Excerpts of the upstream RELNOTES:
The major "theme" for ISC DHCP 4.3.x was to update the support for
DHCPv6 to include several of the features that have been available
for DHCPv4. These include:
- Support the use of classes
- Support for on_commit, on_expiry and on_release statements
- Better logging of address assignments
- Support for using DHCPv6 relay options in expressions
This release also adds support for the standard DDNS as described in the
current RFCs as well as enhancing support for dynamically adding and removing
subclasses via OMAPI.
There are a number of DHCPv6 limitations and features missing in this
release, which will be addressed in the future:
- Only Solaris, Linux, FreeBSD, NetBSD, and OpenBSD are supported.
- DHCPv6 includes human-readable text in status code messages, in
English. A method to reconfigure or support other languages would
be preferable.
- The "host-identifier" option is limited to a simple token.
- The client and server can only operate DHCPv4 or DHCPv6 at a time,
not both. To use both protocols simultaneously, two instances of the
relevant daemon are required, one with the '-6' command line option.
Changes since 4.3.0b1
- Tidy up receive packet processing.
Thanks to Brad Plank of GTA for reporting the issue and suggesting
a possible patch.
[ISC-Bugs #34447]
Changes since 4.3.0a1
- Modify the message displayed when a process hits a fatal error.
The new message is much shorter and simply points to the README
and our website for directions on bug submissions.
[ISC-Bugs #24789]
- Handle an absent resolv.conf file better.
[ISC-Bugs #35194]
Changes since 4.2.5
- Address static analysis warnings.
[ISC-Bugs #33510] [ISC-Bugs #33511]
- Silence benign static analysis warnings.
[ISC-Bugs #33428]
- Add check for 64-bit package for atf.
[ISC-Bugs #32206]
- Use newer auto* tool packages and turn on RFC_3542 support on Mac OS.
[ISC-Bugs #26303]
- Remove a variable when it isn't being used due to #ifdefs to avoid
a compiler warning on Solaris using GCC.
[ISC-Bugs #33032]
- Add a check for too much whitespace in a config or lease file.
Thanks to Paolo Pellegrino for finding the issue and a suggestion
for the patch.
[ISC-Bugs #33351]
- Fix several problems with using OMAPI to manipulate class and subclass
objects.
[ISC-Bugs #27452]
- Added a sleep call after killing the old client to allow time
for the sockets to be cleaned. This should allow the -r option
to work more consistently.
[ISC-Bugs #18175]
- Missing files for ISC DHCP Developer's Guide are now included in
the release tarballs. To generate this documentation, please use
make devel command in doc directory. [ISC-Bugs #32767]
- Update client script for use with openwrt.
[ISC-Bugs #29843]
- Fix the socket handling for DHCPv6 clients to allow multiple instances
of a client on a single machine to work properly. Previously only
one client would receive the packets. Thanks to Jiri Popelka at Red Hat
for the bug report and a potential patch.
[ISC-Bugs #34784]
- Added support for gentle shutdown after signal is received.
[ISC-Bugs #32692] [ISC-Bugs 34945]
- Enhance the DHCPv6 server logging to include the addresses that are assigned
to the clients.
[ISC-Bugs #26377]
- Fix an operation in the DDNS code to be a bitwise instead of logical or.
[ISC-Bugs #35138]
With the new GL shader compiler, glsl-compile is no longer needed as
a tool, but the shader compiler is now duplicated in several
libraries, so (XXX) external/mit/xorg/tools/glsl should be turned
into a proper library that libGL and libmesa can link against.
Changes since the last import:
--- 9.10.0-P2 released ---
3861. [security] Missing isc_buffer_availablelength check results
in a REQUIRE assertion when printing out a packet
(CVE-2014-3859). [RT #36078]
3858. [bug] Disable GCC 4.9 "delete null pointer check".
[RT #35968]
3853. [cleanup] Refactor dns_rdataslab_fromrdataset to separate out
the handling of a rdataset with no records. [RT #35968]
3850. [bug] Disabling forwarding could trigger a REQUIRE assertion.
