Notes for BIND 9.15.0
Security Fixes

In certain configurations, named could crash with an assertion failure if nxdomain-redirect was in use and a redirected query resulted in an NXDOMAIN from the cache. This flaw is disclosed in CVE-2019-6467. [GL #880]

The TCP client quota set using the tcp-clients option could be exceeded in some cases. This could lead to exhaustion of file descriptors. This flaw is disclosed in CVE-2018-5743. [GL #615]
New Features

The new add-soa option specifies whether or not the response-policy zone's SOA record should be included in the additional section of RPZ responses. [GL #865]
Removed Features

The dnssec-enable option has been obsoleted and no longer has any effect. DNSSEC responses are always enabled if signatures and other DNSSEC data are present. [GL #866]
Feature Changes

When static and managed DNSSEC keys were both configured for the same name, or when a static key was used to configure a trust anchor for the root zone and dnssec-validation was set to the default value of auto, automatic RFC 5011 key rollovers would be disabled. This combination of settings was never intended to work, but there was no check for it in the parser. This has been corrected, and it is now a fatal configuration error. [GL #868]

DS and CDS records are now generated with SHA-256 digests only, instead of both SHA-1 and SHA-256. This affects the default output of dnssec-dsfromkey, the dsset files generated by dnssec-signzone, the DS records added to a zone by dnssec-signzone based on keyset files, the CDS records added to a zone by named and dnssec-signzone based on "sync" timing parameters in key files, and the checks performed by dnssec-checkds.
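Because the trust-anchor combinations described above become a fatal configuration error in 9.15.0, an operator may want to scan existing named.conf files for them before upgrading. The following pre-flight checker is an added example written for these notes; it is not ISC code and not how named's parser performs the check. It assumes the configuration uses the trusted-keys and managed-keys statements, that dnssec-validation is set at most once (top level or otherwise), and that the default of auto applies when it is absent; the embedded configuration fragments are constructed samples with placeholder key strings.

```python
import re

# Constructed named.conf fragments (examples for these notes, not from the release notes);
# the quoted key strings are placeholders, not real trust anchors.
CONF_CONFLICT = """
options {
    dnssec-validation auto;   // the default in 9.15.0
};
trusted-keys {
    "." 257 3 8 "PLACEHOLDER-ROOT-KSK-BASE64==";
};
"""

CONF_DUPLICATE = """
options { dnssec-validation yes; };
trusted-keys { "example." 257 3 8 "PLACEHOLDER-KSK-BASE64=="; };
managed-keys { "example." initial-key 257 3 8 "PLACEHOLDER-KSK-BASE64=="; };
"""

CONF_OK = """
options { dnssec-validation auto; };
managed-keys {
    "." initial-key 257 3 8 "PLACEHOLDER-ROOT-KSK-BASE64==";
};
"""

# Strip /* */, // and # comments before matching (assumes no such sequences inside key strings).
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)
# A trusted-keys or managed-keys block and its body.
_BLOCK_RE = re.compile(r"\b(trusted-keys|managed-keys)\s*\{(.*?)\}\s*;", re.DOTALL)
# One anchor entry: "name" [initial-key] flags protocol algorithm "key..."
_ANCHOR_RE = re.compile(r'"([^"]*)"\s+(?:initial-key\s+)?\d+\s+\d+\s+\d+\s+"')
_VALIDATION_RE = re.compile(r"\bdnssec-validation\s+(auto|yes|no)\s*;")


def _canonical(name):
    """Lower-case the owner name and give it exactly one trailing dot ('.' for the root)."""
    return name.strip().lower().rstrip(".") + "."


def parse_anchors(conf):
    """Return (static names, managed names, dnssec-validation mode) for a named.conf text."""
    text = _COMMENT_RE.sub("", conf)
    static, managed = set(), set()
    for kind, body in _BLOCK_RE.findall(text):
        target = static if kind == "trusted-keys" else managed
        for name in _ANCHOR_RE.findall(body):
            target.add(_canonical(name))
    match = _VALIDATION_RE.search(text)
    validation = match.group(1) if match else "auto"   # 9.15.0 default
    return static, managed, validation


def find_problems(conf):
    """List the combinations that 9.15.0 rejects as fatal configuration errors."""
    static, managed, validation = parse_anchors(conf)
    problems = []
    for name in sorted(static & managed):
        problems.append(f"static and managed keys both configured for {name}")
    if "." in static and validation == "auto":
        problems.append("static trust anchor for the root zone with dnssec-validation auto")
    return problems


if __name__ == "__main__":
    for label, conf in (("conflict", CONF_CONFLICT), ("duplicate", CONF_DUPLICATE), ("ok", CONF_OK)):
        print(label, find_problems(conf) or "no problems")
```

The CONF_OK fragment shows the intended shape: a managed-keys (RFC 5011) anchor for the root with dnssec-validation auto, and no static key for the same name.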
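To make the DS digest change concrete, the following added example derives DS records from a DNSKEY the way RFC 4034 specifies (key tag over the RDATA, digest over owner name plus RDATA) and lets the caller choose which digest types to emit; the default mirrors the new 9.15.0 behaviour (SHA-256 only), and passing (1, 2) reproduces the earlier SHA-1 plus SHA-256 output. It is example code written for these notes, not ISC's implementation of dnssec-dsfromkey, and the DNSKEY it uses is a constructed placeholder with a four-byte "public key" so the key tag can be followed by hand.

```python
import hashlib
import struct

# Constructed sample DNSKEY (not a real key): KSK flags 257, protocol 3,
# algorithm 8 (RSASHA256), with a 4-byte placeholder public key.
SAMPLE_OWNER = "example."
SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM = 257, 3, 8
SAMPLE_PUBKEY = bytes([0x01, 0x02, 0x03, 0x04])

# DS digest type numbers from the IANA registry; 9.15.0 emits only type 2 by default.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
DEFAULT_DIGEST_TYPES = (2,)


def name_to_wire(name):
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    name = name.lower().rstrip(".")
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label {label!r}")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (even bytes weighted by 256, carries folded in)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Return the DS fields for one digest type: digest = H(owner wire || DNSKEY RDATA)."""
    if digest_type not in DIGEST_TYPES:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


def ds_records(owner, flags, protocol, algorithm, pubkey, digest_types=DEFAULT_DIGEST_TYPES):
    """Presentation-format DS lines, one per requested digest type."""
    lines = []
    for dt in digest_types:
        ds = make_ds(owner, flags, protocol, algorithm, pubkey, dt)
        lines.append(f"{owner} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
    return lines


if __name__ == "__main__":
    args = (SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY)
    print("9.15.0 default (SHA-256 only):")
    print("\n".join(ds_records(*args)))
    print("previous default (SHA-1 and SHA-256):")
    print("\n".join(ds_records(*args, digest_types=(1, 2))))
```

A parent that still expects a SHA-1 DS will no longer find one in the dsset files or CDS records produced with the new default, so anyone comparing delegations across the upgrade should match on key tag and algorithm and check the digest type field rather than expecting two DS lines per key.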
Bug Fixes

The allow-update and allow-update-forwarding options were inadvertently treated as configuration errors when used at the options or view level. This has now been corrected. [GL #913]