BIND 9.5.3rc1 is now available.

Mark Andrews marka at isc.org
Tue Oct 5 23:48:24 UTC 2010


		BIND 9.5.3rc1 is now available.

	BIND 9.5.3rc1 is a beta version of the maintenance release
	for BIND 9.5.  BIND 9.5.3 is intended to be the last
	maintenance release for BIND 9.5.

BIND 9.5.3rc1 can be downloaded from

        ftp://ftp.isc.org/isc/bind9/9.5.3rc1/bind-9.5.3rc1.tar.gz
        http://ftp.isc.org/isc/bind9/9.5.3rc1/bind-9.5.3rc1.tar.gz

The PGP signature of the distribution is at

        ftp://ftp.isc.org/isc/bind9/9.5.3rc1/bind-9.5.3rc1.tar.gz.asc
        ftp://ftp.isc.org/isc/bind9/9.5.3rc1/bind-9.5.3rc1.tar.gz.sha256.asc
        ftp://ftp.isc.org/isc/bind9/9.5.3rc1/bind-9.5.3rc1.tar.gz.sha512.asc

        http://ftp.isc.org/isc/bind9/9.5.3rc1/bind-9.5.3rc1.tar.gz.asc
        http://ftp.isc.org/isc/bind9/9.5.3rc1/bind-9.5.3rc1.tar.gz.sha256.asc
        http://ftp.isc.org/isc/bind9/9.5.3rc1/bind-9.5.3rc1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at <https://www.isc.org/about/openpgp>.

A binary kit for Windows XP and Window 2003 is at

	ftp://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.zip
	http://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.zip

	ftp://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.debug.zip
	http://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.debug.zip

The PGP signature of the binary kit for Windows XP and Window 2003 is at
        
	ftp://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.zip.asc
	ftp://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.zip.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.zip.sha512.asc

	http://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.zip.asc
	http://ftp.isc.org/isc/bind9/9.7.2rc1/BIND9.5.3rc1.zip.sha256.asc
	http://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.zip.sha512.asc

	ftp://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.debug.zip.asc
	ftp://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.debug.zip.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.debug.zip.sha512.asc

	http://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.debug.zip.asc
	http://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.debug.zip.sha256.asc
	http://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.debug.zip.sha512.asc

Changes since 9.5.0.

	--- 9.5.3rc1 released ---

2946.	[doc]		Document the default values for the minimum and maximum
			zone refresh and retry values in the ARM. [RT #21886]

2945.	[doc]		Update empty-zones list in ARM. [RT #21772]

2944.	[maint]		Remove ORCHID prefix from built in empty zones.
			[RT #21772]

2937.	[bug]		Worked around an apparent race condition in over
			memory conditions.  Without this fix a DNS cache DB or
			ADB could incorrectly stay in an over memory state,
			effectively refusing further caching, which
			subsequently made a BIND 9 caching server unworkable.
			This fix prevents this problem from happening by
			polling the state of the memory context, rather than
			making a copy of the state, which appeared to cause
			a race.  This is a "workaround" in that it doesn't
			solve the possible race per se, but several experiments
			proved this change solves the symptom.  Also, the
			polling overhead hasn't been reported to be an issue.
			This bug should only affect a caching server that
			specifies a finite max-cache-size.  It's also quite
			likely that the bug happens only when enabling threads,
			but it's not confirmed yet. [RT #21818]

	--- 9.5.3b1 released ---

2929.	[bug]		Improved handling of GSS security contexts: 
			 - added LRU expiration for generated TSIGs
			 - added the ability to use a non-default realm
                         - added new "realm" keyword in nsupdate
			 - limited lifetime of generated keys to 1 hour
			   or the lifetime of the context (whichever is
			   smaller)
			[RT #19737]

2925.	[bug]		Named failed to accept uncachable negative responses
			from insecure zones. [RT# 21555]

2923.	[bug]		'dig +trace' could drop core after "connection
			timeout". [RT #21514]

2921.	[bug]		The resolver could attempt to destroy a fetch context
			too soon.  [RT #19878]

2918.	[maint]		Add AAAA address for I.ROOT-SERVERS.NET.

