"Fossies" - the Fresh Open Source Software Archive

Member "bind-9.17.5/ChangeLog" (4 Sep 2020, 626825 Bytes) of package /linux/misc/dns/bind9/9.17.5/bind-9.17.5.tar.xz:


The text file is shown below with prefixed line numbers.

    1 	--- 9.17.5 released ---
    2 
    3 5502.	[func]		'dig +bufsize=0' no longer disables EDNS. [GL #2054]
    4 
    5 5501.	[func]		Log CDS/CDNSKEY publication. [GL #1748]
    6 
    7 5500.	[bug]		Fix (non-)publication of CDS and CDNSKEY records.
    8 			[GL #2103]
    9 
   10 5499.	[func]		Add '-P ds' and '-D ds' arguments to dnssec-settime.
   11 			[GL #1748]
   12 
   13 5498.	[test]		The --with-gperftools-profiler configure option was
   14 			removed. [GL !4045]
   15 
   16 5497.	[placeholder]
   17 
   18 5496.	[bug]		Address a TSAN report by ensuring each rate limiter
   19 			object holds a reference to its task. [GL #2081]
   20 
   21 5495.	[bug]		With query minimization enabled, named failed to
   22 			resolve ip6.arpa. names that had extra labels to the
   23 			left of the IPv6 part. [GL #1847]
   24 
   25 5494.	[bug]		Silence the EPROTO syslog message on older systems.
   26 			[GL #1928]
   27 
   28 5493.	[bug]		Fix off-by-one error when calculating new hash table
   29 			size. [GL #2104]
   30 
   31 5492.	[bug]		Tighten LOC parsing to reject a period (".") and/or "m"
   32 			as a value. Fix handling of negative altitudes which are
   33 			not whole meters. [GL #2074]
   34 
   35 5491.	[bug]		rbtversion->glue_table_size could be read without the
   36 			appropriate lock being held. [GL #2080]
   37 
   38 5490.	[func]		Refactor readline support to use pkg-config and add
   39 			support for the editline library. [GL !3942]
   40 
   41 5489.	[bug]		Named erroneously accepted certain invalid resource
   42 			records that were incorrectly processed after
   43 			subsequently being written to disk and loaded back, as
   44 			the wire format differed. Such records include: CERT,
   45 			IPSECKEY, NSEC3, NSEC3PARAM, NXT, SIG, TLSA, WKS, and
   46 			X25. [GL !3953]
   47 
   48 5488.	[bug]		NTA code needed to have a weak reference on its
   49 			associated view to prevent the latter from being deleted
   50 			while NTA tests were being performed. [GL #2067]
   51 
   52 5487.	[cleanup]	Update managed keys log messages to be less confusing.
   53 			[GL #2027]
   54 
   55 5486.	[func]		Add 'rndc dnssec -checkds' command, which signals to
   56 			named that the DS record for a given zone or key has
   57 			been updated in the parent zone. [GL #1613]
   58 
   59 	--- 9.17.4 released ---
   60 
   61 5485.	[placeholder]
   62 
   63 5484.	[func]		Expire zero TTL records quickly rather than using them
   64 			for stale answers. [GL #1829]
   65 
   66 5483.	[func]		Keeping "stale" answers in cache has been disabled by
   67 			default and can be re-enabled with a new configuration
   68 			option "stale-cache-enable". [GL #1712]
   69 
   70 5482.	[bug]		If the Duplicate Address Detection (DAD) mechanism had
   71 			not yet finished after adding a new IPv6 address to the
   72 			system, BIND 9 would fail to bind to IPv6 addresses in a
   73 			tentative state. [GL #2038]
   74 
   75 5481.	[security]	"update-policy" rules of type "subdomain" were
   76 			incorrectly treated as "zonesub" rules, which allowed
   77 			keys used in "subdomain" rules to update names outside
   78 			of the specified subdomains. The problem was fixed by
   79 			making sure "subdomain" rules are again processed as
   80 			described in the ARM. (CVE-2020-8624) [GL #2055]
   81 
   82 5480.	[security]	When BIND 9 was compiled with native PKCS#11 support, it
   83 			was possible to trigger an assertion failure in code
   84 			determining the number of bits in the PKCS#11 RSA public
   85 			key with a specially crafted packet. (CVE-2020-8623)
   86 			[GL #2037]
   87 
   88 5479.	[security]	named could crash in certain query resolution scenarios
   89 			where QNAME minimization and forwarding were both
   90 			enabled. (CVE-2020-8621) [GL #1997]
   91 
   92 5478.	[security]	It was possible to trigger an assertion failure by
   93 			sending a specially crafted large TCP DNS message.
   94 			(CVE-2020-8620) [GL #1996]
   95 
   96 5477.	[bug]		The idle timeout for connected TCP sockets, which was
   97 			previously set to a high fixed value, is now derived
   98 			from the client query processing timeout configured for
   99 			a resolver. [GL #2024]
  100 
  101 5476.	[security]	It was possible to trigger an assertion failure when
  102 			verifying the response to a TSIG-signed request.
  103 			(CVE-2020-8622) [GL #2028]
  104 
  105 5475.	[bug]		Wildcard RPZ passthru rules could incorrectly be
  106 			overridden by other rules that were loaded from RPZ
  107 			zones which appeared later in the "response-policy"
  108 			statement. This has been fixed. [GL #1619]
  109 
  110 5474.	[bug]		dns_rdata_hip_next() failed to return ISC_R_NOMORE
  111 			when it should have. [GL !3880]
  112 
  113 5473.	[func]		The RBT hash table implementation has been changed
  114 			to use a faster hash function (HalfSipHash2-4) and
  115 			Fibonacci hashing for better distribution. Setting
  116 			"max-cache-size" now preallocates a fixed-size hash
  117 			table so that rehashing does not cause resolution
  118 			brownouts while the hash table is grown. [GL #1775]
  119 
  120 5472.	[func]		The statistics channel has been updated to use the
  121 			new network manager. [GL #2022]
  122 
  123 5471.	[bug]		The introduction of KASP support inadvertently caused
  124 			the second field of "sig-validity-interval" to always be
  125 			calculated in hours, even in cases when it should have
  126 			been calculated in days. This has been fixed. (Thanks to
  127 			Tony Finch.) [GL !3735]
  128 
  129 5470.	[port]		gsskrb5_register_acceptor_identity() is now only called
  130 			if gssapi_krb5.h is present. [GL #1995]
  131 
  132 5469.	[port]		On illumos, a constant called SEC is already defined in
  133 			<sys/time.h>, which conflicts with an identically named
  134 			constant in libbind9. This conflict has been resolved.
  135 			[GL #1993]
  136 
  137 5468.	[bug]		Addressed potential double unlock in process_fd().
  138 			[GL #2005]
  139 
  140 5467.	[func]		The control channel and the rndc utility have been
  141 			updated to use the new network manager. To support
  142 			this, the network manager was updated to enable
  143 			the initiation of client TCP connections. Its
  144 			internal reference counting has been refactored.
  145 
  146 			Note: As a side effect of this change, rndc cannot
  147 			currently be used with UNIX-domain sockets, and its
  148 			default timeout has changed from 60 seconds to 30.
  149 			These will be addressed in a future release.
  150 			[GL #1759]
  151 
  152 5466.	[bug]		Addressed an error in recursive clients stats reporting.
  153 			[GL #1719]
  154 
  155 5465.	[func]		Added fallback to built-in trust-anchors, managed-keys,
  156 			or trusted-keys if the bindkeys-file (bind.keys) cannot
  157 			be parsed. [GL #1235]
  158 
  159 5464.	[bug]		Requesting more than 128 files to be saved when rolling
  160 			dnstap log files caused a buffer overflow. This has been
  161 			fixed. [GL #1989]
  162 
  163 5463.	[placeholder]
  164 
  165 5462.	[bug]		Move LMDB locking from LMDB itself to named. [GL #1976]
  166 
  167 5461.	[bug]		The STALE rdataset header attribute was updated while
  168 			the write lock was not being held, leading to incorrect
  169 			statistics. The header attributes are now converted to
  170 			use atomic operations. [GL #1475]
  171 
  172 5460.	[cleanup]	tsig-keygen was previously an alias for
  173 			ddns-confgen and was documented in the ddns-confgen
  174 			man page. This has been reversed; tsig-keygen is
  175 			now the primary name. [GL #1998]
  176 
  177 5459.	[bug]		Fixed bad isc_mem_put() size when an invalid type was
  178 			specified in an "update-policy" rule. [GL #1990]
  179 
  180 	--- 9.17.3 released ---
  181 
  182 5458.	[bug]		Prevent a theoretically possible NULL dereference caused
  183 			by a data race between zone_maintenance() and
  184 			dns_zone_setview_helper(). [GL #1627]
  185 
  186 5457.	[placeholder]
  187 
  188 5456.	[func]		Added "primaries" as a synonym for "masters" in
  189 			named.conf, and "primary-only" as a synonym for
  190 			"master-only" in the parameters to "notify", to bring
  191 			terminology up-to-date with RFC 8499. [GL #1948]
  192 
  193 5455.	[bug]		named could crash when cleaning dead nodes in
  194 			lib/dns/rbtdb.c that were being reused. [GL #1968]
  195 
  196 5454.	[bug]		Address a startup crash that occurred when the server
  197 			was under load and the root zone had not yet been
  198 			loaded. [GL #1862]
  199 
  200 5453.	[bug]		named crashed on shutdown when a new rndc connection was
  201 			received during shutdown. [GL #1747]
  202 
  203 5452.	[bug]		The "blackhole" ACL was accidentally disabled for client
  204 			queries. [GL #1936]
  205 
  206 5451.	[func]		Add 'rndc dnssec -status' command. [GL #1612]
  207 
  208 5450.	[placeholder]
  209 
  210 5449.	[bug]		Fix a socket shutdown race in netmgr udp. [GL #1938]
  211 
  212 5448.	[bug]		Fix a race condition in isc__nm_tcpdns_send().
  213 			[GL #1937]
  214 
  215 5447.	[bug]		IPv6 addresses ending in "::" could break YAML
  216 			parsing. A "0" is now appended to such addresses
  217 			in YAML output from dig, mdig, delv, and dnstap-read.
  218 			[GL #1952]
  219 
  220 5446.	[bug]		The validator could fail to accept a properly signed
  221 			RRset if an unsupported algorithm appeared earlier in
  222 			the DNSKEY RRset than a supported algorithm. It could
  223 			also stop if it detected a malformed public key.
  224 			[GL #1689]
  225 
  226 5445.	[cleanup]	Disable and disallow static linking. [GL #1933]
  227 
  228 5444.	[bug]		'rndc dnstap -roll <value>' did not limit the number of
  229 			saved files to <value>. [GL !3728]
  230 
  231 5443.	[bug]		The "primary" and "secondary" keywords, when used
  232 			as parameters for "check-names", were not
  233 			processed correctly and were being ignored. [GL #1949]
  234 
  235 5442.	[func]		Add support for outgoing TCP connections in netmgr.
  236 			[GL #1958]
  237 
  238 5441.	[placeholder]
  239 
  240 5440.	[placeholder]
  241 
  242 5439.	[bug]		The DS RRset returned by dns_keynode_dsset() was used in
  243 			a non-thread-safe manner. [GL #1926]
  244 
  245 	--- 9.17.2 released ---
  246 
  247 5438.	[bug]		Fix a race in TCP accepting code. [GL #1930]
  248 
  249 5437.	[bug]		Fix a data race in lib/dns/resolver.c:log_formerr().
  250 			[GL #1808]
  251 
  252 5436.	[security]	It was possible to trigger an INSIST when determining
  253 			whether a record would fit into a TCP message buffer.
  254 			(CVE-2020-8618) [GL #1850]
  255 
  256 5435.	[tests]		Add RFC 4592 responses examples to the wildcard system
  257 			test. [GL #1718]
  258 
  259 5434.	[security]	It was possible to trigger an INSIST in
  260 			lib/dns/rbtdb.c:new_reference() with a particular zone
  261 			content and query patterns. (CVE-2020-8619) [GL #1111]
  262 			[GL #1718]
  263 
  264 5433.	[placeholder]
  265 
  266 5432.	[bug]		Check the question section when processing AXFR, IXFR,
  267 			and SOA replies when transferring a zone in. [GL #1683]
  268 
  269 5431.	[func]		Reject DS records at the zone apex when loading
  270 			master files. Log but otherwise ignore attempts to
  271 			add DS records at the zone apex via UPDATE. [GL #1798]
  272 
  273 5430.	[doc]		Update docs - with netmgr, a separate listening socket
  274 			is created for each IPv6 interface (just as with IPv4).
  275 			[GL #1782]
  276 
  277 5429.	[cleanup]	Move BIND binaries which are neither daemons nor
  278 			administrative programs to $bindir. [GL #1724]
  279 
  280 5428.	[bug]		Clean up GSSAPI resources in nsupdate only after taskmgr
  281 			has been destroyed. Thanks to Petr Menšík. [GL !3316]
  282 
  283 5427.	[placeholder]
  284 
  285 5426.	[bug]		Don't abort() when setting SO_INCOMING_CPU on the socket
  286 			fails. [GL #1911]
  287 
  288 5425.	[func]		The default value of "max-stale-ttl" has been changed
  289 			from 1 week to 12 hours. [GL #1877]
  290 
  291 5424.	[bug]		With KASP, when creating a successor key, the "goal"
  292 			state of the current active key (predecessor) was not
  293 			changed and thus never removed from the zone. [GL #1846]
  294 
  295 5423.	[bug]		Fix a bug in keymgr_key_has_successor(): it incorrectly
  296 			returned true if any other key in the keyring had a
  297 			successor. [GL #1845]
  298 
  299 5422.	[bug]		When using dnssec-policy, print correct key timing
  300 			metadata. [GL #1843]
  301 
  302 5421.	[bug]		Fix a race that could cause named to crash when looking
  303 			up the nodename of an RBT node if the tree was modified.
  304 			[GL #1857]
  305 
  306 5420.	[bug]		Add missing isc_{mutex,conditional}_destroy() calls
  307 			that caused a memory leak on FreeBSD. [GL #1893]
  308 
  309 5419.	[func]		Add new dig command line option, "+qid=<num>", which
  310 			allows the query ID to be set to an arbitrary value.
  311 			Add a new ./configure option, --enable-singletrace,
  312 			which allows trace logging of a single query when QID is
  313 			set to 0. [GL #1851]
  314 
  315 5418.	[bug]		delv failed to parse deprecated trusted-keys-style
  316 			trust anchors. [GL #1860]
  317 
  318 5417.	[cleanup]	The code determining the advertised UDP buffer size in
  319 			outgoing EDNS queries has been refactored to improve its
  320 			clarity. [GL #1868]
  321 
  322 5416.	[bug]		Fix a lock order inversion in lib/isc/unix/socket.c.
  323 			[GL #1859]
  324 
  325 5415.	[test]		Address race in dnssec system test that led to
  326 			test failures. [GL #1852]
  327 
  328 5414.	[test]		Adjust time allowed for journal truncation to occur
  329 			in nsupdate system test to avoid test failure.
  330 			[GL #1855]
  331 
  332 5413.	[test]		Address race in autosign system test that led to
  333 			test failures. [GL #1852]
  334 
  335 5412.	[bug]		'provide-ixfr no;' failed to return up-to-date responses
  336 			when the serial was greater than or equal to the
  337 			current serial. [GL #1714]
  338 
  339 5411.	[cleanup]	TCP accept code has been refactored to use a single
  340 			accept() and pass the accepted socket to child threads
  341 			for processing. [GL !3320]
  342 
  343 5410.	[func]		Add the ability to specify per-type record count limits,
  344 			which are enforced when adding records via UPDATE, in an
  345 			"update-policy" statement. [GL #1657]
  346 
  347 5409.	[performance]	When looking up NSEC3 data in a zone database, skip the
  348 			check for empty non-terminal nodes; the NSEC3 tree does
  349 			not have any. [GL #1834]
  350 
  351 5408.	[protocol]	Print Extended DNS Errors if present in OPT record.
  352 			[GL #1835]
  353 
  354 5407.	[func]		Zone timers are now exported via statistics channel.
  355 			Thanks to Paul Frieden, Verizon Media. [GL #1232]
  356 
  357 5406.	[func]		Add a new logging category, "rpz-passthru", which allows
  358 			RPZ passthru actions to be logged in a separate channel.
  359 			[GL #54]
  360 
  361 5405.	[bug]		'named-checkconf -p' could include spurious text in
  362 			server-addresses statements due to an uninitialized DSCP
  363 			value. [GL #1812]
  364 
  365 5404.	[bug]		'named-checkconf -z' could incorrectly indicate
  366 			success if errors were found in one view but not in a
  367 			subsequent one. [GL #1807]
  368 
  369 5403.	[func]		Do not set UDP receive/send buffer sizes - use system
  370 			defaults. [GL #1713]
  371 
  372 5402.	[bug]		On FreeBSD, use SO_REUSEPORT_LB instead of SO_REUSEPORT.
  373 			Enable use of SO_REUSEADDR on all platforms which
  374 			support it. [GL !3365]
  375 
  376 5401.	[bug]		The number of input queues allocated during dnstap
  377 			initialization was too low, which could prevent some
  378 			dnstap data from being logged. [GL #1795]
  379 
  380 5400.	[func]		Add engine support to OpenSSL EdDSA implementation.
  381 			[GL #1763]
  382 
  383 5399.	[func]		Add engine support to OpenSSL ECDSA implementation.
  384 			[GL #1534]
  385 
  386 5398.	[bug]		Named could fail to restart if a zone with a double
  387 			quote (") in its name was added with 'rndc addzone'.
  388 			[GL #1695]
  389 
  390 5397.	[func]		Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
  391 			Thanks to Aaron Thompson. [GL !3326]
  392 
  393 5396.	[func]		When necessary (i.e. in libuv >= 1.37), use the
  394 			UV_UDP_RECVMMSG flag to enable recvmmsg() support in
  395 			libuv. [GL #1797]
  396 
  397 5395.	[security]	Further limit the number of queries that can be
  398 			triggered from a request.  Root and TLD servers
  399 			are no longer exempt from max-recursion-queries.
  400 			Fetches for missing name server address records
  401 			are limited to 4 for any domain. (CVE-2020-8616)
  402 			[GL #1388]
  403 
  404 5394.	[cleanup]	Named formerly attempted to change the effective UID and
  405 			GID in named_os_openfile(), which could trigger a
  406 			spurious log message if they were already set to the
  407 			desired values. This has been fixed. [GL #1042]
  408 			[GL #1090]
  409 
  410 5393.	[cleanup]	Unused and/or redundant APIs were removed from libirs.
  411 			[GL #1758]
  412 
  413 5392.	[bug]		It was possible for named to crash during shutdown
  414 			or reconfiguration if an RPZ zone was still being
  415 			updated. [GL #1779]
  416 
  417 5391.	[func]		The BIND 9 build system has been changed to use a
  418 			typical autoconf+automake+libtool stack. When building
  419 			from the Git repository, run "autoreconf -fi" first.
  420 			[GL #4]
  421 
  422 5390.	[security]	Replaying a TSIG BADTIME response as a request could
  423 			trigger an assertion failure. (CVE-2020-8617)
  424 			[GL #1703]
  425 
  426 5389.	[bug]		Finish PKCS#11 code cleanup, fix a couple of smaller
  427 			bugs and use PKCS#11 v3.0 EdDSA macros and constants.
  428 			Thanks to Aaron Thompson. [GL !3391]
  429 
  430 5388.	[func]		Reject AXFR streams where the message ID is not
  431 			consistent. [GL #1674]
  432 
  433 5387.	[placeholder]
  434 
  435 5386.	[cleanup]	Address Coverity warnings in lib/dns/keymgr.c.
  436 			[GL #1737]
  437 
  438 5385.	[func]		Make ISC rwlock implementation the default again.
  439 			[GL #1753]
  440 
  441 5384.	[bug]		With "dnssec-policy" in effect, "inline-signing" was
  442 			implicitly set to "yes". Now "inline-signing" is only
  443 			set to "yes" if the zone is not dynamic. [GL #1709]
  444 
  445 	--- 9.17.1 released ---
  446 
  447 5383.	[func]		Add a quota attach function with a callback and clean up
  448 			the isc_quota API. [GL !3280]
  449 
  450 5382.	[bug]		Use clock_gettime() instead of gettimeofday() for
  451 			isc_stdtime() function. [GL #1679]
  452 
  453 5381.	[bug]		Fix logging API data race by adding rwlock and caching
  454 			logging levels in stdatomic variables to restore
  455 			performance to original levels. [GL #1675] [GL #1717]
  456 
  457 5380.	[contrib]	Fix building MySQL DLZ modules against MySQL 8
  458 			libraries. [GL #1678]
  459 
  460 5379.	[placeholder]
  461 
  462 5378.	[bug]		Receiving invalid DNS data was triggering an assertion
  463 			failure in nslookup. [GL #1652]
  464 
  465 5377.	[placeholder]
  466 
  467 5376.	[bug]		Fix ineffective DNS rebinding protection when BIND is
  468 			configured as a forwarding DNS server. Thanks to Tobias
  469 			Klein. [GL #1574]
  470 
  471 5375.	[test]		Fix timing issues in the "kasp" system test. [GL #1669]
  472 
  473 5374.	[bug]		Statistics counters tracking recursive clients and
  474 			active connections could underflow. [GL #1087]
  475 
  476 5373.	[bug]		Collecting statistics for DNSSEC signing operations
  477 			(change 5254) caused an array of significant size (over
  478 			100 kB) to be allocated for each configured zone. Each
  479 			of these arrays is tracking all possible key IDs; this
  480 			could trigger an out-of-memory condition on servers with
  481 			a high enough number of zones configured. Fixed by
  482 			tracking up to four keys per zone and rotating counters
  483 			when keys are replaced. This fixes the immediate problem
  484 			of high memory usage, but should be improved in a future
  485 			release by growing or shrinking the number of keys to
  486 			track upon key rollover events. [GL #1179]
  487 
  488 5372.	[bug]		Fix migration from existing DNSSEC key files
  489 			("auto-dnssec maintain") to "dnssec-policy". [GL #1706]
  490 
  491 5371.	[bug]		Improve incremental updates of the RPZ summary
  492 			database to reduce delays that could occur when
  493 			a policy zone update included a large number of
  494 			record deletions. [GL #1447]
  495 
  496 5370.	[bug]		Deactivation of a netmgr handle associated with a
  497 			socket could be skipped in some circumstances.
  498 			Fixed by deactivating the netmgr handle before
  499 			scheduling the asynchronous close routine. [GL #1700]
  500 
  501 5369.	[func]		Add the ability to specify whether to wait for
  502 			nameserver domain names to be looked up, with a new RPZ
  503 			modifying directive 'nsdname-wait-recurse'. [GL #1138]
  504 
  505 5368.	[bug]		Named failed to restart if 'rndc addzone' names
  506 			contained special characters (e.g. '/'). [GL #1655]
  507 
  508 5367.	[placeholder]
  509 
  510 	--- 9.17.0 released ---
  511 
  512 5366.	[bug]		Fix a race condition with the keymgr when the same
  513 			zone plus dnssec-policy is configured in multiple
  514 			views. [GL #1653]
  515 
  516 5365.	[bug]		Algorithm rollover was stuck on submitting DS
  517 			because keymgr thought it would move to an invalid
  518 			state.  Fixed by checking the current key against
  519 			the desired state, not the existing state. [GL #1626]
  520 
  521 5364.	[bug]		Algorithm rollover waited too long before introducing
  522 			zone signatures.  It waited to make sure all signatures
  523 			were regenerated, but when introducing a new algorithm,
  524 			all signatures are regenerated immediately.  Only
  525 			add the sign delay if there is a predecessor key.
  526 			[GL #1625]
  527 
  528 5363.	[bug]		When changing a dnssec-policy, existing keys with
  529 			properties that no longer match were not being retired.
  530 			[GL #1624]
  531 
  532 5362.	[func]		Limit the size of IXFR responses so that AXFR will
  533 			be used instead if it would be smaller. This is
  534 			controlled by the "max-ixfr-ratio" option, which
  535 			is a percentage representing the ratio of IXFR size
  536 			to the size of the entire zone. This value cannot
  537 			exceed 100%, which is the default. [GL #1515]
  538 
  539 5361.	[bug]		named might not accept new connections after
  540 			hitting tcp-clients quota. [GL #1643]
  541 
  542 5360.	[bug]		delv could fail to load trust anchors in DNSKEY
  543 			format. [GL #1647]
  544 
  545 5359.	[func]		"rndc nta -d" and "rndc secroots" now include
  546 			"validate-except" entries when listing negative
  547 			trust anchors. These are indicated by the keyword
  548 			"permanent" in place of an expiry date. [GL #1532]
  549 
  550 5358.	[bug]		Inline master zones whose master files were touched
  551 			but otherwise unchanged and were subsequently reloaded
  552 			may have stopped re-signing. [GL !3135]
  553 
  554 5357.	[bug]		Newly added RRSIG records with expiry times before
  555 			the previous earliest expiry times might not be
  556 			re-signed in time.  This was a side effect of 5315.
  557 			[GL !3137]
  558 
  559 5356.	[func]		Update dnssec-policy configuration statements:
  560 			- Rename "zone-max-ttl" dnssec-policy option to
  561 			  "max-zone-ttl" for consistency with the existing
  562 			  zone option.
  563 			- Allow for "lifetime unlimited" as a synonym for
  564 			  "lifetime PT0S".
  565 			- Make "key-directory" optional.
  566 			- Warn if specifying a key length does not make
  567 			  sense; fail if key length is out of range for
  568 			  the algorithm.
  569 			- Allow use of mnemonics when specifying key
  570 			  algorithm (e.g. "rsasha256", "ecdsa384", etc.).
  571 			- Make ISO 8601 durations case-insensitive.
  572 			[GL #1598]
  573 
  574 5355.	[func]		What was set with --with-tuning=large option in
  575 			older BIND9 versions is now a default, and
  576 			a --with-tuning=small option was added for small
  577 			(e.g. OpenWRT) systems. [GL !2989]
  578 
  579 5354.	[bug]		dnssec-policy created new KSK keys for zones in the
  580 			initial stage of signing (with the DS not yet in the
  581 			rumoured or omnipresent states).  Fix by checking the
  582 			key goals rather than the active state when determining
  583 			whether new keys are needed. [GL #1593]
  584 
  585 5353.	[doc]		Document port and dscp parameters in forwarders
  586 			configuration option. [GL #914]
  587 
  588 5352.	[bug]		Correctly handle catalog zone entries containing
  589 			characters that aren't legal in filenames. [GL #1592]
  590 
  591 5351.	[bug]		CDS / CDNSKEY consistency checks failed to handle
  592 			removal records. [GL #1554]
  593 
  594 5350.	[bug]		When a view was configured with class CHAOS, the
  595 			server could crash while processing a query for a
  596 			non-existent record. [GL #1540]
  597 
  598 5349.	[bug]		Fix a race in task_pause/unpause. [GL #1571]
  599 
  600 5348.	[bug]		dnssec-settime -Psync was not being honoured.
  601 			[GL !2893]
  602 
  603 	--- 9.15.8 released ---
  604 
  605 5347.	[bug]		Fixed a bug that could cause an intermittent crash
  606 			in validator.c when validating a negative cache
  607 			entry. [GL #1561]
  608 
  609 5346.	[bug]		Make hazard pointer array allocations dynamic, fixing
  610 			a bug that caused named to crash on machines with more
  611 			than 40 cores. [GL #1493]
  612 
  613 5345.	[func]		Key-style trust anchors and DS-style trust anchors
  614 			can now both be used for the same name. [GL #1237]
  615 
  616 5344.	[bug]		Handle accept() errors properly in netmgr. [GL !2880]
  617 
  618 5343.	[func]		Add statistics counters to the netmgr. [GL #1311]
  619 
  620 5342.	[bug]		Disable pktinfo for IPv6 and bind to each interface
  621 			explicitly instead, because libuv doesn't support
  622 			pktinfo control messages. [GL #1558]
  623 
  624 5341.	[func]		Simplify passing the bound TCP socket to child
  625 			threads by using isc_uv_export/import functions.
  626 			[GL !2825]
  627 
  628 5340.	[bug]		Don't deadlock when binding to a TCP socket fails.
  629 			[GL #1499]
  630 
  631 5339.	[bug]		With some libmaxminddb versions, named could erroneously
  632 			match an IP address not belonging to any subnet defined
  633 			in a given GeoIP2 database to one of the existing
  634 			entries in that database. [GL #1552]
  635 
  636 5338.	[bug]		Fix line spacing in `rndc secroots`.
  637 			Thanks to Tony Finch. [GL !2478]
  638 
  639 5337.	[func]		'named -V' now reports maxminddb and protobuf-c
  640 			versions. [GL !2686]
  641 
  642 	--- 9.15.7 released ---
  643 
  644 5336.	[bug]		The TCP high-water statistic could report an
  645 			incorrect value on startup. [GL #1392]
  646 
  647 5335.	[func]		Make TCP listening code multithreaded. [GL !2659]
  648 
  649 5334.	[doc]		Update documentation with dnssec-policy clarifications.
  650 			Also change some defaults. [GL !2711]
  651 
  652 5333.	[bug]		Fix duration printing on Solaris when value is not
  653 			an ISO 8601 duration. [GL #1460]
  654 
  655 5332.	[func]		Renamed "dnssec-keys" configuration statement
  656 			to the more descriptive "trust-anchors". [GL !2702]
  657 
  658 5331.	[func]		Use compiler-provided mechanisms for thread local
  659 			storage, and make the requirement for such mechanisms
  660 			explicit in configure. [GL #1444]
  661 
  662 5330.	[bug]		'configure --without-python' was ineffective if
  663 			PYTHON was set in the environment. [GL #1434]
  664 
  665 5329.	[bug]		Reconfiguring named caused memory to be leaked when any
  666 			GeoIP2 database was in use. [GL #1445]
  667 
  668 5328.	[bug]		rbtdb.c:rdataset_{get,set}ownercase failed to obtain
  669 			a node lock. [GL #1417]
  670 
  671 5327.	[func]		Added a statistics counter to track queries
  672 			dropped because the recursive-clients quota was
  673 			exceeded. [GL #1399]
  674 
  675 5326.	[bug]		Add Python dependency on 'distutils.core' to configure.
  676 			'distutils.core' is required for installation.
  677 			[GL #1397]
  678 
  679 5325.	[bug]		Addressed several issues with TCP connections in
  680 			the netmgr: restored support for TCP connection
  681 			timeouts, restored TCP backlog support, actively
  682 			close all open sockets during shutdown. [GL #1312]
  683 
  684 5324.	[bug]		Change the category of some log messages from general
   685 			to the more appropriate category of xfer-in. [GL #1394]
  686 
  687 5323.	[bug]		Fix a bug in DNSSEC trust anchor verification.
  688 			[GL !2609]
  689 
  690 5322.	[placeholder]
  691 
  692 5321.	[bug]		Obtain write lock before updating version->records
  693 			and version->bytes. [GL #1341]
  694 
  695 5320.	[cleanup]	Silence TSAN on header->count. [GL #1344]
  696 
  697 	--- 9.15.6 released ---
  698 
  699 5319.	[func]		Trust anchors can now be configured using DS
  700 			format to represent a key digest, by using the
  701 			new "initial-ds" or "static-ds" keywords in
  702 			the "dnssec-keys" statement.
  703 
  704 			Note: DNSKEY-format and DS-format trust anchors
  705 			cannot both be used for the same domain name.
  706 			[GL #622]
  707 
  708 5318.	[cleanup]	The DNSSEC validation code has been refactored
  709 			for clarity and to reduce code duplication.
  710 			[GL #622]
  711 
  712 5317.	[func]		A new asynchronous network communications system
  713 			based on libuv is now used for listening for
  714 			incoming requests and responding to them. (The
  715 			old isc_socket API remains in use for sending
  716 			iterative queries and processing responses; this
  717 			will be changed too in a later release.)
  718 
  719 			This change will make it easier to improve
  720 			performance and implement new protocol layers
  721 			(e.g., DNS over TLS) in the future. [GL #29]
  722 
  723 5316.	[func]		A new "dnssec-policy" option has been added to
  724 			named.conf to implement a key and signing policy
  725 			(KASP) for zones. When this option is in use,
  726 			named can generate new keys as needed and
  727 			automatically roll both ZSK and KSK keys. (Note
  728 			that the syntax for this statement differs from
  729 			the dnssec policy used by dnssec-keymgr.)
  730 
  731 			See the ARM for configuration details. [GL #1134]
  732 
  733 5315.	[bug]		Apply the initial RRSIG expiration spread fixed
  734 			to all dynamically created records in the zone
  735 			including NSEC3. Also fix the signature clusters
   736 			when the server has been offline for prolonged
   737 			periods of time. [GL #1256]
  738 
  739 5314.	[func]		Added a new statistics variable "tcp-highwater"
  740 			that reports the maximum number of simultaneous TCP
  741 			clients BIND has handled while running. [GL #1206]
  742 
  743 5313.	[bug]		The default GeoIP2 database location did not match
  744 			the ARM.  'named -V' now reports the default
  745 			location. [GL #1301]
  746 
  747 5312.	[bug]		Do not flush the cache for `rndc validation status`.
  748 			Thanks to Tony Finch. [GL !2462]
  749 
  750 5311.	[cleanup]	Include all views in output of `rndc validation status`.
  751 			Thanks to Tony Finch. [GL !2461]
  752 
  753 5310.	[bug]		TCP failures were affecting EDNS statistics. [GL #1059]
  754 
  755 5309.	[placeholder]
  756 
  757 5308.	[bug]		Don't log DNS_R_UNCHANGED from sync_secure_journal()
  758 			at ERROR level in receive_secure_serial(). [GL #1288]
  759 
  760 5307.	[bug]		Fix hang when named-compilezone output is sent to pipe.
  761 			Thanks to Tony Finch. [GL !2481]
  762 
  763 5306.	[security]	Set a limit on number of simultaneous pipelined TCP
  764 			queries. (CVE-2019-6477) [GL #1264]
  765 
  766 5305.	[bug]		NSEC Aggressive Cache ("synth-from-dnssec") has been
  767 			disabled by default because it was found to have
  768 			a significant performance impact on the recursive
  769 			service. [GL #1265]
  770 
  771 5304.	[bug]		"dnskey-sig-validity 0;" was not being accepted.
  772 			[GL #876]
  773 
  774 5303.	[placeholder]
  775 
  776 5302.	[bug]		Fix checking that "dnstap-output" is defined when
  777 			"dnstap" is specified in a view. [GL #1281]
  778 
  779 5301.	[bug]		Detect partial prefixes / incomplete IPv4 address in
  780 			acls. [GL #1143]
  781 
  782 5300.	[bug]		dig/mdig/delv: Add a colon after EDNS option names,
  783 			even when the option is empty, to improve
  784 			readability and allow correct parsing of YAML
  785 			output. [GL #1226]
  786 
  787 	--- 9.15.5 released ---
  788 
  789 5299.	[security]	A flaw in DNSSEC verification when transferring
  790 			mirror zones could allow data to be incorrectly
  791 			marked valid. (CVE-2019-6475) [GL #1252]
  792 
  793 5298.	[security]	Named could assert if a forwarder returned a
  794 			referral, rather than resolving the query, when QNAME
  795 			minimization was enabled. (CVE-2019-6476) [GL #1051]
  796 
  797 5297.	[bug]		Check whether a previous QNAME minimization fetch
  798 			is still running before starting a new one; return
  799 			SERVFAIL and log an error if so. [GL #1191]
  800 
  801 5296.	[placeholder]
  802 
  803 5295.	[cleanup]	Split dns_name_copy() calls into dns_name_copy() and
  804 			dns_name_copynf() for those calls that can potentially
  805 			fail and those that should not fail respectively.
  806 			[GL !2265]
  807 
  808 5294.	[func]		Fall back to ACE name on output in a locale which does not
  809 			support converting it to Unicode.  [GL #846]
  810 
  811 5293.	[bug]		On Windows, named crashed upon any attempt to fetch XML
  812 			statistics from it. [GL #1245]
  813 
  814 5292.	[bug]		Queue 'rndc nsec3param' requests while signing inline
  815 			zone changes. [GL #1205]
  816 
  817 	--- 9.15.4 released ---
  818 
  819 5291.	[placeholder]
  820 
  821 5290.	[placeholder]
  822 
  823 5289.	[bug]		Address NULL pointer dereference in rpz.c:rpz_detach.
  824 			[GL #1210]
  825 
  826 5288.	[bug]		dnssec-must-be-secure was not always honored.
  827 			[GL #1209]
  828 
  829 5287.	[placeholder]
  830 
  831 5286.	[contrib]	Address potential NULL pointer dereferences in
  832 			dlz_mysqldyn_mod.c. [GL #1207]
  833 
  834 5285.	[port]		win32: implement "-T maxudpXXX". [GL #837]
  835 
  836 5284.	[func]		Added +unexpected command line option to dig.
  837 			By default, dig won't accept a reply from a source
  838 			other than the one to which it sent the query.
  839 			Invoking dig with +unexpected argument will allow it
  840 			to process replies from unexpected sources.
  841 
  842 5283.	[bug]		When a response-policy zone expires, ensure that
  843 			its policies are removed from the RPZ summary
  844 			database. [GL #1146]
  845 
  846 5282.	[bug]		Fixed a bug in searching for possible wildcard matches
  847 			for query names in the RPZ summary database. [GL #1146]
  848 
  849 5281.	[cleanup]	Don't escape commas when reporting named's command
  850 			line. [GL #1189]
  851 
  852 5280.	[protocol]	Add support for displaying EDNS option LLQ. [GL #1201]
  853 
  854 5279.	[bug]		When loading, reject zones containing CDS or CDNSKEY
  855 			RRsets at the zone apex if they would cause DNSSEC
  856 			validation failures if published in the parent zone
  857 			as the DS RRset.  [GL #1187]
  858 
  859 5278.	[func]		Add YAML output formats for dig, mdig and delv;
  860 			use the "+yaml" option to enable. [GL #1145]
  861 
  862 	--- 9.15.3 released ---
  863 
  864 5277.	[bug]		Cache DB statistics could underflow when serve-stale
  865 			was in use, because of a bug in counter maintenance
  866 			when RRsets become stale.
  867 
  868 			Functions for dumping statistics have been updated
  869 			to dump active, stale, and ancient statistic
  870 			counters.  Ancient RRset counters are prefixed
  871 			with '~'; stale RRset counters are still prefixed
  872 			with '#'. [GL #602]
  873 
  874 5276.	[func]		DNSSEC Lookaside Validation (DLV) is now obsolete;
  875 			all code enabling its use has been removed from the
  876 			validator, "delv", and the DNSSEC tools. [GL #7]
  877 
  878 5275.	[bug]		Mark DS records included in referral messages
  879 			with trust level "pending" so that they can be
  880 			validated and cached immediately, with no need to
  881 			re-query. [GL #964]
  882 
  883 5274.	[bug]		Address potential use after free race when shutting
  884 			down rpz. [GL #1175]
  885 
  886 5273.	[bug]		Check that bits [64..71] of a dns64 prefix are zero.
  887 			[GL #1159]
  888 
  889 5272.	[cleanup]	Remove isc-config.sh script as the BIND 9 libraries
  890 			are now purely internal. [GL #1123]
  891 
  892 5271.	[func]		The normal (non-debugging) output of dnssec-signzone
  893 			and dnssec-verify tools now goes to stdout, instead of
  894 			the combination of stderr and stdout.
  895 
  896 5270.	[bug]		'dig +expandaaaa +short' did not work. [GL #1152]
  897 
  898 5269.	[port]		cygwin: can return ETIMEDOUT on connect() with a
  899 			non-blocking socket. [GL #1133]
  900 
  901 5268.	[placeholder]
  902 
  903 5267.	[func]		Allow statistics groups display to be toggle-able.
  904 			[GL #1030]
  905 
  906 5266.	[bug]		named-checkconf failed to report dnstap-output
  907 			missing from named.conf when dnstap was specified.
  908 			[GL #1136]
  909 
  910 5265.	[bug]		DNS64 and RPZ nodata (CNAME *.) rules interacted badly.
  911 			[GL #1106]
  912 
  913 5264.	[func]		New DNS Cookie algorithm - siphash24 - has been added
  914 			to BIND 9, and the old HMAC-SHA DNS Cookie algorithms
  915 			have been removed. [GL #605]
  916 
  917 	--- 9.15.2 released ---
  918 
  919 5263.	[cleanup]	Use atomics and isc_refcount_t wherever possible.
  920 			[GL #1038]
  921 
  922 5262.	[func]		Removed support for the legacy GeoIP API. [GL #1112]
  923 
  924 5261.	[cleanup]	Remove SO_BSDCOMPAT socket option usage.
  925 
  926 5260.	[bug]		dnstap-read was producing malformed output for large
  927 			packets. [GL #1093]
  928 
  929 5259.	[func]		New option '-i' for 'named-checkconf' to ignore
  930 			warnings about deprecated options. [GL #1101]
  931 
  932 5258.	[func]		Added support for the GeoIP2 API from MaxMind. This
  933 			will be compiled in by default if the "libmaxminddb"
  934 			library is found at compile time, but can be
  935 			suppressed using "configure --disable-geoip".
  936 
  937 			Certain geoip ACL settings that were available with
  938 			legacy GeoIP are not available when using GeoIP2.
  939 			[GL #182]
  940 
  941 5257.	[bug]		Some statistics data was not being displayed.
  942 			Add shading to the zone tables. [GL #1030]
  943 
  944 5256.	[bug]		Ensure that glue records are included in root
  945 			priming responses if "minimal-responses" is not
  946 			set to "yes". [GL #1092]
  947 
  948 5255.	[bug]		Errors encountered while reloading inline-signing
  949 			zones could be ignored, causing the zone content to
  950 			be left in an incompletely updated state rather than
  951 			reverted. [GL #1109]
  952 
  953 5254.	[func]		Collect metrics to report to the statistics-channel
  954 			DNSSEC signing operations (dnssec-sign) and refresh
  955 			operations (dnssec-refresh) per zone and per keytag.
  956 			[GL #513]
  957 
  958 5253.	[port]		Support platforms that don't define ULLONG_MAX.
  959 			[GL #1098]
  960 
  961 5252.	[func]		Report if the last 'rndc reload/reconfig' failed in
  962 			rndc status. [GL !2040]
  963 
  964 5251.	[bug]		Statistics were broken in x86 Windows builds.
  965 			[GL #1081]
  966 
  967 5250.	[func]		The default size for RSA keys is now 2048 bits,
  968 			for both ZSKs and KSKs. [GL #1097]
  969 
  970 5249.	[bug]		Fix a possible underflow in recursion clients
  971 			statistics when hitting recursive clients
  972 			soft quota. [GL #1067]
  973 
  974 	--- 9.15.1 released ---
  975 
  976 5248.	[func]		To clarify the configuration of DNSSEC keys,
  977 			the "managed-keys" and "trusted-keys" options
  978 			have both been deprecated.  The new "dnssec-keys"
  979 			statement can now be used for all trust anchors,
  980 			with the keywords "initial-key" or "static-key"
  981 			to indicate whether the configured trust anchor
  982 			should be used for initialization of RFC 5011 key
  983 			management, or as a permanent trust anchor.
  984 
  985 			The "static-key" keyword will generate a warning if
  986 			used for the root zone.
  987 
  988 			Configurations using "trusted-keys" or "managed-keys"
  989 			will continue to work with no changes, but will
  990 			generate warnings in the log. In a future release,
  991 			these options will be marked obsolete. [GL #6]
  992 
  993 5247.	[cleanup]	The 'cleaning-interval' option has been removed.
  994 			[GL !1731]
  995 
  996 5246.	[func]		Log TSIG if appropriate in 'sending notify to' message.
  997 			[GL #1058]
  998 
  999 5245.	[cleanup]	Reduce logging level for IXFR up-to-date poll
 1000 			responses. [GL #1009]
 1001 
 1002 5244.	[security]	Fixed a race condition in dns_dispatch_getnext()
 1003 			that could cause an assertion failure if a
 1004 			significant number of incoming packets were
 1005 			rejected. (CVE-2019-6471) [GL #942]
 1006 
 1007 5243.	[bug]		Fix a possible race between dispatcher and socket
 1008 			code in a high-load cold-cache resolver scenario.
 1009 			[GL #943]
 1010 
 1011 5242.	[bug]		In relaxed qname minimization mode, fall back to
 1012 			normal resolution when encountering a lame
 1013 			delegation, and use _.domain/A queries rather
 1014 			than domain/NS. [GL #1055]
 1015 
 1016 5241.	[bug]		Fix Ed448 private and public key ASN.1 prefix blobs.
 1017 			[GL #225]
 1018 
 1019 5240.	[bug]		Remove key id calculation for RSAMD5. [GL #996]
 1020 
 1021 5239.	[func]		Change the json-c detection to pkg-config. [GL #855]
 1022 
 1023 5238.	[bug]		Fix a possible deadlock in TCP code. [GL #1046]
 1024 
 1025 5237.	[bug]		Recurse to find the root server list with 'dig +trace'.
 1026 			[GL #1028]
 1027 
 1028 5236.	[func]		Add SipHash 2-4 implementation in lib/isc/siphash.c
 1029 			and switch isc_hash_function() to use SipHash 2-4.
 1030 			[GL #605]
 1031 
 1032 5235.	[cleanup]	Refactor lib/isc/app.c to be thread-safe, unused
 1033 			parts of the API have been removed and the
 1034 			isc_appctx_t data type has been changed to be
 1035 			fully opaque. [GL #1023]
 1036 
 1037 5234.	[port]		arm: just use the compiler's default support for
 1038 			yield. [GL #981]
 1039 
 1040 	--- 9.15.0 released ---
 1041 
 1042 5233.	[bug]		Negative trust anchors did not work with "forward only;"
 1043 			to validating resolvers. [GL #997]
 1044 
 1045 5232.	[placeholder]
 1046 
 1047 5231.	[protocol]	Add support for displaying CLIENT-TAG and SERVER-TAG.
 1048 			[GL #960]
 1049 
 1050 5230.	[protocol]	The SHA-1 hash algorithm is no longer used when
 1051 			generating DS and CDS records. [GL #1015]
 1052 
 1053 5229.	[protocol]	Enforce known SSHFP fingerprint lengths. [GL #852]
 1054 
 1055 5228.	[func]		If trusted-keys and managed-keys were configured
 1056 			simultaneously for the same name, the key could
 1057 			not be rolled automatically. This is now
 1058 			a fatal configuration error. [GL #868]
 1059 
 1060 5227.	[placeholder]
 1061 
 1062 5226.	[placeholder]
 1063 
 1064 5225.	[func]		Allow dig to print out AAAA record fully expanded
 1065 			with +[no]expandaaaa. [GL #765]
 1066 
 1067 5224.	[bug]		Only test provide-ixfr on TCP streams. [GL #991]
 1068 
 1069 5223.	[bug]		Fixed a race in the filter-aaaa plugin accessing
 1070 			the hash table. [GL #1005]
 1071 
 1072 5222.	[bug]		'delv -t ANY' could leak memory. [GL #983]
 1073 
 1074 5221.	[test]		Enable parallel execution of system tests on
 1075 			Windows. [GL !4101]
 1076 
 1077 5220.	[cleanup]	Refactor the isc_stat structure to take advantage
 1078 			of stdatomic. [GL !1493]
 1079 
 1080 5219.	[bug]		Fixed a race in the filter-aaaa plugin that could
 1081 			trigger a crash when returning an instance object
 1082 			to the memory pool. [GL #982]
 1083 
 1084 5218.	[bug]		Conditionally include <dlfcn.h>. [GL #995]
 1085 
 1086 5217.	[bug]		Restore key id calculation for RSAMD5. [GL #996]
 1087 
 1088 5216.	[bug]		Fetches-per-zone counter wasn't updated correctly
 1089 			when doing qname minimization. [GL #992]
 1090 
 1091 5215.	[bug]		Change #5124 was incomplete; named could still
 1092 			return FORMERR instead of SERVFAIL in some cases.
 1093 			[GL #990]
 1094 
 1095 5214.	[bug]		win32: named now removes its lock file upon shutdown.
 1096 			[GL #979]
 1097 
 1098 5213.	[bug]		win32: Eliminated a race which allowed named.exe running
 1099 			as a service to be killed prematurely during shutdown.
 1100 			[GL #978]
 1101 
 1102 5212.	[placeholder]
 1103 
 1104 5211.	[bug]		Allow out-of-zone additional data to be included
 1105 			in authoritative responses if recursion is allowed
 1106 			and "minimal-responses" is disabled.  This behavior
 1107 			was inadvertently removed in change #4605. [GL #817]
 1108 
 1109 5210.	[bug]		When dnstap is enabled and recursion is not
 1110 			available, incoming queries are now logged
 1111 			as "auth". Previously, this depended on whether
 1112 			recursion was requested by the client, not on
 1113 			whether recursion was available. [GL #963]
 1114 
 1115 5209.	[bug]		When update-check-ksk is true, add_sigs was not
 1116 			considering offline keys, leaving record sets signed
 1117 			with the incorrect type key. [GL #763]
 1118 
 1119 5208.	[test]		Run valid rdata wire encodings through totext+fromtext
 1120 			and tofmttext+fromtext methods to check these methods.
 1121 			[GL #899]
 1122 
 1123 5207.	[test]		Check delv and dig TTL values. [GL #965]
 1124 
 1125 5206.	[bug]		Delv could print out bad TTLs. [GL #965]
 1126 
 1127 5205.	[bug]		Enforce that a DS hash exists. [GL #899]
 1128 
 1129 5204.	[test]		Check that dns_rdata_fromtext() produces a record that
 1130 			will be accepted by dns_rdata_fromwire(). [GL #852]
 1131 
 1132 5203.	[bug]		Enforce whether key rdata exists or not in KEY,
 1133 			DNSKEY, CDNSKEY and RKEY. [GL #899]
 1134 
 1135 5202.	[bug]		<dns/ecs.h> was missing ISC_LANG_ENDDECLS. [GL #976]
 1136 
 1137 5201.	[bug]		Fix a possible deadlock in RPZ update code. [GL #973]
 1138 
 1139 5200.	[security]	tcp-clients settings could be exceeded in some cases,
 1140 			which could lead to exhaustion of file descriptors.
 1141 			(CVE-2018-5743) [GL #615]
 1142 
 1143 5199.	[security]	In certain configurations, named could crash
 1144 			if nxdomain-redirect was in use and a redirected
 1145 			query resulted in an NXDOMAIN from the cache.
 1146 			(CVE-2019-6467) [GL #880]
 1147 
 1148 5198.	[bug]		If a fetch context was being shut down and, at the same
 1149 			time, we returned from qname minimization, an INSIST
 1150 			could be hit. [GL #966]
 1151 
 1152 5197.	[bug]		dig could die in best effort mode on multiple SIG(0)
 1153 			records. Similarly on multiple OPT and multiple TSIG
 1154 			records. [GL #920]
 1155 
 1156 5196.	[bug]		make install failed with --with-dlopen=no. [GL #955]
 1157 
 1158 5195.	[bug]		"allow-update" and "allow-update-forwarding" were
 1159 			treated as configuration errors if used at the
 1160 			options or view level. [GL #913]
 1161 
 1162 5194.	[bug]		Enforce non-empty ZONEMD hash. [GL #899]
 1163 
 1164 5193.	[bug]		EID and NIMLOC failed to do multi-line output
 1165 			correctly. [GL #899]
 1166 
 1167 5192.	[placeholder]
 1168 
 1169 5191.	[placeholder]
 1170 
 1171 5190.	[bug]		Ignore trust anchors using disabled algorithms.
 1172 			[GL #806]
 1173 
 1174 5189.	[cleanup]	Remove revoked root DNSKEY from bind.keys. [GL #945]
 1175 
 1176 5188.	[func]		The "dnssec-enable" option is deprecated and no
 1177 			longer has any effect; DNSSEC responses are
 1178 			always enabled. [GL #866]
 1179 
 1180 5187.	[test]		Set time zone before running any tests in dnstap_test.
 1181 			[GL #940]
 1182 
 1183 5186.	[cleanup]	More dnssec-keygen manual tidying. [GL !1678]
 1184 
 1185 5185.	[placeholder]
 1186 
 1187 5184.	[bug]		Missing unlocks in sdlz.c. [GL #936]
 1188 
 1189 5183.	[bug]		Reinitialize ECS data before reusing client
 1190 			structures. [GL #881]
 1191 
 1192 5182.	[bug]		Fix a high-load race/crash in handling of
 1193 			isc_socket_close() in resolver. [GL #834]
 1194 
 1195 5181.	[func]		Add a mechanism for a DLZ module to signal that
 1196 			the view's allow-transfer ACL should be used to
 1197 			determine whether transfers are allowed. [GL #803]
 1198 
 1199 5180.	[bug]		delv now honors the operating system's preferred
 1200 			ephemeral port range. [GL #925]
 1201 
 1202 5179.	[cleanup]	Replace some vague type declarations with the more
 1203 			specific dns_secalg_t and dns_dsdigest_t.
 1204 			Thanks to Tony Finch. [GL !1498]
 1205 
 1206 5178.	[bug]		Handle EDQUOT (disk quota) and ENOSPC (disk full)
 1207 			errors when writing files. [GL #902]
 1208 
 1209 5177.	[func]		Add the ability to specify in named.conf whether a
 1210 			response-policy zone's SOA record should be added
 1211 			to the additional section (add-soa yes/no). [GL #865]
 1212 
 1213 5176.	[tests]		Remove a dependency on libxml in statschannel system
 1214 			test. [GL #926]
 1215 
 1216 5175.	[bug]		Fixed a problem with file input in dnssec-keymgr,
 1217 			dnssec-coverage and dnssec-checkds when using
 1218 			python3. [GL #882]
 1219 
 1220 5174.	[doc]		Tidy dnssec-keygen manual. [GL !1557]
 1221 
 1222 5173.	[bug]		Fixed a race in socket code that could occur when
 1223 			accept, send, or recv were called from an event
 1224 			loop but the socket had been closed by another
 1225 			thread. [RT #874]
 1226 
 1227 5172.	[bug]		nsupdate now honors the operating system's preferred
 1228 			ephemeral port range. [GL #905]
 1229 
 1230 5171.	[func]		named plugins are now installed into a separate
 1231 			directory.  Supplying a filename (a string without path
 1232 			separators) in a "plugin" configuration stanza now
 1233 			causes named to look for that plugin in that directory.
 1234 			[GL #878]
 1235 
 1236 5170.	[test]		Added --with-dlz-filesystem to feature-test. [GL !1587]
 1237 
 1238 5169.	[bug]		The presence of certain types in an otherwise
 1239 			empty node could cause a crash while processing a
 1240 			type ANY query. [GL #901]
 1241 
 1242 5168.	[bug]		Do not crash on shutdown when RPZ fails to load.  Also,
 1243 			keep previous version of the database if RPZ fails to
 1244 			load. [GL #813]
 1245 
 1246 5167.	[bug]		nxdomain-redirect could sometimes lookup the wrong
 1247 			redirect name. [GL #892]
 1248 
 1249 5166.	[placeholder]
 1250 
 1251 5165.	[contrib]	Removed SDB drivers from contrib; they're obsolete.
 1252 			[GL #428]
 1253 
 1254 5164.	[bug]		Correct errno to result translation in dlz filesystem
 1255 			modules. [GL #884]
 1256 
 1257 5163.	[cleanup]	Out-of-tree builds failed --enable-dnstap. [GL #836]
 1258 
 1259 5162.	[cleanup]	Improve dnssec-keymgr manual. Thanks to Tony Finch.
 1260 			[GL !1518]
 1261 
 1262 5161.	[bug]		Do not require the SEP bit to be set for mirror zone
 1263 			trust anchors. [GL #873]
 1264 
 1265 5160.	[contrib]	Added DNAME support to the DLZ LDAP schema. Also
 1266 			fixed a compilation bug affecting several DLZ
 1267 			modules. [GL #872]
 1268 
 1269 5159.	[bug]		dnssec-coverage was incorrectly ignoring
 1270 			names specified on the command line without
 1271 			trailing dots. [GL !1478]
 1272 
 1273 5158.	[protocol]	Add support for AMTRELAY and ZONEMD. [GL #867]
 1274 
 1275 5157.	[bug]		Nslookup now errors out if there are extra command
 1276 			line arguments. [GL #207]
 1277 
 1278 5156.	[doc]		Extended and refined the section of the ARM describing
 1279 			mirror zones. [GL #774]
 1280 
 1281 5155.	[func]		"named -V" now outputs the default paths to
 1282 			named.conf, rndc.conf, bind.keys, and other
 1283 			files used or created by named and other tools, so
 1284 			that the correct paths to these files can quickly be
 1285 			determined regardless of the configure settings
 1286 			used when BIND was built. [GL #859]
 1287 
 1288 5154.	[bug]		dig: process_opt could be called twice on the same
 1289 			message leading to an assertion failure. [GL #860]
 1290 
 1291 5153.	[func]		Zone transfer statistics (size, number of records, and
 1292 			number of messages) are now logged for outgoing
 1293 			transfers as well as incoming ones. [GL #513]
 1294 
 1295 5152.	[func]		Improved logging of DNSSEC key events:
 1296 			- Zone signing and DNSKEY maintenance events are
 1297 			  now logged to the "dnssec" category
 1298 			- Messages are now logged when DNSSEC keys are
 1299 			  published, activated, inactivated, deleted,
 1300 			  or revoked.
 1301 			[GL #714]
 1302 
 1303 5151.	[func]		Options that have been marked as obsolete in
 1304 			named.conf for a very long time are now fatal
 1305 			configuration errors. [GL #358]
 1306 
 1307 5150.	[cleanup]	Remove the ability to compile BIND with assertions
 1308 			disabled. [GL #735]
 1309 
 1310 5149.	[func]		"rndc dumpdb" now prints a line above a stale RRset
 1311 			indicating how long the data will be retained in the
 1312 			cache for emergency use. [GL #101]
 1313 
 1314 5148.	[bug]		named did not sign the TKEY response. [GL #821]
 1315 
 1316 5147.	[bug]		dnssec-keymgr: Add a five-minute margin to better
 1317 			handle key events close to 'now'. [GL #848]
 1318 
 1319 5146.	[placeholder]
 1320 
 1321 5145.	[func]		Use atomics instead of locked variables for isc_quota
 1322 			and isc_counter. [GL !1389]
 1323 
 1324 5144.	[bug]		dig now returns a non-zero exit code when a TCP
 1325 			connection is prematurely closed by a peer more than
 1326 			once for the same lookup.  [GL #820]
 1327 
 1328 5143.	[bug]		dnssec-keymgr and dnssec-coverage failed to find
 1329 			key files for zone names ending in ".". [GL #560]
 1330 
 1331 5142.	[cleanup]	Removed "configure --disable-rpz-nsip" and
 1332 			"--disable-rpz-nsdname" options. "nsip-enable"
 1333 			and "nsdname-enable" both now default to yes,
 1334 			regardless of compile-time settings. [GL #824]
 1335 
 1336 5141.	[security]	Zone transfer controls for writable DLZ zones were
 1337 			not effective as the allowzonexfr method was not being
 1338 			called for such zones. (CVE-2019-6465) [GL #790]
 1339 
 1340 5140.	[bug]		Don't immediately mark existing keys as inactive and
 1341 			deleted when running dnssec-keymgr for the first
 1342 			time. [GL #117]
 1343 
 1344 5139.	[bug]		If possible, don't use forwarders when priming.
 1345 			This ensures we can get root server IP addresses
 1346 			from priming query response glue, which may not
 1347 			be present if the forwarding server is returning
 1348 			minimal responses. [GL #752]
 1349 
 1350 5138.	[bug]		Under some circumstances named could hit an assertion
 1351 			failure when doing qname minimization when using
 1352 			forwarders. [GL #797]
 1353 
 1354 5137.	[func]		named now logs messages whenever a mirror zone becomes
 1355 			usable or unusable for resolution purposes. [GL #818]
 1356 
 1357 5136.	[cleanup]	Check in named-checkconf that allow-update and
 1358 			allow-update-forwarding are not set at the
 1359 			view/options level; fix documentation. [GL #512]
 1360 
 1361 5135.	[port]		sparc: Use smt_pause() instead of pause. [GL #816]
 1362 
 1363 5134.	[bug]		win32: WSAStartup was not called before getservbyname
 1364 			was called. [GL #590]
 1365 
 1366 5133.	[bug]		'rndc managed-keys' didn't handle class and view
 1367 			correctly and failed to add new lines between each
 1368 			view. [GL !1327]
 1369 
 1370 5132.	[bug]		Fix race condition in cleanup part of dns_dt_create().
 1371 			[GL !1323]
 1372 
 1373 5131.	[cleanup]	Address Coverity warnings. [GL #801]
 1374 
 1375 5130.	[cleanup]	Remove support for l10n message catalogs. [GL #709]
 1376 
 1377 5129.	[contrib]	sdlz_helper.c:build_querylist was not properly
 1378 			splitting the query string. [GL #798]
 1379 
 1380 5128.	[bug]		Refreshkeytime was not being updated for managed
 1381 			keys zones. [GL #784]
 1382 
 1383 5127.	[bug]		rcode.c:maybe_numeric failed to handle NUL in text
 1384 			regions. [GL #807]
 1385 
 1386 5126.	[bug]		Named incorrectly accepted empty base64 and hex encoded
 1387 			fields when reading master files. [GL #807]
 1388 
 1389 5125.	[bug]		Allow for up to 100 records or 64k of data when caching
 1390 			a negative response. [GL #804]
 1391 
 1392 5124.	[bug]		Named could incorrectly return FORMERR rather than
 1393 			SERVFAIL. [GL #804]
 1394 
 1395 5123.	[bug]		dig could hang indefinitely after encountering an error
 1396 			before creating a TCP socket. [GL #692]
 1397 
 1398 5122.	[bug]		In a "forward first;" configuration, a forwarder
 1399 			timeout did not prevent that forwarder from being
 1400 			queried again after falling back to full recursive
 1401 			resolution. [GL #315]
 1402 
 1403 5121.	[contrib]	dlz_stub_driver.c fails to return ISC_R_NOTFOUND on
 1404 			non-matching zone names. [GL !1299]
 1405 
 1406 5120.	[placeholder]
 1407 
 1408 5119.	[placeholder]
 1409 
 1410 5118.	[security]	Named could crash if it is managing a key with
 1411 			`managed-keys` and the authoritative zone is rolling
 1412 			the key to an unsupported algorithm. (CVE-2018-5745)
 1413 			[GL #780]
 1414 
 1415 5117.	[placeholder]
 1416 
 1417 5116.	[bug]		Named/named-checkconf triggered an assertion when
 1418 			a mirror zone's name is bad. [GL #778]
 1419 
 1420 5115.	[bug]		Allow unsupported algorithms in zone when not used for
 1421 			signing with dnssec-signzone. [GL #783]
 1422 
 1423 5114.	[func]		Include a 'reconfig/reload in progress' status line
 1424 			in rndc status, use it in tests.
 1425 
 1426 5113.	[port]		Fixed a Windows build error.
 1427 
 1428 5112.	[bug]		Named/named-checkconf could dump core if there was
 1429 			a missing masters clause and a bad notify clause.
 1430 			[GL #779]
 1431 
 1432 5111.	[bug]		Occluded DNSKEY records could make it into the
 1433 			delegating NSEC/NSEC3 bitmap. [GL #742]
 1434 
 1435 5110.	[security]	Named leaked memory if there were multiple Key Tag
 1436 			EDNS options present. (CVE-2018-5744) [GL #772]
 1437 
 1438 5109.	[cleanup]	Remove support for RSAMD5 algorithm. [GL #628]
 1439 
 1440 	--- 9.13.5 released ---
 1441 
 1442 5108.	[bug]		Named could fail to determine bottom of zone when
 1443 			removing out of date keys leading to invalid NSEC
 1444 			and NSEC3 records being added to the zone. [GL #771]
 1445 
 1446 5107.	[bug]		'host -U' did not work. [GL #769]
 1447 
 1448 5106.	[experimental]	A new "plugin" mechanism has been added to allow
 1449 			extension of query processing functionality through
 1450 			the use of dynamically loadable libraries. A
 1451 			"filter-aaaa.so" plugin has been implemented,
 1452 			replacing the filter-aaaa feature that was formerly
 1453 			implemented as a native part of BIND.
 1454 
 1455 			The "filter-aaaa", "filter-aaaa-on-v4" and
 1456 			"filter-aaaa-on-v6" options can no longer be
 1457 			configured using native named.conf syntax. However,
 1458 			loading the filter-aaaa.so plugin and setting its
 1459 			parameters provides identical functionality.
 1460 
 1461 			Note that the plugin API is a work in progress and
 1462 			is likely to evolve as further plugins are
 1463 			implemented. [GL #15]
 1464 
 1465 5105.	[bug]		Fix a race between process_fd and socketclose in
 1466 			unix socket code. [GL #744]
 1467 
 1468 5104.	[cleanup]	Log clearer informational message when a catz zone
 1469 			is overridden by a zone in named.conf.
 1470 			Thanks to Tony Finch. [GL !1157]
 1471 
 1472 5103.	[bug]		Add missing design by contract tests to dns_catz*.
 1473 			[GL #748]
 1474 
 1475 5102.	[bug]		dnssec-coverage failed to use the default TTL when
 1476 			checking KSK deletion times leading to an exception.
 1477 			[GL #585]
 1478 
 1479 5101.	[bug]		Fix default installation path for Python modules and
 1480 			remove the dnspython dependency accidentally introduced
 1481 			by change 4970. [GL #730]
 1482 
 1483 5100.	[func]		Pin resolver tasks to specific task queues. [GL !1117]
 1484 
 1485 5099.	[func]		Failed mutex and conditional creations are always
 1486 			fatal. [GL #674]
 1487 
 1488 	--- 9.13.4 released ---
 1489 
 1490 5098.	[func]		Failed memory allocations are now fatal. [GL #674]
 1491 
 1492 5097.	[cleanup]	Remove embedded ATF unit testing framework
 1493 			from BIND source distribution.  [GL !875]
 1494 
 1495 5096.	[func]		Use multiple event loops in socket code, and
 1496 			make network threads CPU-affinitive.  This
 1497 			significantly improves performance on large
 1498 			systems. [GL #666]
 1499 
 1500 5095.	[test]		Converted all unit tests from ATF to CMocka;
 1501 			removed the source code for the ATF libraries.
 1502 			Build with "configure --with-cmocka" to enable
 1503 			unit testing. [GL #620]
 1504 
 1505 5094.	[func]		Add 'dig -r' to disable reading of .digrc. [GL !970]
 1506 
 1507 5093.	[bug]		Log lame qname-minimization servers only if they're
 1508 			really lame. [GL #671]
 1509 
 1510 5092.	[bug]		Address memory leak on SIGTERM in nsupdate when using
 1511 			GSS-TSIG. [GL #558]
 1512 
 1513 5091.	[func]		Two new global and per-view options min-cache-ttl
 1514 			and min-ncache-ttl [GL #613]
 1515 
 1516 5090.	[bug]		dig and mdig failed to properly pre-parse dash value
 1517 			pairs when value was a separate argument and started
 1518 			with a dash. [GL #584]
 1519 
 1520 5089.	[bug]		Restore localhost fallback in dig and host which is
 1521 			used when no nameserver addresses present in
 1522 			/etc/resolv.conf are usable due to the requested
 1523 			address family restrictions. [GL #433]
 1524 
 1525 5088.	[bug]		dig/host/nslookup could crash when interrupted close to
 1526 			a query timeout. [GL #599]
 1527 
 1528 5087.	[test]		Check that result tables are complete. [GL #676]
 1529 
 1530 5086.	[func]		Log of RPZ now includes the QTYPE and QCLASS. [GL #623]
 1531 
 1532 5085.	[bug]		win32: Restore looking up nameservers, search list,
 1533 			etc. [GL #186]
 1534 
 1535 5084.	[placeholder]
 1536 
 1537 5083.	[func]		Add autoconf macro AX_POSIX_SHELL, so we
 1538 			can use POSIX-compatible shell features
 1539 			in the scripts.
 1540 
 1541 5082.	[bug]		Fixed a race that could cause a crash in
 1542 			dig/host/nslookup. [GL #650]
 1543 
 1544 5081.	[func]		Use per-worker queues in task manager, make task
 1545 			runners CPU-affine. [GL #659]
 1546 
 1547 5080.	[func]		Improvements to "rndc nta" user interface:
 1548 			- catch and report invalid command line options
 1549 			- when removing an NTA from all views, do not
 1550 			  abort with an error if the NTA was not found
 1551 			  in one of the views
 1552 			- include the view name in "rndc nta -dump"
 1553 			  output, for consistency with the add and remove
 1554 			  actions
 1555 			Thanks to Tony Finch. [GL !816]
 1556 
 1557 5079.	[func]		Disable IDN processing in dig and nslookup
 1558 			when not on a tty. [GL #653]
 1559 
 1560 5078.	[cleanup]	Require python components to be explicitly disabled if
 1561 			python is not available on unix platforms. [GL #601]
 1562 
 1563 5077.	[cleanup]	Remove ip6.int support (-i) from dig and mdig.
 1564 			[GL !969]
 1565 
 1566 5076.	[bug]		"require-server-cookie" was not effective if
 1567 			"rate-limit" was configured. [GL #617]
 1568 
 1569 5075.	[bug]		Refresh nameservers from cache when sending final
 1570 			query in qname minimization. [GL #16]
 1571 
 1572 5074.	[cleanup]	Remove vector socket functions - isc_socket_recvv(),
 1573 			isc_socket_sendtov(), isc_socket_sendtov2(),
 1574 			isc_socket_sendv() - in order to simplify socket code.
 1575 			[GL #645]
 1576 
 1577 5073.	[bug]		Destroy a task first when destroying rpzs and catzs.
 1578 			[GL #84]
 1579 
 1580 5072.	[bug]		Add unit tests for isc_buffer_copyregion() and fix its
 1581 			behavior for auto-reallocated buffers. [GL #644]
 1582 
 1583 5071.	[bug]		Comparison of NXT records was broken. [GL #631]
 1584 
 1585 5070.	[bug]		Record types which support an empty rdata field were
 1586 			not handling the empty rdata field case. [GL #638]
 1587 
 1588 5069.	[bug]		Fix a hang in RPZ when named is shut down during RPZ
 1589 			zone update. [GL !907]
 1590 
 1591 5068.	[bug]		Fix a race in RPZ with min-update-interval set to 0.
 1592 			[GL #643]
 1593 
 1594 5067.	[bug]		Don't minimize qname when sending the query
 1595 			to a forwarder. [GL #361]
 1596 
 1597 5066.	[cleanup]	Allow unquoted strings to be used as zone names
 1598 			in response-policy statements. [GL #641]
 1599 
 1600 5065.	[bug]		Only set IPV6_USE_MIN_MTU on IPv6. [GL #553]
 1601 
 1602 5064.	[test]		Initialize TZ environment variable before calling
 1603 			dns_test_begin in dnstap_test. [GL #624]
 1604 
 1605 5063.	[test]		In statschannel test try a few times before failing
 1606 			when checking if the compressed output is the same as
 1607 			uncompressed. [GL !909]
 1608 
 1609 5062.	[func]		Use non-crypto-secure PRNG to generate nonces for
 1610 			cookies. [GL !887]
 1611 
 1612 5061.	[protocol]	Add support for EID and NIMLOC. [GL #626]
 1613 
 1614 5060.	[bug]		GID, UID and UINFO could not be loaded using unknown
 1615 			record format. [GL #627]
 1616 
 1617 5059.	[bug]		Display a per-view list of zones in the web interface.
