Advance notice - H-root address change on December 1, 2015
In message <A94D98ED-538E-4B0E-B91D-AD63D485DB0F at lboro.ac.uk>, Alan Buxey writes:
> >
> No. CentOS follows RedHat. They backport fixes to older versions rather
> than put the new version out. It appears that they have an aversion to new
> features and just want to put the fixes onto the older versions. So that
> 9.9.4 probably has 60% of the changes that the diff of 9.9.4 has to 9.9.8.
> This action confuses most.
>
> alan
The point of putting out maintenance releases is to fix bugs in
the existing code, not to introduce features. We leave features to
the .0 releases. The [func] below are bug fixes / security fixes.
Even with 60% of the changes one is missing a huge number of bug
fixes.
Mark
diff --git a/CHANGES b/CHANGES
index e3c5595..5929d64 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,8 +1,1220 @@
+ --- 9.9.8 released ---
+
+ --- 9.9.8rc1 released ---
+
+4193. [bug] Handle broken servers that return BADVERS incorrectly.
+ [RT #40427]
+
+4192. [bug] The default rrset-order of random was not always being
+ applied. [RT #40456]
+
+4191. [protocol] Accept DNS-SD non LDH PTR records in reverse zones
+ as per RFC 6763. [RT #37889]
+
+4190. [protocol] Accept Active Diretory gc._msdcs.<forest> name as
+ valid with check-names. <forest> still needs to be
+ LDH. [RT #40399]
+
+4189. [cleanup] Don't exit on overly long tokens in named.conf.
+ [RT #40418]
+
+4188. [bug] Support HTTP/1.0 client properly on the statistics
+ channel. [RT #40261]
+
+4187. [func] When any RR type implementation doesn't
+ implement totext() for the RDATA's wire
+ representation and returns ISC_R_NOTIMPLEMENTED,
+ such RDATA is now printed in unknown
+ presentation format (RFC 3597). RR types affected
+ include LOC(29) and APL(42). [RT #40317].
+
+4183. [cleanup] Use timing-safe memory comparisons in cryptographic
+ code. Also, the timing-safe comparison functions have
+ been renamed to avoid possible confusion with
+ memcmp(). Thanks to Loganaden Velvindron of
+ AFRINIC. [RT #40148]
+
+4182. [cleanup] Use mnemonics for RR class and type comparisons.
+ [RT #40297]
+
+4181. [bug] Queued notify messages could be dequeued from the
+ wrong rate limiter queue. [RT #40350]
+
+4179. [bug] Fix double frees in getaddrinfo() in libirs.
+ [RT #40209]
+
+4178. [bug] Fix assertion failure in parsing UNSPEC(103) RR from
+ text. [RT #40274]
+
+4177. [bug] Fix assertion failure in parsing NSAP records from
+ text. [RT #40285]
+
+4176. [bug] Address race issues with lwresd. [RT #40284]
+
+4175. [bug] TKEY with GSS-API keys needed bigger buffers.
+ [RT #40333]
+
+4174. [bug] "dnssec-coverage -r" didn't handle time unit
+ suffixes correctly. [RT #38444]
+
+4173. [bug] dig +sigchase was not properly matching the trusted
+ key. [RT #40188]
+
+4172. [bug] Named / named-checkconf didn't handle a view of CLASS0.
+ [RT #40265]
+
+4171. [bug] Fixed incorrect class checks in TSIG RR
+ implementation. [RT #40287]
+
+4170. [security] An incorrect boundary check in the OPENPGPKEY
+ rdatatype could trigger an assertion failure.
+ (CVE-2015-5986) [RT #40286]
+
+4169. [test] Added a 'wire_test -d' option to read input as
+ raw binary data, for use as a fuzzing harness.
+ [RT #40312]
+
+4168. [security] A buffer accounting error could trigger an
+ assertion failure when parsing certain malformed
+ DNSSEC keys. (CVE-2015-5722) [RT #40212]
+
+ --- 9.9.8b1 released ---
+
+4165. [security] A failure to reset a value to NULL in tkey.c could
+ result in an assertion failure. (CVE-2015-5477)
+ [RT #40046]
+
+4164. [bug] Don't rename slave files and journals on out of memory.
+ [RT #40033]
+
+4163. [bug] Address compiler warnings. [RT #40024]
+
+4162. [bug] httpdmgr->flags was not being initialized. [RT #40017]
+
+4159. [cleanup] Alphabetize dig's help output. [RT #39966]
+
+4158. [protocol] Support the printing of EDNS COOKIE and EXPIRE options.
+ [RT #39928]
+
+4154. [bug] A OPT record should be included with the FORMERR
+ response when there is a malformed EDNS option.
+ [RT #39647]
+
+4153. [bug] Check that non significant ECS bits are zero on
+ receipt. [RT #39647]
+
+4151. [bug] 'rndc flush' could cause a deadlock. [RT #39835]
+
+4150. [bug] win32: listen-on-v6 { any; }; was not working. Apply
+ minimal fix. [RT #39667]
+
+4149. [bug] Fixed a race condition in the getaddrinfo()
+ implementation in libirs. [RT #39899]
+
+4148. [bug] Fix a bug when printing zone names with '/' character
+ in XML and JSON statistics output. [RT #39873]
+
+4147. [bug] Filter-aaaa / filter-aaaa-on-v4 / filter-aaaa-on-v6
+ was returning referrals rather than nodata responses
+ when the AAAA records were filtered. [RT #39843]
+
+4146. [bug] Address reference leak that could prevent a clean
+ shutdown. [RT #37125]
+
+4145. [bug] Not all unassociated adb entries where being printed.
+ [RT #37125]
+
+4143. [bug] serial-query-rate was not effective for notify.
+ [RT #39858]
+
+4142. [bug] rndc addzone with view specified saved NZF config
+ that could not be read back by named. This has now
+ been fixed. [RT #39845]
+
+4138. [security] An uninitialized value in validator.c could result
+ in an assertion failure. (CVE-2015-4620) [RT #39795]
+
+4137. [bug] Make rndc reconfig report configuration errors the
+ same way rndc reload does. [RT #39635]
+
+4132. [cleanup] dig: added +rd as a synonym for +recurse,
+ added +class as an unabbreviated alternative
+ to +cl. [RT #39686]
+
+4130. [bug] The compatibility shim for *printf() misprinted some
+ large numbers. [RT #39586]
+
+4129. [port] Address API changes in OpenSSL 1.1.0. [RT #39532]
+
+4128. [bug] Address issues raised by Coverity 7.6. [RT #39537]
+
+4127. [protocol] CDS and CDNSKEY need to be signed by the key signing
+ key as per RFC 7344, Section 4.1. [RT #37215]
+
+4123. [port] Added %z (size_t) format options to the portable
+ internal printf/sprintf implementation. [RT #39586]
+
+4118. [bug] Teach isc-config.sh about irs. [RT #39213]
+
+4117. [protocol] Add EMPTY.AS112.ARPA as per RFC 7534.
+
+4113. [test] Check for Net::DNS is some system test
+ prerequisites. [RT #39369]
+
+4112. [bug] Named failed to load when "root-delegation-only"
+ was used without a list of domains to exclude.
+ [RT #39380]
+
+4111. [doc] Alphabetize rndc man page. [RT #39360]
+
+4110. [bug] Address memory leaks / null pointer dereferences
+ on out of memory. [RT #39310]
+
+4109. [port] linux: support reading the local port range from
+ net.ipv4.ip_local_port_range. [RT # 39379]
+
+4107. [bug] Address potential deadlock when updating zone content.
+ [RT #39269]
+
+4106. [port] Improve readline support. [RT #38938]
+
+4105. [port] Misc fixes for Microsoft Visual Studio
+ 2015 CTP6 in 64 bit mode. [RT #39308]
+
+4104. [bug] Address uninitialized elements. [RT #39252]
+
+4102. [bug] Fix a use after free bug introduced in change
+ #4094. [RT #39281]
+
+4101. [bug] dig: the +split option didn't work with +short.
+ [RT #39291]
+
+4100. [bug] Inherited owernames on the line immediately following
+ a $INCLUDE were not working. [RT #39268]
+
+4099. [port] clang: make unknown commandline options hard errors
+ when determining what options are supported.
+ [RT #39273]
+
+4098. [bug] Address use-after-free issue when using a
+ predecessor key with dnssec-settime. [RT #39272]
+
+4097. [func] Add additional logging about xfrin transfer status.
+ [RT #39170]
+
+4096. [bug] Fix a use after free of query->sendevent.
+ [RT #39132]
+
+4094. [bug] A race during shutdown or reconfiguration could
+ cause an assertion in mem.c. [RT #38979]
+
+4091. [cleanup] Some cleanups in isc mem code. [RT #38896]
+
+4090. [bug] Fix a crash while parsing malformed CAA RRs in
+ presentation format, i.e., from text such as
+ from master files. Thanks to John Van de
+ Meulebrouck Brendgard for discovering and
+ reporting this problem. [RT #39003]
+
+4089. [bug] Send notifies immediately for slave zones during
+ startup. [RT #38843]
+
+4088. [port] Fixed errors when building with libressl. [RT #38899]
+
+4087. [bug] Fix a crash due to use-after-free due to sequencing
+ of tasks actions. [RT #38495]
+
+4085. [bug] ISC_PLATFORM_HAVEXADDQ could be inconsistently set.
+ [RT #38828]
+
+4084. [bug] Fix a possible race in updating stats counters.
+ [RT #38826]
+
+4082. [bug] Incrementally sign large inline zone deltas.
+ [RT #37927]
+
+4081. [cleanup] Use dns_rdatalist_init consistently. [RT #38759]
+
+4077. [test] Add static-stub regression test for DS NXDOMAIN
+ return making the static stub disappear. [RT #38564]
+
+4076. [bug] Named could crash on shutdown with outstanding
+ reload / reconfig events. [RT #38622]
+
+4075. [bug] Increase nsupdate's input buffer to accomodate
+ very large RRs. [RT #38689]
+
+4074. [cleanup] Cleaned up more warnings from gcc -Wshadow. [RT #38708]
+
+4073. [cleanup] Add libjson-c version number reporting to
+ "named -V"; normalize version number formatting.
+ [RT #38056]
+
+4072. [func] Add a --enable-querytrace configure switch for
+ very verbose query trace logging. (This option
+ has a negative performance impact and should be
+ used only for debugging.) [RT #37520]
+
+4070. [bug] Fix a segfault in nslookup in a query such as
+ "nslookup isc.org AMS.SNS-PB.ISC.ORG -all".
+ [RT #38548]
+
+4069. [doc] Reorganize options in the nsupdate man page.
+ [RT #38515]
+
+4067. [cleanup] Reduce noise from RRL when query logging is
+ disabled. [RT #38648]
+
+4066. [doc] Reorganize options in the dig man page. [RT #38516]
+
+4064. [contrib] dnssec-keyset.sh: Generates a specified number
+ of DNSSEC keys with timing set to implement a
+ pre-publication key rollover strategy. Thanks
+ to Jeffry A. Spain. [RT #38459]
+
+4063. [bug] Asynchronous zone loads were not handled
+ correctly when the zone load was already in
+ progress; this could trigger a crash in zt.c.
+ [RT #37573]
+
+4062. [bug] Fix an out-of-bounds read in RPZ code. If the
+ read succeeded, it doesn't result in a bug
+ during operation. If the read failed, named
+ could segfault. [RT #38559]
+
+3938. [func] Added quotas to be used in recursive resolvers
+ that are under high query load for names in zones
+ whose authoritative servers are nonresponsive or
+ are experiencing a denial of service attack.
+
+ - "fetches-per-server" limits the number of
+ simultaneous queries that can be sent to any
+ single authoritative server. The configured
+ value is a starting point; it is automatically
+ adjusted downward if the server is partially or
+ completely non-responsive. The algorithm used to
+ adjust the quota can be configured via the
+ "fetch-quota-params" option.
+ - "fetches-per-zone" limits the number of
+ simultaneous queries that can be sent for names
+ within a single domain. (Note: Unlike
+ "fetches-per-server", this value is not
+ self-tuning.)
+ - New stats counters have been added to count
+ queries spilled due to these quotas.
+
+ These options are not available by default;
+ use "configure --enable-fetchlimit" (or
+ --enable-developer) to include them in the build.
+
+ See the ARM for details of these options. [RT #37125]
+
+3937. [func] Added some debug logging to better indicate the
+ conditions causing SERVFAILs when resolving.
+ [RT #35538]
+
+ --- 9.9.7 released ---
+
+ --- 9.9.7rc2 released ---
+
+4061. [bug] Handle timeout in legacy system test. [RT #38573]
+
+4060. [bug] dns_rdata_freestruct could be called on a
+ uninitialized structure when handling a error.
+ [RT #38568]
+
+4059. [bug] Addressed valgrind warnings. [RT #38549]
+
+4058. [bug] UDP dispatches could use the wrong pseudorandom
+ number generator context. [RT #38578]
+
+4056. [bug] Fixed several small bugs in automatic trust anchor
+ management, including a memory leak and a possible
+ loss of key state information. [RT #38458]
+
+4057. [bug] 'dnssec-dsfromkey -T 0' failed to add ttl field.
+ [RT #38565]
+
+4053. [security] Revoking a managed trust anchor and supplying
+ an untrusted replacement could cause named
+ to crash with an assertion failure.
+ (CVE-2015-1349) [RT #38344]
+
+4052. [bug] Fix a leak of query fetchlock. [RT #38454]
+
+4050. [bug] RPZ could send spurious SERVFAILs in response
+ to duplicate queries. [RT #38510]
+
+4049. [bug] CDS and CDNSKEY had the wrong attributes. [RT #38491]
+
+4048. [bug] adb hash table was not being grown. [RT #38470]
+
+ --- 9.9.7rc1 released ---
+
+4047. [cleanup] "named -V" now reports the current running versions
+ of OpenSSL and the libxml2 libraries, in addition to
+ the versions that were in use at build time.
+
+4046. [bug] Accounting of "total use" in memory context
+ statistics was not correct. [RT #38370]
+
+4045. [bug] Skip to next master on dns_request_createvia4 failure.
+ [RT #25185]
+
+4044. [bug] Change 3955 was not complete, resulting in an assertion
+ failure if the timing was just right. [RT #38352]
+
+4039. [cleanup] Cleaned up warnings from gcc -Wshadow. [RT #37381]
+
+4038. [bug] Add 'rpz' flag to node and use it to determine whether
+ to call dns_rpz_delete. This should prevent unbalanced
+ add / delete calls. [RT #36888]
+
+4037. [bug] also-notify was ignoring the tsig key when checking
+ for duplicates resulting in some expected notify
+ messages not being sent. [RT #38369]
+
+4035. [bug] Close temporary and NZF FILE pointers before moving
+ the former into the latter's place, as required on
+ Windows. [RT #38332]
+
+4032. [bug] Built-in "empty" zones did not correctly inherit the
+ "allow-transfer" ACL from the options or view.
+ [RT #38310]
+
+4031. [bug] named-checkconf -z failed to report a missing file
+ with a hint zone. [RT #38294]
+
+4028. [bug] $GENERATE with a zero step was not being caught as a
+ error. A $GENERATE with a / but no step was not being
+ caught as a error. [RT #38262]
+
+3973. [test] Added hooks for Google Performance Tools CPU profiler,
+ including real-time/wall-clock profiling. Use
+ "configure --with-gperftools-profiler" to enable.
+ [RT #37339]
+
+ --- 9.9.7b1 released ---
+
+4027. [port] Net::DNS 0.81 compatibility. [RT #38165]
+
+4026. [bug] Fix RFC 3658 reference in dig +sigchase. [RT #38173]
+
+4025. [port] bsdi: failed to build. [RT #38047]
+
+4024. [bug] dns_rdata_opt_first, dns_rdata_opt_next,
+ dns_rdata_opt_current, dns_rdata_txt_first,
+ dns_rdata_txt_next and dns_rdata_txt_current were
+ documented but not implemented. These have now been
+ implemented.
+
+ dns_rdata_spf_first, dns_rdata_spf_next and
+ dns_rdata_spf_current were documented but not
+ implemented. The prototypes for these
+ functions have been removed. [RT #38068]
+
+4023. [bug] win32: socket handling with explicit ports and
+ invoking named with -4 was broken for some
+ configurations. [RT #38068]
+
+4021. [bug] Adjust max-recursion-queries to accommodate
+ the need for more queries when the cache is
+ empty. [RT #38104]
+
+4020. [bug] Change 3736 broke nsupdate's SOA MNAME discovery
+ resulting in updates being sent to the wrong server.
+ [RT #37925]
+
+4019. [func] If named is not configured to validate the answer
+ then allow fallback to plain DNS on timeout even
+ when we know the server supports EDNS. [RT #37978]
+
+4018. [bug] Fall back to plain DNS when EDNS queries are being
+ dropped was failing. [RT #37965]
+
+4017. [test] Add system test to check lookups to legacy servers
+ with broken DNS behavior. [RT #37965]
+
+4016. [bug] Fix a dig segfault due to bad linked list usage.
+ [RT #37591]
+
+4015. [bug] Nameservers that are skipped due to them being
+ CNAMEs were not being logged. They are now logged
+ to category 'cname' as per BIND 8. [RT #37935]
+
+4014. [bug] When including a master file origin_changed was
+ not being properly set leading to a potentially
+ spurious 'inherited owner' warning. [RT #37919]
+
+4012. [bug] Check returned status of OpenSSL digest and HMAC
+ functions when they return one. Note this applies
+ only to FIPS capable OpenSSL libraries put in
+ FIPS mode and MD5. [RT #37944]
+
+4011. [bug] master's list port inheritance was not properly
+ implemented. [RT #37792]
+
+4007. [doc] Remove acl forward reference restriction. [RT #37772]
+
+4006. [security] A flaw in delegation handling could be exploited
+ to put named into an infinite loop. This has
+ been addressed by placing limits on the number
+ of levels of recursion named will allow (default 7),
+ and the number of iterative queries that it will
+ send (default 50) before terminating a recursive
+ query (CVE-2014-8500).
+
+ The recursion depth limit is configured via the
+ "max-recursion-depth" option, and the query limit
+ via the "max-recursion-queries" option. [RT #37580]
+
+4004. [bug] When delegations had AAAA glue but not A, a
+ reference could be leaked causing an assertion
+ failure on shutdown. [RT #37796]
+
+4000. [bug] NXDOMAIN redirection incorrectly handled NXRRSET
+ from the redirect zone. [RT #37722]
+
+3998. [bug] isc_radix_search was returning matches that were
+ too precise. [RT #37680]
+
+3997. [protocol] Add OPENGPGKEY record. [RT# 37671]
+
+3996. [bug] Address use after free on out of memory error in
+ keyring_add. [RT #37639]
+
+3995. [bug] receive_secure_serial holds the zone lock for too
+ long. [RT #37626]
+
+3990. [testing] Add tests for unknown DNSSEC algorithm handling.
+ [RT #37541]
+
+3989. [cleanup] Remove redundant dns_db_resigned calls. [RT #35748]
+
+3987. [func] Handle future Visual Studio 14 incompatible changes.
+ [RT #37380]
+
+3986. [doc] Add the BIND version number to page footers
+ in the ARM. [RT #37398]
+
+3985. [doc] Describe how +ndots and +search interact in dig.
+ [RT #37529]
+
+3982. [doc] Include release notes in product documentation.
+ [RT #37272]
+
+3981. [bug] Cache DS/NXDOMAIN independently of other query types.
+ [RT #37467]
+
+3978. [test] Added a unit test for Diffie-Hellman key
+ computation, completing change #3974. [RT #37477]
+
+3976. [bug] When refreshing managed-key trust anchors, clear
+ any cached trust so that they will always be
+ revalidated with the current set of secure
+ roots. [RT #37506]
+
+3974. [bug] Handle DH_compute_key() failure correctly in
+ openssldh_link.c. [RT #37477]
+
+3972. [bug] Fix host's usage statement. [RT #37397]
+
+3971. [bug] Reduce the cascading failures due to a bad $TTL line
+ in named-checkconf / named-checkzone. [RT #37138]
+
+3970. [contrib] Fixed a use after free bug in the SDB LDAP driver.
+ [RT #37237]
+
+3968. [bug] Silence spurious log messages when using 'named -[46]'.
+ [RT #37308]
+
+3967. [test] Add test for inlined signed zone in multiple views
+ with different DNSKEY sets. [RT #35759]
+
+3966. [bug] Missing dns_db_closeversion call in receive_secure_db.
+ [RT #35746]
+
+3962. [bug] 'dig +topdown +trace +sigchase' address unhandled error
+ conditions. [RT #34663]
+
+3961. [bug] Forwarding of SIG(0) signed UPDATE messages failed with
+ BADSIG. [RT #37216]
+
+3960. [bug] 'dig +sigchase' could loop forever. [RT #37220]
+
+3959. [bug] Updates could be lost if they arrived immediately
+ after a rndc thaw. [RT #37233]
+
+3958. [bug] Detect when writeable files have multiple references
+ in named.conf. [RT #37172]
+
+3957. [bug] "dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256
+ and ECDSAP384SHA384. [RT #37183]
+
+3955. [bug] Notify messages due to changes are no longer queued
+ behind startup notify messages. [RT #24454]
+
+3954. [bug] Unchecked mutex init in dlz_dlopen_driver.c [RT #37112]
+
+3953. [bug] Don't escape semi-colon in TXT fields. [RT #37159]
+
+3952. [bug] dns_name_fullcompare failed to set *nlabelsp when the
+ two name pointers were the same. [RT #37176]
+
+ --- 9.9.6 released ---
+
+3950. [port] Changed the bin/python Makefile to work around a
+ bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993]
+
+ --- 9.9.6rc2 released ---
+
+3947. [cleanup] Set the executable bit on libraries when using
+ libtool. [RT #36786]
+
+3946. [cleanup] Improved "configure" search for a python interpreter.
+ [RT #36992]
+
+3945. [bug] Invalid wildcard expansions could be incorrectly
+ accepted by the validator. [RT #37093]
+
+3944. [test] Added a regression test for "server-id". [RT #37057]
+
+3942. [bug] Wildcard responses from a optout range should be
+ marked as insecure. [RT #37072]
+
+3941. [doc] Include the BIND version number in the ARM. [RT #37067]
+
+ --- 9.9.6rc1 released ---
+
+3933. [bug] Corrected the implementation of dns_rdata_casecompare()
+ for the HIP rdata type. [RT #36911]
+
+3932. [test] Improved named-checkconf tests. [RT #36911]
+
+3931. [cleanup] Cleanup how dlz grammar is defined. [RT #36879]
+
+3929. [bug] 'host -a' needed to clear idnoptions. [RT #36963]
+
+3928. [test] Improve rndc system test. [RT #36898]
+
+3925. [bug] DS lookup of RFC 1918 empty zones failed. [RT #36917]
+
+3924. [bug] Improve 'rndc addzone' error reporting. [RT #35187]
+
+3923. [bug] Sanity check the xml2-config output. [RT #22246]
+
+3922. [bug] When resigning, dnssec-signzone was removing
+ all signatures from delegation nodes. It now
+ retains DS and (if applicable) NSEC signatures.
+ [RT #36946]
+
+3921. [bug] AD was inappropriately set on RPZ responses. [RT #36833]
+
+3919. [bug] dig: continue to next line if a address lookup fails
+ in batch mode. [RT #36755]
+
+3918. [doc] Update check-spf documentation. [RT #36910]
+
+3917. [bug] dig, nslookup and host now continue on names that are
+ too long after applying a search list elements.
+ [RT #36892]
+
+3916. [contrib] zone2sqlite checked wrong result code. Address
+ compiler warnings. [RT #36931]
+
+ --- 9.9.6b2 released ---
+
+3914. [bug] Allow the URI target and CAA value fields to
+ be zero length. [RT #36737]
+
+3913. [bug] Address race issue in dispatch. [RT #36731]
+
+3910. [bug] Fix races to free event during shutdown. [RT #36720]
+
+3909. [bug] When computing the number of elements required for a
+ acl count_acl_elements could have a short count leading
+ to a assertion failure. Also zero out new acl elements
+ in dns_acl_merge. [RT #36675]
+
+3908. [bug] rndc now differentiates between a zone in multiple
+ views and a zone that doesn't exist at all. [RT #36691]
+
+3907. [cleanup] Alphabetize rndc help. [RT #36683]
+
+3906. [protocol] Update URI record format to comply with
+ draft-faltstrom-uri-08. [RT #36642]
+
+3905. [bug] Address deadlock between view.c and adb.c. [RT #36341]
+
+3904. [func] Add the RPZ SOA to the additional section. [RT36507]
+
+3903. [bug] Improve the accuracy of DiG's reported round trip
+ time. [RT 36611]
+
+3902. [bug] liblwres wasn't handling link-local addresses in
+ nameserver clauses in resolv.conf. [RT #36039]
+
+3901. [protocol] Added support for CAA record type (RFC 6844).
+ [RT #36625]
+
+3900. [bug] Fix a crash in PostgreSQL DLZ driver. [RT #36637]
+
+3899. [bug] "request-ixfr" is only applicable to slave and redirect
+ zones. [RT #36608]
+
+3898. [bug] Too small a buffer in tohexstr() calls in test code.
+ [RT #36598]
+
+3894. [bug] Buffers in isc_print_vsnprintf were not properly
+ initialized leading to potential overflows when
+ printing out quad values. [RT #36505]
+
+3892. [bug] Setting '-t aaaa' in .digrc had unintended side
+ effects. [RT #36452]
+
+3891. [bug] Use ${INSTALL_SCRIPT} rather than ${INSTALL_PROGRAM}
+ to install python programs.
+
+3890. [bug] RRSIG sets that were not loaded in a single transaction
+ at start up where not being correctly added to
+ re-signing heaps. [RT #36302]
+
+3889. [port] hurd: configure fixes as per:
+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746540
+
+3887. [cleanup] Make all static symbols in rbtdb64 end in "64" so
+ they are easier to use in a debugger. [RT #36373]
+
+ --- 9.9.6b1 released ---
+
+3885. [port] Use 'open()' rather than 'file()' to open files in
+ python.
+
+3884. [protocol] Add CDS and CDNSKEY record types. [RT #36333]
+
+3881. [bug] Address memory leak with UPDATE error handling.
+ [RT #36303]
+
+3880. [test] Update ans.pl to work with new TSIG support in
+ Net::DNS; add additional Net::DNS version prerequisite
+ checks. [RT #36327]
+
+3879. [func] Add version printing option to various BIND utilities.
+ [RT #10686]
+
+3878. [bug] Using the incorrect filename for a DLZ module
+ caused a segmentation fault on startup. [RT #36286]
+
+3874. [test] Check that only "check-names master" is needed for
+ updates to be accepted.
+
+3873. [protocol] Only warn for SPF without TXT spf record. [RT #36210]
+
+3872. [bug] Address issues found by static analysis. [RT #36209]
+
+3871. [bug] Don't publish an activated key automatically before
+ its publish time. [RT #35063]
+
+3868. [bug] isc_mem_setwater incorrectly cleared hi_called
+ potentially leaving over memory cleaner running.
+ [RT #35270]
+
+3866. [bug] Named could die on disk full in generate_session_key.
+ [RT #36119]
+
+3864. [bug] RPZ didn't work well when being used as forwarder.
+ [RT #36060]
+
+3862. [cleanup] Return immediately if we are not going to log the
+ message in ns_client_dumpmessage.
+
+3861. [bug] Benign missing isc_buffer_availablelength check in
+ dns_message_pseudosectiontotext. [RT #36078]
+
+3860. [bug] ioctl(DP_POLL) array size needs to be determined
+ at run time as it is limited to {OPEN_MAX}.
+ [RT #35878]
+
+3858. [bug] Disable GCC 4.9 "delete null pointer check".
+ [RT #35968]
+
+3857. [bug] Make it harder for a incorrect NOEDNS classification
+ to be made. [RT #36020]
+
+3855. [bug] Limit smoothed round trip time aging to no more than
+ once a second. [RT #32909]
+
+3854. [cleanup] Report unrecognized options, if any, in the final
+ configure summary. [RT #36014]
+
+3853. [cleanup] Refactor dns_rdataslab_fromrdataset to separate out
+ the handling of a rdataset with no records. [RT #35968]
+
+3849. [doc] Alphabetized dig's +options. [RT #35992]
+
+3847. [bug] 'configure --with-dlz-postgres' failed to fail when
+ there is not support available.
+
+3846. [bug] "dig +notcp ixfr=<serial>" should result in a UDP
+ ixfr query. [RT #35980]
+
+3844. [bug] Use the x64 version of the Microsoft Visual C++
+ Redistributable when built for 64 bit Windows.
+ [RT #35973]
+
+3843. [protocol] Check EDNS EXPIRE option in dns_rdata_fromwire.
+ [RT #35969]
+
+3842. [bug] Adjust RRL log-only logging category. [RT #35945]
+
+3841. [cleanup] Refactor zone.c:add_opt to use dns_message_buildopt.
+ [RT #35924]
+
+3840. [port] Check for arc4random_addrandom() before using it;
+ it's been removed from OpenBSD 5.5. [RT #35907]
+
+3839. [test] Use only posix-compatible shell in system tests.
+ [RT #35625]
+
+3838. [protocol] EDNS EXPIRE as been assigned a code point of 9.
+
+3836. [bug] Address C++ keyword usage in header file.
+
+3834. [bug] The re-signing heaps were not being updated soon enough
+ leading to multiple re-generations of the same RRSIG
+ when a zone transfer was in progress. [RT #35273]
+
+3833. [bug] Cross compiling was broken due to calling genrandom at
+ build time. [RT #35869]
+
+3827. [contrib] The example DLZ driver (a version of which is
+ also used in the dlzexternal system test) could
+ use absolute names as relative. [RT #35802]
+
+3826. [bug] Corrected bad INSIST logic in isc_radix_remove().
+ [RT #35870]
+
+3825. [bug] Address sign extension bug in isc_regex_validate.
+ [RT #35758]
+
+3824. [bug] A collision between two flag values could cause
+ problems with cache cleaning. [RT #35858]
+
+3822. [bug] Log the correct type of static-stub zones when
+ removing them. [RT #35842]
+
+3819. [bug] NSEC3 hashes need to be able to be entered and
+ displayed without padding. This is not a issue for
+ currently defined algorithms but may be for future
+ hash algorithms. [RT #27925]
+
+3818. [bug] Stop lying to the optimizer that 'void *arg' is a
+ constant in isc_event_allocate.
+
+3815. [doc] Clarify "nsupdate -y" usage in man page. [RT #35808]
+
+3809. [doc] Fix NSID documentation.
+
+3807. [bug] Fix sign extension bug in dns_name_fromtext when
+ lowercase is set. [RT #35743]
+
+3806. [test] Improved system test portability. [RT #35625]
+
+3805. [contrib] Added contrib/perftcpdns, a performance testing tool
+ for DNS over TCP. [RT #35710]
+
+3804. [bug] Corrected a race condition in dispatch.c in which
+ portentry could be reset leading to an assertion
+ failure in socket_search(). (Change #3708
+ addressed the same issue but was incomplete.)
+ [RT #35128]
+
+3803. [bug] "named-checkconf -z" incorrectly rejected zones
+ using alternate data sources for not having a "file"
+ option. [RT #35685]
+
+3802. [bug] Various header files were not being installed.
+
+3801. [port] Fix probing for gssapi support on FreeBSD. [RT #35615]
+
+3799. [bug] Improve named's command line error reporting.
+ [RT #35603]
+
+3796. [bug] Register dns error codes. [RT #35629]
+
+3795. [bug] Make named-checkconf detect raw masterfiles for
+ hint zones and reject them. [RT #35268]
+
+3794. [maint] Added AAAA for C.ROOT-SERVERS.NET.
+
+3793. [bug] zone.c:save_nsec3param() could assert when out of
+ memory. [RT #35621]
+
+3792. [func] Provide links to the alternate statistics views when
+ displaying in a browser. [RT #35605]
+
+3791. [bug] solaris: remove extraneous return. [RT #35589]
+
+3787. [bug] The code that checks whether "auto-dnssec" is
+ allowed was ignoring "allow-update" ACLs set at
+ the options or view level. [RT #29536]
+
+3780. [bug] $GENERATE handled negative numbers incorrectly.
+ [RT #25528]
+
+3779. [cleanup] Clarify the error message when using an option
+ that was not enabled at compile time. [RT #35504]
+
+3778. [bug] Log a warning when the wrong address family is
+ used in "listen-on" or "listen-on-v6". [RT #17848]
+
+3775. [bug] dlz_dlopen driver could return the wrong error
+ code on API version mismatch, leading to a segfault.
+ [RT #35495]
+
+3773. [func] "host", "nslookup" and "nsupdate" now have
+ options to print the version number and exit.
+ [RT #26057]
+
+3770. [bug] "dig +trace" could fail with an assertion when it
+ needed to fall back to TCP due to a truncated
+ response. [RT #24660]
+
+3769. [doc] Improved documentation of "rndc signing -list".
+ [RT #30652]
+
+3768. [bug] "dnssec-checkds" was missing the SHA-384 digest
+ algorithm. [RT #34000]
+
+3767. [func] Log explicitly when using rndc.key to configure
+ command channel. [RT #35316]
+
+3765. [bug] Fixed a bug in "rndc secroots" that could crash
+ named when dumping an empty keynode. [RT #35469]
+
+3764. [bug] The dnssec-keygen/settime -S and -i options
+ (to set up a successor key and set the prepublication
+ interval) were missing from dnssec-keyfromlabel.
+ [RT #35394]
+
+3761. [bug] Address dangling reference bug in dns_keytable_add.
+ [RT #35471]
+
+3757. [port] Enable Python tools (dnssec-coverage,
+ dnssec-checkds) to run on Windows. [RT #34355]
+
+3756. [bug] GSSAPI Kerberos realm checking was broken in
+ check_config leading to spurious messages being
+ logged. [RT #35443]
+
+3754. [cleanup] win32: Installer now places files in the
+ Program Files area rather than system services.
+ [RT #35361]
+
+3753. [bug] allow-notify was ignoring keys. [RT #35425]
+
+3751. [tuning] The default setting for the -U option (setting
+ the number of UDP listeners per interface) has
+ been adjusted to improve performance. [RT #35417]
+
+3747. [bug] A race condition could lead to a core dump when
+ destroying a resolver fetch object. [RT #35385]
+
+3743. [bug] delegation-only flag wasn't working in forward zone
+ declarations despite being documented. This is
+ needed to support turning off forwarding and turning
+ on delegation only at the same name. [RT #35392]
+
+3742. [port] linux: libcap support: declare curval at start of
+ block. [RT #35387]
+
+3740. [contrib] Minor fixes to configure --with-dlz-bdb,
+ --with-dlz-postgres and --with-dlz-odbc. [RT #35340]
+
+3737. [bug] 'rndc retransfer' could trigger a assertion failure
+ with inline zones. [RT #35353]
+
+3736. [bug] nsupdate: When specifying a server by name,
+ fall back to alternate addresses if the first
+ address for that name is not reachable. [RT #25784]
+
+3734. [bug] Improve building with libtool. [RT #35314]
+
+3732. [contrib] Fixed a type mismatch causing the ODBC DLZ
+ driver to dump core on 64-bit systems. [RT #35324]
+
+3731. [func] Added a "no-case-compress" ACL, which causes
+ named to use case-insensitive compression
+ (disabling change #3645) for specified
+ clients. (This is useful when dealing
+ with broken client implementations that
+ use case-sensitive name comparisons,
+ rejecting responses that fail to match the
+ capitalization of the query that was sent.)
+ [RT #35300]
+
+3730. [cleanup] Added "never" as a synonym for "none" when
+ configuring key event dates in the dnssec tools.
+ [RT #35277]
+
+3729. [bug] dnssec-keygen could set the publication date
+ incorrectly when only the activation date was
+ specified on the command line. [RT #35278]
+
+3724. [bug] win32: Fixed a bug that prevented dig and
+ host from exiting properly after completing
+ a UDP query. [RT #35288]
+
+3720. [bug] Address compiler warnings. [RT #35261]
+
+3719. [bug] Address memory leak in in peer.c. [RT #35255]
+
+3718. [bug] A missing ISC_LINK_INIT in log.c. [RT #35260]
+
+3714. [test] System tests that need to test for cryptography
+ support before running can now use a common
+ "testcrypto.sh" script to do so. [RT #35213]
+
+3713. [bug] Save memory by not storing "also-notify" addresses
+ in zone objects that are configured not to send
+ notify requests. [RT #35195]
+
+ --- 9.9.5 released ---
+
+ --- 9.9.5rc2 released ---
+
+3710. [bug] Address double dns_zone_detach when switching to
+ using automatic empty zones from regular zones.
+ [RT #35177]
+
+3709. [port] Use built-in versions of strptime() and timegm()
+ on all platforms to avoid portability issues.
+ [RT #35183]
+
+3708. [bug] Address a portentry locking issue in dispatch.c.
+ [RT #35128]
+
+3707. [bug] irs_resconf_load now returns ISC_R_FILENOTFOUND
+ on a missing resolv.conf file and initializes the
+ structure as if it had been configured with:
+
+ nameserver ::1
+ nameserver 127.0.0.1
+
+ Note: Callers will need to be updated to treat
+ ISC_R_FILENOTFOUND as a qualified success or else
+ they will leak memory. The following code fragment
+ will work with both old and new versions without
+ changing the behaviour of the existing code.
+
+ resconf = NULL;
+ result = irs_resconf_load(mctx, "/etc/resolv.conf",
+ &resconf);
+ if (result != ISC_SUCCESS) {
+ if (resconf != NULL)
+ irs_resconf_destroy(&resconf);
+ ....
+ }
+
+ [RT #35194]
+
+3706. [contrib] queryperf: Fixed a possible integer overflow when
+ printing results. [RT #35182]
+
+3704. [protocol] Accept integer timestamps in RRSIG records. [RT #35185]
+
+ --- 9.9.5rc1 released ---
+
+3701. [func] named-checkconf can now obscure shared secrets
+ when printing by specifying '-x'. [RT #34465]
+
+3699. [bug] Improvements to statistics channel XSL stylesheet:
+ the stylesheet can now be cached by the browser;
+ section headers are omitted from the stats display
+ when there is no data in those sections to be
+ displayed; counters are now right-justified for
+ easier readability. (Only available with
+ configure --enable-newstats.) [RT #35117]
+
+3698. [cleanup] Replaced all uses of memcpy() with memmove().
+ [RT #35120]
+
+3697. [bug] Handle "." as a search list element when IDN support
+ is enabled. [RT #35133]
+
+3696. [bug] dig failed to handle AXFR style IXFR responses which
+ span multiple messages. [RT #35137]
+
+3695. [bug] Address a possible race in dispatch.c. [RT #35107]
+
+3694. [bug] Warn when a key-directory is configured for a zone,
+ but does not exist or is not a directory. [RT #35108]
+
+3693. [security] memcpy was incorrectly called with overlapping
+ ranges resulting in malformed names being generated
+ on some platforms. This could cause INSIST failures
+ when serving NSEC3 signed zones (CVE-2014-0591).
+ [RT #35120]
+
+3692. [bug] Two calls to dns_db_getoriginnode were fatal if there
+ was no data at the node. [RT #35080]
+
+3690. [bug] Iterative responses could be missed when the source
+ port for an upstream query was the same as the
+ listener port (53). [RT #34925]
+
+3689. [bug] Fixed a bug causing an insecure delegation from one
+ static-stub zone to another to fail with a broken
+ trust chain. [RT #35081]
+
+ --- 9.9.5b1 released ---
+
+3688. [bug] loadnode could return a freed node on out of memory.
+ [RT #35106]
+
+3687. [bug] Address null pointer dereference in zone_xfrdone.
+ [RT #35042]
+
+3686. [func] "dnssec-signzone -Q" drops signatures from keys
+ that are still published but no longer active.
+ [RT #34990]
+
+3685. [bug] "rndc refresh" didn't work correctly with slave
+ zones using inline-signing. [RT #35105]
+
+3683. [cleanup] Add a more detailed "not found" message to rndc
+ commands which specify a zone name. [RT #35059]
+
+3682. [bug] Correct the behavior of rndc retransfer to allow
+ inline-signing slave zones to retain NSEC3 parameters
+ instead of reverting to NSEC. [RT #34745]
+
+3681. [port] Update the Windows build system to support feature
+ selection and WIN64 builds. This is a work in
+ progress. [RT #34160]
+
+3679. [bug] dig could fail to clean up TCP sockets still
+ waiting on connect(). [RT #35074]
+
+3678. [port] Update config.guess and config.sub. [RT #35060]
+
+3677. [bug] 'nsupdate' leaked memory if 'realm' was used multiple
+ times. [RT #35073]
+
+3676. [bug] "named-checkconf -z" now checks zones of type
+ hint and redirect as well as master. [RT #35046]
+
+3675. [misc] Provide a place for third parties to add version
+ information for their extensions in the version
+ file by setting the EXTENSIONS variable.
+
+3674. [bug] RPZ zeroed ttls if the query type was '*'. [RT #35026]
+
+3672. [func] Local address can now be specified when using
+ dns_client API. [RT #34811]
+
+3671. [bug] Don't allow dnssec-importkey overwrite a existing
+ non-imported private key.
+
+3670. [bug] Address read after free in server side of
+ lwres_getrrsetbyname. [RT #29075]
+
+3669. [port] freebsd: --with-gssapi needs -lhx509. [RT #35001]
+
+3668. [bug] Fix cast in lex.c which could see 0xff treated as eof.
+ [RT #34993]
+
+3667. [test] dig: add support to keep the TCP socket open between
+ successive queries (+[no]keepopen). [RT #34918]
+
+3665. [bug] Failure to release lock on error in receive_secure_db.
+ [RT #34944]
+
+3664. [bug] Updated OpenSSL PKCS#11 patches to fix active list
+ locking and other bugs. [RT #34855]
+
+3663. [bug] Address bugs in dns_rdata_fromstruct and
+ dns_rdata_tostruct for WKS and ISDN types. [RT #34910]
+
+3662. [bug] 'host' could die if a UDP query timed out. [RT #34870]
+
+3661. [bug] Address lock order reversal deadlock with inline zones.
+ [RT #34856]
+
+3660. [cleanup] Changed the name of "isc-config.sh" to "bind9-config".
+ [RT #23825]
+
+3659. [port] solaris: don't add explicit dependencies/rules for
+ python programs as make won't use the implicit rules.
+ [RT #34835]
+
+3658. [port] linux: Address platform specific compilation issue
+ when libcap-devel is installed. [RT #34838]
+
+3657. [port] Some readline clones don't accept NULL pointers when
+ calling add_history. [RT #34842]
+
+3656. [security] Treat an all zero netmask as invalid when generating
+ the localnets acl. (The prior behavior could
+ allow unexpected matches when using some versions
+ of Winsock: CVE-2013-6320.) [RT #34687]
+
+3655. [cleanup] Simplify TCP message processing when requesting a
+ zone transfer. [RT #34825]
+
+3654. [bug] Address race condition with manual notify requests.
+ [RT #34806]
+
+3653. [func] Create delegations for all "children" of empty zones
+ except "forward first". [RT #34826]
+
+3651. [tuning] Adjust when a master server is deemed unreachable.
+ [RT #27075]
+
+3650. [tuning] Use separate rate limiting queues for refresh and
+ notify requests. [RT #30589]
+
+3649. [cleanup] Include a comment in .nzf files, giving the name of
+ the associated view. [RT #34765]
+
+3648. [test] Updated the ATF test framework to version 0.17.
+ [RT #25627]
+
+3647. [bug] Address a race condition when shutting down a zone.
+ [RT #34750]
+
+3646. [bug] Journal filename string could be set incorrectly,
+ causing garbage in log messages. [RT #34738]
+
+3645. [protocol] Use case sensitive compression when responding to
+ queries. [RT #34737]
+
+3644. [protocol] Check that EDNS subnet client options are well formed.
+ [RT #34718]
+
+3642. [func] Allow externally generated DNSKEY to be imported
+ into the DNSKEY management framework. A new tool
+ dnssec-importkey is used to do this. [RT #34698]
+
+3641. [bug] Handle changes to sig-validity-interval settings
+ better. [RT #34625]
+
+3640. [bug] ndots was not being checked when searching. Only
+ continue searching on NXDOMAIN responses. Add the
+ ability to specify ndots to nslookup. [RT #34711]
+
+3639. [bug] Treat type 65533 (KEYDATA) as opaque except when used
+ in a key zone. [RT #34238]
+
--- 9.9.4 released ---
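Review bot: the code fragment in entry 3707 tests `if (result != ISC_SUCCESS) {`, but the ISC result codes carry the `ISC_R_` prefix, as the same entry does for ISC_R_FILENOTFOUND, so this should read `ISC_R_SUCCESS`; a caller who pastes the fragment as written will not compile. The `....` placeholder in that fragment could also say that the existing error handling goes there, since the note's whole point is that `resconf` must be destroyed before that path returns. Entries 3693 [security] (CVE-2014-0591) and 3698 [cleanup] (memcpy() replaced with memmove()) both cite RT #35120; a cross-reference between them would help anyone backporting the security fix see that the two changes belong together. Entries 3675 and 3671 have no RT reference, unlike their neighbours. Minor wording: "in in peer.c" (3719), "a assertion failure" (3737) and "overwrite a existing" (3671).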
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org