2916.	[func]		Add framework to use IPv6 in tests.
			fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7

2915.	[cleanup]	Be smarter about which objects we attempt to compile
			based on configure options. [RT #21444]

2912.	[func]		Windows clients don't like UPDATE responses that clear
			the zone section. [RT #20986]

2911.	[bug]		dnssec-signzone didn't handle out of zone records well.
			[RT #21367]

2910.	[func]		Sanity check Kerberos credentials. [RT #20986]

2905.	[port]		aix: set use_atomic=yes with native compiler.
			[RT #21402]

2904.   [bug]           When using DLV, sub-zones of the zones in the DLV,
			could be incorrectly marked as insecure instead of
			secure leading to negative proofs failing.  This was
			a unintended outcome from change 2890. [RT# 21392]

2901.	[port]		Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]

2900.	[bug]		The placeholder negative caching element was not
			properly constructed triggering a INSIST in 
			dns_ncache_towire(). [RT #21346]
			
2899.	[port]		win32: Support linking against OpenSSL 1.0.0.

2898.	[bug]		nslookup leaked memory when -domain=value was 
			specified. [RT #21301]

2894.	[contrib]	DLZ LDAP support now use '$' not '%'. [RT #21294]

2891.	[maint]		Update empty-zones list to match
			draft-ietf-dnsop-default-local-zones-13. [RT# 21099]

2890.	[bug]		Handle the introduction of new trusted-keys and
			DS, DLV RRsets better. [RT #21097]

2889.	[bug]		Elements of the grammar where not properly reported.
			[RT #21046]

2888.	[bug]		Only the first EDNS option was displayed. [RT #21273]

2885.	[bug]		Improve -fno-strict-aliasing support probing in
			configure. [RT #21080]

2884.	[bug]		Insufficient valadation in dns_name_getlabelsequence().
			[RT #21283]

2883.	[bug]		'dig +short' failed to handle really large datasets.
			[RT #21113]

2882.	[bug]		Remove memory context from list of active contexts
			before clearing 'magic'. [RT #21274]

2881.	[bug]		Reduce the amount of time the rbtdb write lock
			is held when closing a version. [RT #21198]

2879.	[contrib]	DLZ bdbhpt driver fails to close correct cursor.
			[RT #21106]

2877.	[bug]		The validator failed to skip obviously mismatching
			RRSIGs. [RT #21138]

2876.	[bug]		Named could return SERVFAIL for negative responses
			from unsigned zones. [RT #21131]

2875.	[bug]		dns_time64_fromtext() could accept non digits.
			[RT #21033]

2874.	[bug]		Cache lack of EDNS support only after the server
			successfully responds to the query using plain DNS.
			[RT #20930]

2870.	[maint]		Add AAAA address for L.ROOT-SERVERS.NET.

2869.	[bug]		Fix arguments to dns_keytable_findnextkeynode() call.
			[RT #20877]

2868.	[cleanup]	Run "make clean" at the end of configure to ensure
			any changes made by configure are integrated.
			Use --with-make-clean=no to disable.  [RT #20994]

2867.	[bug]		Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
			don't like it.  [RT #20986]

2866.	[bug]		Windows does not like the TSIG name being compressed.
			[RT #20986]

2865.	[bug]		memset to zero event.data.  [RT #20986]

2863.	[port]		linux: disable IPv6 PMTUD and use network minimum MTU.
			[RT #21056]

2862.	[bug]		nsupdate didn't default to the parent zone when
			updating DS records. [RT #20896]

2859.	[bug]		When cancelling validation it was possible to leak
			memory. [RT #20800]

2858.	[bug]		RTT estimates were not being adjusted on ICMP errors.
			[RT #20772]

2857.	[bug]		named-checkconf did not fail on a bad trusted key.
			[RT #20705]

2856.	[bug]		The size of a memory allocation was not always properly
			recorded. [RT #20927]

2853.	[bug]		add_sigs() could run out of scratch space. [RT #21015]

2852.	[bug]		Handle broken DNSSEC trust chains better. [RT #15619]

2851.	[doc]		nslookup.1, removed <informalexample> from the docbook
			source as it produced bad nroff.  [RT #21007]

2850.	[bug]		If isc_heap_insert() failed due to memory shortage
			the heap would have corrupted entries. [RT #20951]

2849.	[bug]		Don't treat errors from the xml2 library as fatal.
			[RT #20945]

2846.	[bug]		EOF on unix domain sockets was not being handled
			correctly. [RT #20731]

2844.	[doc]		notify-delay default in ARM was wrong.  It should have
			been five (5) seconds.

