3312.	[bug]		named-checkconf didn't detect a bad dns64 clients acl.
			[RT #27631]

3306.	[bug]		Improve DNS64 reverse zone performance. [RT #28563]

3305.	[func]		Add wire format lookup method to sdb. [RT #28563]

3303.	[bug]		named could die when reloading. [RT #28606]

3302.	[bug]		dns_dnssec_findmatchingkeys could fail to find
			keys if the zone name contained character that
			required special mappings. [RT #28600]

3296.	[bug]		Named could die with a INSIST failure in
			client.c:exit_check. [RT #28346]

3289.	[bug]		'rndc retransfer' failed for inline zones. [RT #28036]

3288.	[bug]		dlz_destroy() function wasn't correctly registered
			by the DLZ dlopen driver. [RT #28056]

3286.	[bug]		Managed key maintenance timer could fail to start
			after 'rndc reconfig'. [RT #26786]

3280.	[bug]		Potential double free of a rdataset on out of memory
			with DNS64. [RT #27762]

3279.	[bug]		Hold a internal reference to the zone while performing
			a asynchronous load.  Address potential memory leak
			if the asynchronous is cancelled. [RT #27750]

3278.	[bug]		Make sure automatic key maintenance is started
			when "auto-dnssec maintain" is turned on during
			"rndc reconfig". [RT #26805]

3277.	[bug]		win32: isc_socket_dup is not implemented. [RT #27696]

3276.	[bug]		win32: ns_os_openfile failed to return NULL on
			safe_open failure. [RT #27696]

3275.	[bug]		Corrected rndc -h output; the 'rndc sync -clean'
			option had been misspelled as '-clear'.  (To avoid
			future confusion, both options now work.) [RT #27173]

3273.	[bug]		AAAA responses could be returned in the additional
			section even when filter-aaaa-on-v4 was in use.
			[RT #27292]

3271.	[port]		darwin: mksymtbl is not always stable, loop several
			times before giving up.  mksymtbl was using non
			portable perl to covert 64 bit hex strings. [RT #27653]

3270.	[bug]		"rndc reload" didn't reuse existing zones correctly
			when inline-signing was in use. [RT #27650]

3269.	[port]		darwin 11 and later now built threaded by default.

3265.	[bug]		Address lock order reversal with inline-signing
			support. [27557]

3264.	[bug]		Automatic regeneration of signatures in an
			inline-signing zone could stall when the server
			was restarted. [RT #27344]

3263.	[bug]		"rndc sync" did not affect the unsigned side of an
			inline-signing zone. [RT #27337]

3262.	[bug]		Signed responses were handled incorrectly by RPZ.
			[RT #27316]

3258.	[test]		Add "forcing full sign with unreadable keys" test.
			[RT #27153]

3252.	[bug]		When master zones using inline-signing were
			updated while the server was offline, the source
			zone could fall out of sync with the signed
			copy. They can now resynchronize. [RT #26676]

3248.	[bug]		Configure options --enable-fixed-rrset and
			--enable-exportlib were incompatible with each
			other. [RT #27087]

3246.	[bug]		Named failed to start with a empty also-notify list.
			[RT #27087]

3245.	[bug]		Don't report a error unchanged serials unless there
			were other changes when thawing a zone with
			ixfr-fromdifferences. [RT #26845]

3243.	[port]		freebsd,netbsd,bsdi: the thread defaults were not
			being properly set.

3240.	[bug]		DNSKEY state change events could be missed. [RT #26874]

3239.	[bug]		dns_dnssec_findmatchingkeys needs to use a consistent
			timestamp. [RT #26883]

3236.	[bug]		Backed out changes #3182 and #3202, related to
			EDNS(0) fallback behavior. [RT #26416]

3233.	[bug]		'rndc freeze/thaw' didn't work for inline zones.
			[RT #26632]

3225.	[bug]		Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
			messages. [RT #26507]

3224.	[bug]		'rndc signing' argument parsing was broken. [RT #26684]

3223.	[bug]		'task_test privilege_drop' generated false positives.
			[RT #26766]

3222.	[cleanup]	Replace dns_journal_{get,set}_bitws with
			dns_journal_{get,set}_sourceserial. [RT #26634]

3220.	[bug]		Change #3186 was incomplete; dns_db_rpz_findips()
			could fail to set the database version correctly,
			causing an assertion failure. [RT #26180]

3220.	[bug]		Change #3186 was incomplete; dns_db_rpz_findips()
			could fail to set the database version correctly,
			causing an assertion failure. [RT #26180]
3219.	[bug]		Disable NOEDNS caching following a timeout.