[RT #35979]
3843. [bug] Use the x64 version of the Microsoft Visual C++
Redistributable when built for 64 bit Windows.
[RT #35973]
3838. [protocol] EDNS EXPIRE has been assigned a code point of 9.
--- 9.10.0-P1 released ---
3837. [security] A NULL pointer is passed to query_prefetch resulting in
a REQUIRE assertion failure when a fetch is actually
initiated (CVE-2014-3214). [RT #35899]
--- 9.10.0 released ---
3824. [bug] A collision between two flag values could cause
problems with cache cleaning when SIT was enabled.
[RT #35858]
--- 9.10.0rc2 released ---
3817. [func] The "delve" command is now spelled "delv" to avoid
a namespace collision with the Xapian project.
[RT #35801]
3815. [doc] Clarify "nsupdate -y" usage in man page. [RT #35808]
3810. [bug] Work around broken nameservers that fail to ignore
unknown EDNS options. [RT #35766]
3809. [doc] Fix SIT and NSID documentation.
3808. [doc] Clean up "prefetch" documentation. [RT #35751]
3807. [bug] Fix sign extension bug in dns_name_fromtext when
lowercase is set. [RT #35743]
3806. [test] Improved system test portability. [RT #35625]
3805. [contrib] Added contrib/perftcpdns, a performance testing tool
for DNS over TCP. [RT #35710]
--- 9.10.0rc1 released ---
3804. [bug] Corrected a race condition in dispatch.c in which
portentry could be reset leading to an assertion
failure in socket_search(). (Change #3708
addressed the same issue but was incomplete.)
[RT #35128]
3803. [bug] "named-checkconf -z" incorrectly rejected zones
using alternate data sources for not having a "file"
option. [RT #35685]
3802. [bug] Various header files were not being installed.
3801. [port] Fix probing for gssapi support on FreeBSD. [RT #35615]
3800. [bug] A pending event on the route socket could cause an
assertion failure when shutting down named. [RT #35674]
3799. [bug] Improve named's command line error reporting.
[RT #35603]
3798. [bug] 'rndc zonestatus' was reporting the wrong re-signing
time. [RT #35659]
3797. [port] netbsd: geoip support probing was broken. [RT #35642]
3796. [bug] Register dns and pkcs#11 error codes. [RT #35629]
3795. [bug] Make named-checkconf detect raw masterfiles for
hint zones and reject them. [RT #35268]
3794. [maint] Added AAAA for C.ROOT-SERVERS.NET.
3793. [bug] zone.c:save_nsec3param() could assert when out of
memory. [RT #35621]
3792. [func] Provide links to the alternate statistics views when
displaying in a browser. [RT #35605]
3791. [placeholder]
3790. [bug] Handle broken nameservers that send BADVERS in
response to unknown EDNS options. Maintain
statistics on BADVERS responses.
3789. [bug] Null pointer dereference on rbt creation failure.
3788. [bug] dns_peer_getrequestsit was returning request_nsid by
mistake.
--- 9.10.0b2 released ---
3787. [bug] The code that checks whether "auto-dnssec" is
allowed was ignoring "allow-update" ACLs set at
the options or view level. [RT #29536]
3786. [func] Provide more detailed error codes when using
native PKCS#11. "pkcs11-tokens" now fails robustly
rather than asserting when run against an HSM with
an incomplete PKCS#11 API implementation. [RT #35479]
3785. [bug] Debugging code dumphex didn't accept arbitrarily long
input (only compiled with -DDEBUG). [RT #35544]
3784. [bug] Using "rrset-order fixed" when it had not been
enabled at compile time caused inconsistent
results. It now works as documented, defaulting
to cyclic mode. [RT #28104]
3783. [func] "tsig-keygen" is now available as an alternate
command name for "ddns-confgen". It generates
a TSIG key in named.conf format without comments.
[RT #35503]
3782. [func] Specifying "auto" as the salt when using
"rndc signing -nsec3param" causes named to
generate a 64-bit salt at random. [RT #35322]
3781. [tuning] Use adaptive mutex locks when available; this
has been found to improve performance under load
on many systems. "configure --with-locktype=standard"
restores conventional mutex locks. [RT #32576]
3780. [bug] $GENERATE handled negative numbers incorrectly.
