent on dlopen existing / being
 4087 			enabled. [RT #45291]
 4088 
 4089 4629.	[bug]		dns_client_startupdate could not be called with a
 4090 			running client. [RT #45277]
 4091 
 4092 4628.	[bug]		Fixed a potential reference leak in query_getdb().
 4093 			[RT #45247]
 4094 
 4095 4627.	[placeholder]
 4096 
 4097 4626.	[test]		Added more tests for handling of different record
 4098 			ordering in CNAME and DNAME responses. [QA #430]
 4099 
 4100 4625.	[bug]		Running "rndc addzone" and "rndc delzone" at close
 4101 			to the same time could trigger a deadlock if using
 4102 			LMDB. [RT #45209]
 4103 
 4104 4624.	[placeholder]
 4105 
 4106 4623.	[bug]		Use --with-protobuf-c and --with-libfstrm to find
 4107 			protoc-c and fstrm_capture. [RT #45187]
 4108 
 4109 4622.	[bug]		Remove unnecessary escaping of semicolon in CAA and
 4110 			URI records. [RT #45216]
 4111 
 4112 4621.	[port]		Force alignment of oid arrays to silence loader
 4113 			warnings. [RT #45131]
 4114 
 4115 4620.	[port]		Handle EPFNOSUPPORT being returned when probing
 4116 			to see if a socket type is supported. [RT #45214]
 4117 
 4118 4619.	[bug]		Call isc_mem_put instead of isc_mem_free in
 4119 			bin/named/server.c:setup_newzones. [RT #45202]
 4120 
 4121 4618.	[bug]		Check isc_mem_strdup results in dns_view_setnewzones.
 4122 			Add logging for lmdb call failures. [RT #45204]
 4123 
 4124 4617.	[test]		Update rndc system test to be more delay tolerant.
 4125 			[RT #45177]
 4126 
 4127 4616.	[bug]		When using LMDB, zones deleted using "rndc delzone"
 4128 			were not correctly removed from the new-zone
 4129 			database. [RT #45185]
 4130 
 4131 4615.	[bug]		AD could be set on truncated answer with no records
 4132 			present in the answer and authority sections.
 4133 			[RT #45140]
 4134 
 4135 4614.	[test]		Fixed an error in the sockaddr unit test. [RT #45146]
 4136 
 4137 4613.	[func]		By default, the maximum size of a zone journal file
 4138 			is now twice the size of the zone's contents (there
 4139 			is little benefit to a journal larger than this).
 4140 			This can be overridden by setting "max-journal-size"
 4141 			to "unlimited" or to an explicit value up to 2G.
 4142 			Thanks to Tony Finch. [RT #38324]
 4143 
 4144 4612.	[bug]		Silence 'may be use uninitalised' warning and simplify
 4145 			the code in lwres/getaddinfo:process_answer.
 4146 			[RT #45158]
 4147 
 4148 4611.	[bug]		The default LMDB mapsize was too low and caused
 4149 			errors after few thousand zones were added using
 4150 			rndc addzone. A new config option "lmdb-mapsize"
 4151 			has been introduced to configure the LMDB
 4152 			mapsize depending on operational needs.
 4153 			[RT #44954]
 4154 
 4155 4610.	[func]		The "new-zones-directory" option specifies the
 4156 			location of NZF or NZD files for storing
 4157 			configuration of zones added by "rndc addzone".
 4158 			Thanks to Petr Menšík. [RT #44853]
 4159 
 4160 4609.	[cleanup]	Rearrange makefiles to enable parallel execution
 4161 			(i.e. "make -j"). [RT #45078]
 4162 
 4163 4608.	[func]		DiG now warns about .local queries which are reserved
 4164 			for Multicast DNS. [RT #44783]
 4165 
 4166 4607.	[bug]		The memory context's malloced and maxmalloced counters
 4167 			were being updated without the appropriate lock being
 4168 			held.  [RT #44869]
 4169 
 4170 4606.	[port]		Stop using experimental "Experimental keys on scalar"
 4171 			feature of perl as it has been removed. [RT #45012]
 4172 
 4173 4605.	[performance]	Improve performance for delegation heavy answers
 4174 			and also general query performance. Removes the
 4175 			acache feature that didn't significantly improve
 4176 			performance. Adds a glue cache. Removes
 4177 			additional-from-cache and additional-from-auth
 4178 			features. Enables minimal-responses by
 4179 			default. Improves performance of compression
 4180 			code, owner case restoration, hash function,
 4181 			etc. Uses inline buffer implementation by
 4182 			default. Many other performance changes and fixes.
 4183 			[RT #44029]
 4184 
 4185 4604.	[bug]		Don't use ERR_load_crypto_strings() when building
 4186 			with OpenSSL 1.1.0. [RT #45117]
 4187 
 4188 4603.	[doc]		Automatically generate named.conf(5) man page
 4189 			from doc/misc/options. Thanks to Tony Finch.
 4190 			[RT #43525]
 4191 
 4192 4602.	[func]		Threads are now set to human-readable
 4193 			names to assist debugging, when supported by
 4194 			the OS. [RT #43234]
 4195 
 4196 4601.	[bug]		Reject incorrect RSA key lengths during key
 4197 			generation and and sign/verify context
 4198 			creation. [RT #45043]
 4199 
 4200 4600.	[bug]		Adjust RPZ trigger counts only when the entry
 4201 			being deleted exists. [RT #43386]
 4202 
 4203 4599.	[bug]		Fix inconsistencies in inline signing time
 4204 			comparison that were introduced with the
 4205 			introduction of rdatasetheader->resign_lsb.
 4206 			[RT #42112]
 4207 
 4208 4598.	[func]		Update fuzzing code to (1) reply to a DNSKEY
 4209 			query from named with appropriate DNSKEY used in
 4210 			fuzzing; (2) patch the QTYPE correctly in
 4211 			resolver fuzzing; (3) comment things so the rest
 4212 			of us are able to understand how fuzzing is
 4213 			implemented in named; (4) Coding style changes,
 4214 			cleanup, etc. [RT #44787]
 4215 
 4216 4597.	[bug]		The validator now ignores SHA-1 DS digest type
 4217 			when a DS record with SHA-384 digest type is
 4218 			present and is a supported digest type.
 4219 			[RT #45017]
 4220 
 4221 4596.	[bug]		Validate glue before adding it to the additional
 4222 			section. This also fixes incorrect TTL capping
 4223 			when the RRSIG expired earlier than the TTL.
 4224 			[RT #45062]
 4225 
 4226 4595.	[func]		dnssec-keygen will no longer generate RSA keys
 4227 			less than 1024 bits in length. dnssec-keymgr
 4228 			was similarly updated. [RT #36895]
 4229 
 4230 4594.	[func]		"dnstap-read -x" prints a hex dump of the wire
 4231 			format of each logged DNS message. [RT #44816]
 4232 
 4233 4593.	[doc]		Update README using markdown, remove outdated FAQ
 4234 			file in favor of the knowledge base.
 4235 
 4236 4592.	[bug]		A race condition on shutdown could trigger an
 4237 			assertion failure in dispatch.c. [RT #43822]
 4238 
 4239 4591.	[port]		Addressed some python 3 compatibility issues.
 4240 			Thanks to Ville Skytta. [RT #44955] [RT #44956]
 4241 
 4242 4590.	[bug]		Support for PTHREAD_MUTEX_ADAPTIVE_NP was not being
 4243 			properly detected. [RT #44871]
 4244 
 4245 4589.	[cleanup]	"configure -q" is now silent. [RT #44829]
 4246 
 4247 4588.	[bug]		nsupdate could send queries for TKEY to the wrong
 4248 			server when using GSSAPI. Thanks to Tomas Hozza.
 4249 			[RT #39893]
 4250 
 4251 4587.	[bug]		named-checkzone failed to handle occulted data below
 4252 			DNAMEs correctly. [RT #44877]
 4253 
 4254 4586.	[func]		dig, host and nslookup now use TCP for ANY queries.
 4255 			[RT #44687]
 4256 
 4257 4585.	[port]		win32: Set CompileAS value. [RT #42474]
 4258 
 4259 4584.	[bug]		A number of memory usage statistics were not properly
 4260 			reported when they exceeded 4G.  [RT #44750]
 4261 
 4262 4583.	[func]		"host -A" returns most records for a name but
 4263 			omits RRSIG, NSEC and NSEC3. (Thanks to Tony Finch.)
 4264 			[RT #43032]
 4265 
 4266 4582.	[security]	'rndc ""' could trigger a assertion failure in named.
 4267 			(CVE-2017-3138) [RT #44924]
 4268 
 4269 4581.	[port]		Linux: Add getpid and getrandom to the list of system
 4270 			calls named uses for seccomp. [RT #44883]
 4271 
 4272 4580.	[bug]		4578 introduced a regression when handling CNAME to
 4273 			referral below the current domain. [RT #44850]
 4274 
 4275 4579.	[func]		Logging channels and dnstap output files can now
 4276 			be configured with a "suffix" option, set to
 4277 			either "increment" or "timestamp", indicating
 4278 			whether to use incrementing numbers or timestamps
 4279 			as the file suffix when rolling over a log file.
 4280 			[RT #42838]
 4281 
 4282 4578.	[security]	Some chaining (CNAME or DNAME) responses to upstream
 4283 			queries could trigger assertion failures.
 4284 			(CVE-2017-3137) [RT #44734]
 4285 
 4286 4577.	[func]		Make qtype of resolver fuzzing packet configurable
 4287 			via command line. [RT #43540]
 4288 
 4289 4576.	[func]		The RPZ implementation has been substantially
 4290 			refactored for improved performance and reliability.
 4291 			[RT #43449]
 4292 
 4293 4575.	[security]	DNS64 with "break-dnssec yes;" can result in an
 4294 			assertion failure. (CVE-2017-3136) [RT #44653]
 4295 
 4296 4574.	[bug]		Dig leaked memory with multiple +subnet options.
 4297 			[RT #44683]
 4298 
 4299 4573.	[func]		Query logic has been substantially refactored (e.g.
 4300 			query_find function has been split into smaller
 4301 			functions) for improved readability, maintainability
 4302 			and testability. [RT #43929]
 4303 
 4304 4572.	[func]		The "dnstap-output" option can now take "size" and
 4305 			"versions" parameters to indicate the maximum size
 4306 			a dnstap log file can grow before rolling to a new
 4307 			file, and how many old files to retain. [RT #44502]
 4308 
 4309 4571.	[bug]		Out-of-tree builds of backtrace_test failed.
 4310 
 4311 4570.	[cleanup]	named did not correctly fall back to the built-in
 4312 			initializing keys if the bind.keys file was present
 4313 			but empty. [RT #44531]
 4314 
 4315 4569.	[func]		Store both local and remote addresses in dnstap
 4316 			logging, and modify dnstap-read output format to
 4317 			print them. [RT #43595]
 4318 
 4319 4568.	[contrib]	Added a --with-bind option to the dnsperf configure
 4320 			script to specify BIND prefix path.
 4321 
 4322 4567.	[port]		Call getprotobyname and getservbyname prior to calling
 4323 			chroot so that shared libraries get loaded. [RT #44537]
 4324 
 4325 4566.	[func]		Query logging now includes the ECS option if one
 4326 			was included in the query. [RT #44476]
 4327 
 4328 4565.	[cleanup]	The inline macro versions of isc_buffer_put*()
 4329 			did not implement automatic buffer reallocation.
 4330 			[RT #44216]
 4331 
 4332 4564.	[maint]		Update the built in managed keys to include the
 4333 			upcoming root KSK. [RT #44579]
 4334 
 4335 4563.	[bug]		Modified zones would occasionally fail to reload.
 4336 			[RT #39424]
 4337 
 4338 4562.	[func]		Add additional memory statistics currently malloced
 4339 			and maxmalloced per memory context. [RT #43593]
 4340 
 4341 4561.	[port]		Silence a warning in strict C99 compilers. [RT #44414]
 4342 
 4343 4560.	[bug]		mdig: add -m option to enable memory debugging rather
 4344 			than having it on all the time. [RT #44509]
 4345 
 4346 4559.	[bug]		openssl_link.c didn't compile if ISC_MEM_TRACKLINES
 4347 			was turned off.  [RT #44509]
 4348 
 4349 4558.	[bug]		Synthesised CNAME before matching DNAME was still
 4350 			being cached when it should not have been.  [RT #44318]
 4351 
 4352 4557.	[security]	Combining dns64 and rpz can result in dereferencing
 4353 			a NULL pointer (read).  (CVE-2017-3135) [RT#44434]
 4354 
 4355 4556.	[bug]		Sending an EDNS Padding option using "dig
 4356 			+ednsopt" could cause a crash in dig. [RT #44462]
 4357 
 4358 4555.	[func]		dig +ednsopt: EDNS options can now be specified by
 4359 			name in addition to numeric value. [RT #44461]
 4360 
 4361 4554.	[bug]		Remove double unlock in dns_dispatchmgr_setudp.
 4362 			[RT #44336]
 4363 
 4364 4553.	[bug]		Named could deadlock there were multiple changes to
 4365 			NSEC/NSEC3 parameters for a zone being processed at
 4366 			the same time. [RT #42770]
 4367 
 4368 4552.	[bug]		Named could trigger a assertion when sending notify
 4369 			messages. [RT #44019]
 4370 
 4371 4551.	[test]		Add system tests for integrity checks of MX and
 4372 			SRV records. [RT #43953]
 4373 
 4374 4550.	[cleanup]	Increased the number of available master file
 4375 			output style flags from 32 to 64. [RT #44043]
 4376 
 4377 4549.	[func]		Added support for the EDNS TCP Keepalive option
 4378 			(RFC 7828). [RT #42126]
 4379 
 4380 4548.	[func]		Added support for the EDNS Padding option (RFC 7830).
 4381 			[RT #42094]
 4382 
 4383 4547.	[port]		Add support for --enable-native-pkcs11 on the AEP
 4384 			Keyper HSM. [RT #42463]
 4385 
 4386 4546.	[func]		Extend the use of const declarations. [RT #43379]
 4387 
 4388 4545.	[func]		Expand YAML output from dnstap-read to include
 4389 			a detailed breakdown of the DNS message contents.
 4390 			[RT #43642]
 4391 
 4392 4544.	[bug]		Add message/payload size to dnstap-read YAML output.
 4393 			[RT #43622]
 4394 
 4395 4543.	[bug]		dns_client_startupdate now delays sending the update
 4396 			request until isc_app_ctxrun has been called.
 4397 			[RT #43976]
 4398 
 4399 4542.	[func]		Allow rndc to manipulate redirect zones with using
 4400 			-redirect as the zone name (use "-redirect." to
 4401 			manipulate a zone named "-redirect"). [RT #43971]
 4402 
 4403 4541.	[bug]		rndc addzone should properly reject non master/slave
 4404 			zones. [RT #43665]
 4405 
 4406 4540.	[bug]		Correctly handle ecs entries in dns_acl_isinsecure.
 4407 			[RT #43601]
 4408 
 4409 4539.	[bug]		Referencing a nonexistent zone with RPZ could lead
 4410 			to a assertion failure when configuring. [RT #43787]
 4411 
 4412 4538.	[bug]		Call dns_client_startresolve from client->task.
 4413 			[RT #43896]
 4414 
 4415 4537.	[bug]		Handle timeouts better in dig/host/nslookup. [RT #43576]
 4416 
 4417 4536.	[bug]		ISC_SOCKEVENTATTR_USEMINMTU was not being cleared
 4418 			when reusing the event structure. [RT #43885]
 4419 
 4420 4535.	[bug]		Address race condition in setting / testing of
 4421 			DNS_REQUEST_F_SENDING. [RT #43889]
 4422 
 4423 4534.	[bug]		Only set RD, RA and CD in QUERY responses. [RT #43879]
 4424 
 4425 4533.	[bug]		dns_client_update should terminate on prerequisite
 4426 			failures (NXDOMAIN, YXDOMAIN, NXRRSET, YXRRSET)
 4427 			and also on BADZONE.  [RT #43865]
 4428 
 4429 4532.	[contrib]	Make gen-data-queryperf.py python 3 compatible.
 4430 			[RT #43836]
 4431 
 4432 4531.	[security]	'is_zone' was not being properly updated by redirect2
 4433 			and subsequently preserved leading to an assertion
 4434 			failure. (CVE-2016-9778) [RT #43837]
 4435 
 4436 4530.	[bug]		Change 4489 broke the handling of CNAME -> DNAME
 4437 			in responses resulting in SERVFAIL being returned.
 4438 			[RT #43779]
 4439 
 4440 4529.	[cleanup]	Silence noisy log warning when DSCP probe fails
 4441 			due to firewall rules. [RT #43847]
 4442 
 4443 4528.	[bug]		Only set the flag bits for the i/o we are waiting
 4444 			for on EPOLLERR or EPOLLHUP. [RT #43617]
 4445 
 4446 4527.	[doc]		Support DocBook XSL Stylesheets v1.79.1. [RT #43831]
 4447 
 4448 4526.	[doc]		Corrected errors and improved formatting of
 4449 			grammar definitions in the ARM. [RT #43739]
 4450 
 4451 4525.	[doc]		Fixed outdated documentation on managed-keys.
 4452 			[RT #43810]
 4453 
 4454 4524.	[bug]		The net zero test was broken causing IPv4 servers
 4455 			with addresses ending in .0 to be rejected. [RT #43776]
 4456 
 4457 4523.	[doc]		Expand config doc for <querysource4> and
 4458 			<querysource6>. [RT #43768]
 4459 
 4460 4522.	[bug]		Handle big gaps in log file version numbers better.
 4461 			[RT #38688]
 4462 
 4463 4521.	[cleanup]	Log it as an error if an entropy source is not
 4464 			found and there is no fallback available. [RT #43659]
 4465 
 4466 4520.	[cleanup]	Alphabetize more of the grammar when printing it
 4467 			out. Fix unbalanced indenting. [RT #43755]
 4468 
 4469 4519.	[port]		win32: handle ERROR_MORE_DATA. [RT #43534]
 4470 
 4471 4518.	[func]		The "print-time" option in the logging configuration
 4472 			can now take arguments "local", "iso8601" or
 4473 			"iso8601-utc" to indicate the format in which the
 4474 			date and time should be logged. For backward
 4475 			compatibility, "yes" is a synonym for "local".
 4476 			[RT #42585]
 4477 
 4478 4517.	[security]	Named could mishandle authority sections that were
 4479 			missing RRSIGs triggering an assertion failure.
 4480 			(CVE-2016-9444) [RT # 43632]
 4481 
 4482 4516.	[bug]		isc_socketmgr_renderjson was missing from the
 4483 			windows build. [RT #43602]
 4484 
 4485 4515.	[port]		FreeBSD: Find readline headers when they are in
 4486 			edit/readline/ instead of readline/. [RT #43658]
 4487 
 4488 4514.	[port]		NetBSD: strip -WL, from ld command line. [RT #43204]
 4489 
 4490 4513.	[cleanup]	Minimum Python versions are now 2.7 and 3.2.
 4491 			[RT #43566]
 4492 
 4493 4512.	[bug]		win32: @GEOIP_INC@ missing from delv.vcxproj.in.
 4494 			[RT #43556]
 4495 
 4496 4511.	[bug]		win32: mdig.exe-BNFT was missing Configure. [RT #43554]
 4497 
 4498 4510.	[security]	Named mishandled some responses where covering RRSIG
 4499 			records are returned without the requested data
 4500 			resulting in a assertion failure. (CVE-2016-9147)
 4501 			[RT #43548]
 4502 
 4503 4509.	[test]		Make the rrl system test more reliable on slower
 4504 			machines by using mdig instead of dig. [RT #43280]
 4505 
 4506 4508.	[security]	Named incorrectly tried to cache TKEY records which
 4507 			could trigger a assertion failure when there was
 4508 			a class mismatch. (CVE-2016-9131) [RT #43522]
 4509 
 4510 4507.	[bug]		Named could incorrectly log 'allows updates by IP
 4511 			address, which is insecure' [RT #43432]
 4512 
 4513 4506.	[func]		'named-checkconf -l' will now list the zones found in
 4514 			named.conf. [RT #43154]
 4515 
 4516 4505.	[port]		Use IP_PMTUDISC_OMIT if available. [RT #35494]
 4517 
 4518 4504.	[security]	Allow the maximum number of records in a zone to
 4519 			be specified.  This provides a control for issues
 4520 			raised in CVE-2016-6170. [RT #42143]
 4521 
 4522 4503.	[cleanup]	"make uninstall" now removes files installed by
 4523 			BIND. (This currently excludes Python files
 4524 			due to lack of support in setup.py.) [RT #42192]
 4525 
 4526 4502.	[func]		Report multiple and experimental options when printing
 4527 			grammar. [RT #43134]
 4528 
 4529 4501.	[placeholder]
 4530 
 4531 4500.	[bug]		Support modifier I64 in isc__print_printf. [RT #43526]
 4532 
 4533 4499.	[port]		MacOSX: silence deprecated function warning
 4534 			by using arc4random_stir() when available
 4535 			instead of arc4random_addrandom(). [RT #43503]
 4536 
 4537 4498.	[test]		Simplify prerequisite checks in system tests.
 4538 			[RT #43516]
 4539 
 4540 4497.	[port]		Add support for OpenSSL 1.1.0. [RT #41284]
 4541 
 4542 4496.	[func]		dig: add +idnout to control whether labels are
 4543 			display in punycode or not.  Requires idn support
 4544 			to be enabled at compile time. [RT #43398]
 4545 
 4546 4495.	[bug]		A isc_mutex_init call was not being checked.
 4547 			[RT #43391]
 4548 
 4549 4494.	[bug]		Look for <editline/readline.h>. [RT #43429]
 4550 
 4551 4493.	[bug]		bin/tests/system/dyndb/driver/Makefile.in should use
 4552 			SO_TARGETS. [RT# 43336]
 4553 
 4554 4492.	[bug]		irs_resconf_load failed to initialize sortlistnxt
 4555 			causing bad writes if resolv.conf contained a
 4556 			sortlist directive. [RT #43459]
 4557 
 4558 4491.	[bug]		Improve message emitted when testing whether sendmsg
 4559 			works with TOS/TCLASS fails. [RT #43483]
 4560 
 4561 4490.	[maint]		Added AAAA (2001:500:12::d0d) for G.ROOT-SERVERS.NET.
 4562 
 4563 4489.	[security]	It was possible to trigger assertions when processing
 4564 			a response containing a DNAME answer. (CVE-2016-8864)
 4565 			[RT #43465]
 4566 
 4567 4488.	[port]		Darwin: use -framework for Kerberos. [RT #43418]
 4568 
 4569 4487.	[test]		Make system tests work on Windows. [RT #42931]
 4570 
 4571 4486.	[bug]		Look in $prefix/lib/pythonX.Y/site-packages for
 4572 			the python modules we install. [RT #43330]
 4573 
 4574 4485.	[bug]		Failure to find readline when requested should be
 4575 			fatal to configure. [RT #43328]
 4576 
 4577 4484.	[func]		Check prefixes in acls to make sure the address and
 4578 			prefix lengths are consistent.  Warn only in
 4579 			BIND 9.11 and earlier. [RT #43367]
 4580 
 4581 4483.	[bug]		Address use before require check and remove extraneous
 4582 			dns_message_gettsigkey call in dns_tsig_sign.
 4583 			[RT #43374]
 4584 
 4585 4482.	[cleanup]	Change #4455 was incomplete. [RT #43252]
 4586 
 4587 4481.	[func]		dig: make +class, +crypto, +multiline, +rrcomments,
 4588 			+onesoa, +qr, +ttlid, +ttlunits and -u per lookup
 4589 			rather than global. [RT #42450]
 4590 
 4591 4480.	[placeholder]
 4592 
 4593 4479.	[placeholder]
 4594 
 4595 4478.	[func]		Add +continue option to mdig, allow continue on socket
 4596 			errors. [RT #43281]
 4597 
 4598 4477.	[test]		Fix mkeys test timing issues. [RT #41028]
 4599 
 4600 4476.	[test]		Fix reclimit test on slower machines. [RT #43283]
 4601 
 4602 4475.	[doc]		Update named-checkconf documentation. [RT #43153]
 4603 
 4604 4474.	[bug]		win32: call WSAStartup in fromtext_in_wks so that
 4605 			getprotobyname and getservbyname work.  [RT #43197]
 4606 
 4607 4473.	[bug]		Only call fsync / _commit on regular files. [RT #43196]
 4608 
 4609 4472.	[bug]		Named could fail to find the correct NSEC3 records when
 4610 			a zone was updated between looking for the answer and
 4611 			looking for the NSEC3 records proving nonexistence
 4612 			of the answer. [RT #43247]
 4613 
 4614 	--- 9.11.0 released ---
 4615 
 4616 	--- 9.11.0rc3 released ---
 4617 
 4618 4471.	[cleanup]	Render client/query logging format consistent for
 4619 			ease of log file parsing. (Note that this affects
 4620 			"querylog" format: there is now an additional field
 4621 			indicating the client object address.) [RT #43238]
 4622 
 4623 4470.	[bug]		Reset message with intent parse before
 4624 			calling dns_dispatch_getnext. [RT #43229]
 4625 
 4626 4469.	[placeholder]
 4627 
 4628 	--- 9.11.0rc2 released ---
 4629 
 4630 4468.	[bug]		Address ECS option handling issues. [RT #43191]
 4631 
 4632 4467.	[security]	It was possible to trigger an assertion when
 4633 			rendering a message. (CVE-2016-2776) [RT #43139]
 4634 
 4635 4466.	[bug]		Interface scanning didn't work on a Windows system
 4636 			without a non local IPv6 addresses. [RT #43130]
 4637 
 4638 4465.	[bug]		Don't use "%z" as Windows doesn't support it.
 4639 			[RT #43131]
 4640 
 4641 4464.	[bug]		Fix windows python support. [RT #43173]
 4642 
 4643 4463.	[bug]		The dnstap system test failed on some systems.
 4644 			[RT #43129]
 4645 
 4646 4462.	[bug]		Don't describe a returned EDNS COOKIE as "good"
 4647 			when there isn't a valid server cookie. [RT #43167]
 4648 
 4649 4461.	[bug]		win32: not all external data was properly marked
 4650 			as external data for windows dll. [RT #43161]
 4651 
 4652 	--- 9.11.0rc1 released ---
 4653 
 4654 4460.	[test]		Add system test for dnstap using unix domain sockets.
 4655 			[RT #42926]
 4656 
 4657 4459.	[bug]		TCP client objects created to handle pipeline queries
 4658 			were not cleaned up correctly, causing uncontrolled
 4659 			memory growth. [RT #43106]
 4660 
 4661 4458.	[cleanup]	Update assertions to be more correct, and also remove
 4662 			use of a reserved word. [RT #43090]
 4663 
 4664 4457.	[maint]		Added AAAA (2001:500:a8::e) for E.ROOT-SERVERS.NET.
 4665 
 4666 4456.	[doc]		Add DOCTYPE and lang attribute to <html> tags.
 4667 			[RT #42587]
 4668 
 4669 4455.	[cleanup]	Allow dyndb modules to correctly log the filename
 4670 			and line number when processing configuration text
 4671 			from named.conf. [RT #43050]
 4672 
 4673 4454.	[bug]		'rndc dnstap -reopen' had a race issue. [RT #43089]
 4674 
 4675 4453.	[bug]		Prefetching of DS records failed to update their
 4676 			RRSIGs. [RT #42865]
 4677 
 4678 4452.	[bug]		The default key manager policy file is now
 4679 			<sysdir>/dnssec-policy.conf (usually
 4680 			/etc/dnssec-policy.conf). [RT #43064]
 4681 
 4682 4451.	[cleanup]	Log more useful information if a PKCS#11 provider
 4683 			library cannot be loaded. [RT #43076]
 4684 
 4685 4450.	[port]		Provide more nuanced HSM support which better matches
 4686 			the specific PKCS11 providers capabilities. [RT #42458]
 4687 
 4688 4449.	[test]		Fix catalog zones test on slower systems. [RT #42997]
 4689 
 4690 4448.	[bug]		win32: ::1 was not being found when iterating
 4691 			interfaces. [RT #42993]
 4692 
 4693 4447.	[tuning]	Allow the fstrm_iothr_init() options to be set using
 4694 			named.conf to control how dnstap manages the data
 4695 			flow. [RT #42974]
 4696 
 4697 4446.	[bug]		The cache_find() and _findrdataset() functions
 4698 			could find rdatasets that had been marked stale.
 4699 			[RT #42853]
 4700 
 4701 4445.	[cleanup]	isc_errno_toresult() can now be used to call the
 4702 			formerly private function isc__errno2result().
 4703 			[RT #43050]
 4704 
 4705 4444.	[bug]		Fixed some issues related to dyndb: A bug caused
 4706 			braces to be omitted when passing configuration text
 4707 			from named.conf to a dyndb driver, and there was a
 4708 			use-after-free in the sample dyndb driver. [RT #43050]
 4709 
 4710 4443.	[func]		Set TCP_MAXSEG in addition to IPV6_USE_MIN_MTU on
 4711 			TCP sockets. [RT #42864]
 4712 
 4713 4442.	[bug]		Fix RPZ CIDR tree insertion bug that corrupted
 4714 			tree data structure with overlapping networks
 4715 			(longest prefix match was ineffective).
 4716 			[RT #43035]
 4717 
 4718 4441.	[cleanup]	Alphabetize host's help output. [RT #43031]
 4719 
 4720 4440.	[func]		Enable TCP fast open support when available on the
 4721 			server side. [RT #42866]
 4722 
 4723 4439.	[bug]		Address race conditions getting ownernames of nodes.
 4724 			[RT #43005]
 4725 
 4726 4438.	[func]		Use LIFO rather than FIFO when processing startup
 4727 			notify and refresh queries. [RT #42825]
 4728 
 4729 4437.	[func]		Minimal-responses now has two additional modes
 4730 			no-auth and no-auth-recursive which suppress
 4731 			adding the NS records to the authority section
 4732 			as well as the associated address records for the
 4733 			nameservers. [RT #42005]
 4734 
 4735 4436.	[func]		Return TLSA records as additional data for MX and SRV
 4736 			lookups. [RT #42894]
 4737 
 4738 4435.	[tuning]	Only set IPV6_USE_MIN_MTU for UDP when the message
 4739 			will not fit into a single IPv4 encapsulated IPv6
 4740 			UDP packet when transmitted over a Ethernet link.
 4741 			[RT #42871]
 4742 
 4743 4434.	[protocol]	Return EDNS EXPIRE option for master zones in addition
 4744 			to slave zones. [RT #43008]
 4745 
 4746 4433.	[cleanup]	Report an error when passing an invalid option or
 4747 			view name to "rndc dumpdb". [RT #42958]
 4748 
 4749 4432.	[test]		Hide rndc output on expected failures in logfileconfig
 4750 			system test. [RT #27996]
 4751 
 4752 4431.	[bug]		named-checkconf now checks the rate-limit clause.
 4753 			[RT #42970]
 4754 
 4755 4430.	[bug]		Lwresd died if a search list was not defined.
 4756 			Found by 0x710DDDD At Alibaba Security. [RT #42895]
 4757 
 4758 4429.	[bug]		Address potential use after free on fclose() error.
 4759 			[RT #42976]
 4760 
 4761 4428.	[bug]		The "test dispatch getnext" unit test could fail
 4762 			in a threaded build. [RT #42979]
 4763 
 4764 4427.	[bug]		The "query" and "response" parameters to the
 4765 			"dnstap" option had their functions reversed.
 4766 
 4767 	--- 9.11.0b3 released ---
 4768 
 4769 4426.	[bug]		Addressed Coverity warnings. [RT #42908]
 4770 
 4771 4425.	[bug]		arpaname, dnstap-read and named-rrchecker were not
 4772 			being installed into ${prefix}/bin.  Tidy up
 4773 			installation issues with CHANGE 4421. [RT #42910]
 4774 
 4775 4424.	[experimental]	Named now sends _ta-XXXX.<trust-anchor>/NULL queries
 4776 			to provide feedback to the trust-anchor administrators
 4777 			about how key rollovers are progressing as per
 4778 			draft-ietf-dnsop-edns-key-tag-02.  This can be
 4779 			disabled using 'trust-anchor-telemetry no;'.
 4780 			[RT #40583]
 4781 
 4782 4423.	[maint]		Added missing IPv6 address 2001:500:84::b for
 4783 			B.ROOT-SERVERS.NET. [RT #42898]
 4784 
 4785 4422.	[port]		Silence clang warnings in dig.c and dighost.c.
 4786 			[RT #42451]
 4787 
 4788 4421.	[func]		When built with LMDB (Lightning Memory-mapped
 4789 			Database), named will now use a database to store
 4790 			the configuration for zones added by "rndc addzone"
 4791 			instead of using a flat NZF file. This improves
 4792 			performance of "rndc delzone" and "rndc modzone"
 4793 			significantly. Existing NZF files will
 4794 			automatically by converted to NZD databases.
 4795 			To view the contents of an NZD or to roll back to
 4796 			NZF format, use "named-nzd2nzf". To disable
 4797 			this feature, use "configure --without-lmdb".
 4798 			[RT #39837]
 4799 
 4800 4420.	[func]		nslookup now looks for AAAA as well as A by default.
 4801 			[RT #40420]
 4802 
 4803 4419.	[bug]		Don't cause undefined result if the label of an
 4804 			entry in catalog zone is changed. [RT #42708]
 4805 
 4806 4418.	[bug]		Fix a compiler warning in GSSAPI code. [RT #42879]
 4807 
 4808 4417.	[bug]		dnssec-keymgr could fail to create successor keys
 4809 			if the prepublication interval was set to a value
 4810 			smaller than the default. [RT #42820]
 4811 
 4812 4416.	[bug]		dnssec-keymgr: Domain names in policy files could
 4813 			fail to match due to trailing dots. [RT #42807]
 4814 
 4815 4415.	[bug]		dnssec-keymgr: Expired/deleted keys were not always
 4816 			excluded. [RT #42884]
 4817 
 4818 4414.	[bug]		Corrected a bug in the MIPS implementation of
 4819 			isc_atomic_xadd(). [RT #41965]
 4820 
 4821 4413.	[bug]		GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED
 4822 			was returned. [RT #42733]
 4823 
 4824 	--- 9.11.0b2 released ---
 4825 
 4826 4412.	[cleanup]	Make fixes for GCC 6. ISC_OFFSET_MAXIMUM macro was
 4827 			removed. [RT #42721]
 4828 
 4829 4411.	[func]		"rndc dnstap -roll" automatically rolls the
 4830 			dnstap output file; the previous version is
 4831 			saved with ".0" suffix, and earlier versions
 4832 			with ".1" and so on. An optional numeric argument
 4833 			indicates how many prior files to save. [RT #42830]
 4834 
 4835 4410.	[bug]		Address use after free and memory leak with dnstap.
 4836 			[RT #42746]
 4837 
 4838 4409.	[bug]		DNS64 should exclude mapped addresses by default when
 4839 			an exclude acl is not defined. [RT #42810]
 4840 
 4841 4408.	[func]		Continue waiting for expected response when we the
 4842 			response we get does not match the request. [RT #41026]
 4843 
 4844 4407.	[performance]	Use GCC builtin for clz in RPZ lookup code.
 4845 			[RT #42818]
 4846 
 4847 4406.	[security]	getrrsetbyname with a non absolute name could
 4848 			trigger an infinite recursion bug in lwresd
 4849 			and named with lwres configured if when combined
 4850 			with a search list entry the resulting name is
 4851 			too long. (CVE-2016-2775) [RT #42694]
 4852 
 4853 4405.	[bug]		Change 4342 introduced a regression where you could
 4854 			not remove a delegation in a NSEC3 signed zone using
 4855 			OPTOUT via nsupdate. [RT #42702]
 4856 
 4857 4404.	[misc]		Allow krb5-config to be used when configuring gssapi.
 4858 			[RT #42580]
 4859 
 4860 4403.	[bug]		Rename variables and arguments that shadow: basename,
 4861 			clone and gai_error.
 4862 
 4863 4402.	[bug]		protoc-c is now a hard requirement for --enable-dnstap.
 4864 
 4865 	--- 9.11.0b1 released ---
 4866 
 4867 4401.	[misc]		Change LICENSE to MPL 2.0.
 4868 
 4869 4400.	[bug]		ttl policy was not being inherited in policy.py.
 4870 			[RT #42718]
 4871 
 4872 4399.	[bug]		policy.py 'ECCGOST', 'ECDSAP256SHA256', and
 4873 			'ECDSAP384SHA384' don't have settable keysize.
 4874 			[RT #42718]
 4875 
 4876 4398.	[bug]		Correct spelling of ECDSAP256SHA256 in policy.py.
 4877 			[RT #42718]
 4878 
 4879 4397.	[bug]		Update Windows python support. [RT #42538]
 4880 
 4881 4396.	[func]		dnssec-keymgr now takes a '-r randomfile' option.
 4882 			[RT #42455]
 4883 
 4884 4395.	[bug]		Improve out-of-tree installation of python modules.
 4885 			[RT #42586]
 4886 
 4887 4394.	[func]		Add rndc command "dnstap-reopen" to close and
 4888 			reopen dnstap output files. [RT #41803]
 4889 
 4890 4393.	[bug]		Address potential NULL pointer dereferences in
 4891 			dnstap code.
 4892 
 4893 4392.	[func]		Collect statistics for RSSAC02v3 traffic-volume,
 4894 			traffic-sizes and rcode-volume reporting. [RT #41475]
 4895 
 4896 4391.	[contrib]	Fix leaks in contrib DLZ code. [RT #42707]
 4897 
 4898 4390.	[doc]		Description of masters with TSIG, allow-query and
 4899 			allow-transfer options in catalog zones. [RT #42692]
 4900 
 4901 4389.	[test]		Rewritten test suite for catalog zones. [RT #42676]
 4902 
 4903 4388.	[func]		Support for master entries with TSIG keys in catalog
 4904 			zones. [RT #42577]
 4905 
 4906 4387.	[bug]		Change 4336 was not complete leading to SERVFAIL
 4907 			being return as NS records expired. [RT #42683]
 4908 
 4909 4386.	[bug]		Remove shadowed overmem function/variable. [RT #42706]
 4910 
 4911 4385.	[func]		Add support for allow-query and allow-transfer ACLs
 4912 			to catalog zones. [RT #42578]
 4913 
 4914 4384.	[bug]		Change 4256 accidentally disabled logging of the
 4915 			rndc command. [RT #42654]
 4916 
 4917 4383.	[bug]		Correct spelling error in stats channel description of
 4918 			"EDNS client subnet option received". [RT #42633]
 4919 
 4920 4382.	[bug]		rndc {addzone,modzone,delzone,showzone} should all
 4921 			compare the zone name using a canonical format.
 4922 			[RT #42630]
 4923 
 4924 4381.	[bug]		Missing "zone-directory" option in catalog zone
 4925 			definition caused BIND to crash. [RT #42579]
 4926 
 4927 	--- 9.11.0a3 released ---
 4928 
 4929 4380.	[experimental]	Added a "zone-directory" option to "catalog-zones"
 4930 			syntax, allowing local masterfiles for slaves
 4931 			that are provisioned by catalog zones to be stored
 4932 			in a directory other than the server's working
 4933 			directory. [RT #42527]
 4934 
 4935 4379.	[bug]		An INSIST could be triggered if a zone contains
 4936 			RRSIG records with expiry fields that loop
 4937 			using serial number arithmetic. [RT #40571]
 4938 
 4939 4378.	[contrib]	#include <isc/string.h> for strlcat in zone2ldap.c.
 4940 			[RT #42525]
 4941 
 4942 4377.	[bug]		Don't reuse zero TTL responses beyond the current
 4943 			client set (excludes ANY/SIG/RRSIG queries).
 4944 			[RT #42142]
 4945 
 4946 4376.	[experimental]	Added support for Catalog Zones, a new method for
 4947 			provisioning secondary servers in which a list of
 4948 			zones to be served is stored in a DNS zone and can
 4949 			be propagated to slaves via AXFR/IXFR. [RT #41581]
 4950 
 4951 4375.	[func]		Add support for automatic reallocation of isc_buffer
 4952 			to isc_buffer_put* functions. [RT #42394]
 4953 
 4954 4374.	[bug]		Use SAVE/RESTORE macros in query.c to reduce the
 4955 			probability of reference counting errors as seen
 4956 			in 4365. [RT #42405]
 4957 
 4958 4373.	[bug]		Address undefined behavior in getaddrinfo. [RT #42479]
 4959 
 4960 4372.	[bug]		Address undefined behavior in libt_api. [RT #42480]
 4961 
 4962 4371.	[func]		New "minimal-any" option reduces the size of UDP
 4963 			responses for qtype ANY by returning a single
 4964 			arbitrarily selected RRset instead of all RRsets.
 4965 			Thanks to Tony Finch. [RT #41615]
 4966 
 4967 4370.	[bug]		Address python3 compatibility issues with RNDC module.
 4968 			[RT #42499] [RT #42506]
 4969 
 4970 	--- 9.11.0a2 released ---
 4971 
 4972 4369.	[bug]		Fix 'make' and 'make install' out-of-tree python
 4973 			support. [RT #42484]
 4974 
 4975 4368.	[bug]		Fix a crash when calling "rndc stats" on some
 4976 			Windows builds because some Visual Studio compilers
 4977 			generated crashing code for the "%z" printf()
 4978 			format specifier. [RT #42380]
 4979 
 4980 4367.	[bug]		Remove unnecessary assignment of loadtime in
 4981 			zone_touched. [RT #42440]
 4982 
 4983 4366.	[bug]		Address race condition when updating rbtnode bit
 4984 			fields. [RT #42379]
 4985 
 4986 4365.	[bug]		Address zone reference counting errors involving
 4987 			nxdomain-redirect. [RT #42258]
 4988 
 4989 4364.	[port]		freebsd: add -Wl,-E to loader flags [RT #41690]
 4990 
 4991 4363.	[port]		win32: Disable explicit triggering UAC when running
 4992 			BINDInstall.
 4993 
 4994 4362.	[func]		Changed rndc reconfig behavior so that newly added
 4995 			zones are loaded asynchronously and the loading does
 4996 			not block the server. [RT #41934]
 4997 
 4998 4361.	[cleanup]	Where supported, file modification times returned
 4999 			by isc_file_getmodtime() are now accurate to the
 5000 			nanosecond. [RT #41968]
 5001 
 5002 4360.	[bug]		Silence spurious 'bad key type' message when there is
 5003 			a existing TSIG key. [RT #42195]
 5004 
 5005 4359.	[bug]		Inherited 'also-notify' lists were not being checked
 5006 			by named-checkconf. [RT #42174]
 5007 
 5008 4358.	[test]		Added American Fuzzy Lop harness that allows
 5009 			feeding fuzzed packets into BIND.
 5010 			[RT #41723]
 5011 
 5012 4357.	[func]		Add the python RNDC module. [RT #42093]
 5013 
 5014 4356.	[func]		Add the ability to specify whether to wait for
 5015 			nameserver addresses to be looked up or not to
 5016 			RPZ with a new modifying directive 'nsip-wait-recurse'.
 5017 			[RT #35009]
 5018 
 5019 4355.	[func]		"pkcs11-list" now displays the extractability
 5020 			attribute of private or secret keys stored in
 5021 			an HSM, as either "true", "false", or "never"
 5022 			Thanks to Daniel Stirnimann. [RT #36557]
 5023 
 5024 4354.	[bug]		Check that the received HMAC length matches the
 5025 			expected length prior to check the contents on the
 5026 			control channel.  This prevents a OOB read error.
 5027 			This was reported by Lian Yihan, <lianyihan@360.cn>.
 5028 			[RT #42215]
 5029 
 5030 4353.	[cleanup]	Update PKCS#11 header files. [RT #42175]
 5031 
 5032 4352.	[cleanup]	The ISC DNSSEC Lookaside Validation (DLV) service
 5033 			is scheduled to be disabled in 2017.  A warning is
 5034 			now logged when named is configured to use it,
 5035 			either explicitly or via "dnssec-lookaside auto;"
 5036 			[RT #42207]
 5037 
 5038 4351.	[bug]		'dig +noignore' didn't work. [RT #42273]
 5039 
 5040 4350.	[contrib]	Declare result in  dlz_filesystem_dynamic.c.
 5041 
 5042 4349.	[contrib]	kasp2policy: A python script to create a DNSSEC
 5043 			policy file from an OpenDNSSEC KASP XML file.
 5044 
 5045 4348.	[func]		dnssec-keymgr: A new python-based DNSSEC key
 5046 			management utility, which reads a policy definition
 5047 			file and can create or update DNSSEC keys as needed
 5048 			to ensure that a zone's keys match policy, roll over
 5049 			correctly on schedule, etc.  Thanks to Sebastian
 5050 			Castro for assistance in development. [RT #39211]
 5051 
 5052 4347.	[port]		Corrected a build error on x86_64 Solaris. [RT #42150]
 5053 
 5054 4346.	[bug]		Fixed a regression introduced in change #4337 which
 5055 			caused signed domains with revoked KSKs to fail
 5056 			validation. [RT #42147]
 5057 
 5058 4345.	[contrib]	perftcpdns mishandled the return values from
 5059 			clock_nanosleep. [RT #42131]
 5060 
 5061 4344.	[port]		Address openssl version differences. [RT #42059]
 5062 
 5063 4343.	[bug]		dns_dnssec_syncupdate mis-declared in <dns/dnssec.h>.
 5064 			[RT #42090]
 5065 
 5066 4342.	[bug]		'rndc flushtree' could fail to clean the tree if there
 5067 			wasn't a node at the specified name. [RT #41846]
 5068 
 5069 	--- 9.11.0a1 released ---
 5070 
 5071 4341.	[bug]		Correct the handling of ECS options with
 5072 			address family 0. [RT #41377]
 5073 
 5074 4340.	[performance]	Implement adaptive read-write locks, reducing the
 5075 			overhead of locks that are only held briefly.
 5076 			[RT #37329]
 5077 
 5078 4339.	[test]		Use "mdig" to test pipelined queries. [RT #41929]
 5079 
 5080 4338.	[bug]		Reimplement change 4324 as it wasn't properly doing
 5081 			all the required book keeping. [RT #41941]
 5082 
 5083 4337.	[bug]		The previous change exposed a latent flaw in
 5084 			key refresh queries for managed-keys when
 5085 			a cached DNSKEY had TTL 0. [RT #41986]
 5086 
 5087 4336.	[bug]		Don't emit records with zero ttl unless the records
 5088 			were learnt with a zero ttl. [RT #41687]
 5089 
 5090 4335.	[bug]		zone->view could be detached too early. [RT #41942]
 5091 
 5092 4334.	[func]		'named -V' now reports zlib version. [RT #41913]
 5093 
 5094 4333.	[maint]		L.ROOT-SERVERS.NET is now 199.7.83.42 and
 5095 			2001:500:9f::42.
 5096 
 5097 4332.	[placeholder]
 5098 
 5099 4331.	[func]		When loading managed signed zones detect if the
 5100 			RRSIG's inception time is in the future and regenerate
 5101 			the RRSIG immediately. [RT #41808]
 5102 
 5103 4330.	[protocol]	Identify the PAD option as "PAD" when printing out
 5104 			a message.
 5105 
 5106 4329.	[func]		Warn about a common misconfiguration when forwarding
 5107 			RFC 1918 zones. [RT #41441]
 5108 
 5109 4328.	[performance]	Add dns_name_fromwire() benchmark test. [RT #41694]
 5110 
 5111 4327.	[func]		Log query and depth counters during fetches when
 5112 			querytrace (./configure --enable-querytrace) is
 5113 			enabled (helps in diagnosing).  [RT #41787]
 5114 
 5115 4326.	[protocol]	Add support for AVC. [RT #41819]
 5116 
 5117 4325.	[func]		Add a line to "rndc status" indicating the
 5118 			hostname and operating system details. [RT #41610]
 5119 
 5120 4324.	[bug]		When deleting records from a zone database, interior
 5121 			nodes could be left empty but not deleted, damaging
 5122 			search performance afterward. [RT #40997]
 5123 
 5124 4323.	[bug]		Improve HTTP header processing on statschannel.