3217.	[cleanup]	Fix build problem with --disable-static. [RT #26476]

3215.	[bug]		'rndc recursing' could cause a core dump.  [RT #26495]

3210.	[bug]		Canceling the oldest query due to recursive-client
			overload could trigger an assertion failure. [RT #26463]

3202.	[bug]		NOEDNS caching on timeout was too agressive.
			[RT #26416]

3198.	[doc]		Clarified that dnssec-settime can alter keyfile
			permissions. [RT #24866]

3195.	[cleanup]	Silence "file not found" warnings when loading
			managed-keys zone. [RT #26340]

3186.	[bug]		Version/db mis-match in rpz code. [RT #26180]

3184.	[bug]		named had excessive cpu usage when a redirect zone was
			configured. [RT #26013]

3183.	[bug]		Added RTLD_GLOBAL flag to dlopen call. [RT #26301]

3182.	[bug]		Auth servers behind firewalls which block packets
			greater than 512 bytes may cause other servers to
			perform poorly. Now, adb retains edns information
			and caches noedns servers. [RT #23392/24964]

3178.	[bug]		A race condition introduced by change #3163 could
			cause an assertion failure on shutdown. [RT #26271]

3176.	[doc]		Corrected example code and added a README to the
			sample external DLZ module in contrib/dlz/example.
			[RT #26215]

3172.	[port]		darwin 10.* and freebsd [89] are now built threaded by
			default.

3171.	[bug]		Exclusively lock the task when adding a zone using
			'rndc addzone'.  [RT #25600]

3168.	[bug]		Nxdomain redirection could trigger an assert with
			a ANY query. [RT #26017]

3166.	[bug]		Upgrading a zone to support inline-signing failed.
			[RT #26014]

3165.	[bug]		dnssec-signzone could generate new signatures when
			resigning, even when valid signatures were already
			present. [RT #26025]

3163.	[bug]		Use finer-grained locking in client.c to address
			concurrency problems with large numbers of threads.
			[RT #26044]

3160.	[bug]		When printing out a NSEC3 record in multiline form
			the newline was not being printed causing type codes
			to be run together. [RT #25873]

3159.	[bug]		On some platforms, named could assert on startup
			when running in a chrooted environment without
			/proc. [RT #25863]

3158.	[bug]		Recursive servers would prefer a particular UDP
			socket instead of using all available sockets.
			[RT #26038]

3155.	[bug]		Fixed a build failure when using contrib DLZ
			drivers (e.g., mysql, postgresql, etc). [RT #25710]

3152.	[cleanup]	Some versions of gcc and clang failed due to
			incorrect use of __builtin_expect. [RT #25183]

3142.	[bug]		NAPTR is class agnostic. [RT #25429]

3141.	[bug]		Silence spurious "zone serial (0) unchanged" messages
			associated with empty zones. [RT #25079]

3131.	[tuning]	Improve scalability by allocating one zone task
			per 100 zones at startup time, rather than using a
			fixed-size task table. [RT #24406]

3129.	[bug]		Named could crash on 'rndc reconfig' when
			allow-new-zones was set to yes and named ACLs
			were used. [RT #22739]

3127.	[bug]		'rndc thaw' will now remove a zone's journal file
			if the zone serial number has been changed and
			ixfr-from-differences is not in use.  [RT #24687]

3126.	[security]	Using DNAME record to generate replacements caused
			RPZ to exit with a assertion failure. [RT #24766]

3125.	[security]	Using wildcard CNAME records as a replacement with
			RPZ caused named to exit with a assertion failure.
			[RT #24715]

3122.	[cleanup]	dnssec-settime: corrected usage message. [RT #24664]

