13974 lines
459 KiB
Plaintext
13974 lines
459 KiB
Plaintext
--- 9.10.4-P8 released ---
|
|
|
|
4582. [security] 'rndc ""' could trigger a assertion failure in named.
|
|
(CVE-2017-3138) [RT #44924]
|
|
|
|
4580. [bug] 4578 introduced a regression when handling CNAME to
|
|
referral below the current domain. [RT #44850]
|
|
|
|
--- 9.10.4-P7 released ---
|
|
|
|
4578. [security] Some chaining (CNAME or DNAME) responses to upstream
|
|
queries could trigger assertion failures.
|
|
(CVE-2017-3137) [RT #44734]
|
|
|
|
4575. [security] DNS64 with "break-dnssec yes;" can result in an
|
|
assertion failure. (CVE-2017-3136) [RT #44653]
|
|
|
|
4564. [maint] Update the built in managed keys to include the
|
|
upcoming root KSK. [RT #44579]
|
|
|
|
--- 9.10.4-P6 released ---
|
|
|
|
4558. [bug] Synthesised CNAME before matching DNAME was still
|
|
being cached when it should not have been. [RT #44318]
|
|
|
|
4557. [security] Combining dns64 and rpz can result in dereferencing
|
|
a NULL pointer (read). (CVE-2017-3135) [RT#44434]
|
|
|
|
--- 9.10.4-P5 released ---
|
|
|
|
4530. [bug] Change 4489 broke the handling of CNAME -> DNAME
|
|
in responses resulting in SERVFAIL being returned.
|
|
[RT #43779]
|
|
|
|
4528. [bug] Only set the flag bits for the i/o we are waiting
|
|
for on EPOLLERR or EPOLLHUP. [RT #43617]
|
|
|
|
4519. [port] win32: handle ERROR_MORE_DATA. [RT #43534]
|
|
|
|
4517. [security] Named could mishandle authority sections that were
|
|
missing RRSIGs triggering an assertion failure.
|
|
(CVE-2016-9444) [RT # 43632]
|
|
|
|
4510. [security] Named mishandled some responses where covering RRSIG
|
|
records are returned without the requested data
|
|
resulting in a assertion failure. (CVE-2016-9147)
|
|
[RT #43548]
|
|
|
|
4508. [security] Named incorrectly tried to cache TKEY records which
|
|
could trigger a assertion failure when there was
|
|
a class mismatch. (CVE-2016-9131) [RT #43522]
|
|
|
|
--- 9.10.4-P4 released ---
|
|
|
|
4489. [security] It was possible to trigger assertions when processing
|
|
a response. (CVE-2016-8864) [RT #43465]
|
|
|
|
--- 9.10.4-P3 released ---
|
|
|
|
4468. [bug] Address ECS option handling issues. [RT #43191]
|
|
|
|
Note: Only the parts required to restore
|
|
interoperation with ECS clients have been
|
|
included in this security release. The full
|
|
fix is included in BIND 9.10.5.
|
|
|
|
4467. [security] It was possible to trigger a assertion when rendering
|
|
a message. (CVE-2016-2776) [RT #43139]
|
|
|
|
--- 9.10.4-P2 released ---
|
|
|
|
4406. [bug] getrrsetbyname with a non absolute name could
|
|
trigger an infinite recursion bug in lwresd
|
|
and named with lwres configured if when combined
|
|
with a search list entry the resulting name is
|
|
too long. (CVE-2016-2775) [RT #42694]
|
|
|
|
4405. [bug] Change 4342 introduced a regression where you could
|
|
not remove a delegation in a NSEC3 signed zone using
|
|
OPTOUT via nsupdate. [RT #42702]
|
|
|
|
4387. [bug] Change 4336 was not complete leading to SERVFAIL
|
|
being return as NS records expired. [RT #42683]
|
|
|
|
--- 9.10.4-P1 released ---
|
|
|
|
4368. [bug] Fix a crash when calling "rndc stats" on some
|
|
Windows builds because some Visual Studio compilers
|
|
generated crashing code for the "%z" printf()
|
|
format specifier. [RT #42380]
|
|
|
|
4366. [bug] Address race condition when updating rbtnode bit
|
|
fields. [RT #42379]
|
|
|
|
4363. [port] win32: Disable explicit triggering UAC when running
|
|
BINDInstall.
|
|
|
|
--- 9.10.4 released ---
|
|
|
|
--- 9.10.4rc1 released ---
|
|
|
|
4347. [port] Corrected a build error on x86_64 Solaris. [RT #42150]
|
|
|
|
4346. [bug] Fixed a regression introduced in change #4337 which
|
|
caused signed domains with revoked KSKs to fail
|
|
validation. [RT #42147]
|
|
|
|
4345. [contrib] perftcpdns mishandled the return values from
|
|
clock_nanosleep. [RT #42131]
|
|
|
|
4344. [port] Address openssl version differences. [RT #42059]
|
|
|
|
--- 9.10.4b3 released ---
|
|
|
|
4342. [bug] 'rndc flushtree' could fail to clean the tree if there
|
|
wasn't a node at the specified name. [RT #41846]
|
|
|
|
4341. [bug] Correct the handling of ECS options with
|
|
address family 0. [RT #41377]
|
|
|
|
4338. [bug] Reimplement change 4324 as it wasn't properly doing
|
|
all the required book keeping. [RT #41941]
|
|
|
|
4337. [bug] The previous change exposed a latent flaw in
|
|
key refresh queries for managed-keys when
|
|
a cached DNSKEY had TTL 0. [RT #41986]
|
|
|
|
4336. [bug] Don't emit records with zero ttl unless the records
|
|
were learnt with a zero ttl. [RT #41687]
|
|
|
|
4335. [bug] zone->view could be detached too early. [RT #41942]
|
|
|
|
4333. [maint] L.ROOT-SERVERS.NET is now 199.7.83.42 and
|
|
2001:500:9f::42.
|
|
|
|
--- 9.10.4b2 released ---
|
|
|
|
4332. [bug] Windows SIT -> COOKIE configuration support was
|
|
accidentally back ported to 9.10 breaking existing
|
|
configurations. [RT #41905]
|
|
|
|
4331. [func] When loading managed signed zones detect if the
|
|
RRSIG's inception time is in the future and regenerate
|
|
the RRSIG immediately. [RT #41808]
|
|
|
|
4330. [protocol] Identify the PAD option as "PAD" when printing out
|
|
a message.
|
|
|
|
--- 9.10.4b1 released ---
|
|
|
|
4329. [func] Warn about a common misconfiguration when forwarding
|
|
RFC 1918 zones. [RT #41441]
|
|
|
|
4328. [performance] Add dns_name_fromwire() benchmark test. [RT #41694]
|
|
|
|
4327. [func] Log query and depth counters during fetches when
|
|
querytrace (./configure --enable-querytrace) is
|
|
enabled (helps in diagnosing). [RT #41787]
|
|
|
|
4326. [protocol] Add support for AVC. [RT #41819]
|
|
|
|
4324. [bug] When deleting records from a zone database, interior
|
|
nodes could be left empty but not deleted, damaging
|
|
search performance afterward. [RT #40997]
|
|
|
|
4323. [bug] Improve HTTP header processing on statschannel.
|
|
[RT #41674]
|
|
|
|
4322. [security] Duplicate EDNS COOKIE options in a response could
|
|
trigger an assertion failure. (CVE-2016-2088)
|
|
[RT #41809]
|
|
|
|
4321. [bug] Zones using mapped files containing out-of-zone data
|
|
could return SERVFAIL instead of the expected NODATA
|
|
or NXDOMAIN results. [RT #41596]
|
|
|
|
4320. [bug] Insufficient memory allocation when handling
|
|
"none" ACL could cause an assertion failure in
|
|
named when parsing ACL configuration. [RT #41745]
|
|
|
|
4319. [security] Fix resolver assertion failure due to improper
|
|
DNAME handling when parsing fetch reply messages.
|
|
(CVE-2016-1286) [RT #41753]
|
|
|
|
4318. [security] Malformed control messages can trigger assertions
|
|
in named and rndc. (CVE-2016-1285) [RT #41666]
|
|
|
|
4317. [bug] Age all unused servers on fetch timeout. [RT #41597]
|
|
|
|
4315. [bug] Check that configured view class isn't a meta class.
|
|
[RT #41572].
|
|
|
|
4314. [contrib] Added 'dnsperf-2.1.0.0-1', a set of performance
|
|
testing tools provided by Nominum, Inc.
|
|
|
|
4313. [bug] Handle ns_client_replace failures in test mode.
|
|
[RT #41190]
|
|
|
|
4312. [bug] dig's unknown DNS and EDNS flags (MBZ value) logging
|
|
was not consistent. [RT #41600]
|
|
|
|
4311. [bug] Prevent "rndc delzone" from being used on
|
|
response-policy zones. [RT #41593]
|
|
|
|
4310. [performance] Use __builtin_expect() where available to annotate
|
|
conditions with known behavior. [RT #41411]
|
|
|
|
4308. [func] Added operating system details to "named -V"
|
|
output. [RT #41452]
|
|
|
|
4307. [bug] "dig +subnet" could send incorrectly-formatted
|
|
Client Subnet options if the prefix length was
|
|
not divisible by 8. [RT #45178]
|
|
|
|
4306. [maint] Added a PKCS#11 openssl patch supporting
|
|
version 1.0.2f [RT #38312]
|
|
|
|
4305. [bug] dnssec-signzone was not removing unnecessary rrsigs
|
|
from the zone's apex. [RT #41483]
|
|
|
|
4304. [port] xfer system test failed as 'tail -n +value' is not
|
|
portable. [RT #41315]
|
|
|
|
4303. [bug] "dig +subnet" was unable to send a prefix length of
|
|
zero, as it was incorrectly changed to 32 for v4
|
|
prefixes or 128 for v6 prefixes. In addition to
|
|
fixing this, "dig +subnet=0" has been added as a
|
|
short form for 0.0.0.0/0. [RT #41553]
|
|
|
|
4302. [port] win32: fixed a build error in VS 2015. [RT #41426]
|
|
|
|
4300. [cleanup] Added new querytrace logging. [RT #41155]
|
|
|
|
4299. [bug] Check that exactly totallen bytes are read when
|
|
reading a RRset from raw files in both single read
|
|
and incremental modes. [RT #41402]
|
|
|
|
4298. [bug] dns_rpz_add errors in loadzone were not being
|
|
propagated up the call stack. [RT #41425]
|
|
|
|
4297. [test] Ensure delegations in RPZ zones fail robustly.
|
|
[RT #41518]
|
|
|
|
4295. [bug] An unchecked result in dns_message_pseudosectiontotext()
|
|
could allow incorrect text formatting of EDNS EXPIRE
|
|
options. [RT #41437]
|
|
|
|
4294. [bug] Fixed a regression in which "rndc stop -p" failed
|
|
to print the PID. [RT #41513]
|
|
|
|
4293. [bug] Address memory leak on priming query creation failure.
|
|
[RT #41512]
|
|
|
|
4291. [cleanup] Added a required include to dns/forward.h. [RT #41474]
|
|
|
|
4289. [bug] The server could crash due to memory being used
|
|
after it was freed if a zone transfer timed out.
|
|
[RT #41297]
|
|
|
|
4288. [bug] Fixed a regression in resolver.c:possibly_mark()
|
|
which caused known-bogus servers to be queried
|
|
anyway. [RT #41321]
|
|
|
|
4287. [bug] Silence an overly noisy log message when message
|
|
parsing fails. [RT #41374]
|
|
|
|
4286. [security] render_ecs errors were mishandled when printing out
|
|
a OPT record resulting in a assertion failure.
|
|
(CVE-2015-8705) [RT #41397]
|
|
|
|
4285. [security] Specific APL data could trigger a INSIST.
|
|
(CVE-2015-8704) [RT #41396]
|
|
|
|
4284. [bug] Some GeoIP options were incorrectly documented
|
|
using abbreviated forms which were not accepted by
|
|
named. The code has been updated to allow both
|
|
long and abbreviated forms. [RT #41381]
|
|
|
|
4283. [bug] OPENSSL_config is no longer re-callable. [RT #41348]
|
|
|
|
4281. [bug] Teach dns_message_totext about BADCOOKIE. [RT #41257]
|
|
|
|
4280. [performance] Use optimal message sizes to improve compression
|
|
in AXFRs. This reduces network traffic. [RT #40996]
|
|
|
|
4279. [test] Don't use fixed ports when unit testing. [RT #41194]
|
|
|
|
4278. [bug] 'delv +short +[no]split[=##]' didn't work as expected.
|
|
[RT #41238]
|
|
|
|
4277. [performance] Improve performance of the RBT, the central zone
|
|
datastructure: The aux hashtable was improved,
|
|
hash function was updated to perform more
|
|
uniform mapping, uppernode was added to
|
|
dns_rbtnode, and other cleanups and performance
|
|
improvements were made. [RT #41165]
|
|
|
|
4276. [protocol] Add support for SMIMEA. [RT #40513]
|
|
|
|
4274. [performance] Speed up typemap processing from text. [RT #41196]
|
|
|
|
4273. [bug] Only call dns_test_begin() and dns_test_end() once each
|
|
in nsec3_test as it fails with GOST if called multiple
|
|
times.
|
|
|
|
4272. [bug] dig: the +norrcomments option didn't work with +multi.
|
|
[RT #41234]
|
|
|
|
4271. [test] Unit tests could deadlock in isc__taskmgr_pause().
|
|
[RT #41235]
|
|
|
|
4270. [security] Update allowed OpenSSL versions as named is
|
|
potentially vulnerable to CVE-2015-3193.
|
|
|
|
4269. [bug] Zones using "map" format master files currently
|
|
don't work as policy zones. This limitation has
|
|
now been documented; attempting to use such zones
|
|
in "response-policy" statements is now a
|
|
configuration error. [RT #38321]
|
|
|
|
4267. [test] Check sdlz error handling. [RT #41142]
|
|
|
|
4265. [bug] Address unchecked isc_mem_get calls. [RT #41187]
|
|
|
|
4264. [bug] Check const of strchr/strrchr assignments match
|
|
argument's const status. [RT #41150]
|
|
|
|
4262. [bug] Fixed a bug in epoll socket code that caused
|
|
sockets to not be registered for ready
|
|
notification in some cases, causing named to not
|
|
read from or write to them, resulting in what
|
|
appear to the user as blocked connections.
|
|
[RT #41067]
|
|
|
|
4261. [maint] H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53.
|
|
[RT #40556]
|
|
|
|
4260. [security] Insufficient testing when parsing a message allowed
|
|
records with an incorrect class to be be accepted,
|
|
triggering a REQUIRE failure when those records
|
|
were subsequently cached. (CVE-2015-8000) [RT #40987]
|
|
|
|
4258. [bug] Limit rndc query message sizes to 32 KiB. This should
|
|
not break any legitimate rndc commands, but will
|
|
prevent a rogue rndc query from allocating too
|
|
much memory. [RT #41073]
|
|
|
|
4257. [cleanup] Python scripts reported incorrect version. [RT #41080]
|
|
|
|
4256. [bug] Allow rndc command arguments to be quoted so as
|
|
to allow spaces. [RT #36665]
|
|
|
|
4254. [bug] Address missing lock when getting zone's serial.
|
|
[RT #41072]
|
|
|
|
4253. [security] Address fetch context reference count handling error
|
|
on socket error. (CVE-2015-8461) [RT#40945]
|
|
|
|
4248. [performance] Add an isc_atomic_storeq() function, use it in
|
|
stats counters to improve performance.
|
|
[RT #39972] [RT #39979]
|
|
|
|
4247. [port] Require both HAVE_JSON and JSON_C_VERSION to be
|
|
defined to report json library version. [RT #41045]
|
|
|
|
4246. [test] Ensure the statschannel system test runs when BIND
|
|
is not built with libjson. [RT #40944]
|
|
|
|
4245. [bug] Fix statistics version to match against in bind9.xsl.
|
|
[RT #41039]
|
|
|
|
4244. [bug] The parser was not reporting that use-ixfr is obsolete.
|
|
[RT #41010]
|
|
|
|
4242. [bug] Replace the client if not already replaced when
|
|
prefetching. [RT #41001]
|
|
|
|
4241. [doc] Improved the TSIG, TKEY, and SIG(0) sections in
|
|
the ARM. [RT #40955]
|
|
|
|
4240. [port] Fix LibreSSL compatibility. [RT #40977]
|
|
|
|
4238. [bug] Don't send to servers on net zero (0.0.0.0/8).
|
|
[RT #40947]
|
|
|
|
4237. [doc] Upgraded documentation toolchain to use DocBook 5
|
|
and dblatex. [RT #40766]
|
|
|
|
4236. [performance] On machines with 2 or more processors (CPU), the
|
|
default value for the number of UDP listeners
|
|
has been changed to the number of detected
|
|
processors minus one. [RT #40761]
|
|
|
|
4233. [test] Add tests for CDS and CDNSKEY with delegation-only.
|
|
[RT #40597]
|
|
|
|
4232. [contrib] Address unchecked memory allocation calls in
|
|
query-loc and zone2ldap. [RT #40789]
|
|
|
|
4230. [contrib] dlz_wildcard_dynamic.c:dlz_create could return a
|
|
uninitialized result. [RT #40839]
|
|
|
|
4229. [bug] A variable could be used uninitialized in
|
|
dns_update_signaturesinc. [RT #40784]
|
|
|
|
4228. [bug] Address race condition in dns_client_destroyrestrans.
|
|
[RT #40605]
|
|
|
|
4227. [bug] Silence static analysis warnings. [RT #40828]
|
|
|
|
4226. [bug] Address a theoretical shutdown race in
|
|
zone.c:notify_send_queue(). [RT #38958]
|
|
|
|
4225. [port] freebsd/openbsd: Use '${CC} -shared' for building
|
|
shared libraries. [RT #39557]
|
|
|
|
4221. [bug] Resource leak on DNS_R_NXDOMAIN in fctx_create.
|
|
[RT #40583]
|
|
|
|
4220. [doc] Improve documentation for zone-statistics.
|
|
[RT #36955]
|
|
|
|
4219. [bug] Set event->result to ISC_R_WOULDBLOCK on EWOULDBLOCK,
|
|
EGAIN when these soft error are not retried for
|
|
isc_socket_send*().
|
|
|
|
4218. [bug] Potential null pointer dereference on out of memory
|
|
if mmap is not supported. [RT #40777]
|
|
|
|
4217. [protocol] Add support for CSYNC. [RT #40532]
|
|
|
|
4216. [cleanup] Silence static analysis warnings. [RT #40649]
|
|
|
|
4215. [bug] nsupdate: skip to next request on GSSTKEY create
|
|
failure. [RT #40685]
|
|
|
|
4214. [protocol] Add support for TALINK. [RT #40544]
|
|
|
|
4213. [bug] Don't reuse a cache across multiple classes.
|
|
[RT #40205]
|
|
|
|
4210. [cleanup] Silence use after free false positive. [RT #40743]
|
|
|
|
4209. [bug] Address resource leaks in dlz modules. [RT #40654]
|
|
|
|
4208. [bug] Address null pointer dereferences on out of memory.
|
|
[RT #40764]
|
|
|
|
4207. [bug] Handle class mismatches with raw zone files.
|
|
[RT #40746]
|
|
|
|
4206. [bug] contrib: fixed a possible NULL dereference in
|
|
DLZ wildcard module. [RT #40745]
|
|
|
|
4205. [bug] 'named-checkconf -p' could include unwanted spaces
|
|
when printing tuples with unset optional fields.
|
|
[RT #40731]
|
|
|
|
4204. [bug] 'dig +trace' failed to lookup the correct type if
|
|
the initial root NS query was retried. [RT #40296]
|
|
|
|
4203. [test] The rrchecker system test now tests conversion
|
|
to and from unknown-type format. [RT #40584]
|
|
|
|
4202. [bug] isccc_cc_fromwire() could return an incorrect
|
|
result. [RT #40614]
|
|
|
|
4201. [func] The default preferred-glue is now the address record
|
|
type of the transport the query was received
|
|
over. [RT #40468]
|
|
|
|
4200. [cleanup] win32: update BINDinstall to be BIND release
|
|
independent. [RT #38915]
|
|
|
|
4199. [protocol] Add support for NINFO, RKEY, SINK, TA.
|
|
[RT #40545] [RT #40547] [RT #40561] [RT #40563]
|
|
|
|
4198. [doc] Add fetch-quota-params, fetches-per-server, and
|
|
fetches-per-zone to doc/misc/options. [RT #40601]
|
|
|
|
4197. [bug] 'named-checkconf -z' didn't handle 'in-view' clauses.
|
|
[RT #40603]
|
|
|
|
4196. [doc] Improve how "enum + other" types are documented.
|
|
[RT #40608]
|
|
|
|
4195. [bug] 'max-zone-ttl unlimited;' was broken. [RT #40608]
|
|
|
|
4194. [bug] named-checkconf -p failed to properly print a port
|
|
range. [RT #40634]
|
|
|
|
--- 9.10.3 released ---
|
|
|
|
--- 9.10.3rc1 released ---
|
|
|
|
4193. [bug] Handle broken servers that return BADVERS incorrectly.
|
|
[RT #40427]
|
|
|
|
4192. [bug] The default rrset-order of random was not always being
|
|
applied. [RT #40456]
|
|
|
|
4191. [protocol] Accept DNS-SD non LDH PTR records in reverse zones
|
|
as per RFC 6763. [RT #37889]
|
|
|
|
4190. [protocol] Accept Active Directory gc._msdcs.<forest> name as
|
|
valid with check-names. <forest> still needs to be
|
|
LDH. [RT #40399]
|
|
|
|
4189. [cleanup] Don't exit on overly long tokens in named.conf.
|
|
[RT #40418]
|
|
|
|
4188. [bug] Support HTTP/1.0 client properly on the statistics
|
|
channel. [RT #40261]
|
|
|
|
4187. [func] When any RR type implementation doesn't
|
|
implement totext() for the RDATA's wire
|
|
representation and returns ISC_R_NOTIMPLEMENTED,
|
|
such RDATA is now printed in unknown
|
|
presentation format (RFC 3597). RR types affected
|
|
include LOC(29) and APL(42). [RT #40317].
|
|
|
|
4186. [bug] Fixed an RPZ bug where a QNAME would be matched
|
|
against a policy RR with wildcard owner name
|
|
(trigger) where the QNAME was the wildcard owner
|
|
name's parent. For example, the bug caused a query
|
|
with QNAME "example.com" to match a policy RR with
|
|
"*.example.com" as trigger. [RT #40357]
|
|
|
|
4185. [bug] Fixed an RPZ bug where a policy RR with wildcard
|
|
owner name (trigger) would prevent another policy RR
|
|
with its parent owner name from being
|
|
loaded. For example, the bug caused a policy RR
|
|
with trigger "example.com" to not have any
|
|
effect when a previous policy RR with trigger
|
|
"*.example.com" existed in that RPZ zone.
|
|
[RT #40357]
|
|
|
|
4183. [cleanup] Use timing-safe memory comparisons in cryptographic
|
|
code. Also, the timing-safe comparison functions have
|
|
been renamed to avoid possible confusion with
|
|
memcmp(). Thanks to Loganaden Velvindron of
|
|
AFRINIC. [RT #40148]
|
|
|
|
4182. [cleanup] Use mnemonics for RR class and type comparisons.
|
|
[RT #40297]
|
|
|
|
4181. [bug] Queued notify messages could be dequeued from the
|
|
wrong rate limiter queue. [RT #40350]
|
|
|
|
4179. [bug] Fix double frees in getaddrinfo() in libirs.
|
|
[RT #40209]
|
|
|
|
4178. [bug] Fix assertion failure in parsing UNSPEC(103) RR from
|
|
text. [RT #40274]
|
|
|
|
4177. [bug] Fix assertion failure in parsing NSAP records from
|
|
text. [RT #40285]
|
|
|
|
4176. [bug] Address race issues with lwresd. [RT #40284]
|
|
|
|
4175. [bug] TKEY with GSS-API keys needed bigger buffers.
|
|
[RT #40333]
|
|
|
|
4174. [bug] "dnssec-coverage -r" didn't handle time unit
|
|
suffixes correctly. [RT #38444]
|
|
|
|
4173. [bug] dig +sigchase was not properly matching the trusted
|
|
key. [RT #40188]
|
|
|
|
4172. [bug] Named / named-checkconf didn't handle a view of CLASS0.
|
|
[RT #40265]
|
|
|
|
4171. [bug] Fixed incorrect class checks in TSIG RR
|
|
implementation. [RT #40287]
|
|
|
|
4170. [security] An incorrect boundary check in the OPENPGPKEY
|
|
rdatatype could trigger an assertion failure.
|
|
(CVE-2015-5986) [RT #40286]
|
|
|
|
4169. [test] Added a 'wire_test -d' option to read input as
|
|
raw binary data, for use as a fuzzing harness.
|
|
[RT #40312]
|
|
|
|
4168. [security] A buffer accounting error could trigger an
|
|
assertion failure when parsing certain malformed
|
|
DNSSEC keys. (CVE-2015-5722) [RT #40212]
|
|
|
|
--- 9.10.3b1 released ---
|
|
|
|
4165. [security] A failure to reset a value to NULL in tkey.c could
|
|
result in an assertion failure. (CVE-2015-5477)
|
|
[RT #40046]
|
|
|
|
4164. [bug] Don't rename slave files and journals on out of memory.
|
|
[RT #40033]
|
|
|
|
4163. [bug] Address compiler warnings. [RT #40024]
|
|
|
|
4162. [bug] httpdmgr->flags was not being initialized. [RT #40017]
|
|
|
|
4161. [test] Test for consistency between "rndc stats" and the
|
|
XML and JSON statistics channel contents. [RT #38700]
|
|
|
|
4159. [cleanup] Alphabetize dig's help output. [RT #39966]
|
|
|
|
4157. [protocol] Update experimental SIT code to use the EDNS COOKIE
|
|
option code point (10). This is the minimal change
|
|
required to use the new code point. [RT #39928]
|
|
|
|
4154. [bug] A OPT record should be included with the FORMERR
|
|
response when there is a malformed EDNS option.
|
|
[RT #39647]
|
|
|
|
4153. [bug] Dig should zero non significant +subnet bits. Check
|
|
that non significant ECS bits are zero on receipt.
|
|
[RT #39647]
|
|
|
|
4151. [bug] 'rndc flush' could cause a deadlock. [RT #39835]
|
|
|
|
4150. [bug] win32: listen-on-v6 { any; }; was not working. Apply
|
|
minimal fix. [RT #39667]
|
|
|
|
4149. [bug] Fixed a race condition in the getaddrinfo()
|
|
implementation in libirs, which caused the delv
|
|
utility to crash with an assertion failure when using
|
|
the '@server' syntax with a hostname argument.
|
|
[RT #39899]
|
|
|
|
4148. [bug] Fix a bug when printing zone names with '/' character
|
|
in XML and JSON statistics output. [RT #39873]
|
|
|
|
4147. [bug] Filter-aaaa / filter-aaaa-on-v4 / filter-aaaa-on-v6
|
|
was returning referrals rather than nodata responses
|
|
when the AAAA records were filtered. [RT #39843]
|
|
|
|
4146. [bug] Address reference leak that could prevent a clean
|
|
shutdown. [RT #37125]
|
|
|
|
4145. [bug] Not all unassociated adb entries where being printed.
|
|
[RT #37125]
|
|
|
|
4143. [bug] serial-query-rate was not effective for notify.
|
|
[RT #39858]
|
|
|
|
4142. [bug] rndc addzone with view specified saved NZF config
|
|
that could not be read back by named. This has now
|
|
been fixed. [RT #39845]
|
|
|
|
4141. [bug] A formatting bug caused rndc zonestatus to print
|
|
negative numbers for large serial values. This has
|
|
now been fixed. [RT #39854]
|
|
|
|
4139. [doc] Fix rpz-client-ip documentation. [RT #39783]
|
|
|
|
4138. [security] An uninitialized value in validator.c could result
|
|
in an assertion failure. (CVE-2015-4620) [RT #39795]
|
|
|
|
4137. [bug] Make rndc reconfig report configuration errors the
|
|
same way rndc reload does. [RT #39635]
|
|
|
|
4136. [bug] Stale statistics counters with the leading
|
|
'#' prefix (such as #NXDOMAIN) were not being
|
|
updated correctly. This has been fixed. [RT #39141]
|
|
|
|
4134. [cleanup] Include client-ip rules when logging the number
|
|
of RPZ rules of each type. [RT #39670]
|
|
|
|
4133. [port] Update how various json libraries are handled.
|
|
[RT #39646]
|
|
|
|
4132. [cleanup] dig: added +rd as a synonym for +recurse,
|
|
added +class as an unabbreviated alternative
|
|
to +cl. [RT #39686]
|
|
|
|
4131. [bug] Addressed further problems with reloading RPZ
|
|
zones. [RT #39649]
|
|
|
|
4130. [bug] The compatibility shim for *printf() misprinted some
|
|
large numbers. [RT #39586]
|
|
|
|
4129. [port] Address API changes in OpenSSL 1.1.0. [RT #39532]
|
|
|
|
4128. [bug] Address issues raised by Coverity 7.6. [RT #39537]
|
|
|
|
4127. [protocol] CDS and CDNSKEY need to be signed by the key signing
|
|
key as per RFC 7344, Section 4.1. [RT #37215]
|
|
|
|
4126. [bug] Addressed a regression introduced in change #4121.
|
|
[RT #39611]
|
|
|
|
4123. [port] Added %z (size_t) format options to the portable
|
|
internal printf/sprintf implementation. [RT #39586]
|
|
|
|
4122. [bug] The server could match a shorter prefix than what was
|
|
available in CLIENT-IP policy triggers, and so, an
|
|
unexpected action could be taken. This has been
|
|
corrected. [RT #39481]
|
|
|
|
4121. [bug] On servers with one or more policy zones
|
|
configured as slaves, if a policy zone updated
|
|
during regular operation (rather than at
|
|
startup) using a full zone reload, such as via
|
|
AXFR, a bug could allow the RPZ summary data to
|
|
fall out of sync, potentially leading to an
|
|
assertion failure in rpz.c when further
|
|
incremental updates were made to the zone, such
|
|
as via IXFR. [RT #39567]
|
|
|
|
4120. [bug] A bug in RPZ could cause the server to crash if
|
|
policy zones were updated while recursion was
|
|
pending for RPZ processing of an active query.
|
|
[RT #39415]
|
|
|
|
4119. [test] Allow dig to set the message opcode. [RT #39550]
|
|
|
|
4118. [bug] Teach isc-config.sh about irs. [RT #39213]
|
|
|
|
4117. [protocol] Add EMPTY.AS112.ARPA as per RFC 7534.
|
|
|
|
4116. [bug] Fix a bug in RPZ that could cause some policy
|
|
zones that did not specifically require
|
|
recursion to be treated as if they did;
|
|
consequently, setting qname-wait-recurse no; was
|
|
sometimes ineffective. [RT #39229]
|
|
|
|
4113. [test] Check for Net::DNS is some system test
|
|
prerequisites. [RT #39369]
|
|
|
|
4112. [bug] Named failed to load when "root-delegation-only"
|
|
was used without a list of domains to exclude.
|
|
[RT #39380]
|
|
|
|
4111. [doc] Alphabetize rndc man page. [RT #39360]
|
|
|
|
4110. [bug] Address memory leaks / null pointer dereferences
|
|
on out of memory. [RT #39310]
|
|
|
|
4109. [port] linux: support reading the local port range from
|
|
net.ipv4.ip_local_port_range. [RT # 39379]
|
|
|
|
4107. [bug] Address potential deadlock when updating zone content.
|
|
[RT #39269]
|
|
|
|
4106. [port] Improve readline support. [RT #38938]
|
|
|
|
4105. [port] Misc fixes for Microsoft Visual Studio
|
|
2015 CTP6 in 64 bit mode. [RT #39308]
|
|
|
|
4104. [bug] Address uninitialized elements. [RT #39252]
|
|
|
|
4102. [bug] Fix a use after free bug introduced in change
|
|
#4094. [RT #39281]
|
|
|
|
4101. [bug] dig: the +split and +rrcomments options didn't
|
|
work with +short. [RT #39291]
|
|
|
|
4100. [bug] Inherited owernames on the line immediately following
|
|
a $INCLUDE were not working. [RT #39268]
|
|
|
|
4099. [port] clang: make unknown commandline options hard errors
|
|
when determining what options are supported.
|
|
[RT #39273]
|
|
|
|
4098. [bug] Address use-after-free issue when using a
|
|
predecessor key with dnssec-settime. [RT #39272]
|
|
|
|
4097. [func] Add additional logging about xfrin transfer status.
|
|
[RT #39170]
|
|
|
|
4096. [bug] Fix a use after free of query->sendevent.
|
|
[RT #39132]
|
|
|
|
4095. [bug] zone->options2 was not being properly initialized.
|
|
[RT #39228]
|
|
|
|
4094. [bug] A race during shutdown or reconfiguration could
|
|
cause an assertion in mem.c. [RT #38979]
|
|
|
|
4093. [func] Dig now learns the SIT value from truncated
|
|
responses when it retries over TCP. [RT #39047]
|
|
|
|
4092. [bug] 'in-view' didn't work for zones beneath a empty zone.
|
|
[RT #39173]
|
|
|
|
4091. [cleanup] Some cleanups in isc mem code. [RT #38896]
|
|
|
|
4090. [bug] Fix a crash while parsing malformed CAA RRs in
|
|
presentation format, i.e., from text such as
|
|
from master files. Thanks to John Van de
|
|
Meulebrouck Brendgard for discovering and
|
|
reporting this problem. [RT #39003]
|
|
|
|
4089. [bug] Send notifies immediately for slave zones during
|
|
startup. [RT #38843]
|
|
|
|
4088. [port] Fixed errors when building with libressl. [RT #38899]
|
|
|
|
4087. [bug] Fix a crash due to use-after-free due to sequencing
|
|
of tasks actions. [RT #38495]
|
|
|
|
4086. [bug] Fix out-of-srcdir build with native pkcs11. [RT #38831]
|
|
|
|
4085. [bug] ISC_PLATFORM_HAVEXADDQ could be inconsistently set.
|
|
[RT #38828]
|
|
|
|
4084. [bug] Fix a possible race in updating stats counters.
|
|
[RT #38826]
|
|
|
|
4082. [bug] Incrementally sign large inline zone deltas.
|
|
[RT #37927]
|
|
|
|
4081. [cleanup] Use dns_rdatalist_init consistently. [RT #38759]
|
|
|
|
4078. [bug] Handle the case where CMSG_SPACE(sizeof(int)) !=
|
|
CMSG_SPACE(sizeof(char)). [RT #38621]
|
|
|
|
4077. [test] Add static-stub regression test for DS NXDOMAIN
|
|
return making the static stub disappear. [RT #38564]
|
|
|
|
4076. [bug] Named could crash on shutdown with outstanding
|
|
reload / reconfig events. [RT #38622]
|
|
|
|
4074. [cleanup] Cleaned up more warnings from gcc -Wshadow. [RT #38708]
|
|
|
|
4073. [cleanup] Add libjson-c version number reporting to
|
|
"named -V"; normalize version number formatting.
|
|
[RT #38056]
|
|
|
|
4072. [func] Add a --enable-querytrace configure switch for
|
|
very verbose query trace logging. (This option
|
|
has a negative performance impact and should be
|
|
used only for debugging.) [RT #37520]
|
|
|
|
4071. [cleanup] Initialize pthread mutex attrs just once, instead of
|
|
doing it per mutex creation. [RT #38547]
|
|
|
|
4070. [bug] Fix a segfault in nslookup in a query such as
|
|
"nslookup isc.org AMS.SNS-PB.ISC.ORG -all".
|
|
[RT #38548]
|
|
|
|
4069. [doc] Reorganize options in the nsupdate man page.
|
|
[RT #38515]
|
|
|
|
4068. [bug] Omit unknown serial number from JSON zone statistics.
|
|
[RT #38604]
|
|
|
|
4067. [cleanup] Reduce noise from RRL when query logging is
|
|
disabled. [RT #38648]
|
|
|
|
4066. [doc] Reorganize options in the dig man page. [RT #38516]
|
|
|
|
4064. [contrib] dnssec-keyset.sh: Generates a specified number
|
|
of DNSSEC keys with timing set to implement a
|
|
pre-publication key rollover strategy. Thanks
|
|
to Jeffry A. Spain. [RT #38459]
|
|
|
|
4063. [bug] Asynchronous zone loads were not handled
|
|
correctly when the zone load was already in
|
|
progress; this could trigger a crash in zt.c.
|
|
[RT #37573]
|
|
|
|
4062. [bug] Fix an out-of-bounds read in RPZ code. If the
|
|
read succeeded, it doesn't result in a bug
|
|
during operation. If the read failed, named
|
|
could segfault. [RT #38559]
|
|
|
|
3993. [func] Dig now supports EDNS negotiation by default.
|
|
(dig +[no]ednsnegotiation).
|
|
|
|
Note: This is disabled by default in BIND 9.10
|
|
and enabled by default in BIND 9.11. [RT #37604]
|
|
|
|
3951. [func] Add the ability to set yet-to-be-defined EDNS flags
|
|
to dig (+ednsflags=#). [RT #37142]
|
|
|
|
3938. [func] Added quotas to be used in recursive resolvers
|
|
that are under high query load for names in zones
|
|
whose authoritative servers are nonresponsive or
|
|
are experiencing a denial of service attack.
|
|
|
|
- "fetches-per-server" limits the number of
|
|
simultaneous queries that can be sent to any
|
|
single authoritative server. The configured
|
|
value is a starting point; it is automatically
|
|
adjusted downward if the server is partially or
|
|
completely non-responsive. The algorithm used to
|
|
adjust the quota can be configured via the
|
|
"fetch-quota-params" option.
|
|
- "fetches-per-zone" limits the number of
|
|
simultaneous queries that can be sent for names
|
|
within a single domain. (Note: Unlike
|
|
"fetches-per-server", this value is not
|
|
self-tuning.)
|
|
- New stats counters have been added to count
|
|
queries spilled due to these quotas.
|
|
|
|
These options are not available by default;
|
|
use "configure --enable-fetchlimit" (or
|
|
--enable-developer) to include them in the build.
|
|
|
|
See the ARM for details of these options. [RT #37125]
|
|
|
|
3937. [func] Added some debug logging to better indicate the
|
|
conditions causing SERVFAILs when resolving.
|
|
[RT #35538]
|
|
|
|
3812. [func] Dig now supports sending arbitary EDNS options from
|
|
the command line (+ednsopt=code[:value]). [RT #35584]
|
|
|
|
--- 9.10.2 released ---
|
|
|
|
--- 9.10.2rc2 released ---
|
|
|
|
4061. [bug] Handle timeout in legacy system test. [RT #38573]
|
|
|
|
4060. [bug] dns_rdata_freestruct could be called on a
|
|
uninitialized structure when handling a error.
|
|
[RT #38568]
|
|
|
|
4059. [bug] Addressed valgrind warnings. [RT #38549]
|
|
|
|
4058. [bug] UDP dispatches could use the wrong pseudorandom
|
|
number generator context. [RT #38578]
|
|
|
|
4056. [bug] Fixed several small bugs in automatic trust anchor
|
|
management, including a memory leak and a possible
|
|
loss of key state information. [RT #38458]
|
|
|
|
4057. [bug] 'dnssec-dsfromkey -T 0' failed to add ttl field.
|
|
[RT #38565]
|
|
|
|
4053. [security] Revoking a managed trust anchor and supplying
|
|
an untrusted replacement could cause named
|
|
to crash with an assertion failure.
|
|
(CVE-2015-1349) [RT #38344]
|
|
|
|
4052. [bug] Fix a leak of query fetchlock. [RT #38454]
|
|
|
|
4051. [bug] Fix a leak of pthread_mutexattr_t. [RT #38454]
|
|
|
|
4050. [bug] RPZ could send spurious SERVFAILs in response
|
|
to duplicate queries. [RT #38510]
|
|
|
|
4049. [bug] CDS and CDNSKEY had the wrong attributes. [RT #38491]
|
|
|
|
4048. [bug] adb hash table was not being grown. [RT #38470]
|
|
|
|
--- 9.10.2rc1 released ---
|
|
|
|
4047. [cleanup] "named -V" now reports the current running versions
|
|
of OpenSSL and the libxml2 libraries, in addition to
|
|
the versions that were in use at build time.
|
|
|
|
4046. [bug] Accounting of "total use" in memory context
|
|
statistics was not correct. [RT #38370]
|
|
|
|
4045. [bug] Skip to next master on dns_request_createvia4 failure.
|
|
[RT #25185]
|
|
|
|
4044. [bug] Change 3955 was not complete, resulting in an assertion
|
|
failure if the timing was just right. [RT #38352]
|
|
|
|
4039. [cleanup] Cleaned up warnings from gcc -Wshadow. [RT #37381]
|
|
|
|
4038. [bug] Add 'rpz' flag to node and use it to determine whether
|
|
to call dns_rpz_delete. This should prevent unbalanced
|
|
add / delete calls. [RT #36888]
|
|
|
|
4037. [bug] also-notify was ignoring the tsig key when checking
|
|
for duplicates resulting in some expected notify
|
|
messages not being sent. [RT #38369]
|
|
|
|
4035. [bug] Close temporary and NZF FILE pointers before moving
|
|
the former into the latter's place, as required on
|
|
Windows. [RT #38332]
|
|
|
|
4033. [bug] Missing out of memory check in request.c:req_send.
|
|
[RT #38311]
|
|
|
|
4032. [bug] Built-in "empty" zones did not correctly inherit the
|
|
"allow-transfer" ACL from the options or view.
|
|
[RT #38310]
|
|
|
|
4031. [bug] named-checkconf -z failed to report a missing file
|
|
with a hint zone. [RT #38294]
|
|
|
|
4028. [bug] $GENERATE with a zero step was not being caught as a
|
|
error. A $GENERATE with a / but no step was not being
|
|
caught as a error. [RT #38262]
|
|
|
|
3973. [test] Added hooks for Google Performance Tools CPU profiler,
|
|
including real-time/wall-clock profiling. Use
|
|
"configure --with-gperftools-profiler" to enable.
|
|
[RT #37339]
|
|
|
|
--- 9.10.2b1 released ---
|
|
|
|
4027. [port] Net::DNS 0.81 compatibility. [RT #38165]
|
|
|
|
4026. [bug] Fix RFC 3658 reference in dig +sigchase. [RT #38173]
|
|
|
|
4025. [port] bsdi: failed to build. [RT #38047]
|
|
|
|
4024. [bug] dns_rdata_opt_first, dns_rdata_opt_next,
|
|
dns_rdata_opt_current, dns_rdata_txt_first,
|
|
dns_rdata_txt_next and dns_rdata_txt_current were
|
|
documented but not implemented. These have now been
|
|
implemented.
|
|
|
|
dns_rdata_spf_first, dns_rdata_spf_next and
|
|
dns_rdata_spf_current were documented but not
|
|
implemented. The prototypes for these
|
|
functions have been removed. [RT #38068]
|
|
|
|
4023. [bug] win32: socket handling with explicit ports and
|
|
invoking named with -4 was broken for some
|
|
configurations. [RT #38068]
|
|
|
|
4021. [bug] Adjust max-recursion-queries to accommodate
|
|
the need for more queries when the cache is
|
|
empty. [RT #38104]
|
|
|
|
4020. [bug] Change 3736 broke nsupdate's SOA MNAME discovery
|
|
resulting in updates being sent to the wrong server.
|
|
[RT #37925]
|
|
|
|
4019. [func] If named is not configured to validate the answer
|
|
then allow fallback to plain DNS on timeout even
|
|
when we know the server supports EDNS. [RT #37978]
|
|
|
|
4017. [test] Add system test to check lookups to legacy servers
|
|
with broken DNS behavior. [RT #37965]
|
|
|
|
4016. [bug] Fix a dig segfault due to bad linked list usage.
|
|
[RT #37591]
|
|
|
|
4015. [bug] Nameservers that are skipped due to them being
|
|
CNAMEs were not being logged. They are now logged
|
|
to category 'cname' as per BIND 8. [RT #37935]
|
|
|
|
4014. [bug] When including a master file origin_changed was
|
|
not being properly set leading to a potentially
|
|
spurious 'inherited owner' warning. [RT #37919]
|
|
|
|
4012. [bug] Check returned status of OpenSSL digest and HMAC
|
|
functions when they return one. Note this applies
|
|
only to FIPS capable OpenSSL libraries put in
|
|
FIPS mode and MD5. [RT #37944]
|
|
|
|
4011. [bug] master's list port and dscp inheritance was not
|
|
properly implemented. [RT #37792]
|
|
|
|
4010. [cleanup] Clear the prefetchable state when initiating a prefetch.
|
|
[RT #37399]
|
|
|
|
4008. [contrib] Updated zkt to latest version (1.1.3). [RT #37886]
|
|
|
|
4007. [doc] Remove acl forward reference restriction. [RT #37772]
|
|
|
|
4006. [security] A flaw in delegation handling could be exploited
|
|
to put named into an infinite loop. This has
|
|
been addressed by placing limits on the number
|
|
of levels of recursion named will allow (default 7),
|
|
and the number of iterative queries that it will
|
|
send (default 50) before terminating a recursive
|
|
query (CVE-2014-8500).
|
|
|
|
The recursion depth limit is configured via the
|
|
"max-recursion-depth" option, and the query limit
|
|
via the "max-recursion-queries" option. [RT #37580]
|
|
|
|
4004. [bug] When delegations had AAAA glue but not A, a
|
|
reference could be leaked causing an assertion
|
|
failure on shutdown. [RT #37796]
|
|
|
|
4003. [security] When geoip-directory was reconfigured during
|
|
named run-time, the previously loaded GeoIP
|
|
data could remain, potentially causing wrong
|
|
ACLs to be used or wrong results to be served
|
|
based on geolocation (CVE-2014-8680). [RT #37720]
|
|
|
|
4002. [security] Lookups in GeoIP databases that were not
|
|
loaded could cause an assertion failure
|
|
(CVE-2014-8680). [RT #37679]
|
|
|
|
4001. [security] The caching of GeoIP lookups did not always
|
|
handle address families correctly, potentially
|
|
resulting in an assertion failure (CVE-2014-8680).
|
|
[RT #37672]
|
|
|
|
4000. [bug] NXDOMAIN redirection incorrectly handled NXRRSET
|
|
from the redirect zone. [RT #37722]
|
|
|
|
3998. [bug] isc_radix_search was returning matches that were
|
|
too precise. [RT #37680]
|
|
|
|
3997. [protocol] Add OPENGPGKEY record. [RT# 37671]
|
|
|
|
3996. [bug] Address use after free on out of memory error in
|
|
keyring_add. [RT #37639]
|
|
|
|
3995. [bug] receive_secure_serial holds the zone lock for too
|
|
long. [RT #37626]
|
|
|
|
3990. [testing] Add tests for unknown DNSSEC algorithm handling.
|
|
[RT #37541]
|
|
|
|
3989. [cleanup] Remove redundant dns_db_resigned calls. [RT #35748]
|
|
|
|
3987. [func] Handle future Visual Studio 14 incompatible changes.
|
|
[RT #37380]
|
|
|
|
3986. [doc] Add the BIND version number to page footers
|
|
in the ARM. [RT #37398]
|
|
|
|
3985. [doc] Describe how +ndots and +search interact in dig.
|
|
[RT #37529]
|
|
|
|
3984. [func] Accept 256 byte long PINs in native PKCS#11
|
|
crypto. [RT #37410]
|
|
|
|
3982. [doc] Include release notes in product documentation.
|
|
[RT #37272]
|
|
|
|
3981. [bug] Cache DS/NXDOMAIN independently of other query types.
|
|
[RT #37467]
|
|
|
|
3980. [bug] Improve --with-tuning=large by self tuning of SO_RCVBUF
|
|
size. [RT #37187]
|
|
|
|
3978. [test] Added a unit test for Diffie-Hellman key
|
|
computation, completing change #3974. [RT #37477]
|
|
|
|
3976. [bug] When refreshing managed-key trust anchors, clear
|
|
any cached trust so that they will always be
|
|
revalidated with the current set of secure
|
|
roots. [RT #37506]
|
|
|
|
3974. [bug] Handle DH_compute_key() failure correctly in
|
|
openssldh_link.c. [RT #37477]
|
|
|
|
3972. [bug] Fix host's usage statement. [RT #37397]
|
|
|
|
3971. [bug] Reduce the cascading failures due to a bad $TTL line
|
|
in named-checkconf / named-checkzone. [RT #37138]
|
|
|
|
3970. [contrib] Fixed a use after free bug in the SDB LDAP driver.
|
|
[RT #37237]
|
|
|
|
3969. [test] Added 'delv' system test. [RT #36901]
|
|
|
|
3968. [bug] Silence spurious log messages when using 'named -[46]'.
|
|
[RT #37308]
|
|
|
|
3967. [test] Add test for inlined signed zone in multiple views
|
|
with different DNSKEY sets. [RT #35759]
|
|
|
|
3966. [bug] Missing dns_db_closeversion call in receive_secure_db.
|
|
[RT #35746]
|
|
|
|
3962. [bug] 'dig +topdown +trace +sigchase' address unhandled error
|
|
conditions. [RT #34663]
|
|
|
|
3961. [bug] Forwarding of SIG(0) signed UPDATE messages failed with
|
|
BADSIG. [RT #37216]
|
|
|
|
3960. [bug] 'dig +sigchase' could loop forever. [RT #37220]
|
|
|
|
3959. [bug] Updates could be lost if they arrived immediately
|
|
after a rndc thaw. [RT #37233]
|
|
|
|
3958. [bug] Detect when writeable files have multiple references
|
|
in named.conf. [RT #37172]
|
|
|
|
3957. [bug] "dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256
|
|
and ECDSAP384SHA384. [RT #37183]
|
|
|
|
3955. [bug] Notify messages due to changes are no longer queued
|
|
behind startup notify messages. [RT #24454]
|
|
|
|
3954. [bug] Unchecked mutex init in dlz_dlopen_driver.c [RT #37112]
|
|
|
|
3953. [bug] Don't escape semi-colon in TXT fields. [RT #37159]
|
|
|
|
3952. [bug] dns_name_fullcompare failed to set *nlabelsp when the
|
|
two name pointers were the same. [RT #37176]
|
|
|
|
--- 9.10.1 released ---
|
|
|
|
3950. [port] Changed the bin/python Makefile to work around a
|
|
bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993]
|
|
|
|
3948. [port] solaris: RCVBUFSIZE was too large on Solaris with
|
|
--with-tuning=large. [RT #37059]
|
|
|
|
--- 9.10.1rc2 released ---
|
|
|
|
3947. [cleanup] Set the executable bit on libraries when using
|
|
libtool. [RT #36786]
|
|
|
|
3946. [cleanup] Improved "configure" search for a python interpreter.
|
|
[RT #36992]
|
|
|
|
3945. [bug] Invalid wildcard expansions could be incorrectly
|
|
accepted by the validator. [RT #37093]
|
|
|
|
3944. [test] Added a regression test for "server-id". [RT #37057]
|
|
|
|
3942. [bug] Wildcard responses from a optout range should be
|
|
marked as insecure. [RT #37072]
|
|
|
|
3941. [doc] Include the BIND version number in the ARM. [RT #37067]
|
|
|
|
--- 9.10.1rc1 released ---
|
|
|
|
3935. [bug] "geoip asnum" ACL elements would not match unless
|
|
the full organization name was specified. They
|
|
can now match against the AS number alone (e.g.,
|
|
AS1234). [RT #36945]
|
|
|
|
3934. [bug] Catch bad 'sit-secret' in named-checkconf. Improve
|
|
sit-secret documentation. [RT #36980]
|
|
|
|
3933. [bug] Corrected the implementation of dns_rdata_casecompare()
|
|
for the HIP rdata type. [RT #36911]
|
|
|
|
3932. [test] Improved named-checkconf tests. [RT #36911]
|
|
|
|
3931. [cleanup] Cleanup how dlz grammar is defined. [RT #36879]
|
|
|
|
3929. [bug] 'host -a' needed to clear idnoptions. [RT #36963]
|
|
|
|
3928. [test] Improve rndc system test. [RT #36898]
|
|
|
|
3927. [bug] dig: report PKCS#11 error codes correctly when
|
|
compiled with --enable-native-pkcs11. [RT #36956]
|
|
|
|
3926. [doc] Added doc for geoip-directory. [RT #36877]
|
|
|
|
3925. [bug] DS lookup of RFC 1918 empty zones failed. [RT #36917]
|
|
|
|
3924. [bug] Improve 'rndc addzone' error reporting. [RT #35187]
|
|
|
|
3923. [bug] Sanity check the xml2-config output. [RT #22246]
|
|
|
|
3922. [bug] When resigning, dnssec-signzone was removing
|
|
all signatures from delegation nodes. It now
|
|
retains DS and (if applicable) NSEC signatures.
|
|
[RT #36946]
|
|
|
|
3921. [bug] AD was inappropriately set on RPZ responses. [RT #36833]
|
|
|
|
3919. [bug] dig: continue to next line if a address lookup fails
|
|
in batch mode. [RT #36755]
|
|
|
|
3918. [doc] Update check-spf documentation. [RT #36910]
|
|
|
|
3917. [bug] dig, nslookup and host now continue on names that are
|
|
too long after applying a search list elements.
|
|
[RT #36892]
|
|
|
|
3916. [contrib] zone2sqlite checked wrong result code. Address
|
|
compiler warnings. [RT #36931]
|
|
|
|
3915. [bug] Address a assertion if a route event arrived while
|
|
shutting down. [RT #36887]
|
|
|
|
--- 9.10.1b2 released ---
|
|
|
|
3914. [bug] Allow the URI target and CAA value fields to
|
|
be zero length. [RT #36737]
|
|
|
|
3913. [bug] Address race issue in dispatch. [RT #36731]
|
|
|
|
3912. [bug] Address some unrecoverable lookup failures. [RT #36330]
|
|
|
|
3910. [bug] Fix races to free event during shutdown. [RT #36720]
|
|
|
|
3909. [bug] When computing the number of elements required for a
|
|
acl count_acl_elements could have a short count leading
|
|
to a assertion failure. Also zero out new acl elements
|
|
in dns_acl_merge. [RT #36675]
|
|
|
|
3908. [bug] rndc now differentiates between a zone in multiple
|
|
views and a zone that doesn't exist at all. [RT #36691]
|
|
|
|
3907. [cleanup] Alphabetize rndc help. [RT #36683]
|
|
|
|
3906. [protocol] Update URI record format to comply with
|
|
draft-faltstrom-uri-08. [RT #36642]
|
|
|
|
3905. [bug] Address deadlock between view.c and adb.c. [RT #36341]
|
|
|
|
3904. [func] Add the RPZ SOA to the additional section. [RT36507]
|
|
|
|
3903. [bug] Improve the accuracy of DiG's reported round trip
|
|
time. [RT 36611]
|
|
|
|
3902. [bug] liblwres wasn't handling link-local addresses in
|
|
nameserver clauses in resolv.conf. [RT #36039]
|
|
|
|
3901. [protocol] Added support for CAA record type (RFC 6844).
|
|
[RT #36625]
|
|
|
|
3900. [bug] Fix a crash in PostgreSQL DLZ driver. [RT #36637]
|
|
|
|
3899. [bug] "request-ixfr" is only applicable to slave and redirect
|
|
zones. [RT #36608]
|
|
|
|
3898. [bug] Too small a buffer in tohexstr() calls in test code.
|
|
[RT #36598]
|
|
|
|
3897. [bug] RPZ summary information was not properly being updated
|
|
after a AXFR resulting in changes sometimes being
|
|
ignored. [RT #35885]
|
|
|
|
3896. [bug] Address performance issues with DSCP code on some
|
|
platforms. [RT #36534]
|
|
|
|
3894. [bug] Buffers in isc_print_vsnprintf were not properly
|
|
initialized leading to potential overflows when
|
|
printing out quad values. [RT #36505]
|
|
|
|
3893. [bug] Peer DSCP values could be returned without being set.
|
|
[RT #36538]
|
|
|
|
3892. [bug] Setting '-t aaaa' in .digrc had unintended side
|
|
effects. [RT #36452]
|
|
|
|
3891. [bug] Use ${INSTALL_SCRIPT} rather than ${INSTALL_PROGRAM}
|
|
to install python programs.
|
|
|
|
3890. [bug] RRSIG sets that were not loaded in a single transaction
|
|
at start up where not being correctly added to
|
|
re-signing heaps. [RT #36302]
|
|
|
|
3889. [port] hurd: configure fixes as per:
|
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746540
|
|
|
|
3887. [cleanup] Make all static symbols in rbtdb64 end in "64" so
|
|
they are easier to use in a debugger. [RT #36373]
|
|
|
|
3886. [bug] rbtdb_write_header should use a once to initialize
|
|
FILE_VERSION. [RT #36374]
|
|
|
|
--- 9.10.1b1 released ---
|
|
|
|
3885. [port] Use 'open()' rather than 'file()' to open files in
|
|
python.
|
|
|
|
3884. [protocol] Add CDS and CDNSKEY record types. [RT #36333]
|
|
|
|
3881. [bug] Address memory leak with UPDATE error handling.
|
|
[RT #36303]
|
|
|
|
3880. [test] Update ans.pl to work with new TSIG support in
|
|
Net::DNS; add additional Net::DNS version prerequisite
|
|
checks. [RT #36327]
|
|
|
|
3879. [func] Add version printing option to various BIND utilities.
|
|
[RT #10686]
|
|
|
|
3878. [bug] Using the incorrect filename for a DLZ module
|
|
caused a segmentation fault on startup. [RT #36286]
|
|
|
|
3877. [bug] Inserting and deleting parent and child nodes
|
|
in response policy zones could trigger an assertion
|
|
failure. [RT #36272]
|
|
|
|
3874. [test] Check that only "check-names master" is needed for
|
|
updates to be accepted.
|
|
|
|
3873. [protocol] Only warn for SPF without TXT spf record. [RT #36210]
|
|
|
|
3872. [bug] Address issues found by static analysis. [RT #36209]
|
|
|
|
3871. [bug] Don't publish an activated key automatically before
|
|
its publish time. [RT #35063]
|
|
|
|
3869. [doc] Document that in-view zones cannot be used for
|
|
response policy zones. [RT #35941]
|
|
|
|
3868. [bug] isc_mem_setwater incorrectly cleared hi_called
|
|
potentially leaving over memory cleaner running.
|
|
[RT #35270]
|
|
|
|
3866. [bug] Named could die on disk full in generate_session_key.
|
|
[RT #36119]
|
|
|
|
3865. [test] Improved testability of the red-black tree
|
|
implementation and added unit tests. [RT #35904]
|
|
|
|
3864. [bug] RPZ didn't work well when being used as forwarder.
|
|
[RT #36060]
|
|
|
|
3863. [bug] The "E" flag was missing from the query log as a
|
|
unintended side effect of code rearrangement to
|
|
support EDNS EXPIRE. [RT #36117]
|
|
|
|
3862. [cleanup] Return immediately if we are not going to log the
|
|
message in ns_client_dumpmessage.
|
|
|
|
3861. [security] Missing isc_buffer_availablelength check results
|
|
in a REQUIRE assertion when printing out a packet
|
|
(CVE-2014-3859). [RT #36078]
|
|
|
|
3860. [bug] ioctl(DP_POLL) array size needs to be determined
|
|
at run time as it is limited to {OPEN_MAX}.
|
|
[RT #35878]
|
|
|
|
3858. [bug] Disable GCC 4.9 "delete null pointer check".
|
|
[RT #35968]
|
|
|
|
3857. [bug] Make it harder for a incorrect NOEDNS classification
|
|
to be made. [RT #36020]
|
|
|
|
3856. [bug] Configuring libjson without also configuring libxml
|
|
resulting in a REQUIRE assertion when retrieving
|
|
statistics using json. [RT #36009]
|
|
|
|
3855. [bug] Limit smoothed round trip time aging to no more than
|
|
once a second. [RT #32909]
|
|
|
|
3854. [cleanup] Report unrecognized options, if any, in the final
|
|
configure summary. [RT #36014]
|
|
|
|
3853. [cleanup] Refactor dns_rdataslab_fromrdataset to separate out
|
|
the handling of a rdataset with no records. [RT #35968]
|
|
|
|
3851. [func] Allow libseccomp based system-call filtering
|
|
on Linux; use "configure --enable-seccomp" to
|
|
turn it on. Thanks to Loganaden Velvindron for
|
|
the contribution. [RT #35347]
|
|
|
|
3850. [bug] Disabling forwarding could trigger a REQUIRE assertion.
|
|
[RT #35979]
|
|
|
|
3849. [doc] Alphabetized dig's +options. [RT #35992]
|
|
|
|
3848. [bug] Adjust 'statistics-channels specified but not effective'
|
|
error message to account for JSON support. [RT #36008]
|
|
|
|
3847. [bug] 'configure --with-dlz-postgres' failed to fail when
|
|
there is not support available.
|
|
|
|
3846. [bug] "dig +notcp ixfr=<serial>" should result in a UDP
|
|
ixfr query. [RT #35980]
|
|
|
|
3845. [doc] Remove documention for yet to be committed RRL
|
|
changes. [RT #35897]
|
|
|
|
3844. [bug] Use the x64 version of the Microsoft Visual C++
|
|
Redistributable when built for 64 bit Windows.
|
|
[RT #35973]
|
|
|
|
3843. [protocol] Check EDNS EXPIRE option in dns_rdata_fromwire.
|
|
[RT #35969]
|
|
|
|
3842. [bug] Adjust RRL log-only logging category. [RT #35945]
|
|
|
|
3841. [cleanup] Refactor zone.c:add_opt to use dns_message_buildopt.
|
|
[RT #35924]
|
|
|
|
3840. [port] Check for arc4random_addrandom() before using it;
|
|
it's been removed from OpenBSD 5.5. [RT #35907]
|
|
|
|
3839. [test] Use only posix-compatible shell in system tests.
|
|
[RT #35625]
|
|
|
|
3838. [protocol] EDNS EXPIRE as been assigned a code point of 9.
|
|
|
|
3837. [security] A NULL pointer is passed to query_prefetch resulting
|
|
a REQUIRE assertion failure when a fetch is actually
|
|
initiated (CVE-2014-3214). [RT #35899]
|
|
|
|
3836. [bug] Address C++ keyword usage in header file.
|
|
|
|
3835. [bug] Geoip ACL elements didn't work correctly when
|
|
referenced via named or nested ACLs. [RT #35879]
|
|
|
|
3834. [bug] The re-signing heaps were not being updated soon enough
|
|
leading to multiple re-generations of the same RRSIG
|
|
when a zone transfer was in progress. [RT #35273]
|
|
|
|
3833. [bug] Cross compiling was broken due to calling genrandom at
|
|
build time. [RT #35869]
|
|
|
|
3831. [cleanup] Reduce logging noise when EDNS state changes occur.
|
|
[RT #35843]
|
|
|
|
3827. [contrib] The example DLZ driver (a version of which is
|
|
also used in the dlzexternal system test) could
|
|
use absolute names as relative. [RT #35802]
|
|
|
|
3826. [bug] Corrected bad INSIST logic in isc_radix_remove().
|
|
[RT #35870]
|
|
|
|
3825. [bug] Address sign extension bug in isc_regex_validate.
|
|
[RT #35758]
|
|
|
|
3822. [bug] Log the correct type of static-stub zones when
|
|
removing them. [RT #35842]
|
|
|
|
3819. [bug] NSEC3 hashes need to be able to be entered and
|
|
displayed without padding. This is not a issue for
|
|
currently defined algorithms but may be for future
|
|
hash algorithms. [RT #27925]
|
|
|
|
3818. [bug] Stop lying to the optimizer that 'void *arg' is a
|
|
constant in isc_event_allocate.
|
|
|
|
--- 9.10.0 released ---
|
|
|
|
3824. [bug] A collision between two flag values could cause
|
|
problems with cache cleaning when SIT was enabled.
|
|
[RT #35858]
|
|
|
|
--- 9.10.0rc2 released ---
|
|
|
|
3817. [func] The "delve" command is now spelled "delv" to avoid
|
|
a namespace collision with the Xapian project.
|
|
[RT #35801]
|
|
|
|
3815. [doc] Clarify "nsupdate -y" usage in man page. [RT #35808]
|
|
|
|
3810. [bug] Work around broken nameservers that fail to ignore
|
|
unknown EDNS options. [RT #35766]
|
|
|
|
3809. [doc] Fix SIT and NSID documentation.
|
|
|
|
3808. [doc] Clean up "prefetch" documentation. [RT #35751]
|
|
|
|
3807. [bug] Fix sign extension bug in dns_name_fromtext when
|
|
lowercase is set. [RT #35743]
|
|
|
|
3806. [test] Improved system test portability. [RT #35625]
|
|
|
|
3805. [contrib] Added contrib/perftcpdns, a performance testing tool
|
|
for DNS over TCP. [RT #35710]
|
|
|
|
--- 9.10.0rc1 released ---
|
|
|
|
3804. [bug] Corrected a race condition in dispatch.c in which
|
|
portentry could be reset leading to an assertion
|
|
failure in socket_search(). (Change #3708
|
|
addressed the same issue but was incomplete.)
|
|
[RT #35128]
|
|
|
|
3803. [bug] "named-checkconf -z" incorrectly rejected zones
|
|
using alternate data sources for not having a "file"
|
|
option. [RT #35685]
|
|
|
|
3802. [bug] Various header files were not being installed.
|
|
|
|
3801. [port] Fix probing for gssapi support on FreeBSD. [RT #35615]
|
|
|
|
3800. [bug] A pending event on the route socket could cause an
|
|
assertion failure when shutting down named. [RT #35674]
|
|
|
|
3799. [bug] Improve named's command line error reporting.
|
|
[RT #35603]
|
|
|
|
3798. [bug] 'rndc zonestatus' was reporting the wrong re-signing
|
|
time. [RT #35659]
|
|
|
|
3797. [port] netbsd: geoip support probing was broken. [RT #35642]
|
|
|
|
3796. [bug] Register dns and pkcs#11 error codes. [RT #35629]
|
|
|
|
3795. [bug] Make named-checkconf detect raw masterfiles for
|
|
hint zones and reject them. [RT #35268]
|
|
|
|
3794. [maint] Added AAAA for C.ROOT-SERVERS.NET.
|
|
|
|
3793. [bug] zone.c:save_nsec3param() could assert when out of
|
|
memory. [RT #35621]
|
|
|
|
3792. [func] Provide links to the alternate statistics views when
|
|
displaying in a browser. [RT #35605]
|
|
|
|
3791. [placeholder]
|
|
|
|
3790. [bug] Handle broken nameservers that send BADVERS in
|
|
response to unknown EDNS options. Maintain
|
|
statistics on BADVERS responses.
|
|
|
|
3789. [bug] Null pointer dereference on rbt creation failure.
|
|
|
|
3788. [bug] dns_peer_getrequestsit was returning request_nsid by
|
|
mistake.
|
|
|
|
--- 9.10.0b2 released ---
|
|
|
|
3787. [bug] The code that checks whether "auto-dnssec" is
|
|
allowed was ignoring "allow-update" ACLs set at
|
|
the options or view level. [RT #29536]
|
|
|
|
3786. [func] Provide more detailed error codes when using
|
|
native PKCS#11. "pkcs11-tokens" now fails robustly
|
|
rather than asserting when run against an HSM with
|
|
an incomplete PKCS#11 API implementation. [RT #35479]
|
|
|
|
3785. [bug] Debugging code dumphex didn't accept arbitrarily long
|
|
input (only compiled with -DDEBUG). [RT #35544]
|
|
|
|
3784. [bug] Using "rrset-order fixed" when it had not been
|
|
enabled at compile time caused inconsistent
|
|
results. It now works as documented, defaulting
|
|
to cyclic mode. [RT #28104]
|
|
|
|
3783. [func] "tsig-keygen" is now available as an alternate
|
|
command name for "ddns-confgen". It generates
|
|
a TSIG key in named.conf format without comments.
|
|
[RT #35503]
|
|
|
|
3782. [func] Specifying "auto" as the salt when using
|
|
"rndc signing -nsec3param" causes named to
|
|
generate a 64-bit salt at random. [RT #35322]
|
|
|
|
3781. [tuning] Use adaptive mutex locks when available; this
|
|
has been found to improve performance under load
|
|
on many systems. "configure --with-locktype=standard"
|
|
restores conventional mutex locks. [RT #32576]
|
|
|
|
3780. [bug] $GENERATE handled negative numbers incorrectly.
|
|
[RT #25528]
|
|
|
|
3779. [cleanup] Clarify the error message when using an option
|
|
that was not enabled at compile time. [RT #35504]
|
|
|
|
3778. [bug] Log a warning when the wrong address family is
|
|
used in "listen-on" or "listen-on-v6". [RT #17848]
|
|
|
|
3777. [bug] EDNS EXPIRE code could dump core when processing
|
|
DLZ queries. [RT #35493]
|
|
|
|
3776. [func] "rndc -q" suppresses output from successful
|
|
rndc commands. Errors are printed on stderr.
|
|
[RT #21393]
|
|
|
|
3775. [bug] dlz_dlopen driver could return the wrong error
|
|
code on API version mismatch, leading to a segfault.
|
|
[RT #35495]
|
|
|
|
3774. [func] When using "request-nsid", log the NSID value in
|
|
printable form as well as hex. [RT #20864]
|
|
|
|
3773. [func] "host", "nslookup" and "nsupdate" now have
|
|
options to print the version number and exit.
|
|
[RT #26057]
|
|
|
|
3772. [contrib] Added sqlite3 dynamically-loadable DLZ module.
|
|
(Based in part on a contribution from Tim Tessier.)
|
|
[RT #20822]
|
|
|
|
3771. [cleanup] Adjusted log level for "using built-in key"
|
|
messages. [RT #24383]
|
|
|
|
3770. [bug] "dig +trace" could fail with an assertion when it
|
|
needed to fall back to TCP due to a truncated
|
|
response. [RT #24660]
|
|
|
|
3769. [doc] Improved documentation of "rndc signing -list".
|
|
[RT #30652]
|
|
|
|
3768. [bug] "dnssec-checkds" was missing the SHA-384 digest
|
|
algorithm. [RT #34000]
|
|
|
|
3767. [func] Log explicitly when using rndc.key to configure
|
|
command channel. [RT #35316]
|
|
|
|
3766. [cleanup] Fixed problems with building outside the source
|
|
tree when using native PKCS#11. [RT #35459]
|
|
|
|
3765. [bug] Fixed a bug in "rndc secroots" that could crash
|
|
named when dumping an empty keynode. [RT #35469]
|
|
|
|
3764. [bug] The dnssec-keygen/settime -S and -i options
|
|
(to set up a successor key and set the prepublication
|
|
interval) were missing from dnssec-keyfromlabel.
|
|
[RT #35394]
|
|
|
|
3763. [bug] delve: Cache DNSSEC records to avoid the need to
|
|
re-fetch them when restarting validation. [RT #35476]
|
|
|
|
3762. [bug] Address build problems with --pkcs11-native +
|
|
--with-openssl with ECDSA support. [RT #35467]
|
|
|
|
3761. [bug] Address dangling reference bug in dns_keytable_add.
|
|
[RT #35471]
|
|
|
|
3760. [bug] Improve SIT with native PKCS#11 and on Windows.
|
|
[RT #35433]
|
|
|
|
3759. [port] Enable delve on Windows. [RT #35441]
|
|
|
|
3758. [port] Enable export library APIs on Windows. [RT #35382]
|
|
|
|
3757. [port] Enable Python tools (dnssec-coverage,
|
|
dnssec-checkds) to run on Windows. [RT #34355]
|
|
|
|
3756. [bug] GSSAPI Kerberos realm checking was broken in
|
|
check_config leading to spurious messages being
|
|
logged. [RT #35443]
|
|
|
|
--- 9.10.0b1 released ---
|
|
|
|
3755. [func] Add stats counters for known EDNS options + others.
|
|
[RT #35447]
|
|
|
|
3754. [cleanup] win32: Installer now places files in the
|
|
Program Files area rather than system services.