 5125 			[RT #41674]
 5126 
 5127 4322.	[security]	Duplicate EDNS COOKIE options in a response could
 5128 			trigger an assertion failure. (CVE-2016-2088)
 5129 			[RT #41809]
 5130 
 5131 4321.	[bug]		Zones using mapped files containing out-of-zone data
 5132 			could return SERVFAIL instead of the expected NODATA
 5133 			or NXDOMAIN results. [RT #41596]
 5134 
 5135 4320.	[bug]		Insufficient memory allocation when handling
 5136 			"none" ACL could cause an assertion failure in
 5137 			named when parsing ACL configuration. [RT #41745]
 5138 
 5139 4319.	[security]	Fix resolver assertion failure due to improper
 5140 			DNAME handling when parsing fetch reply messages.
 5141 			(CVE-2016-1286) [RT #41753]
 5142 
 5143 4318.	[security]	Malformed control messages can trigger assertions
 5144 			in named and rndc. (CVE-2016-1285) [RT #41666]
 5145 
 5146 4317.	[bug]		Age all unused servers on fetch timeout. [RT #41597]
 5147 
 5148 4316.	[func]		Add option to tools to print RRs in unknown
 5149 			presentation format [RT #41595].
 5150 
 5151 4315.	[bug]		Check that configured view class isn't a meta class.
 5152 			[RT #41572].
 5153 
 5154 4314.	[contrib]	Added 'dnsperf-2.1.0.0-1', a set of performance
 5155 			testing tools provided by Nominum, Inc.
 5156 
 5157 4313.	[bug]		Handle ns_client_replace failures in test mode.
 5158 			[RT #41190]
 5159 
 5160 4312.	[bug]		dig's unknown DNS and EDNS flags (MBZ value) logging
 5161 			was not consistent. [RT #41600]
 5162 
 5163 4311.	[bug]		Prevent "rndc delzone" from being used on
 5164 			response-policy zones. [RT #41593]
 5165 
 5166 4310.	[performance]	Use __builtin_expect() where available to annotate
 5167 			conditions with known behavior. [RT #41411]
 5168 
 5169 4309.	[cleanup]	Remove the spurious "none" filename from log messages
 5170 			when processing built-in configuration. [RT #41594]
 5171 
 5172 4308.	[func]		Added operating system details to "named -V"
 5173 			output. [RT #41452]
 5174 
 5175 4307.	[bug]		"dig +subnet" and "mdig +subnet" could send
 5176 			incorrectly-formatted Client Subnet options
 5177 			if the prefix length was not divisible by 8.
 5178 			Also fixed a memory leak in "mdig". [RT #45178]
 5179 
 5180 4306.	[maint]		Added a PKCS#11 openssl patch supporting
 5181 			version 1.0.2f [RT #38312]
 5182 
 5183 4305.	[bug]		dnssec-signzone was not removing unnecessary rrsigs
 5184 			from the zone's apex. [RT #41483]
 5185 
 5186 4304.	[port]		xfer system test failed as 'tail -n +value' is not
 5187 			portable. [RT #41315]
 5188 
 5189 4303.	[bug]		"dig +subnet" was unable to send a prefix length of
 5190 			zero, as it was incorrectly changed to 32 for v4
 5191 			prefixes or 128 for v6 prefixes. In addition to
 5192 			fixing this, "dig +subnet=0" has been added as a
 5193 			short form for 0.0.0.0/0. The same changes have
 5194 			also been made in "mdig". [RT #41553]
 5195 
 5196 4302.	[port]		win32: fixed a build error in VS 2015. [RT #41426]
 5197 
 5198 4301.	[bug]		dnssec-settime -p [DP]sync was not working. [RT #41534]
 5199 
 5200 4300.	[bug]		A flag could be set in the wrong field when setting
 5201 			up non-recursive queries; this could cause the
 5202 			SERVFAIL cache to cache responses it shouldn't.
 5203 			New querytrace logging has been added which
 5204 			identified this error. [RT #41155]
 5205 
 5206 4299.	[bug]		Check that exactly totallen bytes are read when
 5207 			reading a RRset from raw files in both single read
 5208 			and incremental modes. [RT #41402]
 5209 
 5210 4298.	[bug]		dns_rpz_add errors in loadzone were not being
 5211 			propagated up the call stack. [RT #41425]
 5212 
 5213 4297.	[test]		Ensure delegations in RPZ zones fail robustly.
 5214 			[RT #41518]
 5215 
 5216 4296.	[bug]		TCP packet sizes were calculated incorrectly in the
 5217 			stats channel; they could be counted in the wrong
 5218 			histogram bucket. [RT #40587]
 5219 
 5220 4295.	[bug]		An unchecked result in dns_message_pseudosectiontotext()
 5221 			could allow incorrect text formatting of EDNS EXPIRE
 5222 			options. [RT #41437]
 5223 
 5224 4294.	[bug]		Fixed a regression in which "rndc stop -p" failed
 5225 			to print the PID. [RT #41513]
 5226 
 5227 4293.	[bug]		Address memory leak on priming query creation failure.
 5228 			[RT #41512]
 5229 
 5230 4292.	[placeholder]
 5231 
 5232 4291.	[cleanup]	Added a required include to dns/forward.h. [RT #41474]
 5233 
 5234 4290.	[func]		The timers returned by the statistics channel
 5235 			(indicating current time, server boot time, and
 5236 			most recent reconfiguration time) are now reported
 5237 			with millisecond accuracy. [RT #40082]
 5238 
 5239 4289.	[bug]		The server could crash due to memory being used
 5240 			after it was freed if a zone transfer timed out.
 5241 			[RT #41297]
 5242 
 5243 4288.	[bug]		Fixed a regression in resolver.c:possibly_mark()
 5244 			which caused known-bogus servers to be queried
 5245 			anyway. [RT #41321]
 5246 
 5247 4287.	[bug]		Silence an overly noisy log message when message
 5248 			parsing fails. [RT #41374]
 5249 
 5250 4286.	[security]	render_ecs errors were mishandled when printing out
 5251 			a OPT record resulting in a assertion failure.
 5252 			(CVE-2015-8705) [RT #41397]
 5253 
 5254 4285.	[security]	Specific APL data could trigger a INSIST.
 5255 			(CVE-2015-8704) [RT #41396]
 5256 
 5257 4284.	[bug]		Some GeoIP options were incorrectly documented
 5258 			using abbreviated forms which were not accepted by
 5259 			named.  The code has been updated to allow both
 5260 			long and abbreviated forms. [RT #41381]
 5261 
 5262 4283.	[bug]		OPENSSL_config is no longer re-callable. [RT #41348]
 5263 
 5264 4282.	[func]		'dig +[no]mapped' determine whether the use of mapped
 5265 			IPv4 addresses over IPv6 is permitted or not.  The
 5266 			default is +mapped.  [RT #41307]
 5267 
 5268 4281.	[bug]		Teach dns_message_totext about BADCOOKIE. [RT #41257]
 5269 
 5270 4280.	[performance]	Use optimal message sizes to improve compression
 5271 			in AXFRs. This reduces network traffic. [RT #40996]
 5272 
 5273 4279.	[test]		Don't use fixed ports when unit testing. [RT #41194]
 5274 
 5275 4278.	[bug]		'delv +short +[no]split[=##]' didn't work as expected.
 5276 			[RT #41238]
 5277 
 5278 4277.	[performance]	Improve performance of the RBT, the central zone
 5279 			datastructure: The aux hashtable was improved,
 5280 			hash function was updated to perform more
 5281 			uniform mapping, uppernode was added to
 5282 			dns_rbtnode, and other cleanups and performance
 5283 			improvements were made. [RT #41165]
 5284 
 5285 4276.	[protocol]	Add support for SMIMEA. [RT #40513]
 5286 
 5287 4275.	[performance]	Lazily initialize dns_compress->table only when
 5288 			compression is enabled. [RT #41189]
 5289 
 5290 4274.	[performance]	Speed up typemap processing from text. [RT #41196]
 5291 
 5292 4273.	[bug]		Only call dns_test_begin() and dns_test_end() once each
 5293 			in nsec3_test as it fails with GOST if called multiple
 5294 			times.
 5295 
 5296 4272.	[bug]		dig: the +norrcomments option didn't work with +multi.
 5297 			[RT #41234]
 5298 
 5299 4271.	[test]		Unit tests could deadlock in isc__taskmgr_pause().
 5300 			[RT #41235]
 5301 
 5302 4270.	[security]	Update allowed OpenSSL versions as named is
 5303 			potentially vulnerable to CVE-2015-3193.
 5304 
 5305 4269.	[bug]		Zones using "map" format master files currently
 5306 			don't work as policy zones.  This limitation has
 5307 			now been documented; attempting to use such zones
 5308 			in "response-policy" statements is now a
 5309 			configuration error.  [RT #38321]
 5310 
 5311 4268.	[func]		"rndc status" now reports the path to the
 5312 			configuration file. [RT #36470]
 5313 
 5314 4267.	[test]		Check sdlz error handling. [RT #41142]
 5315 
 5316 4266.	[placeholder]
 5317 
 5318 4265.	[bug]		Address unchecked isc_mem_get calls. [RT #41187]
 5319 
 5320 4264.	[bug]		Check const of strchr/strrchr assignments match
 5321 			argument's const status. [RT #41150]
 5322 
 5323 4263.	[contrib]	Address compiler warnings in mysqldyn module.
 5324 			[RT #41130]
 5325 
 5326 4262.	[bug]		Fixed a bug in epoll socket code that caused
 5327 			sockets to not be registered for ready
 5328 			notification in some cases, causing named to not
 5329 			read from or write to them, resulting in what
 5330 			appear to the user as blocked connections.
 5331 			[RT #41067]
 5332 
 5333 4261.	[maint]		H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53.
 5334 			[RT #40556]
 5335 
 5336 4260.	[security]	Insufficient testing when parsing a message allowed
 5337 			records with an incorrect class to be be accepted,
 5338 			triggering a REQUIRE failure when those records
 5339 			were subsequently cached. (CVE-2015-8000) [RT #40987]
 5340 
 5341 4259.	[func]		Add an option for non-destructive control channel
 5342 			access using a "read-only" clause. In such
 5343 			cases, a restricted set of rndc commands are
 5344 			allowed for querying information from named.
 5345 			[RT #40498]
 5346 
 5347 4258.	[bug]		Limit rndc query message sizes to 32 KiB. This should
 5348 			not break any legitimate rndc commands, but will
 5349 			prevent a rogue rndc query from allocating too
 5350 			much memory. [RT #41073]
 5351 
 5352 4257.	[cleanup]	Python scripts reported incorrect version. [RT #41080]
 5353 
 5354 4256.	[bug]		Allow rndc command arguments to be quoted so as
 5355 			to allow spaces. [RT #36665]
 5356 
 5357 4255.	[performance]	Add 'message-compression' option to disable DNS
 5358 			compression in responses. [RT #40726]
 5359 
 5360 4254.	[bug]		Address missing lock when getting zone's serial.
 5361 			[RT #41072]
 5362 
 5363 4253.	[security]	Address fetch context reference count handling error
 5364 			on socket error. (CVE-2015-8461)  [RT#40945]
 5365 
 5366 4252.	[func]		Add support for automating the generation CDS and
 5367 			CDNSKEY rrsets to named and dnssec-signzone.
 5368 			[RT #40424]
 5369 
 5370 4251.	[bug]		NTAs were deleted when the server was reconfigured
 5371 			or reloaded. [RT #41058]
 5372 
 5373 4250.	[func]		Log the TSIG key in use during inbound zone
 5374 			transfers. [RT #41075]
 5375 
 5376 4249.	[func]		Improve error reporting of TSIG / SIG(0) records in
 5377 			the wrong location. [RT #41030]
 5378 
 5379 4248.	[performance]	Add an isc_atomic_storeq() function, use it in
 5380 			stats counters to improve performance.
 5381 			[RT #39972] [RT #39979]
 5382 
 5383 4247.	[port]		Require both HAVE_JSON and JSON_C_VERSION to be
 5384 			defined to report json library version. [RT #41045]
 5385 
 5386 4246.	[test]		Ensure the statschannel system test runs when BIND
 5387 			is not built with libjson. [RT #40944]
 5388 
 5389 4245.	[placeholder]
 5390 
 5391 4244.	[bug]		The parser was not reporting that use-ixfr is obsolete.
 5392 			[RT #41010]
 5393 
 5394 4243.	[func]		Improved stats reporting from Timothe Litt. [RT #38941]
 5395 
 5396 4242.	[bug]		Replace the client if not already replaced when
 5397 			prefetching. [RT #41001]
 5398 
 5399 4241.	[doc]		Improved the TSIG, TKEY, and SIG(0) sections in
 5400 			the ARM. [RT #40955]
 5401 
 5402 4240.	[port]		Fix LibreSSL compatibility. [RT #40977]
 5403 
 5404 4239.	[func]		Changed default servfail-ttl value to 1 second from 10.
 5405 			Also, the maximum value is now 30 instead of 300.
 5406 			[RT #37556]
 5407 
 5408 4238.	[bug]		Don't send to servers on net zero (0.0.0.0/8).
 5409 			[RT #40947]
 5410 
 5411 4237.	[doc]		Upgraded documentation toolchain to use DocBook 5
 5412 			and dblatex. [RT #40766]
 5413 
 5414 4236.	[performance]	On machines with 2 or more processors (CPU), the
 5415 			default value for the number of UDP listeners
 5416 			has been changed to the number of detected
 5417 			processors minus one. [RT #40761]
 5418 
 5419 4235.	[func]		Added support in named for "dnstap", a fast method of
 5420 			capturing and logging DNS traffic, and a new command
 5421 			"dnstap-read" to read a dnstap log file.  Use
 5422 			"configure --enable-dnstap" to enable this
 5423 			feature (note that this requires libprotobuf-c
 5424 			and libfstrm). See the ARM for configuration details.
 5425 
 5426 			Thanks to Robert Edmonds of Farsight Security.
 5427 			[RT #40211]
 5428 
 5429 4234.	[func]		Add deflate compression in statistics channel HTTP
 5430 			server. [RT #40861]
 5431 
 5432 4233.	[test]		Add tests for CDS and CDNSKEY with delegation-only.
 5433 			[RT #40597]
 5434 
 5435 4232.	[contrib]	Address unchecked memory allocation calls in
 5436 			query-loc and zone2ldap. [RT #40789]
 5437 
 5438 4231.	[contrib]	Address unchecked calloc call in dlz_mysqldyn_mod.c.
 5439 			[RT #40840]
 5440 
 5441 4230.	[contrib]	dlz_wildcard_dynamic.c:dlz_create could return a
 5442 			uninitialized result. [RT #40839]
 5443 
 5444 4229.	[bug]		A variable could be used uninitialized in
 5445 			dns_update_signaturesinc. [RT #40784]
 5446 
 5447 4228.	[bug]		Address race condition in dns_client_destroyrestrans.
 5448 			[RT #40605]
 5449 
 5450 4227.	[bug]		Silence static analysis warnings. [RT #40828]
 5451 
 5452 4226.	[bug]		Address a theoretical shutdown race in
 5453 			zone.c:notify_send_queue(). [RT #38958]
 5454 
 5455 4225.	[port]		freebsd/openbsd:  Use '${CC} -shared' for building
 5456 			shared libraries. [RT #39557]
 5457 
 5458 4224.	[func]		Added support for "dyndb", a new interface for loading
 5459 			zone data from an external database, developed by
 5460 			Red Hat for the FreeIPA project.
 5461 
 5462 			DynDB drivers fully implement the BIND database
 5463 			API, and are capable of significantly better
 5464 			performance and functionality than DLZ drivers,
 5465 			while taking advantage of advanced database
 5466 			features not available in BIND such as multi-master
 5467 			replication.
 5468 
 5469 			Thanks to Adam Tkac and Petr Spacek of Red Hat.
 5470 			[RT #35271]
 5471 
 5472 4223.	[func]		Add support for setting max-cache-size to percentage
 5473 			of available physical memory, set default to 90%.
 5474 			[RT #38442]
 5475 
 5476 4222.	[func]		Bias IPv6 servers when selecting the next server to
 5477 			query. [RT #40836]
 5478 
 5479 4221.	[bug]		Resource leak on DNS_R_NXDOMAIN in fctx_create.
 5480 			[RT #40583]
 5481 
 5482 4220.	[doc]		Improve documentation for zone-statistics.
 5483 			[RT #36955]
 5484 
 5485 4219.	[bug]		Set event->result to ISC_R_WOULDBLOCK on EWOULDBLOCK,
 5486 			EGAIN when these soft error are not retried for
 5487 			isc_socket_send*().
 5488 
 5489 4218.	[bug]		Potential null pointer dereference on out of memory
 5490 			if mmap is not supported. [RT #40777]
 5491 
 5492 4217.	[protocol]	Add support for CSYNC. [RT #40532]
 5493 
 5494 4216.	[cleanup]	Silence static analysis warnings. [RT #40649]
 5495 
 5496 4215.	[bug]		nsupdate: skip to next request on GSSTKEY create
 5497 			failure. [RT #40685]
 5498 
 5499 4214.	[protocol]	Add support for TALINK.  [RT #40544]
 5500 
 5501 4213.	[bug]		Don't reuse a cache across multiple classes.
 5502 			[RT #40205]
 5503 
 5504 4212.	[func]		Re-query if we get a bad client cookie returned over
 5505 			UDP. [RT #40748]
 5506 
 5507 4211.	[bug]		Ensure that lwresd gets at least one task to work
 5508 			with if enabled. [RT #40652]
 5509 
 5510 4210.	[cleanup]	Silence use after free false positive. [RT #40743]
 5511 
 5512 4209.	[bug]		Address resource leaks in dlz modules. [RT #40654]
 5513 
 5514 4208.	[bug]		Address null pointer dereferences on out of memory.
 5515 			[RT #40764]
 5516 
 5517 4207.	[bug]		Handle class mismatches with raw zone files.
 5518 			[RT #40746]
 5519 
 5520 4206.	[bug]		contrib: fixed a possible NULL dereference in
 5521 			DLZ wildcard module. [RT #40745]
 5522 
 5523 4205.	[bug]		'named-checkconf -p' could include unwanted spaces
 5524 			when printing tuples with unset optional fields.
 5525 			[RT #40731]
 5526 
 5527 4204.	[bug]		'dig +trace' failed to lookup the correct type if
 5528 			the initial root NS query was retried. [RT #40296]
 5529 
 5530 4203.	[test]		The rrchecker system test now tests conversion
 5531 			to and from unknown-type format. [RT #40584]
 5532 
 5533 4202.	[bug]		isccc_cc_fromwire() could return an incorrect
 5534 			result. [RT #40614]
 5535 
 5536 4201.	[func]		The default preferred-glue is now the address record
 5537 			type of the transport the query was received
 5538 			over.  [RT #40468]
 5539 
 5540 4200.	[cleanup]	win32: update BINDinstall to be BIND release
 5541 			independent. [RT #38915]
 5542 
 5543 4199.	[protocol]	Add support for NINFO, RKEY, SINK, TA.
 5544 			[RT #40545] [RT #40547] [RT #40561] [RT #40563]
 5545 
 5546 4198.	[placeholder]
 5547 
 5548 4197.	[bug]		'named-checkconf -z' didn't handle 'in-view' clauses.
 5549 			[RT #40603]
 5550 
 5551 4196.	[doc]		Improve how "enum + other" types are documented.
 5552 			[RT #40608]
 5553 
 5554 4195.	[bug]		'max-zone-ttl unlimited;' was broken. [RT #40608]
 5555 
 5556 4194.	[bug]		named-checkconf -p failed to properly print a port
 5557 			range.  [RT #40634]
 5558 
 5559 4193.	[bug]		Handle broken servers that return BADVERS incorrectly.
 5560 			[RT #40427]
 5561 
 5562 4192.	[bug]		The default rrset-order of random was not always being
 5563 			applied. [RT #40456]
 5564 
 5565 4191.	[protocol]	Accept DNS-SD non LDH PTR records in reverse zones
 5566 			as per RFC 6763. [RT #37889]
 5567 
 5568 4190.	[protocol]	Accept Active Directory gc._msdcs.<forest> name as
 5569 			valid with check-names.  <forest> still needs to be
 5570 			LDH. [RT #40399]
 5571 
 5572 4189.	[cleanup]	Don't exit on overly long tokens in named.conf.
 5573 			[RT #40418]
 5574 
 5575 4188.	[bug]		Support HTTP/1.0 client properly on the statistics
 5576 			channel. [RT #40261]
 5577 
 5578 4187.	[func]		When any RR type implementation doesn't
 5579 			implement totext() for the RDATA's wire
 5580 			representation and returns ISC_R_NOTIMPLEMENTED,
 5581 			such RDATA is now printed in unknown
 5582 			presentation format (RFC 3597). RR types affected
 5583 			include LOC(29) and APL(42). [RT #40317].
 5584 
 5585 4186.	[bug]		Fixed an RPZ bug where a QNAME would be matched
 5586 			against a policy RR with wildcard owner name
 5587 			(trigger) where the QNAME was the wildcard owner
 5588 			name's parent. For example, the bug caused a query
 5589 			with QNAME "example.com" to match a policy RR with
 5590 			"*.example.com" as trigger. [RT #40357]
 5591 
 5592 4185.	[bug]		Fixed an RPZ bug where a policy RR with wildcard
 5593 			owner name (trigger) would prevent another policy RR
 5594 			with its parent owner name from being
 5595 			loaded. For example, the bug caused a policy RR
 5596 			with trigger "example.com" to not have any
 5597 			effect when a previous policy RR with trigger
 5598 			"*.example.com" existed in that RPZ zone.
 5599 			[RT #40357]
 5600 
 5601 4184.	[bug]		Fixed a possible memory leak in name compression
 5602 			when rendering long messages. (Also, improved
 5603 			wire_test for testing such messages.) [RT #40375]
 5604 
 5605 4183.	[cleanup]	Use timing-safe memory comparisons in cryptographic
 5606 			code. Also, the timing-safe comparison functions have
 5607 			been renamed to avoid possible confusion with
 5608 			memcmp(). Thanks to Loganaden Velvindron of
 5609 			AFRINIC. [RT #40148]
 5610 
 5611 4182.	[cleanup]	Use mnemonics for RR class and type comparisons.
 5612 			[RT #40297]
 5613 
 5614 4181.	[bug]		Queued notify messages could be dequeued from the
 5615 			wrong rate limiter queue. [RT #40350]
 5616 
 5617 4180.	[bug]		Error responses in pipelined queries could
 5618 			cause a crash in client.c. [RT #40289]
 5619 
 5620 4179.	[bug]		Fix double frees in getaddrinfo() in libirs.
 5621 			[RT #40209]
 5622 
 5623 4178.	[bug]		Fix assertion failure in parsing UNSPEC(103) RR from
 5624 			text. [RT #40274]
 5625 
 5626 4177.	[bug]		Fix assertion failure in parsing NSAP records from
 5627 			text. [RT #40285]
 5628 
 5629 4176.	[bug]		Address race issues with lwresd. [RT #40284]
 5630 
 5631 4175.	[bug]		TKEY with GSS-API keys needed bigger buffers.
 5632 			[RT #40333]
 5633 
 5634 4174.	[bug]		"dnssec-coverage -r" didn't handle time unit
 5635 			suffixes correctly. [RT #38444]
 5636 
 5637 4173.	[bug]		dig +sigchase was not properly matching the trusted
 5638 			key. [RT #40188]
 5639 
 5640 4172.	[bug]		Named / named-checkconf didn't handle a view of CLASS0.
 5641 			[RT #40265]
 5642 
 5643 4171.	[bug]		Fixed incorrect class checks in TSIG RR
 5644 			implementation. [RT #40287]
 5645 
 5646 4170.	[security]	An incorrect boundary check in the OPENPGPKEY
 5647 			rdatatype could trigger an assertion failure.
 5648 			(CVE-2015-5986) [RT #40286]
 5649 
 5650 4169.	[test]		Added a 'wire_test -d' option to read input as
 5651 			raw binary data, for use as a fuzzing harness.
 5652 			[RT #40312]
 5653 
 5654 4168.	[security]	A buffer accounting error could trigger an
 5655 			assertion failure when parsing certain malformed
 5656 			DNSSEC keys. (CVE-2015-5722) [RT #40212]
 5657 
 5658 4167.	[func]		Update rndc's usage output to include recently added
 5659 			commands. Thanks to Tony Finch for submitting a
 5660 			patch. [RT #40010]
 5661 
 5662 4166.	[func]		Print informative output from rndc showzone when
 5663 			allow-new-zones is not enabled for a view. Thanks to
 5664 			Tony Finch for submitting a patch. [RT #40009]
 5665 
 5666 4165.	[security]	A failure to reset a value to NULL in tkey.c could
 5667 			result in an assertion failure. (CVE-2015-5477)
 5668 			[RT #40046]
 5669 
 5670 4164.	[bug]		Don't rename slave files and journals on out of memory.
 5671 			[RT #40033]
 5672 
 5673 4163.	[bug]		Address compiler warnings. [RT #40024]
 5674 
 5675 4162.	[bug]		httpdmgr->flags was not being initialized. [RT #40017]
 5676 
 5677 4161.	[test]		Add JSON test for traffic size stats; also test
 5678 			for consistency between "rndc stats" and the XML
 5679 			and JSON statistics channel contents. [RT #38700]
 5680 
 5681 4160.	[placeholder]
 5682 
 5683 4159.	[cleanup]	Alphabetize dig's help output. [RT #39966]
 5684 
 5685 4158.	[placeholder]
 5686 
 5687 4157.	[placeholder]
 5688 
 5689 4156.	[func]		Added statistics counters to track the sizes
 5690 			of incoming queries and outgoing responses in
 5691 			histogram buckets, as specified in RSSAC002.
 5692 			[RT #39049]
 5693 
 5694 4155.	[func]		Allow RPZ rewrite logging to be configured on a
 5695 			per-zone basis using a newly introduced log clause in
 5696 			the response-policy option. [RT #39754]
 5697 
 5698 4154.	[bug]		A OPT record should be included with the FORMERR
 5699 			response when there is a malformed EDNS option.
 5700 			[RT #39647]
 5701 
 5702 4153.	[bug]		Dig should zero non significant +subnet bits.  Check
 5703 			that non significant ECS bits are zero on receipt.
 5704 			[RT #39647]
 5705 
 5706 4152.	[func]		Implement DNS COOKIE option.  This replaces the
 5707 			experimental SIT option of BIND 9.10.  The following
 5708 			named.conf directives are available: send-cookie,
 5709 			cookie-secret, cookie-algorithm, nocookie-udp-size
 5710 			and require-server-cookie.  The following dig options
 5711 			are available: +[no]cookie[=value] and +[no]badcookie.
 5712 			[RT #39928]
 5713 
 5714 4151.	[bug]		'rndc flush' could cause a deadlock. [RT #39835]
 5715 
 5716 4150.	[bug]		win32: listen-on-v6 { any; }; was not working.  Apply
 5717 			minimal fix.  [RT #39667]
 5718 
 5719 4149.	[bug]		Fixed a race condition in the getaddrinfo()
 5720 			implementation in libirs, which caused the delv
 5721 			utility to crash with an assertion failure when using
 5722 			the '@server' syntax with a hostname argument.
 5723 			[RT #39899]
 5724 
 5725 4148.	[bug]		Fix a bug when printing zone names with '/' character
 5726 			in XML and JSON statistics output. [RT #39873]
 5727 
 5728 4147.	[bug]		Filter-aaaa / filter-aaaa-on-v4 / filter-aaaa-on-v6
 5729 			was returning referrals rather than nodata responses
 5730 			when the AAAA records were filtered.  [RT #39843]
 5731 
 5732 4146.	[bug]		Address reference leak that could prevent a clean
 5733 			shutdown. [RT #37125]
 5734 
 5735 4145.	[bug]		Not all unassociated adb entries where being printed.
 5736 			[RT #37125]
 5737 
 5738 4144.	[func]		Add statistics counters for nxdomain redirections.
 5739 			[RT #39790]
 5740 
 5741 4143.	[placeholder]
 5742 
 5743 4142.	[bug]		rndc addzone with view specified saved NZF config
 5744 			that could not be read back by named. This has now
 5745 			been fixed. [RT #39845]
 5746 
 5747 4141.	[bug]		A formatting bug caused rndc zonestatus to print
 5748 			negative numbers for large serial values. This has
 5749 			now been fixed. [RT #39854]
 5750 
 5751 4140.	[cleanup]	Remove redundant nzf_remove() call during delzone.
 5752 			[RT #39844]
 5753 
 5754 4139.	[doc]		Fix rpz-client-ip documentation. [RT #39783]
 5755 
 5756 4138.	[security]	An uninitialized value in validator.c could result
 5757 			in an assertion failure. (CVE-2015-4620) [RT #39795]
 5758 
 5759 4137.	[bug]		Make rndc reconfig report configuration errors the
 5760 			same way rndc reload does. [RT #39635]
 5761 
 5762 4136.	[bug]		Stale statistics counters with the leading
 5763 			'#' prefix (such as #NXDOMAIN) were not being
 5764 			updated correctly. This has been fixed. [RT #39141]
 5765 
 5766 4135.	[cleanup]	Log expired NTA at startup. [RT #39680]
 5767 
 5768 4134.	[cleanup]	Include client-ip rules when logging the number
 5769 			of RPZ rules of each type. [RT #39670]
 5770 
 5771 4133.	[port]		Update how various json libraries are handled.
 5772 			[RT #39646]
 5773 
 5774 4132.	[cleanup]	dig: added +rd as a synonym for +recurse,
 5775 			added +class as an unabbreviated alternative
 5776 			to +cl. [RT #39686]
 5777 
 5778 4131.	[bug]		Addressed further problems with reloading RPZ
 5779 			zones. [RT #39649]
 5780 
 5781 4130.	[bug]		The compatibility shim for *printf() misprinted some
 5782 			large numbers. [RT #39586]
 5783 
 5784 4129.	[port]		Address API changes in OpenSSL 1.1.0. [RT #39532]
 5785 
 5786 4128.	[bug]		Address issues raised by Coverity 7.6. [RT #39537]
 5787 
 5788 4127.	[protocol]	CDS and CDNSKEY need to be signed by the key signing
 5789 			key as per RFC 7344, Section 4.1. [RT #37215]
 5790 
 5791 4126.	[bug]		Addressed a regression introduced in change #4121.
 5792 			[RT #39611]
 5793 
 5794 4125.	[test]		Added tests for dig, renamed delv test to digdelv.
 5795 			[RT #39490]
 5796 
 5797 4124.	[func]		Log errors or warnings encountered when parsing the
 5798 			internal default configuration.  Clarify the logging
 5799 			of errors and warnings encountered in rndc
 5800 			addzone or modzone parameters. [RT #39440]
 5801 
 5802 4123.	[port]		Added %z (size_t) format options to the portable
 5803 			internal printf/sprintf implementation. [RT #39586]
 5804 
 5805 4122.	[bug]		The server could match a shorter prefix than what was
 5806 			available in CLIENT-IP policy triggers, and so, an
 5807 			unexpected action could be taken. This has been
 5808 			corrected. [RT #39481]
 5809 
 5810 4121.	[bug]		On servers with one or more policy zones
 5811 			configured as slaves, if a policy zone updated
 5812 			during regular operation (rather than at
 5813 			startup) using a full zone reload, such as via
 5814 			AXFR, a bug could allow the RPZ summary data to
 5815 			fall out of sync, potentially leading to an
 5816 			assertion failure in rpz.c when further
 5817 			incremental updates were made to the zone, such
 5818 			as via IXFR. [RT #39567]
 5819 
 5820 4120.	[bug]		A bug in RPZ could cause the server to crash if
 5821 			policy zones were updated while recursion was
 5822 			pending for RPZ processing of an active query.
 5823 			[RT #39415]
 5824 
 5825 4119.	[test]		Allow dig to set the message opcode. [RT #39550]
 5826 
 5827 4118.	[bug]		Teach isc-config.sh about irs. [RT #39213]
 5828 
 5829 4117.	[protocol]	Add EMPTY.AS112.ARPA as per RFC 7534.
 5830 
 5831 4116.	[bug]		Fix a bug in RPZ that could cause some policy
 5832 			zones that did not specifically require
 5833 			recursion to be treated as if they did;
 5834 			consequently, setting qname-wait-recurse no; was
 5835 			sometimes ineffective. [RT #39229]
 5836 
 5837 4115.	[func]		"rndc -r" now prints the result code (e.g.,
 5838 			ISC_R_SUCCESS, ISC_R_TIMEOUT, etc) after
 5839 			running the requested command. [RT #38913]
 5840 
 5841 4114.	[bug]		Fix a regression in radix tree implementation
 5842 			introduced by ECS code. This bug was never
 5843 			released, but it was reported by a user testing
 5844 			master. [RT #38983]
 5845 
 5846 4113.	[test]		Check for Net::DNS is some system test
 5847 			prerequisites. [RT #39369]
 5848 
 5849 4112.	[bug]		Named failed to load when "root-delegation-only"
 5850 			was used without a list of domains to exclude.
 5851 			[RT #39380]
 5852 
 5853 4111.	[doc]		Alphabetize rndc man page. [RT #39360]
 5854 
 5855 4110.	[bug]		Address memory leaks / null pointer dereferences
 5856 			on out of memory. [RT #39310]
 5857 
 5858 4109.	[port]		linux: support reading the local port range from
 5859 			net.ipv4.ip_local_port_range. [RT # 39379]
 5860 
 5861 4108.	[func]		An additional NXDOMAIN redirect method (option
 5862 			"nxdomain-redirect") has been added, allowing
 5863 			redirection to a specified DNS namespace instead
 5864 			of a single redirect zone. [RT #37989]
 5865 
 5866 4107.	[bug]		Address potential deadlock when updating zone content.
 5867 			[RT #39269]
 5868 
 5869 4106.	[port]		Improve readline support. [RT #38938]
 5870 
 5871 4105.	[port]		Misc fixes for Microsoft Visual Studio
 5872 			2015 CTP6 in 64 bit mode. [RT #39308]
 5873 
 5874 4104.	[bug]		Address uninitialized elements. [RT #39252]
 5875 
 5876 4103.	[port]		Misc fixes for Microsoft Visual Studio
 5877 			2015 CTP6. [RT #39267]
 5878 
 5879 4102.	[bug]		Fix a use after free bug introduced in change
 5880 			#4094.  [RT #39281]
 5881 
 5882 4101.	[bug]		dig: the +split and +rrcomments options didn't
 5883 			work with +short. [RT #39291]
 5884 
 5885 4100.	[bug]		Inherited owernames on the line immediately following
 5886 			a $INCLUDE were not working.  [RT #39268]
 5887 
 5888 4099.	[port]		clang: make unknown commandline options hard errors
 5889 			when determining what options are supported.
 5890 			[RT #39273]
 5891 
 5892 4098.	[bug]		Address use-after-free issue when using a
 5893 			predecessor key with dnssec-settime. [RT #39272]
 5894 
 5895 4097.	[func]		Add additional logging about xfrin transfer status.
 5896 			[RT #39170]
 5897 
 5898 4096.	[bug]		Fix a use after free of query->sendevent.
 5899 			[RT #39132]
 5900 
 5901 4095.	[bug]		zone->options2 was not being properly initialized.
 5902 			[RT #39228]
 5903 
 5904 4094.	[bug]		A race during shutdown or reconfiguration could
 5905 			cause an assertion in mem.c. [RT #38979]
 5906 
 5907 4093.	[func]		Dig now learns the SIT value from truncated
 5908 			responses when it retries over TCP. [RT #39047]
 5909 
 5910 4092.	[bug]		'in-view' didn't work for zones beneath a empty zone.
 5911 			[RT #39173]
 5912 
 5913 4091.	[cleanup]	Some cleanups in isc mem code. [RT #38896]
 5914 
 5915 4090.	[bug]		Fix a crash while parsing malformed CAA RRs in
 5916 			presentation format, i.e., from text such as
 5917 			from master files. Thanks to John Van de
 5918 			Meulebrouck Brendgard for discovering and
 5919 			reporting this problem. [RT #39003]
 5920 
 5921 4089.	[bug]		Send notifies immediately for slave zones during
 5922 			startup. [RT #38843]
 5923 
 5924 4088.	[port]		Fixed errors when building with libressl. [RT #38899]
 5925 
 5926 4087.	[bug]		Fix a crash due to use-after-free due to sequencing
 5927 			of tasks actions. [RT #38495]
 5928 
 5929 4086.	[bug]		Fix out-of-srcdir build with native pkcs11. [RT #38831]
 5930 
 5931 4085.	[bug]		ISC_PLATFORM_HAVEXADDQ could be inconsistently set.
 5932 			[RT #38828]
 5933 
 5934 4084.	[bug]		Fix a possible race in updating stats counters.
 5935 			[RT #38826]
 5936 
 5937 4083.	[cleanup]	Print the number of CPUs and UDP listeners
 5938 			consistently in the log and in "rndc status"
 5939 			output; indicate whether threads are supported
 5940 			in "named -V" output. [RT #38811]
 5941 
 5942 4082.	[bug]		Incrementally sign large inline zone deltas.
 5943 			[RT #37927]
 5944 
 5945 4081.	[cleanup]	Use dns_rdatalist_init consistently. [RT #38759]
 5946 
 5947 4080.	[func]		Completed change #4022, adding a "lock-file" option
 5948 			to named.conf to override the default lock file,
 5949 			in addition to the "named -X <filename>" command
 5950 			line option.  Setting the lock file to "none"
 5951 			using either method disables the check completely.
 5952 			[RT #37908]
 5953 
 5954 4079.	[func]		Preserve the case of the owner name of records to
 5955 			the RRset level. [RT #37442]
 5956 
 5957 4078.	[bug]		Handle the case where CMSG_SPACE(sizeof(int)) !=
 5958 			CMSG_SPACE(sizeof(char)). [RT #38621]
 5959 
 5960 4077.	[test]		Add static-stub regression test for DS NXDOMAIN
 5961 			return making the static stub disappear. [RT #38564]
 5962 
 5963 4076.	[bug]		Named could crash on shutdown with outstanding
 5964 			reload / reconfig events. [RT #38622]
 5965 
 5966 4075.	[placeholder]
 5967 
 5968 4074.	[cleanup]	Cleaned up more warnings from gcc -Wshadow. [RT #38708]
 5969 
 5970 4073.	[cleanup]	Add libjson-c version number reporting to
 5971 			"named -V"; normalize version number formatting.
 5972 			[RT #38056]
 5973 
 5974 4072.	[func]		Add a --enable-querytrace configure switch for
 5975 			very verbose query trace logging. (This option
 5976 			has a negative performance impact and should be
 5977 			used only for debugging.) [RT #37520]
 5978 
 5979 4071.	[cleanup]	Initialize pthread mutex attrs just once, instead of
 5980 			doing it per mutex creation. [RT #38547]
 5981 
 5982 4070.	[bug]		Fix a segfault in nslookup in a query such as
 5983 			"nslookup isc.org AMS.SNS-PB.ISC.ORG -all".
 5984 			[RT #38548]
 5985 
 5986 4069.	[doc]		Reorganize options in the nsupdate man page.
 5987 			[RT #38515]
 5988 
 5989 4068.	[bug]		Omit unknown serial number from JSON zone statistics.
 5990 			[RT #38604]
 5991 
 5992 4067.	[cleanup]	Reduce noise from RRL when query logging is
 5993 			disabled. [RT #38648]
 5994 
 5995 4066.	[doc]		Reorganize options in the dig man page. [RT #38516]
 5996 
 5997 4065.	[test]		Additional RFC 5011 tests. [RT #38569]
 5998 
 5999 4064.	[contrib]	dnssec-keyset.sh: Generates a specified number
 6000 			of DNSSEC keys with timing set to implement a
 6001 			pre-publication key rollover strategy. Thanks
 6002 			to Jeffry A. Spain. [RT #38459]
 6003 
 6004 4063.	[bug]		Asynchronous zone loads were not handled
 6005 			correctly when the zone load was already in
 6006 			progress; this could trigger a crash in zt.c.
 6007 			[RT #37573]
 6008 
 6009 4062.	[bug]		Fix an out-of-bounds read in RPZ code. If the
 6010 			read succeeded, it doesn't result in a bug
 6011 			during operation. If the read failed, named
 6012 			could segfault. [RT #38559]
 6013 
 6014 4061.	[bug]		Handle timeout in legacy system test. [RT #38573]
 6015 
 6016 4060.	[bug]		dns_rdata_freestruct could be called on a
 6017 			uninitialized structure when handling a error.
 6018 			[RT #38568]
 6019 
 6020 4059.	[bug]		Addressed valgrind warnings. [RT #38549]
 6021 
 6022 4058.	[bug]		UDP dispatches could use the wrong pseudorandom
 6023 			number generator context. [RT #38578]
 6024 
 6025 4057.	[bug]		'dnssec-dsfromkey -T 0' failed to add ttl field.
 6026 			[RT #38565]
 6027 
 6028 4056.	[bug]		Expanded automatic testing of trust anchor
 6029 			management and fixed several small bugs including
 6030 			a memory leak and a possible loss of key state
 6031 			information. [RT #38458]
 6032 
 6033 4055.	[func]		"rndc managed-keys" can be used to check status
 6034 			of trust anchors or to force keys to be refreshed,
 6035 			Also, the managed keys data file has easier-to-read
 6036 			comments.  [RT #38458]
 6037 
 6038 4054.	[func]		Added a new tool 'mdig', a lightweight clone of
 6039 			dig able to send multiple pipelined queries.
 6040 			[RT #38261]
 6041 
 6042 4053.	[security]	Revoking a managed trust anchor and supplying
 6043 			an untrusted replacement could cause named
 6044 			to crash with an assertion failure.
 6045 			(CVE-2015-1349) [RT #38344]
 6046 
 6047 4052.	[bug]		Fix a leak of query fetchlock. [RT #38454]
 6048 
 6049 4051.	[bug]		Fix a leak of pthread_mutexattr_t. [RT #38454]
 6050 
 6051 4050.	[bug]		RPZ could send spurious SERVFAILs in response
 6052 			to duplicate queries. [RT #38510]
 6053 
 6054 4049.	[bug]		CDS and CDNSKEY had the wrong attributes. [RT #38491]
 6055 
 6056 4048.	[bug]		adb hash table was not being grown. [RT #38470]
 6057 
 6058 4047.	[cleanup]	"named -V" now reports the current running versions
 6059 			of OpenSSL and the libxml2 libraries, in addition to
 6060 			the versions that were in use at build time.
 6061 
 6062 4046.	[bug]		Accounting of "total use" in memory context
 6063 			statistics was not correct. [RT #38370]
 6064 
 6065 4045.	[bug]		Skip to next master on dns_request_createvia4 failure.
 6066 			[RT #25185]
 6067 
 6068 4044.	[bug]		Change 3955 was not complete, resulting in an assertion
 6069 			failure if the timing was just right. [RT #38352]
 6070 
 6071 4043.	[func]		"rndc modzone" can be used to modify the
 6072 			configuration of an existing zone, using similar
 6073 			syntax to "rndc addzone". [RT #37895]
 6074 
 6075 4042.	[bug]		zone.c:iszonesecure was being called too late.
 6076 			[RT #38371]
 6077 
 6078 4041.	[func]		TCP sockets can now be shared while connecting.
 6079 			(This will be used to enable client-side support
 6080 			of pipelined queries.) [RT #38231]
 6081 
 6082 4040.	[func]		Added server-side support for pipelined TCP
 6083 			queries. Clients may continue sending queries via
 6084 			TCP while previous queries are being processed
 6085 			in parallel.  (The new "keep-response-order"
 6086 			option allows clients to be specified for which
 6087 			the old behavior will still be used.) [RT #37821]
 6088 
 6089 4039.	[cleanup]	Cleaned up warnings from gcc -Wshadow. [RT #37381]
 6090 
 6091 4038.	[bug]		Add 'rpz' flag to node and use it to determine whether
 6092 			to call dns_rpz_delete.  This should prevent unbalanced
 6093 			add / delete calls. [RT #36888]
 6094 
 6095 4037.	[bug]		also-notify was ignoring the tsig key when checking
 6096 			for duplicates resulting in some expected notify
 6097 			messages not being sent. [RT #38369]
 6098 
 6099 4036.	[bug]		Make call to open a temporary file name safe during
 6100 			NZF creation. [RT #38331]
 6101 
 6102 4035.	[bug]		Close temporary and NZF FILE pointers before moving
 6103 			the former into the latter's place, as required on
 6104 			Windows. [RT #38332]
 6105 
 6106 4034.	[func]		When added, negative trust anchors (NTA) are now
 6107 			saved to files (viewname.nta), in order to
 6108 			persist across restarts of the named server.
 6109 			[RT #37087]
 6110 
 6111 4033.	[bug]		Missing out of memory check in request.c:req_send.
 6112 			[RT #38311]
 6113 
 6114 4032.	[bug]		Built-in "empty" zones did not correctly inherit the
 6115 			"allow-transfer" ACL from the options or view.
 6116 			[RT #38310]
 6117 
 6118 4031.	[bug]		named-checkconf -z failed to report a missing file
 6119 			with a hint zone. [RT #38294]
 6120 
 6121 4030.	[func]		"rndc delzone" is now applicable to zones that were
 6122 			configured in named.conf, as well as zones that
 6123 			were added via "rndc addzone". (Note, however, that
 6124 			if named.conf is not also modified, the deleted zone
 6125 			will return when named is reloaded.) [RT #37887]
 6126 
 6127 4029.	[func]		"rndc showzone" displays the current configuration
 6128 			of a specified zone. [RT #37887]
 6129 
 6130 4028.	[bug]		$GENERATE with a zero step was not being caught as a
 6131 			error.  A $GENERATE with a / but no step was not being
 6132 			caught as a error. [RT #38262]
 6133 
 6134 4027.	[port]		Net::DNS 0.81 compatibility. [RT #38165]
 6135 
 6136 4026.	[bug]		Fix RFC 3658 reference in dig +sigchase. [RT #38173]
 6137 
 6138 4025.	[port]		bsdi: failed to build. [RT #38047]
 6139 
 6140 4024.	[bug]		dns_rdata_opt_first, dns_rdata_opt_next,
 6141 			dns_rdata_opt_current, dns_rdata_txt_first,
 6142 			dns_rdata_txt_next and dns_rdata_txt_current were
 6143 			documented but not implemented.  These have now been
 6144 			implemented.
 6145 
 6146 			dns_rdata_spf_first, dns_rdata_spf_next and
 6147 			dns_rdata_spf_current were documented but not
 6148 			implemented.  The prototypes for these
 6149 			functions have been removed. [RT #38068]
 6150 
 6151 4023.	[bug]		win32: socket handling with explicit ports and
 6152 			invoking named with -4 was broken for some
 6153 			configurations. [RT #38068]
 6154 
 6155 4022.	[func]		Stop multiple spawns of named by limiting number of
 6156 			processes to 1. This is done by using a lockfile and
 6157 			checking whether we can listen on any configured
 6158 			TCP interfaces. [RT #37908]
 6159 
 6160 4021.	[bug]		Adjust max-recursion-queries to accommodate
 6161 			the need for more queries when the cache is
 6162 			empty. [RT #38104]
 6163 
 6164 4020.	[bug]		Change 3736 broke nsupdate's SOA MNAME discovery
 6165 			resulting in updates being sent to the wrong server.
 6166 			[RT #37925]
 6167 
 6168 4019.	[func]		If named is not configured to validate the answer
 6169 			then allow fallback to plain DNS on timeout even
 6170 			when we know the server supports EDNS. [RT #37978]
 6171 
 6172 4018.	[placeholder]
 6173 
 6174 4017.	[test]		Add system test to check lookups to legacy servers
 6175 			with broken DNS behavior. [RT #37965]
 6176 
 6177 4016.	[bug]		Fix a dig segfault due to bad linked list usage.
 6178 			[RT #37591]
 6179 
 6180 4015.	[bug]		Nameservers that are skipped due to them being
 6181 			CNAMEs were not being logged. They are now logged
 6182 			to category 'cname' as per BIND 8. [RT #37935]
 6183 
 6184 4014.	[bug]		When including a master file origin_changed was
 6185 			not being properly set leading to a potentially
 6186 			spurious 'inherited owner' warning. [RT #37919]
 6187 
 6188 4013.	[func]		Add a new tcp-only option to server (config) /
 6189 			peer (struct) to use TCP transport to send
 6190 			queries (in place of UDP transport with a
 6191 			TCP fallback on truncated (TC set) response).
 6192 			[RT #37800]
 6193 
 6194 4012.	[cleanup]	Check returned status of OpenSSL digest and HMAC
 6195 			functions when they return one. Note this applies
 6196 			only to FIPS capable OpenSSL libraries put in
 6197 			FIPS mode and MD5. [RT #37944]
 6198 
 6199 4011.	[bug]		master's list port and dscp inheritance was not
 6200 			properly implemented. [RT #37792]
 6201 
 6202 4010.	[cleanup]	Clear the prefetchable state when initiating a
 6203 			prefetch. [RT #37399]
 6204 
 6205 4009.	[func]		delv: added a +tcp option. [RT #37855]
 6206 
 6207 4008.	[contrib]	Updated zkt to latest version (1.1.3). [RT #37886]
 6208 
 6209 4007.	[doc]		Remove acl forward reference restriction. [RT #37772]
 6210 
 6211 4006.	[security]	A flaw in delegation handling could be exploited
 6212 			to put named into an infinite loop.  This has
 6213 			been addressed by placing limits on the number
 6214 			of levels of recursion named will allow (default 7),
 6215 			and the number of iterative queries that it will
 6216 			send (default 50) before terminating a recursive
 6217 			query (CVE-2014-8500).
