3265.   [bug]           Address lock order reversal with inline-signing
                        support. [27557]

3264.   [bug]           Automatic regeneration of signatures in an
                        inline-signing zone could stall when the server
                        was restarted. [RT #27344]

3263.   [bug]           "rndc sync" did not affect the unsigned side of an
                        inline-signing zone. [RT #27337]

3262.   [bug]           Signed responses were handled incorrectly by RPZ.
                        [RT #27316]

3252.   [bug]           When master zones using inline-signing were
                        updated while the server was offline, the source
                        zone could fall out of sync with the signed
                        copy. They can now resynchronize. [RT #26676]

3248.   [bug]           Configure options --enable-fixed-rrset and
                        --enable-exportlib were incompatible with each
                        other. [RT #27087]

3246.   [bug]           Named failed to start with a empty also-notify list.
                        [RT #27087]

3243.   [port]          freebsd,netbsd,bsdi: the thread defaults were not
                        being properly set.

3239.   [bug]           dns_dnssec_findmatchingkeys needs to use a consistent
                        timestamp. [RT #26883]

3236.   [bug]           Backed out changes #3182 and #3202, related to
                        EDNS(0) fallback behavior. [RT #26416]

3233.   [bug]           'rndc freeze/thaw' didn't work for inline zones.
                        [RT #26632]

3220.   [bug]           Change #3186 was incomplete; dns_db_rpz_findips()
                        could fail to set the database version correctly,
                        causing an assertion failure. [RT #26180]

3198.   [doc]           Clarified that dnssec-settime can alter keyfile
                        permissions. [RT #24866]

3195.   [cleanup]       Silence "file not found" warnings when loading
                        managed-keys zone. [RT #26340]

3186.   [bug]           Version/db mis-match in rpz code. [RT #26180]

3184.   [bug]           named had excessive cpu usage when a redirect zone was
                        configured. [RT #26013]

3182.   [bug]           Auth servers behind firewalls which block packets
                        greater than 512 bytes may cause other servers to
                        perform poorly. Now, adb retains edns information
                        and caches noedns servers. [RT #23392/24964]

3172.   [port]          darwin 10.* and freebsd [89] are now built threaded by
                        default.

3171.   [bug]           Exclusively lock the task when adding a zone using
                        'rndc addzone'.  [RT #25600]

3168.   [bug]           Nxdomain redirection could trigger an assert with
                        a ANY query. [RT #26017]

3160.   [bug]           When printing out a NSEC3 record in multiline form
                        the newline was not being printed causing type codes
                        to be run together. [RT #25873]

3141.   [bug]           Silence spurious "zone serial (0) unchanged" messages
                        associated with empty zones. [RT #25079]

3131.   [tuning]        Improve scalability by allocating one zone task
                        per 100 zones at startup time, rather than using a
                        fixed-size task table. [RT #24406]

3129.   [bug]           Named could crash on 'rndc reconfig' when
                        allow-new-zones was set to yes and named ACLs
                        were used. [RT #22739]

3126.   [security]      Using DNAME record to generate replacements caused
                        RPZ to exit with a assertion failure. [RT #24766]

3125.   [security]      Using wildcard CNAME records as a replacement with
                        RPZ caused named to exit with a assertion failure.
                        [RT #24715]

3100.   [security]      Certain response policy zone configurations could
                        trigger an INSIST when receiving a query of type
                        RRSIG. [RT #24280]

3005.   [port]          Solaris: Work around the lack of
                        gsskrb5_register_acceptor_identity() by setting
                        the KRB5_KTNAME environment variable to the
                        contents of tkey-gssapi-keytab.  Also fixed
                        test errors on MacOSX.  [RT #22853]

3003.   [experimental]  Added update-policy match type "external",
                        enabling named to defer the decision of whether to
                        allow a dynamic update to an external daemon.
                        (Contributed by Andrew Tridgell.) [RT #22758]

