4006. [security] A flaw in delegation handling could be exploited
to put named into an infinite loop. This has
been addressed by placing limits on the number
of levels of recursion named will allow (default 7),
and the number of iterative queries that it will
send (default 50) before terminating a recursive
query (CVE-2014-8500).
The recursion depth limit is configured via the
"max-recursion-depth" option. [RT #35780]
3935. [bug] "geoip asnum" ACL elements would not match unless
the full organization name was specified. They
can now match against the AS number alone (e.g.,
AS1234). [RT #36945]
3817. [func] The "delve" command is now spelled "delv" to avoid
a namespace collision with the Xapian project.
[RT #35801]
(cherry picked from commit 2ae159b376)
3746. [func] New "max-zone-ttl" option enforces maximum
TTLs for zones. If loading a zone containing a
higher TTL, the load fails. DDNS updates with
higher TTLs are accepted but the TTL is truncated.
(Note: Currently supported for master zones only;
inline-signing slaves will be added.) [RT #38405]
(which are similar to DNS Cookies by Donald Eastlake)
and are designed to help clients detect off path
spoofed responses and for servers to detect legitimate
clients.
SIT use a experimental EDNS option code (65001).
SIT can be enabled via --enable-developer or
--enable-sit. It is on by default in Windows.
RRL processing as been updated to know about SIT with
legitimate clients not being rate limited. [RT #35389]
3741. [func] "delve" (domain entity lookup and validation engine):
A new tool with dig-like semantics for performing DNS
lookups, with internal DNSSEC validation, using the
same resolver and validator logic as named. This
allows easy validation of DNSSEC data in environments
with untrustworthy resolvers, and assists with
troubleshooting of DNSSEC problems. (Note: not yet
available on win32.) [RT #32406]
information will be automatically updated if the
OS supports routing sockets. Use
"automatic-interface-scan no;" to disable.
Add "rndc scan" to trigger a scan. [RT #23027]
3731. [func] Added a "no-case-compress" ACL, which causes
named to use case-insensitive compression
(disabling change #3645) for specified
clients. (This is useful when dealing
with broken client implementations that
use case-sensitive name comparisons,
rejecting responses that fail to match the
capitalization of the query that was sent.)
[RT #35300]
