BIND 9.4.0b2 is now available.

Mark Andrews Mark_Andrews at isc.org
Tue Sep 5 23:54:24 UTC 2006


		BIND 9.4.0b2 is now available.

BIND 9.4.0b2 is a beta release for BIND 9.4.0.

	BIND 9.4.0b2 contains security fixes:

2066.	[security]	Handle SIG queries gracefully. [RT #16300]

1941.   [bug]           ncache_adderesult() should set eresult even if no
                        rdataset is passed to it. [RT #15642]

	If you are running a BIND 9.3.x or BIND 9.4.x version without
	these changes you are advised to upgrade as soon as possible to
	one of BIND 9.3.2-P1, BIND 9.3.3rc2 or BIND 9.4.0b2.

	Please as a minimum please perform a test build on your
	operating system.  We don't have test platforms for every
	operating system and sometimes we accidently break builds.
	Now is the time to tell us about that.

	Now is the time to report any bugs introduced in this release
	cycle.  Except for *major* bugs, all bugs which pre-date
	this release cycle will be deferred until the next release.
	The aim is to be better than and definitely no worse than
	the last release.  Bugs should be reported to bind9-bugs at isc.org.

BIND 9.4 has a number of new features over BIND 9.3, including:

	Implemented "additional section caching" (or "acache"), an
	internal cache framework for additional section content to
	improve response performance.  Several configuration options
	were provided to control the behavior.

	New notify type 'master-only'.  Enable notify for master
	zones only.

	Accept 'notify-source' style syntax for query-source.

	rndc now allows addresses to be set in the server clauses.

	New option "allow-query-cache".  This lets allow-query be
	used to specify the default zone access level rather than
	having to have every zone override the global value.
	allow-query-cache can be set at both the options and view
	levels.  If allow-query-cache is not set allow-query applies.

	rndc: the source address can now be specified.

	ixfr-from-differences now takes master and slave in addition
	to yes and no at the options and view levels.

	Allow the journal's name to be changed via named.conf.

	'rndc notify zone [class [view]]' resend the NOTIFY messages
	for the specified zone.

	'dig +trace' now randomly selects the next servers to try.
	Report if there is a bad delegation.

	Improve check-names error messages.

	Make public the function to read a key file, dst_key_read_public().

	dig now returns the byte count for axfr/ixfr.
			
	allow-update is now settable at the options / view level.

	named-checkconf now checks the logging configuration.

	host now can turn on memory debugging flags with '-m'.

	Don't send notify messages to self.

	Perform sanity checks on NS records which refer to 'in zone' names.

	New zone option "notify-delay".  Specify a minimum delay
	between sets of NOTIFY messages.

	Extend adjusting TTL warning messages.

	Named and named-checkzone can now both check for non-terminal
	wildcard records.

	"rndc freeze/thaw" now freezes/thaws all zones.

	named-checkconf now check acls to verify that they only
	refer to existing acls.

	The server syntax has been extended to support a range of
	servers.

	Report differences between hints and real NS rrset and
	associated address records.

	Preserve the case of domain names in rdata during zone
	transfers.

	Restructured the data locking framework using architecture
	dependent atomic operations (when available), improving
	response performance on multi-processor machines significantly.
	x86, x86_64, alpha, powerpc, and mips are currently supported.

	UNIX domain controls are now supported.

	Add support for additional zone file formats for improving
	loading performance.  The masterfile-format option in
	named.conf can be used to specify a non-default format.  A
	separate command named-compilezone was provided to generate
	zone files in the new format.  Additionally, the -I and -O
	options for dnssec-signzone specify the input and output
	formats.

	dnssec-signzone can now randomize signature end times
	(dnssec-signzone -j jitter).

	Add support for CH A record.

	Add additional zone data consistancy checks.  named-checkzone
	has extended checking of NS, MX and SRV record and the hosts
	they reference.  named has extended post zone load checks.
	New zone options: check-mx and integrity-check.

	edns-udp-size can now be overridden on a per server basis.

	dig can now specify the EDNS version when making a query.

	Added framework for handling multiple EDNS versions.