3117.	[cleanup]	Remove doc and parser references to the
			never-implemented 'auto-dnssec create' option.
			[RT #24533]

3115.	[bug]		Named could fail to return requested data when
			following a CNAME that points into the same zone.
			[RT #24455]

3108.	[cleanup]	dnssec-signzone: Clarified some error and
			warning messages; removed #ifdef ALLOW_KSKLESS_ZONES
			code (use -P instead). [RT #20852]

3105.	[bug]		GOST support can be suppressed by "configure
			--without-gost" [RT #24367]

3103.	[bug]		Configuring 'dnssec-validation auto' in a view
			instead of in the options statement could trigger
			an assertion failure in named-checkconf. [RT #24382]

3100.	[security]	Certain response policy zone configurations could
			trigger an INSIST when receiving a query of type
			RRSIG. [RT #24280]

3098.	[bug]		DLZ zones were answering without setting the AA bit.
			[RT #24146]

3096.	[bug]		Set KRB5_KTNAME before calling log_cred() in
			dst_gssapi_acceptctx(). [RT #24004]

3094.	[doc]		Expand dns64 documentation.

3093.	[bug]		Fix gssapi/kerberos dependencies [RT #23836]

3091.	[bug]		Fixed a bug in which zone keys that were published
			and then subsequently activated could fail to trigger
			automatic signing. [RT #22911]

3087.	[bug]		DDNS updates using SIG(0) with update-policy match
			type "external" could cause a crash. [RT #23735]

3086.	[bug]		Running dnssec-settime -f on an old-style key will
			now force an update to the new key format even if no
			other change has been specified, using "-P now -A now"
			as default values.  [RT #22474]

3082.	[port]		strtok_r is threads only. [RT #23747]

3077.	[bug]		zone.c:zone_refreshkeys() incorrectly called
			dns_zone_attach(), use zone->irefs instead. [RT #23303]

3075.	[bug]		dns_dnssec_findzonekeys{2} used a inconsistant
			timestamp when determining which keys are active.
			[RT #23642]

3073.	[bug]		managed-keys changes were not properly being recorded.
			[RT #20256]

3072.	[bug]		dns_dns64_aaaaok() potential NULL pointer dereference.
			[RT #20256]

3057.	[bug]		"rndc secroots" would abort after the first error
			and so could miss some views. [RT #23488]

3054.	[bug]		Added elliptic curve support check in
			GOST OpenSSL engine detection. [RT #23485]

3052.	[test]		Fixed last autosign test report. [RT #23256]

3050.	[bug]		The autosign system test was timing dependent.
			Wait for the initial autosigning to complete
			before running the rest of the test. [RT #23035]

3048.	[bug]		Fully separate view key mangement. [RT #23419]

3045.	[removed]	Replaced by change #3050.

3038.	[bug]		Install <dns/rpz.h>.  [RT #23342]

3022.	[bug]		Fixed rpz SERVFAILs after failed zone transfers
			[RT #23246]

3021.	[bug]		Change #3010 was incomplete. [RT #22296]

3020.	[bug]		auto-dnssec failed to correctly update the zone when
			changing the DNSKEY RRset. [RT #23232]

3017.	[doc]		dnssec-keyfromlabel -I was not properly documented.
			[RT #22887]

3013.	[bug]		The DNS64 ttl was not always being set as expected.
			[RT #23034]

3010.	[bug]		Fixed a bug where "rndc reconfig" stopped the timer
			for refreshing managed-keys. [RT #22296]

3005.	[port]		Solaris: Work around the lack of
			gsskrb5_register_acceptor_identity() by setting
			the KRB5_KTNAME environment variable to the
			contents of tkey-gssapi-keytab.  Also fixed
			test errors on MacOSX.  [RT #22853]

3003.	[experimental]	Added update-policy match type "external",
			enabling named to defer the decision of whether to
			allow a dynamic update to an external daemon.
			(Contributed by Andrew Tridgell.) [RT #22758]

3000.	[bug]		More TKEY/GSS fixes:
			 - nsupdate can now get the default realm from
			   the user's Kerberos principal
			 - corrected gsstest compilation flags
			 - improved documentation
			 - fixed some NULL dereferences
			[RT #22795]