|
|
[RT #35361]
|
|
|
|
3753. [bug] allow-notify was ignoring keys. [RT #35425]
|
|
|
|
3752. [bug] Address potential REQUIRE failure if
|
|
DNS_STYLEFLAG_COMMENTDATA is set when printing out
|
|
a rdataset.
|
|
|
|
3751. [tuning] The default setting for the -U option (setting
|
|
the number of UDP listeners per interface) has
|
|
been adjusted to improve performance. [RT #35417]
|
|
|
|
3750. [experimental] Partially implement EDNS EXPIRE option as described
|
|
in draft-andrews-dnsext-expire-00. Retrieval of
|
|
the remaining time until expiry for slave zones
|
|
is supported.
|
|
|
|
EXPIRE uses an experimental option code (65002),
|
|
which is subject to change. [RT #35416]
|
|
|
|
3749. [func] "dig +subnet" sends an EDNS client subnet option
|
|
containing the specified address/prefix when
|
|
querying. (Thanks to Wilmer van der Gaast.)
|
|
[RT #35415]
|
|
|
|
3748. [test] Use delve to test dns_client interfaces. [RT #35383]
|
|
|
|
3747. [bug] A race condition could lead to a core dump when
|
|
destroying a resolver fetch object. [RT #35385]
|
|
|
|
3746. [func] New "max-zone-ttl" option enforces maximum
|
|
TTLs for zones. If loading a zone containing a
|
|
higher TTL, the load fails. DDNS updates with
|
|
higher TTLs are accepted but the TTL is truncated.
|
|
(Note: Currently supported for master zones only;
|
|
inline-signing slaves will be added.) [RT #38405]
|
|
|
|
3745. [func] "configure --with-tuning=large" adjusts various
|
|
compiled-in constants and default settings to
|
|
values suited to large servers with abundant
|
|
memory. [RT #29538]
|
|
|
|
3744. [experimental] SIT: send and process Source Identity Tokens
|
|
(similar to DNS Cookies by Donald Eastlake 3rd),
|
|
which are designed to help clients detect off-path
|
|
spoofed responses and for servers to identify
|
|
legitimate clients.
|
|
|
|
SIT uses an experimental EDNS option code (65001),
|
|
which will be changed to an IANA-assigned value
|
|
if the experiment is deemed a success.
|
|
|
|
SIT can be enabled via "configure --enable-sit" (or
|
|
--enable-developer). It is enabled by default in
|
|
Windows.
|
|
|
|
Servers can be configured to send smaller responses
|
|
to clients that have not identified themselves via
|
|
SIT. RRL processing has also been updated;
|
|
legitimate clients are not subject to rate
|
|
limiting. [RT #35389]
|
|
|
|
3743. [bug] delegation-only flag wasn't working in forward zone
|
|
declarations despite being documented. This is
|
|
needed to support turning off forwarding and turning
|
|
on delegation only at the same name. [RT #35392]
|
|
|
|
3742. [port] linux: libcap support: declare curval at start of
|
|
block. [RT #35387]
|
|
|
|
3741. [func] "delve" (domain entity lookup and validation engine):
|
|
A new tool with dig-like semantics for performing DNS
|
|
lookups, with internal DNSSEC validation, using the
|
|
same resolver and validator logic as named. This
|
|
allows easy validation of DNSSEC data in environments
|
|
with untrustworthy resolvers, and assists with
|
|
troubleshooting of DNSSEC problems. [RT #32406]
|
|
|
|
3740. [contrib] Minor fixes to configure --with-dlz-bdb,
|
|
--with-dlz-postgres and --with-dlz-odbc. [RT #35340]
|
|
|
|
3739. [func] Added per-zone stats counters to track TCP and
|
|
UDP queries. [RT #35375]
|
|
|
|
3738. [bug] --enable-openssl-hash failed to build. [RT #35343]
|
|
|
|
3737. [bug] 'rndc retransfer' could trigger a assertion failure
|
|
with inline zones. [RT #35353]
|
|
|
|
3736. [bug] nsupdate: When specifying a server by name,
|
|
fall back to alternate addresses if the first
|
|
address for that name is not reachable. [RT #25784]
|
|
|
|
3735. [cleanup] Merged the libiscpk11 library into libisc
|
|
to simplify dependencies. [RT #35205]
|
|
|
|
3734. [bug] Improve building with libtool. [RT #35314]
|
|
|
|
3733. [func] Improve interface scanning support. Interface
|
|
information will be automatically updated if the
|
|
OS supports routing sockets (MacOS, *BSD, Linux).
|
|
Use "automatic-interface-scan no;" to disable.
|
|
|
|
Add "rndc scan" to trigger a scan. [RT #23027]
|
|
|
|
3732. [contrib] Fixed a type mismatch causing the ODBC DLZ
|
|
driver to dump core on 64-bit systems. [RT #35324]
|
|
|
|
3731. [func] Added a "no-case-compress" ACL, which causes
|
|
named to use case-insensitive compression
|
|
(disabling change #3645) for specified
|
|
clients. (This is useful when dealing
|
|
with broken client implementations that
|
|
use case-sensitive name comparisons,
|
|
rejecting responses that fail to match the
|
|
capitalization of the query that was sent.)
|
|
[RT #35300]
|
|
|
|
3730. [cleanup] Added "never" as a synonym for "none" when
|
|
configuring key event dates in the dnssec tools.
|
|
[RT #35277]
|
|
|
|
3729. [bug] dnssec-keygen could set the publication date
|
|
incorrectly when only the activation date was
|
|
specified on the command line. [RT #35278]
|
|
|
|
3728. [doc] Expanded native-PKCS#11 documentation,
|
|
specifically pkcs11: URI labels. [RT #35287]
|
|
|
|
3727. [func] The isc_bitstring API is no longer used and
|
|
has been removed from libisc. [RT #35284]
|
|
|
|
3726. [cleanup] Clarified the error message when attempting
|
|
to configure more than 32 response-policy zones.
|
|
[RT #35283]
|
|
|
|
3725. [contrib] Updated zkt and nslint to newest versions,
|
|
cleaned up and rearranged the contrib
|
|
directory, and added a README.
|
|
|
|
--- 9.10.0a2 released ---
|
|
|
|
3724. [bug] win32: Fixed a bug that prevented dig and
|
|
host from exiting properly after completing
|
|
a UDP query. [RT #35288]
|
|
|
|
3723. [cleanup] Imported keys are now handled the same way
|
|
regardless of DNSSEC algorithm. [RT #35215]
|
|
|
|
3722. [bug] Using geoip ACLs in a blackhole statement
|
|
could cause a segfault. [RT #35272]
|
|
|
|
3721. [doc] Improved documentation of the EDNS processing
|
|
enhancements introduced in change #3593. [RT #35275]
|
|
|
|
3720. [bug] Address compiler warnings. [RT #35261]
|
|
|
|
3719. [bug] Address memory leak in in peer.c. [RT #35255]
|
|
|
|
3718. [bug] A missing ISC_LINK_INIT in log.c. [RT #35260]
|
|
|
|
3717. [port] hpux: Treat EOPNOTSUPP as a expected error code when
|
|
probing to see if it is possible to set dscp values
|
|
on a per packet basis. [RT #35252]
|
|
|
|
3716. [bug] The dns_request code was setting dcsp values when not
|
|
requested. [RT #35252]
|
|
|
|
3715. [bug] The region and city databases could fail to
|
|
initialize when using some versions of libGeoIP,
|
|
causing assertion failures when named was
|
|
configured to use them. [RT #35427]
|
|
|
|
3714. [test] System tests that need to test for cryptography
|
|
support before running can now use a common
|
|
"testcrypto.sh" script to do so. [RT #35213]
|
|
|
|
3713. [bug] Save memory by not storing "also-notify" addresses
|
|
in zone objects that are configured not to send
|
|
notify requests. [RT #35195]
|
|
|
|
3712. [placeholder]
|
|
|
|
3711. [placeholder]
|
|
|
|
3710. [bug] Address double dns_zone_detach when switching to
|
|
using automatic empty zones from regular zones.
|
|
[RT #35177]
|
|
|
|
3709. [port] Use built-in versions of strptime() and timegm()
|
|
on all platforms to avoid portability issues.
|
|
[RT #35183]
|
|
|
|
3708. [bug] Address a portentry locking issue in dispatch.c.
|
|
[RT #35128]
|
|
|
|
3707. [bug] irs_resconf_load now returns ISC_R_FILENOTFOUND
|
|
on a missing resolv.conf file and initializes the
|
|
structure as if it had been configured with:
|
|
|
|
nameserver ::1
|
|
nameserver 127.0.0.1
|
|
|
|
Note: Callers will need to be updated to treat
|
|
ISC_R_FILENOTFOUND as a qualified success or else
|
|
they will leak memory. The following code fragment
|
|
will work with both old and new versions without
|
|
changing the behaviour of the existing code.
|
|
|
|
resconf = NULL;
|
|
result = irs_resconf_load(mctx, "/etc/resolv.conf",
|
|
&resconf);
|
|
if (result != ISC_SUCCESS) {
|
|
if (resconf != NULL)
|
|
irs_resconf_destroy(&resconf);
|
|
....
|
|
}
|
|
|
|
[RT #35194]
|
|
|
|
3706. [contrib] queryperf: Fixed a possible integer overflow when
|
|
printing results. [RT #35182]
|
|
|
|
3705. [func] "configure --enable-native-pkcs11" enables BIND
|
|
to use the PKCS#11 API for all cryptographic
|
|
functions, so that it can drive a hardware service
|
|
module directly without the need to use a modified
|
|
OpenSSL as intermediary (so long as the HSM's vendor
|
|
provides a complete-enough implementation of the
|
|
PKCS#11 interface). This has been tested successfully
|
|
with the Thales nShield HSM and with SoftHSMv2 from
|
|
the OpenDNSSEC project. [RT #29031]
|
|
|
|
3704. [protocol] Accept integer timestamps in RRSIG records. [RT #35185]
|
|
|
|
3703. [func] To improve recursive resolver performance, cache
|
|
records which are still being requested by clients
|
|
can now be automatically refreshed from the
|
|
authoritative server before they expire, reducing
|
|
or eliminating the time window in which no answer
|
|
is available in the cache. See the "prefetch" option
|
|
for more details. [RT #35041]
|
|
|
|
3702. [func] 'dnssec-coverage -l' option specifies a length
|
|
of time to check for coverage; events further into
|
|
the future are ignored. 'dnssec-coverage -z'
|
|
checks only ZSK events, and 'dnssec-coverage -k'
|
|
checks only KSK events. (Thanks to Peter Palfrader.)
|
|
[RT #35168]
|
|
|
|
3701. [func] named-checkconf can now obscure shared secrets
|
|
when printing by specifying '-x'. [RT #34465]
|
|
|
|
3700. [func] Allow access to subgroups of XML statistics via
|
|
special URLs http://<server>:<port>/xml/v3/server,
|
|
/zones, /net, /tasks, /mem, and /status. [RT #35115]
|
|
|
|
3699. [bug] Improvements to statistics channel XSL stylesheet:
|
|
the stylesheet can now be cached by the browser;
|
|
section headers are omitted from the stats display
|
|
when there is no data in those sections to be
|
|
displayed; counters are now right-justified for
|
|
easier readability. [RT #35117]
|
|
|
|
3698. [cleanup] Replaced all uses of memcpy() with memmove().
|
|
[RT #35120]
|
|
|
|
3697. [bug] Handle "." as a search list element when IDN support
|
|
is enabled. [RT #35133]
|
|
|
|
3696. [bug] dig failed to handle AXFR style IXFR responses which
|
|
span multiple messages. [RT #35137]
|
|
|
|
3695. [bug] Address a possible race in dispatch.c. [RT #35107]
|
|
|
|
3694. [bug] Warn when a key-directory is configured for a zone,
|
|
but does not exist or is not a directory. [RT #35108]
|
|
|
|
3693. [security] memcpy was incorrectly called with overlapping
|
|
ranges resulting in malformed names being generated
|
|
on some platforms. This could cause INSIST failures
|
|
when serving NSEC3 signed zones (CVE-2014-0591).
|
|
[RT #35120]
|
|
|
|
3692. [bug] Two calls to dns_db_getoriginnode were fatal if there
|
|
was no data at the node. [RT #35080]
|
|
|
|
3691. [contrib] Address null pointer dereference in LDAP and
|
|
MySQL DLZ modules.
|
|
|
|
3690. [bug] Iterative responses could be missed when the source
|
|
port for an upstream query was the same as the
|
|
listener port (53). [RT #34925]
|
|
|
|
3689. [bug] Fixed a bug causing an insecure delegation from one
|
|
static-stub zone to another to fail with a broken
|
|
trust chain. [RT #35081]
|
|
|
|
3688. [bug] loadnode could return a freed node on out of memory.
|
|
[RT #35106]
|
|
|
|
3687. [bug] Address null pointer dereference in zone_xfrdone.
|
|
[RT #35042]
|
|
|
|
3686. [func] "dnssec-signzone -Q" drops signatures from keys
|
|
that are still published but no longer active.
|
|
[RT #34990]
|
|
|
|
3685. [bug] "rndc refresh" didn't work correctly with slave
|
|
zones using inline-signing. [RT #35105]
|
|
|
|
3684. [bug] The list of included files would grow on reload.
|
|
[RT 35090]
|
|
|
|
3683. [cleanup] Add a more detailed "not found" message to rndc
|
|
commands which specify a zone name. [RT #35059]
|
|
|
|
3682. [bug] Correct the behavior of rndc retransfer to allow
|
|
inline-signing slave zones to retain NSEC3 parameters
|
|
instead of reverting to NSEC. [RT #34745]
|
|
|
|
3681. [port] Update the Windows build system to support feature
|
|
selection and WIN64 builds. This is a work in
|
|
progress. [RT #34160]
|
|
|
|
3680. [bug] Ensure buffer space is available in "rndc zonestatus".
|
|
[RT #35084]
|
|
|
|
3679. [bug] dig could fail to clean up TCP sockets still
|
|
waiting on connect(). [RT #35074]
|
|
|
|
3678. [port] Update config.guess and config.sub. [RT #35060]
|
|
|
|
3677. [bug] 'nsupdate' leaked memory if 'realm' was used multiple
|
|
times. [RT #35073]
|
|
|
|
3676. [bug] "named-checkconf -z" now checks zones of type
|
|
hint and redirect as well as master. [RT #35046]
|
|
|
|
3675. [misc] Provide a place for third parties to add version
|
|
information for their extensions in the version
|
|
file by setting the EXTENSIONS variable.
|
|
|
|
--- 9.10.0a1 released ---
|
|
|
|
3674. [bug] RPZ zeroed ttls if the query type was '*'. [RT #35026]
|
|
|
|
3673. [func] New "in-view" zone option allows direct sharing
|
|
of zones between views. [RT #32968]
|
|
|
|
3672. [func] Local address can now be specified when using
|
|
dns_client API. [RT #34811]
|
|
|
|
3671. [bug] Don't allow dnssec-importkey overwrite a existing
|
|
non-imported private key.
|
|
|
|
3670. [bug] Address read after free in server side of
|
|
lwres_getrrsetbyname. [RT #29075]
|
|
|
|
3669. [port] freebsd: --with-gssapi needs -lhx509. [RT #35001]
|
|
|
|
3668. [bug] Fix cast in lex.c which could see 0xff treated as eof.
|
|
[RT #34993]
|
|
|
|
3667. [test] dig: add support to keep the TCP socket open between
|
|
successive queries (+[no]keepopen). [RT #34918]
|
|
|
|
3666. [func] Add a tool, named-rrchecker, for checking the syntax
|
|
of individual resource records. This tool is intended
|
|
to be called by provisioning systems so that the front
|
|
end does not need to be upgraded to support new DNS
|
|
record types. [RT #34778]
|
|
|
|
3665. [bug] Failure to release lock on error in receive_secure_db.
|
|
[RT #34944]
|
|
|
|
3664. [bug] Updated OpenSSL PKCS#11 patches to fix active list
|
|
locking and other bugs. [RT #34855]
|
|
|
|
3663. [bug] Address bugs in dns_rdata_fromstruct and
|
|
dns_rdata_tostruct for WKS and ISDN types. [RT #34910]
|
|
|
|
3662. [bug] 'host' could die if a UDP query timed out. [RT #34870]
|
|
|
|
3661. [bug] Address lock order reversal deadlock with inline zones.
|
|
[RT #34856]
|
|
|
|
3660. [cleanup] Changed the name of "isc-config.sh" to "bind9-config".
|
|
[RT #23825]
|
|
|
|
3659. [port] solaris: don't add explicit dependencies/rules for
|
|
python programs as make won't use the implicit rules.
|
|
[RT #34835]
|
|
|
|
3658. [port] linux: Address platform specific compilation issue
|
|
when libcap-devel is installed. [RT #34838]
|
|
|
|
3657. [port] Some readline clones don't accept NULL pointers when
|
|
calling add_history. [RT #34842]
|
|
|
|
3656. [security] Treat an all zero netmask as invalid when generating
|
|
the localnets acl. (The prior behavior could
|
|
allow unexpected matches when using some versions
|
|
of Winsock: CVE-2013-6320.) [RT #34687]
|
|
|
|
3655. [cleanup] Simplify TCP message processing when requesting a
|
|
zone transfer. [RT #34825]
|
|
|
|
3654. [bug] Address race condition with manual notify requests.
|
|
[RT #34806]
|
|
|
|
3653. [func] Create delegations for all "children" of empty zones
|
|
except "forward first". [RT #34826]
|
|
|
|
3652. [bug] Address bug with rpz-drop policy. [RT #34816]
|
|
|
|
3651. [tuning] Adjust when a master server is deemed unreachable.
|
|
[RT #27075]
|
|
|
|
3650. [tuning] Use separate rate limiting queues for refresh and
|
|
notify requests. [RT #30589]
|
|
|
|
3649. [cleanup] Include a comment in .nzf files, giving the name of
|
|
the associated view. [RT #34765]
|
|
|
|
3648. [test] Updated the ATF test framework to version 0.17.
|
|
[RT #25627]
|
|
|
|
3647. [bug] Address a race condition when shutting down a zone.
|
|
[RT #34750]
|
|
|
|
3646. [bug] Journal filename string could be set incorrectly,
|
|
causing garbage in log messages. [RT #34738]
|
|
|
|
3645. [protocol] Use case sensitive compression when responding to
|
|
queries. [RT #34737]
|
|
|
|
3644. [protocol] Check that EDNS subnet client options are well formed.
|
|
[RT #34718]
|
|
|
|
3643. [doc] Clarify RRL "slip" documentation.
|
|
|
|
3642. [func] Allow externally generated DNSKEY to be imported
|
|
into the DNSKEY management framework. A new tool
|
|
dnssec-importkey is used to do this. [RT #34698]
|
|
|
|
3641. [bug] Handle changes to sig-validity-interval settings
|
|
better. [RT #34625]
|
|
|
|
3640. [bug] ndots was not being checked when searching. Only
|
|
continue searching on NXDOMAIN responses. Add the
|
|
ability to specify ndots to nslookup. [RT #34711]
|
|
|
|
3639. [bug] Treat type 65533 (KEYDATA) as opaque except when used
|
|
in a key zone. [RT #34238]
|
|
|
|
3638. [cleanup] Add the ability to handle ENOPROTOOPT in case it is
|
|
encountered. [RT #34668]
|
|
|
|
3637. [bug] 'allow-query-on' was checking the source address
|
|
rather than the destination address. [RT #34590]
|
|
|
|
3636. [bug] Automatic empty zones now behave better with
|
|
forward only "zones" beneath them. [RT #34583]
|
|
|
|
3635. [bug] Signatures were not being removed from a zone with
|
|
only KSK keys for a algorithm. [RT #34439]
|
|
|
|
3634. [func] Report build-id in rndc status. Report build-id
|
|
when building from a git repository. [RT #20422]
|
|
|
|
3633. [cleanup] Refactor OPT processing in named to make it easier
|
|
to support new EDNS options. [RT #34414]
|
|
|
|
3632. [bug] Signature from newly inactive keys were not being
|
|
removed. [RT #32178]
|
|
|
|
3631. [bug] Remove spurious warning about missing signatures when
|
|
qtype is SIG. [RT #34600]
|
|
|
|
3630. [bug] Ensure correct ID computation for MD5 keys. [RT #33033]
|
|
|
|
3629. [func] Allow the printing of cryptographic fields in DNSSEC
|
|
records by dig to be suppressed (dig +nocrypto).
|
|
[RT #34534]
|
|
|
|
3628. [func] Report DNSKEY key id's when dumping the cache.
|
|
[RT #34533]
|
|
|
|
3627. [bug] RPZ changes were not effective on slaves. [RT #34450]
|
|
|
|
3626. [func] dig: NSID output now easier to read. [RT #21160]
|
|
|
|
3625. [bug] Don't send notify messages to machines outside of the
|
|
test setup.
|
|
|
|
3624. [bug] Look for 'json_object_new_int64' when looking for a
|
|
the json library. [RT #34449]
|
|
|
|
3623. [placeholder]
|
|
|
|
3622. [tuning] Eliminate an unnecessary lock when incrementing
|
|
cache statistics. [RT #34339]
|
|
|
|
3621. [security] Incorrect bounds checking on private type 'keydata'
|
|
can lead to a remotely triggerable REQUIRE failure
|
|
(CVE-2013-4854). [RT #34238]
|
|
|
|
3620. [func] Added "rpz-client-ip" policy triggers, enabling
|
|
RPZ responses to be configured on the basis of
|
|
the client IP address; this can be used, for
|
|
example, to blacklist misbehaving recursive
|
|
or stub resolvers. [RT #33605]
|
|
|
|
3619. [bug] Fixed a bug in RPZ with "recursive-only no;"
|
|
[RT #33776]
|
|
|
|
3618. [func] "rndc reload" now checks modification times of
|
|
include files as well as master files to determine
|
|
whether to skip reloading a zone. [RT #33936]
|
|
|
|
3617. [bug] Named was failing to answer queries during
|
|
"rndc reload" [RT #34098]
|
|
|
|
3616. [bug] Change #3613 was incomplete. [RT #34177]
|
|
|
|
3615. [cleanup] "configure" now finishes by printing a summary
|
|
of optional BIND features and whether they are
|
|
active or inactive. ("configure --enable-full-report"
|
|
increases the verbosity of the summary.) [RT #31777]
|
|
|
|
3614. [port] Check for <linux/types.h>. [RT #34162]
|
|
|
|
3613. [bug] named could crash when deleting inline-signing
|
|
zones with "rndc delzone". [RT #34066]
|
|
|
|
3612. [port] Check whether to use -ljson or -ljson-c. [RT #34115]
|
|
|
|
3611. [bug] Improved resistance to a theoretical authentication
|
|
attack based on differential timing. [RT #33939]
|
|
|
|
3610. [cleanup] win32: Some executables had been omitted from the
|
|
installer. [RT #34116]
|
|
|
|
3609. [bug] Corrected a possible deadlock in applications using
|
|
the export version of the isc_app API. [RT #33967]
|
|
|
|
3608. [port] win32: added todos.pl script to ensure all text files
|
|
the win32 build depends on are converted to DOS
|
|
newline format. [RT #22067]
|
|
|
|
3607. [bug] dnssec-keygen had broken 'Invalid keyfile' error
|
|
message. [RT #34045]
|
|
|
|
3606. [func] "rndc flushtree" now flushes matching
|
|
records in the address database and bad cache
|
|
as well as the DNS cache. (Previously only the
|
|
DNS cache was flushed.) [RT #33970]
|
|
|
|
3605. [port] win32: Addressed several compatibility issues
|
|
with newer versions of Visual Studio. [RT #33916]
|
|
|
|
3604. [bug] Fixed a compile-time error when building with
|
|
JSON but not XML. [RT #33959]
|
|
|
|
3603. [bug] Install <isc/stat.h>. [RT #33956]
|
|
|
|
3602. [contrib] Added DLZ Perl module, allowing Perl scripts to
|
|
integrate with named and serve DNS data.
|
|
(Contributed by John Eaglesham of Yahoo.)
|
|
|
|
3601. [bug] Added to PKCS#11 openssl patches a value len
|
|
attribute in DH derive key. [RT #33928]
|
|
|
|
3600. [cleanup] dig: Fixed a typo in the warning output when receiving
|
|
an oversized response. [RT #33910]
|
|
|
|
3599. [tuning] Check for pointer equivalence in name comparisons.
|
|
[RT #18125]
|
|
|
|
3598. [cleanup] Improved portability of map file code. [RT #33820]
|
|
|
|
3597. [bug] Ensure automatic-resigning heaps are reconstructed
|
|
when loading zones in map format. [RT #33381]
|
|
|
|
3596. [port] Updated win32 build documentation, added
|
|
dnssec-verify. [RT #22067]
|
|
|
|
3595. [port] win32: Fix build problems introduced by change #3550.
|
|
[RT #33807]
|
|
|
|
3594. [maint] Update config.guess and config.sub. [RT #33816]
|
|
|
|
3593. [func] Update EDNS processing to better track remote server
|
|
capabilities. [RT #30655]
|
|
|
|
3592. [doc] Moved documentation of rndc command options to the
|
|
rndc man page. [RT #33506]
|
|
|
|
3591. [func] Use CRC-64 to detect map file corruption at load
|
|
time. [RT #33746]
|
|
|
|
3590. [bug] When using RRL on recursive servers, defer
|
|
rate-limiting until after recursion is complete;
|
|
also, use correct rcode for slipped NXDOMAIN
|
|
responses. [RT #33604]
|
|
|
|
3589. [func] Report serial numbers in when starting zone transfers.
|
|
Report accepted NOTIFY requests including serial.
|
|
[RT #33037]
|
|
|
|
3588. [bug] dig: addressed a memory leak in the sigchase code
|
|
that could cause a shutdown crash. [RT #33733]
|
|
|
|
3587. [func] 'named -g' now checks the logging configuration but
|
|
does not use it. [RT #33473]
|
|
|
|
3586. [bug] Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]
|
|
|
|
3585. [func] "rndc delzone -clean" option removes zone files
|
|
when deleting a zone. [RT #33570]
|
|
|
|
3584. [security] Caching data from an incompletely signed zone could
|
|
trigger an assertion failure in resolver.c
|
|
(CVE-2013-3919). [RT #33690]
|
|
|
|
3583. [bug] Address memory leak in GSS-API processing [RT #33574]
|
|
|
|
3582. [bug] Silence false positive warning regarding missing file
|
|
directive for inline slave zones. [RT #33662]
|
|
|
|
3581. [bug] Changed the tcp-listen-queue default to 10. [RT #33029]
|
|
|
|
3580. [bug] Addressed a possible race in acache.c [RT #33602]
|
|
|
|
3579. [maint] Updates to PKCS#11 openssl patches, supporting
|
|
versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]
|
|
|
|
3578. [bug] 'rndc -c file' now fails if 'file' does not exist.
|
|
[RT #33571]
|
|
|
|
3577. [bug] Handle zero TTL values better. [RT #33411]
|
|
|
|
3576. [bug] Address a shutdown race when validating. [RT #33573]
|
|
|
|
3575. [func] Changed the logging category for RRL events from
|
|
'queries' to 'query-errors'. [RT #33540]
|
|
|
|
3574. [doc] The 'hostname' keyword was missing from server-id
|
|
description in the named.conf man page. [RT #33476]
|
|
|
|
3573. [bug] "rndc addzone" and "rndc delzone" incorrectly handled
|
|
zone names containing punctuation marks and other
|
|
nonstandard characters. [RT #33419]
|
|
|
|
3572. [func] Threads are now enabled by default on most
|
|
operating systems. [RT #25483]
|
|
|
|
3571. [bug] Address race condition in dns_client_startresolve().
|
|
[RT #33234]
|
|
|
|
3570. [bug] Check internal pointers are valid when loading map
|
|
files. [RT #33403]
|
|
|
|
3569. [contrib] Ported mysql DLZ driver to dynamically-loadable
|
|
module, and added multithread support. [RT #33394]
|
|
|
|
3568. [cleanup] Add a product description line to the version file,
|
|
to be reported by named -v/-V. [RT #33366]
|
|
|
|
3567. [bug] Silence clang static analyzer warnings. [RT #33365]
|
|
|
|
3566. [func] Log when forwarding updates to master. [RT #33240]
|
|
|
|
3565. [placeholder]
|
|
|
|
3564. [bug] Improved handling of corrupted map files. [RT #33380]
|
|
|
|
3563. [contrib] zone2sqlite failed with some table names. [RT #33375]
|
|
|
|
3562. [func] Update map file header format to include a SHA-1 hash
|
|
of the database content, so that corrupted map files
|
|
can be rejected at load time. [RT #32459]
|
|
|
|
3561. [bug] dig: issue a warning if an EDNS query returns FORMERR
|
|
or NOTIMP. Adjust usage message. [RT #33363]
|
|
|
|
3560. [bug] isc-config.sh did not honor includedir and libdir
|
|
when set via configure. [RT #33345]
|
|
|
|
3559. [func] Check that both forms of Sender Policy Framework
|
|
records exist or do not exist. [RT #33355]
|
|
|
|
3558. [bug] IXFR of a DLZ stored zone was broken. [RT #33331]
|
|
|
|
3557. [bug] Reloading redirect zones was broken. [RT #33292]
|
|
|
|
3556. [maint] Added AAAA for D.ROOT-SERVERS.NET.
|
|
|
|
3555. [bug] Address theoretical race conditions in acache.c
|
|
(change #3553 was incomplete). [RT #33252]
|
|
|
|
3554. [bug] RRL failed to correctly rate-limit upward
|
|
referrals and failed to count dropped error
|
|
responses in the statistics. [RT #33225]
|
|
|
|
3553. [bug] Address suspected double free in acache. [RT #33252]
|
|
|
|
3552. [bug] Wrong getopt option string for 'nsupdate -r'.
|
|
[RT #33280]
|
|
|
|
3551. [bug] resolver.querydscp[46] were uninitialized. [RT #32686]
|
|
|
|
3550. [func] Unified the internal and export versions of the
|
|
BIND libraries, allowing external clients to use
|
|
the same libraries as BIND. [RT #33131]
|
|
|
|
3549. [doc] Documentation for "request-nsid" was missing.
|
|
[RT #33153]
|
|
|
|
3548. [bug] The NSID request code in resolver.c was broken
|
|
resulting in invalid EDNS options being sent.
|
|
[RT #33153]
|
|
|
|
3547. [bug] Some malformed unknown rdata records were not properly
|
|
detected and rejected. [RT #33129]
|
|
|
|
3546. [func] Add EUI48 and EUI64 types. [RT #33082]
|
|
|
|
3545. [bug] RRL slip behavior was incorrect when set to 1.
|
|
[RT #33111]
|
|
|
|
3544. [contrib] check5011.pl: Script to report the status of
|
|
managed keys as recorded in managed-keys.bind.
|
|
Contributed by Tony Finch <dot@dotat.at>
|
|
|
|
3543. [bug] Update socket structure before attaching to socket
|
|
manager after accept. [RT #33084]
|
|
|
|
3542. [placeholder]
|
|
|
|
3541. [bug] Parts of libdns were not properly initialized when
|
|
built in libexport mode. [RT #33028]
|
|
|
|
3540. [test] libt_api: t_info and t_assert were not thread safe.
|
|
|
|
3539. [port] win32: timestamp format didn't match other platforms.
|
|
|
|
3538. [test] Running "make test" now requires loopback interfaces
|
|
to be set up. [RT #32452]
|
|
|
|
3537. [tuning] Slave zones, when updated, now send NOTIFY messages
|
|
to peers before being dumped to disk rather than
|
|
after. [RT #27242]
|
|
|
|
3536. [func] Add support for setting Differentiated Services Code
|
|
Point (DSCP) values in named. Most configuration
|
|
options which take a "port" option (e.g.,
|
|
listen-on, forwarders, also-notify, masters,
|
|
notify-source, etc) can now also take a "dscp"
|
|
option specifying a code point for use with
|
|
outgoing traffic, if supported by the underlying
|
|
OS. [RT #27596]
|
|
|
|
3535. [bug] Minor win32 cleanups. [RT #32962]
|
|
|
|
3534. [bug] Extra text after an embedded NULL was ignored when
|
|
parsing zone files. [RT #32699]
|
|
|
|
3533. [contrib] query-loc-0.4.0: memory leaks. [RT #32960]
|
|
|
|
3532. [contrib] zkt: fixed buffer overrun, resource leaks. [RT #32960]
|
|
|
|
3531. [bug] win32: A uninitialized value could be returned on out
|
|
of memory. [RT #32960]
|
|
|
|
3530. [contrib] Better RTT tracking in queryperf. [RT #30128]
|
|
|
|
3529. [func] Named now listens on both IPv4 and IPv6 interfaces
|
|
by default. Named previously only listened on IPv4
|
|
interfaces by default unless named was running in
|
|
IPv6 only mode. [RT #32945]
|
|
|
|
3528. [func] New "dnssec-coverage" command scans the timing
|
|
metadata for a set of DNSSEC keys and reports if a
|
|
lapse in signing coverage has been scheduled
|
|
inadvertently. (Note: This tool depends on python;
|
|
it will not be built or installed on systems that
|
|
do not have a python interpreter.) [RT #28098]
|
|
|
|
3527. [compat] Add a URI to allow applications to explicitly
|
|
request a particular XML schema from the statistics
|
|
channel, returning 404 if not supported. [RT #32481]
|
|
|
|
3526. [cleanup] Set up dependencies for unit tests correctly during
|
|
build. [RT #32803]
|
|
|
|
3525. [func] Support for additional signing algorithms in rndc:
|
|
hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
|
|
The -A option to rndc-confgen can be used to
|
|
select the algorithm for the generated key.
|
|
(The default is still hmac-md5; this may
|
|
change in a future release.) [RT #20363]
|
|
|
|
3524. [func] Added an alternate statistics channel in JSON format,
|
|
when the server is built with the json-c library:
|
|
http://[address]:[port]/json. [RT #32630]
|
|
|
|
3523. [contrib] Ported filesystem and ldap DLZ drivers to
|
|
dynamically-loadable modules, and added the
|
|
"wildcard" module based on a contribution from
|
|
Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569]
|
|
|
|
3522. [bug] DLZ lookups could fail to return SERVFAIL when
|
|
they ought to. [RT #32685]
|
|
|
|
3521. [bug] Address memory leak in opensslecdsa_link.c. [RT #32249]
|
|
|
|
3520. [bug] 'mctx' was not being referenced counted in some places
|
|
where it should have been. [RT #32794]
|
|
|
|
3519. [func] Full replay protection via four-way handshake is
|
|
now mandatory for rndc clients. Very old versions
|
|
of rndc will no longer work. [RT #32798]
|
|
|
|
3518. [bug] Increase the size of dns_rrl_key.s.rtype by one bit
|
|
so that all dns_rrl_rtype_t enum values fit regardless
|
|
of whether it is teated as signed or unsigned by
|
|
the compiler. [RT #32792]
|
|
|
|
3517. [bug] Reorder destruction to avoid shutdown race. [RT #32777]
|
|
|
|
3516. [placeholder]
|
|
|
|
3515. [port] '%T' is not portable in strftime(). [RT #32763]
|
|
|
|
3514. [bug] The ranges for valid key sizes in ddns-confgen and
|
|
rndc-confgen were too constrained. Keys up to 512
|
|
bits are now allowed for most algorithms, and up
|
|
to 1024 bits for hmac-sha384 and hmac-sha512.
|
|
[RT #32753]
|
|
|
|
3513. [func] "dig -u" prints times in microseconds rather than
|
|
milliseconds. [RT #32704]
|
|
|
|
3512. [func] "rndc validation check" reports the current status
|
|
of DNSSEC validation. [RT #21397]
|
|
|
|
3511. [doc] Improve documentation of redirect zones. [RT #32756]
|
|
|
|
3510. [func] "rndc status" and XML statistics channel now report
|
|
server start and reconfiguration times. [RT #21048]
|
|
|
|
3509. [cleanup] Added a product line to version file to allow for
|
|
easy naming of different products (BIND
|
|
vs BIND ESV, for example). [RT #32755]
|
|
|
|
3508. [contrib] queryperf was incorrectly rejecting the -T option.
|
|
[RT #32338]
|
|
|
|
3507. [bug] Statistics channel XSL had a glitch when attempting
|
|
to chart query data before any queries had been
|
|
received. [RT #32620]
|
|
|
|
3506. [func] When setting "max-cache-size" and "max-acache-size",
|
|
the keyword "unlimited" is no longer defined as equal
|
|
to 4 gigabytes (except on 32-bit platforms); it
|
|
means literally unlimited. [RT #32358]
|
|
|
|
3505. [bug] When setting "max-cache-size" and "max-acache-size",
|
|
larger values than 4 gigabytes could not be set
|
|
explicitly, though larger sizes were available
|
|
when setting cache size to 0. This has been
|
|
corrected; the full range is now available.
|
|
[RT #32358]
|
|
|
|
3504. [func] Add support for ACLs based on geographic location,
|
|
using MaxMind GeoIP databases. Based on code
|
|
contributed by Ken Brownfield <kb@slide.com>.
|
|
[RT #30681]
|
|
|
|
3503. [doc] Clarify size_spec syntax. [RT #32449]
|
|
|
|
3502. [func] zone-statistics: "no" is now a synonym for "none",
|
|
instead of "terse". [RT #29165]
|
|
|
|
3501. [func] zone-statistics now takes three options: full,
|
|
terse, and none. "yes" and "no" are retained as
|
|
synonyms for full and terse, respectively. [RT #29165]
|
|
|
|
3500. [security] Support NAPTR regular expression validation on
|
|
all platforms without using libregex, which
|
|
can be vulnerable to memory exhaustion attack
|
|
(CVE-2013-2266). [RT #32688]
|
|
|
|
3499. [doc] Corrected ARM documentation of built-in zones.
|
|
[RT #32694]
|
|
|
|
3498. [bug] zone statistics for zones which matched a potential
|
|
empty zone could have their zone-statistics setting
|
|
overridden.
|
|
|
|
3497. [func] When deleting a slave/stub zone using 'rndc delzone'
|
|
report the files that were being used so they can
|
|
be cleaned up if desired. [RT #27899]
|
|
|
|
3496. [placeholder]
|
|
|
|
3495. [func] Support multiple response-policy zones (up to 32),
|
|
while improving RPZ performance. "response-policy"
|
|
syntax now includes a "min-ns-dots" clause, with
|
|
default 1, to exclude top-level domains from
|
|
NSIP and NSDNAME checking. --enable-rpz-nsip and
|
|
--enable-rpz-nsdname are now the default. [RT #32251]
|
|
|
|
3494. [func] DNS RRL: Blunt the impact of DNS reflection and
|
|
amplification attacks by rate-limiting substantially-
|
|
identical responses. [RT #28130]
|
|
|
|
3493. [contrib] Added BDBHPT dynamically-loadable DLZ module,
|
|
contributed by Mark Goldfinch. [RT #32549]
|
|
|
|
3492. [bug] Fixed a regression in zone loading performance
|
|
due to lock contention. [RT #30399]
|
|
|
|
3491. [bug] Slave zones using inline-signing must specify a
|
|
file name. [RT #31946]
|
|
|
|
3490. [bug] When logging RDATA during update, truncate if it's
|
|
too long. [RT #32365]
|
|
|
|
3489. [bug] --enable-developer now turns on ISC_LIST_CHECKINIT.
|
|
dns_dlzcreate() failed to properly initialize
|
|
dlzdb.link. When cloning a rdataset do not copy
|
|
the link contents. [RT #32651]
|
|
|
|
3488. [bug] Use after free error with DH generated keys. [RT #32649]
|
|
|
|
3487. [bug] Change 3444 was not complete. There was a additional
|
|
place where the NOQNAME proof needed to be saved.
|
|
[RT #32629]
|
|
|
|
3486. [bug] named could crash when using TKEY-negotiated keys
|
|
that had been deleted and then recreated. [RT #32506]
|
|
|
|
3485. [cleanup] Only compile openssl_gostlink.c if we support GOST.
|
|
|
|
3484. [bug] Some statistics were incorrectly rendered in XML.
|
|
[RT #32587]
|
|
|
|
3483. [placeholder]
|
|
|
|
3482. [func] dig +nssearch now prints name servers that don't
|
|
have address records (missing AAAA or A, or the name
|
|
doesn't exist). [RT #29348]
|
|
|
|
3481. [cleanup] Removed use of const const in atf.
|
|
|
|
3480. [bug] Silence logging noise when setting up zone
|
|
statistics. [RT #32525]
|
|
|
|
3479. [bug] Address potential memory leaks in gssapi support
|
|
code. [RT #32405]
|
|
|
|
3478. [port] Fix a build failure in strict C99 environments
|
|
[RT #32475]
|
|
|
|
3477. [func] Expand logging when adding records via DDNS update
|
|
[RT #32365]
|
|
|
|
3476. [bug] "rndc zonestatus" could report a spurious "not
|
|
found" error on inline-signing zones. [RT #29226]
|
|
|
|
3475. [cleanup] Changed name of 'map' zone file format (previously
|
|
'fast'). [RT #32458]
|
|
|
|
3474. [bug] nsupdate could assert when the local and remote
|
|
address families didn't match. [RT #22897]
|
|
|
|
3473. [bug] dnssec-signzone/verify could incorrectly report
|
|
an error condition due to an empty node above an
|
|
opt-out delegation lacking an NSEC3. [RT #32072]
|
|
|
|
3472. [bug] The active-connections counter in the socket
|
|
statistics could underflow. [RT #31747]
|
|
|
|
3471. [bug] The number of UDP dispatches now defaults to
|
|
the number of CPUs even if -n has been set to
|
|
a higher value. [RT #30964]
|
|
|
|
3470. [bug] Slave zones could fail to dump when successfully
|
|
refreshing after an initial failure. [RT #31276]
|
|
|
|
3469. [bug] Handle DLZ lookup failures more gracefully. Improve
|
|
backward compatibility between versions of DLZ dlopen
|
|
API. [RT #32275]
|
|
|
|
3468. [security] RPZ rules to generate A records (but not AAAA records)
|
|
could trigger an assertion failure when used in
|
|
conjunction with DNS64 (CVE-2012-5689). [RT #32141]
|
|
|
|
3467. [bug] Added checks in dnssec-keygen and dnssec-settime
|
|
to check for delete date < inactive date. [RT #31719]
|
|
|
|
3466. [contrib] Corrected the DNS_CLIENTINFOMETHODS_VERSION check
|
|
in DLZ example driver. [RT #32275]
|
|
|
|
3465. [bug] Handle isolated reserved ports. [RT #31778]
|
|
|
|
3464. [maint] Updates to PKCS#11 openssl patches, supporting
|
|
versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]
|
|
|
|
3463. [doc] Clarify managed-keys syntax in ARM. [RT #32232]
|
|
|
|
3462. [doc] Clarify server selection behavior of dig when using
|
|
-4 or -6 options. [RT #32181]
|
|
|
|
3461. [bug] Negative responses could incorrectly have AD=1
|
|
set. [RT #32237]
|
|
|
|
3460. [bug] Only link against readline where needed. [RT #29810]
|
|
|
|
3459. [func] Added -J option to named-checkzone/named-compilezone
|
|
to specify the path to the journal file. [RT #30958]
|
|
|
|
3458. [bug] Return FORMERR when presented with a overly long
|
|
domain named in a request. [RT #29682]
|
|
|
|
3457. [protocol] Add ILNP records (NID, LP, L32, L64). [RT #31836]
|
|
|
|
3456. [port] g++47: ATF failed to compile. [RT #32012]
|
|
|
|
3455. [contrib] queryperf: fix getopt option list. [RT #32338]
|
|
|
|
3454. [port] sparc64: improve atomic support. [RT #25182]
|
|
|
|
3453. [bug] 'rndc addzone' of a zone with 'inline-signing yes;'
|
|
failed. [RT #31960]
|
|
|
|
3452. [bug] Accept duplicate singleton records. [RT #32329]
|
|
|
|
3451. [port] Increase per thread stack size from 64K to 1M.
|
|
[RT #32230]
|
|
|
|
3450. [bug] Stop logfileconfig system test spam system logs.
|
|
[RT #32315]
|
|
|
|
3449. [bug] gen.c: use the pre-processor to construct format
|
|
strings so that compiler can perform sanity checks;
|
|
check the snprintf results. [RT #17576]
|
|
|
|
3448. [bug] The allow-query-on ACL was not processed correctly.
|
|
[RT #29486]
|
|
|
|
3447. [port] Add support for libxml2-2.9.x [RT #32231]
|
|
|
|
3446. [port] win32: Add source ID (see change #3400) to build.
|
|
[RT #31683]
|
|
|
|
3445. [bug] Warn about zone files with blank owner names
|
|
immediately after $ORIGIN directives. [RT #31848]
|
|
|
|
3444. [bug] The NOQNAME proof was not being returned from cached
|
|
insecure responses. [RT #21409]
|
|
|
|
3443. [bug] ddns-confgen: Some TSIG algorithms were incorrectly
|
|
rejected when generating keys. [RT #31927]
|
|
|
|
3442. [port] Net::DNS 0.69 introduced a non backwards compatible
|
|
change. [RT #32216]
|
|
|
|
3441. [maint] D.ROOT-SERVERS.NET is now 199.7.91.13.
|
|
|
|
3440. [bug] Reorder get_key_struct to not trigger a assertion when
|
|
cleaning up due to out of memory error. [RT #32131]
|
|
|
|
3439. [placeholder]
|
|
|
|
3438. [bug] Don't accept unknown data escape in quotes. [RT #32031]
|
|
|
|
3437. [bug] isc_buffer_init -> isc_buffer_constinit to initialize
|
|
buffers with constant data. [RT #32064]
|
|
|
|
3436. [bug] Check malloc/calloc return values. [RT #32088]
|
|
|
|
3435. [bug] Cross compilation support in configure was broken.
|
|
[RT #32078]
|
|
|
|
3434. [bug] Pass client info to the DLZ findzone() entry
|
|
point in addition to lookup(). This makes it
|
|
possible for a database to answer differently
|
|
whether it's authoritative for a name depending
|
|
on the address of the client. [RT #31775]
|
|
|
|
3433. [bug] dlz_findzone() did not correctly handle
|
|
ISC_R_NOMORE. [RT #31172]
|
|
|
|
3432. [func] Multiple DLZ databases can now be configured.
|
|
DLZ databases are searched in the order configured,
|
|
unless set to "search no", in which case a
|
|
zone can be configured to be retrieved from a
|
|
particular DLZ database by using a "dlz <name>"
|
|
option in the zone statement. DLZ databases can
|
|
support type "master" and "redirect" zones.
|
|
[RT #27597]
|
|
|
|
3431. [bug] ddns-confgen: Some valid key algorithms were
|
|
not accepted. [RT #31927]
|
|
|
|
3430. [bug] win32: isc_time_formatISO8601 was missing the
|
|
'T' between the date and time. [RT #32044]
|
|
|
|
3429. [bug] dns_zone_getserial2 could a return success without
|
|
returning a valid serial. [RT #32007]
|
|
|
|
3428. [cleanup] dig: Add timezone to date output. [RT #2269]
|
|
|
|
3427. [bug] dig +trace incorrectly displayed name server
|
|
addresses instead of names. [RT #31641]
|
|
|
|
3426. [bug] dnssec-checkds: Clearer output when records are not
|
|
found. [RT #31968]
|
|
|
|
3425. [bug] "acacheentry" reference counting was broken resulting
|
|
in use after free. [RT #31908]
|
|
|
|
3424. [func] dnssec-dsfromkey now emits the hash without spaces.
|
|
[RT #31951]
|
|
|
|
3423. [bug] "rndc signing -nsec3param" didn't accept the full
|
|
range of possible values. Address portability issues.
|
|
[RT #31938]
|
|
|
|
3422. [bug] Added a clear error message for when the SOA does not
|
|
match the referral. [RT #31281]
|
|
|
|
3421. [bug] Named loops when re-signing if all keys are offline.
|
|
[RT #31916]
|
|
|
|
3420. [bug] Address VPATH compilation issues. [RT #31879]
|
|
|
|
3419. [bug] Memory leak on validation cancel. [RT #31869]
|
|
|
|
3418. [func] New XML schema (version 3.0) for the statistics channel
|
|
adds query type statistics at the zone level, and
|
|
flattens the XML tree and uses compressed format to
|
|
optimize parsing. Includes new XSL that permits
|
|
charting via the Google Charts API on browsers that
|
|
support javascript in XSL. The old XML schema has been
|
|
deprecated. [RT #30023]
|
|
|
|
3417. [placeholder]
|
|
|
|
3416. [bug] Named could die on shutdown if running with 128 UDP
|
|
dispatches per interface. [RT #31743]
|
|
|
|
3415. [bug] named could die with a REQUIRE failure if a validation
|
|
was canceled. [RT #31804]
|
|
|
|
3414. [bug] Address locking issues found by Coverity. [RT #31626]
|
|
|
|
3413. [func] Record the number of DNS64 AAAA RRsets that have been
|
|
synthesized. [RT #27636]
|
|
|
|
3412. [bug] Copy timeval structure from control message data.
|
|
[RT #31548]
|
|
|
|
3411. [tuning] Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
|
|
to UDP. [RT #31690]
|
|
|
|
3410. [bug] Addressed Coverity warnings. [RT #31626]
|
|
|
|
3409. [contrib] contrib/dane/mkdane.sh: Tool to generate TLSA RR's
|
|
from X.509 certificates, for use with DANE
|
|
(DNS-based Authentication of Named Entities).
|
|
[RT #30513]
|
|
|
|
3408. [bug] Some DNSSEC-related options (update-check-ksk,
|
|
dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
|
|
are now legal in slave zones as long as
|
|
inline-signing is in use. [RT #31078]
|
|
|
|
3407. [placeholder]
|
|
|
|
3406. [bug] mem.c: Fix compilation errors when building with
|
|
ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
|
|
Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
|
|
|
|
3405. [bug] Handle time going backwards in acache. [RT #31253]
|
|
|
|
3404. [bug] dnssec-signzone: When re-signing a zone, remove
|
|
RRSIG and NSEC records from nodes that used to be
|
|
in-zone but are now below a zone cut. [RT #31556]
|
|
|
|
3403. [bug] Silence noisy OpenSSL logging. [RT #31497]
|
|
|
|
3402. [test] The IPv6 interface numbers used for system
|
|
tests were incorrect on some platforms. [RT #25085]
|
|
|
|
3401. [bug] Addressed Coverity warnings. [RT #31484]
|
|
|
|
3400. [cleanup] "named -V" can now report a source ID string, defined
|
|
in the "srcid" file in the build tree and normally set
|
|
to the most recent git hash. [RT #31494]
|
|
|
|
3399. [port] netbsd: rename 'bool' parameter to avoid namespace
|
|
clash. [RT #31515]
|
|
|
|
3398. [bug] SOA parameters were not being updated with inline
|
|
signed zones if the zone was modified while the
|
|
server was offline. [RT #29272]
|
|
|
|
3397. [bug] dig crashed when using +nssearch with +tcp. [RT #25298]
|
|
|
|
3396. [bug] OPT records were incorrectly removed from signed,
|
|
truncated responses. [RT #31439]
|
|
|
|
3395. [protocol] Add RFC 6598 reverse zones to built in empty zones
|
|
list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
|
|
[RT #31336]
|
|
|
|
3394. [bug] Adjust 'successfully validated after lower casing
|
|
signer' log level and category. [RT #31414]
|
|
|
|
3393. [bug] 'host -C' could core dump if REFUSED was received.
|
|
[RT #31381]
|
|
|
|
3392. [func] Keep statistics on REFUSED responses. [RT #31412]
|
|
|
|
3391. [bug] A DNSKEY lookup that encountered a CNAME failed.
|
|
[RT #31262]
|
|
|
|
3390. [bug] Silence clang compiler warnings. [RT #30417]
|
|
|
|
3389. [bug] Always return NOERROR (not 0) in TSIG. [RT #31275]
|
|
|
|
3388. [bug] Fixed several Coverity warnings.
|
|
Note: This change includes a fix for a bug that
|
|
was subsequently determined to be an exploitable
|
|
security vulnerability, CVE-2012-5688: named could
|
|
die on specific queries with dns64 enabled.
|
|
[RT #30996]
|
|
|
|
3387. [func] DS digest can be disabled at runtime with
|
|
disable-ds-digests. [RT #21581]
|
|
|
|
3386. [bug] Address locking violation when generating new NSEC /
|
|
NSEC3 chains. [RT #31224]
|
|
|
|
3385. [bug] named-checkconf didn't detect missing master lists
|
|
in also-notify clauses. [RT #30810]
|
|
|
|
3384. [bug] Improved logging of crypto errors. [RT #30963]
|
|
|
|
3383. [security] A certain combination of records in the RBT could
|
|
cause named to hang while populating the additional
|
|
section of a response. [RT #31090]
|
|
|
|
3382. [bug] SOA query from slave used use-v6-udp-ports range,
|
|
if set, regardless of the address family in use.
|
|
[RT #24173]
|
|
|
|
3381. [contrib] Update queryperf to support more RR types.
|
|
[RT #30762]
|
|
|
|
3380. [bug] named could die if a nonexistent master list was
|
|
referenced in a also-notify. [RT #31004]
|
|
|
|
3379. [bug] isc_interval_zero and isc_time_epoch should be
|
|
"const (type)* const". [RT #31069]
|
|
|
|
3378. [bug] Handle missing 'managed-keys-directory' better.
|
|
[RT #30625]
|
|
|
|
3377. [bug] Removed spurious newline from NSEC3 multiline
|
|
output. [RT #31044]
|
|
|
|
3376. [bug] Lack of EDNS support was being recorded without a
|
|
successful response. [RT #30811]
|
|
|
|
3375. [bug] 'rndc dumpdb' failed on empty caches. [RT #30808]
|
|
|
|
3374. [bug] isc_parse_uint32 failed to return a range error on
|
|
systems with 64 bit longs. [RT #30232]
|
|
|
|
3373. [bug] win32: open raw files in binary mode. [RT #30944]
|
|
|
|
3372. [bug] Silence spurious "deleted from unreachable cache"
|
|
messages. [RT #30501]
|
|
|
|
3371. [bug] AD=1 should behave like DO=1 when deciding whether to
|
|
add NS RRsets to the additional section or not.
|
|
[RT #30479]
|
|
|
|
3370. [bug] Address use after free while shutting down. [RT #30241]
|
|
|
|
3369. [bug] nsupdate terminated unexpectedly in interactive mode
|
|
if built with readline support. [RT #29550]
|
|
|
|
3368. [bug] <dns/iptable.h>, <dns/private.h> and <dns/zone.h>
|
|
were not C++ safe.
|
|
|
|
3367. [bug] dns_dnsseckey_create() result was not being checked.
|
|
[RT #30685]
|
|
|
|
3366. [bug] Fixed Read-After-Write dependency violation for IA64
|
|
atomic operations. [RT #25181]
|
|
|
|
3365. [bug] Removed spurious newlines from log messages in
|
|
zone.c [RT #30675]
|
|
|
|
3364. [security] Named could die on specially crafted record.
|
|
[RT #30416]
|
|
|
|
3363. [bug] Need to allow "forward" and "fowarders" options
|
|
in static-stub zones; this had been overlooked.
|
|
[RT #30482]
|
|
|
|
3362. [bug] Setting some option values to 0 in named.conf
|
|
could trigger an assertion failure on startup.
|
|
[RT #27730]
|
|
|
|
3361. [bug] "rndc signing -nsec3param" didn't work correctly
|
|
when salt was set to '-' (no salt). [RT #30099]
|
|
|
|
3360. [bug] 'host -w' could die. [RT #18723]
|
|
|
|
3359. [bug] An improperly-formed TSIG secret could cause a
|
|
memory leak. [RT #30607]
|
|
|
|
3358. [placeholder]
|
|
|
|
3357. [port] Add support for libxml2-2.8.x [RT #30440]
|
|
|
|
3356. [bug] Cap the TTL of signed RRsets when RRSIGs are
|
|
approaching their expiry, so they don't remain
|
|
in caches after expiry. [RT #26429]
|
|
|
|
3355. [port] Use more portable awk in verify system test.
|
|
|
|
3354. [func] Improve OpenSSL error logging. [RT #29932]
|
|
|
|
3353. [bug] Use a single task for task exclusive operations.
|
|
[RT #29872]
|
|
|
|
3352. [bug] Ensure that learned server attributes timeout of the
|
|
adb cache. [RT #29856]
|
|
|
|
3351. [bug] isc_mem_put and isc_mem_putanddetach didn't report
|
|
caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
|
|
memory debugging flags are set. [RT #30243]
|
|
|
|
3350. [bug] Memory read overrun in isc___mem_reallocate if
|
|
ISC_MEM_DEBUGCTX memory debugging flag is set.
|
|
[RT #30240]
|
|
|
|
3349. [bug] Change #3345 was incomplete. [RT #30233]
|
|
|
|
3348. [bug] Prevent RRSIG data from being cached if a negative
|
|
record matching the covering type exists at a higher
|
|
trust level. Such data already can't be retrieved from
|
|
the cache since change 3218 -- this prevents it
|
|
being inserted into the cache as well. [RT #26809]
|
|
|
|
3347. [bug] dnssec-settime: Issue a warning when writing a new
|
|
private key file would cause a change in the
|
|
permissions of the existing file. [RT #27724]
|
|
|
|
3346. [security] Bad-cache data could be used before it was
|
|
initialized, causing an assert. [RT #30025]
|
|
|
|
3345. [bug] Addressed race condition when removing the last item
|
|
or inserting the first item in an ISC_QUEUE.
|
|
[RT #29539]
|
|
|
|
3344. [func] New "dnssec-checkds" command checks a zone to
|
|
determine which DS records should be published
|
|
in the parent zone, or which DLV records should be
|
|
published in a DLV zone, and queries the DNS to
|
|
ensure that it exists. (Note: This tool depends
|
|
on python; it will not be built or installed on
|
|
systems that do not have a python interpreter.)
|
|
[RT #28099]
|
|
|
|
3343. [placeholder]
|
|
|
|
3342. [bug] Change #3314 broke saving of stub zones to disk
|
|
resulting in excessive cpu usage in some cases.
|
|
[RT #29952]
|
|
|
|
3341. [func] New "dnssec-verify" command checks a signed zone
|
|
to ensure correctness of signatures and of NSEC/NSEC3
|
|
chains. [RT #23673]
|
|
|
|
3340. [func] Added new 'map' zone file format, which is an image
|
|
of a zone database that can be loaded directly into
|
|
memory via mmap(), allowing much faster zone loading.
|
|
(Note: Because of pointer sizes and other
|
|
considerations, this file format is platform-dependent;
|
|
'map' zone files cannot always be transferred from one
|
|
server to another.) [RT #25419]
|
|
|
|
3339. [func] Allow the maximum supported rsa exponent size to be
|
|
specified: "max-rsa-exponent-size <value>;" [RT #29228]
|
|
|
|
3338. [bug] Address race condition in units tests: asyncload_zone
|
|
and asyncload_zt. [RT #26100]
|
|
|
|
3337. [bug] Change #3294 broke support for the multiple keys
|
|
in controls. [RT #29694]
|
|
|
|
3336. [func] Maintain statistics for RRsets tagged as "stale".
|
|
[RT #29514]
|
|
|
|
3335. [func] nslookup: return a nonzero exit code when unable
|
|
to get an answer. [RT #29492]
|
|
|
|
3334. [bug] Hold a zone table reference while performing a
|
|
asynchronous load of a zone. [RT #28326]
|
|
|
|
3333. [bug] Setting resolver-query-timeout too low can cause
|
|
named to not recover if it loses connectivity.
|
|
[RT #29623]
|
|
|
|
3332. [bug] Re-use cached DS rrsets if possible. [RT #29446]
|
|
|
|
3331. [security] dns_rdataslab_fromrdataset could produce bad
|
|
rdataslabs. [RT #29644]
|
|
|
|
3330. [func] Fix missing signatures on NOERROR results despite
|
|
RPZ rewriting. Also
|
|
- add optional "recursive-only yes|no" to the
|
|
response-policy statement
|
|
- add optional "max-policy-ttl" to the response-policy
|
|
statement to limit the false data that
|
|
"recursive-only no" can introduce into
|
|
resolvers' caches
|
|
- add a RPZ performance test to bin/tests/system/rpz
|
|
when queryperf is available.
|
|
- the encoding of PASSTHRU action to "rpz-passthru".
|
|
(The old encoding is still accepted.)
|
|
[RT #26172]
|
|
|
|
|
|
3329. [bug] Handle RRSIG signer-name case consistently: We
|
|
generate RRSIG records with the signer-name in
|
|
lower case. We accept them with any case, but if
|
|
they fail to validate, we try again in lower case.
|
|
[RT #27451]
|
|
|
|
3328. [bug] Fixed inconsistent data checking in dst_parse.c.
|
|
[RT #29401]
|
|
|
|
3327. [func] Added 'filter-aaaa-on-v6' option; this is similar
|
|
to 'filter-aaaa-on-v4' but applies to IPv6
|
|
connections. (Use "configure --enable-filter-aaaa"
|
|
to enable this option.) [RT #27308]
|
|
|
|
3326. [func] Added task list statistics: task model, worker
|
|
threads, quantum, tasks running, tasks ready.
|
|
[RT #27678]
|
|
|
|
3325. [func] Report cache statistics: memory use, number of
|
|
nodes, number of hash buckets, hit and miss counts.
|
|
[RT #27056]
|
|
|
|
3324. [test] Add better tests for ADB stats [RT #27057]
|
|
|
|
3323. [func] Report the number of buckets the resolver is using.
|
|
[RT #27020]
|
|
|
|
3322. [func] Monitor the number of active TCP and UDP dispatches.
|
|
[RT #27055]
|
|
|
|
3321. [func] Monitor the number of recursive fetches and the
|
|
number of open sockets, and report these values in
|
|
the statistics channel. [RT #27054]
|
|
|
|
3320. [func] Added support for monitoring of recursing client
|
|
count. [RT #27009]
|
|
|
|
3319. [func] Added support for monitoring of ADB entry count and
|
|
hash size. [RT #27057]
|
|
|
|
3318. [tuning] Reduce the amount of work performed while holding a
|
|
bucket lock when finished with a fetch context.
|
|
[RT #29239]
|
|
|
|
3317. [func] Add ECDSA support (RFC 6605). [RT #21918]
|
|
|
|
3316. [tuning] Improved locking performance when recursing.
|
|
[RT #28836]
|
|
|
|
3315. [tuning] Use multiple dispatch objects for sending upstream
|
|
queries; this can improve performance on busy
|
|
multiprocessor systems by reducing lock contention.
|
|
[RT #28605]
|
|
|
|
3314. [bug] The masters list could be updated while stub_callback
|
|
or refresh_callback were using it. [RT #26732]
|
|
|
|
3313. [protocol] Add TLSA record type. [RT #28989]
|
|
|
|
3312. [bug] named-checkconf didn't detect a bad dns64 clients acl.
|
|
[RT #27631]
|
|
|
|
3311. [bug] Abort the zone dump if zone->db is NULL in
|
|
zone.c:zone_gotwritehandle. [RT #29028]
|
|
|
|
3310. [test] Increase table size for mutex profiling. [RT #28809]
|
|
|
|
3309. [bug] resolver.c:fctx_finddone() was not thread safe.
|
|
[RT #27995]
|
|
|
|
3308. [placeholder]
|
|
|
|
3307. [bug] Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
|
|
[RT #28956]
|
|
|
|
3306. [bug] Improve DNS64 reverse zone performance. [RT #28563]
|
|
|
|
3305. [func] Add wire format lookup method to sdb. [RT #28563]
|
|
|
|
3304. [bug] Use hmctx, not mctx when freeing rbtdb->heaps.
|
|
[RT #28571]
|
|
|
|
3303. [bug] named could die when reloading. [RT #28606]
|
|
|
|
3302. [bug] dns_dnssec_findmatchingkeys could fail to find
|
|
keys if the zone name contained character that
|
|
required special mappings. [RT #28600]
|
|
|
|
3301. [contrib] Update queryperf to build on darwin. Add -R flag
|
|
for non-recursive queries. [RT #28565]
|
|
|
|
3300. [bug] Named could die if gssapi was enabled in named.conf
|
|
but was not compiled in. [RT #28338]
|
|
|
|
3299. [bug] Make SDB handle errors from database drivers better.
|
|
[RT #28534]
|
|
|
|
3298. [bug] Named could dereference a NULL pointer in
|
|
zmgr_start_xfrin_ifquota if the zone was being removed.
|
|
[RT #28419]
|
|
|
|
3297. [bug] Named could die on a malformed master file. [RT #28467]
|
|
|
|
3296. [bug] Named could die with a INSIST failure in
|
|
client.c:exit_check. [RT #28346]
|
|
|
|
3295. [bug] Adjust isc_time_secondsastimet range check to be more
|
|
portable. [RT # 26542]
|
|
|
|
3294. [bug] isccc/cc.c:table_fromwire failed to free alist on
|
|
error. [RT #28265]
|
|
|
|
3293. [func] nsupdate: list supported type. [RT #28261]
|
|
|
|
3292. [func] Log messages in the axfr stream at debug 10.
|
|
[RT #28040]
|
|
|
|
3291. [port] Fixed a build error on systems without ENOTSUP.
|
|
[RT #28200]
|
|
|
|
3290. [bug] <isc/hmacsha.h> was not being installed. [RT #28169]
|
|
|
|
3289. [bug] 'rndc retransfer' failed for inline zones. [RT #28036]
|
|
|
|
3288. [bug] dlz_destroy() function wasn't correctly registered
|
|
by the DLZ dlopen driver. [RT #28056]
|
|
|
|
3287. [port] Update ans.pl to work with Net::DNS 0.68. [RT #28028]
|
|
|
|
3286. [bug] Managed key maintenance timer could fail to start
|
|
after 'rndc reconfig'. [RT #26786]
|
|
|
|
3285. [bug] val-frdataset was incorrectly disassociated in
|
|
proveunsecure after calling startfinddlvsep.
|
|
[RT #27928]
|
|
|
|
3284. [bug] Address race conditions with the handling of
|
|
rbtnode.deadlink. [RT #27738]
|
|
|
|
3283. [bug] Raw zones with with more than 512 records in a RRset
|
|
failed to load. [RT #27863]
|
|
|
|
3282. [bug] Restrict the TTL of NS RRset to no more than that
|
|
of the old NS RRset when replacing it.
|
|
[RT #27792] [RT #27884]
|
|
|
|
3281. [bug] SOA refresh queries could be treated as cancelled
|
|
despite succeeding over the loopback interface.
|
|
[RT #27782]
|
|
|
|
3280. [bug] Potential double free of a rdataset on out of memory
|
|
with DNS64. [RT #27762]
|
|
|
|
3279. [bug] Hold a internal reference to the zone while performing
|
|
a asynchronous load. Address potential memory leak
|
|
if the asynchronous is cancelled. [RT #27750]
|
|
|
|
3278. [bug] Make sure automatic key maintenance is started
|
|
when "auto-dnssec maintain" is turned on during
|
|
"rndc reconfig". [RT #26805]
|
|
|
|
3277. [bug] win32: isc_socket_dup is not implemented. [RT #27696]
|
|
|
|
3276. [bug] win32: ns_os_openfile failed to return NULL on
|
|
safe_open failure. [RT #27696]
|
|
|
|
3275. [bug] Corrected rndc -h output; the 'rndc sync -clean'
|
|
option had been misspelled as '-clear'. (To avoid
|
|
future confusion, both options now work.) [RT #27173]
|
|
|
|
3274. [placeholder]
|
|
|
|
3273. [bug] AAAA responses could be returned in the additional
|
|
section even when filter-aaaa-on-v4 was in use.
|
|
[RT #27292]
|
|
|
|
3272. [func] New "rndc zonestatus" command prints information
|
|
about the specified zone. [RT #21671]
|
|
|
|
3271. [port] darwin: mksymtbl is not always stable, loop several
|
|
times before giving up. mksymtbl was using non
|
|
portable perl to covert 64 bit hex strings. [RT #27653]
|
|
|
|
--- 9.9.0rc2 released ---
|
|
|
|
3270. [bug] "rndc reload" didn't reuse existing zones correctly
|
|
when inline-signing was in use. [RT #27650]
|
|
|
|
3269. [port] darwin 11 and later now built threaded by default.
|
|
|
|
3268. [bug] Convert RRSIG expiry times to 64 timestamps to work
|
|
out the earliest expiry time. [RT #23311]
|
|
|
|
3267. [bug] Memory allocation failures could be mis-reported as
|
|
unexpected error. New ISC_R_UNSET result code.
|
|
[RT #27336]
|
|
|
|
3266. [bug] The maximum number of NSEC3 iterations for a
|
|
DNSKEY RRset was not being properly computed.
|
|
[RT #26543]
|
|
|
|
3265. [bug] Corrected a problem with lock ordering in the
|
|
inline-signing code. [RT #27557]
|
|
|
|
3264. [bug] Automatic regeneration of signatures in an
|
|
inline-signing zone could stall when the server
|
|
was restarted. [RT #27344]
|
|
|
|
3263. [bug] "rndc sync" did not affect the unsigned side of an
|
|
inline-signing zone. [RT #27337]
|
|
|
|
3262. [bug] Signed responses were handled incorrectly by RPZ.
|
|
[RT #27316]
|
|
|
|
3261. [func] RRset ordering now defaults to random. [RT #27174]
|
|
|
|
3260. [bug] "rrset-order cyclic" could appear not to rotate
|
|
for some query patterns. [RT #27170/27185]
|
|
|
|
--- 9.9.0rc1 released ---
|
|
|
|
3259. [bug] named-compilezone: Suppress "dump zone to <file>"
|
|
message when writing to stdout. [RT #27109]
|
|
|
|
3258. [test] Add "forcing full sign with unreadable keys" test.
|
|
[RT #27153]
|
|
|
|
3257. [bug] Do not generate a error message when calling fsync()
|
|
in a pipe or socket. [RT #27109]
|
|
|
|
3256. [bug] Disable empty zones for lwresd -C. [RT #27139]
|
|
|
|
3255. [func] No longer require that a empty zones be explicitly
|
|
enabled or that a empty zone is disabled for
|
|
RFC 1918 empty zones to be configured. [RT #27139]
|
|
|
|
3254. [bug] Set isc_socket_ipv6only() on the IPv6 control channels.
|
|
[RT #22249]
|
|
|
|
3253. [bug] Return DNS_R_SYNTAX when the input to a text field is
|
|
too long. [RT #26956]
|
|
|
|
3252. [bug] When master zones using inline-signing were
|
|
updated while the server was offline, the source
|
|
zone could fall out of sync with the signed
|
|
copy. They can now resynchronize. [RT #26676]
|
|
|
|
3251. [bug] Enforce a upper bound (65535 bytes) on the amount of
|
|
memory dns_sdlz_putrr() can allocate per record to
|
|
prevent run away memory consumption on ISC_R_NOSPACE.
|
|
[RT #26956]
|
|
|
|
3250. [func] 'configure --enable-developer'; turn on various
|
|
configure options, normally off by default, that
|
|
we want developers to build and test with. [RT #27103]
|
|
|
|
3249. [bug] Update log message when saving slave zones files for
|
|
analysis after load failures. [RT #27087]
|
|
|
|
3248. [bug] Configure options --enable-fixed-rrset and
|
|
--enable-exportlib were incompatible with each
|
|
other. [RT #27087]
|
|
|
|
3247. [bug] 'raw' format zones failed to preserve load order
|
|
breaking 'fixed' sort order. [RT #27087]
|
|
|
|
3246. [bug] Named failed to start with a empty also-notify list.
|
|
[RT #27087]
|
|
|
|
3245. [bug] Don't report a error unchanged serials unless there
|
|
were other changes when thawing a zone with
|
|
ixfr-fromdifferences. [RT #26845]
|
|
|
|
3244. [func] Added readline support to nslookup and nsupdate.
|
|
Also simplified nsupdate syntax to make "update"
|
|
and "prereq" optional. [RT #24659]
|
|
|
|
3243. [port] freebsd,netbsd,bsdi: the thread defaults were not
|
|
being properly set.