	Additional memory debugging support to track size and mctx
	arguments.

	Detect duplicates of UDP queries we are recursing on and
	drop them.  New stats category "duplicates".

	Memory management. "USE INTERNAL MALLOC" is now runtime selectable.

	The lame cache is now done on a <qname,qclass,qtype> basis
	as some servers only appear to be lame for certain query
	types.

	Limit the number of recursive clients that can be waiting
	for a single query (<qname,qtype,qclass>) to resolve.  New
	options clients-per-query and max-clients-per-query.

	dig: report the number of extra bytes still left in the
	packet after processing all the records.

	Support for IPSECKEY rdata type.

	Raise the UDP receive buffer size to 32k if it is less than 32k.

	x86 and x86_64 now have separate atomic locking implementations.

	named-checkconf now validates update-policy entries.

	Attempt to make the amount of work performed in a iteration
	self tuning.  The covers nodes clean from the cache per
	iteration, nodes written to disk when rewriting a master
	file and nodes destroyed per iteration when destroying a
	zone or a cache.

	ISC string copy API.

	Automatic empty zone creation for D.F.IP6.ARPA and friends.
	Note: RFC 1918 zones are not yet covered by this but are
	likely to be in a future release.

	New options: empty-server, empty-contact, empty-zones-enable
	and disable-empty-zone.

	dig now has a '-q queryname' and '+showsearch' options.

	host/nslookup now continue (default)/fail on SERVFAIL.

	dig now warns if 'RA' is not set in the answer when 'RD'
	was set in the query.  host/nslookup skip servers that fail
	to set 'RA' when 'RD' is set unless a server is explicitly
	set.

	Integrate contributed DLZ code into named.

	Integrate contributed IDN code from JPNIC.

	Validate pending NS RRsets, in the authority section, prior
	to returning them if it can be done without requiring DNSKEYs
	to be fetched.

	It is now possible to configure named to accept expired
	RRSIGs.  Default "dnssec-accept-expired no;".  Setting
	"dnssec-accept-expired yes;" leaves named vulnerable to
	replay attacks.

	Additional memory leakage checks.

	The maximum EDNS UDP response named will send can now be
	set in named.conf (max-udp-size).  This is independent of
	the advertised receive buffer (edns-udp-size).

	Named now falls back to advertising EDNS with a 512 byte
	receive buffer if the initial EDNS queries fail.

	Control the zeroing of the negative response TTL to a soa
	query.  Defaults "zero-no-soa-ttl yes;" and
	"zero-no-soa-ttl-cache no;".
			
	Separate out MX and SRV to CNAME checks.

	dig/nslookup/host: warn about missing "QR".

	TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
	HMACSHA512 support.

	dnssec-signzone: output the SOA record as the first record
	in the signed zone.

	Two new update policies.  "selfsub" and "selfwild".

	dig, nslookup and host now advertise a 4096 byte EDNS UDP
	buffer size by default.

	Report when a zone is removed.

	DS/DLV SHA256 digest algorithm support.

	Implement "rrset-order fixed".

	Check the KSK flag when updating a secure dynamic zone.
	New zone option "update-check-ksk yes;".

	It is now possible to explicitly enable DNSSEC validation.
	default dnssec-validation no; to be changed to yes in 9.5.0.

	It is now possible to enable/disable DNSSEC validation
	from rndc.  This is useful for the mobile hosts where the
	current connection point breaks DNSSEC (firewall/proxy).

		rndc validation newstate [view]

	dnssec-signzone can now update the SOA record of the signed
	zone, either as an increment or as the system time().

	Statistics about acache now recorded and sent to log.

	libbind: corresponds to that from BIND 8.4.7.

BIND 9.4.0b2 can be downloaded from

        ftp://ftp.isc.org/isc/bind9/9.4.0b2/bind-9.4.0b2.tar.gz

The PGP signature of the distribution is at

        ftp://ftp.isc.org/isc/bind9/9.4.0b2/bind-9.4.0b2.tar.gz.asc
        ftp://ftp.isc.org/isc/bind9/9.4.0b2/bind-9.4.0b2.tar.gz.sha256.asc
        ftp://ftp.isc.org/isc/bind9/9.4.0b2/bind-9.4.0b2.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at <http://www.isc.org/about/openpgp/pgpkey2006.txt>.