2992.	[contrib]	contrib/check-secure-delegation.pl:  A simple tool
			for looking at a secure delegation. [RT #22059]

2991.	[contrib]	contrib/zone-edit.sh: A simple zone editing tool for
			dynamic zones. [RT #22365]

2990.	[bug]		'dnssec-settime -S' no longer tests prepublication
			interval validity when the interval is set to 0.
			[RT #22761]

2988.	[experimental]	Added a "dlopen" DLZ driver, allowing the creation
			of external DLZ drivers that can be loaded as
			shared objects at runtime rather than linked with
			named.  Currently this is switched on via a
			compile-time option, "configure --with-dlz-dlopen".
			Note: the syntax for configuring DLZ zones
			is likely to be refined in future releases.
			(Contributed by Andrew Tridgell of the Samba
			project.) [RT #22629]

2985.	[bug]		Add a regression test for change #2896. [RT #21324]

2983.	[bug]		Include "loadkeys" in rndc help output. [RT #22493]

2980.	[bug]		named didn't properly handle UPDATES that changed the
			TTL of the NSEC3PARAM RRset. [RT #22363]

2977.	[bug]		'nsupdate -l' report if the session key is missing.
			[RT #21670]

2973.	[bug]		bind.keys.h was being removed by the "make clean"
			at the end of configure resulting in build failures
			where there is very old version of perl installed.
			Move it to "make maintainer-clean". [RT #22230]

2963.	[security]	The allow-query acl was being applied instead of the
			allow-query-cache acl to cache lookups. [RT #22114]

2961.	[bug]		Be still more selective about the non-authoritative
			answers we apply change 2748 to. [RT #22074]

2949.	[bug]		dns_view_setnewzones() contained a memory leak if
			it was called multiple times. [RT #21942]

2948.	[port]		MacOS: provide a mechanism to configure the test
			interfaces at reboot. See bin/tests/system/README
			for details.

2940.	[port]		Remove connection aborted error message on
			Windows. [RT #21549]

2938.	[bug]		When generating signed responses, from a signed zone
			that uses NSEC3, named would use a uninitialised
			pointer if it needed to skip a NSEC3 record because
			it didn't match the selected NSEC3PARAM record for
			zone. [RT# 21868]

2930.	[experimental]	New "rndc addzone" and "rndc delzone" commads
			allow dynamic addition and deletion of zones.
			To enable this feature, specify a "new-zone-file"
			option at the view or options level in named.conf.
			Zone configuration information for the new zones
			will be written into that file.  To make the new
			zones persist after a restart, "include" the file
			into named.conf in the appropriate view.  (Note:
			This feature is not yet documented, and its syntax
			is expected to change.) [RT #19447]

2928.	[bug]		Be more selective about the non-authoritative
			answer we apply change 2748 to. [RT #21594]

2914.	[bug]		Make the "autosign" system test more portable.
			[RT #20997]

2909.	[bug]		named-checkconf -p could die if "update-policy local;"
			was specified in named.conf. [RT #21416]

2907.	[bug]		The export version of libdns had undefined references.
			[RT #21444]

2906.	[bug]		Address RFC 5011 implementation issues. [RT #20903]

2903.	[bug]		managed-keys-directory missing from namedconf.c.
			[RT #21370]

2897.	[bug]		NSEC3 chains could be left behind when transitioning
			to insecure. [RT #21040]

2896.	[bug]		"rndc sign" failed to properly update the zone
			when adding a DNSKEY for publication only. [RT #21045]

2893.	[bug]		Improve managed keys support.  New named.conf option
			managed-keys-directory. [RT #20924]

2892.	[bug]		Handle REVOKED keys better. [RT #20961]

2887.	[bug]		Report the keytag times in UTC in the .key file,
			local time is presented as a comment within the
			comment.  [RT #21223]

2886.	[bug]		ctime() is not thread safe. [RT #21223]

2880.	[cleanup]	Make the output of dnssec-keygen and dnssec-revoke
			consistent. [RT #21078]

2873.	[bug]		Cancelling a dynamic update via the dns/client module
			could trigger an assertion failure. [RT #21133]