|
|
|
|
3242. [func] Extended the header of raw-format master files to
|
|
include the serial number of the zone from which
|
|
they were generated, if different (as in the case
|
|
of inline-signing zones). This is to be used in
|
|
inline-signing zones, to track changes between the
|
|
unsigned and signed versions of the zone, which may
|
|
have different serial numbers.
|
|
|
|
(Note: raw zonefiles generated by this version of
|
|
BIND are no longer compatible with prior versions.
|
|
To generate a backward-compatible raw zonefile
|
|
using dnssec-signzone or named-compilezone, specify
|
|
output format "raw=0" instead of simply "raw".)
|
|
[RT #26587]
|
|
|
|
3241. [bug] Address race conditions in the resolver code.
|
|
[RT #26889]
|
|
|
|
3240. [bug] DNSKEY state change events could be missed. [RT #26874]
|
|
|
|
3239. [bug] dns_dnssec_findmatchingkeys needs to use a consistent
|
|
timestamp. [RT #26883]
|
|
|
|
3238. [bug] keyrdata was not being reinitialized in
|
|
lib/dns/rbtdb.c:iszonesecure. [RT #26913]
|
|
|
|
3237. [bug] dig -6 didn't work with +trace. [RT #26906]
|
|
|
|
3236. [bug] Backed out changes #3182 and #3202, related to
|
|
EDNS(0) fallback behavior. [RT #26416]
|
|
|
|
3235. [func] dns_db_diffx, a extended dns_db_diff which returns
|
|
the generated diff and optionally writes it to a
|
|
journal. [RT #26386]
|
|
|
|
3234. [bug] 'make depend' produced invalid makefiles. [RT #26830]
|
|
|
|
3233. [bug] 'rndc freeze/thaw' didn't work for inline zones.
|
|
[RT #26632]
|
|
|
|
3232. [bug] Zero zone->curmaster before return in
|
|
dns_zone_setmasterswithkeys(). [RT #26732]
|
|
|
|
3231. [bug] named could fail to send a incompressible zone.
|
|
[RT #26796]
|
|
|
|
3230. [bug] 'dig axfr' failed to properly handle a multi-message
|
|
axfr with a serial of 0. [RT #26796]
|
|
|
|
3229. [bug] Fix local variable to struct var assignment
|
|
found by CLANG warning.
|
|
|
|
3228. [tuning] Dynamically grow symbol table to improve zone
|
|
loading performance. [RT #26523]
|
|
|
|
3227. [bug] Interim fix to make WKS's use of getprotobyname()
|
|
and getservbyname() self thread safe. [RT #26232]
|
|
|
|
3226. [bug] Address minor resource leakages. [RT #26624]
|
|
|
|
3225. [bug] Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
|
|
messages. [RT #26507]
|
|
|
|
3224. [bug] 'rndc signing' argument parsing was broken. [RT #26684]
|
|
|
|
3223. [bug] 'task_test privilege_drop' generated false positives.
|
|
[RT #26766]
|
|
|
|
3222. [cleanup] Replace dns_journal_{get,set}_bitws with
|
|
dns_journal_{get,set}_sourceserial. [RT #26634]
|
|
|
|
3221. [bug] Fixed a potential core dump on shutdown due to
|
|
referencing fetch context after it's been freed.
|
|
[RT #26720]
|
|
|
|
--- 9.9.0b2 released ---
|
|
|
|
3220. [bug] Change #3186 was incomplete; dns_db_rpz_findips()
|
|
could fail to set the database version correctly,
|
|
causing an assertion failure. [RT #26180]
|
|
|
|
3219. [bug] Disable NOEDNS caching following a timeout.
|
|
|
|
3218. [security] Cache lookup could return RRSIG data associated with
|
|
nonexistent records, leading to an assertion
|
|
failure. [RT #26590]
|
|
|
|
3217. [cleanup] Fix build problem with --disable-static. [RT #26476]
|
|
|
|
3216. [bug] resolver.c:validated() was not thread-safe. [RT #26478]
|
|
|
|
3215. [bug] 'rndc recursing' could cause a core dump. [RT #26495]
|
|
|
|
3214. [func] Add 'named -U' option to set the number of UDP
|
|
listener threads per interface. [RT #26485]
|
|
|
|
3213. [doc] Clarify ixfr-from-differences behavior. [RT #25188]
|
|
|
|
3212. [bug] rbtdb.c: failed to remove a node from the deadnodes
|
|
list prior to adding a reference to it leading a
|
|
possible assertion failure. [RT #23219]
|
|
|
|
3211. [func] dnssec-signzone: "-f -" prints to stdout; "-O full"
|
|
option prints in single-line-per-record format.
|
|
[RT #20287]
|
|
|
|
3210. [bug] Canceling the oldest query due to recursive-client
|
|
overload could trigger an assertion failure. [RT #26463]
|
|
|
|
3209. [func] Add "dnssec-lookaside 'no'". [RT #24858]
|
|
|
|
3208. [bug] 'dig -y' handle unknown tsig algorithm better.
|
|
[RT #25522]
|
|
|
|
3207. [contrib] Fixed build error in Berkeley DB DLZ module. [RT #26444]
|
|
|
|
3206. [cleanup] Add ISC information to log at start time. [RT #25484]
|
|
|
|
3205. [func] Upgrade dig's defaults to better reflect modern
|
|
nameserver behavior. Enable "dig +adflag" and
|
|
"dig +edns=0" by default. Enable "+dnssec" when
|
|
running "dig +trace". [RT #23497]
|
|
|
|
3204. [bug] When a master server that has been marked as
|
|
unreachable sends a NOTIFY, mark it reachable
|
|
again. [RT #25960]
|
|
|
|
3203. [bug] Increase log level to 'info' for validation failures
|
|
from expired or not-yet-valid RRSIGs. [RT #21796]
|
|
|
|
3202. [bug] NOEDNS caching on timeout was too aggressive.
|
|
[RT #26416]
|
|
|
|
3201. [func] 'rndc querylog' can now be given an on/off parameter
|
|
instead of only being used as a toggle. [RT #18351]
|
|
|
|
3200. [doc] Some rndc functions were undocumented or were
|
|
missing from 'rndc -h' output. [RT #25555]
|
|
|
|
3199. [func] When logging client information, include the name
|
|
being queried. [RT #25944]
|
|
|
|
3198. [doc] Clarified that dnssec-settime can alter keyfile
|
|
permissions. [RT #24866]
|
|
|
|
3197. [bug] Don't try to log the filename and line number when
|
|
the config parser can't open a file. [RT #22263]
|
|
|
|
3196. [bug] nsupdate: return nonzero exit code when target zone
|
|
doesn't exist. [RT #25783]
|
|
|
|
3195. [cleanup] Silence "file not found" warnings when loading
|
|
managed-keys zone. [RT #26340]
|
|
|
|
3194. [doc] Updated RFC references in the 'empty-zones-enable'
|
|
documentation. [RT #25203]
|
|
|
|
3193. [cleanup] Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
|
|
dnssec.h. [RT #26415]
|
|
|
|
3192. [bug] A query structure could be used after being freed.
|
|
[RT #22208]
|
|
|
|
3191. [bug] Print NULL records using "unknown" format. [RT #26392]
|
|
|
|
3190. [bug] Underflow in error handling in isc_mutexblock_init.
|
|
[RT #26397]
|
|
|
|
3189. [test] Added a summary report after system tests. [RT #25517]
|
|
|
|
3188. [bug] zone.c:zone_refreshkeys() could fail to detach
|
|
references correctly when errors occurred, causing
|
|
a hang on shutdown. [RT #26372]
|
|
|
|
3187. [port] win32: support for Visual Studio 2008. [RT #26356]
|
|
|
|
--- 9.9.0b1 released ---
|
|
|
|
3186. [bug] Version/db mis-match in rpz code. [RT #26180]
|
|
|
|
3185. [func] New 'rndc signing' option for auto-dnssec zones:
|
|
- 'rndc signing -list' displays the current
|
|
state of signing operations
|
|
- 'rndc signing -clear' clears the signing state
|
|
records for keys that have fully signed the zone
|
|
- 'rndc signing -nsec3param' sets the NSEC3
|
|
parameters for the zone
|
|
The 'rndc keydone' syntax is removed. [RT #23729]
|
|
|
|
3184. [bug] named had excessive cpu usage when a redirect zone was
|
|
configured. [RT #26013]
|
|
|
|
3183. [bug] Added RTLD_GLOBAL flag to dlopen call. [RT #26301]
|
|
|
|
3182. [bug] Auth servers behind firewalls which block packets
|
|
greater than 512 bytes may cause other servers to
|
|
perform poorly. Now, adb retains edns information
|
|
and caches noedns servers. [RT #23392/24964]
|
|
|
|
3181. [func] Inline-signing is now supported for master zones.
|
|
[RT #26224]
|
|
|
|
3180. [func] Local copies of slave zones are now saved in raw
|
|
format by default, to improve startup performance.
|
|
'masterfile-format text;' can be used to override
|
|
the default, if desired. [RT #25867]
|
|
|
|
3179. [port] kfreebsd: build issues. [RT #26273]
|
|
|
|
3178. [bug] A race condition introduced by change #3163 could
|
|
cause an assertion failure on shutdown. [RT #26271]
|
|
|
|
3177. [func] 'rndc keydone', remove the indicator record that
|
|
named has finished signing the zone with the
|
|
corresponding key. [RT #26206]
|
|
|
|
3176. [doc] Corrected example code and added a README to the
|
|
sample external DLZ module in contrib/dlz/example.
|
|
[RT #26215]
|
|
|
|
3175. [bug] Fix how DNSSEC positive wildcard responses from a
|
|
NSEC3 signed zone are validated. Stop sending a
|
|
unnecessary NSEC3 record when generating such
|
|
responses. [RT #26200]
|
|
|
|
3174. [bug] Always compute to revoked key tag from scratch.
|
|
[RT #26186]
|
|
|
|
3173. [port] Correctly validate root DS responses. [RT #25726]
|
|
|
|
3172. [port] darwin 10.* and freebsd [89] are now built threaded by
|
|
default.
|
|
|
|
3171. [bug] Exclusively lock the task when adding a zone using
|
|
'rndc addzone'. [RT #25600]
|
|
|
|
--- 9.9.0a3 released ---
|
|
|
|
3170. [func] RPZ update:
|
|
- fix precedence among competing rules
|
|
- improve ARM text including documenting rule precedence
|
|
- try to rewrite CNAME chains until first hit
|
|
- new "rpz" logging channel
|
|
- RDATA for CNAME rules can include wildcards
|
|
- replace "NO-OP" named.conf policy override with
|
|
"PASSTHRU" and add "DISABLED" override ("NO-OP"
|
|
is still recognized)
|
|
[RT #25172]
|
|
|
|
3169. [func] Catch db/version mis-matches when calling dns_db_*().
|
|
[RT #26017]
|
|
|
|
3168. [bug] Nxdomain redirection could trigger an assert with
|
|
a ANY query. [RT #26017]
|
|
|
|
3167. [bug] Negative answers from forwarders were not being
|
|
correctly tagged making them appear to not be cached.
|
|
[RT #25380]
|
|
|
|
3166. [bug] Upgrading a zone to support inline-signing failed.
|
|
[RT #26014]
|
|
|
|
3165. [bug] dnssec-signzone could generate new signatures when
|
|
resigning, even when valid signatures were already
|
|
present. [RT #26025]
|
|
|
|
3164. [func] Enable DLZ modules to retrieve client information,
|
|
so that responses can be changed depending on the
|
|
source address of the query. [RT #25768]
|
|
|
|
3163. [bug] Use finer-grained locking in client.c to address
|
|
concurrency problems with large numbers of threads.
|
|
[RT #26044]
|
|
|
|
3162. [test] start.pl: modified to allow for "named.args" in
|
|
ns*/ subdirectory to override stock arguments to
|
|
named. Largely from RT #26044, but no separate ticket.
|
|
|
|
3161. [bug] zone.c:del_sigs failed to always reset rdata leading
|
|
assertion failures. [RT #25880]
|
|
|
|
3160. [bug] When printing out a NSEC3 record in multiline form
|
|
the newline was not being printed causing type codes
|
|
to be run together. [RT #25873]
|
|
|
|
3159. [bug] On some platforms, named could assert on startup
|
|
when running in a chrooted environment without
|
|
/proc. [RT #25863]
|
|
|
|
3158. [bug] Recursive servers would prefer a particular UDP
|
|
socket instead of using all available sockets.
|
|
[RT #26038]
|
|
|
|
3157. [tuning] Reduce the time spent in "rndc reconfig" by parsing
|
|
the config file before pausing the server. [RT #21373]
|
|
|
|
3156. [placeholder]
|
|
|
|
--- 9.9.0a2 released ---
|
|
|
|
3155. [bug] Fixed a build failure when using contrib DLZ
|
|
drivers (e.g., mysql, postgresql, etc). [RT #25710]
|
|
|
|
3154. [bug] Attempting to print an empty rdataset could trigger
|
|
an assert. [RT #25452]
|
|
|
|
3153. [func] Extend request-ixfr to zone level and remove the
|
|
side effect of forcing an AXFR. [RT #25156]
|
|
|
|
3152. [cleanup] Some versions of gcc and clang failed due to
|
|
incorrect use of __builtin_expect. [RT #25183]
|
|
|
|
3151. [bug] Queries for type RRSIG or SIG could be handled
|
|
incorrectly. [RT #21050]
|
|
|
|
3150. [func] Improved startup and reconfiguration time by
|
|
enabling zones to load in multiple threads. [RT #25333]
|
|
|
|
3149. [placeholder]
|
|
|
|
3148. [bug] Processing of normal queries could be stalled when
|
|
forwarding a UPDATE message. [RT #24711]
|
|
|
|
3147. [func] Initial inline signing support. [RT #23657]
|
|
|
|
--- 9.9.0a1 released ---
|
|
|
|
3146. [test] Fixed gcc4.6.0 errors in ATF. [RT #25598]
|
|
|
|
3145. [test] Capture output of ATF unit tests in "./atf.out" if
|
|
there were any errors while running them. [RT #25527]
|
|
|
|
3144. [bug] dns_dbiterator_seek() could trigger an assert when
|
|
used with a nonexistent database node. [RT #25358]
|
|
|
|
3143. [bug] Silence clang compiler warnings. [RT #25174]
|
|
|
|
3142. [bug] NAPTR is class agnostic. [RT #25429]
|
|
|
|
3141. [bug] Silence spurious "zone serial (0) unchanged" messages
|
|
associated with empty zones. [RT #25079]
|
|
|
|
3140. [func] New command "rndc flushtree <name>" clears the
|
|
specified name from the server cache along with
|
|
all names under it. [RT #19970]
|
|
|
|
3139. [test] Added tests from RFC 6234, RFC 2202, and RFC 1321
|
|
for the hashing algorithms (md5, sha1 - sha512, and
|
|
their hmac counterparts). [RT #25067]
|
|
|
|
3138. [bug] Address memory leaks and out-of-order operations when
|
|
shutting named down. [RT #25210]
|
|
|
|
3137. [func] Improve hardware scalability by allowing multiple
|
|
worker threads to process incoming UDP packets.
|
|
This can significantly increase query throughput
|
|
on some systems. [RT #22992]
|
|
|
|
3136. [func] Add RFC 1918 reverse zones to the list of built-in
|
|
empty zones switched on by the 'empty-zones-enable'
|
|
option. [RT #24990]
|
|
|
|
3135. [port] FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
|
|
See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
|
|
[RT #24950]
|
|
|
|
3134. [bug] Improve the accuracy of dnssec-signzone's signing
|
|
statistics. [RT #16030]
|
|
|
|
3133. [bug] Change #3114 was incomplete. [RT #24577]
|
|
|
|
3132. [placeholder]
|
|
|
|
3131. [tuning] Improve scalability by allocating one zone task
|
|
per 100 zones at startup time, rather than using a
|
|
fixed-size task table. [RT #24406]
|
|
|
|
3130. [func] Support alternate methods for managing a dynamic
|
|
zone's serial number. Two methods are currently
|
|
defined using serial-update-method, "increment"
|
|
(default) and "unixtime". [RT #23849]
|
|
|
|
3129. [bug] Named could crash on 'rndc reconfig' when
|
|
allow-new-zones was set to yes and named ACLs
|
|
were used. [RT #22739]
|
|
|
|
3128. [func] Inserting an NSEC3PARAM via dynamic update in an
|
|
auto-dnssec zone that has not been signed yet
|
|
will cause it to be signed with the specified NSEC3
|
|
parameters when keys are activated. The
|
|
NSEC3PARAM record will not appear in the zone until
|
|
it is signed, but the parameters will be stored.
|
|
[RT #23684]
|
|
|
|
3127. [bug] 'rndc thaw' will now remove a zone's journal file
|
|
if the zone serial number has been changed and
|
|
ixfr-from-differences is not in use. [RT #24687]
|
|
|
|
3126. [security] Using DNAME record to generate replacements caused
|
|
RPZ to exit with a assertion failure. [RT #24766]
|
|
|
|
3125. [security] Using wildcard CNAME records as a replacement with
|
|
RPZ caused named to exit with a assertion failure.
|
|
[RT #24715]
|
|
|
|
3124. [bug] Use an rdataset attribute flag to indicate
|
|
negative-cache records rather than using rrtype 0;
|
|
this will prevent problems when that rrtype is
|
|
used in actual DNS packets. [RT #24777]
|
|
|
|
3123. [security] Change #2912 exposed a latent flaw in
|
|
dns_rdataset_totext() that could cause named to
|
|
crash with an assertion failure. [RT #24777]
|
|
|
|
3122. [cleanup] dnssec-settime: corrected usage message. [RT #24664]
|
|
|
|
3121. [security] An authoritative name server sending a negative
|
|
response containing a very large RRset could
|
|
trigger an off-by-one error in the ncache code
|
|
and crash named. [RT #24650]
|
|
|
|
3120. [bug] Named could fail to validate zones listed in a DLV
|
|
that validated insecure without using DLV and had
|
|
DS records in the parent zone. [RT #24631]
|
|
|
|
3119. [bug] When rolling to a new DNSSEC key, a private-type
|
|
record could be created and never marked complete.
|
|
[RT #23253]
|
|
|
|
3118. [bug] nsupdate could dump core on shutdown when using
|
|
SIG(0) keys. [RT #24604]
|
|
|
|
3117. [cleanup] Remove doc and parser references to the
|
|
never-implemented 'auto-dnssec create' option.
|
|
[RT #24533]
|
|
|
|
3116. [func] New 'dnssec-update-mode' option controls updates
|
|
of DNSSEC records in signed dynamic zones. Set to
|
|
'no-resign' to disable automatic RRSIG regeneration
|
|
while retaining the ability to sign new or changed
|
|
data. [RT #24533]
|
|
|
|
3115. [bug] Named could fail to return requested data when
|
|
following a CNAME that points into the same zone.
|
|
[RT #24455]
|
|
|
|
3114. [bug] Retain expired RRSIGs in dynamic zones if key is
|
|
inactive and there is no replacement key. [RT #23136]
|
|
|
|
3113. [doc] Document the relationship between serial-query-rate
|
|
and NOTIFY messages.
|
|
|
|
3112. [doc] Add missing descriptions of the update policy name
|
|
types "ms-self", "ms-subdomain", "krb5-self" and
|
|
"krb5-subdomain", which allow machines to update
|
|
their own records, to the BIND 9 ARM.
|
|
|
|
3111. [bug] Improved consistency checks for dnssec-enable and
|
|
dnssec-validation, added test cases to the
|
|
checkconf system test. [RT #24398]
|
|
|
|
3110. [bug] dnssec-signzone: Wrong error message could appear
|
|
when attempting to sign with no KSK. [RT #24369]
|
|
|
|
3109. [func] The also-notify option now uses the same syntax
|
|
as a zone's masters clause. This means it is
|
|
now possible to specify a TSIG key to use when
|
|
sending notifies to a given server, or to include
|
|
an explicit named masters list in an also-notify
|
|
statement. [RT #23508]
|
|
|
|
3108. [cleanup] dnssec-signzone: Clarified some error and
|
|
warning messages; removed #ifdef ALLOW_KSKLESS_ZONES
|
|
code (use -P instead). [RT #20852]
|
|
|
|
3107. [bug] dnssec-signzone: Report the correct number of ZSKs
|
|
when using -x. [RT #20852]
|
|
|
|
3106. [func] When logging client requests, include the name of
|
|
the TSIG key if any. [RT #23619]
|
|
|
|
3105. [bug] GOST support can be suppressed by "configure
|
|
--without-gost" [RT #24367]
|
|
|
|
3104. [bug] Better support for cross-compiling. [RT #24367]
|
|
|
|
3103. [bug] Configuring 'dnssec-validation auto' in a view
|
|
instead of in the options statement could trigger
|
|
an assertion failure in named-checkconf. [RT #24382]
|
|
|
|
3102. [func] New 'dnssec-loadkeys-interval' option configures
|
|
how often, in minutes, to check the key repository
|
|
for updates when using automatic key maintenance.
|
|
Default is every 60 minutes (formerly hard-coded
|
|
to 12 hours). [RT #23744]
|
|
|
|
3101. [bug] Zones using automatic key maintenance could fail
|
|
to check the key repository for updates. [RT #23744]
|
|
|
|
3100. [security] Certain response policy zone configurations could
|
|
trigger an INSIST when receiving a query of type
|
|
RRSIG. [RT #24280]
|
|
|
|
3099. [test] "dlz" system test now runs but gives R:SKIPPED if
|
|
not compiled with --with-dlz-filesystem. [RT #24146]
|
|
|
|
3098. [bug] DLZ zones were answering without setting the AA bit.
|
|
[RT #24146]
|
|
|
|
3097. [test] Add a tool to test handling of malformed packets.
|
|
[RT #24096]
|
|
|
|
3096. [bug] Set KRB5_KTNAME before calling log_cred() in
|
|
dst_gssapi_acceptctx(). [RT #24004]
|
|
|
|
3095. [bug] Handle isolated reserved ports in the port range.
|
|
[RT #23957]
|
|
|
|
3094. [doc] Expand dns64 documentation.
|
|
|
|
3093. [bug] Fix gssapi/kerberos dependencies [RT #23836]
|
|
|
|
3092. [bug] Signatures for records at the zone apex could go
|
|
stale due to an incorrect timer setting. [RT #23769]
|
|
|
|
3091. [bug] Fixed a bug in which zone keys that were published
|
|
and then subsequently activated could fail to trigger
|
|
automatic signing. [RT #22911]
|
|
|
|
3090. [func] Make --with-gssapi default [RT #23738]
|
|
|
|
3089. [func] dnssec-dsfromkey now supports reading keys from
|
|
standard input "dnssec-dsfromkey -f -". [RT #20662]
|
|
|
|
3088. [bug] Remove bin/tests/system/logfileconfig/ns1/named.conf
|
|
and add setup.sh in order to resolve changing
|
|
named.conf issue. [RT #23687]
|
|
|
|
3087. [bug] DDNS updates using SIG(0) with update-policy match
|
|
type "external" could cause a crash. [RT #23735]
|
|
|
|
3086. [bug] Running dnssec-settime -f on an old-style key will
|
|
now force an update to the new key format even if no
|
|
other change has been specified, using "-P now -A now"
|
|
as default values. [RT #22474]
|
|
|
|
3085. [func] New '-R' option in dnssec-signzone forces removal
|
|
of signatures which have not yet expired but
|
|
were generated by a key that no longer exists.
|
|
[RT #22471]
|
|
|
|
3084. [func] A new command "rndc sync" dumps pending changes in
|
|
a dynamic zone to disk; "rndc sync -clean" also
|
|
removes the journal file after syncing. Also,
|
|
"rndc freeze" no longer removes journal files.
|
|
[RT #22473]
|
|
|
|
3083. [bug] NOTIFY messages were not being sent when generating
|
|
a NSEC3 chain incrementally. [RT #23702]
|
|
|
|
3082. [port] strtok_r is threads only. [RT #23747]
|
|
|
|
3081. [bug] Failure of DNAME substitution did not return
|
|
YXDOMAIN. [RT #23591]
|
|
|
|
3080. [cleanup] Replaced compile time constant by STDTIME_ON_32BITS.
|
|
[RT #23587]
|
|
|
|
3079. [bug] Handle isc_event_allocate failures in t_tasks.
|
|
[RT #23572]
|
|
|
|
3078. [func] Added a new include file with function typedefs
|
|
for the DLZ "dlopen" driver. [RT #23629]
|
|
|
|
3077. [bug] zone.c:zone_refreshkeys() incorrectly called
|
|
dns_zone_attach(), use zone->irefs instead. [RT #23303]
|
|
|
|
3076. [func] New '-L' option in dnssec-keygen, dnsset-settime, and
|
|
dnssec-keyfromlabel sets the default TTL of the
|
|
key. When possible, automatic signing will use that
|
|
TTL when the key is published. [RT #23304]
|
|
|
|
3075. [bug] dns_dnssec_findzonekeys{2} used a inconsistent
|
|
timestamp when determining which keys are active.
|
|
[RT #23642]
|
|
|
|
3074. [bug] Make the adb cache read through for zone data and
|
|
glue learn for zone named is authoritative for.
|
|
[RT #22842]
|
|
|
|
3073. [bug] managed-keys changes were not properly being recorded.
|
|
[RT #20256]
|
|
|
|
3072. [bug] dns_dns64_aaaaok() potential NULL pointer dereference.
|
|
[RT #20256]
|
|
|
|
3071. [bug] has_nsec could be used uninitialized in
|
|
update.c:next_active. [RT #20256]
|
|
|
|
3070. [bug] dnssec-signzone potential NULL pointer dereference.
|
|
[RT #20256]
|
|
|
|
3069. [cleanup] Silence warnings messages from clang static analysis.
|
|
[RT #20256]
|
|
|
|
3068. [bug] Named failed to build with a OpenSSL without engine
|
|
support. [RT #23473]
|
|
|
|
3067. [bug] ixfr-from-differences {master|slave}; failed to
|
|
select the master/slave zones. [RT #23580]
|
|
|
|
3066. [func] The DLZ "dlopen" driver is now built by default,
|
|
no longer requiring a configure option. To
|
|
disable it, use "configure --without-dlopen".
|
|
Driver also supported on win32. [RT #23467]
|
|
|
|
3065. [bug] RRSIG could have time stamps too far in the future.
|
|
[RT #23356]
|
|
|
|
3064. [bug] powerpc: add sync instructions to the end of atomic
|
|
operations. [RT #23469]
|
|
|
|
3063. [contrib] More verbose error reporting from DLZ LDAP. [RT #23402]
|
|
|
|
3062. [func] Made several changes to enhance human readability
|
|
of DNSSEC data in dig output and in generated
|
|
zone files:
|
|
- DNSKEY record comments are more verbose, no
|
|
longer used in multiline mode only
|
|
- multiline RRSIG records reformatted
|
|
- multiline output mode for NSEC3PARAM records
|
|
- "dig +norrcomments" suppresses DNSKEY comments
|
|
- "dig +split=X" breaks hex/base64 records into
|
|
fields of width X; "dig +nosplit" disables this.
|
|
[RT #22820]
|
|
|
|
3061. [func] New option "dnssec-signzone -D", only write out
|
|
generated DNSSEC records. [RT #22896]
|
|
|
|
3060. [func] New option "dnssec-signzone -X <date>" allows
|
|
specification of a separate expiration date
|
|
for DNSKEY RRSIGs and other RRSIGs. [RT #22141]
|
|
|
|
3059. [test] Added a regression test for change #3023.
|
|
|
|
3058. [bug] Cause named to terminate at startup or rndc reconfig/
|
|
reload to fail, if a log file specified in the conf
|
|
file isn't a plain file. [RT #22771]
|
|
|
|
3057. [bug] "rndc secroots" would abort after the first error
|
|
and so could miss some views. [RT #23488]
|
|
|
|
3056. [func] Added support for URI resource record. [RT #23386]
|
|
|
|
3055. [placeholder]
|
|
|
|
3054. [bug] Added elliptic curve support check in
|
|
GOST OpenSSL engine detection. [RT #23485]
|
|
|
|
3053. [bug] Under a sustained high query load with a finite
|
|
max-cache-size, it was possible for cache memory
|
|
to be exhausted and not recovered. [RT #23371]
|
|
|
|
3052. [test] Fixed last autosign test report. [RT #23256]
|
|
|
|
3051. [bug] NS records obscure DNAME records at the bottom of the
|
|
zone if both are present. [RT #23035]
|
|
|
|
3050. [bug] The autosign system test was timing dependent.
|
|
Wait for the initial autosigning to complete
|
|
before running the rest of the test. [RT #23035]
|
|
|
|
3049. [bug] Save and restore the gid when creating creating
|
|
named.pid at startup. [RT #23290]
|
|
|
|
3048. [bug] Fully separate view key management. [RT #23419]
|
|
|
|
3047. [bug] DNSKEY NODATA responses not cached fixed in
|
|
validator.c. Tests added to dnssec system test.
|
|
[RT #22908]
|
|
|
|
3046. [bug] Use RRSIG original TTL to compute validated RRset
|
|
and RRSIG TTL. [RT #23332]
|
|
|
|
3045. [removed] Replaced by change #3050.
|
|
|
|
3044. [bug] Hold the socket manager lock while freeing the socket.
|
|
[RT #23333]
|
|
|
|
3043. [test] Merged in the NetBSD ATF test framework (currently
|
|
version 0.12) for development of future unit tests.
|
|
Use configure --with-atf to build ATF internally
|
|
or configure --with-atf=prefix to use an external
|
|
copy. [RT #23209]
|
|
|
|
3042. [bug] dig +trace could fail attempting to use IPv6
|
|
addresses on systems with only IPv4 connectivity.
|
|
[RT #23297]
|
|
|
|
3041. [bug] dnssec-signzone failed to generate new signatures on
|
|
ttl changes. [RT #23330]
|
|
|
|
3040. [bug] Named failed to validate insecure zones where a node
|
|
with a CNAME existed between the trust anchor and the
|
|
top of the zone. [RT #23338]
|
|
|
|
3039. [func] Redirect on NXDOMAIN support. [RT #23146]
|
|
|
|
3038. [bug] Install <dns/rpz.h>. [RT #23342]
|
|
|
|
3037. [doc] Update COPYRIGHT to contain all the individual
|
|
copyright notices that cover various parts.
|
|
|
|
3036. [bug] Check built-in zone arguments to see if the zone
|
|
is re-usable or not. [RT #21914]
|
|
|
|
3035. [cleanup] Simplify by using strlcpy. [RT #22521]
|
|
|
|
3034. [cleanup] nslookup: use strlcpy instead of safecopy. [RT #22521]
|
|
|
|
3033. [cleanup] Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).
|
|
[RT #22521]
|
|
|
|
3032. [bug] rdatalist.c: add missing REQUIREs. [RT #22521]
|
|
|
|
3031. [bug] dns_rdataclass_format() handle a zero sized buffer.
|
|
[RT #22521]
|
|
|
|
3030. [bug] dns_rdatatype_format() handle a zero sized buffer.
|
|
[RT #22521]
|
|
|
|
3029. [bug] isc_netaddr_format() handle a zero sized buffer.
|
|
[RT #22521]
|
|
|
|
3028. [bug] isc_sockaddr_format() handle a zero sized buffer.
|
|
[RT #22521]
|
|
|
|
3027. [bug] Add documented REQUIREs to cfg_obj_asnetprefix() to
|
|
catch NULL pointer dereferences before they happen.
|
|
[RT #22521]
|
|
|
|
3026. [bug] lib/isc/httpd.c: check that we have enough space
|
|
after calling grow_headerspace() and if not
|
|
re-call grow_headerspace() until we do. [RT #22521]
|
|
|
|
3025. [bug] Fixed a possible deadlock due to zone resigning.
|
|
[RT #22964]
|
|
|
|
3024. [func] RTT Banding removed due to minor security increase
|
|
but major impact on resolver latency. [RT #23310]
|
|
|
|
3023. [bug] Named could be left in an inconsistent state when
|
|
receiving multiple AXFR response messages that were
|
|
not all TSIG-signed. [RT #23254]
|
|
|
|
3022. [bug] Fixed rpz SERVFAILs after failed zone transfers
|
|
[RT #23246]
|
|
|
|
3021. [bug] Change #3010 was incomplete. [RT #22296]
|
|
|
|
3020. [bug] auto-dnssec failed to correctly update the zone when
|
|
changing the DNSKEY RRset. [RT #23232]
|
|
|
|
3019. [test] Test: check apex NSEC3 records after adding DNSKEY
|
|
record via UPDATE. [RT #23229]
|
|
|
|
3018. [bug] Named failed to check for the "none;" acl when deciding
|
|
if a zone may need to be re-signed. [RT #23120]
|
|
|
|
3017. [doc] dnssec-keyfromlabel -I was not properly documented.
|
|
[RT #22887]
|
|
|
|
3016. [bug] rndc usage missing '-b'. [RT #22937]
|
|
|
|
3015. [port] win32: fix IN6_IS_ADDR_LINKLOCAL and
|
|
IN6_IS_ADDR_SITELOCAL macros. [RT #22724]
|
|
|
|
3014. [placeholder]
|
|
|
|
3013. [bug] The DNS64 ttl was not always being set as expected.
|
|
[RT #23034]
|
|
|
|
3012. [bug] Remove DNSKEY TTL change pairs before generating
|
|
signing records for any remaining DNSKEY changes.
|
|
[RT #22590]
|
|
|
|
3011. [func] Change the default query timeout from 30 seconds
|
|
to 10. Allow setting this in named.conf using the new
|
|
'resolver-query-timeout' option, which specifies a max
|
|
time in seconds. 0 means 'default' and anything longer
|
|
than 30 will be silently set to 30. [RT #22852]
|
|
|
|
3010. [bug] Fixed a bug where "rndc reconfig" stopped the timer
|
|
for refreshing managed-keys. [RT #22296]
|
|
|
|
3009. [bug] clients-per-query code didn't work as expected with
|
|
particular query patterns. [RT #22972]
|
|
|
|
--- 9.8.0b1 released ---
|
|
|
|
3008. [func] Response policy zones (RPZ) support. [RT #21726]
|
|
|
|
3007. [bug] Named failed to preserve the case of domain names in
|
|
rdata which is not compressible when writing master
|
|
files. [RT #22863]
|
|
|
|
3006. [func] Allow dynamically generated TSIG keys to be preserved
|
|
across restarts of named. Initially this is for
|
|
TSIG keys generated using GSSAPI. [RT #22639]
|
|
|
|
3005. [port] Solaris: Work around the lack of
|
|
gsskrb5_register_acceptor_identity() by setting
|
|
the KRB5_KTNAME environment variable to the
|
|
contents of tkey-gssapi-keytab. Also fixed
|
|
test errors on MacOSX. [RT #22853]
|
|
|
|
3004. [func] DNS64 reverse support. [RT #22769]
|
|
|
|
3003. [experimental] Added update-policy match type "external",
|
|
enabling named to defer the decision of whether to
|
|
allow a dynamic update to an external daemon.
|
|
(Contributed by Andrew Tridgell.) [RT #22758]
|
|
|
|
3002. [bug] isc_mutex_init_errcheck() failed to destroy attr.
|
|
[RT #22766]
|
|
|
|
3001. [func] Added a default trust anchor for the root zone, which
|
|
can be switched on by setting "dnssec-validation auto;"
|
|
in the named.conf options. [RT #21727]
|
|
|
|
3000. [bug] More TKEY/GSS fixes:
|
|
- nsupdate can now get the default realm from
|
|
the user's Kerberos principal
|
|
- corrected gsstest compilation flags
|
|
- improved documentation
|
|
- fixed some NULL dereferences
|
|
[RT #22795]
|
|
|
|
2999. [func] Add GOST support (RFC 5933). [RT #20639]
|
|
|
|
2998. [func] Add isc_task_beginexclusive and isc_task_endexclusive
|
|
to the task api. [RT #22776]
|
|
|
|
2997. [func] named -V now reports the OpenSSL and libxml2 verions
|
|
it was compiled against. [RT #22687]
|
|
|
|
2996. [security] Temporarily disable SO_ACCEPTFILTER support.
|
|
[RT #22589]
|
|
|
|
2995. [bug] The Kerberos realm was not being correctly extracted
|
|
from the signer's identity. [RT #22770]
|
|
|
|
2994. [port] NetBSD: use pthreads by default on NetBSD >= 5.0, and
|
|
do not use threads on earlier versions. Also kill
|
|
the unproven-pthreads, mit-pthreads, and ptl2 support.
|
|
|
|
2993. [func] Dynamically grow adb hash tables. [RT #21186]
|
|
|
|
2992. [contrib] contrib/check-secure-delegation.pl: A simple tool
|
|
for looking at a secure delegation. [RT #22059]
|
|
|
|
2991. [contrib] contrib/zone-edit.sh: A simple zone editing tool for
|
|
dynamic zones. [RT #22365]
|
|
|
|
2990. [bug] 'dnssec-settime -S' no longer tests prepublication
|
|
interval validity when the interval is set to 0.
|
|
[RT #22761]
|
|
|
|
2989. [func] Added support for writable DLZ zones. (Contributed
|
|
by Andrew Tridgell of the Samba project.) [RT #22629]
|
|
|
|
2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation
|
|
of external DLZ drivers that can be loaded as
|
|
shared objects at runtime rather than linked with
|
|
named. Currently this is switched on via a
|
|
compile-time option, "configure --with-dlz-dlopen".
|
|
Note: the syntax for configuring DLZ zones
|
|
is likely to be refined in future releases.
|
|
(Contributed by Andrew Tridgell of the Samba
|
|
project.) [RT #22629]
|
|
|
|
2987. [func] Improve ease of configuring TKEY/GSS updates by
|
|
adding a "tkey-gssapi-keytab" option. If set,
|
|
updates will be allowed with any key matching
|
|
a principal in the specified keytab file.
|
|
"tkey-gssapi-credential" is no longer required
|
|
and is expected to be deprecated. (Contributed
|
|
by Andrew Tridgell of the Samba project.)
|
|
[RT #22629]
|
|
|
|
2986. [func] Add new zone type "static-stub". It's like a stub
|
|
zone, but the nameserver names and/or their IP
|
|
addresses are statically configured. [RT #21474]
|
|
|
|
2985. [bug] Add a regression test for change #2896. [RT #21324]
|
|
|
|
2984. [bug] Don't run MX checks when the target of the MX record
|
|
is ".". [RT #22645]
|
|
|
|
2983. [bug] Include "loadkeys" in rndc help output. [RT #22493]
|
|
|
|
--- 9.8.0a1 released ---
|
|
|
|
2982. [bug] Reference count dst keys. dst_key_attach() can be used
|
|
increment the reference count.
|
|
|
|
Note: dns_tsigkey_createfromkey() callers should now
|
|
always call dst_key_free() rather than setting it
|
|
to NULL on success. [RT #22672]
|
|
|
|
2981. [func] Partial DNS64 support (AAAA synthesis). [RT #21991]
|
|
|
|
2980. [bug] named didn't properly handle UPDATES that changed the
|
|
TTL of the NSEC3PARAM RRset. [RT #22363]
|
|
|
|
2979. [bug] named could deadlock during shutdown if two
|
|
"rndc stop" commands were issued at the same
|
|
time. [RT #22108]
|
|
|
|
2978. [port] hpux: look for <devpoll.h> [RT #21919]
|
|
|
|
2977. [bug] 'nsupdate -l' report if the session key is missing.
|
|
[RT #21670]
|
|
|
|
2976. [bug] named could die on exit after negotiating a GSS-TSIG
|
|
key. [RT #22573]
|
|
|
|
2975. [bug] rbtdb.c:cleanup_dead_nodes_callback() acquired the
|
|
wrong lock which could lead to server deadlock.
|
|
[RT #22614]
|
|
|
|
2974. [bug] Some valid UPDATE requests could fail due to a
|
|
consistency check examining the existing version
|
|
of the zone rather than the new version resulting
|
|
from the UPDATE. [RT #22413]
|
|
|
|
2973. [bug] bind.keys.h was being removed by the "make clean"
|
|
at the end of configure resulting in build failures
|
|
where there is very old version of perl installed.
|
|
Move it to "make maintainer-clean". [RT #22230]
|
|
|
|
2972. [bug] win32: address windows socket errors. [RT #21906]
|
|
|
|
2971. [bug] Fixed a bug that caused journal files not to be
|
|
compacted on Windows systems as a result of
|
|
non-POSIX-compliant rename() semantics. [RT #22434]
|
|
|
|
2970. [security] Adding a NO DATA negative cache entry failed to clear
|
|
any matching RRSIG records. A subsequent lookup of
|
|
of NO DATA cache entry could trigger a INSIST when the
|
|
unexpected RRSIG was also returned with the NO DATA
|
|
cache entry.
|
|
|
|
CVE-2010-3613, VU#706148. [RT #22288]
|
|
|
|
2969. [security] Fix acl type processing so that allow-query works
|
|
in options and view statements. Also add a new
|
|
set of tests to verify proper functioning.
|
|
|
|
CVE-2010-3615, VU#510208. [RT #22418]
|
|
|
|
2968. [security] Named could fail to prove a data set was insecure
|
|
before marking it as insecure. One set of conditions
|
|
that can trigger this occurs naturally when rolling
|
|
DNSKEY algorithms.
|
|
|
|
CVE-2010-3614, VU#837744. [RT #22309]
|
|
|
|
2967. [bug] 'host -D' now turns on debugging messages earlier.
|
|
[RT #22361]
|
|
|
|
2966. [bug] isc_print_vsnprintf() failed to check if there was
|
|
space available in the buffer when adding a left
|
|
justified character with a non zero width,
|
|
(e.g. "%-1c"). [RT #22270]
|
|
|
|
2965. [func] Test HMAC functions using test data from RFC 2104 and
|
|
RFC 4634. [RT #21702]
|
|
|
|
2964. [placeholder]
|
|
|
|
2963. [security] The allow-query acl was being applied instead of the
|
|
allow-query-cache acl to cache lookups. [RT #22114]
|
|
|
|
2962. [port] win32: add more dependencies to BINDBuild.dsw.
|
|
[RT #22062]
|
|
|
|
2961. [bug] Be still more selective about the non-authoritative
|
|
answers we apply change 2748 to. [RT #22074]
|
|
|
|
2960. [func] Check that named accepts non-authoritative answers.
|
|
[RT #21594]
|
|
|
|
2959. [func] Check that named starts with a missing masterfile.
|
|
[RT #22076]
|
|
|
|
2958. [bug] named failed to start with a missing master file.
|
|
[RT #22076]
|
|
|
|
2957. [bug] entropy_get() and entropy_getpseudo() failed to match
|
|
the API for RAND_bytes() and RAND_pseudo_bytes()
|
|
respectively. [RT #21962]
|
|
|
|
2956. [port] Enable atomic operations on the PowerPC64. [RT #21899]
|
|
|
|
2955. [func] Provide more detail in the recursing log. [RT #22043]
|
|
|
|
2954. [bug] contrib: dlz_mysql_driver.c bad error handling on
|
|
build_sqldbinstance failure. [RT #21623]
|
|
|
|
2953. [bug] Silence spurious "expected covering NSEC3, got an
|
|
exact match" message when returning a wildcard
|
|
no data response. [RT #21744]
|
|
|
|
2952. [port] win32: named-checkzone and named-checkconf failed
|
|
to initialize winsock. [RT #21932]
|
|
|
|
2951. [bug] named failed to generate a correct signed response
|
|
in a optout, delegation only zone with no secure
|
|
delegations. [RT #22007]
|
|
|
|
2950. [bug] named failed to perform a SOA up to date check when
|
|
falling back to TCP on UDP timeouts when
|
|
ixfr-from-differences was set. [RT #21595]
|
|
|
|
2949. [bug] dns_view_setnewzones() contained a memory leak if
|
|
it was called multiple times. [RT #21942]
|
|
|
|
2948. [port] MacOS: provide a mechanism to configure the test
|
|
interfaces at reboot. See bin/tests/system/README
|
|
for details.
|
|
|
|
2947. [placeholder]
|
|
|
|
2946. [doc] Document the default values for the minimum and maximum
|
|
zone refresh and retry values in the ARM. [RT #21886]
|
|
|
|
2945. [doc] Update empty-zones list in ARM. [RT #21772]
|
|
|
|
2944. [maint] Remove ORCHID prefix from built in empty zones.
|
|
[RT #21772]
|
|
|
|
2943. [func] Add support to load new keys into managed zones
|
|
without signing immediately with "rndc loadkeys".
|
|
Add support to link keys with "dnssec-keygen -S"
|
|
and "dnssec-settime -S". [RT #21351]
|
|
|
|
2942. [contrib] zone2sqlite failed to setup the entropy sources.
|
|
[RT #21610]
|
|
|
|
2941. [bug] sdb and sdlz (dlz's zone database) failed to support
|
|
DNAME at the zone apex. [RT #21610]
|
|
|
|
2940. [port] Remove connection aborted error message on
|
|
Windows. [RT #21549]
|
|
|
|
2939. [func] Check that named successfully skips NSEC3 records
|
|
that fail to match the NSEC3PARAM record currently
|
|
in use. [RT #21868]
|
|
|
|
2938. [bug] When generating signed responses, from a signed zone
|
|
that uses NSEC3, named would use a uninitialized
|
|
pointer if it needed to skip a NSEC3 record because
|
|
it didn't match the selected NSEC3PARAM record for
|
|
zone. [RT #21868]
|
|
|
|
2937. [bug] Worked around an apparent race condition in over
|
|
memory conditions. Without this fix a DNS cache DB or
|
|
ADB could incorrectly stay in an over memory state,
|
|
effectively refusing further caching, which
|
|
subsequently made a BIND 9 caching server unworkable.
|
|
This fix prevents this problem from happening by
|
|
polling the state of the memory context, rather than
|
|
making a copy of the state, which appeared to cause
|
|
a race. This is a "workaround" in that it doesn't
|
|
solve the possible race per se, but several experiments
|
|
proved this change solves the symptom. Also, the
|
|
polling overhead hasn't been reported to be an issue.
|
|
This bug should only affect a caching server that
|
|
specifies a finite max-cache-size. It's also quite
|
|
likely that the bug happens only when enabling threads,
|
|
but it's not confirmed yet. [RT #21818]
|
|
|
|
2936. [func] Improved configuration syntax and multiple-view
|
|
support for addzone/delzone feature (see change
|
|
#2930). Removed "new-zone-file" option, replaced
|
|
with "allow-new-zones (yes|no)". The new-zone-file
|
|
for each view is now created automatically, with
|
|
a filename generated from a hash of the view name.
|
|
It is no longer necessary to "include" the
|
|
new-zone-file in named.conf; this happens
|
|
automatically. Zones that were not added via
|
|
"rndc addzone" can no longer be removed with
|
|
"rndc delzone". [RT #19447]
|
|
|
|
2935. [bug] nsupdate: improve 'file not found' error message.
|
|
[RT #21871]
|
|
|
|
2934. [bug] Use ANSI C compliant shift range in lib/isc/entropy.c.
|
|
[RT #21871]
|
|
|
|
2933. [bug] 'dig +nsid' used stack memory after it went out of
|
|
scope. This could potentially result in a unknown,
|
|
potentially malformed, EDNS option being sent instead
|
|
of the desired NSID option. [RT #21781]
|
|
|
|
2932. [cleanup] Corrected a numbering error in the "dnssec" test.
|
|
[RT #21597]
|
|
|
|
2931. [bug] Temporarily and partially disable change 2864
|
|
because it would cause infinite attempts of RRSIG
|
|
queries. This is an urgent care fix; we'll
|
|
revisit the issue and complete the fix later.
|
|
[RT #21710]
|
|
|
|
2930. [experimental] New "rndc addzone" and "rndc delzone" commands
|
|
allow dynamic addition and deletion of zones.
|
|
To enable this feature, specify a "new-zone-file"
|
|
option at the view or options level in named.conf.
|
|
Zone configuration information for the new zones
|
|
will be written into that file. To make the new
|
|
zones persist after a restart, "include" the file
|
|
into named.conf in the appropriate view. (Note:
|
|
This feature is not yet documented, and its syntax
|
|
is expected to change.) [RT #19447]
|
|
|
|
2929. [bug] Improved handling of GSS security contexts:
|
|
- added LRU expiration for generated TSIGs
|
|
- added the ability to use a non-default realm
|
|
- added new "realm" keyword in nsupdate
|
|
- limited lifetime of generated keys to 1 hour
|
|
or the lifetime of the context (whichever is
|
|
smaller)
|
|
[RT #19737]
|
|
|
|
2928. [bug] Be more selective about the non-authoritative
|
|
answer we apply change 2748 to. [RT #21594]
|
|
|
|
2927. [placeholder]
|
|
|
|
2926. [placeholder]
|
|
|
|
2925. [bug] Named failed to accept uncachable negative responses
|
|
from insecure zones. [RT #21555]
|
|
|
|
2924. [func] 'rndc secroots' dump a combined summary of the
|
|
current managed keys combined with trusted keys.
|
|
[RT #20904]
|
|
|
|
2923. [bug] 'dig +trace' could drop core after "connection
|
|
timeout". [RT #21514]
|
|
|
|
2922. [contrib] Update zkt to version 1.0.
|
|
|
|
2921. [bug] The resolver could attempt to destroy a fetch context
|
|
too soon. [RT #19878]
|
|
|
|
2920. [func] Allow 'filter-aaaa-on-v4' to be applied selectively
|
|
to IPv4 clients. New acl 'filter-aaaa' (default any).
|
|
|
|
2919. [func] Add autosign-ksk and autosign-zsk virtual time tests.
|
|
[RT #20840]
|
|
|
|
2918. [maint] Add AAAA address for I.ROOT-SERVERS.NET.
|
|
|
|
2917. [func] Virtual time test framework. [RT #20801]
|
|
|
|
2916. [func] Add framework to use IPv6 in tests.
|
|
fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7
|
|
|
|
2915. [cleanup] Be smarter about which objects we attempt to compile
|
|
based on configure options. [RT #21444]
|
|
|
|
2914. [bug] Make the "autosign" system test more portable.
|
|
[RT #20997]
|
|
|
|
2913. [func] Add pkcs#11 system tests. [RT #20784]
|
|
|
|
2912. [func] Windows clients don't like UPDATE responses that clear
|
|
the zone section. [RT #20986]
|
|
|
|
2911. [bug] dnssec-signzone didn't handle out of zone records well.
|
|
[RT #21367]
|
|
|
|
2910. [func] Sanity check Kerberos credentials. [RT #20986]
|
|
|
|
2909. [bug] named-checkconf -p could die if "update-policy local;"
|
|
was specified in named.conf. [RT #21416]
|
|
|
|
2908. [bug] It was possible for re-signing to stop after removing
|
|
a DNSKEY. [RT #21384]
|
|
|
|
2907. [bug] The export version of libdns had undefined references.
|
|
[RT #21444]
|
|
|
|
2906. [bug] Address RFC 5011 implementation issues. [RT #20903]
|
|
|
|
2905. [port] aix: set use_atomic=yes with native compiler.
|
|
[RT #21402]
|
|
|
|
2904. [bug] When using DLV, sub-zones of the zones in the DLV,
|
|
could be incorrectly marked as insecure instead of
|
|
secure leading to negative proofs failing. This was
|
|
a unintended outcome from change 2890. [RT #21392]
|
|
|
|
2903. [bug] managed-keys-directory missing from namedconf.c.
|
|
[RT #21370]
|
|
|
|
2902. [func] Add regression test for change 2897. [RT #21040]
|
|
|
|
2901. [port] Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]
|
|
|
|
2900. [bug] The placeholder negative caching element was not
|
|
properly constructed triggering a INSIST in
|
|
dns_ncache_towire(). [RT #21346]
|
|
|
|
2899. [port] win32: Support linking against OpenSSL 1.0.0.
|
|
|
|
2898. [bug] nslookup leaked memory when -domain=value was
|
|
specified. [RT #21301]
|
|
|
|
2897. [bug] NSEC3 chains could be left behind when transitioning
|
|
to insecure. [RT #21040]
|
|
|
|
2896. [bug] "rndc sign" failed to properly update the zone
|
|
when adding a DNSKEY for publication only. [RT #21045]
|
|
|
|
2895. [func] genrandom: add support for the generation of multiple
|
|
files. [RT #20917]
|
|
|
|
2894. [contrib] DLZ LDAP support now use '$' not '%'. [RT #21294]
|
|
|
|
2893. [bug] Improve managed keys support. New named.conf option
|
|
managed-keys-directory. [RT #20924]
|
|
|
|
2892. [bug] Handle REVOKED keys better. [RT #20961]
|
|
|
|
2891. [maint] Update empty-zones list to match
|
|
draft-ietf-dnsop-default-local-zones-13. [RT #21099]
|
|
|
|
2890. [bug] Handle the introduction of new trusted-keys and
|
|
DS, DLV RRsets better. [RT #21097]
|
|
|
|
2889. [bug] Elements of the grammar where not properly reported.
|
|
[RT #21046]
|
|
|
|
2888. [bug] Only the first EDNS option was displayed. [RT #21273]
|
|
|
|
2887. [bug] Report the keytag times in UTC in the .key file,
|
|
local time is presented as a comment within the
|
|
comment. [RT #21223]
|
|
|
|
2886. [bug] ctime() is not thread safe. [RT #21223]
|
|
|
|
2885. [bug] Improve -fno-strict-aliasing support probing in
|
|
configure. [RT #21080]
|
|
|
|
2884. [bug] Insufficient validation in dns_name_getlabelsequence().
|
|
[RT #21283]
|
|
|
|
2883. [bug] 'dig +short' failed to handle really large datasets.
|
|
[RT #21113]
|
|
|
|
2882. [bug] Remove memory context from list of active contexts
|
|
before clearing 'magic'. [RT #21274]
|
|
|
|
2881. [bug] Reduce the amount of time the rbtdb write lock
|
|
is held when closing a version. [RT #21198]
|
|
|
|
2880. [cleanup] Make the output of dnssec-keygen and dnssec-revoke
|
|
consistent. [RT #21078]
|
|
|
|
2879. [contrib] DLZ bdbhpt driver fails to close correct cursor.
|
|
[RT #21106]
|
|
|
|
2878. [func] Incrementally write the master file after performing
|
|
a AXFR. [RT #21010]
|
|
|
|
2877. [bug] The validator failed to skip obviously mismatching
|
|
RRSIGs. [RT #21138]
|
|
|
|
2876. [bug] Named could return SERVFAIL for negative responses
|
|
from unsigned zones. [RT #21131]
|
|
|
|
2875. [bug] dns_time64_fromtext() could accept non digits.
|
|
[RT #21033]
|
|
|
|
2874. [bug] Cache lack of EDNS support only after the server
|
|
successfully responds to the query using plain DNS.
|
|
[RT #20930]
|
|
|
|
2873. [bug] Canceling a dynamic update via the dns/client module
|
|
could trigger an assertion failure. [RT #21133]
|
|
|
|
2872. [bug] Modify dns/client.c:dns_client_createx() to only
|
|
require one of IPv4 or IPv6 rather than both.
|
|
[RT #21122]
|
|
|
|
2871. [bug] Type mismatch in mem_api.c between the definition and
|
|
the header file, causing build failure with
|
|
--enable-exportlib. [RT #21138]
|
|
|
|
2870. [maint] Add AAAA address for L.ROOT-SERVERS.NET.
|
|
|
|
2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call.
|
|
[RT #20877]
|
|
|
|
2868. [cleanup] Run "make clean" at the end of configure to ensure
|
|
any changes made by configure are integrated.
|
|
Use --with-make-clean=no to disable. [RT #20994]
|
|
|
|
2867. [bug] Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
|
|
don't like it. [RT #20986]
|
|
|
|
2866. [bug] Windows does not like the TSIG name being compressed.
|
|
[RT #20986]
|
|
|
|
2865. [bug] memset to zero event.data. [RT #20986]
|
|
|
|
2864. [bug] Direct SIG/RRSIG queries were not handled correctly.
|
|
[RT #21050]
|
|
|
|
2863. [port] linux: disable IPv6 PMTUD and use network minimum MTU.
|
|
[RT #21056]
|
|
|
|
2862. [bug] nsupdate didn't default to the parent zone when
|
|
updating DS records. [RT #20896]
|
|
|
|
2861. [doc] dnssec-settime man pages didn't correctly document the
|
|
inactivation time. [RT #21039]
|
|
|
|
2860. [bug] named-checkconf's usage was out of date. [RT #21039]
|
|
|
|
2859. [bug] When canceling validation it was possible to leak
|
|
memory. [RT #20800]
|
|
|
|
2858. [bug] RTT estimates were not being adjusted on ICMP errors.
|
|
[RT #20772]
|
|
|
|
2857. [bug] named-checkconf did not fail on a bad trusted key.
|
|
[RT #20705]
|
|
|
|
2856. [bug] The size of a memory allocation was not always properly
|
|
recorded. [RT #20927]
|
|
|
|
2855. [func] nsupdate will now preserve the entered case of domain
|
|
names in update requests it sends. [RT #20928]
|
|
|
|
2854. [func] dig: allow the final soa record in a axfr response to
|
|
be suppressed, dig +onesoa. [RT #20929]
|
|
|
|
2853. [bug] add_sigs() could run out of scratch space. [RT #21015]
|
|
|
|
2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]
|
|
|
|
2851. [doc] nslookup.1, removed <informalexample> from the docbook
|
|
source as it produced bad nroff. [RT #21007]
|
|
|
|
2850. [bug] If isc_heap_insert() failed due to memory shortage
|
|
the heap would have corrupted entries. [RT #20951]
|
|
|
|
2849. [bug] Don't treat errors from the xml2 library as fatal.
|
|
[RT #20945]
|
|
|
|
2848. [doc] Moved README.dnssec, README.libdns, README.pkcs11 and
|
|
README.rfc5011 into the ARM. [RT #20899]
|
|
|
|
2847. [cleanup] Corrected usage message in dnssec-settime. [RT #20921]
|
|
|
|
2846. [bug] EOF on unix domain sockets was not being handled
|
|
correctly. [RT #20731]
|
|
|
|
2845. [bug] RFC 5011 client could crash on shutdown. [RT #20903]
|
|
|
|
2844. [doc] notify-delay default in ARM was wrong. It should have
|
|
been five (5) seconds.
|
|
|
|
2843. [func] Prevent dnssec-keygen and dnssec-keyfromlabel from
|
|
creating key files if there is a chance that the new
|
|
key ID will collide with an existing one after
|
|
either of the keys has been revoked. (To override
|
|
this in the case of dnssec-keyfromlabel, use the -y
|
|
option. dnssec-keygen will simply create a
|
|
different, non-colliding key, so an override is
|
|
not necessary.) [RT #20838]
|
|
|
|
2842. [func] Added "smartsign" and improved "autosign" and
|
|
"dnssec" regression tests. [RT #20865]
|
|
|
|
2841. [bug] Change 2836 was not complete. [RT #20883]
|
|
|
|
2840. [bug] Temporary fixed pkcs11-destroy usage check.
|
|
[RT #20760]
|
|
|
|
2839. [bug] A KSK revoked by named could not be deleted.
|
|
[RT #20881]
|
|
|
|
2838. [placeholder]
|
|
|
|
2837. [port] Prevent Linux spurious warnings about fwrite().
|
|
[RT #20812]
|
|
|
|
2836. [bug] Keys that were scheduled to become active could
|
|
be delayed. [RT #20874]
|
|
|
|
2835. [bug] Key inactivity dates were inadvertently stored in
|
|
the private key file with the outdated tag
|
|
"Unpublish" rather than "Inactive". This has been
|
|
fixed; however, any existing keys that had Inactive
|
|
dates set will now need to have them reset, using
|
|
'dnssec-settime -I'. [RT #20868]
|
|
|
|
2834. [bug] HMAC-SHA* keys that were longer than the algorithm
|
|
digest length were used incorrectly, leading to
|
|
interoperability problems with other DNS
|
|
implementations. This has been corrected.
|
|
(Note: If an oversize key is in use, and
|
|
compatibility is needed with an older release of
|
|
BIND, the new tool "isc-hmac-fixup" can convert
|
|
the key secret to a form that will work with all
|
|
versions.) [RT #20751]
|
|
|
|
2833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime.
|
|
[RT #20851]
|
|
|
|
2832. [bug] Modify "struct stat" in lib/export/samples/nsprobe.c
|
|
to avoid redefinition in some OSs [RT 20831]
|
|
|
|
2831. [security] Do not attempt to validate or cache
|
|
out-of-bailiwick data returned with a secure
|
|
answer; it must be re-fetched from its original
|
|
source and validated in that context. [RT #20819]
|
|
|
|
2830. [bug] Changing the OPTOUT setting could take multiple
|
|
passes. [RT #20813]
|
|
|
|
2829. [bug] Fixed potential node inconsistency in rbtdb.c.
|
|
[RT #20808]
|
|
|
|
2828. [security] Cached CNAME or DNAME RR could be returned to clients
|
|
without DNSSEC validation. [RT #20737]
|
|
|
|
2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
|
|
|
|
2826. [bug] NSEC3->NSEC transitions could fail due to a lock not
|
|
being released. [RT #20740]
|
|
|
|
2825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that
|
|
was in the process of being created was not properly
|
|
recorded in the zone. [RT #20786]
|
|
|
|
2824. [bug] "rndc sign" was not being run by the correct task.
|
|
[RT #20759]
|
|
|
|
2823. [bug] rbtdb.c:getsigningtime() was missing locks. [RT #20781]
|
|
|
|
2822. [bug] rbtdb.c:loadnode() could return the wrong result.
|
|
[RT #20802]
|
|
|
|
2821. [doc] Add note that named-checkconf doesn't automatically
|
|
read rndc.key and bind.keys [RT #20758]
|
|
|
|
2820. [func] Handle read access failure of OpenSSL configuration
|
|
file more user friendly (PKCS#11 engine patch).
|
|
[RT #20668]
|
|
|
|
2819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define.
|
|
[RT #20771]
|
|
|
|
2818. [cleanup] rndc could return an incorrect error code
|
|
when a zone was not found. [RT #20767]
|
|
|
|
2817. [cleanup] Removed unnecessary isc_task_endexclusive() calls.
|
|
[RT #20768]
|
|
|
|
2816. [bug] previous_closest_nsec() could fail to return
|
|
data for NSEC3 nodes [RT #29730]
|
|
|
|
2815. [bug] Exclusively lock the task when freezing a zone.
|
|
[RT #19838]
|
|
|
|
2814. [func] Provide a definitive error message when a master
|
|
zone is not loaded. [RT #20757]
|
|
|
|
2813. [bug] Better handling of unreadable DNSSEC key files.
|
|
[RT #20710]
|
|
|
|
2812. [bug] Make sure updates can't result in a zone with
|
|
NSEC-only keys and NSEC3 records. [RT #20748]
|
|
|
|
2811. [cleanup] Add "rndc sign" to list of commands in rndc usage
|
|
output. [RT #20733]
|
|
|
|
2810. [doc] Clarified the process of transitioning an NSEC3 zone
|
|
to insecure. [RT #20746]
|
|
|
|
2809. [cleanup] Restored accidentally-deleted text in usage output
|
|
in dnssec-settime and dnssec-revoke [RT #20739]
|
|
|
|
2808. [bug] Remove the attempt to install atomic.h from lib/isc.
|
|
atomic.h is correctly installed by the architecture
|
|
specific subdirectories. [RT #20722]
|
|
|
|
2807. [bug] Fixed a possible ASSERT when reconfiguring zone
|
|
keys. [RT #20720]
|
|
|
|
--- 9.7.0rc1 released ---
|
|
|
|
2806. [bug] "rdnc sign" could delay re-signing the DNSKEY
|
|
when it had changed. [RT #20703]
|
|
|
|
2805. [bug] Fixed namespace problems encountered when building
|
|
external programs using non-exported BIND9 libraries
|
|
(i.e., built without --enable-exportlib). [RT #20679]
|
|
|
|
2804. [bug] Send notifies when a zone is signed with "rndc sign"
|
|
or as a result of a scheduled key change. [RT #20700]
|
|
|
|
2803. [port] win32: Install named-journalprint, nsec3hash, arpaname
|
|
and genrandom under windows. [RT #20670]
|
|
|
|
2802. [cleanup] Rename journalprint to named-journalprint. [RT #20670]
|
|
|
|
2801. [func] Detect and report records that are different according
|
|
to DNSSEC but are semantically equal according to plain
|
|
DNS. Apply plain DNS comparisons rather than DNSSEC
|
|
comparisons when processing UPDATE requests.
|
|
dnssec-signzone now removes such semantically duplicate
|
|
records prior to signing the RRset.
|
|
|
|
named-checkzone -r {ignore|warn|fail} (default warn)
|
|
named-compilezone -r {ignore|warn|fail} (default warn)
|
|
|
|
named.conf: check-dup-records {ignore|warn|fail};
|
|
|
|
2800. [func] Reject zones which have NS records which refer to
|
|
CNAMEs, DNAMEs or don't have address record (class IN
|
|
only). Reject UPDATEs which would cause the zone
|
|
to fail the above checks if committed. [RT #20678]
|
|
|
|
2799. [cleanup] Changed the "secure-to-insecure" option to
|
|
"dnssec-secure-to-insecure", and "dnskey-ksk-only"
|
|
to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
|
|
|
|
2798. [bug] Addressed bugs in managed-keys initialization
|
|
and rollover. [RT #20683]
|
|
|
|
2797. [bug] Don't decrement the dispatch manager's maxbuffers.
|
|
[RT #20613]
|
|
|
|
2796. [bug] Missing dns_rdataset_disassociate() call in
|
|
dns_nsec3_delnsec3sx(). [RT #20681]
|
|
|
|
2795. [cleanup] Add text to differentiate "update with no effect"
|
|
log messages. [RT #18889]
|
|
|
|
2794. [bug] Install <isc/namespace.h>. [RT #20677]
|
|
|
|
2793. [func] Add "autosign" and "metadata" tests to the
|
|
automatic tests. [RT #19946]
|
|
|
|
2792. [func] "filter-aaaa-on-v4" can now be set in view
|
|
options (if compiled in). [RT #20635]
|
|
|
|
2791. [bug] The installation of isc-config.sh was broken.
|
|
[RT #20667]
|
|
|
|
2790. [bug] Handle DS queries to stub zones. [RT #20440]
|
|
|
|
2789. [bug] Fixed an INSIST in dispatch.c [RT #20576]
|
|
|
|
2788. [bug] dnssec-signzone could sign with keys that were
|
|
not requested [RT #20625]
|
|
|
|
2787. [bug] Spurious log message when zone keys were
|
|
dynamically reconfigured. [RT #20659]
|
|
|
|
2786. [bug] Additional could be promoted to answer. [RT #20663]
|
|
|
|
--- 9.7.0b3 released ---
|
|
|
|
2785. [bug] Revoked keys could fail to self-sign [RT #20652]
|
|
|
|
2784. [bug] TC was not always being set when required glue was
|
|
dropped. [RT #20655]
|
|
|
|
2783. [func] Return minimal responses to EDNS/UDP queries with a UDP
|
|
buffer size of 512 or less. [RT #20654]
|
|
|
|
2782. [port] win32: use getaddrinfo() for hostname lookups.
|
|
[RT #20650]
|
|
|
|
2781. [bug] Inactive keys could be used for signing. [RT #20649]
|
|
|
|
2780. [bug] dnssec-keygen -A none didn't properly unset the
|
|
activation date in all cases. [RT #20648]
|
|
|
|
2779. [bug] Dynamic key revocation could fail. [RT #20644]
|
|
|
|
2778. [bug] dnssec-signzone could fail when a key was revoked
|
|
without deleting the unrevoked version. [RT #20638]
|
|
|
|
2777. [contrib] DLZ MYSQL auto reconnect support discovery was wrong.
|
|
|
|
2776. [bug] Change #2762 was not correct. [RT #20647]
|
|
|
|
2775. [bug] Accept RSASHA256 and RSASHA512 as NSEC3 compatible
|
|
in dnssec-keyfromlabel. [RT #20643]
|
|
|
|
2774. [bug] Existing cache DB wasn't being reused after
|
|
reconfiguration. [RT #20629]
|
|
|
|
2773. [bug] In autosigned zones, the SOA could be signed
|
|
with the KSK. [RT #20628]
|
|
|
|
2772. [security] When validating, track whether pending data was from
|
|
the additional section or not and only return it if
|
|
validates as secure. [RT #20438]
|
|
|
|
2771. [bug] dnssec-signzone: DNSKEY records could be
|
|
corrupted when importing from key files [RT #20624]
|
|
|
|
2770. [cleanup] Add log messages to resolver.c to indicate events
|
|
causing FORMERR responses. [RT #20526]
|
|
|
|
2769. [cleanup] Change #2742 was incomplete. [RT #19589]
|
|
|
|
2768. [bug] dnssec-signzone: -S no longer implies -g [RT #20568]
|
|
|
|
2767. [bug] named could crash on startup if a zone was
|
|
configured with auto-dnssec and there was no
|
|
key-directory. [RT #20615]
|
|
|
|
2766. [bug] isc_socket_fdwatchpoke() should only update the
|
|
socketmgr state if the socket is not pending on a
|
|
read or write. [RT #20603]
|
|
|
|
2765. [bug] Skip masters for which the TSIG key cannot be found.
|
|
[RT #20595]
|
|
|
|
2764. [bug] "rndc-confgen -a" could trigger a REQUIRE. [RT #20610]
|
|
|
|
2763. [bug] "rndc sign" didn't create an NSEC chain. [RT #20591]
|
|
|
|
2762. [bug] DLV validation failed with a local slave DLV zone.
|
|
[RT #20577]
|
|
|
|
2761. [cleanup] Enable internal symbol table for backtrace only for
|
|
systems that are known to work. Currently, BSD
|
|
variants, Linux and Solaris are supported. [RT #20202]
|
|
|
|
2760. [cleanup] Corrected named-compilezone usage summary. [RT #20533]
|
|
|
|
2759. [doc] Add information about .jbk/.jnw files to
|
|
the ARM. [RT #20303]
|
|
|
|
2758. [bug] win32: Added a workaround for a windows 2008 bug
|
|
that could cause the UDP client handler to shut
|
|
down. [RT #19176]
|
|
|
|
2757. [bug] dig: assertion failure could occur in connect
|
|
timeout. [RT #20599]
|
|
|
|
2756. [bug] Fixed corrupt logfile message in update.c. [RT #20597]
|
|
|
|
2755. [placeholder]
|
|
|
|
2754. [bug] Secure-to-insecure transitions failed when zone
|
|
was signed with NSEC3. [RT #20587]
|
|
|
|
2753. [bug] Removed an unnecessary warning that could appear when
|
|
building an NSEC chain. [RT #20589]
|
|
|
|
2752. [bug] Locking violation. [RT #20587]
|
|
|
|
2751. [bug] Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]
|
|
|
|
2750. [bug] dig: assertion failure could occur when a server
|
|
didn't have an address. [RT #20579]
|
|
|
|
2749. [bug] ixfr-from-differences generated a non-minimal ixfr
|
|
for NSEC3 signed zones. [RT #20452]
|
|
|
|
2748. [func] Identify bad answers from GTLD servers and treat them
|
|
as referrals. [RT #18884]
|
|
|
|
2747. [bug] Journal roll forwards failed to set the re-signing
|
|
time of RRSIGs correctly. [RT #20541]
|
|
|
|
2746. [port] hpux: address signed/unsigned expansion mismatch of
|
|
dns_rbtnode_t.nsec. [RT #20542]
|
|
|
|
2745. [bug] configure script didn't probe the return type of
|
|
gai_strerror(3) correctly. [RT #20573]
|
|
|
|
2744. [func] Log if a query was over TCP. [RT #19961]
|
|
|
|
2743. [bug] RRSIG could be incorrectly set in the NSEC3 record
|
|
for a insecure delegation.
|
|
|
|
--- 9.7.0b2 released ---
|
|
|
|
2742. [cleanup] Clarify some DNSSEC-related log messages in
|
|
validator.c. [RT #19589]
|
|
|
|
2741. [func] Allow the dnssec-keygen progress messages to be
|
|
suppressed (dnssec-keygen -q). Automatically
|
|
suppress the progress messages when stdin is not
|
|
a tty. [RT #20474]
|
|
|
|
2740. [placeholder]
|
|
|
|
2739. [cleanup] Clean up API for initializing and clearing trust
|
|
anchors for a view. [RT #20211]
|
|
|
|
2738. [func] Add RSASHA256 and RSASHA512 tests to the dnssec system
|
|
test. [RT #20453]
|
|
|
|
2737. [func] UPDATE requests can leak existence information.
