ISC BIND 9.7.0b1 is now available
Evan Hunt
each at isc.org
Tue Oct 20 20:29:20 UTC 2009
BIND 9.7.0b1 is now available.
BIND 9.7.0b1 is the first beta release of BIND 9.7.0.
Overview:
BIND 9.7 includes a number of changes from BIND 9.6 and earlier
releases. Most are intended to simplify DNSSEC configuration
and operation.
New features include:
- Fully automatic signing of zones by "named"
- Simplified configuration of DNSSEC Lookaside Validation (DLV).
- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
command line tool or the "local" update-policy option. (As a side
effect, this also makes it easier to configure automatic zone
re-signing.)
- New named option "attach-cache" that allows multiple views to
share a single cache.
- DNS rebinding attack prevention.
- New default values for dnssec-keygen parameters.
- Support for RFC 5011 automated trust anchor maintenance
(see README.rfc5011 for additional details).
- Smart signing: simplified tools for zone signing and key
maintenance.
- The "statistics-channels" option is now available on Windows.
- A new DNSSEC-aware libdns API for use by non-BIND9 applications
(see README.libdns for details).
- On some platforms, named and other binaries can now print out
a stack backtrace on an assertion failure, to aid in debugging.
- A "tools only" installation mode on Windows, which only installs
dig, host, nslookup and nsupdate.
- Improved PKCS#11 support, including Keyper support and explicit
OpenSSL engine selection (see README.pkcs11 for additional details).
Warning: If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE,
ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined then
you should ensure that all changes that are in progress have completed
prior to upgrading to BIND 9.7. BIND 9.7 is not backwards compatible.
BIND 9.7.0b1 can be downloaded from:
ftp://ftp.isc.org/isc/bind9/9.7.0b1/bind-9.7.0b1.tar.gz
The PGP signature of the distribution is at:
ftp://ftp.isc.org/isc/bind9/9.7.0b1/bind-9.7.0b1.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.7.0b1/bind-9.7.0b1.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.7.0b1/bind-9.7.0b1.tar.gz.sha512.asc
The signature was generated with the ISC public key, which is
available at https://www.isc.org/about/openpgp
A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:
ftp://ftp.isc.org/isc/bind9/9.7.0b1/BIND9.7.0b1.zip
ftp://ftp.isc.org/isc/bind9/9.7.0b1/BIND9.7.0b1.debug.zip
The PGP signature of the binary kit is at:
ftp://ftp.isc.org/isc/bind9/9.7.0b1/BIND9.7.0b1.zip.asc
ftp://ftp.isc.org/isc/bind9/9.7.0b1/BIND9.7.0b1.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.7.0b1/BIND9.7.0b1.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.7.0b1/BIND9.7.0b1.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.7.0b1/BIND9.7.0b1.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.7.0b1/BIND9.7.0b1.debug.zip.sha512.asc
Changes since 9.6.0:
--- 9.7.0b1 released ---
2715. [bug] Require OpenSSL support to be explicitly disabled.
[RT #20288]
2714. [port] aix/powerpc: 'asm("ics");' needs non standard assembler
flags.
2713. [bug] powerpc: atomic operations missing asm("ics") /
__isync() calls.
2712. [func] New 'auto-dnssec' zone option allows zone signing
to be fully automated in zones configured for
dynamic DNS. 'auto-dnssec allow;' permits a zone
to be signed by creating keys for it in the
key-directory and using 'rndc sign <zone>'.
'auto-dnssec maintain;' allows that too, plus it
also keeps the zone's DNSSEC keys up to date
according to their timing metadata. [RT #19943]
2711. [port] win32: Add the bin/pkcs11 tools into the full
build. [RT #20372]
2710. [func] New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
zone option cause a zone to be signed with only KSKs
signing the DNSKEY RRset, not ZSKs. This reduces
the size of a DNSKEY answer. [RT #20340]
2709. [func] Added some data fields, currently unused, to the
private key file format, to allow implementation
of explicit key rollover in a future release
without impairing backward or forward compatibility.
[RT #20310]
2708. [func] Insecure to secure and NSEC3 parameter changes via
update are now fully supported and no longer require
defines to enable. We now no longer overload the
NSEC3PARAM flag field, nor the NSEC OPT bit at the
apex. Secure to insecure changes are controlled
by the named.conf option 'secure-to-insecure'.
Warning: If you had previously enabled support by
adding defines at compile time to BIND 9.6 you should
ensure that all changes that are in progress have
completed prior to upgrading to BIND 9.7. BIND 9.7
is not backwards compatible.
2707. [func] dnssec-keyfromlabel no longer requires engine name
to be specified in the label if there is a default
engine or the -E option has been used. Also, it
now uses default algorithms as dnssec-keygen does
(i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
[RT #20371]
2706. [bug] Loading a zone with a very large NSEC3 salt could
trigger an assert. [RT #20368]
2705. [placeholder]
2704. [bug] Serial of dynamic and stub zones could be inconsistent
with their SOA serial. [RT #19387]
2703. [func] Introduce an OpenSSL "engine" argument with -E
for all binaries which can take benefit of
crypto hardware. [RT #20230]
2702. [func] Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
2701. [doc] Correction to ARM: hmac-md5 is no longer the only
supported TSIG key algorithm. [RT #18046]
2700. [doc] The match-mapped-addresses option is discouraged.
[RT #12252]
2699. [bug] Missing lock in rbtdb.c. [RT #20037]
2698. [placeholder]
2697. [port] win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
S_IFREG are defined after including <isc/stat.h>.
[RT #20309]
2696. [bug] named failed to successfully process some valid
acl constructs. [RT #20308]
2695. [func] DHCP/DDNS - update fdwatch code for use by
DHCP. Modify the api to isc_sockfdwatch_t (the
callback function for isc_socket_fdwatchcreate)
to include information about the direction (read
or write) and add isc_socket_fdwatchpoke.
[RT #20253]
2694. [bug] Reduce default NSEC3 iterations from 100 to 10.
[RT #19970]
2693. [port] Add some noreturn attributes. [RT #20257]
2692. [port] win32: 32/64 bit cleanups. [RT #20335]
2691. [func] dnssec-signzone: retain the existing NSEC or NSEC3
chain when re-signing a previously-signed zone.
Use -u to modify NSEC3 parameters or switch
between NSEC and NSEC3. [RT #20304]
2690. [bug] win32: fix isc_thread_key_getspecific() prototype.
[RT #20315]
2689. [bug] Correctly handle snprintf result. [RT #20306]
2688. [bug] Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
to decide to fetch the destination address. [RT #20305]
2687. [bug] Fixed dnssec-signzone -S handling of revoked keys.
Also, added warnings when revoking a ZSK, as this is
not defined by protocol (but is legal). [RT #19943]
2686. [bug] dnssec-signzone should clean the old NSEC chain when
signing with NSEC3 and vice versa. [RT #20301]
2685. [contrib] Update contrib/zkt to version 0.99c. [RT #20054]
2684. [cleanup] dig: formalize +ad and +cd as synonyms for
+adflag and +cdflag. [RT #19305]
2683. [bug] dnssec-signzone should clean out old NSEC3 chains when
the NSEC3 parameters used to sign the zone change.
[RT #20246]
2682. [bug] "configure --enable-symtable=all" failed to
build. [RT #20282]
2681. [bug] IPSECKEY RR of gateway type 3 was not correctly
decoded. [RT #20269]
2680. [func] Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]
2679. [func] dig -k can now accept TSIG keys in named.conf
format. [RT #20031]
2678. [func] Treat DS queries as if "minimal-response yes;"
was set. [RT #20258]
2677. [func] Changes to key metadata behavior:
- Keys without "publish" or "active" dates set will
no longer be used for smart signing. However,
those dates will be set to "now" by default when
a key is created; to generate a key but not use
it yet, use dnssec-keygen -G.
- New "inactive" date (dnssec-keygen/settime -I)
sets the time when a key is no longer used for
signing but is still published.
- The "unpublished" date (-U) is deprecated in
favor of "deleted" (-D).
[RT #20247]
2676. [bug] --with-export-installdir should have been
--with-export-includedir. [RT #20252]
2675. [bug] dnssec-signzone could crash if the key directory
did not exist. [RT #20232]
--- 9.7.0a3 released ---
2674. [bug] "dnssec-lookaside auto;" crashed if named was built
without openssl. [RT #20231]
2673. [bug] The managed-keys.bind zone file could fail to
load due to a spurious result from sync_keyzone()
[RT #20045]
2672. [bug] Don't enable searching in 'host' when doing reverse
lookups. [RT #20218]
2671. [bug] Add support for PKCS#11 providers not returning
the public exponent in RSA private keys
(OpenCryptoki for instance) in
dnssec-keyfromlabel. [RT #19294]
2670. [bug] Unexpected connect failures failed to log enough
information to be useful. [RT #20205]
2669. [func] Update PKCS#11 support to support Keyper HSM.
Update PKCS#11 patch to be against openssl-0.9.8i.
2668. [func] Several improvements to dnssec-* tools, including:
- dnssec-keygen and dnssec-settime can now set key
metadata fields 0 (to unset a value, use "none")
- dnssec-revoke sets the revocation date in
addition to the revoke bit
- dnssec-settime can now print individual metadata
fields instead of always printing all of them,
and can print them in unix epoch time format for
use by scripts
[RT #19942]
2667. [func] Add support for logging stack backtrace on assertion
failure (not available for all platforms). [RT #19780]
2666. [func] Added an 'options' argument to dns_name_fromstring()
(API change from 9.7.0a2). [RT #20196]
2665. [func] Clarify syntax for managed-keys {} statement, add
ARM documentation about RFC 5011 support. [RT #19874]
2664. [bug] create_keydata() and minimal_update() in zone.c
didn't properly check return values for some
functions. [RT #19956]
2663. [func] win32: allow named to run as a service using
"NT AUTHORITY\LocalService" as the account. [RT #19977]
2662. [bug] lwres_getipnodebyname() and lwres_getipnodebyaddr()
returned a misleading error code when lwresd was
down. [RT #20028]
2661. [bug] Check whether socket fd exceeds FD_SETSIZE when
creating lwres context. [RT #20029]
2660. [func] Add a new set of DNS libraries for non-BIND9
applications. See README.libdns. [RT #19369]
2659. [doc] Clarify dnssec-keygen doc: key name must match zone
name for DNSSEC keys. [RT #19938]
2658. [bug] dnssec-settime and dnssec-revoke didn't process
key file paths correctly. [RT #20078]
2657. [cleanup] Lower "journal file <path> does not exist, creating it"
log level to debug 1. [RT #20058]
2656. [func] win32: add a "tools only" check box to the installer
which causes it to only install dig, host, nslookup,
nsupdate and relevant DLLs. [RT #19998]
2655. [doc] Document that key-directory does not affect
bind.keys, rndc.key or session.key. [RT #20155]
2654. [bug] Improve error reporting on duplicated names for
deny-answer-xxx. [RT #20164]
2653. [bug] Treat ENGINE_load_private_key() failures as key
not found rather than out of memory. [RT #18033]
2652. [func] Provide more detail about what record is being
deleted. [RT #20061]
2651. [bug] Dates could print incorrectly in K*.key files on
64-bit systems. [RT #20076]
2650. [bug] Assertion failure in dnssec-signzone when trying
to read keyset-* files. [RT #20075]
2649. [bug] Set the domain for forward only zones. [RT #19944]
2648. [port] win32: isc_time_seconds() was broken. [RT #19900]
2647. [bug] Remove unnecessary SOA updates when a new KSK is
added. [RT #19913]
2646. [bug] Incorrect cleanup on error in socket.c. [RT #19987]
2645. [port] "gcc -m32" didn't work on amd64 and x86_64 platforms
which default to 64 bits. [RT #19927]
--- 9.7.0a2 released ---
2644. [bug] Change #2628 caused a regression on some systems;
named was unable to write the PID file and would
fail on startup. [RT #20001]
2643. [bug] Stub zones interacted badly with NSEC3 support.
[RT #19777]
2642. [bug] nsupdate could dump core on solaris when reading
improperly formatted key files. [RT #20015]
2641. [bug] Fixed an error in parsing update-policy syntax,
added a regression test to check it. [RT #20007]
2640. [security] A specially crafted update packet will cause named
to exit. [RT #20000]
2639. [bug] Silence compiler warnings in gssapi code. [RT #19954]
2638. [bug] Install arpaname. [RT #19957]
2637. [func] Rationalize dnssec-signzone's signwithkey() calling.
[RT #19959]
2636. [func] Simplify zone signing and key maintenance with the
dnssec-* tools. Major changes:
- all dnssec-* tools now take a -K option to
specify a directory in which key files will be
stored
- DNSSEC can now store metadata indicating when
they are scheduled to be published, activated,
revoked or removed; these values can be set by
dnssec-keygen or overwritten by the new
dnssec-settime command
- dnssec-signzone -S (for "smart") option reads key
metadata and uses it to determine automatically
which keys to publish to the zone, use for
signing, revoke, or remove from the zone
[RT #19816]
2635. [bug] isc_inet_ntop() incorrectly handled 0.0/16 addresses.
[RT #19716]
2634. [port] win32: Add support for libxml2, enable
statschannel. [RT #19773]
2633. [bug] Handle 15 bit rand() functions. [RT #19783]
2632. [func] util/kit.sh: warn if documentation appears to be out of
date. [RT #19922]
2631. [bug] Handle "//", "/./" and "/../" in mkdirpath().
[RT #19926]
2630. [func] Improved syntax for DDNS autoconfiguration: use
"update-policy local;" to switch on local DDNS in a
zone. (The "ddns-autoconf" option has been removed.)
[RT #19875]
2629. [port] Check for seteuid()/setegid(), use setresuid()/
setresgid() if not present. [RT #19932]
2628. [port] linux: Allow /var/run/named/named.pid to be opened
at startup with reduced capabilities in operation.
[RT #19884]
2627. [bug] Named aborted if the same key was included in
trusted-keys more than once. [RT #19918]
2626. [bug] Multiple trusted-keys could trigger an assertion
failure. [RT #19914]
2625. [bug] Missing UNLOCK in rbtdb.c. [RT #19865]
2624. [func] 'named-checkconf -p' will print out the parsed
configuration. [RT #18871]
2623. [bug] Named started searches for DS non-optimally. [RT #19915]
2622. [bug] Printing of named.conf grammar was broken. [RT #19919]
2621. [doc] Made copyright boilerplate consistent. [RT #19833]
2620. [bug] Delay thawing the zone until the reload of it has
completed successfully. [RT #19750]
2619. [func] Add support for RFC 5011, automatic trust anchor
maintenance. The new "managed-keys" statement can
be used in place of "trusted-keys" for zones which
support this protocol. (Note: this syntax is
expected to change prior to 9.7.0 final.) [RT #19248]
2618. [bug] The sdb and sdlz db_interator_seek() methods could
loop infinitely. [RT #19847]
2617. [bug] ifconfig.sh failed to emit an error message when
run from the wrong location. [RT #19375]
2616. [bug] 'host' used the nameservers from resolv.conf even
when an explicit nameserver was specified. [RT #19852]
2615. [bug] "__attribute__((unused))" was in the wrong place
for ia64 gcc builds. [RT #19854]
2614. [port] win32: 'named -v' should automatically be executed
in the foreground. [RT #19844]
2613. [placeholder]
--- 9.7.0a1 released ---
2612. [func] Add default values for the arguments to
dnssec-keygen. Without arguments, it will now
generate a 1024-bit RSASHA1 zone-signing key,
or with the -f KSK option, a 2048-bit RSASHA1
key-signing key. [RT #19300]
2611. [func] Add -l option to dnssec-dsfromkey to generate
DLV records instead of DS records. [RT #19300]
2610. [port] sunos: Change #2363 was not complete. [RT #19796]
2609. [func] Simplify the configuration of dynamic zones:
- add ddns-confgen command to generate
configuration text for named.conf
- add zone option "ddns-autoconf yes;", which
causes named to generate a TSIG session key
and allow updates to the zone using that key
- add '-l' (localhost) option to nsupdate, which
causes nsupdate to connect to a locally-running
named process using the session key generated
by named
[RT #19284]
2608. [func] Perform post signing verification checks in
dnssec-signzone. These can be disabled with -P.
The post sign verification test ensures that for each
algorithm in use there is at least one non revoked
self signed KSK key. That all revoked KSK keys are
self signed. That all records in the zone are signed
by the algorithm. [RT #19653]
2607. [bug] named could incorrectly delete NSEC3 records for
empty nodes when processing an update request.
[RT #19749]
2606. [bug] "delegation-only" was not being accepted in
delegation-only type zones. [RT #19717]
2605. [bug] Accept DS responses from delegation only zones.
[RT #19296]
2604. [func] Add support for DNS rebinding attack prevention through
new options, deny-answer-addresses and
deny-answer-aliases. Based on contributed code from
JD Nurmi, Google. [RT #18192]
2603. [port] win32: handle .exe extension of named-checkzone and
named-compilezone argv[0] names under windows.
[RT #19767]
2602. [port] win32: fix debugging command line build of libisccfg.
[RT #19767]
2601. [doc] Mention file creation mode mask in the
named manual page.
2600. [doc] ARM: miscellaneous reformatting for different
page widths. [RT #19574]
2599. [bug] Address rapid memory growth when validation fails.
[RT #19654]
2598. [func] Reserve the -F flag. [RT #19657]
2597. [bug] Handle a validation failure with an insecure delegation
from a NSEC3 signed master/slave zone. [RT #19464]
2596. [bug] Stale tree nodes of cache/dynamic rbtdb could stay
long, leading to inefficient memory usage or rejecting
newer cache entries in the worst case. [RT #19563]
2595. [bug] Fix unknown extended rcodes in dig. [RT #19625]
2594. [func] Have rndc warn if using its default configuration
file when the key file also exists. [RT #19424]
2593. [bug] Improve a corner source of SERVFAILs [RT #19632]
2592. [bug] Treat "any" as a type in nsupdate. [RT #19455]
2591. [bug] named could die when processing an update in
removed_orphaned_ds(). [RT #19507]
2590. [func] Report zone/class of "update with no effect".
[RT #19542]
2589. [bug] dns_db_unregister() failed to clear '*dbimp'.
[RT #19626]
2588. [bug] SO_REUSEADDR could be set unconditionally after failure
of bind(2) call. This should be rare and mostly
harmless, but may cause interference with other
processes that happen to use the same port. [RT #19642]
2587. [func] Improve logging by reporting serial numbers for
when zone serial has gone backwards or unchanged.
[RT #19506]
2586. [bug] Missing cleanup of SIG rdataset in searching a DLZ DB
or SDB. [RT #19577]
2585. [bug] Uninitialized socket name could be referenced via a
statistics channel, triggering an assertion failure in
XML rendering. [RT #19427]
2584. [bug] alpha: gcc optimization could break atomic operations.
[RT #19227]
2583. [port] netbsd: provide a control to not add the compile
date to the version string, -DNO_VERSION_DATE.
2582. [bug] Don't emit warning log message when we attempt to
remove non-existent journal. [RT #19516]
2581. [contrib] dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
Requires MySQL 5.0.19 or later. [RT #19084]
2580. [bug] UpdateRej statistics counter could be incremented twice
for one rejection. [RT #19476]
2579. [bug] DNSSEC lookaside validation failed to handle unknown
algorithms. [RT #19479]
2578. [bug] Changed default sig-signing-type to 65534, because
65535 turns out to be reserved. [RT #19477]
2577. [doc] Clarified some statistics counters. [RT #19454]
2576. [bug] NSEC records were not being correctly signed when
a zone transitions from insecure to secure.
Handle such incorrectly signed zones. [RT #19114]
2575. [func] New functions dns_name_fromstring() and
dns_name_tostring(), to simplify conversion
of a string to a dns_name structure and vice
versa. [RT #19451]
2574. [doc] Document nsupdate -g and -o. [RT #19351]
2573. [bug] Replacing a non-CNAME record with a CNAME record in a
single transaction in a signed zone failed. [RT #19397]
2572. [func] Simplify DLV configuration, with a new option
"dnssec-lookaside auto;" This is the equivalent
of "dnssec-lookaside . trust-anchor dlv.isc.org;"
plus setting a trusted-key for dlv.isc.org.
Note: The trusted key is hard-coded into named,
but is also stored in (and can be overridden
by) $sysconfdir/bind.keys. As the ISC DLV key
rolls over it can be kept up to date by replacing
the bind.keys file with a key downloaded from
https://www.isc.org/solutions/dlv. [RT #18685]
2571. [func] Add a new tool "arpaname" which translates IP addresses
to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
[RT #18976]
2570. [func] Log the destination address the query was sent to.
[RT #19209]
2569. [func] Move journalprint, nsec3hash, and genrandom
commands from bin/tests into bin/tools;
"make install" will put them in $sbindir. [RT #19301]
2568. [bug] Report when the write to indicate an otherwise
successful start fails. [RT #19360]
2567. [bug] dst__privstruct_writefile() could miss write errors.
write_public_key() could miss write errors.
dnssec-dsfromkey could miss write errors.
[RT #19360]
2566. [cleanup] Clarify logged message when an insecure DNSSEC
response arrives from a zone thought to be secure:
"insecurity proof failed" instead of "not
insecure". [RT #19400]
2565. [func] Add support for HIP record. Includes new functions
dns_rdata_hip_first(), dns_rdata_hip_next()
and dns_rdata_hip_current(). [RT #19384]
2564. [bug] Only take EDNS fallback steps when processing timeouts.
[RT #19405]
2563. [bug] Dig could leak a socket causing it to wait forever
to exit. [RT #19359]
2562. [doc] ARM: miscellaneous improvements, reorganization,
and some new content.
2561. [doc] Add isc-config.sh(1) man page. [RT #16378]
2560. [bug] Add #include <config.h> to iptable.c. [RT #18258]
2559. [bug] dnssec-dsfromkey could compute bad DS records when
reading from K* files. [RT #19357]
2558. [func] Set the ownership of missing directories created
for pid-file if -u has been specified on the command
line. [RT #19328]
2557. [cleanup] PCI compliance:
* new libisc log module file
* isc_dir_chroot() now also changes the working
directory to "/".
* additional INSISTs
* additional logging when files can't be removed.
2556. [port] Solaris: mkdir(2) on tmpfs filesystems does not do the
error checks in the correct order resulting in the
wrong error code sometimes being returned. [RT #19249]
2555. [func] dig: when emitting a hex dump also display the
corresponding characters. [RT #19258]
2554. [bug] Validation of uppercase queries from NSEC3 zones could
fail. [RT #19297]
2553. [bug] Reference leak on DNSSEC validation errors. [RT #19291]
2552. [bug] zero-no-soa-ttl-cache was not being honoured.
[RT #19340]
2551. [bug] Potential Reference leak on return. [RT #19341]
2550. [bug] Check --with-openssl=<path> finds <openssl/opensslv.h>.
[RT #19343]
2549. [port] linux: define NR_OPEN if not currently defined.
[RT #19344]
2548. [bug] Install iterated_hash.h. [RT #19335]
2547. [bug] openssl_link.c:mem_realloc() could reference an
out-of-range area of the source buffer. New public
function isc_mem_reallocate() was introduced to address
this bug. [RT #19313]
2546. [func] Add --enable-openssl-hash configure flag to use
OpenSSL (in place of internal routine) for hash
functions (MD5, SHA[12] and HMAC). [RT #18815]
2545. [doc] ARM: Legal hostname checking (check-names) is
for SRV RDATA too. [RT #19304]
2544. [cleanup] Removed unused structure members in adb.c. [RT #19225]
2543. [contrib] Update contrib/zkt to version 0.98. [RT #19113]
2542. [doc] Update the description of dig +adflag. [RT #19290]
2541. [bug] Conditionally update dispatch manager statistics.
[RT #19247]
2540. [func] Add a nibble mode to $GENERATE. [RT #18872]
2539. [security] Update the interaction between recursion, allow-query,
allow-query-cache and allow-recursion. [RT #19198]
2538. [bug] cache/ADB memory could grow over max-cache-size,
especially with threads and smaller max-cache-size
values. [RT #19240]
2537. [func] Added more statistics counters including those on socket
I/O events and query RTT histograms. [RT #18802]
2536. [cleanup] Silence some warnings when -Werror=format-security is
specified. [RT #19083]
2535. [bug] dig +showsearch and +trace interacted badly. [RT #19091]
2534. [func] Check NAPTR records regular expressions and
replacement strings to ensure they are syntactically
valid and consistent. [RT #18168]
2533. [doc] ARM: document @ (at-sign). [RT #17144]
2532. [bug] dig: check the question section of the response to
see if it matches the asked question. [RT #18495]
2531. [bug] Change #2207 was incomplete. [RT #19098]
2530. [bug] named failed to reject insecure to secure transitions
via UPDATE. [RT #19101]
2529. [cleanup] Upgrade libtool to silence complaints from recent
version of autoconf. [RT #18657]
2528. [cleanup] Silence spurious configure warning about
--datarootdir [RT #19096]
2527. [placeholder]
2526. [func] New named option "attach-cache" that allows multiple
views to share a single cache to save memory and
improve lookup efficiency. Based on contributed code
from Barclay Osborn, Google. [RT #18905]
2525. [func] New logging category "query-errors" to provide detailed
internal information about query failures, especially
about server failures. [RT #19027]
2524. [port] sunos: dnssec-signzone needs strtoul(). [RT #19129]
2523. [bug] Random type rdata freed by dns_nsec_typepresent().
[RT #19112]
2522. [security] Handle -1 from DSA_do_verify() and EVP_VerifyFinal().
2521. [bug] Improve epoll cross compilation support. [RT #19047]
2520. [bug] Update xml statistics version number to 2.0 as change
#2388 made the schema incompatible to the previous
version. [RT #19080]
2519. [bug] dig/host with -4 or -6 didn't work if more than two
nameserver addresses of the excluded address family
preceded in resolv.conf. [RT #19081]
2518. [func] Add support for the new CERT types from RFC 4398.
[RT #19077]
2517. [bug] dig +trace with -4 or -6 failed when it chose a
nameserver address of the excluded address type.
[RT #18843]
2516. [bug] glue sort for responses was performed even when not
needed. [RT #19039]
2515. [port] win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
[RT #19063]
2514. [bug] dig/host failed with -4 or -6 when resolv.conf contains
a nameserver of the excluded address family.
[RT #18848]
2513. [bug] Fix windows cli build. [RT #19062]
2512. [func] Print a summary of the cached records which make up
the negative response. [RT #18885]
2511. [cleanup] dns_rdata_tofmttext() add const to linebreak.
[RT #18885]
2510. [bug] "dig +sigchase" could trigger REQUIRE failures.
[RT #19033]
2509. [bug] Specifying a fixed query source port was broken.
[RT #19051]
2508. [placeholder]
2507. [func] Log the recursion quota values when killing the
oldest query or refusing to recurse due to quota.
[RT #19022]
2506. [port] solaris: Check at configure time if
hack_shutup_pthreadonceinit is needed. [RT #19037]
2505. [port] Treat amd64 similarly to x86_64 when determining
atomic operation support. [RT #19031]
2504. [bug] Address race condition in the socket code. [RT #18899]
2503. [port] linux: improve compatibility with Linux Standard
Base. [RT #18793]
2502. [cleanup] isc_radix: Improve compliance with coding style,
document function in <isc/radix.h>. [RT #18534]
2501. [func] $GENERATE now supports all rdata types. Multi-field
rdata types need to be quoted. See the ARM for
details. [RT #18368]
2500. [contrib] contrib/sdb/pgsql/zonetodb.c called non-existent
function. [RT #18582]
2499. [port] solaris: lib/lwres/getaddrinfo.c namespace clash.
[RT #18837]
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
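
Added example (not part of the original announcement and not BIND code): a simplified Python model of the key timing metadata described in changes 2636 and 2677, used to check a planned rollover for windows in which no key is signing. The field names, the sample keys and the rule that an activated key is also treated as published are assumptions of this sketch.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class KeyTiming:
    """Timing metadata of one DNSSEC key (field names are this example's own)."""
    name: str
    publish: Optional[datetime] = None
    activate: Optional[datetime] = None
    inactive: Optional[datetime] = None  # change 2677: stop signing, stay published
    revoke: Optional[datetime] = None
    delete: Optional[datetime] = None    # change 2677: "deleted" replaces "unpublished"


def reached(when: Optional[datetime], now: datetime) -> bool:
    """True if the date is set and is not in the future."""
    return when is not None and when <= now


def key_roles(key: KeyTiming, now: datetime) -> Set[str]:
    """Roles a key plays at `now` under this simplified model."""
    if reached(key.delete, now):
        return set()
    roles: Set[str] = set()
    # Assumption: a key whose activation date has passed is also in the zone.
    # A key with neither date set gets no role (change 2677).
    if reached(key.publish, now) or reached(key.activate, now):
        roles.add("published")
    if reached(key.activate, now) and not reached(key.inactive, now):
        roles.add("signing")
    if roles and reached(key.revoke, now):
        roles.add("revoked")
    return roles


def signing_gaps(keys: List[KeyTiming], start: datetime,
                 end: datetime) -> List[Tuple[datetime, datetime]]:
    """Intervals inside [start, end) during which no key is signing."""
    # Signing state only changes at activate/inactive/delete dates,
    # so it is enough to sample the state at each of those points.
    points = {start, end}
    for k in keys:
        for t in (k.activate, k.inactive, k.delete):
            if t is not None and start < t < end:
                points.add(t)
    ordered = sorted(points)
    gaps: List[Tuple[datetime, datetime]] = []
    for a, b in zip(ordered, ordered[1:]):
        if any("signing" in key_roles(k, a) for k in keys):
            continue
        if gaps and gaps[-1][1] == a:
            gaps[-1] = (gaps[-1][0], b)   # merge adjacent gap intervals
        else:
            gaps.append((a, b))
    return gaps


# Constructed sample data: a ZSK rollover where the successor is
# activated two days after the old key goes inactive.
DAY = timedelta(days=1)
T0 = datetime(2009, 10, 20)
OLD_ZSK = KeyTiming("old-zsk", publish=T0, activate=T0,
                    inactive=T0 + 30 * DAY, delete=T0 + 40 * DAY)
NEW_ZSK = KeyTiming("new-zsk", publish=T0 + 20 * DAY, activate=T0 + 32 * DAY)
NO_DATES = KeyTiming("no-dates")
KSK = KeyTiming("ksk", publish=T0, activate=T0, revoke=T0 + 50 * DAY)

if __name__ == "__main__":
    for day in (10, 25, 31, 35, 45, 55):
        now = T0 + day * DAY
        for key in (OLD_ZSK, NEW_ZSK, NO_DATES, KSK):
            print(day, key.name, sorted(key_roles(key, now)))
    print(signing_gaps([OLD_ZSK, NEW_ZSK, NO_DATES], T0, T0 + 60 * DAY))
```

Run against the ZSKs only, the gap check reports the two-day window in which the zone would have no active signing key; moving the successor's activation date to or before the old key's inactive date closes it.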