 6218 
 6219 			The recursion depth limit is configured via the
 6220 			"max-recursion-depth" option, and the query limit
 6221 			via the "max-recursion-queries" option.  [RT #37580]
 6222 
 6223 4005.	[func]		The buffer used for returning text from rndc
 6224 			commands is now dynamically resizable, allowing
 6225 			arbitrarily large amounts of text to be sent back
 6226 			to the client. (Prior to this change, it was
 6227 			possible for the output of "rndc tsig-list" to be
 6228 			truncated.) [RT #37731]
 6229 
 6230 4004.	[bug]		When delegations had AAAA glue but not A, a
 6231 			reference could be leaked causing an assertion
 6232 			failure on shutdown. [RT #37796]
 6233 
 6234 4003.	[security]	When geoip-directory was reconfigured during
 6235 			named run-time, the previously loaded GeoIP
 6236 			data could remain, potentially causing wrong
 6237 			ACLs to be used or wrong results to be served
 6238 			based on geolocation (CVE-2014-8680). [RT #37720]
 6239 
 6240 4002.	[security]	Lookups in GeoIP databases that were not
 6241 			loaded could cause an assertion failure
 6242 			(CVE-2014-8680). [RT #37679]
 6243 
 6244 4001.	[security]	The caching of GeoIP lookups did not always
 6245 			handle address families correctly, potentially
 6246 			resulting in an assertion failure (CVE-2014-8680).
 6247 			[RT #37672]
 6248 
 6249 4000.	[bug]		NXDOMAIN redirection incorrectly handled NXRRSET
 6250 			from the redirect zone. [RT #37722]
 6251 
 6252 3999.	[func]		"mkeys" and "nzf" files are now named after
 6253 			their corresponding views, unless the view name
 6254 			contains characters that would be incompatible
 6255 			with use in a filename (i.e., slash, backslash,
 6256 			or capital letters). If a view name does contain
 6257 			these characters, the files will still be named
 6258 			using a cryptographic hash of the view name.
 6259 			Regardless of this, if a file using the old name
 6260 			format is found to exist, it will continue to be
 6261 			used. [RT #37704]
 6262 
 6263 3998.	[bug]		isc_radix_search was returning matches that were
 6264 			too precise. [RT #37680]
 6265 
 6266 3997.	[protocol]	Add OPENGPGKEY record. [RT# 37671]
 6267 
 6268 3996.	[bug]		Address use after free on out of memory error in
 6269 			keyring_add. [RT #37639]
 6270 
 6271 3995.	[bug]		receive_secure_serial holds the zone lock for too
 6272 			long. [RT #37626]
 6273 
 6274 3994.	[func]		Dig now supports setting the last unassigned DNS
 6275 			header flag bit (dig +zflag). [RT #37421]
 6276 
 6277 3993.	[func]		Dig now supports EDNS negotiation by default.
 6278 			(dig +[no]ednsnegotiation).
 6279 
 6280 			Note:  This is disabled by default in BIND 9.10
 6281 			and enabled by default in BIND 9.11.  [RT #37604]
 6282 
 6283 3992.	[func]		DiG can now send queries without questions
 6284 			(dig +header-only). [RT #37599]
 6285 
 6286 3991.	[func]		Add the ability to buffer logging output by specifying
 6287 			"buffered yes;" when defining a channel. [RT #26561]
 6288 
 6289 3990.	[test]		Add tests for unknown DNSSEC algorithm handling.
 6290 			[RT #37541]
 6291 
 6292 3989.	[cleanup]	Remove redundant dns_db_resigned calls. [RT #35748]
 6293 
 6294 3988.	[func]		Allow the zone serial of a dynamically updatable
 6295 			zone to be updated via "rndc signing -serial".
 6296 			[RT #37404]
 6297 
 6298 3987.	[port]		Handle future Visual Studio 14 incompatible changes.
 6299 			[RT #37380]
 6300 
 6301 3986.	[doc]		Add the BIND version number to page footers
 6302 			in the ARM. [RT #37398]
 6303 
 6304 3985.	[doc]		Describe how +ndots and +search interact in dig.
 6305 			[RT #37529]
 6306 
 6307 3984.	[func]		Accept 256 byte long PINs in native PKCS#11
 6308 			crypto. [RT #37410]
 6309 
 6310 3983.	[bug]		Change #3940 was incomplete: negative trust anchors
 6311 			could be set to last up to a week, but the
 6312 			"nta-lifetime" and "nta-recheck" options were
 6313 			still limited to one day. [RT #37522]
 6314 
 6315 3982.	[doc]		Include release notes in product documentation.
 6316 			[RT #37272]
 6317 
 6318 3981.	[bug]		Cache DS/NXDOMAIN independently of other query types.
 6319 			[RT #37467]
 6320 
 6321 3980.	[bug]		Improve --with-tuning=large by self tuning of SO_RCVBUF
 6322 			size. [RT #37187]
 6323 
 6324 3979.	[bug]		Negative trust anchor fetches were not properly
 6325 			managed. [RT #37488]
 6326 
 6327 3978.	[test]		Added a unit test for Diffie-Hellman key
 6328 			computation, completing change #3974. [RT #37477]
 6329 
 6330 3977.	[cleanup]	"rndc secroots" reported a "not found" error when
 6331 			there were no negative trust anchors set. [RT #37506]
 6332 
 6333 3976.	[bug]		When refreshing managed-key trust anchors, clear
 6334 			any cached trust so that they will always be
 6335 			revalidated with the current set of secure
 6336 			roots. [RT #37506]
 6337 
 6338 3975.	[bug]		Don't populate or use the bad cache for queries that
 6339 			don't request or use recursion. [RT #37466]
 6340 
 6341 3974.	[bug]		Handle DH_compute_key() failure correctly in
 6342 			openssldh_link.c. [RT #37477]
 6343 
 6344 3973.	[test]		Added hooks for Google Performance Tools CPU profiler,
 6345 			including real-time/wall-clock profiling. Use
 6346 			"configure --with-gperftools-profiler" to enable.
 6347 			[RT #37339]
 6348 
 6349 3972.	[bug]		Fix host's usage statement. [RT #37397]
 6350 
 6351 3971.	[bug]		Reduce the cascading failures due to a bad $TTL line
 6352 			in named-checkconf / named-checkzone. [RT #37138]
 6353 
 6354 3970.	[contrib]	Fixed a use after free bug in the SDB LDAP driver.
 6355 			[RT #37237]
 6356 
 6357 3969.	[test]		Added 'delv' system test. [RT #36901]
 6358 
 6359 3968.	[bug]		Silence spurious log messages when using 'named -[46]'.
 6360 			[RT #37308]
 6361 
 6362 3967.	[test]		Add test for inlined signed zone in multiple views
 6363 			with different DNSKEY sets. [RT #35759]
 6364 
 6365 3966.	[bug]		Missing dns_db_closeversion call in receive_secure_db.
 6366 			[RT #35746]
 6367 
 6368 3965.	[func]		Log outgoing packets and improve packet logging to
 6369 			support logging the remote address. [RT #36624]
 6370 
 6371 3964.	[func]		nsupdate now performs check-names processing.
 6372 			[RT #36266]
 6373 
 6374 3963.	[test]		Added NXRRSET test cases to the "dlzexternal"
 6375 			system test. [RT #37344]
 6376 
 6377 3962.	[bug]		'dig +topdown +trace +sigchase' address unhandled error
 6378 			conditions. [RT #34663]
 6379 
 6380 3961.	[bug]		Forwarding of SIG(0) signed UPDATE messages failed with
 6381 			BADSIG.  [RT #37216]
 6382 
 6383 3960.	[bug]		'dig +sigchase' could loop forever. [RT #37220]
 6384 
 6385 3959.	[bug]		Updates could be lost if they arrived immediately
 6386 			after a rndc thaw. [RT #37233]
 6387 
 6388 3958.	[bug]		Detect when writeable files have multiple references
 6389 			in named.conf. [RT #37172]
 6390 
 6391 3957.	[bug]		"dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256
 6392 			and ECDSAP384SHA384. [RT #37183]
 6393 
 6394 3956.	[func]		Notify messages are now rate limited by notify-rate and
 6395 			startup-notify-rate instead of serial-query-rate.
 6396 			[RT #24454]
 6397 
 6398 3955.	[bug]		Notify messages due to changes are no longer queued
 6399 			behind startup notify messages. [RT #24454]
 6400 
 6401 3954.	[bug]		Unchecked mutex init in dlz_dlopen_driver.c [RT #37112]
 6402 
 6403 3953.	[bug]		Don't escape semi-colon in TXT fields. [RT #37159]
 6404 
 6405 3952.	[bug]		dns_name_fullcompare failed to set *nlabelsp when the
 6406 			two name pointers were the same. [RT #37176]
 6407 
 6408 3951.	[func]		Add the ability to set yet-to-be-defined EDNS flags
 6409 			to dig (+ednsflags=#). [RT #37142]
 6410 
 6411 3950.	[port]		Changed the bin/python Makefile to work around a
 6412 			bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993]
 6413 
 6414 3949.	[experimental]	Experimental support for draft-andrews-edns1 by sending
 6415 			EDNS(1) queries (define DRAFT_ANDREWS_EDNS1 when
 6416 			building).  Add support for limiting the EDNS version
 6417 			advertised to servers: server { edns-version 0; };
 6418 			Log the EDNS version received in the query log.
 6419 			[RT #35864]
 6420 
 6421 3948.	[port]		solaris: RCVBUFSIZE was too large on Solaris with
 6422 			--with-tuning=large. [RT #37059]
 6423 
 6424 3947.	[cleanup]	Set the executable bit on libraries when using
 6425 			libtool. [RT #36786]
 6426 
 6427 3946.	[cleanup]	Improved "configure" search for a python interpreter.
 6428 			[RT #36992]
 6429 
 6430 3945.	[bug]		Invalid wildcard expansions could be incorrectly
 6431 			accepted by the validator. [RT #37093]
 6432 
 6433 3944.	[test]		Added a regression test for "server-id". [RT #37057]
 6434 
 6435 3943.	[func]		SERVFAIL responses can now be cached for a
 6436 			limited time (configured by "servfail-ttl",
 6437 			default 10 seconds, limit 30). This can reduce
 6438 			the frequency of retries when an authoritative
 6439 			server is known to be failing, e.g., due to
 6440 			ongoing DNSSEC validation problems. [RT #21347]
 6441 
 6442 3942.	[bug]		Wildcard responses from a optout range should be
 6443 			marked as insecure. [RT #37072]
 6444 
 6445 3941.	[doc]		Include the BIND version number in the ARM. [RT #37067]
 6446 
 6447 3940.	[func]		"rndc nta" now allows negative trust anchors to be
 6448 			set for up to one week. [RT #37069]
 6449 
 6450 3939.	[func]		Improve UPDATE forwarding performance by allowing TCP
 6451 			connections to be shared. [RT #37039]
 6452 
 6453 3938.	[func]		Added quotas to be used in recursive resolvers
 6454 			that are under high query load for names in zones
 6455 			whose authoritative servers are nonresponsive or
 6456 			are experiencing a denial of service attack.
 6457 
 6458 			- "fetches-per-server" limits the number of
 6459 			  simultaneous queries that can be sent to any
 6460 			  single authoritative server.  The configured
 6461 			  value is a starting point; it is automatically
 6462 			  adjusted downward if the server is partially or
 6463 			  completely non-responsive. The algorithm used to
 6464 			  adjust the quota can be configured via the
 6465 			  "fetch-quota-params" option.
 6466 			- "fetches-per-zone" limits the number of
 6467 			  simultaneous queries that can be sent for names
 6468 			  within a single domain.  (Note: Unlike
 6469 			  "fetches-per-server", this value is not
 6470 			  self-tuning.)
 6471 			- New stats counters have been added to count
 6472 			  queries spilled due to these quotas.
 6473 
 6474 			See the ARM for details of these options. [RT #37125]
 6475 
 6476 3937.	[func]		Added some debug logging to better indicate the
 6477 			conditions causing SERVFAILs when resolving.
 6478 			[RT #35538]
 6479 
 6480 3936.	[func]		Added authoritative support for the EDNS Client
 6481 			Subnet (ECS) option.
 6482 
 6483 			ACLs can now include "ecs" elements which specify
 6484 			an address or network prefix; if an ECS option is
 6485 			included in a DNS query, then the address encoded
 6486 			in the option will be matched against "ecs" ACL
 6487 			elements.
 6488 
 6489 			Also, if an ECS address is included in a query,
 6490 			then it will be used instead of the client source
 6491 			address when matching "geoip" ACL elements.  This
 6492 			behavior can be overridden with "geoip-use-ecs no;".
 6493 			(Note: to enable "geoip" ACLs, use "configure
 6494 			--with-geoip". This requires libGeoIP version
 6495 			1.5.0 or higher.)
 6496 
 6497 			When "ecs" or "geoip" ACL elements are used to
 6498 			select a view for a query, the response will include
 6499 			an ECS option to indicate which client network the
 6500 			answer is valid for.
 6501 
 6502 			(Thanks to Vincent Bernat.) [RT #36781]
 6503 
 6504 3935.	[bug]		"geoip asnum" ACL elements would not match unless
 6505 			the full organization name was specified.  They
 6506 			can now match against the AS number alone (e.g.,
 6507 			AS1234). [RT #36945]
 6508 
 6509 3934.	[bug]		Catch bad 'sit-secret' in named-checkconf.  Improve
 6510 			sit-secret documentation. [RT #36980]
 6511 
 6512 3933.	[bug]		Corrected the implementation of dns_rdata_casecompare()
 6513 			for the HIP rdata type.  [RT #36911]
 6514 
 6515 3932.	[test]		Improved named-checkconf tests. [RT #36911]
 6516 
 6517 3931.	[cleanup]	Cleanup how dlz grammar is defined. [RT #36879]
 6518 
 6519 3930.	[bug]		"rndc nta -r" could cause a server hang if the
 6520 			NTA was not found. [RT #36909]
 6521 
 6522 3929.	[bug]		'host -a' needed to clear idnoptions. [RT #36963]
 6523 
 6524 3928.	[test]		Improve rndc system test. [RT #36898]
 6525 
 6526 3927.	[bug]		dig: report PKCS#11 error codes correctly when
 6527 			compiled with --enable-native-pkcs11. [RT #36956]
 6528 
 6529 3926.	[doc]		Added doc for geoip-directory. [RT #36877]
 6530 
 6531 3925.	[bug]		DS lookup of RFC 1918 empty zones failed. [RT #36917]
 6532 
 6533 3924.	[bug]		Improve 'rndc addzone' error reporting. [RT #35187]
 6534 
 6535 3923.	[bug]		Sanity check the xml2-config output. [RT #22246]
 6536 
 6537 3922.	[bug]		When resigning, dnssec-signzone was removing
 6538 			all signatures from delegation nodes. It now
 6539 			retains DS and (if applicable) NSEC signatures.
 6540 			[RT #36946]
 6541 
 6542 3921.	[bug]		AD was inappropriately set on RPZ responses. [RT #36833]
 6543 
 6544 3920.	[doc]		Added doc for masterfile-style. [RT #36823]
 6545 
 6546 3919.	[bug]		dig: continue to next line if a address lookup fails
 6547 			in batch mode. [RT #36755]
 6548 
 6549 3918.	[doc]		Update check-spf documentation. [RT #36910]
 6550 
 6551 3917.	[bug]		dig, nslookup and host now continue on names that are
 6552 			too long after applying a search list elements.
 6553 			[RT #36892]
 6554 
 6555 3916.	[contrib]	zone2sqlite checked wrong result code.  Address
 6556 			compiler warnings. [RT #36931]
 6557 
 6558 3915.	[bug]		Address a assertion if a route event arrived while
 6559 			shutting down. [RT #36887]
 6560 
 6561 3914.	[bug]		Allow the URI target and CAA value fields to
 6562 			be zero length. [RT #36737]
 6563 
 6564 3913.	[bug]		Address race issue in dispatch. [RT #36731]
 6565 
 6566 3912.	[bug]		Address some unrecoverable lookup failures. [RT #36330]
 6567 
 6568 3911.	[func]		Implement EDNS EXPIRE option client side, allowing
 6569 			a slave server to set the expiration timer correctly
 6570 			when transferring zone data from another slave
 6571 			server. [RT #35925]
 6572 
 6573 3910.	[bug]		Fix races to free event during shutdown. [RT #36720]
 6574 
 6575 3909.	[bug]		When computing the number of elements required for a
 6576 			acl count_acl_elements could have a short count leading
 6577 			to a assertion failure.  Also zero out new acl elements
 6578 			in dns_acl_merge.  [RT #36675]
 6579 
 6580 3908.	[bug]		rndc now differentiates between a zone in multiple
 6581 			views and a zone that doesn't exist at all. [RT #36691]
 6582 
 6583 3907.	[cleanup]	Alphabetize rndc help. [RT #36683]
 6584 
 6585 3906.	[protocol]	Update URI record format to comply with
 6586 			draft-faltstrom-uri-08. [RT #36642]
 6587 
 6588 3905.	[bug]		Address deadlock between view.c and adb.c. [RT #36341]
 6589 
 6590 3904.	[func]		Add the RPZ SOA to the additional section. [RT36507]
 6591 
 6592 3903.	[bug]		Improve the accuracy of DiG's reported round trip
 6593 			time. [RT 36611]
 6594 
 6595 3902.	[bug]		liblwres wasn't handling link-local addresses in
 6596 			nameserver clauses in resolv.conf. [RT #36039]
 6597 
 6598 3901.	[protocol]	Added support for CAA record type (RFC 6844).
 6599 			[RT #36625]
 6600 
 6601 3900.	[bug]		Fix a crash in PostgreSQL DLZ driver. [RT #36637]
 6602 
 6603 3899.	[bug]		"request-ixfr" is only applicable to slave and redirect
 6604 			zones. [RT #36608]
 6605 
 6606 3898.	[bug]		Too small a buffer in tohexstr() calls in test code.
 6607 			[RT #36598]
 6608 
 6609 3897.	[bug]		RPZ summary information was not properly being updated
 6610 			after a AXFR resulting in changes sometimes being
 6611 			ignored.  [RT #35885]
 6612 
 6613 3896.	[bug]		Address performance issues with DSCP code on some
 6614 			platforms. [RT #36534]
 6615 
 6616 3895.	[func]		Add the ability to set the DSCP code point to dig.
 6617 			[RT #36546]
 6618 
 6619 3894.	[bug]		Buffers in isc_print_vsnprintf were not properly
 6620 			initialized leading to potential overflows when
 6621 			printing out quad values. [RT #36505]
 6622 
 6623 3893.	[bug]		Peer DSCP values could be returned without being set.
 6624 			[RT #36538]
 6625 
 6626 3892.	[bug]		Setting '-t aaaa' in .digrc had unintended side
 6627 			effects. [RT #36452]
 6628 
 6629 3891.	[bug]		Use ${INSTALL_SCRIPT} rather than ${INSTALL_PROGRAM}
 6630 			to install python programs.
 6631 
 6632 3890.	[bug]		RRSIG sets that were not loaded in a single transaction
 6633 			at start up where not being correctly added to
 6634 			re-signing heaps.  [RT #36302]
 6635 
 6636 3889.	[port]		hurd: configure fixes as per:
 6637 			https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746540
 6638 
 6639 3888.	[func]		'rndc status' now reports the number of automatic
 6640 			zones. [RT #36015]
 6641 
 6642 3887.	[cleanup]	Make all static symbols in rbtdb64 end in "64" so
 6643 			they are easier to use in a debugger. [RT #36373]
 6644 
 6645 3886.	[bug]		rbtdb_write_header should use a once to initialize
 6646 			FILE_VERSION. [RT #36374]
 6647 
 6648 3885.	[port]		Use 'open()' rather than 'file()' to open files in
 6649 			python.
 6650 
 6651 3884.	[protocol]	Add CDS and CDNSKEY record types. [RT #36333]
 6652 
 6653 3883.	[placeholder]
 6654 
 6655 3882.	[func]		By default, negative trust anchors will be tested
 6656 			periodically to see whether data below them can be
 6657 			validated, and if so, they will be allowed to
 6658 			expire early. The "rndc nta -force" option
 6659 			overrides this behavior.  The default NTA lifetime
 6660 			and the recheck frequency can be configured by the
 6661 			"nta-lifetime" and "nta-recheck" options. [RT #36146]
 6662 
 6663 3881.	[bug]		Address memory leak with UPDATE error handling.
 6664 			[RT #36303]
 6665 
 6666 3880.	[test]		Update ans.pl to work with new TSIG support in
 6667 			Net::DNS; add additional Net::DNS version prerequisite
 6668 			checks. [RT #36327]
 6669 
 6670 3879.	[func]		Add version printing option to various BIND utilities.
 6671 			[RT #10686]
 6672 
 6673 3878.	[bug]		Using the incorrect filename for a DLZ module
 6674 			caused a segmentation fault on startup. [RT #36286]
 6675 
 6676 3877.	[bug]		Inserting and deleting parent and child nodes
 6677 			in response policy zones could trigger an assertion
 6678 			failure. [RT #36272]
 6679 
 6680 3876.	[bug]		Improve efficiency of DLZ redirect zones by
 6681 			suppressing unnecessary database lookups. [RT #35835]
 6682 
 6683 3875.	[cleanup]	Clarify log message when unable to read private
 6684 			key files. [RT #24702]
 6685 
 6686 3874.	[test]		Check that only "check-names master" is needed for
 6687 			updates to be accepted.
 6688 
 6689 3873.	[protocol]	Only warn for SPF without TXT spf record. [RT #36210]
 6690 
 6691 3872.	[bug]		Address issues found by static analysis. [RT #36209]
 6692 
 6693 3871.	[bug]		Don't publish an activated key automatically before
 6694 			its publish time. [RT #35063]
 6695 
 6696 3870.	[func]		Updated the random number generator used in
 6697 			the resolver to use the updated ChaCha based one
 6698 			(similar to OpenBSD's changes). Also moved the
 6699 			RNG to libisc and added unit tests for it.
 6700 			[RT #35942]
 6701 
 6702 3869.	[doc]		Document that in-view zones cannot be used for
 6703 			response policy zones. [RT #35941]
 6704 
 6705 3868.	[bug]		isc_mem_setwater incorrectly cleared hi_called
 6706 			potentially leaving over memory cleaner running.
 6707 			[RT #35270]
 6708 
 6709 3867.	[func]		"rndc nta" can now be used to set a temporary
 6710 			negative trust anchor, which disables DNSSEC
 6711 			validation below a specified name for a specified
 6712 			period of time (not exceeding 24 hours).  This
 6713 			can be used when validation for a domain is known
 6714 			to be failing due to a configuration error on
 6715 			the part of the domain owner rather than a
 6716 			spoofing attack. [RT #29358]
 6717 
 6718 3866.	[bug]		Named could die on disk full in generate_session_key.
 6719 			[RT #36119]
 6720 
 6721 3865.	[test]		Improved testability of the red-black tree
 6722 			implementation and added unit tests. [RT #35904]
 6723 
 6724 3864.	[bug]		RPZ didn't work well when being used as forwarder.
 6725 			[RT #36060]
 6726 
 6727 3863.	[bug]		The "E" flag was missing from the query log as a
 6728 			unintended side effect of code rearrangement to
 6729 			support EDNS EXPIRE. [RT #36117]
 6730 
 6731 3862.	[cleanup]	Return immediately if we are not going to log the
 6732 			message in ns_client_dumpmessage.
 6733 
 6734 3861.	[security]	Missing isc_buffer_availablelength check results
 6735 			in a REQUIRE assertion when printing out a packet
 6736 			(CVE-2014-3859).  [RT #36078]
 6737 
 6738 3860.	[bug]		ioctl(DP_POLL) array size needs to be determined
 6739 			at run time as it is limited to {OPEN_MAX}.
 6740 			[RT #35878]
 6741 
 6742 3859.	[placeholder]
 6743 
 6744 3858.	[bug]		Disable GCC 4.9 "delete null pointer check".
 6745 			[RT #35968]
 6746 
 6747 3857.	[bug]		Make it harder for a incorrect NOEDNS classification
 6748 			to be made. [RT #36020]
 6749 
 6750 3856.	[bug]		Configuring libjson without also configuring libxml
 6751 			resulted in a REQUIRE assertion when retrieving
 6752 			statistics using json. [RT #36009]
 6753 
 6754 3855.	[bug]		Limit smoothed round trip time aging to no more than
 6755 			once a second. [RT #32909]
 6756 
 6757 3854.	[cleanup]	Report unrecognized options, if any, in the final
 6758 			configure summary. [RT #36014]
 6759 
 6760 3853.	[cleanup]	Refactor dns_rdataslab_fromrdataset to separate out
 6761 			the handling of a rdataset with no records. [RT #35968]
 6762 
 6763 3852.	[func]		Increase the default number of clients available
 6764 			for servicing lightweight resolver queries, and
 6765 			make them configurable via the "lwres-tasks" and
 6766 			"lwres-clients" options.  (Thanks to Tomas Hozza.)
 6767 			[RT #35857]
 6768 
 6769 3851.	[func]		Allow libseccomp based system-call filtering
 6770 			on Linux; use "configure --enable-seccomp" to
 6771 			turn it on.  Thanks to Loganaden Velvindron
 6772 			of AFRINIC for the contribution. [RT #35347]
 6773 
 6774 3850.	[bug]		Disabling forwarding could trigger a REQUIRE assertion.
 6775 			[RT #35979]
 6776 
 6777 3849.	[doc]		Alphabetized dig's +options. [RT #35992]
 6778 
 6779 3848.	[bug]		Adjust 'statistics-channels specified but not effective'
 6780 			error message to account for JSON support. [RT #36008]
 6781 
 6782 3847.	[bug]		'configure --with-dlz-postgres' failed to fail when
 6783 			there is not support available.
 6784 
 6785 3846.	[bug]		"dig +notcp ixfr=<serial>" should result in a UDP
 6786 			ixfr query. [RT #35980]
 6787 
 6788 3845.	[placeholder]
 6789 
 6790 3844.	[bug]		Use the x64 version of the Microsoft Visual C++
 6791 			Redistributable when built for 64 bit Windows.
 6792 			[RT #35973]
 6793 
 6794 3843.	[protocol]	Check EDNS EXPIRE option in dns_rdata_fromwire.
 6795 			[RT #35969]
 6796 
 6797 3842.	[bug]		Adjust RRL log-only logging category. [RT #35945]
 6798 
 6799 3841.	[cleanup]	Refactor zone.c:add_opt to use dns_message_buildopt.
 6800 			[RT #35924]
 6801 
 6802 3840.	[port]		Check for arc4random_addrandom() before using it;
 6803 			it's been removed from OpenBSD 5.5. [RT #35907]
 6804 
 6805 3839.	[test]		Use only posix-compatible shell in system tests.
 6806 			[RT #35625]
 6807 
 6808 3838.	[protocol]	EDNS EXPIRE as been assigned a code point of 9.
 6809 
 6810 3837.	[security]	A NULL pointer is passed to query_prefetch resulting
 6811 			a REQUIRE assertion failure when a fetch is actually
 6812 			initiated (CVE-2014-3214).  [RT #35899]
 6813 
 6814 3836.	[bug]		Address C++ keyword usage in header file.
 6815 
 6816 3835.	[bug]		Geoip ACL elements didn't work correctly when
 6817 			referenced via named or nested ACLs. [RT #35879]
 6818 
 6819 3834.	[bug]		The re-signing heaps were not being updated soon enough
 6820 			leading to multiple re-generations of the same RRSIG
 6821 			when a zone transfer was in progress. [RT #35273]
 6822 
 6823 3833.	[bug]		Cross compiling was broken due to calling genrandom at
 6824 			build time. [RT #35869]
 6825 
 6826 3832.	[func]		"named -L <filename>" causes named to send log
 6827 			messages to the specified file by default instead
 6828 			of to the system log. (Thanks to Tony Finch.)
 6829 			[RT #35845]
 6830 
 6831 3831.	[cleanup]	Reduce logging noise when EDNS state changes occur.
 6832 			[RT #35843]
 6833 
 6834 3830.	[func]		When query logging is enabled, log query errors at
 6835 			the same level ('info') as the queries themselves.
 6836 			[RT #35844]
 6837 
 6838 3829.	[func]		"dig +ttlunits" causes dig to print TTL values
 6839 			with time-unit suffixes: w, d, h, m, s for
 6840 			weeks, days, hours, minutes, and seconds. (Thanks
 6841 			to Tony Finch.) [RT #35823]
 6842 
 6843 3828.	[func]		"dnssec-signzone -N date" updates serial number
 6844 			to the current date in YYYYMMDDNN format.
 6845 			[RT #35800]
 6846 
 6847 3827.	[placeholder]
 6848 
 6849 3826.	[bug]		Corrected bad INSIST logic in isc_radix_remove().
 6850 			[RT #35870]
 6851 
 6852 3825.	[bug]		Address sign extension bug in isc_regex_validate.
 6853 			[RT #35758]
 6854 
 6855 3824.	[bug]		A collision between two flag values could cause
 6856 			problems with cache cleaning when SIT was enabled.
 6857 			[RT #35858]
 6858 
 6859 3823.	[func]		Log the rpz cname target when rewriting. [RT #35667]
 6860 
 6861 3822.	[bug]		Log the correct type of static-stub zones when
 6862 			removing them. [RT #35842]
 6863 
 6864 3821.	[contrib]	Added a new "mysqldyn" DLZ module with dynamic
 6865 			update and transaction support. Thanks to Marty
 6866 			Lee for the contribution. [RT #35656]
 6867 
 6868 3820.	[func]		The DLZ API doesn't pass the database version to
 6869 			the lookup() function; this can cause DLZ modules
 6870 			that allow dynamic updates to mishandle prerequisite
 6871 			checks. This has been corrected by adding a
 6872 			'dbversion' field to the dns_clientinfo_t
 6873 			structure. [RT #35656]
 6874 
 6875 3819.	[bug]		NSEC3 hashes need to be able to be entered and
 6876 			displayed without padding.  This is not a issue for
 6877 			currently defined algorithms but may be for future
 6878 			hash algorithms. [RT #27925]
 6879 
 6880 3818.	[bug]		Stop lying to the optimizer that 'void *arg' is a
 6881 			constant in isc_event_allocate.
 6882 
 6883 3817.	[func]		The "delve" command is now spelled "delv" to avoid
 6884 			a namespace collision with the Xapian project.
 6885 			[RT #35801]
 6886 
 6887 3816.	[func]		"dig +qr" now reports query size. (Thanks to
 6888 			Tony Finch.) [RT #35822]
 6889 
 6890 3815.	[doc]		Clarify "nsupdate -y" usage in man page. [RT #35808]
 6891 
 6892 3814.	[func]		The "masterfile-style" zone option controls the
 6893 			formatting of dumped zone files. Options are
 6894 			"relative" (multiline format) and "full" (one
 6895 			record per line). The default is "relative".
 6896 			[RT #20798]
 6897 
 6898 3813.	[func]		"host" now recognizes the "timeout", "attempts" and
 6899 			"debug" options when set in /etc/resolv.conf.
 6900 			(Thanks to Adam Tkac at RedHat.) [RT #21885]
 6901 
 6902 3812.	[func]		Dig now supports sending arbitrary EDNS options from
 6903 			the command line (+ednsopt=code[:value]). [RT #35584]
 6904 
 6905 3811.	[func]		"serial-update-method date;" sets serial number
 6906 			on dynamic update to today's date in YYYYMMDDNN
 6907 			format. (Thanks to Bradley Forschinger.) [RT #24903]
 6908 
 6909 3810.	[bug]		Work around broken nameservers that fail to ignore
 6910 			unknown EDNS options. [RT #35766]
 6911 
 6912 3809.	[doc]		Fix SIT and NSID documentation.
 6913 
 6914 3808.	[doc]		Clean up "prefetch" documentation. [RT #35751]
 6915 
 6916 3807.	[bug]		Fix sign extension bug in dns_name_fromtext when
 6917 			lowercase is set. [RT #35743]
 6918 
 6919 3806.	[test]		Improved system test portability. [RT #35625]
 6920 
 6921 3805.	[contrib]	Added contrib/perftcpdns, a performance testing tool
 6922 			for DNS over TCP. [RT #35710]
 6923 
 6924 	--- 9.10.0rc1 released ---
 6925 
 6926 3804.	[bug]		Corrected a race condition in dispatch.c in which
 6927 			portentry could be reset leading to an assertion
 6928 			failure in socket_search(). (Change #3708
 6929 			addressed the same issue but was incomplete.)
 6930 			[RT #35128]
 6931 
 6932 3803.	[bug]		"named-checkconf -z" incorrectly rejected zones
 6933 			using alternate data sources for not having a "file"
 6934 			option. [RT #35685]
 6935 
 6936 3802.	[bug]		Various header files were not being installed.
 6937 
 6938 3801.	[port]		Fix probing for gssapi support on FreeBSD. [RT #35615]
 6939 
 6940 3800.	[bug]		A pending event on the route socket could cause an
 6941 			assertion failure when shutting down named. [RT #35674]
 6942 
 6943 3799.	[bug]		Improve named's command line error reporting.
 6944 			[RT #35603]
 6945 
 6946 3798.	[bug]		'rndc zonestatus' was reporting the wrong re-signing
 6947 			time. [RT #35659]
 6948 
 6949 3797.	[port]		netbsd: geoip support probing was broken. [RT #35642]
 6950 
 6951 3796.	[bug]		Register dns and pkcs#11 error codes. [RT #35629]
 6952 
 6953 3795.	[bug]		Make named-checkconf detect raw masterfiles for
 6954 			hint zones and reject them. [RT #35268]
 6955 
 6956 3794.	[maint]		Added AAAA for C.ROOT-SERVERS.NET.
 6957 
 6958 3793.	[bug]		zone.c:save_nsec3param() could assert when out of
 6959 			memory. [RT #35621]
 6960 
 6961 3792.	[func]		Provide links to the alternate statistics views when
 6962 			displaying in a browser.  [RT #35605]
 6963 
 6964 3791.	[placeholder]
 6965 
 6966 3790.	[bug]		Handle broken nameservers that send BADVERS in
 6967 			response to unknown EDNS options.  Maintain
 6968 			statistics on BADVERS responses.
 6969 
 6970 3789.	[bug]		Null pointer dereference on rbt creation failure.
 6971 
 6972 3788.	[bug]		dns_peer_getrequestsit was returning request_nsid by
 6973 			mistake.
 6974 
 6975 	--- 9.10.0b2 released ---
 6976 
 6977 3787.	[bug]		The code that checks whether "auto-dnssec" is
 6978 			allowed was ignoring "allow-update" ACLs set at
 6979 			the options or view level. [RT #29536]
 6980 
 6981 3786.	[func]		Provide more detailed error codes when using
 6982 			native PKCS#11. "pkcs11-tokens" now fails robustly
 6983 			rather than asserting when run against an HSM with
 6984 			an incomplete PKCS#11 API implementation. [RT #35479]
 6985 
 6986 3785.	[bug]		Debugging code dumphex didn't accept arbitrarily long
 6987 			input (only compiled with -DDEBUG). [RT #35544]
 6988 
 6989 3784.	[bug]		Using "rrset-order fixed" when it had not been
 6990 			enabled at compile time caused inconsistent
 6991 			results. It now works as documented, defaulting
 6992 			to cyclic mode. [RT #28104]
 6993 
 6994 3783.	[func]		"tsig-keygen" is now available as an alternate
 6995 			command name for "ddns-confgen".  It generates
 6996 			a TSIG key in named.conf format without comments.
 6997 			[RT #35503]
 6998 
 6999 3782.	[func]		Specifying "auto" as the salt when using
 7000 			"rndc signing -nsec3param" causes named to
 7001 			generate a 64-bit salt at random. [RT #35322]
 7002 
 7003 3781.	[tuning]	Use adaptive mutex locks when available; this
 7004 			has been found to improve performance under load
 7005 			on many systems. "configure --with-locktype=standard"
 7006 			restores conventional mutex locks. [RT #32576]
 7007 
 7008 3780.	[bug]		$GENERATE handled negative numbers incorrectly.
 7009 			[RT #25528]
 7010 
 7011 3779.	[cleanup]	Clarify the error message when using an option
 7012 			that was not enabled at compile time. [RT #35504]
 7013 
 7014 3778.	[bug]		Log a warning when the wrong address family is
 7015 			used in "listen-on" or "listen-on-v6". [RT #17848]
 7016 
 7017 3777.	[bug]		EDNS EXPIRE code could dump core when processing
 7018 			DLZ queries. [RT #35493]
 7019 
 7020 3776.	[func]		"rndc -q" suppresses output from successful
 7021 			rndc commands. Errors are printed on stderr.
 7022 			[RT #21393]
 7023 
 7024 3775.	[bug]		dlz_dlopen driver could return the wrong error
 7025 			code on API version mismatch, leading to a segfault.
 7026 			[RT #35495]
 7027 
 7028 3774.	[func]		When using "request-nsid", log the NSID value in
 7029 			printable form as well as hex. [RT #20864]
 7030 
 7031 3773.	[func]		"host", "nslookup" and "nsupdate" now have
 7032 			options to print the version number and exit.
 7033 			[RT #26057]
 7034 
 7035 3772.	[contrib]	Added sqlite3 dynamically-loadable DLZ module.
 7036 			(Based in part on a contribution from Tim Tessier.)
 7037 			[RT #20822]
 7038 
 7039 3771.	[cleanup]	Adjusted log level for "using built-in key"
 7040 			messages. [RT #24383]
 7041 
 7042 3770.	[bug]		"dig +trace" could fail with an assertion when it
 7043 			needed to fall back to TCP due to a truncated
 7044 			response. [RT #24660]
 7045 
 7046 3769.	[doc]		Improved documentation of "rndc signing -list".
 7047 			[RT #30652]
 7048 
 7049 3768.	[bug]		"dnssec-checkds" was missing the SHA-384 digest
 7050 			algorithm. [RT #34000]
 7051 
 7052 3767.	[func]		Log explicitly when using rndc.key to configure
 7053 			command channel. [RT #35316]
 7054 
 7055 3766.	[cleanup]	Fixed problems with building outside the source
 7056 			tree when using native PKCS#11. [RT #35459]
 7057 
 7058 3765.	[bug]		Fixed a bug in "rndc secroots" that could crash
 7059 			named when dumping an empty keynode. [RT #35469]
 7060 
 7061 3764.	[bug]		The dnssec-keygen/settime -S and -i options
 7062 			(to set up a successor key and set the prepublication
 7063 			interval) were missing from dnssec-keyfromlabel.
 7064 			[RT #35394]
 7065 
 7066 3763.	[bug]		delve: Cache DNSSEC records to avoid the need to
 7067 			re-fetch them when restarting validation. [RT #35476]
 7068 
 7069 3762.	[bug]		Address build problems with --pkcs11-native +
 7070 			--with-openssl with ECDSA support. [RT #35467]
 7071 
 7072 3761.	[bug]		Address dangling reference bug in dns_keytable_add.
 7073 			[RT #35471]
 7074 
 7075 3760.	[bug]		Improve SIT with native PKCS#11 and on Windows.
 7076 			[RT #35433]
 7077 
 7078 3759.	[port]		Enable delve on Windows. [RT #35441]
 7079 
 7080 3758.	[port]		Enable export library APIs on Windows. [RT #35382]
 7081 
 7082 3757.	[port]		Enable Python tools (dnssec-coverage,
 7083 			dnssec-checkds) to run on Windows. [RT #34355]
 7084 
 7085 3756.	[bug]		GSSAPI Kerberos realm checking was broken in
 7086 			check_config leading to spurious messages being
 7087 			logged.  [RT #35443]
 7088 
 7089 	--- 9.10.0b1 released ---
 7090 
 7091 3755.	[func]		Add stats counters for known EDNS options + others.
 7092 			[RT #35447]
 7093 
 7094 3754.	[cleanup]	win32: Installer now places files in the
 7095 			Program Files area rather than system services.
 7096 			[RT #35361]
 7097 
 7098 3753.	[bug]		allow-notify was ignoring keys. [RT #35425]
 7099 
 7100 3752.	[bug]		Address potential REQUIRE failure if
 7101 			DNS_STYLEFLAG_COMMENTDATA is set when printing out
 7102 			a rdataset.
 7103 
 7104 3751.	[tuning]	The default setting for the -U option (setting
 7105 			the number of UDP listeners per interface) has
 7106 			been adjusted to improve performance. [RT #35417]
 7107 
 7108 3750.	[experimental]	Partially implement EDNS EXPIRE option as described
 7109 			in draft-andrews-dnsext-expire-00.  Retrieval of
 7110 			the remaining time until expiry for slave zones
 7111 			is supported.
 7112 
 7113 			EXPIRE uses an experimental option code (65002),
 7114 			which is subject to change. [RT #35416]
 7115 
 7116 3749.	[func]		"dig +subnet" sends an EDNS client subnet option
 7117 			containing the specified address/prefix when
 7118 			querying. (Thanks to Wilmer van der Gaast.)
 7119 			[RT #35415]
 7120 
 7121 3748.	[test]		Use delve to test dns_client interfaces. [RT #35383]
 7122 
 7123 3747.	[bug]		A race condition could lead to a core dump when
 7124 			destroying a resolver fetch object. [RT #35385]
 7125 
 7126 3746.	[func]		New "max-zone-ttl" option enforces maximum
 7127 			TTLs for zones. If loading a zone containing a
 7128 			higher TTL, the load fails. DDNS updates with
 7129 			higher TTLs are accepted but the TTL is truncated.
 7130 			(Note: Currently supported for master zones only;
 7131 			inline-signing slaves will be added.) [RT #38405]
 7132 
 7133 3745.	[func]		"configure --with-tuning=large" adjusts various
 7134 			compiled-in constants and default settings to
 7135 			values suited to large servers with abundant
 7136 			memory. [RT #29538]
 7137 
 7138 3744.	[experimental]	SIT: send and process Source Identity Tokens
 7139 			(similar to DNS Cookies by Donald Eastlake 3rd),
 7140 			which are designed to help clients detect off-path
 7141 			spoofed responses and for servers to identify
 7142 			legitimate clients.
 7143 
 7144 			SIT uses an experimental EDNS option code (65001),
 7145 			which will be changed to an IANA-assigned value
 7146 			if the experiment is deemed a success.
 7147 
 7148 			SIT can be enabled via "configure --enable-sit" (or
 7149 			--enable-developer). It is enabled by default in
 7150 			Windows.
 7151 
 7152 			Servers can be configured to send smaller responses
 7153 			to clients that have not identified themselves via
 7154 			SIT.  RRL processing has also been updated;
 7155 			legitimate clients are not subject to rate
 7156 			limiting. [RT #35389]
 7157 
 7158 3743.	[bug]		delegation-only flag wasn't working in forward zone
 7159 			declarations despite being documented.  This is
 7160 			needed to support turning off forwarding and turning
 7161 			on delegation only at the same name.  [RT #35392]
 7162 
 7163 3742.	[port]		linux: libcap support: declare curval at start of
 7164 			block. [RT #35387]
 7165 
 7166 3741.	[func]		"delve" (domain entity lookup and validation engine):
 7167 			A new tool with dig-like semantics for performing DNS
 7168 			lookups, with internal DNSSEC validation, using the
 7169 			same resolver and validator logic as named. This
 7170 			allows easy validation of DNSSEC data in environments
 7171 			with untrustworthy resolvers, and assists with
 7172 			troubleshooting of DNSSEC problems. [RT #32406]
 7173 
 7174 3740.	[contrib]	Minor fixes to configure --with-dlz-bdb,
 7175 			--with-dlz-postgres and --with-dlz-odbc. [RT #35340]
 7176 
 7177 3739.	[func]		Added per-zone stats counters to track TCP and
 7178 			UDP queries. [RT #35375]
 7179 
 7180 3738.	[bug]		--enable-openssl-hash failed to build. [RT #35343]
 7181 
 7182 3737.	[bug]		'rndc retransfer' could trigger a assertion failure
 7183 			with inline zones. [RT #35353]
 7184 
 7185 3736.	[bug]		nsupdate: When specifying a server by name,
 7186 			fall back to alternate addresses if the first
 7187 			address for that name is not reachable. [RT #25784]
 7188 
 7189 3735.	[cleanup]	Merged the libiscpk11 library into libisc
 7190 			to simplify dependencies. [RT #35205]
 7191 
 7192 3734.	[bug]		Improve building with libtool. [RT #35314]
 7193 
 7194 3733.	[func]		Improve interface scanning support.  Interface
 7195 			information will be automatically updated if the
 7196 			OS supports routing sockets (MacOS, *BSD, Linux).
 7197 			Use "automatic-interface-scan no;" to disable.
 7198 
 7199 			Add "rndc scan" to trigger a scan. [RT #23027]
 7200 
 7201 3732.	[contrib]	Fixed a type mismatch causing the ODBC DLZ
 7202 			driver to dump core on 64-bit systems. [RT #35324]
 7203 
 7204 3731.	[func]		Added a "no-case-compress" ACL, which causes
 7205 			named to use case-insensitive compression
 7206 			(disabling change #3645) for specified
 7207 			clients. (This is useful when dealing
 7208 			with broken client implementations that
 7209 			use case-sensitive name comparisons,
 7210 			rejecting responses that fail to match the
 7211 			capitalization of the query that was sent.)
 7212 			[RT #35300]
 7213 
 7214 3730.	[cleanup]	Added "never" as a synonym for "none" when
 7215 			configuring key event dates in the dnssec tools.
 7216 			[RT #35277]
 7217 
 7218 3729.	[bug]		dnssec-keygen could set the publication date
 7219 			incorrectly when only the activation date was
 7220 			specified on the command line. [RT #35278]
 7221 
 7222 3728.	[doc]		Expanded native-PKCS#11 documentation,
 7223 			specifically pkcs11: URI labels. [RT #35287]
 7224 
 7225 3727.	[func]		The isc_bitstring API is no longer used and
 7226 			has been removed from libisc. [RT #35284]
 7227 
 7228 3726.	[cleanup]	Clarified the error message when attempting
 7229 			to configure more than 32 response-policy zones.
 7230 			[RT #35283]
 7231 
 7232 3725.	[contrib]	Updated zkt and nslint to newest versions,
 7233 			cleaned up and rearranged the contrib
 7234 			directory, and added a README.
 7235 
 7236 	--- 9.10.0a2 released ---
 7237 
 7238 3724.	[bug]		win32: Fixed a bug that prevented dig and
 7239 			host from exiting properly after completing
 7240 			a UDP query. [RT #35288]
 7241 
 7242 3723.	[cleanup]	Imported keys are now handled the same way
 7243 			regardless of DNSSEC algorithm. [RT #35215]
 7244 
 7245 3722.	[bug]		Using geoip ACLs in a blackhole statement
 7246 			could cause a segfault. [RT #35272]
 7247 
 7248 3721.	[doc]		Improved documentation of the EDNS processing
 7249 			enhancements introduced in change #3593. [RT #35275]
 7250 
 7251 3720.	[bug]		Address compiler warnings. [RT #35261]
 7252 
 7253 3719.	[bug]		Address memory leak in in peer.c. [RT #35255]
 7254 
 7255 3718.	[bug]		A missing ISC_LINK_INIT in log.c. [RT #35260]
 7256 
 7257 3717.	[port]		hpux: Treat EOPNOTSUPP as a expected error code when
 7258 			probing to see if it is possible to set dscp values
 7259 			on a per packet basis. [RT #35252]
 7260 
 7261 3716.	[bug]		The dns_request code was setting dcsp values when not
 7262 			requested.  [RT #35252]
 7263 
 7264 3715.	[bug]		The region and city databases could fail to
 7265 			initialize when using some versions of libGeoIP,
 7266 			causing assertion failures when named was
 7267 			configured to use them. [RT #35427]
 7268 
 7269 3714.	[test]		System tests that need to test for cryptography
 7270 			support before running can now use a common
 7271 			"testcrypto.sh" script to do so. [RT #35213]
 7272 
 7273 3713.	[bug]		Save memory by not storing "also-notify" addresses
 7274 			in zone objects that are configured not to send
 7275 			notify requests. [RT #35195]
 7276 
 7277 3712.	[placeholder]
 7278 
 7279 3711.	[placeholder]
 7280 
 7281 3710.	[bug]		Address double dns_zone_detach when switching to
 7282 			using automatic empty zones from regular zones.