|
|
[RT #17261]
|
|
|
|
2736. [func] Improve the performance of NSEC signed zones with
|
|
more than a normal amount of glue below a delegation.
|
|
[RT #20191]
|
|
|
|
2735. [bug] dnssec-signzone could fail to read keys
|
|
that were specified on the command line with
|
|
full paths, but weren't in the current
|
|
directory. [RT #20421]
|
|
|
|
2734. [port] cygwin: arpaname did not compile. [RT #20473]
|
|
|
|
2733. [cleanup] Clean up coding style in pkcs11-* tools. [RT #20355]
|
|
|
|
2732. [func] Add optional filter-aaaa-on-v4 option, available
|
|
if built with './configure --enable-filter-aaaa'.
|
|
Filters out AAAA answers to clients connecting
|
|
via IPv4. (This is NOT recommended for general
|
|
use.) [RT #20339]
|
|
|
|
2731. [func] Additional work on change 2709. The key parser
|
|
will now ignore unrecognized fields when the
|
|
minor version number of the private key format
|
|
has been increased. It will reject any key with
|
|
the major version number increased. [RT #20310]
|
|
|
|
2730. [func] Have dnssec-keygen display a progress indication
|
|
a la 'openssl genrsa' on standard error. Note
|
|
when the first '.' is followed by a long stop
|
|
one has the choice between slow generation vs.
|
|
poor random quality, i.e., '-r /dev/urandom'.
|
|
[RT #20284]
|
|
|
|
2729. [func] When constructing a CNAME from a DNAME use the DNAME
|
|
TTL. [RT #20451]
|
|
|
|
2728. [bug] dnssec-keygen, dnssec-keyfromlabel and
|
|
dnssec-signzone now warn immediately if asked to
|
|
write into a nonexistent directory. [RT #20278]
|
|
|
|
2727. [func] The 'key-directory' option can now specify a relative
|
|
path. [RT #20154]
|
|
|
|
2726. [func] Added support for SHA-2 DNSSEC algorithms,
|
|
RSASHA256 and RSASHA512. [RT #20023]
|
|
|
|
2725. [doc] Added information about the file "managed-keys.bind"
|
|
to the ARM. [RT #20235]
|
|
|
|
2724. [bug] Updates to a existing node in secure zone using NSEC
|
|
were failing. [RT #20448]
|
|
|
|
2723. [bug] isc_base32_totext(), isc_base32hex_totext(), and
|
|
isc_base64_totext(), didn't always mark regions of
|
|
memory as fully consumed after conversion. [RT #20445]
|
|
|
|
2722. [bug] Ensure that the memory associated with the name of
|
|
a node in a rbt tree is not altered during the life
|
|
of the node. [RT #20431]
|
|
|
|
2721. [port] Have dst__entropy_status() prime the random number
|
|
generator. [RT #20369]
|
|
|
|
2720. [bug] RFC 5011 trust anchor updates could trigger an
|
|
assert if the DNSKEY record was unsigned. [RT #20406]
|
|
|
|
2719. [func] Skip trusted/managed keys for unsupported algorithms.
|
|
[RT #20392]
|
|
|
|
2718. [bug] The space calculations in opensslrsa_todns() were
|
|
incorrect. [RT #20394]
|
|
|
|
2717. [bug] named failed to update the NSEC/NSEC3 record when
|
|
the last private type record was removed as a result
|
|
of completing the signing the zone with a key.
|
|
[RT #20399]
|
|
|
|
2716. [bug] nslookup debug mode didn't return the ttl. [RT #20414]
|
|
|
|
--- 9.7.0b1 released ---
|
|
|
|
2715. [bug] Require OpenSSL support to be explicitly disabled.
|
|
[RT #20288]
|
|
|
|
2714. [port] aix/powerpc: 'asm("ics");' needs non standard assembler
|
|
flags.
|
|
|
|
2713. [bug] powerpc: atomic operations missing asm("ics") /
|
|
__isync() calls.
|
|
|
|
2712. [func] New 'auto-dnssec' zone option allows zone signing
|
|
to be fully automated in zones configured for
|
|
dynamic DNS. 'auto-dnssec allow;' permits a zone
|
|
to be signed by creating keys for it in the
|
|
key-directory and using 'rndc sign <zone>'.
|
|
'auto-dnssec maintain;' allows that too, plus it
|
|
also keeps the zone's DNSSEC keys up to date
|
|
according to their timing metadata. [RT #19943]
|
|
|
|
2711. [port] win32: Add the bin/pkcs11 tools into the full
|
|
build. [RT #20372]
|
|
|
|
2710. [func] New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
|
|
zone option cause a zone to be signed with only KSKs
|
|
signing the DNSKEY RRset, not ZSKs. This reduces
|
|
the size of a DNSKEY answer. [RT #20340]
|
|
|
|
2709. [func] Added some data fields, currently unused, to the
|
|
private key file format, to allow implementation
|
|
of explicit key rollover in a future release
|
|
without impairing backward or forward compatibility.
|
|
[RT #20310]
|
|
|
|
2708. [func] Insecure to secure and NSEC3 parameter changes via
|
|
update are now fully supported and no longer require
|
|
defines to enable. We now no longer overload the
|
|
NSEC3PARAM flag field, nor the NSEC OPT bit at the
|
|
apex. Secure to insecure changes are controlled by
|
|
by the named.conf option 'secure-to-insecure'.
|
|
|
|
Warning: If you had previously enabled support by
|
|
adding defines at compile time to BIND 9.6 you should
|
|
ensure that all changes that are in progress have
|
|
completed prior to upgrading to BIND 9.7. BIND 9.7
|
|
is not backwards compatible.
|
|
|
|
2707. [func] dnssec-keyfromlabel no longer require engine name
|
|
to be specified in the label if there is a default
|
|
engine or the -E option has been used. Also, it
|
|
now uses default algorithms as dnssec-keygen does
|
|
(i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
|
|
[RT #20371]
|
|
|
|
2706. [bug] Loading a zone with a very large NSEC3 salt could
|
|
trigger an assert. [RT #20368]
|
|
|
|
2705. [placeholder]
|
|
|
|
2704. [bug] Serial of dynamic and stub zones could be inconsistent
|
|
with their SOA serial. [RT #19387]
|
|
|
|
2703. [func] Introduce an OpenSSL "engine" argument with -E
|
|
for all binaries which can take benefit of
|
|
crypto hardware. [RT #20230]
|
|
|
|
2702. [func] Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
|
|
|
|
2701. [doc] Correction to ARM: hmac-md5 is no longer the only
|
|
supported TSIG key algorithm. [RT #18046]
|
|
|
|
2700. [doc] The match-mapped-addresses option is discouraged.
|
|
[RT #12252]
|
|
|
|
2699. [bug] Missing lock in rbtdb.c. [RT #20037]
|
|
|
|
2698. [placeholder]
|
|
|
|
2697. [port] win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
|
|
S_IFREG are defined after including <isc/stat.h>.
|
|
[RT #20309]
|
|
|
|
2696. [bug] named failed to successfully process some valid
|
|
acl constructs. [RT #20308]
|
|
|
|
2695. [func] DHCP/DDNS - update fdwatch code for use by
|
|
DHCP. Modify the api to isc_sockfdwatch_t (the
|
|
callback function for isc_socket_fdwatchcreate)
|
|
to include information about the direction (read
|
|
or write) and add isc_socket_fdwatchpoke.
|
|
[RT #20253]
|
|
|
|
2694. [bug] Reduce default NSEC3 iterations from 100 to 10.
|
|
[RT #19970]
|
|
|
|
2693. [port] Add some noreturn attributes. [RT #20257]
|
|
|
|
2692. [port] win32: 32/64 bit cleanups. [RT #20335]
|
|
|
|
2691. [func] dnssec-signzone: retain the existing NSEC or NSEC3
|
|
chain when re-signing a previously-signed zone.
|
|
Use -u to modify NSEC3 parameters or switch
|
|
between NSEC and NSEC3. [RT #20304]
|
|
|
|
2690. [bug] win32: fix isc_thread_key_getspecific() prototype.
|
|
[RT #20315]
|
|
|
|
2689. [bug] Correctly handle snprintf result. [RT #20306]
|
|
|
|
2688. [bug] Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
|
|
to decide to fetch the destination address. [RT #20305]
|
|
|
|
2687. [bug] Fixed dnssec-signzone -S handling of revoked keys.
|
|
Also, added warnings when revoking a ZSK, as this is
|
|
not defined by protocol (but is legal). [RT #19943]
|
|
|
|
2686. [bug] dnssec-signzone should clean the old NSEC chain when
|
|
signing with NSEC3 and vice versa. [RT #20301]
|
|
|
|
2685. [contrib] Update contrib/zkt to version 0.99c. [RT #20054]
|
|
|
|
2684. [cleanup] dig: formalize +ad and +cd as synonyms for
|
|
+adflag and +cdflag. [RT #19305]
|
|
|
|
2683. [bug] dnssec-signzone should clean out old NSEC3 chains when
|
|
the NSEC3 parameters used to sign the zone change.
|
|
[RT #20246]
|
|
|
|
2682. [bug] "configure --enable-symtable=all" failed to
|
|
build. [RT #20282]
|
|
|
|
2681. [bug] IPSECKEY RR of gateway type 3 was not correctly
|
|
decoded. [RT #20269]
|
|
|
|
2680. [func] Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]
|
|
|
|
2679. [func] dig -k can now accept TSIG keys in named.conf
|
|
format. [RT #20031]
|
|
|
|
2678. [func] Treat DS queries as if "minimal-response yes;"
|
|
was set. [RT #20258]
|
|
|
|
2677. [func] Changes to key metadata behavior:
|
|
- Keys without "publish" or "active" dates set will
|
|
no longer be used for smart signing. However,
|
|
those dates will be set to "now" by default when
|
|
a key is created; to generate a key but not use
|
|
it yet, use dnssec-keygen -G.
|
|
- New "inactive" date (dnssec-keygen/settime -I)
|
|
sets the time when a key is no longer used for
|
|
signing but is still published.
|
|
- The "unpublished" date (-U) is deprecated in
|
|
favor of "deleted" (-D).
|
|
[RT #20247]
|
|
|
|
2676. [bug] --with-export-installdir should have been
|
|
--with-export-includedir. [RT #20252]
|
|
|
|
2675. [bug] dnssec-signzone could crash if the key directory
|
|
did not exist. [RT #20232]
|
|
|
|
--- 9.7.0a3 released ---
|
|
|
|
2674. [bug] "dnssec-lookaside auto;" crashed if named was built
|
|
without openssl. [RT #20231]
|
|
|
|
2673. [bug] The managed-keys.bind zone file could fail to
|
|
load due to a spurious result from sync_keyzone()
|
|
[RT #20045]
|
|
|
|
2672. [bug] Don't enable searching in 'host' when doing reverse
|
|
lookups. [RT #20218]
|
|
|
|
2671. [bug] Add support for PKCS#11 providers not returning
|
|
the public exponent in RSA private keys
|
|
(OpenCryptoki for instance) in
|
|
dnssec-keyfromlabel. [RT #19294]
|
|
|
|
2670. [bug] Unexpected connect failures failed to log enough
|
|
information to be useful. [RT #20205]
|
|
|
|
2669. [func] Update PKCS#11 support to support Keyper HSM.
|
|
Update PKCS#11 patch to be against openssl-0.9.8i.
|
|
|
|
2668. [func] Several improvements to dnssec-* tools, including:
|
|
- dnssec-keygen and dnssec-settime can now set key
|
|
metadata fields 0 (to unset a value, use "none")
|
|
- dnssec-revoke sets the revocation date in
|
|
addition to the revoke bit
|
|
- dnssec-settime can now print individual metadata
|
|
fields instead of always printing all of them,
|
|
and can print them in unix epoch time format for
|
|
use by scripts
|
|
[RT #19942]
|
|
|
|
2667. [func] Add support for logging stack backtrace on assertion
|
|
failure (not available for all platforms). [RT #19780]
|
|
|
|
2666. [func] Added an 'options' argument to dns_name_fromstring()
|
|
(API change from 9.7.0a2). [RT #20196]
|
|
|
|
2665. [func] Clarify syntax for managed-keys {} statement, add
|
|
ARM documentation about RFC 5011 support. [RT #19874]
|
|
|
|
2664. [bug] create_keydata() and minimal_update() in zone.c
|
|
didn't properly check return values for some
|
|
functions. [RT #19956]
|
|
|
|
2663. [func] win32: allow named to run as a service using
|
|
"NT AUTHORITY\LocalService" as the account. [RT #19977]
|
|
|
|
2662. [bug] lwres_getipnodebyname() and lwres_getipnodebyaddr()
|
|
returned a misleading error code when lwresd was
|
|
down. [RT #20028]
|
|
|
|
2661. [bug] Check whether socket fd exceeds FD_SETSIZE when
|
|
creating lwres context. [RT #20029]
|
|
|
|
2660. [func] Add a new set of DNS libraries for non-BIND9
|
|
applications. See README.libdns. [RT #19369]
|
|
|
|
2659. [doc] Clarify dnssec-keygen doc: key name must match zone
|
|
name for DNSSEC keys. [RT #19938]
|
|
|
|
2658. [bug] dnssec-settime and dnssec-revoke didn't process
|
|
key file paths correctly. [RT #20078]
|
|
|
|
2657. [cleanup] Lower "journal file <path> does not exist, creating it"
|
|
log level to debug 1. [RT #20058]
|
|
|
|
2656. [func] win32: add a "tools only" check box to the installer
|
|
which causes it to only install dig, host, nslookup,
|
|
nsupdate and relevant DLLs. [RT #19998]
|
|
|
|
2655. [doc] Document that key-directory does not affect
|
|
bind.keys, rndc.key or session.key. [RT #20155]
|
|
|
|
2654. [bug] Improve error reporting on duplicated names for
|
|
deny-answer-xxx. [RT #20164]
|
|
|
|
2653. [bug] Treat ENGINE_load_private_key() failures as key
|
|
not found rather than out of memory. [RT #18033]
|
|
|
|
2652. [func] Provide more detail about what record is being
|
|
deleted. [RT #20061]
|
|
|
|
2651. [bug] Dates could print incorrectly in K*.key files on
|
|
64-bit systems. [RT #20076]
|
|
|
|
2650. [bug] Assertion failure in dnssec-signzone when trying
|
|
to read keyset-* files. [RT #20075]
|
|
|
|
2649. [bug] Set the domain for forward only zones. [RT #19944]
|
|
|
|
2648. [port] win32: isc_time_seconds() was broken. [RT #19900]
|
|
|
|
2647. [bug] Remove unnecessary SOA updates when a new KSK is
|
|
added. [RT #19913]
|
|
|
|
2646. [bug] Incorrect cleanup on error in socket.c. [RT #19987]
|
|
|
|
2645. [port] "gcc -m32" didn't work on amd64 and x86_64 platforms
|
|
which default to 64 bits. [RT #19927]
|
|
|
|
--- 9.7.0a2 released ---
|
|
|
|
2644. [bug] Change #2628 caused a regression on some systems;
|
|
named was unable to write the PID file and would
|
|
fail on startup. [RT #20001]
|
|
|
|
2643. [bug] Stub zones interacted badly with NSEC3 support.
|
|
[RT #19777]
|
|
|
|
2642. [bug] nsupdate could dump core on solaris when reading
|
|
improperly formatted key files. [RT #20015]
|
|
|
|
2641. [bug] Fixed an error in parsing update-policy syntax,
|
|
added a regression test to check it. [RT #20007]
|
|
|
|
2640. [security] A specially crafted update packet will cause named
|
|
to exit. [RT #20000]
|
|
|
|
2639. [bug] Silence compiler warnings in gssapi code. [RT #19954]
|
|
|
|
2638. [bug] Install arpaname. [RT #19957]
|
|
|
|
2637. [func] Rationalize dnssec-signzone's signwithkey() calling.
|
|
[RT #19959]
|
|
|
|
2636. [func] Simplify zone signing and key maintenance with the
|
|
dnssec-* tools. Major changes:
|
|
- all dnssec-* tools now take a -K option to
|
|
specify a directory in which key files will be
|
|
stored
|
|
- DNSSEC can now store metadata indicating when
|
|
they are scheduled to be published, activated,
|
|
revoked or removed; these values can be set by
|
|
dnssec-keygen or overwritten by the new
|
|
dnssec-settime command
|
|
- dnssec-signzone -S (for "smart") option reads key
|
|
metadata and uses it to determine automatically
|
|
which keys to publish to the zone, use for
|
|
signing, revoke, or remove from the zone
|
|
[RT #19816]
|
|
|
|
2635. [bug] isc_inet_ntop() incorrectly handled 0.0/16 addresses.
|
|
[RT #19716]
|
|
|
|
2634. [port] win32: Add support for libxml2, enable
|
|
statschannel. [RT #19773]
|
|
|
|
2633. [bug] Handle 15 bit rand() functions. [RT #19783]
|
|
|
|
2632. [func] util/kit.sh: warn if documentation appears to be out of
|
|
date. [RT #19922]
|
|
|
|
2631. [bug] Handle "//", "/./" and "/../" in mkdirpath().
|
|
[RT #19926 ]
|
|
|
|
2630. [func] Improved syntax for DDNS autoconfiguration: use
|
|
"update-policy local;" to switch on local DDNS in a
|
|
zone. (The "ddns-autoconf" option has been removed.)
|
|
[RT #19875]
|
|
|
|
2629. [port] Check for seteuid()/setegid(), use setresuid()/
|
|
setresgid() if not present. [RT #19932]
|
|
|
|
2628. [port] linux: Allow /var/run/named/named.pid to be opened
|
|
at startup with reduced capabilities in operation.
|
|
[RT #19884]
|
|
|
|
2627. [bug] Named aborted if the same key was included in
|
|
trusted-keys more than once. [RT #19918]
|
|
|
|
2626. [bug] Multiple trusted-keys could trigger an assertion
|
|
failure. [RT #19914]
|
|
|
|
2625. [bug] Missing UNLOCK in rbtdb.c. [RT #19865]
|
|
|
|
2624. [func] 'named-checkconf -p' will print out the parsed
|
|
configuration. [RT #18871]
|
|
|
|
2623. [bug] Named started searches for DS non-optimally. [RT #19915]
|
|
|
|
2622. [bug] Printing of named.conf grammar was broken. [RT #19919]
|
|
|
|
2621. [doc] Made copyright boilerplate consistent. [RT #19833]
|
|
|
|
2620. [bug] Delay thawing the zone until the reload of it has
|
|
completed successfully. [RT #19750]
|
|
|
|
2619. [func] Add support for RFC 5011, automatic trust anchor
|
|
maintenance. The new "managed-keys" statement can
|
|
be used in place of "trusted-keys" for zones which
|
|
support this protocol. (Note: this syntax is
|
|
expected to change prior to 9.7.0 final.) [RT #19248]
|
|
|
|
2618. [bug] The sdb and sdlz db_interator_seek() methods could
|
|
loop infinitely. [RT #19847]
|
|
|
|
2617. [bug] ifconfig.sh failed to emit an error message when
|
|
run from the wrong location. [RT #19375]
|
|
|
|
2616. [bug] 'host' used the nameservers from resolv.conf even
|
|
when a explicit nameserver was specified. [RT #19852]
|
|
|
|
2615. [bug] "__attribute__((unused))" was in the wrong place
|
|
for ia64 gcc builds. [RT #19854]
|
|
|
|
2614. [port] win32: 'named -v' should automatically be executed
|
|
in the foreground. [RT #19844]
|
|
|
|
2613. [placeholder]
|
|
|
|
--- 9.7.0a1 released ---
|
|
|
|
2612. [func] Add default values for the arguments to
|
|
dnssec-keygen. Without arguments, it will now
|
|
generate a 1024-bit RSASHA1 zone-signing key,
|
|
or with the -f KSK option, a 2048-bit RSASHA1
|
|
key-signing key. [RT #19300]
|
|
|
|
2611. [func] Add -l option to dnssec-dsfromkey to generate
|
|
DLV records instead of DS records. [RT #19300]
|
|
|
|
2610. [port] sunos: Change #2363 was not complete. [RT #19796]
|
|
|
|
2609. [func] Simplify the configuration of dynamic zones:
|
|
- add ddns-confgen command to generate
|
|
configuration text for named.conf
|
|
- add zone option "ddns-autoconf yes;", which
|
|
causes named to generate a TSIG session key
|
|
and allow updates to the zone using that key
|
|
- add '-l' (localhost) option to nsupdate, which
|
|
causes nsupdate to connect to a locally-running
|
|
named process using the session key generated
|
|
by named
|
|
[RT #19284]
|
|
|
|
2608. [func] Perform post signing verification checks in
|
|
dnssec-signzone. These can be disabled with -P.
|
|
|
|
The post sign verification test ensures that for each
|
|
algorithm in use there is at least one non revoked
|
|
self signed KSK key. That all revoked KSK keys are
|
|
self signed. That all records in the zone are signed
|
|
by the algorithm. [RT #19653]
|
|
|
|
2607. [bug] named could incorrectly delete NSEC3 records for
|
|
empty nodes when processing a update request.
|
|
[RT #19749]
|
|
|
|
2606. [bug] "delegation-only" was not being accepted in
|
|
delegation-only type zones. [RT #19717]
|
|
|
|
2605. [bug] Accept DS responses from delegation only zones.
|
|
[RT # 19296]
|
|
|
|
2604. [func] Add support for DNS rebinding attack prevention through
|
|
new options, deny-answer-addresses and
|
|
deny-answer-aliases. Based on contributed code from
|
|
JD Nurmi, Google. [RT #18192]
|
|
|
|
2603. [port] win32: handle .exe extension of named-checkzone and
|
|
named-comilezone argv[0] names under windows.
|
|
[RT #19767]
|
|
|
|
2602. [port] win32: fix debugging command line build of libisccfg.
|
|
[RT #19767]
|
|
|
|
2601. [doc] Mention file creation mode mask in the
|
|
named manual page.
|
|
|
|
2600. [doc] ARM: miscellaneous reformatting for different
|
|
page widths. [RT #19574]
|
|
|
|
2599. [bug] Address rapid memory growth when validation fails.
|
|
[RT #19654]
|
|
|
|
2598. [func] Reserve the -F flag. [RT #19657]
|
|
|
|
2597. [bug] Handle a validation failure with a insecure delegation
|
|
from a NSEC3 signed master/slave zone. [RT #19464]
|
|
|
|
2596. [bug] Stale tree nodes of cache/dynamic rbtdb could stay
|
|
long, leading to inefficient memory usage or rejecting
|
|
newer cache entries in the worst case. [RT #19563]
|
|
|
|
2595. [bug] Fix unknown extended rcodes in dig. [RT #19625]
|
|
|
|
2594. [func] Have rndc warn if using its default configuration
|
|
file when the key file also exists. [RT #19424]
|
|
|
|
2593. [bug] Improve a corner source of SERVFAILs [RT #19632]
|
|
|
|
2592. [bug] Treat "any" as a type in nsupdate. [RT #19455]
|
|
|
|
2591. [bug] named could die when processing a update in
|
|
removed_orphaned_ds(). [RT #19507]
|
|
|
|
2590. [func] Report zone/class of "update with no effect".
|
|
[RT #19542]
|
|
|
|
2589. [bug] dns_db_unregister() failed to clear '*dbimp'.
|
|
[RT #19626]
|
|
|
|
2588. [bug] SO_REUSEADDR could be set unconditionally after failure
|
|
of bind(2) call. This should be rare and mostly
|
|
harmless, but may cause interference with other
|
|
processes that happen to use the same port. [RT #19642]
|
|
|
|
2587. [func] Improve logging by reporting serial numbers for
|
|
when zone serial has gone backwards or unchanged.
|
|
[RT #19506]
|
|
|
|
2586. [bug] Missing cleanup of SIG rdataset in searching a DLZ DB
|
|
or SDB. [RT #19577]
|
|
|
|
2585. [bug] Uninitialized socket name could be referenced via a
|
|
statistics channel, triggering an assertion failure in
|
|
XML rendering. [RT #19427]
|
|
|
|
2584. [bug] alpha: gcc optimization could break atomic operations.
|
|
[RT #19227]
|
|
|
|
2583. [port] netbsd: provide a control to not add the compile
|
|
date to the version string, -DNO_VERSION_DATE.
|
|
|
|
2582. [bug] Don't emit warning log message when we attempt to
|
|
remove non-existent journal. [RT #19516]
|
|
|
|
2581. [contrib] dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
|
|
Requires MySQL 5.0.19 or later. [RT #19084]
|
|
|
|
2580. [bug] UpdateRej statistics counter could be incremented twice
|
|
for one rejection. [RT #19476]
|
|
|
|
2579. [bug] DNSSEC lookaside validation failed to handle unknown
|
|
algorithms. [RT #19479]
|
|
|
|
2578. [bug] Changed default sig-signing-type to 65534, because
|
|
65535 turns out to be reserved. [RT #19477]
|
|
|
|
2577. [doc] Clarified some statistics counters. [RT #19454]
|
|
|
|
2576. [bug] NSEC record were not being correctly signed when
|
|
a zone transitions from insecure to secure.
|
|
Handle such incorrectly signed zones. [RT #19114]
|
|
|
|
2575. [func] New functions dns_name_fromstring() and
|
|
dns_name_tostring(), to simplify conversion
|
|
of a string to a dns_name structure and vice
|
|
versa. [RT #19451]
|
|
|
|
2574. [doc] Document nsupdate -g and -o. [RT #19351]
|
|
|
|
2573. [bug] Replacing a non-CNAME record with a CNAME record in a
|
|
single transaction in a signed zone failed. [RT #19397]
|
|
|
|
2572. [func] Simplify DLV configuration, with a new option
|
|
"dnssec-lookaside auto;" This is the equivalent
|
|
of "dnssec-lookaside . trust-anchor dlv.isc.org;"
|
|
plus setting a trusted-key for dlv.isc.org.
|
|
|
|
Note: The trusted key is hard-coded into named,
|
|
but is also stored in (and can be overridden
|
|
by) $sysconfdir/bind.keys. As the ISC DLV key
|
|
rolls over it can be kept up to date by replacing
|
|
the bind.keys file with a key downloaded from
|
|
https://www.isc.org/solutions/dlv. [RT #18685]
|
|
|
|
2571. [func] Add a new tool "arpaname" which translates IP addresses
|
|
to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
|
|
[RT #18976]
|
|
|
|
2570. [func] Log the destination address the query was sent to.
|
|
[RT #19209]
|
|
|
|
2569. [func] Move journalprint, nsec3hash, and genrandom
|
|
commands from bin/tests into bin/tools;
|
|
"make install" will put them in $sbindir. [RT #19301]
|
|
|
|
2568. [bug] Report when the write to indicate a otherwise
|
|
successful start fails. [RT #19360]
|
|
|
|
2567. [bug] dst__privstruct_writefile() could miss write errors.
|
|
write_public_key() could miss write errors.
|
|
dnssec-dsfromkey could miss write errors.
|
|
[RT #19360]
|
|
|
|
2566. [cleanup] Clarify logged message when an insecure DNSSEC
|
|
response arrives from a zone thought to be secure:
|
|
"insecurity proof failed" instead of "not
|
|
insecure". [RT #19400]
|
|
|
|
2565. [func] Add support for HIP record. Includes new functions
|
|
dns_rdata_hip_first(), dns_rdata_hip_next()
|
|
and dns_rdata_hip_current(). [RT #19384]
|
|
|
|
2564. [bug] Only take EDNS fallback steps when processing timeouts.
|
|
[RT #19405]
|
|
|
|
2563. [bug] Dig could leak a socket causing it to wait forever
|
|
to exit. [RT #19359]
|
|
|
|
2562. [doc] ARM: miscellaneous improvements, reorganization,
|
|
and some new content.
|
|
|
|
2561. [doc] Add isc-config.sh(1) man page. [RT #16378]
|
|
|
|
2560. [bug] Add #include <config.h> to iptable.c. [RT #18258]
|
|
|
|
2559. [bug] dnssec-dsfromkey could compute bad DS records when
|
|
reading from a K* files. [RT #19357]
|
|
|
|
2558. [func] Set the ownership of missing directories created
|
|
for pid-file if -u has been specified on the command
|
|
line. [RT #19328]
|
|
|
|
2557. [cleanup] PCI compliance:
|
|
* new libisc log module file
|
|
* isc_dir_chroot() now also changes the working
|
|
directory to "/".
|
|
* additional INSISTs
|
|
* additional logging when files can't be removed.
|
|
|
|
2556. [port] Solaris: mkdir(2) on tmpfs filesystems does not do the
|
|
error checks in the correct order resulting in the
|
|
wrong error code sometimes being returned. [RT #19249]
|
|
|
|
2555. [func] dig: when emitting a hex dump also display the
|
|
corresponding characters. [RT #19258]
|
|
|
|
2554. [bug] Validation of uppercase queries from NSEC3 zones could
|
|
fail. [RT #19297]
|
|
|
|
2553. [bug] Reference leak on DNSSEC validation errors. [RT #19291]
|
|
|
|
2552. [bug] zero-no-soa-ttl-cache was not being honored.
|
|
[RT #19340]
|
|
|
|
2551. [bug] Potential Reference leak on return. [RT #19341]
|
|
|
|
2550. [bug] Check --with-openssl=<path> finds <openssl/opensslv.h>.
|
|
[RT #19343]
|
|
|
|
2549. [port] linux: define NR_OPEN if not currently defined.
|
|
[RT #19344]
|
|
|
|
2548. [bug] Install iterated_hash.h. [RT #19335]
|
|
|
|
2547. [bug] openssl_link.c:mem_realloc() could reference an
|
|
out-of-range area of the source buffer. New public
|
|
function isc_mem_reallocate() was introduced to address
|
|
this bug. [RT #19313]
|
|
|
|
2546. [func] Add --enable-openssl-hash configure flag to use
|
|
OpenSSL (in place of internal routine) for hash
|
|
functions (MD5, SHA[12] and HMAC). [RT #18815]
|
|
|
|
2545. [doc] ARM: Legal hostname checking (check-names) is
|
|
for SRV RDATA too. [RT #19304]
|
|
|
|
2544. [cleanup] Removed unused structure members in adb.c. [RT #19225]
|
|
|
|
2543. [contrib] Update contrib/zkt to version 0.98. [RT #19113]
|
|
|
|
2542. [doc] Update the description of dig +adflag. [RT #19290]
|
|
|
|
2541. [bug] Conditionally update dispatch manager statistics.
|
|
[RT #19247]
|
|
|
|
2540. [func] Add a nibble mode to $GENERATE. [RT #18872]
|
|
|
|
2539. [security] Update the interaction between recursion, allow-query,
|
|
allow-query-cache and allow-recursion. [RT #19198]
|
|
|
|
2538. [bug] cache/ADB memory could grow over max-cache-size,
|
|
especially with threads and smaller max-cache-size
|
|
values. [RT #19240]
|
|
|
|
2537. [func] Added more statistics counters including those on socket
|
|
I/O events and query RTT histograms. [RT #18802]
|
|
|
|
2536. [cleanup] Silence some warnings when -Werror=format-security is
|
|
specified. [RT #19083]
|
|
|
|
2535. [bug] dig +showsearch and +trace interacted badly. [RT #19091]
|
|
|
|
2534. [func] Check NAPTR records regular expressions and
|
|
replacement strings to ensure they are syntactically
|
|
valid and consistent. [RT #18168]
|
|
|
|
2533. [doc] ARM: document @ (at-sign). [RT #17144]
|
|
|
|
2532. [bug] dig: check the question section of the response to
|
|
see if it matches the asked question. [RT #18495]
|
|
|
|
2531. [bug] Change #2207 was incomplete. [RT #19098]
|
|
|
|
2530. [bug] named failed to reject insecure to secure transitions
|
|
via UPDATE. [RT #19101]
|
|
|
|
2529. [cleanup] Upgrade libtool to silence complaints from recent
|
|
version of autoconf. [RT #18657]
|
|
|
|
2528. [cleanup] Silence spurious configure warning about
|
|
--datarootdir [RT #19096]
|
|
|
|
2527. [placeholder]
|
|
|
|
2526. [func] New named option "attach-cache" that allows multiple
|
|
views to share a single cache to save memory and
|
|
improve lookup efficiency. Based on contributed code
|
|
from Barclay Osborn, Google. [RT #18905]
|
|
|
|
2525. [func] New logging category "query-errors" to provide detailed
|
|
internal information about query failures, especially
|
|
about server failures. [RT #19027]
|
|
|
|
2524. [port] sunos: dnssec-signzone needs strtoul(). [RT #19129]
|
|
|
|
2523. [bug] Random type rdata freed by dns_nsec_typepresent().
|
|
[RT #19112]
|
|
|
|
2522. [security] Handle -1 from DSA_do_verify() and EVP_VerifyFinal().
|
|
|
|
2521. [bug] Improve epoll cross compilation support. [RT #19047]
|
|
|
|
2520. [bug] Update xml statistics version number to 2.0 as change
|
|
#2388 made the schema incompatible to the previous
|
|
version. [RT #19080]
|
|
|
|
2519. [bug] dig/host with -4 or -6 didn't work if more than two
|
|
nameserver addresses of the excluded address family
|
|
preceded in resolv.conf. [RT #19081]
|
|
|
|
2518. [func] Add support for the new CERT types from RFC 4398.
|
|
[RT #19077]
|
|
|
|
2517. [bug] dig +trace with -4 or -6 failed when it chose a
|
|
nameserver address of the excluded address type.
|
|
[RT #18843]
|
|
|
|
2516. [bug] glue sort for responses was performed even when not
|
|
needed. [RT #19039]
|
|
|
|
2515. [port] win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
|
|
[RT #19063]
|
|
|
|
2514. [bug] dig/host failed with -4 or -6 when resolv.conf contains
|
|
a nameserver of the excluded address family.
|
|
[RT #18848]
|
|
|
|
2513. [bug] Fix windows cli build. [RT #19062]
|
|
|
|
2512. [func] Print a summary of the cached records which make up
|
|
the negative response. [RT #18885]
|
|
|
|
2511. [cleanup] dns_rdata_tofmttext() add const to linebreak.
|
|
[RT #18885]
|
|
|
|
2510. [bug] "dig +sigchase" could trigger REQUIRE failures.
|
|
[RT #19033]
|
|
|
|
2509. [bug] Specifying a fixed query source port was broken.
|
|
[RT #19051]
|
|
|
|
2508. [placeholder]
|
|
|
|
2507. [func] Log the recursion quota values when killing the
|
|
oldest query or refusing to recurse due to quota.
|
|
[RT #19022]
|
|
|
|
2506. [port] solaris: Check at configure time if
|
|
hack_shutup_pthreadonceinit is needed. [RT #19037]
|
|
|
|
2505. [port] Treat amd64 similarly to x86_64 when determining
|
|
atomic operation support. [RT #19031]
|
|
|
|
2504. [bug] Address race condition in the socket code. [RT #18899]
|
|
|
|
2503. [port] linux: improve compatibility with Linux Standard
|
|
Base. [RT #18793]
|
|
|
|
2502. [cleanup] isc_radix: Improve compliance with coding style,
|
|
document function in <isc/radix.h>. [RT #18534]
|
|
|
|
2501. [func] $GENERATE now supports all rdata types. Multi-field
|
|
rdata types need to be quoted. See the ARM for
|
|
details. [RT #18368]
|
|
|
|
2500. [contrib] contrib/sdb/pgsql/zonetodb.c called non-existent
|
|
function. [RT #18582]
|
|
|
|
2499. [port] solaris: lib/lwres/getaddrinfo.c namespace clash.
|
|
[RT #18837]
|
|
|
|
--- 9.6.0rc1 released ---
|
|
|
|
2498. [bug] Removed a bogus function argument used with
|
|
ISC_SOCKET_USE_POLLWATCH: it could cause compiler
|
|
warning or crash named with the debug 1 level
|
|
of logging. [RT #18917]
|
|
|
|
2497. [bug] Don't add RRSIG bit to NSEC3 bit map for insecure
|
|
delegation.
|
|
|
|
2496. [bug] Add sanity length checks to NSID option. [RT #18813]
|
|
|
|
2495. [bug] Tighten RRSIG checks. [RT #18795]
|
|
|
|
2494. [bug] isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
|
|
installed. [RT #18826]
|
|
|
|
2493. [bug] The linux capabilities code was not correctly cleaning
|
|
up after itself. [RT #18767]
|
|
|
|
2492. [func] Rndc status now reports the number of cpus discovered
|
|
and the number of worker threads when running
|
|
multi-threaded. [RT #18273]
|
|
|
|
2491. [func] Attempt to re-use a local port if we are already using
|
|
the port. [RT #18548]
|
|
|
|
2490. [port] aix: work around a kernel bug where IPV6_RECVPKTINFO
|
|
is cleared when IPV6_V6ONLY is set. [RT #18785]
|
|
|
|
2489. [port] solaris: Workaround Solaris's kernel bug about
|
|
/dev/poll:
|
|
http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
|
|
Define ISC_SOCKET_USE_POLLWATCH at build time to enable
|
|
this workaround. [RT #18870]
|
|
|
|
2488. [func] Added a tool, dnssec-dsfromkey, to generate DS records
|
|
from keyset and .key files. [RT #18694]
|
|
|
|
2487. [bug] Give TCP connections longer to complete. [RT #18675]
|
|
|
|
2486. [func] The default locations for named.pid and lwresd.pid
|
|
are now /var/run/named/named.pid and
|
|
/var/run/lwresd/lwresd.pid respectively.
|
|
|
|
This allows the owner of the containing directory
|
|
to be set, for "named -u" support, and allows there
|
|
to be a permanent symbolic link in the path, for
|
|
"named -t" support. [RT #18306]
|
|
|
|
2485. [bug] Change update's the handling of obscured RRSIG
|
|
records. Not all orphaned DS records were being
|
|
removed. [RT #18828]
|
|
|
|
2484. [bug] It was possible to trigger a REQUIRE failure when
|
|
adding NSEC3 proofs to the response in
|
|
query_addwildcardproof(). [RT #18828]
|
|
|
|
2483. [port] win32: chroot() is not supported. [RT #18805]
|
|
|
|
2482. [port] libxml2: support versions 2.7.* in addition
|
|
to 2.6.*. [RT #18806]
|
|
|
|
--- 9.6.0b1 released ---
|
|
|
|
2481. [bug] rbtdb.c:matchparams() failed to handle NSEC3 chain
|
|
collisions. [RT #18812]
|
|
|
|
2480. [bug] named could fail to emit all the required NSEC3
|
|
records. [RT #18812]
|
|
|
|
2479. [bug] xfrout:covers was not properly initialized. [RT #18801]
|
|
|
|
2478. [bug] 'addresses' could be used uninitialized in
|
|
configure_forward(). [RT #18800]
|
|
|
|
2477. [bug] dig: the global option to print the command line is
|
|
+cmd not print_cmd. Update the output to reflect
|
|
this. [RT #17008]
|
|
|
|
2476. [doc] ARM: improve documentation for max-journal-size and
|
|
ixfr-from-differences. [RT #15909] [RT #18541]
|
|
|
|
2475. [bug] LRU cache cleanup under overmem condition could purge
|
|
particular entries more aggressively. [RT #17628]
|
|
|
|
2474. [bug] ACL structures could be allocated with insufficient
|
|
space, causing an array overrun. [RT #18765]
|
|
|
|
2473. [port] linux: raise the limit on open files to the possible
|
|
maximum value before spawning threads; 'files'
|
|
specified in named.conf doesn't seem to work with
|
|
threads as expected. [RT #18784]
|
|
|
|
2472. [port] linux: check the number of available cpu's before
|
|
calling chroot as it depends on "/proc". [RT #16923]
|
|
|
|
2471. [bug] named-checkzone was not reporting missing mandatory
|
|
glue when sibling checks were disabled. [RT #18768]
|
|
|
|
2470. [bug] Elements of the isc_radix_node_t could be incorrectly
|
|
overwritten. [RT #18719]
|
|
|
|
2469. [port] solaris: Work around Solaris's select() limitations.
|
|
[RT #18769]
|
|
|
|
2468. [bug] Resolver could try unreachable servers multiple times.
|
|
[RT #18739]
|
|
|
|
2467. [bug] Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]
|
|
|
|
2466. [doc] ARM: explain max-cache-ttl 0 SERVFAIL issue.
|
|
[RT #18302]
|
|
|
|
2465. [bug] Adb's handling of lame addresses was different
|
|
for IPv4 and IPv6. [RT #18738]
|
|
|
|
2464. [port] linux: check that a capability is present before
|
|
trying to set it. [RT #18135]
|
|
|
|
2463. [port] linux: POSIX doesn't include the IPv6 Advanced Socket
|
|
API and glibc hides parts of the IPv6 Advanced Socket
|
|
API as a result. This is stupid as it breaks how the
|
|
two halves (Basic and Advanced) of the IPv6 Socket API
|
|
were designed to be used but we have to live with it.
|
|
Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
|
|
API. [RT #18388]
|
|
|
|
2462. [doc] Document -m (enable memory usage debugging)
|
|
option for dig. [RT #18757]
|
|
|
|
2461. [port] sunos: Change #2363 was not complete. [RT #17513]
|
|
|
|
--- 9.6.0a1 released ---
|
|
|
|
2460. [bug] Don't call dns_db_getnsec3parameters() on the cache.
|
|
[RT #18697]
|
|
|
|
2459. [contrib] Import dnssec-zkt to contrib/zkt. [RT #18448]
|
|
|
|
2458. [doc] ARM: update and correction for max-cache-size.
|
|
[RT #18294]
|
|
|
|
2457. [tuning] max-cache-size is reverted to 0, the previous
|
|
default. It should be safe because expired cache
|
|
entries are also purged. [RT #18684]
|
|
|
|
2456. [bug] In ACLs, ::/0 and 0.0.0.0/0 would both match any
|
|
address, regardless of family. They now correctly
|
|
distinguish IPv4 from IPv6. [RT #18559]
|
|
|
|
2455. [bug] Stop metadata being transferred via axfr/ixfr.
|
|
[RT #18639]
|
|
|
|
2454. [func] nsupdate: you can now set a default ttl. [RT #18317]
|
|
|
|
2453. [bug] Remove NULL pointer dereference in dns_journal_print().
|
|
[RT #18316]
|
|
|
|
2452. [func] Improve bin/test/journalprint. [RT #18316]
|
|
|
|
2451. [port] solaris: handle runtime linking better. [RT #18356]
|
|
|
|
2450. [doc] Fix lwresd docbook problem for manual page.
|
|
[RT #18672]
|
|
|
|
2449. [placeholder]
|
|
|
|
2448. [func] Add NSEC3 support. [RT #15452]
|
|
|
|
2447. [cleanup] libbind has been split out as a separate product.
|
|
|
|
2446. [func] Add a new log message about build options on startup.
|
|
A new command-line option '-V' for named is also
|
|
provided to show this information. [RT #18645]
|
|
|
|
2445. [doc] ARM out-of-date on empty reverse zones (list includes
|
|
RFC1918 address, but these are not yet compiled in).
|
|
[RT #18578]
|
|
|
|
2444. [port] Linux, FreeBSD, AIX: Turn off path mtu discovery
|
|
(clear DF) for UDP responses and requests.
|
|
|
|
2443. [bug] win32: UDP connect() would not generate an event,
|
|
and so connected UDP sockets would never clean up.
|
|
Fix this by doing an immediate WSAConnect() rather
|
|
than an io completion port type for UDP.
|
|
|
|
2442. [bug] A lock could be destroyed twice. [RT #18626]
|
|
|
|
2441. [bug] isc_radix_insert() could copy radix tree nodes
|
|
incompletely. [RT #18573]
|
|
|
|
2440. [bug] named-checkconf used an incorrect test to determine
|
|
if an ACL was set to none.
|
|
|
|
2439. [bug] Potential NULL dereference in dns_acl_isanyornone().
|
|
[RT #18559]
|
|
|
|
2438. [bug] Timeouts could be logged incorrectly under win32.
|
|
|
|
2437. [bug] Sockets could be closed too early, leading to
|
|
inconsistent states in the socket module. [RT #18298]
|
|
|
|
2436. [security] win32: UDP client handler can be shutdown. [RT #18576]
|
|
|
|
2435. [bug] Fixed an ACL memory leak affecting win32.
|
|
|
|
2434. [bug] Fixed a minor error-reporting bug in
|
|
lib/isc/win32/socket.c.
|
|
|
|
2433. [tuning] Set initial timeout to 800ms.
|
|
|
|
2432. [bug] More Windows socket handling improvements. Stop
|
|
using I/O events and use IO Completion Ports
|
|
throughout. Rewrite the receive path logic to make
|
|
it easier to support multiple simultaneous
|
|
requesters in the future. Add stricter consistency
|
|
checking as a compile-time option (define
|
|
ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).
|
|
|
|
2431. [bug] Acl processing could leak memory. [RT #18323]
|
|
|
|
2430. [bug] win32: isc_interval_set() could round down to
|
|
zero if the input was less than NS_INTERVAL
|
|
nanoseconds. Round up instead. [RT #18549]
|
|
|
|
2429. [doc] nsupdate should be in section 1 of the man pages.
|
|
[RT #18283]
|
|
|
|
2428. [bug] dns_iptable_merge() mishandled merges of negative
|
|
tables. [RT #18409]
|
|
|
|
2427. [func] Treat DNSKEY queries as if "minimal-response yes;"
|
|
was set. [RT #18528]
|
|
|
|
2426. [bug] libbind: inet_net_pton() can sometimes return the
|
|
wrong value if excessively large net masks are
|
|
supplied. [RT #18512]
|
|
|
|
2425. [bug] named didn't detect unavailable query source addresses
|
|
at load time. [RT #18536]
|
|
|
|
2424. [port] configure now probes for a working epoll
|
|
implementation. Allow the use of kqueue,
|
|
epoll and /dev/poll to be selected at compile
|
|
time. [RT #18277]
|
|
|
|
2423. [security] Randomize server selection on queries, so as to
|
|
make forgery a little more difficult. Instead of
|
|
always preferring the server with the lowest RTT,
|
|
pick a server with RTT within the same 128
|
|
millisecond band. [RT #18441]
|
|
|
|
2422. [bug] Handle the special return value of a empty node as
|
|
if it was a NXRRSET in the validator. [RT #18447]
|
|
|
|
2421. [func] Add new command line option '-S' for named to specify
|
|
the max number of sockets. [RT #18493]
|
|
Use caution: this option may not work for some
|
|
operating systems without rebuilding named.
|
|
|
|
2420. [bug] Windows socket handling cleanup. Let the io
|
|
completion event send out canceled read/write
|
|
done events, which keeps us from writing to memory
|
|
we no longer have ownership of. Add debugging
|
|
socket_log() function. Rework TCP socket handling
|
|
to not leak sockets.
|
|
|
|
2419. [cleanup] Document that isc_socket_create() and isc_socket_open()
|
|
should not be used for isc_sockettype_fdwatch sockets.
|
|
[RT #18521]
|
|
|
|
2418. [bug] AXFR request on a DLZ could trigger a REQUIRE failure
|
|
[RT #18430]
|
|
|
|
2417. [bug] Connecting UDP sockets for outgoing queries could
|
|
unexpectedly fail with an 'address already in use'
|
|
error. [RT #18411]
|
|
|
|
2416. [func] Log file descriptors that cause exceeding the
|
|
internal maximum. [RT #18460]
|
|
|
|
2415. [bug] 'rndc dumpdb' could trigger various assertion failures
|
|
in rbtdb.c. [RT #18455]
|
|
|
|
2414. [bug] A masterdump context held the database lock too long,
|
|
causing various troubles such as dead lock and
|
|
recursive lock acquisition. [RT #18311, #18456]
|
|
|
|
2413. [bug] Fixed an unreachable code path in socket.c. [RT #18442]
|
|
|
|
2412. [bug] win32: address a resource leak. [RT #18374]
|
|
|
|
2411. [bug] Allow using a larger number of sockets than FD_SETSIZE
|
|
for select(). To enable this, set ISC_SOCKET_MAXSOCKETS
|
|
at compilation time. [RT #18433]
|
|
|
|
Note: with changes #2469 and #2421 above, there is no
|
|
need to tweak ISC_SOCKET_MAXSOCKETS at compilation time
|
|
any more.
|
|
|
|
2410. [bug] Correctly delete m_versionInfo. [RT #18432]
|
|
|
|
2409. [bug] Only log that we disabled EDNS processing if we were
|
|
subsequently successful. [RT #18029]
|
|
|
|
2408. [bug] A duplicate TCP dispatch event could be sent, which
|
|
could then trigger an assertion failure in
|
|
resquery_response(). [RT #18275]
|
|
|
|
2407. [port] hpux: test for sys/dyntune.h. [RT #18421]
|
|
|
|
2406. [placeholder]
|
|
|
|
2405. [cleanup] The default value for dnssec-validation was changed to
|
|
"yes" in 9.5.0-P1 and all subsequent releases; this
|
|
was inadvertently omitted from CHANGES at the time.
|
|
|
|
2404. [port] hpux: files unlimited support.
|
|
|
|
2403. [bug] TSIG context leak. [RT #18341]
|
|
|
|
2402. [port] Support Solaris 2.11 and over. [RT #18362]
|
|
|
|
2401. [bug] Expect to get E[MN]FILE errno internal_accept()
|
|
(from accept() or fcntl() system calls). [RT #18358]
|
|
|
|
2400. [bug] Log if kqueue()/epoll_create()/open(/dev/poll) fails.
|
|
[RT #18297]
|
|
|
|
2399. [placeholder]
|
|
|
|
2398. [bug] Improve file descriptor management. New,
|
|
temporary, named.conf option reserved-sockets,
|
|
default 512. [RT #18344]
|
|
|
|
2397. [bug] gssapi_functions had too many elements. [RT #18355]
|
|
|
|
2396. [bug] Don't set SO_REUSEADDR for randomized ports.
|
|
[RT #18336]
|
|
|
|
2395. [port] Avoid warning and no effect from "files unlimited"
|
|
on Linux when running as root. [RT #18335]
|
|
|
|
2394. [bug] Default configuration options set the limit for
|
|
open files to 'unlimited' as described in the
|
|
documentation. [RT #18331]
|
|
|
|
2393. [bug] nested acls containing keys could trigger an
|
|
assertion in acl.c. [RT #18166]
|
|
|
|
2392. [bug] remove 'grep -q' from acl test script, some platforms
|
|
don't support it. [RT #18253]
|
|
|
|
2391. [port] hpux: cover additional recvmsg() error codes.
|
|
[RT #18301]
|
|
|
|
2390. [bug] dispatch.c could make a false warning on 'odd socket'.
|
|
[RT #18301].
|
|
|
|
2389. [bug] Move the "working directory writable" check to after
|
|
the ns_os_changeuser() call. [RT #18326]
|
|
|
|
2388. [bug] Avoid using tables for layout purposes in
|
|
statistics XSL [RT #18159].
|
|
|
|
2387. [bug] Silence compiler warnings in lib/isc/radix.c.
|
|
[RT #18147] [RT #18258]
|
|
|
|
2386. [func] Add warning about too small 'open files' limit.
|
|
[RT #18269]
|
|
|
|
2385. [bug] A condition variable in socket.c could leak in
|
|
rare error handling [RT #17968].
|
|
|
|
2384. [security] Fully randomize UDP query ports to improve
|
|
forgery resilience. [RT #17949, #18098]
|
|
|
|
2383. [bug] named could double queries when they resulted in
|
|
SERVFAIL due to overkilling EDNS0 failure detection.
|
|
[RT #18182]
|
|
|
|
2382. [doc] Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
|
|
to ARM.
|
|
|
|
2381. [port] dlz/mysql: support multiple install layouts for
|
|
mysql. <prefix>/include/{,mysql/}mysql.h and
|
|
<prefix>/lib/{,mysql/}. [RT #18152]
|
|
|
|
2380. [bug] dns_view_find() was not returning NXDOMAIN/NXRRSET
|
|
proofs which, in turn, caused validation failures
|
|
for insecure zones immediately below a secure zone
|
|
the server was authoritative for. [RT #18112]
|
|
|
|
2379. [contrib] queryperf/gen-data-queryperf.py: removed redundant
|
|
TLDs and supported RRs with TTLs [RT #17972]
|
|
|
|
2378. [bug] gssapi_functions{} had a redundant member in BIND 9.5.
|
|
[RT #18169]
|
|
|
|
2377. [bug] Address race condition in dnssec-signzone. [RT #18142]
|
|
|
|
2376. [bug] Change #2144 was not complete.
|
|
|
|
2375. [placeholder]
|
|
|
|
2374. [bug] "blackhole" ACLs could cause named to segfault due
|
|
to some uninitialized memory. [RT #18095]
|
|
|
|
2373. [bug] Default values of zone ACLs were re-parsed each time a
|
|
new zone was configured, causing an overconsumption
|
|
of memory. [RT #18092]
|
|
|
|
2372. [bug] Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]
|
|
|
|
2371. [doc] Add +nsid option to dig man page. [RT #18039]
|
|
|
|
2370. [bug] "rndc freeze" could trigger an assertion in named
|
|
when called on a nonexistent zone. [RT #18050]
|
|
|
|
2369. [bug] libbind: Array bounds overrun on read in bitncmp().
|
|
[RT #18054]
|
|
|
|
2368. [port] Linux: use libcap for capability management if
|
|
possible. [RT #18026]
|
|
|
|
2367. [bug] Improve counting of dns_resstatscounter_retry
|
|
[RT #18030]
|
|
|
|
2366. [bug] Adb shutdown race. [RT #18021]
|
|
|
|
2365. [bug] Fix a bug that caused dns_acl_isany() to return
|
|
spurious results. [RT #18000]
|
|
|
|
2364. [bug] named could trigger a assertion when serving a
|
|
malformed signed zone. [RT #17828]
|
|
|
|
2363. [port] sunos: pre-set "lt_cv_sys_max_cmd_len=4096;".
|
|
[RT #17513]
|
|
|
|
2362. [cleanup] Make "rrset-order fixed" a compile-time option.
|
|
settable by "./configure --enable-fixed-rrset".
|
|
Disabled by default. [RT #17977]
|
|
|
|
2361. [bug] "recursion" statistics counter could be counted
|
|
multiple times for a single query. [RT #17990]
|
|
|
|
2360. [bug] Fix a condition where we release a database version
|
|
(which may acquire a lock) while holding the lock.
|
|
|
|
2359. [bug] Fix NSID bug. [RT #17942]
|
|
|
|
2358. [doc] Update host's default query description. [RT #17934]
|
|
|
|
2357. [port] Don't use OpenSSL's engine support in versions before
|
|
OpenSSL 0.9.7f. [RT #17922]
|
|
|
|
2356. [bug] Built in mutex profiler was not scalable enough.
|
|
[RT #17436]
|
|
|
|
2355. [func] Extend the number statistics counters available.
|
|
[RT #17590]
|
|
|
|
2354. [bug] Failed to initialize some rdatasetheader_t elements.
|
|
[RT #17927]
|
|
|
|
2353. [func] Add support for Name Server ID (RFC 5001).
|
|
'dig +nsid' requests NSID from server.
|
|
'request-nsid yes;' causes recursive server to send
|
|
NSID requests to upstream servers. Server responds
|
|
to NSID requests with the string configured by
|
|
'server-id' option. [RT #17091]
|
|
|
|
2352. [bug] Various GSS_API fixups. [RT #17729]
|
|
|
|
2351. [bug] convertxsl.pl generated very long lines. [RT #17906]
|
|
|
|
2350. [port] win32: IPv6 support. [RT #17797]
|
|
|
|
2349. [func] Provide incremental re-signing support for secure
|
|
dynamic zones. [RT #1091]
|
|
|
|
2348. [func] Use the EVP interface to OpenSSL. Add PKCS#11 support.
|
|
Documentation is in the new README.pkcs11 file.
|
|
New tool, dnssec-keyfromlabel, which takes the
|
|
label of a key pair in a HSM and constructs a DNS
|
|
key pair for use by named and dnssec-signzone.
|
|
[RT #16844]
|
|
|
|
2347. [bug] Delete now traverses the RB tree in the canonical
|
|
order. [RT #17451]
|
|
|
|
2346. [func] Memory statistics now cover all active memory contexts
|
|
in increased detail. [RT #17580]
|
|
|
|
2345. [bug] named-checkconf failed to detect when forwarders
|
|
were set at both the options/view level and in
|
|
a root zone. [RT #17671]
|
|
|
|
2344. [bug] Improve "logging{ file ...; };" documentation.
|
|
[RT #17888]
|
|
|
|
2343. [bug] (Seemingly) duplicate IPv6 entries could be
|
|
created in ADB. [RT #17837]
|
|
|
|
2342. [func] Use getifaddrs() if available under Linux. [RT #17224]
|
|
|
|
2341. [bug] libbind: add missing -I../include for off source
|
|
tree builds. [RT #17606]
|
|
|
|
2340. [port] openbsd: interface configuration. [RT #17700]
|
|
|
|
2339. [port] tru64: support for libbind. [RT #17589]
|
|
|
|
2338. [bug] check_ds() could be called with a non DS rdataset.
|
|
[RT #17598]
|
|
|
|
2337. [bug] BUILD_LDFLAGS was not being correctly set. [RT #17614]
|
|
|
|
2336. [func] If "named -6" is specified then listen on all IPv6
|
|
interfaces if there are not listen-on-v6 clauses in
|
|
named.conf. [RT #17581]
|
|
|
|
2335. [port] sunos: libbind and *printf() support for long long.
|
|
[RT #17513]
|
|
|
|
2334. [bug] Bad REQUIRES in fromstruct_in_naptr(), off by one
|
|
bug in fromstruct_txt(). [RT #17609]
|
|
|
|
2333. [bug] Fix off by one error in isc_time_nowplusinterval().
|
|
[RT #17608]
|
|
|
|
2332. [contrib] query-loc-0.4.0. [RT #17602]
|
|
|
|
2331. [bug] Failure to regenerate any signatures was not being
|
|
reported nor being past back to the UPDATE client.
|
|
[RT #17570]
|
|
|
|
2330. [bug] Remove potential race condition when handling
|
|
over memory events. [RT #17572]
|
|
|
|
WARNING: API CHANGE: over memory callback
|
|
function now needs to call isc_mem_waterack().
|
|
See <isc/mem.h> for details.
|
|
|
|
2329. [bug] Clearer help text for dig's '-x' and '-i' options.
|
|
|
|
2328. [maint] Add AAAA addresses for A.ROOT-SERVERS.NET,
|
|
F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET,
|
|
J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
|
|
M.ROOT-SERVERS.NET.
|
|
|
|
2327. [bug] It was possible to dereference a NULL pointer in
|
|
rbtdb.c. Implement dead node processing in zones as
|
|
we do for caches. [RT #17312]
|
|
|
|
2326. [bug] It was possible to trigger a INSIST in the acache
|
|
processing.
|
|
|
|
2325. [port] Linux: use capset() function if available. [RT #17557]
|
|
|
|
2324. [bug] Fix IPv6 matching against "any;". [RT #17533]
|
|
|
|
2323. [port] tru64: namespace clash. [RT #17547]
|
|
|
|
2322. [port] MacOS: work around the limitation of setrlimit()
|
|
for RLIMIT_NOFILE. [RT #17526]
|
|
|
|
2321. [placeholder]
|
|
|
|
2320. [func] Make statistics counters thread-safe for platforms
|
|
that support certain atomic operations. [RT #17466]
|
|
|
|
2319. [bug] Silence Coverity warnings in
|
|
lib/dns/rdata/in_1/apl_42.c. [RT #17469]
|
|
|
|
2318. [port] sunos fixes for libbind. [RT #17514]
|
|
|
|
2317. [bug] "make distclean" removed bind9.xsl.h. [RT #17518]
|
|
|
|
2316. [port] Missing #include <isc/print.h> in lib/dns/gssapictx.c.
|
|
[RT #17513]
|
|
|
|
2315. [bug] Used incorrect address family for mapped IPv4
|
|
addresses in acl.c. [RT #17519]
|
|
|
|
2314. [bug] Uninitialized memory use on error path in
|
|
bin/named/lwdnoop.c. [RT #17476]
|
|
|
|
2313. [cleanup] Silence Coverity warnings. Handle private stacks.
|
|
[RT #17447] [RT #17478]
|
|
|
|
2312. [cleanup] Silence Coverity warning in lib/isc/unix/socket.c.
|
|
[RT #17458]
|
|
|
|
2311. [bug] IPv6 addresses could match IPv4 ACL entries and
|
|
vice versa. [RT #17462]
|
|
|
|
2310. [bug] dig, host, nslookup: flush stdout before emitting
|
|
debug/fatal messages. [RT #17501]
|
|
|
|
2309. [cleanup] Fix Coverity warnings in lib/dns/acl.c and iptable.c.
|
|
[RT #17455]
|
|
|
|
2308. [cleanup] Silence Coverity warning in bin/named/controlconf.c.
|
|
[RT #17495]
|
|
|
|
2307. [bug] Remove infinite loop from lib/dns/sdb.c. [RT #17496]
|
|
|
|
2306. [bug] Remove potential race from lib/dns/resolver.c.
|
|
[RT #17470]
|
|
|
|
2305. [security] inet_network() buffer overflow. CVE-2008-0122.
|
|
|
|
2304. [bug] Check returns from all dns_rdata_tostruct() calls.
|
|
[RT #17460]
|
|
|
|
2303. [bug] Remove unnecessary code from bin/named/lwdgnba.c.
|
|
[RT #17471]
|
|
|
|
2302. [bug] Fix memset() calls in lib/tests/t_api.c. [RT #17472]
|
|
|
|
2301. [bug] Remove resource leak and fix error messages in
|
|
bin/tests/system/lwresd/lwtest.c. [RT #17474]
|
|
|
|
2300. [bug] Fixed failure to close open file in
|
|
bin/tests/names/t_names.c. [RT #17473]
|
|
|
|
2299. [bug] Remove unnecessary NULL check in
|
|
bin/nsupdate/nsupdate.c. [RT #17475]
|
|
|
|
2298. [bug] isc_mutex_lock() failure not caught in
|
|
bin/tests/timers/t_timers.c. [RT #17468]
|
|
|
|
2297. [bug] isc_entropy_createfilesource() failure not caught in
|
|
bin/tests/dst/t_dst.c. [RT #17467]
|
|
|
|
2296. [port] Allow docbook stylesheet location to be specified to
|
|
configure. [RT #17457]
|
|
|
|
2295. [bug] Silence static overrun error in bin/named/lwaddr.c.
|
|
[RT #17459]
|
|
|
|
2294. [func] Allow the experimental statistics channels to have
|
|
multiple connections and ACL.
|
|
Note: the stats-server and stats-server-v6 options
|
|
available in the previous beta releases are replaced
|
|
with the generic statistics-channels statement.
|
|
|
|
2293. [func] Add ACL regression test. [RT #17375]
|
|
|
|
2292. [bug] Log if the working directory is not writable.
|
|
[RT #17312]
|
|
|
|
2291. [bug] PR_SET_DUMPABLE may be set too late. Also report
|
|
failure to set PR_SET_DUMPABLE. [RT #17312]
|
|
|
|
2290. [bug] Let AD in the query signal that the client wants AD
|
|
set in the response. [RT #17301]
|
|
|
|
2289. [func] named-checkzone now reports the out-of-zone CNAME
|
|
found. [RT #17309]
|
|
|
|
2288. [port] win32: mark service as running when we have finished
|
|
loading. [RT #17441]
|
|
|
|
2287. [bug] Use 'volatile' if the compiler supports it. [RT #17413]
|
|
|
|
2286. [func] Allow a TCP connection to be used as a weak
|
|
authentication method for reverse zones.
|
|
New update-policy methods tcp-self and 6to4-self.
|
|
[RT #17378]
|
|
|
|
2285. [func] Test framework for client memory context management.
|
|
[RT #17377]
|
|
|
|
2284. [bug] Memory leak in UPDATE prerequisite processing.
|
|
[RT #17377]
|
|
|
|
2283. [bug] TSIG keys were not attaching to the memory
|
|
context. TSIG keys should use the rings
|
|
memory context rather than the clients memory
|
|
context. [RT #17377]
|
|
|
|
2282. [bug] Acl code fixups. [RT #17346] [RT #17374]
|
|
|
|
2281. [bug] Attempts to use undefined acls were not being logged.
|
|
[RT #17307]
|
|
|
|
2280. [func] Allow the experimental http server to be reached
|
|
over IPv6 as well as IPv4. [RT #17332]
|
|
|
|
2279. [bug] Use setsockopt(SO_NOSIGPIPE), when available,
|
|
to protect applications from receiving spurious
|
|
SIGPIPE signals when using the resolver.
|
|
|
|
2278. [bug] win32: handle the case where Windows returns no
|
|
search list or DNS suffix. [RT #17354]
|
|
|
|
2277. [bug] Empty zone names were not correctly being caught at
|
|
in the post parse checks. [RT #17357]
|
|
|
|
2276. [bug] Install <dst/gssapi.h>. [RT #17359]
|
|
|
|
2275. [func] Add support to dig to perform IXFR queries over UDP.
|
|
[RT #17235]
|
|
|
|
2274. [func] Log zone transfer statistics. [RT #17336]
|
|
|
|
2273. [bug] Adjust log level to WARNING when saving inconsistent
|
|
stub/slave master and journal files. [RT #17279]
|
|
|
|
2272. [bug] Handle illegal dnssec-lookaside trust-anchor names.
|
|
[RT #17262]
|
|
|
|
2271. [bug] Fix a memory leak in http server code [RT #17100]
|
|
|
|
2270. [bug] dns_db_closeversion() version->writer could be reset
|
|
before it is tested. [RT #17290]
|
|
|
|
2269. [contrib] dbus memory leaks and missing va_end calls. [RT #17232]
|
|
|
|
2268. [bug] 0.IN-ADDR.ARPA was missing from the empty zones
|
|
list.
|
|
|
|
--- 9.5.0b1 released ---
|
|
|
|
2267. [bug] Radix tree node_num value could be set incorrectly,
|
|
causing positive ACL matches to look like negative
|
|
ones. [RT #17311]
|
|
|
|
2266. [bug] client.c:get_clientmctx() returned the same mctx
|
|
once the pool of mctx's was filled. [RT #17218]
|
|
|
|
2265. [bug] Test that the memory context's basic_table is non NULL
|
|
before freeing. [RT #17265]
|
|
|
|
2264. [bug] Server prefix length was being ignored. [RT #17308]
|
|
|
|
2263. [bug] "named-checkconf -z" failed to set default value
|
|
for "check-integrity". [RT #17306]
|
|
|
|
2262. [bug] Error status from all but the last view could be
|
|
lost. [RT #17292]
|
|
|
|
2261. [bug] Fix memory leak with "any" and "none" ACLs [RT #17272]
|
|
|
|
2260. [bug] Reported wrong clients-per-query when increasing the
|
|
value. [RT #17236]
|
|
|
|
2259. [placeholder]
|
|
|
|
--- 9.5.0a7 released ---
|
|
|
|
2258. [bug] Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken.
|
|
[RT #17241]
|
|
|
|
2257. [bug] win32: Use the full path to vcredist_x86.exe when
|
|
calling it. [RT #17222]
|
|
|
|
2256. [bug] win32: Correctly register the installation location of
|
|
bindevt.dll. [RT #17159]
|
|
|
|
2255. [maint] L.ROOT-SERVERS.NET is now 199.7.83.42.
|
|
|
|
2254. [bug] timer.c:dispatch() failed to lock timer->lock
|
|
when reading timer->idle allowing it to see
|
|
intermediate values as timer->idle was reset by
|
|
isc_timer_touch(). [RT #17243]
|
|
|
|
2253. [func] "max-cache-size" defaults to 32M.
|
|
"max-acache-size" defaults to 16M.
|
|
|
|
2252. [bug] Fixed errors in sortlist code [RT #17216]
|
|
|
|
2251. [placeholder]
|
|
|
|
2250. [func] New flag 'memstatistics' to state whether the
|
|
memory statistics file should be written or not.
|
|
Additionally named's -m option will cause the
|
|
statistics file to be written. [RT #17113]
|
|
|
|
2249. [bug] Only set Authentic Data bit if client requested
|
|
DNSSEC, per RFC 3655 [RT #17175]
|
|
|
|
2248. [cleanup] Fix several errors reported by Coverity. [RT #17160]
|
|
|
|
2247. [doc] Sort doc/misc/options. [RT #17067]
|
|
|
|
2246. [bug] Make the startup of test servers (ans.pl) more
|
|
robust. [RT #17147]
|
|
|
|
2245. [bug] Validating lack of DS records at trust anchors wasn't
|
|
working. [RT #17151]
|
|
|
|
2244. [func] Allow the check of nameserver names against the
|
|
SOA MNAME field to be disabled by specifying
|
|
'notify-to-soa yes;'. [RT #17073]
|
|
|
|
2243. [func] Configuration files without a newline at the end now
|
|
parse without error. [RT #17120]
|
|
|
|
2242. [bug] nsupdate: GSS-TSIG support using the Heimdal Kerberos
|
|
library could require a source of random data.
|
|
[RT #17127]
|
|
|
|
2241. [func] nsupdate: add a interactive 'help' command. [RT #17099]
|
|
|
|
2240. [bug] Cleanup nsupdates GSS-TSIG support. Convert
|
|
a number of INSIST()s into plain fatal() errors
|
|
which report the triggering result code.
|
|
The 'key' command wasn't disabling GSS-TSIG.
|
|
[RT #17099]
|
|
|
|
2239. [func] Ship a pre built bin/named/bind9.xsl.h. [RT #17114]
|
|
|
|
2238. [bug] It was possible to trigger a REQUIRE when a
|
|
validation was canceled. [RT #17106]
|
|
|
|
2237. [bug] libbind: res_init() was not thread aware. [RT #17123]
|
|
|
|
2236. [bug] dnssec-signzone failed to preserve the case of
|
|
of wildcard owner names. [RT #17085]
|
|
|
|
2235. [bug] <isc/atomic.h> was not being installed. [RT #17135]
|
|
|
|
2234. [port] Correct some compiler warnings on SCO OSr5 [RT #17134]
|
|
|
|
2233. [func] Add support for O(1) ACL processing, based on
|
|
radix tree code originally written by Kevin
|
|
Brintnall. [RT #16288]
|
|
|
|
2232. [bug] dns_adb_findaddrinfo() could fail and return
|
|
ISC_R_SUCCESS. [RT #17137]
|
|
|
|
2231. [bug] Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken.
|
|
[RT #17088]
|
|
|
|
2230. [bug] We could INSIST reading a corrupted journal.
|
|
[RT #17132]
|
|
|
|
2229. [bug] Null pointer dereference on query pool creation
|
|
failure. [RT #17133]
|
|
|
|
2228. [contrib] contrib: Change 2188 was incomplete.
|
|
|
|
2227. [cleanup] Tidied up the FAQ. [RT #17121]
|
|
|
|
2226. [placeholder]
|
|
|
|
2225. [bug] More support for systems with no IPv4 addresses.
|
|
[RT #17111]
|
|
|
|
2224. [bug] Defer journal compaction if a xfrin is in progress.
|
|
[RT #17119]
|
|
|
|
2223. [bug] Make a new journal when compacting. [RT #17119]
|
|
|
|
2222. [func] named-checkconf now checks server key references.
|
|
[RT #17097]
|
|
|
|
2221. [bug] Set the event result code to reflect the actual
|
|
record turned to caller when a cache update is
|
|
rejected due to a more credible answer existing.
|
|
[RT #17017]
|
|
|
|
2220. [bug] win32: Address a race condition in final shutdown of
|
|
the Windows socket code. [RT #17028]
|
|
|
|
2219. [bug] Apply zone consistency checks to additions, not
|
|
removals, when updating. [RT #17049]
|
|
|
|
2218. [bug] Remove unnecessary REQUIRE from dns_validator_create().
