--- 9.8.1-P1 released ---

3218. [security] Cache lookup could return RRSIG data associated with
nonexistent records, leading to an assertion

--- 9.8.1rc1 released ---

3141. [bug] Silence spurious "zone serial (0) unchanged" messages
associated with empty zones. [RT #25079]

3138. [bug] Address memory leaks and out-of-order operations when
shutting named down. [RT #25210]

3136. [func] Add RFC 1918 reverse zones to the list of built-in
empty zones switched on by the 'empty-zones-enable'

Note: empty-zones-enable must be "yes;" or an empty
zone needs to be disabled in named.conf for RFC 1918
zones to be activated. This requirement may be
removed in future releases.

3135. [port] FreeBSD: work around broken IPV6_USE_MIN_MTU processing.
See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307

3134. [bug] Improve the accuracy of dnssec-signzone's signing
statistics. [RT #16030]

--- 9.8.1b3 released ---

3133. [bug] Change #3114 was incomplete. [RT #24577]

3131. [tuning] Improve scalability by allocating one zone task
per 100 zones at startup time, rather than using a
fixed-size task table. [RT #24406]

3129. [bug] Named could crash on 'rndc reconfig' when
allow-new-zones was set to yes and named ACLs
were used. [RT #22739]

--- 9.8.1b2 released ---

3126. [security] Using DNAME record to generate replacements caused
RPZ to exit with an assertion failure. [RT #24766]

3125. [security] Using wildcard CNAME records as a replacement with
RPZ caused named to exit with an assertion failure.

3124. [bug] Use an rdataset attribute flag to indicate
negative-cache records rather than using rrtype 0;
this will prevent problems when that rrtype is
used in actual DNS packets. [RT #24777]

3123. [security] Change #2912 exposed a latent flaw in
dns_rdataset_totext() that could cause named to
crash with an assertion failure. [RT #24777]

3122. [cleanup] dnssec-settime: corrected usage message. [RT #24664]

3121. [security] An authoritative name server sending a negative
response containing a very large RRset could
trigger an off-by-one error in the ncache code
and crash named. [RT #24650]

3120. [bug] Named could fail to validate zones listed in a DLV
that validated insecure without using DLV and had
DS records in the parent zone. [RT #24631]

3119. [bug] When rolling to a new DNSSEC key, a private-type
record could be created and never marked complete.

3118. [bug] nsupdate could dump core on shutdown when using
SIG(0) keys. [RT #24604]

3117. [cleanup] Remove doc and parser references to the
never-implemented 'auto-dnssec create' option.

3115. [bug] Named could fail to return requested data when
following a CNAME that points into the same zone.

3114. [bug] Retain expired RRSIGs in dynamic zones if key is
inactive and there is no replacement key. [RT #23136]

3113. [doc] Document the relationship between serial-query-rate

--- 9.8.1b1 released ---

3112. [doc] Add missing descriptions of the update policy name
types "ms-self", "ms-subdomain", "krb5-self" and
"krb5-subdomain", which allow machines to update
their own records, to the BIND 9 ARM.

3111. [bug] Improved consistency checks for dnssec-enable and
dnssec-validation, added test cases to the
checkconf system test. [RT #24398]

3110. [bug] dnssec-signzone: Wrong error message could appear
when attempting to sign with no KSK. [RT #24369]

3107. [bug] dnssec-signzone: Report the correct number of ZSKs
when using -x. [RT #20852]

3105. [bug] GOST support can be suppressed by "configure
--without-gost" [RT #24367]

3104. [bug] Better support for cross-compiling. [RT #24367]

3103. [bug] Configuring 'dnssec-validation auto' in a view
instead of in the options statement could trigger
an assertion failure in named-checkconf. [RT #24382]

3101. [bug] Zones using automatic key maintenance could fail
to check the key repository for updates. [RT #23744]

3100. [security] Certain response policy zone configurations could
trigger an INSIST when receiving a query of type

3099. [test] "dlz" system test now runs but gives R:SKIPPED if
not compiled with --with-dlz-filesystem. [RT #24146]

3098. [bug] DLZ zones were answering without setting the AA bit.

3097. [test] Add a tool to test handling of malformed packets.

3096. [bug] Set KRB5_KTNAME before calling log_cred() in
dst_gssapi_acceptctx(). [RT #24004]

3095. [bug] Handle isolated reserved ports in the port range.

3094. [doc] Expand dns64 documentation.