 1618 			[GL #427]
 1619 
 1620 5058.	[func]		Replace old message digest and hmac APIs with more
 1621 			generic isc_md and isc_hmac APIs, and convert their
 1622 			respective tests to cmocka. [GL #305]
 1623 
 1624 5057.	[protocol]	Add support for ATMA. [GL #619]
 1625 
 1626 5056.	[placeholder]
 1627 
 1628 5055.	[func]		A default list of primary servers for the root zone is
 1629 			now built into named, allowing the "masters" statement
 1630 			to be omitted when configuring an IANA root zone
 1631 			mirror. [GL #564]
 1632 
 1633 5054.	[func]		Attempts to use mirror zones with recursion disabled
 1634 			are now considered a configuration error. [GL #564]
 1635 
 1636 5053.	[func]		The only valid zone-level NOTIFY settings for mirror
 1637 			zones are now "notify no;" and "notify explicit;".
 1638 			[GL #564]
 1639 
 1640 5052.	[func]		Mirror zones are now configured using "type mirror;"
 1641 			rather than "mirror yes;". [GL #564]
 1642 
 1643 5051.	[doc]		Documentation incorrectly stated that the
 1644 			"server-addresses" static-stub zone option accepts
 1645 			custom port numbers. [GL #582]
 1646 
 1647 5050.	[bug]		The libirs version of getaddrinfo() was unable to parse
 1648 			scoped IPv6 addresses present in /etc/resolv.conf.
 1649 			[GL #187]
 1650 
 1651 5049.	[cleanup]	QNAME minimization has been deeply refactored. [GL #16]
 1652 
 1653 5048.	[func]		Add configure option to enable and enforce FIPS mode
 1654 			in BIND 9. [GL #506]
 1655 
 1656 5047.	[bug]		Messages logged for certain query processing failures
 1657 			now include a more specific error description if it is
 1658 			available. [GL #572]
 1659 
 1660 5046.	[bug]		named could crash during shutdown if an RPZ
 1661 			reload was in progress. [RT #46210]
 1662 
 1663 5045.	[func]		Remove support for DNSSEC algorithms 3 (DSA)
 1664 			and 6 (DSA-NSEC3-SHA1). [GL #22]
 1665 
 1666 5044.	[cleanup]	If "dnssec-enable" is no, then "dnssec-validation"
 1667 			now also defaults to no.  [GL #388]
 1668 
 1669 5043.	[bug]		Fix creating and validating EdDSA signatures. [GL #579]
 1670 
 1671 5042.	[test]		Make the chained delegations in reclimit behave
 1672 			like they would in a regular name server. [GL #578]
 1673 
 1674 5041.	[test]		The chain test contains an incomplete delegation.
 1675 			[GL #568]
 1676 
 1677 5040.	[func]		Extended dnstap so that it can log UPDATE requests
 1678 			and responses as separate message types. Thanks
 1679 			to Greg Rabil. [GL #570]
 1680 
 1681 5039.	[bug]		Named could fail to preserve owner name case of new
 1682 			RRset. [GL #420]
 1683 
 1684 5038.	[bug]		Chaosnet addresses were compared incorrectly.
 1685 			[GL #562]
 1686 
 1687 5037.	[func]		"allow-recursion-on" and "allow-query-cache-on"
 1688 			each now default to the other if only one of them
 1689 			is set, in order to be more consistent with the way
 1690 			"allow-recursion" and "allow-query-cache" work.
 1691 			Also we now ensure that both query-cache ACLs are
 1692 			checked when determining cache access. [GL #319]
 1693 
 1694 5036.	[cleanup]	Fixed a spacing/formatting error in some RPZ-related
 1695 			error messages in the log. [GL !805]
 1696 
 1697 5035.	[test]		Fixed errors that prevented the DNSRPS subtests
 1698 			from running in the rpz and rpzrecurse system
 1699 			tests. [GL #503]
 1700 
 1701 5034.	[bug]		A race between threads could prevent zone maintenance
 1702 			scheduled immediately after zone load from being
 1703 			performed. [GL #542]
 1704 
 1705 5033.	[bug]		When adding NTAs to multiple views using "rndc nta",
 1706 			the text returned via rndc was incorrectly terminated
 1707 			after the first line, making it look as if only one
 1708 			NTA had been added. Also, it was not possible to
 1709 			differentiate between views with the same name but
 1710 			different classes; this has been corrected with the
 1711 			addition of a "-class" option. [GL #105]
 1712 
 1713 5032.	[func]		Add krb5-selfsub and ms-selfsub update policy rules.
 1714 			[GL #511]
 1715 
 1716 5031.	[cleanup]	Various defines in platform.h have been either dropped
 1717 			if always or never triggered on supported platforms
 1718 			or replaced with config.h equivalents if the defines
 1719 			didn't have any impact on public headers.  Workarounds
 1720 			for LinuxThreads have been removed because NPTL is
 1721 			available since Linux kernel 2.6.0.  [GL #525]
 1722 
 1723 5030.	[bug]		Align CMSG buffers to a 64-bit boundary, fixes crash
 1724 			on architectures with strict alignment. [GL #521]
 1725 
 1726 	--- 9.13.3 released ---
 1727 
 1728 5029.	[func]		Workarounds for servers that misbehave when queried
 1729 			with EDNS have been removed, because these broken
 1730 			servers and the workarounds for their noncompliance
 1731 			cause unnecessary delays, increase code complexity,
 1732 			and prevent deployment of new DNS features. See
 1733 			https://dnsflagday.net for further details. [GL #150]
 1734 
 1735 5028.	[bug]		Spread the initial RRSIG expiration times over the
 1736 			entire working sig-validity-interval when signing a
 1737 			zone in named to even out re-signing and transfer
 1738 			loads. [GL #418]
 1739 
 1740 5027.	[func]		Set SO_SNDBUF size on sockets. [GL #74]
 1741 
 1742 5026.	[bug]		rndc reconfig should not touch already loaded zones.
 1743 			[GL #276]
 1744 
 1745 5025.	[cleanup]	Remove isc_keyboard family of functions. [GL #178]
 1746 
 1747 5024.	[func]		Replace custom assembly for atomic operations with
 1748 			atomic support from the compiler. The code will now use
 1749 			C11 stdatomic, or __atomic, or __sync builtins with GCC
 1750 			or Clang compilers, and Interlocked functions with MSVC.
 1751 			[GL #10]
 1752 
 1753 5023.	[cleanup]	Remove wrappers that try to fix broken or incomplete
 1754 			implementations of IPv6, pthreads and other core
 1755 			functionality required and used by BIND. [GL #192]
 1756 
 1757 5022.	[doc]		Update ms-self, ms-subdomain, krb5-self, and
 1758 			krb5-subdomain documentation. [GL !708]
 1759 
 1760 5021.	[bug]		dig returned a non-zero exit code when it received a
 1761 			reply over TCP after a retry. [GL #487]
 1762 
 1763 5020.	[func]		RNG uses thread-local storage instead of locks, if
 1764 			supported by platform. [GL #496]
 1765 
 1766 5019.	[cleanup]	A message is now logged when ixfr-from-differences is
 1767 			set at zone level for an inline-signed zone. [GL #470]
 1768 
 1769 5018.	[bug]		Fix incorrect sizeof arguments in lib/isc/pk11.c.
 1770 			[GL !588]
 1771 
 1772 5017.	[bug]		lib/isc/pk11.c failed to unlink the session before
 1773 			releasing the lock which is unsafe. [GL !589]
 1774 
 1775 5016.	[bug]		Named could assert with overlapping filter-aaaa and
 1776 			dns64 acls. [GL #445]
 1777 
 1778 5015.	[bug]		Reloading all zones caused zone maintenance to cease
 1779 			for inline-signed zones. [GL #435]
 1780 
 1781 5014.	[bug]		Signatures loaded from the journal for the signed
 1782 			version of an inline-signed zone were not scheduled for
 1783 			refresh. [GL #482]
 1784 
 1785 5013.	[bug]		A referral response with a non-empty ANSWER section was
 1786 			inadvertently being treated as an error. [GL #390]
 1787 
 1788 5012.	[bug]		Fix lock order reversal in pk11_initialize. [GL !590]
 1789 
 1790 5011.	[func]		Remove support for unthreaded named. [GL #478]
 1791 
 1792 5010.	[func]		New "validate-except" option specifies a list of
 1793 			domains beneath which DNSSEC validation should not
 1794 			be performed. [GL #237]
 1795 
 1796 5009.	[bug]		Upon an OpenSSL failure, the first error in the OpenSSL
 1797 			error queue was not logged. [GL #476]
 1798 
 1799 5008.	[bug]		"rndc signing -nsec3param ..." requests were silently
 1800 			ignored for zones which were not yet loaded or
 1801 			transferred. [GL #468]
 1802 
 1803 5007.	[cleanup]	Replace custom ISC boolean and integer data types
 1804 			with C99 stdint.h and stdbool.h types. [GL #9]
 1805 
 1806 5006.	[cleanup]	Code preparing a delegation response was extracted from
 1807 			query_delegation() and query_zone_delegation() into a
 1808 			separate function in order to decrease code
 1809 			duplication. [GL #431]
 1810 
 1811 5005.	[bug]		dnssec-verify, and dnssec-signzone at the verification
 1812 			step, failed on some validly signed zones. [GL #442]
 1813 
 1814 5004.	[bug]		'rndc reconfig' could cause inline zones to stop
 1815 			re-signing. [GL #439]
 1816 
 1817 5003.	[bug]		dns_acl_isinsecure did not handle geoip elements.
 1818 			[GL #406]
 1819 
 1820 5002.	[bug]		mdig: Handle malformed +ednsopt option, support 100
 1821 			+ednsopt options per query rather than 100 total and
 1822 			address memory leaks if +ednsopt was specified.
 1823 			[GL #410]
 1824 
 1825 5001.	[bug]		Fix refcount errors on error paths. [GL !563]
 1826 
 1827 5000.	[bug]		named_server_servestale() could leave the server in
 1828 			exclusive mode if an error occurred. [GL #441]
 1829 
 1830 4999.	[cleanup]	Remove custom printf implementation in lib/isc/print.c.
 1831 			[GL #261]
 1832 
 1833 4998.	[test]		Make resolver and cacheclean tests more civilized.
 1834 
 1835 4997.	[security]	named could crash during recursive processing
 1836 			of DNAME records when "deny-answer-aliases" was
 1837 			in use. (CVE-2018-5740) [GL #387]
 1838 
 1839 4996.	[bug]		dig: Handle malformed +ednsopt option. [GL #403]
 1840 
 1841 4995.	[test]		Add tests for "tcp-self" update policy. [GL !282]
 1842 
 1843 4994.	[bug]		Trust anchor telemetry queries were not being sent
 1844 			upstream for locally served zones. [GL #392]
 1845 
 1846 4993.	[cleanup]	Remove support for silently ignoring 'no-change' deltas
 1847 			from BIND 8 when processing an IXFR stream. 'no-change'
 1848 			deltas will now trigger a fallback to AXFR as the
 1849 			recovery mechanism. [GL #369]
 1850 
 1851 4992.	[bug]		The wrong address was being logged for trust anchor
 1852 			telemetry queries. [GL #379]
 1853 
 1854 4991.	[bug]		"rndc reconfig" was incorrectly handling zones whose
 1855 			"mirror" setting was changed. [GL #381]
 1856 
 1857 4990.	[bug]		Prevent a possible NULL reference in pkcs11-keygen.
 1858 			[GL #401]
 1859 
 1860 4989.	[cleanup]	IDN support in dig has been reworked.  IDNA2003
 1861 			fallbacks were removed in the process. [GL #384]
 1862 
 1863 4988.	[bug]		Don't synthesize NXDOMAIN from NSEC for records under
 1864 			a DNAME.
 1865 
 1866 	--- 9.13.2 released ---
 1867 
 1868 4987.	[cleanup]	dns_rdataslab_tordataset() and its related
 1869 			dns_rdatasetmethods_t callbacks were removed as they
 1870 			were not being used by anything in BIND. [GL #371]
 1871 
 1872 4986.	[func]		When built on Linux, BIND now requires the libcap
 1873 			library to set process privileges, unless capability
 1874 			support is explicitly overridden with "configure
 1875 			--disable-linux-caps". [GL #321]
 1876 
 1877 4985.	[func]		Add a new slave zone option, "mirror", to enable
 1878 			serving a non-authoritative copy of a zone that
 1879 			is subject to DNSSEC validation before being
 1880 			used.  For now, this option is only meant to
 1881 			facilitate deployment of an RFC 7706-style local
 1882 			copy of the root zone. [GL #33]
 1883 
 1884 4984.	[bug]		Improve handling of very large incremental
 1885 			zone transfers to prevent journal corruption. [GL #339]
 1886 
 1887 4983.	[func]		Add the ability to not return a DNS COOKIE option
 1888 			when one is present in the request (answer-cookie no;).
 1889 			[GL #173]
 1890 
 1891 4982.	[cleanup]	Return FORMERR if the question section is empty
 1892 			and no COOKIE option is present; this restores
 1893 			older behavior except in the newly specified
 1894 			COOKIE case. [GL #260]
 1895 
 1896 4981.	[bug]		Fix race in cmsg buffer usage in socket code.
 1897 			[GL #180]
 1898 
 1899 4980.	[bug]		Named-checkconf failed to detect bad in-view targets.
 1900 			[GL #288]
 1901 
 1902 4979.	[placeholder]
 1903 
 1904 4978.	[test]		Fix error handling and resolver configuration in the
 1905 			"rpz" system test. [GL #312]
 1906 
 1907 4977.	[func]		When starting up, log the same details that
 1908 			would be reported by 'named -V'. [GL #247]
 1909 
 1910 4976.	[bug]		Log the label with invalid prefix length correctly
 1911 			when loading RPZ zones. [GL #254]
 1912 
 1913 4975.	[bug]		The server cookie computation for sha1 and sha256 did
 1914 			not match the method described in RFC 7873. [GL #356]
 1915 
 1916 4974.	[bug]		Restore default rrset-order to random. [GL #336]
 1917 
 1918 4973.	[func]		verifyzone() and the functions it uses were moved to
 1919 			libdns and refactored to prevent exit() from being
 1920 			called upon failure.  A side effect of that is that
 1921 			dnssec-signzone and dnssec-verify now check for memory
 1922 			leaks upon shutdown. [GL #266]
 1923 
 1924 4972.	[func]		Declare the 'rdata' argument for dns_rdata_tostruct()
 1925 			to be const. [GL #341]
 1926 
 1927 4971.	[bug]		dnssec-signzone and dnssec-verify did not treat records
 1928 			below a DNAME as out-of-zone data. [GL #298]
 1929 
 1930 4970.	[func]		Add QNAME minimization option to resolver. [GL #16]
 1931 
 1932 4969.	[cleanup]	Refactor zone logging functions. [GL #269]
 1933 
 1934 	--- 9.13.1 released ---
 1935 
 1936 4968.	[bug]		If glue records are signed, attempt to validate them.
 1937 			[GL #209]
 1938 
 1939 4967.	[cleanup]	Add "answer-cookie" to the parser, marked obsolete.
 1940 
 1941 4966.	[placeholder]
 1942 
 1943 4965.	[func]		Add support for marking options as deprecated.
 1944 			[GL #322]
 1945 
 1946 4964.	[bug]		Reduce the probability of double signature when deleting
 1947 			a DNSKEY by checking if the node is otherwise signed
 1948 			by the algorithm of the key to be deleted. [GL #240]
 1949 
 1950 4963.	[test]		ifconfig.sh now uses "ip" instead of "ifconfig",
 1951 			if available, to configure the test interfaces on
 1952 			linux.  [GL #302]
 1953 
 1954 4962.	[cleanup]	Move 'named -T' processing to its own function.
 1955 			[GL #316]
 1956 
 1957 4961.	[protocol]	Remove support for ECC-GOST (GOST R 34.11-94).
 1958 			[GL #295]
 1959 
 1960 4960.	[security]	When recursion is enabled, but the "allow-recursion"
 1961 			and "allow-query-cache" ACLs are not specified,
 1962 			they should be limited to local networks,
 1963 			but were inadvertently set to match the default
 1964 			"allow-query", thus allowing remote queries.
 1965 			(CVE-2018-5738) [GL #309]
 1966 
 1967 4959.	[func]		NSID logging (enabled by the "request-nsid" option)
 1968 			now has its own "nsid" category, instead of using the
 1969 			"resolver" category. [GL !332]
 1970 
 1971 4958.	[bug]		Remove redundant space from NSEC3 record. [GL #281]
 1972 
 1973 4957.	[func]		The default setting for "dnssec-validation" is now
 1974 			"auto", which activates DNSSEC validation using the
 1975 			IANA root key. (The default can be changed back to
 1976 			"yes", which activates DNSSEC validation only when keys
 1977 			are explicitly configured in named.conf, by building
 1978 			BIND with "configure --disable-auto-validation".)
 1979 			[GL #30]
 1980 
 1981 4956.	[func]		Change isc_random() to be just PRNG using xoshiro128**,
 1982 			and add isc_nonce_buf() that uses CSPRNG. [GL #289]
 1983 
 1984 4955.	[cleanup]	Silence cppcheck warnings in lib/dns/master.c.
 1985 			[GL #286]
 1986 
 1987 4954.	[func]		Messages about serving of stale answers are now
 1988 			directed to the "serve-stale" logging category.
 1989 			Also clarified serve-stale documentation. [GL !323]
 1990 
 1991 4953.	[bug]		Removed the option to build the red black tree
 1992 			database without a hash table; the non-hashing
 1993 			version was buggy and is not needed. [GL #184]
 1994 
 1995 4952.	[func]		Authoritative server support in named for the
 1996 			EDNS CLIENT-SUBNET option (which was experimental
 1997 			and not practical to deploy) has been removed.
 1998 
 1999 			The ECS option is still supported in dig and mdig
 2000 			via the +subnet option, and can be parsed and logged
 2001 			when received by named, but it is no longer used
 2002 			for ACL processing. The "geoip-use-ecs" option
 2003 			is now obsolete; a warning will be logged if it is
 2004 			used in named.conf. "ecs" tags in an ACL definition
 2005 			are also obsolete and will cause the configuration
 2006 			to fail to load.  [GL #32]
 2007 
 2008 4951.	[protocol]	Add "HOME.ARPA" to list of built in empty zones as
 2009 			per RFC 8375. [GL #273]
 2010 
 2011 	--- 9.13.0 released ---
 2012 
 2013 4950.	[bug]		ISC_SOCKEVENTATTR_TRUNC was not being set. [GL #238]
 2014 
 2015 4949.	[placeholder]
 2016 
 2017 4948.	[bug]		When request-nsid is turned on, EDNS NSID options
 2018 			should be logged at level info. Since change 3741
 2019 			they have been logged at debug(3) by mistake.
 2020 			[GL !290]
 2021 
 2022 4947.	[func]		Replace all random functions with isc_random(),
 2023 			isc_random_buf() and isc_random_uniform() API.
 2024 			[GL #221]
 2025 
 2026 4946.	[bug]		Additional glue was not being returned by resolver
 2027 			for unsigned zones since change 4596. [GL #209]
 2028 
 2029 4945.	[func]		BIND can no longer be built without DNSSEC support.
 2030 			A cryptography provider (i.e., OpenSSL or a hardware
 2031 			service module with PKCS#11 support) must be
 2032 			available. [GL #244]
 2033 
 2034 4944.	[cleanup]	Silence cppcheck portability warnings in
 2035 			lib/isc/tests/buffer_test.c. [GL #239]
 2036 
 2037 4943.	[bug]		Change 4687 consumed too much memory when running
 2038 			system tests with --with-tuning=large.  Reduced the
 2039 			hash table size to 512 entries for 'named -m record'
 2040 			restoring the previous memory footprint. [GL #248]
 2041 
 2042 4942.	[cleanup]	Consolidate multiple instances of splitting of
 2043 			batchline in dig into a single function. [GL #196]
 2044 
 2045 4941.	[cleanup]	Silence clang static analyzer warnings. [GL #196]
 2046 
 2047 4940.	[cleanup]	Extract the loop in dns__zone_updatesigs() into
 2048 			separate functions to improve code readability.
 2049 			[GL #135]
 2050 
 2051 4939.	[test]		Add basic unit tests for update_sigs(). [GL #135]
 2052 
 2053 4938.	[placeholder]
 2054 
 2055 4937.	[func]		Remove support for OpenSSL < 1.0.0 [GL #191]
 2056 
 2057 4936.	[func]		Always use OpenSSL or PKCS#11 random data providers,
 2058 			and remove the --{enable,disable}-crypto-rand configure
 2059 			options. [GL #165]
 2060 
 2061 4935.	[func]		Add support for LibreSSL >= 2.7.0 (some OpenSSL 1.1.0
 2062 			calls were added). [GL #191]
 2063 
 2064 4934.	[security]	The serve-stale feature could cause an assertion failure
 2065 			in rbtdb.c even when stale-answer-enable was false.
 2066 			Simultaneous use of stale cache records and NSEC
 2067 			aggressive negative caching could trigger a recursion
 2068 			loop. (CVE-2018-5737) [GL #185]
 2069 
 2070 4933.	[bug]		Not creating signing keys for an inline signed zone
 2071 			prevented changes applied to the raw zone from being
 2072 			reflected in the secure zone until signing keys were
 2073 			made available. [GL #159]
 2074 
 2075 4932.	[bug]		Bumped signed serial of an inline signed zone was
 2076 			logged even when an error occurred while updating
 2077 			signatures. [GL #159]
 2078 
 2079 4931.	[func]		Removed the "rbtdb64" database implementation.
 2080 			[GL #217]
 2081 
 2082 4930.	[bug]		Remove a bogus check in nslookup command line
 2083 			argument processing. [GL #206]
 2084 
 2085 4929.	[func]		Add the ability to set RA and TC in queries made by
 2086 			dig (+[no]raflag, +[no]tcflag). [GL #213]
 2087 
 2088 4928.	[func]		The "dnskey-sig-validity" option allows
 2089 			"sig-validity-interval" to be overridden for signatures
 2090 			covering DNSKEY RRsets. [GL #145]
 2091 
 2092 4927.	[placeholder]
 2093 
 2094 4926.	[func]		Add root key sentinel support.  To disable, add
 2095 			'root-key-sentinel no;' to named.conf. [GL #37]
 2096 
 2097 4925.	[func]		Several configuration options that define intervals
 2098 			can now take TTL value suffixes (for example, 2h or 1d)
 2099 			in addition to integer parameters. These include
 2100 			max-cache-ttl, max-ncache-ttl, max-policy-ttl,
 2101 			fstrm-set-reopen-interval, interface-interval, and
 2102 			min-update-interval. [GL #203]
 2103 
 2104 4924.	[cleanup]	Clean up the isc_string_* namespace and leave
 2105 			only strlcpy and strlcat. [GL #178]
 2106 
 2107 4923.	[cleanup]	Refactor socket and socket event options into
 2108 			enum types. [GL !135]
 2109 
 2110 4922.	[bug]		dnstap: Log the destination address of client
 2111 			packets rather than the interface address.
 2112 			[GL #197]
 2113 
 2114 4921.	[cleanup]	Add dns_fixedname_initname() and refactor the caller
 2115 			code to make use of the new function; as a part of the
 2116 			refactoring, dns_fixedname_*() macros were turned into
 2117 			functions. [GL #183]
 2118 
 2119 4920.	[cleanup]	Clean up libdns removing most of the backwards
 2120 			compatibility wrappers.
 2121 
 2122 4919.	[cleanup]	Clean up the isc_hash_* namespace and leave only
 2123 			the FNV-1a hash implementation. [GL #178]
 2124 
 2125 4918.	[bug]		Fix double free after keygen error in dnssec-keygen
 2126 			when OpenSSL >= 1.1.0 is used and RSA_generate_key_ex
 2127 			fails. [GL #109]
 2128 
 2129 4917.	[func]		Support 64 RPZ policy zones by default. [GL #123]
 2130 
 2131 4916.	[func]		Remove IDNA2003 support and the bundled idnkit-1.0
 2132 			library.
 2133 
 2134 4915.	[func]		Implement IDNA2008 support in dig by adding support
 2135 			for libidn2.  New dig option +idnin has been added,
 2136 			which allows processing of invalid domain names much
 2137 			like dig without IDN support.  libidn2 version 2.0
 2138 			or higher is needed for +idnout enabled by default.
 2139 
 2140 4914.	[security]	A bug in zone database reference counting could lead to
 2141 			a crash when multiple versions of a slave zone were
 2142 			transferred from a master in close succession.
 2143 			(CVE-2018-5736) [GL #134]
 2144 
 2145 4913.	[test]		Re-implemented older unit tests in bin/tests as ATF,
 2146 			removed the lib/tests unit testing library. [GL #115]
 2147 
 2148 4912.	[test]		Improved the reliability of the 'cds' system test.
 2149 			[GL #136]
 2150 
 2151 4911.	[test]		Improved the reliability of the 'mkeys' system test.
 2152 			[GL #128]
 2153 
 2154 4910.	[func]		Update util/check-changes to work on release branches.
 2155 			[GL #113]
 2156 
 2157 4909.	[bug]		named-checkconf did not detect in-view zone collisions.
 2158 			[GL #125]
 2159 
 2160 4908.	[test]		Eliminated unnecessary waiting in the allow_query
 2161 			system test. Also changed its name to allow-query.
 2162 			[GL #81]
 2163 
 2164 4907.	[test]		Improved the reliability of the 'notify' system
 2165 			test. [GL #59]
 2166 
 2167 4906.	[func]		Replace getquad() with inet_pton(), completing
 2168 			change #4900. [GL #56]
 2169 
 2170 4905.	[bug]		irs_resconf_load() ignored resolv.conf syntax errors
 2171 			when "domain" or "search" options were present in that
 2172 			file. [GL #110]
 2173 
 2174 4904.	[bug]		Temporarily revert change #4859. [GL #124]
 2175 
 2176 4903.	[bug]		"check-mx fail;" did not prevent MX records containing
 2177 			IP addresses from being added to a zone by a dynamic
 2178 			update. [GL #112]
 2179 
 2180 4902.	[test]		Improved the reliability of the 'ixfr' system
 2181 			test. [GL #66]
 2182 
 2183 4901.	[func]		"dig +nssearch" now lists the name servers
 2184 			for a domain that time out, as well as the servers
 2185 			that respond. [GL #64]
 2186 
 2187 4900.	[func]		Remove all uses of inet_aton().  As a result of this
 2188 			change, IPv4 addresses are now only accepted in
 2189 			dotted-quad format. [GL #13]
 2190 
 2191 4899.	[test]		Convert most of the remaining system tests to be able
 2192 			to run in parallel, continuing the work from change
 2193 			#4895. To take advantage of this, use "make -jN check",
 2194 			where N is the number of processors to use. [GL #91]
 2195 
 2196 4898.	[func]		Remove libseccomp based system-call filtering. [GL #93]
 2197 
 2198 4897.	[test]		Update to rpz system test so that it doesn't recurse.
 2199 			[GL #68]
 2200 
 2201 4896.	[test]		cacheclean system test was not robust. [GL #82]
 2202 
 2203 4895.	[test]		Allow some system tests to run in parallel.
 2204 			[RT #46602]
 2205 
 2206 4894.	[bug]		named could crash while rolling a dnstap output file.
 2207 			[RT #46942]
 2208 
 2209 4893.	[bug]		Address various issues reported by cppcheck. [GL #51]
 2210 
 2211 4892.	[bug]		named could leak memory when "rndc reload" was invoked
 2212 			before all zone loading actions triggered by a previous
 2213 			"rndc reload" command were completed. [RT #47076]
 2214 
 2215 4891.	[placeholder]
 2216 
 2217 4890.	[func]		Remove unused ondestroy callback from libisc.
 2218 			[isc-projects/bind9!3]
 2219 
 2220 4889.	[func]		Warn about the use of old root keys without the new
 2221 			root key being present.  Warn about dlv.isc.org's
 2222 			key being present. Warn about both managed and
 2223 			trusted root keys being present. [RT #43670]
 2224 
 2225 4888.	[test]		Initialize sockets correctly in sample-update so
 2226 			that the nsupdate system test will run on Windows.
 2227 			[RT #47097]
 2228 
 2229 4887.	[test]		Enable the rpzrecurse test to run on Windows.
 2230 			[RT #47093]
 2231 
 2232 4886.	[doc]		Document dig -u in manpage. [RT #47150]
 2233 
 2234 4885.	[security]	update-policy rules that otherwise ignore the name
 2235 			field now require that it be set to "." to ensure
 2236 			that any type list present is properly interpreted.
 2237 			[RT #47126]
 2238 
 2239 4884.	[bug]		named could crash on shutdown due to a race between
 2240 			shutdown_server() and ns__client_request(). [RT #47120]
 2241 
 2242 4883.	[cleanup]	Improved debugging output from dnssec-cds. [RT #47026]
 2243 
 2244 4882.	[bug]		Address potential memory leak in
 2245 			dns_update_signaturesinc. [RT #47084]
 2246 
 2247 4881.	[bug]		Only include dst_openssl.h when OpenSSL is required.
 2248 			[RT #47068]
 2249 
 2250 4880.	[bug]		Named wasn't returning the target of a cross-zone
 2251 			CNAME between two served zones when recursion was
 2252 			desired and available (RD=1, RA=1). (When this is
 2253 			not the case, the CNAME target is deliberately
 2254 			withheld to prevent accidental cache poisoning.)
 2255 			[RT #47078]
 2256 
 2257 4879.	[bug]		dns_rdata_caa:value_len field was too small.
 2258 			[RT #47086]
 2259 
 2260 4878.	[bug]		List 'ply' as a requirement for the 'isc' python
 2261 			package. [RT #47065]
 2262 
 2263 4877.	[bug]		Address integer overflow when exponentially
 2264 			backing off retry intervals. [RT #47041]
 2265 
 2266 4876.	[bug]		Address deadlock with accessing a keytable. [RT #47000]
 2267 
 2268 4875.	[bug]		Address compile failures on older systems. [RT #47015]
 2269 
 2270 4874.	[bug]		Wrong time display when reporting new keywarntime.
 2271 			[RT #47042]
 2272 
 2273 4873.	[doc]		Grammars for named.conf included in the ARM are now
 2274 			automatically generated by the configuration parser
 2275 			itself.  As a side effect of the work needed to
 2276 			separate zone type grammars from each other, this
 2277 			also makes checking of zone statements in
 2278 			named-checkconf more correct and consistent.
 2279 			[RT #36957]
 2280 
 2281 4872.	[bug]		Don't permit loading meta RR types such as TKEY
 2282 			from master files. [RT #47009]
 2283 
 2284 4871.	[bug]		Fix configure glitch in detecting stdatomic.h
 2285 			support on systems with multiple compilers.
 2286 			[RT #46959]
 2287 
 2288 4870.	[test]		Update included ATF library to atf-0.21 preserving
 2289 			the ATF tool. [RT #46967]
 2290 
 2291 4869.	[bug]		Address some cases where NULL with zero length could
 2292 			be passed to memmove which is undefined behavior and
 2293 			can lead to bad optimization. [RT #46888]
 2294 
 2295 4868.	[func]		dnssec-keygen can no longer generate HMAC keys.
 2296 			Use tsig-keygen instead. [RT #46404]
 2297 
 2298 4867.	[cleanup]	Normalize rndc on/off commands (validation,
 2299 			querylog, serve-stale) so they all accept the
 2300 			same synonyms for on/off (yes/no, true/false,
 2301 			enable/disable). Thanks to Tony Finch. [RT #47022]
 2302 
 2303 4866.	[port]		DST library initialization verifies MD5 (when MD5
 2304 			was not disabled) and SHA-1 hash and HMAC support.
 2305 			[RT #46764]
 2306 
 2307 4865.	[cleanup]	Simplify handling isc_socket_sendto2() return values.
 2308 			[RT #46986]
 2309 
 2310 4864.	[bug]		named acting as a slave for a catalog zone crashed if
 2311 			the latter contained a master definition without an IP
 2312 			address. [RT #45999]
 2313 
 2314 4863.	[bug]		Fix various other bugs reported by Valgrind's
 2315 			memcheck tool. [RT #46978]
 2316 
 2317 4862.	[bug]		The rdata flags for RRSIG were not being properly set
 2318 			when constructing a rdataslab. [RT #46978]
 2319 
 2320 4861.	[bug]		The isc_crc64 unit test was not endian independent.
 2321 			[RT #46973]
 2322 
 2323 4860.	[bug]		isc_int8_t should be signed char.  [RT #46973]
 2324 
 2325 4859.	[bug]		A loop was possible when attempting to validate
 2326 			unsigned CNAME responses from secure zones;
 2327 			this caused a delay in returning SERVFAIL and
 2328 			also increased the chances of encountering
 2329 			CVE-2017-3145. [RT #46839]
 2330 
 2331 4858.	[security]	Addresses could be referenced after being freed
 2332 			in resolver.c, causing an assertion failure.
 2333 			(CVE-2017-3145) [RT #46839]
 2334 
 2335 4857.	[bug]		Maintain attach/detach semantics for event->db,
 2336 			event->node, event->rdataset and event->sigrdataset
 2337 			in query.c. [RT #46891]
 2338 
 2339 4856.	[bug]		'rndc zonestatus' reported the wrong underlying type
 2340 			for an inline slave zone. [RT #46875]
 2341 
 2342 4855.	[bug]		isc_time_formatshorttimestamp produced incorrect
 2343 			output. [RT #46938]
 2344 
 2345 4854.	[bug]		query_synthcnamewildcard should stop generating the
 2346 			response if query_synthwildcard fails. [RT #46939]
 2347 
 2348 4853.	[bug]		Add REQUIRE's and INSIST's to isc_time_formatISO8601L
 2349 			and isc_time_formatISO8601Lms. [RT #46916]
 2350 
 2351 4852.	[bug]		Handle strftime() failing in isc_time_formatISO8601ms.
 2352 			Add REQUIRE's and INSIST's to isc_time_formattimestamp,
 2353 			isc_time_formathttptimestamp, isc_time_formatISO8601,
 2354 			isc_time_formatISO8601ms. [RT #46892]
 2355 
 2356 4851.	[port]		Support using kyua as well as atf-run to run the unit
 2357 			tests. [RT #46853]
 2358 
 2359 4850.	[bug]		Named failed to restart with multiple added zones in
 2360 			lmdb database. [RT #46889]
 2361 
 2362 4849.	[bug]		Duplicate zones could appear in the .nzf file if
 2363 			addzone failed. [RT #46435]
 2364 
 2365 4848.	[func]		Zone types "primary" and "secondary" can now be used
 2366 			as synonyms for "master" and "slave" in named.conf.
 2367 			[RT #46713]
 2368 
 2369 4847.	[bug]		dnssec-dnskey-kskonly was not being honored for
 2370 			CDS and CDNSKEY. [RT #46755]
 2371 
 2372 4846.	[test]		Adjust timing values in runtime system test. Address
 2373 			named.pid removal races in runtime system test.
 2374 			[RT #46800]
 2375 
 2376 4845.	[bug]		Dig (non iOS) should exit on malformed names.
 2377 			[RT #46806]
 2378 
 2379 4844.	[test]		Address memory leaks in libatf-c. [RT #46798]
 2380 
 2381 4843.	[bug]		dnssec-signzone free hashlist on exit. [RT #46791]
 2382 
 2383 4842.	[bug]		Conditionally compile opensslecdsa_link.c to avoid
 2384 			warnings about unused function. [RT #46790]
 2385 
 2386 	--- 9.12.0rc1 released ---
 2387 
 2388 4841.	[bug]		Address -fsanitize=undefined warnings. [RT #46786]
 2389 
 2390 4840.	[test]		Add tests to cover fallback to using ZSK on inactive
 2391 			KSK. [RT #46787]
 2392 
 2393 4839.	[bug]		zone.c:zone_sign was not properly determining
 2394 			if there were active KSK and ZSK keys for
 2395 			an algorithm when update-check-ksk is true
 2396 			(default) leaving records unsigned with one or
 2397 			more DNSKEY algorithms. [RT #46774]
 2398 
 2399 4838.	[bug]		zone.c:add_sigs was not properly determining
 2400 			if there were active KSK and ZSK keys for
 2401 			an algorithm when update-check-ksk is true
 2402 			(default) leaving records unsigned with one or
 2403 			more DNSKEY algorithms. [RT #46754]
 2404 
 2405 4837.	[bug]		dns_update_signatures{inc} (add_sigs) was not
 2406 			properly determining if there were active KSK and
 2407 			ZSK keys for an algorithm when update-check-ksk is
 2408 			true (default) leaving records unsigned when there
 2409 			were multiple DNSKEY algorithms for the zone.
 2410 			[RT #46743]
 2411 
 2412 4836.	[bug]		Zones created using "rndc addzone" could
 2413 			temporarily fail to inherit an "allow-transfer"
 2414 			ACL that had been configured in the options
 2415 			statement. [RT #46603]
 2416 
 2417 4835.	[cleanup]	Clean up and refactor LMDB-related code. [RT #46718]
 2418 
 2419 4834.	[port]		Fix LMDB support on OpenBSD. [RT #46718]
 2420 
 2421 4833.	[bug]		isc_event_free should check that the event is not
 2422 			linked when called. [RT #46725]
 2423 
 2424 4832.	[bug]		Events were not being removed from zone->rss_events.
 2425 			[RT #46725]
 2426 
 2427 4831.	[bug]		Convert the RRSIG expirytime to 64 bits for
 2428 			comparisons in diff.c:resign. [RT #46710]
 2429 
 2430 4830.	[bug]		Failure to configure ATF when requested did not cause
 2431 			an error in top-level configure script. [RT #46655]
 2432 
 2433 4829.	[bug]		isc_heap_delete did not zero the index value when
 2434 			the heap was created with a callback to do that.
 2435 			[RT #46709]
 2436 
 2437 4828.	[bug]		Do not use thread-local storage for storing LMDB reader
 2438 			locktable slots. [RT #46556]
 2439 
 2440 4827.	[misc]		Add a precommit check script util/checklibs.sh
 2441 			[RT #46215]
 2442 
 2443 4826.	[cleanup]	Prevent potential build failures in bin/confgen/ and
 2444 			bin/named/ when using parallel make. [RT #46648]
 2445 
 2446 4825.	[bug]		Prevent a bogus "error during managed-keys processing
 2447 			(no more)" warning from being logged. [RT #46645]
 2448 
 2449 4824.	[port]		Add iOS hooks to dig. [RT #42011]
 2450 
 2451 4823.	[test]		Refactor reclimit system test to improve its
 2452 			reliability and speed. [RT #46632]
 2453 
 2454 4822.	[bug]		Use resign_sooner in dns_db_setsigningtime. [RT #46473]
 2455 
 2456 4821.	[bug]		When resigning ensure that the SOA's expire time is
 2457 			always later than the resigning time of other records.
 2458 			[RT #46473]
 2459 
 2460 4820.	[bug]		dns_db_subtractrdataset should transfer the resigning
 2461 			information to the new header. [RT #46473]
 2462 
 2463 4819.	[bug]		Fully backout the transaction when adding a RRset
 2464 			to the resigning / removal heaps fails. [RT #46473]
 2465 
 2466 4818.	[test]		The logfileconfig system test could intermittently
 2467 			report false negatives on some platforms. [RT #46615]
 2468 
 2469 4817.	[cleanup]	Use DNS_NAME_INITABSOLUTE and DNS_NAME_INITNONABSOLUTE.
 2470 			[RT #45433]
 2471 
 2472 4816.	[bug]		Don't use a common array for storing EDNS options
 2473 			in DiG as it could fill up. [RT #45611]
 2474 
 2475 4815.	[bug]		rbt_test.c:insert_and_delete needed to call
 2476 			dns_rbt_addnode instead of dns_rbt_addname. [RT #46553]
 2477 
 2478 4814.	[cleanup]	Use AS_HELP_STRING for consistent help text. [RT #46521]
 2479 
 2480 4813.	[bug]		Address potential read after free errors from
 2481 			query_synthnodata, query_synthwildcard and
 2482 			query_synthnxdomain. [RT #46547]
 2483 
 2484 4812.	[bug]		Minor improvements to stability and consistency of code
 2485 			handling managed keys. [RT #46468]
 2486 
 2487 4811.	[bug]		Revert api changes to use <isc/buffer.h> inline
 2488 			macros.  Provide an alternative mechanism to turn
 2489 			on the use of inline macros when building BIND.
 2490 			[RT #46520]
 2491 
 2492 4810.	[test]		The chain system test failed if the IPv6 interfaces
 2493 			were not configured. [RT #46508]
 2494 
 2495 	--- 9.12.0b2 released ---
 2496 
 2497 4809.	[port]		Check at configure time whether -latomic is needed
 2498 			for stdatomic.h. [RT #46324]
 2499 
 2500 4808.	[bug]		Properly test for zlib.h. [RT #46504]
 2501 
 2502 4807.	[cleanup]	isc_rng_randombytes() returns a specified number of
 2503 			bytes from the PRNG; this is now used instead of
 2504 			calling isc_rng_random() multiple times. [RT #46230]
 2505 
 2506 4806.	[func]		Log messages related to loading of zones are now
 2507 			directed to the "zoneload" logging category.
 2508 			[RT #41640]
 2509 
 2510 4805.	[bug]		TCP4Active and TCP6Active weren't being updated
 2511 			correctly. [RT #46454]
 2512 
 2513 4804.	[port]		win32: access() does not work on directories as
 2514 			required by POSIX.  Supply an alternative in
 2515 			isc_file_isdirwritable. [RT #46394]
 2516 
 2517 4803.	[placeholder]
 2518 
 2519 4802.	[test]		Refactor mkeys system test to make it quicker and more
 2520 			reliable. [RT #45293]
 2521 
 2522 4801.	[func]		'dnssec-lookaside auto;' and 'dnssec-lookaside .
 2523 			trust-anchor dlv.isc.org;' now elicit warnings rather
 2524 			than being fatal configuration errors. [RT #46410]
 2525 
 2526 4800.	[bug]		When processing delzone, write one zone config per
 2527 			line to the NZF. [RT #46323]
 2528 
 2529 4799.	[cleanup]	Improve clarity of keytable unit tests. [RT #46407]
 2530 
 2531 4798.	[func]		Keys specified in "managed-keys" statements
 2532 			are tagged as "initializing" until they have been
 2533 			updated by a key refresh query. If initialization
 2534 			fails it will be visible from "rndc secroots".
 2535 			[RT #46267]
 2536 
 2537 4797.	[func]		Removed "isc-hmac-fixup", as the versions of BIND that
 2538 			had the bug it worked around are long past end of
 2539 			life. [RT #46411]
 2540 
 2541 4796.	[bug]		Increase the maximum configurable TCP keepalive
 2542 			timeout to 65535. [RT #44710]
 2543 
 2544 4795.	[func]		A new statistics counter has been added to track
 2545 			priming queries. [RT #46313]
 2546 
 2547 4794.	[func]		"dnssec-checkds -s" specifies a file from which
 2548 			to read a DS set rather than querying the parent.
 2549 			[RT #44667]
 2550 
 2551 4793.	[bug]		nsupdate -[46] could overflow the array of server
 2552 			addresses. [RT #46402]
 2553 
 2554 4792.	[bug]		Fix map file header correctness check. [RT #38418]
 2555 
 2556 4791.	[doc]		Fixed outdated documentation about export libraries.
 2557 			[RT #46341]
 2558 
 2559 4790.	[bug]		nsupdate could trigger a require when sending an
 2560 			update to the second address of the server.
 2561 			[RT #45731]
 2562 
 2563 4789.	[cleanup]	Check writability of new-zones-directory. [RT #46308]
 2564 
 2565 4788.	[cleanup]	When using "update-policy local", log a warning
 2566 			when an update matching the session key is received
 2567 			from a remote host. [RT #46213]
 2568 
 2569 4787.	[cleanup]	Turn nsec3param_salt_totext() into a public function,
 2570 			dns_nsec3param_salttotext(), and add unit tests for it.
 2571 			[RT #46289]
 2572 
 2573 4786.	[func]		The "filter-aaaa-on-v4" and "filter-aaaa-on-v6"
 2574 			options are no longer conditionally compiled.
 2575 			[RT #46340]
 2576 
 2577 4785.	[func]		The hmac-md5 algorithm is no longer recommended for
 2578 			use with RNDC keys.  The default in rndc-confgen
 2579 			is now hmac-sha256. [RT #42272]
 2580 
 2581 4784.	[func]		The use of dnssec-keygen to generate HMAC keys is
 2582 			deprecated in favor of tsig-keygen.  dnssec-keygen
 2583 			will print a warning when used for this purpose.
 2584 			All HMAC algorithms will be removed from
 2585 			dnssec-keygen in a future release. [RT #42272]
 2586 
 2587 4783.	[test]		dnssec: 'check that NOTIFY is sent at the end of
 2588 			NSEC3 chain generation failed' required more time
 2589 			on some machines for the IXFR to complete. [RT #46388]
 2590 
 2591 4782.	[test]		dnssec: 'checking positive and negative validation
 2592 			with negative trust anchors' required more time to
 2593 			complete on some machines. [RT #46386]
 2594 
 2595 4781.	[maint]		B.ROOT-SERVERS.NET is now 199.9.14.201. [RT #45889]
 2596 
 2597 4780.	[bug]		When answering ANY queries, don't include the NS
 2598 			RRset in the authority section if it was already
 2599 			in the answer section. [RT #44543]
 2600 
 2601 4779.	[bug]		Expire NTA at the start of the second. Don't update
 2602 			the expiry value if the record has already expired
 2603 			after a successful check. [RT #46368]
 2604 
 2605 4778.	[test]		Improve synth-from-dnssec testing. [RT #46352]
 2606 
 2607 4777.	[cleanup]	Removed a redundant call to configure_view_acl().
 2608 			[RT #46369]
 2609 
 2610 4776.	[bug]		Improve portability of ht_test. [RT #46333]
 2611 
 2612 4775.	[bug]		Address Coverity warnings in ht_test.c and mem_test.c
 2613 			[RT #46281]
 2614 
 2615 4774.	[bug]		<isc/util.h> was incorrectly included in several
 2616 			header files. [RT #46311]
 2617 
 2618 4773.	[doc]		Fixed generating Doxygen documentation for functions
 2619 			annotated using certain macros.  Miscellaneous
 2620 			Doxygen-related cleanups. [RT #46276]
 2621 
 2622 	--- 9.12.0b1 released ---
 2623 
 2624 4772.	[test]		Expanded unit testing framework for libns, using
 2625 			hooks to interrupt query flow and inspect state
 2626 			at specified locations. [RT #46173]
 2627 
 2628 4771.	[bug]		When sending RFC 5011 refresh queries, disregard
 2629 			cached DNSKEY rrsets. [RT #46251]
 2630 
 2631 4770.	[bug]		Cache additional data from priming queries as glue.
 2632 			Previously they were ignored as unsigned
 2633 			non-answer data from a secure zone, and never
 2634 			actually got added to the cache, causing hints
 2635 			to be used frequently for root-server
 2636 			addresses, which triggered re-priming. [RT #45241]
 2637 
 2638 4769.	[func]		The working directory and managed-keys directory have
 2639 			to be writeable (and seekable). [RT #46077]
 2640 
 2641 4768.	[func]		By default, memory is no longer filled with tag values
 2642 			when it is allocated or freed; this improves
 2643 			performance but makes debugging of certain memory
 2644 			issues more difficult. "named -M fill" turns memory
 2645 			filling back on. (Building "configure
 2646 			--enable-developer", turns memory fill on by
 2647 			default again; it can then be disabled with
 2648 			"named -M nofill".) [RT #45123]
 2649 
 2650 4767.	[func]		Add a new function, isc_buffer_printf(), which can be
 2651 			used to append a formatted string to the used region of
 2652 			a buffer. [RT #46201]
 2653 
 2654 4766.	[cleanup]	Address Coverity warnings. [RT #46150]
 2655 
 2656 4765.	[bug]		Address potential INSIST in dnssec-cds. [RT #46150]
 2657 
 2658 4764.	[bug]		Address portability issues in cds system test.
 2659 			[RT #46214]
 2660 
 2661 4763.	[contrib]	Improve compatibility when building MySQL DLZ
 2662 			module by using mysql_config if available.
 2663 			[RT #45558]
 2664 
 2665 4762.	[func]		"update-policy local" is now restricted to updates
 2666 			from local addresses. (Previously, other addresses
 2667 			were allowed so long as updates were signed by the
 2668 			local session key.) [RT #45492]
 2669 
 2670 4761.	[protocol]	Add support for DOA. [RT #45612]
 2671 
 2672 4760.	[func]		Add glue cache statistics counters. [RT #46028]
 2673 
 2674 4759.	[func]		Add logging channel "trust-anchor-telemetry" to
 2675 			record trust-anchor-telemetry in incoming requests.
 2676 			Both _ta-XXXX.<anchor>/NULL and EDNS KEY-TAG options
 2677 			are logged.  [RT #46124]
 2678 
 2679 4758.	[doc]		Remove documentation of unimplemented "topology".
 2680 			[RT #46161]
 2681 
 2682 4757.	[func]		New "dnssec-cds" command creates a new parent DS
 2683 			RRset based on CDS or CDNSKEY RRsets found in
 2684 			a child zone, and generates either a dsset file
 2685 			or stream of nsupdate commands to update the
 2686 			parent. Thanks to Tony Finch. [RT #46090]
 2687 
 2688 4756.	[bug]		Interrupting dig could lead to an INSIST failure after
 2689 			certain errors were encountered while querying a host
 2690 			whose name resolved to more than one address.  Change
 2691 			4537 increased the odds of triggering this issue by
 2692 			causing dig to hang indefinitely when certain error
 2693 			paths were evaluated.  dig now also retries TCP queries
 2694 			(once) if the server gracefully closes the connection
 2695 			before sending a response. [RT #42832, #45159]
 2696 
 2697 4755.	[cleanup]	Silence unnecessary log message when NZF file doesn't
 2698 			exist. [RT #46186]
 2699 
 2700 4754.	[bug]		dns_zone_setview needs a two stage commit to properly
 2701 			handle errors. [RT #45841]
 2702 
 2703 4753.	[contrib]	Software obtainable from known upstream locations
 2704 			(i.e., zkt, nslint, query-loc) has been removed.
 2705 			Links to these and other packages can be found at
 2706 			https://www.isc.org/community/tools [RT #46182]
 2707 
 2708 4752.	[test]		Add unit test for isc_net_pton. [RT #46171]
 2709 
 2710 4751.	[func]		"dnssec-signzone -S" can now automatically add parent
 2711 			synchronization records (CDS and CDNSKEY) according
 2712 			to key metadata set using the -Psync and -Dsync
 2713 			options to dnssec-keygen and dnssec-settime.
 2714 			[RT #46149]
 2715 
 2716 4750.	[func]		"rndc managed-keys destroy" shuts down RFC 5011 key
 2717 			maintenance and deletes the managed-keys database.
 2718 			If followed by "rndc reconfig" or a server restart,
 2719 			key maintenance is reinitialized from scratch.
 2720 			This is primarily intended for testing. [RT #32456]
 2721 
 2722 4749.	[func]		The ISC DLV service has been shut down, and all
 2723 			DLV records have been removed from dlv.isc.org.
 2724 			- Removed references to ISC DLV in documentation
 2725 			- Removed DLV key from bind.keys
 2726 			- No longer use ISC DLV by default in delv
 2727 			- "dnssec-lookaside auto" and configuration of
 2728 			  "dnssec-lookaside" with dlv.isc.org as the trust
 2729 			  anchor are both now fatal errors.
 2730 			[RT #46155]
 2731 
 2732 4748.	[cleanup]	Sprintf to snprintf conversions. [RT #46132]
 2733 
 2734 4747.	[func]		Synthesis of responses from DNSSEC-verified records.
 2735 			Stage 3 - synthesize NODATA responses. [RT #40138]
 2736 
 2737 4746.	[cleanup]	Add configured prefixes to configure summary
 2738 			output. [RT #46153]
 2739 
 2740 4745.	[test]		Add color-coded pass/fail messages to system
 2741 			tests when running on terminals that support them.
 2742 			[RT #45977]
 2743 
 2744 4744.	[bug]		Suppress trust-anchor-telemetry queries if
 2745 			validation is disabled. [RT #46131]
 2746 
 2747 4743.	[func]		Exclude trust-anchor-telemetry queries from
 2748 			synth-from-dnssec processing. [RT #46123]
 2749 
 2750 4742.	[func]		Synthesis of responses from DNSSEC-verified records.
 2751 			Stage 2 - synthesis of records from wildcard data.
 2752 			If the dns64 or filter-aaaa* is configured then the
 2753 			involved lookups are currently excluded. [RT #40138]
 2754 
 2755 4741.	[bug]		Make isc_refcount_current() atomically read the
 2756 			counter value. [RT #46074]
 2757 
 2758 4740.	[cleanup]	Avoid triggering format-truncated warnings. [RT #46107]
 2759 
 2760 4739.	[cleanup]	Address clang static analysis warnings. [RT #45952]
 2761 
 2762 4738.	[port]		win32: strftime mishandles %Z. [RT #46039]
 2763 
 2764 4737.	[cleanup]	Address Coverity warnings. [RT #46012]
 2765 
 2766 4736.	[cleanup]	(a) Added comments to NSEC3-related functions in
 2767 			lib/dns/zone.c.  (b) Refactored NSEC3 salt formatting
 2768 			code.  (c) Minor tweaks to lock and result handling.
 2769 			[RT #46053]
 2770 
 2771 4735.	[bug]		Add @ISC_OPENSSL_LIBS@ to isc-config. [RT #46078]
 2772 
 2773 4734.	[contrib]	Added sample configuration for DNS-over-TLS in
 2774 			contrib/dnspriv.
 2775 
 2776 4733.	[bug]		Change #4706 introduced a bug causing TCP clients
 2777 			not to be reused correctly, leading to unconstrained
 2778 			memory growth. [RT #46029]
 2779 
 2780 4732.	[func]		Change default minimal-responses setting to
 2781 			no-auth-recursive. [RT #46016]
 2782 
 2783 4731.	[bug]		Fix use after free when closing an LMDB. [RT #46000]
 2784 
 2785 4730.	[bug]		Fix out of bounds access in DHCID totext() method.
 2786 			[RT #46001]
 2787 
 2788 4729.	[bug]		Don't use memset() to wipe memory, as it may be
 2789 			removed by compiler optimizations when the
 2790 			memset() occurs on automatic stack allocation
 2791 			just before function return. [RT #45947]
 2792 
 2793 4728.	[func]		Use C11's stdatomic.h instead of isc_atomic
 2794 			where available. [RT #40668]
 2795 
 2796 4727.	[bug]		Retransferring an inline-signed slave using NSEC3
 2797 			around the time its NSEC3 salt was changed could result
 2798 			in an infinite signing loop. [RT #45080]
 2799 
 2800 4726.	[port]		Prevent setsockopt() errors related to TCP_FASTOPEN
 2801 			from being logged on FreeBSD if the kernel does not
 2802 			support it.  Notify the user when the kernel does
 2803 			support TCP_FASTOPEN, but it is disabled by sysctl.
 2804 			Add a new configure option, --disable-tcp-fastopen, to
 2805 			disable use of TCP_FASTOPEN altogether. [RT #44754]
 2806 
 2807 4725.	[bug]		Nsupdate: "recvsoa" was incorrectly reported for
 2808 			failures in sending the update message.  The correct
 2809 			location to be reported is "update_completed".
 2810 			[RT #46014]
 2811 
 2812 4724.	[func]		By default, BIND now uses the random number
 2813 			functions provided by the crypto library (i.e.,
 2814 			OpenSSL or a PKCS#11 provider) as a source of
 2815 			randomness rather than /dev/random.  This is
 2816 			suitable for virtual machine environments
 2817 			which have limited entropy pools and lack
 2818 			hardware random number generators.
 2819 
 2820 			This can be overridden by specifying another
 2821 			entropy source via the "random-device" option
 2822 			in named.conf, or via the -r command line option;
 2823 			however, for functions requiring full cryptographic
 2824 			strength, such as DNSSEC key generation, this
 2825 			cannot be overridden. In particular, the -r
 2826 			command line option no longer has any effect on
 2827 			dnssec-keygen.
 2828 
 2829 			This can be disabled by building with
 2830 			"configure --disable-crypto-rand".
 2831 			[RT #31459] [RT #46047]
 2832 
 2833 4723.	[bug]		Statistics counter DNSTAPdropped was misidentified
 2834 			as DNSSECdropped. [RT #46002]
 2835 
 2836 4722.	[cleanup]	Clean up uses of strcpy() and strcat() in favor of
 2837 			strlcpy() and strlcat() for safety. [RT #45981]
 2838 
 2839 4721.	[func]		'dnssec-signzone -x' and 'dnssec-dnskey-kskonly'
 2840 			options now apply to CDNSKEY and DS records as well
 2841 			as DNSKEY. Thanks to Tony Finch. [RT #45689]
 2842 
 2843 4720.	[func]		Added a statistics counter to track prefetch
 2844 			queries. [RT #45847]
 2845 
 2846 4719.	[bug]		Address PVS static analyzer warnings. [RT #45946]
 2847 
 2848 4718.	[func]		Avoid searching for an owner name compression pointer
 2849 			more than once when writing out a RRset. [RT #45802]
 2850 
 2851 4717.	[bug]		Treat replies with QCOUNT=0 as truncated if TC=1,
 2852 			FORMERR if TC=0, and log the error correctly.
 2853 			[RT #45836]
 2854 
 2855 4716.	[placeholder]
 2856 
 2857 	--- 9.12.0a1 released ---
 2858 
 2859 4715.	[bug]		TreeMemMax was mis-identified as a second HeapMemMax
 2860 			in the Json cache statistics. [RT #45980]
 2861 
 2862 4714.	[port]		openbsd/libressl: add support for building with
 2863 			--enable-openssl-hash. [RT #45982]
 2864 
 2865 4713.	[func]		Added support for the DNS Response Policy Service
 2866 			(DNSRPS) API, which allows named to use an external
 2867 			response policy daemon when built with
 2868 			"configure --enable-dnsrps". Thanks to Farsight
 2869 			Security. [RT #43376]
 2870 
 2871 4712.	[bug]		"dig +domain" and "dig +search" didn't retain the
 2872 			search domain when retrying with TCP. [RT #45547]
 2873 
 2874 4711.	[test]		Some RR types were missing from genzones.sh.
 2875 			[RT #45782]
 2876 
 2877 4710.	[cleanup]	Changed the --enable-openssl-hash default to yes.
 2878 			[RT #45019]
 2879 
 2880 4709.	[cleanup]	Use dns_name_fullhash() to hash names for RRL.
 2881 			[RT #45435]
 2882 
 2883 4708.	[cleanup]	Legacy Windows builds (i.e. for XP and earlier)
 2884 			are no longer supported. [RT #45186]
 2885 
 2886 4707.	[func]		The lightweight resolver daemon and library (lwresd
 2887 			and liblwres) have been removed. [RT #45186]
 2888 
 2889 4706.	[func]		Code implementing name server query processing has
 2890 			been moved from bin/named to a new library "libns".
 2891 			Functions remaining in bin/named are now prefixed
 2892 			with "named_" rather than "ns_".  This will make it
 2893 			easier to write unit tests for name server code, or
 2894 			link name server functionality into new tools.
 2895 			[RT #45186]
 2896 
 2897 4705.	[placeholder]
 2898 
 2899 4704.	[cleanup]	Silence Visual Studio compiler warnings. [RT #45898]
 2900 
 2901 4703.	[bug]		BINDInstall.exe was missing some buffer length checks.
 2902 			[RT #45898]
 2903 
 2904 4702.	[func]		Update function declarations to use
 2905 			dns_masterstyle_flags_t for style flags. [RT #45924]
 2906 
 2907 4701.	[cleanup]	Refactored lib/dns/tsig.c to reduce code
 2908 			duplication and simplify the disabling of MD5.
 2909 			[RT #45490]
 2910 
 2911 4700.	[func]		Serving of stale answers is now supported. This
 2912 			allows named to provide stale cached answers when
 2913 			the authoritative server is under attack.
 2914 			See max-stale-ttl, stale-answer-enable,
 2915 			stale-answer-ttl. [RT #44790]
 2916 
 2917 4699.	[func]		Multiple cookie-secret clauses can now be specified.
 2918 			The first one specified is used to generate new
 2919 			server cookies.  [RT #45672]
 2920 
 2921 4698.	[port]		Add --with-python-install-dir configure option to allow
 2922 			specifying a nonstandard installation directory for
 2923 			Python modules. [RT #45407]
 2924 
 2925 4697.	[bug]		Restore workaround for Microsoft Windows TSIG hash
 2926 			computation bug. [RT #45854]
 2927 
 2928 4696.	[port]		Enable filter-aaaa support by default on Windows
 2929 			builds. [RT #45883]
 2930 
 2931 4695.	[bug]		cookie-secrets were not being properly checked by
 2932 			named-checkconf. [RT #45886]
 2933 
 2934 4694.	[func]		dnssec-keygen no longer uses RSASHA1 by default;
 2935 			the signing algorithm must be specified on
 2936 			the command line with the "-a" option.  Signing
 2937 			scripts that rely on the existing default behavior
 2938 			will break; use "dnssec-keygen -a RSASHA1" to
 2939 			repair them. (The goal of this change is to make
 2940 			it easier to find scripts using RSASHA1 so they
 2941 			can be changed in the event of that algorithm
 2942 			being deprecated in the future.) [RT #44755]
 2943 
 2944 4693.	[func]		Synthesis of responses from DNSSEC-verified records.
 2945 			Stage 1 covers NXDOMAIN synthesis from NSEC records.
 2946 			This is controlled by synth-from-dnssec and is enabled
 2947 			by default. [RT #40138]
 2948 
 2949 4692.	[bug]		Fix build failures with libressl introduced in 4676.
 2950 			[RT #45879]
 2951 
 2952 4691.	[func]		Add -4/-6 command line options to nsupdate and rndc.
 2953 			[RT #45632]
 2954 
 2955 4690.	[bug]		Command line options -4/-6 were handled inconsistently
 2956 			between tools. [RT #45632]
 2957 
 2958 4689.	[cleanup]	Turn on minimal responses for CDNSKEY and CDS in
 2959 			addition to DNSKEY and DS. Thanks to Tony Finch.
 2960 			[RT #45690]
 2961 
 2962 4688.	[protocol]	Check and display EDNS KEY TAG options (RFC 8145) in
 2963 			messages. [RT #44804]
 2964 
 2965 4687.	[func]		Refactor tracklines code. [RT #45126]
 2966 
 2967 4686.	[bug]		dnssec-settime -p could print a bogus warning about
 2968 			key deletion scheduled before its inactivation when a
 2969 			key had an inactivation date set but no deletion date
 2970 			set. [RT #45807]
 2971 
 2972 4685.	[bug]		dnssec-settime incorrectly calculated publication and
 2973 			activation dates for a successor key. [RT #45806]
 2974 
 2975 4684.	[bug]		delv could send bogus DNS queries when an explicit
 2976 			server address was specified on the command line along
 2977 			with -4/-6. [RT #45804]
 2978 
 2979 4683.	[bug]		Prevent nsupdate from immediately exiting on invalid
 2980 			user input in interactive mode. [RT #28194]
 2981 
 2982 4682.	[bug]		Don't report errors on records below a DNAME.
 2983 			[RT #44880]
 2984 
 2985 4681.	[bug]		Log messages from the validator now include the
 2986 			associated view unless the view is "_default/IN"
 2987 			or "_dnsclient/IN". [RT #45770]
 2988 
 2989 4680.	[bug]		Fix failing over to another master server address when
 2990 			nsupdate is used with GSS-API. [RT #45380]
 2991 
 2992 4679.	[cleanup]	Suggest using -o when dnssec-verify finds a SOA record
 2993 			not at top of zone and -o is not used. [RT #45519]
 2994 
 2995 4678.	[bug]		geoip-use-ecs has the wrong type when geoip support
 2996 			is disabled at configure time. [RT #45763]
 2997 
 2998 4677.	[cleanup]	Split up the main function in dig to better support
 2999 			the iOS app version. [RT #45508]
 3000 
 3001 4676.	[cleanup]	Allow BIND to be built using OpenSSL 1.0.X with
 3002 			deprecated functions removed. [RT #45706]
 3003 
 3004 4675.	[cleanup]	Don't use C++ keyword class. [RT #45726]
 3005 
 3006 4674.	[func]		"dig +sigchase", and related options "+topdown" and
 3007 			"+trusted-keys", have been removed. Use "delv" for
 3008 			queries with DNSSEC validation. [RT #42793]
 3009 
 3010 4673.	[port]		Silence GCC 7 warnings. [RT #45592]
 3011 
 3012 4672.	[placeholder]
 3013 
 3014 4671.	[bug]		Fix a race condition that could cause the
 3015 			resolver to crash with assertion failure when
 3016 			chasing DS in specific conditions with a very
 3017 			short RTT to the upstream nameserver. [RT #45168]
 3018 
 3019 4670.	[cleanup]	Ensure that a request MAC is never sent back
 3020 			in an XFR response unless the signature was
 3021 			verified. [RT #45494]
 3022 
 3023 4669.	[func]		Iterative query logic in resolver.c has been
 3024 			refactored into smaller functions and commented,
 3025 			for improved readability, maintainability and
 3026 			testability. [RT #45362]
 3027 
 3028 4668.	[bug]		Use localtime_r and gmtime_r for thread safety.
 3029 			[RT #45664]
 3030 
 3031 4667.	[cleanup]	Refactor RDATA unit tests. [RT #45610]
 3032 
 3033 4666.	[bug]		dnssec-keymgr: Domain names beginning with digits (0-9)
 3034 			could cause a parser error when reading the policy
 3035 			file. This now works correctly so long as the domain
 3036 			name is quoted. [RT #45641]
 3037 
 3038 4665.	[protocol]	Added support for ED25519 and ED448 DNSSEC signing
 3039 			algorithms (RFC 8080). (Note: these algorithms
 3040 			depend on code currently in the development branch
 3041 			of OpenSSL which has not yet been released.)
 3042 			[RT #44696]
 3043 
 3044 4664.	[func]		Add a "glue-cache" option to enable or disable the
 3045 			glue cache. The default is "yes". [RT #45125]
 3046 
 3047 4663.	[cleanup]	Clarify error message printed by dnssec-dsfromkey.
 3048 			[RT #21731]
 3049 
 3050 4662.	[performance]	Improve cache memory cleanup of zero TTL records
 3051 			by putting them at the tail of LRU header lists.
 3052 			[RT #45274]
 3053 
 3054 4661.	[bug]		A race condition could occur if a zone was reloaded
 3055 			while resigning, triggering a crash in
 3056 			rbtdb.c:closeversion(). [RT #45276]
 3057 
 3058 4660.	[bug]		Remove spurious "peer" from Windows socket log
 3059 			messages. [RT #45617]
 3060 
 3061 4659.	[bug]		Remove spurious log message about lmdb-mapsize
 3062 			not being supported when parsing builtin
 3063 			configuration file. [RT #45618]
 3064 
 3065 4658.	[bug]		Clean up build directory created by "setup.py install"
 3066 			immediately.  [RT #45628]
 3067 
 3068 4657.	[bug]		rrchecker system test result could be improperly
 3069 			determined. [RT #45602]
 3070 
 3071 4656.	[bug]		Apply "port" and "dscp" values specified in catalog
 3072 			zone's "default-masters" option to the generated
 3073 			configuration of its member zones. [RT #45545]
 3074 
 3075 4655.	[bug]		Lack of seccomp could be falsely reported. [RT #45599]
 3076 
 3077 4654.	[cleanup]	Don't use C++ keywords delete, new and namespace.
 3078 			[RT #45538]
 3079 
 3080 4653.	[bug]		Reorder includes to move @DST_OPENSSL_INC@ and
 3081 			@ISC_OPENSSL_INC@ after shipped include directories.
 3082 			[RT #45581]
 3083 
 3084 4652.	[bug]		Nsupdate could attempt to use a zeroed address on
 3085 			server timeout. [RT #45417]
 3086 
 3087 4651.	[test]		Silence coverity warnings in tsig_test.c. [RT #45528]
 3088 
 3089 4650.	[placeholder]
 3090 
 3091 4649.	[bug]		The wrong zone was logged when a catalog zone is added.
 3092 			[RT #45520]
 3093 
 3094 4648.	[bug]		"rndc reconfig" on a slave no longer causes all member
 3095 			zones of configured catalog zones to be removed from
 3096 			configuration. [RT #45310]
 3097 
 3098 4647.	[bug]		Change 4643 broke verification of TSIG signed TCP
 3099 			message sequences where not all the messages contain
 3100 			TSIG records.  These may be used in AXFR and IXFR
 3101 			responses. [RT #45509]
 3102 
 3103 4646.	[placeholder]
 3104 
 3105 4645.	[bug]		Fix PKCS#11 RSA parsing when MD5 is disabled.
 3106 			[RT #45300]
 3107 
 3108 4644.	[placeholder]
 3109 
 3110 4643.	[security]	An error in TSIG handling could permit unauthorized
 3111 			zone transfers or zone updates. (CVE-2017-3142)
 3112 			(CVE-2017-3143) [RT #45383]
 3113 
 3114 4642.	[cleanup]	Add more logging of RFC 5011 events affecting the
 3115 			status of managed keys: newly observed keys,
 3116 			deletion of revoked keys, etc. [RT #45354]
 3117 
 3118 4641.	[cleanup]	Parallel builds (make -j) could fail with --with-atf /
 3119 			--enable-developer. [RT #45373]
 3120 
 3121 4640.	[bug]		If query_findversion failed in query_getdb due to
 3122 			memory failure the error status was incorrectly
 3123 			discarded. [RT #45331]
 3124 
 3125 4639.	[bug]		Fix a regression in --with-tuning reporting introduced
 3126 			by change 4488. [RT #45396]
 3127 
 3128 4638.	[bug]		Reloading or reconfiguring named could fail on
 3129 			some platforms when LMDB was in use. [RT #45203]
 3130 
 3131 4637.	[func]		"nsec3hash -r" option ("rdata order") takes arguments
 3132 			in the same order as they appear in NSEC3 or
 3133 			NSEC3PARAM records, so that NSEC3 parameters can
 3134 			be cut and pasted from an existing record. Thanks
 3135 			to Tony Finch for the contribution. [RT #45183]
 3136 
 3137 4636.	[bug]		Normalize rpz policy zone names when checking for
 3138 			existence. [RT #45358]
 3139 
 3140 4635.	[bug]		Fix RPZ NSDNAME logging that was logging
 3141 			failures as NSIP. [RT #45052]
 3142 
 3143 4634.	[contrib]	check5011.pl needs to handle optional space before
 3144 			semi-colon in +multi-line output. [RT #45352]
 3145 
 3146 4633.	[maint]		Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET.
 3147 
 3148 4632.	[security]	The BIND installer on Windows used an unquoted
 3149 			service path, which can enable privilege escalation.
 3150 			(CVE-2017-3141) [RT #45229]
 3151 
 3152 4631.	[security]	Some RPZ configurations could go into an infinite
 3153 			query loop when encountering responses with TTL=0.
 3154 			(CVE-2017-3140) [RT #45181]
 3155 
 3156 4630.	[bug]		"dyndb" is dependent on dlopen existing / being
 3157 			enabled. [RT #45291]
 3158 
 3159 4629.	[bug]		dns_client_startupdate could not be called with a
 3160 			running client. [RT #45277]
 3161 
 3162 4628.	[bug]		Fixed a potential reference leak in query_getdb().
 3163 			[RT #45247]
 3164 
 3165 4627.	[placeholder]
 3166 
 3167 4626.	[test]		Added more tests for handling of different record
 3168 			ordering in CNAME and DNAME responses. [QA #430]
 3169 
 3170 4625.	[bug]		Running "rndc addzone" and "rndc delzone" at close
 3171 			to the same time could trigger a deadlock if using
 3172 			LMDB. [RT #45209]
 3173 
 3174 4624.	[placeholder]
 3175 
 3176 4623.	[bug]		Use --with-protobuf-c and --with-libfstrm to find
 3177 			protoc-c and fstrm_capture. [RT #45187]
 3178 
 3179 4622.	[bug]		Remove unnecessary escaping of semicolon in CAA and
 3180 			URI records. [RT #45216]
 3181 
 3182 4621.	[port]		Force alignment of oid arrays to silence loader
 3183 			warnings. [RT #45131]
 3184 
 3185 4620.	[port]		Handle EPFNOSUPPORT being returned when probing
 3186 			to see if a socket type is supported. [RT #45214]
 3187 
 3188 4619.	[bug]		Call isc_mem_put instead of isc_mem_free in
 3189 			bin/named/server.c:setup_newzones. [RT #45202]
 3190 
 3191 4618.	[bug]		Check isc_mem_strdup results in dns_view_setnewzones.