|
|
[RT #16976]
|
|
|
|
2217. [func] Adjust update log levels. [RT #17092]
|
|
|
|
2216. [cleanup] Fix a number of errors reported by Coverity.
|
|
[RT #17094]
|
|
|
|
2215. [bug] Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094]
|
|
|
|
2214. [bug] Deregister OpenSSL lock callback when cleaning
|
|
up. Reorder OpenSSL cleanup so that RAND_cleanup()
|
|
is called before the locks are destroyed. [RT #17098]
|
|
|
|
2213. [bug] SIG0 diagnostic failure messages were looking at the
|
|
wrong status code. [RT #17101]
|
|
|
|
2212. [func] 'host -m' now causes memory statistics and active
|
|
memory to be printed at exit. [RT 17028]
|
|
|
|
2211. [func] Update "dynamic update temporarily disabled" message.
|
|
[RT #17065]
|
|
|
|
2210. [bug] Deleting class specific records via UPDATE could
|
|
fail. [RT #17074]
|
|
|
|
2209. [port] osx: linking against user supplied static OpenSSL
|
|
libraries failed as the system ones were still being
|
|
found. [RT #17078]
|
|
|
|
2208. [port] win32: make sure both build methods produce the
|
|
same output. [RT #17058]
|
|
|
|
2207. [port] Some implementations of getaddrinfo() fail to set
|
|
ai_canonname correctly. [RT #17061]
|
|
|
|
--- 9.5.0a6 released ---
|
|
|
|
2206. [security] "allow-query-cache" and "allow-recursion" now
|
|
cross inherit from each other.
|
|
|
|
If allow-query-cache is not set in named.conf then
|
|
allow-recursion is used if set, otherwise allow-query
|
|
is used if set, otherwise the default (localnets;
|
|
localhost;) is used.
|
|
|
|
If allow-recursion is not set in named.conf then
|
|
allow-query-cache is used if set, otherwise allow-query
|
|
is used if set, otherwise the default (localnets;
|
|
localhost;) is used.
|
|
|
|
[RT #16987]
|
|
|
|
2205. [bug] libbind: change #2119 broke thread support. [RT #16982]
|
|
|
|
2204. [bug] "rndc flushname name unknown-view" caused named
|
|
to crash. [RT #16984]
|
|
|
|
2203. [security] Query id generation was cryptographically weak.
|
|
[RT # 16915]
|
|
|
|
2202. [security] The default acls for allow-query-cache and
|
|
allow-recursion were not being applied. [RT #16960]
|
|
|
|
2201. [bug] The build failed in a separate object directory.
|
|
[RT #16943]
|
|
|
|
2200. [bug] The search for cached NSEC records was stopping to
|
|
early leading to excessive DLV queries. [RT #16930]
|
|
|
|
2199. [bug] win32: don't call WSAStartup() while loading dlls.
|
|
[RT #16911]
|
|
|
|
2198. [bug] win32: RegCloseKey() could be called when
|
|
RegOpenKeyEx() failed. [RT #16911]
|
|
|
|
2197. [bug] Add INSIST to catch negative responses which are
|
|
not setting the event result code appropriately.
|
|
[RT #16909]
|
|
|
|
2196. [port] win32: yield processor while waiting for once to
|
|
to complete. [RT #16958]
|
|
|
|
2195. [func] dnssec-keygen now defaults to nametype "ZONE"
|
|
when generating DNSKEYs. [RT #16954]
|
|
|
|
2194. [bug] Close journal before calling 'done' in xfrin.c.
|
|
|
|
--- 9.5.0a5 released ---
|
|
|
|
2193. [port] win32: BINDInstall.exe is now linked statically.
|
|
[RT #16906]
|
|
|
|
2192. [port] win32: use vcredist_x86.exe to install Visual
|
|
Studio's redistributable dlls if building with
|
|
Visual Stdio 2005 or later.
|
|
|
|
2191. [func] named-checkzone now allows dumping to stdout (-).
|
|
named-checkconf now has -h for help.
|
|
named-checkzone now has -h for help.
|
|
rndc now has -h for help.
|
|
Better handling of '-?' for usage summaries.
|
|
[RT #16707]
|
|
|
|
2190. [func] Make fallback to plain DNS from EDNS due to timeouts
|
|
more visible. New logging category "edns-disabled".
|
|
[RT #16871]
|
|
|
|
2189. [bug] Handle socket() returning EINTR. [RT #15949]
|
|
|
|
2188. [contrib] queryperf: autoconf changes to make the search for
|
|
libresolv or libbind more robust. [RT #16299]
|
|
|
|
2187. [bug] query_addds(), query_addwildcardproof() and
|
|
query_addnxrrsetnsec() should take a version
|
|
argument. [RT #16368]
|
|
|
|
2186. [port] cygwin: libbind: check for struct sockaddr_storage
|
|
independently of IPv6. [RT #16482]
|
|
|
|
2185. [port] sunos: libbind: check for ssize_t, memmove() and
|
|
memchr(). [RT #16463]
|
|
|
|
2184. [bug] bind9.xsl.h didn't build out of the source tree.
|
|
[RT #16830]
|
|
|
|
2183. [bug] dnssec-signzone didn't handle offline private keys
|
|
well. [RT #16832]
|
|
|
|
2182. [bug] dns_dispatch_createtcp() and dispatch_createudp()
|
|
could return ISC_R_SUCCESS when they ran out of
|
|
memory. [RT #16365]
|
|
|
|
2181. [port] sunos: libbind: add paths.h from BIND 8. [RT #16462]
|
|
|
|
2180. [cleanup] Remove bit test from 'compress_test' as they
|
|
are no longer needed. [RT #16497]
|
|
|
|
2179. [func] 'rndc command zone' will now find 'zone' if it is
|
|
unique to all the views. [RT #16821]
|
|
|
|
2178. [bug] 'rndc reload' of a slave or stub zone resulted in
|
|
a reference leak. [RT #16867]
|
|
|
|
2177. [bug] Array bounds overrun on read (rcodetext) at
|
|
debug level 10+. [RT #16798]
|
|
|
|
2176. [contrib] dbus update to handle race condition during
|
|
initialization (Bugzilla 235809). [RT #16842]
|
|
|
|
2175. [bug] win32: windows broadcast condition variable support
|
|
was broken. [RT #16592]
|
|
|
|
2174. [bug] I/O errors should always be fatal when reading
|
|
master files. [RT #16825]
|
|
|
|
2173. [port] win32: When compiling with MSVS 2005 SP1 we also
|
|
need to ship Microsoft.VC80.MFCLOC.
|
|
|
|
--- 9.5.0a4 released ---
|
|
|
|
2172. [bug] query_addsoa() was being called with a non zone db.
|
|
[RT #16834]
|
|
|
|
2171. [bug] Handle breaks in DNSSEC trust chains where the parent
|
|
servers are not DS aware (DS queries to the parent
|
|
return a referral to the child).
|
|
|
|
2170. [func] Add acache processing to test suite. [RT #16711]
|
|
|
|
2169. [bug] host, nslookup: when reporting NXDOMAIN report the
|
|
given name and not the last name searched for.
|
|
[RT #16763]
|
|
|
|
2168. [bug] nsupdate: in non-interactive mode treat syntax errors
|
|
as fatal errors. [RT #16785]
|
|
|
|
2167. [bug] When re-using a automatic zone named failed to
|
|
attach it to the new view. [RT #16786]
|
|
|
|
--- 9.5.0a3 released ---
|
|
|
|
2166. [bug] When running in batch mode, dig could misinterpret
|
|
a server address as a name to be looked up, causing
|
|
unexpected output. [RT #16743]
|
|
|
|
2165. [func] Allow the destination address of a query to determine
|
|
if we will answer the query or recurse.
|
|
allow-query-on, allow-recursion-on and
|
|
allow-query-cache-on. [RT #16291]
|
|
|
|
2164. [bug] The code to determine how named-checkzone /
|
|
named-compilezone was called failed under windows.
|
|
[RT #16764]
|
|
|
|
2163. [bug] If only one of query-source and query-source-v6
|
|
specified a port the query pools code broke (change
|
|
2129). [RT #16768]
|
|
|
|
2162. [func] Allow "rrset-order fixed" to be disabled at compile
|
|
time. [RT #16665]
|
|
|
|
2161. [bug] Fix which log messages are emitted for 'rndc flush'.
|
|
[RT #16698]
|
|
|
|
2160. [bug] libisc wasn't handling NULL ifa_addr pointers returned
|
|
from getifaddrs(). [RT #16708]
|
|
|
|
--- 9.5.0a2 released ---
|
|
|
|
2159. [bug] Array bounds overrun in acache processing. [RT #16710]
|
|
|
|
2158. [bug] ns_client_isself() failed to initialize key
|
|
leading to a REQUIRE failure. [RT #16688]
|
|
|
|
2157. [func] dns_db_transfernode() created. [RT #16685]
|
|
|
|
2156. [bug] Fix node reference leaks in lookup.c:lookup_find(),
|
|
resolver.c:validated() and resolver.c:cache_name().
|
|
Fix a memory leak in rbtdb.c:free_noqname().
|
|
Make lookup.c:lookup_find() robust against
|
|
event leaks. [RT #16685]
|
|
|
|
2155. [contrib] SQLite sdb module from jaboydjr@netwalk.com.
|
|
[RT #16694]
|
|
|
|
2154. [func] Scoped (e.g. IPv6 link-local) addresses may now be
|
|
matched in acls by omitting the scope. [RT #16599]
|
|
|
|
2153. [bug] nsupdate could leak memory. [RT #16691]
|
|
|
|
2152. [cleanup] Use sizeof(buf) instead of fixed number in
|
|
dighost.c:get_trusted_key(). [RT #16678]
|
|
|
|
2151. [bug] Missing newline in usage message for journalprint.
|
|
[RT #16679]
|
|
|
|
2150. [bug] 'rrset-order cyclic' uniformly distribute the
|
|
starting point for the first response for a given
|
|
RRset. [RT #16655]
|
|
|
|
2149. [bug] isc_mem_checkdestroyed() failed to abort on
|
|
if there were still active memory contexts.
|
|
[RT #16672]
|
|
|
|
2148. [func] Add positive logging for rndc commands. [RT #14623]
|
|
|
|
2147. [bug] libbind: remove potential buffer overflow from
|
|
hmac_link.c. [RT #16437]
|
|
|
|
2146. [cleanup] Silence Linux's spurious "obsolete setsockopt
|
|
SO_BSDCOMPAT" message. [RT #16641]
|
|
|
|
2145. [bug] Check DS/DLV digest lengths for known digests.
|
|
[RT #16622]
|
|
|
|
2144. [cleanup] Suppress logging of SERVFAIL from forwarders.
|
|
[RT #16619]
|
|
|
|
2143. [bug] We failed to restart the IPv6 client when the
|
|
kernel failed to return the destination the
|
|
packet was sent to. [RT #16613]
|
|
|
|
2142. [bug] Handle master files with a modification time that
|
|
matches the epoch. [RT #16612]
|
|
|
|
2141. [bug] dig/host should not be setting IDN_ASCCHECK (IDN
|
|
equivalent of LDH checks). [RT #16609]
|
|
|
|
2140. [bug] libbind: missing unlock on pthread_key_create()
|
|
failures. [RT #16654]
|
|
|
|
2139. [bug] dns_view_find() was being called with wrong type
|
|
in adb.c. [RT #16670]
|
|
|
|
2138. [bug] Lock order reversal in resolver.c. [RT #16653]
|
|
|
|
2137. [port] Mips little endian and/or mips 64 bit are now
|
|
supported for atomic operations. [RT #16648]
|
|
|
|
2136. [bug] nslookup/host looped if there was no search list
|
|
and the host didn't exist. [RT #16657]
|
|
|
|
2135. [bug] Uninitialized rdataset in sdlz.c. [RT #16656]
|
|
|
|
2134. [func] Additional statistics support. [RT #16666]
|
|
|
|
2133. [port] powerpc: Support both IBM and MacOS Power PC
|
|
assembler syntaxes. [RT #16647]
|
|
|
|
2132. [bug] Missing unlock on out of memory in
|
|
dns_dispatchmgr_setudp().
|
|
|
|
2131. [contrib] dlz/mysql: AXFR was broken. [RT #16630]
|
|
|
|
2130. [func] Log if CD or DO were set. [RT #16640]
|
|
|
|
2129. [func] Provide a pool of UDP sockets for queries to be
|
|
made over. See use-queryport-pool, queryport-pool-ports
|
|
and queryport-pool-updateinterval. [RT #16415]
|
|
|
|
2128. [doc] xsltproc --nonet, update DTD versions. [RT #16635]
|
|
|
|
2127. [port] Improved OpenSSL 0.9.8 support. [RT #16563]
|
|
|
|
2126. [security] Serialize validation of type ANY responses. [RT #16555]
|
|
|
|
2125. [bug] dns_zone_getzeronosoattl() REQUIRE failure if DLZ
|
|
was defined. [RT #16574]
|
|
|
|
2124. [security] It was possible to dereference a freed fetch
|
|
context. [RT #16584]
|
|
|
|
--- 9.5.0a1 released ---
|
|
|
|
2123. [func] Use Doxygen to generate internal documentation.
|
|
[RT #11398]
|
|
|
|
2122. [func] Experimental http server and statistics support
|
|
for named via xml.
|
|
|
|
2121. [func] Add a 10 slot dead masters cache (LRU) with a 600
|
|
second timeout. [RT #16553]
|
|
|
|
2120. [doc] Fix markup on nsupdate man page. [RT #16556]
|
|
|
|
2119. [compat] libbind: allow res_init() to succeed enough to
|
|
return the default domain even if it was unable
|
|
to allocate memory.
|
|
|
|
2118. [bug] Handle response with long chains of domain name
|
|
compression pointers which point to other compression
|
|
pointers. [RT #16427]
|
|
|
|
2117. [bug] DNSSEC fixes: named could fail to cache NSEC records
|
|
which could lead to validation failures. named didn't
|
|
handle negative DS responses that were in the process
|
|
of being validated. Check CNAME bit before accepting
|
|
NODATA proof. To be able to ignore a child NSEC there
|
|
must be SOA (and NS) set in the bitmap. [RT #16399]
|
|
|
|
2116. [bug] 'rndc reload' could cause the cache to continually
|
|
be cleaned. [RT #16401]
|
|
|
|
2115. [bug] 'rndc reconfig' could trigger a INSIST if the
|
|
number of masters for a zone was reduced. [RT #16444]
|
|
|
|
2114. [bug] dig/host/nslookup: searches for names with multiple
|
|
labels were failing. [RT #16447]
|
|
|
|
2113. [bug] nsupdate: if a zone is specified it should be used
|
|
for server discover. [RT #16455]
|
|
|
|
2112. [security] Warn if weak RSA exponent is used. [RT #16460]
|
|
|
|
2111. [bug] Fix a number of errors reported by Coverity.
|
|
[RT #16507]
|
|
|
|
2110. [bug] "minimal-responses yes;" interacted badly with BIND 8
|
|
priming queries. [RT #16491]
|
|
|
|
2109. [port] libbind: silence aix 5.3 compiler warnings. [RT #16502]
|
|
|
|
2108. [func] DHCID support. [RT #16456]
|
|
|
|
2107. [bug] dighost.c: more cleanup of buffers. [RT #16499]
|
|
|
|
2106. [func] 'rndc status' now reports named's version. [RT #16426]
|
|
|
|
2105. [func] GSS-TSIG support (RFC 3645).
|
|
|
|
2104. [port] Fix Solaris SMF error message.
|
|
|
|
2103. [port] Add /usr/sfw to list of locations for OpenSSL
|
|
under Solaris.
|
|
|
|
2102. [port] Silence Solaris 10 warnings.
|
|
|
|
2101. [bug] OpenSSL version checks were not quite right.
|
|
[RT #16476]
|
|
|
|
2100. [port] win32: copy libeay32.dll to Build\Debug.
|
|
Copy Debug\named-checkzone to Debug\named-compilezone.
|
|
|
|
2099. [port] win32: more manifest issues.
|
|
|
|
2098. [bug] Race in rbtdb.c:no_references(), which occasionally
|
|
triggered an INSIST failure about the node lock
|
|
reference. [RT #16411]
|
|
|
|
2097. [bug] named could reference a destroyed memory context
|
|
after being reloaded / reconfigured. [RT #16428]
|
|
|
|
2096. [bug] libbind: handle applications that fail to detect
|
|
res_init() failures better.
|
|
|
|
2095. [port] libbind: alway prototype inet_cidr_ntop_ipv6() and
|
|
net_cidr_ntop_ipv6(). [RT #16388]
|
|
|
|
2094. [contrib] Update named-bootconf. [RT #16404]
|
|
|
|
2093. [bug] named-checkzone -s was broken.
|
|
|
|
2092. [bug] win32: dig, host, nslookup. Use registry config
|
|
if resolv.conf does not exist or no nameservers
|
|
listed. [RT #15877]
|
|
|
|
2091. [port] dighost.c: race condition on cleanup. [RT #16417]
|
|
|
|
2090. [port] win32: Visual C++ 2005 command line manifest support.
|
|
[RT #16417]
|
|
|
|
2089. [security] Raise the minimum safe OpenSSL versions to
|
|
OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions
|
|
prior to these have known security flaws which
|
|
are (potentially) exploitable in named. [RT #16391]
|
|
|
|
2088. [security] Change the default RSA exponent from 3 to 65537.
|
|
[RT #16391]
|
|
|
|
2087. [port] libisc failed to compile on OS's w/o a vsnprintf.
|
|
[RT #16382]
|
|
|
|
2086. [port] libbind: FreeBSD now has get*by*_r() functions.
|
|
[RT #16403]
|
|
|
|
2085. [doc] win32: added index.html and README to zip. [RT #16201]
|
|
|
|
2084. [contrib] dbus update for 9.3.3rc2.
|
|
|
|
2083. [port] win32: Visual C++ 2005 support.
|
|
|
|
2082. [doc] Document 'cache-file' as a test only option.
|
|
|
|
2081. [port] libbind: minor 64-bit portability fix in memcluster.c.
|
|
[RT #16360]
|
|
|
|
2080. [port] libbind: res_init.c did not compile on older versions
|
|
of Solaris. [RT #16363]
|
|
|
|
2079. [bug] The lame cache was not handling multiple types
|
|
correctly. [RT #16361]
|
|
|
|
2078. [bug] dnssec-checkzone output style "default" was badly
|
|
named. It is now called "relative". [RT #16326]
|
|
|
|
2077. [bug] 'dnssec-signzone -O raw' wasn't outputting the
|
|
complete signed zone. [RT #16326]
|
|
|
|
2076. [bug] Several files were missing #include <config.h>
|
|
causing build failures on OSF. [RT #16341]
|
|
|
|
2075. [bug] The spillat timer event hander could leak memory.
|
|
[RT #16357]
|
|
|
|
2074. [bug] dns_request_createvia2(), dns_request_createvia3(),
|
|
dns_request_createraw2() and dns_request_createraw3()
|
|
failed to send multiple UDP requests. [RT #16349]
|
|
|
|
2073. [bug] Incorrect semantics check for update policy "wildcard".
|
|
[RT #16353]
|
|
|
|
2072. [bug] We were not generating valid HMAC SHA digests.
|
|
[RT #16320]
|
|
|
|
2071. [port] Test whether gcc accepts -fno-strict-aliasing.
|
|
[RT #16324]
|
|
|
|
2070. [bug] The remote address was not always displayed when
|
|
reporting dispatch failures. [RT #16315]
|
|
|
|
2069. [bug] Cross compiling was not working. [RT #16330]
|
|
|
|
2068. [cleanup] Lower incremental tuning message to debug 1.
|
|
[RT #16319]
|
|
|
|
2067. [bug] 'rndc' could close the socket too early triggering
|
|
a INSIST under Windows. [RT #16317]
|
|
|
|
2066. [security] Handle SIG queries gracefully. [RT #16300]
|
|
|
|
2065. [bug] libbind: probe for HPUX prototypes for
|
|
endprotoent_r() and endservent_r(). [RT 16313]
|
|
|
|
2064. [bug] libbind: silence AIX compiler warnings. [RT #16218]
|
|
|
|
2063. [bug] Change #1955 introduced a bug which caused the first
|
|
'rndc flush' call to not free memory. [RT #16244]
|
|
|
|
2062. [bug] 'dig +nssearch' was reusing a buffer before it had
|
|
been returned by the socket code. [RT #16307]
|
|
|
|
2061. [bug] Accept expired wildcard message reversed. [RT #16296]
|
|
|
|
2060. [bug] Enabling DLZ support could leave views partially
|
|
configured. [RT #16295]
|
|
|
|
2059. [bug] Search into cache rbtdb could trigger an INSIST
|
|
failure while cleaning up a stale rdataset.
|
|
[RT #16292]
|
|
|
|
2058. [bug] Adjust how we calculate rtt estimates in the presence
|
|
of authoritative servers that drop EDNS and/or CD
|
|
requests. Also fallback to EDNS/512 and plain DNS
|
|
faster for zones with less than 3 servers. [RT #16187]
|
|
|
|
2057. [bug] Make setting "ra" dependent on both allow-query-cache
|
|
and allow-recursion. [RT #16290]
|
|
|
|
2056. [bug] dig: ixfr= was not being treated case insensitively
|
|
at all times. [RT #15955]
|
|
|
|
2055. [bug] Missing goto after dropping multicast query.
|
|
[RT #15944]
|
|
|
|
2054. [port] freebsd: do not explicitly link against -lpthread.
|
|
[RT #16170]
|
|
|
|
2053. [port] netbsd:libbind: silence compiler warnings. [RT #16220]
|
|
|
|
2052. [bug] 'rndc' improve connect failed message to report
|
|
the failing address. [RT #15978]
|
|
|
|
2051. [port] More strtol() fixes. [RT #16249]
|
|
|
|
2050. [bug] Parsing of NSAP records was not case insensitive.
|
|
[RT #16287]
|
|
|
|
2049. [bug] Restore SOA before AXFR when falling back from
|
|
a attempted IXFR when transferring in a zone.
|
|
Allow a initial SOA query before attempting
|
|
a AXFR to be requested. [RT #16156]
|
|
|
|
2048. [bug] It was possible to loop forever when using
|
|
avoid-v4-udp-ports / avoid-v6-udp-ports when
|
|
the OS always returned the same local port.
|
|
[RT #16182]
|
|
|
|
2047. [bug] Failed to initialize the interface flags to zero.
|
|
[RT #16245]
|
|
|
|
2046. [bug] rbtdb.c:rdataset_setadditional() could cause duplicate
|
|
cleanup [RT #16247].
|
|
|
|
2045. [func] Use lock buckets for acache entries to limit memory
|
|
consumption. [RT #16183]
|
|
|
|
2044. [port] Add support for atomic operations for Itanium.
|
|
[RT #16179]
|
|
|
|
2043. [port] nsupdate/nslookup: Force the flushing of the prompt
|
|
for interactive sessions. [RT #16148]
|
|
|
|
2042. [bug] named-checkconf was incorrectly rejecting the
|
|
logging category "config". [RT #16117]
|
|
|
|
2041. [bug] "configure --with-dlz-bdb=yes" produced a bad
|
|
set of libraries to be linked. [RT #16129]
|
|
|
|
2040. [bug] rbtdb no_references() could trigger an INSIST
|
|
failure with --enable-atomic. [RT #16022]
|
|
|
|
2039. [func] Check that all buffers passed to the socket code
|
|
have been retrieved when the socket event is freed.
|
|
[RT #16122]
|
|
|
|
2038. [bug] dig/nslookup/host was unlinking from wrong list
|
|
when handling errors. [RT #16122]
|
|
|
|
2037. [func] When unlinking the first or last element in a list
|
|
check that the list head points to the element to
|
|
be unlinked. [RT #15959]
|
|
|
|
2036. [bug] 'rndc recursing' could cause trigger a REQUIRE.
|
|
[RT #16075]
|
|
|
|
2035. [func] Make falling back to TCP on UDP refresh failure
|
|
optional. Default "try-tcp-refresh yes;" for BIND 8
|
|
compatibility. [RT #16123]
|
|
|
|
2034. [bug] gcc: set -fno-strict-aliasing. [RT #16124]
|
|
|
|
2033. [bug] We weren't creating multiple client memory contexts
|
|
on demand as expected. [RT #16095]
|
|
|
|
2032. [bug] Remove a INSIST in query_addadditional2(). [RT #16074]
|
|
|
|
2031. [bug] Emit a error message when "rndc refresh" is called on
|
|
a non slave/stub zone. [RT # 16073]
|
|
|
|
2030. [bug] We were being overly conservative when disabling
|
|
openssl engine support. [RT #16030]
|
|
|
|
2029. [bug] host printed out the server multiple times when
|
|
specified on the command line. [RT #15992]
|
|
|
|
2028. [port] linux: socket.c compatibility for old systems.
|
|
[RT #16015]
|
|
|
|
2027. [port] libbind: Solaris x86 support. [RT #16020]
|
|
|
|
2026. [bug] Rate limit the two recursive client exceeded messages.
|
|
[RT #16044]
|
|
|
|
2025. [func] Update "zone serial unchanged" message. [RT #16026]
|
|
|
|
2024. [bug] named emitted spurious "zone serial unchanged"
|
|
messages on reload. [RT #16027]
|
|
|
|
2023. [bug] "make install" should create ${localstatedir}/run and
|
|
${sysconfdir} if they do not exist. [RT #16033]
|
|
|
|
2022. [bug] If dnssec validation is disabled only assert CD if
|
|
CD was requested. [RT #16037]
|
|
|
|
2021. [bug] dnssec-enable no; triggered a REQUIRE. [RT #16037]
|
|
|
|
2020. [bug] rdataset_setadditional() could leak memory. [RT #16034]
|
|
|
|
2019. [tuning] Reduce the amount of work performed per quantum
|
|
when cleaning the cache. [RT #15986]
|
|
|
|
2018. [bug] Checking if the HMAC MD5 private file was broken.
|
|
[RT #15960]
|
|
|
|
2017. [bug] allow-query default was not correct. [RT #15946]
|
|
|
|
2016. [bug] Return a partial answer if recursion is not
|
|
allowed but requested and we had the answer
|
|
to the original qname. [RT #15945]
|
|
|
|
2015. [cleanup] use-additional-cache is now acache-enable for
|
|
consistency. Default acache-enable off in BIND 9.4
|
|
as it requires memory usage to be configured.
|
|
It may be enabled by default in BIND 9.5 once we
|
|
have more experience with it.
|
|
|
|
2014. [func] Statistics about acache now recorded and sent
|
|
to log. [RT #15976]
|
|
|
|
2013. [bug] Handle unexpected TSIGs on unsigned AXFR/IXFR
|
|
responses more gracefully. [RT #15941]
|
|
|
|
2012. [func] Don't insert new acache entries if acache is full.
|
|
[RT #15970]
|
|
|
|
2011. [func] dnssec-signzone can now update the SOA record of
|
|
the signed zone, either as an increment or as the
|
|
system time(). [RT #15633]
|
|
|
|
2010. [placeholder] rt15958
|
|
|
|
2009. [bug] libbind: Coverity fixes. [RT #15808]
|
|
|
|
2008. [func] It is now possible to enable/disable DNSSEC
|
|
validation from rndc. This is useful for the
|
|
mobile hosts where the current connection point
|
|
breaks DNSSEC (firewall/proxy). [RT #15592]
|
|
|
|
rndc validation newstate [view]
|
|
|
|
2007. [func] It is now possible to explicitly enable DNSSEC
|
|
validation. default dnssec-validation no; to
|
|
be changed to yes in 9.5.0. [RT #15674]
|
|
|
|
2006. [security] Allow-query-cache and allow-recursion now default
|
|
to the built in acls "localnets" and "localhost".
|
|
|
|
This is being done to make caching servers less
|
|
attractive as reflective amplifying targets for
|
|
spoofed traffic. This still leave authoritative
|
|
servers exposed.
|
|
|
|
The best fix is for full BCP 38 deployment to
|
|
remove spoofed traffic.
|
|
|
|
2005. [bug] libbind: Retransmission timeouts should be
|
|
based on which attempt it is to the nameserver
|
|
and not the nameserver itself. [RT #13548]
|
|
|
|
2004. [bug] dns_tsig_sign() could pass a NULL pointer to
|
|
dst_context_destroy() when cleaning up after a
|
|
error. [RT #15835]
|
|
|
|
2003. [bug] libbind: The DNS name/address lookup functions could
|
|
occasionally follow a random pointer due to
|
|
structures not being completely zeroed. [RT #15806]
|
|
|
|
2002. [bug] libbind: tighten the constraints on when
|
|
struct addrinfo._ai_pad exists. [RT #15783]
|
|
|
|
2001. [func] Check the KSK flag when updating a secure dynamic zone.
|
|
New zone option "update-check-ksk yes;". [RT #15817]
|
|
|
|
2000. [bug] memmove()/strtol() fix was incomplete. [RT #15812]
|
|
|
|
1999. [func] Implement "rrset-order fixed". [RT #13662]
|
|
|
|
1998. [bug] Restrict handling of fifos as sockets to just SunOS.
|
|
This allows named to connect to entropy gathering
|
|
daemons that use fifos instead of sockets. [RT #15840]
|
|
|
|
1997. [bug] Named was failing to replace negative cache entries
|
|
when a positive one for the type was learnt.
|
|
[RT #15818]
|
|
|
|
1996. [bug] nsupdate: if a zone has been specified it should
|
|
appear in the output of 'show'. [RT #15797]
|
|
|
|
1995. [bug] 'host' was reporting multiple "is an alias" messages.
|
|
[RT #15702]
|
|
|
|
1994. [port] OpenSSL 0.9.8 support. [RT #15694]
|
|
|
|
1993. [bug] Log messages, via syslog, were missing the space
|
|
after the timestamp if "print-time yes" was specified.
|
|
[RT #15844]
|
|
|
|
1992. [bug] Not all incoming zone transfer messages included the
|
|
view. [RT #15825]
|
|
|
|
1991. [cleanup] The configuration data, once read, should be treated
|
|
as read only. Expand the use of const to enforce this
|
|
at compile time. [RT #15813]
|
|
|
|
1990. [bug] libbind: isc's override of broken gettimeofday()
|
|
implementations was not always effective.
|
|
[RT #15709]
|
|
|
|
1989. [bug] win32: don't check the service password when
|
|
re-installing. [RT #15882]
|
|
|
|
1988. [bug] Remove a bus error from the SHA256/SHA512 support.
|
|
[RT #15878]
|
|
|
|
1987. [func] DS/DLV SHA256 digest algorithm support. [RT #15608]
|
|
|
|
1986. [func] Report when a zone is removed. [RT #15849]
|
|
|
|
1985. [protocol] DLV has now been assigned a official type code of
|
|
32769. [RT #15807]
|
|
|
|
Note: care should be taken to ensure you upgrade
|
|
both named and dnssec-signzone at the same time for
|
|
zones with DLV records where named is the master
|
|
server for the zone. Also any zones that contain
|
|
DLV records should be removed when upgrading a slave
|
|
zone. You do not however have to upgrade all
|
|
servers for a zone with DLV records simultaneously.
|
|
|
|
1984. [func] dig, nslookup and host now advertise a 4096 byte
|
|
EDNS UDP buffer size by default. [RT #15855]
|
|
|
|
1983. [func] Two new update policies. "selfsub" and "selfwild".
|
|
[RT #12895]
|
|
|
|
1982. [bug] DNSKEY was being accepted on the parent side of
|
|
a delegation. KEY is still accepted there for
|
|
RFC 3007 validated updates. [RT #15620]
|
|
|
|
1981. [bug] win32: condition.c:wait() could fail to reattain
|
|
the mutex lock.
|
|
|
|
1980. [func] dnssec-signzone: output the SOA record as the
|
|
first record in the signed zone. [RT #15758]
|
|
|
|
1979. [port] linux: allow named to drop core after changing
|
|
user ids. [RT #15753]
|
|
|
|
1978. [port] Handle systems which have a broken recvmsg().
|
|
[RT #15742]
|
|
|
|
1977. [bug] Silence noisy log message. [RT #15704]
|
|
|
|
1976. [bug] Handle systems with no IPv4 addresses. [RT #15695]
|
|
|
|
1975. [bug] libbind: isc_gethexstring() could misparse multi-line
|
|
hex strings with comments. [RT #15814]
|
|
|
|
1974. [doc] List each of the zone types and associated zone
|
|
options separately in the ARM.
|
|
|
|
1973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
|
|
HMACSHA512 support. [RT #13606]
|
|
|
|
1972. [contrib] DBUS dynamic forwarders integration from
|
|
Jason Vas Dias <jvdias@redhat.com>.
|
|
|
|
1971. [port] linux: make detection of missing IF_NAMESIZE more
|
|
robust. [RT #15443]
|
|
|
|
1970. [bug] nsupdate: adjust UDP timeout when falling back to
|
|
unsigned SOA query. [RT #15775]
|
|
|
|
1969. [bug] win32: the socket code was freeing the socket
|
|
structure too early. [RT #15776]
|
|
|
|
1968. [bug] Missing lock in resolver.c:validated(). [RT #15739]
|
|
|
|
1967. [func] dig/nslookup/host: warn about missing "QR". [RT #15779]
|
|
|
|
1966. [bug] Don't set CD when we have fallen back to plain DNS.
|
|
[RT #15727]
|
|
|
|
1965. [func] Suppress spurious "recursion requested but not
|
|
available" warning with 'dig +qr'. [RT #15780].
|
|
|
|
1964. [func] Separate out MX and SRV to CNAME checks. [RT #15723]
|
|
|
|
1963. [port] Tru64 4.0E doesn't support send() and recv().
|
|
[RT #15586]
|
|
|
|
1962. [bug] Named failed to clear old update-policy when it
|
|
was removed. [RT #15491]
|
|
|
|
1961. [bug] Check the port and address of responses forwarded
|
|
to dispatch. [RT #15474]
|
|
|
|
1960. [bug] Update code should set NSEC ttls from SOA MINIMUM.
|
|
[RT #15465]
|
|
|
|
1959. [func] Control the zeroing of the negative response TTL to
|
|
a soa query. Defaults "zero-no-soa-ttl yes;" and
|
|
"zero-no-soa-ttl-cache no;". [RT #15460]
|
|
|
|
1958. [bug] Named failed to update the zone's secure state
|
|
until the zone was reloaded. [RT #15412]
|
|
|
|
1957. [bug] Dig mishandled responses to class ANY queries.
|
|
[RT #15402]
|
|
|
|
1956. [bug] Improve cross compile support, 'gen' is now built
|
|
by native compiler. See README for additional
|
|
cross compile support information. [RT #15148]
|
|
|
|
1955. [bug] Pre-allocate the cache cleaning iterator. [RT #14998]
|
|
|
|
1954. [func] Named now falls back to advertising EDNS with a
|
|
512 byte receive buffer if the initial EDNS queries
|
|
fail. [RT #14852]
|
|
|
|
1953. [func] The maximum EDNS UDP response named will send can
|
|
now be set in named.conf (max-udp-size). This is
|
|
independent of the advertised receive buffer
|
|
(edns-udp-size). [RT #14852]
|
|
|
|
1952. [port] hpux: tell the linker to build a runtime link
|
|
path "-Wl,+b:". [RT #14816].
|
|
|
|
1951. [security] Drop queries from particular well known ports.
|
|
Don't return FORMERR to queries from particular
|
|
well known ports. [RT #15636]
|
|
|
|
1950. [port] Solaris 2.5.1 and earlier cannot bind() then connect()
|
|
a TCP socket. This prevents the source address being
|
|
set for TCP connections. [RT #15628]
|
|
|
|
1949. [func] Addition memory leakage checks. [RT #15544]
|
|
|
|
1948. [bug] If was possible to trigger a REQUIRE failure in
|
|
xfrin.c:maybe_free() if named ran out of memory.
|
|
[RT #15568]
|
|
|
|
1947. [func] It is now possible to configure named to accept
|
|
expired RRSIGs. Default "dnssec-accept-expired no;".
|
|
Setting "dnssec-accept-expired yes;" leaves named
|
|
vulnerable to replay attacks. [RT #14685]
|
|
|
|
1946. [bug] resume_dslookup() could trigger a REQUIRE failure
|
|
when using forwarders. [RT #15549]
|
|
|
|
1945. [cleanup] dnssec-keygen: RSA (RSAMD5) is no longer recommended.
|
|
To generate a RSAMD5 key you must explicitly request
|
|
RSAMD5. [RT #13780]
|
|
|
|
1944. [cleanup] isc_hash_create() does not need a read/write lock.
|
|
[RT #15522]
|
|
|
|
1943. [bug] Set the loadtime after rolling forward the journal.
|
|
[RT #15647]
|
|
|
|
1942. [bug] If the name of a DNSKEY match that of one in
|
|
trusted-keys do not attempt to validate the DNSKEY
|
|
using the parents DS RRset. [RT #15649]
|
|
|
|
1941. [bug] ncache_adderesult() should set eresult even if no
|
|
rdataset is passed to it. [RT #15642]
|
|
|
|
1940. [bug] Fixed a number of error conditions reported by
|
|
Coverity.
|
|
|
|
1939. [bug] The resolver could dereference a null pointer after
|
|
validation if all the queries have timed out.
|
|
[RT #15528]
|
|
|
|
1938. [bug] The validator was not correctly handling unsecure
|
|
negative responses at or below a SEP. [RT #15528]
|
|
|
|
1937. [bug] sdlz doesn't handle RRSIG records. [RT #15564]
|
|
|
|
1936. [bug] The validator could leak memory. [RT #15544]
|
|
|
|
1935. [bug] 'acache' was DO sensitive. [RT #15430]
|
|
|
|
1934. [func] Validate pending NS RRsets, in the authority section,
|
|
prior to returning them if it can be done without
|
|
requiring DNSKEYs to be fetched. [RT #15430]
|
|
|
|
1933. [bug] dump_rdataset_raw() had a incorrect INSIST. [RT #15534]
|
|
|
|
1932. [bug] hpux: LDFLAGS was getting corrupted. [RT #15530]
|
|
|
|
1931. [bug] Per-client mctx could require a huge amount of memory,
|
|
particularly for a busy caching server. [RT #15519]
|
|
|
|
1930. [port] HPUX: ia64 support. [RT #15473]
|
|
|
|
1929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
|
|
|
|
1928. [bug] Race in rbtdb.c:currentversion(). [RT #15517]
|
|
|
|
1927. [bug] Access to soanode or nsnode in rbtdb violated the
|
|
lock order rule and could cause a dead lock.
|
|
[RT #15518]
|
|
|
|
1926. [bug] The Windows installer did not check for empty
|
|
passwords. BINDinstall was being installed in
|
|
the wrong place. [RT #15483]
|
|
|
|
1925. [port] All outer level AC_TRY_RUNs need cross compiling
|
|
defaults. [RT #15469]
|
|
|
|
1924. [port] libbind: hpux ia64 support. [RT #15473]
|
|
|
|
1923. [bug] ns_client_detach() called too early. [RT #15499]
|
|
|
|
1922. [bug] check-tool.c:setup_logging() missing call to
|
|
dns_log_setcontext().
|
|
|
|
1921. [bug] Client memory contexts were not using internal
|
|
malloc. [RT #15434]
|
|
|
|
1920. [bug] The cache rbtdb lock array was too small to
|
|
have the desired performance characteristics.
|
|
[RT #15454]
|
|
|
|
1919. [contrib] queryperf: a set of new features: collecting/printing
|
|
response delays, printing intermediate results, and
|
|
adjusting query rate for the "target" qps.
|
|
|
|
1918. [bug] Memory leak when checking acls. [RT #15391]
|
|
|
|
1917. [doc] funcsynopsisinfo wasn't being treated as verbatim
|
|
when generating man pages. [RT #15385]
|
|
|
|
1916. [func] Integrate contributed IDN code from JPNIC. [RT #15383]
|
|
|
|
1915. [bug] dig +ndots was broken. [RT #15215]
|
|
|
|
1914. [protocol] DS is required to accept mnemonic algorithms
|
|
(RFC 4034). Still emit numeric algorithms for
|
|
compatibility with RFC 3658. [RT #15354]
|
|
|
|
1913. [func] Integrate contributed DLZ code into named. [RT #11382]
|
|
|
|
1912. [port] aix: atomic locking for powerpc. [RT #15020]
|
|
|
|
1911. [bug] Update windows socket code. [RT #14965]
|
|
|
|
1910. [bug] dig's +sigchase code overhauled. [RT #14933]
|
|
|
|
1909. [bug] The DLV code has been re-worked to make no longer
|
|
query order sensitive. [RT #14933]
|
|
|
|
1908. [func] dig now warns if 'RA' is not set in the answer when
|
|
'RD' was set in the query. host/nslookup skip servers
|
|
that fail to set 'RA' when 'RD' is set unless a server
|
|
is explicitly set. [RT #15005]
|
|
|
|
1907. [func] host/nslookup now continue (default)/fail on SERVFAIL.
|
|
[RT #15006]
|
|
|
|
1906. [func] dig now has a '-q queryname' and '+showsearch' options.
|
|
[RT #15034]
|
|
|
|
1905. [bug] Strings returned from cfg_obj_asstring() should be
|
|
treated as read-only. The prototype for
|
|
cfg_obj_asstring() has been updated to reflect this.
|
|
[RT #15256]
|
|
|
|
1904. [func] Automatic empty zone creation for D.F.IP6.ARPA and
|
|
friends. Note: RFC 1918 zones are not yet covered by
|
|
this but are likely to be in a future release.
|
|
|
|
New options: empty-server, empty-contact,
|
|
empty-zones-enable and disable-empty-zone.
|
|
|
|
1903. [func] ISC string copy API.
|
|
|
|
1902. [func] Attempt to make the amount of work performed in a
|
|
iteration self tuning. The covers nodes clean from
|
|
the cache per iteration, nodes written to disk when
|
|
rewriting a master file and nodes destroyed per
|
|
iteration when destroying a zone or a cache.
|
|
[RT #14996]
|
|
|
|
1901. [cleanup] Don't add DNSKEY records to the additional section.
|
|
|
|
1900. [bug] ixfr-from-differences failed to ensure that the
|
|
serial number increased. [RT #15036]
|
|
|
|
1899. [func] named-checkconf now validates update-policy entries.
|
|
[RT #14963]
|
|
|
|
1898. [bug] Extend ISC_SOCKADDR_FORMATSIZE and
|
|
ISC_NETADDR_FORMATSIZE to allow for scope details.
|
|
|
|
1897. [func] x86 and x86_64 now have separate atomic locking
|
|
implementations.
|
|
|
|
1896. [bug] Recursive clients soft quota support wasn't working
|
|
as expected. [RT #15103]
|
|
|
|
1895. [bug] A escaped character is, potentially, converted to
|
|
the output character set too early. [RT #14666]
|
|
|
|
1894. [doc] Review ARM for BIND 9.4.
|
|
|
|
1893. [port] Use uintptr_t if available. [RT #14606]
|
|
|
|
1892. [func] Support for SPF rdata type. [RT #15033]
|
|
|
|
1891. [port] freebsd: pthread_mutex_init can fail if it runs out
|
|
of memory. [RT #14995]
|
|
|
|
1890. [func] Raise the UDP receive buffer size to 32k if it is
|
|
less than 32k. [RT #14953]
|
|
|
|
1889. [port] sunos: non blocking i/o support. [RT #14951]
|
|
|
|
1888. [func] Support for IPSECKEY rdata type. [RT #14967]
|
|
|
|
1887. [bug] The cache could delete expired records too fast for
|
|
clients with a virtual time in the past. [RT #14991]
|
|
|
|
1886. [bug] fctx_create() could return success even though it
|
|
failed. [RT #14993]
|
|
|
|
1885. [func] dig: report the number of extra bytes still left in
|
|
the packet after processing all the records.
|
|
|
|
1884. [cleanup] dighost.c: move external declarations into <dig/dig.h>.
|
|
|
|
1883. [bug] dnssec-signzone, dnssec-keygen: handle negative debug
|
|
levels. [RT #14962]
|
|
|
|
1882. [func] Limit the number of recursive clients that can be
|
|
waiting for a single query (<qname,qtype,qclass>) to
|
|
resolve. New options clients-per-query and
|
|
max-clients-per-query.
|
|
|
|
1881. [func] Add a system test for named-checkconf. [RT #14931]
|
|
|
|
1880. [func] The lame cache is now done on a <qname,qclass,qtype>
|
|
basis as some servers only appear to be lame for
|
|
certain query types. [RT #14916]
|
|
|
|
1879. [func] "USE INTERNAL MALLOC" is now runtime selectable.
|
|
[RT #14892]
|
|
|
|
1878. [func] Detect duplicates of UDP queries we are recursing on
|
|
and drop them. New stats category "duplicate".
|
|
[RT #2471]
|
|
|
|
1877. [bug] Fix unreasonably low quantum on call to
|
|
dns_rbt_destroy2(). Remove unnecessary unhash_node()
|
|
call. [RT #14919]
|
|
|
|
1876. [func] Additional memory debugging support to track size
|
|
and mctx arguments. [RT #14814]
|
|
|
|
1875. [bug] process_dhtkey() was using the wrong memory context
|
|
to free some memory. [RT #14890]
|
|
|
|
1874. [port] sunos: portability fixes. [RT #14814]
|
|
|
|
1873. [port] win32: isc__errno2result() now reports its caller.
|
|
[RT #13753]
|
|
|
|
1872. [port] win32: Handle ERROR_NETNAME_DELETED. [RT #13753]
|
|
|
|
1871. [placeholder]
|
|
|
|
1870. [func] Added framework for handling multiple EDNS versions.
|
|
[RT #14873]
|
|
|
|
1869. [func] dig can now specify the EDNS version when making
|
|
a query. [RT #14873]
|
|
|
|
1868. [func] edns-udp-size can now be overridden on a per
|
|
server basis. [RT #14851]
|
|
|
|
1867. [bug] It was possible to trigger a INSIST in
|
|
dlv_validatezonekey(). [RT #14846]
|
|
|
|
1866. [bug] resolv.conf parse errors were being ignored by
|
|
dig/host/nslookup. [RT #14841]
|
|
|
|
1865. [bug] Silently ignore nameservers in /etc/resolv.conf with
|
|
bad addresses. [RT #14841]
|
|
|
|
1864. [bug] Don't try the alternative transfer source if you
|
|
got a answer / transfer with the main source
|
|
address. [RT #14802]
|
|
|
|
1863. [bug] rrset-order "fixed" error messages not complete.
|
|
|
|
1862. [func] Add additional zone data constancy checks.
|
|
named-checkzone has extended checking of NS, MX and
|
|
SRV record and the hosts they reference.
|
|
named has extended post zone load checks.
|
|
New zone options: check-mx and integrity-check.
|
|
[RT #4940]
|
|
|
|
1861. [bug] dig could trigger a INSIST on certain malformed
|
|
responses. [RT #14801]
|
|
|
|
1860. [port] solaris 2.8: hack_shutup_pthreadmutexinit was
|
|
incorrectly set. [RT #14775]
|
|
|
|
1859. [func] Add support for CH A record. [RT #14695]
|
|
|
|
1858. [bug] The flush-zones-on-shutdown option wasn't being
|
|
parsed. [RT #14686]
|
|
|
|
1857. [bug] named could trigger a INSIST() if reconfigured /
|
|
reloaded too fast. [RT #14673]
|
|
|
|
1856. [doc] Switch Docbook toolchain from DSSSL to XSL.
|
|
[RT #11398]
|
|
|
|
1855. [bug] ixfr-from-differences was failing to detect changes
|
|
of ttl due to dns_diff_subtract() was ignoring the ttl
|
|
of records. [RT #14616]
|
|
|
|
1854. [bug] lwres also needs to know the print format for
|
|
(long long). [RT #13754]
|
|
|
|
1853. [bug] Rework how DLV interacts with proveunsecure().
|
|
[RT #13605]
|
|
|
|
1852. [cleanup] Remove last vestiges of dnssec-signkey and
|
|
dnssec-makekeyset (removed from Makefile years ago).
|
|
|
|
1851. [doc] Doxygen comment markup. [RT #11398]
|
|
|
|
1850. [bug] Memory leak in lwres_getipnodebyaddr(). [RT #14591]
|
|
|
|
1849. [doc] All forms of the man pages (docbook, man, html) should
|
|
have consistent copyright dates.
|
|
|
|
1848. [bug] Improve SMF integration. [RT #13238]
|
|
|
|
1847. [bug] isc_ondestroy_init() is called too late in
|
|
dns_rbtdb_create()/dns_rbtdb64_create().
|
|
[RT #13661]
|
|
|
|
1846. [contrib] query-loc-0.3.0 from Stephane Bortzmeyer
|
|
<bortzmeyer@nic.fr>.
|
|
|
|
1845. [bug] Improve error reporting to distinguish between
|
|
accept()/fcntl() and socket()/fcntl() errors.
|
|
[RT #13745]
|
|
|
|
1844. [bug] inet_pton() accepted more that 4 hexadecimal digits
|
|
for each 16 bit piece of the IPv6 address. The text
|
|
representation of a IPv6 address has been tightened
|
|
to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt).
|
|
[RT #5662]
|
|
|
|
1843. [cleanup] CINCLUDES takes precedence over CFLAGS. This helps
|
|
when CFLAGS contains "-I /usr/local/include"
|
|
resulting in old header files being used.
|
|
|
|
1842. [port] cmsg_len() could produce incorrect results on
|
|
some platform. [RT #13744]
|
|
|
|
1841. [bug] "dig +nssearch" now makes a recursive query to
|
|
find the list of nameservers to query. [RT #13694]
|
|
|
|
1840. [func] dnssec-signzone can now randomize signature end times
|
|
(dnssec-signzone -j jitter). [RT #13609]
|
|
|
|
1839. [bug] <isc/hash.h> was not being installed.
|
|
|
|
1838. [cleanup] Don't allow Linux capabilities to be inherited.
|
|
[RT #13707]
|
|
|
|
1837. [bug] Compile time option ISC_FACILITY was not effective
|
|
for 'named -u <user>'. [RT #13714]
|
|
|
|
1836. [cleanup] Silence compiler warnings in hash_test.c.
|
|
|
|
1835. [bug] Update dnssec-signzone's usage message. [RT #13657]
|
|
|
|
1834. [bug] Bad memset in rdata_test.c. [RT #13658]
|
|
|
|
1833. [bug] Race condition in isc_mutex_lock_profile(). [RT #13660]
|
|
|
|
1832. [bug] named fails to return BADKEY on unknown TSIG algorithm.
|
|
[RT #13620]
|
|
|
|
1831. [doc] Update named-checkzone documentation. [RT #13604]
|
|
|
|
1830. [bug] adb lame cache has sence of test reversed. [RT #13600]
|
|
|
|
1829. [bug] win32: "pid-file none;" broken. [RT #13563]
|
|
|
|
1828. [bug] isc_rwlock_init() failed to properly cleanup if it
|
|
encountered a error. [RT #13549]
|
|
|
|
1827. [bug] host: update usage message for '-a'. [RT #37116]
|
|
|
|
1826. [bug] Missing DESTROYLOCK() in isc_mem_createx() on out
|
|
of memory error. [RT #13537]
|
|
|
|
1825. [bug] Missing UNLOCK() on out of memory error from in
|
|
rbtdb.c:subtractrdataset(). [RT #13519]
|
|
|
|
1824. [bug] Memory leak on dns_zone_setdbtype() failure.
|
|
[RT #13510]
|
|
|
|
1823. [bug] Wrong macro used to check for point to point interface.
|
|
[RT #13418]
|
|
|
|
1822. [bug] check-names test for RT was reversed. [RT #13382]
|
|
|
|
1821. [placeholder]
|
|
|
|
1820. [bug] Gracefully handle acl loops. [RT #13659]
|
|
|
|
1819. [bug] The validator needed to check both the algorithm and
|
|
digest types of the DS to determine if it could be
|
|
used to introduce a secure zone. [RT #13593]
|
|
|
|
1818. [bug] 'named-checkconf -z' triggered an INSIST. [RT #13599]
|
|
|
|
1817. [func] Add support for additional zone file formats for
|
|
improving loading performance. The masterfile-format
|
|
option in named.conf can be used to specify a
|
|
non-default format. A separate command
|
|
named-compilezone was provided to generate zone files
|
|
in the new format. Additionally, the -I and -O options
|
|
for dnssec-signzone specify the input and output
|
|
formats.
|
|
|
|
1816. [port] UnixWare: failed to compile lib/isc/unix/net.c.
|
|
[RT #13597]
|
|
|
|
1815. [bug] nsupdate triggered a REQUIRE if the server was set
|
|
without also setting the zone and it encountered
|
|
a CNAME and was using TSIG. [RT #13086]
|
|
|
|
1814. [func] UNIX domain controls are now supported.
|
|
|
|
1813. [func] Restructured the data locking framework using
|
|
architecture dependent atomic operations (when
|
|
available), improving response performance on
|
|
multi-processor machines significantly.
|
|
x86, x86_64, alpha, powerpc, and mips are currently
|
|
supported.
|
|
|
|
1812. [port] win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect.
|
|
[RT #13453]
|
|
|
|
1811. [func] Preserve the case of domain names in rdata during
|
|
zone transfers. [RT #13547]
|
|
|
|
1810. [bug] configure, lib/bind/configure make different default
|
|
decisions about whether to do a threaded build.
|
|
[RT #13212]
|
|
|
|
1809. [bug] "make distclean" failed for libbind if the platform
|
|
is not supported.
|
|
|
|
1808. [bug] zone.c:notify_zone() contained a race condition,
|
|
zone->db could change underneath it. [RT #13511]
|
|
|
|
1807. [bug] When forwarding (forward only) set the active domain
|
|
from the forward zone name. [RT #13526]
|
|
|
|
1806. [bug] The resolver returned the wrong result when a CNAME /
|
|
DNAME was encountered when fetching glue from a
|
|
secure namespace. [RT #13501]
|
|
|
|
1805. [bug] Pending status was not being cleared when DLV was
|
|
active. [RT #13501]
|
|
|
|
1804. [bug] Ensure that if we are queried for glue that it fits
|
|
in the additional section or TC is set to tell the
|
|
client to retry using TCP. [RT #10114]
|
|
|
|
1803. [bug] dnssec-signzone sometimes failed to remove old
|
|
RRSIGs. [RT #13483]
|
|
|
|
1802. [bug] Handle connection resets better. [RT #11280]
|
|
|
|
1801. [func] Report differences between hints and real NS rrset
|
|
and associated address records.
|
|
|
|
1800. [bug] Changes #1719 allowed a INSIST to be triggered.
|
|
[RT #13428]
|
|
|
|
1799. [bug] 'rndc flushname' failed to flush negative cache
|
|
entries. [RT #13438]
|
|
|
|
1798. [func] The server syntax has been extended to support a
|
|
range of servers. [RT #11132]
|
|
|
|
1797. [func] named-checkconf now check acls to verify that they
|
|
only refer to existing acls. [RT #13101]
|
|
|
|
1796. [func] "rndc freeze/thaw" now freezes/thaws all zones.
|
|
|
|
1795. [bug] "rndc dumpdb" was not fully documented. Minor
|
|
formating issues with "rndc dumpdb -all". [RT #13396]
|
|
|
|
1794. [func] Named and named-checkzone can now both check for
|
|
non-terminal wildcard records.
|
|
|
|
1793. [func] Extend adjusting TTL warning messages. [RT #13378]
|
|
|
|
1792. [func] New zone option "notify-delay". Specify a minimum
|
|
delay between sets of NOTIFY messages.
|
|
|
|
1791. [bug] 'host -t a' still printed out AAAA and MX records.
|
|
[RT #13230]
|
|
|
|
1790. [cleanup] Move lib/dns/sec/dst up into lib/dns. This should
|
|
allow parallel make to succeed.
|
|
|
|
1789. [bug] Prerequisite test for tkey and dnssec could fail
|
|
with "configure --with-libtool".
|
|
|
|
1788. [bug] libbind9.la/libbind9.so needs to link against
|
|
libisccfg.la/libisccfg.so.
|
|
|
|
1787. [port] HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings.
|
|
|
|
1786. [port] AIX: libt_api needs to be taught to look for
|
|
T_testlist in the main executable (--with-libtool).
|
|
[RT #13239]
|
|
|
|
1785. [bug] libbind9.la/libbind9.so needs to link against
|
|
libisc.la/libisc.so.
|
|
|
|
1784. [cleanup] "libtool -allow-undefined" is the default.
|
|
Leave hooks in configure to allow it to be set
|
|
if needed in the future.
|
|
|
|
1783. [cleanup] We only need one copy of libtool.m4, ltmain.sh in the
|
|
source tree.
|
|
|
|
1782. [port] OSX: --with-libtool + --enable-libbind broke on
|
|
__evOptMonoTime. [RT #13219]
|
|
|
|
1781. [port] FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810]
|
|
|
|
1780. [bug] Update libtool to 1.5.10.
|
|
|
|
1779. [port] OSF 5.1: libtool didn't handle -pthread correctly.
|
|
|
|
1778. [port] HUX 11.11: fix broken IN6ADDR_ANY_INIT and
|
|
IN6ADDR_LOOPBACK_INIT macros.
|
|
|
|
1777. [port] OSF 5.1: fix broken IN6ADDR_ANY_INIT and
|
|
IN6ADDR_LOOPBACK_INIT macros.
|
|
|
|
1776. [port] Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
|
|
IN6ADDR_LOOPBACK_INIT macros.
|
|
|
|
1775. [bug] Only compile getnetent_r.c when threaded. [RT #13205]
|
|
|
|
1774. [port] Aix: Silence compiler warnings / build failures.
|
|
[RT #13154]
|
|
|
|
1773. [bug] Fast retry on host / net unreachable. [RT #13153]
|
|
|
|
1772. [placeholder]
|
|
|
|
1771. [placeholder]
|
|
|
|
1770. [bug] named-checkconf failed to report missing a missing
|
|
file clause for rbt{64} master/hint zones. [RT #13009]
|
|
|
|
1769. [port] win32: change compiler flags /MTd ==> /MDd,
|
|
/MT ==> /MD.
|
|
|
|
1768. [bug] nsecnoexistnodata() could be called with a non-NSEC
|
|
rdataset. [RT #12907]
|
|
|
|
1767. [port] Builds on IPv6 platforms without IPv6 Advanced API
|
|
support for (struct in6_pktinfo) failed. [RT #13077]
|
|
|
|
1766. [bug] Update the master file timestamp on successful refresh
|
|
as well as the journal's timestamp. [RT #13062]
|
|
|
|
1765. [bug] configure --with-openssl=auto failed. [RT #12937]
|
|
|
|
1764. [bug] dns_zone_replacedb failed to emit a error message
|
|
if there was no SOA record in the replacement db.
|
|
[RT #13016]
|
|
|
|
1763. [func] Perform sanity checks on NS records which refer to
|
|
'in zone' names. [RT #13002]
|
|
|
|
1762. [bug] isc_interfaceiter_create() could return ISC_R_SUCCESS
|
|
even when it failed. [RT #12995]
|
|
|
|
1761. [bug] 'rndc dumpdb' didn't report unassociated entries.
|
|
[RT #12971]
|
|
|
|
1760. [bug] Host / net unreachable was not penalising rtt
|
|
estimates. [RT #12970]
|
|
|
|
1759. [bug] Named failed to startup if the OS supported IPv6
|
|
but had no IPv6 interfaces configured. [RT #12942]
|
|
|
|
1758. [func] Don't send notify messages to self. [RT #12933]
|
|
|
|
1757. [func] host now can turn on memory debugging flags with '-m'.
|
|
|
|
1756. [func] named-checkconf now checks the logging configuration.
|
|
[RT #12352]
|
|
|
|
1755. [func] allow-update is now settable at the options / view
|
|
level. [RT #6636]
|
|
|
|
1754. [bug] We weren't always attempting to query the parent
|
|
server for the DS records at the zone cut.
|
|
[RT #12774]
|
|
|
|
1753. [bug] Don't serve a slave zone which has no NS records.
|
|
[RT #12894]
|
|
|
|
1752. [port] Move isc_app_start() to after ns_os_daemonise()
|
|
as some fork() implementations unblock the signals
|
|
that are blocked by isc_app_start(). [RT #12810]
|
|
|
|
1751. [bug] --enable-getifaddrs failed under linux. [RT #12867]
|
|
|
|
1750. [port] lib/bind/make/rules.in:subdirs was not bash friendly.
|
|
[RT #12864]
|
|
|
|
1749. [bug] 'check-names response ignore;' failed to ignore.
|
|
[RT #12866]
|
|
|
|
1748. [func] dig now returns the byte count for axfr/ixfr.
|
|
|
|
1747. [bug] BIND 8 compatibility: named/named-checkconf failed
|
|
to parse "host-statistics-max" in named.conf.
|
|
|
|
1746. [func] Make public the function to read a key file,
|
|
dst_key_read_public(). [RT #12450]
|
|
|
|
1745. [bug] Dig/host/nslookup accept replies from link locals
|
|
regardless of scope if no scope was specified when
|
|
query was sent. [RT #12745]
|
|
|
|
1744. [bug] If tuple2msgname() failed to convert a tuple to
|
|
a name a REQUIRE could be triggered. [RT #12796]
|
|
|
|
1743. [bug] If isc_taskmgr_create() was not able to create the
|
|
requested number of worker threads then destruction
|
|
of the manager would trigger an INSIST() failure.
|
|
[RT #12790]
|
|
|
|
1742. [bug] Deleting all records at a node then adding a
|
|
previously existing record, in a single UPDATE
|
|
transaction, failed to leave / regenerate the
|
|
associated RRSIG records. [RT #12788]
|
|
|
|
1741. [bug] Deleting all records at a node in a secure zone
|
|
using a update-policy grant failed. [RT #12787]
|
|
|
|
1740. [bug] Replace rbt's hash algorithm as it performed badly
|
|
with certain zones. [RT #12729]
|
|
|
|
NOTE: a hash context now needs to be established
|
|
via isc_hash_create() if the application was not
|
|
already doing this.
|
|
|
|
1739. [bug] dns_rbt_deletetree() could incorrectly return
|
|
ISC_R_QUOTA. [RT #12695]
|
|
|
|
1738. [bug] Enable overrun checking by default. [RT #12695]
|
|
|
|
1737. [bug] named failed if more than 16 masters were specified.
|
|
[RT #12627]
|
|
|
|
1736. [bug] dst_key_fromnamedfile() could fail to read a
|
|
public key. [RT #12687]
|
|
|
|
1735. [bug] 'dig +sigtrace' could die with a REQUIRE failure.
|
|
[RE #12688]
|
|
|
|
1734. [cleanup] 'rndc-confgen -a -t' remove extra '/' in path.
|
|
[RT #12588]
|
|
|
|
1733. [bug] Return non-zero exit status on initial load failure.
|
|
[RT #12658]
|
|
|
|
1732. [bug] 'rrset-order name "*"' wasn't being applied to ".".
|
|
[RT #12467]
|
|
|
|
1731. [port] darwin: relax version test in ifconfig.sh.
|
|
[RT #12581]
|
|
|
|
1730. [port] Determine the length type used by the socket API.
|
|
[RT #12581]
|
|
|
|
1729. [func] Improve check-names error messages.
|
|
|
|
1728. [doc] Update check-names documentation.
|
|
|
|
1727. [bug] named-checkzone: check-names support didn't match
|
|
documentation.
|
|
|
|
1726. [port] aix5: add support for aix5.
|
|
|
|
1725. [port] linux: update error message on interaction of threads,
|
|
capabilities and setuid support (named -u). [RT #12541]
|
|
|
|
1724. [bug] Look for DNSKEY records with "dig +sigtrace".
|
|
[RT #12557]
|
|
|
|
1723. [cleanup] Silence compiler warnings from t_tasks.c. [RT #12493]
|
|
|
|
1722. [bug] Don't commit the journal on malformed ixfr streams.
|
|
[RT #12519]
|
|
|
|
1721. [bug] Error message from the journal processing were not
|
|
always identifying the relevant journal. [RT #12519]
|
|
|
|
1720. [bug] 'dig +chase' did not terminate on a RFC 2308 Type 1
|
|
negative response. [RT #12506]
|
|
|
|
1719. [bug] named was not correctly caching a RFC 2308 Type 1
|
|
negative response. [RT #12506]
|
|
|
|
1718. [bug] nsupdate was not handling RFC 2308 Type 3 negative
|
|
responses when looking for the zone / master server.
|
|
[RT #12506]
|
|
|
|
1717. [port] solaris: ifconfig.sh did not support Solaris 10.
|
|
"ifconfig.sh down" didn't work for Solaris 9.
|
|
|
|
1716. [doc] named.conf(5) was being installed in the wrong
|
|
location. [RT #12441]
|
|
|
|
1715. [func] 'dig +trace' now randomly selects the next servers
|
|
to try. Report if there is a bad delegation.
|
|
|
|
1714. [bug] dig/host/nslookup were only trying the first
|
|
address when a nameserver was specified by name.
|
|
[RT #12286]
|
|
|
|
1713. [port] linux: extend capset failure message to say:
|
|
please ensure that the capset kernel module is
|
|
loaded. see insmod(8)
|
|
|
|
1712. [bug] Missing FULLCHECK for "trusted-key" in dig.
|
|
|
|
1711. [func] 'rndc unfreeze' has been deprecated by 'rndc thaw'.
|
|
|
|
1710. [func] 'rndc notify zone [class [view]]' resend the NOTIFY
|
|
messages for the specified zone. [RT #9479]
|
|
|
|
1709. [port] solaris: add SMF support from Sun.
|
|
|
|
1708. [cleanup] Replaced dns_fullname_hash() with dns_name_fullhash()
|
|
for conformance to the name space convention. Binary
|
|
backward compatibility to the old function name is
|
|
provided. [RT #12376]
|
|
|
|
1707. [contrib] sdb/ldap updated to version 1.0-beta.
|
|
|
|
1706. [bug] 'rndc stop' failed to cause zones to be flushed
|
|
sometimes. [RT #12328]
|
|
|
|
1705. [func] Allow the journal's name to be changed via named.conf.
|
|
|
|
1704. [port] lwres needed a snprintf() implementation for
|
|
platforms without snprintf(). Add missing
|
|
"#include <isc/print.h>". [RT #12321]
|
|
|
|
1703. [bug] named would loop sending NOTIFY messages when it
|
|
failed to receive a response. [RT #12322]
|
|
|
|
1702. [bug] also-notify should not be applied to built in zones.
|
|
[RT #12323]
|
|
|
|
1701. [doc] A minimal named.conf man page.
|
|
|
|
1700. [func] nslookup is no longer to be treated as deprecated.
|
|
Remove "deprecated" warning message. Add man page.
|
|
|
|
1699. [bug] dnssec-signzone can generate "not exact" errors
|
|
when resigning. [RT #12281]
|
|
|
|
1698. [doc] Use reserved IPv6 documentation prefix.
|
|
|
|
1697. [bug] xxx-source{,-v6} was not effective when it
|
|
specified one of listening addresses and a
|
|
different port than the listening port. [RT #12257]
|
|
|
|
1696. [bug] dnssec-signzone failed to clean out nodes that
|
|
consisted of only NSEC and RRSIG records.
|
|
[RT #12154]
|
|
|
|
1695. [bug] DS records when forwarding require special handling.
|
|
[RT #12133]
|
|
|
|
1694. [bug] Report if the builtin views of "_default" / "_bind"
|
|
are defined in named.conf. [RT #12023]
|
|
|
|
1693. [bug] max-journal-size was not effective for master zones
|
|
with ixfr-from-differences set. [RT #12024]
|
|
|
|
1692. [bug] Don't set -I, -L and -R flags when libcrypto is in
|
|
/usr/lib. [RT #11971]
|
|
|
|
1691. [bug] sdb's attachversion was not complete. [RT #11990]
|
|
|
|
1690. [bug] Delay detaching view from the client until UPDATE
|
|
processing completes when shutting down. [RT #11714]
|
|
|
|
1689. [bug] DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros
|
|
contained gratuitous semicolons. [RT #11707]
|
|
|
|
1688. [bug] LDFLAGS was not supported.
|
|
|
|
1687. [bug] Race condition in dispatch. [RT #10272]
|
|
|
|
1686. [bug] Named sent a extraneous NOTIFY when it received a
|
|
redundant UPDATE request. [RT #11943]
|
|
|
|
1685. [bug] Change #1679 loop tests weren't quite right.
|
|
|
|
1684. [func] ixfr-from-differences now takes master and slave in
|
|
addition to yes and no at the options and view levels.
|
|
|
|
1683. [bug] dig +sigchase could leak memory. [RT #11445]
|
|
|
|
1682. [port] Update configure test for (long long) printf format.
|
|
[RT #5066]
|
|
|
|
1681. [bug] Only set SO_REUSEADDR when a port is specified in
|
|
isc_socket_bind(). [RT #11742]
|
|
|
|
1680. [func] rndc: the source address can now be specified.
|
|
|
|
1679. [bug] When there was a single nameserver with multiple
|
|
addresses for a zone not all addresses were tried.
|
|
[RT #11706]
|
|
|
|
1678. [bug] RRSIG should use TYPEXXXXX for unknown types.
|
|
|
|
1677. [bug] dig: +aaonly didn't work, +aaflag undocumented.
|
|
|
|
1676. [func] New option "allow-query-cache". This lets
|
|
allow-query be used to specify the default zone
|
|
access level rather than having to have every
|
|
zone override the global value. allow-query-cache
|
|
can be set at both the options and view levels.
|
|
If allow-query-cache is not set allow-query applies.
|
|
|
|
1675. [bug] named would sometimes add extra NSEC records to
|
|
the authority section.
|
|
|
|
1674. [port] linux: increase buffer size used to scan
|
|
/proc/net/if_inet6.
|
|
|
|
1673. [port] linux: issue a error messages if IPv6 interface
|
|
scans fails.
|
|
|
|
1672. [cleanup] Tests which only function in a threaded build
|
|
now return R:THREADONLY (rather than R:UNTESTED)
|
|
in a non-threaded build.
|
|
|
|
1671. [contrib] queryperf: add NAPTR to the list of known types.
|
|
|
|
1670. [func] Log UPDATE requests to slave zones without an acl as
|
|
"disabled" at debug level 3. [RT #11657]
|
|
|
|
1669. [placeholder]
|
|
|
|
1668. [bug] DIG_SIGCHASE was making bin/dig/host dump core.
|
|
|
|
1667. [port] linux: not all versions have IF_NAMESIZE.
|
|
|
|
1666. [bug] The optional port on hostnames in dual-stack-servers
|
|
was being ignored.
|
|
|
|
1665. [func] rndc now allows addresses to be set in the
|
|
server clauses.
|
|
|
|
1664. [bug] nsupdate needed KEY for SIG(0), not DNSKEY.
|
|
|
|
1663. [func] Look for OpenSSL by default.
|
|
|
|
1662. [bug] Change #1658 failed to change one use of 'type'
|
|
to 'keytype'.
|
|
|
|
1661. [bug] Restore dns_name_concatenate() call in
|
|
adb.c:set_target(). [RT #11582]
|
|
|
|
1660. [bug] win32: connection_reset_fix() was being called
|
|
unconditionally. [RT #11595]
|
|
|
|
1659. [cleanup] Cleanup some messages that were referring to KEY vs
|
|
DNSKEY, NXT vs NSEC and SIG vs RRSIG.
|
|
|
|
1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5
|
|
and DH. Tighten which options apply to KEY and
|
|
DNSKEY records.
|
|
|
|
1657. [doc] ARM: document query log output.
|
|
|
|
1656. [doc] Update DNSSEC description in ARM to cover DS, NSEC
|
|
DNSKEY and RRSIG. [RT #11542]
|
|
|
|
1655. [bug] Logging multiple versions w/o a size was broken.
|
|
[RT #11446]
|
|
|
|
1654. [bug] isc_result_totext() contained array bounds read
|
|
error.
|
|
|
|
1653. [func] Add key type checking to dst_key_fromfilename(),
|
|
DST_TYPE_KEY should be used to read TSIG, TKEY and
|
|
SIG(0) keys.
|
|
|
|
1652. [bug] TKEY still uses KEY.
|
|
|
|
1651. [bug] dig: process multiple dash options.
|
|
|
|
1650. [bug] dig, nslookup: flush standard out after each command.