[RT #25528]
3779. [cleanup] Clarify the error message when using an option
that was not enabled at compile time. [RT #35504]
3778. [bug] Log a warning when the wrong address family is
used in "listen-on" or "listen-on-v6". [RT #17848]
3777. [bug] EDNS EXPIRE code could dump core when processing
DLZ queries. [RT #35493]
3776. [func] "rndc -q" suppresses output from successful
rndc commands. Errors are printed on stderr.
[RT #21393]
3775. [bug] dlz_dlopen driver could return the wrong error
code on API version mismatch, leading to a segfault.
[RT #35495]
3774. [func] When using "request-nsid", log the NSID value in
printable form as well as hex. [RT #20864]
3773. [func] "host", "nslookup" and "nsupdate" now have
options to print the version number and exit.
[RT #26057]
3772. [contrib] Added sqlite3 dynamically-loadable DLZ module.
(Based in part on a contribution from Tim Tessier.)
[RT #20822]
3771. [cleanup] Adjusted log level for "using built-in key"
messages. [RT #24383]
3770. [bug] "dig +trace" could fail with an assertion when it
needed to fall back to TCP due to a truncated
response. [RT #24660]
3769. [doc] Improved documentation of "rndc signing -list".
[RT #30652]
3768. [bug] "dnssec-checkds" was missing the SHA-384 digest
algorithm. [RT #34000]
3767. [func] Log explicitly when using rndc.key to configure
command channel. [RT #35316]
3766. [cleanup] Fixed problems with building outside the source
tree when using native PKCS#11. [RT #35459]
3765. [bug] Fixed a bug in "rndc secroots" that could crash
named when dumping an empty keynode. [RT #35469]
3764. [bug] The dnssec-keygen/settime -S and -i options
(to set up a successor key and set the prepublication
interval) were missing from dnssec-keyfromlabel.
[RT #35394]
3763. [bug] delve: Cache DNSSEC records to avoid the need to
re-fetch them when restarting validation. [RT #35476]
3762. [bug] Address build problems with --pkcs11-native +
--with-openssl with ECDSA support. [RT #35467]
3761. [bug] Address dangling reference bug in dns_keytable_add.
[RT #35471]
3760. [bug] Improve SIT with native PKCS#11 and on Windows.
[RT #35433]
3759. [port] Enable delve on Windows. [RT #35441]
3758. [port] Enable export library APIs on Windows. [RT #35382]
3757. [port] Enable Python tools (dnssec-coverage,
dnssec-checkds) to run on Windows. [RT #34355]
3756. [bug] GSSAPI Kerberos realm checking was broken in
check_config leading to spurious messages being
logged. [RT #35443]
- Support for PKI-less TLS server certificate verification with DANE
(DNS-based Authentication of Named Entities) where the CA public key
or the server certificate is identified via DNSSEC lookup. This
requires a DNS resolver that validates DNSSEC replies. The problem
with conventional PKI is that there are literally hundreds of
organizations world-wide that can provide a certificate in anyone's
name. DANE limits trust to the people who control the target DNS
zone and its parent zones.
- A new postscreen_dnsbl_whitelist_threshold feature to allow clients
to skip postscreen tests based on their DNSBL score. This can
eliminate email delays due to "after 220 greeting" protocol tests,
which otherwise require that a client reconnects before it can
deliver mail. Some providers such as Google don't retry from the
same IP address, and that can result in large email delivery delays.
- The recipient_delimiter feature now supports different delimiters,
for example both "+" and "-". As before, this implementation
recognizes exactly one delimiter character per email address, and
exactly one address extension per email address.
- Advanced master.cf query/update support to access service attributes
as "name = value" pairs. For example to turn off chroot on all
services use "postconf -F '*/*/chroot = n'", and to change/add a
"-o name=value" setting use "postconf -P 'smtp/inet/name = value'".
This was developed primarily to allow automated tools to manage Postfix
systems without having to parse Postfix configuration files.
