3615. [cleanup] "configure" now finishes by printing a summary
of optional BIND features and whether they are
active or inactive. ("configure --enable-full-report"
increases the verbosity of the summary.) [RT #31777]
(cherry picked from commit 71697fd082)
3611. [bug] Improved resistance to a theoretical authentication
attack based on differential timing. [RT #33939]
(cherry picked from commit 5b7abbef51)
This incorporates the following changes, plus a new configure
option "--enable-rrl" to turn them on:
3575. [func] Changed the logging category for RRL events from
'queries' to 'query-errors'. [RT #33540]
3554. [bug] RRL failed to correctly rate-limit upward
referrals and failed to count dropped error
responses in the statistics. [RT #33225]
3545. [bug] RRL slip behavior was incorrect when set to 1.
[RT #33111]
3518. [bug] Increase the size of dns_rrl_key.s.rtype by one bit
so that all dns_rrl_rtype_t enum values fit regardless
of whether it is teated as signed or unsigned by
the compiler. [RT #32792]
3494. [func] DNS RRL: Blunt the impact of DNS reflection and
amplification attacks by rate-limiting substantially-
identical responses. To enable, use "configure
--enable-rrl". [RT #28130]
3528. [func] New "dnssec-coverage" command scans the timing
metadata for a set of DNSSEC keys and reports if a
lapse in signing coverage has been scheduled
inadvertently. (Note: This tool depends on python;
it will not be built or installed on systems that
do not have a python interpreter.) [RT #28098]
(cherry picked from commit 831f59eb43)
3496. [func] Improvements to RPZ performance. The "response-policy"
syntax now includes a "min-ns-dots" clause, with
default 1, to exclude top-level domains from
NSIP and NSDNAME checking. --enable-rpz-nsip and
--enable-rpz-nsdname are now the default. [RT #32251]
Response policy (rpz) changes to
- add zone statistics
- speed up by adding min-ns-dots to the response-policy syntax
with a default of 1
- detect and reject policy zones with a database other than rbt
only rbtdb has rpz hooks
- allow empty response-policy{} statement
- make --enable-rpz-nsip and --enable-rpz-nsdname the default
dns_dlzcreate() failed to properly initialize
dlzdb.link. When cloning a rdataset do not copy
the link contents. [RT #32651]
Squashed commit of the following:
commit c36c49cbdaeec8b2506dffadbffa543283702fa2
Author: Mark Andrews <marka@isc.org>
Date: Mon Feb 18 23:24:57 2013 +1100
don't copy the link when cloning a rdataset
commit 9fef5827edcc925075832dcce900eeca9057456d
Author: Mark Andrews <marka@isc.org>
Date: Mon Feb 18 23:23:25 2013 +1100
initialise the dlzdb link; don't return a stale pointer on error
commit a13c584732eae2dde48920a73886b54f1fe6b030
Author: Mark Andrews <marka@isc.org>
Date: Mon Feb 18 23:21:59 2013 +1100
turn on ISC_LIST_CHECKINIT
Conflicts:
lib/dns/dlz.c