|
|
|
|
1649. [bug] Silence "unexpected non-minimal diff" message.
|
|
[RT #11206]
|
|
|
|
1648. [func] Update dnssec-lookaside named.conf syntax to support
|
|
multiple dnssec-lookaside namespaces (not yet
|
|
implemented).
|
|
|
|
1647. [bug] It was possible trigger a INSIST when chasing a DS
|
|
record that required walking back over a empty node.
|
|
[RT #11445]
|
|
|
|
1646. [bug] win32: logging file versions didn't work with
|
|
non-UNC filenames. [RT #11486]
|
|
|
|
1645. [bug] named could trigger a REQUIRE failure if multiple
|
|
masters with keys are specified.
|
|
|
|
1644. [bug] Update the journal modification time after a
|
|
successful refresh query. [RT #11436]
|
|
|
|
1643. [bug] dns_db_closeversion() could leak memory / node
|
|
references. [RT #11163]
|
|
|
|
1642. [port] Support OpenSSL implementations which don't have
|
|
DSA support. [RT #11360]
|
|
|
|
1641. [bug] Update the check-names description in ARM. [RT #11389]
|
|
|
|
1640. [bug] win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was
|
|
incorrectly closing the socket. [RT #11291]
|
|
|
|
1639. [func] Initial dlv system test.
|
|
|
|
1638. [bug] "ixfr-from-differences" could generate a REQUIRE
|
|
failure if the journal open failed. [RT #11347]
|
|
|
|
1637. [bug] Node reference leak on error in addnoqname().
|
|
|
|
1636. [bug] The dump done callback could get ISC_R_SUCCESS even if
|
|
a error had occurred. The database version no longer
|
|
matched the version of the database that was dumped.
|
|
|
|
1635. [bug] Memory leak on error in query_addds().
|
|
|
|
1634. [bug] named didn't supply a useful error message when it
|
|
detected duplicate views. [RT #11208]
|
|
|
|
1633. [bug] named should return NOTIMP to update requests to a
|
|
slaves without a allow-update-forwarding acl specified.
|
|
[RT #11331]
|
|
|
|
1632. [bug] nsupdate failed to send prerequisite only UPDATE
|
|
messages. [RT #11288]
|
|
|
|
1631. [bug] dns_journal_compact() could sometimes corrupt the
|
|
journal. [RT #11124]
|
|
|
|
1630. [contrib] queryperf: add support for IPv6 transport.
|
|
|
|
1629. [func] dig now supports IPv6 scoped addresses with the
|
|
extended format in the local-server part. [RT #8753]
|
|
|
|
1628. [bug] Typo in Compaq Trucluster support. [RT #11264]
|
|
|
|
1627. [bug] win32: sockets were not being closed when the
|
|
last external reference was removed. [RT #11179]
|
|
|
|
1626. [bug] --enable-getifaddrs was broken. [RT #11259]
|
|
|
|
1625. [bug] named failed to load/transfer RFC2535 signed zones
|
|
which contained CNAMES. [RT #11237]
|
|
|
|
1624. [bug] zonemgr_putio() call should be locked. [RT #11163]
|
|
|
|
1623. [bug] A serial number of zero was being displayed in the
|
|
"sending notifies" log message when also-notify was
|
|
used. [RT #11177]
|
|
|
|
1622. [func] probe the system to see if IPV6_(RECV)PKTINFO is
|
|
available, and suppress wildcard binding if not.
|
|
|
|
1621. [bug] match-destinations did not work for IPv6 TCP queries.
|
|
[RT #11156]
|
|
|
|
1620. [func] When loading a zone report if it is signed. [RT #11149]
|
|
|
|
1619. [bug] Missing ISC_LIST_UNLINK in end_reserved_dispatches().
|
|
[RT #11118]
|
|
|
|
1618. [bug] Fencepost errors in dns_name_ishostname() and
|
|
dns_name_ismailbox() could trigger a INSIST().
|
|
|
|
1617. [port] win32: VC++ 6.0 support.
|
|
|
|
1616. [compat] Ensure that named's version is visible in the core
|
|
dump. [RT #11127]
|
|
|
|
1615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if
|
|
it is defined.
|
|
|
|
1614. [port] win32: silence resource limit messages. [RT #11101]
|
|
|
|
1613. [bug] Builds would fail on machines w/o a if_nametoindex().
|
|
Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif.
|
|
[RT #11119]
|
|
|
|
1612. [bug] check-names at the option/view level could trigger
|
|
an INSIST. [RT #11116]
|
|
|
|
1611. [bug] solaris: IPv6 interface scanning failed to cope with
|
|
no active IPv6 interfaces.
|
|
|
|
1610. [bug] On dual stack machines "dig -b" failed to set the
|
|
address type to be looked up with "@server".
|
|
[RT #11069]
|
|
|
|
1609. [func] dig now has support to chase DNSSEC signature chains.
|
|
Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES.
|
|
|
|
DNSSEC validation code in dig coded by Olivier Courtay
|
|
(olivier.courtay@irisa.fr) for the IDsA project
|
|
(http://idsa.irisa.fr).
|
|
|
|
1608. [func] dig and host now accept -4/-6 to select IP transport
|
|
to use when making queries.
|
|
|
|
1607. [bug] dig, host and nslookup were still using random()
|
|
to generate query ids. [RT #11013]
|
|
|
|
1606. [bug] DLV insecurity proof was failing.
|
|
|
|
1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC.
|
|
|
|
1604. [bug] A xfrout_ctx_create() failure would result in
|
|
xfrout_ctx_destroy() being called with a
|
|
partially initialized structure.
|
|
|
|
1603. [bug] nsupdate: set interactive based on isatty().
|
|
[RT #10929]
|
|
|
|
1602. [bug] Logging to a file failed unless a size was specified.
|
|
[RT #10925]
|
|
|
|
1601. [bug] Silence spurious warning 'both "recursion no;" and
|
|
"allow-recursion" active' warning from view "_bind".
|
|
[RT #10920]
|
|
|
|
1600. [bug] Duplicate zone pre-load checks were not case
|
|
insensitive.
|
|
|
|
1599. [bug] Fix memory leak on error path when checking named.conf.
|
|
|
|
1598. [func] Specify that certain parts of the namespace must
|
|
be secure (dnssec-must-be-secure).
|
|
|
|
1597. [func] Allow notify-source and query-source to be specified
|
|
on a per server basis similar to transfer-source.
|
|
[RT #6496]
|
|
|
|
1596. [func] Accept 'notify-source' style syntax for query-source.
|
|
|
|
1595. [func] New notify type 'master-only'. Enable notify for
|
|
master zones only.
|
|
|
|
1594. [bug] 'rndc dumpdb' could prevent named from answering
|
|
queries while the dump was in progress. [RT #10565]
|
|
|
|
1593. [bug] rndc should return "unknown command" to unknown
|
|
commands. [RT #10642]
|
|
|
|
1592. [bug] configure_view() could leak a dispatch. [RT #10675]
|
|
|
|
1591. [bug] libbind: updated to BIND 8.4.5.
|
|
|
|
1590. [port] netbsd: update thread support.
|
|
|
|
1589. [func] DNSSEC lookaside validation.
|
|
|
|
1588. [bug] win32: TCP sockets could become blocked. [RT #10115]
|
|
|
|
1587. [bug] dns_message_settsigkey() failed to clear existing key.
|
|
[RT #10590]
|
|
|
|
1586. [func] "check-names" is now implemented.
|
|
|
|
1585. [placeholder]
|
|
|
|
1584. [bug] "make test" failed with a read only source tree.
|
|
[RT #10461]
|
|
|
|
1583. [bug] Records add via UPDATE failed to get the correct trust
|
|
level. [RT #10452]
|
|
|
|
1582. [bug] rrset-order failed to work on RRsets with more
|
|
than 32 elements. [RT #10381]
|
|
|
|
1581. [func] Disable DNSSEC support by default. To enable
|
|
DNSSEC specify "dnssec-enable yes;" in named.conf.
|
|
|
|
1580. [bug] Zone destruction on final detach takes a long time.
|
|
[RT #3746]
|
|
|
|
1579. [bug] Multiple task managers could not be created.
|
|
|
|
1578. [bug] Don't use CLASS E IPv4 addresses when resolving.
|
|
[RT #10346]
|
|
|
|
1577. [bug] Use isc_uint32_t in ultrasparc optimizer bug
|
|
workaround code. [RT #10331]
|
|
|
|
1576. [bug] Race condition in dns_dispatch_addresponse().
|
|
[RT #10272]
|
|
|
|
1575. [func] Log TSIG name on TSIG verify failure. [RT #4404]
|
|
|
|
1574. [bug] Don't attempt to open the controls socket(s) when
|
|
running tests. [RT #9091]
|
|
|
|
1573. [port] linux: update to libtool 1.5.2 so that
|
|
"make install DESTDIR=/xx" works with
|
|
"configure --with-libtool". [RT #9941]
|
|
|
|
1572. [bug] nsupdate: sign the soa query to find the enclosing
|
|
zone if the server is specified. [RT #10148]
|
|
|
|
1571. [bug] rbt:hash_node() could fail leaving the hash table
|
|
in an inconsistent state. [RT #10208]
|
|
|
|
1570. [bug] nsupdate failed to handle classes other than IN.
|
|
New keyword 'class' which sets the default class.
|
|
[RT #10202]
|
|
|
|
1569. [func] nsupdate new command 'answer' which displays the
|
|
complete answer message to the last update.
|
|
|
|
1568. [bug] nsupdate now reports that the update failed in
|
|
interactive mode. [RT #10236]
|
|
|
|
1567. [maint] B.ROOT-SERVERS.NET is now 192.228.79.201.
|
|
|
|
1566. [port] Support for the cmsg framework on Solaris and HP/UX.
|
|
This also solved the problem that match-destinations
|
|
for IPv6 addresses did not work on these systems.
|
|
[RT #10221]
|
|
|
|
1565. [bug] CD flag should be copied to outgoing queries unless
|
|
the query is under a secure entry point in which case
|
|
CD should be set.
|
|
|
|
1564. [func] Attempt to provide a fallback entropy source to be
|
|
used if named is running chrooted and named is unable
|
|
to open entropy source within the chroot area.
|
|
[RT #10133]
|
|
|
|
1563. [bug] Gracefully fail when unable to obtain neither an IPv4
|
|
nor an IPv6 dispatch. [RT #10230]
|
|
|
|
1562. [bug] isc_socket_create() and isc_socket_accept() could
|
|
leak memory under error conditions. [RT #10230]
|
|
|
|
1561. [bug] It was possible to release the same name twice if
|
|
named ran out of memory. [RT #10197]
|
|
|
|
1560. [port] FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA
|
|
and EAI_NONAME to the same value.
|
|
|
|
1559. [port] named should ignore SIGFSZ.
|
|
|
|
1558. [func] New DNSSEC 'disable-algorithms'. Support entry into
|
|
child zones for which we don't have a supported
|
|
algorithm. Such child zones are treated as unsigned.
|
|
|
|
1557. [func] Implement missing DNSSEC tests for
|
|
* NOQNAME proof with wildcard answers.
|
|
* NOWILDARD proof with NXDOMAIN.
|
|
Cache and return NOQNAME with wildcard answers.
|
|
|
|
1556. [bug] nsupdate now treats all names as fully qualified.
|
|
[RT #6427]
|
|
|
|
1555. [func] 'rrset-order cyclic' no longer has a random starting
|
|
point per query. [RT #7572]
|
|
|
|
1554. [bug] dig, host, nslookup failed when no nameservers
|
|
were specified in /etc/resolv.conf. [RT #8232]
|
|
|
|
1553. [bug] The windows socket code could stop accepting
|
|
connections. [RT #10115]
|
|
|
|
1552. [bug] Accept NOTIFY requests from mapped masters if
|
|
matched-mapped is set. [RT #10049]
|
|
|
|
1551. [port] Open "/dev/null" before calling chroot().
|
|
|
|
1550. [port] Call tzset(), if available, before calling chroot().
|
|
|
|
1549. [func] named-checkzone can now write out the zone contents
|
|
in a easily parsable format (-D and -o).
|
|
|
|
1548. [bug] When parsing APL records it was possible to silently
|
|
accept out of range ADDRESSFAMILY values. [RT #9979]
|
|
|
|
1547. [bug] Named wasted memory recording duplicate lame zone
|
|
entries. [RT #9341]
|
|
|
|
1546. [bug] We were rejecting valid secure CNAME to negative
|
|
answers.
|
|
|
|
1545. [bug] It was possible to leak memory if named was unable to
|
|
bind to the specified transfer source and TSIG was
|
|
being used. [RT #10120]
|
|
|
|
1544. [bug] Named would logged a single entry to a file despite it
|
|
being over the specified size limit.
|
|
|
|
1543. [bug] Logging using "versions unlimited" did not work.
|
|
|
|
1542. [placeholder]
|
|
|
|
1541. [func] NSEC now uses new bitmap format.
|
|
|
|
1540. [bug] "rndc reload <dynamiczone>" was silently accepted.
|
|
[RT #8934]
|
|
|
|
1539. [bug] Open UDP sockets for notify-source and transfer-source
|
|
that use reserved ports at startup. [RT #9475]
|
|
|
|
1538. [placeholder] rt9997
|
|
|
|
1537. [func] New option "querylog". If set specify whether query
|
|
logging is to be enabled or disabled at startup.
|
|
|
|
1536. [bug] Windows socket code failed to log a error description
|
|
when returning ISC_R_UNEXPECTED. [RT #9998]
|
|
|
|
1535. [placeholder]
|
|
|
|
1534. [bug] Race condition when priming cache. [RT #9940]
|
|
|
|
1533. [func] Warn if both "recursion no;" and "allow-recursion"
|
|
are active. [RT #4389]
|
|
|
|
1532. [port] netbsd: the configure test for <sys/sysctl.h>
|
|
requires <sys/param.h>.
|
|
|
|
1531. [port] AIX more libtool fixes.
|
|
|
|
1530. [bug] It was possible to trigger a INSIST() failure if a
|
|
slave master file was removed at just the correct
|
|
moment. [RT #9462]
|
|
|
|
1529. [bug] "notify explicit;" failed to log that NOTIFY messages
|
|
were being sent for the zone. [RT #9442]
|
|
|
|
1528. [cleanup] Simplify some dns_name_ functions based on the
|
|
deprecation of bitstring labels.
|
|
|
|
1527. [cleanup] Reduce the number of gettimeofday() calls without
|
|
losing necessary timer granularity.
|
|
|
|
1526. [func] Implemented "additional section caching (or acache)",
|
|
an internal cache framework for additional section
|
|
content to improve response performance. Several
|
|
configuration options were provided to control the
|
|
behavior.
|
|
|
|
1525. [bug] dns_cache_create() could trigger a REQUIRE
|
|
failure in isc_mem_put() during error cleanup.
|
|
[RT #9360]
|
|
|
|
1524. [port] AIX needs to be able to resolve all symbols when
|
|
creating shared libraries (--with-libtool).
|
|
|
|
1523. [bug] Fix race condition in rbtdb. [RT #9189]
|
|
|
|
1522. [bug] dns_db_findnode() relax the requirements on 'name'.
|
|
[RT #9286]
|
|
|
|
1521. [bug] dns_view_createresolver() failed to check the
|
|
result from isc_mem_create(). [RT #9294]
|
|
|
|
1520. [protocol] Add SSHFP (SSH Finger Print) type.
|
|
|
|
1519. [bug] dnssec-signzone:nsec_setbit() computed the wrong
|
|
length of the new bitmap.
|
|
|
|
1518. [bug] dns_nsec_buildrdata(), and hence dns_nsec_build(),
|
|
contained a off-by-one error when working out the
|
|
number of octets in the bitmap.
|
|
|
|
1517. [port] Support for IPv6 interface scanning on HP/UX and
|
|
TrueUNIX 5.1.
|
|
|
|
1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
|
|
|
|
1515. [func] Allow transfer source to be set in a server statement.
|
|
[RT #6496]
|
|
|
|
1514. [bug] named: isc_hash_destroy() was being called too early.
|
|
[RT #9160]
|
|
|
|
1513. [doc] Add "US" to root-delegation-only exclude list.
|
|
|
|
1512. [bug] Extend the delegation-only logging to return query
|
|
type, class and responding nameserver.
|
|
|
|
1511. [bug] delegation-only was generating false positives
|
|
on negative answers from sub-zones.
|
|
|
|
1510. [func] New view option "root-delegation-only". Apply
|
|
delegation-only check to all TLDs and root.
|
|
Note there are some TLDs that are NOT delegation
|
|
only (e.g. DE, LV, US and MUSEUM) these can be excluded
|
|
from the checks by using exclude.
|
|
|
|
root-delegation-only exclude {
|
|
"DE"; "LV"; "US"; "MUSEUM";
|
|
};
|
|
|
|
1509. [bug] Hint zones should accept delegation-only. Forward
|
|
zone should not accept delegation-only.
|
|
|
|
1508. [bug] Don't apply delegation-only checks to answers from
|
|
forwarders.
|
|
|
|
1507. [bug] Handle BIND 8 style returns to NS queries to parents
|
|
when making delegation-only checks.
|
|
|
|
1506. [bug] Wrong return type for dns_view_isdelegationonly().
|
|
|
|
1505. [bug] Uninitialized rdataset in sdb. [RT #8750]
|
|
|
|
1504. [func] New zone type "delegation-only".
|
|
|
|
1503. [port] win32: install libeay32.dll outside of system32.
|
|
|
|
1502. [bug] nsupdate: adjust timeouts for UPDATE requests over TCP.
|
|
|
|
1501. [func] Allow TCP queue length to be specified via
|
|
named.conf, tcp-listen-queue.
|
|
|
|
1500. [bug] host failed to lookup MX records. Also look up
|
|
AAAA records.
|
|
|
|
1499. [bug] isc_random need to be seeded better if arc4random()
|
|
is not used.
|
|
|
|
1498. [port] bsdos: 5.x support.
|
|
|
|
1497. [placeholder]
|
|
|
|
1496. [port] test for pthread_attr_setstacksize().
|
|
|
|
1495. [cleanup] Replace hash functions with universal hash.
|
|
|
|
1494. [security] Turn on RSA BLINDING as a precaution.
|
|
|
|
1493. [placeholder]
|
|
|
|
1492. [cleanup] Preserve rwlock quota context when upgrading /
|
|
downgrading. [RT #5599]
|
|
|
|
1491. [bug] dns_master_dump*() would produce extraneous $ORIGIN
|
|
lines. [RT #6206]
|
|
|
|
1490. [bug] Accept reading state as well as working state in
|
|
ns_client_next(). [RT #6813]
|
|
|
|
1489. [compat] Treat 'allow-update' on slave zones as a warning.
|
|
[RT #3469]
|
|
|
|
1488. [bug] Don't override trust levels for glue addresses.
|
|
[RT #5764]
|
|
|
|
1487. [bug] A REQUIRE() failure could be triggered if a zone was
|
|
queued for transfer and the zone was then removed.
|
|
[RT #6189]
|
|
|
|
1486. [bug] isc_print_snprintf() '%%' consumed one too many format
|
|
characters. [RT #8230]
|
|
|
|
1485. [bug] gen failed to handle high type values. [RT #6225]
|
|
|
|
1484. [bug] The number of records reported after a AXFR was wrong.
|
|
[RT #6229]
|
|
|
|
1483. [bug] dig axfr failed if the message id in the answer failed
|
|
to match that in the request. Only the id in the first
|
|
message is required to match. [RT #8138]
|
|
|
|
1482. [bug] named could fail to start if the kernel supports
|
|
IPv6 but no interfaces are configured. Similarly
|
|
for IPv4. [RT #6229]
|
|
|
|
1481. [bug] Refresh and stub queries failed to use masters keys
|
|
if specified. [RT #7391]
|
|
|
|
1480. [bug] Provide replay protection for rndc commands. Full
|
|
replay protection requires both rndc and named to
|
|
be updated. Partial replay protection (limited
|
|
exposure after restart) is provided if just named
|
|
is updated.
|
|
|
|
1479. [bug] cfg_create_tuple() failed to handle out of
|
|
memory cleanup. parse_list() would leak memory
|
|
on syntax errors.
|
|
|
|
1478. [port] ifconfig.sh didn't account for other virtual
|
|
interfaces. It now takes a optional argument
|
|
to specify the first interface number. [RT #3907]
|
|
|
|
1477. [bug] memory leak using stub zones and TSIG.
|
|
|
|
1476. [placeholder]
|
|
|
|
1475. [port] Probe for old sprintf().
|
|
|
|
1474. [port] Provide strtoul() and memmove() for platforms
|
|
without them.
|
|
|
|
1473. [bug] create_map() and create_string() failed to handle out
|
|
of memory cleanup. [RT #6813]
|
|
|
|
1472. [contrib] idnkit-1.0 from JPNIC, replaces mdnkit.
|
|
|
|
1471. [bug] libbind: updated to BIND 8.4.0.
|
|
|
|
1470. [bug] Incorrect length passed to snprintf. [RT #5966]
|
|
|
|
1469. [func] Log end of outgoing zone transfer at same level
|
|
as the start of transfer is logged. [RT #4441]
|
|
|
|
1468. [func] Internal zones are no longer counted for
|
|
'rndc status'. [RT #4706]
|
|
|
|
1467. [func] $GENERATES now supports optional class and ttl.
|
|
|
|
1466. [bug] lwresd configuration errors resulted in memory
|
|
and lock leaks. [RT #5228]
|
|
|
|
1465. [bug] isc_base64_decodestring() and isc_base64_tobuffer()
|
|
failed to check that trailing bits were zero allowing
|
|
some invalid base64 strings to be accepted. [RT #5397]
|
|
|
|
1464. [bug] Preserve "out of zone" data for outgoing zone
|
|
transfers. [RT #5192]
|
|
|
|
1463. [bug] dns_rdata_from{wire,struct}() failed to catch bad
|
|
NXT bit maps. [RT #5577]
|
|
|
|
1462. [bug] parse_sizeval() failed to check the token type.
|
|
[RT #5586]
|
|
|
|
1461. [bug] Remove deadlock from rbtdb code. [RT #5599]
|
|
|
|
1460. [bug] inet_pton() failed to reject certain malformed
|
|
IPv6 literals.
|
|
|
|
1459. [placeholder]
|
|
|
|
1458. [cleanup] sprintf() -> snprintf().
|
|
|
|
1457. [port] Provide strlcat() and strlcpy() for platforms without
|
|
them.
|
|
|
|
1456. [contrib] gen-data-queryperf.py from Stephane Bortzmeyer.
|
|
|
|
1455. [bug] <netaddr> missing from server grammar in
|
|
doc/misc/options. [RT #5616]
|
|
|
|
1454. [port] Use getifaddrs() if available for interface scanning.
|
|
--disable-getifaddrs to override. Glibc currently
|
|
has a getifaddrs() that does not support IPv6.
|
|
Use --enable-getifaddrs=glibc to force the use of
|
|
this version under linux machines.
|
|
|
|
1453. [doc] ARM: $GENERATE example wasn't accurate. [RT #5298]
|
|
|
|
1452. [placeholder]
|
|
|
|
1451. [bug] rndc-confgen didn't exit with a error code for all
|
|
failures. [RT #5209]
|
|
|
|
1450. [bug] Fetching expired glue failed under certain
|
|
circumstances. [RT #5124]
|
|
|
|
1449. [bug] query_addbestns() didn't handle running out of memory
|
|
gracefully.
|
|
|
|
1448. [bug] Handle empty wildcards labels.
|
|
|
|
1447. [bug] We were casting (unsigned int) to and from (void *).
|
|
rdataset->private4 is now rdataset->privateuint4
|
|
to reflect a type change.
|
|
|
|
1446. [func] Implemented undocumented alternate transfer sources
|
|
from BIND 8. See use-alt-transfer-source,
|
|
alt-transfer-source and alt-transfer-source-v6.
|
|
|
|
SECURITY: use-alt-transfer-source is ENABLED unless
|
|
you are using views. This may cause a security risk
|
|
resulting in accidental disclosure of wrong zone
|
|
content if the master supplying different source
|
|
content based on IP address. If you are not certain
|
|
ISC recommends setting use-alt-transfer-source no;
|
|
|
|
1445. [bug] DNS_ADBFIND_STARTATROOT broke stub zones. This has
|
|
been replaced with DNS_ADBFIND_STARTATZONE which
|
|
causes the search to start using the closest zone.
|
|
|
|
1444. [func] dns_view_findzonecut2() allows you to specify if the
|
|
cache should be searched for zone cuts.
|
|
|
|
1443. [func] Masters lists can now be specified and referenced
|
|
in zone masters clauses and other masters lists.
|
|
|
|
1442. [func] New functions for manipulating port lists:
|
|
dns_portlist_create(), dns_portlist_add(),
|
|
dns_portlist_remove(), dns_portlist_match(),
|
|
dns_portlist_attach() and dns_portlist_detach().
|
|
|
|
1441. [func] It is now possible to tell dig to bind to a specific
|
|
source port.
|
|
|
|
1440. [func] It is now possible to tell named to avoid using
|
|
certain source ports (avoid-v4-udp-ports,
|
|
avoid-v6-udp-ports).
|
|
|
|
1439. [bug] Named could return NOERROR with certain NOTIFY
|
|
failures. Return NOTAUTH if the NOTIFY zone is
|
|
not being served.
|
|
|
|
1438. [func] Log TSIG (if any) when logging NOTIFY requests.
|
|
|
|
1437. [bug] Leave space for stdio to work in. [RT #5033]
|
|
|
|
1436. [func] dns_zonemgr_resumexfrs() can be used to restart
|
|
stalled transfers.
|
|
|
|
1435. [bug] zmgr_resume_xfrs() was being called read locked
|
|
rather than write locked. zmgr_resume_xfrs()
|
|
was not being called if the zone was being
|
|
shutdown.
|
|
|
|
1434. [bug] "rndc reconfig" failed to initiate the initial
|
|
zone transfer of new slave zones.
|
|
|
|
1433. [bug] named could trigger a REQUIRE failure if it could
|
|
not get a file descriptor when attempting to write
|
|
a master file. [RT #4347]
|
|
|
|
1432. [func] The advertised EDNS UDP buffer size can now be set
|
|
via named.conf (edns-udp-size).
|
|
|
|
1431. [bug] isc_print_snprintf() "%s" with precision could walk off
|
|
end of argument. [RT #5191]
|
|
|
|
1430. [port] linux: IPv6 interface scanning support.
|
|
|
|
1429. [bug] Prevent the cache getting locked to old servers.
|
|
|
|
1428. [placeholder]
|
|
|
|
1427. [bug] Race condition in adb with threaded build.
|
|
|
|
1426. [placeholder]
|
|
|
|
1425. [port] linux/libbind: define __USE_MISC when testing *_r()
|
|
function prototypes in netdb.h. [RT #4921]
|
|
|
|
1424. [bug] EDNS version not being correctly printed.
|
|
|
|
1423. [contrib] queryperf: added A6 and SRV.
|
|
|
|
1422. [func] Log name/type/class when denying a query. [RT #4663]
|
|
|
|
1421. [func] Differentiate updates that don't succeed due to
|
|
prerequisites (unsuccessful) vs other reasons
|
|
(failed).
|
|
|
|
1420. [port] solaris: work around gcc optimizer bug.
|
|
|
|
1419. [port] openbsd: use /dev/arandom. [RT #4950]
|
|
|
|
1418. [bug] 'rndc reconfig' did not cause new slaves to load.
|
|
|
|
1417. [func] ID.SERVER/CHAOS is now a built in zone.
|
|
See "server-id" for how to configure.
|
|
|
|
1416. [bug] Empty node should return NOERROR NODATA, not NXDOMAIN.
|
|
[RT #4715]
|
|
|
|
1415. [func] DS TTL now derived from NS ttl. NXT TTL now derived
|
|
from SOA MINIMUM.
|
|
|
|
1414. [func] Support for KSK flag.
|
|
|
|
1413. [func] Explicitly request the (re-)generation of DS records
|
|
from keysets (dnssec-signzone -g).
|
|
|
|
1412. [func] You can now specify servers to be tried if a nameserver
|
|
has IPv6 address and you only support IPv4 or the
|
|
reverse. See dual-stack-servers.
|
|
|
|
1411. [bug] empty nodes should stop wildcard matches. [RT #4802]
|
|
|
|
1410. [func] Handle records that live in the parent zone, e.g. DS.
|
|
|
|
1409. [bug] DS should have attribute DNS_RDATATYPEATTR_DNSSEC.
|
|
|
|
1408. [bug] "make distclean" was not complete. [RT #4700]
|
|
|
|
1407. [bug] lfsr incorrectly implements the shift register.
|
|
[RT #4617]
|
|
|
|
1406. [bug] dispatch initializes one of the LFSR's with a incorrect
|
|
polynomial. [RT #4617]
|
|
|
|
1405. [func] Use arc4random() if available.
|
|
|
|
1404. [bug] libbind: ns_name_ntol() could overwrite a zero length
|
|
buffer.
|
|
|
|
1403. [func] dnssec-signzone, dnssec-keygen, dnssec-makekeyset
|
|
dnssec-signkey now report their version in the
|
|
usage message.
|
|
|
|
1402. [cleanup] A6 has been moved to experimental and is no longer
|
|
fully supported.
|
|
|
|
1401. [bug] adb wasn't clearing state when the timer expired.
|
|
|
|
1400. [bug] Block the addition of wildcard NS records by IXFR
|
|
or UPDATE. [RT #3502]
|
|
|
|
1399. [bug] Use serial number arithmetic when testing SIG
|
|
timestamps. [RT #4268]
|
|
|
|
1398. [doc] ARM: notify-also should have been also-notify.
|
|
[RT #4345]
|
|
|
|
1397. [maint] J.ROOT-SERVERS.NET is now 192.58.128.30.
|
|
|
|
1396. [func] dnssec-signzone: adjust the default signing time by
|
|
1 hour to allow for clock skew.
|
|
|
|
1395. [port] OpenSSL 0.9.7 defines CRYPTO_LOCK_ENGINE but doesn't
|
|
have a working implementation. [RT #4079]
|
|
|
|
1394. [func] It is now possible to check if a particular element is
|
|
in a acl. Remove duplicate entries from the localnets
|
|
acl.
|
|
|
|
1393. [port] Bind to individual IPv6 interfaces if IPV6_IPV6ONLY
|
|
is not available in the kernel to prevent accidently
|
|
listening on IPv4 interfaces.
|
|
|
|
1392. [bug] named-checkzone: update usage.
|
|
|
|
1391. [func] Add support for IPv6 scoped addresses in named.
|
|
|
|
1390. [func] host now supports ixfr.
|
|
|
|
1389. [bug] named could fail to rotate long log files. [RT #3666]
|
|
|
|
1388. [port] irix: check for sys/sysctl.h and NET_RT_IFLIST before
|
|
defining HAVE_IFLIST_SYSCTL. [RT #3770]
|
|
|
|
1387. [bug] named could crash due to an access to invalid memory
|
|
space (which caused an assertion failure) in
|
|
incremental cleaning. [RT #3588]
|
|
|
|
1386. [bug] named-checkzone -z stopped on errors in a zone.
|
|
[RT #3653]
|
|
|
|
1385. [bug] Setting serial-query-rate to 10 would trigger a
|
|
REQUIRE failure.
|
|
|
|
1384. [bug] host was incompatible with BIND 8 in its exit code and
|
|
in the output with the -l option. [RT #3536]
|
|
|
|
1383. [func] Track the serial number in a IXFR response and log if
|
|
a mismatch occurs. This is a more specific error than
|
|
"not exact". [RT #3445]
|
|
|
|
1382. [bug] make install failed with --enable-libbind. [RT #3656]
|
|
|
|
1381. [bug] named failed to correctly process answers that
|
|
contained DNAME records where the resulting CNAME
|
|
resulted in a negative answer.
|
|
|
|
1380. [func] 'rndc recursing' dump recursing queries to
|
|
'recursing-file = "named.recursing";'.
|
|
|
|
1379. [func] 'rndc status' now reports tcp and recursion quota
|
|
states.
|
|
|
|
1378. [func] Improved positive feedback for 'rndc {reload|refresh}.
|
|
|
|
1377. [func] dns_zone_load{new}() now reports if the zone was
|
|
loaded, queued for loading to up to date.
|
|
|
|
1376. [func] New function dns_zone_logc() to log to specified
|
|
category.
|
|
|
|
1375. [func] 'rndc dumpdb' now dumps the adb cache along with the
|
|
data cache.
|
|
|
|
1374. [func] dns_adb_dump() now logs the lame zones associated
|
|
with each server.
|
|
|
|
1373. [bug] Recovery from expired glue failed under certain
|
|
circumstances.
|
|
|
|
1372. [bug] named crashes with an assertion failure on exit when
|
|
sharing the same port for listening and querying, and
|
|
changing listening addresses several times. [RT #3509]
|
|
|
|
1371. [bug] notify-source-v6, transfer-source-v6 and
|
|
query-source-v6 with explicit addresses and using the
|
|
same ports as named was listening on could interfere
|
|
with named's ability to answer queries sent to those
|
|
addresses.
|
|
|
|
1370. [bug] dig '+[no]recurse' was incorrectly documented.
|
|
|
|
1369. [bug] Adding an NS record as the lexicographically last
|
|
record in a secure zone didn't work.
|
|
|
|
1368. [func] remove support for bitstring labels.
|
|
|
|
1367. [func] Use response times to select forwarders.
|
|
|
|
1366. [contrib] queryperf usage was incomplete. Add '-h' for help.
|
|
|
|
1365. [func] "localhost" and "localnets" acls now include IPv6
|
|
addresses / prefixes.
|
|
|
|
1364. [func] Log file name when unable to open memory statistics
|
|
and dump database files. [RT #3437]
|
|
|
|
1363. [func] Listen-on-v6 now supports specific addresses.
|
|
|
|
1362. [bug] remove IFF_RUNNING test when scanning interfaces.
|
|
|
|
1361. [func] log the reason for rejecting a server when resolving
|
|
queries.
|
|
|
|
1360. [bug] --enable-libbind would fail when not built in the
|
|
source tree for certain OS's.
|
|
|
|
1359. [security] Support patches OpenSSL libraries.
|
|
http://www.cert.org/advisories/CA-2002-23.html
|
|
|
|
1358. [bug] It was possible to trigger a INSIST when debugging
|
|
large dynamic updates. [RT #3390]
|
|
|
|
1357. [bug] nsupdate was extremely wasteful of memory.
|
|
|
|
1356. [tuning] Reduce the number of events / quantum for zone tasks.
|
|
|
|
1355. [bug] Fix DNSSEC wildcard proof for CNAME/DNAME.
|
|
|
|
1354. [doc] lwres man pages had illegal nroff.
|
|
|
|
1353. [contrib] sdb/ldap to version 0.9.
|
|
|
|
1352. [bug] dig, host, nslookup when falling back to TCP use the
|
|
current search entry (if any). [RT #3374]
|
|
|
|
1351. [bug] lwres_getipnodebyname() returned the wrong name
|
|
when given a IPv4 literal, af=AF_INET6 and AI_MAPPED
|
|
was set.
|
|
|
|
1350. [bug] dns_name_fromtext() failed to handle too many labels
|
|
gracefully.
|
|
|
|
1349. [security] Minimum OpenSSL version now 0.9.6e (was 0.9.5a).
|
|
http://www.cert.org/advisories/CA-2002-23.html
|
|
|
|
1348. [port] win32: Rewrote code to use I/O Completion Ports
|
|
in socket.c and eliminating a host of socket
|
|
errors. Performance is enhanced.
|
|
|
|
1347. [placeholder]
|
|
|
|
1346. [placeholder]
|
|
|
|
1345. [port] Use a explicit -Wformat with gcc. Not all versions
|
|
include it in -Wall.
|
|
|
|
1344. [func] Log if the serial number on the master has gone
|
|
backwards.
|
|
If you have multiple machines specified in the masters
|
|
clause you may want to set 'multi-master yes;' to
|
|
suppress this warning.
|
|
|
|
1343. [func] Log successful notifies received (info). Adjust log
|
|
level for failed notifies to notice.
|
|
|
|
1342. [func] Log remote address with TCP dispatch failures.
|
|
|
|
1341. [func] Allow a rate limiter to be stalled.
|
|
|
|
1340. [bug] Delay and spread out the startup refresh load.
|
|
|
|
1339. [func] dig, host and nslookup now use IP6.ARPA for nibble
|
|
lookups. Bit string lookups are no longer attempted.
|
|
|
|
1338. [placeholder]
|
|
|
|
1337. [placeholder]
|
|
|
|
1336. [func] Nibble lookups under IP6.ARPA are now supported by
|
|
dns_byaddr_create(). dns_byaddr_createptrname() is
|
|
deprecated, use dns_byaddr_createptrname2() instead.
|
|
|
|
1335. [bug] When performing a nonexistence proof, the validator
|
|
should discard parent NXTs from higher in the DNS.
|
|
|
|
1334. [bug] When signing/verifying rdatasets, duplicate rdatas
|
|
need to be suppressed.
|
|
|
|
1333. [contrib] queryperf now reports a summary of returned
|
|
rcodes (-c), rcodes are printed in mnemonic form (-v).
|
|
|
|
1332. [func] Report the current serial with periodic commits when
|
|
rolling forward the journal.
|
|
|
|
1331. [func] Generate DNSSEC wildcard proofs.
|
|
|
|
1330. [bug] When processing events (non-threaded) only allow
|
|
the task one chance to use to use its quantum.
|
|
|
|
1329. [func] named-checkzone will now check if nameservers that
|
|
appear to be IP addresses. Available modes "fail",
|
|
"warn" (default) and "ignore" the results of the
|
|
check.
|
|
|
|
1328. [bug] The validator could incorrectly verify an invalid
|
|
negative proof.
|
|
|
|
1327. [bug] The validator would incorrectly mark data as insecure
|
|
when seeing a bogus signature before a correct
|
|
signature.
|
|
|
|
1326. [bug] DNAME/CNAME signatures were not being cached when
|
|
validation was not being performed. [RT #3284]
|
|
|
|
1325. [bug] If the tcpquota was exhausted it was possible to
|
|
to trigger a INSIST() failure.
|
|
|
|
1324. [port] darwin: ifconfig.sh now supports darwin.
|
|
|
|
1323. [port] linux: Slackware 4.0 needs <asm/unistd.h>. [RT #3205]
|
|
|
|
1322. [bug] dnssec-signzone usage message was misleading.
|
|
|
|
1321. [bug] If the last RRset in a zone is glue, dnssec-signzone
|
|
would incorrectly duplicate its output and sign it.
|
|
|
|
1320. [doc] query-source-v6 was missing from options section.
|
|
[RT #3218]
|
|
|
|
1319. [func] libbind: log attempts to exploit #1318.
|
|
|
|
1318. [bug] libbind: Remote buffer overrun.
|
|
|
|
1317. [port] libbind: TrueUNIX 5.1 does not like __align as a
|
|
element name.
|
|
|
|
1316. [bug] libbind: gethostans() could get out of sync parsing
|
|
the response if there was a very long CNAME chain.
|
|
|
|
1315. [bug] Options should apply to the internal _bind view.
|
|
|
|
1314. [port] Handle ECONNRESET from sendmsg() [unix].
|
|
|
|
1313. [func] Query log now says if the query was signed (S) or
|
|
if EDNS was used (E).
|
|
|
|
1312. [func] Log TSIG key used w/ outgoing zone transfers.
|
|
|
|
1311. [bug] lwres_getrrsetbyname leaked memory. [RT #3159]
|
|
|
|
1310. [bug] 'rndc stop' failed to cause zones to be flushed
|
|
sometimes. [RT #3157]
|
|
|
|
1309. [func] Log that a zone transfer was covered by a TSIG.
|
|
|
|
1308. [func] DS (delegation signer) support.
|
|
|
|
1307. [bug] nsupdate: allow white space base64 key data.
|
|
|
|
1306. [bug] Badly encoded LOC record when the size, horizontal
|
|
precision or vertical precision was 0.1m.
|
|
|
|
1305. [bug] Document that internal zones are included in the
|
|
rndc status results.
|
|
|
|
1304. [func] New function: dns_zone_name().
|
|
|
|
1303. [func] Option 'flush-zones-on-shutdown <boolean>;'.
|
|
|
|
1302. [func] Extended rndc dumpdb to support dumping of zones and
|
|
view selection: 'dumpdb [-all|-zones|-cache] [view]'.
|
|
|
|
1301. [func] New category 'update-security'.
|
|
|
|
1300. [port] Compaq Trucluster support.
|
|
|
|
1299. [bug] Set AI_ADDRCONFIG when looking up addresses
|
|
via getaddrinfo() (affects dig, host, nslookup, rndc
|
|
and nsupdate).
|
|
|
|
1298. [bug] The CINCLUDES macro in lib/dns/sec/dst/Makefile
|
|
could be left with a trailing "\" after configure
|
|
has been run.
|
|
|
|
1297. [port] linux: make handling EINVAL from socket() no longer
|
|
conditional on #ifdef LINUX.
|
|
|
|
1296. [bug] isc_log_closefilelogs() needed to lock the log
|
|
context.
|
|
|
|
1295. [bug] isc_log_setdebuglevel() needed to lock the log
|
|
context.
|
|
|
|
1294. [func] libbind: no longer attempts bit string labels for
|
|
IPv6 reverse resolution. Try IP6.ARPA then IP6.INT
|
|
for nibble style resolution.
|
|
|
|
1293. [func] Entropy can now be retrieved from EGDs. [RT #2438]
|
|
|
|
1292. [func] Enable IPv6 support when using ioctl style interface
|
|
scanning and OS supports SIOCGLIFADDR using struct
|
|
if_laddrreq.
|
|
|
|
1291. [func] Enable IPv6 support when using sysctl style interface
|
|
scanning.
|
|
|
|
1290. [func] "dig axfr" now reports the number of messages
|
|
as well as the number of records.
|
|
|
|
1289. [port] See if -ldl is required for OpenSSL? [RT #2672]
|
|
|
|
1288. [bug] Adjusted REQUIRE's in lib/dns/name.c to better
|
|
reflect written requirements.
|
|
|
|
1287. [bug] REQUIRE that DNS_DBADD_MERGE only be set when adding
|
|
a rdataset to a zone db in the rbtdb implementation of
|
|
addrdataset.
|
|
|
|
1286. [bug] dns_name_downcase() enforce requirement that
|
|
target != NULL or name->buffer != NULL.
|
|
|
|
1285. [func] lwres: probe the system to see what address families
|
|
are currently in use.
|
|
|
|
1284. [bug] The RTT estimate on unused servers was not aged.
|
|
[RT #2569]
|
|
|
|
1283. [func] Use "dataready" accept filter if available.
|
|
|
|
1282. [port] libbind: hpux 11.11 interface scanning.
|
|
|
|
1281. [func] Log zone when unable to get private keys to update
|
|
zone. Log zone when NXT records are missing from
|
|
secure zone.
|
|
|
|
1280. [bug] libbind: escape '(' and ')' when converting to
|
|
presentation form.
|
|
|
|
1279. [port] Darwin uses (unsigned long) for size_t. [RT #2590]
|
|
|
|
1278. [func] dig: now supports +[no]cl +[no]ttlid.
|
|
|
|
1277. [func] You can now create your own customized printing
|
|
styles: dns_master_stylecreate() and
|
|
dns_master_styledestroy().
|
|
|
|
1276. [bug] libbind: const pointer conflicts in res_debug.c.
|
|
|
|
1275. [port] libbind: hpux: treat all hpux systems as BIG_ENDIAN.
|
|
|
|
1274. [bug] Memory leak in lwres_gnbarequest_parse().
|
|
|
|
1273. [port] libbind: solaris: 64 bit binary compatibility.
|
|
|
|
1272. [contrib] Berkeley DB 4.0 sdb implementation from
|
|
Nuno Miguel Rodrigues <nmr@co.sapo.pt>.
|
|
|
|
1271. [bug] "recursion available: {denied,approved}" was too
|
|
confusing.
|
|
|
|
1270. [bug] Check that system inet_pton() and inet_ntop() support
|
|
AF_INET6.
|
|
|
|
1269. [port] Openserver: ifconfig.sh support.
|
|
|
|
1268. [port] Openserver: the value FD_SETSIZE depends on whether
|
|
<sys/param.h> is included or not. Be consistent.
|
|
|
|
1267. [func] isc_file_openunique() now creates file using mode
|
|
0666 rather than 0600.
|
|
|
|
1266. [bug] ISC_LINK_INIT, ISC_LINK_UNLINK, ISC_LIST_DEQUEUE,
|
|
__ISC_LINK_UNLINKUNSAFE and __ISC_LIST_DEQUEUEUNSAFE
|
|
are not C++ compatible, use *_TYPE versions instead.
|
|
|
|
1265. [bug] libbind: LINK_INIT and UNLINK were not compatible with
|
|
C++, use LINK_INIT_TYPE and UNLINK_TYPE instead.
|
|
|
|
1264. [placeholder]
|
|
|
|
1263. [bug] Reference after free error if dns_dispatchmgr_create()
|
|
failed.
|
|
|
|
1262. [bug] ns_server_destroy() failed to set *serverp to NULL.
|
|
|
|
1261. [func] libbind: ns_sign2() and ns_sign_tcp() now provide
|
|
support for compressed TSIG owner names.
|
|
|
|
1260. [func] libbind: res_update can now update IPv6 servers,
|
|
new function res_findzonecut2().
|
|
|
|
1259. [bug] libbind: get_salen() IPv6 support was broken for OSs
|
|
w/o sa_len.
|
|
|
|
1258. [bug] libbind: res_nametotype() and res_nametoclass() were
|
|
broken.
|
|
|
|
1257. [bug] Failure to write pid-file should not be fatal on
|
|
reload. [RT #2861]
|
|
|
|
1256. [contrib] 'queryperf' now has EDNS (-e) + DNSSEC DO (-D) support.
|
|
|
|
1255. [bug] When verifying that an NXT proves nonexistence, check
|
|
the rcode of the message and only do the matching NXT
|
|
check. That is, for NXDOMAIN responses, check that
|
|
the name is in the range between the NXT owner and
|
|
next name, and for NOERROR NODATA responses, check
|
|
that the type is not present in the NXT bitmap.
|
|
|
|
1254. [func] preferred-glue option from BIND 8.3.
|
|
|
|
1253. [bug] The dnssec system test failed to remove the correct
|
|
files.
|
|
|
|
1252. [bug] Dig, host and nslookup were not checking the address
|
|
the answer was coming from against the address it was
|
|
sent to. [RT #2692]
|
|
|
|
1251. [port] win32: a make file contained absolute version specific
|
|
references.
|
|
|
|
1250. [func] Nsupdate will report the address the update was
|
|
sent to.
|
|
|
|
1249. [bug] Missing masters clause was not handled gracefully.
|
|
[RT #2703]
|
|
|
|
1248. [bug] DESTDIR was not being propagated between makes.
|
|
|
|
1247. [bug] Don't reset the interface index for link/site local
|
|
addresses. [RT #2576]
|
|
|
|
1246. [func] New functions isc_sockaddr_issitelocal(),
|
|
isc_sockaddr_islinklocal(), isc_netaddr_issitelocal()
|
|
and isc_netaddr_islinklocal().
|
|
|
|
1245. [bug] Treat ENOBUFS, ENOMEM and ENFILE as soft errors for
|
|
accept().
|
|
|
|
1244. [bug] Receiving a TCP message from a blackhole address would
|
|
prevent further messages being received over that
|
|
interface.
|
|
|
|
1243. [bug] It was possible to trigger a REQUIRE() in
|
|
dns_message_findtype(). [RT #2659]
|
|
|
|
1242. [bug] named-checkzone failed if a journal existed. [RT #2657]
|
|
|
|
1241. [bug] Drop received UDP messages with a zero source port
|
|
as these are invariably forged. [RT #2621]
|
|
|
|
1240. [bug] It was possible to leak zone references by
|
|
specifying an incorrect zone to rndc.
|
|
|
|
1239. [bug] Under certain circumstances named could continue to
|
|
use a name after it had been freed triggering
|
|
INSIST() failures. [RT #2614]
|
|
|
|
1238. [bug] It is possible to lockup the server when shutting down
|
|
if notifies were being processed. [RT #2591]
|
|
|
|
1237. [bug] nslookup: "set q=type" failed.
|
|
|
|
1236. [bug] dns_rdata{class,type}_fromtext() didn't handle non
|
|
NULL terminated text regions. [RT #2588]
|
|
|
|
1235. [func] Report 'out of memory' errors from openssl.
|
|
|
|
1234. [bug] contrib/sdb: 'zonetodb' failed to call
|
|
dns_result_register(). DNS_R_SEENINCLUDE should not
|
|
be fatal.
|
|
|
|
1233. [bug] The flags field of a KEY record can be expressed in
|
|
hex as well as decimal.
|
|
|
|
1232. [bug] unix/errno2result() didn't handle EADDRNOTAVAIL.
|
|
|
|
1231. [port] HPUX 11.11 recvmsg() can return spurious EADDRNOTAVAIL.
|
|
|
|
1230. [bug] isccc_cc_isreply() and isccc_cc_isack() were broken.
|
|
|
|
1229. [bug] named would crash if it received a TSIG signed
|
|
query as part of an AXFR response. [RT #2570]
|
|
|
|
1228. [bug] 'make install' did not depend on 'make all'. [RT #2559]
|
|
|
|
1227. [bug] dns_lex_getmastertoken() now returns ISC_R_BADNUMBER
|
|
if a number was expected and some other token was
|
|
found. [RT #2532]
|
|
|
|
1226. [func] Use EDNS for zone refresh queries. [RT #2551]
|
|
|
|
1225. [func] dns_message_setopt() no longer requires that
|
|
dns_message_renderbegin() to have been called.
|
|
|
|
1224. [bug] 'rrset-order' and 'sortlist' should be additive
|
|
not exclusive.
|
|
|
|
1223. [func] 'rrset-order' partially works 'cyclic' and 'random'
|
|
are supported.
|
|
|
|
1222. [bug] Specifying 'port *' did not always result in a system
|
|
selected (non-reserved) port being used. [RT #2537]
|
|
|
|
1221. [bug] Zone types 'master', 'slave' and 'stub' were not being
|
|
compared case insensitively. [RT #2542]
|
|
|
|
1220. [func] Support for APL rdata type.
|
|
|
|
1219. [func] Named now reports the TSIG extended error code when
|
|
signature verification fails. [RT #1651]
|
|
|
|
1218. [bug] Named incorrectly returned SERVFAIL rather than
|
|
NOTAUTH when there was a TSIG BADTIME error. [RT #2519]
|
|
|
|
1217. [func] Report locations of previous key definition when a
|
|
duplicate is detected.
|
|
|
|
1216. [bug] Multiple server clauses for the same server were not
|
|
reported. [RT #2514]
|
|
|
|
1215. [port] solaris: add support to ifconfig.sh for x86 2.5.1
|
|
|
|
1214. [bug] Win32: isc_file_renameunique() could leave zero length
|
|
files behind.
|
|
|
|
1213. [func] Report view associated with client if it is not a
|
|
standard view (_default or _bind).
|
|
|
|
1212. [port] libbind: 64k answer buffers were causing stack space
|
|
to be exceeded for certain OS. Use heap space instead.
|
|
|
|
1211. [bug] dns_name_fromtext() incorrectly handled certain
|
|
valid octal bitlabels. [RT #2483]
|
|
|
|
1210. [bug] libbind: getnameinfo() failed to lookup IPv4 mapped /
|
|
compatible addresses. [RT #2461]
|
|
|
|
1209. [bug] Dig, host, nslookup were not checking the message ids
|
|
on the responses. [RT #2454]
|
|
|
|
1208. [bug] dns_master_load*() failed to log a error message if
|
|
an error was detected when parsing the owner name of
|
|
a record. [RT #2448]
|
|
|
|
1207. [bug] libbind: getaddrinfo() could call freeaddrinfo() with
|
|
an invalid pointer.
|
|
|
|
1206. [bug] SERVFAIL and NOTIMP responses to an EDNS query should
|
|
trigger a non-EDNS retry.
|
|
|
|
1205. [bug] OPT, TSIG and TKEY cannot be used to set the "class"
|
|
of the message. [RT #2449]
|
|
|
|
1204. [bug] libbind: res_nupdate() failed to update the name
|
|
server addresses before sending the update.
|
|
|
|
1203. [func] Report locations of previous acl and zone definitions
|
|
when a duplicate is detected.
|
|
|
|
1202. [func] New functions: cfg_obj_line() and cfg_obj_file().
|
|
|
|
1201. [bug] Require that if 'callbacks' is passed to
|
|
dns_rdata_fromtext(), callbacks->error and
|
|
callbacks->warn are initialized.
|
|
|
|
1200. [bug] Log 'errno' that we are unable to convert to
|
|
isc_result_t. [RT #2404]
|
|
|
|
1199. [doc] ARM reference to RFC 2157 should have been RFC 1918.
|
|
[RT #2436]
|
|
|
|
1198. [bug] OPT printing style was not consistent with the way the
|
|
header fields are printed. The DO bit was not reported
|
|
if set. Report if any of the MBZ bits are set.
|
|
|
|
1197. [bug] Attempts to define the same acl multiple times were not
|
|
detected.
|
|
|
|
1196. [contrib] update mdnkit to 2.2.3.
|
|
|
|
1195. [bug] Attempts to redefine builtin acls should be caught.
|
|
[RT #2403]
|
|
|
|
1194. [bug] Not all duplicate zone definitions were being detected
|
|
at the named.conf checking stage. [RT #2431]
|
|
|
|
1193. [bug] dig +besteffort parsing didn't handle packet
|
|
truncation. dns_message_parse() has new flag
|
|
DNS_MESSAGE_IGNORETRUNCATION.
|
|
|
|
1192. [bug] The seconds fields in LOC records were restricted
|
|
to three decimal places. More decimal places should
|
|
be allowed but warned about.
|
|
|
|
1191. [bug] A dynamic update removing the last non-apex name in
|
|
a secure zone would fail. [RT #2399]
|
|
|
|
1190. [func] Add the "rndc freeze" and "rndc unfreeze" commands.
|
|
[RT #2394]
|
|
|
|
1189. [bug] On some systems, malloc(0) returns NULL, which
|
|
could cause the caller to report an out of memory
|
|
error. [RT #2398]
|
|
|
|
1188. [bug] Dynamic updates of a signed zone would fail if
|
|
some of the zone private keys were unavailable.
|
|
|
|
1187. [bug] named was incorrectly returning DNSSEC records
|
|
in negative responses when the DO bit was not set.
|
|
|
|
1186. [bug] isc_hex_tobuffer(,,length = 0) failed to unget the
|
|
EOL token when reading to end of line.
|
|
|
|
1185. [bug] libbind: don't assume statp->_u._ext.ext is valid
|
|
unless RES_INIT is set when calling res_*init().
|
|
|
|
1184. [bug] libbind: call res_ndestroy() if RES_INIT is set
|
|
when res_*init() is called.
|
|
|
|
1183. [bug] Handle ENOSR error when writing to the internal
|
|
control pipe. [RT #2395]
|
|
|
|
1182. [bug] The server could throw an assertion failure when
|
|
constructing a negative response packet.
|
|
|
|
1181. [func] Add the "key-directory" configuration statement,
|
|
which allows the server to look for online signing
|
|
keys in alternate directories.
|
|
|
|
1180. [func] dnssec-keygen should always generate keys with
|
|
protocol 3 (DNSSEC), since it's less confusing
|
|
that way.
|
|
|
|
1179. [func] Add SIG(0) support to nsupdate.
|
|
|
|
1178. [bug] Follow and cache (if appropriate) A6 and other
|
|
data chains to completion in the additional section.
|
|
|
|
1177. [func] Report view when loading zones if it is not a
|
|
standard view (_default or _bind). [RT #2270]
|
|
|
|
1176. [doc] Document that allow-v6-synthesis is only performed
|
|
for clients that are supplied recursive service.
|
|
[RT #2260]
|
|
|
|
1175. [bug] named-checkzone and named-checkconf failed to call
|
|
dns_result_register() at startup which could
|
|
result in runtime exceptions when printing
|
|
"out of memory" errors. [RT #2335]
|
|
|
|
1174. [bug] Win32: add WSAECONNRESET to the expected errors
|
|
from connect(). [RT #2308]
|
|
|
|
1173. [bug] Potential memory leaks in isc_log_create() and
|
|
isc_log_settag(). [RT #2336]
|
|
|
|
1172. [doc] Add CERT, GPOS, KX, NAPTR, NSAP, PX and TXT to
|
|
table of RR types in ARM.
|
|
|
|
1171. [func] Added function isc_region_compare(), updated files in
|
|
lib/dns to use this function instead of local one.
|
|
|
|
1170. [bug] Don't attempt to print the token when a I/O error
|
|
occurs when parsing named.conf. [RT #2275]
|
|
|
|
1169. [func] Identify recursive queries in the query log.
|
|
|
|
1168. [bug] Empty also-notify clauses were not handled. [RT #2309]
|
|
|
|
1167. [contrib] nslint-2.1a3 (from author).
|
|
|
|
1166. [bug] "Not Implemented" should be reported as NOTIMP,
|
|
not NOTIMPL. [RT #2281]
|
|
|
|
1165. [bug] We were rejecting notify-source{-v6} in zone clauses.
|
|
|
|
1164. [bug] Empty masters clauses in slave / stub zones were not
|
|
handled gracefully. [RT #2262]
|
|
|
|
1163. [func] isc_time_formattimestamp() now includes the year.
|
|
|
|
1162. [bug] The allow-notify option was not accepted in slave
|
|
zone statements.
|
|
|
|
1161. [bug] named-checkzone looped on unbalanced brackets.
|
|
[RT #2248]
|
|
|
|
1160. [bug] Generating Diffie-Hellman keys longer than 1024
|
|
bits could fail. [RT #2241]
|
|
|
|
1159. [bug] MD and MF are not permitted to be loaded by RFC1123.
|
|
|
|
1158. [func] Report the client's address when logging notify
|
|
messages.
|
|
|
|
1157. [func] match-clients and match-destinations now accept
|
|
keys. [RT #2045]
|
|
|
|
1156. [port] The configure test for strsep() incorrectly
|
|
succeeded on certain patched versions of
|
|
AIX 4.3.3. [RT #2190]
|
|
|
|
1155. [func] Recover from master files being removed from under
|
|
us.
|
|
|
|
1154. [bug] Don't attempt to obtain the netmask of a interface
|
|
if there is no address configured. [RT #2176]
|
|
|
|
1153. [func] 'rndc {stop|halt} -p' now reports the process id
|
|
of the instance of named being shutdown.
|
|
|
|
1152. [bug] libbind: read buffer overflows.
|
|
|
|
1151. [bug] nslookup failed to check that the arguments to
|
|
the port, timeout, and retry options were
|
|
valid integers and in range. [RT #2099]
|
|
|
|
1150. [bug] named incorrectly accepted TTL values
|
|
containing plus or minus signs, such as
|
|
1d+1h-1s.
|
|
|
|
1149. [func] New function isc_parse_uint32().
|
|
|
|
1148. [func] 'rndc-confgen -a' now provides positive feedback.
|
|
|
|
1147. [func] Set IPV6_V6ONLY on IPv6 sockets if supported by
|
|
the OS. listen-on-v6 { any; }; should no longer
|
|
result in IPv4 queries be accepted. Similarly
|
|
control { inet :: ... }; should no longer result
|
|
in IPv4 connections being accepted. This can be
|
|
overridden at compile time by defining
|
|
ISC_ALLOW_MAPPED=1.
|
|
|
|
1146. [func] Allow IPV6_IPV6ONLY to be set/cleared on a socket if
|
|
supported by the OS by a new function
|
|
isc_socket_ipv6only().
|
|
|
|
1145. [func] "host" no longer reports a NOERROR/NODATA response
|
|
by printing nothing. [RT #2065]
|
|
|
|
1144. [bug] rndc-confgen would crash if both the -a and -t
|
|
options were specified. [RT #2159]
|
|
|
|
1143. [bug] When a trusted-keys statement was present and named
|
|
was built without crypto support, it would leak memory.
|
|
|
|
1142. [bug] dnssec-signzone would fail to delete temporary files
|
|
in some failure cases. [RT #2144]
|
|
|
|
1141. [bug] When named rejected a control message, it would
|
|
leak a file descriptor and memory. It would also
|
|
fail to respond, causing rndc to hang.
|
|
[RT #2139, #2164]
|
|
|
|
1140. [bug] rndc-confgen did not accept IPv6 addresses as arguments
|
|
to the -s option. [RT #2138]
|
|
|
|
1139. [func] It is now possible to flush a given name from the
|
|
cache(s) via 'rndc flushname name [view]'. [RT #2051]
|
|
|
|
1138. [func] It is now possible to flush a given name from the
|
|
cache by calling the new function
|
|
dns_cache_flushname().
|
|
|
|
1137. [func] It is now possible to flush a given name from the
|
|
ADB by calling the new function dns_adb_flushname().
|
|
|
|
1136. [bug] CNAME records synthesized from DNAMEs did not
|
|
have a TTL of zero as required by RFC2672.
|
|
[RT #2129]
|
|
|
|
1135. [func] You can now override the default syslog() facility for
|
|
named/lwresd at compile time. [RT #1982]
|
|
|
|
1134. [bug] Multi-threaded servers could deadlock in ferror()
|
|
when reloading zone files. [RT #1951, #1998]
|
|
|
|
1133. [bug] IN6_IS_ADDR_LOOPBACK was not portably defined on
|
|
platforms without IN6_IS_ADDR_LOOPBACK. [RT #2106]
|
|
|
|
1132. [func] Improve UPDATE prerequisite failure diagnostic messages.
|
|
|
|
1131. [bug] The match-destinations view option did not work with
|
|
IPv6 destinations. [RT #2073, #2074]
|
|
|
|
1130. [bug] Log messages reporting an out-of-range serial number
|
|
did not include the out-of-range number but the
|
|
following token. [RT #2076]
|
|
|
|
1129. [bug] Multi-threaded servers could crash under heavy
|
|
resolution load due to a race condition. [RT #2018]
|
|
|
|
1128. [func] sdb drivers can now provide RR data in either text
|
|
or wire format, the latter using the new functions
|
|
dns_sdb_putrdata() and dns_sdb_putnamedrdata().
|
|
|
|
1127. [func] rndc: If the server to contact has multiple addresses,
|
|
try all of them.
|
|
|
|
1126. [bug] The server could access a freed event if shut
|
|
down while a client start event was pending
|
|
delivery. [RT #2061]
|
|
|
|
1125. [bug] rndc: -k option was missing from usage message.
|
|
[RT #2057]
|
|
|
|
1124. [doc] dig: +[no]dnssec, +[no]besteffort and +[no]fail
|
|
are now documented. [RT #2052]
|
|
|
|
1123. [bug] dig +[no]fail did not match description. [RT #2052]
|
|
|
|
1122. [tuning] Resolution timeout reduced from 90 to 30 seconds.
|
|
[RT #2046]
|
|
|
|
1121. [bug] The server could attempt to access a NULL zone
|
|
table if shut down while resolving.
|
|
[RT #1587, #2054]
|
|
|
|
1120. [bug] Errors in options were not fatal. [RT #2002]
|
|
|
|
1119. [func] Added support in Win32 for NTFS file/directory ACL's
|
|
for access control.
|
|
|
|
1118. [bug] On multi-threaded servers, a race condition
|
|
could cause an assertion failure in resolver.c
|
|
during resolver shutdown. [RT #2029]
|
|
|
|
1117. [port] The configure check for in6addr_loopback incorrectly
|
|
succeeded on AIX 4.3 when compiling with -O2
|
|
because the test code was optimized away.
|
|
[RT #2016]
|
|
|
|
1116. [bug] Setting transfers in a server clause, transfers-in,
|
|
or transfers-per-ns to a value greater than
|
|
2147483647 disabled transfers. [RT #2002]
|
|
|
|
1115. [func] Set maximum values for cleaning-interval,
|
|
heartbeat-interval, interface-interval,
|
|
max-transfer-idle-in, max-transfer-idle-out,
|
|
max-transfer-time-in, max-transfer-time-out,
|
|
statistics-interval of 28 days and
|
|
sig-validity-interval of 3660 days. [RT #2002]
|
|
|
|
1114. [port] Ignore more accept() errors. [RT #2021]
|
|
|
|
1113. [bug] The allow-update-forwarding option was ignored
|
|
when specified in a view. [RT #2014]
|
|
|
|
1112. [placeholder]
|
|
|
|
1111. [bug] Multi-threaded servers could deadlock processing
|
|
recursive queries due to a locking hierarchy
|
|
violation in adb.c. [RT #2017]
|
|
|
|
1110. [bug] dig should only accept valid abbreviations of +options.
|
|
[RT #2003]
|
|
|
|
1109. [bug] nsupdate accepted illegal ttl values.
|
|
|
|
1108. [bug] On Win32, rndc was hanging when named was not running
|
|
due to failure to select for exceptional conditions
|
|
in select(). [RT #1870]
|
|
|
|
1107. [bug] nsupdate could catch an assertion failure if an
|
|
invalid domain name was given as the argument to
|
|
the "zone" command.
|
|
|
|
1106. [bug] After seeing an out of range TTL, nsupdate would
|
|
treat all TTLs as out of range. [RT #2001]
|
|
|
|
1105. [port] OpenUNIX 8 enable threads by default. [RT #1970]
|
|
|
|
1104. [bug] Invalid arguments to the transfer-format option
|
|
could cause an assertion failure. [RT #1995]
|
|
|
|
1103. [port] OpenUNIX 8 support (ifconfig.sh). [RT #1970]
|
|
|
|
1102. [doc] Note that query logging is enabled by directing the
|
|
queries category to a channel.
|
|
|
|
1101. [bug] Array bounds read error in lwres_gai_strerror.
|
|
|
|
1100. [bug] libbind: DNSSEC key ids were computed incorrectly.
|
|
|
|
1099. [cleanup] libbind: defining REPORT_ERRORS in lib/bind/dst caused
|
|
compile time errors.
|
|
|
|
1098. [bug] libbind: HMAC-MD5 key files are now mode 0600.
|
|
|
|
1097. [func] libbind: RES_PRF_TRUNC for dig.
|
|
|
|
1096. [func] libbind: "DNSSEC OK" (DO) support.
|
|
|
|
1095. [func] libbind: resolver option: no-tld-query. disables
|
|
trying unqualified as a tld. no_tld_query is also
|
|
supported for FreeBSD compatibility.
|
|
|
|
1094. [func] libbind: add support gcc's format string checking.
|
|
|
|
1093. [doc] libbind: miscellaneous nroff fixes.
|
|
|
|
1092. [bug] libbind: get*by*() failed to check if res_init() had
|
|
been called.
|
|
|
|
1091. [bug] libbind: misplaced va_end().
|
|
|
|
1090. [bug] libbind: dns_ho.c:add_hostent() was not returning
|
|
the amount of memory consumed resulting in garbage
|
|
address being returned. Alignment calculations were
|
|
wasting space. We weren't suppressing duplicate
|
|
addresses.
|
|
|
|
1089. [func] libbind: inet_{cidr,net}_{pton,ntop}() now have IPv6
|
|
support.
|
|
|
|
1088. [port] libbind: MPE/iX C.70 (incomplete)
|
|
|
|
1087. [bug] libbind: struct __res_state too large on 64 bit arch.
|
|
|
|
1086. [port] libbind: sunos: old sprintf.
|
|
|
|
1085. [port] libbind: solaris: sys_nerr and sys_errlist do not
|
|
exist when compiling in 64 bit mode.
|
|
|
|
1084. [cleanup] libbind: gai_strerror() rewritten.
|
|
|
|
1083. [bug] The default control channel listened on the
|
|
wildcard address, not the loopback as documented.
|
|
[RT #1975]
|
|
|
|
1082. [bug] The -g option to named incorrectly caused logging
|
|
to be sent to syslog in addition to stderr.
|
|
[RT #1974]
|
|
|
|
1081. [bug] Multicast queries were incorrectly identified
|
|
based on the source address, not the destination
|
|
address.
|
|
|
|
1080. [bug] BIND 8 compatibility: accept bare IP prefixes
|
|
as the second element of a two-element top level
|
|
sort list statement. [RT #1964]
|
|
|
|
1079. [bug] BIND 8 compatibility: accept bare elements at top
|
|
level of sort list treating them as if they were
|
|
a single element list. [RT #1963]
|
|
|
|
1078. [bug] We failed to correct bad tv_usec values in one case.
|
|
[RT #1966]
|
|
|
|
1077. [func] Do not accept further recursive clients when
|
|
the total number of recursive lookups being
|
|
processed exceeds max-recursive-clients, even
|
|
if some of the lookups are internally generated.
|
|
[RT #1915, #1938]
|
|
|
|
1076. [bug] A badly defined global key could trigger an assertion
|
|
on load/reload if views were used. [RT #1947]
|
|
|
|
1075. [bug] Out-of-range network prefix lengths were not
|
|
reported. [RT #1954]
|
|
|
|
1074. [bug] Running out of memory in dump_rdataset() could
|
|
cause an assertion failure. [RT #1946]
|
|
|
|
1073. [bug] The ADB cache cleaning should also be space driven.
|
|
[RT #1915, #1938]
|
|
|
|
1072. [bug] The TCP client quota could be exceeded when
|
|
recursion occurred. [RT #1937]
|
|
|
|
1071. [bug] Sockets listening for TCP DNS connections
|
|
specified an excessive listen backlog. [RT #1937]
|
|
|
|
1070. [bug] Copy DNSSEC OK (DO) to response as specified by
|
|
draft-ietf-dnsext-dnssec-okbit-03.txt.
|
|
|
|
1069. [placeholder]
|
|
|
|
1068. [bug] errno could be overwritten by catgets(). [RT #1921]
|
|
|
|
1067. [func] Allow quotas to be soft, isc_quota_soft().
|
|
|
|
1066. [bug] Provide a thread safe wrapper for strerror().
|
|
[RT #1689]
|
|
|
|
1065. [func] Runtime support to select new / old style interface
|
|
scanning using ioctls.
|
|
|
|
1064. [bug] Do not shut down active network interfaces if we
|
|
are unable to scan the interface list. [RT #1921]
|
|
|
|
1063. [bug] libbind: "make install" was failing on IRIX.
|
|
[RT #1919]
|
|
|
|
1062. [bug] If the control channel listener socket was shut
|
|
down before server exit, the listener object could
|
|
be freed twice. [RT #1916]
|
|
|
|
1061. [bug] If periodic cache cleaning happened to start
|
|
while cleaning due to reaching the configured
|
|
maximum cache size was in progress, the server
|
|
could catch an assertion failure. [RT #1912]
|
|
|
|
1060. [func] Move refresh, stub and notify UDP retry processing
|
|
into dns_request.
|
|
|
|
1059. [func] dns_request now support will now retry UDP queries,
|
|
dns_request_createvia2() and dns_request_createraw2().
|
|
|
|
1058. [func] Limited lifetime ticker timers are now available,
|
|
isc_timertype_limited.
|
|
|
|
1057. [bug] Reloading the server after adding a "file" clause
|
|
to a zone statement could cause the server to
|
|
crash due to a typo in change 1016.
|
|
|
|
1056. [bug] Rndc could catch an assertion failure on SIGINT due
|
|
to an uninitialized variable. [RT #1908]
|
|
|
|
1055. [func] Version and hostname queries can now be disabled
|
|
using "version none;" and "hostname none;",
|
|
respectively.
|
|
|
|
1054. [bug] On Win32, cfg_categories and cfg_modules need to be
|
|
exported from the libisccfg DLL.
|
|
|
|
1053. [bug] Dig did not increase its timeout when receiving
|
|
AXFRs unless the +time option was used. [RT #1904]
|
|
|
|
1052. [bug] Journals were not being created in binary mode
|
|
resulting in "journal format not recognized" error
|
|
under Win32. [RT #1889]
|
|
|
|
1051. [bug] Do not ignore a network interface completely just
|
|
because it has a noncontiguous netmask. Instead,
|
|
omit it from the localnets ACL and issue a warning.