A binary kit for Windows NT 4.0, Windows 2000, Windows XP and Window 2003 is at

	ftp://ftp.isc.org/isc/bind9/9.4.0b2/BIND9.4.0b2.zip
	ftp://ftp.isc.org/isc/bind9/9.4.0b2/BIND9.4.0b2.debug.zip

The PGP signature of the binary kit for Windows NT 4.0, Windows 2000,
Windows XP and Window 2003 is at
        
	ftp://ftp.isc.org/isc/bind9/9.4.0b2/BIND9.4.0b2.zip.asc
	ftp://ftp.isc.org/isc/bind9/9.4.0b2/BIND9.4.0b2.zip.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.4.0b2/BIND9.4.0b2.zip.sha512.asc
	ftp://ftp.isc.org/isc/bind9/9.4.0b2/BIND9.4.0b2.debug.zip.asc
	ftp://ftp.isc.org/isc/bind9/9.4.0b2/BIND9.4.0b2.debug.zip.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.4.0b2/BIND9.4.0b2.debug.zip.sha512.asc

Changes since 9.4.0a1.

	--- 9.4.0b2 released ---

2081.	[port]		libbind: minor 64-bit portability fix in memcluster.c.
			[RT #16360]

2080.	[port]		libbind: res_init.c did not compile on older versions
			of Solaris. [RT #16363]

2079.	[bug]		The lame cache was not handling multiple types
			correctly. [RT #16361]

2078.	[bug]		dnssec-checkzone output style "default" was badly
			named.  It is now called "relative". [RT #16326]

2077.	[bug]		'dnssec-signzone -O raw' wasn't outputing the
			complete signed zone. [RT #16326]

2076.	[bug]		Several files were missing #include <config.h>
			causing build failures on OSF. [RT #16341]

2075.	[bug]		The spillat timer event hander could leak memory.
			[RT #16357]

2074.	[bug]		dns_request_createvia2(), dns_request_createvia3(),
			dns_request_createraw2() and dns_request_createraw3()
			failed to send multiple UDP requests. [RT #16349]

2073.	[bug]		Incorrect semantics check for update policy "wildcard".
			[RT #16353]

2072.	[bug]		We were not generating valid HMAC SHA digests.
			[RT #16320]

2071.	[port]		Test whether gcc accepts -fno-strict-aliasing.
			[RT #16324]

2070.	[bug]		The remote address was not always displayed when
			reporting dispatch failures. [RT #16315]

2069.	[bug]		Cross compiling was not working. [RT #16330]

2068.	[cleanup]	Lower incremental tuning message to debug 1.
			[RT #16319]

2067.	[bug]		'rndc' could close the socket too early triggering
			a INSIST under Windows. [RT #16317]

2066.	[security]	Handle SIG queries gracefully. [RT #16300]

2065.	[bug]		libbind: probe for HPUX prototypes for
			endprotoent_r() and endservent_r().  [RT 16313]

2064.	[bug]		libbind: silence AIX compiler warnings. [RT #16218]

2063.	[bug]		Change #1955 introduced a bug which caused the first
			'rndc flush' call to not free memory. [RT #16244]

2062.	[bug]		'dig +nssearch' was reusing a buffer before it had
			been returned by the socket code. [RT #16307]

2061.	[bug]		Accept expired wildcard message reversed. [RT #16296]

2060.	[bug]		Enabling DLZ support could leave views partially
			configured. [RT #16295]

	--- 9.4.0b1 released ---

2059.	[bug]		Search into cache rbtdb could trigger an INSIST
			failure while cleaning up a stale rdataset.
			[RT #16292]

2058.	[bug]		Adjust how we calculate rtt estimates in the presence
			of authoritative servers that drop EDNS and/or CD
			requests.  Also fallback to EDNS/512 and plain DNS
			faster for zones with less than 3 servers.  [RT #16187]