 7283 			[RT #35177]
 7284 
 7285 3709.	[port]		Use built-in versions of strptime() and timegm()
 7286 			on all platforms to avoid portability issues.
 7287 			[RT #35183]
 7288 
 7289 3708.	[bug]		Address a portentry locking issue in dispatch.c.
 7290 			[RT #35128]
 7291 
 7292 3707.	[bug]		irs_resconf_load now returns ISC_R_FILENOTFOUND
 7293 			on a missing resolv.conf file and initializes the
 7294 			structure as if it had been configured with:
 7295 
 7296 				nameserver ::1
 7297 				nameserver 127.0.0.1
 7298 
 7299 			Note: Callers will need to be updated to treat
 7300 			ISC_R_FILENOTFOUND as a qualified success or else
 7301 			they will leak memory. The following code fragment
 7302 			will work with both old and new versions without
 7303 			changing the behaviour of the existing code.
 7304 
 7305 			resconf = NULL;
 7306 			result = irs_resconf_load(mctx, "/etc/resolv.conf",
 7307 						  &resconf);
 7308 			if (result != ISC_SUCCESS) {
 7309 				if (resconf != NULL)
 7310 					irs_resconf_destroy(&resconf);
 7311 				....
 7312 			}
 7313 
 7314 			[RT #35194]
 7315 
 7316 3706.	[contrib]	queryperf: Fixed a possible integer overflow when
 7317 			printing results. [RT #35182]
 7318 
 7319 3705.	[func]		"configure --enable-native-pkcs11" enables BIND
 7320 			to use the PKCS#11 API for all cryptographic
 7321 			functions, so that it can drive a hardware service
 7322 			module directly without the need to use a modified
 7323 			OpenSSL as intermediary (so long as the HSM's vendor
 7324 			provides a complete-enough implementation of the
 7325 			PKCS#11 interface). This has been tested successfully
 7326 			with the Thales nShield HSM and with SoftHSMv2 from
 7327 			the OpenDNSSEC project. [RT #29031]
 7328 
 7329 3704.	[protocol]	Accept integer timestamps in RRSIG records. [RT #35185]
 7330 
 7331 3703.	[func]		To improve recursive resolver performance, cache
 7332 			records which are still being requested by clients
 7333 			can now be automatically refreshed from the
 7334 			authoritative server before they expire, reducing
 7335 			or eliminating the time window in which no answer
 7336 			is available in the cache. See the "prefetch" option
 7337 			for more details. [RT #35041]
 7338 
 7339 3702.	[func]		'dnssec-coverage -l' option specifies a length
 7340 			of time to check for coverage; events further into
 7341 			the future are ignored.  'dnssec-coverage -z'
 7342 			checks only ZSK events, and 'dnssec-coverage -k'
 7343 			checks only KSK events.  (Thanks to Peter Palfrader.)
 7344 			[RT #35168]
 7345 
 7346 3701.	[func]		named-checkconf can now obscure shared secrets
 7347 			when printing by specifying '-x'. [RT #34465]
 7348 
 7349 3700.	[func]		Allow access to subgroups of XML statistics via
 7350 			special URLs http://<server>:<port>/xml/v3/server,
 7351 			/zones, /net, /tasks, /mem, and /status.  [RT #35115]
 7352 
 7353 3699.	[bug]		Improvements to statistics channel XSL stylesheet:
 7354 			the stylesheet can now be cached by the browser;
 7355 			section headers are omitted from the stats display
 7356 			when there is no data in those sections to be
 7357 			displayed; counters are now right-justified for
 7358 			easier readability. [RT #35117]
 7359 
 7360 3698.	[cleanup]	Replaced all uses of memcpy() with memmove().
 7361 			[RT #35120]
 7362 
 7363 3697.	[bug]		Handle "." as a search list element when IDN support
 7364 			is enabled. [RT #35133]
 7365 
 7366 3696.	[bug]		dig failed to handle AXFR style IXFR responses which
 7367 			span multiple messages. [RT #35137]
 7368 
 7369 3695.	[bug]		Address a possible race in dispatch.c. [RT #35107]
 7370 
 7371 3694.	[bug]		Warn when a key-directory is configured for a zone,
 7372 			but does not exist or is not a directory. [RT #35108]
 7373 
 7374 3693.	[security]	memcpy was incorrectly called with overlapping
 7375 			ranges resulting in malformed names being generated
 7376 			on some platforms.  This could cause INSIST failures
 7377 			when serving NSEC3 signed zones (CVE-2014-0591).
 7378 			[RT #35120]
 7379 
 7380 3692.	[bug]		Two calls to dns_db_getoriginnode were fatal if there
 7381 			was no data at the node. [RT #35080]
 7382 
 7383 3691.	[contrib]	Address null pointer dereference in LDAP and
 7384 			MySQL DLZ modules.
 7385 
 7386 3690.	[bug]		Iterative responses could be missed when the source
 7387 			port for an upstream query was the same as the
 7388 			listener port (53). [RT #34925]
 7389 
 7390 3689.	[bug]		Fixed a bug causing an insecure delegation from one
 7391 			static-stub zone to another to fail with a broken
 7392 			trust chain. [RT #35081]
 7393 
 7394 3688.	[bug]		loadnode could return a freed node on out of memory.
 7395 			[RT #35106]
 7396 
 7397 3687.	[bug]		Address null pointer dereference in zone_xfrdone.
 7398 			[RT #35042]
 7399 
 7400 3686.	[func]		"dnssec-signzone -Q" drops signatures from keys
 7401 			that are still published but no longer active.
 7402 			[RT #34990]
 7403 
 7404 3685.	[bug]		"rndc refresh" didn't work correctly with slave
 7405 			zones using inline-signing. [RT #35105]
 7406 
 7407 3684.	[bug]		The list of included files would grow on reload.
 7408 			[RT 35090]
 7409 
 7410 3683.	[cleanup]	Add a more detailed "not found" message to rndc
 7411 			commands which specify a zone name. [RT #35059]
 7412 
 7413 3682.	[bug]		Correct the behavior of rndc retransfer to allow
 7414 			inline-signing slave zones to retain NSEC3 parameters
 7415 			instead of reverting to NSEC. [RT #34745]
 7416 
 7417 3681.	[port]		Update the Windows build system to support feature
 7418 			selection and WIN64 builds.  This is a work in
 7419 			progress. [RT #34160]
 7420 
 7421 3680.	[bug]		Ensure buffer space is available in "rndc zonestatus".
 7422 			[RT #35084]
 7423 
 7424 3679.	[bug]		dig could fail to clean up TCP sockets still
 7425 			waiting on connect(). [RT #35074]
 7426 
 7427 3678.	[port]		Update config.guess and config.sub. [RT #35060]
 7428 
 7429 3677.	[bug]		'nsupdate' leaked memory if 'realm' was used multiple
 7430 			times.  [RT #35073]
 7431 
 7432 3676.	[bug]		"named-checkconf -z" now checks zones of type
 7433 			hint and redirect as well as master. [RT #35046]
 7434 
 7435 3675.	[misc]		Provide a place for third parties to add version
 7436 			information for their extensions in the version
 7437 			file by setting the EXTENSIONS variable.
 7438 
 7439 	--- 9.10.0a1 released ---
 7440 
 7441 3674.	[bug]		RPZ zeroed ttls if the query type was '*'. [RT #35026]
 7442 
 7443 3673.	[func]		New "in-view" zone option allows direct sharing
 7444 			of zones between views. [RT #32968]
 7445 
 7446 3672.	[func]		Local address can now be specified when using
 7447 			dns_client API. [RT #34811]
 7448 
 7449 3671.	[bug]		Don't allow dnssec-importkey overwrite a existing
 7450 			non-imported private key.
 7451 
 7452 3670.	[bug]		Address read after free in server side of
 7453 			lwres_getrrsetbyname. [RT #29075]
 7454 
 7455 3669.	[port]		freebsd: --with-gssapi needs -lhx509. [RT #35001]
 7456 
 7457 3668.	[bug]		Fix cast in lex.c which could see 0xff treated as eof.
 7458 			[RT #34993]
 7459 
 7460 3667.	[test]		dig: add support to keep the TCP socket open between
 7461 			successive queries (+[no]keepopen).  [RT #34918]
 7462 
 7463 3666.	[func]		Add a tool, named-rrchecker, for checking the syntax
 7464 			of individual resource records.  This tool is intended
 7465 			to be called by provisioning systems so that the front
 7466 			end does not need to be upgraded to support new DNS
 7467 			record types. [RT #34778]
 7468 
 7469 3665.	[bug]		Failure to release lock on error in receive_secure_db.
 7470 			[RT #34944]
 7471 
 7472 3664.	[bug]		Updated OpenSSL PKCS#11 patches to fix active list
 7473 			locking and other bugs. [RT #34855]
 7474 
 7475 3663.	[bug]		Address bugs in dns_rdata_fromstruct and
 7476 			dns_rdata_tostruct for WKS and ISDN types. [RT #34910]
 7477 
 7478 3662.	[bug]		'host' could die if a UDP query timed out. [RT #34870]
 7479 
 7480 3661.	[bug]		Address lock order reversal deadlock with inline zones.
 7481 			[RT #34856]
 7482 
 7483 3660.	[cleanup]	Changed the name of "isc-config.sh" to "bind9-config".
 7484 			[RT #23825]
 7485 
 7486 3659.	[port]		solaris: don't add explicit dependencies/rules for
 7487 			python programs as make won't use the implicit rules.
 7488 			[RT #34835]
 7489 
 7490 3658.	[port]		linux: Address platform specific compilation issue
 7491 			when libcap-devel is installed. [RT #34838]
 7492 
 7493 3657.	[port]		Some readline clones don't accept NULL pointers when
 7494 			calling add_history. [RT #34842]
 7495 
 7496 3656.	[security]	Treat an all zero netmask as invalid when generating
 7497 			the localnets acl. (The prior behavior could
 7498 			allow unexpected matches when using some versions
 7499 			of Winsock: CVE-2013-6320.) [RT #34687]
 7500 
 7501 3655.	[cleanup]	Simplify TCP message processing when requesting a
 7502 			zone transfer.  [RT #34825]
 7503 
 7504 3654.	[bug]		Address race condition with manual notify requests.
 7505 			[RT #34806]
 7506 
 7507 3653.	[func]		Create delegations for all "children" of empty zones
 7508 			except "forward first". [RT #34826]
 7509 
 7510 3652.	[bug]		Address bug with rpz-drop policy. [RT #34816]
 7511 
 7512 3651.	[tuning]	Adjust when a master server is deemed unreachable.
 7513 			[RT #27075]
 7514 
 7515 3650.	[tuning]	Use separate rate limiting queues for refresh and
 7516 			notify requests. [RT #30589]
 7517 
 7518 3649.	[cleanup]	Include a comment in .nzf files, giving the name of
 7519 			the associated view. [RT #34765]
 7520 
 7521 3648.	[test]		Updated the ATF test framework to version 0.17.
 7522 			[RT #25627]
 7523 
 7524 3647.	[bug]		Address a race condition when shutting down a zone.
 7525 			[RT #34750]
 7526 
 7527 3646.	[bug]		Journal filename string could be set incorrectly,
 7528 			causing garbage in log messages. [RT #34738]
 7529 
 7530 3645.	[protocol]	Use case sensitive compression when responding to
 7531 			queries. [RT #34737]
 7532 
 7533 3644.	[protocol]	Check that EDNS subnet client options are well formed.
 7534 			[RT #34718]
 7535 
 7536 3643.	[doc]		Clarify RRL "slip" documentation.
 7537 
 7538 3642.	[func]		Allow externally generated DNSKEY to be imported
 7539 			into the DNSKEY management framework.  A new tool
 7540 			dnssec-importkey is used to do this. [RT #34698]
 7541 
 7542 3641.	[bug]		Handle changes to sig-validity-interval settings
 7543 			better. [RT #34625]
 7544 
 7545 3640.	[bug]		ndots was not being checked when searching.  Only
 7546 			continue searching on NXDOMAIN responses.  Add the
 7547 			ability to specify ndots to nslookup. [RT #34711]
 7548 
 7549 3639.	[bug]		Treat type 65533 (KEYDATA) as opaque except when used
 7550 			in a key zone. [RT #34238]
 7551 
 7552 3638.	[cleanup]	Add the ability to handle ENOPROTOOPT in case it is
 7553 			encountered. [RT #34668]
 7554 
 7555 3637.	[bug]		'allow-query-on' was checking the source address
 7556 			rather than the destination address. [RT #34590]
 7557 
 7558 3636.	[bug]		Automatic empty zones now behave better with
 7559 			forward only "zones" beneath them. [RT #34583]
 7560 
 7561 3635.	[bug]		Signatures were not being removed from a zone with
 7562 			only KSK keys for a algorithm. [RT #34439]
 7563 
 7564 3634.	[func]		Report build-id in rndc status. Report build-id
 7565 			when building from a git repository. [RT #20422]
 7566 
 7567 3633.	[cleanup]	Refactor OPT processing in named to make it easier
 7568 			to support new EDNS options. [RT #34414]
 7569 
 7570 3632.	[bug]		Signature from newly inactive keys were not being
 7571 			removed. [RT #32178]
 7572 
 7573 3631.	[bug]		Remove spurious warning about missing signatures when
 7574 			qtype is SIG. [RT #34600]
 7575 
 7576 3630.	[bug]		Ensure correct ID computation for MD5 keys. [RT #33033]
 7577 
 7578 3629.	[func]		Allow the printing of cryptographic fields in DNSSEC
 7579 			records by dig to be suppressed (dig +nocrypto).
 7580 			[RT #34534]
 7581 
 7582 3628.	[func]		Report DNSKEY key id's when dumping the cache.
 7583 			[RT #34533]
 7584 
 7585 3627.	[bug]		RPZ changes were not effective on slaves. [RT #34450]
 7586 
 7587 3626.	[func]		dig: NSID output now easier to read. [RT #21160]
 7588 
 7589 3625.	[bug]		Don't send notify messages to machines outside of the
 7590 			test setup.
 7591 
 7592 3624.	[bug]		Look for 'json_object_new_int64' when looking for a
 7593 			the json library. [RT #34449]
 7594 
 7595 3623.	[placeholder]
 7596 
 7597 3622.	[tuning]	Eliminate an unnecessary lock when incrementing
 7598 			cache statistics. [RT #34339]
 7599 
 7600 3621.	[security]	Incorrect bounds checking on private type 'keydata'
 7601 			can lead to a remotely triggerable REQUIRE failure
 7602 			(CVE-2013-4854). [RT #34238]
 7603 
 7604 3620.	[func]		Added "rpz-client-ip" policy triggers, enabling
 7605 			RPZ responses to be configured on the basis of
 7606 			the client IP address; this can be used, for
 7607 			example, to blacklist misbehaving recursive
 7608 			or stub resolvers. [RT #33605]
 7609 
 7610 3619.	[bug]		Fixed a bug in RPZ with "recursive-only no;"
 7611 			[RT #33776]
 7612 
 7613 3618.	[func]		"rndc reload" now checks modification times of
 7614 			include files as well as master files to determine
 7615 			whether to skip reloading a zone. [RT #33936]
 7616 
 7617 3617.	[bug]		Named was failing to answer queries during
 7618 			"rndc reload" [RT #34098]
 7619 
 7620 3616.	[bug]		Change #3613 was incomplete. [RT #34177]
 7621 
 7622 3615.	[cleanup]	"configure" now finishes by printing a summary
 7623 			of optional BIND features and whether they are
 7624 			active or inactive. ("configure --enable-full-report"
 7625 			increases the verbosity of the summary.) [RT #31777]
 7626 
 7627 3614.	[port]		Check for <linux/types.h>. [RT #34162]
 7628 
 7629 3613.	[bug]		named could crash when deleting inline-signing
 7630 			zones with "rndc delzone". [RT #34066]
 7631 
 7632 3612.	[port]		Check whether to use -ljson or -ljson-c. [RT #34115]
 7633 
 7634 3611.	[bug]		Improved resistance to a theoretical authentication
 7635 			attack based on differential timing.  [RT #33939]
 7636 
 7637 3610.	[cleanup]	win32: Some executables had been omitted from the
 7638 			installer. [RT #34116]
 7639 
 7640 3609.	[bug]		Corrected a possible deadlock in applications using
 7641 			the export version of the isc_app API. [RT #33967]
 7642 
 7643 3608.	[port]		win32: added todos.pl script to ensure all text files
 7644 			the win32 build depends on are converted to DOS
 7645 			newline format. [RT #22067]
 7646 
 7647 3607.	[bug]		dnssec-keygen had broken 'Invalid keyfile' error
 7648 			message. [RT #34045]
 7649 
 7650 3606.	[func]		"rndc flushtree" now flushes matching
 7651 			records in the address database and bad cache
 7652 			as well as the DNS cache. (Previously only the
 7653 			DNS cache was flushed.) [RT #33970]
 7654 
 7655 3605.	[port]		win32: Addressed several compatibility issues
 7656 			with newer versions of Visual Studio. [RT #33916]
 7657 
 7658 3604.	[bug]		Fixed a compile-time error when building with
 7659 			JSON but not XML. [RT #33959]
 7660 
 7661 3603.	[bug]		Install <isc/stat.h>. [RT #33956]
 7662 
 7663 3602.	[contrib]	Added DLZ Perl module, allowing Perl scripts to
 7664 			integrate with named and serve DNS data.
 7665 			(Contributed by John Eaglesham of Yahoo.)
 7666 
 7667 3601.	[bug]		Added to PKCS#11 openssl patches a value len
 7668 			attribute in DH derive key. [RT #33928]
 7669 
 7670 3600.	[cleanup]	dig: Fixed a typo in the warning output when receiving
 7671 			an oversized response. [RT #33910]
 7672 
 7673 3599.	[tuning]	Check for pointer equivalence in name comparisons.
 7674 			[RT #18125]
 7675 
 7676 3598.	[cleanup]	Improved portability of map file code. [RT #33820]
 7677 
 7678 3597.	[bug]		Ensure automatic-resigning heaps are reconstructed
 7679 			when loading zones in map format. [RT #33381]
 7680 
 7681 3596.	[port]		Updated win32 build documentation, added
 7682 			dnssec-verify. [RT #22067]
 7683 
 7684 3595.	[port]		win32: Fix build problems introduced by change #3550.
 7685 			[RT #33807]
 7686 
 7687 3594.	[maint]		Update config.guess and config.sub. [RT #33816]
 7688 
 7689 3593.	[func]		Update EDNS processing to better track remote server
 7690 			capabilities. [RT #30655]
 7691 
 7692 3592.	[doc]		Moved documentation of rndc command options to the
 7693 			rndc man page. [RT #33506]
 7694 
 7695 3591.	[func]		Use CRC-64 to detect map file corruption at load
 7696 			time. [RT #33746]
 7697 
 7698 3590.	[bug]		When using RRL on recursive servers, defer
 7699 			rate-limiting until after recursion is complete;
 7700 			also, use correct rcode for slipped NXDOMAIN
 7701 			responses.  [RT #33604]
 7702 
 7703 3589.	[func]		Report serial numbers in when starting zone transfers.
 7704 			Report accepted NOTIFY requests including serial.
 7705 			[RT #33037]
 7706 
 7707 3588.	[bug]		dig: addressed a memory leak in the sigchase code
 7708 			that could cause a shutdown crash.  [RT #33733]
 7709 
 7710 3587.	[func]		'named -g' now checks the logging configuration but
 7711 			does not use it. [RT #33473]
 7712 
 7713 3586.	[bug]		Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]
 7714 
 7715 3585.	[func]		"rndc delzone -clean" option removes zone files
 7716 			when deleting a zone. [RT #33570]
 7717 
 7718 3584.	[security]	Caching data from an incompletely signed zone could
 7719 			trigger an assertion failure in resolver.c
 7720 			(CVE-2013-3919). [RT #33690]
 7721 
 7722 3583.	[bug]		Address memory leak in GSS-API processing [RT #33574]
 7723 
 7724 3582.	[bug]		Silence false positive warning regarding missing file
 7725 			directive for inline slave zones.  [RT #33662]
 7726 
 7727 3581.	[bug]		Changed the tcp-listen-queue default to 10. [RT #33029]
 7728 
 7729 3580.	[bug]		Addressed a possible race in acache.c [RT #33602]
 7730 
 7731 3579.	[maint]		Updates to PKCS#11 openssl patches, supporting
 7732 			versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]
 7733 
 7734 3578.	[bug]		'rndc -c file' now fails if 'file' does not exist.
 7735 			[RT #33571]
 7736 
 7737 3577.	[bug]		Handle zero TTL values better. [RT #33411]
 7738 
 7739 3576.	[bug]		Address a shutdown race when validating. [RT #33573]
 7740 
 7741 3575.	[func]		Changed the logging category for RRL events from
 7742 			'queries' to 'query-errors'. [RT #33540]
 7743 
 7744 3574.	[doc]		The 'hostname' keyword was missing from server-id
 7745 			description in the named.conf man page. [RT #33476]
 7746 
 7747 3573.	[bug]		"rndc addzone" and "rndc delzone" incorrectly handled
 7748 			zone names containing punctuation marks and other
 7749 			nonstandard characters. [RT #33419]
 7750 
 7751 3572.	[func]		Threads are now enabled by default on most
 7752 			operating systems. [RT #25483]
 7753 
 7754 3571.	[bug]		Address race condition in dns_client_startresolve().
 7755 			[RT #33234]
 7756 
 7757 3570.	[bug]		Check internal pointers are valid when loading map
 7758 			files. [RT #33403]
 7759 
 7760 3569.	[contrib]	Ported mysql DLZ driver to dynamically-loadable
 7761 			module, and added multithread support. [RT #33394]
 7762 
 7763 3568.	[cleanup]	Add a product description line to the version file,
 7764 			to be reported by named -v/-V. [RT #33366]
 7765 
 7766 3567.	[bug]		Silence clang static analyzer warnings. [RT #33365]
 7767 
 7768 3566.	[func]		Log when forwarding updates to master. [RT #33240]
 7769 
 7770 3565.	[placeholder]
 7771 
 7772 3564.	[bug]		Improved handling of corrupted map files. [RT #33380]
 7773 
 7774 3563.	[contrib]	zone2sqlite failed with some table names. [RT #33375]
 7775 
 7776 3562.	[func]		Update map file header format to include a SHA-1 hash
 7777 			of the database content, so that corrupted map files
 7778 			can be rejected at load time. [RT #32459]
 7779 
 7780 3561.	[bug]		dig: issue a warning if an EDNS query returns FORMERR
 7781 			or NOTIMP.  Adjust usage message. [RT #33363]
 7782 
 7783 3560.	[bug]		isc-config.sh did not honor includedir and libdir
 7784 			when set via configure. [RT #33345]
 7785 
 7786 3559.	[func]		Check that both forms of Sender Policy Framework
 7787 			records exist or do not exist. [RT #33355]
 7788 
 7789 3558.	[bug]		IXFR of a DLZ stored zone was broken. [RT #33331]
 7790 
 7791 3557.	[bug]		Reloading redirect zones was broken. [RT #33292]
 7792 
 7793 3556.	[maint]		Added AAAA for D.ROOT-SERVERS.NET.
 7794 
 7795 3555.	[bug]		Address theoretical race conditions in acache.c
 7796 			(change #3553 was incomplete). [RT #33252]
 7797 
 7798 3554.	[bug]		RRL failed to correctly rate-limit upward
 7799 			referrals and failed to count dropped error
 7800 			responses in the statistics. [RT #33225]
 7801 
 7802 3553.	[bug]		Address suspected double free in acache. [RT #33252]
 7803 
 7804 3552.	[bug]		Wrong getopt option string for 'nsupdate -r'.
 7805 			[RT #33280]
 7806 
 7807 3551.	[bug]		resolver.querydscp[46] were uninitialized.  [RT #32686]
 7808 
 7809 3550.	[func]		Unified the internal and export versions of the
 7810 			BIND libraries, allowing external clients to use
 7811 			the same libraries as BIND. [RT #33131]
 7812 
 7813 3549.	[doc]		Documentation for "request-nsid" was missing.
 7814 			[RT #33153]
 7815 
 7816 3548.	[bug]		The NSID request code in resolver.c was broken
 7817 			resulting in invalid EDNS options being sent.
 7818 			[RT #33153]
 7819 
 7820 3547.	[bug]		Some malformed unknown rdata records were not properly
 7821 			detected and rejected. [RT #33129]
 7822 
 7823 3546.	[func]		Add EUI48 and EUI64 types. [RT #33082]
 7824 
 7825 3545.	[bug]		RRL slip behavior was incorrect when set to 1.
 7826 			[RT #33111]
 7827 
 7828 3544.	[contrib]	check5011.pl: Script to report the status of
 7829 			managed keys as recorded in managed-keys.bind.
 7830 			Contributed by Tony Finch <dot@dotat.at>
 7831 
 7832 3543.	[bug]		Update socket structure before attaching to socket
 7833 			manager after accept. [RT #33084]
 7834 
 7835 3542.	[placeholder]
 7836 
 7837 3541.	[bug]		Parts of libdns were not properly initialized when
 7838 			built in libexport mode. [RT #33028]
 7839 
 7840 3540.	[test]		libt_api: t_info and t_assert were not thread safe.
 7841 
 7842 3539.	[port]		win32: timestamp format didn't match other platforms.
 7843 
 7844 3538.	[test]		Running "make test" now requires loopback interfaces
 7845 			to be set up. [RT #32452]
 7846 
 7847 3537.	[tuning]	Slave zones, when updated, now send NOTIFY messages
 7848 			to peers before being dumped to disk rather than
 7849 			after. [RT #27242]
 7850 
 7851 3536.	[func]		Add support for setting Differentiated Services Code
 7852 			Point (DSCP) values in named.  Most configuration
 7853 			options which take a "port" option (e.g.,
 7854 			listen-on, forwarders, also-notify, masters,
 7855 			notify-source, etc) can now also take a "dscp"
 7856 			option specifying a code point for use with
 7857 			outgoing traffic, if supported by the underlying
 7858 			OS. [RT #27596]
 7859 
 7860 3535.	[bug]		Minor win32 cleanups. [RT #32962]
 7861 
 7862 3534.	[bug]		Extra text after an embedded NULL was ignored when
 7863 			parsing zone files. [RT #32699]
 7864 
 7865 3533.	[contrib]	query-loc-0.4.0: memory leaks. [RT #32960]
 7866 
 7867 3532.	[contrib]	zkt: fixed buffer overrun, resource leaks. [RT #32960]
 7868 
 7869 3531.	[bug]		win32: A uninitialized value could be returned on out
 7870 			of memory. [RT #32960]
 7871 
 7872 3530.	[contrib]	Better RTT tracking in queryperf. [RT #30128]
 7873 
 7874 3529.	[func]		Named now listens on both IPv4 and IPv6 interfaces
 7875 			by default.  Named previously only listened on IPv4
 7876 			interfaces by default unless named was running in
 7877 			IPv6 only mode.  [RT #32945]
 7878 
 7879 3528.	[func]		New "dnssec-coverage" command scans the timing
 7880 			metadata for a set of DNSSEC keys and reports if a
 7881 			lapse in signing coverage has been scheduled
 7882 			inadvertently. (Note: This tool depends on python;
 7883 			it will not be built or installed on systems that
 7884 			do not have a python interpreter.) [RT #28098]
 7885 
 7886 3527.	[compat]	Add a URI to allow applications to explicitly
 7887 			request a particular XML schema from the statistics
 7888 			channel, returning 404 if not supported. [RT #32481]
 7889 
 7890 3526.	[cleanup]	Set up dependencies for unit tests correctly during
 7891 			build. [RT #32803]
 7892 
 7893 3525.	[func]		Support for additional signing algorithms in rndc:
 7894 			hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
 7895 			The -A option to rndc-confgen can be used to
 7896 			select the algorithm for the generated key.
 7897 			(The default is still hmac-md5; this may
 7898 			change in a future release.) [RT #20363]
 7899 
 7900 3524.	[func]		Added an alternate statistics channel in JSON format,
 7901 			when the server is built with the json-c library:
 7902 			http://[address]:[port]/json. [RT #32630]
 7903 
 7904 3523.	[contrib]	Ported filesystem and ldap DLZ drivers to
 7905 			dynamically-loadable modules, and added the
 7906 			"wildcard" module based on a contribution from
 7907 			Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569]
 7908 
 7909 3522.	[bug]		DLZ lookups could fail to return SERVFAIL when
 7910 			they ought to. [RT #32685]
 7911 
 7912 3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]
 7913 
 7914 3520.	[bug]		'mctx' was not being referenced counted in some places
 7915 			where it should have been.  [RT #32794]
 7916 
 7917 3519.	[func]		Full replay protection via four-way handshake is
 7918 			now mandatory for rndc clients. Very old versions
 7919 			of rndc will no longer work. [RT #32798]
 7920 
 7921 3518.	[bug]		Increase the size of dns_rrl_key.s.rtype by one bit
 7922 			so that all dns_rrl_rtype_t enum values fit regardless
 7923 			of whether it is treated as signed or unsigned by
 7924 			the compiler. [RT #32792]
 7925 
 7926 3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]
 7927 
 7928 3516.	[placeholder]
 7929 
 7930 3515.	[port]		'%T' is not portable in strftime(). [RT #32763]
 7931 
 7932 3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
 7933 			rndc-confgen were too constrained. Keys up to 512
 7934 			bits are now allowed for most algorithms, and up
 7935 			to 1024 bits for hmac-sha384 and hmac-sha512.
 7936 			[RT #32753]
 7937 
 7938 3513.	[func]		"dig -u" prints times in microseconds rather than
 7939 			milliseconds. [RT #32704]
 7940 
 7941 3512.	[func]		"rndc validation check" reports the current status
 7942 			of DNSSEC validation. [RT #21397]
 7943 
 7944 3511.	[doc]		Improve documentation of redirect zones. [RT #32756]
 7945 
 7946 3510.	[func]		"rndc status" and XML statistics channel now report
 7947 			server start and reconfiguration times. [RT #21048]
 7948 
 7949 3509.	[cleanup]	Added a product line to version file to allow for
 7950 			easy naming of different products (BIND
 7951 			vs BIND ESV, for example). [RT #32755]
 7952 
 7953 3508.	[contrib]	queryperf was incorrectly rejecting the -T option.
 7954 			[RT #32338]
 7955 
 7956 3507.	[bug]		Statistics channel XSL had a glitch when attempting
 7957 			to chart query data before any queries had been
 7958 			received. [RT #32620]
 7959 
 7960 3506.	[func]		When setting "max-cache-size" and "max-acache-size",
 7961 			the keyword "unlimited" is no longer defined as equal
 7962 			to 4 gigabytes (except on 32-bit platforms); it
 7963 			means literally unlimited. [RT #32358]
 7964 
 7965 3505.	[bug]		When setting "max-cache-size" and "max-acache-size",
 7966 			larger values than 4 gigabytes could not be set
 7967 			explicitly, though larger sizes were available
 7968 			when setting cache size to 0. This has been
 7969 			corrected; the full range is now available.
 7970 			[RT #32358]
 7971 
 7972 3504.	[func]		Add support for ACLs based on geographic location,
 7973 			using MaxMind GeoIP databases. Based on code
 7974 			contributed by Ken Brownfield <kb@slide.com>.
 7975 			[RT #30681]
 7976 
 7977 3503.	[doc]		Clarify size_spec syntax. [RT #32449]
 7978 
 7979 3502.	[func]		zone-statistics: "no" is now a synonym for "none",
 7980 			instead of "terse". [RT #29165]
 7981 
 7982 3501.	[func]		zone-statistics now takes three options: full,
 7983 			terse, and none. "yes" and "no" are retained as
 7984 			synonyms for full and terse, respectively. [RT #29165]
 7985 
 7986 3500.	[security]	Support NAPTR regular expression validation on
 7987 			all platforms without using libregex, which
 7988 			can be vulnerable to memory exhaustion attack
 7989 			(CVE-2013-2266). [RT #32688]
 7990 
 7991 3499.	[doc]		Corrected ARM documentation of built-in zones.
 7992 			[RT #32694]
 7993 
 7994 3498.	[bug]		zone statistics for zones which matched a potential
 7995 			empty zone could have their zone-statistics setting
 7996 			overridden.
 7997 
 7998 3497.	[func]		When deleting a slave/stub zone using 'rndc delzone'
 7999 			report the files that were being used so they can
 8000 			be cleaned up if desired. [RT #27899]
 8001 
 8002 3496.	[placeholder]
 8003 
 8004 3495.	[func]		Support multiple response-policy zones (up to 32),
 8005 			while improving RPZ performance.  "response-policy"
 8006 			syntax now includes a "min-ns-dots" clause, with
 8007 			default 1, to exclude top-level domains from
 8008 			NSIP and NSDNAME checking. --enable-rpz-nsip and
 8009 			--enable-rpz-nsdname are now the default. [RT #32251]
 8010 
 8011 3494.	[func]		DNS RRL: Blunt the impact of DNS reflection and
 8012 			amplification attacks by rate-limiting substantially-
 8013 			identical responses. [RT #28130]
 8014 
 8015 3493.	[contrib]	Added BDBHPT dynamically-loadable DLZ module,
 8016 			contributed by Mark Goldfinch. [RT #32549]
 8017 
 8018 3492.	[bug]		Fixed a regression in zone loading performance
 8019 			due to lock contention. [RT #30399]
 8020 
 8021 3491.	[bug]		Slave zones using inline-signing must specify a
 8022 			file name. [RT #31946]
 8023 
 8024 3490.	[bug]		When logging RDATA during update, truncate if it's
 8025 			too long. [RT #32365]
 8026 
 8027 3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
 8028 			dns_dlzcreate() failed to properly initialize
 8029 			dlzdb.link.  When cloning a rdataset do not copy
 8030 			the link contents.  [RT #32651]
 8031 
 8032 3488.	[bug]		Use after free error with DH generated keys. [RT #32649]
 8033 
 8034 3487.	[bug]		Change 3444 was not complete.  There was a additional
 8035 			place where the NOQNAME proof needed to be saved.
 8036 			[RT #32629]
 8037 
 8038 3486.	[bug]		named could crash when using TKEY-negotiated keys
 8039 			that had been deleted and then recreated. [RT #32506]
 8040 
 8041 3485.	[cleanup]	Only compile openssl_gostlink.c if we support GOST.
 8042 
 8043 3484.	[bug]		Some statistics were incorrectly rendered in XML.
 8044 			[RT #32587]
 8045 
 8046 3483.	[placeholder]
 8047 
 8048 3482.	[func]		dig +nssearch now prints name servers that don't
 8049 			have address records (missing AAAA or A, or the name
 8050 			doesn't exist). [RT #29348]
 8051 
 8052 3481.	[cleanup]	Removed use of const const in atf.
 8053 
 8054 3480.	[bug]		Silence logging noise when setting up zone
 8055 			statistics. [RT #32525]
 8056 
 8057 3479.	[bug]		Address potential memory leaks in gssapi support
 8058 			code. [RT #32405]
 8059 
 8060 3478.	[port]		Fix a build failure in strict C99 environments
 8061 			[RT #32475]
 8062 
 8063 3477.	[func]		Expand logging when adding records via DDNS update
 8064 			[RT #32365]
 8065 
 8066 3476.	[bug]		"rndc zonestatus" could report a spurious "not
 8067 			found" error on inline-signing zones. [RT #29226]
 8068 
 8069 3475.	[cleanup]	Changed name of 'map' zone file format (previously
 8070 			'fast'). [RT #32458]
 8071 
 8072 3474.	[bug]		nsupdate could assert when the local and remote
 8073 			address families didn't match. [RT #22897]
 8074 
 8075 3473.	[bug]		dnssec-signzone/verify could incorrectly report
 8076 			an error condition due to an empty node above an
 8077 			opt-out delegation lacking an NSEC3. [RT #32072]
 8078 
 8079 3472.	[bug]		The active-connections counter in the socket
 8080 			statistics could underflow. [RT #31747]
 8081 
 8082 3471.	[bug]		The number of UDP dispatches now defaults to
 8083 			the number of CPUs even if -n has been set to
 8084 			a higher value. [RT #30964]
 8085 
 8086 3470.	[bug]		Slave zones could fail to dump when successfully
 8087 			refreshing after an initial failure. [RT #31276]
 8088 
 8089 3469.	[bug]		Handle DLZ lookup failures more gracefully. Improve
 8090 			backward compatibility between versions of DLZ dlopen
 8091 			API. [RT #32275]
 8092 
 8093 3468.	[security]	RPZ rules to generate A records (but not AAAA records)
 8094 			could trigger an assertion failure when used in
 8095 			conjunction with DNS64 (CVE-2012-5689). [RT #32141]
 8096 
 8097 3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
 8098 			to check for delete date < inactive date. [RT #31719]
 8099 
 8100 3466.	[contrib]	Corrected the DNS_CLIENTINFOMETHODS_VERSION check
 8101 			in DLZ example driver. [RT #32275]
 8102 
 8103 3465.	[bug]		Handle isolated reserved ports. [RT #31778]
 8104 
 8105 3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
 8106 			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]
 8107 
 8108 3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]
 8109 
 8110 3462.	[doc]		Clarify server selection behavior of dig when using
 8111 			-4 or -6 options. [RT #32181]
 8112 
 8113 3461.	[bug]		Negative responses could incorrectly have AD=1
 8114 			set. [RT #32237]
 8115 
 8116 3460.	[bug]		Only link against readline where needed. [RT #29810]
 8117 
 8118 3459.	[func]		Added -J option to named-checkzone/named-compilezone
 8119 			to specify the path to the journal file. [RT #30958]
 8120 
 8121 3458.	[bug]		Return FORMERR when presented with a overly long
 8122 			domain named in a request. [RT #29682]
 8123 
 8124 3457.	[protocol]	Add ILNP records (NID, LP, L32, L64). [RT #31836]
 8125 
 8126 3456.	[port]		g++47: ATF failed to compile. [RT #32012]
 8127 
 8128 3455.	[contrib]	queryperf: fix getopt option list. [RT #32338]
 8129 
 8130 3454.	[port]		sparc64: improve atomic support. [RT #25182]
 8131 
 8132 3453.	[bug]		'rndc addzone' of a zone with 'inline-signing yes;'
 8133 			failed. [RT #31960]
 8134 
 8135 3452.	[bug]		Accept duplicate singleton records. [RT #32329]
 8136 
 8137 3451.	[port]		Increase per thread stack size from 64K to 1M.
 8138 			[RT #32230]
 8139 
 8140 3450.	[bug]		Stop logfileconfig system test spam system logs.
 8141 			[RT #32315]
 8142 
 8143 3449.	[bug]		gen.c: use the pre-processor to construct format
 8144 			strings so that compiler can perform sanity checks;
 8145 			check the snprintf results. [RT #17576]
 8146 
 8147 3448.	[bug]		The allow-query-on ACL was not processed correctly.
 8148 			[RT #29486]
 8149 
 8150 3447.	[port]		Add support for libxml2-2.9.x [RT #32231]
 8151 
 8152 3446.	[port]		win32: Add source ID (see change #3400) to build.
 8153 			[RT #31683]
 8154 
 8155 3445.	[bug]		Warn about zone files with blank owner names
 8156 			immediately after $ORIGIN directives. [RT #31848]
 8157 
 8158 3444.	[bug]		The NOQNAME proof was not being returned from cached
 8159 			insecure responses. [RT #21409]
 8160 
 8161 3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
 8162 			rejected when generating keys. [RT #31927]
 8163 
 8164 3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
 8165 			change. [RT #32216]
 8166 
 8167 3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.
 8168 
 8169 3440.	[bug]		Reorder get_key_struct to not trigger a assertion when
 8170 			cleaning up due to out of memory error. [RT #32131]
 8171 
 8172 3439.	[placeholder]
 8173 
 8174 3438.	[bug]		Don't accept unknown data escape in quotes. [RT #32031]
 8175 
 8176 3437.	[bug]		isc_buffer_init -> isc_buffer_constinit to initialize
 8177 			buffers with constant data. [RT #32064]
 8178 
 8179 3436.	[bug]		Check malloc/calloc return values. [RT #32088]
 8180 
 8181 3435.	[bug]		Cross compilation support in configure was broken.
 8182 			[RT #32078]
 8183 
 8184 3434.	[bug]		Pass client info to the DLZ findzone() entry
 8185 			point in addition to lookup().  This makes it
 8186 			possible for a database to answer differently
 8187 			whether it's authoritative for a name depending
 8188 			on the address of the client.  [RT #31775]
 8189 
 8190 3433.	[bug]		dlz_findzone() did not correctly handle
 8191 			ISC_R_NOMORE. [RT #31172]
 8192 
 8193 3432.	[func]		Multiple DLZ databases can now be configured.
 8194 			DLZ databases are searched in the order configured,
 8195 			unless set to "search no", in which case a
 8196 			zone can be configured to be retrieved from a
 8197 			particular DLZ database by using a "dlz <name>"
 8198 			option in the zone statement.  DLZ databases can
 8199 			support type "master" and "redirect" zones.
 8200 			[RT #27597]
 8201 
 8202 3431.	[bug]		ddns-confgen: Some valid key algorithms were
 8203 			not accepted. [RT #31927]
 8204 
 8205 3430.	[bug]		win32: isc_time_formatISO8601 was missing the
 8206 			'T' between the date and time. [RT #32044]
 8207 
 8208 3429.	[bug]		dns_zone_getserial2 could a return success without
 8209 			returning a valid serial. [RT #32007]
 8210 
 8211 3428.	[cleanup]	dig: Add timezone to date output. [RT #2269]
 8212 
 8213 3427.	[bug]		dig +trace incorrectly displayed name server
 8214 			addresses instead of names. [RT #31641]
 8215 
 8216 3426.	[bug]		dnssec-checkds: Clearer output when records are not
 8217 			found. [RT #31968]
 8218 
 8219 3425.	[bug]		"acacheentry" reference counting was broken resulting
 8220 			in use after free. [RT #31908]
 8221 
 8222 3424.	[func]		dnssec-dsfromkey now emits the hash without spaces.
 8223 			[RT #31951]
 8224 
 8225 3423.	[bug]		"rndc signing -nsec3param" didn't accept the full
 8226 			range of possible values.  Address portability issues.
 8227 			[RT #31938]
 8228 
 8229 3422.	[bug]		Added a clear error message for when the SOA does not
 8230 			match the referral. [RT #31281]
 8231 
 8232 3421.	[bug]		Named loops when re-signing if all keys are offline.
 8233 			[RT #31916]
 8234 
 8235 3420.	[bug]		Address VPATH compilation issues. [RT #31879]
 8236 
 8237 3419.	[bug]		Memory leak on validation cancel. [RT #31869]
 8238 
 8239 3418.	[func]		New XML schema (version 3.0) for the statistics channel
 8240 			adds query type statistics at the zone level, and
 8241 			flattens the XML tree and uses compressed format to
 8242 			optimize parsing. Includes new XSL that permits
 8243 			charting via the Google Charts API on browsers that
 8244 			support javascript in XSL.  The old XML schema has been
 8245 			deprecated. [RT #30023]
 8246 
 8247 3417.	[placeholder]
 8248 
 8249 3416.	[bug]		Named could die on shutdown if running with 128 UDP
 8250 			dispatches per interface. [RT #31743]
 8251 
 8252 3415.	[bug]		named could die with a REQUIRE failure if a validation
 8253 			was canceled. [RT #31804]
 8254 
 8255 3414.	[bug]		Address locking issues found by Coverity. [RT #31626]
 8256 
 8257 3413.	[func]		Record the number of DNS64 AAAA RRsets that have been
 8258 			synthesized. [RT #27636]
 8259 
 8260 3412.	[bug]		Copy timeval structure from control message data.
 8261 			[RT #31548]
 8262 
 8263 3411.	[tuning]	Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
 8264 			to UDP. [RT #31690]
 8265 
 8266 3410.	[bug]		Addressed Coverity warnings. [RT #31626]
 8267 
 8268 3409.	[contrib]	contrib/dane/mkdane.sh: Tool to generate TLSA RR's
 8269 			from X.509 certificates, for use with DANE
 8270 			(DNS-based Authentication of Named Entities).
 8271 			[RT #30513]
 8272 
 8273 3408.	[bug]		Some DNSSEC-related options (update-check-ksk,
 8274 			dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
 8275 			are now legal in slave zones as long as
 8276 			inline-signing is in use. [RT #31078]
 8277 
 8278 3407.	[placeholder]
 8279 
 8280 3406.	[bug]		mem.c: Fix compilation errors when building with
 8281 			ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
 8282 			Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
 8283 
 8284 3405.	[bug]		Handle time going backwards in acache. [RT #31253]
 8285 
 8286 3404.	[bug]		dnssec-signzone: When re-signing a zone, remove
 8287 			RRSIG and NSEC records from nodes that used to be
 8288 			in-zone but are now below a zone cut. [RT #31556]
 8289 
 8290 3403.	[bug]		Silence noisy OpenSSL logging. [RT #31497]
 8291 
 8292 3402.	[test]		The IPv6 interface numbers used for system
 8293 			tests were incorrect on some platforms. [RT #25085]
 8294 
 8295 3401.	[bug]		Addressed Coverity warnings. [RT #31484]
 8296 
 8297 3400.	[cleanup]	"named -V" can now report a source ID string, defined
 8298 			in the "srcid" file in the build tree and normally set
 8299 			to the most recent git hash.  [RT #31494]
 8300 
 8301 3399.	[port]		netbsd: rename 'bool' parameter to avoid namespace
 8302 			clash.  [RT #31515]
 8303 
 8304 3398.	[bug]		SOA parameters were not being updated with inline
 8305 			signed zones if the zone was modified while the
 8306 			server was offline. [RT #29272]
 8307 
 8308 3397.	[bug]		dig crashed when using +nssearch with +tcp. [RT #25298]
 8309 
 8310 3396.	[bug]		OPT records were incorrectly removed from signed,
 8311 			truncated responses. [RT #31439]
 8312 
 8313 3395.	[protocol]	Add RFC 6598 reverse zones to built in empty zones
 8314 			list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
 8315 			[RT #31336]
 8316 
 8317 3394.	[bug]		Adjust 'successfully validated after lower casing
 8318 			signer' log level and category. [RT #31414]
 8319 
 8320 3393.	[bug]		'host -C' could core dump if REFUSED was received.
 8321 			[RT #31381]
 8322 
 8323 3392.	[func]		Keep statistics on REFUSED responses. [RT #31412]
 8324 
 8325 3391.	[bug]		A DNSKEY lookup that encountered a CNAME failed.
 8326 			[RT #31262]
 8327 
 8328 3390.	[bug]		Silence clang compiler warnings. [RT #30417]
 8329 
 8330 3389.	[bug]		Always return NOERROR (not 0) in TSIG. [RT #31275]
 8331 
 8332 3388.	[bug]		Fixed several Coverity warnings.
 8333 			Note: This change includes a fix for a bug that
 8334 			was subsequently determined to be an exploitable
 8335 			security vulnerability, CVE-2012-5688: named could
 8336 			die on specific queries with dns64 enabled.
 8337 			[RT #30996]
 8338 
 8339 3387.	[func]		DS digest can be disabled at runtime with
 8340 			disable-ds-digests. [RT #21581]
 8341 
 8342 3386.	[bug]		Address locking violation when generating new NSEC /
 8343 			NSEC3 chains. [RT #31224]
 8344 
 8345 3385.	[bug]		named-checkconf didn't detect missing master lists
 8346 			in also-notify clauses. [RT #30810]
 8347 
 8348 3384.	[bug]		Improved logging of crypto errors. [RT #30963]
 8349 
 8350 3383.	[security]	A certain combination of records in the RBT could
 8351 			cause named to hang while populating the additional
 8352 			section of a response. [RT #31090]
 8353 
 8354 3382.	[bug]		SOA query from slave used use-v6-udp-ports range,
 8355 			if set, regardless of the address family in use.
 8356 			[RT #24173]
 8357 
 8358 3381.	[contrib]	Update queryperf to support more RR types.