|
|
[RT #1891]
|
|
|
|
1050. [bug] Log messages reporting malformed IP addresses in
|
|
address lists such as that of the forwarders option
|
|
failed to include the correct error code, file
|
|
name, and line number. [RT #1890]
|
|
|
|
1049. [func] "pid-file none;" will disable writing a pid file.
|
|
[RT #1848]
|
|
|
|
1048. [bug] Servers built with -DISC_MEM_USE_INTERNAL_MALLOC=1
|
|
didn't work.
|
|
|
|
1047. [bug] named was incorrectly refusing all requests signed
|
|
with a TSIG key derived from an unsigned TKEY
|
|
negotiation with a NOERROR response. [RT #1886]
|
|
|
|
1046. [bug] The help message for the --with-openssl configure
|
|
option was inaccurate. [RT #1880]
|
|
|
|
1045. [bug] It was possible to skip saving glue for a nameserver
|
|
for a stub zone.
|
|
|
|
1044. [bug] Specifying allow-transfer, notify-source, or
|
|
notify-source-v6 in a stub zone was not treated
|
|
as an error.
|
|
|
|
1043. [bug] Specifying a transfer-source or transfer-source-v6
|
|
option in the zone statement for a master zone was
|
|
not treated as an error. [RT #1876]
|
|
|
|
1042. [bug] The "config" logging category did not work properly.
|
|
[RT #1873]
|
|
|
|
1041. [bug] Dig/host/nslookup could catch an assertion failure
|
|
on SIGINT due to an uninitialized variable. [RT #1867]
|
|
|
|
1040. [bug] Multiple listen-on-v6 options with different ports
|
|
were not accepted. [RT #1875]
|
|
|
|
1039. [bug] Negative responses with CNAMEs in the answer section
|
|
were cached incorrectly. [RT #1862]
|
|
|
|
1038. [bug] In servers configured with a tkey-domain option,
|
|
TKEY queries with an owner name other than the root
|
|
could cause an assertion failure. [RT #1866, #1869]
|
|
|
|
1037. [bug] Negative responses whose authority section contain
|
|
SOA or NS records whose owner names are not equal
|
|
equal to or parents of the query name should be
|
|
rejected. [RT #1862]
|
|
|
|
1036. [func] Silently drop requests received via multicast as
|
|
long as there is no final multicast DNS standard.
|
|
|
|
1035. [bug] If we respond to multicast queries (which we
|
|
currently do not), respond from a unicast address
|
|
as specified in RFC 1123. [RT #137]
|
|
|
|
1034. [bug] Ignore the RD bit on multicast queries as specified
|
|
in RFC 1123. [RT #137]
|
|
|
|
1033. [bug] Always respond to requests with an unsupported opcode
|
|
with NOTIMP, even if we don't have a matching view
|
|
or cannot determine the class.
|
|
|
|
1032. [func] hostname.bind/txt/chaos now returns the name of
|
|
the machine hosting the nameserver. This is useful
|
|
in diagnosing problems with anycast servers.
|
|
|
|
1031. [bug] libbind.a: isc__gettimeofday() infinite recursion.
|
|
[RT #1858]
|
|
|
|
1030. [bug] On systems with no resolv.conf file, nsupdate
|
|
exited with an error rather than defaulting
|
|
to using the loopback address. [RT #1836]
|
|
|
|
1029. [bug] Some named.conf errors did not cause the loading
|
|
of the configuration file to return a failure
|
|
status even though they were logged. [RT #1847]
|
|
|
|
1028. [bug] On Win32, dig/host/nslookup looked for resolv.conf
|
|
in the wrong directory. [RT #1833]
|
|
|
|
1027. [bug] RRs having the reserved type 0 should be rejected.
|
|
[RT #1471]
|
|
|
|
1026. [placeholder]
|
|
|
|
1025. [bug] Don't use multicast addresses to resolve iterative
|
|
queries. [RT #101]
|
|
|
|
1024. [port] Compilation failed on HP-UX 11.11 due to
|
|
incompatible use of the SIOCGLIFCONF macro
|
|
name. [RT #1831]
|
|
|
|
1023. [func] Accept hints without TTLs.
|
|
|
|
1022. [bug] Don't report empty root hints as "extra data".
|
|
[RT #1802]
|
|
|
|
1021. [bug] On Win32, log message timestamps were one month
|
|
later than they should have been, and the server
|
|
would exhibit unspecified behavior in December.
|
|
|
|
1020. [bug] IXFR log messages did not distinguish between
|
|
true IXFRs, AXFR-style IXFRs, and mere version
|
|
polls. [RT #1811]
|
|
|
|
1019. [bug] The value of the lame-ttl option was limited to 18000
|
|
seconds, not 1800 seconds as documented. [RT #1803]
|
|
|
|
1018. [bug] The default log channel was not always initialized
|
|
correctly. [RT #1813]
|
|
|
|
1017. [bug] When specifying TSIG keys to dig and nsupdate using
|
|
the -k option, they must be HMAC-MD5 keys. [RT #1810]
|
|
|
|
1016. [bug] Slave zones with no backup file were re-transferred
|
|
on every server reload.
|
|
|
|
1015. [bug] Log channels that had a "versions" option but no
|
|
"size" option failed to create numbered log
|
|
files. [RT #1783]
|
|
|
|
1014. [bug] Some queries would cause statistics counters to
|
|
increment more than once or not at all. [RT #1321]
|
|
|
|
1013. [bug] It was possible to cancel a query twice when marking
|
|
a server as bogus or by having a blackhole acl.
|
|
[RT #1776]
|
|
|
|
1012. [bug] The -p option to named did not behave as documented.
|
|
|
|
1011. [cleanup] Removed isc_dir_current().
|
|
|
|
1010. [bug] The server could attempt to execute a command channel
|
|
command after initiating server shutdown, causing
|
|
an assertion failure. [RT #1766]
|
|
|
|
1009. [port] OpenUNIX 8 support. [RT #1728]
|
|
|
|
1008. [port] libtool.m4, ltmain.sh from libtool-1.4.2.
|
|
|
|
1007. [port] config.guess, config.sub from autoconf-2.52.
|
|
|
|
1006. [bug] If a KEY RR was found missing during DNSSEC validation,
|
|
an assertion failure could subsequently be triggered
|
|
in the resolver. [RT #1763]
|
|
|
|
1005. [bug] Don't copy nonzero RCODEs from request to response.
|
|
[RT #1765]
|
|
|
|
1004. [port] Deal with recvfrom() returning EHOSTDOWN. [RT #1770]
|
|
|
|
1003. [func] Add the +retry option to dig.
|
|
|
|
1002. [bug] When reporting an unknown class name in named.conf,
|
|
including the file name and line number. [RT #1759]
|
|
|
|
1001. [bug] win32 socket code doio_recv was not catching a
|
|
WSACONNRESET error when a client was timing out
|
|
the request and closing its socket. [RT #1745]
|
|
|
|
1000. [bug] BIND 8 compatibility: accept "HESIOD" as an alias
|
|
for class "HS". [RT #1759]
|
|
|
|
999. [func] "rndc retransfer zone [class [view]]" added.
|
|
[RT #1752]
|
|
|
|
998. [func] named-checkzone now has arguments to specify the
|
|
chroot directory (-t) and working directory (-w).
|
|
[RT #1755]
|
|
|
|
997. [func] Add support for RSA-SHA1 keys (RFC3110).
|
|
|
|
996. [func] Issue warning if the configuration filename contains
|
|
the chroot path.
|
|
|
|
995. [bug] dig, host, nslookup: using a raw IPv6 address as a
|
|
target address should be fatal on a IPv4 only system.
|
|
|
|
994. [func] Treat non-authoritative responses to queries for type
|
|
NS as referrals even if the NS records are in the
|
|
answer section, because BIND 8 servers incorrectly
|
|
send them that way. This is necessary for DNSSEC
|
|
validation of the NS records of a secure zone to
|
|
succeed when the parent is a BIND 8 server. [RT #1706]
|
|
|
|
993. [func] dig: -v now reports the version.
|
|
|
|
992. [doc] dig: ~/.digrc is now documented.
|
|
|
|
991. [func] Lower UDP refresh timeout messages to level
|
|
debug 1.
|
|
|
|
990. [bug] The rndc-confgen man page was not installed.
|
|
|
|
989. [bug] Report filename if $INCLUDE fails for file related
|
|
errors. [RT #1736]
|
|
|
|
988. [bug] 'additional-from-auth no;' did not work reliably
|
|
in the case of queries answered from the cache.
|
|
[RT #1436]
|
|
|
|
987. [bug] "dig -help" didn't show "+[no]stats".
|
|
|
|
986. [bug] "dig +noall" failed to clear stats and command
|
|
printing.
|
|
|
|
985. [func] Consider network interfaces to be up iff they have
|
|
a nonzero IP address rather than based on the
|
|
IFF_UP flag. [RT #1160]
|
|
|
|
984. [bug] Multi-threading should be enabled by default on
|
|
Solaris 2.7 and newer, but it wasn't.
|
|
|
|
983. [func] The server now supports generating IXFR difference
|
|
sequences for non-dynamic zones by comparing zone
|
|
versions, when enabled using the new config
|
|
option "ixfr-from-differences". [RT #1727]
|
|
|
|
982. [func] If "memstatistics-file" is set in options the memory
|
|
statistics will be written to it.
|
|
|
|
981. [func] The dnssec tools can now take multiple '-r randomfile'
|
|
arguments.
|
|
|
|
980. [bug] Incoming zone transfers restarting after an error
|
|
could trigger an assertion failure. [RT #1692]
|
|
|
|
979. [func] Incremental master file dumping. dns_master_dumpinc(),
|
|
dns_master_dumptostreaminc(), dns_dumpctx_attach(),
|
|
dns_dumpctx_detach(), dns_dumpctx_cancel(),
|
|
dns_dumpctx_db() and dns_dumpctx_version().
|
|
|
|
978. [bug] dns_db_attachversion() had an invalid REQUIRE()
|
|
condition.
|
|
|
|
977. [bug] Improve "not at top of zone" error message.
|
|
|
|
976. [func] named-checkconf can now test load master zones
|
|
(named-checkconf -z). [RT #1468]
|
|
|
|
975. [bug] "max-cache-size default;" as a view option
|
|
caused an assertion failure.
|
|
|
|
974. [bug] "max-cache-size unlimited;" as a global option
|
|
was not accepted.
|
|
|
|
973. [bug] Failed to log the question name when logging:
|
|
"bad zone transfer request: non-authoritative zone
|
|
(NOTAUTH)".
|
|
|
|
972. [bug] The file modification time code in zone.c was using the
|
|
wrong epoch. [RT #1667]
|
|
|
|
971. [placeholder]
|
|
|
|
970. [func] 'max-journal-size' can now be used to set a target
|
|
size for a journal.
|
|
|
|
969. [func] dig now supports the undocumented dig 8 feature
|
|
of allowing arbitrary labels, not just dotted
|
|
decimal quads, with the -x option. This can be
|
|
used to conveniently look up RFC2317 names as in
|
|
"dig -x 10.0.0.0-127". [RT #827, #1576, #1598]
|
|
|
|
968. [bug] On win32, the isc_time_now() function was unnecessarily
|
|
calling strtime(). [RT #1671]
|
|
|
|
967. [bug] On win32, the link for bindevt was not including the
|
|
required resource file to enable the event viewer
|
|
to interpret the error messages in the event log,
|
|
[RT #1668]
|
|
|
|
966. [placeholder]
|
|
|
|
965. [bug] Including data other than root server NS and A
|
|
records in the root hint file could cause a rbtdb
|
|
node reference leak. [RT #1581, #1618]
|
|
|
|
964. [func] Warn if data other than root server NS and A records
|
|
are found in the root hint file. [RT #1581, #1618]
|
|
|
|
963. [bug] Bad ISC_LANG_ENDDECLS. [RT #1645]
|
|
|
|
962. [bug] libbind: bad "#undef", don't attempt to install
|
|
non-existent nlist.h. [RT #1640]
|
|
|
|
961. [bug] Tried to use a IPV6 feature when ISC_PLATFORM_HAVEIPV6
|
|
was not defined. [RT #1482]
|
|
|
|
960. [port] liblwres failed to build on systems with support for
|
|
getrrsetbyname() in the OS. [RT #1592]
|
|
|
|
959. [port] On FreeBSD, determine the number of CPUs by calling
|
|
sysctlbyname(). [RT #1584]
|
|
|
|
958. [port] ssize_t is not available on all platforms. [RT #1607]
|
|
|
|
957. [bug] sys/select.h inclusion was broken on older platforms.
|
|
[RT #1607]
|
|
|
|
956. [bug] ns_g_autorndcfile changed to ns_g_keyfile
|
|
in named/win32/os.c due to code changes in
|
|
change #953. win32 .make file for rndc-confgen
|
|
updated to add include path for os.h header.
|
|
|
|
--- 9.2.0rc1 released ---
|
|
|
|
955. [bug] When using views, the zone's class was not being
|
|
inherited from the view's class. [RT #1583]
|
|
|
|
954. [bug] When requesting AXFRs or IXFRs using dig, host, or
|
|
nslookup, the RD bit should not be set as zone
|
|
transfers are inherently non-recursive. [RT #1575]
|
|
|
|
953. [func] The /var/run/named.key file from change #843
|
|
has been replaced by /etc/rndc.key. Both
|
|
named and rndc will look for this file and use
|
|
it to configure a default control channel key
|
|
if not already configured using a different
|
|
method (rndc.conf / controls). Unlike
|
|
named.key, rndc.key is not created automatically;
|
|
it must be created by manually running
|
|
"rndc-confgen -a".
|
|
|
|
952. [bug] The server required manual intervention to serve the
|
|
affected zones if it died between creating a journal
|
|
and committing the first change to it.
|
|
|
|
951. [bug] CFLAGS was not passed to the linker when
|
|
linking some of the test programs under
|
|
bin/tests. [RT #1555].
|
|
|
|
950. [bug] Explicit TTLs did not properly override $TTL
|
|
due to a bug in change 834. [RT #1558]
|
|
|
|
949. [bug] host was unable to print records larger than 512
|
|
bytes. [RT #1557]
|
|
|
|
--- 9.2.0b2 released ---
|
|
|
|
948. [port] Integrated support for building on Windows NT /
|
|
Windows 2000.
|
|
|
|
947. [bug] dns_rdata_soa_t had a badly named element "mname" which
|
|
was really the RNAME field from RFC1035. To avoid
|
|
confusion and silent errors that would occur it the
|
|
"origin" and "mname" elements were given their correct
|
|
names "mname" and "rname" respectively, the "mname"
|
|
element is renamed to "contact".
|
|
|
|
946. [cleanup] doc/misc/options is now machine-generated from the
|
|
configuration parser syntax tables, and therefore
|
|
more likely to be correct.
|
|
|
|
945. [func] Add the new view-specific options
|
|
"match-destinations" and "match-recursive-only".
|
|
|
|
944. [func] Check for expired signatures on load.
|
|
|
|
943. [bug] The server could crash when receiving a command
|
|
via rndc if the configuration file listed only
|
|
nonexistent keys in the controls statement. [RT #1530]
|
|
|
|
942. [port] libbind: GETNETBYADDR_ADDR_T was not correctly
|
|
defined on some platforms.
|
|
|
|
941. [bug] The configuration checker crashed if a slave
|
|
zone didn't contain a masters statement. [RT #1514]
|
|
|
|
940. [bug] Double zone locking failure on error path. [RT #1510]
|
|
|
|
--- 9.2.0b1 released ---
|
|
|
|
939. [port] Add the --disable-linux-caps option to configure for
|
|
systems that manage capabilities outside of named.
|
|
[RT #1503]
|
|
|
|
938. [placeholder]
|
|
|
|
937. [bug] A race when shutting down a zone could trigger a
|
|
INSIST() failure. [RT #1034]
|
|
|
|
936. [func] Warn about IPv4 addresses that are not complete
|
|
dotted quads. [RT #1084]
|
|
|
|
935. [bug] inet_pton failed to reject leading zeros.
|
|
|
|
934. [port] Deal with systems where accept() spuriously returns
|
|
ECONNRESET.
|
|
|
|
933. [bug] configure failed doing libbind on platforms not
|
|
supported by BIND 8. [RT #1496]
|
|
|
|
--- 9.2.0a3 released ---
|
|
|
|
932. [bug] Use INSTALL_SCRIPT, not INSTALL_PROGRAM,
|
|
when installing isc-config.sh.
|
|
[RT #198, #1466]
|
|
|
|
931. [bug] The controls statement only attempted to verify
|
|
messages using the first key in the key list.
|
|
(9.2.0a1/a2 only).
|
|
|
|
930. [func] Query performance testing tool added as
|
|
contrib/queryperf.
|
|
|
|
929. [placeholder]
|
|
|
|
928. [bug] nsupdate would send empty update packets if the
|
|
send (or empty line) command was run after
|
|
another send but before any new updates or
|
|
prerequisites were specified. It should simply
|
|
ignore this command.
|
|
|
|
927. [bug] Don't hold the zone lock for the entire dump to disk.
|
|
[RT #1423]
|
|
|
|
926. [bug] The resolver could deadlock with the ADB when
|
|
shutting down (multi-threaded builds only).
|
|
[RT #1324]
|
|
|
|
925. [cleanup] Remove openssl from the distribution; require that
|
|
--with-openssl be specified if DNSSEC is needed.
|
|
|
|
924. [port] Extend support for pre-RFC2133 IPv6 implementation.
|
|
[RT #987]
|
|
|
|
923. [bug] Multiline TSIG secrets (and other multiline strings)
|
|
were not accepted in named.conf. [RT #1469]
|
|
|
|
922. [func] Added two new lwres_getrrsetbyname() result codes,
|
|
ERR_NONAME and ERR_NODATA.
|
|
|
|
921. [bug] lwres returned an incorrect error code if it received
|
|
a truncated message.
|
|
|
|
920. [func] Increase the lwres receive buffer size to 16K.
|
|
[RT #1451]
|
|
|
|
919. [placeholder]
|
|
|
|
918. [func] In nsupdate, TSIG errors are no longer treated as
|
|
fatal errors.
|
|
|
|
917. [func] New nsupdate command 'key', allowing TSIG keys to
|
|
be specified in the nsupdate command stream rather
|
|
than the command line.
|
|
|
|
916. [bug] Specifying type ixfr to dig without specifying
|
|
a serial number failed in unexpected ways.
|
|
|
|
915. [func] The named-checkconf and named-checkzone programs
|
|
now have a '-v' option for printing their version.
|
|
[RT #1151]
|
|
|
|
914. [bug] Global 'server' statements were rejected when
|
|
using views, even though they were accepted
|
|
in 9.1. [RT #1368]
|
|
|
|
913. [bug] Cache cleaning was not sufficiently aggressive.
|
|
[RT #1441, #1444]
|
|
|
|
912. [bug] Attempts to set the 'additional-from-cache' or
|
|
'additional-from-auth' option to 'no' in a
|
|
server with recursion enabled will now
|
|
be ignored and cause a warning message.
|
|
[RT #1145]
|
|
|
|
911. [placeholder]
|
|
|
|
910. [port] Some pre-RFC2133 IPv6 implementations do not define
|
|
IN6ADDR_ANY_INIT. [RT #1416]
|
|
|
|
909. [placeholder]
|
|
|
|
908. [func] New program, rndc-confgen, to simplify setting up rndc.
|
|
|
|
907. [func] The ability to get entropy from either the
|
|
random device, a user-provided file or from
|
|
the keyboard was migrated from the DNSSEC tools
|
|
to libisc as isc_entropy_usebestsource().
|
|
|
|
906. [port] Separated the system independent portion of
|
|
lib/isc/unix/entropy.c into lib/isc/entropy.c
|
|
and added lib/isc/win32/entropy.c.
|
|
|
|
905. [bug] Configuring a forward "zone" for the root domain
|
|
did not work. [RT #1418]
|
|
|
|
904. [bug] The server would leak memory if attempting to use
|
|
an expired TSIG key. [RT #1406]
|
|
|
|
903. [bug] dig should not crash when receiving a TCP packet
|
|
of length 0.
|
|
|
|
902. [bug] The -d option was ignored if both -t and -g were also
|
|
specified.
|
|
|
|
901. [placeholder]
|
|
|
|
900. [bug] A config.guess update changed the system identification
|
|
string of FreeBSD systems; configure and
|
|
bin/tests/system/ifconfig.sh now recognize the new
|
|
string.
|
|
|
|
--- 9.2.0a2 released ---
|
|
|
|
899. [bug] lib/dns/soa.c failed to compile on many platforms
|
|
due to inappropriate use of a void value.
|
|
[RT #1372, #1373, #1386, #1387, #1395]
|
|
|
|
898. [bug] "dig" failed to set a nonzero exit status
|
|
on UDP query timeout. [RT #1323]
|
|
|
|
897. [bug] A config.guess update changed the system identification
|
|
string of UnixWare systems; configure now recognizes
|
|
the new string.
|
|
|
|
896. [bug] If a configuration file is set on named's command line
|
|
and it has a relative pathname, the current directory
|
|
(after any possible jailing resulting from named -t)
|
|
will be prepended to it so that reloading works
|
|
properly even when a directory option is present.
|
|
|
|
895. [func] New function, isc_dir_current(), akin to POSIX's
|
|
getcwd().
|
|
|
|
894. [bug] When using the DNSSEC tools, a message intended to warn
|
|
when the keyboard was being used because of the lack
|
|
of a suitable random device was not being printed.
|
|
|
|
893. [func] Removed isc_file_test() and added isc_file_exists()
|
|
for the basic functionality that was being added
|
|
with isc_file_test().
|
|
|
|
892. [placeholder]
|
|
|
|
891. [bug] Return an error when a SIG(0) signed response to
|
|
an unsigned query is seen. This should actually
|
|
do the verification, but it's not currently
|
|
possible. [RT #1391]
|
|
|
|
890. [cleanup] The man pages no longer require the mandoc macros
|
|
and should now format cleanly using most versions of
|
|
nroff, and HTML versions of the man pages have been
|
|
added. Both are generated from DocBook source.
|
|
|
|
889. [port] Eliminated blank lines before .TH in nroff man
|
|
pages since they cause problems with some versions
|
|
of nroff. [RT #1390]
|
|
|
|
888. [bug] Don't die when using TKEY to delete a nonexistent
|
|
TSIG key. [RT #1392]
|
|
|
|
887. [port] Detect broken compilers that can't call static
|
|
functions from inline functions. [RT #1212]
|
|
|
|
886. [placeholder]
|
|
|
|
885. [placeholder]
|
|
|
|
884. [placeholder]
|
|
|
|
883. [placeholder]
|
|
|
|
882. [placeholder]
|
|
|
|
881. [placeholder]
|
|
|
|
880. [placeholder]
|
|
|
|
879. [placeholder]
|
|
|
|
878. [placeholder]
|
|
|
|
877. [placeholder]
|
|
|
|
876. [placeholder]
|
|
|
|
875. [placeholder]
|
|
|
|
874. [placeholder]
|
|
|
|
873. [placeholder]
|
|
|
|
872. [placeholder]
|
|
|
|
871. [placeholder]
|
|
|
|
870. [placeholder]
|
|
|
|
869. [placeholder]
|
|
|
|
868. [placeholder]
|
|
|
|
867. [placeholder]
|
|
|
|
866. [func] Close debug only file channels when debug is set to
|
|
zero. [RT #1246]
|
|
|
|
865. [bug] The new configuration parser did not allow
|
|
the optional debug level in a "severity debug"
|
|
clause of a logging channel to be omitted.
|
|
This is now allowed and treated as "severity
|
|
debug 1;" like it does in BIND 8.2.4, not as
|
|
"severity debug 0;" like it did in BIND 9.1.
|
|
[RT #1367]
|
|
|
|
864. [cleanup] Multi-threading is now enabled by default on
|
|
OSF1, Solaris 2.7 and newer, AIX, IRIX, and HP-UX.
|
|
|
|
863. [bug] If an error occurred while an outgoing zone transfer
|
|
was starting up, the server could access a domain
|
|
name that had already been freed when logging a
|
|
message saying that the transfer was starting.
|
|
[RT #1383]
|
|
|
|
862. [bug] Use after realloc(), non portable pointer arithmetic in
|
|
grmerge().
|
|
|
|
861. [port] Add support for Mac OS X, by making it equivalent
|
|
to Darwin. This was derived from the config.guess
|
|
file shipped with Mac OS X. [RT #1355]
|
|
|
|
860. [func] Drop cross class glue in zone transfers.
|
|
|
|
859. [bug] Cache cleaning now won't swamp the CPU if there
|
|
is a persistent over limit condition.
|
|
|
|
858. [func] isc_mem_setwater() no longer requires that when the
|
|
callback function is non-NULL then its hi_water
|
|
argument must be greater than its lo_water argument
|
|
(they can now be equal) or that they be non-zero.
|
|
|
|
857. [cleanup] Use ISC_MAGIC() to define all magic numbers for
|
|
structs, for our friends in EBCDIC-land.
|
|
|
|
856. [func] Allow partial rdatasets to be returned in answer and
|
|
authority sections to help non-TCP capable clients
|
|
recover from truncation. [RT #1301]
|
|
|
|
855. [bug] Stop spurious "using RFC 1035 TTL semantics" warnings.
|
|
|
|
854. [bug] The config parser didn't properly handle config
|
|
options that were specified in units of time other
|
|
than seconds. [RT #1372]
|
|
|
|
853. [bug] configure_view_acl() failed to detach existing acls.
|
|
[RT #1374]
|
|
|
|
852. [bug] Handle responses from servers which do not know
|
|
about IXFR.
|
|
|
|
851. [cleanup] The obsolete support-ixfr option was not properly
|
|
ignored.
|
|
|
|
--- 9.2.0a1 released ---
|
|
|
|
850. [bug] dns_rbt_findnode() would not find nodes that were
|
|
split on a bitstring label somewhere other than in
|
|
the last label of the node. [RT #1351]
|
|
|
|
849. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined.
|
|
|
|
848. [func] A minimum max-cache-size of two megabytes is enforced
|
|
by the cache cleaner.
|
|
|
|
847. [func] Added isc_file_test(), which currently only has
|
|
some very basic functionality to test for the
|
|
existence of a file, whether a pathname is absolute,
|
|
or whether a pathname is the fundamental representation
|
|
of the current directory. It is intended that this
|
|
function can be expanded to test other things a
|
|
programmer might want to know about a file.
|
|
|
|
846. [func] A non-zero 'param' to dst_key_generate() when making an
|
|
hmac-md5 key means that good entropy is not required.
|
|
|
|
845. [bug] The access rights on the public file of a symmetric
|
|
key are now restricted as soon as the file is opened,
|
|
rather than after it has been written and closed.
|
|
|
|
844. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined,
|
|
just as <lwres/net.h> does.
|
|
|
|
843. [func] If no controls statement is present in named.conf,
|
|
or if any inet phrase of a controls statement is
|
|
lacking a keys clause, then a key will be automatically
|
|
generated by named and an rndc.conf-style file
|
|
named named.key will be written that uses it. rndc
|
|
will use this file only if its normal configuration
|
|
file, or one provided on the command line, does not
|
|
exist.
|
|
|
|
842. [func] 'rndc flush' now takes an optional view.
|
|
|
|
841. [bug] When sdb modules were not declared threadsafe, their
|
|
create and destroy functions were not serialized.
|
|
|
|
840. [bug] The config file parser could print the wrong file
|
|
name if an error was detected after an included file
|
|
was parsed. [RT #1353]
|
|
|
|
839. [func] Dump packets for which there was no view or that the
|
|
class could not be determined to category "unmatched".
|
|
|
|
838. [port] UnixWare 7.x.x is now suported by
|
|
bin/tests/system/ifconfig.sh.
|
|
|
|
837. [cleanup] Multi-threading is now enabled by default only on
|
|
OSF1, Solaris 2.7 and newer, and AIX.
|
|
|
|
836. [func] Upgraded libtool to 1.4.
|
|
|
|
835. [bug] The dispatcher could enter a busy loop if
|
|
it got an I/O error receiving on a UDP socket.
|
|
[RT #1293]
|
|
|
|
834. [func] Accept (but warn about) master files beginning with
|
|
an SOA record without an explicit TTL field and
|
|
lacking a $TTL directive, by using the SOA MINTTL
|
|
as a default TTL. This is for backwards compatibility
|
|
with old versions of BIND 8, which accepted such
|
|
files without warning although they are illegal
|
|
according to RFC1035.
|
|
|
|
833. [cleanup] Moved dns_soa_*() from <dns/journal.h> to
|
|
<dns/soa.h>, and extended them to support
|
|
all the integer-valued fields of the SOA RR.
|
|
|
|
832. [bug] The default location for named.conf in named-checkconf
|
|
should depend on --sysconfdir like it does in named.
|
|
[RT #1258]
|
|
|
|
831. [placeholder]
|
|
|
|
830. [func] Implement 'rndc status'.
|
|
|
|
829. [bug] The DNS_R_ZONECUT result code should only be returned
|
|
when an ANY query is made with DNS_DBFIND_GLUEOK set.
|
|
In all other ANY query cases, returning the delegation
|
|
is better.
|
|
|
|
828. [bug] The errno value from recvfrom() could be overwritten
|
|
by logging code. [RT #1293]
|
|
|
|
827. [bug] When an IXFR protocol error occurs, the slave
|
|
should retry with AXFR.
|
|
|
|
826. [bug] Some IXFR protocol errors were not detected.
|
|
|
|
825. [bug] zone.c:ns_query() detached from the wrong zone
|
|
reference. [RT #1264]
|
|
|
|
824. [bug] Correct line numbers reported by dns_master_load().
|
|
[RT #1263]
|
|
|
|
823. [func] The output of "dig -h" now goes to stdout so that it
|
|
can easily be piped through "more". [RT #1254]
|
|
|
|
822. [bug] Sending nxrrset prerequisites would crash nsupdate.
|
|
[RT #1248]
|
|
|
|
821. [bug] The program name used when logging to syslog should
|
|
be stripped of leading path components.
|
|
[RT #1178, #1232]
|
|
|
|
820. [bug] Name server address lookups failed to follow
|
|
A6 chains into the glue of local authoritative
|
|
zones.
|
|
|
|
819. [bug] In certain cases, the resolver's attempts to
|
|
restart an address lookup at the root could cause
|
|
the fetch to deadlock (with itself) instead of
|
|
restarting. [RT #1225]
|
|
|
|
818. [bug] Certain pathological responses to ANY queries could
|
|
cause an assertion failure. [RT #1218]
|
|
|
|
817. [func] Adjust timeouts for dialup zone queries.
|
|
|
|
816. [bug] Report potential problems with log file accessibility
|
|
at configuration time, since such problems can't
|
|
reliably be reported at the time they actually occur.
|
|
|
|
815. [bug] If a log file was specified with a path separator
|
|
character (i.e. "/") in its name and the directory
|
|
did not exist, the log file's name was treated as
|
|
though it were the directory name. [RT #1189]
|
|
|
|
814. [bug] Socket objects left over from accept() failures
|
|
were incorrectly destroyed, causing corruption
|
|
of socket manager data structures.
|
|
|
|
813. [bug] File descriptors exceeding FD_SETSIZE were handled
|
|
badly. [RT #1192]
|
|
|
|
812. [bug] dig sometimes printed incomplete IXFR responses
|
|
due to an uninitialized variable. [RT #1188]
|
|
|
|
811. [bug] Parentheses were not quoted in zone dumps. [RT #1194]
|
|
|
|
810. [bug] The signer name in SIG records was not properly
|
|
down-cased when signing/verifying records. [RT #1186]
|
|
|
|
809. [bug] Configuring a non-local address as a transfer-source
|
|
could cause an assertion failure during load.
|
|
|
|
808. [func] Add 'rndc flush' to flush the server's cache.
|
|
|
|
807. [bug] When setting up TCP connections for incoming zone
|
|
transfers, the transfer-source port was not
|
|
ignored like it should be.
|
|
|
|
806. [bug] DNS_R_SEENINCLUDE was failing to propagate back up
|
|
the calling stack to the zone maintenance level,
|
|
causing zones to not reload when an included file was
|
|
touched but the top-level zone file was not.
|
|
|
|
805. [bug] When using "forward only", missing root hints should
|
|
not cause queries to fail. [RT #1143]
|
|
|
|
804. [bug] Attempting to obtain entropy could fail in some
|
|
situations. This would be most common on systems
|
|
with user-space threads. [RT #1131]
|
|
|
|
803. [bug] Treat all SIG queries as if they have the CD bit set,
|
|
otherwise no data will be returned [RT #749]
|
|
|
|
802. [bug] DNSSEC key tags were computed incorrectly in almost
|
|
all cases. [RT #1146]
|
|
|
|
801. [bug] nsupdate should treat lines beginning with ';' as
|
|
comments. [RT #1139]
|
|
|
|
800. [bug] dnssec-signzone produced incorrect statistics for
|
|
large zones. [RT #1133]
|
|
|
|
799. [bug] The ADB didn't find AAAA glue in a zone unless A6
|
|
glue was also present.
|
|
|
|
798. [bug] nsupdate should be able to reject bad input lines
|
|
and continue. [RT #1130]
|
|
|
|
797. [func] Issue a warning if the 'directory' option contains
|
|
a relative path. [RT #269]
|
|
|
|
796. [func] When a size limit is associated with a log file,
|
|
only roll it when the size is reached, not every
|
|
time the log file is opened. [RT #1096]
|
|
|
|
795. [func] Add the +multiline option to dig. [RT #1095]
|
|
|
|
794. [func] Implement the "port" and "default-port" statements
|
|
in rndc.conf.
|
|
|
|
793. [cleanup] The DNSSEC tools could create filenames that were
|
|
illegal or contained shell meta-characters. They
|
|
now use a different text encoding of names that
|
|
doesn't have these problems. [RT #1101]
|
|
|
|
792. [cleanup] Replace the OMAPI command channel protocol with a
|
|
simpler one.
|
|
|
|
791. [bug] The command channel now works over IPv6.
|
|
|
|
790. [bug] Wildcards created using dynamic update or IXFR
|
|
could fail to match. [RT #1111]
|
|
|
|
789. [bug] The "localhost" and "localnets" ACLs did not match
|
|
when used as the second element of a two-element
|
|
sortlist item.
|
|
|
|
788. [func] Add the "match-mapped-addresses" option, which
|
|
causes IPv6 v4mapped addresses to be treated as
|
|
IPv4 addresses for the purpose of acl matching.
|
|
|
|
787. [bug] The DNSSEC tools failed to downcase domain
|
|
names when mapping them into file names.
|
|
|
|
786. [bug] When DNSSEC signing/verifying data, owner names were
|
|
not properly down-cased.
|
|
|
|
785. [bug] A race condition in the resolver could cause
|
|
an assertion failure. [RT #673, #872, #1048]
|
|
|
|
784. [bug] nsupdate and other programs would not quit properly
|
|
if some signals were blocked by the caller. [RT #1081]
|
|
|
|
783. [bug] Following CNAMEs could cause an assertion failure
|
|
when either using an sdb database or under very
|
|
rare conditions.
|
|
|
|
782. [func] Implement the "serial-query-rate" option.
|
|
|
|
781. [func] Avoid error packet loops by dropping duplicate FORMERR
|
|
responses. [RT #1006]
|
|
|
|
780. [bug] Error handling code dealing with out of memory or
|
|
other rare errors could lead to assertion failures
|
|
by calling functions on uninitialized names. [RT #1065]
|
|
|
|
779. [func] Added the "minimal-responses" option.
|
|
|
|
778. [bug] When starting cache cleaning, cleaning_timer_action()
|
|
returned without first pausing the iterator, which
|
|
could cause deadlock. [RT #998]
|
|
|
|
777. [bug] An empty forwarders list in a zone failed to override
|
|
global forwarders. [RT #995]
|
|
|
|
776. [func] Improved error reporting in denied messages. [RT #252]
|
|
|
|
775. [placeholder]
|
|
|
|
774. [func] max-cache-size is implemented.
|
|
|
|
773. [func] Added isc_rwlock_trylock() to attempt to lock without
|
|
blocking.
|
|
|
|
772. [bug] Owner names could be incorrectly omitted from cache
|
|
dumps in the presence of negative caching entries.
|
|
[RT #991]
|
|
|
|
771. [cleanup] TSIG errors related to unsynchronized clocks
|
|
are logged better. [RT #919]
|
|
|
|
770. [func] Add the "edns yes_or_no" statement to the server
|
|
clause. [RT #524]
|
|
|
|
769. [func] Improved error reporting when parsing rdata. [RT #740]
|
|
|
|
768. [bug] The server did not emit an SOA when a CNAME
|
|
or DNAME chain ended in NXDOMAIN in an
|
|
authoritative zone.
|
|
|
|
767. [placeholder]
|
|
|
|
766. [bug] A few cases in query_find() could leak fname.
|
|
This would trigger the mpctx->allocated == 0
|
|
assertion when the server exited.
|
|
[RT #739, #776, #798, #812, #818, #821, #845,
|
|
#892, #935, #966]
|
|
|
|
765. [func] ACL names are once again case insensitive, like
|
|
in BIND 8. [RT #252]
|
|
|
|
764. [func] Configuration files now allow "include" directives
|
|
in more places, such as inside the "view" statement.
|
|
[RT #377, #728, #860]
|
|
|
|
763. [func] Configuration files no longer have reserved words.
|
|
[RT #731, #753]
|
|
|
|
762. [cleanup] The named.conf and rndc.conf file parsers have
|
|
been completely rewritten.
|
|
|
|
761. [bug] _REENTRANT was still defined when building with
|
|
--disable-threads.
|
|
|
|
760. [contrib] Significant enhancements to the pgsql sdb driver.
|
|
|
|
759. [bug] The resolver didn't turn off "avoid fetches" mode
|
|
when restarting, possibly causing resolution
|
|
to fail when it should not. This bug only affected
|
|
platforms which support both IPv4 and IPv6. [RT #927]
|
|
|
|
758. [bug] The "avoid fetches" code did not treat negative
|
|
cache entries correctly, causing fetches that would
|
|
be useful to be avoided. This bug only affected
|
|
platforms which support both IPv4 and IPv6. [RT #927]
|
|
|
|
757. [func] Log zone transfers.
|
|
|
|
756. [bug] dns_zone_load() could "return" success when no master
|
|
file was configured.
|
|
|
|
755. [bug] Fix incorrectly formatted log messages in zone.c.
|
|
|
|
754. [bug] Certain failure conditions sending UDP packets
|
|
could cause the server to retry the transmission
|
|
indefinitely. [RT #902]
|
|
|
|
753. [bug] dig, host, and nslookup would fail to contact a
|
|
remote server if getaddrinfo() returned an IPv6
|
|
address on a system that doesn't support IPv6.
|
|
[RT #917]
|
|
|
|
752. [func] Correct bad tv_usec elements returned by
|
|
gettimeofday().
|
|
|
|
751. [func] Log successful zone loads / transfers. [RT #898]
|
|
|
|
750. [bug] A query should not match a DNAME whose trust level
|
|
is pending. [RT #916]
|
|
|
|
749. [bug] When a query matched a DNAME in a secure zone, the
|
|
server did not return the signature of the DNAME.
|
|
[RT #915]
|
|
|
|
748. [doc] List supported RFCs in doc/misc/rfc-compliance.
|
|
[RT #781]
|
|
|
|
747. [bug] The code to determine whether an IXFR was possible
|
|
did not properly check for a database that could
|
|
not have a journal. [RT #865, #908]
|
|
|
|
746. [bug] The sdb didn't clone rdatasets properly, causing
|
|
a crash when the server followed delegations. [RT #905]
|
|
|
|
745. [func] Report the owner name of records that fail
|
|
semantic checks while loading.
|
|
|
|
744. [bug] When returning DNS_R_CNAME or DNS_R_DNAME as the
|
|
result of an ANY or SIG query, the resolver failed
|
|
to setup the return event's rdatasets, causing an
|
|
assertion failure in the query code. [RT #881]
|
|
|
|
743. [bug] Receiving a large number of certain malformed
|
|
answers could cause named to stop responding.
|
|
[RT #861]
|
|
|
|
742. [placeholder]
|
|
|
|
741. [port] Support openssl-engine. [RT #709]
|
|
|
|
740. [port] Handle openssl library mismatches slightly better.
|
|
|
|
739. [port] Look for /dev/random in configure, rather than
|
|
assuming it will be there for only a predefined
|
|
set of OSes.
|
|
|
|
738. [bug] If a non-threadsafe sdb driver supported AXFR and
|
|
received an AXFR request, it would deadlock or die
|
|
with an assertion failure. [RT #852]
|
|
|
|
737. [port] stdtime.c failed to compile on certain platforms.
|
|
|
|
736. [func] New functions isc_task_{begin,end}exclusive().
|
|
|
|
735. [doc] Add BIND 4 migration notes.
|
|
|
|
734. [bug] An attempt to re-lock the zone lock could occur if
|
|
the server was shutdown during a zone transfer.
|
|
[RT #830]
|
|
|
|
733. [bug] Reference counts of dns_acl_t objects need to be
|
|
locked but were not. [RT #801, #821]
|
|
|
|
732. [bug] Glue with 0 TTL could also cause SERVFAIL. [RT #828]
|
|
|
|
731. [bug] Certain zone errors could cause named-checkzone to
|
|
fail ungracefully. [RT #819]
|
|
|
|
730. [bug] lwres_getaddrinfo() returns the correct result when
|
|
it fails to contact a server. [RT #768]
|
|
|
|
729. [port] pthread_setconcurrency() needs to be called on Solaris.
|
|
|
|
728. [bug] Fix comment processing on master file directives.
|
|
[RT #757]
|
|
|
|
727. [port] Work around OS bug where accept() succeeds but
|
|
fails to fill in the peer address of the accepted
|
|
connection, by treating it as an error rather than
|
|
an assertion failure. [RT #809]
|
|
|
|
726. [func] Implement the "trace" and "notrace" commands in rndc.
|
|
|
|
725. [bug] Installing man pages could fail.
|
|
|
|
724. [func] New libisc functions isc_netaddr_any(),
|
|
isc_netaddr_any6().
|
|
|
|
723. [bug] Referrals whose NS RRs had a 0 TTL caused the resolver
|
|
to return DNS_R_SERVFAIL. [RT #783]
|
|
|
|
722. [func] Allow incremental loads to be canceled.
|
|
|
|
721. [cleanup] Load manager and dns_master_loadfilequota() are no
|
|
more.
|
|
|
|
720. [bug] Server could enter infinite loop in
|
|
dispatch.c:do_cancel(). [RT #733]
|
|
|
|
719. [bug] Rapid reloads could trigger an assertion failure.
|
|
[RT #743, #763]
|
|
|
|
718. [cleanup] "internal" is no longer a reserved word in named.conf.
|
|
[RT #753, #731]
|
|
|
|
717. [bug] Certain TKEY processing failure modes could
|
|
reference an uninitialized variable, causing the
|
|
server to crash. [RT #750]
|
|
|
|
716. [bug] The first line of a $INCLUDE master file was lost if
|
|
an origin was specified. [RT #744]
|
|
|
|
715. [bug] Resolving some A6 chains could cause an assertion
|
|
failure in adb.c. [RT #738]
|
|
|
|
714. [bug] Preserve interval timers across reloads unless changed.
|
|
[RT #729]
|
|
|
|
713. [func] named-checkconf takes '-t directory' similar to named.
|
|
[RT #726]
|
|
|
|
712. [bug] Sending a large signed update message caused an
|
|
assertion failure. [RT #718]
|
|
|
|
711. [bug] The libisc and liblwres implementations of
|
|
inet_ntop contained an off by one error.
|
|
|
|
710. [func] The forwarders statement now takes an optional
|
|
port. [RT #418]
|
|
|
|
709. [bug] ANY or SIG queries for data with a TTL of 0
|
|
would return SERVFAIL. [RT #620]
|
|
|
|
708. [bug] When building with --with-openssl, the openssl headers
|
|
included with BIND 9 should not be used. [RT #702]
|
|
|
|
707. [func] The "filename" argument to named-checkzone is no
|
|
longer optional, to reduce confusion. [RT #612]
|
|
|
|
706. [bug] Zones with an explicit "allow-update { none; };"
|
|
were considered dynamic and therefore not reloaded
|
|
on SIGHUP or "rndc reload".
|
|
|
|
705. [port] Work out resource limit type for use where rlim_t is
|
|
not available. [RT #695]
|
|
|
|
704. [port] RLIMIT_NOFILE is not available on all platforms.
|
|
[RT #695]
|
|
|
|
703. [port] sys/select.h is needed on older platforms. [RT #695]
|
|
|
|
702. [func] If the address 0.0.0.0 is seen in resolv.conf,
|
|
use 127.0.0.1 instead. [RT #693]
|
|
|
|
701. [func] Root hints are now fully optional. Class IN
|
|
views use compiled-in hints by default, as
|
|
before. Non-IN views with no root hints now
|
|
provide authoritative service but not recursion.
|
|
A warning is logged if a view has neither root
|
|
hints nor authoritative data for the root. [RT #696]
|
|
|
|
700. [bug] $GENERATE range check was wrong. [RT #688]
|
|
|
|
699. [bug] The lexer mishandled empty quoted strings. [RT #694]
|
|
|
|
698. [bug] Aborting nsupdate with ^C would lead to several
|
|
race conditions.
|
|
|
|
697. [bug] nsupdate was not compatible with the undocumented
|
|
BIND 8 behavior of ignoring TTLs in "update delete"
|
|
commands. [RT #693]
|
|
|
|
696. [bug] lwresd would die with an assertion failure when passed
|
|
a zero-length name. [RT #692]
|
|
|
|
695. [bug] If the resolver attempted to query a blackholed or
|
|
bogus server, the resolution would fail immediately.
|
|
|
|
694. [bug] $GENERATE did not produce the last entry.
|
|
[RT #682, #683]
|
|
|
|
693. [bug] An empty lwres statement in named.conf caused
|
|
the server to crash while loading.
|
|
|
|
692. [bug] Deal with systems that have getaddrinfo() but not
|
|
gai_strerror(). [RT #679]
|
|
|
|
691. [bug] Configuring per-view forwarders caused an assertion
|
|
failure. [RT #675, #734]
|
|
|
|
690. [func] $GENERATE now supports DNAME. [RT #654]
|
|
|
|
689. [doc] man pages are now installed. [RT #210]
|
|
|
|
688. [func] "make tags" now works on systems with the
|
|
"Exuberant Ctags" etags.
|
|
|
|
687. [bug] Only say we have IPv6, with sufficient functionality,
|
|
if it has actually been tested. [RT #586]
|
|
|
|
686. [bug] dig and nslookup can now be properly aborted during
|
|
blocking operations. [RT #568]
|
|
|
|
685. [bug] nslookup should use the search list/domain options
|
|
from resolv.conf by default. [RT #405, #630]
|
|
|
|
684. [bug] Memory leak with view forwarders. [RT #656]
|
|
|
|
683. [bug] File descriptor leak in isc_lex_openfile().
|
|
|
|
682. [bug] nslookup displayed SOA records incorrectly. [RT #665]
|
|
|
|
681. [bug] $GENERATE specifying output format was broken. [RT #653]
|
|
|
|
680. [bug] dns_rdata_fromstruct() mishandled options bigger
|
|
than 255 octets.
|
|
|
|
679. [bug] $INCLUDE could leak memory and file descriptors on
|
|
reload. [RT #639]
|
|
|
|
678. [bug] "transfer-format one-answer;" could trigger an assertion
|
|
failure. [RT #646]
|
|
|
|
677. [bug] dnssec-signzone would occasionally use the wrong ttl
|
|
for database operations and fail. [RT #643]
|
|
|
|
676. [bug] Log messages about lame servers to category
|
|
'lame-servers' rather than 'resolver', so as not
|
|
to be gratuitously incompatible with BIND 8.
|
|
|
|
675. [bug] TKEY queries could cause the server to leak
|
|
memory.
|
|
|
|
674. [func] Allow messages to be TSIG signed / verified using
|
|
a offset from the current time.
|
|
|
|
673. [func] The server can now convert RFC1886-style recursive
|
|
lookup requests into RFC2874-style lookups, when
|
|
enabled using the new option "allow-v6-synthesis".
|
|
|
|
672. [bug] The wrong time was in the "time signed" field when
|
|
replying with BADTIME error.
|
|
|
|
671. [bug] The message code was failing to parse a message with
|
|
no question section and a TSIG record. [RT #628]
|
|
|
|
670. [bug] The lwres replacements for getaddrinfo and
|
|
getipnodebyname didn't properly check for the
|
|
existence of the sockaddr sa_len field.
|
|
|
|
669. [bug] dnssec-keygen now makes the public key file
|
|
non-world-readable for symmetric keys. [RT #403]
|
|
|
|
668. [func] named-checkzone now reports multiple errors in master
|
|
files.
|
|
|
|
667. [bug] On Linux, running named with the -u option and a
|
|
non-world-readable configuration file didn't work.
|
|
[RT #626]
|
|
|
|
666. [bug] If a request sent by dig is longer than 512 bytes,
|
|
use TCP.
|
|
|
|
665. [bug] Signed responses were not sent when the size of the
|
|
TSIG + question exceeded the maximum message size.
|
|
[RT #628]
|
|
|
|
664. [bug] The t_tasks and t_timers module tests are now skipped
|
|
when building without threads, since they require
|
|
threads.
|
|
|
|
663. [func] Accept a size_spec, not just an integer, in the
|
|
(unimplemented and ignored) max-ixfr-log-size option
|
|
for compatibility with recent versions of BIND 8.
|
|
[RT #613]
|
|
|
|
662. [bug] dns_rdata_fromtext() failed to log certain errors.
|
|
|
|
661. [bug] Certain UDP IXFR requests caused an assertion failure
|
|
(mpctx->allocated == 0). [RT #355, #394, #623]
|
|
|
|
660. [port] Detect multiple CPUs on HP-UX and IRIX.
|
|
|
|
659. [performance] Rewrite the name compression code to be much faster.
|
|
|
|
658. [cleanup] Remove all vestiges of 16 bit global compression.
|
|
|
|
657. [bug] When a listen-on statement in an lwres block does not
|
|
specify a port, use 921, not 53. Also update the
|
|
listen-on documentation. [RT #616]
|
|
|
|
656. [func] Treat an unescaped newline in a quoted string as
|
|
an error. This means that TXT records with missing
|
|
close quotes should have meaningful errors printed.
|
|
|
|
655. [bug] Improve error reporting on unexpected eof when loading
|
|
zones. [RT #611]
|
|
|
|
654. [bug] Origin was being forgotten in TCP retries in dig.
|
|
[RT #574]
|
|
|
|
653. [bug] +defname option in dig was reversed in sense.
|
|
[RT #549]
|
|
|
|
652. [bug] zone_saveunique() did not report the new name.
|
|
|
|
651. [func] The AD bit in responses now has the meaning
|
|
specified in <draft-ietf-dnsext-ad-is-secure>.
|
|
|
|
650. [bug] SIG(0) records were being generated and verified
|
|
incorrectly. [RT #606]
|
|
|
|
649. [bug] It was possible to join to an already running fctx
|
|
after it had "cloned" its events, but before it sent
|
|
them. In this case, the event of the newly joined
|
|
fetch would not contain the answer, and would
|
|
trigger the INSIST() in fctx_sendevents(). In
|
|
BIND 9.0, this bug did not trigger an INSIST(), but
|
|
caused the fetch to fail with a SERVFAIL result.
|
|
[RT #588, #597, #605, #607]
|
|
|
|
648. [port] Add support for pre-RFC2133 IPv6 implementations.
|
|
|
|
647. [bug] Resolver queries sent after following multiple
|
|
referrals had excessively long retransmission
|
|
timeouts due to incorrectly counting the referrals
|
|
as "restarts".
|
|
|
|
646. [bug] The UnixWare ISC_PLATFORM_FIXIN6INADDR fix in isc/net.h
|
|
didn't _cleanly_ fix the problem it was trying to fix.
|
|
|
|
645. [port] BSD/OS 3.0 needs pthread_init(). [RT #603]
|
|
|
|
644. [bug] #622 needed more work. [RT #562]
|
|
|
|
643. [bug] xfrin error messages made more verbose, added class
|
|
of the zone. [RT #599]
|
|
|
|
642. [bug] Break the exit_check() race in the zone module.
|
|
[RT #598]
|
|
|
|
--- 9.1.0b2 released ---
|
|
|
|
641. [bug] $GENERATE caused a uninitialized link to be used.
|
|
[RT #595]
|
|
|
|
640. [bug] Memory leak in error path could cause
|
|
"mpctx->allocated == 0" failure. [RT #584]
|
|
|
|
639. [bug] Reading entropy from the keyboard would sometimes fail.
|
|
[RT #591]
|
|
|
|
638. [port] lib/isc/random.c needed to explicitly include time.h
|
|
to get a prototype for time() when pthreads was not
|
|
being used. [RT #592]
|
|
|
|
637. [port] Use isc_u?int64_t instead of (unsigned) long long in
|
|
lib/isc/print.c. Also allow lib/isc/print.c to
|
|
be compiled even if the platform does not need it.
|
|
[RT #592]
|
|
|
|
636. [port] Shut up MSVC++ about a possible loss of precision
|
|
in the ISC__BUFFER_PUTUINT*() macros. [RT #592]
|
|
|
|
635. [bug] Reloading a server with a configured blackhole list
|
|
would cause an assertion. [RT #590]
|
|
|
|
634. [bug] A log file will completely stop being written when
|
|
it reaches the maximum size in all cases, not just
|
|
when versioning is also enabled. [RT #570]
|
|
|
|
633. [port] Cope with rlim_t missing on BSD/OS systems. [RT #575]
|
|
|
|
632. [bug] The index array of the journal file was
|
|
corrupted as it was written to disk.
|
|
|
|
631. [port] Build without thread support on systems without
|
|
pthreads.
|
|
|
|
630. [bug] Locking failure in zone code. [RT #582]
|
|
|
|
629. [bug] 9.1.0b1 dereferenced a null pointer and crashed
|
|
when responding to a UDP IXFR request.
|
|
|
|
628. [bug] If the root hints contained only AAAA addresses,
|
|
named would be unable to perform resolution.
|
|
|
|
627. [bug] The EDNS0 blackhole detection code of change 324
|
|
waited for three retransmissions to each server,
|
|
which takes much too long when a domain has many
|
|
name servers and all of them drop EDNS0 queries.
|
|
Now we retry without EDNS0 after three consecutive
|
|
timeouts, even if they are all from different
|
|
servers. [RT #143]
|
|
|
|
626. [bug] The lightweight resolver daemon no longer crashes
|
|
when asked for a SIG rrset. [RT #558]
|
|
|
|
625. [func] Zones now inherit their class from the enclosing view.
|
|
|
|
624. [bug] The zone object could get timer events after it had
|
|
been destroyed, causing a server crash. [RT #571]
|
|
|
|
623. [func] Added "named-checkconf" and "named-checkzone" program
|
|
for syntax checking named.conf files and zone files,
|
|
respectively.
|
|
|
|
622. [bug] A canceled request could be destroyed before
|
|
dns_request_destroy() was called. [RT #562]
|
|
|
|
621. [port] Disable IPv6 at runtime if IPv6 sockets are unusable.
|
|
This mostly affects Red Hat Linux 7.0, which has
|
|
conflicts between libc and the kernel.
|
|
|
|
620. [bug] dns_master_load*inc() now require 'task' and 'load'
|
|
to be non-null. Also 'done' will not be called if
|
|
dns_master_load*inc() fails immediately. [RT #565]
|
|
|
|
619. [placeholder]
|
|
|
|
618. [bug] Queries to a signed zone could sometimes cause
|
|
an assertion failure.
|
|
|
|
617. [bug] When using dynamic update to add a new RR to an
|
|
existing RRset with a different TTL, the journal
|
|
entries generated from the update did not include
|
|
explicit deletions and re-additions of the existing
|
|
RRs to update their TTL to the new value.
|
|
|
|
616. [func] dnssec-signzone -t output now includes performance
|
|
statistics.
|
|
|
|
615. [bug] dnssec-signzone did not like child keysets signed
|
|
by multiple keys.
|
|
|
|
614. [bug] Checks for uninitialized link fields were prone
|
|
to false positives, causing assertion failures.
|
|
The checks are now disabled by default and may
|
|
be re-enabled by defining ISC_LIST_CHECKINIT.
|
|
|
|
613. [bug] "rndc reload zone" now reloads primary zones.
|
|
It previously only updated slave and stub zones,
|
|
if an SOA query indicated an out of date serial.
|
|
|
|
612. [cleanup] Shutup a ridiculously noisy HP-UX compiler that
|
|
complains relentlessly about how its treatment
|
|
of 'const' has changed as well as how casting
|
|
sometimes tightens alignment constraints.
|
|
|
|
611. [func] allow-notify can be used to permit processing of
|
|
notify messages from hosts other than a slave's
|
|
masters.
|
|
|
|
610. [func] rndc dumpdb is now supported.
|
|
|
|
609. [bug] getrrsetbyname() would crash lwresd if the server
|
|
found more SIGs than answers. [RT #554]
|
|
|
|
608. [func] dnssec-signzone now adds a comment to the zone
|
|
with the time the file was signed.
|
|
|
|
607. [bug] nsupdate would fail if it encountered a CNAME or
|
|
DNAME in a response to an SOA query. [RT #515]
|
|
|
|
606. [bug] Compiling with --disable-threads failed due
|
|
to isc_thread_self() being incorrectly defined
|
|
as an integer rather than a function.
|
|
|
|
605. [func] New function isc_lex_getlasttokentext().
|
|
|
|
604. [bug] The named.conf parser could print incorrect line
|
|
numbers when long comments were present.
|
|
|
|
603. [bug] Make dig handle multiple types or classes on the same
|
|
query more correctly.
|
|
|
|
602. [func] Cope automatically with UnixWare's broken
|
|
IN6_IS_ADDR_* macros. [RT #539]
|
|
|
|
601. [func] Return a non-zero exit code if an update fails
|
|
in nsupdate.
|
|
|
|
600. [bug] Reverse lookups sometimes failed in dig, etc...
|
|
|
|
599. [func] Added four new functions to the libisc log API to
|
|
support i18n messages. isc_log_iwrite(),
|
|
isc_log_ivwrite(), isc_log_iwrite1() and
|
|
isc_log_ivwrite1() were added.
|
|
|
|
598. [bug] An update-policy statement would cause the server
|
|
to assert while loading. [RT #536]
|
|
|
|
597. [func] dnssec-signzone is now multi-threaded.
|
|
|
|
596. [bug] DNS_RDATASLAB_FORCE and DNS_RDATASLAB_EXACT are
|
|
not mutually exclusive.
|
|
|
|
595. [port] On Linux 2.2, socket() returns EINVAL when it
|
|
should return EAFNOSUPPORT. Work around this.
|
|
[RT #531]
|
|
|
|
594. [func] sdb drivers are now assumed to not be thread-safe
|
|
unless the DNS_SDBFLAG_THREADSAFE flag is supplied.
|
|
|
|
593. [bug] If a secure zone was missing all its NXTs and
|
|
a dynamic update was attempted, the server entered
|
|
an infinite loop.
|
|
|
|
592. [bug] The sig-validity-interval option now specifies a
|
|
number of days, not seconds. This matches the
|
|
documentation. [RT #529]
|
|
|
|
--- 9.1.0b1 released ---
|
|
|
|
591. [bug] Work around non-reentrancy in openssl by disabling
|
|
pre-computation in keys.
|
|
|
|
590. [doc] There are now man pages for the lwres library in
|
|
doc/man/lwres.
|
|
|
|
589. [bug] The server could deadlock if a zone was updated
|
|
while being transferred out.
|
|
|
|
588. [bug] ctx->in_use was not being correctly initialized when
|
|
when pushing a file for $INCLUDE. [RT #523]
|
|
|
|
587. [func] A warning is now printed if the "allow-update"
|
|
option allows updates based on the source IP
|
|
address, to alert users to the fact that this
|
|
is insecure and becoming increasingly so as
|
|
servers capable of update forwarding are being
|
|
deployed.
|
|
|
|
586. [bug] multiple views with the same name were fatal. [RT #516]
|
|
|
|
585. [func] dns_db_addrdataset() and and dns_rdataslab_merge()
|
|
now support 'exact' additions in a similar manner to
|
|
dns_db_subtractrdataset() and dns_rdataslab_subtract().
|
|
|
|
584. [func] You can now say 'notify explicit'; to suppress
|
|
notification of the servers listed in NS records
|
|
and notify only those servers listed in the
|
|
'also-notify' option.
|
|
|
|
583. [func] "rndc querylog" will now toggle logging of
|
|
queries, like "ndc querylog" in BIND 8.
|
|
|
|
582. [bug] dns_zone_idetach() failed to lock the zone.
|
|
[RT #199, #463]
|
|
|
|
581. [bug] log severity was not being correctly processed.
|
|
[RT #485]
|
|
|
|
580. [func] Ignore trailing garbage on incoming DNS packets,
|
|
for interoperability with broken server
|
|
implementations. [RT #491]
|
|
|
|
579. [bug] nsupdate did not take a filename to read update from.
|
|
[RT #492]
|
|
|
|
578. [func] New config option "notify-source", to specify the
|
|
source address for notify messages.
|
|
|
|
577. [func] Log illegal RDATA combinations. e.g. multiple
|
|
singleton types, cname and other data.
|
|
|
|
576. [doc] isc_log_create() description did not match reality.
|
|
|
|
575. [bug] isc_log_create() was not setting internal state
|
|
correctly to reflect the default channels created.
|
|
|
|
574. [bug] TSIG signed queries sent by the resolver would fail to
|
|
have their responses validated and would leak memory.
|
|
|
|
573. [bug] The journal files of IXFRed slave zones were
|
|
inadvertently discarded on server reload, causing
|
|
"journal out of sync with zone" errors on subsequent
|
|
reloads. [RT #482]
|
|
|
|
572. [bug] Quoted strings were not accepted as key names in
|
|
address match lists.
|
|
|
|
571. [bug] It was possible to create an rdataset of singleton
|
|
type which had more than one rdata. [RT #154]
|
|
[RT #279]
|
|
|
|
570. [bug] rbtdb.c allowed zones containing nodes which had
|
|
both a CNAME and "other data". [RT #154]
|
|
|
|
569. [func] The DNSSEC AD bit will not be set on queries which
|
|
have not requested a DNSSEC response.
|
|
|
|
568. [func] Add sample simple database drivers in contrib/sdb.
|
|
|
|
567. [bug] Setting the zone transfer timeout to zero caused an
|
|
assertion failure. [RT #302]
|
|
|
|
566. [func] New public function dns_timer_setidle().
|
|
|
|
565. [func] Log queries more like BIND 8: query logging is now
|
|
done to category "queries", level "info". [RT #169]
|
|
|
|
564. [func] Add sortlist support to lwresd.
|
|
|
|
563. [func] New public functions dns_rdatatype_format() and
|
|
dns_rdataclass_format(), for convenient formatting
|
|
of rdata type/class mnemonics in log messages.
|
|
|
|
562. [cleanup] Moved lib/dns/*conf.c to bin/named where they belong.
|
|
|
|
561. [func] The 'datasize', 'stacksize', 'coresize' and 'files'
|
|
clauses of the options{} statement are now implemented.
|
|
|
|
560. [bug] dns_name_split did not properly the resulting prefix
|
|
when a maximal length bitstring label was split which
|
|
was preceded by another bitstring label. [RT #429]
|
|
|
|
559. [bug] dns_name_split did not properly create the suffix
|
|
when splitting within a maximal length bitstring label.
|
|
|
|
558. [func] New functions, isc_resource_getlimit and
|
|
isc_resource_setlimit.
|
|
|
|
557. [func] Symbolic constants for libisc integral types.
|
|
|
|
556. [func] The DNSSEC OK bit in the EDNS extended flags
|
|
is now implemented. Responses to queries without
|
|
this bit set will not contain any DNSSEC records.
|
|
|
|
555. [bug] A slave server attempting a zone transfer could
|
|
crash with an assertion failure on certain
|
|
malformed responses from the master. [RT #457]
|
|
|
|
554. [bug] In some cases, not all of the dnssec tools were
|
|
properly installed.
|
|
|
|
553. [bug] Incoming zone transfers deferred due to quota
|
|
were not started when quota was increased but
|
|
only when a transfer in progress finished. [RT #456]
|
|
|
|
552. [bug] We were not correctly detecting the end of all c-style
|
|
comments. [RT #455]
|
|
|
|
551. [func] Implemented the 'sortlist' option.
|
|
|
|
550. [func] Support unknown rdata types and classes.
|
|
|
|
549. [bug] "make" did not immediately abort the build when a
|
|
subdirectory make failed [RT #450].
|
|
|
|
548. [func] The lexer now ungets tokens more correctly.
|
|
|
|
547. [placeholder]
|
|
|
|
546. [func] Option 'lame-ttl' is now implemented.
|
|
|
|
545. [func] Name limit and counting options removed from dig;
|
|
they didn't work properly, and cannot be correctly
|
|
implemented without significant changes.
|
|
|
|
544. [func] Add statistics option, enable statistics-file option,
|
|
add RNDC option "dump-statistics" to write out a
|
|
query statistics file.
|
|
|
|
543. [doc] The 'port' option is now documented.
|
|
|
|
542. [func] Add support for update forwarding as required for
|
|
full compliance with RFC2136. It is turned off
|
|
by default and can be enabled using the
|
|
'allow-update-forwarding' option.
|
|
|
|
541. [func] Add bogus server support.
|
|
|
|
540. [func] Add dialup support.
|
|
|
|
539. [func] Support the blackhole option.
|
|
|
|
538. [bug] fix buffer overruns by 1 in lwres_getnameinfo().
|
|
|
|
537. [placeholder]
|
|
|
|
536. [func] Use transfer-source{-v6} when sending refresh queries.
|
|
Transfer-source{-v6} now take a optional port
|
|
parameter for setting the UDP source port. The port
|
|
parameter is ignored for TCP.
|
|
|
|
535. [func] Use transfer-source{-v6} when forwarding update
|
|
requests.
|
|
|
|
534. [func] Ancestors have been removed from RBT chains. Ancestor
|
|
information can be discerned via node parent pointers.
|
|
|
|
533. [func] Incorporated name hashing into the RBT database to
|
|
improve search speed.
|
|
|
|
532. [func] Implement DNS UPDATE pseudo records using
|
|
DNS_RDATA_UPDATE flag.
|
|
|
|
531. [func] Rdata really should be initialized before being assigned
|
|
to (dns_rdata_fromwire(), dns_rdata_fromtext(),
|
|
dns_rdata_clone(), dns_rdata_fromregion()),
|
|
check that it is.
|
|
|
|
530. [func] New function dns_rdata_invalidate().
|
|
|
|
529. [bug] 521 contained a bug which caused zones to always
|
|
reload. [RT #410]
|
|
|
|
528. [func] The ISC_LIST_XXXX macros now perform sanity checks
|
|
on their arguments. ISC_LIST_XXXXUNSAFE can be use
|
|
to skip the checks however use with caution.
|
|
|
|
527. [func] New function dns_rdata_clone().
|
|
|
|
526. [bug] nsupdate incorrectly refused to add RRs with a TTL
|
|
of 0.
|
|
|
|
525. [func] New arguments 'options' for dns_db_subtractrdataset(),
|
|
and 'flags' for dns_rdataslab_subtract() allowing you
|
|
to request that the RR's must exist prior to deletion.
|
|
DNS_R_NOTEXACT is returned if the condition is not met.
|
|
|
|
524. [func] The 'forward' and 'forwarders' statement in
|
|
non-forward zones should work now.
|
|
|
|
523. [doc] The source to the Administrator Reference Manual is
|
|
now an XML file using the DocBook DTD, and is included
|
|
in the distribution. The plain text version of the
|
|
ARM is temporarily unavailable while we figure out
|
|
how to generate readable plain text from the XML.
|
|
|
|
522. [func] The lightweight resolver daemon can now use
|
|
a real configuration file, and its functionality
|
|
can be provided by a name server. Also, the -p and -P
|
|
options to lwresd have been reversed.
|
|
|
|
521. [bug] Detect master files which contain $INCLUDE and always
|
|
reload. [RT #196]
|
|
|
|
520. [bug] Upgraded libtool to 1.3.5, which makes shared
|
|
library builds almost work on AIX (and possibly
|
|
others).
|
|
|
|
519. [bug] dns_name_split() would improperly split some bitstring
|
|
labels, zeroing a few of the least significant bits in
|
|
the prefix part. When such an improperly created
|
|
prefix was returned to the RBT database, the bogus
|
|
label was dutifully stored, corrupting the tree.
|
|
[RT #369]
|
|
|
|
518. [bug] The resolver did not realize that a DNAME which was
|
|
"the answer" to the client's query was "the answer",
|
|
and such queries would fail. [RT #399]
|
|
|
|
517. [bug] The resolver's DNAME code would trigger an assertion
|
|
if there was more than one DNAME in the chain.
|
|
[RT #399]
|
|
|
|
516. [bug] Cache lookups which had a NULL node pointer, e.g.
|
|
those by dns_view_find(), and which would match a
|
|
DNAME, would trigger an INSIST(!search.need_cleanup)
|
|
assertion. [RT #399]
|
|
|
|
515. [bug] The ssu table was not being attached / detached
|
|
by dns_zone_[sg]etssutable. [RT #397]
|
|
|
|
514. [func] Retry refresh and notify queries if they timeout.
|
|
[RT #388]
|
|
|
|
513. [func] New functionality added to rdnc and server to allow
|
|
individual zones to be refreshed or reloaded.
|
|
|
|
512. [bug] The zone transfer code could throw an exception with
|
|
an invalid IXFR stream.
|
|
|
|
511. [bug] The message code could throw an assertion on an
|
|
out of memory failure. [RT #392]
|
|
|
|
510. [bug] Remove spurious view notify warning. [RT #376]
|
|
|
|
509. [func] Add support for write of zone files on shutdown.
|
|
|
|
508. [func] dns_message_parse() can now do a best-effort
|
|
attempt, which should allow dig to print more invalid
|
|
messages.
|
|
|
|
507. [func] New functions dns_zone_flush(), dns_zt_flushanddetach()
|
|
and dns_view_flushanddetach().
|
|
|
|
506. [func] Do not fail to start on errors in zone files.
|
|
|
|
505. [bug] nsupdate was printing "unknown result code". [RT #373]
|
|
|
|
504. [bug] The zone was not being marked as dirty when updated via
|
|
IXFR.
|
|
|
|
503. [bug] dumptime was not being set along with
|
|
DNS_ZONEFLG_NEEDDUMP.
|
|
|
|
502. [func] On a SERVFAIL reply, DiG will now try the next server
|
|
in the list, unless the +fail option is specified.
|
|
|
|
501. [bug] Incorrect port numbers were being displayed by
|
|
nslookup. [RT #352]
|
|
|
|
500. [func] Nearly useless +details option removed from DiG.
|
|
|
|
499. [func] In DiG, specifying a class with -c or type with -t
|
|
changes command-line parsing so that classes and
|
|
types are only recognized if following -c or -t.
|
|
This allows hosts with the same name as a class or
|
|
type to be looked up.
|
|
|
|
498. [doc] There is now a man page for "dig"
|
|
in doc/man/bin/dig.1.
|
|
|
|
497. [bug] The error messages printed when an IP match list
|
|
contained a network address with a nonzero host
|
|
part where not sufficiently detailed. [RT #365]
|
|
|
|
496. [bug] named didn't sanity check numeric parameters. [RT #361]
|
|
|
|
495. [bug] nsupdate was unable to handle large records. [RT #368]
|
|
|
|
494. [func] Do not cache NXDOMAIN responses for SOA queries.
|
|
|
|
493. [func] Return non-cachable (ttl = 0) NXDOMAIN responses
|
|
for SOA queries. This makes it easier to locate
|
|
the containing zone without polluting intermediate
|
|
caches.
|
|
|
|
492. [bug] attempting to reload a zone caused the server fail
|
|
to shutdown cleanly. [RT #360]
|
|
|
|
491. [bug] nsupdate would segfault when sending certain
|
|
prerequisites with empty RDATA. [RT #356]
|
|
|
|
490. [func] When a slave/stub zone has not yet successfully
|
|
obtained an SOA containing the zone's configured
|
|
retry time, perform the SOA query retries using
|
|
exponential backoff. [RT #337]
|
|
|
|
489. [func] The zone manager now has a "i/o" queue.