2057.	[bug]		Make setting "ra" dependent on both allow-query-cache
			and allow-recursion. [RT #16290]

2056.	[bug]		dig: ixfr= was not being treated case insensitively
			at all times. [RT #15955]

2055.	[bug]		Missing goto after dropping multicast query.
			[RT #15944]

2054.	[port]		freebsd: do not explicitly link against -lpthread.
			[RT #16170]

2053.	[port]		netbsd:libbind: silence compiler warnings. [RT #16220]

2052.	[bug]		'rndc' improve connect failed message to report
			the failing address. [RT #15978]

2051.	[port]		More strtol() fixes. [RT #16249]

2050.	[bug]		Parsing of NSAP records was not case insensitive.
			[RT #16287]

2049.	[bug]		Restore SOA before AXFR when falling back from
			a attempted IXFR when transfering in a zone.
			Allow a initial SOA query before attempting
			a AXFR to be requested. [RT #16156]

2048.	[bug]		It was possible to loop forever when using
			avoid-v4-udp-ports / avoid-v6-udp-ports when
			the OS always returned the same local port.
			[RT #16182]

2047.	[bug]		Failed to initialise the interface flags to zero.
			[RT #16245]

2046.	[bug]		rbtdb.c:rdataset_setadditional() could cause duplicate
			cleanup [RT #16247].

2045.	[func]		Use lock buckets for acache entries to limit memory
			consumption. [RT #16183]

2044.	[port]		Add support for atomic operations for Itanium.
			[RT #16179]

2043.	[port]		nsupdate/nslookup: Force the flushing of the prompt
			for interactive sessions. [RT#16148]

2042.	[bug]		named-checkconf was incorrectly rejecting the
			logging category "config". [RT #16117]

2041.	[bug]		"configure --with-dlz-bdb=yes" produced a bad
			set of libraries to be linked. [RT #16129]

2040.	[bug]		rbtdb no_references() could trigger an INSIST
			failure with --enable-atomic.  [RT #16022]

2039.	[func]		Check that all buffers passed to the socket code
			have been retrieved when the socket event is freed.
			[RT #16122]

2038.	[bug]		dig/nslookup/host was unlinking from wrong list
			when handling errors. [RT #16122]

2037.	[func]		When unlinking the first or last element in a list
			check that the list head points to the element to
			be unlinked. [RT #15959]

2036.	[bug]		'rndc recursing' could cause trigger a REQUIRE.
			[RT #16075]

2034.	[bug]		gcc: set -fno-strict-aliasing. [RT #16124]

2033.	[bug]		We wern't creating multiple client memory contexts
			on demand as expected. [RT #16095]

	--- 9.4.0a6 released ---

2032.	[bug]		Remove a INSIST in query_addadditional2(). [RT #16074]

2031.	[bug]		Emit a error message when "rndc refresh" is called on
			a non slave/stub zone. [RT # 16073]

2030.	[bug]		We were being overly conservative when disabling
			openssl engine support. [RT #16030]

2029.	[bug]		host printed out the server multiple times when
			specified on the command line. [RT #15992]

2028.	[port]		linux: socket.c compatability for old systems.
			[RT #16015]

2027.	[port]		libbind: Solaris x86 support. [RT #16020]

2026.	[bug]		Rate limit the two recursive client exceeded messages.
			[RT #16044]

2025.	[func]		Update "zone serial unchanged" message. [RT #16026]

2024.	[bug]		named emited spurious "zone serial unchanged"
			messages on reload. [RT #16027]

2023.	[bug]		"make install" should create ${localstatedir}/run and
			${sysconfdir} if they do not exist. [RT #16033]

2022.	[bug]		If dnssec validation is disabled only assert CD if
			CD was requested. [RT #16037]

2021.	[bug]		dnssec-enable no; triggered a REQUIRE. [RT #16037]

2020.	[bug]		rdataset_setadditional() could leak memory. [RT #16034]

2019.	[tuning]	Reduce the amount of work performed per quantum
			when cleaning the cache. [RT #15986]

2018.	[bug]		Checking if the HMAC MD5 private file was broken.
			[RT #15960]

2017.	[bug]		allow-query default was not correct. [RT #15946]

2016.	[bug]		Return a partial answer if recursion is not
			allowed but requested and we had the answer
			to the original qname. [RT #15945]

	--- 9.4.0a5 released ---

2015.	[cleanup]	use-additional-cache is now acache-enable for
			consistancy.  Default acache-enable off in BIND 9.4
			as it requires memory usage to be configured.
			It may be enabled by default in BIND 9.5 once we
			have more experience with it.