3000.   [bug]           More TKEY/GSS fixes:
                         - nsupdate can now get the default realm from
                           the user's Kerberos principal
                         - corrected gsstest compilation flags
                         - improved documentation
                         - fixed some NULL dereferences
                        [RT #22795]

2992.   [contrib]       contrib/check-secure-delegation.pl:  A simple tool
                        for looking at a secure delegation. [RT #22059]

2991.   [contrib]       contrib/zone-edit.sh: A simple zone editing tool for
                        dynamic zones. [RT #22365]

2990.   [bug]           'dnssec-settime -S' no longer tests prepublication
                        interval validity when the interval is set to 0.
                        [RT #22761]

2988.   [experimental]  Added a "dlopen" DLZ driver, allowing the creation
                        of external DLZ drivers that can be loaded as
                        shared objects at runtime rather than linked with
                        named.  Currently this is switched on via a
                        compile-time option, "configure --with-dlz-dlopen".
                        Note: the syntax for configuring DLZ zones
                        is likely to be refined in future releases.
                        (Contributed by Andrew Tridgell of the Samba
                        project.) [RT #22629]

2985.   [bug]           Add a regression test for change #2896. [RT #21324]

2983.   [bug]           Include "loadkeys" in rndc help output. [RT #22493]

2980.   [bug]           named didn't properly handle UPDATES that changed the
                        TTL of the NSEC3PARAM RRset. [RT #22363]

2977.   [bug]           'nsupdate -l' report if the session key is missing.
                        [RT #21670]

2973.   [bug]           bind.keys.h was being removed by the "make clean"
                        at the end of configure resulting in build failures
                        where there is very old version of perl installed.
                        Move it to "make maintainer-clean". [RT #22230]

2963.   [security]      The allow-query acl was being applied instead of the
                        allow-query-cache acl to cache lookups. [RT #22114]

2961.   [bug]           Be still more selective about the non-authoritative
                        answers we apply change 2748 to. [RT #22074]

2949.   [bug]           dns_view_setnewzones() contained a memory leak if
                        it was called multiple times. [RT #21942]

2948.   [port]          MacOS: provide a mechanism to configure the test
                        interfaces at reboot. See bin/tests/system/README
                        for details.

2940.   [port]          Remove connection aborted error message on
                        Windows. [RT #21549]

2938.   [bug]           When generating signed responses, from a signed zone
                        that uses NSEC3, named would use a uninitialised
                        pointer if it needed to skip a NSEC3 record because
                        it didn't match the selected NSEC3PARAM record for
                        zone. [RT# 21868]

2930.   [experimental]  New "rndc addzone" and "rndc delzone" commads
                        allow dynamic addition and deletion of zones.
                        To enable this feature, specify a "new-zone-file"
                        option at the view or options level in named.conf.
                        Zone configuration information for the new zones
                        will be written into that file.  To make the new
                        zones persist after a restart, "include" the file
                        into named.conf in the appropriate view.  (Note:
                        This feature is not yet documented, and its syntax
                        is expected to change.) [RT #19447]

2928.   [bug]           Be more selective about the non-authoritative
                        answer we apply change 2748 to. [RT #21594]

2914.   [bug]           Make the "autosign" system test more portable.
                        [RT #20997]

2909.   [bug]           named-checkconf -p could die if "update-policy local;"
                        was specified in named.conf. [RT #21416]

2907.   [bug]           The export version of libdns had undefined references.
                        [RT #21444]

2906.   [bug]           Address RFC 5011 implementation issues. [RT #20903]

2903.   [bug]           managed-keys-directory missing from namedconf.c.
                        [RT #21370]

2897.   [bug]           NSEC3 chains could be left behind when transitioning
                        to insecure. [RT #21040]

2896.   [bug]           "rndc sign" failed to properly update the zone
                        when adding a DNSKEY for publication only. [RT #21045]