 8359 			[RT #30762]
 8360 
 8361 3380.	[bug]		named could die if a nonexistent master list was
 8362 			referenced in a also-notify. [RT #31004]
 8363 
 8364 3379.	[bug]		isc_interval_zero and isc_time_epoch should be
 8365 			"const (type)* const". [RT #31069]
 8366 
 8367 3378.	[bug]		Handle missing 'managed-keys-directory' better.
 8368 			[RT #30625]
 8369 
 8370 3377.	[bug]		Removed spurious newline from NSEC3 multiline
 8371 			output. [RT #31044]
 8372 
 8373 3376.	[bug]		Lack of EDNS support was being recorded without a
 8374 			successful response. [RT #30811]
 8375 
 8376 3375.	[bug]		'rndc dumpdb' failed on empty caches. [RT #30808]
 8377 
 8378 3374.	[bug]		isc_parse_uint32 failed to return a range error on
 8379 			systems with 64 bit longs. [RT #30232]
 8380 
 8381 3373.	[bug]		win32: open raw files in binary mode. [RT #30944]
 8382 
 8383 3372.	[bug]		Silence spurious "deleted from unreachable cache"
 8384 			messages.  [RT #30501]
 8385 
 8386 3371.	[bug]		AD=1 should behave like DO=1 when deciding whether to
 8387 			add NS RRsets to the additional section or not.
 8388 			[RT #30479]
 8389 
 8390 3370.	[bug]		Address use after free while shutting down. [RT #30241]
 8391 
 8392 3369.	[bug]		nsupdate terminated unexpectedly in interactive mode
 8393 			if built with readline support. [RT #29550]
 8394 
 8395 3368.	[bug]		<dns/iptable.h>, <dns/private.h> and <dns/zone.h>
 8396 			were not C++ safe.
 8397 
 8398 3367.	[bug]		dns_dnsseckey_create() result was not being checked.
 8399 			[RT #30685]
 8400 
 8401 3366.	[bug]		Fixed Read-After-Write dependency violation for IA64
 8402 			atomic operations. [RT #25181]
 8403 
 8404 3365.	[bug]		Removed spurious newlines from log messages in
 8405 			zone.c [RT #30675]
 8406 
 8407 3364.	[security]	Named could die on specially crafted record.
 8408 			[RT #30416]
 8409 
 8410 3363.	[bug]		Need to allow "forward" and "fowarders" options
 8411 			in static-stub zones; this had been overlooked.
 8412 			[RT #30482]
 8413 
 8414 3362.	[bug]		Setting some option values to 0 in named.conf
 8415 			could trigger an assertion failure on startup.
 8416 			[RT #27730]
 8417 
 8418 3361.	[bug]		"rndc signing -nsec3param" didn't work correctly
 8419 			when salt was set to '-' (no salt). [RT #30099]
 8420 
 8421 3360.	[bug]		'host -w' could die.  [RT #18723]
 8422 
 8423 3359.	[bug]		An improperly-formed TSIG secret could cause a
 8424 			memory leak. [RT #30607]
 8425 
 8426 3358.	[placeholder]
 8427 
 8428 3357.	[port]		Add support for libxml2-2.8.x [RT #30440]
 8429 
 8430 3356.	[bug]		Cap the TTL of signed RRsets when RRSIGs are
 8431 			approaching their expiry, so they don't remain
 8432 			in caches after expiry. [RT #26429]
 8433 
 8434 3355.	[port]		Use more portable awk in verify system test.
 8435 
 8436 3354.	[func]		Improve OpenSSL error logging. [RT #29932]
 8437 
 8438 3353.	[bug]		Use a single task for task exclusive operations.
 8439 			[RT #29872]
 8440 
 8441 3352.	[bug]		Ensure that learned server attributes timeout of the
 8442 			adb cache. [RT #29856]
 8443 
 8444 3351.	[bug]		isc_mem_put and isc_mem_putanddetach didn't report
 8445 			caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
 8446 			memory debugging flags are set. [RT #30243]
 8447 
 8448 3350.	[bug]		Memory read overrun in isc___mem_reallocate if
 8449 			ISC_MEM_DEBUGCTX memory debugging flag is set.
 8450 			[RT #30240]
 8451 
 8452 3349.	[bug]		Change #3345 was incomplete. [RT #30233]
 8453 
 8454 3348.	[bug]		Prevent RRSIG data from being cached if a negative
 8455 			record matching the covering type exists at a higher
 8456 			trust level. Such data already can't be retrieved from
 8457 			the cache since change 3218 -- this prevents it
 8458 			being inserted into the cache as well. [RT #26809]
 8459 
 8460 3347.	[bug]		dnssec-settime: Issue a warning when writing a new
 8461 			private key file would cause a change in the
 8462 			permissions of the existing file. [RT #27724]
 8463 
 8464 3346.	[security]	Bad-cache data could be used before it was
 8465 			initialized, causing an assert. [RT #30025]
 8466 
 8467 3345.	[bug]		Addressed race condition when removing the last item
 8468 			or inserting the first item in an ISC_QUEUE.
 8469 			[RT #29539]
 8470 
 8471 3344.	[func]		New "dnssec-checkds" command checks a zone to
 8472 			determine which DS records should be published
 8473 			in the parent zone, or which DLV records should be
 8474 			published in a DLV zone, and queries the DNS to
 8475 			ensure that it exists. (Note: This tool depends
 8476 			on python; it will not be built or installed on
 8477 			systems that do not have a python interpreter.)
 8478 			[RT #28099]
 8479 
 8480 3343.	[placeholder]
 8481 
 8482 3342.	[bug]		Change #3314 broke saving of stub zones to disk
 8483 			resulting in excessive cpu usage in some cases.
 8484 			[RT #29952]
 8485 
 8486 3341.	[func]		New "dnssec-verify" command checks a signed zone
 8487 			to ensure correctness of signatures and of NSEC/NSEC3
 8488 			chains. [RT #23673]
 8489 
 8490 3340.	[func]		Added new 'map' zone file format, which is an image
 8491 			of a zone database that can be loaded directly into
 8492 			memory via mmap(), allowing much faster zone loading.
 8493 			(Note: Because of pointer sizes and other
 8494 			considerations, this file format is platform-dependent;
 8495 			'map' zone files cannot always be transferred from one
 8496 			server to another.) [RT #25419]
 8497 
 8498 3339.	[func]		Allow the maximum supported rsa exponent size to be
 8499 			specified: "max-rsa-exponent-size <value>;" [RT #29228]
 8500 
 8501 3338.	[bug]		Address race condition in units tests: asyncload_zone
 8502 			and asyncload_zt. [RT #26100]
 8503 
 8504 3337.	[bug]		Change #3294 broke support for the multiple keys
 8505 			in controls. [RT #29694]
 8506 
 8507 3336.	[func]		Maintain statistics for RRsets tagged as "stale".
 8508 			[RT #29514]
 8509 
 8510 3335.	[func]		nslookup: return a nonzero exit code when unable
 8511 			to get an answer. [RT #29492]
 8512 
 8513 3334.	[bug]		Hold a zone table reference while performing a
 8514 			asynchronous load of a zone. [RT #28326]
 8515 
 8516 3333.	[bug]		Setting resolver-query-timeout too low can cause
 8517 			named to not recover if it loses connectivity.
 8518 			[RT #29623]
 8519 
 8520 3332.	[bug]		Re-use cached DS rrsets if possible. [RT #29446]
 8521 
 8522 3331.	[security]	dns_rdataslab_fromrdataset could produce bad
 8523 			rdataslabs. [RT #29644]
 8524 
 8525 3330.	[func]		Fix missing signatures on NOERROR results despite
 8526 			RPZ rewriting.  Also
 8527 			 - add optional "recursive-only yes|no" to the
 8528 			   response-policy statement
 8529 			 - add optional "max-policy-ttl" to the response-policy
 8530 			    statement to limit the false data that
 8531 			    "recursive-only no" can introduce into
 8532 			    resolvers' caches
 8533 			 - add a RPZ performance test to bin/tests/system/rpz
 8534 			     when queryperf is available.
 8535 			 - the encoding of PASSTHRU action to "rpz-passthru".
 8536 			     (The old encoding is still accepted.)
 8537 			[RT #26172]
 8538 
 8539 
 8540 3329.	[bug]		Handle RRSIG signer-name case consistently: We
 8541 			generate RRSIG records with the signer-name in
 8542 			lower case.  We accept them with any case, but if
 8543 			they fail to validate, we try again in lower case.
 8544 			[RT #27451]
 8545 
 8546 3328.	[bug]		Fixed inconsistent data checking in dst_parse.c.
 8547 			[RT #29401]
 8548 
 8549 3327.	[func]		Added 'filter-aaaa-on-v6' option; this is similar
 8550 			to 'filter-aaaa-on-v4' but applies to IPv6
 8551 			connections.  (Use "configure --enable-filter-aaaa"
 8552 			to enable this option.)  [RT #27308]
 8553 
 8554 3326.	[func]		Added task list statistics: task model, worker
 8555 			threads, quantum, tasks running, tasks ready.
 8556 			[RT #27678]
 8557 
 8558 3325.	[func]		Report cache statistics: memory use, number of
 8559 			nodes, number of hash buckets, hit and miss counts.
 8560 			[RT #27056]
 8561 
 8562 3324.	[test]		Add better tests for ADB stats [RT #27057]
 8563 
 8564 3323.	[func]		Report the number of buckets the resolver is using.
 8565 			[RT #27020]
 8566 
 8567 3322.	[func]		Monitor the number of active TCP and UDP dispatches.
 8568 			[RT #27055]
 8569 
 8570 3321.	[func]		Monitor the number of recursive fetches and the
 8571 			number of open sockets, and report these values in
 8572 			the statistics channel. [RT #27054]
 8573 
 8574 3320.	[func]		Added support for monitoring of recursing client
 8575 			count. [RT #27009]
 8576 
 8577 3319.	[func]		Added support for monitoring of ADB entry count and
 8578 			hash size. [RT #27057]
 8579 
 8580 3318.	[tuning]	Reduce the amount of work performed while holding a
 8581 			bucket lock when finished with a fetch context.
 8582 			[RT #29239]
 8583 
 8584 3317.	[func]		Add ECDSA support (RFC 6605). [RT #21918]
 8585 
 8586 3316.	[tuning]	Improved locking performance when recursing.
 8587 			[RT #28836]
 8588 
 8589 3315.	[tuning]	Use multiple dispatch objects for sending upstream
 8590 			queries; this can improve performance on busy
 8591 			multiprocessor systems by reducing lock contention.
 8592 			[RT #28605]
 8593 
 8594 3314.	[bug]		The masters list could be updated while stub_callback
 8595 			or refresh_callback were using it. [RT #26732]
 8596 
 8597 3313.	[protocol]	Add TLSA record type. [RT #28989]
 8598 
 8599 3312.	[bug]		named-checkconf didn't detect a bad dns64 clients acl.
 8600 			[RT #27631]
 8601 
 8602 3311.	[bug]		Abort the zone dump if zone->db is NULL in
 8603 			zone.c:zone_gotwritehandle. [RT #29028]
 8604 
 8605 3310.	[test]		Increase table size for mutex profiling. [RT #28809]
 8606 
 8607 3309.	[bug]		resolver.c:fctx_finddone() was not thread safe.
 8608 			[RT #27995]
 8609 
 8610 3308.	[placeholder]
 8611 
 8612 3307.	[bug]		Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
 8613 			[RT #28956]
 8614 
 8615 3306.	[bug]		Improve DNS64 reverse zone performance. [RT #28563]
 8616 
 8617 3305.	[func]		Add wire format lookup method to sdb. [RT #28563]
 8618 
 8619 3304.	[bug]		Use hmctx, not mctx when freeing rbtdb->heaps.
 8620 			[RT #28571]
 8621 
 8622 3303.	[bug]		named could die when reloading. [RT #28606]
 8623 
 8624 3302.	[bug]		dns_dnssec_findmatchingkeys could fail to find
 8625 			keys if the zone name contained character that
 8626 			required special mappings. [RT #28600]
 8627 
 8628 3301.	[contrib]	Update queryperf to build on darwin.  Add -R flag
 8629 			for non-recursive queries. [RT #28565]
 8630 
 8631 3300.	[bug]		Named could die if gssapi was enabled in named.conf
 8632 			but was not compiled in. [RT #28338]
 8633 
 8634 3299.	[bug]		Make SDB handle errors from database drivers better.
 8635 			[RT #28534]
 8636 
 8637 3298.	[bug]		Named could dereference a NULL pointer in
 8638 			zmgr_start_xfrin_ifquota if the zone was being removed.
 8639 			[RT #28419]
 8640 
 8641 3297.	[bug]		Named could die on a malformed master file. [RT #28467]
 8642 
 8643 3296.	[bug]		Named could die with a INSIST failure in
 8644 			client.c:exit_check. [RT #28346]
 8645 
 8646 3295.	[bug]		Adjust isc_time_secondsastimet range check to be more
 8647 			portable. [RT # 26542]
 8648 
 8649 3294.	[bug]		isccc/cc.c:table_fromwire failed to free alist on
 8650 			error. [RT #28265]
 8651 
 8652 3293.	[func]		nsupdate: list supported type. [RT #28261]
 8653 
 8654 3292.	[func]		Log messages in the axfr stream at debug 10.
 8655 			[RT #28040]
 8656 
 8657 3291.	[port]		Fixed a build error on systems without ENOTSUP.
 8658 			[RT #28200]
 8659 
 8660 3290.	[bug]		<isc/hmacsha.h> was not being installed. [RT #28169]
 8661 
 8662 3289.	[bug]		'rndc retransfer' failed for inline zones. [RT #28036]
 8663 
 8664 3288.	[bug]		dlz_destroy() function wasn't correctly registered
 8665 			by the DLZ dlopen driver. [RT #28056]
 8666 
 8667 3287.	[port]		Update ans.pl to work with Net::DNS 0.68. [RT #28028]
 8668 
 8669 3286.	[bug]		Managed key maintenance timer could fail to start
 8670 			after 'rndc reconfig'. [RT #26786]
 8671 
 8672 3285.	[bug]		val-frdataset was incorrectly disassociated in
 8673 			proveunsecure after calling startfinddlvsep.
 8674 			[RT #27928]
 8675 
 8676 3284.	[bug]		Address race conditions with the handling of
 8677 			rbtnode.deadlink. [RT #27738]
 8678 
 8679 3283.	[bug]		Raw zones with with more than 512 records in a RRset
 8680 			failed to load. [RT #27863]
 8681 
 8682 3282.	[bug]		Restrict the TTL of NS RRset to no more than that
 8683 			of the old NS RRset when replacing it.
 8684 			[RT #27792] [RT #27884]
 8685 
 8686 3281.	[bug]		SOA refresh queries could be treated as cancelled
 8687 			despite succeeding over the loopback interface.
 8688 			[RT #27782]
 8689 
 8690 3280.	[bug]		Potential double free of a rdataset on out of memory
 8691 			with DNS64. [RT #27762]
 8692 
 8693 3279.	[bug]		Hold a internal reference to the zone while performing
 8694 			a asynchronous load.  Address potential memory leak
 8695 			if the asynchronous is cancelled. [RT #27750]
 8696 
 8697 3278.	[bug]		Make sure automatic key maintenance is started
 8698 			when "auto-dnssec maintain" is turned on during
 8699 			"rndc reconfig". [RT #26805]
 8700 
 8701 3277.	[bug]		win32: isc_socket_dup is not implemented. [RT #27696]
 8702 
 8703 3276.	[bug]		win32: ns_os_openfile failed to return NULL on
 8704 			safe_open failure. [RT #27696]
 8705 
 8706 3275.	[bug]		Corrected rndc -h output; the 'rndc sync -clean'
 8707 			option had been misspelled as '-clear'.  (To avoid
 8708 			future confusion, both options now work.) [RT #27173]
 8709 
 8710 3274.	[placeholder]
 8711 
 8712 3273.	[bug]		AAAA responses could be returned in the additional
 8713 			section even when filter-aaaa-on-v4 was in use.
 8714 			[RT #27292]
 8715 
 8716 3272.	[func]		New "rndc zonestatus" command prints information
 8717 			about the specified zone. [RT #21671]
 8718 
 8719 3271.	[port]		darwin: mksymtbl is not always stable, loop several
 8720 			times before giving up.  mksymtbl was using non
 8721 			portable perl to covert 64 bit hex strings. [RT #27653]
 8722 
 8723 	--- 9.9.0rc2 released ---
 8724 
 8725 3270.	[bug]		"rndc reload" didn't reuse existing zones correctly
 8726 			when inline-signing was in use. [RT #27650]
 8727 
 8728 3269.	[port]		darwin 11 and later now built threaded by default.
 8729 
 8730 3268.	[bug]		Convert RRSIG expiry times to 64 timestamps to work
 8731 			out the earliest expiry time. [RT #23311]
 8732 
 8733 3267.	[bug]		Memory allocation failures could be mis-reported as
 8734 			unexpected error.  New ISC_R_UNSET result code.
 8735 			[RT #27336]
 8736 
 8737 3266.	[bug]		The maximum number of NSEC3 iterations for a
 8738 			DNSKEY RRset was not being properly computed.
 8739 			[RT #26543]
 8740 
 8741 3265.	[bug]		Corrected a problem with lock ordering in the
 8742 			inline-signing code. [RT #27557]
 8743 
 8744 3264.	[bug]		Automatic regeneration of signatures in an
 8745 			inline-signing zone could stall when the server
 8746 			was restarted. [RT #27344]
 8747 
 8748 3263.	[bug]		"rndc sync" did not affect the unsigned side of an
 8749 			inline-signing zone. [RT #27337]
 8750 
 8751 3262.	[bug]		Signed responses were handled incorrectly by RPZ.
 8752 			[RT #27316]
 8753 
 8754 3261.	[func]		RRset ordering now defaults to random. [RT #27174]
 8755 
 8756 3260.	[bug]		"rrset-order cyclic" could appear not to rotate
 8757 			for some query patterns.  [RT #27170/27185]
 8758 
 8759 	--- 9.9.0rc1 released ---
 8760 
 8761 3259.	[bug]		named-compilezone: Suppress "dump zone to <file>"
 8762 			message when writing to stdout. [RT #27109]
 8763 
 8764 3258.	[test]		Add "forcing full sign with unreadable keys" test.
 8765 			[RT #27153]
 8766 
 8767 3257.	[bug]		Do not generate a error message when calling fsync()
 8768 			in a pipe or socket. [RT #27109]
 8769 
 8770 3256.	[bug]		Disable empty zones for lwresd -C. [RT #27139]
 8771 
 8772 3255.	[func]		No longer require that a empty zones be explicitly
 8773 			enabled or that a empty zone is disabled for
 8774 			RFC 1918 empty zones to be configured. [RT #27139]
 8775 
 8776 3254.	[bug]		Set isc_socket_ipv6only() on the IPv6 control channels.
 8777 			[RT #22249]
 8778 
 8779 3253.	[bug]		Return DNS_R_SYNTAX when the input to a text field is
 8780 			too long. [RT #26956]
 8781 
 8782 3252.	[bug]		When master zones using inline-signing were
 8783 			updated while the server was offline, the source
 8784 			zone could fall out of sync with the signed
 8785 			copy. They can now resynchronize. [RT #26676]
 8786 
 8787 3251.	[bug]		Enforce a upper bound (65535 bytes) on the amount of
 8788 			memory dns_sdlz_putrr() can allocate per record to
 8789 			prevent run away memory consumption on ISC_R_NOSPACE.
 8790 			[RT #26956]
 8791 
 8792 3250.	[func]		'configure --enable-developer'; turn on various
 8793 			configure options, normally off by default, that
 8794 			we want developers to build and test with. [RT #27103]
 8795 
 8796 3249.	[bug]		Update log message when saving slave zones files for
 8797 			analysis after load failures. [RT #27087]
 8798 
 8799 3248.	[bug]		Configure options --enable-fixed-rrset and
 8800 			--enable-exportlib were incompatible with each
 8801 			other. [RT #27087]
 8802 
 8803 3247.	[bug]		'raw' format zones failed to preserve load order
 8804 			breaking 'fixed' sort order. [RT #27087]
 8805 
 8806 3246.	[bug]		Named failed to start with a empty also-notify list.
 8807 			[RT #27087]
 8808 
 8809 3245.	[bug]		Don't report a error unchanged serials unless there
 8810 			were other changes when thawing a zone with
 8811 			ixfr-fromdifferences. [RT #26845]
 8812 
 8813 3244.	[func]		Added readline support to nslookup and nsupdate.
 8814 			Also simplified nsupdate syntax to make "update"
 8815 			and "prereq" optional. [RT #24659]
 8816 
 8817 3243.	[port]		freebsd,netbsd,bsdi: the thread defaults were not
 8818 			being properly set.
 8819 
 8820 3242.	[func]		Extended the header of raw-format master files to
 8821 			include the serial number of the zone from which
 8822 			they were generated, if different (as in the case
 8823 			of inline-signing zones).  This is to be used in
 8824 			inline-signing zones, to track changes between the
 8825 			unsigned and signed versions of the zone, which may
 8826 			have different serial numbers.
 8827 
 8828 			(Note: raw zonefiles generated by this version of
 8829 			BIND are no longer compatible with prior versions.
 8830 			To generate a backward-compatible raw zonefile
 8831 			using dnssec-signzone or named-compilezone, specify
 8832 			output format "raw=0" instead of simply "raw".)
 8833 			[RT #26587]
 8834 
 8835 3241.	[bug]		Address race conditions in the resolver code.
 8836 			[RT #26889]
 8837 
 8838 3240.	[bug]		DNSKEY state change events could be missed. [RT #26874]
 8839 
 8840 3239.	[bug]		dns_dnssec_findmatchingkeys needs to use a consistent
 8841 			timestamp. [RT #26883]
 8842 
 8843 3238.	[bug]		keyrdata was not being reinitialized in
 8844 			lib/dns/rbtdb.c:iszonesecure. [RT #26913]
 8845 
 8846 3237.	[bug]		dig -6 didn't work with +trace. [RT #26906]
 8847 
 8848 3236.	[bug]		Backed out changes #3182 and #3202, related to
 8849 			EDNS(0) fallback behavior. [RT #26416]
 8850 
 8851 3235.	[func]		dns_db_diffx, a extended dns_db_diff which returns
 8852 			the generated diff and optionally writes it to a
 8853 			journal. [RT #26386]
 8854 
 8855 3234.	[bug]		'make depend' produced invalid makefiles. [RT #26830]
 8856 
 8857 3233.	[bug]		'rndc freeze/thaw' didn't work for inline zones.
 8858 			[RT #26632]
 8859 
 8860 3232.	[bug]		Zero zone->curmaster before return in
 8861 			dns_zone_setmasterswithkeys(). [RT #26732]
 8862 
 8863 3231.	[bug]		named could fail to send a incompressible zone.
 8864 			[RT #26796]
 8865 
 8866 3230.	[bug]		'dig axfr' failed to properly handle a multi-message
 8867 			axfr with a serial of 0. [RT #26796]
 8868 
 8869 3229.	[bug]		Fix local variable to struct var assignment
 8870 			found by CLANG warning.
 8871 
 8872 3228.	[tuning]	Dynamically grow symbol table to improve zone
 8873 			loading performance. [RT #26523]
 8874 
 8875 3227.	[bug]		Interim fix to make WKS's use of getprotobyname()
 8876 			and getservbyname() self thread safe. [RT #26232]
 8877 
 8878 3226.	[bug]		Address minor resource leakages. [RT #26624]
 8879 
 8880 3225.	[bug]		Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
 8881 			messages. [RT #26507]
 8882 
 8883 3224.	[bug]		'rndc signing' argument parsing was broken. [RT #26684]
 8884 
 8885 3223.	[bug]		'task_test privilege_drop' generated false positives.
 8886 			[RT #26766]
 8887 
 8888 3222.	[cleanup]	Replace dns_journal_{get,set}_bitws with
 8889 			dns_journal_{get,set}_sourceserial. [RT #26634]
 8890 
 8891 3221.	[bug]		Fixed a potential core dump on shutdown due to
 8892 			referencing fetch context after it's been freed.
 8893 			[RT #26720]
 8894 
 8895 	--- 9.9.0b2 released ---
 8896 
 8897 3220.	[bug]		Change #3186 was incomplete; dns_db_rpz_findips()
 8898 			could fail to set the database version correctly,
 8899 			causing an assertion failure. [RT #26180]
 8900 
 8901 3219.	[bug]		Disable NOEDNS caching following a timeout.
 8902 
 8903 3218.	[security]	Cache lookup could return RRSIG data associated with
 8904 			nonexistent records, leading to an assertion
 8905 			failure. [RT #26590]
 8906 
 8907 3217.	[cleanup]	Fix build problem with --disable-static. [RT #26476]
 8908 
 8909 3216.	[bug]		resolver.c:validated() was not thread-safe. [RT #26478]
 8910 
 8911 3215.	[bug]		'rndc recursing' could cause a core dump. [RT #26495]
 8912 
 8913 3214.	[func]		Add 'named -U' option to set the number of UDP
 8914 			listener threads per interface. [RT #26485]
 8915 
 8916 3213.	[doc]		Clarify ixfr-from-differences behavior. [RT #25188]
 8917 
 8918 3212.	[bug]		rbtdb.c: failed to remove a node from the deadnodes
 8919 			list prior to adding a reference to it leading a
 8920 			possible assertion failure. [RT #23219]
 8921 
 8922 3211.	[func]		dnssec-signzone: "-f -" prints to stdout; "-O full"
 8923 			option prints in single-line-per-record format.
 8924 			[RT #20287]
 8925 
 8926 3210.	[bug]		Canceling the oldest query due to recursive-client
 8927 			overload could trigger an assertion failure. [RT #26463]
 8928 
 8929 3209.	[func]		Add "dnssec-lookaside 'no'".  [RT #24858]
 8930 
 8931 3208.	[bug]		'dig -y' handle unknown tsig algorithm better.
 8932 			[RT #25522]
 8933 
 8934 3207.	[contrib]	Fixed build error in Berkeley DB DLZ module. [RT #26444]
 8935 
 8936 3206.	[cleanup]	Add ISC information to log at start time. [RT #25484]
 8937 
 8938 3205.	[func]		Upgrade dig's defaults to better reflect modern
 8939 			nameserver behavior.  Enable "dig +adflag" and
 8940 			"dig +edns=0" by default.  Enable "+dnssec" when
 8941 			running "dig +trace". [RT #23497]
 8942 
 8943 3204.	[bug]		When a master server that has been marked as
 8944 			unreachable sends a NOTIFY, mark it reachable
 8945 			again. [RT #25960]
 8946 
 8947 3203.	[bug]		Increase log level to 'info' for validation failures
 8948 			from expired or not-yet-valid RRSIGs. [RT #21796]
 8949 
 8950 3202.	[bug]		NOEDNS caching on timeout was too aggressive.
 8951 			[RT #26416]
 8952 
 8953 3201.	[func]		'rndc querylog' can now be given an on/off parameter
 8954 			instead of only being used as a toggle. [RT #18351]
 8955 
 8956 3200.	[doc]		Some rndc functions were undocumented or were
 8957 			missing from 'rndc -h' output. [RT #25555]
 8958 
 8959 3199.	[func]		When logging client information, include the name
 8960 			being queried. [RT #25944]
 8961 
 8962 3198.	[doc]		Clarified that dnssec-settime can alter keyfile
 8963 			permissions. [RT #24866]
 8964 
 8965 3197.	[bug]		Don't try to log the filename and line number when
 8966 			the config parser can't open a file. [RT #22263]
 8967 
 8968 3196.	[bug]		nsupdate: return nonzero exit code when target zone
 8969 			doesn't exist. [RT #25783]
 8970 
 8971 3195.	[cleanup]	Silence "file not found" warnings when loading
 8972 			managed-keys zone. [RT #26340]
 8973 
 8974 3194.	[doc]		Updated RFC references in the 'empty-zones-enable'
 8975 			documentation. [RT #25203]
 8976 
 8977 3193.	[cleanup]	Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
 8978 			dnssec.h. [RT #26415]
 8979 
 8980 3192.	[bug]		A query structure could be used after being freed.
 8981 			[RT #22208]
 8982 
 8983 3191.	[bug]		Print NULL records using "unknown" format. [RT #26392]
 8984 
 8985 3190.	[bug]		Underflow in error handling in isc_mutexblock_init.
 8986 			[RT #26397]
 8987 
 8988 3189.	[test]		Added a summary report after system tests. [RT #25517]
 8989 
 8990 3188.	[bug]		zone.c:zone_refreshkeys() could fail to detach
 8991 			references correctly when errors occurred, causing
 8992 			a hang on shutdown. [RT #26372]
 8993 
 8994 3187.	[port]		win32: support for Visual Studio 2008.  [RT #26356]
 8995 
 8996 	--- 9.9.0b1 released ---
 8997 
 8998 3186.	[bug]		Version/db mismatch in rpz code. [RT #26180]
 8999 
 9000 3185.	[func]		New 'rndc signing' option for auto-dnssec zones:
 9001 			 - 'rndc signing -list' displays the current
 9002 			   state of signing operations
 9003 			 - 'rndc signing -clear' clears the signing state
 9004 			   records for keys that have fully signed the zone
 9005 			 - 'rndc signing -nsec3param' sets the NSEC3
 9006 			   parameters for the zone
 9007 			The 'rndc keydone' syntax is removed. [RT #23729]
 9008 
 9009 3184.	[bug]		named had excessive cpu usage when a redirect zone was
 9010 			configured. [RT #26013]
 9011 
 9012 3183.	[bug]		Added RTLD_GLOBAL flag to dlopen call. [RT #26301]
 9013 
 9014 3182.	[bug]		Auth servers behind firewalls which block packets
 9015 			greater than 512 bytes may cause other servers to
 9016 			perform poorly. Now, adb retains edns information
 9017 			and caches noedns servers. [RT #23392/24964]
 9018 
 9019 3181.	[func]		Inline-signing is now supported for master zones.
 9020 			[RT #26224]
 9021 
 9022 3180.	[func]		Local copies of slave zones are now saved in raw
 9023 			format by default, to improve startup performance.
 9024 			'masterfile-format text;' can be used to override
 9025 			the default, if desired. [RT #25867]
 9026 
 9027 3179.	[port]		kfreebsd: build issues. [RT #26273]
 9028 
 9029 3178.	[bug]		A race condition introduced by change #3163 could
 9030 			cause an assertion failure on shutdown. [RT #26271]
 9031 
 9032 3177.	[func]		'rndc keydone', remove the indicator record that
 9033 			named has finished signing the zone with the
 9034 			corresponding key.  [RT #26206]
 9035 
 9036 3176.	[doc]		Corrected example code and added a README to the
 9037 			sample external DLZ module in contrib/dlz/example.
 9038 			[RT #26215]
 9039 
 9040 3175.	[bug]		Fix how DNSSEC positive wildcard responses from a
 9041 			NSEC3 signed zone are validated.  Stop sending a
 9042 			unnecessary NSEC3 record when generating such
 9043 			responses. [RT #26200]
 9044 
 9045 3174.	[bug]		Always compute to revoked key tag from scratch.
 9046 			[RT #26186]
 9047 
 9048 3173.	[port]		Correctly validate root DS responses. [RT #25726]
 9049 
 9050 3172.	[port]		darwin 10.* and freebsd [89] are now built threaded by
 9051 			default.
 9052 
 9053 3171.	[bug]		Exclusively lock the task when adding a zone using
 9054 			'rndc addzone'.  [RT #25600]
 9055 
 9056 	--- 9.9.0a3 released ---
 9057 
 9058 3170.	[func]		RPZ update:
 9059 			- fix precedence among competing rules
 9060 			- improve ARM text including documenting rule precedence
 9061 			- try to rewrite CNAME chains until first hit
 9062 			- new "rpz" logging channel
 9063 			- RDATA for CNAME rules can include wildcards
 9064 			- replace "NO-OP" named.conf policy override with
 9065 			  "PASSTHRU" and add "DISABLED" override ("NO-OP"
 9066 			  is still recognized)
 9067 			[RT #25172]
 9068 
 9069 3169.	[func]		Catch db/version mis-matches when calling dns_db_*().
 9070 			[RT #26017]
 9071 
 9072 3168.	[bug]		Nxdomain redirection could trigger an assert with
 9073 			a ANY query. [RT #26017]
 9074 
 9075 3167.	[bug]		Negative answers from forwarders were not being
 9076 			correctly tagged making them appear to not be cached.
 9077 			[RT #25380]
 9078 
 9079 3166.	[bug]		Upgrading a zone to support inline-signing failed.
 9080 			[RT #26014]
 9081 
 9082 3165.	[bug]		dnssec-signzone could generate new signatures when
 9083 			resigning, even when valid signatures were already
 9084 			present. [RT #26025]
 9085 
 9086 3164.	[func]		Enable DLZ modules to retrieve client information,
 9087 			so that responses can be changed depending on the
 9088 			source address of the query. [RT #25768]
 9089 
 9090 3163.	[bug]		Use finer-grained locking in client.c to address
 9091 			concurrency problems with large numbers of threads.
 9092 			[RT #26044]
 9093 
 9094 3162.	[test]		start.pl: modified to allow for "named.args" in
 9095 			ns*/ subdirectory to override stock arguments to
 9096 			named. Largely from RT #26044, but no separate ticket.
 9097 
 9098 3161.	[bug]		zone.c:del_sigs failed to always reset rdata leading
 9099 			assertion failures. [RT #25880]
 9100 
 9101 3160.	[bug]		When printing out a NSEC3 record in multiline form
 9102 			the newline was not being printed causing type codes
 9103 			to be run together. [RT #25873]
 9104 
 9105 3159.	[bug]		On some platforms, named could assert on startup
 9106 			when running in a chrooted environment without
 9107 			/proc. [RT #25863]
 9108 
 9109 3158.	[bug]		Recursive servers would prefer a particular UDP
 9110 			socket instead of using all available sockets.
 9111 			[RT #26038]
 9112 
 9113 3157.	[tuning]	Reduce the time spent in "rndc reconfig" by parsing
 9114 			the config file before pausing the server. [RT #21373]
 9115 
 9116 3156.	[placeholder]
 9117 
 9118 	--- 9.9.0a2 released ---
 9119 
 9120 3155.	[bug]		Fixed a build failure when using contrib DLZ
 9121 			drivers (e.g., mysql, postgresql, etc). [RT #25710]
 9122 
 9123 3154.	[bug]		Attempting to print an empty rdataset could trigger
 9124 			an assert. [RT #25452]
 9125 
 9126 3153.	[func]		Extend request-ixfr to zone level and remove the
 9127 			side effect of forcing an AXFR. [RT #25156]
 9128 
 9129 3152.	[cleanup]	Some versions of gcc and clang failed due to
 9130 			incorrect use of __builtin_expect. [RT #25183]
 9131 
 9132 3151.	[bug]		Queries for type RRSIG or SIG could be handled
 9133 			incorrectly.  [RT #21050]
 9134 
 9135 3150.	[func]		Improved startup and reconfiguration time by
 9136 			enabling zones to load in multiple threads. [RT #25333]
 9137 
 9138 3149.	[placeholder]
 9139 
 9140 3148.	[bug]		Processing of normal queries could be stalled when
 9141 			forwarding a UPDATE message. [RT #24711]
 9142 
 9143 3147.	[func]		Initial inline signing support.  [RT #23657]
 9144 
 9145 	--- 9.9.0a1 released ---
 9146 
 9147 3146.	[test]		Fixed gcc4.6.0 errors in ATF. [RT #25598]
 9148 
 9149 3145.	[test]		Capture output of ATF unit tests in "./atf.out" if
 9150 			there were any errors while running them. [RT #25527]
 9151 
 9152 3144.	[bug]		dns_dbiterator_seek() could trigger an assert when
 9153 			used with a nonexistent database node. [RT #25358]
 9154 
 9155 3143.	[bug]		Silence clang compiler warnings. [RT #25174]
 9156 
 9157 3142.	[bug]		NAPTR is class agnostic. [RT #25429]
 9158 
 9159 3141.	[bug]		Silence spurious "zone serial (0) unchanged" messages
 9160 			associated with empty zones. [RT #25079]
 9161 
 9162 3140.	[func]		New command "rndc flushtree <name>" clears the
 9163 			specified name from the server cache along with
 9164 			all names under it. [RT #19970]
 9165 
 9166 3139.	[test]		Added tests from RFC 6234, RFC 2202, and RFC 1321
 9167 			for the hashing algorithms (md5, sha1 - sha512, and
 9168 			their hmac counterparts).  [RT #25067]
 9169 
 9170 3138.	[bug]		Address memory leaks and out-of-order operations when
 9171 			shutting named down. [RT #25210]
 9172 
 9173 3137.	[func]		Improve hardware scalability by allowing multiple
 9174 			worker threads to process incoming UDP packets.
 9175 			This can significantly increase query throughput
 9176 			on some systems.  [RT #22992]
 9177 
 9178 3136.	[func]		Add RFC 1918 reverse zones to the list of built-in
 9179 			empty zones switched on by the 'empty-zones-enable'
 9180 			option. [RT #24990]
 9181 
 9182 3135.	[port]		FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
 9183 			See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
 9184 			[RT #24950]
 9185 
 9186 3134.	[bug]		Improve the accuracy of dnssec-signzone's signing
 9187 			statistics. [RT #16030]
 9188 
 9189 3133.	[bug]		Change #3114 was incomplete. [RT #24577]
 9190 
 9191 3132.	[placeholder]
 9192 
 9193 3131.	[tuning]	Improve scalability by allocating one zone task
 9194 			per 100 zones at startup time, rather than using a
 9195 			fixed-size task table. [RT #24406]
 9196 
 9197 3130.	[func]		Support alternate methods for managing a dynamic
 9198 			zone's serial number.  Two methods are currently
 9199 			defined using serial-update-method, "increment"
 9200 			(default) and "unixtime".  [RT #23849]
 9201 
 9202 3129.	[bug]		Named could crash on 'rndc reconfig' when
 9203 			allow-new-zones was set to yes and named ACLs
 9204 			were used. [RT #22739]
 9205 
 9206 3128.	[func]		Inserting an NSEC3PARAM via dynamic update in an
 9207 			auto-dnssec zone that has not been signed yet
 9208 			will cause it to be signed with the specified NSEC3
 9209 			parameters when keys are activated.  The
 9210 			NSEC3PARAM record will not appear in the zone until
 9211 			it is signed, but the parameters will be stored.
 9212 			[RT #23684]
 9213 
 9214 3127.	[bug]		'rndc thaw' will now remove a zone's journal file
 9215 			if the zone serial number has been changed and
 9216 			ixfr-from-differences is not in use.  [RT #24687]
 9217 
 9218 3126.	[security]	Using DNAME record to generate replacements caused
 9219 			RPZ to exit with a assertion failure. [RT #24766]
 9220 
 9221 3125.	[security]	Using wildcard CNAME records as a replacement with
 9222 			RPZ caused named to exit with a assertion failure.
 9223 			[RT #24715]
 9224 
 9225 3124.	[bug]		Use an rdataset attribute flag to indicate
 9226 			negative-cache records rather than using rrtype 0;
 9227 			this will prevent problems when that rrtype is
 9228 			used in actual DNS packets. [RT #24777]
 9229 
 9230 3123.	[security]	Change #2912 exposed a latent flaw in
 9231 			dns_rdataset_totext() that could cause named to
 9232 			crash with an assertion failure. [RT #24777]
 9233 
 9234 3122.	[cleanup]	dnssec-settime: corrected usage message. [RT #24664]
 9235 
 9236 3121.	[security]	An authoritative name server sending a negative
 9237 			response containing a very large RRset could
 9238 			trigger an off-by-one error in the ncache code
 9239 			and crash named. [RT #24650]
 9240 
 9241 3120.	[bug]		Named could fail to validate zones listed in a DLV
 9242 			that validated insecure without using DLV and had
 9243 			DS records in the parent zone. [RT #24631]
 9244 
 9245 3119.	[bug]		When rolling to a new DNSSEC key, a private-type
 9246 			record could be created and never marked complete.
 9247 			[RT #23253]
 9248 
 9249 3118.	[bug]		nsupdate could dump core on shutdown when using
 9250 			SIG(0) keys. [RT #24604]
 9251 
 9252 3117.	[cleanup]	Remove doc and parser references to the
 9253 			never-implemented 'auto-dnssec create' option.
 9254 			[RT #24533]
 9255 
 9256 3116.	[func]		New 'dnssec-update-mode' option controls updates
 9257 			of DNSSEC records in signed dynamic zones.  Set to
 9258 			'no-resign' to disable automatic RRSIG regeneration
 9259 			while retaining the ability to sign new or changed
 9260 			data. [RT #24533]
 9261 
 9262 3115.	[bug]		Named could fail to return requested data when
 9263 			following a CNAME that points into the same zone.
 9264 			[RT #24455]
 9265 
 9266 3114.	[bug]		Retain expired RRSIGs in dynamic zones if key is
 9267 			inactive and there is no replacement key. [RT #23136]
 9268 
 9269 3113.	[doc]		Document the relationship between serial-query-rate
 9270 			and NOTIFY messages.
 9271 
 9272 3112.	[doc]		Add missing descriptions of the update policy name
 9273 			types "ms-self", "ms-subdomain", "krb5-self" and
 9274 			"krb5-subdomain", which allow machines to update
 9275 			their own records, to the BIND 9 ARM.
 9276 
 9277 3111.	[bug]		Improved consistency checks for dnssec-enable and
 9278 			dnssec-validation, added test cases to the
 9279 			checkconf system test. [RT #24398]
 9280 
 9281 3110.	[bug]		dnssec-signzone: Wrong error message could appear
 9282 			when attempting to sign with no KSK. [RT #24369]
 9283 
 9284 3109.	[func]		The also-notify option now uses the same syntax
 9285 			as a zone's masters clause.  This means it is
 9286 			now possible to specify a TSIG key to use when
 9287 			sending notifies to a given server, or to include
 9288 			an explicit named masters list in an also-notify
 9289 			statement.  [RT #23508]
 9290 
 9291 3108.	[cleanup]	dnssec-signzone: Clarified some error and
 9292 			warning messages; removed #ifdef ALLOW_KSKLESS_ZONES
 9293 			code (use -P instead). [RT #20852]
 9294 
 9295 3107.	[bug]		dnssec-signzone: Report the correct number of ZSKs
 9296 			when using -x. [RT #20852]
 9297 
 9298 3106.	[func]		When logging client requests, include the name of
 9299 			the TSIG key if any. [RT #23619]
 9300 
 9301 3105.	[bug]		GOST support can be suppressed by "configure
 9302 			--without-gost" [RT #24367]
 9303 
 9304 3104.	[bug]		Better support for cross-compiling. [RT #24367]
 9305 
 9306 3103.	[bug]		Configuring 'dnssec-validation auto' in a view
 9307 			instead of in the options statement could trigger
 9308 			an assertion failure in named-checkconf. [RT #24382]
 9309 
 9310 3102.	[func]		New 'dnssec-loadkeys-interval' option configures
 9311 			how often, in minutes, to check the key repository
 9312 			for updates when using automatic key maintenance.
 9313 			Default is every 60 minutes (formerly hard-coded
 9314 			to 12 hours). [RT #23744]
 9315 
 9316 3101.	[bug]		Zones using automatic key maintenance could fail
 9317 			to check the key repository for updates. [RT #23744]
 9318 
 9319 3100.	[security]	Certain response policy zone configurations could
 9320 			trigger an INSIST when receiving a query of type
 9321 			RRSIG. [RT #24280]
 9322 
 9323 3099.	[test]		"dlz" system test now runs but gives R:SKIPPED if
 9324 			not compiled with --with-dlz-filesystem.  [RT #24146]
 9325 
 9326 3098.	[bug]		DLZ zones were answering without setting the AA bit.
 9327 			[RT #24146]
 9328 
 9329 3097.	[test]		Add a tool to test handling of malformed packets.
 9330 			[RT #24096]
 9331 
 9332 3096.	[bug]		Set KRB5_KTNAME before calling log_cred() in
 9333 			dst_gssapi_acceptctx(). [RT #24004]
 9334 
 9335 3095.	[bug]		Handle isolated reserved ports in the port range.
 9336 			[RT #23957]
 9337 
 9338 3094.	[doc]		Expand dns64 documentation.
 9339 
 9340 3093.	[bug]		Fix gssapi/kerberos dependencies [RT #23836]
 9341 
 9342 3092.	[bug]		Signatures for records at the zone apex could go
 9343 			stale due to an incorrect timer setting. [RT #23769]
 9344 
 9345 3091.	[bug]		Fixed a bug in which zone keys that were published
 9346 			and then subsequently activated could fail to trigger
 9347 			automatic signing. [RT #22911]
 9348 
 9349 3090.	[func]		Make --with-gssapi default [RT #23738]
 9350 
 9351 3089.	[func]		dnssec-dsfromkey now supports reading keys from
 9352 			standard input "dnssec-dsfromkey -f -". [RT #20662]
 9353 
 9354 3088.	[bug]		Remove bin/tests/system/logfileconfig/ns1/named.conf
 9355 			and add setup.sh in order to resolve changing
 9356 			named.conf issue.  [RT #23687]
 9357 
 9358 3087.	[bug]		DDNS updates using SIG(0) with update-policy match
 9359 			type "external" could cause a crash. [RT #23735]
 9360 
 9361 3086.	[bug]		Running dnssec-settime -f on an old-style key will
 9362 			now force an update to the new key format even if no
 9363 			other change has been specified, using "-P now -A now"
 9364 			as default values.  [RT #22474]
 9365 
 9366 3085.	[func]		New '-R' option in dnssec-signzone forces removal
 9367 			of signatures which have not yet expired but
 9368 			were generated by a key that no longer exists.
 9369 			[RT #22471]
 9370 
 9371 3084.	[func]		A new command "rndc sync" dumps pending changes in
 9372 			a dynamic zone to disk; "rndc sync -clean" also
 9373 			removes the journal file after syncing.  Also,
 9374 			"rndc freeze" no longer removes journal files.
 9375 			[RT #22473]
 9376 
 9377 3083.	[bug]		NOTIFY messages were not being sent when generating
 9378 			a NSEC3 chain incrementally. [RT #23702]
 9379 
 9380 3082.	[port]		strtok_r is threads only. [RT #23747]
 9381 
 9382 3081.	[bug]		Failure of DNAME substitution did not return
 9383 			YXDOMAIN. [RT #23591]
 9384 
 9385 3080.	[cleanup]	Replaced compile time constant by STDTIME_ON_32BITS.
 9386 			[RT #23587]
 9387 
 9388 3079.	[bug]		Handle isc_event_allocate failures in t_tasks.
 9389 			[RT #23572]
 9390 
 9391 3078.	[func]		Added a new include file with function typedefs
 9392 			for the DLZ "dlopen" driver. [RT #23629]
 9393 
 9394 3077.	[bug]		zone.c:zone_refreshkeys() incorrectly called
 9395 			dns_zone_attach(), use zone->irefs instead. [RT #23303]
 9396 
 9397 3076.	[func]		New '-L' option in dnssec-keygen, dnsset-settime, and
 9398 			dnssec-keyfromlabel sets the default TTL of the
 9399 			key.  When possible, automatic signing will use that
 9400 			TTL when the key is published.  [RT #23304]
 9401 
 9402 3075.	[bug]		dns_dnssec_findzonekeys{2} used a inconsistent
 9403 			timestamp when determining which keys are active.
 9404 			[RT #23642]
 9405 
 9406 3074.	[bug]		Make the adb cache read through for zone data and
 9407 			glue learn for zone named is authoritative for.
 9408 			[RT #22842]
 9409 
 9410 3073.	[bug]		managed-keys changes were not properly being recorded.
 9411 			[RT #20256]
 9412 
 9413 3072.	[bug]		dns_dns64_aaaaok() potential NULL pointer dereference.
 9414 			[RT #20256]
 9415 
 9416 3071.	[bug]		has_nsec could be used uninitialized in
 9417 			update.c:next_active. [RT #20256]
 9418 
 9419 3070.	[bug]		dnssec-signzone potential NULL pointer dereference.
 9420 			[RT #20256]
 9421 
 9422 3069.	[cleanup]	Silence warnings messages from clang static analysis.
 9423 			[RT #20256]
 9424 
 9425 3068.	[bug]		Named failed to build with a OpenSSL without engine
 9426 			support. [RT #23473]
 9427 
 9428 3067.	[bug]		ixfr-from-differences {master|slave}; failed to
 9429 			select the master/slave zones.  [RT #23580]
 9430 
 9431 3066.	[func]		The DLZ "dlopen" driver is now built by default,
 9432 			no longer requiring a configure option.  To
 9433 			disable it, use "configure --without-dlopen".