2014.	[func]		Statistics about acache now recorded and sent
			to log. [RT #15976]

2013.	[bug]		Handle unexpected TSIGs on unsigned AXFR/IXFR
			responses more gracefully. [RT #15941]

2012.	[func]		Don't insert new acache entries if acache is full.
			[RT #15970]

2011.	[func]		dnssec-signzone can now update the SOA record of
			the signed zone, either as an increment or as the
			system time(). [RT #15633]

	--- 9.4.0a4 released ---

2009.	[bug]		libbind: coverity fixes. [RT #15808]

2008.	[func]		It is now posssible to enable/disable DNSSEC
			validation from rndc.  This is useful for the
			mobile hosts where the current connection point
			breaks DNSSEC (firewall/proxy).  [RT #15592]

				rndc validation newstate [view]

2007.	[func]		It is now possible to explicitly enable DNSSEC
			validation.  default dnssec-validation no; to
			be changed to yes in 9.5.0.  [RT #15674]

2006.	[security]	Allow-query-cache and allow-recursion now default
			to the builtin acls "localnets" and "localhost".

			This is being done to make caching servers less
			attractive as reflective amplifying targets for
			spoofed traffic.  This still leave authoritative
			servers exposed.

			The best fix is for full BCP 38 deployment to
			remove spoofed traffic.

2005.	[bug]		libbind: Retransmission timeouts should be
			based on which attempt it is to the nameserver
			and not the nameserver itself. [RT #13548]

2004.	[bug]		dns_tsig_sign() could pass a NULL pointer to
			dst_context_destroy() when cleaning up after a
			error. [RT #15835]

2003.	[bug]		libbind: The DNS name/address lookup functions could
			occasionally follow a random pointer due to
			structures not being completely zeroed. [RT #15806]

2002.	[bug]		libbind: tighten the constraints on when
			struct addrinfo._ai_pad exists.  [RT #15783]

2001.	[func]		Check the KSK flag when updating a secure dynamic zone.
			New zone option "update-check-ksk yes;".  [RT #15817]

2000.	[bug]		memmove()/strtol() fix was incomplete. [RT #15812]

1999.	[func]		Implement "rrset-order fixed". [RT #13662]

1998.	[bug]		Restrict handling of fifos as sockets to just SunOS.
			This allows named to connect to entropy gathering
			daemons that use fifos instead of sockets. [RT #15840]

1997.	[bug]		Named was failing to replace negative cache entries
			when a positive one for the type was learnt.
			[RT #15818]

1996.	[bug]		nsupdate: if a zone has been specified it should
			appear in the output of 'show'. [RT #15797]

1995.	[bug]		'host' was reporting multiple "is an alias" messages.
			[RT #15702]

1994.	[port]		OpenSSL 0.9.8 support. [RT #15694]

1993.	[bug]		Log messsage, via syslog, were missing the space
			after the timestamp if "print-time yes" was specified.
			[RT #15844]

1992.	[bug]		Not all incoming zone transfer messages included the
			view.  [RT #15825]

1991.	[cleanup]	The configuration data, once read, should be treated
			as readonly.  Expand the use of const to enforce this
			at compile time. [RT #15813]

1990.	[bug]		libbind:  isc's override of broken gettimeofday()
			implementions was not always effective.
			[RT #15709]

1989.	[bug]		win32: don't check the service password when
			re-installing. [RT #15882]

1988.	[bug]		Remove a bus error from the SHA256/SHA512 support.
			[RT #15878]

1987.	[func]		DS/DLV SHA256 digest algorithm support. [RT #15608]

1986.	[func]		Report when a zone is removed. [RT #15849]

1985.	[protocol]	DLV has now been assigned a official type code of
			32769. [RT #15807]

			Note: care should be taken to ensure you upgrade
			both named and dnssec-signzone at the same time for
			zones with DLV records where named is the master
			server for the zone.  Also any zones that contain
			DLV records should be removed when upgrading a slave
			zone.  You do not however have to upgrade all
			servers for a zone with DLV records simultaniously.