2893.   [bug]           Improve managed keys support.  New named.conf option
                        managed-keys-directory. [RT #20924]

2892.   [bug]           Handle REVOKED keys better. [RT #20961]

2887.   [bug]           Report the keytag times in UTC in the .key file,
                        local time is presented as a comment within the
                        comment.  [RT #21223]

2886.   [bug]           ctime() is not thread safe. [RT #21223]

2880.   [cleanup]       Make the output of dnssec-keygen and dnssec-revoke
                        consistent. [RT #21078]

2873.   [bug]           Cancelling a dynamic update via the dns/client module
                        could trigger an assertion failure. [RT #21133]

2872.   [bug]           Modify dns/client.c:dns_client_createx() to only
                        require one of IPv4 or IPv6 rather than both.
                        [RT #21122]

2871.   [bug]           Type mismatch in mem_api.c between the definition and
                        the header file, causing build failure with
                        --enable-exportlib. [RT #21138]

2861.   [doc]           dnssec-settime man pages didn't correctly document the
                        inactivation time. [RT #21039]

2860.   [bug]           named-checkconf's usage was out of date. [RT #21039]

2848.   [doc]           Moved README.dnssec, README.libdns, README.pkcs11 and
                        README.rfc5011 into the ARM. [RT #20899]

2847.   [cleanup]       Corrected usage message in dnssec-settime. [RT #20921]

2845.   [bug]           RFC 5011 client could crash on shutdown. [RT #20903]

2841.   [bug]           Change 2836 was not complete. [RT #20883]

2839.   [bug]           A KSK revoked by named could not be deleted.
                        [RT #20881]

2836.   [bug]           Keys that were scheduled to become active could
                        be delayed. [RT #20874]

2835.   [bug]           Key inactivity dates were inadvertently stored in
                        the private key file with the outdated tag
                        "Unpublish" rather than "Inactive".  This has been
                        fixed; however, any existing keys that had Inactive
                        dates set will now need to have them reset, using
                        'dnssec-settime -I'. [RT #20868]

2833.   [cleanup]       Fix usage messages in dnssec-keygen and dnssec-settime.
                        [RT #20851]

2832.   [bug]           Modify "struct stat" in lib/export/samples/nsprobe.c
                        to avoid redefinition in some OSs [RT 20831]

2824.   [bug]           "rndc sign" was not being run by the correct task.
                        [RT #20759]

2821.   [doc]           Add note that named-checkconf doesn't automatically
                        read rndc.key and bind.keys [RT #20758]

2816.   [bug]           previous_closest_nsec() could fail to return
                        data for NSEC3 nodes [RT #29730]

2811.   [cleanup]       Add "rndc sign" to list of commands in rndc usage
                        output. [RT #20733]

2809.   [cleanup]       Restored accidentally-deleted text in usage output
                        in dnssec-settime and dnssec-revoke [RT #20739]

2808.   [bug]           Remove the attempt to install atomic.h from lib/isc.
                        atomic.h is correctly installed by the architecture
                        specific subdirectories.  [RT #20722]

2807.   [bug]           Fixed a possible ASSERT when reconfiguring zone
                        keys. [RT #20720]

2806.   [bug]           "rdnc sign" could delay re-signing the DNSKEY
                        when it had changed. [RT #20703]

2805.   [bug]           Fixed namespace problems encountered when building
                        external programs using non-exported BIND9 libraries
                        (i.e., built without --enable-exportlib). [RT #20679]

2804.   [bug]           Send notifies when a zone is signed with "rndc sign"
                        or as a result of a scheduled key change. [RT #20700]

2803.   [port]          win32: Install named-journalprint, nsec3hash, arpaname
                        and genrandom under windows. [RT #20670]

2802.   [cleanup]       Rename journalprint to named-journalprint. [RT #20670]

2799.   [cleanup]       Changed the "secure-to-insecure" option to
                        "dnssec-secure-to-insecure", and "dnskey-ksk-only"
                        to "dnssec-dnskey-kskonly", for clarity. [RT #20586]