 3192 			Add logging for lmdb call failures. [RT #45204]
 3193 
 3194 4617.	[test]		Update rndc system test to be more delay tolerant.
 3195 			[RT #45177]
 3196 
 3197 4616.	[bug]		When using LMDB, zones deleted using "rndc delzone"
 3198 			were not correctly removed from the new-zone
 3199 			database. [RT #45185]
 3200 
 3201 4615.	[bug]		AD could be set on truncated answer with no records
 3202 			present in the answer and authority sections.
 3203 			[RT #45140]
 3204 
 3205 4614.	[test]		Fixed an error in the sockaddr unit test. [RT #45146]
 3206 
 3207 4613.	[func]		By default, the maximum size of a zone journal file
 3208 			is now twice the size of the zone's contents (there
 3209 			is little benefit to a journal larger than this).
 3210 			This can be overridden by setting "max-journal-size"
 3211 			to "unlimited" or to an explicit value up to 2G.
 3212 			Thanks to Tony Finch. [RT #38324]
 3213 
 3214 4612.	[bug]		Silence 'may be used uninitialised' warning and simplify
 3215 			the code in lwres/getaddinfo:process_answer.
 3216 			[RT #45158]
 3217 
 3218 4611.	[bug]		The default LMDB mapsize was too low and caused
 3219 			errors after a few thousand zones were added using
 3220 			rndc addzone. A new config option "lmdb-mapsize"
 3221 			has been introduced to configure the LMDB
 3222 			mapsize depending on operational needs.
 3223 			[RT #44954]
 3224 
 3225 4610.	[func]		The "new-zones-directory" option specifies the
 3226 			location of NZF or NZD files for storing
 3227 			configuration of zones added by "rndc addzone".
 3228 			Thanks to Petr Menšík. [RT #44853]
 3229 
 3230 4609.	[cleanup]	Rearrange makefiles to enable parallel execution
 3231 			(i.e. "make -j"). [RT #45078]
 3232 
 3233 4608.	[func]		DiG now warns about .local queries which are reserved
 3234 			for Multicast DNS. [RT #44783]
 3235 
 3236 4607.	[bug]		The memory context's malloced and maxmalloced counters
 3237 			were being updated without the appropriate lock being
 3238 			held.  [RT #44869]
 3239 
 3240 4606.	[port]		Stop using experimental "Experimental keys on scalar"
 3241 			feature of perl as it has been removed. [RT #45012]
 3242 
 3243 4605.	[performance]	Improve performance for delegation heavy answers
 3244 			and also general query performance. Removes the
 3245 			acache feature that didn't significantly improve
 3246 			performance. Adds a glue cache. Removes
 3247 			additional-from-cache and additional-from-auth
 3248 			features. Enables minimal-responses by
 3249 			default. Improves performance of compression
 3250 			code, owner case restoration, hash function,
 3251 			etc. Uses inline buffer implementation by
 3252 			default. Many other performance changes and fixes.
 3253 			[RT #44029]
 3254 
 3255 4604.	[bug]		Don't use ERR_load_crypto_strings() when building
 3256 			with OpenSSL 1.1.0. [RT #45117]
 3257 
 3258 4603.	[doc]		Automatically generate named.conf(5) man page
 3259 			from doc/misc/options. Thanks to Tony Finch.
 3260 			[RT #43525]
 3261 
 3262 4602.	[func]		Threads are now set to human-readable
 3263 			names to assist debugging, when supported by
 3264 			the OS. [RT #43234]
 3265 
 3266 4601.	[bug]		Reject incorrect RSA key lengths during key
 3267 			generation and sign/verify context
 3268 			creation. [RT #45043]
 3269 
 3270 4600.	[bug]		Adjust RPZ trigger counts only when the entry
 3271 			being deleted exists. [RT #43386]
 3272 
 3273 4599.	[bug]		Fix inconsistencies in inline signing time
 3274 			comparison that were introduced with the
 3275 			introduction of rdatasetheader->resign_lsb.
 3276 			[RT #42112]
 3277 
 3278 4598.	[func]		Update fuzzing code to (1) reply to a DNSKEY
 3279 			query from named with appropriate DNSKEY used in
 3280 			fuzzing; (2) patch the QTYPE correctly in
 3281 			resolver fuzzing; (3) comment things so the rest
 3282 			of us are able to understand how fuzzing is
 3283 			implemented in named; (4) Coding style changes,
 3284 			cleanup, etc. [RT #44787]
 3285 
 3286 4597.	[bug]		The validator now ignores SHA-1 DS digest type
 3287 			when a DS record with SHA-384 digest type is
 3288 			present and is a supported digest type.
 3289 			[RT #45017]
 3290 
 3291 4596.	[bug]		Validate glue before adding it to the additional
 3292 			section. This also fixes incorrect TTL capping
 3293 			when the RRSIG expired earlier than the TTL.
 3294 			[RT #45062]
 3295 
 3296 4595.	[func]		dnssec-keygen will no longer generate RSA keys
 3297 			less than 1024 bits in length. dnssec-keymgr
 3298 			was similarly updated. [RT #36895]
 3299 
 3300 4594.	[func]		"dnstap-read -x" prints a hex dump of the wire
 3301 			format of each logged DNS message. [RT #44816]
 3302 
 3303 4593.	[doc]		Update README using markdown, remove outdated FAQ
 3304 			file in favor of the knowledge base.
 3305 
 3306 4592.	[bug]		A race condition on shutdown could trigger an
 3307 			assertion failure in dispatch.c. [RT #43822]
 3308 
 3309 4591.	[port]		Addressed some python 3 compatibility issues.
 3310 			Thanks to Ville Skytta. [RT #44955] [RT #44956]
 3311 
 3312 4590.	[bug]		Support for PTHREAD_MUTEX_ADAPTIVE_NP was not being
 3313 			properly detected. [RT #44871]
 3314 
 3315 4589.	[cleanup]	"configure -q" is now silent. [RT #44829]
 3316 
 3317 4588.	[bug]		nsupdate could send queries for TKEY to the wrong
 3318 			server when using GSSAPI. Thanks to Tomas Hozza.
 3319 			[RT #39893]
 3320 
 3321 4587.	[bug]		named-checkzone failed to handle occulted data below
 3322 			DNAMEs correctly. [RT #44877]
 3323 
 3324 4586.	[func]		dig, host and nslookup now use TCP for ANY queries.
 3325 			[RT #44687]
 3326 
 3327 4585.	[port]		win32: Set CompileAS value. [RT #42474]
 3328 
 3329 4584.	[bug]		A number of memory usage statistics were not properly
 3330 			reported when they exceeded 4G.  [RT #44750]
 3331 
 3332 4583.	[func]		"host -A" returns most records for a name but
 3333 			omits RRSIG, NSEC and NSEC3. (Thanks to Tony Finch.)
 3334 			[RT #43032]
 3335 
 3336 4582.	[security]	'rndc ""' could trigger an assertion failure in named.
 3337 			(CVE-2017-3138) [RT #44924]
 3338 
 3339 4581.	[port]		Linux: Add getpid and getrandom to the list of system
 3340 			calls named uses for seccomp. [RT #44883]
 3341 
 3342 4580.	[bug]		4578 introduced a regression when handling CNAME to
 3343 			referral below the current domain. [RT #44850]
 3344 
 3345 4579.	[func]		Logging channels and dnstap output files can now
 3346 			be configured with a "suffix" option, set to
 3347 			either "increment" or "timestamp", indicating
 3348 			whether to use incrementing numbers or timestamps
 3349 			as the file suffix when rolling over a log file.
 3350 			[RT #42838]
 3351 
 3352 4578.	[security]	Some chaining (CNAME or DNAME) responses to upstream
 3353 			queries could trigger assertion failures.
 3354 			(CVE-2017-3137) [RT #44734]
 3355 
 3356 4577.	[func]		Make qtype of resolver fuzzing packet configurable
 3357 			via command line. [RT #43540]
 3358 
 3359 4576.	[func]		The RPZ implementation has been substantially
 3360 			refactored for improved performance and reliability.
 3361 			[RT #43449]
 3362 
 3363 4575.	[security]	DNS64 with "break-dnssec yes;" can result in an
 3364 			assertion failure. (CVE-2017-3136) [RT #44653]
 3365 
 3366 4574.	[bug]		Dig leaked memory with multiple +subnet options.
 3367 			[RT #44683]
 3368 
 3369 4573.	[func]		Query logic has been substantially refactored (e.g.
 3370 			query_find function has been split into smaller
 3371 			functions) for improved readability, maintainability
 3372 			and testability. [RT #43929]
 3373 
 3374 4572.	[func]		The "dnstap-output" option can now take "size" and
 3375 			"versions" parameters to indicate the maximum size
 3376 			a dnstap log file can grow before rolling to a new
 3377 			file, and how many old files to retain. [RT #44502]
 3378 
 3379 4571.	[bug]		Out-of-tree builds of backtrace_test failed.
 3380 
 3381 4570.	[cleanup]	named did not correctly fall back to the built-in
 3382 			initializing keys if the bind.keys file was present
 3383 			but empty. [RT #44531]
 3384 
 3385 4569.	[func]		Store both local and remote addresses in dnstap
 3386 			logging, and modify dnstap-read output format to
 3387 			print them. [RT #43595]
 3388 
 3389 4568.	[contrib]	Added a --with-bind option to the dnsperf configure
 3390 			script to specify BIND prefix path.
 3391 
 3392 4567.	[port]		Call getprotobyname and getservbyname prior to calling
 3393 			chroot so that shared libraries get loaded. [RT #44537]
 3394 
 3395 4566.	[func]		Query logging now includes the ECS option if one
 3396 			was included in the query. [RT #44476]
 3397 
 3398 4565.	[cleanup]	The inline macro versions of isc_buffer_put*()
 3399 			did not implement automatic buffer reallocation.
 3400 			[RT #44216]
 3401 
 3402 4564.	[maint]		Update the built in managed keys to include the
 3403 			upcoming root KSK. [RT #44579]
 3404 
 3405 4563.	[bug]		Modified zones would occasionally fail to reload.
 3406 			[RT #39424]
 3407 
 3408 4562.	[func]		Add additional memory statistics currently malloced
 3409 			and maxmalloced per memory context. [RT #43593]
 3410 
 3411 4561.	[port]		Silence a warning in strict C99 compilers. [RT #44414]
 3412 
 3413 4560.	[bug]		mdig: add -m option to enable memory debugging rather
 3414 			than having it on all the time. [RT #44509]
 3415 
 3416 4559.	[bug]		openssl_link.c didn't compile if ISC_MEM_TRACKLINES
 3417 			was turned off.  [RT #44509]
 3418 
 3419 4558.	[bug]		Synthesised CNAME before matching DNAME was still
 3420 			being cached when it should not have been.  [RT #44318]
 3421 
 3422 4557.	[security]	Combining dns64 and rpz can result in dereferencing
 3423 			a NULL pointer (read).  (CVE-2017-3135) [RT #44434]
 3424 
 3425 4556.	[bug]		Sending an EDNS Padding option using "dig
 3426 			+ednsopt" could cause a crash in dig. [RT #44462]
 3427 
 3428 4555.	[func]		dig +ednsopt: EDNS options can now be specified by
 3429 			name in addition to numeric value. [RT #44461]
 3430 
 3431 4554.	[bug]		Remove double unlock in dns_dispatchmgr_setudp.
 3432 			[RT #44336]
 3433 
 3434 4553.	[bug]		Named could deadlock if there were multiple changes to
 3435 			NSEC/NSEC3 parameters for a zone being processed at
 3436 			the same time. [RT #42770]
 3437 
 3438 4552.	[bug]		Named could trigger an assertion when sending notify
 3439 			messages. [RT #44019]
 3440 
 3441 4551.	[test]		Add system tests for integrity checks of MX and
 3442 			SRV records. [RT #43953]
 3443 
 3444 4550.	[cleanup]	Increased the number of available master file
 3445 			output style flags from 32 to 64. [RT #44043]
 3446 
 3447 4549.	[func]		Added support for the EDNS TCP Keepalive option
 3448 			(RFC 7828). [RT #42126]
 3449 
 3450 4548.	[func]		Added support for the EDNS Padding option (RFC 7830).
 3451 			[RT #42094]
 3452 
 3453 4547.	[port]		Add support for --enable-native-pkcs11 on the AEP
 3454 			Keyper HSM. [RT #42463]
 3455 
 3456 4546.	[func]		Extend the use of const declarations. [RT #43379]
 3457 
 3458 4545.	[func]		Expand YAML output from dnstap-read to include
 3459 			a detailed breakdown of the DNS message contents.
 3460 			[RT #43642]
 3461 
 3462 4544.	[bug]		Add message/payload size to dnstap-read YAML output.
 3463 			[RT #43622]
 3464 
 3465 4543.	[bug]		dns_client_startupdate now delays sending the update
 3466 			request until isc_app_ctxrun has been called.
 3467 			[RT #43976]
 3468 
 3469 4542.	[func]		Allow rndc to manipulate redirect zones by using
 3470 			-redirect as the zone name (use "-redirect." to
 3471 			manipulate a zone named "-redirect"). [RT #43971]
 3472 
 3473 4541.	[bug]		rndc addzone should properly reject non master/slave
 3474 			zones. [RT #43665]
 3475 
 3476 4540.	[bug]		Correctly handle ecs entries in dns_acl_isinsecure.
 3477 			[RT #43601]
 3478 
 3479 4539.	[bug]		Referencing a nonexistent zone with RPZ could lead
 3480 			to an assertion failure when configuring. [RT #43787]
 3481 
 3482 4538.	[bug]		Call dns_client_startresolve from client->task.
 3483 			[RT #43896]
 3484 
 3485 4537.	[bug]		Handle timeouts better in dig/host/nslookup. [RT #43576]
 3486 
 3487 4536.	[bug]		ISC_SOCKEVENTATTR_USEMINMTU was not being cleared
 3488 			when reusing the event structure. [RT #43885]
 3489 
 3490 4535.	[bug]		Address race condition in setting / testing of
 3491 			DNS_REQUEST_F_SENDING. [RT #43889]
 3492 
 3493 4534.	[bug]		Only set RD, RA and CD in QUERY responses. [RT #43879]
 3494 
 3495 4533.	[bug]		dns_client_update should terminate on prerequisite
 3496 			failures (NXDOMAIN, YXDOMAIN, NXRRSET, YXRRSET)
 3497 			and also on BADZONE.  [RT #43865]
 3498 
 3499 4532.	[contrib]	Make gen-data-queryperf.py python 3 compatible.
 3500 			[RT #43836]
 3501 
 3502 4531.	[security]	'is_zone' was not being properly updated by redirect2
 3503 			and subsequently preserved leading to an assertion
 3504 			failure. (CVE-2016-9778) [RT #43837]
 3505 
 3506 4530.	[bug]		Change 4489 broke the handling of CNAME -> DNAME
 3507 			in responses resulting in SERVFAIL being returned.
 3508 			[RT #43779]
 3509 
 3510 4529.	[cleanup]	Silence noisy log warning when DSCP probe fails
 3511 			due to firewall rules. [RT #43847]
 3512 
 3513 4528.	[bug]		Only set the flag bits for the i/o we are waiting
 3514 			for on EPOLLERR or EPOLLHUP. [RT #43617]
 3515 
 3516 4527.	[doc]		Support DocBook XSL Stylesheets v1.79.1. [RT #43831]
 3517 
 3518 4526.	[doc]		Corrected errors and improved formatting of
 3519 			grammar definitions in the ARM. [RT #43739]
 3520 
 3521 4525.	[doc]		Fixed outdated documentation on managed-keys.
 3522 			[RT #43810]
 3523 
 3524 4524.	[bug]		The net zero test was broken causing IPv4 servers
 3525 			with addresses ending in .0 to be rejected. [RT #43776]
 3526 
 3527 4523.	[doc]		Expand config doc for <querysource4> and
 3528 			<querysource6>. [RT #43768]
 3529 
 3530 4522.	[bug]		Handle big gaps in log file version numbers better.
 3531 			[RT #38688]
 3532 
 3533 4521.	[cleanup]	Log it as an error if an entropy source is not
 3534 			found and there is no fallback available. [RT #43659]
 3535 
 3536 4520.	[cleanup]	Alphabetize more of the grammar when printing it
 3537 			out. Fix unbalanced indenting. [RT #43755]
 3538 
 3539 4519.	[port]		win32: handle ERROR_MORE_DATA. [RT #43534]
 3540 
 3541 4518.	[func]		The "print-time" option in the logging configuration
 3542 			can now take arguments "local", "iso8601" or
 3543 			"iso8601-utc" to indicate the format in which the
 3544 			date and time should be logged. For backward
 3545 			compatibility, "yes" is a synonym for "local".
 3546 			[RT #42585]
 3547 
 3548 4517.	[security]	Named could mishandle authority sections that were
 3549 			missing RRSIGs triggering an assertion failure.
 3550 			(CVE-2016-9444) [RT #43632]
 3551 
 3552 4516.	[bug]		isc_socketmgr_renderjson was missing from the
 3553 			windows build. [RT #43602]
 3554 
 3555 4515.	[port]		FreeBSD: Find readline headers when they are in
 3556 			edit/readline/ instead of readline/. [RT #43658]
 3557 
 3558 4514.	[port]		NetBSD: strip -WL, from ld command line. [RT #43204]
 3559 
 3560 4513.	[cleanup]	Minimum Python versions are now 2.7 and 3.2.
 3561 			[RT #43566]
 3562 
 3563 4512.	[bug]		win32: @GEOIP_INC@ missing from delv.vcxproj.in.
 3564 			[RT #43556]
 3565 
 3566 4511.	[bug]		win32: mdig.exe-BNFT was missing Configure. [RT #43554]
 3567 
 3568 4510.	[security]	Named mishandled some responses where covering RRSIG
 3569 			records are returned without the requested data
 3570 			resulting in an assertion failure. (CVE-2016-9147)
 3571 			[RT #43548]
 3572 
 3573 4509.	[test]		Make the rrl system test more reliable on slower
 3574 			machines by using mdig instead of dig. [RT #43280]
 3575 
 3576 4508.	[security]	Named incorrectly tried to cache TKEY records which
 3577 			could trigger an assertion failure when there was
 3578 			a class mismatch. (CVE-2016-9131) [RT #43522]
 3579 
 3580 4507.	[bug]		Named could incorrectly log 'allows updates by IP
 3581 			address, which is insecure' [RT #43432]
 3582 
 3583 4506.	[func]		'named-checkconf -l' will now list the zones found in
 3584 			named.conf. [RT #43154]
 3585 
 3586 4505.	[port]		Use IP_PMTUDISC_OMIT if available. [RT #35494]
 3587 
 3588 4504.	[security]	Allow the maximum number of records in a zone to
 3589 			be specified.  This provides a control for issues
 3590 			raised in CVE-2016-6170. [RT #42143]
 3591 
 3592 4503.	[cleanup]	"make uninstall" now removes files installed by
 3593 			BIND. (This currently excludes Python files
 3594 			due to lack of support in setup.py.) [RT #42192]
 3595 
 3596 4502.	[func]		Report multiple and experimental options when printing
 3597 			grammar. [RT #43134]
 3598 
 3599 4501.	[placeholder]
 3600 
 3601 4500.	[bug]		Support modifier I64 in isc__print_printf. [RT #43526]
 3602 
 3603 4499.	[port]		MacOSX: silence deprecated function warning
 3604 			by using arc4random_stir() when available
 3605 			instead of arc4random_addrandom(). [RT #43503]
 3606 
 3607 4498.	[test]		Simplify prerequisite checks in system tests.
 3608 			[RT #43516]
 3609 
 3610 4497.	[port]		Add support for OpenSSL 1.1.0. [RT #41284]
 3611 
 3612 4496.	[func]		dig: add +idnout to control whether labels are
 3613 			displayed in punycode or not.  Requires idn support
 3614 			to be enabled at compile time. [RT #43398]
 3615 
 3616 4495.	[bug]		An isc_mutex_init call was not being checked.
 3617 			[RT #43391]
 3618 
 3619 4494.	[bug]		Look for <editline/readline.h>. [RT #43429]
 3620 
 3621 4493.	[bug]		bin/tests/system/dyndb/driver/Makefile.in should use
 3622 			SO_TARGETS. [RT #43336]
 3623 
 3624 4492.	[bug]		irs_resconf_load failed to initialize sortlistnxt
 3625 			causing bad writes if resolv.conf contained a
 3626 			sortlist directive. [RT #43459]
 3627 
 3628 4491.	[bug]		Improve message emitted when testing whether sendmsg
 3629 			works with TOS/TCLASS fails. [RT #43483]
 3630 
 3631 4490.	[maint]		Added AAAA (2001:500:12::d0d) for G.ROOT-SERVERS.NET.
 3632 
 3633 4489.	[security]	It was possible to trigger assertions when processing
 3634 			a response containing a DNAME answer. (CVE-2016-8864)
 3635 			[RT #43465]
 3636 
 3637 4488.	[port]		Darwin: use -framework for Kerberos. [RT #43418]
 3638 
 3639 4487.	[test]		Make system tests work on Windows. [RT #42931]
 3640 
 3641 4486.	[bug]		Look in $prefix/lib/pythonX.Y/site-packages for
 3642 			the python modules we install. [RT #43330]
 3643 
 3644 4485.	[bug]		Failure to find readline when requested should be
 3645 			fatal to configure. [RT #43328]
 3646 
 3647 4484.	[func]		Check prefixes in acls to make sure the address and
 3648 			prefix lengths are consistent.  Warn only in
 3649 			BIND 9.11 and earlier. [RT #43367]
 3650 
 3651 4483.	[bug]		Address use before require check and remove extraneous
 3652 			dns_message_gettsigkey call in dns_tsig_sign.
 3653 			[RT #43374]
 3654 
 3655 4482.	[cleanup]	Change #4455 was incomplete. [RT #43252]
 3656 
 3657 4481.	[func]		dig: make +class, +crypto, +multiline, +rrcomments,
 3658 			+onesoa, +qr, +ttlid, +ttlunits and -u per lookup
 3659 			rather than global. [RT #42450]
 3660 
 3661 4480.	[placeholder]
 3662 
 3663 4479.	[placeholder]
 3664 
 3665 4478.	[func]		Add +continue option to mdig, allow continue on socket
 3666 			errors. [RT #43281]
 3667 
 3668 4477.	[test]		Fix mkeys test timing issues. [RT #41028]
 3669 
 3670 4476.	[test]		Fix reclimit test on slower machines. [RT #43283]
 3671 
 3672 4475.	[doc]		Update named-checkconf documentation. [RT #43153]
 3673 
 3674 4474.	[bug]		win32: call WSAStartup in fromtext_in_wks so that
 3675 			getprotobyname and getservbyname work.  [RT #43197]
 3676 
 3677 4473.	[bug]		Only call fsync / _commit on regular files. [RT #43196]
 3678 
 3679 4472.	[bug]		Named could fail to find the correct NSEC3 records when
 3680 			a zone was updated between looking for the answer and
 3681 			looking for the NSEC3 records proving nonexistence
 3682 			of the answer. [RT #43247]
 3683 
 3684 	--- 9.11.0 released ---
 3685 
 3686 	--- 9.11.0rc3 released ---
 3687 
 3688 4471.	[cleanup]	Render client/query logging format consistent for
 3689 			ease of log file parsing. (Note that this affects
 3690 			"querylog" format: there is now an additional field
 3691 			indicating the client object address.) [RT #43238]
 3692 
 3693 4470.	[bug]		Reset message with intent parse before
 3694 			calling dns_dispatch_getnext. [RT #43229]
 3695 
 3696 4469.	[placeholder]
 3697 
 3698 	--- 9.11.0rc2 released ---
 3699 
 3700 4468.	[bug]		Address ECS option handling issues. [RT #43191]
 3701 
 3702 4467.	[security]	It was possible to trigger an assertion when
 3703 			rendering a message. (CVE-2016-2776) [RT #43139]
 3704 
 3705 4466.	[bug]		Interface scanning didn't work on a Windows system
 3706 			without a non-local IPv6 address. [RT #43130]
 3707 
 3708 4465.	[bug]		Don't use "%z" as Windows doesn't support it.
 3709 			[RT #43131]
 3710 
 3711 4464.	[bug]		Fix windows python support. [RT #43173]
 3712 
 3713 4463.	[bug]		The dnstap system test failed on some systems.
 3714 			[RT #43129]
 3715 
 3716 4462.	[bug]		Don't describe a returned EDNS COOKIE as "good"
 3717 			when there isn't a valid server cookie. [RT #43167]
 3718 
 3719 4461.	[bug]		win32: not all external data was properly marked
 3720 			as external data for windows dll. [RT #43161]
 3721 
 3722 	--- 9.11.0rc1 released ---
 3723 
 3724 4460.	[test]		Add system test for dnstap using unix domain sockets.
 3725 			[RT #42926]
 3726 
 3727 4459.	[bug]		TCP client objects created to handle pipeline queries
 3728 			were not cleaned up correctly, causing uncontrolled
 3729 			memory growth. [RT #43106]
 3730 
 3731 4458.	[cleanup]	Update assertions to be more correct, and also remove
 3732 			use of a reserved word. [RT #43090]
 3733 
 3734 4457.	[maint]		Added AAAA (2001:500:a8::e) for E.ROOT-SERVERS.NET.
 3735 
 3736 4456.	[doc]		Add DOCTYPE and lang attribute to <html> tags.
 3737 			[RT #42587]
 3738 
 3739 4455.	[cleanup]	Allow dyndb modules to correctly log the filename
 3740 			and line number when processing configuration text
 3741 			from named.conf. [RT #43050]
 3742 
 3743 4454.	[bug]		'rndc dnstap -reopen' had a race issue. [RT #43089]
 3744 
 3745 4453.	[bug]		Prefetching of DS records failed to update their
 3746 			RRSIGs. [RT #42865]
 3747 
 3748 4452.	[bug]		The default key manager policy file is now
 3749 			<sysdir>/dnssec-policy.conf (usually
 3750 			/etc/dnssec-policy.conf). [RT #43064]
 3751 
 3752 4451.	[cleanup]	Log more useful information if a PKCS#11 provider
 3753 			library cannot be loaded. [RT #43076]
 3754 
 3755 4450.	[port]		Provide more nuanced HSM support which better matches
 3756 			the specific PKCS11 provider's capabilities. [RT #42458]
 3757 
 3758 4449.	[test]		Fix catalog zones test on slower systems. [RT #42997]
 3759 
 3760 4448.	[bug]		win32: ::1 was not being found when iterating
 3761 			interfaces. [RT #42993]
 3762 
 3763 4447.	[tuning]	Allow the fstrm_iothr_init() options to be set using
 3764 			named.conf to control how dnstap manages the data
 3765 			flow. [RT #42974]
 3766 
 3767 4446.	[bug]		The cache_find() and _findrdataset() functions
 3768 			could find rdatasets that had been marked stale.
 3769 			[RT #42853]
 3770 
 3771 4445.	[cleanup]	isc_errno_toresult() can now be used to call the
 3772 			formerly private function isc__errno2result().
 3773 			[RT #43050]
 3774 
 3775 4444.	[bug]		Fixed some issues related to dyndb: A bug caused
 3776 			braces to be omitted when passing configuration text
 3777 			from named.conf to a dyndb driver, and there was a
 3778 			use-after-free in the sample dyndb driver. [RT #43050]
 3779 
 3780 4443.	[func]		Set TCP_MAXSEG in addition to IPV6_USE_MIN_MTU on
 3781 			TCP sockets. [RT #42864]
 3782 
 3783 4442.	[bug]		Fix RPZ CIDR tree insertion bug that corrupted
 3784 			tree data structure with overlapping networks
 3785 			(longest prefix match was ineffective).
 3786 			[RT #43035]
 3787 
 3788 4441.	[cleanup]	Alphabetize host's help output. [RT #43031]
 3789 
 3790 4440.	[func]		Enable TCP fast open support when available on the
 3791 			server side. [RT #42866]
 3792 
 3793 4439.	[bug]		Address race conditions getting ownernames of nodes.
 3794 			[RT #43005]
 3795 
 3796 4438.	[func]		Use LIFO rather than FIFO when processing startup
 3797 			notify and refresh queries. [RT #42825]
 3798 
 3799 4437.	[func]		Minimal-responses now has two additional modes
 3800 			no-auth and no-auth-recursive which suppress
 3801 			adding the NS records to the authority section
 3802 			as well as the associated address records for the
 3803 			nameservers. [RT #42005]
 3804 
 3805 4436.	[func]		Return TLSA records as additional data for MX and SRV
 3806 			lookups. [RT #42894]
 3807 
 3808 4435.	[tuning]	Only set IPV6_USE_MIN_MTU for UDP when the message
 3809 			will not fit into a single IPv4 encapsulated IPv6
 3810 			UDP packet when transmitted over an Ethernet link.
 3811 			[RT #42871]
 3812 
 3813 4434.	[protocol]	Return EDNS EXPIRE option for master zones in addition
 3814 			to slave zones. [RT #43008]
 3815 
 3816 4433.	[cleanup]	Report an error when passing an invalid option or
 3817 			view name to "rndc dumpdb". [RT #42958]
 3818 
 3819 4432.	[test]		Hide rndc output on expected failures in logfileconfig
 3820 			system test. [RT #27996]
 3821 
 3822 4431.	[bug]		named-checkconf now checks the rate-limit clause.
 3823 			[RT #42970]
 3824 
 3825 4430.	[bug]		Lwresd died if a search list was not defined.
 3826 			Found by 0x710DDDD At Alibaba Security. [RT #42895]
 3827 
 3828 4429.	[bug]		Address potential use after free on fclose() error.
 3829 			[RT #42976]
 3830 
 3831 4428.	[bug]		The "test dispatch getnext" unit test could fail
 3832 			in a threaded build. [RT #42979]
 3833 
 3834 4427.	[bug]		The "query" and "response" parameters to the
 3835 			"dnstap" option had their functions reversed.
 3836 
 3837 	--- 9.11.0b3 released ---
 3838 
 3839 4426.	[bug]		Addressed Coverity warnings. [RT #42908]
 3840 
 3841 4425.	[bug]		arpaname, dnstap-read and named-rrchecker were not
 3842 			being installed into ${prefix}/bin.  Tidy up
 3843 			installation issues with CHANGE 4421. [RT #42910]
 3844 
 3845 4424.	[experimental]	Named now sends _ta-XXXX.<trust-anchor>/NULL queries
 3846 			to provide feedback to the trust-anchor administrators
 3847 			about how key rollovers are progressing as per
 3848 			draft-ietf-dnsop-edns-key-tag-02.  This can be
 3849 			disabled using 'trust-anchor-telemetry no;'.
 3850 			[RT #40583]
 3851 
 3852 4423.	[maint]		Added missing IPv6 address 2001:500:84::b for
 3853 			B.ROOT-SERVERS.NET. [RT #42898]
 3854 
 3855 4422.	[port]		Silence clang warnings in dig.c and dighost.c.
 3856 			[RT #42451]
 3857 
 3858 4421.	[func]		When built with LMDB (Lightning Memory-mapped
 3859 			Database), named will now use a database to store
 3860 			the configuration for zones added by "rndc addzone"
 3861 			instead of using a flat NZF file. This improves
 3862 			performance of "rndc delzone" and "rndc modzone"
 3863 			significantly. Existing NZF files will
 3864 			automatically be converted to NZD databases.
 3865 			To view the contents of an NZD or to roll back to
 3866 			NZF format, use "named-nzd2nzf". To disable
 3867 			this feature, use "configure --without-lmdb".
 3868 			[RT #39837]
 3869 
 3870 4420.	[func]		nslookup now looks for AAAA as well as A by default.
 3871 			[RT #40420]
 3872 
 3873 4419.	[bug]		Don't cause undefined result if the label of an
 3874 			entry in catalog zone is changed. [RT #42708]
 3875 
 3876 4418.	[bug]		Fix a compiler warning in GSSAPI code. [RT #42879]
 3877 
 3878 4417.	[bug]		dnssec-keymgr could fail to create successor keys
 3879 			if the prepublication interval was set to a value
 3880 			smaller than the default. [RT #42820]
 3881 
 3882 4416.	[bug]		dnssec-keymgr: Domain names in policy files could
 3883 			fail to match due to trailing dots. [RT #42807]
 3884 
 3885 4415.	[bug]		dnssec-keymgr: Expired/deleted keys were not always
 3886 			excluded. [RT #42884]
 3887 
 3888 4414.	[bug]		Corrected a bug in the MIPS implementation of
 3889 			isc_atomic_xadd(). [RT #41965]
 3890 
 3891 4413.	[bug]		GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED
 3892 			was returned. [RT #42733]
 3893 
 3894 	--- 9.11.0b2 released ---
 3895 
 3896 4412.	[cleanup]	Make fixes for GCC 6. ISC_OFFSET_MAXIMUM macro was
 3897 			removed. [RT #42721]
 3898 
 3899 4411.	[func]		"rndc dnstap -roll" automatically rolls the
 3900 			dnstap output file; the previous version is
 3901 			saved with ".0" suffix, and earlier versions
 3902 			with ".1" and so on. An optional numeric argument
 3903 			indicates how many prior files to save. [RT #42830]
 3904 
 3905 4410.	[bug]		Address use after free and memory leak with dnstap.
 3906 			[RT #42746]
 3907 
 3908 4409.	[bug]		DNS64 should exclude mapped addresses by default when
 3909 			an exclude acl is not defined. [RT #42810]
 3910 
 3911 4408.	[func]		Continue waiting for expected response when the
 3912 			response we get does not match the request. [RT #41026]
 3913 
 3914 4407.	[performance]	Use GCC builtin for clz in RPZ lookup code.
 3915 			[RT #42818]
 3916 
 3917 4406.	[security]	getrrsetbyname with a non absolute name could
 3918 			trigger an infinite recursion bug in lwresd
 3919 			and named with lwres configured if, when combined
 3920 			with a search list entry, the resulting name is
 3921 			too long. (CVE-2016-2775) [RT #42694]
 3922 
 3923 4405.	[bug]		Change 4342 introduced a regression where you could
 3924 			not remove a delegation in a NSEC3 signed zone using
 3925 			OPTOUT via nsupdate. [RT #42702]
 3926 
 3927 4404.	[misc]		Allow krb5-config to be used when configuring gssapi.
 3928 			[RT #42580]
 3929 
 3930 4403.	[bug]		Rename variables and arguments that shadow: basename,
 3931 			clone and gai_error.
 3932 
 3933 4402.	[bug]		protoc-c is now a hard requirement for --enable-dnstap.
 3934 
 3935 	--- 9.11.0b1 released ---
 3936 
 3937 4401.	[misc]		Change LICENSE to MPL 2.0.
 3938 
 3939 4400.	[bug]		ttl policy was not being inherited in policy.py.
 3940 			[RT #42718]
 3941 
 3942 4399.	[bug]		policy.py 'ECCGOST', 'ECDSAP256SHA256', and
 3943 			'ECDSAP384SHA384' don't have settable keysize.
 3944 			[RT #42718]
 3945 
 3946 4398.	[bug]		Correct spelling of ECDSAP256SHA256 in policy.py.
 3947 			[RT #42718]
 3948 
 3949 4397.	[bug]		Update Windows python support. [RT #42538]
 3950 
 3951 4396.	[func]		dnssec-keymgr now takes a '-r randomfile' option.
 3952 			[RT #42455]
 3953 
 3954 4395.	[bug]		Improve out-of-tree installation of python modules.
 3955 			[RT #42586]
 3956 
 3957 4394.	[func]		Add rndc command "dnstap-reopen" to close and
 3958 			reopen dnstap output files. [RT #41803]
 3959 
 3960 4393.	[bug]		Address potential NULL pointer dereferences in
 3961 			dnstap code.
 3962 
 3963 4392.	[func]		Collect statistics for RSSAC02v3 traffic-volume,
 3964 			traffic-sizes and rcode-volume reporting. [RT #41475]
 3965 
 3966 4391.	[contrib]	Fix leaks in contrib DLZ code. [RT #42707]
 3967 
 3968 4390.	[doc]		Description of masters with TSIG, allow-query and
 3969 			allow-transfer options in catalog zones. [RT #42692]
 3970 
 3971 4389.	[test]		Rewritten test suite for catalog zones. [RT #42676]
 3972 
 3973 4388.	[func]		Support for master entries with TSIG keys in catalog
 3974 			zones. [RT #42577]
 3975 
 3976 4387.	[bug]		Change 4336 was not complete leading to SERVFAIL
 3977 			being returned as NS records expired. [RT #42683]
 3978 
 3979 4386.	[bug]		Remove shadowed overmem function/variable. [RT #42706]
 3980 
 3981 4385.	[func]		Add support for allow-query and allow-transfer ACLs
 3982 			to catalog zones. [RT #42578]
 3983 
 3984 4384.	[bug]		Change 4256 accidentally disabled logging of the
 3985 			rndc command. [RT #42654]
 3986 
 3987 4383.	[bug]		Correct spelling error in stats channel description of
 3988 			"EDNS client subnet option received". [RT #42633]
 3989 
 3990 4382.	[bug]		rndc {addzone,modzone,delzone,showzone} should all
 3991 			compare the zone name using a canonical format.
 3992 			[RT #42630]
 3993 
 3994 4381.	[bug]		Missing "zone-directory" option in catalog zone
 3995 			definition caused BIND to crash. [RT #42579]
 3996 
 3997 	--- 9.11.0a3 released ---
 3998 
 3999 4380.	[experimental]	Added a "zone-directory" option to "catalog-zones"
 4000 			syntax, allowing local masterfiles for slaves
 4001 			that are provisioned by catalog zones to be stored
 4002 			in a directory other than the server's working
 4003 			directory. [RT #42527]
 4004 
 4005 4379.	[bug]		An INSIST could be triggered if a zone contains
 4006 			RRSIG records with expiry fields that loop
 4007 			using serial number arithmetic. [RT #40571]
 4008 
 4009 4378.	[contrib]	#include <isc/string.h> for strlcat in zone2ldap.c.
 4010 			[RT #42525]
 4011 
 4012 4377.	[bug]		Don't reuse zero TTL responses beyond the current
 4013 			client set (excludes ANY/SIG/RRSIG queries).
 4014 			[RT #42142]
 4015 
 4016 4376.	[experimental]	Added support for Catalog Zones, a new method for
 4017 			provisioning secondary servers in which a list of
 4018 			zones to be served is stored in a DNS zone and can
 4019 			be propagated to slaves via AXFR/IXFR. [RT #41581]
 4020 
 4021 4375.	[func]		Add support for automatic reallocation of isc_buffer
 4022 			to isc_buffer_put* functions. [RT #42394]
 4023 
 4024 4374.	[bug]		Use SAVE/RESTORE macros in query.c to reduce the
 4025 			probability of reference counting errors as seen
 4026 			in 4365. [RT #42405]
 4027 
 4028 4373.	[bug]		Address undefined behavior in getaddrinfo. [RT #42479]
 4029 
 4030 4372.	[bug]		Address undefined behavior in libt_api. [RT #42480]
 4031 
 4032 4371.	[func]		New "minimal-any" option reduces the size of UDP
 4033 			responses for qtype ANY by returning a single
 4034 			arbitrarily selected RRset instead of all RRsets.
 4035 			Thanks to Tony Finch. [RT #41615]
 4036 
 4037 4370.	[bug]		Address python3 compatibility issues with RNDC module.
 4038 			[RT #42499] [RT #42506]
 4039 
 4040 	--- 9.11.0a2 released ---
 4041 
 4042 4369.	[bug]		Fix 'make' and 'make install' out-of-tree python
 4043 			support. [RT #42484]
 4044 
 4045 4368.	[bug]		Fix a crash when calling "rndc stats" on some
 4046 			Windows builds because some Visual Studio compilers
 4047 			generated crashing code for the "%z" printf()
 4048 			format specifier. [RT #42380]
 4049 
 4050 4367.	[bug]		Remove unnecessary assignment of loadtime in
 4051 			zone_touched. [RT #42440]
 4052 
 4053 4366.	[bug]		Address race condition when updating rbtnode bit
 4054 			fields. [RT #42379]
 4055 
 4056 4365.	[bug]		Address zone reference counting errors involving
 4057 			nxdomain-redirect. [RT #42258]
 4058 
 4059 4364.	[port]		freebsd: add -Wl,-E to loader flags [RT #41690]
 4060 
 4061 4363.	[port]		win32: Disable explicit triggering of UAC when running
 4062 			BINDInstall.
 4063 
 4064 4362.	[func]		Changed rndc reconfig behavior so that newly added
 4065 			zones are loaded asynchronously and the loading does
 4066 			not block the server. [RT #41934]
 4067 
 4068 4361.	[cleanup]	Where supported, file modification times returned
 4069 			by isc_file_getmodtime() are now accurate to the
 4070 			nanosecond. [RT #41968]
 4071 
 4072 4360.	[bug]		Silence spurious 'bad key type' message when there is
 4073 			an existing TSIG key. [RT #42195]
 4074 
 4075 4359.	[bug]		Inherited 'also-notify' lists were not being checked
 4076 			by named-checkconf. [RT #42174]
 4077 
 4078 4358.	[test]		Added American Fuzzy Lop harness that allows
 4079 			feeding fuzzed packets into BIND.
 4080 			[RT #41723]
 4081 
 4082 4357.	[func]		Add the python RNDC module. [RT #42093]
 4083 
 4084 4356.	[func]		Add the ability to specify whether to wait for
 4085 			nameserver addresses to be looked up or not to
 4086 			RPZ with a new modifying directive 'nsip-wait-recurse'.
 4087 			[RT #35009]
 4088 
 4089 4355.	[func]		"pkcs11-list" now displays the extractability
 4090 			attribute of private or secret keys stored in
 4091 			an HSM, as either "true", "false", or "never".
 4092 			Thanks to Daniel Stirnimann. [RT #36557]
 4093 
 4094 4354.	[bug]		Check that the received HMAC length matches the
 4095 			expected length prior to checking the contents on the
 4096 			control channel.  This prevents an OOB read error.
 4097 			This was reported by Lian Yihan, <lianyihan@360.cn>.
 4098 			[RT #42215]
 4099 
 4100 4353.	[cleanup]	Update PKCS#11 header files. [RT #42175]
 4101 
 4102 4352.	[cleanup]	The ISC DNSSEC Lookaside Validation (DLV) service
 4103 			is scheduled to be disabled in 2017.  A warning is
 4104 			now logged when named is configured to use it,
 4105 			either explicitly or via "dnssec-lookaside auto;"
 4106 			[RT #42207]
 4107 
 4108 4351.	[bug]		'dig +noignore' didn't work. [RT #42273]
 4109 
 4110 4350.	[contrib]	Declare result in dlz_filesystem_dynamic.c.
 4111 
 4112 4349.	[contrib]	kasp2policy: A python script to create a DNSSEC
 4113 			policy file from an OpenDNSSEC KASP XML file.
 4114 
 4115 4348.	[func]		dnssec-keymgr: A new python-based DNSSEC key
 4116 			management utility, which reads a policy definition
 4117 			file and can create or update DNSSEC keys as needed
 4118 			to ensure that a zone's keys match policy, roll over
 4119 			correctly on schedule, etc.  Thanks to Sebastian
 4120 			Castro for assistance in development. [RT #39211]
 4121 
 4122 4347.	[port]		Corrected a build error on x86_64 Solaris. [RT #42150]
 4123 
 4124 4346.	[bug]		Fixed a regression introduced in change #4337 which
 4125 			caused signed domains with revoked KSKs to fail
 4126 			validation. [RT #42147]
 4127 
 4128 4345.	[contrib]	perftcpdns mishandled the return values from
 4129 			clock_nanosleep. [RT #42131]
 4130 
 4131 4344.	[port]		Address openssl version differences. [RT #42059]
 4132 
 4133 4343.	[bug]		dns_dnssec_syncupdate mis-declared in <dns/dnssec.h>.
 4134 			[RT #42090]
 4135 
 4136 4342.	[bug]		'rndc flushtree' could fail to clean the tree if there
 4137 			wasn't a node at the specified name. [RT #41846]
 4138 
 4139 	--- 9.11.0a1 released ---
 4140 
 4141 4341.	[bug]		Correct the handling of ECS options with
 4142 			address family 0. [RT #41377]
 4143 
 4144 4340.	[performance]	Implement adaptive read-write locks, reducing the
 4145 			overhead of locks that are only held briefly.
 4146 			[RT #37329]
 4147 
 4148 4339.	[test]		Use "mdig" to test pipelined queries. [RT #41929]
 4149 
 4150 4338.	[bug]		Reimplement change 4324 as it wasn't properly doing
 4151 			all the required bookkeeping. [RT #41941]
 4152 
 4153 4337.	[bug]		The previous change exposed a latent flaw in
 4154 			key refresh queries for managed-keys when
 4155 			a cached DNSKEY had TTL 0. [RT #41986]
 4156 
 4157 4336.	[bug]		Don't emit records with zero ttl unless the records
 4158 			were learnt with a zero ttl. [RT #41687]
 4159 
 4160 4335.	[bug]		zone->view could be detached too early. [RT #41942]
 4161 
 4162 4334.	[func]		'named -V' now reports zlib version. [RT #41913]
 4163 
 4164 4333.	[maint]		L.ROOT-SERVERS.NET is now 199.7.83.42 and
 4165 			2001:500:9f::42.
 4166 
 4167 4332.	[placeholder]
 4168 
 4169 4331.	[func]		When loading managed signed zones detect if the
 4170 			RRSIG's inception time is in the future and regenerate
 4171 			the RRSIG immediately. [RT #41808]
 4172 
 4173 4330.	[protocol]	Identify the PAD option as "PAD" when printing out
 4174 			a message.
 4175 
 4176 4329.	[func]		Warn about a common misconfiguration when forwarding
 4177 			RFC 1918 zones. [RT #41441]
 4178 
 4179 4328.	[performance]	Add dns_name_fromwire() benchmark test. [RT #41694]
 4180 
 4181 4327.	[func]		Log query and depth counters during fetches when
 4182 			querytrace (./configure --enable-querytrace) is
 4183 			enabled (helps in diagnosing).  [RT #41787]
 4184 
 4185 4326.	[protocol]	Add support for AVC. [RT #41819]
 4186 
 4187 4325.	[func]		Add a line to "rndc status" indicating the
 4188 			hostname and operating system details. [RT #41610]
 4189 
 4190 4324.	[bug]		When deleting records from a zone database, interior
 4191 			nodes could be left empty but not deleted, damaging
 4192 			search performance afterward. [RT #40997]
 4193 
 4194 4323.	[bug]		Improve HTTP header processing on statschannel.
 4195 			[RT #41674]
 4196 
 4197 4322.	[security]	Duplicate EDNS COOKIE options in a response could
 4198 			trigger an assertion failure. (CVE-2016-2088)
 4199 			[RT #41809]
 4200 
 4201 4321.	[bug]		Zones using mapped files containing out-of-zone data
 4202 			could return SERVFAIL instead of the expected NODATA
 4203 			or NXDOMAIN results. [RT #41596]
 4204 
 4205 4320.	[bug]		Insufficient memory allocation when handling
 4206 			"none" ACL could cause an assertion failure in
 4207 			named when parsing ACL configuration. [RT #41745]
 4208 
 4209 4319.	[security]	Fix resolver assertion failure due to improper
 4210 			DNAME handling when parsing fetch reply messages.
 4211 			(CVE-2016-1286) [RT #41753]
 4212 
 4213 4318.	[security]	Malformed control messages can trigger assertions
 4214 			in named and rndc. (CVE-2016-1285) [RT #41666]
 4215 
 4216 4317.	[bug]		Age all unused servers on fetch timeout. [RT #41597]
 4217 
 4218 4316.	[func]		Add option to tools to print RRs in unknown
 4219 			presentation format [RT #41595].
 4220 
 4221 4315.	[bug]		Check that configured view class isn't a meta class.
 4222 			[RT #41572].
 4223 
 4224 4314.	[contrib]	Added 'dnsperf-2.1.0.0-1', a set of performance
 4225 			testing tools provided by Nominum, Inc.
 4226 
 4227 4313.	[bug]		Handle ns_client_replace failures in test mode.
 4228 			[RT #41190]
 4229 
 4230 4312.	[bug]		dig's unknown DNS and EDNS flags (MBZ value) logging
 4231 			was not consistent. [RT #41600]
 4232 
 4233 4311.	[bug]		Prevent "rndc delzone" from being used on
 4234 			response-policy zones. [RT #41593]
 4235 
 4236 4310.	[performance]	Use __builtin_expect() where available to annotate
 4237 			conditions with known behavior. [RT #41411]
 4238 
 4239 4309.	[cleanup]	Remove the spurious "none" filename from log messages
 4240 			when processing built-in configuration. [RT #41594]
 4241 
 4242 4308.	[func]		Added operating system details to "named -V"
 4243 			output. [RT #41452]
 4244 
 4245 4307.	[bug]		"dig +subnet" and "mdig +subnet" could send
 4246 			incorrectly-formatted Client Subnet options
 4247 			if the prefix length was not divisible by 8.
 4248 			Also fixed a memory leak in "mdig". [RT #45178]
 4249 
 4250 4306.	[maint]		Added a PKCS#11 openssl patch supporting
 4251 			version 1.0.2f [RT #38312]
 4252 
 4253 4305.	[bug]		dnssec-signzone was not removing unnecessary rrsigs
 4254 			from the zone's apex. [RT #41483]
 4255 
 4256 4304.	[port]		xfer system test failed as 'tail -n +value' is not
 4257 			portable. [RT #41315]
 4258 
 4259 4303.	[bug]		"dig +subnet" was unable to send a prefix length of
 4260 			zero, as it was incorrectly changed to 32 for v4
 4261 			prefixes or 128 for v6 prefixes. In addition to
 4262 			fixing this, "dig +subnet=0" has been added as a
 4263 			short form for 0.0.0.0/0. The same changes have
 4264 			also been made in "mdig". [RT #41553]
 4265 
 4266 4302.	[port]		win32: fixed a build error in VS 2015. [RT #41426]
 4267 
 4268 4301.	[bug]		dnssec-settime -p [DP]sync was not working. [RT #41534]
 4269 
 4270 4300.	[bug]		A flag could be set in the wrong field when setting
 4271 			up non-recursive queries; this could cause the
 4272 			SERVFAIL cache to cache responses it shouldn't.
 4273 			New querytrace logging has been added which
 4274 			identified this error. [RT #41155]
 4275 
 4276 4299.	[bug]		Check that exactly totallen bytes are read when
 4277 			reading a RRset from raw files in both single read
 4278 			and incremental modes. [RT #41402]
 4279 
 4280 4298.	[bug]		dns_rpz_add errors in loadzone were not being
 4281 			propagated up the call stack. [RT #41425]
 4282 
 4283 4297.	[test]		Ensure delegations in RPZ zones fail robustly.
 4284 			[RT #41518]
 4285 
 4286 4296.	[bug]		TCP packet sizes were calculated incorrectly in the
 4287 			stats channel; they could be counted in the wrong
 4288 			histogram bucket. [RT #40587]
 4289 
 4290 4295.	[bug]		An unchecked result in dns_message_pseudosectiontotext()
 4291 			could allow incorrect text formatting of EDNS EXPIRE
 4292 			options. [RT #41437]
 4293 
 4294 4294.	[bug]		Fixed a regression in which "rndc stop -p" failed
 4295 			to print the PID. [RT #41513]
 4296 
 4297 4293.	[bug]		Address memory leak on priming query creation failure.
 4298 			[RT #41512]
 4299 
 4300 4292.	[placeholder]
 4301 
 4302 4291.	[cleanup]	Added a required include to dns/forward.h. [RT #41474]
 4303 
 4304 4290.	[func]		The timers returned by the statistics channel
 4305 			(indicating current time, server boot time, and
 4306 			most recent reconfiguration time) are now reported
 4307 			with millisecond accuracy. [RT #40082]
 4308 
 4309 4289.	[bug]		The server could crash due to memory being used
 4310 			after it was freed if a zone transfer timed out.
 4311 			[RT #41297]
 4312 
 4313 4288.	[bug]		Fixed a regression in resolver.c:possibly_mark()
 4314 			which caused known-bogus servers to be queried
 4315 			anyway. [RT #41321]
 4316 
 4317 4287.	[bug]		Silence an overly noisy log message when message
 4318 			parsing fails. [RT #41374]
 4319 
 4320 4286.	[security]	render_ecs errors were mishandled when printing out
 4321 			an OPT record resulting in an assertion failure.
 4322 			(CVE-2015-8705) [RT #41397]
 4323 
 4324 4285.	[security]	Specific APL data could trigger an INSIST.
 4325 			(CVE-2015-8704) [RT #41396]
 4326 
 4327 4284.	[bug]		Some GeoIP options were incorrectly documented
 4328 			using abbreviated forms which were not accepted by
 4329 			named.  The code has been updated to allow both
 4330 			long and abbreviated forms. [RT #41381]
 4331 
 4332 4283.	[bug]		OPENSSL_config is no longer re-callable. [RT #41348]
 4333 
 4334 4282.	[func]		'dig +[no]mapped' determines whether the use of mapped
 4335 			IPv4 addresses over IPv6 is permitted or not.  The
 4336 			default is +mapped.  [RT #41307]
 4337 
 4338 4281.	[bug]		Teach dns_message_totext about BADCOOKIE. [RT #41257]
 4339 
 4340 4280.	[performance]	Use optimal message sizes to improve compression
 4341 			in AXFRs. This reduces network traffic. [RT #40996]
 4342 
 4343 4279.	[test]		Don't use fixed ports when unit testing. [RT #41194]
 4344 
 4345 4278.	[bug]		'delv +short +[no]split[=##]' didn't work as expected.
 4346 			[RT #41238]
 4347 
 4348 4277.	[performance]	Improve performance of the RBT, the central zone
 4349 			data structure: The aux hashtable was improved,
 4350 			hash function was updated to perform more
 4351 			uniform mapping, uppernode was added to
 4352 			dns_rbtnode, and other cleanups and performance
 4353 			improvements were made. [RT #41165]
 4354 
 4355 4276.	[protocol]	Add support for SMIMEA. [RT #40513]
 4356 
 4357 4275.	[performance]	Lazily initialize dns_compress->table only when
 4358 			compression is enabled. [RT #41189]
 4359 
 4360 4274.	[performance]	Speed up typemap processing from text. [RT #41196]
 4361 
 4362 4273.	[bug]		Only call dns_test_begin() and dns_test_end() once each
 4363 			in nsec3_test as it fails with GOST if called multiple
 4364 			times.
 4365 
 4366 4272.	[bug]		dig: the +norrcomments option didn't work with +multi.
 4367 			[RT #41234]
 4368 
 4369 4271.	[test]		Unit tests could deadlock in isc__taskmgr_pause().
 4370 			[RT #41235]
 4371 
 4372 4270.	[security]	Update allowed OpenSSL versions as named is
 4373 			potentially vulnerable to CVE-2015-3193.
 4374 
 4375 4269.	[bug]		Zones using "map" format master files currently
 4376 			don't work as policy zones.  This limitation has
 4377 			now been documented; attempting to use such zones
 4378 			in "response-policy" statements is now a
 4379 			configuration error.  [RT #38321]
 4380 
 4381 4268.	[func]		"rndc status" now reports the path to the
 4382 			configuration file. [RT #36470]
 4383 
 4384 4267.	[test]		Check sdlz error handling. [RT #41142]
 4385 
 4386 4266.	[placeholder]
 4387 
 4388 4265.	[bug]		Address unchecked isc_mem_get calls. [RT #41187]
 4389 
 4390 4264.	[bug]		Check const of strchr/strrchr assignments match
 4391 			argument's const status. [RT #41150]
 4392 
 4393 4263.	[contrib]	Address compiler warnings in mysqldyn module.
 4394 			[RT #41130]
 4395 
 4396 4262.	[bug]		Fixed a bug in epoll socket code that caused
 4397 			sockets to not be registered for ready
 4398 			notification in some cases, causing named to not
 4399 			read from or write to them, resulting in what
 4400 			appear to the user as blocked connections.
 4401 			[RT #41067]
 4402 
 4403 4261.	[maint]		H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53.
 4404 			[RT #40556]
 4405 
 4406 4260.	[security]	Insufficient testing when parsing a message allowed
 4407 			records with an incorrect class to be accepted,
 4408 			triggering a REQUIRE failure when those records
 4409 			were subsequently cached. (CVE-2015-8000) [RT #40987]
 4410 
 4411 4259.	[func]		Add an option for non-destructive control channel
 4412 			access using a "read-only" clause. In such
 4413 			cases, a restricted set of rndc commands are
 4414 			allowed for querying information from named.
 4415 			[RT #40498]
 4416 
 4417 4258.	[bug]		Limit rndc query message sizes to 32 KiB. This should
 4418 			not break any legitimate rndc commands, but will
 4419 			prevent a rogue rndc query from allocating too
 4420 			much memory. [RT #41073]
 4421 
 4422 4257.	[cleanup]	Python scripts reported incorrect version. [RT #41080]
 4423 
 4424 4256.	[bug]		Allow rndc command arguments to be quoted so as
 4425 			to allow spaces. [RT #36665]
 4426 
 4427 4255.	[performance]	Add 'message-compression' option to disable DNS
 4428 			compression in responses. [RT #40726]
 4429 
 4430 4254.	[bug]		Address missing lock when getting zone's serial.
 4431 			[RT #41072]
 4432 
 4433 4253.	[security]	Address fetch context reference count handling error
 4434 			on socket error. (CVE-2015-8461)  [RT #40945]
 4435 
 4436 4252.	[func]		Add support for automating the generation of CDS and
 4437 			CDNSKEY rrsets to named and dnssec-signzone.
 4438 			[RT #40424]
 4439 
 4440 4251.	[bug]		NTAs were deleted when the server was reconfigured
 4441 			or reloaded. [RT #41058]
 4442 
 4443 4250.	[func]		Log the TSIG key in use during inbound zone
 4444 			transfers. [RT #41075]
 4445 
 4446 4249.	[func]		Improve error reporting of TSIG / SIG(0) records in
 4447 			the wrong location. [RT #41030]
 4448 
 4449 4248.	[performance]	Add an isc_atomic_storeq() function, use it in
 4450 			stats counters to improve performance.
 4451 			[RT #39972] [RT #39979]
 4452 
 4453 4247.	[port]		Require both HAVE_JSON and JSON_C_VERSION to be
 4454 			defined to report json library version. [RT #41045]
 4455 
 4456 4246.	[test]		Ensure the statschannel system test runs when BIND
 4457 			is not built with libjson. [RT #40944]
 4458 
 4459 4245.	[placeholder]
 4460 
 4461 4244.	[bug]		The parser was not reporting that use-ixfr is obsolete.
 4462 			[RT #41010]
 4463 
 4464 4243.	[func]		Improved stats reporting from Timothe Litt. [RT #38941]
 4465 
 4466 4242.	[bug]		Replace the client if not already replaced when
 4467 			prefetching. [RT #41001]
 4468 
 4469 4241.	[doc]		Improved the TSIG, TKEY, and SIG(0) sections in
 4470 			the ARM. [RT #40955]
 4471 
 4472 4240.	[port]		Fix LibreSSL compatibility. [RT #40977]
 4473 
 4474 4239.	[func]		Changed default servfail-ttl value to 1 second from 10.
 4475 			Also, the maximum value is now 30 instead of 300.
 4476 			[RT #37556]
 4477 
 4478 4238.	[bug]		Don't send to servers on net zero (0.0.0.0/8).
 4479 			[RT #40947]
 4480 
 4481 4237.	[doc]		Upgraded documentation toolchain to use DocBook 5
 4482 			and dblatex. [RT #40766]
 4483 
 4484 4236.	[performance]	On machines with 2 or more processors (CPU), the
 4485 			default value for the number of UDP listeners
 4486 			has been changed to the number of detected
 4487 			processors minus one. [RT #40761]
 4488 
 4489 4235.	[func]		Added support in named for "dnstap", a fast method of
 4490 			capturing and logging DNS traffic, and a new command
 4491 			"dnstap-read" to read a dnstap log file.  Use
 4492 			"configure --enable-dnstap" to enable this
 4493 			feature (note that this requires libprotobuf-c
 4494 			and libfstrm). See the ARM for configuration details.
 4495 
 4496 			Thanks to Robert Edmonds of Farsight Security.
 4497 			[RT #40211]
 4498 
 4499 4234.	[func]		Add deflate compression in statistics channel HTTP
 4500 			server. [RT #40861]
 4501 
 4502 4233.	[test]		Add tests for CDS and CDNSKEY with delegation-only.
 4503 			[RT #40597]
 4504 
 4505 4232.	[contrib]	Address unchecked memory allocation calls in
 4506 			query-loc and zone2ldap. [RT #40789]
 4507 
 4508 4231.	[contrib]	Address unchecked calloc call in dlz_mysqldyn_mod.c.
 4509 			[RT #40840]
 4510 
 4511 4230.	[contrib]	dlz_wildcard_dynamic.c:dlz_create could return an
 4512 			uninitialized result. [RT #40839]
 4513 
 4514 4229.	[bug]		A variable could be used uninitialized in
 4515 			dns_update_signaturesinc. [RT #40784]
 4516 
 4517 4228.	[bug]		Address race condition in dns_client_destroyrestrans.
 4518 			[RT #40605]
 4519 
 4520 4227.	[bug]		Silence static analysis warnings. [RT #40828]
 4521 
 4522 4226.	[bug]		Address a theoretical shutdown race in
 4523 			zone.c:notify_send_queue(). [RT #38958]
 4524 
 4525 4225.	[port]		freebsd/openbsd:  Use '${CC} -shared' for building
 4526 			shared libraries. [RT #39557]
 4527 
 4528 4224.	[func]		Added support for "dyndb", a new interface for loading
 4529 			zone data from an external database, developed by
 4530 			Red Hat for the FreeIPA project.
 4531 
 4532 			DynDB drivers fully implement the BIND database
 4533 			API, and are capable of significantly better
 4534 			performance and functionality than DLZ drivers,
 4535 			while taking advantage of advanced database
 4536 			features not available in BIND such as multi-master
 4537 			replication.
 4538 
 4539 			Thanks to Adam Tkac and Petr Spacek of Red Hat.
 4540 			[RT #35271]
 4541 
 4542 4223.	[func]		Add support for setting max-cache-size to percentage
 4543 			of available physical memory, set default to 90%.
 4544 			[RT #38442]
 4545 
 4546 4222.	[func]		Bias IPv6 servers when selecting the next server to
 4547 			query. [RT #40836]
 4548 
 4549 4221.	[bug]		Resource leak on DNS_R_NXDOMAIN in fctx_create.
 4550 			[RT #40583]
 4551 
 4552 4220.	[doc]		Improve documentation for zone-statistics.
 4553 			[RT #36955]
 4554 
 4555 4219.	[bug]		Set event->result to ISC_R_WOULDBLOCK on EWOULDBLOCK,
 4556 			EAGAIN when these soft errors are not retried for
 4557 			isc_socket_send*().
 4558 
 4559 4218.	[bug]		Potential null pointer dereference on out of memory
 4560 			if mmap is not supported. [RT #40777]
 4561 
 4562 4217.	[protocol]	Add support for CSYNC. [RT #40532]
 4563 
 4564 4216.	[cleanup]	Silence static analysis warnings. [RT #40649]
 4565 
 4566 4215.	[bug]		nsupdate: skip to next request on GSSTKEY create
 4567 			failure. [RT #40685]
 4568 
 4569 4214.	[protocol]	Add support for TALINK.  [RT #40544]
 4570 
 4571 4213.	[bug]		Don't reuse a cache across multiple classes.
 4572 			[RT #40205]
 4573 
 4574 4212.	[func]		Re-query if we get a bad client cookie returned over
 4575 			UDP. [RT #40748]
 4576 
 4577 4211.	[bug]		Ensure that lwresd gets at least one task to work
 4578 			with if enabled. [RT #40652]
 4579 
 4580 4210.	[cleanup]	Silence use after free false positive. [RT #40743]
 4581 
 4582 4209.	[bug]		Address resource leaks in dlz modules. [RT #40654]
 4583 
 4584 4208.	[bug]		Address null pointer dereferences on out of memory.
 4585 			[RT #40764]
 4586 
 4587 4207.	[bug]		Handle class mismatches with raw zone files.
 4588 			[RT #40746]
 4589 
 4590 4206.	[bug]		contrib: fixed a possible NULL dereference in
 4591 			DLZ wildcard module. [RT #40745]
 4592 
 4593 4205.	[bug]		'named-checkconf -p' could include unwanted spaces
 4594 			when printing tuples with unset optional fields.
 4595 			[RT #40731]
 4596 
 4597 4204.	[bug]		'dig +trace' failed to look up the correct type if
 4598 			the initial root NS query was retried. [RT #40296]
 4599 
 4600 4203.	[test]		The rrchecker system test now tests conversion
 4601 			to and from unknown-type format. [RT #40584]
 4602 
 4603 4202.	[bug]		isccc_cc_fromwire() could return an incorrect
 4604 			result. [RT #40614]
 4605 
 4606 4201.	[func]		The default preferred-glue is now the address record
 4607 			type of the transport the query was received
 4608 			over.  [RT #40468]
 4609 
 4610 4200.	[cleanup]	win32: update BINDinstall to be BIND release
 4611 			independent. [RT #38915]
 4612 
 4613 4199.	[protocol]	Add support for NINFO, RKEY, SINK, TA.
 4614 			[RT #40545] [RT #40547] [RT #40561] [RT #40563]
 4615 
 4616 4198.	[placeholder]
 4617 
 4618 4197.	[bug]		'named-checkconf -z' didn't handle 'in-view' clauses.
 4619 			[RT #40603]
 4620 
 4621 4196.	[doc]		Improve how "enum + other" types are documented.
 4622 			[RT #40608]
 4623 
 4624 4195.	[bug]		'max-zone-ttl unlimited;' was broken. [RT #40608]
 4625 
 4626 4194.	[bug]		named-checkconf -p failed to properly print a port
 4627 			range.  [RT #40634]
 4628 
 4629 4193.	[bug]		Handle broken servers that return BADVERS incorrectly.
 4630 			[RT #40427]
 4631 
 4632 4192.	[bug]		The default rrset-order of random was not always being
 4633 			applied. [RT #40456]
 4634 
 4635 4191.	[protocol]	Accept DNS-SD non LDH PTR records in reverse zones
 4636 			as per RFC 6763. [RT #37889]
 4637 
 4638 4190.	[protocol]	Accept Active Directory gc._msdcs.<forest> name as
 4639 			valid with check-names.  <forest> still needs to be
 4640 			LDH. [RT #40399]
 4641 
 4642 4189.	[cleanup]	Don't exit on overly long tokens in named.conf.
 4643 			[RT #40418]
 4644 
 4645 4188.	[bug]		Support HTTP/1.0 client properly on the statistics
 4646 			channel. [RT #40261]
 4647 
 4648 4187.	[func]		When any RR type implementation doesn't
 4649 			implement totext() for the RDATA's wire
 4650 			representation and returns ISC_R_NOTIMPLEMENTED,
 4651 			such RDATA is now printed in unknown
 4652 			presentation format (RFC 3597). RR types affected
 4653 			include LOC(29) and APL(42). [RT #40317].
 4654 
 4655 4186.	[bug]		Fixed an RPZ bug where a QNAME would be matched
 4656 			against a policy RR with wildcard owner name
 4657 			(trigger) where the QNAME was the wildcard owner
 4658 			name's parent. For example, the bug caused a query
 4659 			with QNAME "example.com" to match a policy RR with
 4660 			"*.example.com" as trigger. [RT #40357]
 4661 
 4662 4185.	[bug]		Fixed an RPZ bug where a policy RR with wildcard
 4663 			owner name (trigger) would prevent another policy RR
 4664 			with its parent owner name from being
 4665 			loaded. For example, the bug caused a policy RR
 4666 			with trigger "example.com" to not have any
 4667 			effect when a previous policy RR with trigger
 4668 			"*.example.com" existed in that RPZ zone.
 4669 			[RT #40357]
 4670 
 4671 4184.	[bug]		Fixed a possible memory leak in name compression
 4672 			when rendering long messages. (Also, improved
 4673 			wire_test for testing such messages.) [RT #40375]
 4674 
 4675 4183.	[cleanup]	Use timing-safe memory comparisons in cryptographic
 4676 			code. Also, the timing-safe comparison functions have
 4677 			been renamed to avoid possible confusion with
 4678 			memcmp(). Thanks to Loganaden Velvindron of
 4679 			AFRINIC. [RT #40148]
 4680 
 4681 4182.	[cleanup]	Use mnemonics for RR class and type comparisons.
 4682 			[RT #40297]
 4683 
 4684 4181.	[bug]		Queued notify messages could be dequeued from the
 4685 			wrong rate limiter queue. [RT #40350]
 4686 
 4687 4180.	[bug]		Error responses in pipelined queries could
 4688 			cause a crash in client.c. [RT #40289]
 4689 
 4690 4179.	[bug]		Fix double frees in getaddrinfo() in libirs.
 4691 			[RT #40209]
 4692 
 4693 4178.	[bug]		Fix assertion failure in parsing UNSPEC(103) RR from
 4694 			text. [RT #40274]
 4695 
 4696 4177.	[bug]		Fix assertion failure in parsing NSAP records from
 4697 			text. [RT #40285]
 4698 
 4699 4176.	[bug]		Address race issues with lwresd. [RT #40284]
 4700 
 4701 4175.	[bug]		TKEY with GSS-API keys needed bigger buffers.
 4702 			[RT #40333]
 4703 
 4704 4174.	[bug]		"dnssec-coverage -r" didn't handle time unit
 4705 			suffixes correctly. [RT #38444]
 4706 
 4707 4173.	[bug]		dig +sigchase was not properly matching the trusted
 4708 			key. [RT #40188]
 4709 
 4710 4172.	[bug]		Named / named-checkconf didn't handle a view of CLASS0.
 4711 			[RT #40265]
 4712 
 4713 4171.	[bug]		Fixed incorrect class checks in TSIG RR
 4714 			implementation. [RT #40287]
 4715 
 4716 4170.	[security]	An incorrect boundary check in the OPENPGPKEY
 4717 			rdatatype could trigger an assertion failure.
 4718 			(CVE-2015-5986) [RT #40286]
 4719 
 4720 4169.	[test]		Added a 'wire_test -d' option to read input as
 4721 			raw binary data, for use as a fuzzing harness.
 4722 			[RT #40312]
 4723 
 4724 4168.	[security]	A buffer accounting error could trigger an
 4725 			assertion failure when parsing certain malformed
 4726 			DNSSEC keys. (CVE-2015-5722) [RT #40212]
 4727 
 4728 4167.	[func]		Update rndc's usage output to include recently added
 4729 			commands. Thanks to Tony Finch for submitting a
 4730 			patch. [RT #40010]
 4731 
 4732 4166.	[func]		Print informative output from rndc showzone when
 4733 			allow-new-zones is not enabled for a view. Thanks to
 4734 			Tony Finch for submitting a patch. [RT #40009]
 4735 
 4736 4165.	[security]	A failure to reset a value to NULL in tkey.c could
 4737 			result in an assertion failure. (CVE-2015-5477)
 4738 			[RT #40046]
 4739 
 4740 4164.	[bug]		Don't rename slave files and journals on out of memory.