2837.	[port]		Prevent Linux spurious warnings about fwrite().
			[RT #20812]

2831.	[security]	Do not attempt to validate or cache
			out-of-bailiwick data returned with a secure
			answer; it must be re-fetched from its original
			source and validated in that context. [RT #20819]

2828.	[security]	Cached CNAME or DNAME RR could be returned to clients
			without DNSSEC validation. [RT #20737]

2827.	[security]	Bogus NXDOMAIN could be cached as if valid. [RT #20712]

2819.	[cleanup]	Removed unnecessary DNS_POINTER_MAXHOPS define
			[RT #20771]

2818.	[cleanup]	rndc could return an incorrect error code 
			when a zone was not found. [RT #20767]

2815.	[bug]		Exclusively lock the task when freezing a zone.
			[RT #19838]

2814.	[func]		Provide a definitive error message when a master
			zone is not loaded. [RT #20757]
 
2797.	[bug]		Don't decrement the dispatch manager's maxbuffers.
			[RT #20613]

2790.	[bug]		Handle DS queries to stub zones. [RT #20440]

2786.	[bug]		Additional could be promoted to answer. [RT #20663]

2784.	[bug]		TC was not always being set when required glue was
			dropped. [RT #20655]

2783.	[func]		Return minimal responses to EDNS/UDP queries with a UDP
			buffer size of 512 or less.  [RT #20654]

2782.	[port]		win32: use getaddrinfo() for hostname lookups.
			[RT #20650]

2777.	[contrib]	DLZ MYSQL auto reconnect support discovery was wrong.

2772.	[security]	When validating, track whether pending data was from
			the additional section or not and only return it if
			validates as secure. [RT #20438]

2765.	[bug]		Skip masters for which the TSIG key cannot be found.
			[RT #20595]

2760.	[cleanup]	Corrected named-compilezone usage summary. [RT #20533]

2759.	[doc]		Add information about .jbk/.jnw files to 
			the ARM. [RT #20303]

2758.	[bug]		win32: Added a workaround for a windows 2008 bug
			that could cause the UDP client handler to shut
			down. [RT #19176]

2757.	[bug]		dig: assertion failure could occur in connect
			timeout. [RT #20599]

2755.	[doc]		Clarify documentation of keyset- files in
			dnssec-signzone man page. [RT #19810]

2750.	[bug]		dig: assertion failure could occur when a server
			didn't have an address. [RT #20579]

2729.	[func]		When constructing a CNAME from a DNAME use the DNAME
			TTL. [RT #20451]

2723.	[bug]		isc_base64_totext() didn't always mark regions of
			memory as fully consumed after conversion.  [RT #20445]

2722.	[bug]		Ensure that the memory associated with the name of
			a node in a rbt tree is not altered during the life
			of the node. [RT #20431]

2721.	[port]		Have dst__entropy_status() prime the random number
			generator. [RT #20369]

2718.	[bug]		The space calculations in opensslrsa_todns() were
			incorrect. [RT #20394]

2716.	[bug]		nslookup debug mode didn't return the ttl. [RT #20414]

2715.	[bug]		Require OpenSSL support to be explicitly disabled.
			[RT #20288]

2714.	[port]		aix/powerpc: 'asm("ics");' needs non standard assembler
			flags.

2713.	[bug]		powerpc: atomic operations missing asm("ics") /
			__isync() calls.

2705.	[bug]		Reconcile the XML stats version number with a later
                        BIND9 release, by adding a "name" attribute to
                        "cache" elements and increasing the version number
                        to 2.2.  (This is a minor version change, but may
                        affect XML parsers if they assume the cache element
                        doesn't take an attribute.)

2704.	[bug]		Serial of dynamic and stub zones could be inconsistent
			with their SOA serial.  [RT #19387]

2701.	[doc]		Correction to ARM: hmac-md5 is no longer the only
			supported TSIG key algorithm. [RT #18046]

2700.	[doc]		The match-mapped-addresses option is discouraged.
			[RT #12252]

2698.   [cleanup]       configure --enable-libbind is deprecated. [RT #20090]

2697.	[port]		win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
			S_IFREG are defined after including <isc/stat.h>.
			[RT #20309]

2696.	[bug]		named failed to successfully process some valid
			acl constructs. [RT #20308]

2692.	[port]		win32: 32/64 bit cleanups. [RT #20335]

2690.	[bug]		win32: fix isc_thread_key_getspecific() prototype.
			[RT #20315]

2689.	[bug]		Correctly handle snprintf result. [RT #20306]

2688.	[bug]		Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
			to decide to fetch the destination address. [RT #20305]

2659.	[doc]		Clarify dnssec-keygen doc: key name must match zone
			name for DNSSEC keys. [RT #19938]

2601.	[doc]		Mention file creation mode mask in the
			named manual page.