2798.   [bug]           Addressed bugs in managed-keys initialization
                        and rollover. [RT #20683]

2796.	[bug]		Missing dns_rdataset_disassociate() call in
			dns_nsec3_delnsec3sx(). [RT #20681]

2795.	[cleanup]	Add text to differentiate "update with no effect"
			log messages. [RT #18889]

2794.	[bug]		Install <isc/namespace.h>.  [RT #20677]

2791.	[bug]		The installation of isc-config.sh was broken.
			[RT #20667]

2788.	[bug]		dnssec-signzone could sign with keys that were
			not requested [RT #20625]

2787.   [bug]           Spurious log message when zone keys were
                        dynamically reconfigured. [RT #20659]

2785.	[bug]		Revoked keys could fail to self-sign [RT #20652]

2781.	[bug]		Inactive keys could be used for signing. [RT #20649]

2780.	[bug]		dnssec-keygen -A none didn't properly unset the
			activation date in all cases. [RT #20648]

2779.	[bug]		Dynamic key revokation could fail. [RT #20644]

2778.	[bug]		dnssec-signzone could fail when a key was revoked
			without deleting the unrevoked version. [RT #20638]

2763.	[bug]		"rndc sign" didn't create an NSEC chain. [RT #20591]

2761.	[cleanup]	Enable internal symbol table for backtrace only for
			systems that are known to work.  Currently, BSD
			variants, Linux and Solaris are supported. [RT# 20202]

2775.	[bug]		Accept RSASHA256 and RSASHA512 as NSEC3 compatible
			in dnssec-keyfromlabel. [RT #20643]

2773.	[bug]		In autosigned zones, the SOA could be signed
			with the KSK. [RT #20628]

2771.	[bug]		dnssec-signzone: DNSKEY records could be
			corrupted when importing from key files [RT #20624]

2770.	[cleanup]	Add log messages to resolver.c to indicate events
			causing FORMERR responses. [RT #20526]

2769.   [cleanup]       Change #2742 was incomplete. [RT #19589]

2768.	[bug]		dnssec-signzone: -S no longer implies -g [RT #20568]

2767.	[bug]		named could crash on startup if a zone was
			configured with auto-dnssec and there was no
			key-directory. [RT #20615]

2766.	[bug]		isc_socket_fdwatchpoke() should only update the
			socketmgr state if the socket is not pending on a
			read or write.  [RT #20603]

2764.   [bug]           "rndc-confgen -a" could trigger a REQUIRE. [RT #20610]

2756.   [bug]           Fixed corrupt logfile message in update.c. [RT# 20597]

2753.   [bug]           Removed an unnecessary warning that could appear when
                        building an NSEC chain. [RT #20589]

2776.   [bug]           Change #2762 was not correct. [RT #20647]

2762.   [bug]           DLV validation failed with a local slave DLV zone.
                        [RT #20577]

2752.   [bug]           Locking violation. [RT #20587]

2751.   [bug]           Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]

2746.	[port]		hpux: address signed/unsigned expansion mismatch of
			dns_rbtnode_t.nsec. [RT #20542]

2745.   [bug]           configure script didn't probe the return type of
                        gai_strerror(3) correctly. [RT #20573]

2774.   [bug]           Existing cache DB wasn't being reused after
                        reconfiguration. [RT #20629]

2742.   [cleanup]       Clarify some DNSSEC-related log messages in
                        validator.c. [RT #19589]

2739.	[cleanup]	Clean up API for initializing and clearing trust
			anchors for a view. [RT #20211]

2735.	[bug]		dnssec-signzone could fail to read keys
			that were specified on the command line with
			full paths, but weren't in the current
			directory. [RT #20421]

2734.	[port]		cygwin: arpaname did not compile. [RT #20473]

2733.	[cleanup]	Clean up coding style in pkcs11-* tools. [RT #20355]