2872.	[bug]		Modify dns/client.c:dns_client_createx() to only
			require one of IPv4 or IPv6 rather than both.
			[RT #21122]

2871.	[bug]		Type mismatch in mem_api.c between the definition and
			the header file, causing build failure with
			--enable-exportlib. [RT #21138]

2861.	[doc]		dnssec-settime man pages didn't correctly document the
			inactivation time. [RT #21039]

2860.	[bug]		named-checkconf's usage was out of date. [RT #21039]

2848.	[doc]		Moved README.dnssec, README.libdns, README.pkcs11 and
			README.rfc5011 into the ARM. [RT #20899]

2847.	[cleanup]	Corrected usage message in dnssec-settime. [RT #20921]

2845.	[bug]		RFC 5011 client could crash on shutdown. [RT #20903]

2841.	[bug]		Change 2836 was not complete. [RT #20883]

2840.	[bug]		Temporary fixed pkcs11-destroy usage check.
			[RT #20760]

2839.	[bug]		A KSK revoked by named could not be deleted.
			[RT #20881]

2836.	[bug]		Keys that were scheduled to become active could
			be delayed. [RT #20874]

2835.	[bug]		Key inactivity dates were inadvertently stored in
			the private key file with the outdated tag
			"Unpublish" rather than "Inactive".  This has been
			fixed; however, any existing keys that had Inactive
			dates set will now need to have them reset, using
			'dnssec-settime -I'. [RT #20868]

2834.	[bug]		HMAC-SHA* keys that were longer than the algorithm
			digest length were used incorrectly, leading to
			interoperability problems with other DNS
			implementations.  This has been corrected.
			(Note: If an oversize key is in use, and
			compatibility is needed with an older release of
			BIND, the new tool "isc-hmac-fixup" can convert
			the key secret to a form that will work with all
			versions.) [RT #20751]

2833.	[cleanup]	Fix usage messages in dnssec-keygen and dnssec-settime.
			[RT #20851]

2832.	[bug]		Modify "struct stat" in lib/export/samples/nsprobe.c
			to avoid redefinition in some OSs [RT 20831]

2824.	[bug]		"rndc sign" was not being run by the correct task.
			[RT #20759]

2822.	[bug]		rbtdb.c:loadnode() could return the wrong result.
			[RT #20802]

2821.	[doc]		Add note that named-checkconf doesn't automatically
			read rndc.key and bind.keys [RT #20758]

2816.	[bug]		previous_closest_nsec() could fail to return
			data for NSEC3 nodes [RT #29730]

2812.	[bug]		Make sure updates can't result in a zone with
			NSEC-only keys and NSEC3 records. [RT #20748]

2811.	[cleanup]	Add "rndc sign" to list of commands in rndc usage
			output. [RT #20733]

2810.	[doc]		Clarified the process of transitioning an NSEC3 zone
			to insecure. [RT #20746]

2809.	[cleanup]	Restored accidentally-deleted text in usage output
			in dnssec-settime and dnssec-revoke [RT #20739]

2808.	[bug]		Remove the attempt to install atomic.h from lib/isc.
			atomic.h is correctly installed by the architecture
			specific subdirectories.  [RT #20722]

2807.	[bug]		Fixed a possible ASSERT when reconfiguring zone
			keys. [RT #20720]

2806.	[bug]		"rdnc sign" could delay re-signing the DNSKEY
			when it had changed. [RT #20703]

2805.	[bug]		Fixed namespace problems encountered when building
			external programs using non-exported BIND9 libraries
			(i.e., built without --enable-exportlib). [RT #20679]

2804.	[bug]		Send notifies when a zone is signed with "rndc sign"
			or as a result of a scheduled key change. [RT #20700]

2803.	[port]		win32: Install named-journalprint, nsec3hash, arpaname
			and genrandom under windows. [RT #20670]

2802.	[cleanup]	Rename journalprint to named-journalprint. [RT #20670]

2799.	[cleanup]	Changed the "secure-to-insecure" option to
			"dnssec-secure-to-insecure", and "dnskey-ksk-only"
			to "dnssec-dnskey-kskonly", for clarity. [RT #20586]

2798.	[bug]		Addressed bugs in managed-keys initialization
			and rollover. [RT #20683]