 4741 			[RT #40033]
 4742 
 4743 4163.	[bug]		Address compiler warnings. [RT #40024]
 4744 
 4745 4162.	[bug]		httpdmgr->flags was not being initialized. [RT #40017]
 4746 
 4747 4161.	[test]		Add JSON test for traffic size stats; also test
 4748 			for consistency between "rndc stats" and the XML
 4749 			and JSON statistics channel contents. [RT #38700]
 4750 
 4751 4160.	[placeholder]
 4752 
 4753 4159.	[cleanup]	Alphabetize dig's help output. [RT #39966]
 4754 
 4755 4158.	[placeholder]
 4756 
 4757 4157.	[placeholder]
 4758 
 4759 4156.	[func]		Added statistics counters to track the sizes
 4760 			of incoming queries and outgoing responses in
 4761 			histogram buckets, as specified in RSSAC002.
 4762 			[RT #39049]
 4763 
 4764 4155.	[func]		Allow RPZ rewrite logging to be configured on a
 4765 			per-zone basis using a newly introduced log clause in
 4766 			the response-policy option. [RT #39754]
 4767 
 4768 4154.	[bug]		An OPT record should be included with the FORMERR
 4769 			response when there is a malformed EDNS option.
 4770 			[RT #39647]
 4771 
 4772 4153.	[bug]		Dig should zero non significant +subnet bits.  Check
 4773 			that non significant ECS bits are zero on receipt.
 4774 			[RT #39647]
 4775 
 4776 4152.	[func]		Implement DNS COOKIE option.  This replaces the
 4777 			experimental SIT option of BIND 9.10.  The following
 4778 			named.conf directives are available: send-cookie,
 4779 			cookie-secret, cookie-algorithm, nocookie-udp-size
 4780 			and require-server-cookie.  The following dig options
 4781 			are available: +[no]cookie[=value] and +[no]badcookie.
 4782 			[RT #39928]
 4783 
 4784 4151.	[bug]		'rndc flush' could cause a deadlock. [RT #39835]
 4785 
 4786 4150.	[bug]		win32: listen-on-v6 { any; }; was not working.  Apply
 4787 			minimal fix.  [RT #39667]
 4788 
 4789 4149.	[bug]		Fixed a race condition in the getaddrinfo()
 4790 			implementation in libirs, which caused the delv
 4791 			utility to crash with an assertion failure when using
 4792 			the '@server' syntax with a hostname argument.
 4793 			[RT #39899]
 4794 
 4795 4148.	[bug]		Fix a bug when printing zone names with '/' character
 4796 			in XML and JSON statistics output. [RT #39873]
 4797 
 4798 4147.	[bug]		Filter-aaaa / filter-aaaa-on-v4 / filter-aaaa-on-v6
 4799 			was returning referrals rather than nodata responses
 4800 			when the AAAA records were filtered.  [RT #39843]
 4801 
 4802 4146.	[bug]		Address reference leak that could prevent a clean
 4803 			shutdown. [RT #37125]
 4804 
 4805 4145.	[bug]		Not all unassociated adb entries were being printed.
 4806 			[RT #37125]
 4807 
 4808 4144.	[func]		Add statistics counters for nxdomain redirections.
 4809 			[RT #39790]
 4810 
 4811 4143.	[placeholder]
 4812 
 4813 4142.	[bug]		rndc addzone with view specified saved NZF config
 4814 			that could not be read back by named. This has now
 4815 			been fixed. [RT #39845]
 4816 
 4817 4141.	[bug]		A formatting bug caused rndc zonestatus to print
 4818 			negative numbers for large serial values. This has
 4819 			now been fixed. [RT #39854]
 4820 
 4821 4140.	[cleanup]	Remove redundant nzf_remove() call during delzone.
 4822 			[RT #39844]
 4823 
 4824 4139.	[doc]		Fix rpz-client-ip documentation. [RT #39783]
 4825 
 4826 4138.	[security]	An uninitialized value in validator.c could result
 4827 			in an assertion failure. (CVE-2015-4620) [RT #39795]
 4828 
 4829 4137.	[bug]		Make rndc reconfig report configuration errors the
 4830 			same way rndc reload does. [RT #39635]
 4831 
 4832 4136.	[bug]		Stale statistics counters with the leading
 4833 			'#' prefix (such as #NXDOMAIN) were not being
 4834 			updated correctly. This has been fixed. [RT #39141]
 4835 
 4836 4135.	[cleanup]	Log expired NTA at startup. [RT #39680]
 4837 
 4838 4134.	[cleanup]	Include client-ip rules when logging the number
 4839 			of RPZ rules of each type. [RT #39670]
 4840 
 4841 4133.	[port]		Update how various json libraries are handled.
 4842 			[RT #39646]
 4843 
 4844 4132.	[cleanup]	dig: added +rd as a synonym for +recurse,
 4845 			added +class as an unabbreviated alternative
 4846 			to +cl. [RT #39686]
 4847 
 4848 4131.	[bug]		Addressed further problems with reloading RPZ
 4849 			zones. [RT #39649]
 4850 
 4851 4130.	[bug]		The compatibility shim for *printf() misprinted some
 4852 			large numbers. [RT #39586]
 4853 
 4854 4129.	[port]		Address API changes in OpenSSL 1.1.0. [RT #39532]
 4855 
 4856 4128.	[bug]		Address issues raised by Coverity 7.6. [RT #39537]
 4857 
 4858 4127.	[protocol]	CDS and CDNSKEY need to be signed by the key signing
 4859 			key as per RFC 7344, Section 4.1. [RT #37215]
 4860 
 4861 4126.	[bug]		Addressed a regression introduced in change #4121.
 4862 			[RT #39611]
 4863 
 4864 4125.	[test]		Added tests for dig, renamed delv test to digdelv.
 4865 			[RT #39490]
 4866 
 4867 4124.	[func]		Log errors or warnings encountered when parsing the
 4868 			internal default configuration.  Clarify the logging
 4869 			of errors and warnings encountered in rndc
 4870 			addzone or modzone parameters. [RT #39440]
 4871 
 4872 4123.	[port]		Added %z (size_t) format options to the portable
 4873 			internal printf/sprintf implementation. [RT #39586]
 4874 
 4875 4122.	[bug]		The server could match a shorter prefix than what was
 4876 			available in CLIENT-IP policy triggers, and so, an
 4877 			unexpected action could be taken. This has been
 4878 			corrected. [RT #39481]
 4879 
 4880 4121.	[bug]		On servers with one or more policy zones
 4881 			configured as slaves, if a policy zone updated
 4882 			during regular operation (rather than at
 4883 			startup) using a full zone reload, such as via
 4884 			AXFR, a bug could allow the RPZ summary data to
 4885 			fall out of sync, potentially leading to an
 4886 			assertion failure in rpz.c when further
 4887 			incremental updates were made to the zone, such
 4888 			as via IXFR. [RT #39567]
 4889 
 4890 4120.	[bug]		A bug in RPZ could cause the server to crash if
 4891 			policy zones were updated while recursion was
 4892 			pending for RPZ processing of an active query.
 4893 			[RT #39415]
 4894 
 4895 4119.	[test]		Allow dig to set the message opcode. [RT #39550]
 4896 
 4897 4118.	[bug]		Teach isc-config.sh about irs. [RT #39213]
 4898 
 4899 4117.	[protocol]	Add EMPTY.AS112.ARPA as per RFC 7534.
 4900 
 4901 4116.	[bug]		Fix a bug in RPZ that could cause some policy
 4902 			zones that did not specifically require
 4903 			recursion to be treated as if they did;
 4904 			consequently, setting qname-wait-recurse no; was
 4905 			sometimes ineffective. [RT #39229]
 4906 
 4907 4115.	[func]		"rndc -r" now prints the result code (e.g.,
 4908 			ISC_R_SUCCESS, ISC_R_TIMEOUT, etc) after
 4909 			running the requested command. [RT #38913]
 4910 
 4911 4114.	[bug]		Fix a regression in radix tree implementation
 4912 			introduced by ECS code. This bug was never
 4913 			released, but it was reported by a user testing
 4914 			master. [RT #38983]
 4915 
 4916 4113.	[test]		Check for Net::DNS in some system test
 4917 			prerequisites. [RT #39369]
 4918 
 4919 4112.	[bug]		Named failed to load when "root-delegation-only"
 4920 			was used without a list of domains to exclude.
 4921 			[RT #39380]
 4922 
 4923 4111.	[doc]		Alphabetize rndc man page. [RT #39360]
 4924 
 4925 4110.	[bug]		Address memory leaks / null pointer dereferences
 4926 			on out of memory. [RT #39310]
 4927 
 4928 4109.	[port]		linux: support reading the local port range from
 4929 			net.ipv4.ip_local_port_range. [RT #39379]
 4930 
 4931 4108.	[func]		An additional NXDOMAIN redirect method (option
 4932 			"nxdomain-redirect") has been added, allowing
 4933 			redirection to a specified DNS namespace instead
 4934 			of a single redirect zone. [RT #37989]
 4935 
 4936 4107.	[bug]		Address potential deadlock when updating zone content.
 4937 			[RT #39269]
 4938 
 4939 4106.	[port]		Improve readline support. [RT #38938]
 4940 
 4941 4105.	[port]		Misc fixes for Microsoft Visual Studio
 4942 			2015 CTP6 in 64 bit mode. [RT #39308]
 4943 
 4944 4104.	[bug]		Address uninitialized elements. [RT #39252]
 4945 
 4946 4103.	[port]		Misc fixes for Microsoft Visual Studio
 4947 			2015 CTP6. [RT #39267]
 4948 
 4949 4102.	[bug]		Fix a use after free bug introduced in change
 4950 			#4094.  [RT #39281]
 4951 
 4952 4101.	[bug]		dig: the +split and +rrcomments options didn't
 4953 			work with +short. [RT #39291]
 4954 
 4955 4100.	[bug]		Inherited owner names on the line immediately following
 4956 			a $INCLUDE were not working.  [RT #39268]
 4957 
 4958 4099.	[port]		clang: make unknown commandline options hard errors
 4959 			when determining what options are supported.
 4960 			[RT #39273]
 4961 
 4962 4098.	[bug]		Address use-after-free issue when using a
 4963 			predecessor key with dnssec-settime. [RT #39272]
 4964 
 4965 4097.	[func]		Add additional logging about xfrin transfer status.
 4966 			[RT #39170]
 4967 
 4968 4096.	[bug]		Fix a use after free of query->sendevent.
 4969 			[RT #39132]
 4970 
 4971 4095.	[bug]		zone->options2 was not being properly initialized.
 4972 			[RT #39228]
 4973 
 4974 4094.	[bug]		A race during shutdown or reconfiguration could
 4975 			cause an assertion in mem.c. [RT #38979]
 4976 
 4977 4093.	[func]		Dig now learns the SIT value from truncated
 4978 			responses when it retries over TCP. [RT #39047]
 4979 
 4980 4092.	[bug]		'in-view' didn't work for zones beneath an empty zone.
 4981 			[RT #39173]
 4982 
 4983 4091.	[cleanup]	Some cleanups in isc mem code. [RT #38896]
 4984 
 4985 4090.	[bug]		Fix a crash while parsing malformed CAA RRs in
 4986 			presentation format, i.e., from text such as
 4987 			from master files. Thanks to John Van de
 4988 			Meulebrouck Brendgard for discovering and
 4989 			reporting this problem. [RT #39003]
 4990 
 4991 4089.	[bug]		Send notifies immediately for slave zones during
 4992 			startup. [RT #38843]
 4993 
 4994 4088.	[port]		Fixed errors when building with libressl. [RT #38899]
 4995 
 4996 4087.	[bug]		Fix a crash due to use-after-free due to sequencing
 4997 			of tasks actions. [RT #38495]
 4998 
 4999 4086.	[bug]		Fix out-of-srcdir build with native pkcs11. [RT #38831]
 5000 
 5001 4085.	[bug]		ISC_PLATFORM_HAVEXADDQ could be inconsistently set.
 5002 			[RT #38828]
 5003 
 5004 4084.	[bug]		Fix a possible race in updating stats counters.
 5005 			[RT #38826]
 5006 
 5007 4083.	[cleanup]	Print the number of CPUs and UDP listeners
 5008 			consistently in the log and in "rndc status"
 5009 			output; indicate whether threads are supported
 5010 			in "named -V" output. [RT #38811]
 5011 
 5012 4082.	[bug]		Incrementally sign large inline zone deltas.
 5013 			[RT #37927]
 5014 
 5015 4081.	[cleanup]	Use dns_rdatalist_init consistently. [RT #38759]
 5016 
 5017 4080.	[func]		Completed change #4022, adding a "lock-file" option
 5018 			to named.conf to override the default lock file,
 5019 			in addition to the "named -X <filename>" command
 5020 			line option.  Setting the lock file to "none"
 5021 			using either method disables the check completely.
 5022 			[RT #37908]
 5023 
 5024 4079.	[func]		Preserve the case of the owner name of records to
 5025 			the RRset level. [RT #37442]
 5026 
 5027 4078.	[bug]		Handle the case where CMSG_SPACE(sizeof(int)) !=
 5028 			CMSG_SPACE(sizeof(char)). [RT #38621]
 5029 
 5030 4077.	[test]		Add static-stub regression test for DS NXDOMAIN
 5031 			return making the static stub disappear. [RT #38564]
 5032 
 5033 4076.	[bug]		Named could crash on shutdown with outstanding
 5034 			reload / reconfig events. [RT #38622]
 5035 
 5036 4075.	[placeholder]
 5037 
 5038 4074.	[cleanup]	Cleaned up more warnings from gcc -Wshadow. [RT #38708]
 5039 
 5040 4073.	[cleanup]	Add libjson-c version number reporting to
 5041 			"named -V"; normalize version number formatting.
 5042 			[RT #38056]
 5043 
 5044 4072.	[func]		Add a --enable-querytrace configure switch for
 5045 			very verbose query trace logging. (This option
 5046 			has a negative performance impact and should be
 5047 			used only for debugging.) [RT #37520]
 5048 
 5049 4071.	[cleanup]	Initialize pthread mutex attrs just once, instead of
 5050 			doing it per mutex creation. [RT #38547]
 5051 
 5052 4070.	[bug]		Fix a segfault in nslookup in a query such as
 5053 			"nslookup isc.org AMS.SNS-PB.ISC.ORG -all".
 5054 			[RT #38548]
 5055 
 5056 4069.	[doc]		Reorganize options in the nsupdate man page.
 5057 			[RT #38515]
 5058 
 5059 4068.	[bug]		Omit unknown serial number from JSON zone statistics.
 5060 			[RT #38604]
 5061 
 5062 4067.	[cleanup]	Reduce noise from RRL when query logging is
 5063 			disabled. [RT #38648]
 5064 
 5065 4066.	[doc]		Reorganize options in the dig man page. [RT #38516]
 5066 
 5067 4065.	[test]		Additional RFC 5011 tests. [RT #38569]
 5068 
 5069 4064.	[contrib]	dnssec-keyset.sh: Generates a specified number
 5070 			of DNSSEC keys with timing set to implement a
 5071 			pre-publication key rollover strategy. Thanks
 5072 			to Jeffry A. Spain. [RT #38459]
 5073 
 5074 4063.	[bug]		Asynchronous zone loads were not handled
 5075 			correctly when the zone load was already in
 5076 			progress; this could trigger a crash in zt.c.
 5077 			[RT #37573]
 5078 
 5079 4062.	[bug]		Fix an out-of-bounds read in RPZ code. If the
 5080 			read succeeded, it doesn't result in a bug
 5081 			during operation. If the read failed, named
 5082 			could segfault. [RT #38559]
 5083 
 5084 4061.	[bug]		Handle timeout in legacy system test. [RT #38573]
 5085 
 5086 4060.	[bug]		dns_rdata_freestruct could be called on an
 5087 			uninitialized structure when handling an error.
 5088 			[RT #38568]
 5089 
 5090 4059.	[bug]		Addressed valgrind warnings. [RT #38549]
 5091 
 5092 4058.	[bug]		UDP dispatches could use the wrong pseudorandom
 5093 			number generator context. [RT #38578]
 5094 
 5095 4057.	[bug]		'dnssec-dsfromkey -T 0' failed to add ttl field.
 5096 			[RT #38565]
 5097 
 5098 4056.	[bug]		Expanded automatic testing of trust anchor
 5099 			management and fixed several small bugs including
 5100 			a memory leak and a possible loss of key state
 5101 			information. [RT #38458]
 5102 
 5103 4055.	[func]		"rndc managed-keys" can be used to check status
 5104 			of trust anchors or to force keys to be refreshed.
 5105 			Also, the managed keys data file has easier-to-read
 5106 			comments.  [RT #38458]
 5107 
 5108 4054.	[func]		Added a new tool 'mdig', a lightweight clone of
 5109 			dig able to send multiple pipelined queries.
 5110 			[RT #38261]
 5111 
 5112 4053.	[security]	Revoking a managed trust anchor and supplying
 5113 			an untrusted replacement could cause named
 5114 			to crash with an assertion failure.
 5115 			(CVE-2015-1349) [RT #38344]
 5116 
 5117 4052.	[bug]		Fix a leak of query fetchlock. [RT #38454]
 5118 
 5119 4051.	[bug]		Fix a leak of pthread_mutexattr_t. [RT #38454]
 5120 
 5121 4050.	[bug]		RPZ could send spurious SERVFAILs in response
 5122 			to duplicate queries. [RT #38510]
 5123 
 5124 4049.	[bug]		CDS and CDNSKEY had the wrong attributes. [RT #38491]
 5125 
 5126 4048.	[bug]		adb hash table was not being grown. [RT #38470]
 5127 
 5128 4047.	[cleanup]	"named -V" now reports the current running versions
 5129 			of OpenSSL and the libxml2 libraries, in addition to
 5130 			the versions that were in use at build time.
 5131 
 5132 4046.	[bug]		Accounting of "total use" in memory context
 5133 			statistics was not correct. [RT #38370]
 5134 
 5135 4045.	[bug]		Skip to next master on dns_request_createvia4 failure.
 5136 			[RT #25185]
 5137 
 5138 4044.	[bug]		Change 3955 was not complete, resulting in an assertion
 5139 			failure if the timing was just right. [RT #38352]
 5140 
 5141 4043.	[func]		"rndc modzone" can be used to modify the
 5142 			configuration of an existing zone, using similar
 5143 			syntax to "rndc addzone". [RT #37895]
 5144 
 5145 4042.	[bug]		zone.c:iszonesecure was being called too late.
 5146 			[RT #38371]
 5147 
 5148 4041.	[func]		TCP sockets can now be shared while connecting.
 5149 			(This will be used to enable client-side support
 5150 			of pipelined queries.) [RT #38231]
 5151 
 5152 4040.	[func]		Added server-side support for pipelined TCP
 5153 			queries. Clients may continue sending queries via
 5154 			TCP while previous queries are being processed
 5155 			in parallel.  (The new "keep-response-order"
 5156 			option allows clients to be specified for which
 5157 			the old behavior will still be used.) [RT #37821]
 5158 
 5159 4039.	[cleanup]	Cleaned up warnings from gcc -Wshadow. [RT #37381]
 5160 
 5161 4038.	[bug]		Add 'rpz' flag to node and use it to determine whether
 5162 			to call dns_rpz_delete.  This should prevent unbalanced
 5163 			add / delete calls. [RT #36888]
 5164 
 5165 4037.	[bug]		also-notify was ignoring the tsig key when checking
 5166 			for duplicates resulting in some expected notify
 5167 			messages not being sent. [RT #38369]
 5168 
 5169 4036.	[bug]		Make call to open a temporary file name safe during
 5170 			NZF creation. [RT #38331]
 5171 
 5172 4035.	[bug]		Close temporary and NZF FILE pointers before moving
 5173 			the former into the latter's place, as required on
 5174 			Windows. [RT #38332]
 5175 
 5176 4034.	[func]		When added, negative trust anchors (NTA) are now
 5177 			saved to files (viewname.nta), in order to
 5178 			persist across restarts of the named server.
 5179 			[RT #37087]
 5180 
 5181 4033.	[bug]		Missing out of memory check in request.c:req_send.
 5182 			[RT #38311]
 5183 
 5184 4032.	[bug]		Built-in "empty" zones did not correctly inherit the
 5185 			"allow-transfer" ACL from the options or view.
 5186 			[RT #38310]
 5187 
 5188 4031.	[bug]		named-checkconf -z failed to report a missing file
 5189 			with a hint zone. [RT #38294]
 5190 
 5191 4030.	[func]		"rndc delzone" is now applicable to zones that were
 5192 			configured in named.conf, as well as zones that
 5193 			were added via "rndc addzone". (Note, however, that
 5194 			if named.conf is not also modified, the deleted zone
 5195 			will return when named is reloaded.) [RT #37887]
 5196 
 5197 4029.	[func]		"rndc showzone" displays the current configuration
 5198 			of a specified zone. [RT #37887]
 5199 
 5200 4028.	[bug]		$GENERATE with a zero step was not being caught as an
 5201 			error.  A $GENERATE with a / but no step was not being
 5202 			caught as an error. [RT #38262]
 5203 
 5204 4027.	[port]		Net::DNS 0.81 compatibility. [RT #38165]
 5205 
 5206 4026.	[bug]		Fix RFC 3658 reference in dig +sigchase. [RT #38173]
 5207 
 5208 4025.	[port]		bsdi: failed to build. [RT #38047]
 5209 
 5210 4024.	[bug]		dns_rdata_opt_first, dns_rdata_opt_next,
 5211 			dns_rdata_opt_current, dns_rdata_txt_first,
 5212 			dns_rdata_txt_next and dns_rdata_txt_current were
 5213 			documented but not implemented.  These have now been
 5214 			implemented.
 5215 
 5216 			dns_rdata_spf_first, dns_rdata_spf_next and
 5217 			dns_rdata_spf_current were documented but not
 5218 			implemented.  The prototypes for these
 5219 			functions have been removed. [RT #38068]
 5220 
 5221 4023.	[bug]		win32: socket handling with explicit ports and
 5222 			invoking named with -4 was broken for some
 5223 			configurations. [RT #38068]
 5224 
 5225 4022.	[func]		Stop multiple spawns of named by limiting number of
 5226 			processes to 1. This is done by using a lockfile and
 5227 			checking whether we can listen on any configured
 5228 			TCP interfaces. [RT #37908]
 5229 
 5230 4021.	[bug]		Adjust max-recursion-queries to accommodate
 5231 			the need for more queries when the cache is
 5232 			empty. [RT #38104]
 5233 
 5234 4020.	[bug]		Change 3736 broke nsupdate's SOA MNAME discovery
 5235 			resulting in updates being sent to the wrong server.
 5236 			[RT #37925]
 5237 
 5238 4019.	[func]		If named is not configured to validate the answer
 5239 			then allow fallback to plain DNS on timeout even
 5240 			when we know the server supports EDNS. [RT #37978]
 5241 
 5242 4018.	[placeholder]
 5243 
 5244 4017.	[test]		Add system test to check lookups to legacy servers
 5245 			with broken DNS behavior. [RT #37965]
 5246 
 5247 4016.	[bug]		Fix a dig segfault due to bad linked list usage.
 5248 			[RT #37591]
 5249 
 5250 4015.	[bug]		Nameservers that are skipped due to them being
 5251 			CNAMEs were not being logged. They are now logged
 5252 			to category 'cname' as per BIND 8. [RT #37935]
 5253 
 5254 4014.	[bug]		When including a master file origin_changed was
 5255 			not being properly set leading to a potentially
 5256 			spurious 'inherited owner' warning. [RT #37919]
 5257 
 5258 4013.	[func]		Add a new tcp-only option to server (config) /
 5259 			peer (struct) to use TCP transport to send
 5260 			queries (in place of UDP transport with a
 5261 			TCP fallback on truncated (TC set) response).
 5262 			[RT #37800]
 5263 
 5264 4012.	[cleanup]	Check returned status of OpenSSL digest and HMAC
 5265 			functions when they return one. Note this applies
 5266 			only to FIPS capable OpenSSL libraries put in
 5267 			FIPS mode and MD5. [RT #37944]
 5268 
 5269 4011.	[bug]		master's list port and dscp inheritance was not
 5270 			properly implemented. [RT #37792]
 5271 
 5272 4010.	[cleanup]	Clear the prefetchable state when initiating a
 5273 			prefetch. [RT #37399]
 5274 
 5275 4009.	[func]		delv: added a +tcp option. [RT #37855]
 5276 
 5277 4008.	[contrib]	Updated zkt to latest version (1.1.3). [RT #37886]
 5278 
 5279 4007.	[doc]		Remove acl forward reference restriction. [RT #37772]
 5280 
 5281 4006.	[security]	A flaw in delegation handling could be exploited
 5282 			to put named into an infinite loop.  This has
 5283 			been addressed by placing limits on the number
 5284 			of levels of recursion named will allow (default 7),
 5285 			and the number of iterative queries that it will
 5286 			send (default 50) before terminating a recursive
 5287 			query (CVE-2014-8500).
 5288 
 5289 			The recursion depth limit is configured via the
 5290 			"max-recursion-depth" option, and the query limit
 5291 			via the "max-recursion-queries" option.  [RT #37580]
 5292 
 5293 4005.	[func]		The buffer used for returning text from rndc
 5294 			commands is now dynamically resizable, allowing
 5295 			arbitrarily large amounts of text to be sent back
 5296 			to the client. (Prior to this change, it was
 5297 			possible for the output of "rndc tsig-list" to be
 5298 			truncated.) [RT #37731]
 5299 
 5300 4004.	[bug]		When delegations had AAAA glue but not A, a
 5301 			reference could be leaked causing an assertion
 5302 			failure on shutdown. [RT #37796]
 5303 
 5304 4003.	[security]	When geoip-directory was reconfigured during
 5305 			named run-time, the previously loaded GeoIP
 5306 			data could remain, potentially causing wrong
 5307 			ACLs to be used or wrong results to be served
 5308 			based on geolocation (CVE-2014-8680). [RT #37720]
 5309 
 5310 4002.	[security]	Lookups in GeoIP databases that were not
 5311 			loaded could cause an assertion failure
 5312 			(CVE-2014-8680). [RT #37679]
 5313 
 5314 4001.	[security]	The caching of GeoIP lookups did not always
 5315 			handle address families correctly, potentially
 5316 			resulting in an assertion failure (CVE-2014-8680).
 5317 			[RT #37672]
 5318 
 5319 4000.	[bug]		NXDOMAIN redirection incorrectly handled NXRRSET
 5320 			from the redirect zone. [RT #37722]
 5321 
 5322 3999.	[func]		"mkeys" and "nzf" files are now named after
 5323 			their corresponding views, unless the view name
 5324 			contains characters that would be incompatible
 5325 			with use in a filename (i.e., slash, backslash,
 5326 			or capital letters). If a view name does contain
 5327 			these characters, the files will still be named
 5328 			using a cryptographic hash of the view name.
 5329 			Regardless of this, if a file using the old name
 5330 			format is found to exist, it will continue to be
 5331 			used. [RT #37704]
 5332 
 5333 3998.	[bug]		isc_radix_search was returning matches that were
 5334 			too precise. [RT #37680]
 5335 
 5336 3997.	[protocol]	Add OPENPGPKEY record. [RT #37671]
 5337 
 5338 3996.	[bug]		Address use after free on out of memory error in
 5339 			keyring_add. [RT #37639]
 5340 
 5341 3995.	[bug]		receive_secure_serial holds the zone lock for too
 5342 			long. [RT #37626]
 5343 
 5344 3994.	[func]		Dig now supports setting the last unassigned DNS
 5345 			header flag bit (dig +zflag). [RT #37421]
 5346 
 5347 3993.	[func]		Dig now supports EDNS negotiation by default.
 5348 			(dig +[no]ednsnegotiation).
 5349 
 5350 			Note:  This is disabled by default in BIND 9.10
 5351 			and enabled by default in BIND 9.11.  [RT #37604]
 5352 
 5353 3992.	[func]		DiG can now send queries without questions
 5354 			(dig +header-only). [RT #37599]
 5355 
 5356 3991.	[func]		Add the ability to buffer logging output by specifying
 5357 			"buffered yes;" when defining a channel. [RT #26561]
 5358 
 5359 3990.	[test]		Add tests for unknown DNSSEC algorithm handling.
 5360 			[RT #37541]
 5361 
 5362 3989.	[cleanup]	Remove redundant dns_db_resigned calls. [RT #35748]
 5363 
 5364 3988.	[func]		Allow the zone serial of a dynamically updatable
 5365 			zone to be updated via "rndc signing -serial".
 5366 			[RT #37404]
 5367 
 5368 3987.	[port]		Handle future Visual Studio 14 incompatible changes.
 5369 			[RT #37380]
 5370 
 5371 3986.	[doc]		Add the BIND version number to page footers
 5372 			in the ARM. [RT #37398]
 5373 
 5374 3985.	[doc]		Describe how +ndots and +search interact in dig.
 5375 			[RT #37529]
 5376 
 5377 3984.	[func]		Accept 256 byte long PINs in native PKCS#11
 5378 			crypto. [RT #37410]
 5379 
 5380 3983.	[bug]		Change #3940 was incomplete: negative trust anchors
 5381 			could be set to last up to a week, but the
 5382 			"nta-lifetime" and "nta-recheck" options were
 5383 			still limited to one day. [RT #37522]
 5384 
 5385 3982.	[doc]		Include release notes in product documentation.
 5386 			[RT #37272]
 5387 
 5388 3981.	[bug]		Cache DS/NXDOMAIN independently of other query types.
 5389 			[RT #37467]
 5390 
 5391 3980.	[bug]		Improve --with-tuning=large by self tuning of SO_RCVBUF
 5392 			size. [RT #37187]
 5393 
 5394 3979.	[bug]		Negative trust anchor fetches were not properly
 5395 			managed. [RT #37488]
 5396 
 5397 3978.	[test]		Added a unit test for Diffie-Hellman key
 5398 			computation, completing change #3974. [RT #37477]
 5399 
 5400 3977.	[cleanup]	"rndc secroots" reported a "not found" error when
 5401 			there were no negative trust anchors set. [RT #37506]
 5402 
 5403 3976.	[bug]		When refreshing managed-key trust anchors, clear
 5404 			any cached trust so that they will always be
 5405 			revalidated with the current set of secure
 5406 			roots. [RT #37506]
 5407 
 5408 3975.	[bug]		Don't populate or use the bad cache for queries that
 5409 			don't request or use recursion. [RT #37466]
 5410 
 5411 3974.	[bug]		Handle DH_compute_key() failure correctly in
 5412 			openssldh_link.c. [RT #37477]
 5413 
 5414 3973.	[test]		Added hooks for Google Performance Tools CPU profiler,
 5415 			including real-time/wall-clock profiling. Use
 5416 			"configure --with-gperftools-profiler" to enable.
 5417 			[RT #37339]
 5418 
 5419 3972.	[bug]		Fix host's usage statement. [RT #37397]
 5420 
 5421 3971.	[bug]		Reduce the cascading failures due to a bad $TTL line
 5422 			in named-checkconf / named-checkzone. [RT #37138]
 5423 
 5424 3970.	[contrib]	Fixed a use after free bug in the SDB LDAP driver.
 5425 			[RT #37237]
 5426 
 5427 3969.	[test]		Added 'delv' system test. [RT #36901]
 5428 
 5429 3968.	[bug]		Silence spurious log messages when using 'named -[46]'.
 5430 			[RT #37308]
 5431 
 5432 3967.	[test]		Add test for inlined signed zone in multiple views
 5433 			with different DNSKEY sets. [RT #35759]
 5434 
 5435 3966.	[bug]		Missing dns_db_closeversion call in receive_secure_db.
 5436 			[RT #35746]
 5437 
 5438 3965.	[func]		Log outgoing packets and improve packet logging to
 5439 			support logging the remote address. [RT #36624]
 5440 
 5441 3964.	[func]		nsupdate now performs check-names processing.
 5442 			[RT #36266]
 5443 
 5444 3963.	[test]		Added NXRRSET test cases to the "dlzexternal"
 5445 			system test. [RT #37344]
 5446 
 5447 3962.	[bug]		'dig +topdown +trace +sigchase' address unhandled error
 5448 			conditions. [RT #34663]
 5449 
 5450 3961.	[bug]		Forwarding of SIG(0) signed UPDATE messages failed with
 5451 			BADSIG.  [RT #37216]
 5452 
 5453 3960.	[bug]		'dig +sigchase' could loop forever. [RT #37220]
 5454 
 5455 3959.	[bug]		Updates could be lost if they arrived immediately
 5456 			after a rndc thaw. [RT #37233]
 5457 
 5458 3958.	[bug]		Detect when writeable files have multiple references
 5459 			in named.conf. [RT #37172]
 5460 
 5461 3957.	[bug]		"dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256
 5462 			and ECDSAP384SHA384. [RT #37183]
 5463 
 5464 3956.	[func]		Notify messages are now rate limited by notify-rate and
 5465 			startup-notify-rate instead of serial-query-rate.
 5466 			[RT #24454]
 5467 
 5468 3955.	[bug]		Notify messages due to changes are no longer queued
 5469 			behind startup notify messages. [RT #24454]
 5470 
 5471 3954.	[bug]		Unchecked mutex init in dlz_dlopen_driver.c [RT #37112]
 5472 
 5473 3953.	[bug]		Don't escape semi-colon in TXT fields. [RT #37159]
 5474 
 5475 3952.	[bug]		dns_name_fullcompare failed to set *nlabelsp when the
 5476 			two name pointers were the same. [RT #37176]
 5477 
 5478 3951.	[func]		Add the ability to set yet-to-be-defined EDNS flags
 5479 			to dig (+ednsflags=#). [RT #37142]
 5480 
 5481 3950.	[port]		Changed the bin/python Makefile to work around a
 5482 			bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993]
 5483 
 5484 3949.	[experimental]	Experimental support for draft-andrews-edns1 by sending
 5485 			EDNS(1) queries (define DRAFT_ANDREWS_EDNS1 when
 5486 			building).  Add support for limiting the EDNS version
 5487 			advertised to servers: server { edns-version 0; };
 5488 			Log the EDNS version received in the query log.
 5489 			[RT #35864]
 5490 
 5491 3948.	[port]		solaris: RCVBUFSIZE was too large on Solaris with
 5492 			--with-tuning=large. [RT #37059]
 5493 
 5494 3947.	[cleanup]	Set the executable bit on libraries when using
 5495 			libtool. [RT #36786]
 5496 
 5497 3946.	[cleanup]	Improved "configure" search for a python interpreter.
 5498 			[RT #36992]
 5499 
 5500 3945.	[bug]		Invalid wildcard expansions could be incorrectly
 5501 			accepted by the validator. [RT #37093]
 5502 
 5503 3944.	[test]		Added a regression test for "server-id". [RT #37057]
 5504 
 5505 3943.	[func]		SERVFAIL responses can now be cached for a
 5506 			limited time (configured by "servfail-ttl",
 5507 			default 10 seconds, limit 30). This can reduce
 5508 			the frequency of retries when an authoritative
 5509 			server is known to be failing, e.g., due to
 5510 			ongoing DNSSEC validation problems. [RT #21347]
 5511 
 5512 3942.	[bug]		Wildcard responses from an optout range should be
 5513 			marked as insecure. [RT #37072]
 5514 
 5515 3941.	[doc]		Include the BIND version number in the ARM. [RT #37067]
 5516 
 5517 3940.	[func]		"rndc nta" now allows negative trust anchors to be
 5518 			set for up to one week. [RT #37069]
 5519 
 5520 3939.	[func]		Improve UPDATE forwarding performance by allowing TCP
 5521 			connections to be shared. [RT #37039]
 5522 
 5523 3938.	[func]		Added quotas to be used in recursive resolvers
 5524 			that are under high query load for names in zones
 5525 			whose authoritative servers are nonresponsive or
 5526 			are experiencing a denial of service attack.
 5527 
 5528 			- "fetches-per-server" limits the number of
 5529 			  simultaneous queries that can be sent to any
 5530 			  single authoritative server.  The configured
 5531 			  value is a starting point; it is automatically
 5532 			  adjusted downward if the server is partially or
 5533 			  completely non-responsive. The algorithm used to
 5534 			  adjust the quota can be configured via the
 5535 			  "fetch-quota-params" option.
 5536 			- "fetches-per-zone" limits the number of
 5537 			  simultaneous queries that can be sent for names
 5538 			  within a single domain.  (Note: Unlike
 5539 			  "fetches-per-server", this value is not
 5540 			  self-tuning.)
 5541 			- New stats counters have been added to count
 5542 			  queries spilled due to these quotas.
 5543 
 5544 			See the ARM for details of these options. [RT #37125]
 5545 
 5546 3937.	[func]		Added some debug logging to better indicate the
 5547 			conditions causing SERVFAILs when resolving.
 5548 			[RT #35538]
 5549 
 5550 3936.	[func]		Added authoritative support for the EDNS Client
 5551 			Subnet (ECS) option.
 5552 
 5553 			ACLs can now include "ecs" elements which specify
 5554 			an address or network prefix; if an ECS option is
 5555 			included in a DNS query, then the address encoded
 5556 			in the option will be matched against "ecs" ACL
 5557 			elements.
 5558 
 5559 			Also, if an ECS address is included in a query,
 5560 			then it will be used instead of the client source
 5561 			address when matching "geoip" ACL elements.  This
 5562 			behavior can be overridden with "geoip-use-ecs no;".
 5563 			(Note: to enable "geoip" ACLs, use "configure
 5564 			--with-geoip". This requires libGeoIP version
 5565 			1.5.0 or higher.)
 5566 
 5567 			When "ecs" or "geoip" ACL elements are used to
 5568 			select a view for a query, the response will include
 5569 			an ECS option to indicate which client network the
 5570 			answer is valid for.
 5571 
 5572 			(Thanks to Vincent Bernat.) [RT #36781]
 5573 
 5574 3935.	[bug]		"geoip asnum" ACL elements would not match unless
 5575 			the full organization name was specified.  They
 5576 			can now match against the AS number alone (e.g.,
 5577 			AS1234). [RT #36945]
 5578 
 5579 3934.	[bug]		Catch bad 'sit-secret' in named-checkconf.  Improve
 5580 			sit-secret documentation. [RT #36980]
 5581 
 5582 3933.	[bug]		Corrected the implementation of dns_rdata_casecompare()
 5583 			for the HIP rdata type.  [RT #36911]
 5584 
 5585 3932.	[test]		Improved named-checkconf tests. [RT #36911]
 5586 
 5587 3931.	[cleanup]	Cleanup how dlz grammar is defined. [RT #36879]
 5588 
 5589 3930.	[bug]		"rndc nta -r" could cause a server hang if the
 5590 			NTA was not found. [RT #36909]
 5591 
 5592 3929.	[bug]		'host -a' needed to clear idnoptions. [RT #36963]
 5593 
 5594 3928.	[test]		Improve rndc system test. [RT #36898]
 5595 
 5596 3927.	[bug]		dig: report PKCS#11 error codes correctly when
 5597 			compiled with --enable-native-pkcs11. [RT #36956]
 5598 
 5599 3926.	[doc]		Added doc for geoip-directory. [RT #36877]
 5600 
 5601 3925.	[bug]		DS lookup of RFC 1918 empty zones failed. [RT #36917]
 5602 
 5603 3924.	[bug]		Improve 'rndc addzone' error reporting. [RT #35187]
 5604 
 5605 3923.	[bug]		Sanity check the xml2-config output. [RT #22246]
 5606 
 5607 3922.	[bug]		When resigning, dnssec-signzone was removing
 5608 			all signatures from delegation nodes. It now
 5609 			retains DS and (if applicable) NSEC signatures.
 5610 			[RT #36946]
 5611 
 5612 3921.	[bug]		AD was inappropriately set on RPZ responses. [RT #36833]
 5613 
 5614 3920.	[doc]		Added doc for masterfile-style. [RT #36823]
 5615 
 5616 3919.	[bug]		dig: continue to next line if an address lookup fails
 5617 			in batch mode. [RT #36755]
 5618 
 5619 3918.	[doc]		Update check-spf documentation. [RT #36910]
 5620 
 5621 3917.	[bug]		dig, nslookup and host now continue on names that are
 5622 			too long after applying a search list element.
 5623 			[RT #36892]
 5624 
 5625 3916.	[contrib]	zone2sqlite checked wrong result code.  Address
 5626 			compiler warnings. [RT #36931]
 5627 
 5628 3915.	[bug]		Address an assertion if a route event arrived while
 5629 			shutting down. [RT #36887]
 5630 
 5631 3914.	[bug]		Allow the URI target and CAA value fields to
 5632 			be zero length. [RT #36737]
 5633 
 5634 3913.	[bug]		Address race issue in dispatch. [RT #36731]
 5635 
 5636 3912.	[bug]		Address some unrecoverable lookup failures. [RT #36330]
 5637 
 5638 3911.	[func]		Implement EDNS EXPIRE option client side, allowing
 5639 			a slave server to set the expiration timer correctly
 5640 			when transferring zone data from another slave
 5641 			server. [RT #35925]
 5642 
 5643 3910.	[bug]		Fix races to free event during shutdown. [RT #36720]
 5644 
 5645 3909.	[bug]		When computing the number of elements required for an
 5646 			acl, count_acl_elements could have a short count leading
 5647 			to an assertion failure.  Also zero out new acl elements
 5648 			in dns_acl_merge.  [RT #36675]
 5649 
 5650 3908.	[bug]		rndc now differentiates between a zone in multiple
 5651 			views and a zone that doesn't exist at all. [RT #36691]
 5652 
 5653 3907.	[cleanup]	Alphabetize rndc help. [RT #36683]
 5654 
 5655 3906.	[protocol]	Update URI record format to comply with
 5656 			draft-faltstrom-uri-08. [RT #36642]
 5657 
 5658 3905.	[bug]		Address deadlock between view.c and adb.c. [RT #36341]
 5659 
 5660 3904.	[func]		Add the RPZ SOA to the additional section. [RT #36507]
 5661 
 5662 3903.	[bug]		Improve the accuracy of DiG's reported round trip
 5663 			time. [RT #36611]
 5664 
 5665 3902.	[bug]		liblwres wasn't handling link-local addresses in
 5666 			nameserver clauses in resolv.conf. [RT #36039]
 5667 
 5668 3901.	[protocol]	Added support for CAA record type (RFC 6844).
 5669 			[RT #36625]
 5670 
 5671 3900.	[bug]		Fix a crash in PostgreSQL DLZ driver. [RT #36637]
 5672 
 5673 3899.	[bug]		"request-ixfr" is only applicable to slave and redirect
 5674 			zones. [RT #36608]
 5675 
 5676 3898.	[bug]		Too small a buffer in tohexstr() calls in test code.
 5677 			[RT #36598]
 5678 
 5679 3897.	[bug]		RPZ summary information was not properly being updated
 5680 			after an AXFR resulting in changes sometimes being
 5681 			ignored.  [RT #35885]
 5682 
 5683 3896.	[bug]		Address performance issues with DSCP code on some
 5684 			platforms. [RT #36534]
 5685 
 5686 3895.	[func]		Add the ability to set the DSCP code point to dig.
 5687 			[RT #36546]
 5688 
 5689 3894.	[bug]		Buffers in isc_print_vsnprintf were not properly
 5690 			initialized leading to potential overflows when
 5691 			printing out quad values. [RT #36505]
 5692 
 5693 3893.	[bug]		Peer DSCP values could be returned without being set.
 5694 			[RT #36538]
 5695 
 5696 3892.	[bug]		Setting '-t aaaa' in .digrc had unintended side
 5697 			effects. [RT #36452]
 5698 
 5699 3891.	[bug]		Use ${INSTALL_SCRIPT} rather than ${INSTALL_PROGRAM}
 5700 			to install python programs.
 5701 
 5702 3890.	[bug]		RRSIG sets that were not loaded in a single transaction
 5703 			at start up were not being correctly added to
 5704 			re-signing heaps.  [RT #36302]
 5705 
 5706 3889.	[port]		hurd: configure fixes as per:
 5707 			https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746540
 5708 
 5709 3888.	[func]		'rndc status' now reports the number of automatic
 5710 			zones. [RT #36015]
 5711 
 5712 3887.	[cleanup]	Make all static symbols in rbtdb64 end in "64" so
 5713 			they are easier to use in a debugger. [RT #36373]
 5714 
 5715 3886.	[bug]		rbtdb_write_header should use a once to initialize
 5716 			FILE_VERSION. [RT #36374]
 5717 
 5718 3885.	[port]		Use 'open()' rather than 'file()' to open files in
 5719 			python.
 5720 
 5721 3884.	[protocol]	Add CDS and CDNSKEY record types. [RT #36333]
 5722 
 5723 3883.	[placeholder]
 5724 
 5725 3882.	[func]		By default, negative trust anchors will be tested
 5726 			periodically to see whether data below them can be
 5727 			validated, and if so, they will be allowed to
 5728 			expire early. The "rndc nta -force" option
 5729 			overrides this behavior.  The default NTA lifetime
 5730 			and the recheck frequency can be configured by the
 5731 			"nta-lifetime" and "nta-recheck" options. [RT #36146]
 5732 
 5733 3881.	[bug]		Address memory leak with UPDATE error handling.
 5734 			[RT #36303]
 5735 
 5736 3880.	[test]		Update ans.pl to work with new TSIG support in
 5737 			Net::DNS; add additional Net::DNS version prerequisite
 5738 			checks. [RT #36327]
 5739 
 5740 3879.	[func]		Add version printing option to various BIND utilities.
 5741 			[RT #10686]
 5742 
 5743 3878.	[bug]		Using the incorrect filename for a DLZ module
 5744 			caused a segmentation fault on startup. [RT #36286]
 5745 
 5746 3877.	[bug]		Inserting and deleting parent and child nodes
 5747 			in response policy zones could trigger an assertion
 5748 			failure. [RT #36272]
 5749 
 5750 3876.	[bug]		Improve efficiency of DLZ redirect zones by
 5751 			suppressing unnecessary database lookups. [RT #35835]
 5752 
 5753 3875.	[cleanup]	Clarify log message when unable to read private
 5754 			key files. [RT #24702]
 5755 
 5756 3874.	[test]		Check that only "check-names master" is needed for
 5757 			updates to be accepted.
 5758 
 5759 3873.	[protocol]	Only warn for SPF without TXT spf record. [RT #36210]
 5760 
 5761 3872.	[bug]		Address issues found by static analysis. [RT #36209]
 5762 
 5763 3871.	[bug]		Don't publish an activated key automatically before
 5764 			its publish time. [RT #35063]
 5765 
 5766 3870.	[func]		Updated the random number generator used in
 5767 			the resolver to use the updated ChaCha based one
 5768 			(similar to OpenBSD's changes). Also moved the
 5769 			RNG to libisc and added unit tests for it.
 5770 			[RT #35942]
 5771 
 5772 3869.	[doc]		Document that in-view zones cannot be used for
 5773 			response policy zones. [RT #35941]
 5774 
 5775 3868.	[bug]		isc_mem_setwater incorrectly cleared hi_called
 5776 			potentially leaving over memory cleaner running.
 5777 			[RT #35270]
 5778 
 5779 3867.	[func]		"rndc nta" can now be used to set a temporary
 5780 			negative trust anchor, which disables DNSSEC
 5781 			validation below a specified name for a specified
 5782 			period of time (not exceeding 24 hours).  This
 5783 			can be used when validation for a domain is known
 5784 			to be failing due to a configuration error on
 5785 			the part of the domain owner rather than a
 5786 			spoofing attack. [RT #29358]
 5787 
 5788 3866.	[bug]		Named could die on disk full in generate_session_key.
 5789 			[RT #36119]
 5790 
 5791 3865.	[test]		Improved testability of the red-black tree
 5792 			implementation and added unit tests. [RT #35904]
 5793 
 5794 3864.	[bug]		RPZ didn't work well when being used as forwarder.
 5795 			[RT #36060]
 5796 
 5797 3863.	[bug]		The "E" flag was missing from the query log as an
 5798 			unintended side effect of code rearrangement to
 5799 			support EDNS EXPIRE. [RT #36117]
 5800 
 5801 3862.	[cleanup]	Return immediately if we are not going to log the
 5802 			message in ns_client_dumpmessage.
 5803 
 5804 3861.	[security]	Missing isc_buffer_availablelength check results
 5805 			in a REQUIRE assertion when printing out a packet
 5806 			(CVE-2014-3859).  [RT #36078]
 5807 
 5808 3860.	[bug]		ioctl(DP_POLL) array size needs to be determined
 5809 			at run time as it is limited to {OPEN_MAX}.
 5810 			[RT #35878]
 5811 
 5812 3859.	[placeholder]
 5813 
 5814 3858.	[bug]		Disable GCC 4.9 "delete null pointer check".
 5815 			[RT #35968]
 5816 
 5817 3857.	[bug]		Make it harder for an incorrect NOEDNS classification
 5818 			to be made. [RT #36020]
 5819 
 5820 3856.	[bug]		Configuring libjson without also configuring libxml
 5821 			resulted in a REQUIRE assertion when retrieving
 5822 			statistics using json. [RT #36009]
 5823 
 5824 3855.	[bug]		Limit smoothed round trip time aging to no more than
 5825 			once a second. [RT #32909]
 5826 
 5827 3854.	[cleanup]	Report unrecognized options, if any, in the final
 5828 			configure summary. [RT #36014]
 5829 
 5830 3853.	[cleanup]	Refactor dns_rdataslab_fromrdataset to separate out
 5831 			the handling of a rdataset with no records. [RT #35968]
 5832 
 5833 3852.	[func]		Increase the default number of clients available
 5834 			for servicing lightweight resolver queries, and
 5835 			make them configurable via the "lwres-tasks" and
 5836 			"lwres-clients" options.  (Thanks to Tomas Hozza.)
 5837 			[RT #35857]
 5838 
 5839 3851.	[func]		Allow libseccomp based system-call filtering
 5840 			on Linux; use "configure --enable-seccomp" to
 5841 			turn it on.  Thanks to Loganaden Velvindron
 5842 			of AFRINIC for the contribution. [RT #35347]
 5843 
 5844 3850.	[bug]		Disabling forwarding could trigger a REQUIRE assertion.
 5845 			[RT #35979]
 5846 
 5847 3849.	[doc]		Alphabetized dig's +options. [RT #35992]
 5848 
 5849 3848.	[bug]		Adjust 'statistics-channels specified but not effective'
 5850 			error message to account for JSON support. [RT #36008]
 5851 
 5852 3847.	[bug]		'configure --with-dlz-postgres' failed to fail when
 5853 			there is no support available.
 5854 
 5855 3846.	[bug]		"dig +notcp ixfr=<serial>" should result in a UDP
 5856 			ixfr query. [RT #35980]
 5857 
 5858 3845.	[placeholder]
 5859 
 5860 3844.	[bug]		Use the x64 version of the Microsoft Visual C++
 5861 			Redistributable when built for 64 bit Windows.
 5862 			[RT #35973]
 5863 
 5864 3843.	[protocol]	Check EDNS EXPIRE option in dns_rdata_fromwire.
 5865 			[RT #35969]
 5866 
 5867 3842.	[bug]		Adjust RRL log-only logging category. [RT #35945]
 5868 
 5869 3841.	[cleanup]	Refactor zone.c:add_opt to use dns_message_buildopt.
 5870 			[RT #35924]
 5871 
 5872 3840.	[port]		Check for arc4random_addrandom() before using it;
 5873 			it's been removed from OpenBSD 5.5. [RT #35907]
 5874 
 5875 3839.	[test]		Use only posix-compatible shell in system tests.
 5876 			[RT #35625]
 5877 
 5878 3838.	[protocol]	EDNS EXPIRE has been assigned a code point of 9.
 5879 
 5880 3837.	[security]	A NULL pointer is passed to query_prefetch resulting
 5881 			in a REQUIRE assertion failure when a fetch is actually
 5882 			initiated (CVE-2014-3214).  [RT #35899]
 5883 
 5884 3836.	[bug]		Address C++ keyword usage in header file.
 5885 
 5886 3835.	[bug]		Geoip ACL elements didn't work correctly when
 5887 			referenced via named or nested ACLs. [RT #35879]
 5888 
 5889 3834.	[bug]		The re-signing heaps were not being updated soon enough
 5890 			leading to multiple re-generations of the same RRSIG
 5891 			when a zone transfer was in progress. [RT #35273]
 5892 
 5893 3833.	[bug]		Cross compiling was broken due to calling genrandom at
 5894 			build time. [RT #35869]
 5895 
 5896 3832.	[func]		"named -L <filename>" causes named to send log
 5897 			messages to the specified file by default instead
 5898 			of to the system log. (Thanks to Tony Finch.)
 5899 			[RT #35845]
 5900 
 5901 3831.	[cleanup]	Reduce logging noise when EDNS state changes occur.
 5902 			[RT #35843]
 5903 
 5904 3830.	[func]		When query logging is enabled, log query errors at
 5905 			the same level ('info') as the queries themselves.
 5906 			[RT #35844]
 5907 
 5908 3829.	[func]		"dig +ttlunits" causes dig to print TTL values
 5909 			with time-unit suffixes: w, d, h, m, s for
 5910 			weeks, days, hours, minutes, and seconds. (Thanks
 5911 			to Tony Finch.) [RT #35823]
 5912 
 5913 3828.	[func]		"dnssec-signzone -N date" updates serial number
 5914 			to the current date in YYYYMMDDNN format.
 5915 			[RT #35800]
 5916 
 5917 3827.	[placeholder]
 5918 
 5919 3826.	[bug]		Corrected bad INSIST logic in isc_radix_remove().
 5920 			[RT #35870]
 5921 
 5922 3825.	[bug]		Address sign extension bug in isc_regex_validate.
 5923 			[RT #35758]
 5924 
 5925 3824.	[bug]		A collision between two flag values could cause
 5926 			problems with cache cleaning when SIT was enabled.
 5927 			[RT #35858]
 5928 
 5929 3823.	[func]		Log the rpz cname target when rewriting. [RT #35667]
 5930 
 5931 3822.	[bug]		Log the correct type of static-stub zones when
 5932 			removing them. [RT #35842]
 5933 
 5934 3821.	[contrib]	Added a new "mysqldyn" DLZ module with dynamic
 5935 			update and transaction support. Thanks to Marty
 5936 			Lee for the contribution. [RT #35656]
 5937 
 5938 3820.	[func]		The DLZ API doesn't pass the database version to
 5939 			the lookup() function; this can cause DLZ modules
 5940 			that allow dynamic updates to mishandle prerequisite
 5941 			checks. This has been corrected by adding a
 5942 			'dbversion' field to the dns_clientinfo_t
 5943 			structure. [RT #35656]
 5944 
 5945 3819.	[bug]		NSEC3 hashes need to be able to be entered and
 5946 			displayed without padding.  This is not an issue for
 5947 			currently defined algorithms but may be for future
 5948 			hash algorithms. [RT #27925]
 5949 
 5950 3818.	[bug]		Stop lying to the optimizer that 'void *arg' is a
 5951 			constant in isc_event_allocate.
 5952 
 5953 3817.	[func]		The "delve" command is now spelled "delv" to avoid
 5954 			a namespace collision with the Xapian project.
 5955 			[RT #35801]
 5956 
 5957 3816.	[func]		"dig +qr" now reports query size. (Thanks to
 5958 			Tony Finch.) [RT #35822]
 5959 
 5960 3815.	[doc]		Clarify "nsupdate -y" usage in man page. [RT #35808]
 5961 
 5962 3814.	[func]		The "masterfile-style" zone option controls the
 5963 			formatting of dumped zone files. Options are
 5964 			"relative" (multiline format) and "full" (one
 5965 			record per line). The default is "relative".
 5966 			[RT #20798]
 5967 
 5968 3813.	[func]		"host" now recognizes the "timeout", "attempts" and
 5969 			"debug" options when set in /etc/resolv.conf.
 5970 			(Thanks to Adam Tkac at RedHat.) [RT #21885]
 5971 
 5972 3812.	[func]		Dig now supports sending arbitrary EDNS options from
 5973 			the command line (+ednsopt=code[:value]). [RT #35584]
 5974 
 5975 3811.	[func]		"serial-update-method date;" sets serial number
 5976 			on dynamic update to today's date in YYYYMMDDNN
 5977 			format. (Thanks to Bradley Forschinger.) [RT #24903]
 5978 
 5979 3810.	[bug]		Work around broken nameservers that fail to ignore
 5980 			unknown EDNS options. [RT #35766]
 5981 
 5982 3809.	[doc]		Fix SIT and NSID documentation.
 5983 
 5984 3808.	[doc]		Clean up "prefetch" documentation. [RT #35751]
 5985 
 5986 3807.	[bug]		Fix sign extension bug in dns_name_fromtext when
 5987 			lowercase is set. [RT #35743]
 5988 
 5989 3806.	[test]		Improved system test portability. [RT #35625]
 5990 
 5991 3805.	[contrib]	Added contrib/perftcpdns, a performance testing tool
 5992 			for DNS over TCP. [RT #35710]
 5993 
 5994 	--- 9.10.0rc1 released ---
 5995 
 5996 3804.	[bug]		Corrected a race condition in dispatch.c in which
 5997 			portentry could be reset leading to an assertion
 5998 			failure in socket_search(). (Change #3708
 5999 			addressed the same issue but was incomplete.)
 6000 			[RT #35128]
 6001 
 6002 3803.	[bug]		"named-checkconf -z" incorrectly rejected zones
 6003 			using alternate data sources for not having a "file"
 6004 			option. [RT #35685]
 6005 
 6006 3802.	[bug]		Various header files were not being installed.
 6007 
 6008 3801.	[port]		Fix probing for gssapi support on FreeBSD. [RT #35615]
 6009 
 6010 3800.	[bug]		A pending event on the route socket could cause an
 6011 			assertion failure when shutting down named. [RT #35674]
 6012 
 6013 3799.	[bug]		Improve named's command line error reporting.
 6014 			[RT #35603]
 6015 
 6016 3798.	[bug]		'rndc zonestatus' was reporting the wrong re-signing
 6017 			time. [RT #35659]
 6018 
 6019 3797.	[port]		netbsd: geoip support probing was broken. [RT #35642]
 6020 
 6021 3796.	[bug]		Register dns and pkcs#11 error codes. [RT #35629]
 6022 
 6023 3795.	[bug]		Make named-checkconf detect raw masterfiles for
 6024 			hint zones and reject them. [RT #35268]
 6025 
 6026 3794.	[maint]		Added AAAA for C.ROOT-SERVERS.NET.
 6027 
 6028 3793.	[bug]		zone.c:save_nsec3param() could assert when out of
 6029 			memory. [RT #35621]
 6030 
 6031 3792.	[func]		Provide links to the alternate statistics views when
 6032 			displaying in a browser.  [RT #35605]
 6033 
 6034 3791.	[placeholder]
 6035 
 6036 3790.	[bug]		Handle broken nameservers that send BADVERS in
 6037 			response to unknown EDNS options.  Maintain
 6038 			statistics on BADVERS responses.
 6039 
 6040 3789.	[bug]		Null pointer dereference on rbt creation failure.
 6041 
 6042 3788.	[bug]		dns_peer_getrequestsit was returning request_nsid by
 6043 			mistake.
 6044 
 6045 	--- 9.10.0b2 released ---
 6046 
 6047 3787.	[bug]		The code that checks whether "auto-dnssec" is
 6048 			allowed was ignoring "allow-update" ACLs set at
 6049 			the options or view level. [RT #29536]
 6050 
 6051 3786.	[func]		Provide more detailed error codes when using
 6052 			native PKCS#11. "pkcs11-tokens" now fails robustly
 6053 			rather than asserting when run against an HSM with
 6054 			an incomplete PKCS#11 API implementation. [RT #35479]
 6055 
 6056 3785.	[bug]		Debugging code dumphex didn't accept arbitrarily long
 6057 			input (only compiled with -DDEBUG). [RT #35544]
 6058 
 6059 3784.	[bug]		Using "rrset-order fixed" when it had not been
 6060 			enabled at compile time caused inconsistent
 6061 			results. It now works as documented, defaulting
 6062 			to cyclic mode. [RT #28104]
 6063 
 6064 3783.	[func]		"tsig-keygen" is now available as an alternate
 6065 			command name for "ddns-confgen".  It generates
 6066 			a TSIG key in named.conf format without comments.
 6067 			[RT #35503]
 6068 
 6069 3782.	[func]		Specifying "auto" as the salt when using
 6070 			"rndc signing -nsec3param" causes named to
 6071 			generate a 64-bit salt at random. [RT #35322]
 6072 
 6073 3781.	[tuning]	Use adaptive mutex locks when available; this
 6074 			has been found to improve performance under load
 6075 			on many systems. "configure --with-locktype=standard"
 6076 			restores conventional mutex locks. [RT #32576]
 6077 
 6078 3780.	[bug]		$GENERATE handled negative numbers incorrectly.
 6079 			[RT #25528]
 6080 
 6081 3779.	[cleanup]	Clarify the error message when using an option
 6082 			that was not enabled at compile time. [RT #35504]
 6083 
 6084 3778.	[bug]		Log a warning when the wrong address family is
 6085 			used in "listen-on" or "listen-on-v6". [RT #17848]
 6086 
 6087 3777.	[bug]		EDNS EXPIRE code could dump core when processing
 6088 			DLZ queries. [RT #35493]
 6089 
 6090 3776.	[func]		"rndc -q" suppresses output from successful
 6091 			rndc commands. Errors are printed on stderr.
 6092 			[RT #21393]
 6093 
 6094 3775.	[bug]		dlz_dlopen driver could return the wrong error
 6095 			code on API version mismatch, leading to a segfault.
 6096 			[RT #35495]
 6097 
 6098 3774.	[func]		When using "request-nsid", log the NSID value in
 6099 			printable form as well as hex. [RT #20864]
 6100 
 6101 3773.	[func]		"host", "nslookup" and "nsupdate" now have
 6102 			options to print the version number and exit.
 6103 			[RT #26057]
 6104 
 6105 3772.	[contrib]	Added sqlite3 dynamically-loadable DLZ module.
 6106 			(Based in part on a contribution from Tim Tessier.)
 6107 			[RT #20822]
 6108 
 6109 3771.	[cleanup]	Adjusted log level for "using built-in key"
 6110 			messages. [RT #24383]
 6111 
 6112 3770.	[bug]		"dig +trace" could fail with an assertion when it
 6113 			needed to fall back to TCP due to a truncated
 6114 			response. [RT #24660]
 6115 
 6116 3769.	[doc]		Improved documentation of "rndc signing -list".
 6117 			[RT #30652]
 6118 
 6119 3768.	[bug]		"dnssec-checkds" was missing the SHA-384 digest
 6120 			algorithm. [RT #34000]
 6121 
 6122 3767.	[func]		Log explicitly when using rndc.key to configure
 6123 			command channel. [RT #35316]
 6124 
 6125 3766.	[cleanup]	Fixed problems with building outside the source
 6126 			tree when using native PKCS#11. [RT #35459]
 6127 
 6128 3765.	[bug]		Fixed a bug in "rndc secroots" that could crash
 6129 			named when dumping an empty keynode. [RT #35469]
 6130 
 6131 3764.	[bug]		The dnssec-keygen/settime -S and -i options
 6132 			(to set up a successor key and set the prepublication
 6133 			interval) were missing from dnssec-keyfromlabel.
 6134 			[RT #35394]
 6135 
 6136 3763.	[bug]		delve: Cache DNSSEC records to avoid the need to
 6137 			re-fetch them when restarting validation. [RT #35476]
 6138 
 6139 3762.	[bug]		Address build problems with --pkcs11-native +
 6140 			--with-openssl with ECDSA support. [RT #35467]
 6141 
 6142 3761.	[bug]		Address dangling reference bug in dns_keytable_add.
 6143 			[RT #35471]
 6144 
 6145 3760.	[bug]		Improve SIT with native PKCS#11 and on Windows.
 6146 			[RT #35433]
 6147 
 6148 3759.	[port]		Enable delve on Windows. [RT #35441]
 6149 
 6150 3758.	[port]		Enable export library APIs on Windows. [RT #35382]
 6151 
 6152 3757.	[port]		Enable Python tools (dnssec-coverage,
 6153 			dnssec-checkds) to run on Windows. [RT #34355]
 6154 
 6155 3756.	[bug]		GSSAPI Kerberos realm checking was broken in
 6156 			check_config leading to spurious messages being
 6157 			logged.  [RT #35443]
 6158 
 6159 	--- 9.10.0b1 released ---
 6160 
 6161 3755.	[func]		Add stats counters for known EDNS options + others.
 6162 			[RT #35447]
 6163 
 6164 3754.	[cleanup]	win32: Installer now places files in the
 6165 			Program Files area rather than system services.
 6166 			[RT #35361]
 6167 
 6168 3753.	[bug]		allow-notify was ignoring keys. [RT #35425]
 6169 
 6170 3752.	[bug]		Address potential REQUIRE failure if
 6171 			DNS_STYLEFLAG_COMMENTDATA is set when printing out
 6172 			a rdataset.
 6173 
 6174 3751.	[tuning]	The default setting for the -U option (setting
 6175 			the number of UDP listeners per interface) has
 6176 			been adjusted to improve performance. [RT #35417]
 6177 
 6178 3750.	[experimental]	Partially implement EDNS EXPIRE option as described
 6179 			in draft-andrews-dnsext-expire-00.  Retrieval of
 6180 			the remaining time until expiry for slave zones
 6181 			is supported.
 6182 
 6183 			EXPIRE uses an experimental option code (65002),
 6184 			which is subject to change. [RT #35416]
 6185 
 6186 3749.	[func]		"dig +subnet" sends an EDNS client subnet option
 6187 			containing the specified address/prefix when
 6188 			querying. (Thanks to Wilmer van der Gaast.)
 6189 			[RT #35415]
 6190 
 6191 3748.	[test]		Use delve to test dns_client interfaces. [RT #35383]
 6192 
 6193 3747.	[bug]		A race condition could lead to a core dump when
 6194 			destroying a resolver fetch object. [RT #35385]
 6195 
 6196 3746.	[func]		New "max-zone-ttl" option enforces maximum
 6197 			TTLs for zones. If loading a zone containing a
 6198 			higher TTL, the load fails. DDNS updates with
 6199 			higher TTLs are accepted but the TTL is truncated.
 6200 			(Note: Currently supported for master zones only;
 6201 			inline-signing slaves will be added.) [RT #38405]
 6202 
 6203 3745.	[func]		"configure --with-tuning=large" adjusts various
 6204 			compiled-in constants and default settings to
 6205 			values suited to large servers with abundant
 6206 			memory. [RT #29538]
 6207 
 6208 3744.	[experimental]	SIT: send and process Source Identity Tokens
 6209 			(similar to DNS Cookies by Donald Eastlake 3rd),
 6210 			which are designed to help clients detect off-path
 6211 			spoofed responses and for servers to identify
 6212 			legitimate clients.
 6213 
 6214 			SIT uses an experimental EDNS option code (65001),
 6215 			which will be changed to an IANA-assigned value
 6216 			if the experiment is deemed a success.
 6217 
 6218 			SIT can be enabled via "configure --enable-sit" (or
 6219 			--enable-developer). It is enabled by default in
 6220 			Windows.
 6221 
 6222 			Servers can be configured to send smaller responses
 6223 			to clients that have not identified themselves via
 6224 			SIT.  RRL processing has also been updated;
 6225 			legitimate clients are not subject to rate
 6226 			limiting. [RT #35389]
 6227 
 6228 3743.	[bug]		delegation-only flag wasn't working in forward zone
 6229 			declarations despite being documented.  This is
 6230 			needed to support turning off forwarding and turning
 6231 			on delegation only at the same name.  [RT #35392]
 6232 
 6233 3742.	[port]		linux: libcap support: declare curval at start of
 6234 			block. [RT #35387]
 6235 
 6236 3741.	[func]		"delve" (domain entity lookup and validation engine):
 6237 			A new tool with dig-like semantics for performing DNS
 6238 			lookups, with internal DNSSEC validation, using the
 6239 			same resolver and validator logic as named. This
 6240 			allows easy validation of DNSSEC data in environments
 6241 			with untrustworthy resolvers, and assists with
 6242 			troubleshooting of DNSSEC problems. [RT #32406]
 6243 
 6244 3740.	[contrib]	Minor fixes to configure --with-dlz-bdb,
 6245 			--with-dlz-postgres and --with-dlz-odbc. [RT #35340]
 6246 
 6247 3739.	[func]		Added per-zone stats counters to track TCP and
 6248 			UDP queries. [RT #35375]
 6249 
 6250 3738.	[bug]		--enable-openssl-hash failed to build. [RT #35343]
 6251 
 6252 3737.	[bug]		'rndc retransfer' could trigger an assertion failure
 6253 			with inline zones. [RT #35353]
 6254 
 6255 3736.	[bug]		nsupdate: When specifying a server by name,
 6256 			fall back to alternate addresses if the first
 6257 			address for that name is not reachable. [RT #25784]
 6258 
 6259 3735.	[cleanup]	Merged the libiscpk11 library into libisc
 6260 			to simplify dependencies. [RT #35205]
 6261 
 6262 3734.	[bug]		Improve building with libtool. [RT #35314]
 6263 
 6264 3733.	[func]		Improve interface scanning support.  Interface
 6265 			information will be automatically updated if the
 6266 			OS supports routing sockets (MacOS, *BSD, Linux).
 6267 			Use "automatic-interface-scan no;" to disable.
 6268 
 6269 			Add "rndc scan" to trigger a scan. [RT #23027]
 6270 
 6271 3732.	[contrib]	Fixed a type mismatch causing the ODBC DLZ
 6272 			driver to dump core on 64-bit systems. [RT #35324]
 6273 
 6274 3731.	[func]		Added a "no-case-compress" ACL, which causes
 6275 			named to use case-insensitive compression
 6276 			(disabling change #3645) for specified
 6277 			clients. (This is useful when dealing
 6278 			with broken client implementations that
 6279 			use case-sensitive name comparisons,
 6280 			rejecting responses that fail to match the
 6281 			capitalization of the query that was sent.)
 6282 			[RT #35300]
 6283 
 6284 3730.	[cleanup]	Added "never" as a synonym for "none" when
 6285 			configuring key event dates in the dnssec tools.
 6286 			[RT #35277]
 6287 
 6288 3729.	[bug]		dnssec-keygen could set the publication date
 6289 			incorrectly when only the activation date was
 6290 			specified on the command line. [RT #35278]
 6291 
 6292 3728.	[doc]		Expanded native-PKCS#11 documentation,
 6293 			specifically pkcs11: URI labels. [RT #35287]
 6294 
 6295 3727.	[func]		The isc_bitstring API is no longer used and
 6296 			has been removed from libisc. [RT #35284]
 6297 
 6298 3726.	[cleanup]	Clarified the error message when attempting
 6299 			to configure more than 32 response-policy zones.
 6300 			[RT #35283]
 6301 
 6302 3725.	[contrib]	Updated zkt and nslint to newest versions,
 6303 			cleaned up and rearranged the contrib
 6304 			directory, and added a README.
 6305 
 6306 	--- 9.10.0a2 released ---
 6307 
 6308 3724.	[bug]		win32: Fixed a bug that prevented dig and
 6309 			host from exiting properly after completing
 6310 			a UDP query. [RT #35288]
 6311 
 6312 3723.	[cleanup]	Imported keys are now handled the same way
 6313 			regardless of DNSSEC algorithm. [RT #35215]
 6314 
 6315 3722.	[bug]		Using geoip ACLs in a blackhole statement
 6316 			could cause a segfault. [RT #35272]
 6317 
 6318 3721.	[doc]		Improved documentation of the EDNS processing
 6319 			enhancements introduced in change #3593. [RT #35275]
 6320 
 6321 3720.	[bug]		Address compiler warnings. [RT #35261]
 6322 
 6323 3719.	[bug]		Address memory leak in peer.c. [RT #35255]
 6324 
 6325 3718.	[bug]		A missing ISC_LINK_INIT in log.c. [RT #35260]
 6326 
 6327 3717.	[port]		hpux: Treat EOPNOTSUPP as an expected error code when
 6328 			probing to see if it is possible to set dscp values
 6329 			on a per packet basis. [RT #35252]
 6330 
 6331 3716.	[bug]		The dns_request code was setting dscp values when not
 6332 			requested.  [RT #35252]
 6333 
 6334 3715.	[bug]		The region and city databases could fail to
 6335 			initialize when using some versions of libGeoIP,
 6336 			causing assertion failures when named was
 6337 			configured to use them. [RT #35427]
 6338 
 6339 3714.	[test]		System tests that need to test for cryptography
 6340 			support before running can now use a common
 6341 			"testcrypto.sh" script to do so. [RT #35213]
 6342 
 6343 3713.	[bug]		Save memory by not storing "also-notify" addresses
 6344 			in zone objects that are configured not to send
 6345 			notify requests. [RT #35195]
 6346 
 6347 3712.	[placeholder]
 6348 
 6349 3711.	[placeholder]
 6350 
 6351 3710.	[bug]		Address double dns_zone_detach when switching to
 6352 			using automatic empty zones from regular zones.