3093. [bug] Fix gssapi/kerberos dependencies [RT #23836]

3092. [bug] Signatures for records at the zone apex could go
stale due to an incorrect timer setting. [RT #23769]

3091. [bug] Fixed a bug in which zone keys that were published
and then subsequently activated could fail to trigger
automatic signing. [RT #22911]

3090. [func] Make --with-gssapi default [RT #23738]

3088. [bug] Remove bin/tests/system/logfileconfig/ns1/named.conf
and add setup.sh in order to resolve changing
named.conf issue. [RT #23687]

3087. [bug] DDNS updates using SIG(0) with update-policy match
type "external" could cause a crash. [RT #23735]

3086. [bug] Running dnssec-settime -f on an old-style key will
now force an update to the new key format even if no
other change has been specified, using "-P now -A now"
as default values. [RT #22474]

3083. [bug] NOTIFY messages were not being sent when generating
an NSEC3 chain incrementally. [RT #23702]

3082. [port] strtok_r is threads only. [RT #23747]

3081. [bug] Failure of DNAME substitution did not return
YXDOMAIN. [RT #23591]

3080. [cleanup] Replaced compile time constant by STDTIME_ON_32BITS.

3079. [bug] Handle isc_event_allocate failures in t_tasks.

3078. [func] Added a new include file with function typedefs
for the DLZ "dlopen" driver. [RT #23629]

3077. [bug] zone.c:zone_refreshkeys() incorrectly called
dns_zone_attach(), use zone->irefs instead. [RT #23303]

3075. [bug] dns_dnssec_findzonekeys{2} used an inconsistent
timestamp when determining which keys are active.

3074. [bug] Make the adb cache read through for zone data and
glue learned for zones that named is authoritative for.

3073. [bug] managed-keys changes were not properly being recorded.

3072. [bug] dns_dns64_aaaaok() potential NULL pointer dereference.

3071. [bug] has_nsec could be used uninitialised in
update.c:next_active. [RT #20256]

3070. [bug] dnssec-signzone potential NULL pointer dereference.

3069. [cleanup] Silence warning messages from clang static analysis.

3068. [bug] Named failed to build with an OpenSSL without engine

3067. [bug] ixfr-from-differences {master|slave}; failed to
select the master/slave zones. [RT #23580]

3066. [func] The DLZ "dlopen" driver is now built by default,
no longer requiring a configure option. To
disable it, use "configure --without-dlopen".
(Note: driver not supported on win32.) [RT #23467]

3065. [bug] RRSIG could have time stamps too far in the future.

3064. [bug] powerpc: add sync instructions to the end of atomic
operations. [RT #23469]

3063. [contrib] More verbose error reporting from DLZ LDAP. [RT #23402]

3059. [test] Added a regression test for change #3023.

3058. [bug] Cause named to terminate at startup or rndc reconfig/
reload to fail, if a log file specified in the conf
file isn't a plain file. [RT #22771]

3057. [bug] "rndc secroots" would abort after the first error
and so could miss some views. [RT #23488]

3054. [bug] Added elliptic curve support check in
GOST OpenSSL engine detection. [RT #23485]

3053. [bug] Under a sustained high query load with a finite
max-cache-size, it was possible for cache memory
to be exhausted and not recovered. [RT #23371]

3052. [test] Fixed last autosign test report. [RT #23256]

3051. [bug] NS records obscure DNAME records at the bottom of the
zone if both are present. [RT #23035]

3050. [bug] The autosign system test was timing dependent.
Wait for the initial autosigning to complete
before running the rest of the test. [RT #23035]

3049. [bug] Save and restore the gid when creating
named.pid at startup. [RT #23290]

3048. [bug] Fully separate view key management. [RT #23419]

3047. [bug] DNSKEY NODATA responses not cached fixed in
validator.c. Tests added to dnssec system test.

3046. [bug] Use RRSIG original TTL to compute validated RRset
and RRSIG TTL. [RT #23332]

3044. [bug] Hold the socket manager lock while freeing the socket.

3043. [test] Merged in the NetBSD ATF test framework (currently
version 0.12) for development of future unit tests.
Use configure --with-atf to build ATF internally
or configure --with-atf=prefix to use an external

3042. [bug] dig +trace could fail attempting to use IPv6
addresses on systems with only IPv4 connectivity.

3041. [bug] dnssec-signzone failed to generate new signatures on
ttl changes. [RT #23330]

3040. [bug] Named failed to validate insecure zones where a node
with a CNAME existed between the trust anchor and the
top of the zone. [RT #23338]

3038. [bug] Install <dns/rpz.h>. [RT #23342]

3037. [doc] Update COPYRIGHT to contain all the individual
copyright notices that cover various parts.