2796.	[bug]		Missing dns_rdataset_disassociate() call in
			dns_nsec3_delnsec3sx(). [RT #20681]

2795.	[cleanup]	Add text to differentiate "update with no effect"
			log messages. [RT #18889]

2794.	[bug]		Install <isc/namespace.h>.  [RT #20677]

2791.	[bug]		The installation of isc-config.sh was broken.
			[RT #20667]

2788.	[bug]		dnssec-signzone could sign with keys that were
			not requested [RT #20625]

2787.	[bug]		Spurious log message when zone keys were
			dynamically reconfigured. [RT #20659]

2785.	[bug]		Revoked keys could fail to self-sign [RT #20652]

2781.	[bug]		Inactive keys could be used for signing. [RT #20649]

2780.	[bug]		dnssec-keygen -A none didn't properly unset the
			activation date in all cases. [RT #20648]

2779.	[bug]		Dynamic key revokation could fail. [RT #20644]

2778.	[bug]		dnssec-signzone could fail when a key was revoked
			without deleting the unrevoked version. [RT #20638]

2776.	[bug]		Change #2762 was not correct. [RT #20647]

2775.	[bug]		Accept RSASHA256 and RSASHA512 as NSEC3 compatible
			in dnssec-keyfromlabel. [RT #20643]

2774.	[bug]		Existing cache DB wasn't being reused after
			reconfiguration. [RT #20629]

2773.	[bug]		In autosigned zones, the SOA could be signed
			with the KSK. [RT #20628]

2771.	[bug]		dnssec-signzone: DNSKEY records could be
			corrupted when importing from key files [RT #20624]

2770.	[cleanup]	Add log messages to resolver.c to indicate events
			causing FORMERR responses. [RT #20526]

2769.	[cleanup]	Change #2742 was incomplete. [RT #19589]

2768.	[bug]		dnssec-signzone: -S no longer implies -g [RT #20568]

2767.	[bug]		named could crash on startup if a zone was
			configured with auto-dnssec and there was no
			key-directory. [RT #20615]

2766.	[bug]		isc_socket_fdwatchpoke() should only update the
			socketmgr state if the socket is not pending on a
			read or write.  [RT #20603]

2764.	[bug]		"rndc-confgen -a" could trigger a REQUIRE. [RT #20610]

2763.	[bug]		"rndc sign" didn't create an NSEC chain. [RT #20591]

2762.	[bug]		DLV validation failed with a local slave DLV zone.
			[RT #20577]

2761.	[cleanup]	Enable internal symbol table for backtrace only for
			systems that are known to work.  Currently, BSD
			variants, Linux and Solaris are supported. [RT# 20202]

2756.	[bug]		Fixed corrupt logfile message in update.c. [RT# 20597]

2753.	[bug]		Removed an unnecessary warning that could appear when
			building an NSEC chain. [RT #20589]

2752.	[bug]		Locking violation. [RT #20587]

2751.	[bug]		Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]

2746.	[port]		hpux: address signed/unsigned expansion mismatch of
			dns_rbtnode_t.nsec. [RT #20542]

2745.	[bug]		configure script didn't probe the return type of
			gai_strerror(3) correctly. [RT #20573]

2742.	[cleanup]	Clarify some DNSSEC-related log messages in
			validator.c. [RT #19589]

2739.	[cleanup]	Clean up API for initializing and clearing trust
			anchors for a view. [RT #20211]

2735.	[bug]		dnssec-signzone could fail to read keys
			that were specified on the command line with
			full paths, but weren't in the current
			directory. [RT #20421]

2734.	[port]		cygwin: arpaname did not compile. [RT #20473]

2733.	[cleanup]	Clean up coding style in pkcs11-* tools. [RT #20355]

2728.	[bug]		dssec-keygen, dnssec-keyfromlabel and
			dnssec-signzone now warn immediately if asked to
			write into a nonexistent directory. [RT #20278]

2725.	[doc]		Added information about the file "managed-keys.bind"
			to the ARM. [RT #20235]

2724.	[bug]		Updates to a existing node in secure zone using NSEC
			were failing. [RT #20448]