 9434 			Driver also supported on win32.  [RT #23467]
 9435 
 9436 3065.	[bug]		RRSIG could have time stamps too far in the future.
 9437 			[RT #23356]
 9438 
 9439 3064.	[bug]		powerpc: add sync instructions to the end of atomic
 9440 			operations. [RT #23469]
 9441 
 9442 3063.	[contrib]	More verbose error reporting from DLZ LDAP. [RT #23402]
 9443 
 9444 3062.	[func]		Made several changes to enhance human readability
 9445 			of DNSSEC data in dig output and in generated
 9446 			zone files:
 9447 			 - DNSKEY record comments are more verbose, no
 9448 			   longer used in multiline mode only
 9449 			 - multiline RRSIG records reformatted
 9450 			 - multiline output mode for NSEC3PARAM records
 9451 			 - "dig +norrcomments" suppresses DNSKEY comments
 9452 			 - "dig +split=X" breaks hex/base64 records into
 9453 			   fields of width X; "dig +nosplit" disables this.
 9454 			[RT #22820]
 9455 
 9456 3061.	[func]		New option "dnssec-signzone -D", only write out
 9457 			generated DNSSEC records. [RT #22896]
 9458 
 9459 3060.	[func]		New option "dnssec-signzone -X <date>" allows
 9460 			specification of a separate expiration date
 9461 			for DNSKEY RRSIGs and other RRSIGs. [RT #22141]
 9462 
 9463 3059.	[test]		Added a regression test for change #3023.
 9464 
 9465 3058.	[bug]		Cause named to terminate at startup or rndc reconfig/
 9466 			reload to fail, if a log file specified in the conf
 9467 			file isn't a plain file. [RT #22771]
 9468 
 9469 3057.	[bug]		"rndc secroots" would abort after the first error
 9470 			and so could miss some views. [RT #23488]
 9471 
 9472 3056.	[func]		Added support for URI resource record. [RT #23386]
 9473 
 9474 3055.	[placeholder]
 9475 
 9476 3054.	[bug]		Added elliptic curve support check in
 9477 			GOST OpenSSL engine detection. [RT #23485]
 9478 
 9479 3053.	[bug]		Under a sustained high query load with a finite
 9480 			max-cache-size, it was possible for cache memory
 9481 			to be exhausted and not recovered. [RT #23371]
 9482 
 9483 3052.	[test]		Fixed last autosign test report. [RT #23256]
 9484 
 9485 3051.	[bug]		NS records obscure DNAME records at the bottom of the
 9486 			zone if both are present. [RT #23035]
 9487 
 9488 3050.	[bug]		The autosign system test was timing dependent.
 9489 			Wait for the initial autosigning to complete
 9490 			before running the rest of the test. [RT #23035]
 9491 
 9492 3049.	[bug]		Save and restore the gid when creating creating
 9493 			named.pid at startup. [RT #23290]
 9494 
 9495 3048.	[bug]		Fully separate view key management. [RT #23419]
 9496 
 9497 3047.	[bug]		DNSKEY NODATA responses not cached fixed in
 9498 			validator.c. Tests added to dnssec system test.
 9499 			[RT #22908]
 9500 
 9501 3046.	[bug]		Use RRSIG original TTL to compute validated RRset
 9502 			and RRSIG TTL. [RT #23332]
 9503 
 9504 3045.	[removed]	Replaced by change #3050.
 9505 
 9506 3044.	[bug]		Hold the socket manager lock while freeing the socket.
 9507 			[RT #23333]
 9508 
 9509 3043.	[test]		Merged in the NetBSD ATF test framework (currently
 9510 			version 0.12) for development of future unit tests.
 9511 			Use configure --with-atf to build ATF internally
 9512 			or configure --with-atf=prefix to use an external
 9513 			copy.  [RT #23209]
 9514 
 9515 3042.	[bug]		dig +trace could fail attempting to use IPv6
 9516 			addresses on systems with only IPv4 connectivity.
 9517 			[RT #23297]
 9518 
 9519 3041.	[bug]		dnssec-signzone failed to generate new signatures on
 9520 			ttl changes. [RT #23330]
 9521 
 9522 3040.	[bug]		Named failed to validate insecure zones where a node
 9523 			with a CNAME existed between the trust anchor and the
 9524 			top of the zone. [RT #23338]
 9525 
 9526 3039.	[func]		Redirect on NXDOMAIN support. [RT #23146]
 9527 
 9528 3038.	[bug]		Install <dns/rpz.h>.  [RT #23342]
 9529 
 9530 3037.	[doc]		Update COPYRIGHT to contain all the individual
 9531 			copyright notices that cover various parts.
 9532 
 9533 3036.	[bug]		Check built-in zone arguments to see if the zone
 9534 			is re-usable or not. [RT #21914]
 9535 
 9536 3035.	[cleanup]	Simplify by using strlcpy. [RT #22521]
 9537 
 9538 3034.	[cleanup]	nslookup: use strlcpy instead of safecopy. [RT #22521]
 9539 
 9540 3033.	[cleanup]	Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).
 9541 			[RT #22521]
 9542 
 9543 3032.	[bug]		rdatalist.c: add missing REQUIREs. [RT #22521]
 9544 
 9545 3031.	[bug]		dns_rdataclass_format() handle a zero sized buffer.
 9546 			[RT #22521]
 9547 
 9548 3030.	[bug]		dns_rdatatype_format() handle a zero sized buffer.
 9549 			[RT #22521]
 9550 
 9551 3029.	[bug]		isc_netaddr_format() handle a zero sized buffer.
 9552 			[RT #22521]
 9553 
 9554 3028.	[bug]		isc_sockaddr_format() handle a zero sized buffer.
 9555 			[RT #22521]
 9556 
 9557 3027.	[bug]		Add documented REQUIREs to cfg_obj_asnetprefix() to
 9558 			catch NULL pointer dereferences before they happen.
 9559 			[RT #22521]
 9560 
 9561 3026.	[bug]		lib/isc/httpd.c: check that we have enough space
 9562 			after calling grow_headerspace() and if not
 9563 			re-call grow_headerspace() until we do. [RT #22521]
 9564 
 9565 3025.	[bug]		Fixed a possible deadlock due to zone resigning.
 9566 			[RT #22964]
 9567 
 9568 3024.	[func]		RTT Banding removed due to minor security increase
 9569 			but major impact on resolver latency. [RT #23310]
 9570 
 9571 3023.	[bug]		Named could be left in an inconsistent state when
 9572 			receiving multiple AXFR response messages that were
 9573 			not all TSIG-signed. [RT #23254]
 9574 
 9575 3022.	[bug]		Fixed rpz SERVFAILs after failed zone transfers
 9576 			[RT #23246]
 9577 
 9578 3021.	[bug]		Change #3010 was incomplete. [RT #22296]
 9579 
 9580 3020.	[bug]		auto-dnssec failed to correctly update the zone when
 9581 			changing the DNSKEY RRset. [RT #23232]
 9582 
 9583 3019.	[test]		Test: check apex NSEC3 records after adding DNSKEY
 9584 			record via UPDATE. [RT #23229]
 9585 
 9586 3018.	[bug]		Named failed to check for the "none;" acl when deciding
 9587 			if a zone may need to be re-signed. [RT #23120]
 9588 
 9589 3017.	[doc]		dnssec-keyfromlabel -I was not properly documented.
 9590 			[RT #22887]
 9591 
 9592 3016.	[bug]		rndc usage missing '-b'. [RT #22937]
 9593 
 9594 3015.	[port]		win32: fix IN6_IS_ADDR_LINKLOCAL and
 9595 			IN6_IS_ADDR_SITELOCAL macros. [RT #22724]
 9596 
 9597 3014.	[placeholder]
 9598 
 9599 3013.	[bug]		The DNS64 ttl was not always being set as expected.
 9600 			[RT #23034]
 9601 
 9602 3012.	[bug]		Remove DNSKEY TTL change pairs before generating
 9603 			signing records for any remaining DNSKEY changes.
 9604 			[RT #22590]
 9605 
 9606 3011.	[func]		Change the default query timeout from 30 seconds
 9607 			to 10.  Allow setting this in named.conf using the new
 9608 			'resolver-query-timeout' option, which specifies a max
 9609 			time in seconds.  0 means 'default' and anything longer
 9610 			than 30 will be silently set to 30. [RT #22852]
 9611 
 9612 3010.	[bug]		Fixed a bug where "rndc reconfig" stopped the timer
 9613 			for refreshing managed-keys. [RT #22296]
 9614 
 9615 3009.	[bug]		clients-per-query code didn't work as expected with
 9616 			particular query patterns. [RT #22972]
 9617 
 9618 	--- 9.8.0b1 released ---
 9619 
 9620 3008.	[func]		Response policy zones (RPZ) support. [RT #21726]
 9621 
 9622 3007.	[bug]		Named failed to preserve the case of domain names in
 9623 			rdata which is not compressible when writing master
 9624 			files.  [RT #22863]
 9625 
 9626 3006.	[func]		Allow dynamically generated TSIG keys to be preserved
 9627 			across restarts of named.  Initially this is for
 9628 			TSIG keys generated using GSSAPI. [RT #22639]
 9629 
 9630 3005.	[port]		Solaris: Work around the lack of
 9631 			gsskrb5_register_acceptor_identity() by setting
 9632 			the KRB5_KTNAME environment variable to the
 9633 			contents of tkey-gssapi-keytab.  Also fixed
 9634 			test errors on MacOSX.  [RT #22853]
 9635 
 9636 3004.	[func]		DNS64 reverse support. [RT #22769]
 9637 
 9638 3003.	[experimental]	Added update-policy match type "external",
 9639 			enabling named to defer the decision of whether to
 9640 			allow a dynamic update to an external daemon.
 9641 			(Contributed by Andrew Tridgell.) [RT #22758]
 9642 
 9643 3002.	[bug]		isc_mutex_init_errcheck() failed to destroy attr.
 9644 			[RT #22766]
 9645 
 9646 3001.	[func]		Added a default trust anchor for the root zone, which
 9647 			can be switched on by setting "dnssec-validation auto;"
 9648 			in the named.conf options. [RT #21727]
 9649 
 9650 3000.	[bug]		More TKEY/GSS fixes:
 9651 			 - nsupdate can now get the default realm from
 9652 			   the user's Kerberos principal
 9653 			 - corrected gsstest compilation flags
 9654 			 - improved documentation
 9655 			 - fixed some NULL dereferences
 9656 			[RT #22795]
 9657 
 9658 2999.	[func]		Add GOST support (RFC 5933). [RT #20639]
 9659 
 9660 2998.	[func]		Add isc_task_beginexclusive and isc_task_endexclusive
 9661 			to the task api. [RT #22776]
 9662 
 9663 2997.	[func]		named -V now reports the OpenSSL and libxml2 versions
 9664 			it was compiled against. [RT #22687]
 9665 
 9666 2996.	[security]	Temporarily disable SO_ACCEPTFILTER support.
 9667 			[RT #22589]
 9668 
 9669 2995.	[bug]		The Kerberos realm was not being correctly extracted
 9670 			from the signer's identity. [RT #22770]
 9671 
 9672 2994.	[port]		NetBSD: use pthreads by default on NetBSD >= 5.0, and
 9673 			do not use threads on earlier versions.  Also kill
 9674 			the unproven-pthreads, mit-pthreads, and ptl2 support.
 9675 
 9676 2993.	[func]		Dynamically grow adb hash tables. [RT #21186]
 9677 
 9678 2992.	[contrib]	contrib/check-secure-delegation.pl:  A simple tool
 9679 			for looking at a secure delegation. [RT #22059]
 9680 
 9681 2991.	[contrib]	contrib/zone-edit.sh: A simple zone editing tool for
 9682 			dynamic zones. [RT #22365]
 9683 
 9684 2990.	[bug]		'dnssec-settime -S' no longer tests prepublication
 9685 			interval validity when the interval is set to 0.
 9686 			[RT #22761]
 9687 
 9688 2989.	[func]		Added support for writable DLZ zones. (Contributed
 9689 			by Andrew Tridgell of the Samba project.) [RT #22629]
 9690 
 9691 2988.	[experimental]	Added a "dlopen" DLZ driver, allowing the creation
 9692 			of external DLZ drivers that can be loaded as
 9693 			shared objects at runtime rather than linked with
 9694 			named.  Currently this is switched on via a
 9695 			compile-time option, "configure --with-dlz-dlopen".
 9696 			Note: the syntax for configuring DLZ zones
 9697 			is likely to be refined in future releases.
 9698 			(Contributed by Andrew Tridgell of the Samba
 9699 			project.) [RT #22629]
 9700 
 9701 2987.	[func]		Improve ease of configuring TKEY/GSS updates by
 9702 			adding a "tkey-gssapi-keytab" option.  If set,
 9703 			updates will be allowed with any key matching
 9704 			a principal in the specified keytab file.
 9705 			"tkey-gssapi-credential" is no longer required
 9706 			and is expected to be deprecated.  (Contributed
 9707 			by Andrew Tridgell of the Samba project.)
 9708 			[RT #22629]
 9709 
 9710 2986.	[func]		Add new zone type "static-stub".  It's like a stub
 9711 			zone, but the nameserver names and/or their IP
 9712 			addresses are statically configured. [RT #21474]
 9713 
 9714 2985.	[bug]		Add a regression test for change #2896. [RT #21324]
 9715 
 9716 2984.	[bug]		Don't run MX checks when the target of the MX record
 9717 			is ".".  [RT #22645]
 9718 
 9719 2983.	[bug]		Include "loadkeys" in rndc help output. [RT #22493]
 9720 
 9721 	--- 9.8.0a1 released ---
 9722 
 9723 2982.	[bug]		Reference count dst keys.  dst_key_attach() can be used
 9724 			increment the reference count.
 9725 
 9726 			Note: dns_tsigkey_createfromkey() callers should now
 9727 			always call dst_key_free() rather than setting it
 9728 			to NULL on success. [RT #22672]
 9729 
 9730 2981.	[func]		Partial DNS64 support (AAAA synthesis). [RT #21991]
 9731 
 9732 2980.	[bug]		named didn't properly handle UPDATES that changed the
 9733 			TTL of the NSEC3PARAM RRset. [RT #22363]
 9734 
 9735 2979.	[bug]		named could deadlock during shutdown if two
 9736 			"rndc stop" commands were issued at the same
 9737 			time. [RT #22108]
 9738 
 9739 2978.	[port]		hpux: look for <devpoll.h> [RT #21919]
 9740 
 9741 2977.	[bug]		'nsupdate -l' report if the session key is missing.
 9742 			[RT #21670]
 9743 
 9744 2976.	[bug]		named could die on exit after negotiating a GSS-TSIG
 9745 			key. [RT #22573]
 9746 
 9747 2975.	[bug]		rbtdb.c:cleanup_dead_nodes_callback() acquired the
 9748 			wrong lock which could lead to server deadlock.
 9749 			[RT #22614]
 9750 
 9751 2974.	[bug]		Some valid UPDATE requests could fail due to a
 9752 			consistency check examining the existing version
 9753 			of the zone rather than the new version resulting
 9754 			from the UPDATE. [RT #22413]
 9755 
 9756 2973.	[bug]		bind.keys.h was being removed by the "make clean"
 9757 			at the end of configure resulting in build failures
 9758 			where there is very old version of perl installed.
 9759 			Move it to "make maintainer-clean". [RT #22230]
 9760 
 9761 2972.	[bug]		win32: address windows socket errors. [RT #21906]
 9762 
 9763 2971.	[bug]		Fixed a bug that caused journal files not to be
 9764 			compacted on Windows systems as a result of
 9765 			non-POSIX-compliant rename() semantics. [RT #22434]
 9766 
 9767 2970.	[security]	Adding a NO DATA negative cache entry failed to clear
 9768 			any matching RRSIG records.  A subsequent lookup of
 9769 			of NO DATA cache entry could trigger a INSIST when the
 9770 			unexpected RRSIG was also returned with the NO DATA
 9771 			cache entry.
 9772 
 9773 			CVE-2010-3613, VU#706148. [RT #22288]
 9774 
 9775 2969.	[security]	Fix acl type processing so that allow-query works
 9776 			in options and view statements.  Also add a new
 9777 			set of tests to verify proper functioning.
 9778 
 9779 			CVE-2010-3615, VU#510208. [RT #22418]
 9780 
 9781 2968.	[security]	Named could fail to prove a data set was insecure
 9782 			before marking it as insecure.  One set of conditions
 9783 			that can trigger this occurs naturally when rolling
 9784 			DNSKEY algorithms.
 9785 
 9786 			CVE-2010-3614, VU#837744. [RT #22309]
 9787 
 9788 2967.	[bug]		'host -D' now turns on debugging messages earlier.
 9789 			[RT #22361]
 9790 
 9791 2966.	[bug]		isc_print_vsnprintf() failed to check if there was
 9792 			space available in the buffer when adding a left
 9793 			justified character with a non zero width,
 9794 			(e.g. "%-1c"). [RT #22270]
 9795 
 9796 2965.	[func]		Test HMAC functions using test data from RFC 2104 and
 9797 			RFC 4634. [RT #21702]
 9798 
 9799 2964.	[placeholder]
 9800 
 9801 2963.	[security]	The allow-query acl was being applied instead of the
 9802 			allow-query-cache acl to cache lookups. [RT #22114]
 9803 
 9804 2962.	[port]		win32: add more dependencies to BINDBuild.dsw.
 9805 			[RT #22062]
 9806 
 9807 2961.	[bug]		Be still more selective about the non-authoritative
 9808 			answers we apply change 2748 to. [RT #22074]
 9809 
 9810 2960.	[func]		Check that named accepts non-authoritative answers.
 9811 			[RT #21594]
 9812 
 9813 2959.	[func]		Check that named starts with a missing masterfile.
 9814 			[RT #22076]
 9815 
 9816 2958.	[bug]		named failed to start with a missing master file.
 9817 			[RT #22076]
 9818 
 9819 2957.	[bug]		entropy_get() and entropy_getpseudo() failed to match
 9820 			the API for RAND_bytes() and RAND_pseudo_bytes()
 9821 			respectively. [RT #21962]
 9822 
 9823 2956.	[port]		Enable atomic operations on the PowerPC64. [RT #21899]
 9824 
 9825 2955.	[func]		Provide more detail in the recursing log. [RT #22043]
 9826 
 9827 2954.	[bug]		contrib: dlz_mysql_driver.c bad error handling on
 9828 			build_sqldbinstance failure. [RT #21623]
 9829 
 9830 2953.	[bug]		Silence spurious "expected covering NSEC3, got an
 9831 			exact match" message when returning a wildcard
 9832 			no data response. [RT #21744]
 9833 
 9834 2952.	[port]		win32: named-checkzone and named-checkconf failed
 9835 			to initialize winsock. [RT #21932]
 9836 
 9837 2951.	[bug]		named failed to generate a correct signed response
 9838 			in a optout, delegation only zone with no secure
 9839 			delegations. [RT #22007]
 9840 
 9841 2950.	[bug]		named failed to perform a SOA up to date check when
 9842 			falling back to TCP on UDP timeouts when
 9843 			ixfr-from-differences was set. [RT #21595]
 9844 
 9845 2949.	[bug]		dns_view_setnewzones() contained a memory leak if
 9846 			it was called multiple times. [RT #21942]
 9847 
 9848 2948.	[port]		MacOS: provide a mechanism to configure the test
 9849 			interfaces at reboot. See bin/tests/system/README
 9850 			for details.
 9851 
 9852 2947.	[placeholder]
 9853 
 9854 2946.	[doc]		Document the default values for the minimum and maximum
 9855 			zone refresh and retry values in the ARM. [RT #21886]
 9856 
 9857 2945.	[doc]		Update empty-zones list in ARM. [RT #21772]
 9858 
 9859 2944.	[maint]		Remove ORCHID prefix from built in empty zones.
 9860 			[RT #21772]
 9861 
 9862 2943.	[func]		Add support to load new keys into managed zones
 9863 			without signing immediately with "rndc loadkeys".
 9864 			Add support to link keys with "dnssec-keygen -S"
 9865 			and "dnssec-settime -S".  [RT #21351]
 9866 
 9867 2942.	[contrib]	zone2sqlite failed to setup the entropy sources.
 9868 			[RT #21610]
 9869 
 9870 2941.	[bug]		sdb and sdlz (dlz's zone database) failed to support
 9871 			DNAME at the zone apex.  [RT #21610]
 9872 
 9873 2940.	[port]		Remove connection aborted error message on
 9874 			Windows. [RT #21549]
 9875 
 9876 2939.	[func]		Check that named successfully skips NSEC3 records
 9877 			that fail to match the NSEC3PARAM record currently
 9878 			in use. [RT #21868]
 9879 
 9880 2938.	[bug]		When generating signed responses, from a signed zone
 9881 			that uses NSEC3, named would use a uninitialized
 9882 			pointer if it needed to skip a NSEC3 record because
 9883 			it didn't match the selected NSEC3PARAM record for
 9884 			zone. [RT #21868]
 9885 
 9886 2937.	[bug]		Worked around an apparent race condition in over
 9887 			memory conditions.  Without this fix a DNS cache DB or
 9888 			ADB could incorrectly stay in an over memory state,
 9889 			effectively refusing further caching, which
 9890 			subsequently made a BIND 9 caching server unworkable.
 9891 			This fix prevents this problem from happening by
 9892 			polling the state of the memory context, rather than
 9893 			making a copy of the state, which appeared to cause
 9894 			a race.  This is a "workaround" in that it doesn't
 9895 			solve the possible race per se, but several experiments
 9896 			proved this change solves the symptom.  Also, the
 9897 			polling overhead hasn't been reported to be an issue.
 9898 			This bug should only affect a caching server that
 9899 			specifies a finite max-cache-size.  It's also quite
 9900 			likely that the bug happens only when enabling threads,
 9901 			but it's not confirmed yet. [RT #21818]
 9902 
 9903 2936.	[func]		Improved configuration syntax and multiple-view
 9904 			support for addzone/delzone feature (see change
 9905 			#2930).  Removed "new-zone-file" option, replaced
 9906 			with "allow-new-zones (yes|no)".  The new-zone-file
 9907 			for each view is now created automatically, with
 9908 			a filename generated from a hash of the view name.
 9909 			It is no longer necessary to "include" the
 9910 			new-zone-file in named.conf; this happens
 9911 			automatically.  Zones that were not added via
 9912 			"rndc addzone" can no longer be removed with
 9913 			"rndc delzone". [RT #19447]
 9914 
 9915 2935.	[bug]		nsupdate: improve 'file not found' error message.
 9916 			[RT #21871]
 9917 
 9918 2934.	[bug]		Use ANSI C compliant shift range in lib/isc/entropy.c.
 9919 			[RT #21871]
 9920 
 9921 2933.	[bug]		'dig +nsid' used stack memory after it went out of
 9922 			scope.  This could potentially result in a unknown,
 9923 			potentially malformed, EDNS option being sent instead
 9924 			of the desired NSID option. [RT #21781]
 9925 
 9926 2932.	[cleanup]	Corrected a numbering error in the "dnssec" test.
 9927 			[RT #21597]
 9928 
 9929 2931.	[bug]		Temporarily and partially disable change 2864
 9930 			because it would cause infinite attempts of RRSIG
 9931 			queries.  This is an urgent care fix; we'll
 9932 			revisit the issue and complete the fix later.
 9933 			[RT #21710]
 9934 
 9935 2930.	[experimental]	New "rndc addzone" and "rndc delzone" commands
 9936 			allow dynamic addition and deletion of zones.
 9937 			To enable this feature, specify a "new-zone-file"
 9938 			option at the view or options level in named.conf.
 9939 			Zone configuration information for the new zones
 9940 			will be written into that file.  To make the new
 9941 			zones persist after a restart, "include" the file
 9942 			into named.conf in the appropriate view.  (Note:
 9943 			This feature is not yet documented, and its syntax
 9944 			is expected to change.) [RT #19447]
 9945 
 9946 2929.	[bug]		Improved handling of GSS security contexts:
 9947 			 - added LRU expiration for generated TSIGs
 9948 			 - added the ability to use a non-default realm
 9949 			 - added new "realm" keyword in nsupdate
 9950 			 - limited lifetime of generated keys to 1 hour
 9951 			   or the lifetime of the context (whichever is
 9952 			   smaller)
 9953 			[RT #19737]
 9954 
 9955 2928.	[bug]		Be more selective about the non-authoritative
 9956 			answer we apply change 2748 to. [RT #21594]
 9957 
 9958 2927.	[placeholder]
 9959 
 9960 2926.	[placeholder]
 9961 
 9962 2925.	[bug]		Named failed to accept uncachable negative responses
 9963 			from insecure zones. [RT #21555]
 9964 
 9965 2924.	[func]		'rndc  secroots'  dump a combined summary of the
 9966 			current managed keys combined with trusted keys.
 9967 			[RT #20904]
 9968 
 9969 2923.	[bug]		'dig +trace' could drop core after "connection
 9970 			timeout". [RT #21514]
 9971 
 9972 2922.	[contrib]	Update zkt to version 1.0.
 9973 
 9974 2921.	[bug]		The resolver could attempt to destroy a fetch context
 9975 			too soon.  [RT #19878]
 9976 
 9977 2920.	[func]		Allow 'filter-aaaa-on-v4' to be applied selectively
 9978 			to IPv4 clients.  New acl 'filter-aaaa' (default any).
 9979 
 9980 2919.	[func]		Add autosign-ksk and autosign-zsk virtual time tests.
 9981 			[RT #20840]
 9982 
 9983 2918.	[maint]		Add AAAA address for I.ROOT-SERVERS.NET.
 9984 
 9985 2917.	[func]		Virtual time test framework. [RT #20801]
 9986 
 9987 2916.	[func]		Add framework to use IPv6 in tests.
 9988 			fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7
 9989 
 9990 2915.	[cleanup]	Be smarter about which objects we attempt to compile
 9991 			based on configure options. [RT #21444]
 9992 
 9993 2914.	[bug]		Make the "autosign" system test more portable.
 9994 			[RT #20997]
 9995 
 9996 2913.	[func]		Add pkcs#11 system tests. [RT #20784]
 9997 
 9998 2912.	[func]		Windows clients don't like UPDATE responses that clear
 9999 			the zone section. [RT #20986]
10000 
10001 2911.	[bug]		dnssec-signzone didn't handle out of zone records well.
10002 			[RT #21367]
10003 
10004 2910.	[func]		Sanity check Kerberos credentials. [RT #20986]
10005 
10006 2909.	[bug]		named-checkconf -p could die if "update-policy local;"
10007 			was specified in named.conf. [RT #21416]
10008 
10009 2908.	[bug]		It was possible for re-signing to stop after removing
10010 			a DNSKEY. [RT #21384]
10011 
10012 2907.	[bug]		The export version of libdns had undefined references.
10013 			[RT #21444]
10014 
10015 2906.	[bug]		Address RFC 5011 implementation issues. [RT #20903]
10016 
10017 2905.	[port]		aix: set use_atomic=yes with native compiler.
10018 			[RT #21402]
10019 
10020 2904.	[bug]		When using DLV, sub-zones of the zones in the DLV,
10021 			could be incorrectly marked as insecure instead of
10022 			secure leading to negative proofs failing.  This was
10023 			a unintended outcome from change 2890. [RT #21392]
10024 
10025 2903.	[bug]		managed-keys-directory missing from namedconf.c.
10026 			[RT #21370]
10027 
10028 2902.	[func]		Add regression test for change 2897. [RT #21040]
10029 
10030 2901.	[port]		Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]
10031 
10032 2900.	[bug]		The placeholder negative caching element was not
10033 			properly constructed triggering a INSIST in
10034 			dns_ncache_towire(). [RT #21346]
10035 
10036 2899.	[port]		win32: Support linking against OpenSSL 1.0.0.
10037 
10038 2898.	[bug]		nslookup leaked memory when -domain=value was
10039 			specified. [RT #21301]
10040 
10041 2897.	[bug]		NSEC3 chains could be left behind when transitioning
10042 			to insecure. [RT #21040]
10043 
10044 2896.	[bug]		"rndc sign" failed to properly update the zone
10045 			when adding a DNSKEY for publication only. [RT #21045]
10046 
10047 2895.	[func]		genrandom: add support for the generation of multiple
10048 			files.  [RT #20917]
10049 
10050 2894.	[contrib]	DLZ LDAP support now use '$' not '%'. [RT #21294]
10051 
10052 2893.	[bug]		Improve managed keys support.  New named.conf option
10053 			managed-keys-directory. [RT #20924]
10054 
10055 2892.	[bug]		Handle REVOKED keys better. [RT #20961]
10056 
10057 2891.	[maint]		Update empty-zones list to match
10058 			draft-ietf-dnsop-default-local-zones-13. [RT #21099]
10059 
10060 2890.	[bug]		Handle the introduction of new trusted-keys and
10061 			DS, DLV RRsets better. [RT #21097]
10062 
10063 2889.	[bug]		Elements of the grammar where not properly reported.
10064 			[RT #21046]
10065 
10066 2888.	[bug]		Only the first EDNS option was displayed. [RT #21273]
10067 
10068 2887.	[bug]		Report the keytag times in UTC in the .key file,
10069 			local time is presented as a comment within the
10070 			comment.  [RT #21223]
10071 
10072 2886.	[bug]		ctime() is not thread safe. [RT #21223]
10073 
10074 2885.	[bug]		Improve -fno-strict-aliasing support probing in
10075 			configure. [RT #21080]
10076 
10077 2884.	[bug]		Insufficient validation in dns_name_getlabelsequence().
10078 			[RT #21283]
10079 
10080 2883.	[bug]		'dig +short' failed to handle really large datasets.
10081 			[RT #21113]
10082 
10083 2882.	[bug]		Remove memory context from list of active contexts
10084 			before clearing 'magic'. [RT #21274]
10085 
10086 2881.	[bug]		Reduce the amount of time the rbtdb write lock
10087 			is held when closing a version. [RT #21198]
10088 
10089 2880.	[cleanup]	Make the output of dnssec-keygen and dnssec-revoke
10090 			consistent. [RT #21078]
10091 
10092 2879.	[contrib]	DLZ bdbhpt driver fails to close correct cursor.
10093 			[RT #21106]
10094 
10095 2878.	[func]		Incrementally write the master file after performing
10096 			a AXFR.  [RT #21010]
10097 
10098 2877.	[bug]		The validator failed to skip obviously mismatching
10099 			RRSIGs. [RT #21138]
10100 
10101 2876.	[bug]		Named could return SERVFAIL for negative responses
10102 			from unsigned zones. [RT #21131]
10103 
10104 2875.	[bug]		dns_time64_fromtext() could accept non digits.
10105 			[RT #21033]
10106 
10107 2874.	[bug]		Cache lack of EDNS support only after the server
10108 			successfully responds to the query using plain DNS.
10109 			[RT #20930]
10110 
10111 2873.	[bug]		Canceling a dynamic update via the dns/client module
10112 			could trigger an assertion failure. [RT #21133]
10113 
10114 2872.	[bug]		Modify dns/client.c:dns_client_createx() to only
10115 			require one of IPv4 or IPv6 rather than both.
10116 			[RT #21122]
10117 
10118 2871.	[bug]		Type mismatch in mem_api.c between the definition and
10119 			the header file, causing build failure with
10120 			--enable-exportlib. [RT #21138]
10121 
10122 2870.	[maint]		Add AAAA address for L.ROOT-SERVERS.NET.
10123 
10124 2869.	[bug]		Fix arguments to dns_keytable_findnextkeynode() call.
10125 			[RT #20877]
10126 
10127 2868.	[cleanup]	Run "make clean" at the end of configure to ensure
10128 			any changes made by configure are integrated.
10129 			Use --with-make-clean=no to disable.  [RT #20994]
10130 
10131 2867.	[bug]		Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
10132 			don't like it.  [RT #20986]
10133 
10134 2866.	[bug]		Windows does not like the TSIG name being compressed.
10135 			[RT #20986]
10136 
10137 2865.	[bug]		memset to zero event.data.  [RT #20986]
10138 
10139 2864.	[bug]		Direct SIG/RRSIG queries were not handled correctly.
10140 			[RT #21050]
10141 
10142 2863.	[port]		linux: disable IPv6 PMTUD and use network minimum MTU.
10143 			[RT #21056]
10144 
10145 2862.	[bug]		nsupdate didn't default to the parent zone when
10146 			updating DS records. [RT #20896]
10147 
10148 2861.	[doc]		dnssec-settime man pages didn't correctly document the
10149 			inactivation time. [RT #21039]
10150 
10151 2860.	[bug]		named-checkconf's usage was out of date. [RT #21039]
10152 
10153 2859.	[bug]		When canceling validation it was possible to leak
10154 			memory. [RT #20800]
10155 
10156 2858.	[bug]		RTT estimates were not being adjusted on ICMP errors.
10157 			[RT #20772]
10158 
10159 2857.	[bug]		named-checkconf did not fail on a bad trusted key.
10160 			[RT #20705]
10161 
10162 2856.	[bug]		The size of a memory allocation was not always properly
10163 			recorded. [RT #20927]
10164 
10165 2855.	[func]		nsupdate will now preserve the entered case of domain
10166 			names in update requests it sends. [RT #20928]
10167 
10168 2854.	[func]		dig: allow the final soa record in a axfr response to
10169 			be suppressed, dig +onesoa. [RT #20929]
10170 
10171 2853.	[bug]		add_sigs() could run out of scratch space. [RT #21015]
10172 
10173 2852.	[bug]		Handle broken DNSSEC trust chains better. [RT #15619]
10174 
10175 2851.	[doc]		nslookup.1, removed <informalexample> from the docbook
10176 			source as it produced bad nroff.  [RT #21007]
10177 
10178 2850.	[bug]		If isc_heap_insert() failed due to memory shortage
10179 			the heap would have corrupted entries. [RT #20951]
10180 
10181 2849.	[bug]		Don't treat errors from the xml2 library as fatal.
10182 			[RT #20945]
10183 
10184 2848.	[doc]		Moved README.dnssec, README.libdns, README.pkcs11 and
10185 			README.rfc5011 into the ARM. [RT #20899]
10186 
10187 2847.	[cleanup]	Corrected usage message in dnssec-settime. [RT #20921]
10188 
10189 2846.	[bug]		EOF on unix domain sockets was not being handled
10190 			correctly. [RT #20731]
10191 
10192 2845.	[bug]		RFC 5011 client could crash on shutdown. [RT #20903]
10193 
10194 2844.	[doc]		notify-delay default in ARM was wrong.  It should have
10195 			been five (5) seconds.
10196 
10197 2843.	[func]		Prevent dnssec-keygen and dnssec-keyfromlabel from
10198 			creating key files if there is a chance that the new
10199 			key ID will collide with an existing one after
10200 			either of the keys has been revoked.  (To override
10201 			this in the case of dnssec-keyfromlabel, use the -y
10202 			option.  dnssec-keygen will simply create a
10203 			different, non-colliding key, so an override is
10204 			not necessary.) [RT #20838]
10205 
10206 2842.	[func]		Added "smartsign" and improved "autosign" and
10207 			"dnssec" regression tests. [RT #20865]
10208 
10209 2841.	[bug]		Change 2836 was not complete. [RT #20883]
10210 
10211 2840.	[bug]		Temporary fixed pkcs11-destroy usage check.
10212 			[RT #20760]
10213 
10214 2839.	[bug]		A KSK revoked by named could not be deleted.
10215 			[RT #20881]
10216 
10217 2838.	[placeholder]
10218 
10219 2837.	[port]		Prevent Linux spurious warnings about fwrite().
10220 			[RT #20812]
10221 
10222 2836.	[bug]		Keys that were scheduled to become active could
10223 			be delayed. [RT #20874]
10224 
10225 2835.	[bug]		Key inactivity dates were inadvertently stored in
10226 			the private key file with the outdated tag
10227 			"Unpublish" rather than "Inactive".  This has been
10228 			fixed; however, any existing keys that had Inactive
10229 			dates set will now need to have them reset, using
10230 			'dnssec-settime -I'. [RT #20868]
10231 
10232 2834.	[bug]		HMAC-SHA* keys that were longer than the algorithm
10233 			digest length were used incorrectly, leading to
10234 			interoperability problems with other DNS
10235 			implementations.  This has been corrected.
10236 			(Note: If an oversize key is in use, and
10237 			compatibility is needed with an older release of
10238 			BIND, the new tool "isc-hmac-fixup" can convert
10239 			the key secret to a form that will work with all
10240 			versions.) [RT #20751]
10241 
10242 2833.	[cleanup]	Fix usage messages in dnssec-keygen and dnssec-settime.
10243 			[RT #20851]
10244 
10245 2832.	[bug]		Modify "struct stat" in lib/export/samples/nsprobe.c
10246 			to avoid redefinition in some OSs [RT 20831]
10247 
10248 2831.	[security]	Do not attempt to validate or cache
10249 			out-of-bailiwick data returned with a secure
10250 			answer; it must be re-fetched from its original
10251 			source and validated in that context. [RT #20819]
10252 
10253 2830.	[bug]		Changing the OPTOUT setting could take multiple
10254 			passes. [RT #20813]
10255 
10256 2829.	[bug]		Fixed potential node inconsistency in rbtdb.c.
10257 			[RT #20808]
10258 
10259 2828.	[security]	Cached CNAME or DNAME RR could be returned to clients
10260 			without DNSSEC validation. [RT #20737]
10261 
10262 2827.	[security]	Bogus NXDOMAIN could be cached as if valid. [RT #20712]
10263 
10264 2826.	[bug]		NSEC3->NSEC transitions could fail due to a lock not
10265 			being released.  [RT #20740]
10266 
10267 2825.	[bug]		Changing the setting of OPTOUT in a NSEC3 chain that
10268 			was in the process of being created was not properly
10269 			recorded in the zone. [RT #20786]
10270 
10271 2824.	[bug]		"rndc sign" was not being run by the correct task.
10272 			[RT #20759]
10273 
10274 2823.	[bug]		rbtdb.c:getsigningtime() was missing locks. [RT #20781]
10275 
10276 2822.	[bug]		rbtdb.c:loadnode() could return the wrong result.
10277 			[RT #20802]
10278 
10279 2821.	[doc]		Add note that named-checkconf doesn't automatically
10280 			read rndc.key and bind.keys [RT #20758]
10281 
10282 2820.	[func]		Handle read access failure of OpenSSL configuration
10283 			file more user friendly (PKCS#11 engine patch).
10284 			[RT #20668]
10285 
10286 2819.	[cleanup]	Removed unnecessary DNS_POINTER_MAXHOPS define.
10287 			[RT #20771]
10288 
10289 2818.	[cleanup]	rndc could return an incorrect error code
10290 			when a zone was not found. [RT #20767]
10291 
10292 2817.	[cleanup]	Removed unnecessary isc_task_endexclusive() calls.
10293 			[RT #20768]
10294 
10295 2816.	[bug]		previous_closest_nsec() could fail to return
10296 			data for NSEC3 nodes [RT #29730]
10297 
10298 2815.	[bug]		Exclusively lock the task when freezing a zone.
10299 			[RT #19838]
10300 
10301 2814.	[func]		Provide a definitive error message when a master
10302 			zone is not loaded. [RT #20757]
10303 
10304 2813.	[bug]		Better handling of unreadable DNSSEC key files.
10305 			[RT #20710]
10306 
10307 2812.	[bug]		Make sure updates can't result in a zone with
10308 			NSEC-only keys and NSEC3 records. [RT #20748]
10309 
10310 2811.	[cleanup]	Add "rndc sign" to list of commands in rndc usage
10311 			output. [RT #20733]
10312 
10313 2810.	[doc]		Clarified the process of transitioning an NSEC3 zone
10314 			to insecure. [RT #20746]
10315 
10316 2809.	[cleanup]	Restored accidentally-deleted text in usage output
10317 			in dnssec-settime and dnssec-revoke [RT #20739]
10318 
10319 2808.	[bug]		Remove the attempt to install atomic.h from lib/isc.
10320 			atomic.h is correctly installed by the architecture
10321 			specific subdirectories.  [RT #20722]
10322 
10323 2807.	[bug]		Fixed a possible ASSERT when reconfiguring zone
10324 			keys. [RT #20720]
10325 
10326 	--- 9.7.0rc1 released ---
10327 
10328 2806.	[bug]		"rdnc sign" could delay re-signing the DNSKEY
10329 			when it had changed. [RT #20703]
10330 
10331 2805.	[bug]		Fixed namespace problems encountered when building
10332 			external programs using non-exported BIND9 libraries
10333 			(i.e., built without --enable-exportlib). [RT #20679]
10334 
10335 2804.	[bug]		Send notifies when a zone is signed with "rndc sign"
10336 			or as a result of a scheduled key change. [RT #20700]
10337 
10338 2803.	[port]		win32: Install named-journalprint, nsec3hash, arpaname
10339 			and genrandom under windows. [RT #20670]
10340 
10341 2802.	[cleanup]	Rename journalprint to named-journalprint. [RT #20670]
10342 
10343 2801.	[func]		Detect and report records that are different according
10344 			to DNSSEC but are semantically equal according to plain
10345 			DNS.  Apply plain DNS comparisons rather than DNSSEC
10346 			comparisons when processing UPDATE requests.
10347 			dnssec-signzone now removes such semantically duplicate
10348 			records prior to signing the RRset.
10349 
10350 			named-checkzone -r {ignore|warn|fail} (default warn)
10351 			named-compilezone -r {ignore|warn|fail} (default warn)
10352 
10353 			named.conf: check-dup-records {ignore|warn|fail};
10354 
10355 2800.	[func]		Reject zones which have NS records which refer to
10356 			CNAMEs, DNAMEs or don't have address record (class IN
10357 			only).  Reject UPDATEs which would cause the zone
10358 			to fail the above checks if committed. [RT #20678]
10359 
10360 2799.	[cleanup]	Changed the "secure-to-insecure" option to
10361 			"dnssec-secure-to-insecure", and "dnskey-ksk-only"
10362 			to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
10363 
10364 2798.	[bug]		Addressed bugs in managed-keys initialization
10365 			and rollover. [RT #20683]
10366 
10367 2797.	[bug]		Don't decrement the dispatch manager's maxbuffers.
10368 			[RT #20613]
10369 
10370 2796.	[bug]		Missing dns_rdataset_disassociate() call in
10371 			dns_nsec3_delnsec3sx(). [RT #20681]
10372 
10373 2795.	[cleanup]	Add text to differentiate "update with no effect"
10374 			log messages. [RT #18889]
10375 
10376 2794.	[bug]		Install <isc/namespace.h>.  [RT #20677]
10377 
10378 2793.	[func]		Add "autosign" and "metadata" tests to the
10379 			automatic tests. [RT #19946]
10380 
10381 2792.	[func]		"filter-aaaa-on-v4" can now be set in view
10382 			options (if compiled in).  [RT #20635]
10383 
10384 2791.	[bug]		The installation of isc-config.sh was broken.
10385 			[RT #20667]
10386 
10387 2790.	[bug]		Handle DS queries to stub zones. [RT #20440]
10388 
10389 2789.	[bug]		Fixed an INSIST in dispatch.c [RT #20576]
10390 
10391 2788.	[bug]		dnssec-signzone could sign with keys that were
10392 			not requested [RT #20625]
10393 
10394 2787.	[bug]		Spurious log message when zone keys were
10395 			dynamically reconfigured. [RT #20659]
10396 
10397 2786.	[bug]		Additional could be promoted to answer. [RT #20663]
10398 
10399 	--- 9.7.0b3 released ---
10400 
10401 2785.	[bug]		Revoked keys could fail to self-sign [RT #20652]
10402 
10403 2784.	[bug]		TC was not always being set when required glue was
10404 			dropped. [RT #20655]
10405 
10406 2783.	[func]		Return minimal responses to EDNS/UDP queries with a UDP
10407 			buffer size of 512 or less.  [RT #20654]
10408 
10409 2782.	[port]		win32: use getaddrinfo() for hostname lookups.
10410 			[RT #20650]
10411 
10412 2781.	[bug]		Inactive keys could be used for signing. [RT #20649]
10413 
10414 2780.	[bug]		dnssec-keygen -A none didn't properly unset the
10415 			activation date in all cases. [RT #20648]
10416 
10417 2779.	[bug]		Dynamic key revocation could fail. [RT #20644]
10418 
10419 2778.	[bug]		dnssec-signzone could fail when a key was revoked
10420 			without deleting the unrevoked version. [RT #20638]
10421 
10422 2777.	[contrib]	DLZ MYSQL auto reconnect support discovery was wrong.
10423 
10424 2776.	[bug]		Change #2762 was not correct. [RT #20647]
10425 
10426 2775.	[bug]		Accept RSASHA256 and RSASHA512 as NSEC3 compatible
10427 			in dnssec-keyfromlabel. [RT #20643]
10428 
10429 2774.	[bug]		Existing cache DB wasn't being reused after
10430 			reconfiguration. [RT #20629]
10431 
10432 2773.	[bug]		In autosigned zones, the SOA could be signed
10433 			with the KSK. [RT #20628]
10434 
10435 2772.	[security]	When validating, track whether pending data was from
10436 			the additional section or not and only return it if
10437 			validates as secure. [RT #20438]
10438 
10439 2771.	[bug]		dnssec-signzone: DNSKEY records could be
10440 			corrupted when importing from key files [RT #20624]
10441 
10442 2770.	[cleanup]	Add log messages to resolver.c to indicate events
10443 			causing FORMERR responses. [RT #20526]
10444 
10445 2769.	[cleanup]	Change #2742 was incomplete. [RT #19589]
10446 
10447 2768.	[bug]		dnssec-signzone: -S no longer implies -g [RT #20568]
10448 
10449 2767.	[bug]		named could crash on startup if a zone was
10450 			configured with auto-dnssec and there was no
10451 			key-directory. [RT #20615]
10452 
10453 2766.	[bug]		isc_socket_fdwatchpoke() should only update the
10454 			socketmgr state if the socket is not pending on a
10455 			read or write.  [RT #20603]
10456 
10457 2765.	[bug]		Skip masters for which the TSIG key cannot be found.
10458 			[RT #20595]
10459 
10460 2764.	[bug]		"rndc-confgen -a" could trigger a REQUIRE. [RT #20610]
10461 
10462 2763.	[bug]		"rndc sign" didn't create an NSEC chain. [RT #20591]
10463 
10464 2762.	[bug]		DLV validation failed with a local slave DLV zone.
10465 			[RT #20577]
10466 
10467 2761.	[cleanup]	Enable internal symbol table for backtrace only for
10468 			systems that are known to work.  Currently, BSD
10469 			variants, Linux and Solaris are supported. [RT #20202]
10470 
10471 2760.	[cleanup]	Corrected named-compilezone usage summary. [RT #20533]
10472 
10473 2759.	[doc]		Add information about .jbk/.jnw files to
10474 			the ARM. [RT #20303]
10475 
10476 2758.	[bug]		win32: Added a workaround for a windows 2008 bug
10477 			that could cause the UDP client handler to shut
10478 			down. [RT #19176]
10479 
10480 2757.	[bug]		dig: assertion failure could occur in connect
10481 			timeout. [RT #20599]
10482 
10483 2756.	[bug]		Fixed corrupt logfile message in update.c. [RT #20597]
10484 
10485 2755.	[placeholder]
10486 
10487 2754.	[bug]		Secure-to-insecure transitions failed when zone
10488 			was signed with NSEC3. [RT #20587]
10489 
10490 2753.	[bug]		Removed an unnecessary warning that could appear when
10491 			building an NSEC chain. [RT #20589]
10492 
10493 2752.	[bug]		Locking violation. [RT #20587]
10494 
10495 2751.	[bug]		Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]
10496 
10497 2750.	[bug]		dig: assertion failure could occur when a server
10498 			didn't have an address. [RT #20579]
10499 
10500 2749.	[bug]		ixfr-from-differences generated a non-minimal ixfr
10501 			for NSEC3 signed zones. [RT #20452]
10502 
10503 2748.	[func]		Identify bad answers from GTLD servers and treat them
10504 			as referrals. [RT #18884]
10505 
10506 2747.	[bug]		Journal roll forwards failed to set the re-signing
10507 			time of RRSIGs correctly. [RT #20541]
10508 
10509 2746.	[port]		hpux: address signed/unsigned expansion mismatch of
10510 			dns_rbtnode_t.nsec. [RT #20542]
10511 
10512 2745.	[bug]		configure script didn't probe the return type of
10513 			gai_strerror(3) correctly. [RT #20573]
10514 
10515 2744.	[func]		Log if a query was over TCP. [RT #19961]
10516 
10517 2743.	[bug]		RRSIG could be incorrectly set in the NSEC3 record
10518 			for a insecure delegation.