3036. [bug] Check built-in zone arguments to see if the zone
is re-usable or not. [RT #21914]

3035. [cleanup] Simplify by using strlcpy. [RT #22521]

3034. [cleanup] nslookup: use strlcpy instead of safecopy. [RT #22521]

3033. [cleanup] Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).

3032. [bug] rdatalist.c: add missing REQUIREs. [RT #22521]

3031. [bug] dns_rdataclass_format() handle a zero sized buffer.

3030. [bug] dns_rdatatype_format() handle a zero sized buffer.

3029. [bug] isc_netaddr_format() handle a zero sized buffer.

3028. [bug] isc_sockaddr_format() handle a zero sized buffer.

3027. [bug] Add documented REQUIREs to cfg_obj_asnetprefix() to
catch NULL pointer dereferences before they happen.

3026. [bug] lib/isc/httpd.c: check that we have enough space
after calling grow_headerspace() and if not
re-call grow_headerspace() until we do. [RT #22521]

--- 9.8.0 released ---

3025. [bug] Fixed a possible deadlock due to zone resigning.

3024. [func] RTT Banding removed due to minor security increase
but major impact on resolver latency. [RT #23310]

3023. [bug] Named could be left in an inconsistent state when
receiving multiple AXFR response messages that were
not all TSIG-signed. [RT #23254]

3022. [bug] Fixed rpz SERVFAILs after failed zone transfers

3021. [bug] Change #3010 was incomplete. [RT #22296]

3020. [bug] auto-dnssec failed to correctly update the zone when
changing the DNSKEY RRset. [RT #23232]

3019. [test] Test: check apex NSEC3 records after adding DNSKEY
record via UPDATE. [RT #23229]

--- 9.8.0rc1 released ---

3018. [bug] Named failed to check for the "none;" acl when deciding
if a zone may need to be re-signed. [RT #23120]

3015. [port] win32: fix IN6_IS_ADDR_LINKLOCAL and
IN6_IS_ADDR_SITELOCAL macros. [RT #22724]

3013. [bug] The DNS64 ttl was not always being set as expected.

3012. [bug] Remove DNSKEY TTL change pairs before generating
signing records for any remaining DNSKEY changes.

3011. [func] Allow setting this in named.conf using the new
'resolver-query-timeout' option, which specifies a max
time in seconds. 0 means 'default' and anything longer
than 30 will be silently set to 30. [RT #22852]

3010. [bug] Fixed a bug where "rndc reconfig" stopped the timer
for refreshing managed-keys. [RT #22296]

3009. [bug] clients-per-query code didn't work as expected with
particular query patterns. [RT #22972]

--- 9.7.3rc1 released ---

--- 9.8.0b1 released ---

3008. [func] Response policy zones (RPZ) support. [RT #21726]

3007. [bug] Named failed to preserve the case of domain names in
rdata which is not compressible when writing master
files. [RT #22863]

3006. [func] Allow dynamically generated TSIG keys to be preserved
across restarts of named. Initially this is for
TSIG keys generated using GSSAPI. [RT #22639]

3005. [port] Solaris: Work around the lack of
gsskrb5_register_acceptor_identity() by setting
the KRB5_KTNAME environment variable to the
contents of tkey-gssapi-keytab. Also fixed
test errors on MacOSX. [RT #22853]

3004. [func] DNS64 reverse support. [RT #22769]

3003. [experimental] Added update-policy match type "external",
enabling named to defer the decision of whether to
allow a dynamic update to an external daemon.
(Contributed by Andrew Tridgell.) [RT #22758]

3002. [bug] isc_mutex_init_errcheck() failed to destroy attr.

3001. [func] Added a default trust anchor for the root zone, which
can be switched on by setting "dnssec-validation auto;"
in the named.conf options. [RT #21727]

3000. [bug] More TKEY/GSS fixes:
- nsupdate can now get the default realm from
  the user's Kerberos principal
- corrected gsstest compilation flags
- improved documentation
- fixed some NULL dereferences

2999. [func] Add GOST support (RFC 5933). [RT #20639]

2998. [func] Add isc_task_beginexclusive and isc_task_endexclusive
to the task api. [RT #22776]

2997. [func] named -V now reports the OpenSSL and libxml2 versions
it was compiled against. [RT #22687]

2996. [security] Temporarily disable SO_ACCEPTFILTER support.