 6353 			[RT #35177]
 6354 
 6355 3709.	[port]		Use built-in versions of strptime() and timegm()
 6356 			on all platforms to avoid portability issues.
 6357 			[RT #35183]
 6358 
 6359 3708.	[bug]		Address a portentry locking issue in dispatch.c.
 6360 			[RT #35128]
 6361 
 6362 3707.	[bug]		irs_resconf_load now returns ISC_R_FILENOTFOUND
 6363 			on a missing resolv.conf file and initializes the
 6364 			structure as if it had been configured with:
 6365 
 6366 				nameserver ::1
 6367 				nameserver 127.0.0.1
 6368 
 6369 			Note: Callers will need to be updated to treat
 6370 			ISC_R_FILENOTFOUND as a qualified success or else
 6371 			they will leak memory. The following code fragment
 6372 			will work with both old and new versions without
 6373 			changing the behaviour of the existing code.
 6374 
 6375 			resconf = NULL;
 6376 			result = irs_resconf_load(mctx, "/etc/resolv.conf",
 6377 						  &resconf);
 6378 			if (result != ISC_R_SUCCESS) {
 6379 				if (resconf != NULL)
 6380 					irs_resconf_destroy(&resconf);
 6381 				....
 6382 			}
 6383 
 6384 			[RT #35194]
 6385 
 6386 3706.	[contrib]	queryperf: Fixed a possible integer overflow when
 6387 			printing results. [RT #35182]
 6388 
 6389 3705.	[func]		"configure --enable-native-pkcs11" enables BIND
 6390 			to use the PKCS#11 API for all cryptographic
 6391 			functions, so that it can drive a hardware service
 6392 			module directly without the need to use a modified
 6393 			OpenSSL as intermediary (so long as the HSM's vendor
 6394 			provides a complete-enough implementation of the
 6395 			PKCS#11 interface). This has been tested successfully
 6396 			with the Thales nShield HSM and with SoftHSMv2 from
 6397 			the OpenDNSSEC project. [RT #29031]
 6398 
 6399 3704.	[protocol]	Accept integer timestamps in RRSIG records. [RT #35185]
 6400 
 6401 3703.	[func]		To improve recursive resolver performance, cache
 6402 			records which are still being requested by clients
 6403 			can now be automatically refreshed from the
 6404 			authoritative server before they expire, reducing
 6405 			or eliminating the time window in which no answer
 6406 			is available in the cache. See the "prefetch" option
 6407 			for more details. [RT #35041]
 6408 
 6409 3702.	[func]		'dnssec-coverage -l' option specifies a length
 6410 			of time to check for coverage; events further into
 6411 			the future are ignored.  'dnssec-coverage -z'
 6412 			checks only ZSK events, and 'dnssec-coverage -k'
 6413 			checks only KSK events.  (Thanks to Peter Palfrader.)
 6414 			[RT #35168]
 6415 
 6416 3701.	[func]		named-checkconf can now obscure shared secrets
 6417 			when printing by specifying '-x'. [RT #34465]
 6418 
 6419 3700.	[func]		Allow access to subgroups of XML statistics via
 6420 			special URLs http://<server>:<port>/xml/v3/server,
 6421 			/zones, /net, /tasks, /mem, and /status.  [RT #35115]
 6422 
 6423 3699.	[bug]		Improvements to statistics channel XSL stylesheet:
 6424 			the stylesheet can now be cached by the browser;
 6425 			section headers are omitted from the stats display
 6426 			when there is no data in those sections to be
 6427 			displayed; counters are now right-justified for
 6428 			easier readability. [RT #35117]
 6429 
 6430 3698.	[cleanup]	Replaced all uses of memcpy() with memmove().
 6431 			[RT #35120]
 6432 
 6433 3697.	[bug]		Handle "." as a search list element when IDN support
 6434 			is enabled. [RT #35133]
 6435 
 6436 3696.	[bug]		dig failed to handle AXFR style IXFR responses which
 6437 			span multiple messages. [RT #35137]
 6438 
 6439 3695.	[bug]		Address a possible race in dispatch.c. [RT #35107]
 6440 
 6441 3694.	[bug]		Warn when a key-directory is configured for a zone,
 6442 			but does not exist or is not a directory. [RT #35108]
 6443 
 6444 3693.	[security]	memcpy was incorrectly called with overlapping
 6445 			ranges resulting in malformed names being generated
 6446 			on some platforms.  This could cause INSIST failures
 6447 			when serving NSEC3 signed zones (CVE-2014-0591).
 6448 			[RT #35120]
 6449 
 6450 3692.	[bug]		Two calls to dns_db_getoriginnode were fatal if there
 6451 			was no data at the node. [RT #35080]
 6452 
 6453 3691.	[contrib]	Address null pointer dereference in LDAP and
 6454 			MySQL DLZ modules.
 6455 
 6456 3690.	[bug]		Iterative responses could be missed when the source
 6457 			port for an upstream query was the same as the
 6458 			listener port (53). [RT #34925]
 6459 
 6460 3689.	[bug]		Fixed a bug causing an insecure delegation from one
 6461 			static-stub zone to another to fail with a broken
 6462 			trust chain. [RT #35081]
 6463 
 6464 3688.	[bug]		loadnode could return a freed node on out of memory.
 6465 			[RT #35106]
 6466 
 6467 3687.	[bug]		Address null pointer dereference in zone_xfrdone.
 6468 			[RT #35042]
 6469 
 6470 3686.	[func]		"dnssec-signzone -Q" drops signatures from keys
 6471 			that are still published but no longer active.
 6472 			[RT #34990]
 6473 
 6474 3685.	[bug]		"rndc refresh" didn't work correctly with slave
 6475 			zones using inline-signing. [RT #35105]
 6476 
 6477 3684.	[bug]		The list of included files would grow on reload.
 6478 			[RT #35090]
 6479 
 6480 3683.	[cleanup]	Add a more detailed "not found" message to rndc
 6481 			commands which specify a zone name. [RT #35059]
 6482 
 6483 3682.	[bug]		Correct the behavior of rndc retransfer to allow
 6484 			inline-signing slave zones to retain NSEC3 parameters
 6485 			instead of reverting to NSEC. [RT #34745]
 6486 
 6487 3681.	[port]		Update the Windows build system to support feature
 6488 			selection and WIN64 builds.  This is a work in
 6489 			progress. [RT #34160]
 6490 
 6491 3680.	[bug]		Ensure buffer space is available in "rndc zonestatus".
 6492 			[RT #35084]
 6493 
 6494 3679.	[bug]		dig could fail to clean up TCP sockets still
 6495 			waiting on connect(). [RT #35074]
 6496 
 6497 3678.	[port]		Update config.guess and config.sub. [RT #35060]
 6498 
 6499 3677.	[bug]		'nsupdate' leaked memory if 'realm' was used multiple
 6500 			times.  [RT #35073]
 6501 
 6502 3676.	[bug]		"named-checkconf -z" now checks zones of type
 6503 			hint and redirect as well as master. [RT #35046]
 6504 
 6505 3675.	[misc]		Provide a place for third parties to add version
 6506 			information for their extensions in the version
 6507 			file by setting the EXTENSIONS variable.
 6508 
 6509 	--- 9.10.0a1 released ---
 6510 
 6511 3674.	[bug]		RPZ zeroed ttls if the query type was '*'. [RT #35026]
 6512 
 6513 3673.	[func]		New "in-view" zone option allows direct sharing
 6514 			of zones between views. [RT #32968]
 6515 
 6516 3672.	[func]		Local address can now be specified when using
 6517 			dns_client API. [RT #34811]
 6518 
 6519 3671.	[bug]		Don't allow dnssec-importkey to overwrite an existing
 6520 			non-imported private key.
 6521 
 6522 3670.	[bug]		Address read after free in server side of
 6523 			lwres_getrrsetbyname. [RT #29075]
 6524 
 6525 3669.	[port]		freebsd: --with-gssapi needs -lhx509. [RT #35001]
 6526 
 6527 3668.	[bug]		Fix cast in lex.c which could see 0xff treated as eof.
 6528 			[RT #34993]
 6529 
 6530 3667.	[test]		dig: add support to keep the TCP socket open between
 6531 			successive queries (+[no]keepopen).  [RT #34918]
 6532 
 6533 3666.	[func]		Add a tool, named-rrchecker, for checking the syntax
 6534 			of individual resource records.  This tool is intended
 6535 			to be called by provisioning systems so that the front
 6536 			end does not need to be upgraded to support new DNS
 6537 			record types. [RT #34778]
 6538 
 6539 3665.	[bug]		Failure to release lock on error in receive_secure_db.
 6540 			[RT #34944]
 6541 
 6542 3664.	[bug]		Updated OpenSSL PKCS#11 patches to fix active list
 6543 			locking and other bugs. [RT #34855]
 6544 
 6545 3663.	[bug]		Address bugs in dns_rdata_fromstruct and
 6546 			dns_rdata_tostruct for WKS and ISDN types. [RT #34910]
 6547 
 6548 3662.	[bug]		'host' could die if a UDP query timed out. [RT #34870]
 6549 
 6550 3661.	[bug]		Address lock order reversal deadlock with inline zones.
 6551 			[RT #34856]
 6552 
 6553 3660.	[cleanup]	Changed the name of "isc-config.sh" to "bind9-config".
 6554 			[RT #23825]
 6555 
 6556 3659.	[port]		solaris: don't add explicit dependencies/rules for
 6557 			python programs as make won't use the implicit rules.
 6558 			[RT #34835]
 6559 
 6560 3658.	[port]		linux: Address platform specific compilation issue
 6561 			when libcap-devel is installed. [RT #34838]
 6562 
 6563 3657.	[port]		Some readline clones don't accept NULL pointers when
 6564 			calling add_history. [RT #34842]
 6565 
 6566 3656.	[security]	Treat an all zero netmask as invalid when generating
 6567 			the localnets acl. (The prior behavior could
 6568 			allow unexpected matches when using some versions
 6569 			of Winsock: CVE-2013-6320.) [RT #34687]
 6570 
 6571 3655.	[cleanup]	Simplify TCP message processing when requesting a
 6572 			zone transfer.  [RT #34825]
 6573 
 6574 3654.	[bug]		Address race condition with manual notify requests.
 6575 			[RT #34806]
 6576 
 6577 3653.	[func]		Create delegations for all "children" of empty zones
 6578 			except "forward first". [RT #34826]
 6579 
 6580 3652.	[bug]		Address bug with rpz-drop policy. [RT #34816]
 6581 
 6582 3651.	[tuning]	Adjust when a master server is deemed unreachable.
 6583 			[RT #27075]
 6584 
 6585 3650.	[tuning]	Use separate rate limiting queues for refresh and
 6586 			notify requests. [RT #30589]
 6587 
 6588 3649.	[cleanup]	Include a comment in .nzf files, giving the name of
 6589 			the associated view. [RT #34765]
 6590 
 6591 3648.	[test]		Updated the ATF test framework to version 0.17.
 6592 			[RT #25627]
 6593 
 6594 3647.	[bug]		Address a race condition when shutting down a zone.
 6595 			[RT #34750]
 6596 
 6597 3646.	[bug]		Journal filename string could be set incorrectly,
 6598 			causing garbage in log messages. [RT #34738]
 6599 
 6600 3645.	[protocol]	Use case sensitive compression when responding to
 6601 			queries. [RT #34737]
 6602 
 6603 3644.	[protocol]	Check that EDNS subnet client options are well formed.
 6604 			[RT #34718]
 6605 
 6606 3643.	[doc]		Clarify RRL "slip" documentation.
 6607 
 6608 3642.	[func]		Allow externally generated DNSKEY to be imported
 6609 			into the DNSKEY management framework.  A new tool
 6610 			dnssec-importkey is used to do this. [RT #34698]
 6611 
 6612 3641.	[bug]		Handle changes to sig-validity-interval settings
 6613 			better. [RT #34625]
 6614 
 6615 3640.	[bug]		ndots was not being checked when searching.  Only
 6616 			continue searching on NXDOMAIN responses.  Add the
 6617 			ability to specify ndots to nslookup. [RT #34711]
 6618 
 6619 3639.	[bug]		Treat type 65533 (KEYDATA) as opaque except when used
 6620 			in a key zone. [RT #34238]
 6621 
 6622 3638.	[cleanup]	Add the ability to handle ENOPROTOOPT in case it is
 6623 			encountered. [RT #34668]
 6624 
 6625 3637.	[bug]		'allow-query-on' was checking the source address
 6626 			rather than the destination address. [RT #34590]
 6627 
 6628 3636.	[bug]		Automatic empty zones now behave better with
 6629 			forward only "zones" beneath them. [RT #34583]
 6630 
 6631 3635.	[bug]		Signatures were not being removed from a zone with
 6632 			only KSK keys for an algorithm. [RT #34439]
 6633 
 6634 3634.	[func]		Report build-id in rndc status. Report build-id
 6635 			when building from a git repository. [RT #20422]
 6636 
 6637 3633.	[cleanup]	Refactor OPT processing in named to make it easier
 6638 			to support new EDNS options. [RT #34414]
 6639 
 6640 3632.	[bug]		Signatures from newly inactive keys were not being
 6641 			removed. [RT #32178]
 6642 
 6643 3631.	[bug]		Remove spurious warning about missing signatures when
 6644 			qtype is SIG. [RT #34600]
 6645 
 6646 3630.	[bug]		Ensure correct ID computation for MD5 keys. [RT #33033]
 6647 
 6648 3629.	[func]		Allow the printing of cryptographic fields in DNSSEC
 6649 			records by dig to be suppressed (dig +nocrypto).
 6650 			[RT #34534]
 6651 
 6652 3628.	[func]		Report DNSKEY key id's when dumping the cache.
 6653 			[RT #34533]
 6654 
 6655 3627.	[bug]		RPZ changes were not effective on slaves. [RT #34450]
 6656 
 6657 3626.	[func]		dig: NSID output now easier to read. [RT #21160]
 6658 
 6659 3625.	[bug]		Don't send notify messages to machines outside of the
 6660 			test setup.
 6661 
 6662 3624.	[bug]		Look for 'json_object_new_int64' when looking for
 6663 			the json library. [RT #34449]
 6664 
 6665 3623.	[placeholder]
 6666 
 6667 3622.	[tuning]	Eliminate an unnecessary lock when incrementing
 6668 			cache statistics. [RT #34339]
 6669 
 6670 3621.	[security]	Incorrect bounds checking on private type 'keydata'
 6671 			can lead to a remotely triggerable REQUIRE failure
 6672 			(CVE-2013-4854). [RT #34238]
 6673 
 6674 3620.	[func]		Added "rpz-client-ip" policy triggers, enabling
 6675 			RPZ responses to be configured on the basis of
 6676 			the client IP address; this can be used, for
 6677 			example, to blacklist misbehaving recursive
 6678 			or stub resolvers. [RT #33605]
 6679 
 6680 3619.	[bug]		Fixed a bug in RPZ with "recursive-only no;"
 6681 			[RT #33776]
 6682 
 6683 3618.	[func]		"rndc reload" now checks modification times of
 6684 			include files as well as master files to determine
 6685 			whether to skip reloading a zone. [RT #33936]
 6686 
 6687 3617.	[bug]		Named was failing to answer queries during
 6688 			"rndc reload" [RT #34098]
 6689 
 6690 3616.	[bug]		Change #3613 was incomplete. [RT #34177]
 6691 
 6692 3615.	[cleanup]	"configure" now finishes by printing a summary
 6693 			of optional BIND features and whether they are
 6694 			active or inactive. ("configure --enable-full-report"
 6695 			increases the verbosity of the summary.) [RT #31777]
 6696 
 6697 3614.	[port]		Check for <linux/types.h>. [RT #34162]
 6698 
 6699 3613.	[bug]		named could crash when deleting inline-signing
 6700 			zones with "rndc delzone". [RT #34066]
 6701 
 6702 3612.	[port]		Check whether to use -ljson or -ljson-c. [RT #34115]
 6703 
 6704 3611.	[bug]		Improved resistance to a theoretical authentication
 6705 			attack based on differential timing.  [RT #33939]
 6706 
 6707 3610.	[cleanup]	win32: Some executables had been omitted from the
 6708 			installer. [RT #34116]
 6709 
 6710 3609.	[bug]		Corrected a possible deadlock in applications using
 6711 			the export version of the isc_app API. [RT #33967]
 6712 
 6713 3608.	[port]		win32: added todos.pl script to ensure all text files
 6714 			the win32 build depends on are converted to DOS
 6715 			newline format. [RT #22067]
 6716 
 6717 3607.	[bug]		dnssec-keygen had broken 'Invalid keyfile' error
 6718 			message. [RT #34045]
 6719 
 6720 3606.	[func]		"rndc flushtree" now flushes matching
 6721 			records in the address database and bad cache
 6722 			as well as the DNS cache. (Previously only the
 6723 			DNS cache was flushed.) [RT #33970]
 6724 
 6725 3605.	[port]		win32: Addressed several compatibility issues
 6726 			with newer versions of Visual Studio. [RT #33916]
 6727 
 6728 3604.	[bug]		Fixed a compile-time error when building with
 6729 			JSON but not XML. [RT #33959]
 6730 
 6731 3603.	[bug]		Install <isc/stat.h>. [RT #33956]
 6732 
 6733 3602.	[contrib]	Added DLZ Perl module, allowing Perl scripts to
 6734 			integrate with named and serve DNS data.
 6735 			(Contributed by John Eaglesham of Yahoo.)
 6736 
 6737 3601.	[bug]		Added to PKCS#11 openssl patches a value len
 6738 			attribute in DH derive key. [RT #33928]
 6739 
 6740 3600.	[cleanup]	dig: Fixed a typo in the warning output when receiving
 6741 			an oversized response. [RT #33910]
 6742 
 6743 3599.	[tuning]	Check for pointer equivalence in name comparisons.
 6744 			[RT #18125]
 6745 
 6746 3598.	[cleanup]	Improved portability of map file code. [RT #33820]
 6747 
 6748 3597.	[bug]		Ensure automatic-resigning heaps are reconstructed
 6749 			when loading zones in map format. [RT #33381]
 6750 
 6751 3596.	[port]		Updated win32 build documentation, added
 6752 			dnssec-verify. [RT #22067]
 6753 
 6754 3595.	[port]		win32: Fix build problems introduced by change #3550.
 6755 			[RT #33807]
 6756 
 6757 3594.	[maint]		Update config.guess and config.sub. [RT #33816]
 6758 
 6759 3593.	[func]		Update EDNS processing to better track remote server
 6760 			capabilities. [RT #30655]
 6761 
 6762 3592.	[doc]		Moved documentation of rndc command options to the
 6763 			rndc man page. [RT #33506]
 6764 
 6765 3591.	[func]		Use CRC-64 to detect map file corruption at load
 6766 			time. [RT #33746]
 6767 
 6768 3590.	[bug]		When using RRL on recursive servers, defer
 6769 			rate-limiting until after recursion is complete;
 6770 			also, use correct rcode for slipped NXDOMAIN
 6771 			responses.  [RT #33604]
 6772 
 6773 3589.	[func]		Report serial numbers when starting zone transfers.
 6774 			Report accepted NOTIFY requests including serial.
 6775 			[RT #33037]
 6776 
 6777 3588.	[bug]		dig: addressed a memory leak in the sigchase code
 6778 			that could cause a shutdown crash.  [RT #33733]
 6779 
 6780 3587.	[func]		'named -g' now checks the logging configuration but
 6781 			does not use it. [RT #33473]
 6782 
 6783 3586.	[bug]		Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]
 6784 
 6785 3585.	[func]		"rndc delzone -clean" option removes zone files
 6786 			when deleting a zone. [RT #33570]
 6787 
 6788 3584.	[security]	Caching data from an incompletely signed zone could
 6789 			trigger an assertion failure in resolver.c
 6790 			(CVE-2013-3919). [RT #33690]
 6791 
 6792 3583.	[bug]		Address memory leak in GSS-API processing [RT #33574]
 6793 
 6794 3582.	[bug]		Silence false positive warning regarding missing file
 6795 			directive for inline slave zones.  [RT #33662]
 6796 
 6797 3581.	[bug]		Changed the tcp-listen-queue default to 10. [RT #33029]
 6798 
 6799 3580.	[bug]		Addressed a possible race in acache.c [RT #33602]
 6800 
 6801 3579.	[maint]		Updates to PKCS#11 openssl patches, supporting
 6802 			versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]
 6803 
 6804 3578.	[bug]		'rndc -c file' now fails if 'file' does not exist.
 6805 			[RT #33571]
 6806 
 6807 3577.	[bug]		Handle zero TTL values better. [RT #33411]
 6808 
 6809 3576.	[bug]		Address a shutdown race when validating. [RT #33573]
 6810 
 6811 3575.	[func]		Changed the logging category for RRL events from
 6812 			'queries' to 'query-errors'. [RT #33540]
 6813 
 6814 3574.	[doc]		The 'hostname' keyword was missing from server-id
 6815 			description in the named.conf man page. [RT #33476]
 6816 
 6817 3573.	[bug]		"rndc addzone" and "rndc delzone" incorrectly handled
 6818 			zone names containing punctuation marks and other
 6819 			nonstandard characters. [RT #33419]
 6820 
 6821 3572.	[func]		Threads are now enabled by default on most
 6822 			operating systems. [RT #25483]
 6823 
 6824 3571.	[bug]		Address race condition in dns_client_startresolve().
 6825 			[RT #33234]
 6826 
 6827 3570.	[bug]		Check internal pointers are valid when loading map
 6828 			files. [RT #33403]
 6829 
 6830 3569.	[contrib]	Ported mysql DLZ driver to dynamically-loadable
 6831 			module, and added multithread support. [RT #33394]
 6832 
 6833 3568.	[cleanup]	Add a product description line to the version file,
 6834 			to be reported by named -v/-V. [RT #33366]
 6835 
 6836 3567.	[bug]		Silence clang static analyzer warnings. [RT #33365]
 6837 
 6838 3566.	[func]		Log when forwarding updates to master. [RT #33240]
 6839 
 6840 3565.	[placeholder]
 6841 
 6842 3564.	[bug]		Improved handling of corrupted map files. [RT #33380]
 6843 
 6844 3563.	[contrib]	zone2sqlite failed with some table names. [RT #33375]
 6845 
 6846 3562.	[func]		Update map file header format to include a SHA-1 hash
 6847 			of the database content, so that corrupted map files
 6848 			can be rejected at load time. [RT #32459]
 6849 
 6850 3561.	[bug]		dig: issue a warning if an EDNS query returns FORMERR
 6851 			or NOTIMP.  Adjust usage message. [RT #33363]
 6852 
 6853 3560.	[bug]		isc-config.sh did not honor includedir and libdir
 6854 			when set via configure. [RT #33345]
 6855 
 6856 3559.	[func]		Check that both forms of Sender Policy Framework
 6857 			records exist or do not exist. [RT #33355]
 6858 
 6859 3558.	[bug]		IXFR of a DLZ stored zone was broken. [RT #33331]
 6860 
 6861 3557.	[bug]		Reloading redirect zones was broken. [RT #33292]
 6862 
 6863 3556.	[maint]		Added AAAA for D.ROOT-SERVERS.NET.
 6864 
 6865 3555.	[bug]		Address theoretical race conditions in acache.c
 6866 			(change #3553 was incomplete). [RT #33252]
 6867 
 6868 3554.	[bug]		RRL failed to correctly rate-limit upward
 6869 			referrals and failed to count dropped error
 6870 			responses in the statistics. [RT #33225]
 6871 
 6872 3553.	[bug]		Address suspected double free in acache. [RT #33252]
 6873 
 6874 3552.	[bug]		Wrong getopt option string for 'nsupdate -r'.
 6875 			[RT #33280]
 6876 
 6877 3551.	[bug]		resolver.querydscp[46] were uninitialized.  [RT #32686]
 6878 
 6879 3550.	[func]		Unified the internal and export versions of the
 6880 			BIND libraries, allowing external clients to use
 6881 			the same libraries as BIND. [RT #33131]
 6882 
 6883 3549.	[doc]		Documentation for "request-nsid" was missing.
 6884 			[RT #33153]
 6885 
 6886 3548.	[bug]		The NSID request code in resolver.c was broken
 6887 			resulting in invalid EDNS options being sent.
 6888 			[RT #33153]
 6889 
 6890 3547.	[bug]		Some malformed unknown rdata records were not properly
 6891 			detected and rejected. [RT #33129]
 6892 
 6893 3546.	[func]		Add EUI48 and EUI64 types. [RT #33082]
 6894 
 6895 3545.	[bug]		RRL slip behavior was incorrect when set to 1.
 6896 			[RT #33111]
 6897 
 6898 3544.	[contrib]	check5011.pl: Script to report the status of
 6899 			managed keys as recorded in managed-keys.bind.
 6900 			Contributed by Tony Finch <dot@dotat.at>
 6901 
 6902 3543.	[bug]		Update socket structure before attaching to socket
 6903 			manager after accept. [RT #33084]
 6904 
 6905 3542.	[placeholder]
 6906 
 6907 3541.	[bug]		Parts of libdns were not properly initialized when
 6908 			built in libexport mode. [RT #33028]
 6909 
 6910 3540.	[test]		libt_api: t_info and t_assert were not thread safe.
 6911 
 6912 3539.	[port]		win32: timestamp format didn't match other platforms.
 6913 
 6914 3538.	[test]		Running "make test" now requires loopback interfaces
 6915 			to be set up. [RT #32452]
 6916 
 6917 3537.	[tuning]	Slave zones, when updated, now send NOTIFY messages
 6918 			to peers before being dumped to disk rather than
 6919 			after. [RT #27242]
 6920 
 6921 3536.	[func]		Add support for setting Differentiated Services Code
 6922 			Point (DSCP) values in named.  Most configuration
 6923 			options which take a "port" option (e.g.,
 6924 			listen-on, forwarders, also-notify, masters,
 6925 			notify-source, etc) can now also take a "dscp"
 6926 			option specifying a code point for use with
 6927 			outgoing traffic, if supported by the underlying
 6928 			OS. [RT #27596]
 6929 
 6930 3535.	[bug]		Minor win32 cleanups. [RT #32962]
 6931 
 6932 3534.	[bug]		Extra text after an embedded NULL was ignored when
 6933 			parsing zone files. [RT #32699]
 6934 
 6935 3533.	[contrib]	query-loc-0.4.0: memory leaks. [RT #32960]
 6936 
 6937 3532.	[contrib]	zkt: fixed buffer overrun, resource leaks. [RT #32960]
 6938 
 6939 3531.	[bug]		win32: An uninitialized value could be returned on out
 6940 			of memory. [RT #32960]
 6941 
 6942 3530.	[contrib]	Better RTT tracking in queryperf. [RT #30128]
 6943 
 6944 3529.	[func]		Named now listens on both IPv4 and IPv6 interfaces
 6945 			by default.  Named previously only listened on IPv4
 6946 			interfaces by default unless named was running in
 6947 			IPv6 only mode.  [RT #32945]
 6948 
 6949 3528.	[func]		New "dnssec-coverage" command scans the timing
 6950 			metadata for a set of DNSSEC keys and reports if a
 6951 			lapse in signing coverage has been scheduled
 6952 			inadvertently. (Note: This tool depends on python;
 6953 			it will not be built or installed on systems that
 6954 			do not have a python interpreter.) [RT #28098]
 6955 
 6956 3527.	[compat]	Add a URI to allow applications to explicitly
 6957 			request a particular XML schema from the statistics
 6958 			channel, returning 404 if not supported. [RT #32481]
 6959 
 6960 3526.	[cleanup]	Set up dependencies for unit tests correctly during
 6961 			build. [RT #32803]
 6962 
 6963 3525.	[func]		Support for additional signing algorithms in rndc:
 6964 			hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
 6965 			The -A option to rndc-confgen can be used to
 6966 			select the algorithm for the generated key.
 6967 			(The default is still hmac-md5; this may
 6968 			change in a future release.) [RT #20363]
 6969 
 6970 3524.	[func]		Added an alternate statistics channel in JSON format,
 6971 			when the server is built with the json-c library:
 6972 			http://[address]:[port]/json. [RT #32630]
 6973 
 6974 3523.	[contrib]	Ported filesystem and ldap DLZ drivers to
 6975 			dynamically-loadable modules, and added the
 6976 			"wildcard" module based on a contribution from
 6977 			Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569]
 6978 
 6979 3522.	[bug]		DLZ lookups could fail to return SERVFAIL when
 6980 			they ought to. [RT #32685]
 6981 
 6982 3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]
 6983 
 6984 3520.	[bug]		'mctx' was not being reference counted in some places
 6985 			where it should have been.  [RT #32794]
 6986 
 6987 3519.	[func]		Full replay protection via four-way handshake is
 6988 			now mandatory for rndc clients. Very old versions
 6989 			of rndc will no longer work. [RT #32798]
 6990 
 6991 3518.	[bug]		Increase the size of dns_rrl_key.s.rtype by one bit
 6992 			so that all dns_rrl_rtype_t enum values fit regardless
 6993 			of whether it is treated as signed or unsigned by
 6994 			the compiler. [RT #32792]
 6995 
 6996 3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]
 6997 
 6998 3516.	[placeholder]
 6999 
 7000 3515.	[port]		'%T' is not portable in strftime(). [RT #32763]
 7001 
 7002 3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
 7003 			rndc-confgen were too constrained. Keys up to 512
 7004 			bits are now allowed for most algorithms, and up
 7005 			to 1024 bits for hmac-sha384 and hmac-sha512.
 7006 			[RT #32753]
 7007 
 7008 3513.	[func]		"dig -u" prints times in microseconds rather than
 7009 			milliseconds. [RT #32704]
 7010 
 7011 3512.	[func]		"rndc validation check" reports the current status
 7012 			of DNSSEC validation. [RT #21397]
 7013 
 7014 3511.	[doc]		Improve documentation of redirect zones. [RT #32756]
 7015 
 7016 3510.	[func]		"rndc status" and XML statistics channel now report
 7017 			server start and reconfiguration times. [RT #21048]
 7018 
 7019 3509.	[cleanup]	Added a product line to version file to allow for
 7020 			easy naming of different products (BIND
 7021 			vs BIND ESV, for example). [RT #32755]
 7022 
 7023 3508.	[contrib]	queryperf was incorrectly rejecting the -T option.
 7024 			[RT #32338]
 7025 
 7026 3507.	[bug]		Statistics channel XSL had a glitch when attempting
 7027 			to chart query data before any queries had been
 7028 			received. [RT #32620]
 7029 
 7030 3506.	[func]		When setting "max-cache-size" and "max-acache-size",
 7031 			the keyword "unlimited" is no longer defined as equal
 7032 			to 4 gigabytes (except on 32-bit platforms); it
 7033 			means literally unlimited. [RT #32358]
 7034 
 7035 3505.	[bug]		When setting "max-cache-size" and "max-acache-size",
 7036 			larger values than 4 gigabytes could not be set
 7037 			explicitly, though larger sizes were available
 7038 			when setting cache size to 0. This has been
 7039 			corrected; the full range is now available.
 7040 			[RT #32358]
 7041 
 7042 3504.	[func]		Add support for ACLs based on geographic location,
 7043 			using MaxMind GeoIP databases. Based on code
 7044 			contributed by Ken Brownfield <kb@slide.com>.
 7045 			[RT #30681]
 7046 
 7047 3503.	[doc]		Clarify size_spec syntax. [RT #32449]
 7048 
 7049 3502.	[func]		zone-statistics: "no" is now a synonym for "none",
 7050 			instead of "terse". [RT #29165]
 7051 
 7052 3501.	[func]		zone-statistics now takes three options: full,
 7053 			terse, and none. "yes" and "no" are retained as
 7054 			synonyms for full and terse, respectively. [RT #29165]
 7055 
 7056 3500.	[security]	Support NAPTR regular expression validation on
 7057 			all platforms without using libregex, which
 7058 			can be vulnerable to memory exhaustion attack
 7059 			(CVE-2013-2266). [RT #32688]
 7060 
 7061 3499.	[doc]		Corrected ARM documentation of built-in zones.
 7062 			[RT #32694]
 7063 
 7064 3498.	[bug]		zone statistics for zones which matched a potential
 7065 			empty zone could have their zone-statistics setting
 7066 			overridden.
 7067 
 7068 3497.	[func]		When deleting a slave/stub zone using 'rndc delzone'
 7069 			report the files that were being used so they can
 7070 			be cleaned up if desired. [RT #27899]
 7071 
 7072 3496.	[placeholder]
 7073 
 7074 3495.	[func]		Support multiple response-policy zones (up to 32),
 7075 			while improving RPZ performance.  "response-policy"
 7076 			syntax now includes a "min-ns-dots" clause, with
 7077 			default 1, to exclude top-level domains from
 7078 			NSIP and NSDNAME checking. --enable-rpz-nsip and
 7079 			--enable-rpz-nsdname are now the default. [RT #32251]
 7080 
 7081 3494.	[func]		DNS RRL: Blunt the impact of DNS reflection and
 7082 			amplification attacks by rate-limiting substantially-
 7083 			identical responses. [RT #28130]
 7084 
 7085 3493.	[contrib]	Added BDBHPT dynamically-loadable DLZ module,
 7086 			contributed by Mark Goldfinch. [RT #32549]
 7087 
 7088 3492.	[bug]		Fixed a regression in zone loading performance
 7089 			due to lock contention. [RT #30399]
 7090 
 7091 3491.	[bug]		Slave zones using inline-signing must specify a
 7092 			file name. [RT #31946]
 7093 
 7094 3490.	[bug]		When logging RDATA during update, truncate if it's
 7095 			too long. [RT #32365]
 7096 
 7097 3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
 7098 			dns_dlzcreate() failed to properly initialize
 7099 			dlzdb.link.  When cloning a rdataset do not copy
 7100 			the link contents.  [RT #32651]
 7101 
 7102 3488.	[bug]		Use after free error with DH generated keys. [RT #32649]
 7103 
 7104 3487.	[bug]		Change 3444 was not complete.  There was an additional
 7105 			place where the NOQNAME proof needed to be saved.
 7106 			[RT #32629]
 7107 
 7108 3486.	[bug]		named could crash when using TKEY-negotiated keys
 7109 			that had been deleted and then recreated. [RT #32506]
 7110 
 7111 3485.	[cleanup]	Only compile openssl_gostlink.c if we support GOST.
 7112 
 7113 3484.	[bug]		Some statistics were incorrectly rendered in XML.
 7114 			[RT #32587]
 7115 
 7116 3483.	[placeholder]
 7117 
 7118 3482.	[func]		dig +nssearch now prints name servers that don't
 7119 			have address records (missing AAAA or A, or the name
 7120 			doesn't exist). [RT #29348]
 7121 
 7122 3481.	[cleanup]	Removed use of const const in atf.
 7123 
 7124 3480.	[bug]		Silence logging noise when setting up zone
 7125 			statistics. [RT #32525]
 7126 
 7127 3479.	[bug]		Address potential memory leaks in gssapi support
 7128 			code. [RT #32405]
 7129 
 7130 3478.	[port]		Fix a build failure in strict C99 environments
 7131 			[RT #32475]
 7132 
 7133 3477.	[func]		Expand logging when adding records via DDNS update
 7134 			[RT #32365]
 7135 
 7136 3476.	[bug]		"rndc zonestatus" could report a spurious "not
 7137 			found" error on inline-signing zones. [RT #29226]
 7138 
 7139 3475.	[cleanup]	Changed name of 'map' zone file format (previously
 7140 			'fast'). [RT #32458]
 7141 
 7142 3474.	[bug]		nsupdate could assert when the local and remote
 7143 			address families didn't match. [RT #22897]
 7144 
 7145 3473.	[bug]		dnssec-signzone/verify could incorrectly report
 7146 			an error condition due to an empty node above an
 7147 			opt-out delegation lacking an NSEC3. [RT #32072]
 7148 
 7149 3472.	[bug]		The active-connections counter in the socket
 7150 			statistics could underflow. [RT #31747]
 7151 
 7152 3471.	[bug]		The number of UDP dispatches now defaults to
 7153 			the number of CPUs even if -n has been set to
 7154 			a higher value. [RT #30964]
 7155 
 7156 3470.	[bug]		Slave zones could fail to dump when successfully
 7157 			refreshing after an initial failure. [RT #31276]
 7158 
 7159 3469.	[bug]		Handle DLZ lookup failures more gracefully. Improve
 7160 			backward compatibility between versions of DLZ dlopen
 7161 			API. [RT #32275]
 7162 
 7163 3468.	[security]	RPZ rules to generate A records (but not AAAA records)
 7164 			could trigger an assertion failure when used in
 7165 			conjunction with DNS64 (CVE-2012-5689). [RT #32141]
 7166 
 7167 3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
 7168 			to check for delete date < inactive date. [RT #31719]
 7169 
 7170 3466.	[contrib]	Corrected the DNS_CLIENTINFOMETHODS_VERSION check
 7171 			in DLZ example driver. [RT #32275]
 7172 
 7173 3465.	[bug]		Handle isolated reserved ports. [RT #31778]
 7174 
 7175 3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
 7176 			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]
 7177 
 7178 3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]
 7179 
 7180 3462.	[doc]		Clarify server selection behavior of dig when using
 7181 			-4 or -6 options. [RT #32181]
 7182 
 7183 3461.	[bug]		Negative responses could incorrectly have AD=1
 7184 			set. [RT #32237]
 7185 
 7186 3460.	[bug]		Only link against readline where needed. [RT #29810]
 7187 
 7188 3459.	[func]		Added -J option to named-checkzone/named-compilezone
 7189 			to specify the path to the journal file. [RT #30958]
 7190 
 7191 3458.	[bug]		Return FORMERR when presented with an overly long
 7192 			domain name in a request. [RT #29682]
 7193 
 7194 3457.	[protocol]	Add ILNP records (NID, LP, L32, L64). [RT #31836]
 7195 
 7196 3456.	[port]		g++47: ATF failed to compile. [RT #32012]
 7197 
 7198 3455.	[contrib]	queryperf: fix getopt option list. [RT #32338]
 7199 
 7200 3454.	[port]		sparc64: improve atomic support. [RT #25182]
 7201 
 7202 3453.	[bug]		'rndc addzone' of a zone with 'inline-signing yes;'
 7203 			failed. [RT #31960]
 7204 
 7205 3452.	[bug]		Accept duplicate singleton records. [RT #32329]
 7206 
 7207 3451.	[port]		Increase per thread stack size from 64K to 1M.
 7208 			[RT #32230]
 7209 
 7210 3450.	[bug]		Stop logfileconfig system test spamming system logs.
 7211 			[RT #32315]
 7212 
 7213 3449.	[bug]		gen.c: use the pre-processor to construct format
 7214 			strings so that compiler can perform sanity checks;
 7215 			check the snprintf results. [RT #17576]
 7216 
 7217 3448.	[bug]		The allow-query-on ACL was not processed correctly.
 7218 			[RT #29486]
 7219 
 7220 3447.	[port]		Add support for libxml2-2.9.x [RT #32231]
 7221 
 7222 3446.	[port]		win32: Add source ID (see change #3400) to build.
 7223 			[RT #31683]
 7224 
 7225 3445.	[bug]		Warn about zone files with blank owner names
 7226 			immediately after $ORIGIN directives. [RT #31848]
 7227 
 7228 3444.	[bug]		The NOQNAME proof was not being returned from cached
 7229 			insecure responses. [RT #21409]
 7230 
 7231 3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
 7232 			rejected when generating keys. [RT #31927]
 7233 
 7234 3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
 7235 			change. [RT #32216]
 7236 
 7237 3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.
 7238 
 7239 3440.	[bug]		Reorder get_key_struct to not trigger an assertion when
 7240 			cleaning up due to out of memory error. [RT #32131]
 7241 
 7242 3439.	[placeholder]
 7243 
 7244 3438.	[bug]		Don't accept unknown data escape in quotes. [RT #32031]
 7245 
 7246 3437.	[bug]		isc_buffer_init -> isc_buffer_constinit to initialize
 7247 			buffers with constant data. [RT #32064]
 7248 
 7249 3436.	[bug]		Check malloc/calloc return values. [RT #32088]
 7250 
 7251 3435.	[bug]		Cross compilation support in configure was broken.
 7252 			[RT #32078]
 7253 
 7254 3434.	[bug]		Pass client info to the DLZ findzone() entry
 7255 			point in addition to lookup().  This makes it
 7256 			possible for a database to answer differently
 7257 			whether it's authoritative for a name depending
 7258 			on the address of the client.  [RT #31775]
 7259 
 7260 3433.	[bug]		dlz_findzone() did not correctly handle
 7261 			ISC_R_NOMORE. [RT #31172]
 7262 
 7263 3432.	[func]		Multiple DLZ databases can now be configured.
 7264 			DLZ databases are searched in the order configured,
 7265 			unless set to "search no", in which case a
 7266 			zone can be configured to be retrieved from a
 7267 			particular DLZ database by using a "dlz <name>"
 7268 			option in the zone statement.  DLZ databases can
 7269 			support type "master" and "redirect" zones.
 7270 			[RT #27597]
 7271 
 7272 3431.	[bug]		ddns-confgen: Some valid key algorithms were
 7273 			not accepted. [RT #31927]
 7274 
 7275 3430.	[bug]		win32: isc_time_formatISO8601 was missing the
 7276 			'T' between the date and time. [RT #32044]
 7277 
 7278 3429.	[bug]		dns_zone_getserial2 could return success without
 7279 			returning a valid serial. [RT #32007]
 7280 
 7281 3428.	[cleanup]	dig: Add timezone to date output. [RT #2269]
 7282 
 7283 3427.	[bug]		dig +trace incorrectly displayed name server
 7284 			addresses instead of names. [RT #31641]
 7285 
 7286 3426.	[bug]		dnssec-checkds: Clearer output when records are not
 7287 			found. [RT #31968]
 7288 
 7289 3425.	[bug]		"acacheentry" reference counting was broken resulting
 7290 			in use after free. [RT #31908]
 7291 
 7292 3424.	[func]		dnssec-dsfromkey now emits the hash without spaces.
 7293 			[RT #31951]
 7294 
 7295 3423.	[bug]		"rndc signing -nsec3param" didn't accept the full
 7296 			range of possible values.  Address portability issues.
 7297 			[RT #31938]
 7298 
 7299 3422.	[bug]		Added a clear error message for when the SOA does not
 7300 			match the referral. [RT #31281]
 7301 
 7302 3421.	[bug]		Named loops when re-signing if all keys are offline.
 7303 			[RT #31916]
 7304 
 7305 3420.	[bug]		Address VPATH compilation issues. [RT #31879]
 7306 
 7307 3419.	[bug]		Memory leak on validation cancel. [RT #31869]
 7308 
 7309 3418.	[func]		New XML schema (version 3.0) for the statistics channel
 7310 			adds query type statistics at the zone level, and
 7311 			flattens the XML tree and uses compressed format to
 7312 			optimize parsing. Includes new XSL that permits
 7313 			charting via the Google Charts API on browsers that
 7314 			support javascript in XSL.  The old XML schema has been
 7315 			deprecated. [RT #30023]
 7316 
 7317 3417.	[placeholder]
 7318 
 7319 3416.	[bug]		Named could die on shutdown if running with 128 UDP
 7320 			dispatches per interface. [RT #31743]
 7321 
 7322 3415.	[bug]		named could die with a REQUIRE failure if a validation
 7323 			was canceled. [RT #31804]
 7324 
 7325 3414.	[bug]		Address locking issues found by Coverity. [RT #31626]
 7326 
 7327 3413.	[func]		Record the number of DNS64 AAAA RRsets that have been
 7328 			synthesized. [RT #27636]
 7329 
 7330 3412.	[bug]		Copy timeval structure from control message data.
 7331 			[RT #31548]
 7332 
 7333 3411.	[tuning]	Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
 7334 			to UDP. [RT #31690]
 7335 
 7336 3410.	[bug]		Addressed Coverity warnings. [RT #31626]
 7337 
 7338 3409.	[contrib]	contrib/dane/mkdane.sh: Tool to generate TLSA RR's
 7339 			from X.509 certificates, for use with DANE
 7340 			(DNS-based Authentication of Named Entities).
 7341 			[RT #30513]
 7342 
 7343 3408.	[bug]		Some DNSSEC-related options (update-check-ksk,
 7344 			dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
 7345 			are now legal in slave zones as long as
 7346 			inline-signing is in use. [RT #31078]
 7347 
 7348 3407.	[placeholder]
 7349 
 7350 3406.	[bug]		mem.c: Fix compilation errors when building with
 7351 			ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
 7352 			Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
 7353 
 7354 3405.	[bug]		Handle time going backwards in acache. [RT #31253]
 7355 
 7356 3404.	[bug]		dnssec-signzone: When re-signing a zone, remove
 7357 			RRSIG and NSEC records from nodes that used to be
 7358 			in-zone but are now below a zone cut. [RT #31556]
 7359 
 7360 3403.	[bug]		Silence noisy OpenSSL logging. [RT #31497]
 7361 
 7362 3402.	[test]		The IPv6 interface numbers used for system
 7363 			tests were incorrect on some platforms. [RT #25085]
 7364 
 7365 3401.	[bug]		Addressed Coverity warnings. [RT #31484]
 7366 
 7367 3400.	[cleanup]	"named -V" can now report a source ID string, defined
 7368 			in the "srcid" file in the build tree and normally set
 7369 			to the most recent git hash.  [RT #31494]
 7370 
 7371 3399.	[port]		netbsd: rename 'bool' parameter to avoid namespace
 7372 			clash.  [RT #31515]
 7373 
 7374 3398.	[bug]		SOA parameters were not being updated with inline
 7375 			signed zones if the zone was modified while the
 7376 			server was offline. [RT #29272]
 7377 
 7378 3397.	[bug]		dig crashed when using +nssearch with +tcp. [RT #25298]
 7379 
 7380 3396.	[bug]		OPT records were incorrectly removed from signed,
 7381 			truncated responses. [RT #31439]
 7382 
 7383 3395.	[protocol]	Add RFC 6598 reverse zones to built in empty zones
 7384 			list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
 7385 			[RT #31336]
 7386 
 7387 3394.	[bug]		Adjust 'successfully validated after lower casing
 7388 			signer' log level and category. [RT #31414]
 7389 
 7390 3393.	[bug]		'host -C' could core dump if REFUSED was received.
 7391 			[RT #31381]
 7392 
 7393 3392.	[func]		Keep statistics on REFUSED responses. [RT #31412]
 7394 
 7395 3391.	[bug]		A DNSKEY lookup that encountered a CNAME failed.
 7396 			[RT #31262]
 7397 
 7398 3390.	[bug]		Silence clang compiler warnings. [RT #30417]
 7399 
 7400 3389.	[bug]		Always return NOERROR (not 0) in TSIG. [RT #31275]
 7401 
 7402 3388.	[bug]		Fixed several Coverity warnings.
 7403 			Note: This change includes a fix for a bug that
 7404 			was subsequently determined to be an exploitable
 7405 			security vulnerability, CVE-2012-5688: named could
 7406 			die on specific queries with dns64 enabled.
 7407 			[RT #30996]
 7408 
 7409 3387.	[func]		DS digest can be disabled at runtime with
 7410 			disable-ds-digests. [RT #21581]
 7411 
 7412 3386.	[bug]		Address locking violation when generating new NSEC /
 7413 			NSEC3 chains. [RT #31224]
 7414 
 7415 3385.	[bug]		named-checkconf didn't detect missing master lists
 7416 			in also-notify clauses. [RT #30810]
 7417 
 7418 3384.	[bug]		Improved logging of crypto errors. [RT #30963]
 7419 
 7420 3383.	[security]	A certain combination of records in the RBT could
 7421 			cause named to hang while populating the additional
 7422 			section of a response. [RT #31090]
 7423 
 7424 3382.	[bug]		SOA query from slave used use-v6-udp-ports range,
 7425 			if set, regardless of the address family in use.
 7426 			[RT #24173]
 7427 
 7428 3381.	[contrib]	Update queryperf to support more RR types.
 7429 			[RT #30762]
 7430 
 7431 3380.	[bug]		named could die if a nonexistent master list was
 7432 			referenced in an also-notify. [RT #31004]
 7433 
 7434 3379.	[bug]		isc_interval_zero and isc_time_epoch should be
 7435 			"const (type)* const". [RT #31069]
 7436 
 7437 3378.	[bug]		Handle missing 'managed-keys-directory' better.
 7438 			[RT #30625]
 7439 
 7440 3377.	[bug]		Removed spurious newline from NSEC3 multiline
 7441 			output. [RT #31044]
 7442 
 7443 3376.	[bug]		Lack of EDNS support was being recorded without a
 7444 			successful response. [RT #30811]
 7445 
 7446 3375.	[bug]		'rndc dumpdb' failed on empty caches. [RT #30808]
 7447 
 7448 3374.	[bug]		isc_parse_uint32 failed to return a range error on
 7449 			systems with 64 bit longs. [RT #30232]
 7450 
 7451 3373.	[bug]		win32: open raw files in binary mode. [RT #30944]
 7452 
 7453 3372.	[bug]		Silence spurious "deleted from unreachable cache"
 7454 			messages.  [RT #30501]
 7455 
 7456 3371.	[bug]		AD=1 should behave like DO=1 when deciding whether to
 7457 			add NS RRsets to the additional section or not.
 7458 			[RT #30479]
 7459 
 7460 3370.	[bug]		Address use after free while shutting down. [RT #30241]
 7461 
 7462 3369.	[bug]		nsupdate terminated unexpectedly in interactive mode
 7463 			if built with readline support. [RT #29550]
 7464 
 7465 3368.	[bug]		<dns/iptable.h>, <dns/private.h> and <dns/zone.h>
 7466 			were not C++ safe.
 7467 
 7468 3367.	[bug]		dns_dnsseckey_create() result was not being checked.
 7469 			[RT #30685]
 7470 
 7471 3366.	[bug]		Fixed Read-After-Write dependency violation for IA64
 7472 			atomic operations. [RT #25181]
 7473 
 7474 3365.	[bug]		Removed spurious newlines from log messages in
 7475 			zone.c [RT #30675]
 7476 
 7477 3364.	[security]	Named could die on specially crafted record.
 7478 			[RT #30416]
 7479 
 7480 3363.	[bug]		Need to allow "forward" and "forwarders" options
 7481 			in static-stub zones; this had been overlooked.
 7482 			[RT #30482]
 7483 
 7484 3362.	[bug]		Setting some option values to 0 in named.conf
 7485 			could trigger an assertion failure on startup.
 7486 			[RT #27730]
 7487 
 7488 3361.	[bug]		"rndc signing -nsec3param" didn't work correctly
 7489 			when salt was set to '-' (no salt). [RT #30099]
 7490 
 7491 3360.	[bug]		'host -w' could die.  [RT #18723]
 7492 
 7493 3359.	[bug]		An improperly-formed TSIG secret could cause a
 7494 			memory leak. [RT #30607]
 7495 
 7496 3358.	[placeholder]
 7497 
 7498 3357.	[port]		Add support for libxml2-2.8.x [RT #30440]
 7499 
 7500 3356.	[bug]		Cap the TTL of signed RRsets when RRSIGs are
 7501 			approaching their expiry, so they don't remain
 7502 			in caches after expiry. [RT #26429]
 7503 
 7504 3355.	[port]		Use more portable awk in verify system test.
 7505 
 7506 3354.	[func]		Improve OpenSSL error logging. [RT #29932]
 7507 
 7508 3353.	[bug]		Use a single task for task exclusive operations.
 7509 			[RT #29872]
 7510 
 7511 3352.	[bug]		Ensure that learned server attributes time out of the
 7512 			adb cache. [RT #29856]
 7513 
 7514 3351.	[bug]		isc_mem_put and isc_mem_putanddetach didn't report
 7515 			caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
 7516 			memory debugging flags are set. [RT #30243]
 7517 
 7518 3350.	[bug]		Memory read overrun in isc___mem_reallocate if
 7519 			ISC_MEM_DEBUGCTX memory debugging flag is set.
 7520 			[RT #30240]
 7521 
 7522 3349.	[bug]		Change #3345 was incomplete. [RT #30233]
 7523 
 7524 3348.	[bug]		Prevent RRSIG data from being cached if a negative
 7525 			record matching the covering type exists at a higher
 7526 			trust level. Such data already can't be retrieved from
 7527 			the cache since change 3218 -- this prevents it
 7528 			being inserted into the cache as well. [RT #26809]
 7529 
 7530 3347.	[bug]		dnssec-settime: Issue a warning when writing a new
 7531 			private key file would cause a change in the
 7532 			permissions of the existing file. [RT #27724]
 7533 
 7534 3346.	[security]	Bad-cache data could be used before it was
 7535 			initialized, causing an assert. [RT #30025]
 7536 
 7537 3345.	[bug]		Addressed race condition when removing the last item
 7538 			or inserting the first item in an ISC_QUEUE.
 7539 			[RT #29539]
 7540 
 7541 3344.	[func]		New "dnssec-checkds" command checks a zone to
 7542 			determine which DS records should be published
 7543 			in the parent zone, or which DLV records should be
 7544 			published in a DLV zone, and queries the DNS to
 7545 			ensure that it exists. (Note: This tool depends
 7546 			on python; it will not be built or installed on
 7547 			systems that do not have a python interpreter.)
 7548 			[RT #28099]
 7549 
 7550 3343.	[placeholder]
 7551 
 7552 3342.	[bug]		Change #3314 broke saving of stub zones to disk
 7553 			resulting in excessive cpu usage in some cases.
 7554 			[RT #29952]
 7555 
 7556 3341.	[func]		New "dnssec-verify" command checks a signed zone
 7557 			to ensure correctness of signatures and of NSEC/NSEC3
 7558 			chains. [RT #23673]
 7559 
 7560 3340.	[func]		Added new 'map' zone file format, which is an image
 7561 			of a zone database that can be loaded directly into
 7562 			memory via mmap(), allowing much faster zone loading.
 7563 			(Note: Because of pointer sizes and other
 7564 			considerations, this file format is platform-dependent;
 7565 			'map' zone files cannot always be transferred from one
 7566 			server to another.) [RT #25419]
 7567 
 7568 3339.	[func]		Allow the maximum supported rsa exponent size to be
 7569 			specified: "max-rsa-exponent-size <value>;" [RT #29228]
 7570 
 7571 3338.	[bug]		Address race condition in unit tests: asyncload_zone
 7572 			and asyncload_zt. [RT #26100]
 7573 
 7574 3337.	[bug]		Change #3294 broke support for the multiple keys
 7575 			in controls. [RT #29694]
 7576 
 7577 3336.	[func]		Maintain statistics for RRsets tagged as "stale".
 7578 			[RT #29514]
 7579 
 7580 3335.	[func]		nslookup: return a nonzero exit code when unable
 7581 			to get an answer. [RT #29492]
 7582 
 7583 3334.	[bug]		Hold a zone table reference while performing an
 7584 			asynchronous load of a zone. [RT #28326]
 7585 
 7586 3333.	[bug]		Setting resolver-query-timeout too low can cause
 7587 			named to not recover if it loses connectivity.
 7588 			[RT #29623]
 7589 
 7590 3332.	[bug]		Re-use cached DS rrsets if possible. [RT #29446]
 7591 
 7592 3331.	[security]	dns_rdataslab_fromrdataset could produce bad
 7593 			rdataslabs. [RT #29644]
 7594 
 7595 3330.	[func]		Fix missing signatures on NOERROR results despite
 7596 			RPZ rewriting.  Also
 7597 			 - add optional "recursive-only yes|no" to the
 7598 			   response-policy statement
 7599 			 - add optional "max-policy-ttl" to the response-policy
 7600 			    statement to limit the false data that
 7601 			    "recursive-only no" can introduce into
 7602 			    resolvers' caches
 7603 			 - add a RPZ performance test to bin/tests/system/rpz
 7604 			     when queryperf is available.
 7605 			 - the encoding of PASSTHRU action to "rpz-passthru".
 7606 			     (The old encoding is still accepted.)
 7607 			[RT #26172]
 7608 
 7609 
 7610 3329.	[bug]		Handle RRSIG signer-name case consistently: We
 7611 			generate RRSIG records with the signer-name in
 7612 			lower case.  We accept them with any case, but if
 7613 			they fail to validate, we try again in lower case.
 7614 			[RT #27451]
 7615 
 7616 3328.	[bug]		Fixed inconsistent data checking in dst_parse.c.
 7617 			[RT #29401]
 7618 
 7619 3327.	[func]		Added 'filter-aaaa-on-v6' option; this is similar
 7620 			to 'filter-aaaa-on-v4' but applies to IPv6
 7621 			connections.  (Use "configure --enable-filter-aaaa"
 7622 			to enable this option.)  [RT #27308]
 7623 
 7624 3326.	[func]		Added task list statistics: task model, worker
 7625 			threads, quantum, tasks running, tasks ready.
 7626 			[RT #27678]
 7627 
 7628 3325.	[func]		Report cache statistics: memory use, number of
 7629 			nodes, number of hash buckets, hit and miss counts.
 7630 			[RT #27056]
 7631 
 7632 3324.	[test]		Add better tests for ADB stats [RT #27057]
 7633 
 7634 3323.	[func]		Report the number of buckets the resolver is using.
 7635 			[RT #27020]
 7636 
 7637 3322.	[func]		Monitor the number of active TCP and UDP dispatches.
 7638 			[RT #27055]
 7639 
 7640 3321.	[func]		Monitor the number of recursive fetches and the
 7641 			number of open sockets, and report these values in
 7642 			the statistics channel. [RT #27054]
 7643 
 7644 3320.	[func]		Added support for monitoring of recursing client
 7645 			count. [RT #27009]
 7646 
 7647 3319.	[func]		Added support for monitoring of ADB entry count and
 7648 			hash size. [RT #27057]
 7649 
 7650 3318.	[tuning]	Reduce the amount of work performed while holding a
 7651 			bucket lock when finished with a fetch context.
 7652 			[RT #29239]
 7653 
 7654 3317.	[func]		Add ECDSA support (RFC 6605). [RT #21918]
 7655 
 7656 3316.	[tuning]	Improved locking performance when recursing.
 7657 			[RT #28836]
 7658 
 7659 3315.	[tuning]	Use multiple dispatch objects for sending upstream
 7660 			queries; this can improve performance on busy
 7661 			multiprocessor systems by reducing lock contention.
 7662 			[RT #28605]
 7663 
 7664 3314.	[bug]		The masters list could be updated while stub_callback
 7665 			or refresh_callback were using it. [RT #26732]
 7666 
 7667 3313.	[protocol]	Add TLSA record type. [RT #28989]
 7668 
 7669 3312.	[bug]		named-checkconf didn't detect a bad dns64 clients acl.
 7670 			[RT #27631]
 7671 
 7672 3311.	[bug]		Abort the zone dump if zone->db is NULL in
 7673 			zone.c:zone_gotwritehandle. [RT #29028]
 7674 
 7675 3310.	[test]		Increase table size for mutex profiling. [RT #28809]
 7676 
 7677 3309.	[bug]		resolver.c:fctx_finddone() was not thread safe.
 7678 			[RT #27995]
 7679 
 7680 3308.	[placeholder]
 7681 
 7682 3307.	[bug]		Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
 7683 			[RT #28956]
 7684 
 7685 3306.	[bug]		Improve DNS64 reverse zone performance. [RT #28563]
 7686 
 7687 3305.	[func]		Add wire format lookup method to sdb. [RT #28563]
 7688 
 7689 3304.	[bug]		Use hmctx, not mctx when freeing rbtdb->heaps.
 7690 			[RT #28571]
 7691 
 7692 3303.	[bug]		named could die when reloading. [RT #28606]
 7693 
 7694 3302.	[bug]		dns_dnssec_findmatchingkeys could fail to find
 7695 			keys if the zone name contained characters that
 7696 			required special mappings. [RT #28600]
 7697 
 7698 3301.	[contrib]	Update queryperf to build on darwin.  Add -R flag
 7699 			for non-recursive queries. [RT #28565]
 7700 
 7701 3300.	[bug]		Named could die if gssapi was enabled in named.conf
 7702 			but was not compiled in. [RT #28338]
 7703 
 7704 3299.	[bug]		Make SDB handle errors from database drivers better.
 7705 			[RT #28534]
 7706 
 7707 3298.	[bug]		Named could dereference a NULL pointer in
 7708 			zmgr_start_xfrin_ifquota if the zone was being removed.
 7709 			[RT #28419]
 7710 
 7711 3297.	[bug]		Named could die on a malformed master file. [RT #28467]
 7712 
 7713 3296.	[bug]		Named could die with an INSIST failure in
 7714 			client.c:exit_check. [RT #28346]
 7715 
 7716 3295.	[bug]		Adjust isc_time_secondsastimet range check to be more
 7717 			portable. [RT #26542]
 7718 
 7719 3294.	[bug]		isccc/cc.c:table_fromwire failed to free alist on
 7720 			error. [RT #28265]
 7721 
 7722 3293.	[func]		nsupdate: list supported type. [RT #28261]
 7723 
 7724 3292.	[func]		Log messages in the axfr stream at debug 10.
 7725 			[RT #28040]
 7726 
 7727 3291.	[port]		Fixed a build error on systems without ENOTSUP.
 7728 			[RT #28200]
 7729 
 7730 3290.	[bug]		<isc/hmacsha.h> was not being installed. [RT #28169]
 7731 
 7732 3289.	[bug]		'rndc retransfer' failed for inline zones. [RT #28036]
 7733 
 7734 3288.	[bug]		dlz_destroy() function wasn't correctly registered
 7735 			by the DLZ dlopen driver. [RT #28056]
 7736 
 7737 3287.	[port]		Update ans.pl to work with Net::DNS 0.68. [RT #28028]
 7738 
 7739 3286.	[bug]		Managed key maintenance timer could fail to start
 7740 			after 'rndc reconfig'. [RT #26786]
 7741 
 7742 3285.	[bug]		val-frdataset was incorrectly disassociated in
 7743 			proveunsecure after calling startfinddlvsep.
 7744 			[RT #27928]
 7745 
 7746 3284.	[bug]		Address race conditions with the handling of
 7747 			rbtnode.deadlink. [RT #27738]
 7748 
 7749 3283.	[bug]		Raw zones with more than 512 records in an RRset
 7750 			failed to load. [RT #27863]
 7751 
 7752 3282.	[bug]		Restrict the TTL of NS RRset to no more than that
 7753 			of the old NS RRset when replacing it.
 7754 			[RT #27792] [RT #27884]
 7755 
 7756 3281.	[bug]		SOA refresh queries could be treated as cancelled
 7757 			despite succeeding over the loopback interface.
 7758 			[RT #27782]
 7759 
 7760 3280.	[bug]		Potential double free of a rdataset on out of memory
 7761 			with DNS64. [RT #27762]
 7762 
 7763 3279.	[bug]		Hold an internal reference to the zone while performing
 7764 			an asynchronous load.  Address potential memory leak
 7765 			if the asynchronous load is cancelled. [RT #27750]
 7766 
 7767 3278.	[bug]		Make sure automatic key maintenance is started
 7768 			when "auto-dnssec maintain" is turned on during
 7769 			"rndc reconfig". [RT #26805]
 7770 
 7771 3277.	[bug]		win32: isc_socket_dup is not implemented. [RT #27696]
 7772 
 7773 3276.	[bug]		win32: ns_os_openfile failed to return NULL on
 7774 			safe_open failure. [RT #27696]
 7775 
 7776 3275.	[bug]		Corrected rndc -h output; the 'rndc sync -clean'
 7777 			option had been misspelled as '-clear'.  (To avoid
 7778 			future confusion, both options now work.) [RT #27173]
 7779 
 7780 3274.	[placeholder]
 7781 
 7782 3273.	[bug]		AAAA responses could be returned in the additional
 7783 			section even when filter-aaaa-on-v4 was in use.
 7784 			[RT #27292]
 7785 
 7786 3272.	[func]		New "rndc zonestatus" command prints information
 7787 			about the specified zone. [RT #21671]
 7788 
 7789 3271.	[port]		darwin: mksymtbl is not always stable, loop several
 7790 			times before giving up.  mksymtbl was using non-
 7791 			portable perl to convert 64 bit hex strings. [RT #27653]
 7792 
 7793 	--- 9.9.0rc2 released ---
 7794 
 7795 3270.	[bug]		"rndc reload" didn't reuse existing zones correctly
 7796 			when inline-signing was in use. [RT #27650]
 7797 
 7798 3269.	[port]		darwin 11 and later now built threaded by default.
 7799 
 7800 3268.	[bug]		Convert RRSIG expiry times to 64 bit timestamps to work
 7801 			out the earliest expiry time. [RT #23311]
 7802 
 7803 3267.	[bug]		Memory allocation failures could be mis-reported as
 7804 			unexpected error.  New ISC_R_UNSET result code.
 7805 			[RT #27336]
 7806 
 7807 3266.	[bug]		The maximum number of NSEC3 iterations for a
 7808 			DNSKEY RRset was not being properly computed.
 7809 			[RT #26543]
 7810 
 7811 3265.	[bug]		Corrected a problem with lock ordering in the
 7812 			inline-signing code. [RT #27557]
 7813 
 7814 3264.	[bug]		Automatic regeneration of signatures in an
 7815 			inline-signing zone could stall when the server
 7816 			was restarted. [RT #27344]
 7817 
 7818 3263.	[bug]		"rndc sync" did not affect the unsigned side of an
 7819 			inline-signing zone. [RT #27337]
 7820 
 7821 3262.	[bug]		Signed responses were handled incorrectly by RPZ.
 7822 			[RT #27316]
 7823 
 7824 3261.	[func]		RRset ordering now defaults to random. [RT #27174]
 7825 
 7826 3260.	[bug]		"rrset-order cyclic" could appear not to rotate
 7827 			for some query patterns.  [RT #27170/27185]
 7828 
 7829 	--- 9.9.0rc1 released ---
 7830 
 7831 3259.	[bug]		named-compilezone: Suppress "dump zone to <file>"
 7832 			message when writing to stdout. [RT #27109]
 7833 
 7834 3258.	[test]		Add "forcing full sign with unreadable keys" test.
 7835 			[RT #27153]
 7836 
 7837 3257.	[bug]		Do not generate an error message when calling fsync()
 7838 			in a pipe or socket. [RT #27109]
 7839 
 7840 3256.	[bug]		Disable empty zones for lwresd -C. [RT #27139]
 7841 
 7842 3255.	[func]		No longer require that an empty zone be explicitly
 7843 			enabled or that an empty zone is disabled for
 7844 			RFC 1918 empty zones to be configured. [RT #27139]
 7845 
 7846 3254.	[bug]		Set isc_socket_ipv6only() on the IPv6 control channels.
 7847 			[RT #22249]
 7848 
 7849 3253.	[bug]		Return DNS_R_SYNTAX when the input to a text field is
 7850 			too long. [RT #26956]
 7851 
 7852 3252.	[bug]		When master zones using inline-signing were
 7853 			updated while the server was offline, the source
 7854 			zone could fall out of sync with the signed
 7855 			copy. They can now resynchronize. [RT #26676]
 7856 
 7857 3251.	[bug]		Enforce an upper bound (65535 bytes) on the amount of
 7858 			memory dns_sdlz_putrr() can allocate per record to
 7859 			prevent runaway memory consumption on ISC_R_NOSPACE.
 7860 			[RT #26956]
 7861 
 7862 3250.	[func]		'configure --enable-developer'; turn on various
 7863 			configure options, normally off by default, that
 7864 			we want developers to build and test with. [RT #27103]
 7865 
 7866 3249.	[bug]		Update log message when saving slave zones files for
 7867 			analysis after load failures. [RT #27087]
 7868 
 7869 3248.	[bug]		Configure options --enable-fixed-rrset and
 7870 			--enable-exportlib were incompatible with each
 7871 			other. [RT #27087]
 7872 
 7873 3247.	[bug]		'raw' format zones failed to preserve load order
 7874 			breaking 'fixed' sort order. [RT #27087]
 7875 
 7876 3246.	[bug]		Named failed to start with an empty also-notify list.
 7877 			[RT #27087]
 7878 
 7879 3245.	[bug]		Don't report an error for unchanged serials unless
 7880 			there were other changes when thawing a zone with
 7881 			ixfr-from-differences. [RT #26845]
 7882 
 7883 3244.	[func]		Added readline support to nslookup and nsupdate.
 7884 			Also simplified nsupdate syntax to make "update"
 7885 			and "prereq" optional. [RT #24659]
 7886 
 7887 3243.	[port]		freebsd,netbsd,bsdi: the thread defaults were not
 7888 			being properly set.
 7889 
 7890 3242.	[func]		Extended the header of raw-format master files to
 7891 			include the serial number of the zone from which
 7892 			they were generated, if different (as in the case
 7893 			of inline-signing zones).  This is to be used in
 7894 			inline-signing zones, to track changes between the
 7895 			unsigned and signed versions of the zone, which may
 7896 			have different serial numbers.
 7897 
 7898 			(Note: raw zonefiles generated by this version of
 7899 			BIND are no longer compatible with prior versions.
 7900 			To generate a backward-compatible raw zonefile
 7901 			using dnssec-signzone or named-compilezone, specify
 7902 			output format "raw=0" instead of simply "raw".)
 7903 			[RT #26587]
 7904 
 7905 3241.	[bug]		Address race conditions in the resolver code.
 7906 			[RT #26889]
 7907 
 7908 3240.	[bug]		DNSKEY state change events could be missed. [RT #26874]
 7909 
 7910 3239.	[bug]		dns_dnssec_findmatchingkeys needs to use a consistent
 7911 			timestamp. [RT #26883]
 7912 
 7913 3238.	[bug]		keyrdata was not being reinitialized in
 7914 			lib/dns/rbtdb.c:iszonesecure. [RT #26913]
 7915 
 7916 3237.	[bug]		dig -6 didn't work with +trace. [RT #26906]
 7917 
 7918 3236.	[bug]		Backed out changes #3182 and #3202, related to
 7919 			EDNS(0) fallback behavior. [RT #26416]
 7920 
 7921 3235.	[func]		dns_db_diffx, an extended dns_db_diff which returns
 7922 			the generated diff and optionally writes it to a
 7923 			journal. [RT #26386]
 7924 
 7925 3234.	[bug]		'make depend' produced invalid makefiles. [RT #26830]
 7926 
 7927 3233.	[bug]		'rndc freeze/thaw' didn't work for inline zones.
 7928 			[RT #26632]
 7929 
 7930 3232.	[bug]		Zero zone->curmaster before return in
 7931 			dns_zone_setmasterswithkeys(). [RT #26732]
 7932 
 7933 3231.	[bug]		named could fail to send an incompressible zone.
 7934 			[RT #26796]
 7935 
 7936 3230.	[bug]		'dig axfr' failed to properly handle a multi-message
 7937 			axfr with a serial of 0. [RT #26796]
 7938 
 7939 3229.	[bug]		Fix local variable to struct var assignment
 7940 			found by CLANG warning.