10519 
10520 	--- 9.7.0b2 released ---
10521 
10522 2742.	[cleanup]	Clarify some DNSSEC-related log messages in
10523 			validator.c. [RT #19589]
10524 
10525 2741.	[func]		Allow the dnssec-keygen progress messages to be
10526 			suppressed (dnssec-keygen -q).  Automatically
10527 			suppress the progress messages when stdin is not
10528 			a tty. [RT #20474]
10529 
10530 2740.	[placeholder]
10531 
10532 2739.	[cleanup]	Clean up API for initializing and clearing trust
10533 			anchors for a view. [RT #20211]
10534 
10535 2738.	[func]		Add RSASHA256 and RSASHA512 tests to the dnssec system
10536 			test. [RT #20453]
10537 
10538 2737.	[func]		UPDATE requests can leak existence information.
10539 			[RT #17261]
10540 
10541 2736.	[func]		Improve the performance of NSEC signed zones with
10542 			more than a normal amount of glue below a delegation.
10543 			[RT #20191]
10544 
10545 2735.	[bug]		dnssec-signzone could fail to read keys
10546 			that were specified on the command line with
10547 			full paths, but weren't in the current
10548 			directory. [RT #20421]
10549 
10550 2734.	[port]		cygwin: arpaname did not compile. [RT #20473]
10551 
10552 2733.	[cleanup]	Clean up coding style in pkcs11-* tools. [RT #20355]
10553 
10554 2732.	[func]		Add optional filter-aaaa-on-v4 option, available
10555 			if built with './configure --enable-filter-aaaa'.
10556 			Filters out AAAA answers to clients connecting
10557 			via IPv4.  (This is NOT recommended for general
10558 			use.) [RT #20339]
10559 
10560 2731.	[func]		Additional work on change 2709.  The key parser
10561 			will now ignore unrecognized fields when the
10562 			minor version number of the private key format
10563 			has been increased.  It will reject any key with
10564 			the major version number increased. [RT #20310]
10565 
10566 2730.	[func]		Have dnssec-keygen display a progress indication
10567 			a la 'openssl genrsa' on standard error. Note
10568 			when the first '.' is followed by a long stop
10569 			one has the choice between slow generation vs.
10570 			poor random quality, i.e., '-r /dev/urandom'.
10571 			[RT #20284]
10572 
10573 2729.	[func]		When constructing a CNAME from a DNAME use the DNAME
10574 			TTL. [RT #20451]
10575 
10576 2728.	[bug]		dnssec-keygen, dnssec-keyfromlabel and
10577 			dnssec-signzone now warn immediately if asked to
10578 			write into a nonexistent directory. [RT #20278]
10579 
10580 2727.	[func]		The 'key-directory' option can now specify a relative
10581 			path. [RT #20154]
10582 
10583 2726.	[func]		Added support for SHA-2 DNSSEC algorithms,
10584 			RSASHA256 and RSASHA512. [RT #20023]
10585 
10586 2725.	[doc]		Added information about the file "managed-keys.bind"
10587 			to the ARM. [RT #20235]
10588 
10589 2724.	[bug]		Updates to a existing node in secure zone using NSEC
10590 			were failing. [RT #20448]
10591 
10592 2723.	[bug]		isc_base32_totext(), isc_base32hex_totext(), and
10593 			isc_base64_totext(), didn't always mark regions of
10594 			memory as fully consumed after conversion.  [RT #20445]
10595 
10596 2722.	[bug]		Ensure that the memory associated with the name of
10597 			a node in a rbt tree is not altered during the life
10598 			of the node. [RT #20431]
10599 
10600 2721.	[port]		Have dst__entropy_status() prime the random number
10601 			generator. [RT #20369]
10602 
10603 2720.	[bug]		RFC 5011 trust anchor updates could trigger an
10604 			assert if the DNSKEY record was unsigned. [RT #20406]
10605 
10606 2719.	[func]		Skip trusted/managed keys for unsupported algorithms.
10607 			[RT #20392]
10608 
10609 2718.	[bug]		The space calculations in opensslrsa_todns() were
10610 			incorrect. [RT #20394]
10611 
10612 2717.	[bug]		named failed to update the NSEC/NSEC3 record when
10613 			the last private type record was removed as a result
10614 			of completing the signing the zone with a key.
10615 			[RT #20399]
10616 
10617 2716.	[bug]		nslookup debug mode didn't return the ttl. [RT #20414]
10618 
10619 	--- 9.7.0b1 released ---
10620 
10621 2715.	[bug]		Require OpenSSL support to be explicitly disabled.
10622 			[RT #20288]
10623 
10624 2714.	[port]		aix/powerpc: 'asm("ics");' needs non standard assembler
10625 			flags.
10626 
10627 2713.	[bug]		powerpc: atomic operations missing asm("ics") /
10628 			__isync() calls.
10629 
10630 2712.	[func]		New 'auto-dnssec' zone option allows zone signing
10631 			to be fully automated in zones configured for
10632 			dynamic DNS.  'auto-dnssec allow;' permits a zone
10633 			to be signed by creating keys for it in the
10634 			key-directory and using 'rndc sign <zone>'.
10635 			'auto-dnssec maintain;' allows that too, plus it
10636 			also keeps the zone's DNSSEC keys up to date
10637 			according to their timing metadata. [RT #19943]
10638 
10639 2711.	[port]		win32: Add the bin/pkcs11 tools into the full
10640 			build. [RT #20372]
10641 
10642 2710.	[func]		New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
10643 			zone option cause a zone to be signed with only KSKs
10644 			signing the DNSKEY RRset, not ZSKs.  This reduces
10645 			the size of a DNSKEY answer.  [RT #20340]
10646 
10647 2709.	[func]		Added some data fields, currently unused, to the
10648 			private key file format, to allow implementation
10649 			of explicit key rollover in a future release
10650 			without impairing backward or forward compatibility.
10651 			[RT #20310]
10652 
10653 2708.	[func]		Insecure to secure and NSEC3 parameter changes via
10654 			update are now fully supported and no longer require
10655 			defines to enable.  We now no longer overload the
10656 			NSEC3PARAM flag field, nor the NSEC OPT bit at the
10657 			apex.  Secure to insecure changes are controlled by
10658 			by the named.conf option 'secure-to-insecure'.
10659 
10660 			Warning: If you had previously enabled support by
10661 			adding defines at compile time to BIND 9.6 you should
10662 			ensure that all changes that are in progress have
10663 			completed prior to upgrading to BIND 9.7.  BIND 9.7
10664 			is not backwards compatible.
10665 
10666 2707.	[func]		dnssec-keyfromlabel no longer require engine name
10667 			to be specified in the label if there is a default
10668 			engine or the -E option has been used.  Also, it
10669 			now uses default algorithms as dnssec-keygen does
10670 			(i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
10671 			[RT #20371]
10672 
10673 2706.	[bug]		Loading a zone with a very large NSEC3 salt could
10674 			trigger an assert. [RT #20368]
10675 
10676 2705.	[placeholder]
10677 
10678 2704.	[bug]		Serial of dynamic and stub zones could be inconsistent
10679 			with their SOA serial.  [RT #19387]
10680 
10681 2703.	[func]		Introduce an OpenSSL "engine" argument with -E
10682 			for all binaries which can take benefit of
10683 			crypto hardware. [RT #20230]
10684 
10685 2702.	[func]		Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
10686 
10687 2701.	[doc]		Correction to ARM: hmac-md5 is no longer the only
10688 			supported TSIG key algorithm. [RT #18046]
10689 
10690 2700.	[doc]		The match-mapped-addresses option is discouraged.
10691 			[RT #12252]
10692 
10693 2699.	[bug]		Missing lock in rbtdb.c. [RT #20037]
10694 
10695 2698.	[placeholder]
10696 
10697 2697.	[port]		win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
10698 			S_IFREG are defined after including <isc/stat.h>.
10699 			[RT #20309]
10700 
10701 2696.	[bug]		named failed to successfully process some valid
10702 			acl constructs. [RT #20308]
10703 
10704 2695.	[func]		DHCP/DDNS - update fdwatch code for use by
10705 			DHCP.  Modify the api to isc_sockfdwatch_t (the
10706 			callback function for isc_socket_fdwatchcreate)
10707 			to include information about the direction (read
10708 			or write) and add isc_socket_fdwatchpoke.
10709 			[RT #20253]
10710 
10711 2694.	[bug]		Reduce default NSEC3 iterations from 100 to 10.
10712 			[RT #19970]
10713 
10714 2693.	[port]		Add some noreturn attributes. [RT #20257]
10715 
10716 2692.	[port]		win32: 32/64 bit cleanups. [RT #20335]
10717 
10718 2691.	[func]		dnssec-signzone: retain the existing NSEC or NSEC3
10719 			chain when re-signing a previously-signed zone.
10720 			Use -u to modify NSEC3 parameters or switch
10721 			between NSEC and NSEC3. [RT #20304]
10722 
10723 2690.	[bug]		win32: fix isc_thread_key_getspecific() prototype.
10724 			[RT #20315]
10725 
10726 2689.	[bug]		Correctly handle snprintf result. [RT #20306]
10727 
10728 2688.	[bug]		Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
10729 			to decide to fetch the destination address. [RT #20305]
10730 
10731 2687.	[bug]		Fixed dnssec-signzone -S handling of revoked keys.
10732 			Also, added warnings when revoking a ZSK, as this is
10733 			not defined by protocol (but is legal).  [RT #19943]
10734 
10735 2686.	[bug]		dnssec-signzone should clean the old NSEC chain when
10736 			signing with NSEC3 and vice versa. [RT #20301]
10737 
10738 2685.	[contrib]	Update contrib/zkt to version 0.99c. [RT #20054]
10739 
10740 2684.	[cleanup]	dig: formalize +ad and +cd as synonyms for
10741 			+adflag and +cdflag.  [RT #19305]
10742 
10743 2683.	[bug]		dnssec-signzone should clean out old NSEC3 chains when
10744 			the NSEC3 parameters used to sign the zone change.
10745 			[RT #20246]
10746 
10747 2682.	[bug]		"configure --enable-symtable=all" failed to
10748 			build. [RT #20282]
10749 
10750 2681.	[bug]		IPSECKEY RR of gateway type 3 was not correctly
10751 			decoded. [RT #20269]
10752 
10753 2680.	[func]		Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]
10754 
10755 2679.	[func]		dig -k can now accept TSIG keys in named.conf
10756 			format.  [RT #20031]
10757 
10758 2678.	[func]		Treat DS queries as if "minimal-response yes;"
10759 			was set. [RT #20258]
10760 
10761 2677.	[func]		Changes to key metadata behavior:
10762 			- Keys without "publish" or "active" dates set will
10763 			  no longer be used for smart signing.  However,
10764 			  those dates will be set to "now" by default when
10765 			  a key is created; to generate a key but not use
10766 			  it yet, use dnssec-keygen -G.
10767 			- New "inactive" date (dnssec-keygen/settime -I)
10768 			  sets the time when a key is no longer used for
10769 			  signing but is still published.
10770 			- The "unpublished" date (-U) is deprecated in
10771 			  favor of "deleted" (-D).
10772 			[RT #20247]
10773 
10774 2676.	[bug]		--with-export-installdir should have been
10775 			--with-export-includedir. [RT #20252]
10776 
10777 2675.	[bug]		dnssec-signzone could crash if the key directory
10778 			did not exist. [RT #20232]
10779 
10780 	--- 9.7.0a3 released ---
10781 
10782 2674.	[bug]		"dnssec-lookaside auto;" crashed if named was built
10783 			without openssl. [RT #20231]
10784 
10785 2673.	[bug]		The managed-keys.bind zone file could fail to
10786 			load due to a spurious result from sync_keyzone()
10787 			[RT #20045]
10788 
10789 2672.	[bug]		Don't enable searching in 'host' when doing reverse
10790 			lookups. [RT #20218]
10791 
10792 2671.	[bug]		Add support for PKCS#11 providers not returning
10793 			the public exponent in RSA private keys
10794 			(OpenCryptoki for instance) in
10795 			dnssec-keyfromlabel. [RT #19294]
10796 
10797 2670.	[bug]		Unexpected connect failures failed to log enough
10798 			information to be useful. [RT #20205]
10799 
10800 2669.	[func]		Update PKCS#11 support to support Keyper HSM.
10801 			Update PKCS#11 patch to be against openssl-0.9.8i.
10802 
10803 2668.	[func]		Several improvements to dnssec-* tools, including:
10804 			- dnssec-keygen and dnssec-settime can now set key
10805 			  metadata fields 0 (to unset a value, use "none")
10806 			- dnssec-revoke sets the revocation date in
10807 			  addition to the revoke bit
10808 			- dnssec-settime can now print individual metadata
10809 			  fields instead of always printing all of them,
10810 			  and can print them in unix epoch time format for
10811 			  use by scripts
10812 			[RT #19942]
10813 
10814 2667.	[func]		Add support for logging stack backtrace on assertion
10815 			failure (not available for all platforms). [RT #19780]
10816 
10817 2666.	[func]		Added an 'options' argument to dns_name_fromstring()
10818 			(API change from 9.7.0a2). [RT #20196]
10819 
10820 2665.	[func]		Clarify syntax for managed-keys {} statement, add
10821 			ARM documentation about RFC 5011 support. [RT #19874]
10822 
10823 2664.	[bug]		create_keydata() and minimal_update() in zone.c
10824 			didn't properly check return values for some
10825 			functions.  [RT #19956]
10826 
10827 2663.	[func]		win32:  allow named to run as a service using
10828 			"NT AUTHORITY\LocalService" as the account. [RT #19977]
10829 
10830 2662.	[bug]		lwres_getipnodebyname() and lwres_getipnodebyaddr()
10831 			returned a misleading error code when lwresd was
10832 			down. [RT #20028]
10833 
10834 2661.	[bug]		Check whether socket fd exceeds FD_SETSIZE when
10835 			creating lwres context. [RT #20029]
10836 
10837 2660.	[func]		Add a new set of DNS libraries for non-BIND9
10838 			applications.  See README.libdns. [RT #19369]
10839 
10840 2659.	[doc]		Clarify dnssec-keygen doc: key name must match zone
10841 			name for DNSSEC keys. [RT #19938]
10842 
10843 2658.	[bug]		dnssec-settime and dnssec-revoke didn't process
10844 			key file paths correctly. [RT #20078]
10845 
10846 2657.	[cleanup]	Lower "journal file <path> does not exist, creating it"
10847 			log level to debug 1. [RT #20058]
10848 
10849 2656.	[func]		win32: add a "tools only" check box to the installer
10850 			which causes it to only install dig, host, nslookup,
10851 			nsupdate and relevant DLLs.  [RT #19998]
10852 
10853 2655.	[doc]		Document that key-directory does not affect
10854 			bind.keys, rndc.key or session.key.  [RT #20155]
10855 
10856 2654.	[bug]		Improve error reporting on duplicated names for
10857 			deny-answer-xxx. [RT #20164]
10858 
10859 2653.	[bug]		Treat ENGINE_load_private_key() failures as key
10860 			not found rather than out of memory.  [RT #18033]
10861 
10862 2652.	[func]		Provide more detail about what record is being
10863 			deleted. [RT #20061]
10864 
10865 2651.	[bug]		Dates could print incorrectly in K*.key files on
10866 			64-bit systems. [RT #20076]
10867 
10868 2650.	[bug]		Assertion failure in dnssec-signzone when trying
10869 			to read keyset-* files. [RT #20075]
10870 
10871 2649.	[bug]		Set the domain for forward only zones. [RT #19944]
10872 
10873 2648.	[port]		win32: isc_time_seconds() was broken. [RT #19900]
10874 
10875 2647.	[bug]		Remove unnecessary SOA updates when a new KSK is
10876 			added. [RT #19913]
10877 
10878 2646.	[bug]		Incorrect cleanup on error in socket.c. [RT #19987]
10879 
10880 2645.	[port]		"gcc -m32" didn't work on amd64 and x86_64 platforms
10881 			which default to 64 bits. [RT #19927]
10882 
10883 	--- 9.7.0a2 released ---
10884 
10885 2644.	[bug]		Change #2628 caused a regression on some systems;
10886 			named was unable to write the PID file and would
10887 			fail on startup. [RT #20001]
10888 
10889 2643.	[bug]		Stub zones interacted badly with NSEC3 support.
10890 			[RT #19777]
10891 
10892 2642.	[bug]		nsupdate could dump core on solaris when reading
10893 			improperly formatted key files.  [RT #20015]
10894 
10895 2641.	[bug]		Fixed an error in parsing update-policy syntax,
10896 			added a regression test to check it. [RT #20007]
10897 
10898 2640.	[security]	A specially crafted update packet will cause named
10899 			to exit. [RT #20000]
10900 
10901 2639.	[bug]		Silence compiler warnings in gssapi code. [RT #19954]
10902 
10903 2638.	[bug]		Install arpaname. [RT #19957]
10904 
10905 2637.	[func]		Rationalize dnssec-signzone's signwithkey() calling.
10906 			[RT #19959]
10907 
10908 2636.	[func]		Simplify zone signing and key maintenance with the
10909 			dnssec-* tools.  Major changes:
10910 			- all dnssec-* tools now take a -K option to
10911 			  specify a directory in which key files will be
10912 			  stored
10913 			- DNSSEC can now store metadata indicating when
10914 			  they are scheduled to be published, activated,
10915 			  revoked or removed; these values can be set by
10916 			  dnssec-keygen or overwritten by the new
10917 			  dnssec-settime command
10918 			- dnssec-signzone -S (for "smart") option reads key
10919 			  metadata and uses it to determine automatically
10920 			  which keys to publish to the zone, use for
10921 			  signing, revoke, or remove from the zone
10922 			[RT #19816]
10923 
10924 2635.	[bug]		isc_inet_ntop() incorrectly handled 0.0/16 addresses.
10925 			[RT #19716]
10926 
10927 2634.	[port]		win32: Add support for libxml2, enable
10928 			statschannel. [RT #19773]
10929 
10930 2633.	[bug]		Handle 15 bit rand() functions. [RT #19783]
10931 
10932 2632.	[func]		util/kit.sh: warn if documentation appears to be out of
10933 			date.  [RT #19922]
10934 
10935 2631.	[bug]		Handle "//", "/./" and "/../" in mkdirpath().
10936 			[RT #19926 ]
10937 
10938 2630.	[func]		Improved syntax for DDNS autoconfiguration:  use
10939 			"update-policy local;" to switch on local DDNS in a
10940 			zone. (The "ddns-autoconf" option has been removed.)
10941 			[RT #19875]
10942 
10943 2629.	[port]		Check for seteuid()/setegid(), use setresuid()/
10944 			setresgid() if not present. [RT #19932]
10945 
10946 2628.	[port]		linux: Allow /var/run/named/named.pid to be opened
10947 			at startup with reduced capabilities in operation.
10948 			[RT #19884]
10949 
10950 2627.	[bug]		Named aborted if the same key was included in
10951 			trusted-keys more than once. [RT #19918]
10952 
10953 2626.	[bug]		Multiple trusted-keys could trigger an assertion
10954 			failure. [RT #19914]
10955 
10956 2625.	[bug]		Missing UNLOCK in rbtdb.c. [RT #19865]
10957 
10958 2624.	[func]		'named-checkconf -p' will print out the parsed
10959 			configuration. [RT #18871]
10960 
10961 2623.	[bug]		Named started searches for DS non-optimally. [RT #19915]
10962 
10963 2622.	[bug]		Printing of named.conf grammar was broken. [RT #19919]
10964 
10965 2621.	[doc]		Made copyright boilerplate consistent.  [RT #19833]
10966 
10967 2620.	[bug]		Delay thawing the zone until the reload of it has
10968 			completed successfully.  [RT #19750]
10969 
10970 2619.	[func]		Add support for RFC 5011, automatic trust anchor
10971 			maintenance.  The new "managed-keys" statement can
10972 			be used in place of "trusted-keys" for zones which
10973 			support this protocol.  (Note: this syntax is
10974 			expected to change prior to 9.7.0 final.) [RT #19248]
10975 
10976 2618.	[bug]		The sdb and sdlz db_interator_seek() methods could
10977 			loop infinitely. [RT #19847]
10978 
10979 2617.	[bug]		ifconfig.sh failed to emit an error message when
10980 			run from the wrong location. [RT #19375]
10981 
10982 2616.	[bug]		'host' used the nameservers from resolv.conf even
10983 			when a explicit nameserver was specified. [RT #19852]
10984 
10985 2615.	[bug]		"__attribute__((unused))" was in the wrong place
10986 			for ia64 gcc builds. [RT #19854]
10987 
10988 2614.	[port]		win32: 'named -v' should automatically be executed
10989 			in the foreground. [RT #19844]
10990 
10991 2613.	[placeholder]
10992 
10993 	--- 9.7.0a1 released ---
10994 
10995 2612.	[func]		Add default values for the arguments to
10996 			dnssec-keygen.  Without arguments, it will now
10997 			generate a 1024-bit RSASHA1 zone-signing key,
10998 			or with the -f KSK option, a 2048-bit RSASHA1
10999 			key-signing key. [RT #19300]
11000 
11001 2611.	[func]		Add -l option to dnssec-dsfromkey to generate
11002 			DLV records instead of DS records. [RT #19300]
11003 
11004 2610.	[port]		sunos: Change #2363 was not complete. [RT #19796]
11005 
11006 2609.	[func]		Simplify the configuration of dynamic zones:
11007 			- add ddns-confgen command to generate
11008 			  configuration text for named.conf
11009 			- add zone option "ddns-autoconf yes;", which
11010 			  causes named to generate a TSIG session key
11011 			  and allow updates to the zone using that key
11012 			- add '-l' (localhost) option to nsupdate, which
11013 			  causes nsupdate to connect to a locally-running
11014 			  named process using the session key generated
11015 			  by named
11016 			[RT #19284]
11017 
11018 2608.	[func]		Perform post signing verification checks in
11019 			dnssec-signzone.  These can be disabled with -P.
11020 
11021 			The post sign verification test ensures that for each
11022 			algorithm in use there is at least one non revoked
11023 			self signed KSK key.  That all revoked KSK keys are
11024 			self signed.  That all records in the zone are signed
11025 			by the algorithm.  [RT #19653]
11026 
11027 2607.	[bug]		named could incorrectly delete NSEC3 records for
11028 			empty nodes when processing a update request.
11029 			[RT #19749]
11030 
11031 2606.	[bug]		"delegation-only" was not being accepted in
11032 			delegation-only type zones. [RT #19717]
11033 
11034 2605.	[bug]		Accept DS responses from delegation only zones.
11035 			[RT # 19296]
11036 
11037 2604.	[func]		Add support for DNS rebinding attack prevention through
11038 			new options, deny-answer-addresses and
11039 			deny-answer-aliases.  Based on contributed code from
11040 			JD Nurmi, Google. [RT #18192]
11041 
11042 2603.	[port]		win32: handle .exe extension of named-checkzone and
11043 			named-comilezone argv[0] names under windows.
11044 			[RT #19767]
11045 
11046 2602.	[port]		win32: fix debugging command line build of libisccfg.
11047 			[RT #19767]
11048 
11049 2601.	[doc]		Mention file creation mode mask in the
11050 			named manual page.
11051 
11052 2600.	[doc]		ARM: miscellaneous reformatting for different
11053 			page widths. [RT #19574]
11054 
11055 2599.	[bug]		Address rapid memory growth when validation fails.
11056 			[RT #19654]
11057 
11058 2598.	[func]		Reserve the -F flag. [RT #19657]
11059 
11060 2597.	[bug]		Handle a validation failure with a insecure delegation
11061 			from a NSEC3 signed master/slave zone.  [RT #19464]
11062 
11063 2596.	[bug]		Stale tree nodes of cache/dynamic rbtdb could stay
11064 			long, leading to inefficient memory usage or rejecting
11065 			newer cache entries in the worst case. [RT #19563]
11066 
11067 2595.	[bug]		Fix unknown extended rcodes in dig. [RT #19625]
11068 
11069 2594.	[func]		Have rndc warn if using its default configuration
11070 			file when the key file also exists. [RT #19424]
11071 
11072 2593.	[bug]		Improve a corner source of SERVFAILs [RT #19632]
11073 
11074 2592.	[bug]		Treat "any" as a type in nsupdate. [RT #19455]
11075 
11076 2591.	[bug]		named could die when processing a update in
11077 			removed_orphaned_ds(). [RT #19507]
11078 
11079 2590.	[func]		Report zone/class of "update with no effect".
11080 			[RT #19542]
11081 
11082 2589.	[bug]		dns_db_unregister() failed to clear '*dbimp'.
11083 			[RT #19626]
11084 
11085 2588.	[bug]		SO_REUSEADDR could be set unconditionally after failure
11086 			of bind(2) call.  This should be rare and mostly
11087 			harmless, but may cause interference with other
11088 			processes that happen to use the same port. [RT #19642]
11089 
11090 2587.	[func]		Improve logging by reporting serial numbers for
11091 			when zone serial has gone backwards or unchanged.
11092 			[RT #19506]
11093 
11094 2586.	[bug]		Missing cleanup of SIG rdataset in searching a DLZ DB
11095 			or SDB. [RT #19577]
11096 
11097 2585.	[bug]		Uninitialized socket name could be referenced via a
11098 			statistics channel, triggering an assertion failure in
11099 			XML rendering. [RT #19427]
11100 
11101 2584.	[bug]		alpha: gcc optimization could break atomic operations.
11102 			[RT #19227]
11103 
11104 2583.	[port]		netbsd: provide a control to not add the compile
11105 			date to the version string, -DNO_VERSION_DATE.
11106 
11107 2582.	[bug]		Don't emit warning log message when we attempt to
11108 			remove non-existent journal. [RT #19516]
11109 
11110 2581.	[contrib]	dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
11111 			Requires MySQL 5.0.19 or later. [RT #19084]
11112 
11113 2580.	[bug]		UpdateRej statistics counter could be incremented twice
11114 			for one rejection. [RT #19476]
11115 
11116 2579.	[bug]		DNSSEC lookaside validation failed to handle unknown
11117 			algorithms. [RT #19479]
11118 
11119 2578.	[bug]		Changed default sig-signing-type to 65534, because
11120 			65535 turns out to be reserved.  [RT #19477]
11121 
11122 2577.	[doc]		Clarified some statistics counters. [RT #19454]
11123 
11124 2576.	[bug]		NSEC record were not being correctly signed when
11125 			a zone transitions from insecure to secure.
11126 			Handle such incorrectly signed zones. [RT #19114]
11127 
11128 2575.	[func]		New functions dns_name_fromstring() and
11129 			dns_name_tostring(), to simplify conversion
11130 			of a string to a dns_name structure and vice
11131 			versa. [RT #19451]
11132 
11133 2574.	[doc]		Document nsupdate -g and -o. [RT #19351]
11134 
11135 2573.	[bug]		Replacing a non-CNAME record with a CNAME record in a
11136 			single transaction in a signed zone failed. [RT #19397]
11137 
11138 2572.	[func]		Simplify DLV configuration, with a new option
11139 			"dnssec-lookaside auto;"  This is the equivalent
11140 			of "dnssec-lookaside . trust-anchor dlv.isc.org;"
11141 			plus setting a trusted-key for dlv.isc.org.
11142 
11143 			Note: The trusted key is hard-coded into named,
11144 			but is also stored in (and can be overridden
11145 			by) $sysconfdir/bind.keys.  As the ISC DLV key
11146 			rolls over it can be kept up to date by replacing
11147 			the bind.keys file with a key downloaded from
11148 			https://www.isc.org/solutions/dlv. [RT #18685]
11149 
11150 2571.	[func]		Add a new tool "arpaname" which translates IP addresses
11151 			to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
11152 			[RT #18976]
11153 
11154 2570.	[func]		Log the destination address the query was sent to.
11155 			[RT #19209]
11156 
11157 2569.	[func]		Move journalprint, nsec3hash, and genrandom
11158 			commands from bin/tests into bin/tools;
11159 			"make install" will put them in $sbindir. [RT #19301]
11160 
11161 2568.	[bug]		Report when the write to indicate a otherwise
11162 			successful start fails. [RT #19360]
11163 
11164 2567.	[bug]		dst__privstruct_writefile() could miss write errors.
11165 			write_public_key() could miss write errors.
11166 			dnssec-dsfromkey could miss write errors.
11167 			[RT #19360]
11168 
11169 2566.	[cleanup]	Clarify logged message when an insecure DNSSEC
11170 			response arrives from a zone thought to be secure:
11171 			"insecurity proof failed" instead of "not
11172 			insecure". [RT #19400]
11173 
11174 2565.	[func]		Add support for HIP record.  Includes new functions
11175 			dns_rdata_hip_first(), dns_rdata_hip_next()
11176 			and dns_rdata_hip_current().  [RT #19384]
11177 
11178 2564.	[bug]		Only take EDNS fallback steps when processing timeouts.
11179 			[RT #19405]
11180 
11181 2563.	[bug]		Dig could leak a socket causing it to wait forever
11182 			to exit. [RT #19359]
11183 
11184 2562.	[doc]		ARM: miscellaneous improvements, reorganization,
11185 			and some new content.
11186 
11187 2561.	[doc]		Add isc-config.sh(1) man page. [RT #16378]
11188 
11189 2560.	[bug]		Add #include <config.h> to iptable.c. [RT #18258]
11190 
11191 2559.	[bug]		dnssec-dsfromkey could compute bad DS records when
11192 			reading from a K* files.  [RT #19357]
11193 
11194 2558.	[func]		Set the ownership of missing directories created
11195 			for pid-file if -u has been specified on the command
11196 			line. [RT #19328]
11197 
11198 2557.	[cleanup]	PCI compliance:
11199 			* new libisc log module file
11200 			* isc_dir_chroot() now also changes the working
11201 			  directory to "/".
11202 			* additional INSISTs
11203 			* additional logging when files can't be removed.
11204 
11205 2556.	[port]		Solaris: mkdir(2) on tmpfs filesystems does not do the
11206 			error checks in the correct order resulting in the
11207 			wrong error code sometimes being returned. [RT #19249]
11208 
11209 2555.	[func]		dig: when emitting a hex dump also display the
11210 			corresponding characters. [RT #19258]
11211 
11212 2554.	[bug]		Validation of uppercase queries from NSEC3 zones could
11213 			fail. [RT #19297]
11214 
11215 2553.	[bug]		Reference leak on DNSSEC validation errors. [RT #19291]
11216 
11217 2552.	[bug]		zero-no-soa-ttl-cache was not being honored.
11218 			[RT #19340]
11219 
11220 2551.	[bug]		Potential Reference leak on return. [RT #19341]
11221 
11222 2550.	[bug]		Check --with-openssl=<path> finds <openssl/opensslv.h>.
11223 			[RT #19343]
11224 
11225 2549.	[port]		linux: define NR_OPEN if not currently defined.
11226 			[RT #19344]
11227 
11228 2548.	[bug]		Install iterated_hash.h. [RT #19335]
11229 
11230 2547.	[bug]		openssl_link.c:mem_realloc() could reference an
11231 			out-of-range area of the source buffer.  New public
11232 			function isc_mem_reallocate() was introduced to address
11233 			this bug. [RT #19313]
11234 
11235 2546.	[func]		Add --enable-openssl-hash configure flag to use
11236 			OpenSSL (in place of internal routine) for hash
11237 			functions (MD5, SHA[12] and HMAC). [RT #18815]
11238 
11239 2545.	[doc]		ARM: Legal hostname checking (check-names) is
11240 			for SRV RDATA too. [RT #19304]
11241 
11242 2544.	[cleanup]	Removed unused structure members in adb.c. [RT #19225]
11243 
11244 2543.	[contrib]	Update contrib/zkt to version 0.98. [RT #19113]
11245 
11246 2542.	[doc]		Update the description of dig +adflag. [RT #19290]
11247 
11248 2541.	[bug]		Conditionally update dispatch manager statistics.
11249 			[RT #19247]
11250 
11251 2540.	[func]		Add a nibble mode to $GENERATE. [RT #18872]
11252 
11253 2539.	[security]	Update the interaction between recursion, allow-query,
11254 			allow-query-cache and allow-recursion.  [RT #19198]
11255 
11256 2538.	[bug]		cache/ADB memory could grow over max-cache-size,
11257 			especially with threads and smaller max-cache-size
11258 			values. [RT #19240]
11259 
11260 2537.	[func]		Added more statistics counters including those on socket
11261 			I/O events and query RTT histograms. [RT #18802]
11262 
11263 2536.	[cleanup]	Silence some warnings when -Werror=format-security is
11264 			specified. [RT #19083]
11265 
11266 2535.	[bug]		dig +showsearch and +trace interacted badly. [RT #19091]
11267 
11268 2534.	[func]		Check NAPTR records regular expressions and
11269 			replacement strings to ensure they are syntactically
11270 			valid and consistent. [RT #18168]
11271 
11272 2533.	[doc]		ARM: document @ (at-sign). [RT #17144]
11273 
11274 2532.	[bug]		dig: check the question section of the response to
11275 			see if it matches the asked question. [RT #18495]
11276 
11277 2531.	[bug]		Change #2207 was incomplete. [RT #19098]
11278 
11279 2530.	[bug]		named failed to reject insecure to secure transitions
11280 			via UPDATE. [RT #19101]
11281 
11282 2529.	[cleanup]	Upgrade libtool to silence complaints from recent
11283 			version of autoconf. [RT #18657]
11284 
11285 2528.	[cleanup]	Silence spurious configure warning about
11286 			--datarootdir [RT #19096]
11287 
11288 2527.	[placeholder]
11289 
11290 2526.	[func]		New named option "attach-cache" that allows multiple
11291 			views to share a single cache to save memory and
11292 			improve lookup efficiency.  Based on contributed code
11293 			from Barclay Osborn, Google. [RT #18905]
11294 
11295 2525.	[func]		New logging category "query-errors" to provide detailed
11296 			internal information about query failures, especially
11297 			about server failures. [RT #19027]
11298 
11299 2524.	[port]		sunos: dnssec-signzone needs strtoul(). [RT #19129]
11300 
11301 2523.	[bug]		Random type rdata freed by dns_nsec_typepresent().
11302 			[RT #19112]
11303 
11304 2522.	[security]	Handle -1 from DSA_do_verify() and EVP_VerifyFinal().
11305 
11306 2521.	[bug]		Improve epoll cross compilation support. [RT #19047]
11307 
11308 2520.	[bug]		Update xml statistics version number to 2.0 as change
11309 			#2388 made the schema incompatible to the previous
11310 			version. [RT #19080]
11311 
11312 2519.	[bug]		dig/host with -4 or -6 didn't work if more than two
11313 			nameserver addresses of the excluded address family
11314 			preceded in resolv.conf. [RT #19081]
11315 
11316 2518.	[func]		Add support for the new CERT types from RFC 4398.
11317 			[RT #19077]
11318 
11319 2517.	[bug]		dig +trace with -4 or -6 failed when it chose a
11320 			nameserver address of the excluded address type.
11321 			[RT #18843]
11322 
11323 2516.	[bug]		glue sort for responses was performed even when not
11324 			needed. [RT #19039]
11325 
11326 2515.	[port]		win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
11327 			[RT #19063]
11328 
11329 2514.	[bug]		dig/host failed with -4 or -6 when resolv.conf contains
11330 			a nameserver of the excluded address family.
11331 			[RT #18848]
11332 
11333 2513.	[bug]		Fix windows cli build. [RT #19062]
11334 
11335 2512.	[func]		Print a summary of the cached records which make up
11336 			the negative response.  [RT #18885]
11337 
11338 2511.	[cleanup]	dns_rdata_tofmttext() add const to linebreak.
11339 			[RT #18885]
11340 
11341 2510.	[bug]		"dig +sigchase" could trigger REQUIRE failures.
11342 			[RT #19033]
11343 
11344 2509.	[bug]		Specifying a fixed query source port was broken.
11345 			[RT #19051]
11346 
11347 2508.	[placeholder]
11348 
11349 2507.	[func]		Log the recursion quota values when killing the
11350 			oldest query or refusing to recurse due to quota.
11351 			[RT #19022]
11352 
11353 2506.	[port]		solaris: Check at configure time if
11354 			hack_shutup_pthreadonceinit is needed. [RT #19037]
11355 
11356 2505.	[port]		Treat amd64 similarly to x86_64 when determining
11357 			atomic operation support. [RT #19031]
11358 
11359 2504.	[bug]		Address race condition in the socket code. [RT #18899]
11360 
11361 2503.	[port]		linux: improve compatibility with Linux Standard
11362 			Base. [RT #18793]
11363 
11364 2502.	[cleanup]	isc_radix: Improve compliance with coding style,
11365 			document function in <isc/radix.h>. [RT #18534]
11366 
11367 2501.	[func]		$GENERATE now supports all rdata types.  Multi-field
11368 			rdata types need to be quoted.  See the ARM for
11369 			details. [RT #18368]
11370 
11371 2500.	[contrib]	contrib/sdb/pgsql/zonetodb.c called non-existent
11372 			function. [RT #18582]
11373 
11374 2499.	[port]		solaris: lib/lwres/getaddrinfo.c namespace clash.
11375 			[RT #18837]
11376 
11377 	--- 9.6.0rc1 released ---
11378 
11379 2498.	[bug]		Removed a bogus function argument used with
11380 			ISC_SOCKET_USE_POLLWATCH: it could cause compiler
11381 			warning or crash named with the debug 1 level
11382 			of logging. [RT #18917]
11383 
11384 2497.	[bug]		Don't add RRSIG bit to NSEC3 bit map for insecure
11385 			delegation.
11386 
11387 2496.	[bug]		Add sanity length checks to NSID option. [RT #18813]
11388 
11389 2495.	[bug]		Tighten RRSIG checks. [RT #18795]
11390 
11391 2494.	[bug]		isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
11392 			installed. [RT #18826]
11393 
11394 2493.	[bug]		The linux capabilities code was not correctly cleaning
11395 			up after itself. [RT #18767]
11396 
11397 2492.	[func]		Rndc status now reports the number of cpus discovered
11398 			and the number of worker threads when running
11399 			multi-threaded. [RT #18273]
11400 
11401 2491.	[func]		Attempt to re-use a local port if we are already using
11402 			the port. [RT #18548]
11403 
11404 2490.	[port]		aix: work around a kernel bug where IPV6_RECVPKTINFO
11405 			is cleared when IPV6_V6ONLY is set. [RT #18785]
11406 
11407 2489.	[port]		solaris: Workaround Solaris's kernel bug about
11408 			/dev/poll:
11409 			http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
11410 			Define ISC_SOCKET_USE_POLLWATCH at build time to enable
11411 			this workaround. [RT #18870]
11412 
11413 2488.	[func]		Added a tool, dnssec-dsfromkey, to generate DS records
11414 			from keyset and .key files. [RT #18694]
11415 
11416 2487.	[bug]		Give TCP connections longer to complete. [RT #18675]
11417 
11418 2486.	[func]		The default locations for named.pid and lwresd.pid
11419 			are now /var/run/named/named.pid and
11420 			/var/run/lwresd/lwresd.pid respectively.
11421 
11422 			This allows the owner of the containing directory
11423 			to be set, for "named -u" support, and allows there
11424 			to be a permanent symbolic link in the path, for
11425 			"named -t" support.  [RT #18306]
11426 
11427 2485.	[bug]		Change update's the handling of obscured RRSIG
11428 			records.  Not all orphaned DS records were being
11429 			removed. [RT #18828]
11430 
11431 2484.	[bug]		It was possible to trigger a REQUIRE failure when
11432 			adding NSEC3 proofs to the response in
11433 			query_addwildcardproof().  [RT #18828]
11434 
11435 2483.	[port]		win32: chroot() is not supported. [RT #18805]
11436 
11437 2482.	[port]		libxml2: support versions 2.7.* in addition
11438 			to 2.6.*. [RT #18806]
11439 
11440 	--- 9.6.0b1 released ---
11441 
11442 2481.	[bug]		rbtdb.c:matchparams() failed to handle NSEC3 chain
11443 			collisions.  [RT #18812]
11444 
11445 2480.	[bug]		named could fail to emit all the required NSEC3
11446 			records.  [RT #18812]
11447 
11448 2479.	[bug]		xfrout:covers was not properly initialized. [RT #18801]
11449 
11450 2478.	[bug]		'addresses' could be used uninitialized in
11451 			configure_forward(). [RT #18800]
11452 
11453 2477.	[bug]		dig: the global option to print the command line is
11454 			+cmd not print_cmd.  Update the output to reflect
11455 			this. [RT #17008]
11456 
11457 2476.	[doc]		ARM: improve documentation for max-journal-size and
11458 			ixfr-from-differences. [RT #15909] [RT #18541]
11459 
11460 2475.	[bug]		LRU cache cleanup under overmem condition could purge
11461 			particular entries more aggressively. [RT #17628]
11462 
11463 2474.	[bug]		ACL structures could be allocated with insufficient
11464 			space, causing an array overrun. [RT #18765]
11465 
11466 2473.	[port]		linux: raise the limit on open files to the possible
11467 			maximum value before spawning threads; 'files'
11468 			specified in named.conf doesn't seem to work with
11469 			threads as expected. [RT #18784]
11470 
11471 2472.	[port]		linux: check the number of available cpu's before
11472 			calling chroot as it depends on "/proc". [RT #16923]
11473 
11474 2471.	[bug]		named-checkzone was not reporting missing mandatory
11475 			glue when sibling checks were disabled. [RT #18768]
11476 
11477 2470.	[bug]		Elements of the isc_radix_node_t could be incorrectly
11478 			overwritten.  [RT #18719]
11479 
11480 2469.	[port]		solaris: Work around Solaris's select() limitations.
11481 			[RT #18769]
11482 
11483 2468.	[bug]		Resolver could try unreachable servers multiple times.
11484 			[RT #18739]
11485 
11486 2467.	[bug]		Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]
11487 
11488 2466.	[doc]		ARM: explain max-cache-ttl 0 SERVFAIL issue.
11489 			[RT #18302]
11490 
11491 2465.	[bug]		Adb's handling of lame addresses was different
11492 			for IPv4 and IPv6. [RT #18738]
11493 
11494 2464.	[port]		linux: check that a capability is present before
11495 			trying to set it. [RT #18135]
11496 
11497 2463.	[port]		linux: POSIX doesn't include the IPv6 Advanced Socket
11498 			API and glibc hides parts of the IPv6 Advanced Socket
11499 			API as a result.  This is stupid as it breaks how the
11500 			two halves (Basic and Advanced) of the IPv6 Socket API
11501 			were designed to be used but we have to live with it.
11502 			Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
11503 			API. [RT #18388]
11504 
11505 2462.	[doc]		Document -m (enable memory usage debugging)
11506 			option for dig. [RT #18757]
11507 
11508 2461.	[port]		sunos: Change #2363 was not complete. [RT #17513]
11509 
11510 	--- 9.6.0a1 released ---
11511 
11512 2460.	[bug]		Don't call dns_db_getnsec3parameters() on the cache.
11513 			[RT #18697]
11514 
11515 2459.	[contrib]	Import dnssec-zkt to contrib/zkt. [RT #18448]
11516 
11517 2458.	[doc]		ARM: update and correction for max-cache-size.
11518 			[RT #18294]
11519 
11520 2457.	[tuning]	max-cache-size is reverted to 0, the previous
11521 			default.  It should be safe because expired cache
11522 			entries are also purged. [RT #18684]
11523 
11524 2456.	[bug]		In ACLs, ::/0 and 0.0.0.0/0 would both match any
11525 			address, regardless of family.  They now correctly
11526 			distinguish IPv4 from IPv6.  [RT #18559]
11527 
11528 2455.	[bug]		Stop metadata being transferred via axfr/ixfr.
11529 			[RT #18639]
11530 
11531 2454.	[func]		nsupdate: you can now set a default ttl. [RT #18317]
11532 
11533 2453.	[bug]		Remove NULL pointer dereference in dns_journal_print().
11534 			[RT #18316]
11535 
11536 2452.	[func]		Improve bin/test/journalprint. [RT #18316]
11537 
11538 2451.	[port]		solaris: handle runtime linking better. [RT #18356]
11539 
11540 2450.	[doc]		Fix lwresd docbook problem for manual page.
11541 			[RT #18672]
11542 
11543 2449.	[placeholder]
11544 
11545 2448.	[func]		Add NSEC3 support. [RT #15452]
11546 
11547 2447.	[cleanup]	libbind has been split out as a separate product.
11548 
11549 2446.	[func]		Add a new log message about build options on startup.
11550 			A new command-line option '-V' for named is also
11551 			provided to show this information. [RT #18645]
11552 
11553 2445.	[doc]		ARM out-of-date on empty reverse zones (list includes
11554 			RFC1918 address, but these are not yet compiled in).
11555 			[RT #18578]
11556 
11557 2444.	[port]		Linux, FreeBSD, AIX: Turn off path mtu discovery
11558 			(clear DF) for UDP responses and requests.
11559 
11560 2443.	[bug]		win32: UDP connect() would not generate an event,
11561 			and so connected UDP sockets would never clean up.
11562 			Fix this by doing an immediate WSAConnect() rather
11563 			than an io completion port type for UDP.
11564 
11565 2442.	[bug]		A lock could be destroyed twice. [RT #18626]
11566 
11567 2441.	[bug]		isc_radix_insert() could copy radix tree nodes
11568 			incompletely. [RT #18573]
11569 
11570 2440.	[bug]		named-checkconf used an incorrect test to determine
11571 			if an ACL was set to none.
11572 
11573 2439.	[bug]		Potential NULL dereference in dns_acl_isanyornone().
11574 			[RT #18559]
11575 
11576 2438.	[bug]		Timeouts could be logged incorrectly under win32.
11577 
11578 2437.	[bug]		Sockets could be closed too early, leading to
11579 			inconsistent states in the socket module. [RT #18298]
11580 
11581 2436.	[security]	win32: UDP client handler can be shutdown. [RT #18576]
11582 
11583 2435.	[bug]		Fixed an ACL memory leak affecting win32.
11584 
11585 2434.	[bug]		Fixed a minor error-reporting bug in
11586 			lib/isc/win32/socket.c.
11587 
11588 2433.	[tuning]	Set initial timeout to 800ms.
11589 
11590 2432.	[bug]		More Windows socket handling improvements.  Stop
11591 			using I/O events and use IO Completion Ports
11592 			throughout.  Rewrite the receive path logic to make
11593 			it easier to support multiple simultaneous
11594 			requesters in the future.  Add stricter consistency
11595 			checking as a compile-time option (define
11596 			ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).
11597 
11598 2431.	[bug]		Acl processing could leak memory. [RT #18323]
11599 
11600 2430.	[bug]		win32: isc_interval_set() could round down to
11601 			zero if the input was less than NS_INTERVAL
11602 			nanoseconds.  Round up instead. [RT #18549]
11603 
11604 2429.	[doc]		nsupdate should be in section 1 of the man pages.
11605 			[RT #18283]
11606 
11607 2428.	[bug]		dns_iptable_merge() mishandled merges of negative
11608 			tables. [RT #18409]
11609 
11610 2427.	[func]		Treat DNSKEY queries as if "minimal-response yes;"
11611 			was set. [RT #18528]
11612 
11613 2426.	[bug]		libbind: inet_net_pton() can sometimes return the
11614 			wrong value if excessively large net masks are
11615 			supplied. [RT #18512]
11616 
11617 2425.	[bug]		named didn't detect unavailable query source addresses
11618 			at load time. [RT #18536]
11619 
11620 2424.	[port]		configure now probes for a working epoll
11621 			implementation.  Allow the use of kqueue,
11622 			epoll and /dev/poll to be selected at compile
11623 			time. [RT #18277]
11624 
11625 2423.	[security]	Randomize server selection on queries, so as to
11626 			make forgery a little more difficult.  Instead of
11627 			always preferring the server with the lowest RTT,
11628 			pick a server with RTT within the same 128
11629 			millisecond band.  [RT #18441]
11630 
11631 2422.	[bug]		Handle the special return value of a empty node as
11632 			if it was a NXRRSET in the validator. [RT #18447]
11633 
11634 2421.	[func]		Add new command line option '-S' for named to specify
11635 			the max number of sockets. [RT #18493]
11636 			Use caution: this option may not work for some
11637 			operating systems without rebuilding named.
11638 
11639 2420.	[bug]		Windows socket handling cleanup.  Let the io
11640 			completion event send out canceled read/write
11641 			done events, which keeps us from writing to memory
11642 			we no longer have ownership of.  Add debugging
11643 			socket_log() function.  Rework TCP socket handling
11644 			to not leak sockets.
