3514. [bug] The ranges for valid key sizes in ddns-confgen and
rndc-confgen were too constrained. Keys up to 512
bits are now allowed for most algorithms, and up
to 1024 bits for hmac-sha384 and hmac-sha512.
[RT #32753]
(cherry picked from commit 33b8db1bb3)
3507. [bug] Statistics channel XSL (when built with
--enable-newstats) had a glitch when attempting
to chart query data before any queries had been
received. [RT #32620]
3505. [bug] When setting "max-cache-size" and "max-acache-size",
larger values than 4 gigabytes could not be set
explicitly, though larger sizes were available
when setting cache size to 0. This has been
corrected; the full range is now available.
[RT #32358]
(cherry picked from commit 2a184ff865)
3501. [func] zone-statistics now takes three options: full,
terse, and none. "yes" and "no" are retained as
synonyms for full and terse, respectively. [RT #29165]
(cherry picked from commit 40a7e85f3e)
3496. [func] Improvements to RPZ performance. The "response-policy"
syntax now includes a "min-ns-dots" clause, with
default 1, to exclude top-level domains from
NSIP and NSDNAME checking. --enable-rpz-nsip and
--enable-rpz-nsdname are now the default. [RT #32251]
Response policy (rpz) changes to
- add zone statistics
- speed up by adding min-ns-dots to the response-policy syntax
with a default of 1
- detect and reject policy zones with a database other than rbt
only rbtdb has rpz hooks
- allow empty response-policy{} statement
- make --enable-rpz-nsip and --enable-rpz-nsdname the default
place where the NOQNAME proof needed to be saved.
[RT #32629]
Squashed commit of the following:
commit cdef844f57bd3eb30b1f77135b89b6f9360e8bee
Author: Mark Andrews <marka@isc.org>
Date: Sat Feb 16 00:27:14 2013 +1100
whitespace
commit 60eb7e3f6cdd102d6aaf0fb4ada8c552576e4502
Author: Mark Andrews <marka@isc.org>
Date: Sat Feb 16 00:19:51 2013 +1100
return noqname proof with +cd and dlv
3486. [bug] named could crash when using TKEY-negotiated keys
that had been deleted and then recreated. [RT #32506]
(cherry picked from commit 0b8bd3a4ae)
- check for NSEC3 in empty nodes when not due to optout delegations
- fixed typo in output ("Bad record NSEC record")
- incidentally fixed an error in signzone that caused an
incorrect warning about missing DNSKEYs when using -S
and -3 together
3473. [bug] dnssec-signzone/verify could incorrectly report
an error condition due to an empty node above an
opt-out delegation lacking an NSEC3. [RT #32072]
(cherry picked from commit 9a0dd99a75)
3471. [bug] The number of UDP dispatches now defaults to
the number of CPUs even if -n has been set to
a higher value. [RT #30964]
(cherry picked from commit 2154c01912)
3468. [security] RPZ rules to generate A records (but not AAAA records)
could trigger an assertion failure when used in
conjunction with DNS64. [RT #32141]
(cherry picked from commit 71f8edccba)