 7941 
 7942 3228.	[tuning]	Dynamically grow symbol table to improve zone
 7943 			loading performance. [RT #26523]
 7944 
 7945 3227.	[bug]		Interim fix to make WKS's use of getprotobyname()
 7946 			and getservbyname() self thread safe. [RT #26232]
 7947 
 7948 3226.	[bug]		Address minor resource leakages. [RT #26624]
 7949 
 7950 3225.	[bug]		Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
 7951 			messages. [RT #26507]
 7952 
 7953 3224.	[bug]		'rndc signing' argument parsing was broken. [RT #26684]
 7954 
 7955 3223.	[bug]		'task_test privilege_drop' generated false positives.
 7956 			[RT #26766]
 7957 
 7958 3222.	[cleanup]	Replace dns_journal_{get,set}_bitws with
 7959 			dns_journal_{get,set}_sourceserial. [RT #26634]
 7960 
 7961 3221.	[bug]		Fixed a potential core dump on shutdown due to
 7962 			referencing fetch context after it's been freed.
 7963 			[RT #26720]
 7964 
 7965 	--- 9.9.0b2 released ---
 7966 
 7967 3220.	[bug]		Change #3186 was incomplete; dns_db_rpz_findips()
 7968 			could fail to set the database version correctly,
 7969 			causing an assertion failure. [RT #26180]
 7970 
 7971 3219.	[bug]		Disable NOEDNS caching following a timeout.
 7972 
 7973 3218.	[security]	Cache lookup could return RRSIG data associated with
 7974 			nonexistent records, leading to an assertion
 7975 			failure. [RT #26590]
 7976 
 7977 3217.	[cleanup]	Fix build problem with --disable-static. [RT #26476]
 7978 
 7979 3216.	[bug]		resolver.c:validated() was not thread-safe. [RT #26478]
 7980 
 7981 3215.	[bug]		'rndc recursing' could cause a core dump. [RT #26495]
 7982 
 7983 3214.	[func]		Add 'named -U' option to set the number of UDP
 7984 			listener threads per interface. [RT #26485]
 7985 
 7986 3213.	[doc]		Clarify ixfr-from-differences behavior. [RT #25188]
 7987 
 7988 3212.	[bug]		rbtdb.c: failed to remove a node from the deadnodes
 7989 			list prior to adding a reference to it leading to a
 7990 			possible assertion failure. [RT #23219]
 7991 
 7992 3211.	[func]		dnssec-signzone: "-f -" prints to stdout; "-O full"
 7993 			option prints in single-line-per-record format.
 7994 			[RT #20287]
 7995 
 7996 3210.	[bug]		Canceling the oldest query due to recursive-client
 7997 			overload could trigger an assertion failure. [RT #26463]
 7998 
 7999 3209.	[func]		Add "dnssec-lookaside 'no'".  [RT #24858]
 8000 
 8001 3208.	[bug]		'dig -y' handle unknown tsig algorithm better.
 8002 			[RT #25522]
 8003 
 8004 3207.	[contrib]	Fixed build error in Berkeley DB DLZ module. [RT #26444]
 8005 
 8006 3206.	[cleanup]	Add ISC information to log at start time. [RT #25484]
 8007 
 8008 3205.	[func]		Upgrade dig's defaults to better reflect modern
 8009 			nameserver behavior.  Enable "dig +adflag" and
 8010 			"dig +edns=0" by default.  Enable "+dnssec" when
 8011 			running "dig +trace". [RT #23497]
 8012 
 8013 3204.	[bug]		When a master server that has been marked as
 8014 			unreachable sends a NOTIFY, mark it reachable
 8015 			again. [RT #25960]
 8016 
 8017 3203.	[bug]		Increase log level to 'info' for validation failures
 8018 			from expired or not-yet-valid RRSIGs. [RT #21796]
 8019 
 8020 3202.	[bug]		NOEDNS caching on timeout was too aggressive.
 8021 			[RT #26416]
 8022 
 8023 3201.	[func]		'rndc querylog' can now be given an on/off parameter
 8024 			instead of only being used as a toggle. [RT #18351]
 8025 
 8026 3200.	[doc]		Some rndc functions were undocumented or were
 8027 			missing from 'rndc -h' output. [RT #25555]
 8028 
 8029 3199.	[func]		When logging client information, include the name
 8030 			being queried. [RT #25944]
 8031 
 8032 3198.	[doc]		Clarified that dnssec-settime can alter keyfile
 8033 			permissions. [RT #24866]
 8034 
 8035 3197.	[bug]		Don't try to log the filename and line number when
 8036 			the config parser can't open a file. [RT #22263]
 8037 
 8038 3196.	[bug]		nsupdate: return nonzero exit code when target zone
 8039 			doesn't exist. [RT #25783]
 8040 
 8041 3195.	[cleanup]	Silence "file not found" warnings when loading
 8042 			managed-keys zone. [RT #26340]
 8043 
 8044 3194.	[doc]		Updated RFC references in the 'empty-zones-enable'
 8045 			documentation. [RT #25203]
 8046 
 8047 3193.	[cleanup]	Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
 8048 			dnssec.h. [RT #26415]
 8049 
 8050 3192.	[bug]		A query structure could be used after being freed.
 8051 			[RT #22208]
 8052 
 8053 3191.	[bug]		Print NULL records using "unknown" format. [RT #26392]
 8054 
 8055 3190.	[bug]		Underflow in error handling in isc_mutexblock_init.
 8056 			[RT #26397]
 8057 
 8058 3189.	[test]		Added a summary report after system tests. [RT #25517]
 8059 
 8060 3188.	[bug]		zone.c:zone_refreshkeys() could fail to detach
 8061 			references correctly when errors occurred, causing
 8062 			a hang on shutdown. [RT #26372]
 8063 
 8064 3187.	[port]		win32: support for Visual Studio 2008.  [RT #26356]
 8065 
 8066 	--- 9.9.0b1 released ---
 8067 
 8068 3186.	[bug]		Version/db mismatch in rpz code. [RT #26180]
 8069 
 8070 3185.	[func]		New 'rndc signing' option for auto-dnssec zones:
 8071 			 - 'rndc signing -list' displays the current
 8072 			   state of signing operations
 8073 			 - 'rndc signing -clear' clears the signing state
 8074 			   records for keys that have fully signed the zone
 8075 			 - 'rndc signing -nsec3param' sets the NSEC3
 8076 			   parameters for the zone
 8077 			The 'rndc keydone' syntax is removed. [RT #23729]
 8078 
 8079 3184.	[bug]		named had excessive cpu usage when a redirect zone was
 8080 			configured. [RT #26013]
 8081 
 8082 3183.	[bug]		Added RTLD_GLOBAL flag to dlopen call. [RT #26301]
 8083 
 8084 3182.	[bug]		Auth servers behind firewalls which block packets
 8085 			greater than 512 bytes may cause other servers to
 8086 			perform poorly. Now, adb retains edns information
 8087 			and caches noedns servers. [RT #23392/24964]
 8088 
 8089 3181.	[func]		Inline-signing is now supported for master zones.
 8090 			[RT #26224]
 8091 
 8092 3180.	[func]		Local copies of slave zones are now saved in raw
 8093 			format by default, to improve startup performance.
 8094 			'masterfile-format text;' can be used to override
 8095 			the default, if desired. [RT #25867]
 8096 
 8097 3179.	[port]		kfreebsd: build issues. [RT #26273]
 8098 
 8099 3178.	[bug]		A race condition introduced by change #3163 could
 8100 			cause an assertion failure on shutdown. [RT #26271]
 8101 
 8102 3177.	[func]		'rndc keydone', remove the indicator record that
 8103 			named has finished signing the zone with the
 8104 			corresponding key.  [RT #26206]
 8105 
 8106 3176.	[doc]		Corrected example code and added a README to the
 8107 			sample external DLZ module in contrib/dlz/example.
 8108 			[RT #26215]
 8109 
 8110 3175.	[bug]		Fix how DNSSEC positive wildcard responses from a
 8111 			an NSEC3 signed zone are validated.  Stop sending an
 8112 			unnecessary NSEC3 record when generating such
 8113 			responses. [RT #26200]
 8114 
 8115 3174.	[bug]		Always compute the revoked key tag from scratch.
 8116 			[RT #26186]
 8117 
 8118 3173.	[port]		Correctly validate root DS responses. [RT #25726]
 8119 
 8120 3172.	[port]		darwin 10.* and freebsd [89] are now built threaded by
 8121 			default.
 8122 
 8123 3171.	[bug]		Exclusively lock the task when adding a zone using
 8124 			'rndc addzone'.  [RT #25600]
 8125 
 8126 	--- 9.9.0a3 released ---
 8127 
 8128 3170.	[func]		RPZ update:
 8129 			- fix precedence among competing rules
 8130 			- improve ARM text including documenting rule precedence
 8131 			- try to rewrite CNAME chains until first hit
 8132 			- new "rpz" logging channel
 8133 			- RDATA for CNAME rules can include wildcards
 8134 			- replace "NO-OP" named.conf policy override with
 8135 			  "PASSTHRU" and add "DISABLED" override ("NO-OP"
 8136 			  is still recognized)
 8137 			[RT #25172]
 8138 
 8139 3169.	[func]		Catch db/version mis-matches when calling dns_db_*().
 8140 			[RT #26017]
 8141 
 8142 3168.	[bug]		Nxdomain redirection could trigger an assert with
 8143 			an ANY query. [RT #26017]
 8144 
 8145 3167.	[bug]		Negative answers from forwarders were not being
 8146 			correctly tagged making them appear to not be cached.
 8147 			[RT #25380]
 8148 
 8149 3166.	[bug]		Upgrading a zone to support inline-signing failed.
 8150 			[RT #26014]
 8151 
 8152 3165.	[bug]		dnssec-signzone could generate new signatures when
 8153 			resigning, even when valid signatures were already
 8154 			present. [RT #26025]
 8155 
 8156 3164.	[func]		Enable DLZ modules to retrieve client information,
 8157 			so that responses can be changed depending on the
 8158 			source address of the query. [RT #25768]
 8159 
 8160 3163.	[bug]		Use finer-grained locking in client.c to address
 8161 			concurrency problems with large numbers of threads.
 8162 			[RT #26044]
 8163 
 8164 3162.	[test]		start.pl: modified to allow for "named.args" in
 8165 			ns*/ subdirectory to override stock arguments to
 8166 			named. Largely from RT #26044, but no separate ticket.
 8167 
 8168 3161.	[bug]		zone.c:del_sigs failed to always reset rdata leading
 8169 			to assertion failures. [RT #25880]
 8170 
 8171 3160.	[bug]		When printing out an NSEC3 record in multiline form
 8172 			the newline was not being printed causing type codes
 8173 			to be run together. [RT #25873]
 8174 
 8175 3159.	[bug]		On some platforms, named could assert on startup
 8176 			when running in a chrooted environment without
 8177 			/proc. [RT #25863]
 8178 
 8179 3158.	[bug]		Recursive servers would prefer a particular UDP
 8180 			socket instead of using all available sockets.
 8181 			[RT #26038]
 8182 
 8183 3157.	[tuning]	Reduce the time spent in "rndc reconfig" by parsing
 8184 			the config file before pausing the server. [RT #21373]
 8185 
 8186 3156.	[placeholder]
 8187 
 8188 	--- 9.9.0a2 released ---
 8189 
 8190 3155.	[bug]		Fixed a build failure when using contrib DLZ
 8191 			drivers (e.g., mysql, postgresql, etc). [RT #25710]
 8192 
 8193 3154.	[bug]		Attempting to print an empty rdataset could trigger
 8194 			an assert. [RT #25452]
 8195 
 8196 3153.	[func]		Extend request-ixfr to zone level and remove the
 8197 			side effect of forcing an AXFR. [RT #25156]
 8198 
 8199 3152.	[cleanup]	Some versions of gcc and clang failed due to
 8200 			incorrect use of __builtin_expect. [RT #25183]
 8201 
 8202 3151.	[bug]		Queries for type RRSIG or SIG could be handled
 8203 			incorrectly.  [RT #21050]
 8204 
 8205 3150.	[func]		Improved startup and reconfiguration time by
 8206 			enabling zones to load in multiple threads. [RT #25333]
 8207 
 8208 3149.	[placeholder]
 8209 
 8210 3148.	[bug]		Processing of normal queries could be stalled when
 8211 			forwarding an UPDATE message. [RT #24711]
 8212 
 8213 3147.	[func]		Initial inline signing support.  [RT #23657]
 8214 
 8215 	--- 9.9.0a1 released ---
 8216 
 8217 3146.	[test]		Fixed gcc4.6.0 errors in ATF. [RT #25598]
 8218 
 8219 3145.	[test]		Capture output of ATF unit tests in "./atf.out" if
 8220 			there were any errors while running them. [RT #25527]
 8221 
 8222 3144.	[bug]		dns_dbiterator_seek() could trigger an assert when
 8223 			used with a nonexistent database node. [RT #25358]
 8224 
 8225 3143.	[bug]		Silence clang compiler warnings. [RT #25174]
 8226 
 8227 3142.	[bug]		NAPTR is class agnostic. [RT #25429]
 8228 
 8229 3141.	[bug]		Silence spurious "zone serial (0) unchanged" messages
 8230 			associated with empty zones. [RT #25079]
 8231 
 8232 3140.	[func]		New command "rndc flushtree <name>" clears the
 8233 			specified name from the server cache along with
 8234 			all names under it. [RT #19970]
 8235 
 8236 3139.	[test]		Added tests from RFC 6234, RFC 2202, and RFC 1321
 8237 			for the hashing algorithms (md5, sha1 - sha512, and
 8238 			their hmac counterparts).  [RT #25067]
 8239 
 8240 3138.	[bug]		Address memory leaks and out-of-order operations when
 8241 			shutting named down. [RT #25210]
 8242 
 8243 3137.	[func]		Improve hardware scalability by allowing multiple
 8244 			worker threads to process incoming UDP packets.
 8245 			This can significantly increase query throughput
 8246 			on some systems.  [RT #22992]
 8247 
 8248 3136.	[func]		Add RFC 1918 reverse zones to the list of built-in
 8249 			empty zones switched on by the 'empty-zones-enable'
 8250 			option. [RT #24990]
 8251 
 8252 3135.	[port]		FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
 8253 			See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
 8254 			[RT #24950]
 8255 
 8256 3134.	[bug]		Improve the accuracy of dnssec-signzone's signing
 8257 			statistics. [RT #16030]
 8258 
 8259 3133.	[bug]		Change #3114 was incomplete. [RT #24577]
 8260 
 8261 3132.	[placeholder]
 8262 
 8263 3131.	[tuning]	Improve scalability by allocating one zone task
 8264 			per 100 zones at startup time, rather than using a
 8265 			fixed-size task table. [RT #24406]
 8266 
 8267 3130.	[func]		Support alternate methods for managing a dynamic
 8268 			zone's serial number.  Two methods are currently
 8269 			defined using serial-update-method, "increment"
 8270 			(default) and "unixtime".  [RT #23849]
 8271 
 8272 3129.	[bug]		Named could crash on 'rndc reconfig' when
 8273 			allow-new-zones was set to yes and named ACLs
 8274 			were used. [RT #22739]
 8275 
 8276 3128.	[func]		Inserting an NSEC3PARAM via dynamic update in an
 8277 			auto-dnssec zone that has not been signed yet
 8278 			will cause it to be signed with the specified NSEC3
 8279 			parameters when keys are activated.  The
 8280 			NSEC3PARAM record will not appear in the zone until
 8281 			it is signed, but the parameters will be stored.
 8282 			[RT #23684]
 8283 
 8284 3127.	[bug]		'rndc thaw' will now remove a zone's journal file
 8285 			if the zone serial number has been changed and
 8286 			ixfr-from-differences is not in use.  [RT #24687]
 8287 
 8288 3126.	[security]	Using DNAME record to generate replacements caused
 8289 			RPZ to exit with an assertion failure. [RT #24766]
 8290 
 8291 3125.	[security]	Using wildcard CNAME records as a replacement with
 8292 			RPZ caused named to exit with an assertion failure.
 8293 			[RT #24715]
 8294 
 8295 3124.	[bug]		Use an rdataset attribute flag to indicate
 8296 			negative-cache records rather than using rrtype 0;
 8297 			this will prevent problems when that rrtype is
 8298 			used in actual DNS packets. [RT #24777]
 8299 
 8300 3123.	[security]	Change #2912 exposed a latent flaw in
 8301 			dns_rdataset_totext() that could cause named to
 8302 			crash with an assertion failure. [RT #24777]
 8303 
 8304 3122.	[cleanup]	dnssec-settime: corrected usage message. [RT #24664]
 8305 
 8306 3121.	[security]	An authoritative name server sending a negative
 8307 			response containing a very large RRset could
 8308 			trigger an off-by-one error in the ncache code
 8309 			and crash named. [RT #24650]
 8310 
 8311 3120.	[bug]		Named could fail to validate zones listed in a DLV
 8312 			that validated insecure without using DLV and had
 8313 			DS records in the parent zone. [RT #24631]
 8314 
 8315 3119.	[bug]		When rolling to a new DNSSEC key, a private-type
 8316 			record could be created and never marked complete.
 8317 			[RT #23253]
 8318 
 8319 3118.	[bug]		nsupdate could dump core on shutdown when using
 8320 			SIG(0) keys. [RT #24604]
 8321 
 8322 3117.	[cleanup]	Remove doc and parser references to the
 8323 			never-implemented 'auto-dnssec create' option.
 8324 			[RT #24533]
 8325 
 8326 3116.	[func]		New 'dnssec-update-mode' option controls updates
 8327 			of DNSSEC records in signed dynamic zones.  Set to
 8328 			'no-resign' to disable automatic RRSIG regeneration
 8329 			while retaining the ability to sign new or changed
 8330 			data. [RT #24533]
 8331 
 8332 3115.	[bug]		Named could fail to return requested data when
 8333 			following a CNAME that points into the same zone.
 8334 			[RT #24455]
 8335 
 8336 3114.	[bug]		Retain expired RRSIGs in dynamic zones if key is
 8337 			inactive and there is no replacement key. [RT #23136]
 8338 
 8339 3113.	[doc]		Document the relationship between serial-query-rate
 8340 			and NOTIFY messages.
 8341 
 8342 3112.	[doc]		Add missing descriptions of the update policy name
 8343 			types "ms-self", "ms-subdomain", "krb5-self" and
 8344 			"krb5-subdomain", which allow machines to update
 8345 			their own records, to the BIND 9 ARM.
 8346 
 8347 3111.	[bug]		Improved consistency checks for dnssec-enable and
 8348 			dnssec-validation, added test cases to the
 8349 			checkconf system test. [RT #24398]
 8350 
 8351 3110.	[bug]		dnssec-signzone: Wrong error message could appear
 8352 			when attempting to sign with no KSK. [RT #24369]
 8353 
 8354 3109.	[func]		The also-notify option now uses the same syntax
 8355 			as a zone's masters clause.  This means it is
 8356 			now possible to specify a TSIG key to use when
 8357 			sending notifies to a given server, or to include
 8358 			an explicit named masters list in an also-notify
 8359 			statement.  [RT #23508]
 8360 
 8361 3108.	[cleanup]	dnssec-signzone: Clarified some error and
 8362 			warning messages; removed #ifdef ALLOW_KSKLESS_ZONES
 8363 			code (use -P instead). [RT #20852]
 8364 
 8365 3107.	[bug]		dnssec-signzone: Report the correct number of ZSKs
 8366 			when using -x. [RT #20852]
 8367 
 8368 3106.	[func]		When logging client requests, include the name of
 8369 			the TSIG key if any. [RT #23619]
 8370 
 8371 3105.	[bug]		GOST support can be suppressed by "configure
 8372 			--without-gost" [RT #24367]
 8373 
 8374 3104.	[bug]		Better support for cross-compiling. [RT #24367]
 8375 
 8376 3103.	[bug]		Configuring 'dnssec-validation auto' in a view
 8377 			instead of in the options statement could trigger
 8378 			an assertion failure in named-checkconf. [RT #24382]
 8379 
 8380 3102.	[func]		New 'dnssec-loadkeys-interval' option configures
 8381 			how often, in minutes, to check the key repository
 8382 			for updates when using automatic key maintenance.
 8383 			Default is every 60 minutes (formerly hard-coded
 8384 			to 12 hours). [RT #23744]
 8385 
 8386 3101.	[bug]		Zones using automatic key maintenance could fail
 8387 			to check the key repository for updates. [RT #23744]
 8388 
 8389 3100.	[security]	Certain response policy zone configurations could
 8390 			trigger an INSIST when receiving a query of type
 8391 			RRSIG. [RT #24280]
 8392 
 8393 3099.	[test]		"dlz" system test now runs but gives R:SKIPPED if
 8394 			not compiled with --with-dlz-filesystem.  [RT #24146]
 8395 
 8396 3098.	[bug]		DLZ zones were answering without setting the AA bit.
 8397 			[RT #24146]
 8398 
 8399 3097.	[test]		Add a tool to test handling of malformed packets.
 8400 			[RT #24096]
 8401 
 8402 3096.	[bug]		Set KRB5_KTNAME before calling log_cred() in
 8403 			dst_gssapi_acceptctx(). [RT #24004]
 8404 
 8405 3095.	[bug]		Handle isolated reserved ports in the port range.
 8406 			[RT #23957]
 8407 
 8408 3094.	[doc]		Expand dns64 documentation.
 8409 
 8410 3093.	[bug]		Fix gssapi/kerberos dependencies [RT #23836]
 8411 
 8412 3092.	[bug]		Signatures for records at the zone apex could go
 8413 			stale due to an incorrect timer setting. [RT #23769]
 8414 
 8415 3091.	[bug]		Fixed a bug in which zone keys that were published
 8416 			and then subsequently activated could fail to trigger
 8417 			automatic signing. [RT #22911]
 8418 
 8419 3090.	[func]		Make --with-gssapi default [RT #23738]
 8420 
 8421 3089.	[func]		dnssec-dsfromkey now supports reading keys from
 8422 			standard input "dnssec-dsfromkey -f -". [RT #20662]
 8423 
 8424 3088.	[bug]		Remove bin/tests/system/logfileconfig/ns1/named.conf
 8425 			and add setup.sh in order to resolve changing
 8426 			named.conf issue.  [RT #23687]
 8427 
 8428 3087.	[bug]		DDNS updates using SIG(0) with update-policy match
 8429 			type "external" could cause a crash. [RT #23735]
 8430 
 8431 3086.	[bug]		Running dnssec-settime -f on an old-style key will
 8432 			now force an update to the new key format even if no
 8433 			other change has been specified, using "-P now -A now"
 8434 			as default values.  [RT #22474]
 8435 
 8436 3085.	[func]		New '-R' option in dnssec-signzone forces removal
 8437 			of signatures which have not yet expired but
 8438 			were generated by a key that no longer exists.
 8439 			[RT #22471]
 8440 
 8441 3084.	[func]		A new command "rndc sync" dumps pending changes in
 8442 			a dynamic zone to disk; "rndc sync -clean" also
 8443 			removes the journal file after syncing.  Also,
 8444 			"rndc freeze" no longer removes journal files.
 8445 			[RT #22473]
 8446 
 8447 3083.	[bug]		NOTIFY messages were not being sent when generating
 8448 			an NSEC3 chain incrementally. [RT #23702]
 8449 
 8450 3082.	[port]		strtok_r is threads only. [RT #23747]
 8451 
 8452 3081.	[bug]		Failure of DNAME substitution did not return
 8453 			YXDOMAIN. [RT #23591]
 8454 
 8455 3080.	[cleanup]	Replaced compile time constant by STDTIME_ON_32BITS.
 8456 			[RT #23587]
 8457 
 8458 3079.	[bug]		Handle isc_event_allocate failures in t_tasks.
 8459 			[RT #23572]
 8460 
 8461 3078.	[func]		Added a new include file with function typedefs
 8462 			for the DLZ "dlopen" driver. [RT #23629]
 8463 
 8464 3077.	[bug]		zone.c:zone_refreshkeys() incorrectly called
 8465 			dns_zone_attach(), use zone->irefs instead. [RT #23303]
 8466 
 8467 3076.	[func]		New '-L' option in dnssec-keygen, dnssec-settime, and
 8468 			dnssec-keyfromlabel sets the default TTL of the
 8469 			key.  When possible, automatic signing will use that
 8470 			TTL when the key is published.  [RT #23304]
 8471 
 8472 3075.	[bug]		dns_dnssec_findzonekeys{2} used an inconsistent
 8473 			timestamp when determining which keys are active.
 8474 			[RT #23642]
 8475 
 8476 3074.	[bug]		Make the adb cache read through for zone data and
 8477 			glue learned for zones named is authoritative for.
 8478 			[RT #22842]
 8479 
 8480 3073.	[bug]		managed-keys changes were not properly being recorded.
 8481 			[RT #20256]
 8482 
 8483 3072.	[bug]		dns_dns64_aaaaok() potential NULL pointer dereference.
 8484 			[RT #20256]
 8485 
 8486 3071.	[bug]		has_nsec could be used uninitialized in
 8487 			update.c:next_active. [RT #20256]
 8488 
 8489 3070.	[bug]		dnssec-signzone potential NULL pointer dereference.
 8490 			[RT #20256]
 8491 
 8492 3069.	[cleanup]	Silence warning messages from clang static analysis.
 8493 			[RT #20256]
 8494 
 8495 3068.	[bug]		Named failed to build with an OpenSSL without engine
 8496 			support. [RT #23473]
 8497 
 8498 3067.	[bug]		ixfr-from-differences {master|slave}; failed to
 8499 			select the master/slave zones.  [RT #23580]
 8500 
 8501 3066.	[func]		The DLZ "dlopen" driver is now built by default,
 8502 			no longer requiring a configure option.  To
 8503 			disable it, use "configure --without-dlopen".
 8504 			Driver also supported on win32.  [RT #23467]
 8505 
 8506 3065.	[bug]		RRSIG could have time stamps too far in the future.
 8507 			[RT #23356]
 8508 
 8509 3064.	[bug]		powerpc: add sync instructions to the end of atomic
 8510 			operations. [RT #23469]
 8511 
 8512 3063.	[contrib]	More verbose error reporting from DLZ LDAP. [RT #23402]
 8513 
 8514 3062.	[func]		Made several changes to enhance human readability
 8515 			of DNSSEC data in dig output and in generated
 8516 			zone files:
 8517 			 - DNSKEY record comments are more verbose, no
 8518 			   longer used in multiline mode only
 8519 			 - multiline RRSIG records reformatted
 8520 			 - multiline output mode for NSEC3PARAM records
 8521 			 - "dig +norrcomments" suppresses DNSKEY comments
 8522 			 - "dig +split=X" breaks hex/base64 records into
 8523 			   fields of width X; "dig +nosplit" disables this.
 8524 			[RT #22820]
 8525 
 8526 3061.	[func]		New option "dnssec-signzone -D", only write out
 8527 			generated DNSSEC records. [RT #22896]
 8528 
 8529 3060.	[func]		New option "dnssec-signzone -X <date>" allows
 8530 			specification of a separate expiration date
 8531 			for DNSKEY RRSIGs and other RRSIGs. [RT #22141]
 8532 
 8533 3059.	[test]		Added a regression test for change #3023.
 8534 
 8535 3058.	[bug]		Cause named to terminate at startup or rndc reconfig/
 8536 			reload to fail, if a log file specified in the conf
 8537 			file isn't a plain file. [RT #22771]
 8538 
 8539 3057.	[bug]		"rndc secroots" would abort after the first error
 8540 			and so could miss some views. [RT #23488]
 8541 
 8542 3056.	[func]		Added support for URI resource record. [RT #23386]
 8543 
 8544 3055.	[placeholder]
 8545 
 8546 3054.	[bug]		Added elliptic curve support check in
 8547 			GOST OpenSSL engine detection. [RT #23485]
 8548 
 8549 3053.	[bug]		Under a sustained high query load with a finite
 8550 			max-cache-size, it was possible for cache memory
 8551 			to be exhausted and not recovered. [RT #23371]
 8552 
 8553 3052.	[test]		Fixed last autosign test report. [RT #23256]
 8554 
 8555 3051.	[bug]		NS records obscure DNAME records at the bottom of the
 8556 			zone if both are present. [RT #23035]
 8557 
 8558 3050.	[bug]		The autosign system test was timing dependent.
 8559 			Wait for the initial autosigning to complete
 8560 			before running the rest of the test. [RT #23035]
 8561 
 8562 3049.	[bug]		Save and restore the gid when creating
 8563 			named.pid at startup. [RT #23290]
 8564 
 8565 3048.	[bug]		Fully separate view key management. [RT #23419]
 8566 
 8567 3047.	[bug]		DNSKEY NODATA responses were not cached; fixed in
 8568 			validator.c. Tests added to dnssec system test.
 8569 			[RT #22908]
 8570 
 8571 3046.	[bug]		Use RRSIG original TTL to compute validated RRset
 8572 			and RRSIG TTL. [RT #23332]
 8573 
 8574 3045.	[removed]	Replaced by change #3050.
 8575 
 8576 3044.	[bug]		Hold the socket manager lock while freeing the socket.
 8577 			[RT #23333]
 8578 
 8579 3043.	[test]		Merged in the NetBSD ATF test framework (currently
 8580 			version 0.12) for development of future unit tests.
 8581 			Use configure --with-atf to build ATF internally
 8582 			or configure --with-atf=prefix to use an external
 8583 			copy.  [RT #23209]
 8584 
 8585 3042.	[bug]		dig +trace could fail attempting to use IPv6
 8586 			addresses on systems with only IPv4 connectivity.
 8587 			[RT #23297]
 8588 
 8589 3041.	[bug]		dnssec-signzone failed to generate new signatures on
 8590 			ttl changes. [RT #23330]
 8591 
 8592 3040.	[bug]		Named failed to validate insecure zones where a node
 8593 			with a CNAME existed between the trust anchor and the
 8594 			top of the zone. [RT #23338]
 8595 
 8596 3039.	[func]		Redirect on NXDOMAIN support. [RT #23146]
 8597 
 8598 3038.	[bug]		Install <dns/rpz.h>.  [RT #23342]
 8599 
 8600 3037.	[doc]		Update COPYRIGHT to contain all the individual
 8601 			copyright notices that cover various parts.
 8602 
 8603 3036.	[bug]		Check built-in zone arguments to see if the zone
 8604 			is re-usable or not. [RT #21914]
 8605 
 8606 3035.	[cleanup]	Simplify by using strlcpy. [RT #22521]
 8607 
 8608 3034.	[cleanup]	nslookup: use strlcpy instead of safecopy. [RT #22521]
 8609 
 8610 3033.	[cleanup]	Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).
 8611 			[RT #22521]
 8612 
 8613 3032.	[bug]		rdatalist.c: add missing REQUIREs. [RT #22521]
 8614 
 8615 3031.	[bug]		dns_rdataclass_format() handle a zero sized buffer.
 8616 			[RT #22521]
 8617 
 8618 3030.	[bug]		dns_rdatatype_format() handle a zero sized buffer.
 8619 			[RT #22521]
 8620 
 8621 3029.	[bug]		isc_netaddr_format() handle a zero sized buffer.
 8622 			[RT #22521]
 8623 
 8624 3028.	[bug]		isc_sockaddr_format() handle a zero sized buffer.
 8625 			[RT #22521]
 8626 
 8627 3027.	[bug]		Add documented REQUIREs to cfg_obj_asnetprefix() to
 8628 			catch NULL pointer dereferences before they happen.
 8629 			[RT #22521]
 8630 
 8631 3026.	[bug]		lib/isc/httpd.c: check that we have enough space
 8632 			after calling grow_headerspace() and if not
 8633 			re-call grow_headerspace() until we do. [RT #22521]
 8634 
 8635 3025.	[bug]		Fixed a possible deadlock due to zone resigning.
 8636 			[RT #22964]
 8637 
 8638 3024.	[func]		RTT Banding removed due to minor security increase
 8639 			but major impact on resolver latency. [RT #23310]
 8640 
 8641 3023.	[bug]		Named could be left in an inconsistent state when
 8642 			receiving multiple AXFR response messages that were
 8643 			not all TSIG-signed. [RT #23254]
 8644 
 8645 3022.	[bug]		Fixed rpz SERVFAILs after failed zone transfers
 8646 			[RT #23246]
 8647 
 8648 3021.	[bug]		Change #3010 was incomplete. [RT #22296]
 8649 
 8650 3020.	[bug]		auto-dnssec failed to correctly update the zone when
 8651 			changing the DNSKEY RRset. [RT #23232]
 8652 
 8653 3019.	[test]		Test: check apex NSEC3 records after adding DNSKEY
 8654 			record via UPDATE. [RT #23229]
 8655 
 8656 3018.	[bug]		Named failed to check for the "none;" acl when deciding
 8657 			if a zone may need to be re-signed. [RT #23120]
 8658 
 8659 3017.	[doc]		dnssec-keyfromlabel -I was not properly documented.
 8660 			[RT #22887]
 8661 
 8662 3016.	[bug]		rndc usage missing '-b'. [RT #22937]
 8663 
 8664 3015.	[port]		win32: fix IN6_IS_ADDR_LINKLOCAL and
 8665 			IN6_IS_ADDR_SITELOCAL macros. [RT #22724]
 8666 
 8667 3014.	[placeholder]
 8668 
 8669 3013.	[bug]		The DNS64 ttl was not always being set as expected.
 8670 			[RT #23034]
 8671 
 8672 3012.	[bug]		Remove DNSKEY TTL change pairs before generating
 8673 			signing records for any remaining DNSKEY changes.
 8674 			[RT #22590]
 8675 
 8676 3011.	[func]		Change the default query timeout from 30 seconds
 8677 			to 10.  Allow setting this in named.conf using the new
 8678 			'resolver-query-timeout' option, which specifies a max
 8679 			time in seconds.  0 means 'default' and anything longer
 8680 			than 30 will be silently set to 30. [RT #22852]
 8681 
 8682 3010.	[bug]		Fixed a bug where "rndc reconfig" stopped the timer
 8683 			for refreshing managed-keys. [RT #22296]
 8684 
 8685 3009.	[bug]		clients-per-query code didn't work as expected with
 8686 			particular query patterns. [RT #22972]
 8687 
 8688 	--- 9.8.0b1 released ---
 8689 
 8690 3008.	[func]		Response policy zones (RPZ) support. [RT #21726]
 8691 
 8692 3007.	[bug]		Named failed to preserve the case of domain names in
 8693 			rdata which is not compressible when writing master
 8694 			files.  [RT #22863]
 8695 
 8696 3006.	[func]		Allow dynamically generated TSIG keys to be preserved
 8697 			across restarts of named.  Initially this is for
 8698 			TSIG keys generated using GSSAPI. [RT #22639]
 8699 
 8700 3005.	[port]		Solaris: Work around the lack of
 8701 			gsskrb5_register_acceptor_identity() by setting
 8702 			the KRB5_KTNAME environment variable to the
 8703 			contents of tkey-gssapi-keytab.  Also fixed
 8704 			test errors on MacOSX.  [RT #22853]
 8705 
 8706 3004.	[func]		DNS64 reverse support. [RT #22769]
 8707 
 8708 3003.	[experimental]	Added update-policy match type "external",
 8709 			enabling named to defer the decision of whether to
 8710 			allow a dynamic update to an external daemon.
 8711 			(Contributed by Andrew Tridgell.) [RT #22758]
 8712 
 8713 3002.	[bug]		isc_mutex_init_errcheck() failed to destroy attr.
 8714 			[RT #22766]
 8715 
 8716 3001.	[func]		Added a default trust anchor for the root zone, which
 8717 			can be switched on by setting "dnssec-validation auto;"
 8718 			in the named.conf options. [RT #21727]
 8719 
 8720 3000.	[bug]		More TKEY/GSS fixes:
 8721 			 - nsupdate can now get the default realm from
 8722 			   the user's Kerberos principal
 8723 			 - corrected gsstest compilation flags
 8724 			 - improved documentation
 8725 			 - fixed some NULL dereferences
 8726 			[RT #22795]
 8727 
 8728 2999.	[func]		Add GOST support (RFC 5933). [RT #20639]
 8729 
 8730 2998.	[func]		Add isc_task_beginexclusive and isc_task_endexclusive
 8731 			to the task api. [RT #22776]
 8732 
 8733 2997.	[func]		named -V now reports the OpenSSL and libxml2 versions
 8734 			it was compiled against. [RT #22687]
 8735 
 8736 2996.	[security]	Temporarily disable SO_ACCEPTFILTER support.
 8737 			[RT #22589]
 8738 
 8739 2995.	[bug]		The Kerberos realm was not being correctly extracted
 8740 			from the signer's identity. [RT #22770]
 8741 
 8742 2994.	[port]		NetBSD: use pthreads by default on NetBSD >= 5.0, and
 8743 			do not use threads on earlier versions.  Also kill
 8744 			the unproven-pthreads, mit-pthreads, and ptl2 support.
 8745 
 8746 2993.	[func]		Dynamically grow adb hash tables. [RT #21186]
 8747 
 8748 2992.	[contrib]	contrib/check-secure-delegation.pl:  A simple tool
 8749 			for looking at a secure delegation. [RT #22059]
 8750 
 8751 2991.	[contrib]	contrib/zone-edit.sh: A simple zone editing tool for
 8752 			dynamic zones. [RT #22365]
 8753 
 8754 2990.	[bug]		'dnssec-settime -S' no longer tests prepublication
 8755 			interval validity when the interval is set to 0.
 8756 			[RT #22761]
 8757 
 8758 2989.	[func]		Added support for writable DLZ zones. (Contributed
 8759 			by Andrew Tridgell of the Samba project.) [RT #22629]
 8760 
 8761 2988.	[experimental]	Added a "dlopen" DLZ driver, allowing the creation
 8762 			of external DLZ drivers that can be loaded as
 8763 			shared objects at runtime rather than linked with
 8764 			named.  Currently this is switched on via a
 8765 			compile-time option, "configure --with-dlz-dlopen".
 8766 			Note: the syntax for configuring DLZ zones
 8767 			is likely to be refined in future releases.
 8768 			(Contributed by Andrew Tridgell of the Samba
 8769 			project.) [RT #22629]
 8770 
 8771 2987.	[func]		Improve ease of configuring TKEY/GSS updates by
 8772 			adding a "tkey-gssapi-keytab" option.  If set,
 8773 			updates will be allowed with any key matching
 8774 			a principal in the specified keytab file.
 8775 			"tkey-gssapi-credential" is no longer required
 8776 			and is expected to be deprecated.  (Contributed
 8777 			by Andrew Tridgell of the Samba project.)
 8778 			[RT #22629]
 8779 
 8780 2986.	[func]		Add new zone type "static-stub".  It's like a stub
 8781 			zone, but the nameserver names and/or their IP
 8782 			addresses are statically configured. [RT #21474]
 8783 
 8784 2985.	[bug]		Add a regression test for change #2896. [RT #21324]
 8785 
 8786 2984.	[bug]		Don't run MX checks when the target of the MX record
 8787 			is ".".  [RT #22645]
 8788 
 8789 2983.	[bug]		Include "loadkeys" in rndc help output. [RT #22493]
 8790 
 8791 	--- 9.8.0a1 released ---
 8792 
 8793 2982.	[bug]		Reference count dst keys.  dst_key_attach() can be used
 8794 			to increment the reference count.
 8795 
 8796 			Note: dns_tsigkey_createfromkey() callers should now
 8797 			always call dst_key_free() rather than setting it
 8798 			to NULL on success. [RT #22672]
 8799 
 8800 2981.	[func]		Partial DNS64 support (AAAA synthesis). [RT #21991]
 8801 
 8802 2980.	[bug]		named didn't properly handle UPDATES that changed the
 8803 			TTL of the NSEC3PARAM RRset. [RT #22363]
 8804 
 8805 2979.	[bug]		named could deadlock during shutdown if two
 8806 			"rndc stop" commands were issued at the same
 8807 			time. [RT #22108]
 8808 
 8809 2978.	[port]		hpux: look for <devpoll.h> [RT #21919]
 8810 
 8811 2977.	[bug]		'nsupdate -l' report if the session key is missing.
 8812 			[RT #21670]
 8813 
 8814 2976.	[bug]		named could die on exit after negotiating a GSS-TSIG
 8815 			key. [RT #22573]
 8816 
 8817 2975.	[bug]		rbtdb.c:cleanup_dead_nodes_callback() acquired the
 8818 			wrong lock which could lead to server deadlock.
 8819 			[RT #22614]
 8820 
 8821 2974.	[bug]		Some valid UPDATE requests could fail due to a
 8822 			consistency check examining the existing version
 8823 			of the zone rather than the new version resulting
 8824 			from the UPDATE. [RT #22413]
 8825 
 8826 2973.	[bug]		bind.keys.h was being removed by the "make clean"
 8827 			at the end of configure resulting in build failures
 8828 			where there is a very old version of perl installed.
 8829 			Move it to "make maintainer-clean". [RT #22230]
 8830 
 8831 2972.	[bug]		win32: address windows socket errors. [RT #21906]
 8832 
 8833 2971.	[bug]		Fixed a bug that caused journal files not to be
 8834 			compacted on Windows systems as a result of
 8835 			non-POSIX-compliant rename() semantics. [RT #22434]
 8836 
 8837 2970.	[security]	Adding a NO DATA negative cache entry failed to clear
 8838 			any matching RRSIG records.  A subsequent lookup of
 8839 			the NO DATA cache entry could trigger an INSIST when the
 8840 			unexpected RRSIG was also returned with the NO DATA
 8841 			cache entry.
 8842 
 8843 			CVE-2010-3613, VU#706148. [RT #22288]
 8844 
 8845 2969.	[security]	Fix acl type processing so that allow-query works
 8846 			in options and view statements.  Also add a new
 8847 			set of tests to verify proper functioning.
 8848 
 8849 			CVE-2010-3615, VU#510208. [RT #22418]
 8850 
 8851 2968.	[security]	Named could fail to prove a data set was insecure
 8852 			before marking it as insecure.  One set of conditions
 8853 			that can trigger this occurs naturally when rolling
 8854 			DNSKEY algorithms.
 8855 
 8856 			CVE-2010-3614, VU#837744. [RT #22309]
 8857 
 8858 2967.	[bug]		'host -D' now turns on debugging messages earlier.
 8859 			[RT #22361]
 8860 
 8861 2966.	[bug]		isc_print_vsnprintf() failed to check if there was
 8862 			space available in the buffer when adding a left
 8863 			justified character with a non zero width,
 8864 			(e.g. "%-1c"). [RT #22270]
 8865 
 8866 2965.	[func]		Test HMAC functions using test data from RFC 2104 and
 8867 			RFC 4634. [RT #21702]
 8868 
 8869 2964.	[placeholder]
 8870 
 8871 2963.	[security]	The allow-query acl was being applied instead of the
 8872 			allow-query-cache acl to cache lookups. [RT #22114]
 8873 
 8874 2962.	[port]		win32: add more dependencies to BINDBuild.dsw.
 8875 			[RT #22062]
 8876 
 8877 2961.	[bug]		Be still more selective about the non-authoritative
 8878 			answers we apply change 2748 to. [RT #22074]
 8879 
 8880 2960.	[func]		Check that named accepts non-authoritative answers.
 8881 			[RT #21594]
 8882 
 8883 2959.	[func]		Check that named starts with a missing masterfile.
 8884 			[RT #22076]
 8885 
 8886 2958.	[bug]		named failed to start with a missing master file.
 8887 			[RT #22076]
 8888 
 8889 2957.	[bug]		entropy_get() and entropy_getpseudo() failed to match
 8890 			the API for RAND_bytes() and RAND_pseudo_bytes()
 8891 			respectively. [RT #21962]
 8892 
 8893 2956.	[port]		Enable atomic operations on the PowerPC64. [RT #21899]
 8894 
 8895 2955.	[func]		Provide more detail in the recursing log. [RT #22043]
 8896 
 8897 2954.	[bug]		contrib: dlz_mysql_driver.c bad error handling on
 8898 			build_sqldbinstance failure. [RT #21623]
 8899 
 8900 2953.	[bug]		Silence spurious "expected covering NSEC3, got an
 8901 			exact match" message when returning a wildcard
 8902 			no data response. [RT #21744]
 8903 
 8904 2952.	[port]		win32: named-checkzone and named-checkconf failed
 8905 			to initialize winsock. [RT #21932]
 8906 
 8907 2951.	[bug]		named failed to generate a correct signed response
 8908 			in an optout, delegation only zone with no secure
 8909 			delegations. [RT #22007]
 8910 
 8911 2950.	[bug]		named failed to perform a SOA up to date check when
 8912 			falling back to TCP on UDP timeouts when
 8913 			ixfr-from-differences was set. [RT #21595]
 8914 
 8915 2949.	[bug]		dns_view_setnewzones() contained a memory leak if
 8916 			it was called multiple times. [RT #21942]
 8917 
 8918 2948.	[port]		MacOS: provide a mechanism to configure the test
 8919 			interfaces at reboot. See bin/tests/system/README
 8920 			for details.
 8921 
 8922 2947.	[placeholder]
 8923 
 8924 2946.	[doc]		Document the default values for the minimum and maximum
 8925 			zone refresh and retry values in the ARM. [RT #21886]
 8926 
 8927 2945.	[doc]		Update empty-zones list in ARM. [RT #21772]
 8928 
 8929 2944.	[maint]		Remove ORCHID prefix from built in empty zones.
 8930 			[RT #21772]
 8931 
 8932 2943.	[func]		Add support to load new keys into managed zones
 8933 			without signing immediately with "rndc loadkeys".
 8934 			Add support to link keys with "dnssec-keygen -S"
 8935 			and "dnssec-settime -S".  [RT #21351]
 8936 
 8937 2942.	[contrib]	zone2sqlite failed to setup the entropy sources.
 8938 			[RT #21610]
 8939 
 8940 2941.	[bug]		sdb and sdlz (dlz's zone database) failed to support
 8941 			DNAME at the zone apex.  [RT #21610]
 8942 
 8943 2940.	[port]		Remove connection aborted error message on
 8944 			Windows. [RT #21549]
 8945 
 8946 2939.	[func]		Check that named successfully skips NSEC3 records
 8947 			that fail to match the NSEC3PARAM record currently
 8948 			in use. [RT #21868]
 8949 
 8950 2938.	[bug]		When generating signed responses, from a signed zone
 8951 			that uses NSEC3, named would use an uninitialized
 8952 			pointer if it needed to skip a NSEC3 record because
 8953 			it didn't match the selected NSEC3PARAM record for
 8954 			zone. [RT #21868]
 8955 
 8956 2937.	[bug]		Worked around an apparent race condition in over
 8957 			memory conditions.  Without this fix a DNS cache DB or
 8958 			ADB could incorrectly stay in an over memory state,
 8959 			effectively refusing further caching, which
 8960 			subsequently made a BIND 9 caching server unworkable.
 8961 			This fix prevents this problem from happening by
 8962 			polling the state of the memory context, rather than
 8963 			making a copy of the state, which appeared to cause
 8964 			a race.  This is a "workaround" in that it doesn't
 8965 			solve the possible race per se, but several experiments
 8966 			proved this change solves the symptom.  Also, the
 8967 			polling overhead hasn't been reported to be an issue.
 8968 			This bug should only affect a caching server that
 8969 			specifies a finite max-cache-size.  It's also quite
 8970 			likely that the bug happens only when enabling threads,
 8971 			but it's not confirmed yet. [RT #21818]
 8972 
 8973 2936.	[func]		Improved configuration syntax and multiple-view
 8974 			support for addzone/delzone feature (see change
 8975 			#2930).  Removed "new-zone-file" option, replaced
 8976 			with "allow-new-zones (yes|no)".  The new-zone-file
 8977 			for each view is now created automatically, with
 8978 			a filename generated from a hash of the view name.
 8979 			It is no longer necessary to "include" the
 8980 			new-zone-file in named.conf; this happens
 8981 			automatically.  Zones that were not added via
 8982 			"rndc addzone" can no longer be removed with
 8983 			"rndc delzone". [RT #19447]
 8984 
 8985 2935.	[bug]		nsupdate: improve 'file not found' error message.
 8986 			[RT #21871]
 8987 
 8988 2934.	[bug]		Use ANSI C compliant shift range in lib/isc/entropy.c.
 8989 			[RT #21871]
 8990 
 8991 2933.	[bug]		'dig +nsid' used stack memory after it went out of
 8992 			scope.  This could potentially result in an unknown,
 8993 			potentially malformed, EDNS option being sent instead
 8994 			of the desired NSID option. [RT #21781]
 8995 
 8996 2932.	[cleanup]	Corrected a numbering error in the "dnssec" test.
 8997 			[RT #21597]
 8998 
 8999 2931.	[bug]		Temporarily and partially disable change 2864
 9000 			because it would cause infinite attempts of RRSIG
 9001 			queries.  This is an urgent care fix; we'll
 9002 			revisit the issue and complete the fix later.
 9003 			[RT #21710]
 9004 
 9005 2930.	[experimental]	New "rndc addzone" and "rndc delzone" commands
 9006 			allow dynamic addition and deletion of zones.
 9007 			To enable this feature, specify a "new-zone-file"
 9008 			option at the view or options level in named.conf.
 9009 			Zone configuration information for the new zones
 9010 			will be written into that file.  To make the new
 9011 			zones persist after a restart, "include" the file
 9012 			into named.conf in the appropriate view.  (Note:
 9013 			This feature is not yet documented, and its syntax
 9014 			is expected to change.) [RT #19447]
 9015 
 9016 2929.	[bug]		Improved handling of GSS security contexts:
 9017 			 - added LRU expiration for generated TSIGs
 9018 			 - added the ability to use a non-default realm
 9019 			 - added new "realm" keyword in nsupdate
 9020 			 - limited lifetime of generated keys to 1 hour
 9021 			   or the lifetime of the context (whichever is
 9022 			   smaller)
 9023 			[RT #19737]
 9024 
 9025 2928.	[bug]		Be more selective about the non-authoritative
 9026 			answer we apply change 2748 to. [RT #21594]
 9027 
 9028 2927.	[placeholder]
 9029 
 9030 2926.	[placeholder]
 9031 
 9032 2925.	[bug]		Named failed to accept uncachable negative responses
 9033 			from insecure zones. [RT #21555]
 9034 
 9035 2924.	[func]		'rndc secroots' dumps a combined summary of the
 9036 			current managed keys combined with trusted keys.
 9037 			[RT #20904]
 9038 
 9039 2923.	[bug]		'dig +trace' could drop core after "connection
 9040 			timeout". [RT #21514]
 9041 
 9042 2922.	[contrib]	Update zkt to version 1.0.
 9043 
 9044 2921.	[bug]		The resolver could attempt to destroy a fetch context
 9045 			too soon.  [RT #19878]
 9046 
 9047 2920.	[func]		Allow 'filter-aaaa-on-v4' to be applied selectively
 9048 			to IPv4 clients.  New acl 'filter-aaaa' (default any).
 9049 
 9050 2919.	[func]		Add autosign-ksk and autosign-zsk virtual time tests.
 9051 			[RT #20840]
 9052 
 9053 2918.	[maint]		Add AAAA address for I.ROOT-SERVERS.NET.
 9054 
 9055 2917.	[func]		Virtual time test framework. [RT #20801]
 9056 
 9057 2916.	[func]		Add framework to use IPv6 in tests.
 9058 			fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7
 9059 
 9060 2915.	[cleanup]	Be smarter about which objects we attempt to compile
 9061 			based on configure options. [RT #21444]
 9062 
 9063 2914.	[bug]		Make the "autosign" system test more portable.
 9064 			[RT #20997]
 9065 
 9066 2913.	[func]		Add pkcs#11 system tests. [RT #20784]
 9067 
 9068 2912.	[func]		Windows clients don't like UPDATE responses that clear
 9069 			the zone section. [RT #20986]
 9070 
 9071 2911.	[bug]		dnssec-signzone didn't handle out of zone records well.
 9072 			[RT #21367]
 9073 
 9074 2910.	[func]		Sanity check Kerberos credentials. [RT #20986]
 9075 
 9076 2909.	[bug]		named-checkconf -p could die if "update-policy local;"
 9077 			was specified in named.conf. [RT #21416]
 9078 
 9079 2908.	[bug]		It was possible for re-signing to stop after removing
 9080 			a DNSKEY. [RT #21384]
 9081 
 9082 2907.	[bug]		The export version of libdns had undefined references.
 9083 			[RT #21444]
 9084 
 9085 2906.	[bug]		Address RFC 5011 implementation issues. [RT #20903]
 9086 
 9087 2905.	[port]		aix: set use_atomic=yes with native compiler.
 9088 			[RT #21402]
 9089 
 9090 2904.	[bug]		When using DLV, sub-zones of the zones in the DLV,
 9091 			could be incorrectly marked as insecure instead of
 9092 			secure leading to negative proofs failing.  This was
 9093 			an unintended outcome from change 2890. [RT #21392]
 9094 
 9095 2903.	[bug]		managed-keys-directory missing from namedconf.c.
 9096 			[RT #21370]
 9097 
 9098 2902.	[func]		Add regression test for change 2897. [RT #21040]
 9099 
 9100 2901.	[port]		Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]
 9101 
 9102 2900.	[bug]		The placeholder negative caching element was not
 9103 			properly constructed triggering an INSIST in
 9104 			dns_ncache_towire(). [RT #21346]
 9105 
 9106 2899.	[port]		win32: Support linking against OpenSSL 1.0.0.
 9107 
 9108 2898.	[bug]		nslookup leaked memory when -domain=value was
 9109 			specified. [RT #21301]
 9110 
 9111 2897.	[bug]		NSEC3 chains could be left behind when transitioning
 9112 			to insecure. [RT #21040]
 9113 
 9114 2896.	[bug]		"rndc sign" failed to properly update the zone
 9115 			when adding a DNSKEY for publication only. [RT #21045]
 9116 
 9117 2895.	[func]		genrandom: add support for the generation of multiple
 9118 			files.  [RT #20917]
 9119 
 9120 2894.	[contrib]	DLZ LDAP support now uses '$' not '%'. [RT #21294]
 9121 
 9122 2893.	[bug]		Improve managed keys support.  New named.conf option
 9123 			managed-keys-directory. [RT #20924]
 9124 
 9125 2892.	[bug]		Handle REVOKED keys better. [RT #20961]
 9126 
 9127 2891.	[maint]		Update empty-zones list to match
 9128 			draft-ietf-dnsop-default-local-zones-13. [RT #21099]
 9129 
 9130 2890.	[bug]		Handle the introduction of new trusted-keys and
 9131 			DS, DLV RRsets better. [RT #21097]
 9132 
 9133 2889.	[bug]		Elements of the grammar were not properly reported.
 9134 			[RT #21046]
 9135 
 9136 2888.	[bug]		Only the first EDNS option was displayed. [RT #21273]
 9137 
 9138 2887.	[bug]		Report the keytag times in UTC in the .key file,
 9139 			local time is presented as a comment within the
 9140 			comment.  [RT #21223]
 9141 
 9142 2886.	[bug]		ctime() is not thread safe. [RT #21223]
 9143 
 9144 2885.	[bug]		Improve -fno-strict-aliasing support probing in
 9145 			configure. [RT #21080]
 9146 
 9147 2884.	[bug]		Insufficient validation in dns_name_getlabelsequence().
 9148 			[RT #21283]
 9149 
 9150 2883.	[bug]		'dig +short' failed to handle really large datasets.
 9151 			[RT #21113]
 9152 
 9153 2882.	[bug]		Remove memory context from list of active contexts
 9154 			before clearing 'magic'. [RT #21274]
 9155 
 9156 2881.	[bug]		Reduce the amount of time the rbtdb write lock
 9157 			is held when closing a version. [RT #21198]
 9158 
 9159 2880.	[cleanup]	Make the output of dnssec-keygen and dnssec-revoke
 9160 			consistent. [RT #21078]
 9161 
 9162 2879.	[contrib]	DLZ bdbhpt driver fails to close correct cursor.
 9163 			[RT #21106]
 9164 
 9165 2878.	[func]		Incrementally write the master file after performing
 9166 			an AXFR.  [RT #21010]
 9167 
 9168 2877.	[bug]		The validator failed to skip obviously mismatching
 9169 			RRSIGs. [RT #21138]
 9170 
 9171 2876.	[bug]		Named could return SERVFAIL for negative responses
 9172 			from unsigned zones. [RT #21131]
 9173 
 9174 2875.	[bug]		dns_time64_fromtext() could accept non digits.
 9175 			[RT #21033]
 9176 
 9177 2874.	[bug]		Cache lack of EDNS support only after the server
 9178 			successfully responds to the query using plain DNS.
 9179 			[RT #20930]
 9180 
 9181 2873.	[bug]		Canceling a dynamic update via the dns/client module
 9182 			could trigger an assertion failure. [RT #21133]
 9183 
 9184 2872.	[bug]		Modify dns/client.c:dns_client_createx() to only
 9185 			require one of IPv4 or IPv6 rather than both.
 9186 			[RT #21122]
 9187 
 9188 2871.	[bug]		Type mismatch in mem_api.c between the definition and
 9189 			the header file, causing build failure with
 9190 			--enable-exportlib. [RT #21138]
 9191 
 9192 2870.	[maint]		Add AAAA address for L.ROOT-SERVERS.NET.
 9193 
 9194 2869.	[bug]		Fix arguments to dns_keytable_findnextkeynode() call.
 9195 			[RT #20877]
 9196 
 9197 2868.	[cleanup]	Run "make clean" at the end of configure to ensure
 9198 			any changes made by configure are integrated.
 9199 			Use --with-make-clean=no to disable.  [RT #20994]
 9200 
 9201 2867.	[bug]		Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
 9202 			don't like it.  [RT #20986]
 9203 
 9204 2866.	[bug]		Windows does not like the TSIG name being compressed.
 9205 			[RT #20986]
 9206 
 9207 2865.	[bug]		memset to zero event.data.  [RT #20986]
 9208 
 9209 2864.	[bug]		Direct SIG/RRSIG queries were not handled correctly.
 9210 			[RT #21050]
 9211 
 9212 2863.	[port]		linux: disable IPv6 PMTUD and use network minimum MTU.
 9213 			[RT #21056]
 9214 
 9215 2862.	[bug]		nsupdate didn't default to the parent zone when
 9216 			updating DS records. [RT #20896]
 9217 
 9218 2861.	[doc]		dnssec-settime man pages didn't correctly document the
 9219 			inactivation time. [RT #21039]
 9220 
 9221 2860.	[bug]		named-checkconf's usage was out of date. [RT #21039]
 9222 
 9223 2859.	[bug]		When canceling validation it was possible to leak
 9224 			memory. [RT #20800]
 9225 
 9226 2858.	[bug]		RTT estimates were not being adjusted on ICMP errors.
 9227 			[RT #20772]
 9228 
 9229 2857.	[bug]		named-checkconf did not fail on a bad trusted key.
 9230 			[RT #20705]
 9231 
 9232 2856.	[bug]		The size of a memory allocation was not always properly
 9233 			recorded. [RT #20927]
 9234 
 9235 2855.	[func]		nsupdate will now preserve the entered case of domain
 9236 			names in update requests it sends. [RT #20928]
 9237 
 9238 2854.	[func]		dig: allow the final soa record in an axfr response to
 9239 			be suppressed, dig +onesoa. [RT #20929]
 9240 
 9241 2853.	[bug]		add_sigs() could run out of scratch space. [RT #21015]
 9242 
 9243 2852.	[bug]		Handle broken DNSSEC trust chains better. [RT #15619]
 9244 
 9245 2851.	[doc]		nslookup.1, removed <informalexample> from the docbook
 9246 			source as it produced bad nroff.  [RT #21007]
 9247 
 9248 2850.	[bug]		If isc_heap_insert() failed due to memory shortage
 9249 			the heap would have corrupted entries. [RT #20951]
 9250 
 9251 2849.	[bug]		Don't treat errors from the xml2 library as fatal.
 9252 			[RT #20945]
 9253 
 9254 2848.	[doc]		Moved README.dnssec, README.libdns, README.pkcs11 and
 9255 			README.rfc5011 into the ARM. [RT #20899]
 9256 
 9257 2847.	[cleanup]	Corrected usage message in dnssec-settime. [RT #20921]
 9258 
 9259 2846.	[bug]		EOF on unix domain sockets was not being handled
 9260 			correctly. [RT #20731]
 9261 
 9262 2845.	[bug]		RFC 5011 client could crash on shutdown. [RT #20903]
 9263 
 9264 2844.	[doc]		notify-delay default in ARM was wrong.  It should have
 9265 			been five (5) seconds.
 9266 
 9267 2843.	[func]		Prevent dnssec-keygen and dnssec-keyfromlabel from
 9268 			creating key files if there is a chance that the new
 9269 			key ID will collide with an existing one after
 9270 			either of the keys has been revoked.  (To override
 9271 			this in the case of dnssec-keyfromlabel, use the -y
 9272 			option.  dnssec-keygen will simply create a
 9273 			different, non-colliding key, so an override is
 9274 			not necessary.) [RT #20838]
 9275 
 9276 2842.	[func]		Added "smartsign" and improved "autosign" and
 9277 			"dnssec" regression tests. [RT #20865]
 9278 
 9279 2841.	[bug]		Change 2836 was not complete. [RT #20883]
 9280 
 9281 2840.	[bug]		Temporarily fixed pkcs11-destroy usage check.
 9282 			[RT #20760]
 9283 
 9284 2839.	[bug]		A KSK revoked by named could not be deleted.
 9285 			[RT #20881]
 9286 
 9287 2838.	[placeholder]
 9288 
 9289 2837.	[port]		Prevent Linux spurious warnings about fwrite().
 9290 			[RT #20812]
 9291 
 9292 2836.	[bug]		Keys that were scheduled to become active could
 9293 			be delayed. [RT #20874]
 9294 
 9295 2835.	[bug]		Key inactivity dates were inadvertently stored in
 9296 			the private key file with the outdated tag
 9297 			"Unpublish" rather than "Inactive".  This has been
 9298 			fixed; however, any existing keys that had Inactive
 9299 			dates set will now need to have them reset, using
 9300 			'dnssec-settime -I'. [RT #20868]
 9301 
 9302 2834.	[bug]		HMAC-SHA* keys that were longer than the algorithm
 9303 			digest length were used incorrectly, leading to
 9304 			interoperability problems with other DNS
 9305 			implementations.  This has been corrected.
 9306 			(Note: If an oversize key is in use, and
 9307 			compatibility is needed with an older release of
 9308 			BIND, the new tool "isc-hmac-fixup" can convert
 9309 			the key secret to a form that will work with all
 9310 			versions.) [RT #20751]
 9311 
 9312 2833.	[cleanup]	Fix usage messages in dnssec-keygen and dnssec-settime.
 9313 			[RT #20851]
 9314 
 9315 2832.	[bug]		Modify "struct stat" in lib/export/samples/nsprobe.c
 9316 			to avoid redefinition in some OSs. [RT #20831]
 9317 
 9318 2831.	[security]	Do not attempt to validate or cache
 9319 			out-of-bailiwick data returned with a secure
 9320 			answer; it must be re-fetched from its original
 9321 			source and validated in that context. [RT #20819]
 9322 
 9323 2830.	[bug]		Changing the OPTOUT setting could take multiple
 9324 			passes. [RT #20813]
 9325 
 9326 2829.	[bug]		Fixed potential node inconsistency in rbtdb.c.
 9327 			[RT #20808]
 9328 
 9329 2828.	[security]	Cached CNAME or DNAME RR could be returned to clients
 9330 			without DNSSEC validation. [RT #20737]
 9331 
 9332 2827.	[security]	Bogus NXDOMAIN could be cached as if valid. [RT #20712]
 9333 
 9334 2826.	[bug]		NSEC3->NSEC transitions could fail due to a lock not
 9335 			being released.  [RT #20740]
 9336 
 9337 2825.	[bug]		Changing the setting of OPTOUT in a NSEC3 chain that
 9338 			was in the process of being created was not properly
 9339 			recorded in the zone. [RT #20786]
 9340 
 9341 2824.	[bug]		"rndc sign" was not being run by the correct task.
 9342 			[RT #20759]
 9343 
 9344 2823.	[bug]		rbtdb.c:getsigningtime() was missing locks. [RT #20781]
 9345 
 9346 2822.	[bug]		rbtdb.c:loadnode() could return the wrong result.
 9347 			[RT #20802]
 9348 
 9349 2821.	[doc]		Add note that named-checkconf doesn't automatically
 9350 			read rndc.key and bind.keys [RT #20758]
 9351 
 9352 2820.	[func]		Handle read access failure of OpenSSL configuration
 9353 			file more user friendly (PKCS#11 engine patch).
 9354 			[RT #20668]
 9355 
 9356 2819.	[cleanup]	Removed unnecessary DNS_POINTER_MAXHOPS define.
 9357 			[RT #20771]
 9358 
 9359 2818.	[cleanup]	rndc could return an incorrect error code
 9360 			when a zone was not found. [RT #20767]
 9361 
 9362 2817.	[cleanup]	Removed unnecessary isc_task_endexclusive() calls.
 9363 			[RT #20768]
 9364 
 9365 2816.	[bug]		previous_closest_nsec() could fail to return
 9366 			data for NSEC3 nodes [RT #29730]
 9367 
 9368 2815.	[bug]		Exclusively lock the task when freezing a zone.
 9369 			[RT #19838]
 9370 
 9371 2814.	[func]		Provide a definitive error message when a master
 9372 			zone is not loaded. [RT #20757]
 9373 
 9374 2813.	[bug]		Better handling of unreadable DNSSEC key files.
 9375 			[RT #20710]
 9376 
 9377 2812.	[bug]		Make sure updates can't result in a zone with
 9378 			NSEC-only keys and NSEC3 records. [RT #20748]
 9379 
 9380 2811.	[cleanup]	Add "rndc sign" to list of commands in rndc usage
 9381 			output. [RT #20733]
 9382 
 9383 2810.	[doc]		Clarified the process of transitioning an NSEC3 zone
 9384 			to insecure. [RT #20746]
 9385 
 9386 2809.	[cleanup]	Restored accidentally-deleted text in usage output
 9387 			in dnssec-settime and dnssec-revoke [RT #20739]
 9388 
 9389 2808.	[bug]		Remove the attempt to install atomic.h from lib/isc.
 9390 			atomic.h is correctly installed by the architecture
 9391 			specific subdirectories.  [RT #20722]
 9392 
 9393 2807.	[bug]		Fixed a possible ASSERT when reconfiguring zone
 9394 			keys. [RT #20720]
 9395 
 9396 	--- 9.7.0rc1 released ---
 9397 
 9398 2806.	[bug]		"rndc sign" could delay re-signing the DNSKEY
 9399 			when it had changed. [RT #20703]
 9400 
 9401 2805.	[bug]		Fixed namespace problems encountered when building
 9402 			external programs using non-exported BIND9 libraries
 9403 			(i.e., built without --enable-exportlib). [RT #20679]
 9404 
 9405 2804.	[bug]		Send notifies when a zone is signed with "rndc sign"
 9406 			or as a result of a scheduled key change. [RT #20700]
 9407 
 9408 2803.	[port]		win32: Install named-journalprint, nsec3hash, arpaname
 9409 			and genrandom under windows. [RT #20670]
 9410 
 9411 2802.	[cleanup]	Rename journalprint to named-journalprint. [RT #20670]
 9412 
 9413 2801.	[func]		Detect and report records that are different according
 9414 			to DNSSEC but are semantically equal according to plain
 9415 			DNS.  Apply plain DNS comparisons rather than DNSSEC
 9416 			comparisons when processing UPDATE requests.
 9417 			dnssec-signzone now removes such semantically duplicate
 9418 			records prior to signing the RRset.
 9419 
 9420 			named-checkzone -r {ignore|warn|fail} (default warn)
 9421 			named-compilezone -r {ignore|warn|fail} (default warn)
 9422 
 9423 			named.conf: check-dup-records {ignore|warn|fail};
 9424 
 9425 2800.	[func]		Reject zones which have NS records which refer to
 9426 			CNAMEs, DNAMEs or don't have an address record (class IN
 9427 			only).  Reject UPDATEs which would cause the zone
 9428 			to fail the above checks if committed. [RT #20678]
 9429 
 9430 2799.	[cleanup]	Changed the "secure-to-insecure" option to
 9431 			"dnssec-secure-to-insecure", and "dnskey-ksk-only"
 9432 			to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
 9433 
 9434 2798.	[bug]		Addressed bugs in managed-keys initialization
 9435 			and rollover. [RT #20683]
 9436 
 9437 2797.	[bug]		Don't decrement the dispatch manager's maxbuffers.
 9438 			[RT #20613]
 9439 
 9440 2796.	[bug]		Missing dns_rdataset_disassociate() call in
 9441 			dns_nsec3_delnsec3sx(). [RT #20681]
 9442 
 9443 2795.	[cleanup]	Add text to differentiate "update with no effect"
 9444 			log messages. [RT #18889]
 9445 
 9446 2794.	[bug]		Install <isc/namespace.h>.  [RT #20677]
 9447 
 9448 2793.	[func]		Add "autosign" and "metadata" tests to the
 9449 			automatic tests. [RT #19946]
 9450 
 9451 2792.	[func]		"filter-aaaa-on-v4" can now be set in view
 9452 			options (if compiled in).  [RT #20635]
 9453 
 9454 2791.	[bug]		The installation of isc-config.sh was broken.
 9455 			[RT #20667]
 9456 
 9457 2790.	[bug]		Handle DS queries to stub zones. [RT #20440]
 9458 
 9459 2789.	[bug]		Fixed an INSIST in dispatch.c [RT #20576]
 9460 
 9461 2788.	[bug]		dnssec-signzone could sign with keys that were
 9462 			not requested [RT #20625]
 9463 
 9464 2787.	[bug]		Spurious log message when zone keys were
 9465 			dynamically reconfigured. [RT #20659]
 9466 
 9467 2786.	[bug]		Additional could be promoted to answer. [RT #20663]
 9468 
 9469 	--- 9.7.0b3 released ---
 9470 
 9471 2785.	[bug]		Revoked keys could fail to self-sign [RT #20652]
 9472 
 9473 2784.	[bug]		TC was not always being set when required glue was
 9474 			dropped. [RT #20655]
 9475 
 9476 2783.	[func]		Return minimal responses to EDNS/UDP queries with a UDP
 9477 			buffer size of 512 or less.  [RT #20654]
 9478 
 9479 2782.	[port]		win32: use getaddrinfo() for hostname lookups.
 9480 			[RT #20650]
 9481 
 9482 2781.	[bug]		Inactive keys could be used for signing. [RT #20649]
 9483 
 9484 2780.	[bug]		dnssec-keygen -A none didn't properly unset the
 9485 			activation date in all cases. [RT #20648]
 9486 
 9487 2779.	[bug]		Dynamic key revocation could fail. [RT #20644]
 9488 
 9489 2778.	[bug]		dnssec-signzone could fail when a key was revoked
 9490 			without deleting the unrevoked version. [RT #20638]
 9491 
 9492 2777.	[contrib]	DLZ MYSQL auto reconnect support discovery was wrong.
 9493 
 9494 2776.	[bug]		Change #2762 was not correct. [RT #20647]
 9495 
 9496 2775.	[bug]		Accept RSASHA256 and RSASHA512 as NSEC3 compatible
 9497 			in dnssec-keyfromlabel. [RT #20643]
 9498 
 9499 2774.	[bug]		Existing cache DB wasn't being reused after
 9500 			reconfiguration. [RT #20629]
 9501 
 9502 2773.	[bug]		In autosigned zones, the SOA could be signed
 9503 			with the KSK. [RT #20628]
 9504 
 9505 2772.	[security]	When validating, track whether pending data was from
 9506 			the additional section or not and only return it if
 9507 			it validates as secure. [RT #20438]
 9508 
 9509 2771.	[bug]		dnssec-signzone: DNSKEY records could be
 9510 			corrupted when importing from key files [RT #20624]
 9511 
 9512 2770.	[cleanup]	Add log messages to resolver.c to indicate events
 9513 			causing FORMERR responses. [RT #20526]
 9514 
 9515 2769.	[cleanup]	Change #2742 was incomplete. [RT #19589]
 9516 
 9517 2768.	[bug]		dnssec-signzone: -S no longer implies -g [RT #20568]
 9518 
 9519 2767.	[bug]		named could crash on startup if a zone was
 9520 			configured with auto-dnssec and there was no
 9521 			key-directory. [RT #20615]
 9522 
 9523 2766.	[bug]		isc_socket_fdwatchpoke() should only update the
 9524 			socketmgr state if the socket is not pending on a
 9525 			read or write.  [RT #20603]
 9526 
 9527 2765.	[bug]		Skip masters for which the TSIG key cannot be found.