2720.	[bug]		RFC 5011 trust anchor updates could trigger an
			assert if the DNSKEY record was unsigned. [RT #20406]

2717.	[bug]		named failed to update the NSEC/NSEC3 record when
			the last private type record was removed as a result
			of completing the signing the zone with a key.
			[RT #20399]

2711.	[port]		win32: Add the bin/pkcs11 tools into the full
			build. [RT #20372]

2694.	[bug]		Reduce default NSEC3 iterations from 100 to 10.
			[RT #19970]

2693.	[port]		Add some noreturn attributes. [RT #20257]

2687.	[bug]		Fixed dnssec-signzone -S handling of revoked keys.
			Also, added warnings when revoking a ZSK, as this is
			not defined by protocol (but is legal).  [RT #19943]

2685.	[contrib]	Update contrib/zkt to version 0.99c. [RT #20054]

2684.	[cleanup]	dig: formalize +ad and +cd as synonyms for
			+adflag and +cdflag.  [RT #19305]

2682.	[bug]		"configure --enable-symtable=all" failed to
			build. [RT #20282]

2676.	[bug]		--with-export-installdir should have been
			--with-export-includedir. [RT #20252]

2675.	[bug]		dnssec-signzone could crash if the key directory
			did not exist. [RT #20232]

2674.	[bug]		"dnssec-lookaside auto;" crashed if named was built
			without openssl. [RT #20231]

2673.	[bug]		The managed-keys.bind zone file could fail to
			load due to a spurious result from sync_keyzone()
			[RT #20045]

2671.	[bug]		Add support for PKCS#11 providers not returning
			the public exponent in RSA private keys
			(OpenCryptoki for instance) in
			dnssec-keyfromlabel. [RT #19294]

2664.	[bug]		create_keydata() and minimal_update() in zone.c
			didn't properly check return values for some
			functions.  [RT #19956]

2658.	[bug]		dnssec-settime and dnssec-revoke didn't process
			key file paths correctly. [RT #20078]

2657.	[cleanup]	Lower "journal file <path> does not exist, creating it"
			log level to debug 1. [RT #20058]

2655.	[doc]		Document that key-directory does not affect
			bind.keys, rndc.key or session.key.  [RT #20155]

2654.	[bug]		Improve error reporting on duplicated names for
			deny-answer-xxx. [RT #20164]

2651.	[bug]		Dates could print incorrectly in K*.key files on
			64-bit systems. [RT #20076]

2650.	[bug]		Assertion failure in dnssec-signzone when trying
			to read keyset-* files. [RT #20075]

2644.	[bug]		Change #2628 caused a regression on some systems;
			named was unable to write the PID file and would
			fail on startup. [RT #20001]

2641.	[bug]		Fixed an error in parsing update-policy syntax,
			added a regression test to check it. [RT #20007]

2638.	[bug]		Install arpaname. [RT #19957]

2634.	[port]		win32: Add support for libxml2, enable
			statschannel. [RT #19773]

2631.	[bug]		Handle "//", "/./" and "/../" in mkdirpath().
			[RT #19926 ]

2629.	[port]		Check for seteuid()/setegid(), use setresuid()/
			setresgid() if not present. [RT #19932]

2628.	[port]		linux: Allow /var/run/named/named.pid to be opened
			at startup with reduced capabilities in operation.
			[RT #19884]

2627.	[bug]		Named aborted if the same key was included in
			trusted-keys more than once. [RT #19918]

2626.	[bug]		Multiple trusted-keys could trigger an assertion
			failure. [RT #19914]

2622.	[bug]		Printing of named.conf grammar was broken. [RT #19919]

2600.	[doc]		ARM: miscellaneous reformatting for different
			page widths. [RT #19574]

2566.	[cleanup]	Clarify logged message when an insecure DNSSEC
			response arrives from a zone thought to be secure:
			"insecurity proof failed" instead of "not
			insecure". [RT #19400]

2537.	[func]		Added more statistics counters including those on socket
			I/O events and query RTT histograms. [RT #18802]

2525.	[experimental]	New logging category "query-errors" to provide detailed
			internal information about query failures, especially
			about server failures. [RT #19027]

