3265. [bug] Address lock order reversal with inline-signing support. [RT #27557]
3264. [bug] Automatic regeneration of signatures in an inline-signing zone could stall when the server was restarted. [RT #27344]
3263. [bug] "rndc sync" did not affect the unsigned side of an inline-signing zone. [RT #27337]
3262. [bug] Signed responses were handled incorrectly by RPZ. [RT #27316]
3252. [bug] When master zones using inline-signing were updated while the server was offline, the source zone could fall out of sync with the signed copy. They can now resynchronize. [RT #26676]
3248. [bug] Configure options --enable-fixed-rrset and --enable-exportlib were incompatible with each other. [RT #27087]
3246. [bug] Named failed to start with an empty also-notify list. [RT #27087]
3243. [port] freebsd,netbsd,bsdi: the thread defaults were not being properly set.
3239. [bug] dns_dnssec_findmatchingkeys needs to use a consistent timestamp. [RT #26883]
3236. [bug] Backed out changes #3182 and #3202, related to EDNS(0) fallback behavior. [RT #26416]
3233. [bug] 'rndc freeze/thaw' didn't work for inline zones. [RT #26632]
3220. [bug] Change #3186 was incomplete; dns_db_rpz_findips() could fail to set the database version correctly, causing an assertion failure. [RT #26180]
3198. [doc] Clarified that dnssec-settime can alter keyfile permissions. [RT #24866]
3195. [cleanup] Silence "file not found" warnings when loading managed-keys zone. [RT #26340]
3186. [bug] Version/db mis-match in rpz code. [RT #26180]
3184. [bug] named had excessive cpu usage when a redirect zone was configured. [RT #26013]
3182. [bug] Auth servers behind firewalls which block packets greater than 512 bytes may cause other servers to perform poorly. Now, adb retains edns information and caches noedns servers. [RT #23392/24964]
3172. [port] darwin 10.* and freebsd [89] are now built threaded by default.
3171. [bug] Exclusively lock the task when adding a zone using 'rndc addzone'. [RT #25600]
3168. [bug] Nxdomain redirection could trigger an assert with an ANY query. [RT #26017]
3160. [bug] When printing out an NSEC3 record in multiline form the newline was not being printed, causing type codes to be run together. [RT #25873]
3141. [bug] Silence spurious "zone serial (0) unchanged" messages associated with empty zones. [RT #25079]
3131. [tuning] Improve scalability by allocating one zone task per 100 zones at startup time, rather than using a fixed-size task table. [RT #24406]
3129. [bug] Named could crash on 'rndc reconfig' when allow-new-zones was set to yes and named ACLs were used. [RT #22739]
3126. [security] Using a DNAME record to generate replacements caused RPZ to exit with an assertion failure. [RT #24766]
3125. [security] Using wildcard CNAME records as a replacement with RPZ caused named to exit with an assertion failure. [RT #24715]
3100. [security] Certain response policy zone configurations could trigger an INSIST when receiving a query of type RRSIG. [RT #24280]
3005. [port] Solaris: Work around the lack of gsskrb5_register_acceptor_identity() by setting the KRB5_KTNAME environment variable to the contents of tkey-gssapi-keytab. Also fixed test errors on MacOSX. [RT #22853]
3003. [experimental] Added update-policy match type "external", enabling named to defer the decision of whether to allow a dynamic update to an external daemon. (Contributed by Andrew Tridgell.) [RT #22758]
3000. [bug] More TKEY/GSS fixes:
      - nsupdate can now get the default realm from the user's Kerberos principal
      - corrected gsstest compilation flags
      - improved documentation
      - fixed some NULL dereferences
      [RT #22795]
2992. [contrib] contrib/check-secure-delegation.pl: A simple tool for looking at a secure delegation. [RT #22059]
2991. [contrib] contrib/zone-edit.sh: A simple zone editing tool for dynamic zones. [RT #22365]
2990. [bug] 'dnssec-settime -S' no longer tests prepublication interval validity when the interval is set to 0. [RT #22761]
2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than linked with named. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629]
2985. [bug] Add a regression test for change #2896. [RT #21324]
2983. [bug] Include "loadkeys" in rndc help output. [RT #22493]
2980. [bug] named didn't properly handle UPDATES that changed the TTL of the NSEC3PARAM RRset. [RT #22363]
2977. [bug] 'nsupdate -l' now reports if the session key is missing. [RT #21670]
2973. [bug] bind.keys.h was being removed by the "make clean" at the end of configure, resulting in build failures where there is a very old version of perl installed. Move it to "make maintainer-clean". [RT #22230]
2963. [security] The allow-query acl was being applied instead of the allow-query-cache acl to cache lookups. [RT #22114]
2961. [bug] Be still more selective about the non-authoritative answers we apply change 2748 to. [RT #22074]
2949. [bug] dns_view_setnewzones() contained a memory leak if it was called multiple times. [RT #21942]
2948. [port] MacOS: provide a mechanism to configure the test interfaces at reboot. See bin/tests/system/README for details.