1984.	[func]		dig, nslookup and host now advertise a 4096 byte
			EDNS UDP buffer size by default. [RT #15855]

1983.	[func]		Two new update policies.  "selfsub" and "selfwild".
			[RT #12895]

1982.	[bug]		DNSKEY was being accepted on the parent side of
			a delegation.  KEY is still accepted there for
			RFC 3007 validated updates. [RT #15620]

1981.	[bug]		win32: condition.c:wait() could fail to reattain
			the mutex lock.

1980.	[func]		dnssec-signzone: output the SOA record as the
			first record in the signed zone. [RT #15758]

1979.	[port]		linux: allow named to drop core after changing
			user ids. [RT #15753]

1978.	[port]		Handle systems which have a broken recvmsg().
			[RT #15742]

1977.	[bug]		Silence noisy log message. [RT #15704]

1976.	[bug]		Handle systems with no IPv4 addresses. [RT #15695]

1975.	[bug]		libbind: isc_gethexstring() could misparse multi-line
			hex strings with comments. [RT #15814]

1974.	[doc]		List each of the zone types and associated zone
			options seperately in the ARM.

1973.	[func]		TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
			HMACSHA512 support. [RT #13606]

1972.	[contrib]	DBUS dynamic forwarders integation from
			Jason Vas Dias <jvdias at redhat.com>.

1971.	[port]		linux: make detection of missing IF_NAMESIZE more
			robust. [RT #15443]

1970.	[bug]		nsupdate: adjust UDP timeout when falling back to
			unsigned SOA query. [RT #15775]

1969.	[bug]		win32: the socket code was freeing the socket
			structure too early. [RT #15776]

1968.	[bug]		Missing lock in resolver.c:validated(). [RT #15739]

1967.	[func]		dig/nslookup/host: warn about missing "QR". [RT #15779]

1966.	[bug]		Don't set CD when we have fallen back to plain DNS.
			[RT #15727]

1965.	[func]		Suppress spurious "recusion requested but not
			available" warning with 'dig +qr'. [RT #15780].

1964.	[func]		Seperate out MX and SRV to CNAME checks. [RT #15723]

1963.	[port]		Tru64 4.0E doesn't support send() and recv(). 
			[RT #15586]

1962.	[bug]		Named failed to clear old update-policy when it
			was removed. [RT #15491]

1961.	[bug]		Check the port and address of responses forwarded
			to dispatch. [RT #15474]

1960.	[bug]		Update code should set NSEC ttls from SOA MINIMUM.
			[RT #15465]

1959.	[func]		Control the zeroing of the negative response TTL to
			a soa query.  Defaults "zero-no-soa-ttl yes;" and
			"zero-no-soa-ttl-cache no;". [RT #15460]

1958.	[bug]		Named failed to update the zone's secure state
			until the zone was reloaded. [RT #15412]

1957.	[bug]		Dig mishandled responses to class ANY queries.
			[RT #15402]

1956.	[bug]		Improve cross compile support, 'gen' is now built
			by native compiler.  See README for additional
			cross compile support information. [RT #15148]

1955.	[bug]		Pre-allocate the cache cleaning interator. [RT #14998]

1954.	[func]		Named now falls back to advertising EDNS with a
			512 byte receive buffer if the initial EDNS queries
			fail.  [RT #14852]

1953.	[func]		The maximum EDNS UDP response named will send can
			now be set in named.conf (max-udp-size).  This is
			independent of the advertised receive buffer
			(edns-udp-size). [RT #14852]

1952.	[port]		hpux: tell the linker to build a runtime link
			path "-Wl,+b:". [RT #14816].