|
|
|
|
488. [bug] Locks weren't properly destroyed in some cases.
|
|
|
|
487. [port] flockfile() is not defined on all systems.
|
|
|
|
486. [bug] nslookup: "set all" and "server" commands showed
|
|
the incorrect port number if a port other than 53
|
|
was specified. [RT #352]
|
|
|
|
485. [func] When dig had more than one server to query, it would
|
|
send all of the messages at the same time. Add
|
|
rate limiting of the transmitted messages.
|
|
|
|
484. [bug] When the server was reloaded after removing addresses
|
|
from the named.conf "listen-on" statement, sockets
|
|
were still listening on the removed addresses due
|
|
to reference count loops. [RT #325]
|
|
|
|
483. [bug] nslookup: "set all" showed a "search" option but it
|
|
was not settable.
|
|
|
|
482. [bug] nslookup: a plain "server" or "lserver" should be
|
|
treated as a lookup.
|
|
|
|
481. [bug] nslookup:get_next_command() stack size could exceed
|
|
per thread limit.
|
|
|
|
480. [bug] strtok() is not thread safe. [RT #349]
|
|
|
|
479. [func] The test suite can now be run by typing "make check"
|
|
or "make test" at the top level.
|
|
|
|
478. [bug] "make install" failed if the directory specified with
|
|
--prefix did not already exist.
|
|
|
|
477. [bug] The the isc-config.sh script could be installed before
|
|
its directory was created. [RT #324]
|
|
|
|
476. [bug] A zone could expire while a zone transfer was in
|
|
progress triggering a INSIST failure. [RT #329]
|
|
|
|
475. [bug] query_getzonedb() sometimes returned a non-null version
|
|
on failure. This caused assertion failures when
|
|
generating query responses where names subject to
|
|
additional section processing pointed to a zone
|
|
to which access had been denied by means of the
|
|
allow-query option. [RT #336]
|
|
|
|
474. [bug] The mnemonic of the CHAOS class is CH according to
|
|
RFC1035, but it was printed and read only as CHAOS.
|
|
We now accept both forms as input, and print it
|
|
as CH. [RT #305]
|
|
|
|
473. [bug] nsupdate overran the end of the list of name servers
|
|
when no servers could be reached, typically causing
|
|
it to print the error message "dns_request_create:
|
|
not implemented".
|
|
|
|
472. [bug] Off-by-one error caused isc_time_add() to sometimes
|
|
produce invalid time values.
|
|
|
|
471. [bug] nsupdate didn't compile on HP/UX 10.20
|
|
|
|
470. [func] $GENERATE is now supported. See also
|
|
doc/misc/migration.
|
|
|
|
469. [bug] "query-source address * port 53;" now works.
|
|
|
|
468. [bug] dns_master_load*() failed to report file and line
|
|
number in certain error conditions.
|
|
|
|
467. [bug] dns_master_load*() failed to log an error if
|
|
pushfile() failed.
|
|
|
|
466. [bug] dns_master_load*() could return success when it failed.
|
|
|
|
465. [cleanup] Allow 0 to be set as an omapi_value_t value by
|
|
omapi_value_storeint().
|
|
|
|
464. [cleanup] Build with openssl's RSA code instead of dnssafe.
|
|
|
|
463. [bug] nsupdate sent malformed SOA queries to the second
|
|
and subsequent name servers in resolv.conf if the
|
|
query sent to the first one failed.
|
|
|
|
462. [bug] --disable-ipv6 should work now.
|
|
|
|
461. [bug] Specifying an unknown key in the "keys" clause of the
|
|
"controls" statement caused a NULL pointer dereference.
|
|
[RT #316]
|
|
|
|
460. [bug] Much of the DNSSEC code only worked with class IN.
|
|
|
|
459. [bug] Nslookup processed the "set" command incorrectly.
|
|
|
|
458. [bug] Nslookup didn't properly check class and type values.
|
|
[RT #305]
|
|
|
|
457. [bug] Dig/host/hslookup didn't properly handle connect
|
|
timeouts in certain situations, causing an
|
|
unnecessary warning message to be printed.
|
|
|
|
456. [bug] Stub zones were not resetting the refresh and expire
|
|
counters, loadtime or clearing the DNS_ZONE_REFRESH
|
|
(refresh in progress) flag upon successful update.
|
|
This disabled further refreshing of the stub zone,
|
|
causing it to eventually expire. [RT #300]
|
|
|
|
455. [doc] Document IPv4 prefix notation does not require a
|
|
dotted decimal quad but may be just dotted decimal.
|
|
|
|
454. [bug] Enforce dotted decimal and dotted decimal quad where
|
|
documented as such in named.conf. [RT #304, RT #311]
|
|
|
|
453. [bug] Warn if the obsolete option "maintain-ixfr-base"
|
|
is specified in named.conf. [RT #306]
|
|
|
|
452. [bug] Warn if the unimplemented option "statistics-file"
|
|
is specified in named.conf. [RT #301]
|
|
|
|
451. [func] Update forwarding implemented.
|
|
|
|
450. [func] New function ns_client_sendraw().
|
|
|
|
449. [bug] isc_bitstring_copy() only works correctly if the
|
|
two bitstrings have the same lsb0 value, but this
|
|
requirement was not documented, nor was there a
|
|
REQUIRE for it.
|
|
|
|
448. [bug] Host output formatting change, to match v8. [RT #255]
|
|
|
|
447. [bug] Dig didn't properly retry in TCP mode after
|
|
a truncated reply. [RT #277]
|
|
|
|
446. [bug] Confusing notify log message. [RT #298]
|
|
|
|
445. [bug] Doing a 0 bit isc_bitstring_copy() of an lsb0
|
|
bitstring triggered a REQUIRE statement. The REQUIRE
|
|
statement was incorrect. [RT #297]
|
|
|
|
444. [func] "recursion denied" messages are always logged at
|
|
debug level 1, now, rather than sometimes at ERROR.
|
|
This silences these warnings in the usual case, where
|
|
some clients set the RD bit in all queries.
|
|
|
|
443. [bug] When loading a master file failed because of an
|
|
unrecognized RR type name, the error message
|
|
did not include the file name and line number.
|
|
[RT #285]
|
|
|
|
442. [bug] TSIG signed messages that did not match any view
|
|
crashed the server. [RT #290]
|
|
|
|
441. [bug] Nodes obscured by a DNAME were inaccessible even
|
|
when DNS_DBFIND_GLUEOK was set.
|
|
|
|
440. [func] New function dns_zone_forwardupdate().
|
|
|
|
439. [func] New function dns_request_createraw().
|
|
|
|
438. [func] New function dns_message_getrawmessage().
|
|
|
|
437. [func] Log NOTIFY activity to the notify channel.
|
|
|
|
436. [bug] If recvmsg() returned EHOSTUNREACH or ENETUNREACH,
|
|
which sometimes happens on Linux, named would enter
|
|
a busy loop. Also, unexpected socket errors were
|
|
not logged at a high enough logging level to be
|
|
useful in diagnosing this situation. [RT #275]
|
|
|
|
435. [bug] dns_zone_dump() overwrote existing zone files
|
|
rather than writing to a temporary file and
|
|
renaming. This could lead to empty or partial
|
|
zone files being left around in certain error
|
|
conditions involving the initial transfer of a
|
|
slave zone, interfering with subsequent server
|
|
startup. [RT #282]
|
|
|
|
434. [func] New function isc_file_isabsolute().
|
|
|
|
433. [func] isc_base64_decodestring() now accepts newlines
|
|
within the base64 data. This makes it possible
|
|
to break up the key data in a "trusted-keys"
|
|
statement into multiple lines. [RT #284]
|
|
|
|
432. [func] Added refresh/retry jitter. The actual refresh/
|
|
retry time is now a random value between 75% and
|
|
100% of the configured value.
|
|
|
|
431. [func] Log at ISC_LOG_INFO when a zone is successfully
|
|
loaded.
|
|
|
|
430. [bug] Rewrote the lightweight resolver client management
|
|
code to handle shutdown correctly and general
|
|
cleanup.
|
|
|
|
429. [bug] The space reserved for a TSIG record in a response
|
|
was 2 bytes too short, leading to message
|
|
generation failures.
|
|
|
|
428. [bug] rbtdb.c:find_closest_nxt() erroneously returned
|
|
DNS_R_BADDB for nodes which had neither NXT nor SIG NXT
|
|
(e.g. glue). This could cause SERVFAILs when
|
|
generating negative responses in a secure zone.
|
|
|
|
427. [bug] Avoid going into an infinite loop when the validator
|
|
gets a negative response to a key query where the
|
|
records are signed by the missing key.
|
|
|
|
426. [bug] Attempting to generate an oversized RSA key could
|
|
cause dnssec-keygen to dump core.
|
|
|
|
425. [bug] Warn about the auth-nxdomain default value change
|
|
if there is no auth-nxdomain statement in the
|
|
config file. [RT #287]
|
|
|
|
424. [bug] notify_createmessage() could trigger an assertion
|
|
failure when creating the notify message failed,
|
|
e.g. due to corrupt zones with multiple SOA records.
|
|
[RT #279]
|
|
|
|
423. [bug] When responding to a recursive query, errors that occur
|
|
after following a CNAME should cause the query to fail.
|
|
[RT #274]
|
|
|
|
422. [func] get rid of isc_random_t, and make isc_random_get()
|
|
and isc_random_jitter() use rand() internally
|
|
instead of local state. Note that isc_random_*()
|
|
functions are only for weak, non-critical "randomness"
|
|
such as timing jitter and such.
|
|
|
|
421. [bug] nslookup would exit when given a blank line as input.
|
|
|
|
420. [bug] nslookup failed to implement the "exit" command.
|
|
|
|
419. [bug] The certificate type PKIX was misspelled as SKIX.
|
|
|
|
418. [bug] At debug levels >= 10, getting an unexpected
|
|
socket receive error would crash the server
|
|
while trying to log the error message.
|
|
|
|
417. [func] Add isc_app_block() and isc_app_unblock(), which
|
|
allow an application to handle signals while
|
|
blocking.
|
|
|
|
416. [bug] Slave zones with no master file tried to use a
|
|
NULL pointer for a journal file name when they
|
|
received an IXFR. [RT #273]
|
|
|
|
415. [bug] The logging code leaked file descriptors.
|
|
|
|
414. [bug] Server did not shut down until all incoming zone
|
|
transfers were finished.
|
|
|
|
413. [bug] Notify could attempt to use the zone database after
|
|
it had been unloaded. [RT #267]
|
|
|
|
412. [bug] named -v didn't print the version.
|
|
|
|
411. [bug] A typo in the HS A code caused an assertion failure.
|
|
|
|
410. [bug] lwres_gethostbyname() and company set lwres_h_errno
|
|
to a random value on success.
|
|
|
|
409. [bug] If named was shut down early in the startup
|
|
process, ns_omapi_shutdown() would attempt to lock
|
|
an uninitialized mutex. [RT #262]
|
|
|
|
408. [bug] stub zones could leak memory and reference counts if
|
|
all the masters were unreachable.
|
|
|
|
407. [bug] isc_rwlock_lock() would needlessly block
|
|
readers when it reached the read quota even
|
|
if no writers were waiting.
|
|
|
|
406. [bug] Log messages were occasionally lost or corrupted
|
|
due to a race condition in isc_log_doit().
|
|
|
|
405. [func] Add support for selective forwarding (forward zones)
|
|
|
|
404. [bug] The request library didn't completely work with IPv6.
|
|
|
|
403. [bug] "host" did not use the search list.
|
|
|
|
402. [bug] Treat undefined acls as errors, rather than
|
|
warning and then later throwing an assertion.
|
|
[RT #252]
|
|
|
|
401. [func] Added simple database API.
|
|
|
|
400. [bug] SIG(0) signing and verifying was done incorrectly.
|
|
[RT #249]
|
|
|
|
399. [bug] When reloading the server with a config file
|
|
containing a syntax error, it could catch an
|
|
assertion failure trying to perform zone
|
|
maintenance on, or sending notifies from,
|
|
tentatively created zones whose views were
|
|
never fully configured and lacked an address
|
|
database and request manager.
|
|
|
|
398. [bug] "dig" sometimes caught an assertion failure when
|
|
using TSIG, depending on the key length.
|
|
|
|
397. [func] Added utility functions dns_view_gettsig() and
|
|
dns_view_getpeertsig().
|
|
|
|
396. [doc] There is now a man page for "nsupdate"
|
|
in doc/man/bin/nsupdate.8.
|
|
|
|
395. [bug] nslookup printed incorrect RR type mnemonics
|
|
for RRs of type >= 21 [RT #237].
|
|
|
|
394. [bug] Current name was not propagated via $INCLUDE.
|
|
|
|
393. [func] Initial answer while loading (awl) support.
|
|
Entry points: dns_master_loadfileinc(),
|
|
dns_master_loadstreaminc(), dns_master_loadbufferinc().
|
|
Note: calls to dns_master_load*inc() should be rate
|
|
be rate limited so as to not use up all file
|
|
descriptors.
|
|
|
|
392. [func] Add ISC_R_FAMILYNOSUPPORT. Returned when OS does
|
|
not support the given address family requested.
|
|
|
|
391. [clarity] ISC_R_FAMILY -> ISC_R_FAMILYMISMATCH.
|
|
|
|
390. [func] The function dns_zone_setdbtype() now takes
|
|
an argc/argv style vector of words and sets
|
|
both the zone database type and its arguments,
|
|
making the functions dns_zone_adddbarg()
|
|
and dns_zone_cleardbargs() unnecessary.
|
|
|
|
389. [bug] Attempting to send a request over IPv6 using
|
|
dns_request_create() on a system without IPv6
|
|
support caused an assertion failure [RT #235].
|
|
|
|
388. [func] dig and host can now do reverse ipv6 lookups.
|
|
|
|
387. [func] Add dns_byaddr_createptrname(), which converts
|
|
an address into the name used by a PTR query.
|
|
|
|
386. [bug] Missing strdup() of ACL name caused random
|
|
ACL matching failures [RT #228].
|
|
|
|
385. [cleanup] Removed functions dns_zone_equal(), dns_zone_print(),
|
|
and dns_zt_print().
|
|
|
|
384. [bug] nsupdate was incorrectly limiting TTLs to 65535 instead
|
|
of 2147483647.
|
|
|
|
383. [func] When writing a master file, print the SOA and NS
|
|
records (and their SIGs) before other records.
|
|
|
|
382. [bug] named -u failed on many Linux systems where the
|
|
libc provided kernel headers do not match
|
|
the current kernel.
|
|
|
|
381. [bug] Check for IPV6_RECVPKTINFO and use it instead of
|
|
IPV6_PKTINFO if found. [RT #229]
|
|
|
|
380. [bug] nsupdate didn't work with IPv6.
|
|
|
|
379. [func] New library function isc_sockaddr_anyofpf().
|
|
|
|
378. [func] named and lwresd will log the command line arguments
|
|
they were started with in the "starting ..." message.
|
|
|
|
377. [bug] When additional data lookups were refused due to
|
|
"allow-query", the databases were still being
|
|
attached causing reference leaks.
|
|
|
|
376. [bug] The server should always use good entropy when
|
|
performing cryptographic functions needing entropy.
|
|
|
|
375. [bug] Per-zone "allow-query" did not properly override the
|
|
view/global one for CNAME targets and additional
|
|
data [RT #220].
|
|
|
|
374. [bug] SOA in authoritative negative responses had wrong TTL.
|
|
|
|
373. [func] nslookup is now installed by "make install".
|
|
|
|
372. [bug] Deal with Microsoft DNS servers appending two bytes of
|
|
garbage to zone transfer requests.
|
|
|
|
371. [bug] At high debug levels, doing an outgoing zone transfer
|
|
of a very large RRset could cause an assertion failure
|
|
during logging.
|
|
|
|
370. [bug] The error messages for roll-forward failures were
|
|
overly terse.
|
|
|
|
369. [func] Support new named.conf options, view and zone
|
|
statements:
|
|
|
|
max-retry-time, min-retry-time,
|
|
max-refresh-time, min-refresh-time.
|
|
|
|
368. [func] Restructure the internal ".bind" view so that more
|
|
zones can be added to it.
|
|
|
|
367. [bug] Allow proper selection of server on nslookup command
|
|
line.
|
|
|
|
366. [func] Allow use of '-' batch file in dig for stdin.
|
|
|
|
365. [bug] nsupdate -k leaked memory.
|
|
|
|
364. [func] Added additional-from-{cache,auth}
|
|
|
|
363. [placeholder]
|
|
|
|
362. [bug] rndc no longer aborts if the configuration file is
|
|
missing an options statement. [RT #209]
|
|
|
|
361. [func] When the RBT find or chain functions set the name and
|
|
origin for a node that stores the root label
|
|
the name is now set to an empty name, instead of ".",
|
|
to simplify later use of the name and origin by
|
|
dns_name_concatenate(), dns_name_totext() or
|
|
dns_name_format().
|
|
|
|
360. [func] dns_name_totext() and dns_name_format() now allow
|
|
an empty name to be passed, which is formatted as "@".
|
|
|
|
359. [bug] dnssec-signzone occasionally signed glue records.
|
|
|
|
358. [cleanup] Rename the intermediate files used by the dnssec
|
|
programs.
|
|
|
|
357. [bug] The zone file parser crashed if the argument
|
|
to $INCLUDE was a quoted string.
|
|
|
|
356. [cleanup] isc_task_send no longer requires event->sender to
|
|
be non-null.
|
|
|
|
355. [func] Added isc_dir_createunique(), similar to mkdtemp().
|
|
|
|
354. [doc] Man pages for the dnssec tools are now included in
|
|
the distribution, in doc/man/dnssec.
|
|
|
|
353. [bug] double increment in lwres/gethost.c:copytobuf().
|
|
[RT #187]
|
|
|
|
352. [bug] Race condition in dns_client_t startup could cause
|
|
an assertion failure.
|
|
|
|
351. [bug] Constructing a response with rcode SERVFAIL to a TSIG
|
|
signed query could crash the server.
|
|
|
|
350. [bug] Also-notify lists specified in the global options
|
|
block were not correctly reference counted, causing
|
|
a memory leak.
|
|
|
|
349. [bug] Processing a query with the CD bit set now works
|
|
as expected.
|
|
|
|
348. [func] New boolean named.conf options 'additional-from-auth'
|
|
and 'additional-from-cache' now supported in view and
|
|
global options statement.
|
|
|
|
347. [bug] Don't crash if an argument is left off options in dig.
|
|
|
|
346. [placeholder]
|
|
|
|
345. [bug] Large-scale changes/cleanups to dig:
|
|
* Significantly improve structure handling
|
|
* Don't pre-load entire batch files
|
|
* Add name/rr counting/limiting
|
|
* Fix SIGINT handling
|
|
* Shorten timeouts to match v8's behavior
|
|
|
|
344. [bug] When shutting down, lwresd sometimes tried
|
|
to shut down its client tasks twice,
|
|
triggering an assertion.
|
|
|
|
343. [bug] Although zone maintenance SOA queries and
|
|
notify requests were signed with TSIG keys
|
|
when configured for the server in case,
|
|
the TSIG was not verified on the response.
|
|
|
|
342. [bug] The wrong name was being passed to
|
|
dns_name_dup() when generating a TSIG
|
|
key using TKEY.
|
|
|
|
341. [func] Support 'key' clause in named.conf zone masters
|
|
statement to allow authentication via TSIG keys:
|
|
|
|
masters {
|
|
10.0.0.1 port 5353 key "foo";
|
|
10.0.0.2 ;
|
|
};
|
|
|
|
340. [bug] The top-level COPYRIGHT file was missing from
|
|
the distribution.
|
|
|
|
339. [bug] DNSSEC validation of the response to an ANY
|
|
query at a name with a CNAME RR in a secure
|
|
zone triggered an assertion failure.
|
|
|
|
338. [bug] lwresd logged to syslog as named, not lwresd.
|
|
|
|
337. [bug] "dig" did not recognize "nsap-ptr" as an RR type
|
|
on the command line.
|
|
|
|
336. [bug] "dig -f" used 64 k of memory for each line in
|
|
the file. It now uses much less, though still
|
|
proportionally to the file size.
|
|
|
|
335. [bug] named would occasionally attempt recursion when
|
|
it was disallowed or undesired.
|
|
|
|
334. [func] Added hmac-md5 to libisc.
|
|
|
|
333. [bug] The resolver incorrectly accepted referrals to
|
|
domains that were not parents of the query name,
|
|
causing assertion failures.
|
|
|
|
332. [func] New function dns_name_reset().
|
|
|
|
331. [bug] Only log "recursion denied" if RD is set. [RT #178]
|
|
|
|
330. [bug] Many debugging messages were partially formatted
|
|
even when debugging was turned off, causing a
|
|
significant decrease in query performance.
|
|
|
|
329. [func] omapi_auth_register() now takes a size_t argument for
|
|
the length of a key's secret data. Previously
|
|
OMAPI only stored secrets up to the first NUL byte.
|
|
|
|
328. [func] Added isc_base64_decodestring().
|
|
|
|
327. [bug] rndc.conf parser wasn't correctly recognizing an IP
|
|
address where a host specification was required.
|
|
|
|
326. [func] 'keys' in an 'inet' control statement is now
|
|
required and must have at least one item in it.
|
|
A "not supported" warning is now issued if a 'unix'
|
|
control channel is defined.
|
|
|
|
325. [bug] isc_lex_gettoken was processing octal strings when
|
|
ISC_LEXOPT_CNUMBER was not set.
|
|
|
|
324. [func] In the resolver, turn EDNS0 off if there is no
|
|
response after a number of retransmissions.
|
|
This is to allow queries some chance of succeeding
|
|
even if all the authoritative servers of a zone
|
|
silently discard EDNS0 requests instead of
|
|
sending an error response like they ought to.
|
|
|
|
323. [bug] dns_rbt_findname() did not ignore empty rbt nodes.
|
|
Because of this, servers authoritative for a parent
|
|
and grandchild zone but not authoritative for the
|
|
intervening child zone did not correctly issue
|
|
referrals to the servers of the child zone.
|
|
|
|
322. [bug] Queries for KEY RRs are now sent to the parent
|
|
server before the authoritative one, making
|
|
DNSSEC insecurity proofs work in many cases
|
|
where they previously didn't.
|
|
|
|
321. [bug] When synthesizing a CNAME RR for a DNAME
|
|
response, query_addcname() failed to initialize
|
|
the type and class of the CNAME dns_rdata_t,
|
|
causing random failures.
|
|
|
|
320. [func] Multiple rndc changes: parses an rndc.conf file,
|
|
uses authentication to talk to named, command
|
|
line syntax changed. This will all be described
|
|
in the ARM.
|
|
|
|
319. [func] The named.conf "controls" statement is now used
|
|
to configure the OMAPI command channel.
|
|
|
|
318. [func] dns_c_ndcctx_destroy() could never return anything
|
|
except ISC_R_SUCCESS; made it have void return instead.
|
|
|
|
317. [func] Use callbacks from libomapi to determine if a
|
|
new connection is valid, and if a key requested
|
|
to be used with that connection is valid.
|
|
|
|
316. [bug] Generate a warning if we detect an unexpected <eof>
|
|
but treat as <eol><eof>.
|
|
|
|
315. [bug] Handle non-empty blanks lines. [RT #163]
|
|
|
|
314. [func] The named.conf controls statement can now have
|
|
more than one key specified for the inet clause.
|
|
|
|
313. [bug] When parsing resolv.conf, don't terminate on an
|
|
error. Instead, parse as much as possible, but
|
|
still return an error if one was found.
|
|
|
|
312. [bug] Increase the number of allowed elements in the
|
|
resolv.conf search path from 6 to 8. If there
|
|
are more than this, ignore the remainder rather
|
|
than returning a failure in lwres_conf_parse.
|
|
|
|
311. [bug] lwres_conf_parse failed when the first line of
|
|
resolv.conf was empty or a comment.
|
|
|
|
310. [func] Changes to named.conf "controls" statement (inet
|
|
subtype only)
|
|
|
|
- support "keys" clause
|
|
|
|
controls {
|
|
inet * port 1024
|
|
allow { any; } keys { "foo"; }
|
|
}
|
|
|
|
- allow "port xxx" to be left out of statement,
|
|
in which case it defaults to omapi's default port
|
|
of 953.
|
|
|
|
309. [bug] When sending a referral, the server did not look
|
|
for name server addresses as glue in the zone
|
|
holding the NS RRset in the case where this zone
|
|
was not the same as the one where it looked for
|
|
name server addresses as authoritative data.
|
|
|
|
308. [bug] Treat a SOA record not at top of zone as an error
|
|
when loading a zone. [RT #154]
|
|
|
|
307. [bug] When canceling a query, the resolver didn't check for
|
|
isc_socket_sendto() calls that did not yet have their
|
|
completion events posted, so it could (rarely) end up
|
|
destroying the query context and then want to use
|
|
it again when the send event posted, triggering an
|
|
assertion as it tried to cancel an already-canceled
|
|
query. [RT #77]
|
|
|
|
306. [bug] Reading HMAC-MD5 private key files didn't work.
|
|
|
|
305. [bug] When reloading the server with a config file
|
|
containing a syntax error, it could catch an
|
|
assertion failure trying to perform zone
|
|
maintenance on tentatively created zones whose
|
|
views were never fully configured and lacked
|
|
an address database.
|
|
|
|
304. [bug] If more than LWRES_CONFMAXNAMESERVERS servers
|
|
are listed in resolv.conf, silently ignore them
|
|
instead of returning failure.
|
|
|
|
303. [bug] Add additional sanity checks to differentiate a AXFR
|
|
response vs a IXFR response. [RT #157]
|
|
|
|
302. [bug] In dig, host, and nslookup, MXNAME should be large
|
|
enough to hold any legal domain name in presentation
|
|
format + terminating NULL.
|
|
|
|
301. [bug] Uninitialized pointer in host:printmessage(). [RT #159]
|
|
|
|
300. [bug] Using both <isc/net.h> and <lwres/net.h> didn't work
|
|
on platforms lacking IPv6 because each included their
|
|
own ipv6 header file for the missing definitions. Now
|
|
each library's ipv6.h defines the wrapper symbol of
|
|
the other (ISC_IPV6_H and LWRES_IPV6_H).
|
|
|
|
299. [cleanup] Get the user and group information before changing the
|
|
root directory, so the administrator does not need to
|
|
keep a copy of the user and group databases in the
|
|
chroot'ed environment. Suggested by Hakan Olsson.
|
|
|
|
298. [bug] A mutex deadlock occurred during shutdown of the
|
|
interface manager under certain conditions.
|
|
Digital Unix systems were the most affected.
|
|
|
|
297. [bug] Specifying a key name that wasn't fully qualified
|
|
in certain parts of the config file could cause
|
|
an assertion failure.
|
|
|
|
296. [bug] "make install" from a separate build directory
|
|
failed unless configure had been run in the source
|
|
directory, too.
|
|
|
|
295. [bug] When invoked with type==CNAME and a message
|
|
not constructed by dns_message_parse(),
|
|
dns_message_findname() failed to find anything
|
|
due to checking for attribute bits that are set
|
|
only in dns_message_parse(). This caused an
|
|
infinite loop when constructing the response to
|
|
an ANY query at a CNAME in a secure zone.
|
|
|
|
294. [bug] If we run out of space in while processing glue
|
|
when reading a master file and commit "current name"
|
|
reverts to "name_current" instead of staying as
|
|
"name_glue".
|
|
|
|
293. [port] Add support for FreeBSD 4.0 system tests.
|
|
|
|
292. [bug] Due to problems with the way some operating systems
|
|
handle simultaneous listening on IPv4 and IPv6
|
|
addresses, the server no longer listens on IPv6
|
|
addresses by default. To revert to the previous
|
|
behavior, specify "listen-on-v6 { any; };" in
|
|
the config file.
|
|
|
|
291. [func] Caching servers no longer send outgoing queries
|
|
over TCP just because the incoming recursive query
|
|
was a TCP one.
|
|
|
|
290. [cleanup] +twiddle option to dig (for testing only) removed.
|
|
|
|
289. [cleanup] dig is now installed in $bindir instead of $sbindir.
|
|
host is now installed in $bindir. (Be sure to remove
|
|
any $sbindir/dig from a previous release.)
|
|
|
|
288. [func] rndc is now installed by "make install" into $sbindir.
|
|
|
|
287. [bug] rndc now works again as "rndc 127.1 reload" (for
|
|
only that task). Parsing its configuration file and
|
|
using digital signatures for authentication has been
|
|
disabled until named supports the "controls" statement,
|
|
post-9.0.0.
|
|
|
|
286. [bug] On Solaris 2, when named inherited a signal state
|
|
where SIGHUP had the SIG_IGN action, SIGHUP would
|
|
be ignored rather than causing the server to reload
|
|
its configuration.
|
|
|
|
285. [bug] A change made to the dst API for beta4 inadvertently
|
|
broke OMAPI's creation of a dst key from an incoming
|
|
message, causing an assertion to be triggered. Fixed.
|
|
|
|
284. [func] The DNSSEC key generation and signing tools now
|
|
generate randomness from keyboard input on systems
|
|
that lack /dev/random.
|
|
|
|
283. [cleanup] The 'lwresd' program is now a link to 'named'.
|
|
|
|
282. [bug] The lexer now returns ISC_R_RANGE if parsed integer is
|
|
too big for an unsigned long.
|
|
|
|
281. [bug] Fixed list of recognized config file category names.
|
|
|
|
280. [func] Add isc-config.sh, which can be used to more
|
|
easily build applications that link with
|
|
our libraries.
|
|
|
|
279. [bug] Private omapi function symbols shared between
|
|
two or more files in libomapi.a were not namespace
|
|
protected using the ISC convention of starting with
|
|
the library name and two underscores ("omapi__"...)
|
|
|
|
278. [bug] bin/named/logconf.c:category_fromconf() didn't take
|
|
note of when isc_log_categorybyname() wasn't able
|
|
to find the category name and would then apply the
|
|
channel list of the unknown category to all categories.
|
|
|
|
277. [bug] isc_log_categorybyname() and isc_log_modulebyname()
|
|
would fail to find the first member of any category
|
|
or module array apart from the internal defaults.
|
|
Thus, for example, the "notify" category was improperly
|
|
configured by named.
|
|
|
|
276. [bug] dig now supports maximum sized TCP messages.
|
|
|
|
275. [bug] The definition of lwres_gai_strerror() was missing
|
|
the lwres_ prefix.
|
|
|
|
274. [bug] TSIG AXFR verify failed when talking to a BIND 8
|
|
server.
|
|
|
|
273. [func] The default for the 'transfer-format' option is
|
|
now 'many-answers'. This will break zone transfers
|
|
to BIND 4.9.5 and older unless there is an explicit
|
|
'one-answer' configuration.
|
|
|
|
272. [bug] The sending of large TCP responses was canceled
|
|
in mid-transmission due to a race condition
|
|
caused by the failure to set the client object's
|
|
"newstate" variable correctly when transitioning
|
|
to the "working" state.
|
|
|
|
271. [func] Attempt to probe the number of cpus in named
|
|
if unspecified rather than defaulting to 1.
|
|
|
|
270. [func] Allow maximum sized TCP answers.
|
|
|
|
269. [bug] Failed DNSSEC validations could cause an assertion
|
|
failure by causing clone_results() to be called with
|
|
with hevent->node == NULL.
|
|
|
|
268. [doc] A plain text version of the Administrator
|
|
Reference Manual is now included in the distribution,
|
|
as doc/arm/Bv9ARM.txt.
|
|
|
|
267. [func] Nsupdate is now provided in the distribution.
|
|
|
|
266. [bug] zone.c:save_nsrrset() node was not initialized.
|
|
|
|
265. [bug] dns_request_create() now works for TCP.
|
|
|
|
264. [func] Dispatch can not take TCP sockets in connecting
|
|
state. Set DNS_DISPATCHATTR_CONNECTED when calling
|
|
dns_dispatch_createtcp() for connected TCP sockets
|
|
or call dns_dispatch_starttcp() when the socket is
|
|
connected.
|
|
|
|
263. [func] New logging channel type 'stderr'
|
|
|
|
channel some-name {
|
|
stderr;
|
|
severity error;
|
|
}
|
|
|
|
262. [bug] 'master' was not initialized in zone.c:stub_callback().
|
|
|
|
261. [func] Add dns_zone_markdirty().
|
|
|
|
260. [bug] Running named as a non-root user failed on Linux
|
|
kernels new enough to support retaining capabilities
|
|
after setuid().
|
|
|
|
259. [func] New random-device and random-seed-file statements
|
|
for global options block of named.conf. Both accept
|
|
a single string argument.
|
|
|
|
258. [bug] Fixed printing of lwres_addr_t.address field.
|
|
|
|
257. [bug] The server detached the last zone manager reference
|
|
too early, while it could still be in use by queries.
|
|
This manifested itself as assertion failures during the
|
|
shutdown process for busy name servers. [RT #133]
|
|
|
|
256. [func] isc_ratelimiter_t now has attach/detach semantics, and
|
|
isc_ratelimiter_shutdown guarantees that the rate
|
|
limiter is detached from its task.
|
|
|
|
255. [func] New function dns_zonemgr_attach().
|
|
|
|
254. [bug] Suppress "query denied" messages on additional data
|
|
lookups.
|
|
|
|
--- 9.0.0b4 released ---
|
|
|
|
253. [func] resolv.conf parser now recognizes ';' and '#' as
|
|
comments (anywhere in line, not just as the beginning).
|
|
|
|
252. [bug] resolv.conf parser mishandled masks on sortlists.
|
|
It also aborted when an unrecognized keyword was seen,
|
|
now it silently ignores the entire line.
|
|
|
|
251. [bug] lwresd caught an assertion failure on startup.
|
|
|
|
250. [bug] fixed handling of size+unit when value would be too
|
|
large for internal representation.
|
|
|
|
249. [cleanup] max-cache-size config option now takes a size-spec
|
|
like 'datasize', except 'default' is not allowed.
|
|
|
|
248. [bug] global lame-ttl option was not being printed when
|
|
config structures were written out.
|
|
|
|
247. [cleanup] Rename cache-size config option to max-cache-size.
|
|
|
|
246. [func] Rename global option cachesize to cache-size and
|
|
add corresponding option to view statement.
|
|
|
|
245. [bug] If an uncompressed name will take more than 255
|
|
bytes and the buffer is sufficiently long,
|
|
dns_name_fromwire should return DNS_R_FORMERR,
|
|
not ISC_R_NOSPACE. This bug caused cause the
|
|
server to catch an assertion failure when it
|
|
received a query for a name longer than 255
|
|
bytes.
|
|
|
|
244. [bug] empty named.conf file and empty options statement are
|
|
now parsed properly.
|
|
|
|
243. [func] new cachesize option for named.conf
|
|
|
|
242. [cleanup] fixed incorrect warning about auth-nxdomain usage.
|
|
|
|
241. [cleanup] nscount and soacount have been removed from the
|
|
dns_master_*() argument lists.
|
|
|
|
240. [func] databases now come in three flavours: zone, cache
|
|
and stub.
|
|
|
|
239. [func] If ISC_MEM_DEBUG is enabled, the variable
|
|
isc_mem_debugging controls whether messages
|
|
are printed or not.
|
|
|
|
238. [cleanup] A few more compilation warnings have been quieted:
|
|
+ missing sigwait prototype on BSD/OS 4.0/4.0.1.
|
|
+ PTHREAD_ONCE_INIT unbraced initializer warnings on
|
|
Solaris 2.8.
|
|
+ IN6ADDR_ANY_INIT unbraced initializer warnings on
|
|
BSD/OS 4.*, Linux and Solaris 2.8.
|
|
|
|
237. [bug] If connect() returned ENOBUFS when the resolver was
|
|
initiating a TCP query, the socket didn't get
|
|
destroyed, and the server did not shut down cleanly.
|
|
|
|
236. [func] Added new listen-on-v6 config file statement.
|
|
|
|
235. [func] Consider it a config file error if a listen-on
|
|
statement has an IPv6 address in it, or a
|
|
listen-on-v6 statement has an IPv4 address in it.
|
|
|
|
234. [bug] Allow a trusted-key's first field (domain-name) be
|
|
either a quoted or an unquoted string, instead of
|
|
requiring a quoted string.
|
|
|
|
233. [cleanup] Convert all config structure integer values to unsigned
|
|
integer (isc_uint32_t) to match grammar.
|
|
|
|
232. [bug] Allow slave zones to not have a file.
|
|
|
|
231. [func] Support new 'port' clause in config file options
|
|
section. Causes 'listen-on', 'masters' and
|
|
'also-notify' statements to use its value instead of
|
|
default (53).
|
|
|
|
230. [func] Replace the dst sign/verify API with a cleaner one.
|
|
|
|
229. [func] Support config file sig-validity-interval statement
|
|
in options, views and zone statements (master
|
|
zones only).
|
|
|
|
228. [cleanup] Logging messages in config module stripped of
|
|
trailing period.
|
|
|
|
227. [cleanup] The enumerated identifiers dns_rdataclass_*,
|
|
dns_rcode_*, dns_opcode_*, and dns_trust_* are
|
|
also now cast to their appropriate types, as with
|
|
dns_rdatatype_* in item number 225 below.
|
|
|
|
226. [func] dns_name_totext() now always prints the root name as
|
|
'.', even when omit_final_dot is true.
|
|
|
|
225. [cleanup] The enumerated dns_rdatatype_* identifiers are now
|
|
cast to dns_rdatatype_t via macros of their same name
|
|
so that they are of the proper integral type wherever
|
|
a dns_rdatatype_t is needed.
|
|
|
|
224. [cleanup] The entire project builds cleanly with gcc's
|
|
-Wcast-qual and -Wwrite-strings warnings enabled,
|
|
which is now the default when using gcc. (Warnings
|
|
from confparser.c, because of yacc's code, are
|
|
unfortunately to be expected.)
|
|
|
|
223. [func] Several functions were re-prototyped to qualify one
|
|
or more of their arguments with "const". Similarly,
|
|
several functions that return pointers now have
|
|
those pointers qualified with const.
|
|
|
|
222. [bug] The global 'also-notify' option was ignored.
|
|
|
|
221. [bug] An uninitialized variable was sometimes passed to
|
|
dns_rdata_freestruct() when loading a zone, causing
|
|
an assertion failure.
|
|
|
|
220. [cleanup] Set the default outgoing port in the view, and
|
|
set it in sockaddrs returned from the ADB.
|
|
[31-May-2000 explorer]
|
|
|
|
219. [bug] Signed truncated messages more correctly follow
|
|
the respective specs.
|
|
|
|
218. [func] When an rdataset is signed, its ttl is normalized
|
|
based on the signature validity period.
|
|
|
|
217. [func] Also-notify and trusted-keys can now be used in
|
|
the 'view' statement.
|
|
|
|
216. [func] The 'max-cache-ttl' and 'max-ncache-ttl' options
|
|
now work.
|
|
|
|
215. [bug] Failures at certain points in request processing
|
|
could cause the assertion INSIST(client->lockview
|
|
== NULL) to be triggered.
|
|
|
|
214. [func] New public function isc_netaddr_format(), for
|
|
formatting network addresses in log messages.
|
|
|
|
213. [bug] Don't leak memory when reloading the zone if
|
|
an update-policy clause was present in the old zone.
|
|
|
|
212. [func] Added dns_message_get/settsigkey, to make TSIG
|
|
key management reasonable.
|
|
|
|
211. [func] The 'key' and 'server' statements can now occur
|
|
inside 'view' statements.
|
|
|
|
210. [bug] The 'allow-transfer' option was ignored for slave
|
|
zones, and the 'transfers-per-ns' option was
|
|
was ignored for all zones.
|
|
|
|
209. [cleanup] Upgraded openssl files to new version 0.9.5a
|
|
|
|
208. [func] Added ISC_OFFSET_MAXIMUM for the maximum value
|
|
of an isc_offset_t.
|
|
|
|
207. [func] The dnssec tools properly use the logging subsystem.
|
|
|
|
206. [cleanup] dst now stores the key name as a dns_name_t, not
|
|
a char *.
|
|
|
|
205. [cleanup] On IRIX, turn off the mostly harmless warnings 1692
|
|
("prototyped function redeclared without prototype")
|
|
and 1552 ("variable ... set but not used") when
|
|
compiling in the lib/dns/sec/{dnssafe,openssl}
|
|
directories, which contain code imported from outside
|
|
sources.
|
|
|
|
204. [cleanup] On HP/UX, pass +vnocompatwarnings to the linker
|
|
to quiet the warnings that "The linked output may not
|
|
run on a PA 1.x system."
|
|
|
|
203. [func] notify and zone soa queries are now tsig signed when
|
|
appropriate.
|
|
|
|
202. [func] isc_lex_getsourceline() changed from returning int
|
|
to returning unsigned long, the type of its underlying
|
|
counter.
|
|
|
|
201. [cleanup] Removed the test/sdig program, it has been
|
|
replaced by bin/dig/dig.
|
|
|
|
--- 9.0.0b3 released ---
|
|
|
|
200. [bug] Failures in sending query responses to clients
|
|
(e.g., running out of network buffers) were
|
|
not logged.
|
|
|
|
199. [bug] isc_heap_delete() sometimes violated the heap
|
|
invariant, causing timer events not to be posted
|
|
when due.
|
|
|
|
198. [func] Dispatch managers hold memory pools which
|
|
any managed dispatcher may use. This allows
|
|
us to avoid dipping into the memory context for
|
|
most allocations. [19-May-2000 explorer]
|
|
|
|
197. [bug] When an incoming AXFR or IXFR completes, the
|
|
zone's internal state is refreshed from the
|
|
SOA data. [19-May-2000 explorer]
|
|
|
|
196. [func] Dispatchers can be shared easily between views
|
|
and/or interfaces. [19-May-2000 explorer]
|
|
|
|
195. [bug] Including the NXT record of the root domain
|
|
in a negative response caused an assertion
|
|
failure.
|
|
|
|
194. [doc] The PDF version of the Administrator's Reference
|
|
Manual is no longer included in the ISC BIND9
|
|
distribution.
|
|
|
|
193. [func] changed dst_key_free() prototype.
|
|
|
|
192. [bug] Zone configuration validation is now done at end
|
|
of config file parsing, and before loading
|
|
callbacks.
|
|
|
|
191. [func] Patched to compile on UnixWare 7.x. This platform
|
|
is not directly supported by the ISC.
|
|
|
|
190. [cleanup] The DNSSEC tools have been moved to a separate
|
|
directory dnssec/ and given the following new,
|
|
more descriptive names:
|
|
|
|
dnssec-keygen
|
|
dnssec-signzone
|
|
dnssec-signkey
|
|
dnssec-makekeyset
|
|
|
|
Their command line arguments have also been changed to
|
|
be more consistent. dnssec-keygen now prints the
|
|
name of the generated key files (sans extension)
|
|
on standard output to simplify its use in automated
|
|
scripts.
|
|
|
|
189. [func] isc_time_secondsastimet(), a new function, will ensure
|
|
that the number of seconds in an isc_time_t does not
|
|
exceed the range of a time_t, or return ISC_R_RANGE.
|
|
Similarly, isc_time_now(), isc_time_nowplusinterval(),
|
|
isc_time_add() and isc_time_subtract() now check the
|
|
range for overflow/underflow. In the case of
|
|
isc_time_subtract, this changed a calling requirement
|
|
(ie, something that could generate an assertion)
|
|
into merely a condition that returns an error result.
|
|
isc_time_add() and isc_time_subtract() were void-
|
|
valued before but now return isc_result_t.
|
|
|
|
188. [func] Log a warning message when an incoming zone transfer
|
|
contains out-of-zone data.
|
|
|
|
187. [func] isc_ratelimiter_enqueue() has an additional argument
|
|
'task'.
|
|
|
|
186. [func] dns_request_getresponse() has an additional argument
|
|
'preserve_order'.
|
|
|
|
185. [bug] Fixed up handling of ISC_MEMCLUSTER_LEGACY. Several
|
|
public functions did not have an isc__ prefix, and
|
|
referred to functions that had previously been
|
|
renamed.
|
|
|
|
184. [cleanup] Variables/functions which began with two leading
|
|
underscores were made to conform to the ANSI/ISO
|
|
standard, which says that such names are reserved.
|
|
|
|
183. [func] ISC_LOG_PRINTTAG option for log channels. Useful
|
|
for logging the program name or other identifier.
|
|
|
|
182. [cleanup] New command-line parameters for dnssec tools
|
|
|
|
181. [func] Added dst_key_buildfilename and dst_key_parsefilename
|
|
|
|
180. [func] New isc_result_t ISC_R_RANGE. Supersedes DNS_R_RANGE.
|
|
|
|
179. [func] options named.conf statement *must* now come
|
|
before any zone or view statements.
|
|
|
|
178. [func] Post-load of named.conf check verifies a slave zone
|
|
has non-empty list of masters defined.
|
|
|
|
177. [func] New per-zone boolean:
|
|
|
|
enable-zone yes | no ;
|
|
|
|
intended to let a zone be disabled without having
|
|
to comment out the entire zone statement.
|
|
|
|
176. [func] New global and per-view option:
|
|
|
|
max-cache-ttl number
|
|
|
|
175. [func] New global and per-view option:
|
|
|
|
additional-data internal | minimal | maximal;
|
|
|
|
174. [func] New public function isc_sockaddr_format(), for
|
|
formatting socket addresses in log messages.
|
|
|
|
173. [func] Keep a queue of zones waiting for zone transfer
|
|
quota so that a new transfer can be dispatched
|
|
immediately whenever quota becomes available.
|
|
|
|
172. [bug] $TTL directive was sometimes missing from dumped
|
|
master files because totext_ctx_init() failed to
|
|
initialize ctx->current_ttl_valid.
|
|
|
|
171. [cleanup] On NetBSD systems, the mit-pthreads or
|
|
unproven-pthreads library is now always used
|
|
unless --with-ptl2 is explicitly specified on
|
|
the configure command line. The
|
|
--with-mit-pthreads option is no longer needed
|
|
and has been removed.
|
|
|
|
170. [cleanup] Remove inter server consistency checks from zone,
|
|
these should return as a separate module in 9.1.
|
|
dns_zone_checkservers(), dns_zone_checkparents(),
|
|
dns_zone_checkchildren(), dns_zone_checkglue().
|
|
|
|
Remove dns_zone_setadb(), dns_zone_setresolver(),
|
|
dns_zone_setrequestmgr() these should now be found
|
|
via the view.
|
|
|
|
169. [func] ratelimiter can now process N events per interval.
|
|
|
|
168. [bug] include statements in named.conf caused syntax errors
|
|
due to not consuming the semicolon ending the include
|
|
statement before switching input streams.
|
|
|
|
167. [bug] Make lack of masters for a slave zone a soft error.
|
|
|
|
166. [bug] Keygen was overwriting existing keys if key_id
|
|
conflicted, now it will retry, and non-null keys
|
|
with key_id == 0 are not generated anymore. Key
|
|
was not able to generate NOAUTHCONF DSA key,
|
|
increased RSA key size to 2048 bits.
|
|
|
|
165. [cleanup] Silence "end-of-loop condition not reached" warnings
|
|
from Solaris compiler.
|
|
|
|
164. [func] Added functions isc_stdio_open(), isc_stdio_close(),
|
|
isc_stdio_seek(), isc_stdio_read(), isc_stdio_write(),
|
|
isc_stdio_flush(), isc_stdio_sync(), isc_file_remove()
|
|
to encapsulate nonportable usage of errno and sync.
|
|
|
|
163. [func] Added result codes ISC_R_FILENOTFOUND and
|
|
ISC_R_FILEEXISTS.
|
|
|
|
162. [bug] Ensure proper range for arguments to ctype.h functions.
|
|
|
|
161. [cleanup] error in yyparse prototype that only HPUX caught.
|
|
|
|
160. [cleanup] getnet*() are not going to be implemented at this
|
|
stage.
|
|
|
|
159. [func] Redefinition of config file elements is now an
|
|
error (instead of a warning).
|
|
|
|
158. [bug] Log channel and category list copy routines
|
|
weren't assigning properly to output parameter.
|
|
|
|
157. [port] Fix missing prototype for getopt().
|
|
|
|
156. [func] Support new 'database' statement in zone.
|
|
|
|
database "quoted-string";
|
|
|
|
155. [bug] ns_notify_start() was not detaching the found zone.
|
|
|
|
154. [func] The signer now logs libdns warnings to stderr even when
|
|
not verbose, and in a nicer format.
|
|
|
|
153. [func] dns_rdata_tostruct() 'mctx' is now optional. If 'mctx'
|
|
is NULL then you need to preserve the 'rdata' until
|
|
you have finished using the structure as there may be
|
|
references to the associated memory. If 'mctx' is
|
|
non-NULL it is guaranteed that there are no references
|
|
to memory associated with 'rdata'.
|
|
|
|
dns_rdata_freestruct() must be called if 'mctx' was
|
|
non-NULL and may safely be called if 'mctx' was NULL.
|
|
|
|
152. [bug] keygen dumped core if domain name argument was omitted
|
|
from command line.
|
|
|
|
151. [func] Support 'disabled' statement in zone config (causes
|
|
zone to be parsed and then ignored). Currently must
|
|
come after the 'type' clause.
|
|
|
|
150. [func] Support optional ports in masters and also-notify
|
|
statements:
|
|
|
|
masters [ port xxx ] { y.y.y.y [ port zzz ] ; }
|
|
|
|
149. [cleanup] Removed unused argument 'olist' from
|
|
dns_c_view_unsetordering().
|
|
|
|
148. [cleanup] Stop issuing some warnings about some configuration
|
|
file statements that were not implemented, but now are.
|
|
|
|
147. [bug] Changed yacc union size to be smaller for yaccs that
|
|
put yacc-stack on the real stack.
|
|
|
|
146. [cleanup] More general redundant header file cleanup. Rather
|
|
than continuing to itemize every header which changed,
|
|
this changelog entry just notes that if a header file
|
|
did not need another header file that it was including
|
|
in order to provide its advertised functionality, the
|
|
inclusion of the other header file was removed. See
|
|
util/check-includes for how this was tested.
|
|
|
|
145. [cleanup] Added <isc/lang.h> and ISC_LANG_BEGINDECLS/
|
|
ISC_LANG_ENDDECLS to header files that had function
|
|
prototypes, and removed it from those that did not.
|
|
|
|
144. [cleanup] libdns header files too numerous to name were made
|
|
to conform to the same style for multiple inclusion
|
|
protection.
|
|
|
|
143. [func] Added function dns_rdatatype_isknown().
|
|
|
|
142. [cleanup] <isc/stdtime.h> does not need <time.h> or
|
|
<isc/result.h>.
|
|
|
|
141. [bug] Corrupt requests with multiple questions could
|
|
cause an assertion failure.
|
|
|
|
140. [cleanup] <isc/time.h> does not need <time.h> or <isc/result.h>.
|
|
|
|
139. [cleanup] <isc/net.h> now includes <isc/types.h> instead of
|
|
<isc/int.h> and <isc/result.h>.
|
|
|
|
138. [cleanup] isc_strtouq moved from str.[ch] to string.[ch] and
|
|
renamed isc_string_touint64. isc_strsep moved from
|
|
strsep.c to string.c and renamed isc_string_separate.
|
|
|
|
137. [cleanup] <isc/commandline.h>, <isc/mem.h>, <isc/print.h>
|
|
<isc/serial.h>, <isc/string.h> and <isc/offset.h>
|
|
made to conform to the same style for multiple
|
|
inclusion protection.
|
|
|
|
136. [cleanup] <isc/commandline.h>, <isc/interfaceiter.h>,
|
|
<isc/net.h> and Win32's <isc/thread.h> needed
|
|
ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS.
|
|
|
|
135. [cleanup] Win32's <isc/condition.h> did not need <isc/result.h>
|
|
or <isc/boolean.h>, now uses <isc/types.h> in place
|
|
of <isc/time.h>, and needed ISC_LANG_BEGINDECLS
|
|
and ISC_LANG_ENDDECLS.
|
|
|
|
134. [cleanup] <isc/dir.h> does not need <limits.h>.
|
|
|
|
133. [cleanup] <isc/ipv6.h> needs <isc/platform.h>.
|
|
|
|
132. [cleanup] <isc/app.h> does not need <isc/task.h>, but does
|
|
need <isc/eventclass.h>.
|
|
|
|
131. [cleanup] <isc/mutex.h> and <isc/util.h> need <isc/result.h>
|
|
for ISC_R_* codes used in macros.
|
|
|
|
130. [cleanup] <isc/condition.h> does not need <pthread.h> or
|
|
<isc/boolean.h>, and now includes <isc/types.h>
|
|
instead of <isc/time.h>.
|
|
|
|
129. [bug] The 'default_debug' log channel was not set up when
|
|
'category default' was present in the config file
|
|
|
|
128. [cleanup] <isc/dir.h> had ISC_LANG_BEGINDECLS instead of
|
|
ISC_LANG_ENDDECLS at end of header.
|
|
|
|
127. [cleanup] The contracts for the comparison routines
|
|
dns_name_fullcompare(), dns_name_compare(),
|
|
dns_name_rdatacompare(), and dns_rdata_compare() now
|
|
specify that the order value returned is < 0, 0, or > 0
|
|
instead of -1, 0, or 1.
|
|
|
|
126. [cleanup] <isc/quota.h> and <isc/taskpool.h> need <isc/lang.h>.
|
|
|
|
125. [cleanup] <isc/eventclass.h>, <isc/ipv6.h>, <isc/magic.h>,
|
|
<isc/mutex.h>, <isc/once.h>, <isc/region.h>, and
|
|
<isc/resultclass.h> do not need <isc/lang.h>.
|
|
|
|
124. [func] signer now imports parent's zone key signature
|
|
and creates null keys/sets zone status bit for
|
|
children when necessary
|
|
|
|
123. [cleanup] <isc/event.h> does not need <stddef.h>.
|
|
|
|
122. [cleanup] <isc/task.h> does not need <isc/mem.h> or
|
|
<isc/result.h>.
|
|
|
|
121. [cleanup] <isc/symtab.h> does not need <isc/mem.h> or
|
|
<isc/result.h>. Multiple inclusion protection
|
|
symbol fixed from ISC_SYMBOL_H to ISC_SYMTAB_H.
|
|
isc_symtab_t moved to <isc/types.h>.
|
|
|
|
120. [cleanup] <isc/socket.h> does not need <isc/boolean.h>,
|
|
<isc/bufferlist.h>, <isc/task.h>, <isc/mem.h> or
|
|
<isc/net.h>.
|
|
|
|
119. [cleanup] structure definitions for generic rdata structures do
|
|
not have _generic_ in their names.
|
|
|
|
118. [cleanup] libdns.a is now namespace-clean, on NetBSD, excepting
|
|
YACC crust (yyparse, etc) [2000-apr-27 explorer]
|
|
|
|
117. [cleanup] libdns.a changes:
|
|
dns_zone_clearnotify() and dns_zone_addnotify()
|
|
are replaced by dns_zone_setnotifyalso().
|
|
dns_zone_clearmasters() and dns_zone_addmaster()
|
|
are replaced by dns_zone_setmasters().
|
|
|
|
116. [func] Added <isc/offset.h> for isc_offset_t (aka off_t
|
|
on Unix systems).
|
|
|
|
115. [port] Shut up the -Wmissing-declarations warning about
|
|
<stdio.h>'s __sputaux on BSD/OS pre-4.1.
|
|
|
|
114. [cleanup] <isc/sockaddr.h> does not need <isc/buffer.h> or
|
|
<isc/list.h>.
|
|
|
|
113. [func] Utility programs dig and host added.
|
|
|
|
112. [cleanup] <isc/serial.h> does not need <isc/boolean.h>.
|
|
|
|
111. [cleanup] <isc/rwlock.h> does not need <isc/result.h> or
|
|
<isc/mutex.h>.
|
|
|
|
110. [cleanup] <isc/result.h> does not need <isc/boolean.h> or
|
|
<isc/list.h>.
|
|
|
|
109. [bug] "make depend" did nothing for
|
|
bin/tests/{db,mem,sockaddr,tasks,timers}/.
|
|
|
|
108. [cleanup] DNS_SETBIT/DNS_GETBIT/DNS_CLEARBIT moved from
|
|
<dns/types.h> to <dns/bit.h> and renamed to
|
|
DNS_BIT_SET/DNS_BIT_GET/DNS_BIT_CLEAR.
|
|
|
|
107. [func] Add keysigner and keysettool.
|
|
|
|
106. [func] Allow dnssec verifications to ignore the validity
|
|
period. Used by several of the dnssec tools.
|
|
|
|
105. [doc] doc/dev/coding.html expanded with other
|
|
implicit conventions the developers have used.
|
|
|
|
104. [bug] Made compress_add and compress_find static to
|
|
lib/dns/compress.c.
|
|
|
|
103. [func] libisc buffer API changes for <isc/buffer.h>:
|
|
Added:
|
|
isc_buffer_base(b) (pointer)
|
|
isc_buffer_current(b) (pointer)
|
|
isc_buffer_active(b) (pointer)
|
|
isc_buffer_used(b) (pointer)
|
|
isc_buffer_length(b) (int)
|
|
isc_buffer_usedlength(b) (int)
|
|
isc_buffer_consumedlength(b) (int)
|
|
isc_buffer_remaininglength(b) (int)
|
|
isc_buffer_activelength(b) (int)
|
|
isc_buffer_availablelength(b) (int)
|
|
Removed:
|
|
ISC_BUFFER_USEDCOUNT(b)
|
|
ISC_BUFFER_AVAILABLECOUNT(b)
|
|
isc_buffer_type(b)
|
|
Changed names:
|
|
isc_buffer_used(b, r) ->
|
|
isc_buffer_usedregion(b, r)
|
|
isc_buffer_available(b, r) ->
|
|
isc_buffer_available_region(b, r)
|
|
isc_buffer_consumed(b, r) ->
|
|
isc_buffer_consumedregion(b, r)
|
|
isc_buffer_active(b, r) ->
|
|
isc_buffer_activeregion(b, r)
|
|
isc_buffer_remaining(b, r) ->
|
|
isc_buffer_remainingregion(b, r)
|
|
|
|
Buffer types were removed, so the ISC_BUFFERTYPE_*
|
|
macros are no more, and the type argument to
|
|
isc_buffer_init and isc_buffer_allocate were removed.
|
|
isc_buffer_putstr is now void (instead of isc_result_t)
|
|
and requires that the caller ensure that there
|
|
is enough available buffer space for the string.
|
|
|
|
102. [port] Correctly detect inet_aton, inet_pton and inet_ptop
|
|
on BSD/OS 4.1.
|
|
|
|
101. [cleanup] Quieted EGCS warnings from lib/isc/print.c.
|
|
|
|
100. [cleanup] <isc/random.h> does not need <isc/int.h> or
|
|
<isc/mutex.h>. isc_random_t moved to <isc/types.h>.
|
|
|
|
99. [cleanup] Rate limiter now has separate shutdown() and
|
|
destroy() functions, and it guarantees that all
|
|
queued events are delivered even in the shutdown case.
|
|
|
|
98. [cleanup] <isc/print.h> does not need <stdarg.h> or <stddef.h>
|
|
unless ISC_PLATFORM_NEEDVSNPRINTF is defined.
|
|
|
|
97. [cleanup] <isc/ondestroy.h> does not need <stddef.h> or
|
|
<isc/event.h>.
|
|
|
|
96. [cleanup] <isc/mutex.h> does not need <isc/result.h>.
|
|
|
|
95. [cleanup] <isc/mutexblock.h> does not need <isc/result.h>.
|
|
|
|
94. [cleanup] Some installed header files did not compile as C++.
|
|
|
|
93. [cleanup] <isc/msgcat.h> does not need <isc/result.h>.
|
|
|
|
92. [cleanup] <isc/mem.h> does not need <stddef.h>, <isc/boolean.h>,
|
|
or <isc/result.h>.
|
|
|
|
91. [cleanup] <isc/log.h> does not need <sys/types.h> or
|
|
<isc/result.h>.
|
|
|
|
90. [cleanup] Removed unneeded ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS
|
|
from <named/listenlist.h>.
|
|
|
|
89. [cleanup] <isc/lex.h> does not need <stddef.h>.
|
|
|
|
88. [cleanup] <isc/interfaceiter.h> does not need <isc/result.h> or
|
|
<isc/mem.h>. isc_interface_t and isc_interfaceiter_t
|
|
moved to <isc/types.h>.
|
|
|
|
87. [cleanup] <isc/heap.h> does not need <isc/boolean.h>,
|
|
<isc/mem.h> or <isc/result.h>.
|
|
|
|
86. [cleanup] isc_bufferlist_t moved from <isc/bufferlist.h> to
|
|
<isc/types.h>.
|
|
|
|
85. [cleanup] <isc/bufferlist.h> does not need <isc/buffer.h>,
|
|
<isc/list.h>, <isc/mem.h>, <isc/region.h> or
|
|
<isc/int.h>.
|
|
|
|
84. [func] allow-query ACL checks now apply to all data
|
|
added to a response.
|
|
|
|
83. [func] If the server is authoritative for both a
|
|
delegating zone and its (nonsecure) delegatee, and
|
|
a query is made for a KEY RR at the top of the
|
|
delegatee, then the server will look for a KEY
|
|
in the delegator if it is not found in the delegatee.
|
|
|
|
82. [cleanup] <isc/buffer.h> does not need <isc/list.h>.
|
|
|
|
81. [cleanup] <isc/int.h> and <isc/boolean.h> do not need
|
|
<isc/lang.h>.
|
|
|
|
80. [cleanup] <isc/print.h> does not need <stdio.h> or <stdlib.h>.
|
|
|
|
79. [cleanup] <dns/callbacks.h> does not need <stdio.h>.
|
|
|
|
78. [cleanup] lwres_conftest renamed to lwresconf_test for
|
|
consistency with other *_test programs.
|
|
|
|
77. [cleanup] typedef of isc_time_t and isc_interval_t moved from
|
|
<isc/time.h> to <isc/types.h>.
|
|
|
|
76. [cleanup] Rewrote keygen.
|
|
|
|
75. [func] Don't load a zone if its database file is older
|
|
than the last time the zone was loaded.
|
|
|
|
74. [cleanup] Removed mktemplate.o and ufile.o from libisc.a,
|
|
subsumed by file.o.
|
|
|
|
73. [func] New "file" API in libisc, including new function
|
|
isc_file_getmodtime, isc_mktemplate renamed to
|
|
isc_file_mktemplate and isc_ufile renamed to
|
|
isc_file_openunique. By no means an exhaustive API,
|
|
it is just what's needed for now.
|
|
|
|
72. [func] DNS_RBTFIND_NOPREDECESSOR and DNS_RBTFIND_NOOPTIONS
|
|
added for dns_rbt_findnode, the former to disable the
|
|
setting of the chain to the predecessor, and the
|
|
latter to make clear when no options are set.
|
|
|
|
71. [cleanup] Made explicit the implicit REQUIREs of
|
|
isc_time_seconds, isc_time_nanoseconds, and
|
|
isc_time_subtract.
|
|
|
|
70. [func] isc_time_set() added.
|
|
|
|
69. [bug] The zone object's master and also-notify lists grew
|
|
longer with each server reload.
|
|
|
|
68. [func] Partial support for SIG(0) on incoming messages.
|
|
|
|
67. [performance] Allow use of alternate (compile-time supplied)
|
|
OpenSSL libraries/headers.
|
|
|
|
66. [func] Data in authoritative zones should have a trust level
|
|
beyond secure.
|
|
|
|
65. [cleanup] Removed obsolete typedef of dns_zone_callbackarg_t
|
|
from <dns/types.h>.
|
|
|
|
64. [func] The RBT, DB, and zone table APIs now allow the
|
|
caller find the most-enclosing superdomain of
|
|
a name.
|
|
|
|
63. [func] Generate NOTIFY messages.
|
|
|
|
62. [func] Add UDP refresh support.
|
|
|
|
61. [cleanup] Use single quotes consistently in log messages.
|
|
|
|
60. [func] Catch and disallow singleton types on message
|
|
parse.
|
|
|
|
59. [bug] Cause net/host unreachable to be a hard error
|
|
when sending and receiving.
|
|
|
|
58. [bug] bin/named/query.c could sometimes trigger the
|
|
(client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
|
|
== 0 assertion in query_newname().
|
|
|
|
57. [func] Added dns_nxt_typepresent()
|
|
|
|
56. [bug] SIG records were not properly returned in cached
|
|
negative answers.
|
|
|
|
55. [bug] Responses containing multiple names in the authority
|
|
section were not negatively cached.
|
|
|
|
54. [bug] If a fetch with sigrdataset==NULL joined one with
|
|
sigrdataset!=NULL or vice versa, the resolver
|
|
could catch an assertion or lose signature data,
|
|
respectively.
|
|
|
|
53. [port] freebsd 4.0: lib/isc/unix/socket.c requires
|
|
<sys/param.h>.
|
|
|
|
52. [bug] rndc: taskmgr and socketmgr were not initialized
|
|
to NULL.
|
|
|
|
51. [cleanup] dns/compress.h and dns/zt.h did not need to include
|
|
dns/rbt.h; it was needed only by compress.c and zt.c.
|
|
|
|
50. [func] RBT deletion no longer requires a valid chain to work,
|
|
and dns_rbt_deletenode was added.
|
|
|
|
49. [func] Each cache now has its own mctx.
|
|
|
|
48. [func] isc_task_create() no longer takes an mctx.
|
|
isc_task_mem() has been eliminated.
|
|
|
|
47. [func] A number of modules now use memory context reference
|
|
counting.
|
|
|
|
46. [func] Memory contexts are now reference counted.
|
|
Added isc_mem_inuse() and isc_mem_preallocate().
|
|
Renamed isc_mem_destroy_check() to
|
|
isc_mem_setdestroycheck().
|
|
|
|
45. [bug] The trusted-key statement incorrectly loaded keys.
|
|
|
|
44. [bug] Don't include authority data if it would force us
|
|
to unset the AD bit in the message.
|
|
|
|
43. [bug] DNSSEC verification of cached rdatasets was failing.
|
|
|
|
42. [cleanup] Simplified logging of messages with embedded domain
|
|
names by introducing a new convenience function
|
|
dns_name_format().
|
|
|
|
41. [func] Use PR_SET_KEEPCAPS on Linux 2.3.99-pre3 and later
|
|
to allow 'named' to run as a non-root user while
|
|
retaining the ability to bind() to privileged
|
|
ports.
|
|
|
|
40. [func] Introduced new logging category "dnssec" and
|
|
logging module "dns/validator".
|
|
|
|
39. [cleanup] Moved the typedefs for isc_region_t, isc_textregion_t,
|
|
and isc_lex_t to <isc/types.h>.
|
|
|
|
38. [bug] TSIG signed incoming zone transfers work now.
|
|
|
|
37. [bug] If the first RR in an incoming zone transfer was
|
|
not an SOA, the server died with an assertion failure
|
|
instead of just reporting an error.
|
|
|
|
36. [cleanup] Change DNS_R_SUCCESS (and others) to ISC_R_SUCCESS
|
|
|
|
35. [performance] Log messages which are of a level too high to be
|
|
logged by any channel in the logging configuration
|
|
will not cause the log mutex to be locked.
|
|
|
|
34. [bug] Recursion was allowed even with 'recursion no'.
|
|
|
|
33. [func] The RBT now maintains a parent pointer at each node.
|
|
|
|
32. [cleanup] bin/lwresd/client.c needs <string.h> for memset()
|
|
prototype.
|
|
|
|
31. [bug] Use ${LIBTOOL} to compile bin/named/main.@O@.
|
|
|
|
30. [func] config file grammar change to support optional
|
|
class type for a view.
|
|
|
|
29. [func] support new config file view options:
|
|
|
|
auth-nxdomain recursion query-source
|
|
query-source-v6 transfer-source
|
|
transfer-source-v6 max-transfer-time-out
|
|
max-transfer-idle-out transfer-format
|
|
request-ixfr provide-ixfr cleaning-interval
|
|
fetch-glue notify rfc2308-type1 lame-ttl
|
|
max-ncache-ttl min-roots
|
|
|
|
28. [func] support lame-ttl, min-roots and serial-queries
|
|
config global options.
|
|
|
|
27. [bug] Only include <netinet6/in6.h> on BSD/OS 4.[01]*.
|
|
Including it on other platforms (eg, NetBSD) can
|
|
cause a forced #error from the C preprocessor.
|
|
|
|
26. [func] new match-clients statement in config file view.
|
|
|
|
25. [bug] make install failed to install <isc/log.h> and
|
|
<isc/ondestroy.h>.
|
|
|
|
24. [cleanup] Eliminate some unnecessary #includes of header
|
|
files from header files.
|
|
|
|
23. [cleanup] Provide more context in log messages about client
|
|
requests, using a new function ns_client_log().
|
|
|
|
22. [bug] SIGs weren't returned in the answer section when
|
|
the query resulted in a fetch.
|
|
|
|
21. [port] Look at STD_CINCLUDES after CINCLUDES during
|
|
compilation, so additional system include directories
|
|
can be searched but header files in the bind9 source
|
|
tree with conflicting names take precedence. This
|
|
avoids issues with installed versions of dnssafe and
|
|
openssl.
|
|
|
|
20. [func] Configuration file post-load validation of zones
|
|
failed if there were no zones.
|
|
|
|
19. [bug] dns_zone_notifyreceive() failed to unlock the zone
|
|
lock in certain error cases.
|
|
|
|
18. [bug] Use AC_TRY_LINK rather than AC_TRY_COMPILE in
|
|
configure.in to check for presence of in6addr_any.
|
|
|
|
17. [func] Do configuration file post-load validation of zones.
|
|
|
|
16. [bug] put quotes around key names on config file
|
|
output to avoid possible keyword clashes.
|
|
|
|
15. [func] Add dns_name_dupwithoffsets(). This function is
|
|
improves comparison performance for duped names.
|
|
|
|
14. [bug] free_rbtdb() could have 'put' unallocated memory in
|
|
an unlikely error path.
|
|
|
|
13. [bug] lib/dns/master.c and lib/dns/xfrin.c didn't ignore
|
|
out-of-zone data.
|
|
|
|
12. [bug] Fixed possible uninitialized variable error.
|
|
|
|
11. [bug] axfr_rrstream_first() didn't check the result code of
|
|
db_rr_iterator_first(), possibly causing an assertion
|
|
to be triggered later.
|
|
|
|
10. [bug] A bug in the code which makes EDNS0 OPT records in
|
|
bin/named/client.c and lib/dns/resolver.c could
|
|
trigger an assertion.
|
|
|
|
9. [cleanup] replaced bit-setting code in confctx.c and replaced
|
|
repeated code with macro calls.
|
|
|
|
8. [bug] Shutdown of incoming zone transfer accessed
|
|
freed memory.
|
|
|
|
7. [cleanup] removed 'listen-on' from view statement.
|
|
|
|
6. [bug] quote RR names when generating config file to
|
|
prevent possible clash with config file keywords
|
|
(such as 'key').
|
|
|
|
5. [func] syntax change to named.conf file: new ssu grant/deny
|
|
statements must now be enclosed by an 'update-policy'
|
|
block.
|
|
|
|
4. [port] bin/named/unix/os.c didn't compile on systems with
|
|
linux 2.3 kernel includes due to conflicts between
|
|
C library includes and the kernel includes. We now
|
|
get only what we need from <linux/capability.h>, and
|
|
avoid pulling in other linux kernel .h files.
|
|
|
|
3. [bug] TKEYs go in the answer section of responses, not
|
|
the additional section.
|
|
|
|
2. [bug] Generating cryptographic randomness failed on
|
|
systems without /dev/random.
|
|
|
|
1. [bug] The installdirs rule in
|
|
lib/isc/unix/include/isc/Makefile.in had a typo which
|
|
prevented the isc directory from being created if it
|
|
didn't exist.
|
|
|
|
--- 9.0.0b2 released ---
|
|
|
|
# This tells Emacs to use hard tabs in this file.
|
|
# Local Variables:
|
|
# indent-tabs-mode: t
|
|
# End:
|