2533.	[doc]		ARM: document @ (at-sign). [RT #17144]

	--- 9.5.2 released ---

2681.	[bug]		IPSECKEY RR of gateway type 3 was not correctly
			decoded. [RT #20269]

2678.	[func]		Treat DS queries as if "minimal-response yes;"
			was set. [RT #20258]

2427.	[func]		Treat DNSKEY queries as if "minimal-response yes;"
			was set. [RT #18528]

	--- 9.5.2rc1 released ---

2672.	[bug]		Don't enable searching in 'host' when doing reverse
			lookups. [RT #20218]

2670.	[bug]		Unexpected connect failures failed to log enough
			information to be useful. [RT #20205]

2663.	[func]		win32:  allow named to run as a service using
			"NT AUTHORITY\LocalService" as the account. [RT #19977]

2656.	[func]		win32: add a "tools only" check box to the installer
			which causes it to only install dig, host, nslookup,
			nsupdate and relevent dlls.  [RT #19998]

2655.	[doc]		Document that key-directory does not affect
			rndc.key.  [RT #20155]

	--- 9.5.2b1 released ---

2649.	[bug]		Set the domain for forward only zones. [RT #19944]

2648.	[port]		win32: isc_time_seconds() was broken. [RT #19900]

2646.	[bug]		Incorrect cleanup on error in socket.c. [RT #19987]

2645.	[port]		"gcc -m32" didn't work on amd64 and x86_64 platforms
			which default to 64 bits. [RT #19927]

2642.	[bug]		nsupdate could dump core on solaris when reading
			improperly formatted key files.  [RT #20015]

2640.	[security]	A specially crafted update packet will cause named
			to exit. [RT #20000]

2637.	[func]		Rationalize dnssec-signzone's signwithkey() calling.
			[RT #19959]

2635.	[bug]		isc_inet_ntop() incorrectly handled 0.0/16 addresses.
			[RT #19716]

2633.	[bug]		Handle 15 bit rand() functions. [RT #19783]

2632.	[func]		util/kit.sh: warn if documentation appears to be out of
			date.  [RT #19922]

2623.	[bug]		Named started seaches for DS non-optimally. [RT #19915]

2621.	[doc]		Made copyright boilterplate consistent.  [RT #19833]

2920.	[bug]		Delay thawing the zone until the reload of it has
			completed successfully.  [RT #19750]

2618.	[bug]		The sdb and sdlz db_interator_seek() methods could
			loop infinitely. [RT #19847]

2617.	[bug]		ifconfig.sh failed to emit an error message when
			run from the wrong location. [RT #19375]

2616.	[bug]		'host' used the nameservers from resolv.conf even
			when a explicit nameserver was specified. [RT #19852]

2615.	[bug]		"__attribute__((unused))" was in the wrong place
			for ia64 gcc builds. [RT #19854]

2614.	[port]		win32: 'named -v' should automatically be executed
			in the foreground. [RT #19844]

2610.	[port]		sunos: Change #2363 was not complete. [RT #19796]

2606.	[bug]		"delegation-only" was not being accepted in
			delegation-only type zones. [RT #19717]

2605.	[bug]		Accept DS responses from delegation only zones.
			[RT # 19296]

2603.	[port]		win32: handle .exe extension of named-checkzone and
			named-comilezone argv[0] names under windows.
			[RT #19767]

2602.	[port]		win32: fix debugging command line build of libisccfg.
			[RT #19767]

2599.	[bug]		Address rapid memory growth when validation fails.
			[RT #19654]

2596.	[bug]		Stale tree nodes of cache/dynamic rbtdb could stay
			long, leading to inefficient memory usage or rejecting
			newer cache entries in the worst case. [RT #19563]

2595.	[bug]		Fix unknown extended rcodes in dig. [RT #19625]

2592.	[bug]		Treat "any" as a type in nsupdate. [RT #19455]

2591.	[bug]		named could die when processing a update in
			removed_orphaned_ds(). [RT #19507]

2589.	[bug]		dns_db_unregister() failed to clear '*dbimp'.
			[RT #19626]

2586.	[bug]		Missing cleanup of SIG rdataset in searching a DLZ DB
			or SDB. [RT #19577]

2585.	[bug]		Uninitialized socket name could be referenced via a
			statistics channel, triggering an assertion failure in
			XML rendering. [RT #19427]

2584.	[bug]		alpha: gcc optimization could break atomic operations.
			[RT #19227]

2583.	[port]		netbsd: provide a control to not add the compile
			date to the version string, -DNO_VERSION_DATE.