1951.	[security]	Drop queries from particular well known ports.
			Don't return FORMERR to queries from particular
			well known ports.  [RT #15636]
			
1950.	[port]		Solaris 2.5.1 and earlier cannot bind() then connect()
			a TCP socket. This prevents the source address being
			set for TCP connections. [RT #15628]

1949.	[func]		Addition memory leakage checks. [RT #15544]

1948.	[bug]		If was possible to trigger a REQUIRE failure in
			xfrin.c:maybe_free() if named ran out of memory.
			[RT #15568]

1947.	[func]		It is now possible to configure named to accept
			expired RRSIGs.  Default "dnssec-accept-expired no;".
			Setting "dnssec-accept-expired yes;" leaves named
			vulnerable to replay attacks.  [RT #14685]

1946.	[bug]		resume_dslookup() could trigger a REQUIRE failure
			when using forwarders. [RT #15549]

1945.	[cleanup]	dnssec-keygen: RSA (RSAMD5) is nolonger recommended.
			To generate a RSAMD5 key you must explicitly request
			RSAMD5. [RT #13780]
			
1944.	[cleanup]	isc_hash_create() does not need a read/write lock.
			[RT #15522]

1943.	[bug]		Set the loadtime after rolling forward the journal.
			[RT #15647]

1597.	[func]		Allow notify-source and query-source to be specified
			on a per server basis similar to transfer-source.
			[RT #6496]

	--- 9.4.0a3 released ---

1942.	[bug]		If the name of a DNSKEY match that of one in
			trusted-keys do not attempt to validate the DNSKEY
			using the parents DS RRset. [RT #15649]

1941.	[bug]		ncache_adderesult() should set eresult even if no
			rdataset is passed to it. [RT #15642]

1940.	[bug]		Fixed a number of error conditions reported by
			Coverity.

1939.	[bug]		The resolver could dereference a null pointer after
			validation if all the queries have timed out.
			[RT #15528]

1938.	[bug]		The validator was not correctly handling unsecure
			negative responses at or below a SEP. [RT #15528]

1937.	[bug]		sdlz doesn't handle RRSIG records. [RT #15564]

1936.	[bug]		The validator could leak memory. [RT #15544]

1935.	[bug]		'acache' was DO sensitive. [RT #15430]

1934.	[func]		Validate pending NS RRsets, in the authority section,
			prior to returning them if it can be done without 
			requiring DNSKEYs to be fetched.  [RT #15430]

1919.	[contrib]	queryperf: a set of new features: collecting/printing
			response delays, printing intermediate results, and
			adjusting query rate for the "target" qps.

	--- 9.4.0a2 released ---

1933.	[bug]		dump_rdataset_raw() had a incorrect INSIST. [RT #15534]

1932.	[bug]		hpux: LDFLAGS was getting corrupted. [RT #15530]

1931.	[bug]		Per-client mctx could require a huge amount of memory,
			particularly for a busy caching server. [RT #15519]

1930.	[port]		HPUX: ia64 support. [RT #15473]

1929.	[port]		FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.

1928.	[bug]		Race in rbtdb.c:currentversion(). [RT #15517]

1927.	[bug]		Access to soanode or nsnode in rbtdb violated the
			lock order rule and could cause a dead lock.
			[RT# 15518]

1926.	[bug]		The Windows installer did not check for empty
			passwords.  BINDinstall was being installed in
			the wrong place. [RT #15483]

1925.	[port]		All outer level AC_TRY_RUNs need cross compiling
			defaults. [RT #15469]

1924.	[port]		libbind: hpux ia64 support. [RT #15473]

1923.	[bug]		ns_client_detach() called too early. [RT #15499]

1922.	[bug]		check-tool.c:setup_logging() missing call to
			dns_log_setcontext().

1921.	[bug]		Client memory contexts were not using internal
			malloc. [RT# 15434]

1920.	[bug]		The cache rbtdb lock array was too small to
			have the desired performance characteristics.
			[RT #15454]

	--- 9.4.0a1 released ---



More information about the bind-announce mailing list