[RT #16417]
2089. [security] Raise the minimum safe OpenSSL versions to
OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions
prior to these have known security flaws which
are (potentially) exploitable in named. [RT #16391]
2088. [security] Change the default RSA exponent from 3 to 65537.
[RT #16391]
2083. [port] win32: Visual C++ 2005 support.
negative response. [RT #12506]
1719. [bug] named was not correctly caching a RFC 2308 Type 1
negative response. [RT #12506]
1718. [bug] nsupdate was not handling RFC 2308 Type 3 negative
responses when looking for the zone / master server.
[RT #12506]
lookup SOA record w/o TSIG if initial SOA lookup w/ TSIG fails due
to TSIG err. Required for nsupdate to discover the zone when using
a server which is forwarding updates but doesn't share the secret.
1581. [func] Disable DNSSEC support by default. To enable
DNSSEC specify "enable-dnssec yes;" in named.conf.
1565. [bug] CD flag should be copied to outgoing queries unless
the query is under a secure entry point in which case
CD should be set.
1558. [func] New DNSSEC 'disable-algorithms'. Support entry into
child zones for which we don't have a supported
algorithm. Such child zones are treated as unsigned.
1557. [func] Implement missing DNSSEC tests for
* NOQNAME proof with wildcard answers.
* NOWILDARD proof with NXDOMAIN.
Cache and return NOQNAME with wildcard answers.
1541. [func] NSEC now uses new bitmap format.
1519. [bug] dnssec-signzone:nsec_setbit() computed the wrong
length of the new bitmap.
1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
the port, timeout, and retry options were
valid integers and in range. [RT #2099]
1150. [bug] named incorrectly accepted TTL values
containing plus or minus signs, such as
1d+1h-1s.
1149. [func] New function isc_parse_uint32().
@Add bind9_getaddresses(), a consistent version of the get_address function
from dig/host/nslookup, nsupdate, and rndc. This should make it
easier to have the various programs support multiple addresses for a hostname.