2582.	[bug]		Don't emit warning log message when we attempt to
			remove non-existent journal. [RT #19516]

2581.	[contrib]	dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
			Requires MySQL 5.0.19 or later. [RT #19084]

2580.	[bug]		UpdateRej statistics counter could be incremented twice
			for one rejection. [RT #19476]

2579.	[bug]		DNSSEC lookaside validation failed to handle unknown
			algorithms. [RT #19479]

2577.	[doc]		Clarified some statistics counters. [RT #19454]

2573.	[bug]		Replacing a non-CNAME record with a CNAME record in a
			single transaction in a signed zone failed. [RT #19397]

2568.	[bug]		Report when the write to indicate a otherwise
			successful start fails. [RT #19360]

2567.	[bug]		dst__privstruct_writefile() could miss write errors.
			write_public_key() could miss write errors.
			[RT #19360]

2564.	[bug]		Only take EDNS fallback steps when processing timeouts.
			[RT #19405]

2563.	[bug]		Dig could leak a socket causing it to wait forever
			to exit. [RT #19359]

2562.	[doc]		ARM: miscellaneous improvements, reorganization,
			and some new content.

2561.	[doc]		Add isc-config.sh(1) man page. [RT #16378]

2560.	[bug]		Add #include <config.h> to iptable.c. [RT #18258]

2557.	[cleanup]	PCI compliance:
			* new libisc log module file
			* isc_dir_chroot() now also changes the working
			  directory to "/".
			* additional INSISTs
			* additional logging when files can't be removed.

2553.	[bug]		Reference leak on DNSSEC validation errors. [RT #19291]

2552.	[bug]		zero-no-soa-ttl-cache was not being honoured.
			[RT #19340]

2551.	[bug]		Potential Reference leak on return. [RT #19341]

2550.	[bug]		Check --with-openssl=<path> finds <openssl/opensslv.h>.
			[RT #19343]

2549.	[port]		linux: define NR_OPEN if not currently defined.
			[RT #19344]

2547.	[bug]		openssl_link.c:mem_realloc() could reference an
			out-of-range area of the source buffer.  New public
			function isc_mem_reallocate() was introduced to address
			this bug. [RT #19313]

2545.	[doc]		ARM: Legal hostname checking (check-names) is
			for SRV RDATA too. [RT #19304]

2544.	[cleanup]	Removed unused structure members in adb.c. [RT #19225]

2542.	[doc]		Update the description of dig +adflag. [RT #19290]

2541.	[bug]		Conditionally update dispatch manager statistics.
			[RT #19247]

2539.	[security]	Update the interaction between recursion, allow-query,
			allow-query-cache and allow-recursion.  [RT #19198]

2538.	[bug]		cache/ADB memory could grow over max-cache-size,
			especially with threads and smaller max-cache-size
			values. [RT #19240]

2537.	[experimental]	Added more statistics counters including those on socket
			I/O events and query RTT histograms. [RT #18802]

2536.	[cleanup]	Silence some warnings when -Werror=format-security is
			specified. [RT #19083]

2535.	[bug]		dig +showsearch and +trace interacted badly. [RT #19091]

2532.	[bug]		dig: check the question section of the response to
			see if it matches the asked question. [RT #18495]

2531.	[bug]		Change #2207 was incomplete. [RT #19098]

2529.	[cleanup]	Upgrade libtool to silence complaints from recent
			version of autoconf. [RT #18657]

2528.   [cleanup]	Silence spurious configure warning about
			--datarootdir [RT #19096]

2527.	[bug]		named could reuse cache on reload with
			enabling/disabling validation. [RT #19119]

2525.	[experimental]	New logging category "query-errors" to provide detailed
			internal information about query failures, especially
			about server failures. [RT #19027]

2523.	[bug]		Random type rdata freed by dns_nsec_typepresent().
			[RT #19112]

2522.	[security]	Handle -1 from DSA_do_verify().

2521.	[bug]		Improve epoll cross compilation support. [RT #19047]

2519.	[bug]		dig/host with -4 or -6 didn't work if more than two
			nameserver addresses of the excluded address family
			preceded in resolv.conf. [RT #19081]

2517.	[bug]		dig +trace with -4 or -6 failed when it chose a
			nameserver address of the excluded address type.
			[RT #18843]

2516.	[bug]		glue sort for responses was performed even when not
			needed. [RT #19039]

2514.	[bug]		dig/host failed with -4 or -6 when resolv.conf contains
			a nameserver of the excluded address family.
			[RT #18848]

2511.	[cleanup]	dns_rdata_tofmttext() add const to linebreak.
			[RT #18885]

2506.	[port]		solaris: Check at configure time if
			hack_shutup_pthreadonceinit is needed. [RT #19037]

2505.	[port]		Treat amd64 similarly to x86_64 when determining
			atomic operation support. [RT #19031]

2503.	[port]		linux: improve compatibility with Linux Standard
			Base. [RT #18793]