Rename the following reference documents to match their programs:
shell -> sh
viref -> vi
and rename the following to match their topic better:
ipctut -> sockets
ipc -> sockets-advanced
Also, the old "timed" and "timedop" docs are now ref5/timed and
ref8/timed respectively, as the first of these documented the
protocol.
Move all the reference manuals to subdirs of /usr/share/doc/reference.
We have subdirs ref1-ref9, corresponding to man page sections 1-9.
Everything that's the reference manual for a program (sections 1, 6,
8), C interface (sections 2, 3), driver or file system (section 4),
format or configuration (section 5), or kernel internal interface
(section 9) belongs in here.
Section 7 is a little less clear: some things that might go in section
7 if they were a man page aren't really reference manuals. So I'm only
putting things in reference section 7 that are (to me) clearly
reference material, rather than e.g. tutorials, guides, FAQs, etc.
This obviously leaves some room for debate, especially without first
editing the docs with this distinction in mind, but if people hate
what I've done things can always be moved again.
Note also that while roff macro man pages traditionally go in section
7, I have put all the roff documentation (macros, tools, etc.) in one
place in reference/ref1/roff. This will make it easier to find and
also easier to edit it into some kind of coherent form.
Update the <bsd.doc.mk> infrastructure, and update the docs to match
the new infrastructure.
- Build and install text, ps, pdf, and/or html, not roff sources.
- Don't wire the chapter numbers into the build system, or use them in
the installed pathnames. This didn't matter much when the docs were a
museum, but now that we're theoretically going to start maintaining
them again, we're going to add and remove documents periodically and
having the chapter numbers baked in creates a lot of thrashing for no
purpose.
- Specify the document name explicitly, rather than implicitly in a
path. Use this name (instead of other random strings) as the name
of the installed files.
- Specify the document section, which is the subdirectory of
/usr/share/doc to install into.
- Allow multiple subdocuments. (That is, multiple documents in one
output directory.)
- Enumerate the .png files groff emits along with html so they can be
installed.
- Remove assorted hand-rolled rules for running roff and roff widgetry
and add enough variable settings to make these unnecessary. This
includes support for
- explicit use of soelim
- refer
- tbl
- pic
- eqn
- Forcibly apply at least minimal amounts of sanity to certain
autogenerated roff files.
- Don't exclude USD.doc, SMM.doc, and PSD.doc directories from the
build, as they now actually do stuff.
Note: currently we can't generate pdf. This turns out to be a
nontrivial problem with no immediate solution forthcoming. So for now,
as a workaround, install compressed .ps as the printable form.
http://mail-index.NetBSD.org/source-changes/2014/06/29/msg055885.html
---
Tweak LIB1ASMFUNCS order to avoid linker warnings on libgcc_s build with -O2.
Without this change, ld complains as follows:
>> libgcc_s_pic.a(_float.pico):(.text+0x8): relocation truncated to fit:
>> R_68K_PC16 against symbol `$_exception_handler' defined in .text section in
>> libgcc_s_pic.a(_floatex.pico)
_float.S and _double.S refer to `$_exception_handler' declared in _floatex.S
and linking the _floatex.S first seems to work around these warnings
(probably caused by pic relative jump addresses).
See port-m68k@ posts for more details:
http://mail-index.NetBSD.org/port-m68k/2014/06/22/msg000488.html
---
Note m68k/defs.mk is manually edited to avoid extra diffs.
Without this change, ld complains as follows:
>> libgcc_s_pic.a(_float.pico):(.text+0x8): relocation truncated to fit:
>> R_68K_PC16 against symbol `$_exception_handler' defined in .text section in
>> libgcc_s_pic.a(_floatex.pico)
_float.S and _double.S refer to `$_exception_handler' declared in _floatex.S
and linking the _floatex.S first seems to work around these warnings
(probably caused by pic relative jump addresses).
See port-m68k@ posts for more details:
http://mail-index.NetBSD.org/port-m68k/2014/06/22/msg000488.html
Note m68k.mk is manually edited to avoid extra diffs.