2728.	[bug]		dssec-keygen, dnssec-keyfromlabel and
			dnssec-signzone now warn immediately if asked to
			write into a nonexistent directory. [RT #20278]

2725.	[doc]		Added information about the file "managed-keys.bind"
			to the ARM. [RT #20235]

2724.   [bug]           Updates to a existing node in secure zone using NSEC
                        were failing. [RT #20448]

2720.	[bug]		RFC 5011 trust anchor updates could trigger an
			assert if the DNSKEY record was unsigned. [RT #20406]

2717.	[bug]		named failed to update the NSEC/NSEC3 record when
			the last private type record was removed as a result
			of completing the signing the zone with a key.
			[RT #20399]

2711.	[port]		win32: Add the bin/pkcs11 tools into the full
			build. [RT #20372]

2694.	[bug]		Reduce default NSEC3 iterations from 100 to 10.
			[RT #19970]

2693.	[port]		Add some noreturn attributes. [RT #20257]

2687.	[bug]		Fixed dnssec-signzone -S handling of revoked keys.
			Also, added warnings when revoking a ZSK, as this is
			not defined by protocol (but is legal).  [RT #19943]

2685.	[contrib]	Update contrib/zkt to version 0.99c. [RT #20054]

2684.	[cleanup]	dig: formalize +ad and +cd as synonyms for
			+adflag and +cdflag.  [RT #19305]

2682.	[bug]		"configure --enable-symtable=all" failed to
			build. [RT #20282]

2676.	[bug]		--with-export-installdir should have been
			--with-export-includedir. [RT #20252]

2675.	[bug]		dnssec-signzone could crash if the key directory
			did not exist. [RT #20232]

2674.	[bug]		"dnssec-lookaside auto;" crashed if named was built
			without openssl. [RT #20231]

2673.   [bug]           The managed-keys.bind zone file could fail to
                        load due to a spurious result from sync_keyzone()
                        [RT #20045]

2671.	[bug]		Add support for PKCS#11 providers not returning
			the public exponent in RSA private keys
			(OpenCryptoki for instance) in
			dnssec-keyfromlabel. [RT #19294]

2664.	[bug]		create_keydata() and minimal_update() in zone.c
			didn't properly check return values for some
			functions.  [RT #19956]

2658.	[bug]		dnssec-settime and dnssec-revoke didn't process
			key file paths correctly. [RT #20078]

2657.	[cleanup]	Lower "journal file <path> does not exist, creating it"
			log level to debug 1. [RT #20058]

2654.   [bug]           Improve error reporting on duplicated names for
                        deny-answer-xxx. [RT #20164]

2651.   [bug]           Dates could print incorrectly in K*.key files on
                        64-bit systems. [RT #20076]

2650.   [bug]           Assertion failure in dnssec-signzone when trying
                        to read keyset-* files. [RT #20075]

2644.   [bug]           Change #2628 caused a regression on some systems;
                        named was unable to write the PID file and would
                        fail on startup. [RT #20001]

2641.   [bug]           Fixed an error in parsing update-policy syntax,
                        added a regression test to check it. [RT #20007]

2638.	[bug]		Install arpaname. [RT #19957]

2634.	[port]		win32: Add support for libxml2, enable
			statschannel. [RT #19773]

2631.   [bug]           Handle "//", "/./" and "/../" in mkdirpath().
                        [RT #19926 ]

2629.   [port]          Check for seteuid()/setegid(), use setresuid()/
                        setresgid() if not present. [RT #19932]

2628.   [port]          linux: Allow /var/run/named/named.pid to be opened
                        at startup with reduced capabilities in operation.
                        [RT #19884]

2627.   [bug]           Named aborted if the same key was included in
                        trusted-keys more than once. [RT #19918]

2626.   [bug]           Multiple trusted-keys could trigger an assertion
                        failure. [RT #19914]