2502.	[cleanup]	isc_radix: Improve compliance with coding style,
			document function in <isc/radix.h>. [RT #18534]

2500.	[contrib]	contrib/sdb/pgsql/zonetodb.c called non-existent
			function. [RT #18582]

2499.	[port]		solaris: lib/lwres/getaddrinfo.c namespace clash.
			[RT #18837]

	--- 9.5.1 released ---

2520.	[bug]		Update xml statistics version number to 2.0 as change
			#2388 made the schema incompatible to the previous
			version. [RT #19080]

	--- 9.5.1rc2 released ---

2513	[bug]		Fix windows cli build. [RT #19062]

2510.	[bug]		"dig +sigchase" could trigger REQUIRE failures.
			[RT #19033]

2509.	[bug]		Specifying a fixed query source port was broken.
			[RT #19051]

2504.	[bug]		Address race condition in the socket code. [RT #18899]

	--- 9.5.1rc1 released ---

2498.	[bug]		Removed a bogus function argument used with
			ISC_SOCKET_USE_POLLWATCH: it could cause compiler
			warning or crash named with the debug 1 level
			of logging. [RT #18917]

2496.	[bug]		Add sanity length checks to NSID option. [RT #18813]

2495.	[bug]		Tighten RRSIG checks. [RT #18795]

2494.	[bug]		isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
			installed. [RT #18826]

2493.	[bug]		The linux capabilites code was not correctly cleaning
			up after itself. [RT #18767]

2490.	[port]		aix: work around a kernel bug where IPV6_RECVPKTINFO
			is cleared when IPV6_V6ONLY is set. [RT #18785]

2489.	[port]		solaris: Workaround Solaris's kernel bug about
			/dev/poll:
			http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
			Define ISC_SOCKET_USE_POLLWATCH at build time to enable
			this workaround. [RT #18870]

2487.	[bug]		Give TCP connections longer to complete. [RT #18675]

2485.	[bug]		Change update's the handling of obscured RRSIG
			records.  Not all orphand DS records were being
			removed. [RT #18828]

2482.	[port]		libxml2: support versions 2.7.* in addition
			to 2.6.*. [RT #18806]

2479.	[bug]		xfrout:covers was not properly initalized. [RT #18801]

2478.	[bug]		'addresses' could be used uninitalized in
			configure_forward(). [RT #18800]

2476.	[doc]		ARM: improve documentation for max-journal-size and
			ixfr-from-differences. [RT #15909] [RT #18541]

	--- 9.5.1b3 released ---

2475.	[bug]		LRU cache cleanup under overmem condition could purge
			particular entries more aggressively. [RT #17628]

2474.	[bug]		ACL structures could be allocated with insufficient
			space, causing an array overrun. [RT #18765]

2473.	[port]		linux: raise the limit on open files to the possible
			maximum value before spawning threads; 'files'
			specified in named.conf doesn't seem to work with
			threads as expected. [RT #18784]

2472.	[port]		linux: check the number of available cpu's before
			calling chroot as it depends on "/proc". [RT #16923]

2471.	[bug]		named-checkzone was not reporting missing mandatory
			glue when sibling checks were disabled. [RT #18768]

2470.	[bug]		Elements of the isc_radix_node_t could be incorrectly
			overwritten.  [RT# 18719]

2469.	[port]		solaris: Work around Solaris's select() limitations.
			[RT #18769]

2468.	[bug]		Resolver could try unreachable servers multiple times.
			[RT #18739]

2467.	[bug]		Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]

2466.	[doc]		ARM: explain max-cache-ttl 0 SERVFAIL issue.
			[RT #18302]

2465.	[bug]		Adb's handling of lame addresses was different
			for IPv4 and IPv6. [RT #18738]

2464.	[port]		linux: check that a capability is present before
			trying to set it. [RT #18135]

2463.	[port]		linux: POSIX doesn't include the IPv6 Advanced Socket
			API and glibc hides parts of the IPv6 Advanced Socket
			API as a result.  This is stupid as it breaks how the
			two halves (Basic and Advanced) of the IPv6 Socket API
			were designed to be used but we have to live with it.
			Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
			API. [RT #18388]

2462.	[doc]		Document -m (enable memory usage debugging)
			option for dig. [RT #18757]

2461.	[port]		sunos: Change #2363 was not complete. [RT #17513]

2458.	[doc]		ARM: update and correction for max-cache-size.
			[RT #18294]

2457.	[tuning]	max-cache-size is reverted to 0, the previous
			default.  It should be safe because expired cache
			entries are also purged. [RT #18684]