11645 
11646 2419.	[cleanup]	Document that isc_socket_create() and isc_socket_open()
11647 			should not be used for isc_sockettype_fdwatch sockets.
11648 			[RT #18521]
11649 
11650 2418.	[bug]		AXFR request on a DLZ could trigger a REQUIRE failure
11651 			[RT #18430]
11652 
11653 2417.	[bug]		Connecting UDP sockets for outgoing queries could
11654 			unexpectedly fail with an 'address already in use'
11655 			error. [RT #18411]
11656 
11657 2416.	[func]		Log file descriptors that cause exceeding the
11658 			internal maximum. [RT #18460]
11659 
11660 2415.	[bug]		'rndc dumpdb' could trigger various assertion failures
11661 			in rbtdb.c. [RT #18455]
11662 
11663 2414.	[bug]		A masterdump context held the database lock too long,
11664 			causing various troubles such as dead lock and
11665 			recursive lock acquisition. [RT #18311, #18456]
11666 
11667 2413.	[bug]		Fixed an unreachable code path in socket.c. [RT #18442]
11668 
11669 2412.	[bug]		win32: address a resource leak. [RT #18374]
11670 
11671 2411.	[bug]		Allow using a larger number of sockets than FD_SETSIZE
11672 			for select().  To enable this, set ISC_SOCKET_MAXSOCKETS
11673 			at compilation time.  [RT #18433]
11674 
11675 			Note: with changes #2469 and #2421 above, there is no
11676 			need to tweak ISC_SOCKET_MAXSOCKETS at compilation time
11677 			any more.
11678 
11679 2410.	[bug]		Correctly delete m_versionInfo. [RT #18432]
11680 
11681 2409.	[bug]		Only log that we disabled EDNS processing if we were
11682 			subsequently successful.  [RT #18029]
11683 
11684 2408.	[bug]		A duplicate TCP dispatch event could be sent, which
11685 			could then trigger an assertion failure in
11686 			resquery_response().  [RT #18275]
11687 
11688 2407.	[port]		hpux: test for sys/dyntune.h. [RT #18421]
11689 
11690 2406.	[placeholder]
11691 
11692 2405.	[cleanup]	The default value for dnssec-validation was changed to
11693 			"yes" in 9.5.0-P1 and all subsequent releases; this
11694 			was inadvertently omitted from CHANGES at the time.
11695 
11696 2404.	[port]		hpux: files unlimited support.
11697 
11698 2403.	[bug]		TSIG context leak. [RT #18341]
11699 
11700 2402.	[port]		Support Solaris 2.11 and over. [RT #18362]
11701 
11702 2401.	[bug]		Expect to get E[MN]FILE errno internal_accept()
11703 			(from accept() or fcntl() system calls). [RT #18358]
11704 
11705 2400.	[bug]		Log if kqueue()/epoll_create()/open(/dev/poll) fails.
11706 			[RT #18297]
11707 
11708 2399.	[placeholder]
11709 
11710 2398.	[bug]		Improve file descriptor management.  New,
11711 			temporary, named.conf option reserved-sockets,
11712 			default 512. [RT #18344]
11713 
11714 2397.	[bug]		gssapi_functions had too many elements. [RT #18355]
11715 
11716 2396.	[bug]		Don't set SO_REUSEADDR for randomized ports.
11717 			[RT #18336]
11718 
11719 2395.	[port]		Avoid warning and no effect from "files unlimited"
11720 			on Linux when running as root. [RT #18335]
11721 
11722 2394.	[bug]		Default configuration options set the limit for
11723 			open files to 'unlimited' as described in the
11724 			documentation. [RT #18331]
11725 
11726 2393.	[bug]		nested acls containing keys could trigger an
11727 			assertion in acl.c. [RT #18166]
11728 
11729 2392.	[bug]		remove 'grep -q' from acl test script, some platforms
11730 			don't support it. [RT #18253]
11731 
11732 2391.	[port]		hpux: cover additional recvmsg() error codes.
11733 			[RT #18301]
11734 
11735 2390.	[bug]		dispatch.c could make a false warning on 'odd socket'.
11736 			[RT #18301].
11737 
11738 2389.	[bug]		Move the "working directory writable" check to after
11739 			the ns_os_changeuser() call. [RT #18326]
11740 
11741 2388.	[bug]		Avoid using tables for layout purposes in
11742 			statistics XSL [RT #18159].
11743 
11744 2387.	[bug]		Silence compiler warnings in lib/isc/radix.c.
11745 			[RT #18147] [RT #18258]
11746 
11747 2386.	[func]		Add warning about too small 'open files' limit.
11748 			[RT #18269]
11749 
11750 2385.	[bug]		A condition variable in socket.c could leak in
11751 			rare error handling [RT #17968].
11752 
11753 2384.	[security]	Fully randomize UDP query ports to improve
11754 			forgery resilience. [RT #17949, #18098]
11755 
11756 2383.	[bug]		named could double queries when they resulted in
11757 			SERVFAIL due to overkilling EDNS0 failure detection.
11758 			[RT #18182]
11759 
11760 2382.	[doc]		Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
11761 			to ARM.
11762 
11763 2381.	[port]		dlz/mysql: support multiple install layouts for
11764 			mysql.  <prefix>/include/{,mysql/}mysql.h and
11765 			<prefix>/lib/{,mysql/}. [RT #18152]
11766 
11767 2380.	[bug]		dns_view_find() was not returning NXDOMAIN/NXRRSET
11768 			proofs which, in turn, caused validation failures
11769 			for insecure zones immediately below a secure zone
11770 			the server was authoritative for. [RT #18112]
11771 
11772 2379.	[contrib]	queryperf/gen-data-queryperf.py: removed redundant
11773 			TLDs and supported RRs with TTLs [RT #17972]
11774 
11775 2378.	[bug]		gssapi_functions{} had a redundant member in BIND 9.5.
11776 			[RT #18169]
11777 
11778 2377.	[bug]		Address race condition in dnssec-signzone. [RT #18142]
11779 
11780 2376.	[bug]		Change #2144 was not complete.
11781 
11782 2375.	[placeholder]
11783 
11784 2374.	[bug]		"blackhole" ACLs could cause named to segfault due
11785 			to some uninitialized memory. [RT #18095]
11786 
11787 2373.	[bug]		Default values of zone ACLs were re-parsed each time a
11788 			new zone was configured, causing an overconsumption
11789 			of memory. [RT #18092]
11790 
11791 2372.	[bug]		Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]
11792 
11793 2371.	[doc]		Add +nsid option to dig man page. [RT #18039]
11794 
11795 2370.	[bug]		"rndc freeze" could trigger an assertion in named
11796 			when called on a nonexistent zone. [RT #18050]
11797 
11798 2369.	[bug]		libbind: Array bounds overrun on read in bitncmp().
11799 			[RT #18054]
11800 
11801 2368.	[port]		Linux: use libcap for capability management if
11802 			possible. [RT #18026]
11803 
11804 2367.	[bug]		Improve counting of dns_resstatscounter_retry
11805 			[RT #18030]
11806 
11807 2366.	[bug]		Adb shutdown race. [RT #18021]
11808 
11809 2365.	[bug]		Fix a bug that caused dns_acl_isany() to return
11810 			spurious results. [RT #18000]
11811 
11812 2364.	[bug]		named could trigger a assertion when serving a
11813 			malformed signed zone. [RT #17828]
11814 
11815 2363.	[port]		sunos: pre-set "lt_cv_sys_max_cmd_len=4096;".
11816 			[RT #17513]
11817 
11818 2362.	[cleanup]	Make "rrset-order fixed" a compile-time option.
11819 			settable by "./configure --enable-fixed-rrset".
11820 			Disabled by default. [RT #17977]
11821 
11822 2361.	[bug]		"recursion" statistics counter could be counted
11823 			multiple times for a single query.  [RT #17990]
11824 
11825 2360.	[bug]		Fix a condition where we release a database version
11826 			(which may acquire a lock) while holding the lock.
11827 
11828 2359.	[bug]		Fix NSID bug. [RT #17942]
11829 
11830 2358.	[doc]		Update host's default query description. [RT #17934]
11831 
11832 2357.	[port]		Don't use OpenSSL's engine support in versions before
11833 			OpenSSL 0.9.7f. [RT #17922]
11834 
11835 2356.	[bug]		Built in mutex profiler was not scalable enough.
11836 			[RT #17436]
11837 
11838 2355.	[func]		Extend the number statistics counters available.
11839 			[RT #17590]
11840 
11841 2354.	[bug]		Failed to initialize some rdatasetheader_t elements.
11842 			[RT #17927]
11843 
11844 2353.	[func]		Add support for Name Server ID (RFC 5001).
11845 			'dig +nsid' requests NSID from server.
11846 			'request-nsid yes;' causes recursive server to send
11847 			NSID requests to upstream servers.  Server responds
11848 			to NSID requests with the string configured by
11849 			'server-id' option.  [RT #17091]
11850 
11851 2352.	[bug]		Various GSS_API fixups. [RT #17729]
11852 
11853 2351.	[bug]		convertxsl.pl generated very long lines. [RT #17906]
11854 
11855 2350.	[port]		win32: IPv6 support. [RT #17797]
11856 
11857 2349.	[func]		Provide incremental re-signing support for secure
11858 			dynamic zones. [RT #1091]
11859 
11860 2348.	[func]		Use the EVP interface to OpenSSL. Add PKCS#11 support.
11861 			Documentation is in the new README.pkcs11 file.
11862 			New tool, dnssec-keyfromlabel, which takes the
11863 			label of a key pair in a HSM and constructs a DNS
11864 			key pair for use by named and dnssec-signzone.
11865 			[RT #16844]
11866 
11867 2347.	[bug]		Delete now traverses the RB tree in the canonical
11868 			order. [RT #17451]
11869 
11870 2346.	[func]		Memory statistics now cover all active memory contexts
11871 			in increased detail. [RT #17580]
11872 
11873 2345.	[bug]		named-checkconf failed to detect when forwarders
11874 			were set at both the options/view level and in
11875 			a root zone. [RT #17671]
11876 
11877 2344.	[bug]		Improve "logging{ file ...; };" documentation.
11878 			[RT #17888]
11879 
11880 2343.	[bug]		(Seemingly) duplicate IPv6 entries could be
11881 			created in ADB. [RT #17837]
11882 
11883 2342.	[func]		Use getifaddrs() if available under Linux. [RT #17224]
11884 
11885 2341.	[bug]		libbind: add missing -I../include for off source
11886 			tree builds. [RT #17606]
11887 
11888 2340.	[port]		openbsd: interface configuration. [RT #17700]
11889 
11890 2339.	[port]		tru64: support for libbind. [RT #17589]
11891 
11892 2338.	[bug]		check_ds() could be called with a non DS rdataset.
11893 			[RT #17598]
11894 
11895 2337.	[bug]		BUILD_LDFLAGS was not being correctly set.  [RT #17614]
11896 
11897 2336.	[func]		If "named -6" is specified then listen on all IPv6
11898 			interfaces if there are not listen-on-v6 clauses in
11899 			named.conf.  [RT #17581]
11900 
11901 2335.	[port]		sunos:  libbind and *printf() support for long long.
11902 			[RT #17513]
11903 
11904 2334.	[bug]		Bad REQUIRES in fromstruct_in_naptr(),  off by one
11905 			bug in fromstruct_txt(). [RT #17609]
11906 
11907 2333.	[bug]		Fix off by one error in isc_time_nowplusinterval().
11908 			[RT #17608]
11909 
11910 2332.	[contrib]	query-loc-0.4.0. [RT #17602]
11911 
11912 2331.	[bug]		Failure to regenerate any signatures was not being
11913 			reported nor being past back to the UPDATE client.
11914 			[RT #17570]
11915 
11916 2330.	[bug]		Remove potential race condition when handling
11917 			over memory events. [RT #17572]
11918 
11919 			WARNING: API CHANGE: over memory callback
11920 			function now needs to call isc_mem_waterack().
11921 			See <isc/mem.h> for details.
11922 
11923 2329.	[bug]		Clearer help text for dig's '-x' and '-i' options.
11924 
11925 2328.	[maint]		Add AAAA addresses for A.ROOT-SERVERS.NET,
11926 			F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET,
11927 			J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
11928 			M.ROOT-SERVERS.NET.
11929 
11930 2327.	[bug]		It was possible to dereference a NULL pointer in
11931 			rbtdb.c.  Implement dead node processing in zones as
11932 			we do for caches. [RT #17312]
11933 
11934 2326.	[bug]		It was possible to trigger a INSIST in the acache
11935 			processing.
11936 
11937 2325.	[port]		Linux: use capset() function if available. [RT #17557]
11938 
11939 2324.	[bug]		Fix IPv6 matching against "any;". [RT #17533]
11940 
11941 2323.	[port]		tru64: namespace clash. [RT #17547]
11942 
11943 2322.	[port]		MacOS: work around the limitation of setrlimit()
11944 			for RLIMIT_NOFILE. [RT #17526]
11945 
11946 2321.	[placeholder]
11947 
11948 2320.	[func]		Make statistics counters thread-safe for platforms
11949 			that support certain atomic operations. [RT #17466]
11950 
11951 2319.	[bug]		Silence Coverity warnings in
11952 			lib/dns/rdata/in_1/apl_42.c. [RT #17469]
11953 
11954 2318.	[port]		sunos fixes for libbind.  [RT #17514]
11955 
11956 2317.	[bug]		"make distclean" removed bind9.xsl.h. [RT #17518]
11957 
11958 2316.	[port]		Missing #include <isc/print.h> in lib/dns/gssapictx.c.
11959 			[RT #17513]
11960 
11961 2315.	[bug]		Used incorrect address family for mapped IPv4
11962 			addresses in acl.c. [RT #17519]
11963 
11964 2314.	[bug]		Uninitialized memory use on error path in
11965 			bin/named/lwdnoop.c.  [RT #17476]
11966 
11967 2313.	[cleanup]	Silence Coverity warnings. Handle private stacks.
11968 			[RT #17447] [RT #17478]
11969 
11970 2312.	[cleanup]	Silence Coverity warning in lib/isc/unix/socket.c.
11971 			[RT #17458]
11972 
11973 2311.	[bug]		IPv6 addresses could match IPv4 ACL entries and
11974 			vice versa. [RT #17462]
11975 
11976 2310.	[bug]		dig, host, nslookup: flush stdout before emitting
11977 			debug/fatal messages.  [RT #17501]
11978 
11979 2309.	[cleanup]	Fix Coverity warnings in lib/dns/acl.c and iptable.c.
11980 			[RT #17455]
11981 
11982 2308.	[cleanup]	Silence Coverity warning in bin/named/controlconf.c.
11983 			[RT #17495]
11984 
11985 2307.	[bug]		Remove infinite loop from lib/dns/sdb.c. [RT #17496]
11986 
11987 2306.	[bug]		Remove potential race from lib/dns/resolver.c.
11988 			[RT #17470]
11989 
11990 2305.	[security]	inet_network() buffer overflow. CVE-2008-0122.
11991 
11992 2304.	[bug]		Check returns from all dns_rdata_tostruct() calls.
11993 			[RT #17460]
11994 
11995 2303.	[bug]		Remove unnecessary code from bin/named/lwdgnba.c.
11996 			[RT #17471]
11997 
11998 2302.	[bug]		Fix memset() calls in lib/tests/t_api.c. [RT #17472]
11999 
12000 2301.	[bug]		Remove resource leak and fix error messages in
12001 			bin/tests/system/lwresd/lwtest.c. [RT #17474]
12002 
12003 2300.	[bug]		Fixed failure to close open file in
12004 			bin/tests/names/t_names.c. [RT #17473]
12005 
12006 2299.	[bug]		Remove unnecessary NULL check in
12007 			bin/nsupdate/nsupdate.c. [RT #17475]
12008 
12009 2298.	[bug]		isc_mutex_lock() failure not caught in
12010 			bin/tests/timers/t_timers.c. [RT #17468]
12011 
12012 2297.	[bug]		isc_entropy_createfilesource() failure not caught in
12013 			bin/tests/dst/t_dst.c. [RT #17467]
12014 
12015 2296.	[port]		Allow docbook stylesheet location to be specified to
12016 			configure. [RT #17457]
12017 
12018 2295.	[bug]		Silence static overrun error in bin/named/lwaddr.c.
12019 			[RT #17459]
12020 
12021 2294.	[func]		Allow the experimental statistics channels to have
12022 			multiple connections and ACL.
12023 			Note: the stats-server and stats-server-v6 options
12024 			available in the previous beta releases are replaced
12025 			with the generic statistics-channels statement.
12026 
12027 2293.	[func]		Add ACL regression test. [RT #17375]
12028 
12029 2292.	[bug]		Log if the working directory is not writable.
12030 			[RT #17312]
12031 
12032 2291.	[bug]		PR_SET_DUMPABLE may be set too late.  Also report
12033 			failure to set PR_SET_DUMPABLE. [RT #17312]
12034 
12035 2290.	[bug]		Let AD in the query signal that the client wants AD
12036 			set in the response. [RT #17301]
12037 
12038 2289.	[func]		named-checkzone now reports the out-of-zone CNAME
12039 			found. [RT #17309]
12040 
12041 2288.	[port]		win32: mark service as running when we have finished
12042 			loading.  [RT #17441]
12043 
12044 2287.	[bug]		Use 'volatile' if the compiler supports it. [RT #17413]
12045 
12046 2286.	[func]		Allow a TCP connection to be used as a weak
12047 			authentication method for reverse zones.
12048 			New update-policy methods tcp-self and 6to4-self.
12049 			[RT #17378]
12050 
12051 2285.	[func]		Test framework for client memory context management.
12052 			[RT #17377]
12053 
12054 2284.	[bug]		Memory leak in UPDATE prerequisite processing.
12055 			[RT #17377]
12056 
12057 2283.	[bug]		TSIG keys were not attaching to the memory
12058 			context.  TSIG keys should use the rings
12059 			memory context rather than the clients memory
12060 			context. [RT #17377]
12061 
12062 2282.	[bug]		Acl code fixups. [RT #17346] [RT #17374]
12063 
12064 2281.	[bug]		Attempts to use undefined acls were not being logged.
12065 			[RT #17307]
12066 
12067 2280.	[func]		Allow the experimental http server to be reached
12068 			over IPv6 as well as IPv4. [RT #17332]
12069 
12070 2279.	[bug]		Use setsockopt(SO_NOSIGPIPE), when available,
12071 			to protect applications from receiving spurious
12072 			SIGPIPE signals when using the resolver.
12073 
12074 2278.	[bug]		win32: handle the case where Windows returns no
12075 			search list or DNS suffix. [RT #17354]
12076 
12077 2277.	[bug]		Empty zone names were not correctly being caught at
12078 			in the post parse checks. [RT #17357]
12079 
12080 2276.	[bug]		Install <dst/gssapi.h>.  [RT #17359]
12081 
12082 2275.	[func]		Add support to dig to perform IXFR queries over UDP.
12083 			[RT #17235]
12084 
12085 2274.	[func]		Log zone transfer statistics. [RT #17336]
12086 
12087 2273.	[bug]		Adjust log level to WARNING when saving inconsistent
12088 			stub/slave master and journal files. [RT #17279]
12089 
12090 2272.	[bug]		Handle illegal dnssec-lookaside trust-anchor names.
12091 			[RT #17262]
12092 
12093 2271.	[bug]		Fix a memory leak in http server code [RT #17100]
12094 
12095 2270.	[bug]		dns_db_closeversion() version->writer could be reset
12096 			before it is tested. [RT #17290]
12097 
12098 2269.	[contrib]	dbus memory leaks and missing va_end calls. [RT #17232]
12099 
12100 2268.	[bug]		0.IN-ADDR.ARPA was missing from the empty zones
12101 			list.
12102 
12103 	--- 9.5.0b1 released ---
12104 
12105 2267.	[bug]		Radix tree node_num value could be set incorrectly,
12106 			causing positive ACL matches to look like negative
12107 			ones.  [RT #17311]
12108 
12109 2266.	[bug]		client.c:get_clientmctx() returned the same mctx
12110 			once the pool of mctx's was filled. [RT #17218]
12111 
12112 2265.	[bug]		Test that the memory context's basic_table is non NULL
12113 			before freeing.  [RT #17265]
12114 
12115 2264.	[bug]		Server prefix length was being ignored. [RT #17308]
12116 
12117 2263.	[bug]		"named-checkconf -z" failed to set default value
12118 			for "check-integrity".  [RT #17306]
12119 
12120 2262.	[bug]		Error status from all but the last view could be
12121 			lost. [RT #17292]
12122 
12123 2261.	[bug]		Fix memory leak with "any" and "none" ACLs [RT #17272]
12124 
12125 2260.	[bug]		Reported wrong clients-per-query when increasing the
12126 			value. [RT #17236]
12127 
12128 2259.	[placeholder]
12129 
12130 	--- 9.5.0a7 released ---
12131 
12132 2258.	[bug]		Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken.
12133 			[RT #17241]
12134 
12135 2257.	[bug]		win32: Use the full path to vcredist_x86.exe when
12136 			calling it. [RT #17222]
12137 
12138 2256.	[bug]		win32: Correctly register the installation location of
12139 			bindevt.dll. [RT #17159]
12140 
12141 2255.	[maint]		L.ROOT-SERVERS.NET is now 199.7.83.42.
12142 
12143 2254.	[bug]		timer.c:dispatch() failed to lock timer->lock
12144 			when reading timer->idle allowing it to see
12145 			intermediate values as timer->idle was reset by
12146 			isc_timer_touch(). [RT #17243]
12147 
12148 2253.	[func]		"max-cache-size" defaults to 32M.
12149 			"max-acache-size" defaults to 16M.
12150 
12151 2252.	[bug]		Fixed errors in sortlist code [RT #17216]
12152 
12153 2251.	[placeholder]
12154 
12155 2250.	[func]		New flag 'memstatistics' to state whether the
12156 			memory statistics file should be written or not.
12157 			Additionally named's -m option will cause the
12158 			statistics file to be written. [RT #17113]
12159 
12160 2249.	[bug]		Only set Authentic Data bit if client requested
12161 			DNSSEC, per RFC 3655 [RT #17175]
12162 
12163 2248.	[cleanup]	Fix several errors reported by Coverity. [RT #17160]
12164 
12165 2247.	[doc]		Sort doc/misc/options. [RT #17067]
12166 
12167 2246.	[bug]		Make the startup of test servers (ans.pl) more
12168 			robust. [RT #17147]
12169 
12170 2245.	[bug]		Validating lack of DS records at trust anchors wasn't
12171 			working. [RT #17151]
12172 
12173 2244.	[func]		Allow the check of nameserver names against the
12174 			SOA MNAME field to be disabled by specifying
12175 			'notify-to-soa yes;'.  [RT #17073]
12176 
12177 2243.	[func]		Configuration files without a newline at the end now
12178 			parse without error. [RT #17120]
12179 
12180 2242.	[bug]		nsupdate: GSS-TSIG support using the Heimdal Kerberos
12181 			library could require a source of random data.
12182 			[RT #17127]
12183 
12184 2241.	[func]		nsupdate: add a interactive 'help' command. [RT #17099]
12185 
12186 2240.	[bug]		Cleanup nsupdates GSS-TSIG support.  Convert
12187 			a number of INSIST()s into plain fatal() errors
12188 			which report the triggering result code.
12189 			The 'key' command wasn't disabling GSS-TSIG.
12190 			[RT #17099]
12191 
12192 2239.	[func]		Ship a pre built bin/named/bind9.xsl.h. [RT #17114]
12193 
12194 2238.	[bug]		It was possible to trigger a REQUIRE when a
12195 			validation was canceled. [RT #17106]
12196 
12197 2237.	[bug]		libbind: res_init() was not thread aware. [RT #17123]
12198 
12199 2236.	[bug]		dnssec-signzone failed to preserve the case of
12200 			of wildcard owner names. [RT #17085]
12201 
12202 2235.	[bug]		<isc/atomic.h> was not being installed. [RT #17135]
12203 
12204 2234.	[port]		Correct some compiler warnings on SCO OSr5 [RT #17134]
12205 
12206 2233.	[func]		Add support for O(1) ACL processing, based on
12207 			radix tree code originally written by Kevin
12208 			Brintnall. [RT #16288]
12209 
12210 2232.	[bug]		dns_adb_findaddrinfo() could fail and return
12211 			ISC_R_SUCCESS. [RT #17137]
12212 
12213 2231.	[bug]		Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken.
12214 			[RT #17088]
12215 
12216 2230.	[bug]		We could INSIST reading a corrupted journal.
12217 			[RT #17132]
12218 
12219 2229.	[bug]		Null pointer dereference on query pool creation
12220 			failure. [RT #17133]
12221 
12222 2228.	[contrib]	contrib: Change 2188 was incomplete.
12223 
12224 2227.	[cleanup]	Tidied up the FAQ. [RT #17121]
12225 
12226 2226.	[placeholder]
12227 
12228 2225.	[bug]		More support for systems with no IPv4 addresses.
12229 			[RT #17111]
12230 
12231 2224.	[bug]		Defer journal compaction if a xfrin is in progress.
12232 			[RT #17119]
12233 
12234 2223.	[bug]		Make a new journal when compacting. [RT #17119]
12235 
12236 2222.	[func]		named-checkconf now checks server key references.
12237 			[RT #17097]
12238 
12239 2221.	[bug]		Set the event result code to reflect the actual
12240 			record turned to caller when a cache update is
12241 			rejected due to a more credible answer existing.
12242 			[RT #17017]
12243 
12244 2220.	[bug]		win32: Address a race condition in final shutdown of
12245 			the Windows socket code. [RT #17028]
12246 
12247 2219.	[bug]		Apply zone consistency checks to additions, not
12248 			removals, when updating. [RT #17049]
12249 
12250 2218.	[bug]		Remove unnecessary REQUIRE from dns_validator_create().
12251 			[RT #16976]
12252 
12253 2217.	[func]		Adjust update log levels. [RT #17092]
12254 
12255 2216.	[cleanup]	Fix a number of errors reported by Coverity.
12256 			[RT #17094]
12257 
12258 2215.	[bug]		Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094]
12259 
12260 2214.	[bug]		Deregister OpenSSL lock callback when cleaning
12261 			up.  Reorder OpenSSL cleanup so that RAND_cleanup()
12262 			is called before the locks are destroyed. [RT #17098]
12263 
12264 2213.	[bug]		SIG0 diagnostic failure messages were looking at the
12265 			wrong status code. [RT #17101]
12266 
12267 2212.	[func]		'host -m' now causes memory statistics and active
12268 			memory to be printed at exit. [RT 17028]
12269 
12270 2211.	[func]		Update "dynamic update temporarily disabled" message.
12271 			[RT #17065]
12272 
12273 2210.	[bug]		Deleting class specific records via UPDATE could
12274 			fail.  [RT #17074]
12275 
12276 2209.	[port]		osx: linking against user supplied static OpenSSL
12277 			libraries failed as the system ones were still being
12278 			found. [RT #17078]
12279 
12280 2208.	[port]		win32: make sure both build methods produce the
12281 			same output. [RT #17058]
12282 
12283 2207.	[port]		Some implementations of getaddrinfo() fail to set
12284 			ai_canonname correctly. [RT #17061]
12285 
12286 	--- 9.5.0a6 released ---
12287 
12288 2206.	[security]	"allow-query-cache" and "allow-recursion" now
12289 			cross inherit from each other.
12290 
12291 			If allow-query-cache is not set in named.conf then
12292 			allow-recursion is used if set, otherwise allow-query
12293 			is used if set, otherwise the default (localnets;
12294 			localhost;) is used.
12295 
12296 			If allow-recursion is not set in named.conf then
12297 			allow-query-cache is used if set, otherwise allow-query
12298 			is used if set, otherwise the default (localnets;
12299 			localhost;) is used.
12300 
12301 			[RT #16987]
12302 
12303 2205.	[bug]		libbind: change #2119 broke thread support. [RT #16982]
12304 
12305 2204.	[bug]		"rndc flushname name unknown-view" caused named
12306 			to crash. [RT #16984]
12307 
12308 2203.	[security]	Query id generation was cryptographically weak.
12309 			[RT # 16915]
12310 
12311 2202.	[security]	The default acls for allow-query-cache and
12312 			allow-recursion were not being applied. [RT #16960]
12313 
12314 2201.	[bug]		The build failed in a separate object directory.
12315 			[RT #16943]
12316 
12317 2200.	[bug]		The search for cached NSEC records was stopping to
12318 			early leading to excessive DLV queries. [RT #16930]
12319 
12320 2199.	[bug]		win32: don't call WSAStartup() while loading dlls.
12321 			[RT #16911]
12322 
12323 2198.	[bug]		win32: RegCloseKey() could be called when
12324 			RegOpenKeyEx() failed. [RT #16911]
12325 
12326 2197.	[bug]		Add INSIST to catch negative responses which are
12327 			not setting the event result code appropriately.
12328 			[RT #16909]
12329 
12330 2196.	[port]		win32: yield processor while waiting for once to
12331 			to complete. [RT #16958]
12332 
12333 2195.	[func]		dnssec-keygen now defaults to nametype "ZONE"
12334 			when generating DNSKEYs. [RT #16954]
12335 
12336 2194.	[bug]		Close journal before calling 'done' in xfrin.c.
12337 
12338 	--- 9.5.0a5 released ---
12339 
12340 2193.	[port]		win32: BINDInstall.exe is now linked statically.
12341 			[RT #16906]
12342 
12343 2192.	[port]		win32: use vcredist_x86.exe to install Visual
12344 			Studio's redistributable dlls if building with
12345 			Visual Stdio 2005 or later.
12346 
12347 2191.	[func]		named-checkzone now allows dumping to stdout (-).
12348 			named-checkconf now has -h for help.
12349 			named-checkzone now has -h for help.
12350 			rndc now has -h for help.
12351 			Better handling of '-?' for usage summaries.
12352 			[RT #16707]
12353 
12354 2190.	[func]		Make fallback to plain DNS from EDNS due to timeouts
12355 			more visible.  New logging category "edns-disabled".
12356 			[RT #16871]
12357 
12358 2189.	[bug]		Handle socket() returning EINTR. [RT #15949]
12359 
12360 2188.	[contrib]	queryperf: autoconf changes to make the search for
12361 			libresolv or libbind more robust. [RT #16299]
12362 
12363 2187.	[bug]		query_addds(), query_addwildcardproof() and
12364 			query_addnxrrsetnsec() should take a version
12365 			argument. [RT #16368]
12366 
12367 2186.	[port]		cygwin: libbind: check for struct sockaddr_storage
12368 			independently of IPv6. [RT #16482]
12369 
12370 2185.	[port]		sunos: libbind: check for ssize_t, memmove() and
12371 			memchr(). [RT #16463]
12372 
12373 2184.	[bug]		bind9.xsl.h didn't build out of the source tree.
12374 			[RT #16830]
12375 
12376 2183.	[bug]		dnssec-signzone didn't handle offline private keys
12377 			well.  [RT #16832]
12378 
12379 2182.	[bug]		dns_dispatch_createtcp() and dispatch_createudp()
12380 			could return ISC_R_SUCCESS when they ran out of
12381 			memory. [RT #16365]
12382 
12383 2181.	[port]		sunos: libbind: add paths.h from BIND 8. [RT #16462]
12384 
12385 2180.	[cleanup]	Remove bit test from 'compress_test' as they
12386 			are no longer needed. [RT #16497]
12387 
12388 2179.	[func]		'rndc command zone' will now find 'zone' if it is
12389 			unique to all the views. [RT #16821]
12390 
12391 2178.	[bug]		'rndc reload' of a slave or stub zone resulted in
12392 			a reference leak. [RT #16867]
12393 
12394 2177.	[bug]		Array bounds overrun on read (rcodetext) at
12395 			debug level 10+. [RT #16798]
12396 
12397 2176.	[contrib]	dbus update to handle race condition during
12398 			initialization (Bugzilla 235809). [RT #16842]
12399 
12400 2175.	[bug]		win32: windows broadcast condition variable support
12401 			was broken. [RT #16592]
12402 
12403 2174.	[bug]		I/O errors should always be fatal when reading
12404 			master files. [RT #16825]
12405 
12406 2173.	[port]		win32: When compiling with MSVS 2005 SP1 we also
12407 			need to ship Microsoft.VC80.MFCLOC.
12408 
12409 	--- 9.5.0a4 released ---
12410 
12411 2172.	[bug]		query_addsoa() was being called with a non zone db.
12412 			[RT #16834]
12413 
12414 2171.	[bug]		Handle breaks in DNSSEC trust chains where the parent
12415 			servers are not DS aware (DS queries to the parent
12416 			return a referral to the child).
12417 
12418 2170.	[func]		Add acache processing to test suite. [RT #16711]
12419 
12420 2169.	[bug]		host, nslookup: when reporting NXDOMAIN report the
12421 			given name and not the last name searched for.
12422 			[RT #16763]
12423 
12424 2168.	[bug]		nsupdate: in non-interactive mode treat syntax errors
12425 			as fatal errors. [RT #16785]
12426 
12427 2167.	[bug]		When re-using a automatic zone named failed to
12428 			attach it to the new view. [RT #16786]
12429 
12430 	--- 9.5.0a3 released ---
12431 
12432 2166.	[bug]		When running in batch mode, dig could misinterpret
12433 			a server address as a name to be looked up, causing
12434 			unexpected output. [RT #16743]
12435 
12436 2165.	[func]		Allow the destination address of a query to determine
12437 			if we will answer the query or recurse.
12438 			allow-query-on, allow-recursion-on and
12439 			allow-query-cache-on. [RT #16291]
12440 
12441 2164.	[bug]		The code to determine how named-checkzone /
12442 			named-compilezone was called failed under windows.
12443 			[RT #16764]
12444 
12445 2163.	[bug]		If only one of query-source and query-source-v6
12446 			specified a port the query pools code broke (change
12447 			2129).  [RT #16768]
12448 
12449 2162.	[func]		Allow "rrset-order fixed" to be disabled at compile
12450 			time. [RT #16665]
12451 
12452 2161.	[bug]		Fix which log messages are emitted for 'rndc flush'.
12453 			[RT #16698]
12454 
12455 2160.	[bug]		libisc wasn't handling NULL ifa_addr pointers returned
12456 			from getifaddrs(). [RT #16708]
12457 
12458 	--- 9.5.0a2 released ---
12459 
12460 2159.	[bug]		Array bounds overrun in acache processing. [RT #16710]
12461 
12462 2158.	[bug]		ns_client_isself() failed to initialize key
12463 			leading to a REQUIRE failure. [RT #16688]
12464 
12465 2157.	[func]		dns_db_transfernode() created. [RT #16685]
12466 
12467 2156.	[bug]		Fix node reference leaks in lookup.c:lookup_find(),
12468 			resolver.c:validated() and resolver.c:cache_name().
12469 			Fix a memory leak in rbtdb.c:free_noqname().
12470 			Make lookup.c:lookup_find() robust against
12471 			event leaks. [RT #16685]
12472 
12473 2155.	[contrib]	SQLite sdb module from jaboydjr@netwalk.com.
12474 			[RT #16694]
12475 
12476 2154.	[func]		Scoped (e.g. IPv6 link-local) addresses may now be
12477 			matched in acls by omitting the scope. [RT #16599]
12478 
12479 2153.	[bug]		nsupdate could leak memory. [RT #16691]
12480 
12481 2152.	[cleanup]	Use sizeof(buf) instead of fixed number in
12482 			dighost.c:get_trusted_key(). [RT #16678]
12483 
12484 2151.	[bug]		Missing newline in usage message for journalprint.
12485 			[RT #16679]
12486 
12487 2150.	[bug]		'rrset-order cyclic' uniformly distribute the
12488 			starting point for the first response for a given
12489 			RRset. [RT #16655]
12490 
12491 2149.	[bug]		isc_mem_checkdestroyed() failed to abort on
12492 			if there were still active memory contexts.
12493 			[RT #16672]
12494 
12495 2148.	[func]		Add positive logging for rndc commands. [RT #14623]
12496 
12497 2147.	[bug]		libbind: remove potential buffer overflow from
12498 			hmac_link.c. [RT #16437]
12499 
12500 2146.	[cleanup]	Silence Linux's spurious "obsolete setsockopt
12501 			SO_BSDCOMPAT" message. [RT #16641]
12502 
12503 2145.	[bug]		Check DS/DLV digest lengths for known digests.
12504 			[RT #16622]
12505 
12506 2144.	[cleanup]	Suppress logging of SERVFAIL from forwarders.
12507 			[RT #16619]
12508 
12509 2143.	[bug]		We failed to restart the IPv6 client when the
12510 			kernel failed to return the destination the
12511 			packet was sent to. [RT #16613]
12512 
12513 2142.	[bug]		Handle master files with a modification time that
12514 			matches the epoch. [RT #16612]
12515 
12516 2141.	[bug]		dig/host should not be setting IDN_ASCCHECK (IDN
12517 			equivalent of LDH checks).  [RT #16609]
12518 
12519 2140.	[bug]		libbind: missing unlock on pthread_key_create()
12520 			failures. [RT #16654]
12521 
12522 2139.	[bug]		dns_view_find() was being called with wrong type
12523 			in adb.c. [RT #16670]
12524 
12525 2138.	[bug]		Lock order reversal in resolver.c. [RT #16653]
12526 
12527 2137.	[port]		Mips little endian and/or mips 64 bit are now
12528 			supported for atomic operations. [RT #16648]
12529 
12530 2136.	[bug]		nslookup/host looped if there was no search list
12531 			and the host didn't exist. [RT #16657]
12532 
12533 2135.	[bug]		Uninitialized rdataset in sdlz.c. [RT #16656]
12534 
12535 2134.	[func]		Additional statistics support. [RT #16666]
12536 
12537 2133.	[port]		powerpc:  Support both IBM and MacOS Power PC
12538 			assembler syntaxes. [RT #16647]
12539 
12540 2132.	[bug]		Missing unlock on out of memory in
12541 			dns_dispatchmgr_setudp().
12542 
12543 2131.	[contrib]	dlz/mysql: AXFR was broken. [RT #16630]
12544 
12545 2130.	[func]		Log if CD or DO were set. [RT #16640]
12546 
12547 2129.	[func]		Provide a pool of UDP sockets for queries to be
12548 			made over. See use-queryport-pool, queryport-pool-ports
12549 			and queryport-pool-updateinterval.  [RT #16415]
12550 
12551 2128.	[doc]		xsltproc --nonet, update DTD versions.  [RT #16635]
12552 
12553 2127.	[port]		Improved OpenSSL 0.9.8 support. [RT #16563]
12554 
12555 2126.	[security]	Serialize validation of type ANY responses. [RT #16555]
12556 
12557 2125.	[bug]		dns_zone_getzeronosoattl() REQUIRE failure if DLZ
12558 			was defined. [RT #16574]
12559 
12560 2124.	[security]	It was possible to dereference a freed fetch
12561 			context. [RT #16584]
12562 
12563 	--- 9.5.0a1 released ---
12564 
12565 2123.	[func]		Use Doxygen to generate internal documentation.
12566 			[RT #11398]
12567 
12568 2122.	[func]		Experimental http server and statistics support
12569 			for named via xml.
12570 
12571 2121.	[func]		Add a 10 slot dead masters cache (LRU) with a 600
12572 			second timeout. [RT #16553]
12573 
12574 2120.	[doc]		Fix markup on nsupdate man page. [RT #16556]
12575 
12576 2119.	[compat]	libbind: allow res_init() to succeed enough to
12577 			return the default domain even if it was unable
12578 			to allocate memory.
12579 
12580 2118.	[bug]		Handle response with long chains of domain name
12581 			compression pointers which point to other compression
12582 			pointers. [RT #16427]
12583 
12584 2117.	[bug]		DNSSEC fixes: named could fail to cache NSEC records
12585 			which could lead to validation failures.  named didn't
12586 			handle negative DS responses that were in the process
12587 			of being validated.  Check CNAME bit before accepting
12588 			NODATA proof. To be able to ignore a child NSEC there
12589 			must be SOA (and NS) set in the bitmap. [RT #16399]
12590 
12591 2116.	[bug]		'rndc reload' could cause the cache to continually
12592 			be cleaned. [RT #16401]
12593 
12594 2115.	[bug]		'rndc reconfig' could trigger a INSIST if the
12595 			number of masters for a zone was reduced. [RT #16444]
12596 
12597 2114.	[bug]		dig/host/nslookup: searches for names with multiple
12598 			labels were failing. [RT #16447]
12599 
12600 2113.	[bug]		nsupdate: if a zone is specified it should be used
12601 			for server discover. [RT #16455]
12602 
12603 2112.	[security]	Warn if weak RSA exponent is used. [RT #16460]
12604 
12605 2111.	[bug]		Fix a number of errors reported by Coverity.
12606 			[RT #16507]
12607 
12608 2110.	[bug]		"minimal-responses yes;" interacted badly with BIND 8
12609 			priming queries. [RT #16491]
12610 
12611 2109.	[port]		libbind: silence aix 5.3 compiler warnings. [RT #16502]
12612 
12613 2108.	[func]		DHCID support. [RT #16456]
12614 
12615 2107.	[bug]		dighost.c: more cleanup of buffers. [RT #16499]
12616 
12617 2106.	[func]		'rndc status' now reports named's version. [RT #16426]
12618 
12619 2105.	[func]		GSS-TSIG support (RFC 3645).
12620 
12621 2104.	[port]		Fix Solaris SMF error message.
12622 
12623 2103.	[port]		Add /usr/sfw to list of locations for OpenSSL
12624 			under Solaris.
12625 
12626 2102.	[port]		Silence Solaris 10 warnings.
12627 
12628 2101.	[bug]		OpenSSL version checks were not quite right.
12629 			[RT #16476]
12630 
12631 2100.	[port]		win32: copy libeay32.dll to Build\Debug.
12632 			Copy Debug\named-checkzone to Debug\named-compilezone.
12633 
12634 2099.	[port]		win32: more manifest issues.
12635 
12636 2098.	[bug]		Race in rbtdb.c:no_references(), which occasionally
12637 			triggered an INSIST failure about the node lock
12638 			reference.  [RT #16411]
12639 
12640 2097.	[bug]		named could reference a destroyed memory context
12641 			after being reloaded / reconfigured. [RT #16428]
12642 
12643 2096.	[bug]		libbind: handle applications that fail to detect
12644 			res_init() failures better.
12645 
12646 2095.	[port]		libbind: always prototype inet_cidr_ntop_ipv6() and
12647 			net_cidr_ntop_ipv6(). [RT #16388]
12648 
12649 2094.	[contrib]	Update named-bootconf.  [RT #16404]
12650 
12651 2093.	[bug]		named-checkzone -s was broken.
12652 
12653 2092.	[bug]		win32: dig, host, nslookup.  Use registry config
12654 			if resolv.conf does not exist or no nameservers
12655 			listed. [RT #15877]
12656 
12657 2091.	[port]		dighost.c: race condition on cleanup. [RT #16417]
12658 
12659 2090.	[port]		win32: Visual C++ 2005 command line manifest support.
12660 			[RT #16417]
12661 
12662 2089.	[security]	Raise the minimum safe OpenSSL versions to
12663 			OpenSSL 0.9.7l and OpenSSL 0.9.8d.  Versions
12664 			prior to these have known security flaws which
12665 			are (potentially) exploitable in named. [RT #16391]
12666 
12667 2088.	[security]	Change the default RSA exponent from 3 to 65537.
12668 			[RT #16391]
12669 
12670 2087.	[port]		libisc failed to compile on OS's w/o a vsnprintf.
12671 			[RT #16382]
12672 
12673 2086.	[port]		libbind: FreeBSD now has get*by*_r() functions.
12674 			[RT #16403]
12675 
12676 2085.	[doc]		win32: added index.html and README to zip. [RT #16201]
12677 
12678 2084.	[contrib]	dbus update for 9.3.3rc2.
12679 
12680 2083.	[port]		win32: Visual C++ 2005 support.
12681 
12682 2082.	[doc]		Document 'cache-file' as a test only option.
12683 
12684 2081.	[port]		libbind: minor 64-bit portability fix in memcluster.c.
12685 			[RT #16360]
12686 
12687 2080.	[port]		libbind: res_init.c did not compile on older versions
12688 			of Solaris. [RT #16363]
12689 
12690 2079.	[bug]		The lame cache was not handling multiple types
12691 			correctly. [RT #16361]
12692 
12693 2078.	[bug]		dnssec-checkzone output style "default" was badly
12694 			named.  It is now called "relative". [RT #16326]
12695 
12696 2077.	[bug]		'dnssec-signzone -O raw' wasn't outputting the
12697 			complete signed zone. [RT #16326]
12698 
12699 2076.	[bug]		Several files were missing #include <config.h>
12700 			causing build failures on OSF. [RT #16341]
12701 
12702 2075.	[bug]		The spillat timer event handler could leak memory.
12703 			[RT #16357]
12704 
12705 2074.	[bug]		dns_request_createvia2(), dns_request_createvia3(),
12706 			dns_request_createraw2() and dns_request_createraw3()
12707 			failed to send multiple UDP requests. [RT #16349]
12708 
12709 2073.	[bug]		Incorrect semantics check for update policy "wildcard".
12710 			[RT #16353]
12711 
12712 2072.	[bug]		We were not generating valid HMAC SHA digests.
12713 			[RT #16320]
12714 
12715 2071.	[port]		Test whether gcc accepts -fno-strict-aliasing.
12716 			[RT #16324]
12717 
12718 2070.	[bug]		The remote address was not always displayed when
12719 			reporting dispatch failures. [RT #16315]
12720 
12721 2069.	[bug]		Cross compiling was not working. [RT #16330]
12722 
12723 2068.	[cleanup]	Lower incremental tuning message to debug 1.
12724 			[RT #16319]
12725 
12726 2067.	[bug]		'rndc' could close the socket too early triggering
12727 			a INSIST under Windows. [RT #16317]
12728 
12729 2066.	[security]	Handle SIG queries gracefully. [RT #16300]
12730 
12731 2065.	[bug]		libbind: probe for HPUX prototypes for
12732 			endprotoent_r() and endservent_r().  [RT 16313]
12733 
12734 2064.	[bug]		libbind: silence AIX compiler warnings. [RT #16218]
12735 
12736 2063.	[bug]		Change #1955 introduced a bug which caused the first
12737 			'rndc flush' call to not free memory. [RT #16244]
12738 
12739 2062.	[bug]		'dig +nssearch' was reusing a buffer before it had
12740 			been returned by the socket code. [RT #16307]
12741 
12742 2061.	[bug]		Accept expired wildcard message reversed. [RT #16296]
12743 
12744 2060.	[bug]		Enabling DLZ support could leave views partially
12745 			configured. [RT #16295]
12746 
12747 2059.	[bug]		Search into cache rbtdb could trigger an INSIST
12748 			failure while cleaning up a stale rdataset.
12749 			[RT #16292]
12750 
12751 2058.	[bug]		Adjust how we calculate rtt estimates in the presence
12752 			of authoritative servers that drop EDNS and/or CD
12753 			requests.  Also fallback to EDNS/512 and plain DNS
12754 			faster for zones with less than 3 servers.  [RT #16187]
12755 
12756 2057.	[bug]		Make setting "ra" dependent on both allow-query-cache
12757 			and allow-recursion. [RT #16290]
12758 
12759 2056.	[bug]		dig: ixfr= was not being treated case insensitively
12760 			at all times. [RT #15955]
12761 
12762 2055.	[bug]		Missing goto after dropping multicast query.
12763 			[RT #15944]
12764 
12765 2054.	[port]		freebsd: do not explicitly link against -lpthread.
12766 			[RT #16170]
12767 
12768 2053.	[port]		netbsd:libbind: silence compiler warnings. [RT #16220]
12769 
12770 2052.	[bug]		'rndc' improve connect failed message to report
12771 			the failing address. [RT #15978]
12772 
12773 2051.	[port]		More strtol() fixes. [RT #16249]
12774 
12775 2050.	[bug]		Parsing of NSAP records was not case insensitive.
12776 			[RT #16287]
12777 
12778 2049.	[bug]		Restore SOA before AXFR when falling back from
12779 			a attempted IXFR when transferring in a zone.
12780 			Allow a initial SOA query before attempting
12781 			a AXFR to be requested. [RT #16156]
12782 
12783 2048.	[bug]		It was possible to loop forever when using
12784 			avoid-v4-udp-ports / avoid-v6-udp-ports when
12785 			the OS always returned the same local port.
12786 			[RT #16182]
12787 
12788 2047.	[bug]		Failed to initialize