 9528 			[RT #20595]
 9529 
 9530 2764.	[bug]		"rndc-confgen -a" could trigger a REQUIRE. [RT #20610]
 9531 
 9532 2763.	[bug]		"rndc sign" didn't create an NSEC chain. [RT #20591]
 9533 
 9534 2762.	[bug]		DLV validation failed with a local slave DLV zone.
 9535 			[RT #20577]
 9536 
 9537 2761.	[cleanup]	Enable internal symbol table for backtrace only for
 9538 			systems that are known to work.  Currently, BSD
 9539 			variants, Linux and Solaris are supported. [RT #20202]
 9540 
 9541 2760.	[cleanup]	Corrected named-compilezone usage summary. [RT #20533]
 9542 
 9543 2759.	[doc]		Add information about .jbk/.jnw files to
 9544 			the ARM. [RT #20303]
 9545 
 9546 2758.	[bug]		win32: Added a workaround for a windows 2008 bug
 9547 			that could cause the UDP client handler to shut
 9548 			down. [RT #19176]
 9549 
 9550 2757.	[bug]		dig: assertion failure could occur in connect
 9551 			timeout. [RT #20599]
 9552 
 9553 2756.	[bug]		Fixed corrupt logfile message in update.c. [RT #20597]
 9554 
 9555 2755.	[placeholder]
 9556 
 9557 2754.	[bug]		Secure-to-insecure transitions failed when zone
 9558 			was signed with NSEC3. [RT #20587]
 9559 
 9560 2753.	[bug]		Removed an unnecessary warning that could appear when
 9561 			building an NSEC chain. [RT #20589]
 9562 
 9563 2752.	[bug]		Locking violation. [RT #20587]
 9564 
 9565 2751.	[bug]		Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]
 9566 
 9567 2750.	[bug]		dig: assertion failure could occur when a server
 9568 			didn't have an address. [RT #20579]
 9569 
 9570 2749.	[bug]		ixfr-from-differences generated a non-minimal ixfr
 9571 			for NSEC3 signed zones. [RT #20452]
 9572 
 9573 2748.	[func]		Identify bad answers from GTLD servers and treat them
 9574 			as referrals. [RT #18884]
 9575 
 9576 2747.	[bug]		Journal roll forwards failed to set the re-signing
 9577 			time of RRSIGs correctly. [RT #20541]
 9578 
 9579 2746.	[port]		hpux: address signed/unsigned expansion mismatch of
 9580 			dns_rbtnode_t.nsec. [RT #20542]
 9581 
 9582 2745.	[bug]		configure script didn't probe the return type of
 9583 			gai_strerror(3) correctly. [RT #20573]
 9584 
 9585 2744.	[func]		Log if a query was over TCP. [RT #19961]
 9586 
 9587 2743.	[bug]		RRSIG could be incorrectly set in the NSEC3 record
 9588 			for an insecure delegation.
 9589 
 9590 	--- 9.7.0b2 released ---
 9591 
 9592 2742.	[cleanup]	Clarify some DNSSEC-related log messages in
 9593 			validator.c. [RT #19589]
 9594 
 9595 2741.	[func]		Allow the dnssec-keygen progress messages to be
 9596 			suppressed (dnssec-keygen -q).  Automatically
 9597 			suppress the progress messages when stdin is not
 9598 			a tty. [RT #20474]
 9599 
 9600 2740.	[placeholder]
 9601 
 9602 2739.	[cleanup]	Clean up API for initializing and clearing trust
 9603 			anchors for a view. [RT #20211]
 9604 
 9605 2738.	[func]		Add RSASHA256 and RSASHA512 tests to the dnssec system
 9606 			test. [RT #20453]
 9607 
 9608 2737.	[func]		UPDATE requests can leak existence information.
 9609 			[RT #17261]
 9610 
 9611 2736.	[func]		Improve the performance of NSEC signed zones with
 9612 			more than a normal amount of glue below a delegation.
 9613 			[RT #20191]
 9614 
 9615 2735.	[bug]		dnssec-signzone could fail to read keys
 9616 			that were specified on the command line with
 9617 			full paths, but weren't in the current
 9618 			directory. [RT #20421]
 9619 
 9620 2734.	[port]		cygwin: arpaname did not compile. [RT #20473]
 9621 
 9622 2733.	[cleanup]	Clean up coding style in pkcs11-* tools. [RT #20355]
 9623 
 9624 2732.	[func]		Add optional filter-aaaa-on-v4 option, available
 9625 			if built with './configure --enable-filter-aaaa'.
 9626 			Filters out AAAA answers to clients connecting
 9627 			via IPv4.  (This is NOT recommended for general
 9628 			use.) [RT #20339]
 9629 
 9630 2731.	[func]		Additional work on change 2709.  The key parser
 9631 			will now ignore unrecognized fields when the
 9632 			minor version number of the private key format
 9633 			has been increased.  It will reject any key with
 9634 			the major version number increased. [RT #20310]
 9635 
 9636 2730.	[func]		Have dnssec-keygen display a progress indication
 9637 			a la 'openssl genrsa' on standard error. Note
 9638 			when the first '.' is followed by a long stop
 9639 			one has the choice between slow generation vs.
 9640 			poor random quality, i.e., '-r /dev/urandom'.
 9641 			[RT #20284]
 9642 
 9643 2729.	[func]		When constructing a CNAME from a DNAME use the DNAME
 9644 			TTL. [RT #20451]
 9645 
 9646 2728.	[bug]		dnssec-keygen, dnssec-keyfromlabel and
 9647 			dnssec-signzone now warn immediately if asked to
 9648 			write into a nonexistent directory. [RT #20278]
 9649 
 9650 2727.	[func]		The 'key-directory' option can now specify a relative
 9651 			path. [RT #20154]
 9652 
 9653 2726.	[func]		Added support for SHA-2 DNSSEC algorithms,
 9654 			RSASHA256 and RSASHA512. [RT #20023]
 9655 
 9656 2725.	[doc]		Added information about the file "managed-keys.bind"
 9657 			to the ARM. [RT #20235]
 9658 
 9659 2724.	[bug]		Updates to an existing node in secure zone using NSEC
 9660 			were failing. [RT #20448]
 9661 
 9662 2723.	[bug]		isc_base32_totext(), isc_base32hex_totext(), and
 9663 			isc_base64_totext(), didn't always mark regions of
 9664 			memory as fully consumed after conversion.  [RT #20445]
 9665 
 9666 2722.	[bug]		Ensure that the memory associated with the name of
 9667 			a node in a rbt tree is not altered during the life
 9668 			of the node. [RT #20431]
 9669 
 9670 2721.	[port]		Have dst__entropy_status() prime the random number
 9671 			generator. [RT #20369]
 9672 
 9673 2720.	[bug]		RFC 5011 trust anchor updates could trigger an
 9674 			assert if the DNSKEY record was unsigned. [RT #20406]
 9675 
 9676 2719.	[func]		Skip trusted/managed keys for unsupported algorithms.
 9677 			[RT #20392]
 9678 
 9679 2718.	[bug]		The space calculations in opensslrsa_todns() were
 9680 			incorrect. [RT #20394]
 9681 
 9682 2717.	[bug]		named failed to update the NSEC/NSEC3 record when
 9683 			the last private type record was removed as a result
 9684 			of completing the signing of the zone with a key.
 9685 			[RT #20399]
 9686 
 9687 2716.	[bug]		nslookup debug mode didn't return the ttl. [RT #20414]
 9688 
 9689 	--- 9.7.0b1 released ---
 9690 
 9691 2715.	[bug]		Require OpenSSL support to be explicitly disabled.
 9692 			[RT #20288]
 9693 
 9694 2714.	[port]		aix/powerpc: 'asm("ics");' needs non standard assembler
 9695 			flags.
 9696 
 9697 2713.	[bug]		powerpc: atomic operations missing asm("ics") /
 9698 			__isync() calls.
 9699 
 9700 2712.	[func]		New 'auto-dnssec' zone option allows zone signing
 9701 			to be fully automated in zones configured for
 9702 			dynamic DNS.  'auto-dnssec allow;' permits a zone
 9703 			to be signed by creating keys for it in the
 9704 			key-directory and using 'rndc sign <zone>'.
 9705 			'auto-dnssec maintain;' allows that too, plus it
 9706 			also keeps the zone's DNSSEC keys up to date
 9707 			according to their timing metadata. [RT #19943]
 9708 
 9709 2711.	[port]		win32: Add the bin/pkcs11 tools into the full
 9710 			build. [RT #20372]
 9711 
 9712 2710.	[func]		New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
 9713 			zone option cause a zone to be signed with only KSKs
 9714 			signing the DNSKEY RRset, not ZSKs.  This reduces
 9715 			the size of a DNSKEY answer.  [RT #20340]
 9716 
 9717 2709.	[func]		Added some data fields, currently unused, to the
 9718 			private key file format, to allow implementation
 9719 			of explicit key rollover in a future release
 9720 			without impairing backward or forward compatibility.
 9721 			[RT #20310]
 9722 
 9723 2708.	[func]		Insecure to secure and NSEC3 parameter changes via
 9724 			update are now fully supported and no longer require
 9725 			defines to enable.  We now no longer overload the
 9726 			NSEC3PARAM flag field, nor the NSEC OPT bit at the
 9727 			apex.  Secure to insecure changes are controlled by
 9728 			the named.conf option 'secure-to-insecure'.
 9729 
 9730 			Warning: If you had previously enabled support by
 9731 			adding defines at compile time to BIND 9.6 you should
 9732 			ensure that all changes that are in progress have
 9733 			completed prior to upgrading to BIND 9.7.  BIND 9.7
 9734 			is not backwards compatible.
 9735 
 9736 2707.	[func]		dnssec-keyfromlabel no longer requires engine name
 9737 			to be specified in the label if there is a default
 9738 			engine or the -E option has been used.  Also, it
 9739 			now uses default algorithms as dnssec-keygen does
 9740 			(i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
 9741 			[RT #20371]
 9742 
 9743 2706.	[bug]		Loading a zone with a very large NSEC3 salt could
 9744 			trigger an assert. [RT #20368]
 9745 
 9746 2705.	[placeholder]
 9747 
 9748 2704.	[bug]		Serial of dynamic and stub zones could be inconsistent
 9749 			with their SOA serial.  [RT #19387]
 9750 
 9751 2703.	[func]		Introduce an OpenSSL "engine" argument with -E
 9752 			for all binaries which can take benefit of
 9753 			crypto hardware. [RT #20230]
 9754 
 9755 2702.	[func]		Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
 9756 
 9757 2701.	[doc]		Correction to ARM: hmac-md5 is no longer the only
 9758 			supported TSIG key algorithm. [RT #18046]
 9759 
 9760 2700.	[doc]		The match-mapped-addresses option is discouraged.
 9761 			[RT #12252]
 9762 
 9763 2699.	[bug]		Missing lock in rbtdb.c. [RT #20037]
 9764 
 9765 2698.	[placeholder]
 9766 
 9767 2697.	[port]		win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
 9768 			S_IFREG are defined after including <isc/stat.h>.
 9769 			[RT #20309]
 9770 
 9771 2696.	[bug]		named failed to successfully process some valid
 9772 			acl constructs. [RT #20308]
 9773 
 9774 2695.	[func]		DHCP/DDNS - update fdwatch code for use by
 9775 			DHCP.  Modify the api to isc_sockfdwatch_t (the
 9776 			callback function for isc_socket_fdwatchcreate)
 9777 			to include information about the direction (read
 9778 			or write) and add isc_socket_fdwatchpoke.
 9779 			[RT #20253]
 9780 
 9781 2694.	[bug]		Reduce default NSEC3 iterations from 100 to 10.
 9782 			[RT #19970]
 9783 
 9784 2693.	[port]		Add some noreturn attributes. [RT #20257]
 9785 
 9786 2692.	[port]		win32: 32/64 bit cleanups. [RT #20335]
 9787 
 9788 2691.	[func]		dnssec-signzone: retain the existing NSEC or NSEC3
 9789 			chain when re-signing a previously-signed zone.
 9790 			Use -u to modify NSEC3 parameters or switch
 9791 			between NSEC and NSEC3. [RT #20304]
 9792 
 9793 2690.	[bug]		win32: fix isc_thread_key_getspecific() prototype.
 9794 			[RT #20315]
 9795 
 9796 2689.	[bug]		Correctly handle snprintf result. [RT #20306]
 9797 
 9798 2688.	[bug]		Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
 9799 			to decide to fetch the destination address. [RT #20305]
 9800 
 9801 2687.	[bug]		Fixed dnssec-signzone -S handling of revoked keys.
 9802 			Also, added warnings when revoking a ZSK, as this is
 9803 			not defined by protocol (but is legal).  [RT #19943]
 9804 
 9805 2686.	[bug]		dnssec-signzone should clean the old NSEC chain when
 9806 			signing with NSEC3 and vice versa. [RT #20301]
 9807 
 9808 2685.	[contrib]	Update contrib/zkt to version 0.99c. [RT #20054]
 9809 
 9810 2684.	[cleanup]	dig: formalize +ad and +cd as synonyms for
 9811 			+adflag and +cdflag.  [RT #19305]
 9812 
 9813 2683.	[bug]		dnssec-signzone should clean out old NSEC3 chains when
 9814 			the NSEC3 parameters used to sign the zone change.
 9815 			[RT #20246]
 9816 
 9817 2682.	[bug]		"configure --enable-symtable=all" failed to
 9818 			build. [RT #20282]
 9819 
 9820 2681.	[bug]		IPSECKEY RR of gateway type 3 was not correctly
 9821 			decoded. [RT #20269]
 9822 
 9823 2680.	[func]		Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]
 9824 
 9825 2679.	[func]		dig -k can now accept TSIG keys in named.conf
 9826 			format.  [RT #20031]
 9827 
 9828 2678.	[func]		Treat DS queries as if "minimal-response yes;"
 9829 			was set. [RT #20258]
 9830 
 9831 2677.	[func]		Changes to key metadata behavior:
 9832 			- Keys without "publish" or "active" dates set will
 9833 			  no longer be used for smart signing.  However,
 9834 			  those dates will be set to "now" by default when
 9835 			  a key is created; to generate a key but not use
 9836 			  it yet, use dnssec-keygen -G.
 9837 			- New "inactive" date (dnssec-keygen/settime -I)
 9838 			  sets the time when a key is no longer used for
 9839 			  signing but is still published.
 9840 			- The "unpublished" date (-U) is deprecated in
 9841 			  favor of "deleted" (-D).
 9842 			[RT #20247]
 9843 
 9844 2676.	[bug]		--with-export-installdir should have been
 9845 			--with-export-includedir. [RT #20252]
 9846 
 9847 2675.	[bug]		dnssec-signzone could crash if the key directory
 9848 			did not exist. [RT #20232]
 9849 
 9850 	--- 9.7.0a3 released ---
 9851 
 9852 2674.	[bug]		"dnssec-lookaside auto;" crashed if named was built
 9853 			without openssl. [RT #20231]
 9854 
 9855 2673.	[bug]		The managed-keys.bind zone file could fail to
 9856 			load due to a spurious result from sync_keyzone()
 9857 			[RT #20045]
 9858 
 9859 2672.	[bug]		Don't enable searching in 'host' when doing reverse
 9860 			lookups. [RT #20218]
 9861 
 9862 2671.	[bug]		Add support for PKCS#11 providers not returning
 9863 			the public exponent in RSA private keys
 9864 			(OpenCryptoki for instance) in
 9865 			dnssec-keyfromlabel. [RT #19294]
 9866 
 9867 2670.	[bug]		Unexpected connect failures failed to log enough
 9868 			information to be useful. [RT #20205]
 9869 
 9870 2669.	[func]		Update PKCS#11 support to support Keyper HSM.
 9871 			Update PKCS#11 patch to be against openssl-0.9.8i.
 9872 
 9873 2668.	[func]		Several improvements to dnssec-* tools, including:
 9874 			- dnssec-keygen and dnssec-settime can now set key
 9875 			  metadata fields 0 (to unset a value, use "none")
 9876 			- dnssec-revoke sets the revocation date in
 9877 			  addition to the revoke bit
 9878 			- dnssec-settime can now print individual metadata
 9879 			  fields instead of always printing all of them,
 9880 			  and can print them in unix epoch time format for
 9881 			  use by scripts
 9882 			[RT #19942]
 9883 
 9884 2667.	[func]		Add support for logging stack backtrace on assertion
 9885 			failure (not available for all platforms). [RT #19780]
 9886 
 9887 2666.	[func]		Added an 'options' argument to dns_name_fromstring()
 9888 			(API change from 9.7.0a2). [RT #20196]
 9889 
 9890 2665.	[func]		Clarify syntax for managed-keys {} statement, add
 9891 			ARM documentation about RFC 5011 support. [RT #19874]
 9892 
 9893 2664.	[bug]		create_keydata() and minimal_update() in zone.c
 9894 			didn't properly check return values for some
 9895 			functions.  [RT #19956]
 9896 
 9897 2663.	[func]		win32:  allow named to run as a service using
 9898 			"NT AUTHORITY\LocalService" as the account. [RT #19977]
 9899 
 9900 2662.	[bug]		lwres_getipnodebyname() and lwres_getipnodebyaddr()
 9901 			returned a misleading error code when lwresd was
 9902 			down. [RT #20028]
 9903 
 9904 2661.	[bug]		Check whether socket fd exceeds FD_SETSIZE when
 9905 			creating lwres context. [RT #20029]
 9906 
 9907 2660.	[func]		Add a new set of DNS libraries for non-BIND9
 9908 			applications.  See README.libdns. [RT #19369]
 9909 
 9910 2659.	[doc]		Clarify dnssec-keygen doc: key name must match zone
 9911 			name for DNSSEC keys. [RT #19938]
 9912 
 9913 2658.	[bug]		dnssec-settime and dnssec-revoke didn't process
 9914 			key file paths correctly. [RT #20078]
 9915 
 9916 2657.	[cleanup]	Lower "journal file <path> does not exist, creating it"
 9917 			log level to debug 1. [RT #20058]
 9918 
 9919 2656.	[func]		win32: add a "tools only" check box to the installer
 9920 			which causes it to only install dig, host, nslookup,
 9921 			nsupdate and relevant DLLs.  [RT #19998]
 9922 
 9923 2655.	[doc]		Document that key-directory does not affect
 9924 			bind.keys, rndc.key or session.key.  [RT #20155]
 9925 
 9926 2654.	[bug]		Improve error reporting on duplicated names for
 9927 			deny-answer-xxx. [RT #20164]
 9928 
 9929 2653.	[bug]		Treat ENGINE_load_private_key() failures as key
 9930 			not found rather than out of memory.  [RT #18033]
 9931 
 9932 2652.	[func]		Provide more detail about what record is being
 9933 			deleted. [RT #20061]
 9934 
 9935 2651.	[bug]		Dates could print incorrectly in K*.key files on
 9936 			64-bit systems. [RT #20076]
 9937 
 9938 2650.	[bug]		Assertion failure in dnssec-signzone when trying
 9939 			to read keyset-* files. [RT #20075]
 9940 
 9941 2649.	[bug]		Set the domain for forward only zones. [RT #19944]
 9942 
 9943 2648.	[port]		win32: isc_time_seconds() was broken. [RT #19900]
 9944 
 9945 2647.	[bug]		Remove unnecessary SOA updates when a new KSK is
 9946 			added. [RT #19913]
 9947 
 9948 2646.	[bug]		Incorrect cleanup on error in socket.c. [RT #19987]
 9949 
 9950 2645.	[port]		"gcc -m32" didn't work on amd64 and x86_64 platforms
 9951 			which default to 64 bits. [RT #19927]
 9952 
 9953 	--- 9.7.0a2 released ---
 9954 
 9955 2644.	[bug]		Change #2628 caused a regression on some systems;
 9956 			named was unable to write the PID file and would
 9957 			fail on startup. [RT #20001]
 9958 
 9959 2643.	[bug]		Stub zones interacted badly with NSEC3 support.
 9960 			[RT #19777]
 9961 
 9962 2642.	[bug]		nsupdate could dump core on solaris when reading
 9963 			improperly formatted key files.  [RT #20015]
 9964 
 9965 2641.	[bug]		Fixed an error in parsing update-policy syntax,
 9966 			added a regression test to check it. [RT #20007]
 9967 
 9968 2640.	[security]	A specially crafted update packet will cause named
 9969 			to exit. [RT #20000]
 9970 
 9971 2639.	[bug]		Silence compiler warnings in gssapi code. [RT #19954]
 9972 
 9973 2638.	[bug]		Install arpaname. [RT #19957]
 9974 
 9975 2637.	[func]		Rationalize dnssec-signzone's signwithkey() calling.
 9976 			[RT #19959]
 9977 
 9978 2636.	[func]		Simplify zone signing and key maintenance with the
 9979 			dnssec-* tools.  Major changes:
 9980 			- all dnssec-* tools now take a -K option to
 9981 			  specify a directory in which key files will be
 9982 			  stored
 9983 			- DNSSEC can now store metadata indicating when
 9984 			  they are scheduled to be published, activated,
 9985 			  revoked or removed; these values can be set by
 9986 			  dnssec-keygen or overwritten by the new
 9987 			  dnssec-settime command
 9988 			- dnssec-signzone -S (for "smart") option reads key
 9989 			  metadata and uses it to determine automatically
 9990 			  which keys to publish to the zone, use for
 9991 			  signing, revoke, or remove from the zone
 9992 			[RT #19816]
 9993 
 9994 2635.	[bug]		isc_inet_ntop() incorrectly handled 0.0/16 addresses.
 9995 			[RT #19716]
 9996 
 9997 2634.	[port]		win32: Add support for libxml2, enable
 9998 			statschannel. [RT #19773]
 9999 
10000 2633.	[bug]		Handle 15 bit rand() functions. [RT #19783]
10001 
10002 2632.	[func]		util/kit.sh: warn if documentation appears to be out of
10003 			date.  [RT #19922]
10004 
10005 2631.	[bug]		Handle "//", "/./" and "/../" in mkdirpath().
10006 			[RT #19926]
10007 
10008 2630.	[func]		Improved syntax for DDNS autoconfiguration:  use
10009 			"update-policy local;" to switch on local DDNS in a
10010 			zone. (The "ddns-autoconf" option has been removed.)
10011 			[RT #19875]
10012 
10013 2629.	[port]		Check for seteuid()/setegid(), use setresuid()/
10014 			setresgid() if not present. [RT #19932]
10015 
10016 2628.	[port]		linux: Allow /var/run/named/named.pid to be opened
10017 			at startup with reduced capabilities in operation.
10018 			[RT #19884]
10019 
10020 2627.	[bug]		Named aborted if the same key was included in
10021 			trusted-keys more than once. [RT #19918]
10022 
10023 2626.	[bug]		Multiple trusted-keys could trigger an assertion
10024 			failure. [RT #19914]
10025 
10026 2625.	[bug]		Missing UNLOCK in rbtdb.c. [RT #19865]
10027 
10028 2624.	[func]		'named-checkconf -p' will print out the parsed
10029 			configuration. [RT #18871]
10030 
10031 2623.	[bug]		Named started searches for DS non-optimally. [RT #19915]
10032 
10033 2622.	[bug]		Printing of named.conf grammar was broken. [RT #19919]
10034 
10035 2621.	[doc]		Made copyright boilerplate consistent.  [RT #19833]
10036 
10037 2620.	[bug]		Delay thawing the zone until the reload of it has
10038 			completed successfully.  [RT #19750]
10039 
10040 2619.	[func]		Add support for RFC 5011, automatic trust anchor
10041 			maintenance.  The new "managed-keys" statement can
10042 			be used in place of "trusted-keys" for zones which
10043 			support this protocol.  (Note: this syntax is
10044 			expected to change prior to 9.7.0 final.) [RT #19248]
10045 
10046 2618.	[bug]		The sdb and sdlz db_interator_seek() methods could
10047 			loop infinitely. [RT #19847]
10048 
10049 2617.	[bug]		ifconfig.sh failed to emit an error message when
10050 			run from the wrong location. [RT #19375]
10051 
10052 2616.	[bug]		'host' used the nameservers from resolv.conf even
10053 			when an explicit nameserver was specified. [RT #19852]
10054 
10055 2615.	[bug]		"__attribute__((unused))" was in the wrong place
10056 			for ia64 gcc builds. [RT #19854]
10057 
10058 2614.	[port]		win32: 'named -v' should automatically be executed
10059 			in the foreground. [RT #19844]
10060 
10061 2613.	[placeholder]
10062 
10063 	--- 9.7.0a1 released ---
10064 
10065 2612.	[func]		Add default values for the arguments to
10066 			dnssec-keygen.  Without arguments, it will now
10067 			generate a 1024-bit RSASHA1 zone-signing key,
10068 			or with the -f KSK option, a 2048-bit RSASHA1
10069 			key-signing key. [RT #19300]
10070 
10071 2611.	[func]		Add -l option to dnssec-dsfromkey to generate
10072 			DLV records instead of DS records. [RT #19300]
10073 
10074 2610.	[port]		sunos: Change #2363 was not complete. [RT #19796]
10075 
10076 2609.	[func]		Simplify the configuration of dynamic zones:
10077 			- add ddns-confgen command to generate
10078 			  configuration text for named.conf
10079 			- add zone option "ddns-autoconf yes;", which
10080 			  causes named to generate a TSIG session key
10081 			  and allow updates to the zone using that key
10082 			- add '-l' (localhost) option to nsupdate, which
10083 			  causes nsupdate to connect to a locally-running
10084 			  named process using the session key generated
10085 			  by named
10086 			[RT #19284]
10087 
10088 2608.	[func]		Perform post signing verification checks in
10089 			dnssec-signzone.  These can be disabled with -P.
10090 
10091 			The post sign verification test ensures that for each
10092 			algorithm in use there is at least one non revoked
10093 			self signed KSK key.  That all revoked KSK keys are
10094 			self signed.  That all records in the zone are signed
10095 			by the algorithm.  [RT #19653]
10096 
10097 2607.	[bug]		named could incorrectly delete NSEC3 records for
10098 			empty nodes when processing an update request.
10099 			[RT #19749]
10100 
10101 2606.	[bug]		"delegation-only" was not being accepted in
10102 			delegation-only type zones. [RT #19717]
10103 
10104 2605.	[bug]		Accept DS responses from delegation only zones.
10105 			[RT #19296]
10106 
10107 2604.	[func]		Add support for DNS rebinding attack prevention through
10108 			new options, deny-answer-addresses and
10109 			deny-answer-aliases.  Based on contributed code from
10110 			JD Nurmi, Google. [RT #18192]
10111 
10112 2603.	[port]		win32: handle .exe extension of named-checkzone and
10113 			named-compilezone argv[0] names under windows.
10114 			[RT #19767]
10115 
10116 2602.	[port]		win32: fix debugging command line build of libisccfg.
10117 			[RT #19767]
10118 
10119 2601.	[doc]		Mention file creation mode mask in the
10120 			named manual page.
10121 
10122 2600.	[doc]		ARM: miscellaneous reformatting for different
10123 			page widths. [RT #19574]
10124 
10125 2599.	[bug]		Address rapid memory growth when validation fails.
10126 			[RT #19654]
10127 
10128 2598.	[func]		Reserve the -F flag. [RT #19657]
10129 
10130 2597.	[bug]		Handle a validation failure with an insecure delegation
10131 			from an NSEC3 signed master/slave zone.  [RT #19464]
10132 
10133 2596.	[bug]		Stale tree nodes of cache/dynamic rbtdb could stay
10134 			long, leading to inefficient memory usage or rejecting
10135 			newer cache entries in the worst case. [RT #19563]
10136 
10137 2595.	[bug]		Fix unknown extended rcodes in dig. [RT #19625]
10138 
10139 2594.	[func]		Have rndc warn if using its default configuration
10140 			file when the key file also exists. [RT #19424]
10141 
10142 2593.	[bug]		Improve a corner source of SERVFAILs [RT #19632]
10143 
10144 2592.	[bug]		Treat "any" as a type in nsupdate. [RT #19455]
10145 
10146 2591.	[bug]		named could die when processing an update in
10147 			removed_orphaned_ds(). [RT #19507]
10148 
10149 2590.	[func]		Report zone/class of "update with no effect".
10150 			[RT #19542]
10151 
10152 2589.	[bug]		dns_db_unregister() failed to clear '*dbimp'.
10153 			[RT #19626]
10154 
10155 2588.	[bug]		SO_REUSEADDR could be set unconditionally after failure
10156 			of bind(2) call.  This should be rare and mostly
10157 			harmless, but may cause interference with other
10158 			processes that happen to use the same port. [RT #19642]
10159 
10160 2587.	[func]		Improve logging by reporting serial numbers for
10161 			when zone serial has gone backwards or unchanged.
10162 			[RT #19506]
10163 
10164 2586.	[bug]		Missing cleanup of SIG rdataset in searching a DLZ DB
10165 			or SDB. [RT #19577]
10166 
10167 2585.	[bug]		Uninitialized socket name could be referenced via a
10168 			statistics channel, triggering an assertion failure in
10169 			XML rendering. [RT #19427]
10170 
10171 2584.	[bug]		alpha: gcc optimization could break atomic operations.
10172 			[RT #19227]
10173 
10174 2583.	[port]		netbsd: provide a control to not add the compile
10175 			date to the version string, -DNO_VERSION_DATE.
10176 
10177 2582.	[bug]		Don't emit warning log message when we attempt to
10178 			remove non-existent journal. [RT #19516]
10179 
10180 2581.	[contrib]	dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
10181 			Requires MySQL 5.0.19 or later. [RT #19084]
10182 
10183 2580.	[bug]		UpdateRej statistics counter could be incremented twice
10184 			for one rejection. [RT #19476]
10185 
10186 2579.	[bug]		DNSSEC lookaside validation failed to handle unknown
10187 			algorithms. [RT #19479]
10188 
10189 2578.	[bug]		Changed default sig-signing-type to 65534, because
10190 			65535 turns out to be reserved.  [RT #19477]
10191 
10192 2577.	[doc]		Clarified some statistics counters. [RT #19454]
10193 
10194 2576.	[bug]		NSEC records were not being correctly signed when
10195 			a zone transitions from insecure to secure.
10196 			Handle such incorrectly signed zones. [RT #19114]
10197 
10198 2575.	[func]		New functions dns_name_fromstring() and
10199 			dns_name_tostring(), to simplify conversion
10200 			of a string to a dns_name structure and vice
10201 			versa. [RT #19451]
10202 
10203 2574.	[doc]		Document nsupdate -g and -o. [RT #19351]
10204 
10205 2573.	[bug]		Replacing a non-CNAME record with a CNAME record in a
10206 			single transaction in a signed zone failed. [RT #19397]
10207 
10208 2572.	[func]		Simplify DLV configuration, with a new option
10209 			"dnssec-lookaside auto;"  This is the equivalent
10210 			of "dnssec-lookaside . trust-anchor dlv.isc.org;"
10211 			plus setting a trusted-key for dlv.isc.org.
10212 
10213 			Note: The trusted key is hard-coded into named,
10214 			but is also stored in (and can be overridden
10215 			by) $sysconfdir/bind.keys.  As the ISC DLV key
10216 			rolls over it can be kept up to date by replacing
10217 			the bind.keys file with a key downloaded from
10218 			https://www.isc.org/solutions/dlv. [RT #18685]
10219 
10220 2571.	[func]		Add a new tool "arpaname" which translates IP addresses
10221 			to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
10222 			[RT #18976]
10223 
10224 2570.	[func]		Log the destination address the query was sent to.
10225 			[RT #19209]
10226 
10227 2569.	[func]		Move journalprint, nsec3hash, and genrandom
10228 			commands from bin/tests into bin/tools;
10229 			"make install" will put them in $sbindir. [RT #19301]
10230 
10231 2568.	[bug]		Report when the write to indicate an otherwise
10232 			successful start fails. [RT #19360]
10233 
10234 2567.	[bug]		dst__privstruct_writefile() could miss write errors.
10235 			write_public_key() could miss write errors.
10236 			dnssec-dsfromkey could miss write errors.
10237 			[RT #19360]
10238 
10239 2566.	[cleanup]	Clarify logged message when an insecure DNSSEC
10240 			response arrives from a zone thought to be secure:
10241 			"insecurity proof failed" instead of "not
10242 			insecure". [RT #19400]
10243 
10244 2565.	[func]		Add support for HIP record.  Includes new functions
10245 			dns_rdata_hip_first(), dns_rdata_hip_next()
10246 			and dns_rdata_hip_current().  [RT #19384]
10247 
10248 2564.	[bug]		Only take EDNS fallback steps when processing timeouts.
10249 			[RT #19405]
10250 
10251 2563.	[bug]		Dig could leak a socket causing it to wait forever
10252 			to exit. [RT #19359]
10253 
10254 2562.	[doc]		ARM: miscellaneous improvements, reorganization,
10255 			and some new content.
10256 
10257 2561.	[doc]		Add isc-config.sh(1) man page. [RT #16378]
10258 
10259 2560.	[bug]		Add #include <config.h> to iptable.c. [RT #18258]
10260 
10261 2559.	[bug]		dnssec-dsfromkey could compute bad DS records when
10262 			reading from K* files.  [RT #19357]
10263 
10264 2558.	[func]		Set the ownership of missing directories created
10265 			for pid-file if -u has been specified on the command
10266 			line. [RT #19328]
10267 
10268 2557.	[cleanup]	PCI compliance:
10269 			* new libisc log module file
10270 			* isc_dir_chroot() now also changes the working
10271 			  directory to "/".
10272 			* additional INSISTs
10273 			* additional logging when files can't be removed.
10274 
10275 2556.	[port]		Solaris: mkdir(2) on tmpfs filesystems does not do the
10276 			error checks in the correct order resulting in the
10277 			wrong error code sometimes being returned. [RT #19249]
10278 
10279 2555.	[func]		dig: when emitting a hex dump also display the
10280 			corresponding characters. [RT #19258]
10281 
10282 2554.	[bug]		Validation of uppercase queries from NSEC3 zones could
10283 			fail. [RT #19297]
10284 
10285 2553.	[bug]		Reference leak on DNSSEC validation errors. [RT #19291]
10286 
10287 2552.	[bug]		zero-no-soa-ttl-cache was not being honored.
10288 			[RT #19340]
10289 
10290 2551.	[bug]		Potential Reference leak on return. [RT #19341]
10291 
10292 2550.	[bug]		Check --with-openssl=<path> finds <openssl/opensslv.h>.
10293 			[RT #19343]
10294 
10295 2549.	[port]		linux: define NR_OPEN if not currently defined.
10296 			[RT #19344]
10297 
10298 2548.	[bug]		Install iterated_hash.h. [RT #19335]
10299 
10300 2547.	[bug]		openssl_link.c:mem_realloc() could reference an
10301 			out-of-range area of the source buffer.  New public
10302 			function isc_mem_reallocate() was introduced to address
10303 			this bug. [RT #19313]
10304 
10305 2546.	[func]		Add --enable-openssl-hash configure flag to use
10306 			OpenSSL (in place of internal routine) for hash
10307 			functions (MD5, SHA[12] and HMAC). [RT #18815]
10308 
10309 2545.	[doc]		ARM: Legal hostname checking (check-names) is
10310 			for SRV RDATA too. [RT #19304]
10311 
10312 2544.	[cleanup]	Removed unused structure members in adb.c. [RT #19225]
10313 
10314 2543.	[contrib]	Update contrib/zkt to version 0.98. [RT #19113]
10315 
10316 2542.	[doc]		Update the description of dig +adflag. [RT #19290]
10317 
10318 2541.	[bug]		Conditionally update dispatch manager statistics.
10319 			[RT #19247]
10320 
10321 2540.	[func]		Add a nibble mode to $GENERATE. [RT #18872]
10322 
10323 2539.	[security]	Update the interaction between recursion, allow-query,
10324 			allow-query-cache and allow-recursion.  [RT #19198]
10325 
10326 2538.	[bug]		cache/ADB memory could grow over max-cache-size,
10327 			especially with threads and smaller max-cache-size
10328 			values. [RT #19240]
10329 
10330 2537.	[func]		Added more statistics counters including those on socket
10331 			I/O events and query RTT histograms. [RT #18802]
10332 
10333 2536.	[cleanup]	Silence some warnings when -Werror=format-security is
10334 			specified. [RT #19083]
10335 
10336 2535.	[bug]		dig +showsearch and +trace interacted badly. [RT #19091]
10337 
10338 2534.	[func]		Check NAPTR records regular expressions and
10339 			replacement strings to ensure they are syntactically
10340 			valid and consistent. [RT #18168]
10341 
10342 2533.	[doc]		ARM: document @ (at-sign). [RT #17144]
10343 
10344 2532.	[bug]		dig: check the question section of the response to
10345 			see if it matches the asked question. [RT #18495]
10346 
10347 2531.	[bug]		Change #2207 was incomplete. [RT #19098]
10348 
10349 2530.	[bug]		named failed to reject insecure to secure transitions
10350 			via UPDATE. [RT #19101]
10351 
10352 2529.	[cleanup]	Upgrade libtool to silence complaints from recent
10353 			version of autoconf. [RT #18657]
10354 
10355 2528.	[cleanup]	Silence spurious configure warning about
10356 			--datarootdir [RT #19096]
10357 
10358 2527.	[placeholder]
10359 
10360 2526.	[func]		New named option "attach-cache" that allows multiple
10361 			views to share a single cache to save memory and
10362 			improve lookup efficiency.  Based on contributed code
10363 			from Barclay Osborn, Google. [RT #18905]
10364 
10365 2525.	[func]		New logging category "query-errors" to provide detailed
10366 			internal information about query failures, especially
10367 			about server failures. [RT #19027]
10368 
10369 2524.	[port]		sunos: dnssec-signzone needs strtoul(). [RT #19129]
10370 
10371 2523.	[bug]		Random type rdata freed by dns_nsec_typepresent().
10372 			[RT #19112]
10373 
10374 2522.	[security]	Handle -1 from DSA_do_verify() and EVP_VerifyFinal().
10375 
10376 2521.	[bug]		Improve epoll cross compilation support. [RT #19047]
10377 
10378 2520.	[bug]		Update xml statistics version number to 2.0 as change
10379 			#2388 made the schema incompatible to the previous
10380 			version. [RT #19080]
10381 
10382 2519.	[bug]		dig/host with -4 or -6 didn't work if more than two
10383 			nameserver addresses of the excluded address family
10384 			preceded in resolv.conf. [RT #19081]
10385 
10386 2518.	[func]		Add support for the new CERT types from RFC 4398.
10387 			[RT #19077]
10388 
10389 2517.	[bug]		dig +trace with -4 or -6 failed when it chose a
10390 			nameserver address of the excluded address type.
10391 			[RT #18843]
10392 
10393 2516.	[bug]		glue sort for responses was performed even when not
10394 			needed. [RT #19039]
10395 
10396 2515.	[port]		win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
10397 			[RT #19063]
10398 
10399 2514.	[bug]		dig/host failed with -4 or -6 when resolv.conf contains
10400 			a nameserver of the excluded address family.
10401 			[RT #18848]
10402 
10403 2513.	[bug]		Fix windows cli build. [RT #19062]
10404 
10405 2512.	[func]		Print a summary of the cached records which make up
10406 			the negative response.  [RT #18885]
10407 
10408 2511.	[cleanup]	dns_rdata_tofmttext() add const to linebreak.
10409 			[RT #18885]
10410 
10411 2510.	[bug]		"dig +sigchase" could trigger REQUIRE failures.
10412 			[RT #19033]
10413 
10414 2509.	[bug]		Specifying a fixed query source port was broken.
10415 			[RT #19051]
10416 
10417 2508.	[placeholder]
10418 
10419 2507.	[func]		Log the recursion quota values when killing the
10420 			oldest query or refusing to recurse due to quota.
10421 			[RT #19022]
10422 
10423 2506.	[port]		solaris: Check at configure time if
10424 			hack_shutup_pthreadonceinit is needed. [RT #19037]
10425 
10426 2505.	[port]		Treat amd64 similarly to x86_64 when determining
10427 			atomic operation support. [RT #19031]
10428 
10429 2504.	[bug]		Address race condition in the socket code. [RT #18899]
10430 
10431 2503.	[port]		linux: improve compatibility with Linux Standard
10432 			Base. [RT #18793]
10433 
10434 2502.	[cleanup]	isc_radix: Improve compliance with coding style,
10435 			document function in <isc/radix.h>. [RT #18534]
10436 
10437 2501.	[func]		$GENERATE now supports all rdata types.  Multi-field
10438 			rdata types need to be quoted.  See the ARM for
10439 			details. [RT #18368]
10440 
10441 2500.	[contrib]	contrib/sdb/pgsql/zonetodb.c called non-existent
10442 			function. [RT #18582]
10443 
10444 2499.	[port]		solaris: lib/lwres/getaddrinfo.c namespace clash.
10445 			[RT #18837]
10446 
10447 	--- 9.6.0rc1 released ---
10448 
10449 2498.	[bug]		Removed a bogus function argument used with
10450 			ISC_SOCKET_USE_POLLWATCH: it could cause compiler
10451 			warning or crash named with the debug 1 level
10452 			of logging. [RT #18917]
10453 
10454 2497.	[bug]		Don't add RRSIG bit to NSEC3 bit map for insecure
10455 			delegation.
10456 
10457 2496.	[bug]		Add sanity length checks to NSID option. [RT #18813]
10458 
10459 2495.	[bug]		Tighten RRSIG checks. [RT #18795]
10460 
10461 2494.	[bug]		isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
10462 			installed. [RT #18826]
10463 
10464 2493.	[bug]		The linux capabilities code was not correctly cleaning
10465 			up after itself. [RT #18767]
10466 
10467 2492.	[func]		Rndc status now reports the number of cpus discovered
10468 			and the number of worker threads when running
10469 			multi-threaded. [RT #18273]
10470 
10471 2491.	[func]		Attempt to re-use a local port if we are already using
10472 			the port. [RT #18548]
10473 
10474 2490.	[port]		aix: work around a kernel bug where IPV6_RECVPKTINFO
10475 			is cleared when IPV6_V6ONLY is set. [RT #18785]
10476 
10477 2489.	[port]		solaris: Workaround Solaris's kernel bug about
10478 			/dev/poll:
10479 			http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
10480 			Define ISC_SOCKET_USE_POLLWATCH at build time to enable
10481 			this workaround. [RT #18870]
10482 
10483 2488.	[func]		Added a tool, dnssec-dsfromkey, to generate DS records
10484 			from keyset and .key files. [RT #18694]
10485 
10486 2487.	[bug]		Give TCP connections longer to complete. [RT #18675]
10487 
10488 2486.	[func]		The default locations for named.pid and lwresd.pid
10489 			are now /var/run/named/named.pid and
10490 			/var/run/lwresd/lwresd.pid respectively.
10491 
10492 			This allows the owner of the containing directory
10493 			to be set, for "named -u" support, and allows there
10494 			to be a permanent symbolic link in the path, for
10495 			"named -t" support.  [RT #18306]
10496 
10497 2485.	[bug]		Change update's handling of obscured RRSIG
10498 			records.  Not all orphaned DS records were being
10499 			removed. [RT #18828]
10500 
10501 2484.	[bug]		It was possible to trigger a REQUIRE failure when
10502 			adding NSEC3 proofs to the response in
10503 			query_addwildcardproof().  [RT #18828]
10504 
10505 2483.	[port]		win32: chroot() is not supported. [RT #18805]
10506 
10507 2482.	[port]		libxml2: support versions 2.7.* in addition
10508 			to 2.6.*. [RT #18806]
10509 
10510 	--- 9.6.0b1 released ---
10511 
10512 2481.	[bug]		rbtdb.c:matchparams() failed to handle NSEC3 chain
10513 			collisions.  [RT #18812]
10514 
10515 2480.	[bug]		named could fail to emit all the required NSEC3
10516 			records.  [RT #18812]
10517 
10518 2479.	[bug]		xfrout:covers was not properly initialized. [RT #18801]
10519 
10520 2478.	[bug]		'addresses' could be used uninitialized in
10521 			configure_forward(). [RT #18800]
10522 
10523 2477.	[bug]		dig: the global option to print the command line is
10524 			+cmd not print_cmd.  Update the output to reflect
10525 			this. [RT #17008]
10526 
10527 2476.	[doc]		ARM: improve documentation for max-journal-size and
10528 			ixfr-from-differences. [RT #15909] [RT #18541]
10529 
10530 2475.	[bug]		LRU cache cleanup under overmem condition could purge
10531 			particular entries more aggressively. [RT #17628]
10532 
10533 2474.	[bug]		ACL structures could be allocated with insufficient
10534 			space, causing an array overrun. [RT #18765]
10535 
10536 2473.	[port]		linux: raise the limit on open files to the possible
10537 			maximum value before spawning threads; 'files'
10538 			specified in named.conf doesn't seem to work with
10539 			threads as expected. [RT #18784]
10540 
10541 2472.	[port]		linux: check the number of available cpu's before
10542 			calling chroot as it depends on "/proc". [RT #16923]
10543 
10544 2471.	[bug]		named-checkzone was not reporting missing mandatory
10545 			glue when sibling checks were disabled. [RT #18768]
10546 
10547 2470.	[bug]		Elements of the isc_radix_node_t could be incorrectly
10548 			overwritten.  [RT #18719]
10549 
10550 2469.	[port]		solaris: Work around Solaris's select() limitations.
10551 			[RT #18769]
10552 
10553 2468.	[bug]		Resolver could try unreachable servers multiple times.
10554 			[RT #18739]
10555 
10556 2467.	[bug]		Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]
10557 
10558 2466.	[doc]		ARM: explain max-cache-ttl 0 SERVFAIL issue.
10559 			[RT #18302]
10560 
10561 2465.	[bug]		Adb's handling of lame addresses was different
10562 			for IPv4 and IPv6. [RT #18738]
10563 
10564 2464.	[port]		linux: check that a capability is present before
10565 			trying to set it. [RT #18135]
10566 
10567 2463.	[port]		linux: POSIX doesn't include the IPv6 Advanced Socket
10568 			API and glibc hides parts of the IPv6 Advanced Socket
10569 			API as a result.  This is stupid as it breaks how the
10570 			two halves (Basic and Advanced) of the IPv6 Socket API
10571 			were designed to be used but we have to live with it.
10572 			Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
10573 			API. [RT #18388]
10574 
10575 2462.	[doc]		Document -m (enable memory usage debugging)
10576 			option for dig. [RT #18757]
10577 
10578 2461.	[port]		sunos: Change #2363 was not complete. [RT #17513]
10579 
10580 	--- 9.6.0a1 released ---
10581 
10582 2460.	[bug]		Don't call dns_db_getnsec3parameters() on the cache.
10583 			[RT #18697]
10584 
10585 2459.	[contrib]	Import dnssec-zkt to contrib/zkt. [RT #18448]
10586 
10587 2458.	[doc]		ARM: update and correction for max-cache-size.
10588 			[RT #18294]
10589 
10590 2457.	[tuning]	max-cache-size is reverted to 0, the previous
10591 			default.  It should be safe because expired cache
10592 			entries are also purged. [RT #18684]
10593 
10594 2456.	[bug]		In ACLs, ::/0 and 0.0.0.0/0 would both match any
10595 			address, regardless of family.  They now correctly
10596 			distinguish IPv4 from IPv6.  [RT #18559]
10597 
10598 2455.	[bug]		Stop metadata being transferred via axfr/ixfr.
10599 			[RT #18639]
10600 
10601 2454.	[func]		nsupdate: you can now set a default ttl. [RT #18317]
10602 
10603 2453.	[bug]		Remove NULL pointer dereference in dns_journal_print().
10604 			[RT #18316]
10605 
10606 2452.	[func]		Improve bin/test/journalprint. [RT #18316]
10607 
10608 2451.	[port]		solaris: handle runtime linking better. [RT #18356]
10609 
10610 2450.	[doc]		Fix lwresd docbook problem for manual page.
10611 			[RT #18672]
10612 
10613 2449.	[placeholder]
10614 
10615 2448.	[func]		Add NSEC3 support. [RT #15452]
10616 
10617 2447.	[cleanup]	libbind has been split out as a separate product.
10618 
10619 2446.	[func]		Add a new log message about build options on startup.
10620 			A new command-line option '-V' for named is also
10621 			provided to show this information. [RT #18645]
10622 
10623 2445.	[doc]		ARM out-of-date on empty reverse zones (list includes
10624 			RFC1918 address, but these are not yet compiled in).
10625 			[RT #18578]
10626 
10627 2444.	[port]		Linux, FreeBSD, AIX: Turn off path mtu discovery
10628 			(clear DF) for UDP responses and requests.
10629 
10630 2443.	[bug]		win32: UDP connect() would not generate an event,
10631 			and so connected UDP sockets would never clean up.
10632 			Fix this by doing an immediate WSAConnect() rather
10633 			than an io completion port type for UDP.
10634 
10635 2442.	[bug]		A lock could be destroyed twice. [RT #18626]
10636 
10637 2441.	[bug]		isc_radix_insert() could copy radix tree nodes
10638 			incompletely. [RT #18573]
10639 
10640 2440.	[bug]		named-checkconf used an incorrect test to determine
10641 			if an ACL was set to none.
10642 
10643 2439.	[bug]		Potential NULL dereference in dns_acl_isanyornone().
10644 			[RT #18559]
10645 
10646 2438.	[bug]		Timeouts could be logged incorrectly under win32.
10647 
10648 2437.	[bug]		Sockets could be closed too early, leading to
10649 			inconsistent states in the socket module. [RT #18298]
10650 
10651 2436.	[security]	win32: UDP client handler can be shutdown. [RT #18576]
10652 
10653 2435.	[bug]		Fixed an ACL memory leak affecting win32.
10654 
10655 2434.	[bug]		Fixed a minor error-reporting bug in
10656 			lib/isc/win32/socket.c.
10657 
10658 2433.	[tuning]	Set initial timeout to 800ms.
10659 
10660 2432.	[bug]		More Windows socket handling improvements.  Stop
10661 			using I/O events and use IO Completion Ports
10662 			throughout.  Rewrite the receive path logic to make
10663 			it easier to support multiple simultaneous
10664 			requesters in the future.  Add stricter consistency
10665 			checking as a compile-time option (define
10666 			ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).
10667 
10668 2431.	[bug]		Acl processing could leak memory. [RT #18323]
10669 
10670 2430.	[bug]		win32: isc_interval_set() could round down to
10671 			zero if the input was less than NS_INTERVAL
10672 			nanoseconds.  Round up instead. [RT #18549]
10673 
10674 2429.	[doc]		nsupdate should be in section 1 of the man pages.
10675 			[RT #18283]
10676 
10677 2428.	[bug]		dns_iptable_merge() mishandled merges of negative
10678 			tables. [RT #18409]
10679 
10680 2427.	[func]		Treat DNSKEY queries as if "minimal-response yes;"
10681 			was set. [RT #18528]
10682 
10683 2426.	[bug]		libbind: inet_net_pton() can sometimes return the
10684 			wrong value if excessively large net masks are
10685 			supplied. [RT #18512]
10686 
10687 2425.	[bug]		named didn't detect unavailable query source addresses
10688 			at load time. [RT #18536]
10689 
10690 2424.	[port]		configure now probes for a working epoll
10691 			implementation.  Allow the use of kqueue,
10692 			epoll and /dev/poll to be selected at compile
10693 			time. [RT #18277]
10694 
10695 2423.	[security]	Randomize server selection on queries, so as to
10696 			make forgery a little more difficult.  Instead of
10697 			always preferring the server with the lowest RTT,
10698 			pick a server with RTT within the same 128
10699 			millisecond band.  [RT #18441]
10700 
10701 2422.	[bug]		Handle the special return value of an empty node as
10702 			if it was a NXRRSET in the validator. [RT #18447]
10703 
10704 2421.	[func]		Add new command line option '-S' for named to specify
10705 			the max number of sockets. [RT #18493]
10706 			Use caution: this option may not work for some
10707 			operating systems without rebuilding named.
10708 
10709 2420.	[bug]		Windows socket handling cleanup.  Let the io
10710 			completion event send out canceled read/write
10711 			done events, which keeps us from writing to memory
10712 			we no longer have ownership of.  Add debugging
10713 			socket_log() function.  Rework TCP socket handling
10714 			to not leak sockets.
10715 
10716 2419.	[cleanup]	Document that isc_socket_create() and isc_socket_open()
10717 			should not be used for isc_sockettype_fdwatch sockets.
10718 			[RT #18521]
10719 
10720 2418.	[bug]		AXFR request on a DLZ could trigger a REQUIRE failure
10721 			[RT #18430]
10722 
10723 2417.	[bug]		Connecting UDP sockets for outgoing queries could
10724 			unexpectedly fail with an 'address already in use'
10725 			error. [RT #18411]
10726 
10727 2416.	[func]		Log file descriptors that cause exceeding the
10728 			internal maximum. [RT #18460]
10729 
10730 2415.	[bug]		'rndc dumpdb' could trigger various assertion failures
10731 			in rbtdb.c. [RT #18455]
10732 
10733 2414.	[bug]		A masterdump context held the database lock too long,
10734 			causing various troubles such as deadlock and
10735 			recursive lock acquisition. [RT #18311, #18456]
10736 
10737 2413.	[bug]		Fixed an unreachable code path in socket.c. [RT #18442]
10738 
10739 2412.	[bug]		win32: address a resource leak. [RT #18374]
10740 
10741 2411.	[bug]		Allow using a larger number of sockets than FD_SETSIZE
10742 			for select().  To enable this, set ISC_SOCKET_MAXSOCKETS
10743 			at compilation time.  [RT #18433]
10744 
10745 			Note: with changes #2469 and #2421 above, there is no
10746 			need to tweak ISC_SOCKET_MAXSOCKETS at compilation time
10747 			any more.
10748 
10749 2410.	[bug]		Correctly delete m_versionInfo. [RT #18432]
10750 
10751 2409.	[bug]		Only log that we disabled EDNS processing if we were
10752 			subsequently successful.  [RT #18029]
10753 
10754 2408.	[bug]		A duplicate TCP dispatch event could be sent, which
10755 			could then trigger an assertion failure in
10756 			resquery_response().  [RT #18275]
10757 
10758 2407.	[port]		hpux: test for sys/dyntune.h. [RT #18421]
10759 
10760 2406.	[placeholder]
10761 
10762 2405.	[cleanup]	The default value for dnssec-validation was changed to
10763 			"yes" in 9.5.0-P1 and all subsequent releases; this
10764 			was inadvertently omitted from CHANGES at the time.
10765 
10766 2404.	[port]		hpux: files unlimited support.
10767 
10768 2403.	[bug]		TSIG context leak. [RT #18341]
10769 
10770 2402.	[port]		Support Solaris 2.11 and over. [RT #18362]
10771 
10772 2401.	[bug]		Expect to get E[MN]FILE errno internal_accept()
10773 			(from accept() or fcntl() system calls). [RT #18358]
10774 
10775 2400.	[bug]		Log if kqueue()/epoll_create()/open(/dev/poll) fails.
10776 			[RT #18297]
10777 
10778 2399.	[placeholder]
10779 
10780 2398.	[bug]		Improve file descriptor management.  New,
10781 			temporary, named.conf option reserved-sockets,
10782 			default 512. [RT #18344]
10783 
10784 2397.	[bug]		gssapi_functions had too many elements. [RT #18355]
10785 
10786 2396.	[bug]		Don't set SO_REUSEADDR for randomized ports.
10787 			[RT #18336]
10788 
10789 2395.	[port]		Avoid warning and no effect from "files unlimited"
10790 			on Linux when running as root. [RT #18335]
10791 
10792 2394.	[bug]		Default configuration options set the limit for
10793 			open files to 'unlimited' as described in the
10794 			documentation. [RT #18331]
10795 
10796 2393.	[bug]		nested acls containing keys could trigger an
10797 			assertion in acl.c. [RT #18166]
10798 
10799 2392.	[bug]		remove 'grep -q' from acl test script, some platforms
10800 			don't support it. [RT #18253]
10801 
10802 2391.	[port]		hpux: cover additional recvmsg() error codes.
10803 			[RT #18301]
10804 
10805 2390.	[bug]		dispatch.c could make a false warning on 'odd socket'.
10806 			[RT #18301].
10807 
10808 2389.	[bug]		Move the "working directory writable" check to after
10809 			the ns_os_changeuser() call. [RT #18326]
10810 
10811 2388.	[bug]		Avoid using tables for layout purposes in
10812 			statistics XSL [RT #18159].
10813 
10814 2387.	[bug]		Silence compiler warnings in lib/isc/radix.c.
10815 			[RT #18147] [RT #18258]
10816 
10817 2386.	[func]		Add warning about too small 'open files' limit.
10818 			[RT #18269]
10819 
10820 2385.	[bug]		A condition variable in socket.c could leak in
10821 			rare error handling [RT #17968].
10822 
10823 2384.	[security]	Fully randomize UDP query ports to improve
10824 			forgery resilience. [RT #17949, #18098]
10825 
10826 2383.	[bug]		named could double queries when they resulted in
10827 			SERVFAIL due to overkilling EDNS0 failure detection.
10828 			[RT #18182]
10829 
10830 2382.	[doc]		Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
10831 			to ARM.
10832 
10833 2381.	[port]		dlz/mysql: support multiple install layouts for
10834 			mysql.  <prefix>/include/{,mysql/}mysql.h and
10835 			<prefix>/lib/{,mysql/}. [RT #18152]
10836 
10837 2380.	[bug]		dns_view_find() was not returning NXDOMAIN/NXRRSET
10838 			proofs which, in turn, caused validation failures
10839 			for insecure zones immediately below a secure zone
10840 			the server was authoritative for. [RT #18112]
10841 
10842 2379.	[contrib]	queryperf/gen-data-queryperf.py: removed redundant
10843 			TLDs and supported RRs with TTLs [RT #17972]
10844 
10845 2378.	[bug]		gssapi_functions{} had a redundant member in BIND 9.5.
10846 			[RT #18169]
10847 
10848 2377.	[bug]		Address race condition in dnssec-signzone. [RT #18142]
10849 
10850 2376.	[bug]		Change #2144 was not complete.
10851 
10852 2375.	[placeholder]
10853 
10854 2374.	[bug]		"blackhole" ACLs could cause named to segfault due
10855 			to some uninitialized memory. [RT #18095]
10856 
10857 2373.	[bug]		Default values of zone ACLs were re-parsed each time a
10858 			new zone was configured, causing an overconsumption
10859 			of memory. [RT #18092]
10860 
10861 2372.	[bug]		Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]
10862 
10863 2371.	[doc]		Add +nsid option to dig man page. [RT #18039]
10864 
10865 2370.	[bug]		"rndc freeze" could trigger an assertion in named
10866 			when called on a nonexistent zone. [RT #18050]
10867 
10868 2369.	[bug]		libbind: Array bounds overrun on read in bitncmp().
10869 			[RT #18054]
10870 
10871 2368.	[port]		Linux: use libcap for capability management if
10872 			possible. [RT #18026]
10873 
10874 2367.	[bug]		Improve counting of dns_resstatscounter_retry
10875 			[RT #18030]
10876 
10877 2366.	[bug]		Adb shutdown race. [RT #18021]
10878 
10879 2365.	[bug]		Fix a bug that caused dns_acl_isany() to return
10880 			spurious results. [RT #18000]
10881 
10882 2364.	[bug]		named could trigger an assertion when serving a
10883 			malformed signed zone. [RT #17828]
10884 
10885 2363.	[port]		sunos: pre-set "lt_cv_sys_max_cmd_len=4096;".
10886 			[RT #17513]
10887 
10888 2362.	[cleanup]	Make "rrset-order fixed" a compile-time option,
10889 			settable by "./configure --enable-fixed-rrset".
10890 			Disabled by default. [RT #17977]
10891 
10892 2361.	[bug]		"recursion" statistics counter could be counted
10893 			multiple times for a single query.  [RT #17990]
10894 
10895 2360.	[bug]		Fix a condition where we release a database version
10896 			(which may acquire a lock) while holding the lock.
10897 
10898 2359.	[bug]		Fix NSID bug. [RT #17942]
10899 
10900 2358.	[doc]		Update host's default query description. [RT #17934]
10901 
10902 2357.	[port]		Don't use OpenSSL's engine support in versions before
10903 			OpenSSL 0.9.7f. [RT #17922]
10904 
10905 2356.	[bug]		Built in mutex profiler was not scalable enough.
10906 			[RT #17436]
10907 
10908 2355.	[func]		Extend the number of statistics counters available.
10909 			[RT #17590]
10910 
10911 2354.	[bug]		Failed to initialize some rdatasetheader_t elements.
10912 			[RT #17927]
10913 
10914 2353.	[func]		Add support for Name Server ID (RFC 5001).
10915 			'dig +nsid' requests NSID from server.
10916 			'request-nsid yes;' causes recursive server to send
10917 			NSID requests to upstream servers.  Server responds
10918 			to NSID requests with the string configured by
10919 			'server-id' option.  [RT #17091]
10920 
10921 2352.	[bug]		Various GSS_API fixups. [RT #17729]
10922 
10923 2351.	[bug]		convertxsl.pl generated very long lines. [RT #17906]
10924 
10925 2350.	[port]		win32: IPv6 support. [RT #17797]
10926 
10927 2349.	[func]		Provide incremental re-signing support for secure
10928 			dynamic zones. [RT #1091]
10929 
10930 2348.	[func]		Use the EVP interface to OpenSSL. Add PKCS#11 support.
10931 			Documentation is in the new README.pkcs11 file.
10932 			New tool, dnssec-keyfromlabel, which takes the
10933 			label of a key pair in a HSM and constructs a DNS
10934 			key pair for use by named and dnssec-signzone.
10935 			[RT #16844]
10936 
10937 2347.	[bug]		Delete now traverses the RB tree in the canonical
10938 			order. [RT #17451]
10939 
10940 2346.	[func]		Memory statistics now cover all active memory contexts
10941 			in increased detail. [RT #17580]
10942 
10943 2345.	[bug]		named-checkconf failed to detect when forwarders
10944 			were set at both the options/view level and in
10945 			a root zone. [RT #17671]
10946 
10947 2344.	[bug]		Improve "logging{ file ...; };" documentation.
10948 			[RT #17888]
10949 
10950 2343.	[bug]		(Seemingly) duplicate IPv6 entries could be
10951 			created in ADB. [RT #17837]
10952 
10953 2342.	[func]		Use getifaddrs() if available under Linux. [RT #17224]
10954 
10955 2341.	[bug]		libbind: add missing -I../include for off source
10956 			tree builds. [RT #17606]
10957 
10958 2340.	[port]		openbsd: interface configuration. [RT #17700]
10959 
10960 2339.	[port]		tru64: support for libbind. [RT #17589]
10961 
10962 2338.	[bug]		check_ds() could be called with a non DS rdataset.
10963 			[RT #17598]
10964 
10965 2337.	[bug]		BUILD_LDFLAGS was not being correctly set.  [RT #17614]
10966 
10967 2336.	[func]		If "named -6" is specified then listen on all IPv6
10968 			interfaces if there are no listen-on-v6 clauses in
10969 			named.conf.  [RT #17581]
10970 
10971 2335.	[port]		sunos:  libbind and *printf() support for long long.
10972 			[RT #17513]
10973 
10974 2334.	[bug]		Bad REQUIRES in fromstruct_in_naptr(),  off by one
10975 			bug in fromstruct_txt(). [RT #17609]
10976 
10977 2333.	[bug]		Fix off by one error in isc_time_nowplusinterval().
10978 			[RT #17608]
10979 
10980 2332.	[contrib]	query-loc-0.4.0. [RT #17602]
10981 
10982 2331.	[bug]		Failure to regenerate any signatures was not being
10983 			reported nor being passed back to the UPDATE client.
10984 			[RT #17570]
10985 
10986 2330.	[bug]		Remove potential race condition when handling
10987 			over memory events. [RT #17572]
10988 
10989 			WARNING: API CHANGE: over memory callback
10990 			function now needs to call isc_mem_waterack().
10991 			See <isc/mem.h> for details.
10992 
10993 2329.	[bug]		Clearer help text for dig's '-x' and '-i' options.
10994 
10995 2328.	[maint]		Add AAAA addresses for A.ROOT-SERVERS.NET,
10996 			F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET,
10997 			J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
10998 			M.ROOT-SERVERS.NET.
10999 
11000 2327.	[bug]		It was possible to dereference a NULL pointer in
11001 			rbtdb.c.  Implement dead node processing in zones as
11002 			we do for caches. [RT #17312]
11003 
11004 2326.	[bug]		It was possible to trigger an INSIST in the acache
11005 			processing.
11006 
11007 2325.	[port]		Linux: use capset() function if available. [RT #17557]
11008 
11009 2324.	[bug]		Fix IPv6 matching against "any;". [RT #17533]
11010 
11011 2323.	[port]		tru64: namespace clash. [RT #17547]
11012 
11013 2322.	[port]		MacOS: work around the limitation of setrlimit()
11014 			for RLIMIT_NOFILE. [RT #17526]
11015 
11016 2321.	[placeholder]
11017 
11018 2320.	[func]		Make statistics counters thread-safe for platforms
11019 			that support certain atomic operations. [RT #17466]
11020 
11021 2319.	[bug]		Silence Coverity warnings in
11022 			lib/dns/rdata/in_1/apl_42.c. [RT #17469]
11023 
11024 2318.	[port]		sunos fixes for libbind.  [RT #17514]
11025 
11026 2317.	[bug]		"make distclean" removed bind9.xsl.h. [RT #17518]
11027 
11028 2316.	[port]		Missing #include <isc/print.h> in lib/dns/gssapictx.c.
11029 			[RT #17513]
11030 
11031 2315.	[bug]		Used incorrect address family for mapped IPv4
11032 			addresses in acl.c. [RT #17519]
11033 
11034 2314.	[bug]		Uninitialized memory use on error path in
11035 			bin/named/lwdnoop.c.  [RT #17476]
11036 
11037 2313.	[cleanup]	Silence Coverity warnings. Handle private stacks.
11038 			[RT #17447] [RT #17478]
11039 
11040 2312.	[cleanup]	Silence Coverity warning in lib/isc/unix/socket.c.
11041 			[RT #17458]
11042 
11043 2311.	[bug]		IPv6 addresses could match IPv4 ACL entries and
11044 			vice versa. [RT #17462]
11045 
11046 2310.	[bug]		dig, host, nslookup: flush stdout before emitting
11047 			debug/fatal messages.  [RT #17501]
11048 
11049 2309.	[cleanup]	Fix Coverity warnings in lib/dns/acl.c and iptable.c.
11050 			[RT #17455]
11051 
11052 2308.	[cleanup]	Silence Coverity warning in bin/named/controlconf.c.
11053 			[RT #17495]
11054 
11055 2307.	[bug]		Remove infinite loop from lib/dns/sdb.c. [RT #17496]
11056 
11057 2306.	[bug]		Remove potential race from lib/dns/resolver.c.
11058 			[RT #17470]
11059 
11060 2305.	[security]	inet_network() buffer overflow. CVE-2008-0122.
11061 
11062 2304.	[bug]		Check returns from all dns_rdata_tostruct() calls.
11063 			[RT #17460]
11064 
11065 2303.	[bug]		Remove unnecessary code from bin/named/lwdgnba.c.
11066 			[RT #17471]
11067 
11068 2302.	[bug]		Fix memset() calls in lib/tests/t_api.c. [RT #17472]
11069 
11070 2301.	[bug]		Remove resource leak and fix error messages in
11071 			bin/tests/system/lwresd/lwtest.c. [RT #17474]
11072 
11073 2300.	[bug]		Fixed failure to close open file in
11074 			bin/tests/names/t_names.c. [RT #17473]
11075 
11076 2299.	[bug]		Remove unnecessary NULL check in
11077 			bin/nsupdate/nsupdate.c. [RT #17475]
11078 
11079 2298.	[bug]		isc_mutex_lock() failure not caught in
11080 			bin/tests/timers/t_timers.c. [RT #17468]
11081 
11082 2297.	[bug]		isc_entropy_createfilesource() failure not caught in
11083 			bin/tests/dst/t_dst.c. [RT #17467]
11084 
11085 2296.	[port]		Allow docbook stylesheet location to be specified to
11086 			configure. [RT #17457]
11087 
11088 2295.	[bug]		Silence static overrun error in bin/named/lwaddr.c.
11089 			[RT #17459]
11090 
11091 2294.	[func]		Allow the experimental statistics channels to have
11092 			multiple connections and ACL.
11093 			Note: the stats-server and stats-server-v6 options
11094 			available in the previous beta releases are replaced
11095 			with the generic statistics-channels statement.
11096 
11097 2293.	[func]		Add ACL regression test. [RT #17375]
11098 
11099 2292.	[bug]		Log if the working directory is not writable.
11100 			[RT #17312]
11101 
11102 2291.	[bug]		PR_SET_DUMPABLE may be set too late.  Also report
11103 			failure to set PR_SET_DUMPABLE. [RT #17312]
11104 
11105 2290.	[bug]		Let AD in the query signal that the client wants AD
11106 			set in the response. [RT #17301]
11107 
11108 2289.	[func]		named-checkzone now reports the out-of-zone CNAME
11109 			found. [RT #17309]
11110 
11111 2288.	[port]		win32: mark service as running when we have finished
11112 			loading.  [RT #17441]
11113 
11114 2287.	[bug]		Use 'volatile' if the compiler supports it. [RT #17413]
11115 
11116 2286.	[func]		Allow a TCP connection to be used as a weak
11117 			authentication method for reverse zones.
11118 			New update-policy methods tcp-self and 6to4-self.
11119 			[RT #17378]
11120 
11121 2285.	[func]		Test framework for client memory context management.
11122 			[RT #17377]
11123 
11124 2284.	[bug]		Memory leak in UPDATE prerequisite processing.
11125 			[RT #17377]
11126 
11127 2283.	[bug]		TSIG keys were not attaching to the memory
11128 			context.  TSIG keys should use the ring's
11129 			memory context rather than the client's memory
11130 			context. [RT #17377]
11131 
11132 2282.	[bug]		Acl code fixups. [RT #17346] [RT #17374]
11133 
11134 2281.	[bug]		Attempts to use undefined acls were not being logged.
11135 			[RT #17307]
11136 
11137 2280.	[func]		Allow the experimental http server to be reached
11138 			over IPv6 as well as IPv4. [RT #17332]
11139 
11140 2279.	[bug]		Use setsockopt(SO_NOSIGPIPE), when available,
11141 			to protect applications from receiving spurious
11142 			SIGPIPE signals when using the resolver.
11143 
11144 2278.	[bug]		win32: handle the case where Windows returns no
11145 			search list or DNS suffix. [RT #17354]
11146 
11147 2277.	[bug]		Empty zone names were not correctly being caught
11148 			in the post parse checks. [RT #17357]
11149 
11150 2276.	[bug]		Install <dst/gssapi.h>.  [RT #17359]
11151 
11152 2275.	[func]		Add support to dig to perform IXFR queries over UDP.
11153 			[RT #17235]
11154 
11155 2274.	[func]		Log zone transfer statistics. [RT #17336]
11156 
11157 2273.	[bug]		Adjust log level to WARNING when saving inconsistent
11158 			stub/slave master and journal files. [RT #17279]
11159 
11160 2272.	[bug]		Handle illegal dnssec-lookaside trust-anchor names.