2456.	[bug]		In ACLs, ::/0 and 0.0.0.0/0 would both match any
			address, regardless of family.  They now correctly
			distinguish IPv4 from IPv6.  [RT #18559]

2455.	[bug]		Stop metadata being transferred via axfr/ixfr.
			[RT #18639]

2453.	[bug]		Remove NULL pointer dereference in dns_journal_print().
			[RT #18316]

2451.	[port]		solaris: handle runtime linking better. [RT #18356]

2449.	[bug]		libbind: Out of bounds reference in dns_ho.c:addrsort.
			[RT #18044]

2445.	[doc]		ARM out-of-date on empty reverse zones (list includes
			RFC1918 address, but these are not yet compiled in).
			[RT #18578]

2444.	[port]		Linux, FreeBSD, AIX: Turn off path mtu discovery
			(clear DF) for UDP responses and requests.

2387.	[bug]		Silence compiler warnings in lib/isc/radix.c.
			[RT #18147] [RT #18258]

2369.	[bug]		libbind: Array bounds overrun on read in bitncmp().
			[RT #18054]

	--- 9.5.1b2 released ---

2443.	[bug]		win32: UDP connect() would not generate an event,
			and so connected UDP sockets would never clean up.
			Fix this by doing an immediate WSAConnect() rather
			than an io completion port type for UDP.

2442.	[bug]		A lock could be destroyed twice. [RT# 18626]

2441.	[bug]		isc_radix_insert() could copy radix tree nodes
			incompletely. [RT #18573]

2440.   [bug]		named-checkconf used an incorrect test to determine
			if an ACL was set to none.

2439.   [bug]           Potential NULL dereference in dns_acl_isanyornone().
                        [RT #18559]

2438.	[bug]		Timeouts could be logged incorrectly under win32.
			[RT #18617]

2437.	[bug]		Sockets could be closed too early, leading to
			inconsistent states in the socket module. [RT #18298]

2436.	[security]	win32: UDP client handler can be shutdown. [RT #18576]

2435.	[bug]		Fixed an ACL memory leak affecting win32.

2434.	[bug]		Fixed a minor error-reporting bug in
			lib/isc/win32/socket.c.

2433.	[tuning]	Set initial timeout to 800ms.

2432.	[bug]		More Windows socket handling improvements.  Stop
			using I/O events and use IO Completion Ports
			throughout.  Rewrite the receive path logic to make
			it easier to support multiple simultaneous
			requesters in the future.  Add stricter consistency
			checking as a compile-time option (define
			ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).

2431.	[bug]		Acl processing could leak memory. [RT #18323]

2430.	[bug]		win32: isc_interval_set() could round down to
			zero if the input was less than NS_INTERVAL
			nanoseconds.  Round up instead. [RT #18549]

2429.	[doc]		nsupdate should be in section 1 of the man pages.
			[RT #18283]

2428.	[bug]		dns_iptable_merge() mishandled merges of negative
			tables. [RT #18409]

2426.	[bug]		libbind: inet_net_pton() can sometimes return the
			wrong value if excessively large net masks are
			supplied. [RT #18512]

2425.	[bug]		named didn't detect unavailable query source addresses
			at load time. [RT #18536]

2424.	[port]		configure now probes for a working epoll
			implementation.  Allow the use of kqueue,
			epoll and /dev/poll to be selected at compile
			time. [RT #18277]

2422.	[bug]		Handle the special return value of a empty node as
			if it was a NXRRSET in the validator. [RT #18447]

2421.	[func]		Add new command line option '-S' for named to specify
			the max number of sockets. [RT #18493]
			Use caution: this option may not work for some
			operating systems without rebuilding named.

2420.	[bug]		Windows socket handling cleanup.  Let the io
			completion event send out cancelled read/write
			done events, which keeps us from writing to memory
			we no longer have ownership of.  Add debugging
			socket_log() function.  Rework TCP socket handling
			to not leak sockets.

2419.	[cleanup]	Document that isc_socket_create() and isc_socket_open()
			should not be used for isc_sockettype_fdwatch sockets.
			[RT #18521]

2418.	[bug]		AXFR request on a DLZ could trigger a REQUIRE failure
			[RT #18430]

2417.	[bug]		Connecting UDP sockets for outgoing queries could
			unexpectedly fail with an 'address already in use'
			error. [RT #18411]

2416.	[func]		Log file descriptors that cause exceeding the
			internal maximum. [RT #18460]

2415.	[bug]		'rndc dumpdb' could trigger various assertion failures
			in rbtdb.c. [RT #18455]

2414.	[bug]		A masterdump context held the database lock too long,
			causing various troubles such as dead lock and
			recursive lock acquisition. [RT #18311, #18456]

2413.	[bug]		Fixed an unreachable code path in socket.c. [RT #18442]

2412.	[bug]		win32: address a resourse leak. [RT #18374]

2411.	[bug]		Allow using a larger number of sockets than FD_SETSIZE
			for select().  To enable this, set ISC_SOCKET_MAXSOCKETS
			at compilation time.  [RT #18433]

			Note: with changes #2469 and #2421 above, there is no
			need to tweak ISC_SOCKET_MAXSOCKETS at compilation time
			any more.