2622.   [bug]           Printing of named.conf grammar was broken. [RT #19919]

2600.   [doc]           ARM: miscellaneous reformatting for different
                        page widths. [RT #19574]

2566.	[cleanup]	Clarify logged message when an insecure DNSSEC
			response arrives from a zone thought to be secure:
			"insecurity proof failed" instead of "not
			insecure". [RT #19400]

2525.   [experimental]	New logging category "query-errors" to provide detailed
			internal information about query failures, especially
			about server failures. [RT #19027]

2537.	[func]		Added more statistics counters including those on socket
			I/O events and query RTT histograms. [RT #18802]

2655.	[doc]		Document that key-directory does not affect
			rndc.key.  [RT #20155]

2834.	[bug]		HMAC-SHA* keys that were longer than the algorithm
			digest length were used incorrectly, leading to
			interoperability problems with other DNS
			implementations.  This has been corrected.
			(Note: If an oversize key is in use, and
			compatibility is needed with an older release of
			BIND, the new tool "isc-hmac-fixup" can convert
			the key secret to a form that will work with all
			versions.) [RT #20751]

2840.	[bug]		Temporary fixed pkcs11-destroy usage check.
			[RT #20760]

3010.	[bug]		Fixed a bug where "rndc reconfig" stopped the timer
			for refreshing managed-keys. [RT #22296]

3013.	[bug]		The DNS64 ttl was not always being set as expected.
			[RT #23034]

3017.	[doc]		dnssec-keyfromlabel -I was not properly documented.
			[RT #22887]

3020.	[bug]		auto-dnssec failed to correctly update the zone when
			changing the DNSKEY RRset. [RT #23232]

3021.	[bug]		Change #3010 was incomplete. [RT #22296]

3022.	[bug]		Fixed rpz SERVFAILs after failed zone transfers
                        [RT #23246]

3038.	[bug]		Install <dns/rpz.h>.  [RT #23342]

3045.	[removed]	Replaced by change #3050.

3048.	[bug]		Fully separate view key mangement. [RT #23419]

3050.	[bug]		The autosign system test was timing dependent.
			Wait for the initial autosigning to complete
			before running the rest of the test. [RT #23035]

3052.	[test]		Fixed last autosign test report. [RT #23256]

3054.	[bug]		Added elliptic curve support check in
			GOST OpenSSL engine detection. [RT #23485]

3057.	[bug]		"rndc secroots" would abort after the first error
			and so could miss some views. [RT #23488]

3072.	[bug]		dns_dns64_aaaaok() potential NULL pointer dereference.
			[RT #20256]

3073.	[bug]		managed-keys changes were not properly being recorded.
			[RT #20256]

3075.	[bug]		dns_dnssec_findzonekeys{2} used a inconsistant
			timestamp when determining which keys are active.
			[RT #23642]

3077.	[bug]		zone.c:zone_refreshkeys() incorrectly called
			dns_zone_attach(), use zone->irefs instead. [RT #23303]

3082.	[port]		strtok_r is threads only. [RT #23747]

3086.	[bug]		Running dnssec-settime -f on an old-style key will
			now force an update to the new key format even if no
			other change has been specified, using "-P now -A now"
			as default values.  [RT #22474]

3087.	[bug]		DDNS updates using SIG(0) with update-policy match
			type "external" could cause a crash. [RT #23735]

3091.	[bug]		Fixed a bug in which zone keys that were published
			and then subsequently activated could fail to trigger
			automatic signing. [RT #22911]

3094.	[doc]		Expand dns64 documentation.

3096.	[bug]		Set KRB5_KTNAME before calling log_cred() in
			dst_gssapi_acceptctx(). [RT #24004]

2655.	[doc]		Document that key-directory does not affect
			bind.keys, rndc.key or session.key.  [RT #20155]

2810.   [doc]           Clarified the process of transitioning an NSEC3 zone
                        to insecure. [RT #20746]