11161 			[RT #17262]
11162 
11163 2271.	[bug]		Fix a memory leak in http server code [RT #17100]
11164 
11165 2270.	[bug]		dns_db_closeversion() version->writer could be reset
11166 			before it is tested. [RT #17290]
11167 
11168 2269.	[contrib]	dbus memory leaks and missing va_end calls. [RT #17232]
11169 
11170 2268.	[bug]		0.IN-ADDR.ARPA was missing from the empty zones
11171 			list.
11172 
11173 	--- 9.5.0b1 released ---
11174 
11175 2267.	[bug]		Radix tree node_num value could be set incorrectly,
11176 			causing positive ACL matches to look like negative
11177 			ones.  [RT #17311]
11178 
11179 2266.	[bug]		client.c:get_clientmctx() returned the same mctx
11180 			once the pool of mctx's was filled. [RT #17218]
11181 
11182 2265.	[bug]		Test that the memory context's basic_table is non NULL
11183 			before freeing.  [RT #17265]
11184 
11185 2264.	[bug]		Server prefix length was being ignored. [RT #17308]
11186 
11187 2263.	[bug]		"named-checkconf -z" failed to set default value
11188 			for "check-integrity".  [RT #17306]
11189 
11190 2262.	[bug]		Error status from all but the last view could be
11191 			lost. [RT #17292]
11192 
11193 2261.	[bug]		Fix memory leak with "any" and "none" ACLs [RT #17272]
11194 
11195 2260.	[bug]		Reported wrong clients-per-query when increasing the
11196 			value. [RT #17236]
11197 
11198 2259.	[placeholder]
11199 
11200 	--- 9.5.0a7 released ---
11201 
11202 2258.	[bug]		Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken.
11203 			[RT #17241]
11204 
11205 2257.	[bug]		win32: Use the full path to vcredist_x86.exe when
11206 			calling it. [RT #17222]
11207 
11208 2256.	[bug]		win32: Correctly register the installation location of
11209 			bindevt.dll. [RT #17159]
11210 
11211 2255.	[maint]		L.ROOT-SERVERS.NET is now 199.7.83.42.
11212 
11213 2254.	[bug]		timer.c:dispatch() failed to lock timer->lock
11214 			when reading timer->idle allowing it to see
11215 			intermediate values as timer->idle was reset by
11216 			isc_timer_touch(). [RT #17243]
11217 
11218 2253.	[func]		"max-cache-size" defaults to 32M.
11219 			"max-acache-size" defaults to 16M.
11220 
11221 2252.	[bug]		Fixed errors in sortlist code [RT #17216]
11222 
11223 2251.	[placeholder]
11224 
11225 2250.	[func]		New flag 'memstatistics' to state whether the
11226 			memory statistics file should be written or not.
11227 			Additionally named's -m option will cause the
11228 			statistics file to be written. [RT #17113]
11229 
11230 2249.	[bug]		Only set Authentic Data bit if client requested
11231 			DNSSEC, per RFC 3655 [RT #17175]
11232 
11233 2248.	[cleanup]	Fix several errors reported by Coverity. [RT #17160]
11234 
11235 2247.	[doc]		Sort doc/misc/options. [RT #17067]
11236 
11237 2246.	[bug]		Make the startup of test servers (ans.pl) more
11238 			robust. [RT #17147]
11239 
11240 2245.	[bug]		Validating lack of DS records at trust anchors wasn't
11241 			working. [RT #17151]
11242 
11243 2244.	[func]		Allow the check of nameserver names against the
11244 			SOA MNAME field to be disabled by specifying
11245 			'notify-to-soa yes;'.  [RT #17073]
11246 
11247 2243.	[func]		Configuration files without a newline at the end now
11248 			parse without error. [RT #17120]
11249 
11250 2242.	[bug]		nsupdate: GSS-TSIG support using the Heimdal Kerberos
11251 			library could require a source of random data.
11252 			[RT #17127]
11253 
11254 2241.	[func]		nsupdate: add an interactive 'help' command. [RT #17099]
11255 
11256 2240.	[bug]		Clean up nsupdate's GSS-TSIG support.  Convert
11257 			a number of INSIST()s into plain fatal() errors
11258 			which report the triggering result code.
11259 			The 'key' command wasn't disabling GSS-TSIG.
11260 			[RT #17099]
11261 
11262 2239.	[func]		Ship a pre built bin/named/bind9.xsl.h. [RT #17114]
11263 
11264 2238.	[bug]		It was possible to trigger a REQUIRE when a
11265 			validation was canceled. [RT #17106]
11266 
11267 2237.	[bug]		libbind: res_init() was not thread aware. [RT #17123]
11268 
11269 2236.	[bug]		dnssec-signzone failed to preserve the case of
11270 			wildcard owner names. [RT #17085]
11271 
11272 2235.	[bug]		<isc/atomic.h> was not being installed. [RT #17135]
11273 
11274 2234.	[port]		Correct some compiler warnings on SCO OSr5 [RT #17134]
11275 
11276 2233.	[func]		Add support for O(1) ACL processing, based on
11277 			radix tree code originally written by Kevin
11278 			Brintnall. [RT #16288]
11279 
11280 2232.	[bug]		dns_adb_findaddrinfo() could fail and return
11281 			ISC_R_SUCCESS. [RT #17137]
11282 
11283 2231.	[bug]		Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken.
11284 			[RT #17088]
11285 
11286 2230.	[bug]		We could INSIST reading a corrupted journal.
11287 			[RT #17132]
11288 
11289 2229.	[bug]		Null pointer dereference on query pool creation
11290 			failure. [RT #17133]
11291 
11292 2228.	[contrib]	contrib: Change 2188 was incomplete.
11293 
11294 2227.	[cleanup]	Tidied up the FAQ. [RT #17121]
11295 
11296 2226.	[placeholder]
11297 
11298 2225.	[bug]		More support for systems with no IPv4 addresses.
11299 			[RT #17111]
11300 
11301 2224.	[bug]		Defer journal compaction if a xfrin is in progress.
11302 			[RT #17119]
11303 
11304 2223.	[bug]		Make a new journal when compacting. [RT #17119]
11305 
11306 2222.	[func]		named-checkconf now checks server key references.
11307 			[RT #17097]
11308 
11309 2221.	[bug]		Set the event result code to reflect the actual
11310 			record returned to caller when a cache update is
11311 			rejected due to a more credible answer existing.
11312 			[RT #17017]
11313 
11314 2220.	[bug]		win32: Address a race condition in final shutdown of
11315 			the Windows socket code. [RT #17028]
11316 
11317 2219.	[bug]		Apply zone consistency checks to additions, not
11318 			removals, when updating. [RT #17049]
11319 
11320 2218.	[bug]		Remove unnecessary REQUIRE from dns_validator_create().
11321 			[RT #16976]
11322 
11323 2217.	[func]		Adjust update log levels. [RT #17092]
11324 
11325 2216.	[cleanup]	Fix a number of errors reported by Coverity.
11326 			[RT #17094]
11327 
11328 2215.	[bug]		Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094]
11329 
11330 2214.	[bug]		Deregister OpenSSL lock callback when cleaning
11331 			up.  Reorder OpenSSL cleanup so that RAND_cleanup()
11332 			is called before the locks are destroyed. [RT #17098]
11333 
11334 2213.	[bug]		SIG0 diagnostic failure messages were looking at the
11335 			wrong status code. [RT #17101]
11336 
11337 2212.	[func]		'host -m' now causes memory statistics and active
11338 			memory to be printed at exit. [RT #17028]
11339 
11340 2211.	[func]		Update "dynamic update temporarily disabled" message.
11341 			[RT #17065]
11342 
11343 2210.	[bug]		Deleting class specific records via UPDATE could
11344 			fail.  [RT #17074]
11345 
11346 2209.	[port]		osx: linking against user supplied static OpenSSL
11347 			libraries failed as the system ones were still being
11348 			found. [RT #17078]
11349 
11350 2208.	[port]		win32: make sure both build methods produce the
11351 			same output. [RT #17058]
11352 
11353 2207.	[port]		Some implementations of getaddrinfo() fail to set
11354 			ai_canonname correctly. [RT #17061]
11355 
11356 	--- 9.5.0a6 released ---
11357 
11358 2206.	[security]	"allow-query-cache" and "allow-recursion" now
11359 			cross inherit from each other.
11360 
11361 			If allow-query-cache is not set in named.conf then
11362 			allow-recursion is used if set, otherwise allow-query
11363 			is used if set, otherwise the default (localnets;
11364 			localhost;) is used.
11365 
11366 			If allow-recursion is not set in named.conf then
11367 			allow-query-cache is used if set, otherwise allow-query
11368 			is used if set, otherwise the default (localnets;
11369 			localhost;) is used.
11370 
11371 			[RT #16987]
11372 
11373 2205.	[bug]		libbind: change #2119 broke thread support. [RT #16982]
11374 
11375 2204.	[bug]		"rndc flushname name unknown-view" caused named
11376 			to crash. [RT #16984]
11377 
11378 2203.	[security]	Query id generation was cryptographically weak.
11379 			[RT #16915]
11380 
11381 2202.	[security]	The default acls for allow-query-cache and
11382 			allow-recursion were not being applied. [RT #16960]
11383 
11384 2201.	[bug]		The build failed in a separate object directory.
11385 			[RT #16943]
11386 
11387 2200.	[bug]		The search for cached NSEC records was stopping too
11388 			early leading to excessive DLV queries. [RT #16930]
11389 
11390 2199.	[bug]		win32: don't call WSAStartup() while loading dlls.
11391 			[RT #16911]
11392 
11393 2198.	[bug]		win32: RegCloseKey() could be called when
11394 			RegOpenKeyEx() failed. [RT #16911]
11395 
11396 2197.	[bug]		Add INSIST to catch negative responses which are
11397 			not setting the event result code appropriately.
11398 			[RT #16909]
11399 
11400 2196.	[port]		win32: yield processor while waiting for once to
11401 			complete. [RT #16958]
11402 
11403 2195.	[func]		dnssec-keygen now defaults to nametype "ZONE"
11404 			when generating DNSKEYs. [RT #16954]
11405 
11406 2194.	[bug]		Close journal before calling 'done' in xfrin.c.
11407 
11408 	--- 9.5.0a5 released ---
11409 
11410 2193.	[port]		win32: BINDInstall.exe is now linked statically.
11411 			[RT #16906]
11412 
11413 2192.	[port]		win32: use vcredist_x86.exe to install Visual
11414 			Studio's redistributable dlls if building with
11415 			Visual Studio 2005 or later.
11416 
11417 2191.	[func]		named-checkzone now allows dumping to stdout (-).
11418 			named-checkconf now has -h for help.
11419 			named-checkzone now has -h for help.
11420 			rndc now has -h for help.
11421 			Better handling of '-?' for usage summaries.
11422 			[RT #16707]
11423 
11424 2190.	[func]		Make fallback to plain DNS from EDNS due to timeouts
11425 			more visible.  New logging category "edns-disabled".
11426 			[RT #16871]
11427 
11428 2189.	[bug]		Handle socket() returning EINTR. [RT #15949]
11429 
11430 2188.	[contrib]	queryperf: autoconf changes to make the search for
11431 			libresolv or libbind more robust. [RT #16299]
11432 
11433 2187.	[bug]		query_addds(), query_addwildcardproof() and
11434 			query_addnxrrsetnsec() should take a version
11435 			argument. [RT #16368]
11436 
11437 2186.	[port]		cygwin: libbind: check for struct sockaddr_storage
11438 			independently of IPv6. [RT #16482]
11439 
11440 2185.	[port]		sunos: libbind: check for ssize_t, memmove() and
11441 			memchr(). [RT #16463]
11442 
11443 2184.	[bug]		bind9.xsl.h didn't build out of the source tree.
11444 			[RT #16830]
11445 
11446 2183.	[bug]		dnssec-signzone didn't handle offline private keys
11447 			well.  [RT #16832]
11448 
11449 2182.	[bug]		dns_dispatch_createtcp() and dispatch_createudp()
11450 			could return ISC_R_SUCCESS when they ran out of
11451 			memory. [RT #16365]
11452 
11453 2181.	[port]		sunos: libbind: add paths.h from BIND 8. [RT #16462]
11454 
11455 2180.	[cleanup]	Remove bit test from 'compress_test' as they
11456 			are no longer needed. [RT #16497]
11457 
11458 2179.	[func]		'rndc command zone' will now find 'zone' if it is
11459 			unique to all the views. [RT #16821]
11460 
11461 2178.	[bug]		'rndc reload' of a slave or stub zone resulted in
11462 			a reference leak. [RT #16867]
11463 
11464 2177.	[bug]		Array bounds overrun on read (rcodetext) at
11465 			debug level 10+. [RT #16798]
11466 
11467 2176.	[contrib]	dbus update to handle race condition during
11468 			initialization (Bugzilla 235809). [RT #16842]
11469 
11470 2175.	[bug]		win32: windows broadcast condition variable support
11471 			was broken. [RT #16592]
11472 
11473 2174.	[bug]		I/O errors should always be fatal when reading
11474 			master files. [RT #16825]
11475 
11476 2173.	[port]		win32: When compiling with MSVS 2005 SP1 we also
11477 			need to ship Microsoft.VC80.MFCLOC.
11478 
11479 	--- 9.5.0a4 released ---
11480 
11481 2172.	[bug]		query_addsoa() was being called with a non zone db.
11482 			[RT #16834]
11483 
11484 2171.	[bug]		Handle breaks in DNSSEC trust chains where the parent
11485 			servers are not DS aware (DS queries to the parent
11486 			return a referral to the child).
11487 
11488 2170.	[func]		Add acache processing to test suite. [RT #16711]
11489 
11490 2169.	[bug]		host, nslookup: when reporting NXDOMAIN report the
11491 			given name and not the last name searched for.
11492 			[RT #16763]
11493 
11494 2168.	[bug]		nsupdate: in non-interactive mode treat syntax errors
11495 			as fatal errors. [RT #16785]
11496 
11497 2167.	[bug]		When re-using an automatic zone named failed to
11498 			attach it to the new view. [RT #16786]
11499 
11500 	--- 9.5.0a3 released ---
11501 
11502 2166.	[bug]		When running in batch mode, dig could misinterpret
11503 			a server address as a name to be looked up, causing
11504 			unexpected output. [RT #16743]
11505 
11506 2165.	[func]		Allow the destination address of a query to determine
11507 			if we will answer the query or recurse.
11508 			allow-query-on, allow-recursion-on and
11509 			allow-query-cache-on. [RT #16291]
11510 
11511 2164.	[bug]		The code to determine how named-checkzone /
11512 			named-compilezone was called failed under windows.
11513 			[RT #16764]
11514 
11515 2163.	[bug]		If only one of query-source and query-source-v6
11516 			specified a port the query pools code broke (change
11517 			2129).  [RT #16768]
11518 
11519 2162.	[func]		Allow "rrset-order fixed" to be disabled at compile
11520 			time. [RT #16665]
11521 
11522 2161.	[bug]		Fix which log messages are emitted for 'rndc flush'.
11523 			[RT #16698]
11524 
11525 2160.	[bug]		libisc wasn't handling NULL ifa_addr pointers returned
11526 			from getifaddrs(). [RT #16708]
11527 
11528 	--- 9.5.0a2 released ---
11529 
11530 2159.	[bug]		Array bounds overrun in acache processing. [RT #16710]
11531 
11532 2158.	[bug]		ns_client_isself() failed to initialize key
11533 			leading to a REQUIRE failure. [RT #16688]
11534 
11535 2157.	[func]		dns_db_transfernode() created. [RT #16685]
11536 
11537 2156.	[bug]		Fix node reference leaks in lookup.c:lookup_find(),
11538 			resolver.c:validated() and resolver.c:cache_name().
11539 			Fix a memory leak in rbtdb.c:free_noqname().
11540 			Make lookup.c:lookup_find() robust against
11541 			event leaks. [RT #16685]
11542 
11543 2155.	[contrib]	SQLite sdb module from jaboydjr@netwalk.com.
11544 			[RT #16694]
11545 
11546 2154.	[func]		Scoped (e.g. IPv6 link-local) addresses may now be
11547 			matched in acls by omitting the scope. [RT #16599]
11548 
11549 2153.	[bug]		nsupdate could leak memory. [RT #16691]
11550 
11551 2152.	[cleanup]	Use sizeof(buf) instead of fixed number in
11552 			dighost.c:get_trusted_key(). [RT #16678]
11553 
11554 2151.	[bug]		Missing newline in usage message for journalprint.
11555 			[RT #16679]
11556 
11557 2150.	[bug]		'rrset-order cyclic' uniformly distribute the
11558 			starting point for the first response for a given
11559 			RRset. [RT #16655]
11560 
11561 2149.	[bug]		isc_mem_checkdestroyed() failed to abort
11562 			if there were still active memory contexts.
11563 			[RT #16672]
11564 
11565 2148.	[func]		Add positive logging for rndc commands. [RT #14623]
11566 
11567 2147.	[bug]		libbind: remove potential buffer overflow from
11568 			hmac_link.c. [RT #16437]
11569 
11570 2146.	[cleanup]	Silence Linux's spurious "obsolete setsockopt
11571 			SO_BSDCOMPAT" message. [RT #16641]
11572 
11573 2145.	[bug]		Check DS/DLV digest lengths for known digests.
11574 			[RT #16622]
11575 
11576 2144.	[cleanup]	Suppress logging of SERVFAIL from forwarders.
11577 			[RT #16619]
11578 
11579 2143.	[bug]		We failed to restart the IPv6 client when the
11580 			kernel failed to return the destination the
11581 			packet was sent to. [RT #16613]
11582 
11583 2142.	[bug]		Handle master files with a modification time that
11584 			matches the epoch. [RT #16612]
11585 
11586 2141.	[bug]		dig/host should not be setting IDN_ASCCHECK (IDN
11587 			equivalent of LDH checks).  [RT #16609]
11588 
11589 2140.	[bug]		libbind: missing unlock on pthread_key_create()
11590 			failures. [RT #16654]
11591 
11592 2139.	[bug]		dns_view_find() was being called with wrong type
11593 			in adb.c. [RT #16670]
11594 
11595 2138.	[bug]		Lock order reversal in resolver.c. [RT #16653]
11596 
11597 2137.	[port]		Mips little endian and/or mips 64 bit are now
11598 			supported for atomic operations. [RT #16648]
11599 
11600 2136.	[bug]		nslookup/host looped if there was no search list
11601 			and the host didn't exist. [RT #16657]
11602 
11603 2135.	[bug]		Uninitialized rdataset in sdlz.c. [RT #16656]
11604 
11605 2134.	[func]		Additional statistics support. [RT #16666]
11606 
11607 2133.	[port]		powerpc:  Support both IBM and MacOS Power PC
11608 			assembler syntaxes. [RT #16647]
11609 
11610 2132.	[bug]		Missing unlock on out of memory in
11611 			dns_dispatchmgr_setudp().
11612 
11613 2131.	[contrib]	dlz/mysql: AXFR was broken. [RT #16630]
11614 
11615 2130.	[func]		Log if CD or DO were set. [RT #16640]
11616 
11617 2129.	[func]		Provide a pool of UDP sockets for queries to be
11618 			made over. See use-queryport-pool, queryport-pool-ports
11619 			and queryport-pool-updateinterval.  [RT #16415]
11620 
11621 2128.	[doc]		xsltproc --nonet, update DTD versions.  [RT #16635]
11622 
11623 2127.	[port]		Improved OpenSSL 0.9.8 support. [RT #16563]
11624 
11625 2126.	[security]	Serialize validation of type ANY responses. [RT #16555]
11626 
11627 2125.	[bug]		dns_zone_getzeronosoattl() REQUIRE failure if DLZ
11628 			was defined. [RT #16574]
11629 
11630 2124.	[security]	It was possible to dereference a freed fetch
11631 			context. [RT #16584]
11632 
11633 	--- 9.5.0a1 released ---
11634 
11635 2123.	[func]		Use Doxygen to generate internal documentation.
11636 			[RT #11398]
11637 
11638 2122.	[func]		Experimental http server and statistics support
11639 			for named via xml.
11640 
11641 2121.	[func]		Add a 10 slot dead masters cache (LRU) with a 600
11642 			second timeout. [RT #16553]
11643 
11644 2120.	[doc]		Fix markup on nsupdate man page. [RT #16556]
11645 
11646 2119.	[compat]	libbind: allow res_init() to succeed enough to
11647 			return the default domain even if it was unable
11648 			to allocate memory.
11649 
11650 2118.	[bug]		Handle response with long chains of domain name
11651 			compression pointers which point to other compression
11652 			pointers. [RT #16427]
11653 
11654 2117.	[bug]		DNSSEC fixes: named could fail to cache NSEC records
11655 			which could lead to validation failures.  named didn't
11656 			handle negative DS responses that were in the process
11657 			of being validated.  Check CNAME bit before accepting
11658 			NODATA proof. To be able to ignore a child NSEC there
11659 			must be SOA (and NS) set in the bitmap. [RT #16399]
11660 
11661 2116.	[bug]		'rndc reload' could cause the cache to continually
11662 			be cleaned. [RT #16401]
11663 
11664 2115.	[bug]		'rndc reconfig' could trigger an INSIST if the
11665 			number of masters for a zone was reduced. [RT #16444]
11666 
11667 2114.	[bug]		dig/host/nslookup: searches for names with multiple
11668 			labels were failing. [RT #16447]
11669 
11670 2113.	[bug]		nsupdate: if a zone is specified it should be used
11671 			for server discovery. [RT #16455]
11672 
11673 2112.	[security]	Warn if weak RSA exponent is used. [RT #16460]
11674 
11675 2111.	[bug]		Fix a number of errors reported by Coverity.
11676 			[RT #16507]
11677 
11678 2110.	[bug]		"minimal-responses yes;" interacted badly with BIND 8
11679 			priming queries. [RT #16491]
11680 
11681 2109.	[port]		libbind: silence aix 5.3 compiler warnings. [RT #16502]
11682 
11683 2108.	[func]		DHCID support. [RT #16456]
11684 
11685 2107.	[bug]		dighost.c: more cleanup of buffers. [RT #16499]
11686 
11687 2106.	[func]		'rndc status' now reports named's version. [RT #16426]
11688 
11689 2105.	[func]		GSS-TSIG support (RFC 3645).
11690 
11691 2104.	[port]		Fix Solaris SMF error message.
11692 
11693 2103.	[port]		Add /usr/sfw to list of locations for OpenSSL
11694 			under Solaris.
11695 
11696 2102.	[port]		Silence Solaris 10 warnings.
11697 
11698 2101.	[bug]		OpenSSL version checks were not quite right.
11699 			[RT #16476]
11700 
11701 2100.	[port]		win32: copy libeay32.dll to Build\Debug.
11702 			Copy Debug\named-checkzone to Debug\named-compilezone.
11703 
11704 2099.	[port]		win32: more manifest issues.
11705 
11706 2098.	[bug]		Race in rbtdb.c:no_references(), which occasionally
11707 			triggered an INSIST failure about the node lock
11708 			reference.  [RT #16411]
11709 
11710 2097.	[bug]		named could reference a destroyed memory context
11711 			after being reloaded / reconfigured. [RT #16428]
11712 
11713 2096.	[bug]		libbind: handle applications that fail to detect
11714 			res_init() failures better.
11715 
11716 2095.	[port]		libbind: always prototype inet_cidr_ntop_ipv6() and
11717 			net_cidr_ntop_ipv6(). [RT #16388]
11718 
11719 2094.	[contrib]	Update named-bootconf.  [RT #16404]
11720 
11721 2093.	[bug]		named-checkzone -s was broken.
11722 
11723 2092.	[bug]		win32: dig, host, nslookup.  Use registry config
11724 			if resolv.conf does not exist or no nameservers
11725 			listed. [RT #15877]
11726 
11727 2091.	[port]		dighost.c: race condition on cleanup. [RT #16417]
11728 
11729 2090.	[port]		win32: Visual C++ 2005 command line manifest support.
11730 			[RT #16417]
11731 
11732 2089.	[security]	Raise the minimum safe OpenSSL versions to
11733 			OpenSSL 0.9.7l and OpenSSL 0.9.8d.  Versions
11734 			prior to these have known security flaws which
11735 			are (potentially) exploitable in named. [RT #16391]
11736 
11737 2088.	[security]	Change the default RSA exponent from 3 to 65537.
11738 			[RT #16391]
11739 
11740 2087.	[port]		libisc failed to compile on OS's w/o a vsnprintf.
11741 			[RT #16382]
11742 
11743 2086.	[port]		libbind: FreeBSD now has get*by*_r() functions.
11744 			[RT #16403]
11745 
11746 2085.	[doc]		win32: added index.html and README to zip. [RT #16201]
11747 
11748 2084.	[contrib]	dbus update for 9.3.3rc2.
11749 
11750 2083.	[port]		win32: Visual C++ 2005 support.
11751 
11752 2082.	[doc]		Document 'cache-file' as a test only option.
11753 
11754 2081.	[port]		libbind: minor 64-bit portability fix in memcluster.c.
11755 			[RT #16360]
11756 
11757 2080.	[port]		libbind: res_init.c did not compile on older versions
11758 			of Solaris. [RT #16363]
11759 
11760 2079.	[bug]		The lame cache was not handling multiple types
11761 			correctly. [RT #16361]
11762 
11763 2078.	[bug]		dnssec-checkzone output style "default" was badly
11764 			named.  It is now called "relative". [RT #16326]
11765 
11766 2077.	[bug]		'dnssec-signzone -O raw' wasn't outputting the
11767 			complete signed zone. [RT #16326]
11768 
11769 2076.	[bug]		Several files were missing #include <config.h>
11770 			causing build failures on OSF. [RT #16341]
11771 
11772 2075.	[bug]		The spillat timer event handler could leak memory.
11773 			[RT #16357]
11774 
11775 2074.	[bug]		dns_request_createvia2(), dns_request_createvia3(),
11776 			dns_request_createraw2() and dns_request_createraw3()
11777 			failed to send multiple UDP requests. [RT #16349]
11778 
11779 2073.	[bug]		Incorrect semantics check for update policy "wildcard".
11780 			[RT #16353]
11781 
11782 2072.	[bug]		We were not generating valid HMAC SHA digests.
11783 			[RT #16320]
11784 
11785 2071.	[port]		Test whether gcc accepts -fno-strict-aliasing.
11786 			[RT #16324]
11787 
11788 2070.	[bug]		The remote address was not always displayed when
11789 			reporting dispatch failures. [RT #16315]
11790 
11791 2069.	[bug]		Cross compiling was not working. [RT #16330]
11792 
11793 2068.	[cleanup]	Lower incremental tuning message to debug 1.
11794 			[RT #16319]
11795 
11796 2067.	[bug]		'rndc' could close the socket too early triggering
11797 			an INSIST under Windows. [RT #16317]
11798 
11799 2066.	[security]	Handle SIG queries gracefully. [RT #16300]
11800 
11801 2065.	[bug]		libbind: probe for HPUX prototypes for
11802 			endprotoent_r() and endservent_r().  [RT #16313]
11803 
11804 2064.	[bug]		libbind: silence AIX compiler warnings. [RT #16218]
11805 
11806 2063.	[bug]		Change #1955 introduced a bug which caused the first
11807 			'rndc flush' call to not free memory. [RT #16244]
11808 
11809 2062.	[bug]		'dig +nssearch' was reusing a buffer before it had
11810 			been returned by the socket code. [RT #16307]
11811 
11812 2061.	[bug]		Accept expired wildcard message reversed. [RT #16296]
11813 
11814 2060.	[bug]		Enabling DLZ support could leave views partially
11815 			configured. [RT #16295]
11816 
11817 2059.	[bug]		Search into cache rbtdb could trigger an INSIST
11818 			failure while cleaning up a stale rdataset.
11819 			[RT #16292]
11820 
11821 2058.	[bug]		Adjust how we calculate rtt estimates in the presence
11822 			of authoritative servers that drop EDNS and/or CD
11823 			requests.  Also fallback to EDNS/512 and plain DNS
11824 			faster for zones with less than 3 servers.  [RT #16187]
11825 
11826 2057.	[bug]		Make setting "ra" dependent on both allow-query-cache
11827 			and allow-recursion. [RT #16290]
11828 
11829 2056.	[bug]		dig: ixfr= was not being treated case insensitively
11830 			at all times. [RT #15955]
11831 
11832 2055.	[bug]		Missing goto after dropping multicast query.
11833 			[RT #15944]
11834 
11835 2054.	[port]		freebsd: do not explicitly link against -lpthread.
11836 			[RT #16170]
11837 
11838 2053.	[port]		netbsd:libbind: silence compiler warnings. [RT #16220]
11839 
11840 2052.	[bug]		'rndc' improve connect failed message to report
11841 			the failing address. [RT #15978]
11842 
11843 2051.	[port]		More strtol() fixes. [RT #16249]
11844 
11845 2050.	[bug]		Parsing of NSAP records was not case insensitive.
11846 			[RT #16287]
11847 
11848 2049.	[bug]		Restore SOA before AXFR when falling back from
11849 			an attempted IXFR when transferring in a zone.
11850 			Allow an initial SOA query before attempting
11851 			an AXFR to be requested. [RT #16156]
11852 
11853 2048.	[bug]		It was possible to loop forever when using
11854 			avoid-v4-udp-ports / avoid-v6-udp-ports when
11855 			the OS always returned the same local port.
11856 			[RT #16182]
11857 
11858 2047.	[bug]		Failed to initialize the interface flags to zero.
11859 			[RT #16245]
11860 
11861 2046.	[bug]		rbtdb.c:rdataset_setadditional() could cause duplicate
11862 			cleanup [RT #16247].
11863 
11864 2045.	[func]		Use lock buckets for acache entries to limit memory
11865 			consumption. [RT #16183]
11866 
11867 2044.	[port]		Add support for atomic operations for Itanium.
11868 			[RT #16179]
11869 
11870 2043.	[port]		nsupdate/nslookup: Force the flushing of the prompt
11871 			for interactive sessions. [RT #16148]
11872 
11873 2042.	[bug]		named-checkconf was incorrectly rejecting the
11874 			logging category "config". [RT #16117]
11875 
11876 2041.	[bug]		"configure --with-dlz-bdb=yes" produced a bad
11877 			set of libraries to be linked. [RT #16129]
11878 
11879 2040.	[bug]		rbtdb no_references() could trigger an INSIST
11880 			failure with --enable-atomic.  [RT #16022]
11881 
11882 2039.	[func]		Check that all buffers passed to the socket code
11883 			have been retrieved when the socket event is freed.
11884 			[RT #16122]
11885 
11886 2038.	[bug]		dig/nslookup/host was unlinking from wrong list
11887 			when handling errors. [RT #16122]
11888 
11889 2037.	[func]		When unlinking the first or last element in a list
11890 			check that the list head points to the element to
11891 			be unlinked. [RT #15959]
11892 
11893 2036.	[bug]		'rndc recursing' could trigger a REQUIRE.
11894 			[RT #16075]
11895 
11896 2035.	[func]		Make falling back to TCP on UDP refresh failure
11897 			optional. Default "try-tcp-refresh yes;" for BIND 8
11898 			compatibility. [RT #16123]
11899 
11900 2034.	[bug]		gcc: set -fno-strict-aliasing. [RT #16124]
11901 
11902 2033.	[bug]		We weren't creating multiple client memory contexts
11903 			on demand as expected. [RT #16095]
11904 
11905 2032.	[bug]		Remove an INSIST in query_addadditional2(). [RT #16074]
11906 
11907 2031.	[bug]		Emit an error message when "rndc refresh" is called on
11908 			a non slave/stub zone. [RT #16073]
11909 
11910 2030.	[bug]		We were being overly conservative when disabling
11911 			openssl engine support. [RT #16030]
11912 
11913 2029.	[bug]		host printed out the server multiple times when
11914 			specified on the command line. [RT #15992]
11915 
11916 2028.	[port]		linux: socket.c compatibility for old systems.
11917 			[RT #16015]
11918 
11919 2027.	[port]		libbind: Solaris x86 support. [RT #16020]
11920 
11921 2026.	[bug]		Rate limit the two recursive client exceeded messages.
11922 			[RT #16044]
11923 
11924 2025.	[func]		Update "zone serial unchanged" message. [RT #16026]
11925 
11926 2024.	[bug]		named emitted spurious "zone serial unchanged"
11927 			messages on reload. [RT #16027]
11928 
11929 2023.	[bug]		"make install" should create ${localstatedir}/run and
11930 			${sysconfdir} if they do not exist. [RT #16033]
11931 
11932 2022.	[bug]		If dnssec validation is disabled only assert CD if
11933 			CD was requested. [RT #16037]
11934 
11935 2021.	[bug]		dnssec-enable no; triggered a REQUIRE. [RT #16037]
11936 
11937 2020.	[bug]		rdataset_setadditional() could leak memory. [RT #16034]
11938 
11939 2019.	[tuning]	Reduce the amount of work performed per quantum
11940 			when cleaning the cache. [RT #15986]
11941 
11942 2018.	[bug]		Checking if the HMAC MD5 private file was broken.
11943 			[RT #15960]
11944 
11945 2017.	[bug]		allow-query default was not correct. [RT #15946]
11946 
11947 2016.	[bug]		Return a partial answer if recursion is not
11948 			allowed but requested and we had the answer
11949 			to the original qname. [RT #15945]
11950 
11951 2015.	[cleanup]	use-additional-cache is now acache-enable for
11952 			consistency.  Default acache-enable off in BIND 9.4
11953 			as it requires memory usage to be configured.
11954 			It may be enabled by default in BIND 9.5 once we
11955 			have more experience with it.
11956 
11957 2014.	[func]		Statistics about acache now recorded and sent
11958 			to log. [RT #15976]
11959 
11960 2013.	[bug]		Handle unexpected TSIGs on unsigned AXFR/IXFR
11961 			responses more gracefully. [RT #15941]
11962 
11963 2012.	[func]		Don't insert new acache entries if acache is full.
11964 			[RT #15970]
11965 
11966 2011.	[func]		dnssec-signzone can now update the SOA record of
11967 			the signed zone, either as an increment or as the
11968 			system time(). [RT #15633]
11969 
11970 2010.	[placeholder]	rt15958
11971 
11972 2009.	[bug]		libbind: Coverity fixes. [RT #15808]
11973 
11974 2008.	[func]		It is now possible to enable/disable DNSSEC
11975 			validation from rndc.  This is useful for the
11976 			mobile hosts where the current connection point
11977 			breaks DNSSEC (firewall/proxy).  [RT #15592]
11978 
11979 				rndc validation newstate [view]
11980 
11981 2007.	[func]		It is now possible to explicitly enable DNSSEC
11982 			validation.  default dnssec-validation no; to
11983 			be changed to yes in 9.5.0.  [RT #15674]
11984 
11985 2006.	[security]	Allow-query-cache and allow-recursion now default
11986 			to the built in acls "localnets" and "localhost".
11987 
11988 			This is being done to make caching servers less
11989 			attractive as reflective amplifying targets for
11990 			spoofed traffic.  This still leaves authoritative
11991 			servers exposed.
11992 
11993 			The best fix is for full BCP 38 deployment to
11994 			remove spoofed traffic.
11995 
11996 2005.	[bug]		libbind: Retransmission timeouts should be
11997 			based on which attempt it is to the nameserver
11998 			and not the nameserver itself. [RT #13548]
11999 
12000 2004.	[bug]		dns_tsig_sign() could pass a NULL pointer to
12001 			dst_context_destroy() when cleaning up after an
12002 			error. [RT #15835]
12003 
12004 2003.	[bug]		libbind: The DNS name/address lookup functions could
12005 			occasionally follow a random pointer due to
12006 			structures not being completely zeroed. [RT #15806]
12007 
12008 2002.	[bug]		libbind: tighten the constraints on when
12009 			struct addrinfo._ai_pad exists.  [RT #15783]
12010 
12011 2001.	[func]		Check the KSK flag when updating a secure dynamic zone.
12012 			New zone option "update-check-ksk yes;".  [RT #15817]
12013 
12014 2000.	[bug]		memmove()/strtol() fix was incomplete. [RT #15812]
12015 
12016 1999.	[func]		Implement "rrset-order fixed". [RT #13662]
12017 
12018 1998.	[bug]		Restrict handling of fifos as sockets to just SunOS.
12019 			This allows named to connect to entropy gathering
12020 			daemons that use fifos instead of sockets. [RT #15840]
12021 
12022 1997.	[bug]		Named was failing to replace negative cache entries
12023 			when a positive one for the type was learnt.
12024 			[RT #15818]
12025 
12026 1996.	[bug]		nsupdate: if a zone has been specified it should
12027 			appear in the output of 'show'. [RT #15797]
12028 
12029 1995.	[bug]		'host' was reporting multiple "is an alias" messages.
12030 			[RT #15702]
12031 
12032 1994.	[port]		OpenSSL 0.9.8 support. [RT #15694]
12033 
12034 1993.	[bug]		Log messages, via syslog, were missing the space
12035 			after the timestamp if "print-time yes" was specified.
12036 			[RT #15844]
12037 
12038 1992.	[bug]		Not all incoming zone transfer messages included the
12039 			view.  [RT #15825]
12040 
12041 1991.	[cleanup]	The configuration data, once read, should be treated
12042 			as read only.  Expand the use of const to enforce this
12043 			at compile time. [RT #15813]
12044 
12045 1990.	[bug]		libbind:  isc's override of broken gettimeofday()
12046 			implementations was not always effective.
12047 			[RT #15709]
12048 
12049 1989.	[bug]		win32: don't check the service password when
12050 			re-installing. [RT #15882]
12051 
12052 1988.	[bug]		Remove a bus error from the SHA256/SHA512 support.
12053 			[RT #15878]
12054 
12055 1987.	[func]		DS/DLV SHA256 digest algorithm support. [RT #15608]
12056 
12057 1986.	[func]		Report when a zone is removed. [RT #15849]
12058 
12059 1985.	[protocol]	DLV has now been assigned an official type code of
12060 			32769. [RT #15807]
12061 
12062 			Note: care should be taken to ensure you upgrade
12063 			both named and dnssec-signzone at the same time for
12064 			zones with DLV records where named is the master
12065 			server for the zone.  Also any zones that contain
12066 			DLV records should be removed when upgrading a slave
12067 			zone.  You do not however have to upgrade all
12068 			servers for a zone with DLV records simultaneously.
12069 
12070 1984.	[func]		dig, nslookup and host now advertise a 4096 byte
12071 			EDNS UDP buffer size by default. [RT #15855]
12072 
12073 1983.	[func]		Two new update policies.  "selfsub" and "selfwild".
12074 			[RT #12895]
12075 
12076 1982.	[bug]		DNSKEY was being accepted on the parent side of
12077 			a delegation.  KEY is still accepted there for
12078 			RFC 3007 validated updates. [RT #15620]
12079 
12080 1981.	[bug]		win32: condition.c:wait() could fail to reattain
12081 			the mutex lock.
12082 
12083 1980.	[func]		dnssec-signzone: output the SOA record as the
12084 			first record in the signed zone. [RT #15758]
12085 
12086 1979.	[port]		linux: allow named to drop core after changing
12087 			user ids. [RT #15753]
12088 
12089 1978.	[port]		Handle systems which have a broken recvmsg().
12090 			[RT #15742]
12091 
12092 1977.	[bug]		Silence noisy log message. [RT #15704]
12093 
12094 1976.	[bug]		Handle systems with no IPv4 addresses. [RT #15695]
12095 
12096 1975.	[bug]		libbind: isc_gethexstring() could misparse multi-line
12097 			hex strings with comments. [RT #15814]
12098 
12099 1974.	[doc]		List each of the zone types and associated zone
12100 			options separately in the ARM.
12101 
12102 1973.	[func]		TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
12103 			HMACSHA512 support. [RT #13606]
12104 
12105 1972.	[contrib]	DBUS dynamic forwarders integration from
12106 			Jason Vas Dias <jvdias@redhat.com>.
12107 
12108 1971.	[port]		linux: make detection of missing IF_NAMESIZE more
12109 			robust. [RT #15443]
12110 
12111 1970.	[bug]		nsupdate: adjust UDP timeout when falling back to
12112 			unsigned SOA query. [RT #15775]
12113 
12114 1969.	[bug]		win32: the socket code was freeing the socket
12115 			structure too early. [RT #15776]
12116 
12117 1968.	[bug]		Missing lock in resolver.c:validated(). [RT #15739]
12118 
12119 1967.	[func]		dig/nslookup/host: warn about missing "QR". [RT #15779]
12120 
12121 1966.	[bug]		Don't set CD when we have fallen back to plain DNS.
12122 			[RT #15727]
12123 
12124 1965.	[func]		Suppress spurious "recursion requested but not
12125 			available" warning with 'dig +qr'. [RT #15780].
12126 
12127 1964.	[func]		Separate out MX and SRV to CNAME checks. [RT #15723]
12128 
12129 1963.	[port]		Tru64 4.0E doesn't support send() and recv().
12130 			[RT #15586]
12131 
12132 1962.	[bug]		Named failed to clear old update-policy when it
12133 			was removed. [RT #15491]
12134 
12135 1961.	[bug]		Check the port and address of responses forwarded
12136 			to dispatch. [RT #15474]
12137 
12138 1960.	[bug]		Update code should set NSEC ttls from SOA MINIMUM.
12139 			[RT #15465]
12140 
12141 1959.	[func]		Control the zeroing of the negative response TTL to
12142 			a soa query.  Defaults "zero-no-soa-ttl yes;" and
12143 			"zero-no-soa-ttl-cache no;". [RT #15460]
12144 
12145 1958.	[bug]		Named failed to update the zone's secure state
12146 			until the zone was reloaded. [RT #15412]
12147 
12148 1957.	[bug]		Dig mishandled responses to class ANY queries.
12149 			[RT #15402]
12150 
12151 1956.	[bug]		Improve cross compile support, 'gen' is now built
12152 			by native compiler.  See README for additional
12153 			cross compile support information. [RT #15148]
12154 
12155 1955.	[bug]		Pre-allocate the cache cleaning iterator. [RT #14998]
12156 
12157 1954.	[func]		Named now falls back to advertising EDNS with a
12158 			512 byte receive buffer if the initial EDNS queries
12159 			fail.  [RT #14852]
12160 
12161 1953.	[func]		The maximum EDNS UDP response named will send can
12162 			now be set in named.conf (max-udp-size).  This is
12163 			independent of the advertised receive buffer
12164 			(edns-udp-size). [RT #14852]
12165 
12166 1952.	[port]		hpux: tell the linker to build a runtime link
12167 			path "-Wl,+b:". [RT #14816].
12168 
12169 1951.	[security]	Drop queries from particular well known ports.
12170 			Don't return FORMERR to queries from particular
12171 			well known ports.  [RT #15636]
12172 
12173 1950.	[port]		Solaris 2.5.1 and earlier cannot bind() then connect()
12174 			a TCP socket. This prevents the source address being
12175 			set for TCP connections. [RT #15628]
12176 
12177 1949.	[func]		Additional memory leakage checks. [RT #15544]
12178 
12179 1948.	[bug]		It was possible to trigger a REQUIRE failure in
12180 			xfrin.c:maybe_free() if named ran out of memory.
12181 			[RT #15568]
12182 
12183 1947.	[func]		It is now possible to configure named to accept
12184 			expired RRSIGs.  Default "dnssec-accept-expired no;".
12185 			Setting "dnssec-accept-expired yes;" leaves named
12186 			vulnerable to replay attacks.  [RT #14685]
12187 
12188 1946.	[bug]		resume_dslookup() could trigger a REQUIRE failure
12189 			when using forwarders. [RT #15549]
12190 
12191 1945.	[cleanup]	dnssec-keygen: RSA (RSAMD5) is no longer recommended.
12192 			To generate an RSAMD5 key you must explicitly request
12193 			RSAMD5. [RT #13780]
12194 
12195 1944.	[cleanup]	isc_hash_create() does not need a read/write lock.
12196 			[RT #15522]
12197 
12198 1943.	[bug]		Set the loadtime after rolling forward the journal.
12199 			[RT #15647]
12200 
12201 1942.	[bug]		If the name of a DNSKEY matches that of one in
12202 			trusted-keys, do not attempt to validate the DNSKEY
12203 			using the parent's DS RRset. [RT #15649]
12204 
12205 1941.	[bug]		ncache_adderesult() should set eresult even if no
12206 			rdataset is passed to it. [RT #15642]
12207 
12208 1940.	[bug]		Fixed a number of error conditions reported by
12209 			Coverity.
12210 
12211 1939.	[bug]		The resolver could dereference a null pointer after
12212 			validation if all the queries have timed out.
12213 			[RT #15528]
12214 
12215 1938.	[bug]		The validator was not correctly handling unsecure
12216 			negative responses at or below a SEP. [RT #15528]
12217 
12218 1937.	[bug]		sdlz doesn't handle RRSIG records. [RT #15564]
12219 
12220 1936.	[bug]		The validator could leak memory. [RT #15544]
12221 
12222 1935.	[bug]		'acache' was DO sensitive. [RT #15430]
12223 
12224 1934.	[func]		Validate pending NS RRsets, in the authority section,
12225 			prior to returning them if it can be done without
12226 			requiring DNSKEYs to be fetched.  [RT #15430]
12227 
12228 1933.	[bug]		dump_rdataset_raw() had an incorrect INSIST. [RT #15534]
12229 
12230 1932.	[bug]		hpux: LDFLAGS was getting corrupted. [RT #15530]
12231 
12232 1931.	[bug]		Per-client mctx could require a huge amount of memory,
12233 			particularly for a busy caching server. [RT #15519]
12234 
12235 1930.	[port]		HPUX: ia64 support. [RT #15473]
12236 
12237 1929.	[port]		FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
12238 
12239 1928.	[bug]		Race in rbtdb.c:currentversion(). [RT #15517]
12240 
12241 1927.	[bug]		Access to soanode or nsnode in rbtdb violated the
12242 			lock order rule and could cause a deadlock.
12243 			[RT #15518]
12244 
12245 1926.	[bug]		The Windows installer did not check for empty
12246 			passwords.  BINDinstall was being installed in
12247 			the wrong place. [RT #15483]
12248 
12249 1925.	[port]		All outer level AC_TRY_RUNs need cross compiling
12250 			defaults. [RT #15469]
12251 
12252 1924.	[port]		libbind: hpux ia64 support. [RT #15473]
12253 
12254 1923.	[bug]		ns_client_detach() called too early. [RT #15499]
12255 
12256 1922.	[bug]		check-tool.c:setup_logging() missing call to
12257 			dns_log_setcontext().
12258 
12259 1921.	[bug]		Client memory contexts were not using internal
12260 			malloc. [RT #15434]
12261 
12262 1920.	[bug]		The cache rbtdb lock array was too small to
12263 			have the desired performance characteristics.
12264 			[RT #15454]
12265 
12266 1919.	[contrib]	queryperf: a set of new features: collecting/printing
12267 			response delays, printing intermediate results, and
12268 			adjusting query rate for the "target" qps.
12269 
12270 1918.	[bug]		Memory leak when checking acls. [RT #15391]
12271 
12272 1917.	[doc]		funcsynopsisinfo wasn't being treated as verbatim
12273 			when generating man pages. [RT #15385]
12274 
12275 1916.	[func]		Integrate contributed IDN code from JPNIC. [RT #15383]
12276 
12277 1915.	[bug]		dig +ndots was broken. [RT #15215]
12278 
12279 1914.	[protocol]	DS is required to accept mnemonic algorithms
12280 			(RFC 4034).  Still emit numeric algorithms for
12281 			compatibility with RFC 3658. [RT #15354]
12282 
12283 1913.	[func]		Integrate contributed DLZ code into named. [RT #11382]
12284 
12285 1912.	[port]		aix: atomic locking for powerpc. [RT #15020]
12286 
12287 1911.	[bug]		Update windows socket code. [RT #14965]
12288 
12289 1910.	[bug]		dig's +sigchase code overhauled. [RT #14933]
12290 
12291 1909.	[bug]		The DLV code has been re-worked to make it no longer
12292 			query order sensitive. [RT #14933]
12293 
12294 1908.	[func]		dig now warns if 'RA' is not set in the answer when
12295 			'RD' was set in the query.  host/nslookup skip servers
12296 			that fail to set 'RA' when 'RD' is set unless a server
12297 			is explicitly set.  [RT #15005]
12298 
12299 1907.	[func]		host/nslookup now continue (default)/fail on SERVFAIL.
12300 			[RT #15006]
12301 
12302 1906.	[func]		dig now has '-q queryname' and '+showsearch' options.
12303 			[RT #15034]
12304 
12305 1905.	[bug]		Strings returned from cfg_obj_asstring() should be
12306 			treated as read-only.  The prototype for
12307 			cfg_obj_asstring() has been updated to reflect this.
12308 			[RT #15256]
12309 
12310 1904.	[func]		Automatic empty zone creation for D.F.IP6.ARPA and
12311 			friends.  Note: RFC 1918 zones are not yet covered by
12312 			this but are likely to be in a future release.
12313 
12314 			New options: empty-server, empty-contact,
12315 			empty-zones-enable and disable-empty-zone.
12316 
12317 1903.	[func]		ISC string copy API.
12318 
12319 1902.	[func]		Attempt to make the amount of work performed in an
12320 			iteration self tuning.  This covers nodes cleaned from
12321 			the cache per iteration, nodes written to disk when
12322 			rewriting a master file and nodes destroyed per
12323 			iteration when destroying a zone or a cache.
12324 			[RT #14996]
12325 
12326 1901.	[cleanup]	Don't add DNSKEY records to the additional section.
12327 
12328 1900.	[bug]		ixfr-from-differences failed to ensure that the
12329 			serial number increased. [RT #15036]
12330 
12331 1899.	[func]		named-checkconf now validates update-policy entries.
12332 			[RT #14963]
12333 
12334 1898.	[bug]		Extend ISC_SOCKADDR_FORMATSIZE and
12335 			ISC_NETADDR_FORMATSIZE to allow for scope details.
12336 
12337 1897.	[func]		x86 and x86_64 now have separate atomic locking
12338 			implementations.
12339 
12340 1896.	[bug]		Recursive clients soft quota support wasn't working
12341 			as expected. [RT #15103]
12342 
12343 1895.	[bug]		An escaped character is, potentially, converted to
12344 			the output character set too early. [RT #14666]
12345 
12346 1894.	[doc]		Review ARM for BIND 9.4.
12347 
12348 1893.	[port]		Use uintptr_t if available. [RT #14606]
12349 
12350 1892.	[func]		Support for SPF rdata type. [RT #15033]
12351 
12352 1891.	[port]		freebsd: pthread_mutex_init can fail if it runs out
12353 			of memory. [RT #14995]
12354 
12355 1890.	[func]		Raise the UDP receive buffer size to 32k if it is
12356 			less than 32k. [RT #14953]
12357 
12358 1889.	[port]		sunos: non blocking i/o support. [RT #14951]
12359 
12360 1888.	[func]		Support for IPSECKEY rdata type. [RT #14967]
12361 
12362 1887.	[bug]		The cache could delete expired records too fast for
12363 			clients with a virtual time in the past. [RT #14991]
12364 
12365 1886.	[bug]		fctx_create() could return success even though it
12366 			failed. [RT #14993]
12367 
12368 1885.	[func]		dig: report the number of extra bytes still left in
12369 			the packet after processing all the records.
12370 
12371 1884.	[cleanup]	dighost.c: move external declarations into <dig/dig.h>.
12372 
12373 1883.	[bug]		dnssec-signzone, dnssec-keygen: handle negative debug
12374 			levels. [RT #14962]
12375 
12376 1882.	[func]		Limit the number of recursive clients that can be
12377 			waiting for a single query (<qname,qtype,qclass>) to
12378 			resolve.  New options clients-per-query and
12379 			max-clients-per-query.
12380 
12381 1881.	[func]		Add a system test for named-checkconf. [RT #14931]
12382 
12383 1880.	[func]		The lame cache is now done on a <qname,qclass,qtype>
12384 			basis as some servers only appear to be lame for
12385 			certain query types.  [RT #14916]
12386 
12387 1879.	[func]		"USE INTERNAL MALLOC" is now runtime selectable.
12388 			[RT #14892]
12389 
12390 1878.	[func]		Detect duplicates of UDP queries we are recursing on
12391 			and drop them.  New stats category "duplicate".
12392 			[RT #2471]
12393 
12394 1877.	[bug]		Fix unreasonably low quantum on call to
12395 			dns_rbt_destroy2().  Remove unnecessary unhash_node()
12396 			call. [RT #14919]
12397 
12398 1876.	[func]		Additional memory debugging support to track size
12399 			and mctx arguments. [RT #14814]
12400 
12401 1875.	[bug]		process_dhtkey() was using the wrong memory context
12402 			to free some memory. [RT #14890]
12403 
12404 1874.	[port]		sunos: portability fixes. [RT #14814]
12405 
12406 1873.	[port]		win32: isc__errno2result() now reports its caller.
12407 			[RT #13753]
12408 
12409 1872.	[port]		win32: Handle ERROR_NETNAME_DELETED.  [RT #13753]
12410 
12411 1871.	[placeholder]
12412 
12413 1870.	[func]		Added framework for handling multiple EDNS versions.
12414 			[RT #14873]
12415 
12416 1869.	[func]		dig can now specify the EDNS version when making
12417 			a query. [RT #14873]
12418 
12419 1868.	[func]		edns-udp-size can now be overridden on a per
12420 			server basis. [RT #14851]
12421 
12422 1867.	[bug]		It was possible to trigger an INSIST in
12423 			dlv_validatezonekey(). [RT #14846]
12424 
12425 1866.	[bug]		resolv.conf parse errors were being ignored by
12426 			dig/host/nslookup. [RT #14841]
12427 
12428 1865.	[bug]		Silently ignore nameservers in /etc/resolv.conf with
12429 			bad addresses. [RT #14841]
12430 
12431 1864.	[bug]		Don't try the alternative transfer source if you
12432 			got an answer / transfer with the main source
12433 			address. [RT #14802]
12434 
12435 1863.	[bug]		rrset-order "fixed" error messages not complete.
12436 
12437 1862.	[func]		Add additional zone data constancy checks.
12438 			named-checkzone has extended checking of NS, MX and
12439 			SRV records and the hosts they reference.
12440 			named has extended post zone load checks.
12441 			New zone options: check-mx and integrity-check.
12442 			[RT #4940]
12443 
12444 1861.	[bug]		dig could trigger an INSIST on certain malformed
12445 			responses. [RT #14801]
12446 
12447 1860.	[port]		solaris 2.8: hack_shutup_pthreadmutexinit was
12448 			incorrectly set. [RT #14775]
12449 
12450 1859.	[func]		Add support for CH A record. [RT #14695]
12451 
12452 1858.	[bug]		The flush-zones-on-shutdown option wasn't being
12453 			parsed. [RT #14686]
12454 
12455 1857.	[bug]		named could trigger an INSIST() if reconfigured /
12456 			reloaded too fast.  [RT #14673]
12457 
12458 1856.	[doc]		Switch Docbook toolchain from DSSSL to XSL.
12459 			[RT #11398]
12460 
12461 1855.	[bug]		ixfr-from-differences was failing to detect changes
12462 			of ttl because dns_diff_subtract() was ignoring the ttl
12463 			of records.  [RT #14616]
12464 
12465 1854.	[bug]		lwres also needs to know the print format for
12466 			(long long).  [RT #13754]
12467 
12468 1853.	[bug]		Rework how DLV interacts with proveunsecure().
12469 			[RT #13605]
12470 
12471 1852.	[cleanup]	Remove last vestiges of dnssec-signkey and
12472 			dnssec-makekeyset (removed from Makefile years ago).
12473 
12474 1851.	[doc]		Doxygen comment markup. [RT #11398]
12475 
12476 1850.	[bug]		Memory leak in lwres_getipnodebyaddr(). [RT #14591]
12477 
12478 1849.	[doc]		All forms of the man pages (docbook, man, html) should
12479 			have consistent copyright dates.
12480 
12481 1848.	[bug]		Improve SMF integration. [RT #13238]
12482 
12483 1847.	[bug]		isc_ondestroy_init() is called too late in
12484 			dns_rbtdb_create()/dns_rbtdb64_create().
12485 			[RT #13661]
12486 
12487 1846.	[contrib]	query-loc-0.3.0 from Stephane Bortzmeyer
12488 			<bortzmeyer@nic.fr>.
12489 
12490 1845.	[bug]		Improve error reporting to distinguish between
12491 			accept()/fcntl() and socket()/fcntl() errors.
12492 			[RT #13745]
12493 
12494 1844.	[bug]		inet_pton() accepted more than 4 hexadecimal digits
12495 			for each 16 bit piece of the IPv6 address.  The text
12496 			representation of an IPv6 address has been tightened
12497 			to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt).
12498 			[RT #5662]
12499 
12500 1843.	[cleanup]	CINCLUDES takes precedence over CFLAGS.  This helps
12501 			when CFLAGS contains "-I /usr/local/include"
12502 			resulting in old header files being used.
12503 
12504 1842.	[port]		cmsg_len() could produce incorrect results on
12505 			some platforms. [RT #13744]
12506 
12507 1841.	[bug]		"dig +nssearch" now makes a recursive query to
12508 			find the list of nameservers to query. [RT #13694]
12509 
12510 1840.	[func]		dnssec-signzone can now randomize signature end times
12511 			(dnssec-signzone -j jitter). [RT #13609]
12512 
12513 1839.	[bug]		<isc/hash.h> was not being installed.
12514 
12515 1838.	[cleanup]	Don't allow Linux capabilities to be inherited.
12516 			[RT #13707]
12517 
12518 1837.	[bug]		Compile time option ISC_FACILITY was not effective
12519 			for 'named -u <user>'.  [RT #13714]
12520 
12521 1836.	[cleanup]	Silence compiler warnings in hash_test.c.
12522 
12523 1835.	[bug]		Update dnssec-signzone's usage message. [RT #13657]
12524 
12525 1834.	[bug]		Bad memset in rdata_test.c. [RT #13658]
12526 
12527 1833.	[bug]		Race condition in isc_mutex_lock_profile(). [RT #13660]
12528 
12529 1832.	[bug]		named fails to return BADKEY on unknown TSIG algorithm.
12530 			[RT #13620]
12531 
12532 1831.	[doc]		Update named-checkzone documentation. [RT #13604]
12533 
12534 1830.	[bug]		adb lame cache has sense of test reversed. [RT #13600]
12535 
12536 1829.	[bug]		win32: "pid-file none;" broken. [RT #13563]
12537 
12538 1828.	[bug]		isc_rwlock_init() failed to properly cleanup if it
12539 			encountered an error. [RT #13549]
12540 
12541 1827.	[bug]		host: update usage message for '-a'. [RT #37116]
12542 
12543 1826.	[bug]		Missing DESTROYLOCK() in isc_mem_createx() on out
12544 			of memory error. [RT #13537]
12545 
12546 1825.	[bug]		Missing UNLOCK() on out of memory error in
12547 			rbtdb.c:subtractrdataset(). [RT #13519]
12548 
12549 1824.	[bug]		Memory leak on dns_zone_setdbtype() failure.
12550 			[RT #13510]
12551 
12552 1823.	[bug]		Wrong macro used to check for point to point interface.
12553 			[RT #13418]
12554 
12555 1822.	[bug]		check-names test for RT was reversed. [RT #13382]
12556 
12557 1821.	[placeholder]
12558 
12559 1820.	[bug]		Gracefully handle acl loops. [RT #13659]
12560 
12561 1819.	[bug]		The validator needed to check both the algorithm and
12562 			digest types of the DS to determine if it could be
12563 			used to introduce a secure zone. [RT #13593]
12564 
12565 1818.	[bug]		'named-checkconf -z' triggered an INSIST. [RT #13599]
12566 
12567 1817.	[func]		Add support for additional zone file formats for
12568 			improving loading performance.  The masterfile-format
12569 			option in named.conf can be used to specify a
12570 			non-default format.  A separate command
12571 			named-compilezone was provided to generate zone files
12572 			in the new format.  Additionally, the -I and -O options
12573 			for dnssec-signzone specify the input and output
12574 			formats.
12575 
12576 1816.	[port]		UnixWare: failed to compile lib/isc/unix/net.c.
12577 			[RT #13597]
12578 
12579 1815.	[bug]		nsupdate triggered a REQUIRE if the server was set
12580 			without also setting the zone and it encountered
12581 			a CNAME and was using TSIG.  [RT #13086]
12582 
12583 1814.	[func]		UNIX domain controls are now supported.
12584 
12585 1813.	[func]		Restructured the data locking framework using
12586 			architecture dependent atomic operations (when
12587 			available), improving response performance on
12588 			multi-processor machines significantly.
12589 			x86, x86_64, alpha, powerpc, and mips are currently
12590 			supported.
12591 
12592 1812.	[port]		win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect.
12593 			[RT #13453]
12594 
12595 1811.	[func]		Preserve the case of domain names in rdata during
12596 			zone transfers. [RT #13547]
12597 
12598 1810.	[bug]		configure, lib/bind/configure make different default
12599 			decisions about whether to do a threaded build.
12600 			[RT #13212]
12601 
12602 1809.	[bug]		"make distclean" failed for libbind if the platform
12603 			is not supported.
12604 
12605 1808.	[bug]		zone.c:notify_zone() contained a race condition,
12606 			zone->db could change underneath it.  [RT #13511]
12607 
12608 1807.	[bug]		When forwarding (forward only) set the active domain
12609 			from the forward zone name. [RT #13526]
12610 
12611 1806.	[bug]		The resolver returned the wrong result when a CNAME /
12612 			DNAME was encountered when fetching glue from a
12613 			secure namespace. [RT #13501]
12614 
12615 1805.	[bug]		Pending status was not being cleared when DLV was
12616 			active. [RT #13501]
12617 
12618 1804.	[bug]		Ensure that if we are queried for glue that it fits
12619 			in the additional section or TC is set to tell the
12620 			client to retry using TCP. [RT #10114]
12621 
12622 1803.	[bug]		dnssec-signzone sometimes failed to remove old
12623 			RRSIGs. [RT #13483]
12624 
12625 1802.	[bug]		Handle connection resets better. [RT #11280]
12626 
12627 1801.	[func]		Report differences between hints and real NS rrset
12628 			and associated address records.
12629 
12630 1800.	[bug]		Change #1719 allowed an INSIST to be triggered.
12631 			[RT #13428]
12632 
12633 1799.	[bug]		'rndc flushname' failed to flush negative cache
12634 			entries. [RT #13438]
12635 
12636 1798.	[func]		The server syntax has been extended to support a
12637 			range of servers.  [RT #11132]
12638 
12639 1797.	[func]		named-checkconf now checks acls to verify that they
12640 			only refer to existing acls. [RT #13101]
12641 
12642 1796.	[func]		"rndc freeze/thaw" now freezes/thaws all zones.
12643 
12644 1795.	[bug]		"rndc dumpdb" was not fully documented.  Minor
12645 			formatting issues with "rndc dumpdb -all".  [RT #13396]
12646 
12647 1794.	[func]		Named and named-checkzone can now both check for
12648 			non-terminal wildcard records.
12649 
12650 1793.	[func]		Extend adjusting TTL warning messages. [RT #13378]
12651 
12652 1792.	[func]		New zone option "notify-delay".  Specify a minimum
12653 			delay between sets of NOTIFY messages.
12654 
12655 1791.	[bug]		'host -t a' still printed out AAAA and MX records.
12656 			[RT #13230]
12657 
12658 1790.	[cleanup]	Move lib/dns/sec/dst up into lib/dns.  This should
12659 			allow parallel make to succeed.
12660 
12661 1789.	[bug]		Prerequisite test for tkey and dnssec could fail
12662 			with "configure --with-libtool".
12663 
12664 1788.	[bug]		libbind9.la/libbind9.so needs to link against
12665 			libisccfg.la/libisccfg.so.
12666 
12667 1787.	[port]		HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings.
12668 
12669 1786.	[port]		AIX: libt_api needs to be taught to look for
12670 			T_testlist in the main executable (--with-libtool).
12671 			[RT #13239]
12672 
12673 1785.	[bug]		libbind9.la/libbind9.so needs to link against
12674 			libisc.la/libisc.so.
12675 
12676 1784.	[cleanup]	"libtool -allow-undefined" is the default.
12677 			Leave hooks in configure to allow it to be set
12678 			if needed in the future.
12679 
12680 1783.	[cleanup]	We only need one copy of libtool.m4, ltmain.sh in the
12681 			source tree.
12682 
12683 1782.	[port]		OSX: --with-libtool + --enable-libbind broke on
12684 			__evOptMonoTime.  [RT #13219]
12685 
12686 1781.	[port]		FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810]
12687 
12688 1780.	[bug]		Update libtool to 1.5.10.
12689 
12690 1779.	[port]		OSF 5.1: libtool didn't handle -pthread correctly.
12691 
12692 1778.	[port]		HPUX 11.11: fix broken IN6ADDR_ANY_INIT and
12693 			IN6ADDR_LOOPBACK_INIT macros.
12694 
12695 1777.	[port]		OSF 5.1: fix broken IN6ADDR_ANY_INIT and
12696 			IN6ADDR_LOOPBACK_INIT macros.
12697 
12698 1776.	[port]		Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
12699 			IN6ADDR_LOOPBACK_INIT macros.
12700 
12701 1775.	[bug]		Only compile getnetent_r.c when threaded. [RT #13205]
12702 
12703 1774.	[port]		Aix: Silence compiler warnings / build failures.
12704 			[RT #13154]
12705 
12706 1773.	[bug]		Fast retry on host / net unreachable. [RT #13153]
12707 
12708 1772.	[placeholder]
12709 
12710 1771.	[placeholder]
12711 
12712 1770.	[bug]		named-checkconf failed to report a missing
12713 			file clause for rbt{64} master/hint zones. [RT #13009]
12714 
12715 1769.	[port]		win32: change compiler flags /MTd ==> /MDd,
12716 			/MT ==> /MD.
12717 
12718 1768.	[bug]		nsecnoexistnodata() could be called with a non-NSEC
12719 			rdataset. [RT #12907]
12720 
12721 1767.	[port]		Builds on IPv6 platforms without IPv6 Advanced API
12722 			support for (struct in6_pktinfo) failed.  [RT #13077]
12723 
12724 1766.	[bug]		Update the master file timestamp on successful refresh
12725 			as well as the journal's timestamp. [RT #13062]
12726 
12727 1765.	[bug]		configure --with-openssl=auto failed. [RT #12937]
12728 
12729 1764.	[bug]		dns_zone_replacedb failed to emit an error message
12730 			if there was no SOA record in the replacement db.
12731 			[RT #13016]
12732 
12733 1763.	[func]		Perform sanity checks on NS records which refer to
12734 			'in zone' names. [RT #13002]
12735 
12736 1762.	[bug]		isc_interfaceiter_create() could return ISC_R_SUCCESS
12737 			even when it failed. [RT #12995]
12738 
12739 1761.	[bug]		'rndc dumpdb' didn't report unassociated entries.
12740 			[RT #12971]
12741 
12742 1760.	[bug]		Host / net unreachable was not penalising rtt
12743 			estimates. [RT #12970]
12744 
12745 1759.	[bug]		Named failed to start up if the OS supported IPv6
12746 			but had no IPv6 interfaces configured. [RT #12942]
12747 
12748 1758.	[func]		Don't send notify messages to self. [RT #12933]
12749 
12750 1757.	[func]		host now can turn on memory debugging flags with '-m'.
12751 
12752 1756.	[func]		named-checkconf now checks the logging configuration.
12753 			[RT #12352]
12754 
12755 1755.	[func]		allow-update is now settable at the options / view
12756 			level. [RT #6636]
12757 
12758 1754.	[bug]		We weren't always attempting to query the parent
12759 			server for the DS records at the zone cut.
12760 			[RT #12774]
12761 
12762 1753.	[bug]		Don't serve a slave zone which has no NS records.
12763 			[RT #12894]
12764 
12765 1752.	[port]		Move isc_app_start() to after ns_os_daemonise()
12766 			as some fork() implementations unblock the signals
12767 			that are blocked by isc_app_start(). [RT #12810]
12768 
12769 1751.	[bug]		--enable-getifaddrs failed under linux. [RT #12867]
12770 
12771 1750.	[port]		lib/bind/make/rules.in:subdirs was not bash friendly.
12772 			[RT #12864]
12773 
12774 1749.	[bug]		'check-names response ignore;' failed to ignore.
12775 			[RT #12866]
12776 
12777 1748.	[func]		dig now returns the byte count for axfr/ixfr.
12778 
12779 1747.	[bug]		BIND 8 compatibility: named/named-checkconf failed
12780 			to parse "host-statistics-max" in named.conf.
12781 
12782 1746.	[func]		Make public the function to read a key file,
12783 			dst_key_read_public(). [RT #12450]
12784 
12785 1745.	[bug]		Dig/host/nslookup accept replies from link locals
12786 			regardless of scope if no scope was specified when
12787 			query was sent. [RT #12745]
12788 
12789 1744.	[bug]		If tuple2msgname() failed to convert a tuple to
12790 			a name a REQUIRE could be triggered. [RT #12796]
12791 
12792 1743.	[bug]		If isc_taskmgr_create() was not able to create the
12793 			requested number of worker threads then destruction
12794 			of the manager would trigger an INSIST() failure.
12795 			[RT #12790]
12796 
12797 1742.	[bug]		Deleting all records at a node then adding a
12798 			previously existing record, in a single UPDATE
12799 			transaction, failed to leave / regenerate the
12800 			associated RRSIG records. [RT #12788]
12801 
12802 1741.	[bug]		Deleting all records at a node in a secure zone
12803 			using an update-policy grant failed. [RT #12787]
12804 
12805 1740.	[bug]		Replace rbt's hash algorithm as it performed badly
12806 			with certain zones. [RT #12729]
12807 
12808 			NOTE: a hash context now needs to be established
12809 			via isc_hash_create() if the application was not
12810 			already doing this.
12811 
12812 1739.	[bug]		dns_rbt_deletetree() could incorrectly return
12813 			ISC_R_QUOTA.  [RT #12695]
12814 
12815 1738.	[bug]		Enable overrun checking by default. [RT #12695]
12816 
12817 1737.	[bug]		named failed if more than 16 masters were specified.
12818 			[RT #12627]
12819 
12820 1736.	[bug]		dst_key_fromnamedfile() could fail to read a
12821 			public key. [RT #12687]
12822 
12823 1735.	[bug]		'dig +sigtrace' could die with a REQUIRE failure.
12824 			[RT #12688]
12825 
12826 1734.	[cleanup]	'rndc-confgen -a -t' remove extra '/' in path.
12827 			[RT #12588]
12828 
12829 1733.	[bug]		Return non-zero exit status on initial load failure.
12830 			[RT #12658]
12831 
12832 1732.	[bug]		'rrset-order name "*"' wasn't being applied to ".".
12833 			[RT #12467]
12834 
12835 1731.	[port]		darwin: relax version test in ifconfig.sh.
12836 			[RT #12581]
12837 
12838 1730.	[port]		Determine the length type used by the socket API.
12839 			[RT #12581]
12840 
12841 1729.	[func]		Improve check-names error messages.
12842 
12843 1728.	[doc]		Update check-names documentation.
12844 
12845 1727.	[bug]		named-checkzone: check-names support didn't match
12846 			documentation.
12847 
12848 1726.	[port]		aix5: add support for aix5.
12849 
12850 1725.	[port]		linux: update error message on interaction of threads,
12851 			capabilities and setuid support (named -u). [RT #12541]
12852 
12853 1724.	[bug]		Look for DNSKEY records with "dig +sigtrace".
12854 			[RT #12557]
12855 
12856 1723.	[cleanup]	Silence compiler warnings from t_tasks.c. [RT #12493]
12857 
12858 1722.	[bug]		Don't commit the journal on malformed ixfr streams.
12859 			[RT #12519]
12860 
12861 1721.	[bug]		Error messages from the journal processing were not
12862 			always identifying the relevant journal. [RT #12519]
12863 
12864 1720.	[bug]		'dig +chase' did not terminate on an RFC 2308 Type 1
12865 			negative response. [RT #12506]