2410.	[bug]		Correctly delete m_versionInfo. [RT #18432]

2409.	[bug]		Only log that we disabled EDNS processing if we were
			subsequently successful.  [RT #18029]

2408.	[bug]		A duplicate TCP dispatch event could be sent, which
			could then trigger an assertion failure in
			resquery_response().  [RT #18275]

2407.	[port]		hpux: test for sys/dyntune.h. [RT #18421]

2405.	[cleanup]	The default value for dnssec-validation was changed to
			"yes" in 9.5.0-P1 and all subsequent releases; this
			was inadvertently omitted from CHANGES at the time.

2404.	[port]		hpux: files unlimited support.

2403.	[bug]		TSIG context leak. [RT #18341]

2402.	[port]		Support Solaris 2.11 and over. [RT #18362]

2401.	[bug]		Expect to get E[MN]FILE errno internal_accept()
			(from accept() or fcntl() system calls). [RT #18358]

2400.	[bug]		Log if kqueue()/epoll_create()/open(/dev/poll) fails.
			[RT #18297]

2398.	[bug]           Improve file descriptor management.  New,
			temporary, named.conf option reserved-sockets,
			default 512. [RT #18344]

2397.	[bug]		gssapi_functions bad declaration. [RT #18355]

2396.	[bug]		Don't set SO_REUSEADDR for randomized ports.
			[RT #18336]

2395.	[port]		Avoid warning and no effect from "files unlimited"
			on Linux when running as root. [RT #18335]

2394.	[bug]		Default configuration options set the limit for
			open files to 'unlimited' as described in the
			documentation. [RT #18331]

2393.	[bug]		nested acls containing keys could trigger an
			assertion in acl.c. [RT #18166]

2392.	[bug]		remove 'grep -q' from acl test script, some platforms
			don't support it. [RT #18253]

2391.	[port]		hpux: cover additional recvmsg() error codes.
			[RT #18301]

2390.	[bug]		dispatch.c could make a false warning on 'odd socket'.
			[RT #18301].

2389.	[bug]		Move the "working directory writable" check to after
			the ns_os_changeuser() call. [RT #18326]

2388.	[bug]		Avoid using tables for layout purposes in
			statistics XSL [RT #18159].

2386.	[func]		Add warning about too small 'open files' limit.
			[RT #18269]

	--- 9.5.1b1 released ---

2385.	[bug]		A condition variable in socket.c could leak in
			rare error handling [RT #17968].

2384.	[security]	Additional support for query port randomization (change
			#2375) including performance improvement and port range
			specification.  [RT #17949, #18098]

2383.	[bug]		named could double queries when they resulted in
			SERVFAIL due to overkilling EDNS0 failure detection.
			[RT #18182]

2382.	[doc]		Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
			to ARM.

2381.	[port]		dlz/mysql: support multiple install layouts for
			mysql.  <prefix>/include/{,mysql/}mysql.h and
			<prefix>/lib/{,mysql/}. [RT #18152]

2380.	[bug]		dns_view_find() was not returning NXDOMAIN/NXRRSET
			proofs which, in turn, caused validation failures
			for insecure zones immediately below a secure zone
			the server was authoritative for. [RT #18112]

2379.	[contrib]	queryperf/gen-data-queryperf.py: removed redundant
			TLDs and supported RRs with TTLs [RT #17972]

2378.	[bug]		gssapi_functions{} had a redundant member in BIND 9.5.
			[RT #18169]

2377.	[bug]		Address race condition in dnssec-signzone. [RT #18142]

2376.	[bug]		Change #2144 was not complete.

2375.	[security]	Fully randomize UDP query ports to improve
			forgery resilience. [RT #17949]

2373.	[bug]		Default values of zone ACLs were re-parsed each time a
			new zone was configured, causing an overconsumption
			of memory. [RT #18092]

	--- 9.5.0 released ---
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE:	+61 2 9871 4742		         INTERNET: marka at isc.org




More information about the bind-announce mailing list