BIND 9.4.0 is now available.

Mark Andrews Mark_Andrews at isc.org
Sat Feb 24 02:02:40 UTC 2007


		BIND 9.4.0 is now available.

	BIND 9.4.0 is a feature release for BIND 9.

	BIND 9.4.0 contains security fixes:

2126.	[security]	Serialise validation of type ANY responses. [RT #16555]

2124.	[security]	It was possible to dereference a freed fetch
			context. [RT #16584]

2089.	[security]	Raise the minimum safe OpenSSL versions to
			OpenSSL 0.9.7l and OpenSSL 0.9.8d.  Versions
			prior to these have known security flaws which
			are (potentially) exploitable in named. [RT #16391]

2088.	[security]	Change the default RSA exponent from 3 to 65537.
			[RT #16391]

2066.	[security]	Handle SIG queries gracefully. [RT #16300]

1941.   [bug]           ncache_adderesult() should set eresult even if no
                        rdataset is passed to it. [RT #15642]

	If you are running a BIND 9.3.x or pre BIND 9.4.0 version without
	these changes you are advised to upgrade as soon as possible to
	one of BIND 9.3.4 or BIND 9.4.0.
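
Change 2088 above (and change 2112 in the full change list) concerns the RSA public exponent. As an added example, not part of the original announcement or of BIND, the following Python script parses the RFC 3110 key field of DNSKEY/KEY records and reports exponents below 65537. The sample records, the one-record-per-line input and the reporting threshold are assumptions of this example.

```python
"""Added example: report RSA DNSKEY/KEY records that use a small public exponent."""
import base64

# DNSSEC algorithm numbers whose public key field uses the RFC 3110 RSA layout.
RSA_ALGORITHMS = {1: "RSAMD5", 5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1",
                  8: "RSASHA256", 10: "RSASHA512"}

# Assumption of this example: every exponent below 65537 is reported.
# The announcement itself only says the default moved from 3 to 65537.
MIN_EXPONENT = 65537


def parse_rsa_public_key(blob):
    """Split an RFC 3110 RSA key blob into (exponent, modulus_bits)."""
    if not blob:
        raise ValueError("empty key")
    exp_len = blob[0]
    offset = 1
    if exp_len == 0:
        # Long form: a zero octet followed by a 2-octet big-endian length.
        if len(blob) < 3:
            raise ValueError("truncated exponent length")
        exp_len = int.from_bytes(blob[1:3], "big")
        offset = 3
    if exp_len == 0 or len(blob) <= offset + exp_len:
        raise ValueError("truncated exponent or missing modulus")
    exponent = int.from_bytes(blob[offset:offset + exp_len], "big")
    modulus = int.from_bytes(blob[offset + exp_len:], "big")
    return exponent, modulus.bit_length()


def audit_key_records(zone_text):
    """Return one finding per RSA DNSKEY/KEY record.

    Assumes one record per line (no parenthesised multi-line records) and
    that the owner name is the first field of the line.
    """
    findings = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop trailing comment
        idx = next((i for i, f in enumerate(fields)
                    if f in ("DNSKEY", "KEY")), None)
        if idx is None:
            continue
        rdata = fields[idx + 1:]
        owner = fields[0] if idx > 0 else ""
        try:
            if len(rdata) < 4:
                raise ValueError("short rdata")
            algorithm = int(rdata[2])            # rdata: flags protocol algorithm key
            if algorithm not in RSA_ALGORITHMS:
                continue                         # not an RSA key, nothing to check
            blob = base64.b64decode("".join(rdata[3:]))
            exponent, bits = parse_rsa_public_key(blob)
        except ValueError as exc:                # includes base64 decoding errors
            findings.append({"owner": owner, "error": str(exc)})
            continue
        findings.append({"owner": owner,
                         "algorithm": RSA_ALGORITHMS[algorithm],
                         "exponent": exponent,
                         "modulus_bits": bits,
                         "weak": exponent < MIN_EXPONENT})
    return findings


def constructed_record(owner, exponent, modulus_bits=1024):
    """Build a sample DNSKEY line. The modulus is a dummy value, not a real key."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    modulus = ((1 << (modulus_bits - 1)) | 1).to_bytes(modulus_bits // 8, "big")
    blob = bytes([len(exp)]) + exp + modulus
    return "%s 3600 IN DNSKEY 256 3 5 %s" % (owner, base64.b64encode(blob).decode())


# Constructed sample input (not taken from any real zone).
SAMPLE_ZONE = "\n".join([
    constructed_record("old.example.", 3),
    constructed_record("new.example.", 65537),
    "dsa.example. 3600 IN DNSKEY 256 3 3 AAAA ; non-RSA algorithm, skipped",
])

if __name__ == "__main__":
    for finding in audit_key_records(SAMPLE_ZONE):
        print(finding)
```
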

BIND 9.4 has a number of new features over BIND 9.3, including:

	Implemented "additional section caching" (or "acache"), an
	internal cache framework for additional section content to
	improve response performance.  Several configuration options
	were provided to control the behavior.

	New notify type 'master-only'.  Enable notify for master
	zones only.

	Accept 'notify-source' style syntax for query-source.

	rndc now allows addresses to be set in the server clauses.

	New option "allow-query-cache".  This lets allow-query be
	used to specify the default zone access level rather than
	having to have every zone override the global value.
	allow-query-cache can be set at both the options and view
	levels.  If allow-query-cache is not set allow-query applies.

	rndc: the source address can now be specified.

	ixfr-from-differences now takes master and slave in addition
	to yes and no at the options and view levels.

	Allow the journal's name to be changed via named.conf.

	'rndc notify zone [class [view]]' resends the NOTIFY messages
	for the specified zone.

	'dig +trace' now randomly selects the next servers to try.
	Report if there is a bad delegation.

	Improve check-names error messages.

	Make public the function to read a key file, dst_key_read_public().

	dig now returns the byte count for axfr/ixfr.
			
	allow-update is now settable at the options / view level.

	named-checkconf now checks the logging configuration.

	host now can turn on memory debugging flags with '-m'.

	Don't send notify messages to self.

	Perform sanity checks on NS records which refer to 'in zone' names.

	New zone option "notify-delay".  Specify a minimum delay
	between sets of NOTIFY messages.

	Extend adjusting TTL warning messages.

	Named and named-checkzone can now both check for non-terminal
	wildcard records.

	"rndc freeze/thaw" now freezes/thaws all zones.

	named-checkconf now checks acls to verify that they only
	refer to existing acls.

	The server syntax has been extended to support a range of
	servers.

	Report differences between hints and real NS rrset and
	associated address records.

	Preserve the case of domain names in rdata during zone
	transfers.

	Restructured the data locking framework using architecture
	dependent atomic operations (when available), improving
	response performance on multi-processor machines significantly.
	x86, x86_64, alpha, powerpc, and mips are currently supported.

	UNIX domain controls are now supported.

	Add support for additional zone file formats for improving
	loading performance.  The masterfile-format option in
	named.conf can be used to specify a non-default format.  A
	separate command named-compilezone was provided to generate
	zone files in the new format.  Additionally, the -I and -O
	options for dnssec-signzone specify the input and output
	formats.

	dnssec-signzone can now randomize signature end times
	(dnssec-signzone -j jitter).

	Add support for CH A record.

	Add additional zone data consistency checks.  named-checkzone
	has extended checking of NS, MX and SRV records and the hosts
	they reference.  named has extended post zone load checks.
	New zone options: check-mx and integrity-check.

	edns-udp-size can now be overridden on a per server basis.

	dig can now specify the EDNS version when making a query.

	Added framework for handling multiple EDNS versions.

	Additional memory debugging support to track size and mctx
	arguments.

	Detect duplicates of UDP queries we are recursing on and
	drop them.  New stats category "duplicates".

	Memory management. "USE INTERNAL MALLOC" is now runtime selectable.

	The lame cache is now done on a <qname,qclass,qtype> basis
	as some servers only appear to be lame for certain query
	types.

	Limit the number of recursive clients that can be waiting
	for a single query (<qname,qtype,qclass>) to resolve.  New
	options clients-per-query and max-clients-per-query.

	dig: report the number of extra bytes still left in the
	packet after processing all the records.

	Support for IPSECKEY rdata type.

	Raise the UDP receive buffer size to 32k if it is less than 32k.

	x86 and x86_64 now have separate atomic locking implementations.

	named-checkconf now validates update-policy entries.

	Attempt to make the amount of work performed in an iteration
	self tuning.  This covers nodes cleaned from the cache per
	iteration, nodes written to disk when rewriting a master
	file and nodes destroyed per iteration when destroying a
	zone or a cache.

	ISC string copy API.

	Automatic empty zone creation for D.F.IP6.ARPA and friends.
	Note: RFC 1918 zones are not yet covered by this but are
	likely to be in a future release.

	New options: empty-server, empty-contact, empty-zones-enable
	and disable-empty-zone.

	dig now has a '-q queryname' and '+showsearch' options.

	host/nslookup now continue (default)/fail on SERVFAIL.

	dig now warns if 'RA' is not set in the answer when 'RD'
	was set in the query.  host/nslookup skip servers that fail
	to set 'RA' when 'RD' is set unless a server is explicitly
	set.

	Integrate contributed DLZ code into named.

	Integrate contributed IDN code from JPNIC.

	Validate pending NS RRsets, in the authority section, prior
	to returning them if it can be done without requiring DNSKEYs
	to be fetched.

	It is now possible to configure named to accept expired
	RRSIGs.  Default "dnssec-accept-expired no;".  Setting
	"dnssec-accept-expired yes;" leaves named vulnerable to
	replay attacks.

	Additional memory leakage checks.

	The maximum EDNS UDP response named will send can now be
	set in named.conf (max-udp-size).  This is independent of
	the advertised receive buffer (edns-udp-size).

	Named now falls back to advertising EDNS with a 512 byte
	receive buffer if the initial EDNS queries fail.

	Control the zeroing of the negative response TTL to a soa
	query.  Defaults "zero-no-soa-ttl yes;" and
	"zero-no-soa-ttl-cache no;".
			
	Separate out MX and SRV to CNAME checks.

	dig/nslookup/host: warn about missing "QR".

	TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
	HMACSHA512 support.

	dnssec-signzone: output the SOA record as the first record
	in the signed zone.

	Two new update policies.  "selfsub" and "selfwild".

	dig, nslookup and host now advertise a 4096 byte EDNS UDP
	buffer size by default.

	Report when a zone is removed.

	DS/DLV SHA256 digest algorithm support.

	Implement "rrset-order fixed".

	Check the KSK flag when updating a secure dynamic zone.
	New zone option "update-check-ksk yes;".

	It is now possible to explicitly enable DNSSEC validation.
	default dnssec-validation no; to be changed to yes in 9.5.0.

	It is now possible to enable/disable DNSSEC validation
	from rndc.  This is useful for the mobile hosts where the
	current connection point breaks DNSSEC (firewall/proxy).

		rndc validation newstate [view]

	dnssec-signzone can now update the SOA record of the signed
	zone, either as an increment or as the system time().

	Statistics about acache now recorded and sent to log.

	libbind: corresponds to that from BIND 8.4.7.

BIND 9.4.0 can be downloaded from

        ftp://ftp.isc.org/isc/bind9/9.4.0/bind-9.4.0.tar.gz

The PGP signature of the distribution is at

        ftp://ftp.isc.org/isc/bind9/9.4.0/bind-9.4.0.tar.gz.asc
        ftp://ftp.isc.org/isc/bind9/9.4.0/bind-9.4.0.tar.gz.sha256.asc
        ftp://ftp.isc.org/isc/bind9/9.4.0/bind-9.4.0.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at <http://www.isc.org/about/openpgp/pgpkey2006.txt>.

A binary kit for Windows NT 4.0 is at

	ftp://ftp.isc.org/isc/bind9/9.4.0/BIND9.4.0.nt4.zip
	ftp://ftp.isc.org/isc/bind9/9.4.0/BIND9.4.0.nt4.debug.zip

The PGP signature of the binary kit for Windows NT 4.0 is at
        
	ftp://ftp.isc.org/isc/bind9/9.4.0/BIND9.4.0.nt4.zip.asc
	ftp://ftp.isc.org/isc/bind9/9.4.0/BIND9.4.0.nt4.zip.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.4.0/BIND9.4.0.nt4.zip.sha512.asc
	ftp://ftp.isc.org/isc/bind9/9.4.0/BIND9.4.0.nt4.debug.zip.asc
	ftp://ftp.isc.org/isc/bind9/9.4.0/BIND9.4.0.nt4.debug.zip.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.4.0/BIND9.4.0.nt4.debug.zip.sha512.asc

Note: BIND 9.4.0 will be the last binary release for Windows NT 4.0.

A binary kit for Windows 2000, Windows XP and Windows 2003 is at

	ftp://ftp.isc.org/isc/bind9/9.4.0/BIND9.4.0.zip
	ftp://ftp.isc.org/isc/bind9/9.4.0/BIND9.4.0.debug.zip

The PGP signature of the binary kit for Windows 2000, Windows XP and
Windows 2003 is at
        
	ftp://ftp.isc.org/isc/bind9/9.4.0/BIND9.4.0.zip.asc
	ftp://ftp.isc.org/isc/bind9/9.4.0/BIND9.4.0.zip.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.4.0/BIND9.4.0.zip.sha512.asc
	ftp://ftp.isc.org/isc/bind9/9.4.0/BIND9.4.0.debug.zip.asc
	ftp://ftp.isc.org/isc/bind9/9.4.0/BIND9.4.0.debug.zip.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.4.0/BIND9.4.0.debug.zip.sha512.asc

Changes since 9.4.0a1.

	--- 9.4.0 released ---

2138.	[bug]		Lock order reversal in resolver.c. [RT #16653]

2137.	[port]		Mips little endian and/or mips 64 bit are now
			supported for atomic operations. [RT#16648]

2136.	[bug]		nslookup/host looped if there was no search list
			and the host didn't exist. [RT #16657]

2135.	[bug]		Uninitialised rdataset in sdlz.c. [RT# 16656]

2133.	[port]		powerpc:  Support both IBM and MacOS Power PC
			assembler syntaxes. [RT #16647]

2132.	[bug]		Missing unlock on out of memory in
			dns_dispatchmgr_setudp().

2131.	[contrib]	dlz/mysql: AXFR was broken. [RT #16630]

2128.	[doc]		xsltproc --nonet, update DTD versions.  [RT #16635]

	--- 9.4.0rc2 released ---

2127.	[port]		Improved OpenSSL 0.9.8 support. [RT #16563]

2126.	[security]	Serialise validation of type ANY responses. [RT #16555]

2125.	[bug]		dns_zone_getzeronosoattl() REQUIRE failure if DLZ
			was defined. [RT #16574]

2124.	[security]	It was possible to dereference a freed fetch
			context. [RT #16584]

2120.	[doc]		Fix markup on nsupdate man page. [RT #16556]

	--- 9.4.0rc1 released ---

2118.	[bug]		Handle response with long chains of domain name
			compression pointers which point to other compression
			pointers. [RT #16427]

2117.	[bug]		DNSSEC fixes: named could fail to cache NSEC records
			which could lead to validation failures.  named didn't
			handle negative DS responses that were in the process
			of being validated.  Check CNAME bit before accepting
			NODATA proof. To be able to ignore a child NSEC there
			must be SOA (and NS) set in the bitmap. [RT #16399]

2116.	[bug]		'rndc reload' could cause the cache to continually
			be cleaned. [RT #16401]

2115.	[bug]		'rndc reconfig' could trigger an INSIST if the
			number of masters for a zone was reduced. [RT #16444]

2114.	[bug]		dig/host/nslookup: searches for names with multiple
			labels were failing. [RT #16447]

2113.	[bug]		nsupdate: if a zone is specified it should be used
			for server discovery. [RT# 16455]

2112.	[security]	Warn if weak RSA exponent is used. [RT #16460]

2111.	[bug]		Fix a number of errors reported by Coverity.
			[RT #16507]

2110.	[bug]		"minimal-response yes;" interacted badly with BIND 8
			priming queries. [RT #16491]

2109.	[port]		libbind: silence aix 5.3 compiler warnings. [RT #16502]

2107.	[bug]		dighost.c: more cleanup of buffers. [RT #16499]

2104.	[port]		Fix Solaris SMF error message.

2103.	[port]		Add /usr/sfw to list of locations for OpenSSL
			under Solaris.

2102.	[port]		Silence solaris 10 warnings.

	--- 9.4.0b4 released ---

2101.	[bug]		OpenSSL version checks were not quite right.
			[RT #16476]

2100.	[port]		win32: copy libeay32.dll to Build\Debug.
			Copy Debug\named-checkzone to Debug\named-compilezone.

2099.	[port]		win32: more manifest issues.

2098.	[bug]		Race in rbtdb.c:no_references(), which occasionally
			triggered an INSIST failure about the node lock
			reference.  [RT #16411]

	--- 9.4.0b3 released ---

2097.	[bug]		named could reference a destroyed memory context
			after being reloaded / reconfigured. [RT #16428]

2096.	[bug]		libbind: handle applications that fail to detect
			res_init() failures better.

2095.	[port]		libbind: always prototype inet_cidr_ntop_ipv6() and
			net_cidr_ntop_ipv6(). [RT #16388]
 
2094.	[contrib]	Update named-bootconf.  [RT# 16404]

2093.	[bug]		named-checkzone -s was broken.

2092.	[bug]		win32: dig, host, nslookup.  Use registry config
			if resolv.conf does not exist or no nameservers
			listed. [RT #15877] 

2091.	[port]		dighost.c: race condition on cleanup. [RT #16417]

2090.	[port]		win32: Visual C++ 2005 command line manifest support.
			[RT #16417]

2089.	[security]	Raise the minimum safe OpenSSL versions to
			OpenSSL 0.9.7l and OpenSSL 0.9.8d.  Versions
			prior to these have known security flaws which
			are (potentially) exploitable in named. [RT #16391]

2088.	[security]	Change the default RSA exponent from 3 to 65537.
			[RT #16391]

2087.	[port]		libisc failed to compile on OS's w/o a vsnprintf.
			[RT #16382]

2086.	[port]		libbind: FreeBSD now has get*by*_r() functions.
			[RT #16403]

2085.	[doc]		win32: added index.html and README to zip. [RT #16201]

2084.	[contrib]	dbus update for 9.3.3rc2.

2083.	[port]		win32: Visual C++ 2005 support.

2082.	[doc]		Document 'cache-file' as a test only option.

	--- 9.4.0b2 released ---

2081.	[port]		libbind: minor 64-bit portability fix in memcluster.c.
			[RT #16360]

2080.	[port]		libbind: res_init.c did not compile on older versions
			of Solaris. [RT #16363]

2079.	[bug]		The lame cache was not handling multiple types
			correctly. [RT #16361]

2078.	[bug]		dnssec-checkzone output style "default" was badly
			named.  It is now called "relative". [RT #16326]

2077.	[bug]		'dnssec-signzone -O raw' wasn't outputting the
			complete signed zone. [RT #16326]

2076.	[bug]		Several files were missing #include <config.h>
			causing build failures on OSF. [RT #16341]

2075.	[bug]		The spillat timer event handler could leak memory.
			[RT #16357]

2074.	[bug]		dns_request_createvia2(), dns_request_createvia3(),
			dns_request_createraw2() and dns_request_createraw3()
			failed to send multiple UDP requests. [RT #16349]

2073.	[bug]		Incorrect semantics check for update policy "wildcard".
			[RT #16353]

2072.	[bug]		We were not generating valid HMAC SHA digests.
			[RT #16320]

2071.	[port]		Test whether gcc accepts -fno-strict-aliasing.
			[RT #16324]

2070.	[bug]		The remote address was not always displayed when
			reporting dispatch failures. [RT #16315]

2069.	[bug]		Cross compiling was not working. [RT #16330]

2068.	[cleanup]	Lower incremental tuning message to debug 1.
			[RT #16319]

2067.	[bug]		'rndc' could close the socket too early triggering
			an INSIST under Windows. [RT #16317]

2066.	[security]	Handle SIG queries gracefully. [RT #16300]

2065.	[bug]		libbind: probe for HPUX prototypes for
			endprotoent_r() and endservent_r().  [RT 16313]

2064.	[bug]		libbind: silence AIX compiler warnings. [RT #16218]

2063.	[bug]		Change #1955 introduced a bug which caused the first
			'rndc flush' call to not free memory. [RT #16244]

2062.	[bug]		'dig +nssearch' was reusing a buffer before it had
			been returned by the socket code. [RT #16307]

2061.	[bug]		Accept expired wildcard message reversed. [RT #16296]

2060.	[bug]		Enabling DLZ support could leave views partially
			configured. [RT #16295]

	--- 9.4.0b1 released ---

2059.	[bug]		Search into cache rbtdb could trigger an INSIST
			failure while cleaning up a stale rdataset.
			[RT #16292]

2058.	[bug]		Adjust how we calculate rtt estimates in the presence
			of authoritative servers that drop EDNS and/or CD
			requests.  Also fallback to EDNS/512 and plain DNS
			faster for zones with less than 3 servers.  [RT #16187]

2057.	[bug]		Make setting "ra" dependent on both allow-query-cache
			and allow-recursion. [RT #16290]

2056.	[bug]		dig: ixfr= was not being treated case insensitively
			at all times. [RT #15955]

2055.	[bug]		Missing goto after dropping multicast query.
			[RT #15944]

2054.	[port]		freebsd: do not explicitly link against -lpthread.
			[RT #16170]

2053.	[port]		netbsd:libbind: silence compiler warnings. [RT #16220]

2052.	[bug]		'rndc' improve connect failed message to report
			the failing address. [RT #15978]

2051.	[port]		More strtol() fixes. [RT #16249]

2050.	[bug]		Parsing of NSAP records was not case insensitive.
			[RT #16287]

2049.	[bug]		Restore SOA before AXFR when falling back from
			an attempted IXFR when transferring in a zone.
			Allow an initial SOA query before attempting
			an AXFR to be requested. [RT #16156]

2048.	[bug]		It was possible to loop forever when using
			avoid-v4-udp-ports / avoid-v6-udp-ports when
			the OS always returned the same local port.
			[RT #16182]

2047.	[bug]		Failed to initialise the interface flags to zero.
			[RT #16245]

2046.	[bug]		rbtdb.c:rdataset_setadditional() could cause duplicate
			cleanup [RT #16247].

2045.	[func]		Use lock buckets for acache entries to limit memory
			consumption. [RT #16183]

2044.	[port]		Add support for atomic operations for Itanium.
			[RT #16179]

2043.	[port]		nsupdate/nslookup: Force the flushing of the prompt
			for interactive sessions. [RT#16148]

2042.	[bug]		named-checkconf was incorrectly rejecting the
			logging category "config". [RT #16117]

2041.	[bug]		"configure --with-dlz-bdb=yes" produced a bad
			set of libraries to be linked. [RT #16129]

2040.	[bug]		rbtdb no_references() could trigger an INSIST
			failure with --enable-atomic.  [RT #16022]

2039.	[func]		Check that all buffers passed to the socket code
			have been retrieved when the socket event is freed.
			[RT #16122]

2038.	[bug]		dig/nslookup/host was unlinking from wrong list
			when handling errors. [RT #16122]

2037.	[func]		When unlinking the first or last element in a list
			check that the list head points to the element to
			be unlinked. [RT #15959]

2036.	[bug]		'rndc recursing' could trigger a REQUIRE.
			[RT #16075]

2034.	[bug]		gcc: set -fno-strict-aliasing. [RT #16124]

2033.	[bug]		We weren't creating multiple client memory contexts
			on demand as expected. [RT #16095]

	--- 9.4.0a6 released ---

2032.	[bug]		Remove an INSIST in query_addadditional2(). [RT #16074]

2031.	[bug]		Emit an error message when "rndc refresh" is called on
			a non slave/stub zone. [RT # 16073]

2030.	[bug]		We were being overly conservative when disabling
			openssl engine support. [RT #16030]

2029.	[bug]		host printed out the server multiple times when
			specified on the command line. [RT #15992]

2028.	[port]		linux: socket.c compatibility for old systems.
			[RT #16015]

2027.	[port]		libbind: Solaris x86 support. [RT #16020]

2026.	[bug]		Rate limit the two recursive client exceeded messages.
			[RT #16044]

2025.	[func]		Update "zone serial unchanged" message. [RT #16026]

2024.	[bug]		named emitted spurious "zone serial unchanged"
			messages on reload. [RT #16027]

2023.	[bug]		"make install" should create ${localstatedir}/run and
			${sysconfdir} if they do not exist. [RT #16033]

2022.	[bug]		If dnssec validation is disabled only assert CD if
			CD was requested. [RT #16037]

2021.	[bug]		dnssec-enable no; triggered a REQUIRE. [RT #16037]

2020.	[bug]		rdataset_setadditional() could leak memory. [RT #16034]

2019.	[tuning]	Reduce the amount of work performed per quantum
			when cleaning the cache. [RT #15986]

2018.	[bug]		Checking if the HMAC MD5 private file was broken.
			[RT #15960]

2017.	[bug]		allow-query default was not correct. [RT #15946]

2016.	[bug]		Return a partial answer if recursion is not
			allowed but requested and we had the answer
			to the original qname. [RT #15945]

	--- 9.4.0a5 released ---

2015.	[cleanup]	use-additional-cache is now acache-enable for
			consistency.  Default acache-enable off in BIND 9.4
			as it requires memory usage to be configured.
			It may be enabled by default in BIND 9.5 once we
			have more experience with it.

2014.	[func]		Statistics about acache now recorded and sent
			to log. [RT #15976]

2013.	[bug]		Handle unexpected TSIGs on unsigned AXFR/IXFR
			responses more gracefully. [RT #15941]

2012.	[func]		Don't insert new acache entries if acache is full.
			[RT #15970]

2011.	[func]		dnssec-signzone can now update the SOA record of
			the signed zone, either as an increment or as the
			system time(). [RT #15633]

	--- 9.4.0a4 released ---

2009.	[bug]		libbind: coverity fixes. [RT #15808]

2008.	[func]		It is now possible to enable/disable DNSSEC
			validation from rndc.  This is useful for the
			mobile hosts where the current connection point
			breaks DNSSEC (firewall/proxy).  [RT #15592]

				rndc validation newstate [view]

2007.	[func]		It is now possible to explicitly enable DNSSEC
			validation.  default dnssec-validation no; to
			be changed to yes in 9.5.0.  [RT #15674]

2006.	[security]	Allow-query-cache and allow-recursion now default
			to the builtin acls "localnets" and "localhost".

			This is being done to make caching servers less
			attractive as reflective amplifying targets for
			spoofed traffic.  This still leaves authoritative
			servers exposed.

			The best fix is for full BCP 38 deployment to
			remove spoofed traffic.

2005.	[bug]		libbind: Retransmission timeouts should be
			based on which attempt it is to the nameserver
			and not the nameserver itself. [RT #13548]

2004.	[bug]		dns_tsig_sign() could pass a NULL pointer to
			dst_context_destroy() when cleaning up after an
			error. [RT #15835]

2003.	[bug]		libbind: The DNS name/address lookup functions could
			occasionally follow a random pointer due to
			structures not being completely zeroed. [RT #15806]

2002.	[bug]		libbind: tighten the constraints on when
			struct addrinfo._ai_pad exists.  [RT #15783]

2001.	[func]		Check the KSK flag when updating a secure dynamic zone.
			New zone option "update-check-ksk yes;".  [RT #15817]

2000.	[bug]		memmove()/strtol() fix was incomplete. [RT #15812]

1999.	[func]		Implement "rrset-order fixed". [RT #13662]

1998.	[bug]		Restrict handling of fifos as sockets to just SunOS.
			This allows named to connect to entropy gathering
			daemons that use fifos instead of sockets. [RT #15840]

1997.	[bug]		Named was failing to replace negative cache entries
			when a positive one for the type was learnt.
			[RT #15818]

1996.	[bug]		nsupdate: if a zone has been specified it should
			appear in the output of 'show'. [RT #15797]

1995.	[bug]		'host' was reporting multiple "is an alias" messages.
			[RT #15702]

1994.	[port]		OpenSSL 0.9.8 support. [RT #15694]

1993.	[bug]		Log messages, via syslog, were missing the space
			after the timestamp if "print-time yes" was specified.
			[RT #15844]

1992.	[bug]		Not all incoming zone transfer messages included the
			view.  [RT #15825]

1991.	[cleanup]	The configuration data, once read, should be treated
			as readonly.  Expand the use of const to enforce this
			at compile time. [RT #15813]

1990.	[bug]		libbind:  isc's override of broken gettimeofday()
			implementations was not always effective.
			[RT #15709]

1989.	[bug]		win32: don't check the service password when
			re-installing. [RT #15882]

1988.	[bug]		Remove a bus error from the SHA256/SHA512 support.
			[RT #15878]

1987.	[func]		DS/DLV SHA256 digest algorithm support. [RT #15608]

1986.	[func]		Report when a zone is removed. [RT #15849]

1985.	[protocol]	DLV has now been assigned an official type code of
			32769. [RT #15807]

			Note: care should be taken to ensure you upgrade
			both named and dnssec-signzone at the same time for
			zones with DLV records where named is the master
			server for the zone.  Also any zones that contain
			DLV records should be removed when upgrading a slave
			zone.  You do not however have to upgrade all
			servers for a zone with DLV records simultaneously.

1984.	[func]		dig, nslookup and host now advertise a 4096 byte
			EDNS UDP buffer size by default. [RT #15855]

1983.	[func]		Two new update policies.  "selfsub" and "selfwild".
			[RT #12895]

1982.	[bug]		DNSKEY was being accepted on the parent side of
			a delegation.  KEY is still accepted there for
			RFC 3007 validated updates. [RT #15620]

1981.	[bug]		win32: condition.c:wait() could fail to reattain
			the mutex lock.

1980.	[func]		dnssec-signzone: output the SOA record as the
			first record in the signed zone. [RT #15758]

1979.	[port]		linux: allow named to drop core after changing
			user ids. [RT #15753]

1978.	[port]		Handle systems which have a broken recvmsg().
			[RT #15742]

1977.	[bug]		Silence noisy log message. [RT #15704]

1976.	[bug]		Handle systems with no IPv4 addresses. [RT #15695]

1975.	[bug]		libbind: isc_gethexstring() could misparse multi-line
			hex strings with comments. [RT #15814]

1974.	[doc]		List each of the zone types and associated zone
			options separately in the ARM.

1973.	[func]		TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
			HMACSHA512 support. [RT #13606]

1972.	[contrib]	DBUS dynamic forwarders integration from
			Jason Vas Dias <jvdias at redhat.com>.

1971.	[port]		linux: make detection of missing IF_NAMESIZE more
			robust. [RT #15443]

1970.	[bug]		nsupdate: adjust UDP timeout when falling back to
			unsigned SOA query. [RT #15775]

1969.	[bug]		win32: the socket code was freeing the socket
			structure too early. [RT #15776]

1968.	[bug]		Missing lock in resolver.c:validated(). [RT #15739]

1967.	[func]		dig/nslookup/host: warn about missing "QR". [RT #15779]

1966.	[bug]		Don't set CD when we have fallen back to plain DNS.
			[RT #15727]

1965.	[func]		Suppress spurious "recursion requested but not
			available" warning with 'dig +qr'. [RT #15780].

1964.	[func]		Separate out MX and SRV to CNAME checks. [RT #15723]

1963.	[port]		Tru64 4.0E doesn't support send() and recv(). 
			[RT #15586]

1962.	[bug]		Named failed to clear old update-policy when it
			was removed. [RT #15491]

1961.	[bug]		Check the port and address of responses forwarded
			to dispatch. [RT #15474]

1960.	[bug]		Update code should set NSEC ttls from SOA MINIMUM.
			[RT #15465]

1959.	[func]		Control the zeroing of the negative response TTL to
			a soa query.  Defaults "zero-no-soa-ttl yes;" and
			"zero-no-soa-ttl-cache no;". [RT #15460]

1958.	[bug]		Named failed to update the zone's secure state
			until the zone was reloaded. [RT #15412]

1957.	[bug]		Dig mishandled responses to class ANY queries.
			[RT #15402]

1956.	[bug]		Improve cross compile support, 'gen' is now built
			by native compiler.  See README for additional
			cross compile support information. [RT #15148]

1955.	[bug]		Pre-allocate the cache cleaning iterator. [RT #14998]

1954.	[func]		Named now falls back to advertising EDNS with a
			512 byte receive buffer if the initial EDNS queries
			fail.  [RT #14852]

1953.	[func]		The maximum EDNS UDP response named will send can
			now be set in named.conf (max-udp-size).  This is
			independent of the advertised receive buffer
			(edns-udp-size). [RT #14852]

1952.	[port]		hpux: tell the linker to build a runtime link
			path "-Wl,+b:". [RT #14816].

1951.	[security]	Drop queries from particular well known ports.
			Don't return FORMERR to queries from particular
			well known ports.  [RT #15636]
			
1950.	[port]		Solaris 2.5.1 and earlier cannot bind() then connect()
			a TCP socket. This prevents the source address being
			set for TCP connections. [RT #15628]

1949.	[func]		Additional memory leakage checks. [RT #15544]

1948.	[bug]		It was possible to trigger a REQUIRE failure in
			xfrin.c:maybe_free() if named ran out of memory.
			[RT #15568]

1947.	[func]		It is now possible to configure named to accept
			expired RRSIGs.  Default "dnssec-accept-expired no;".
			Setting "dnssec-accept-expired yes;" leaves named
			vulnerable to replay attacks.  [RT #14685]

1946.	[bug]		resume_dslookup() could trigger a REQUIRE failure
			when using forwarders. [RT #15549]

1945.	[cleanup]	dnssec-keygen: RSA (RSAMD5) is no longer recommended.
			To generate a RSAMD5 key you must explicitly request
			RSAMD5. [RT #13780]
			
1944.	[cleanup]	isc_hash_create() does not need a read/write lock.
			[RT #15522]

1943.	[bug]		Set the loadtime after rolling forward the journal.
			[RT #15647]

1597.	[func]		Allow notify-source and query-source to be specified
			on a per server basis similar to transfer-source.
			[RT #6496]

	--- 9.4.0a3 released ---

1942.	[bug]		If the name of a DNSKEY matches that of one in
			trusted-keys do not attempt to validate the DNSKEY
			using the parent's DS RRset. [RT #15649]

1941.	[bug]		ncache_adderesult() should set eresult even if no
			rdataset is passed to it. [RT #15642]

1940.	[bug]		Fixed a number of error conditions reported by
			Coverity.

1939.	[bug]		The resolver could dereference a null pointer after
			validation if all the queries have timed out.
			[RT #15528]

1938.	[bug]		The validator was not correctly handling unsecure
			negative responses at or below a SEP. [RT #15528]

1937.	[bug]		sdlz doesn't handle RRSIG records. [RT #15564]

1936.	[bug]		The validator could leak memory. [RT #15544]

1935.	[bug]		'acache' was DO sensitive. [RT #15430]

1934.	[func]		Validate pending NS RRsets, in the authority section,
			prior to returning them if it can be done without
			requiring DNSKEYs to be fetched.  [RT #15430]

1919.	[contrib]	queryperf: a set of new features: collecting/printing
			response delays, printing intermediate results, and
			adjusting query rate for the "target" qps.

	--- 9.4.0a2 released ---

1933.	[bug]		dump_rdataset_raw() had an incorrect INSIST. [RT #15534]

1932.	[bug]		hpux: LDFLAGS was getting corrupted. [RT #15530]

1931.	[bug]		Per-client mctx could require a huge amount of memory,
			particularly for a busy caching server. [RT #15519]

1930.	[port]		HPUX: ia64 support. [RT #15473]

1929.	[port]		FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.

1928.	[bug]		Race in rbtdb.c:currentversion(). [RT #15517]

1927.	[bug]		Access to soanode or nsnode in rbtdb violated the
			lock order rule and could cause a dead lock.
			[RT# 15518]

1926.	[bug]		The Windows installer did not check for empty
			passwords.  BINDinstall was being installed in
			the wrong place. [RT #15483]

1925.	[port]		All outer level AC_TRY_RUNs need cross compiling
			defaults. [RT #15469]

1924.	[port]		libbind: hpux ia64 support. [RT #15473]

1923.	[bug]		ns_client_detach() called too early. [RT #15499]

1922.	[bug]		check-tool.c:setup_logging() missing call to
			dns_log_setcontext().

1921.	[bug]		Client memory contexts were not using internal
			malloc. [RT# 15434]

1920.	[bug]		The cache rbtdb lock array was too small to
			have the desired performance characteristics.
			[RT #15454]

	--- 9.4.0a1 released ---