2940. [port] Remove connection aborted error message on Windows. [RT #21549]
2938. [bug] When generating signed responses from a signed zone that uses NSEC3, named would use an uninitialised pointer if it needed to skip an NSEC3 record because it didn't match the selected NSEC3PARAM record for the zone. [RT #21868]
2930. [experimental] New "rndc addzone" and "rndc delzone" commands allow dynamic addition and deletion of zones. To enable this feature, specify a "new-zone-file" option at the view or options level in named.conf. Zone configuration information for the new zones will be written into that file. To make the new zones persist after a restart, "include" the file into named.conf in the appropriate view. (Note: This feature is not yet documented, and its syntax is expected to change.) [RT #19447]
2928. [bug] Be more selective about the non-authoritative answer we apply change 2748 to. [RT #21594]
2914. [bug] Make the "autosign" system test more portable. [RT #20997]
2909. [bug] named-checkconf -p could die if "update-policy local;" was specified in named.conf. [RT #21416]
2907. [bug] The export version of libdns had undefined references. [RT #21444]
2906. [bug] Address RFC 5011 implementation issues. [RT #20903]
2903. [bug] managed-keys-directory missing from namedconf.c. [RT #21370]
2897. [bug] NSEC3 chains could be left behind when transitioning to insecure. [RT #21040]
2896. [bug] "rndc sign" failed to properly update the zone when adding a DNSKEY for publication only. [RT #21045]
2893. [bug] Improve managed keys support. New named.conf option managed-keys-directory. [RT #20924]
2892. [bug] Handle REVOKED keys better. [RT #20961]
2887. [bug] Report the keytag times in UTC in the .key file; local time is presented as a comment. [RT #21223]
2886. [bug] ctime() is not thread safe. [RT #21223]
2880. [cleanup] Make the output of dnssec-keygen and dnssec-revoke consistent. [RT #21078]
2873. [bug] Cancelling a dynamic update via the dns/client module could trigger an assertion failure. [RT #21133]
2872. [bug] Modify dns/client.c:dns_client_createx() to only require one of IPv4 or IPv6 rather than both. [RT #21122]
2871. [bug] Type mismatch in mem_api.c between the definition and the header file, causing build failure with --enable-exportlib. [RT #21138]
2861. [doc] dnssec-settime man pages didn't correctly document the inactivation time. [RT #21039]
2860. [bug] named-checkconf's usage was out of date. [RT #21039]
2848. [doc] Moved README.dnssec, README.libdns, README.pkcs11 and README.rfc5011 into the ARM. [RT #20899]
2847. [cleanup] Corrected usage message in dnssec-settime. [RT #20921]
2845. [bug] RFC 5011 client could crash on shutdown. [RT #20903]
2841. [bug] Change 2836 was not complete. [RT #20883]
2839. [bug] A KSK revoked by named could not be deleted. [RT #20881]
2836. [bug] Keys that were scheduled to become active could be delayed. [RT #20874]
2835. [bug] Key inactivity dates were inadvertently stored in the private key file with the outdated tag "Unpublish" rather than "Inactive". This has been fixed; however, any existing keys that had Inactive dates set will now need to have them reset, using 'dnssec-settime -I'. [RT #20868]
2833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime. [RT #20851]
2832. [bug] Modify "struct stat" in lib/export/samples/nsprobe.c to avoid redefinition in some OSs. [RT #20831]
2824. [bug] "rndc sign" was not being run by the correct task. [RT #20759]
2821. [doc] Add note that named-checkconf doesn't automatically read rndc.key and bind.keys. [RT #20758]
2816. [bug] previous_closest_nsec() could fail to return data for NSEC3 nodes. [RT #29730]
2811. [cleanup] Add "rndc sign" to list of commands in rndc usage output. [RT #20733]
2809. [cleanup] Restored accidentally-deleted text in usage output in dnssec-settime and dnssec-revoke. [RT #20739]
2808. [bug] Remove the attempt to install atomic.h from lib/isc. atomic.h is correctly installed by the architecture specific subdirectories. [RT #20722]
2807. [bug] Fixed a possible ASSERT when reconfiguring zone keys. [RT #20720]
2806. [bug] "rndc sign" could delay re-signing the DNSKEY when it had changed. [RT #20703]
2805. [bug] Fixed namespace problems encountered when building external programs using non-exported BIND9 libraries (i.e., built without --enable-exportlib). [RT #20679]
2804. [bug] Send notifies when a zone is signed with "rndc sign" or as a result of a scheduled key change. [RT #20700]
2803. [port] win32: Install named-journalprint, nsec3hash, arpaname and genrandom under windows. [RT #20670]
2802. [cleanup] Rename journalprint to named-journalprint. [RT #20670]
2799. [cleanup] Changed the "secure-to-insecure" option to "dnssec-secure-to-insecure", and "dnskey-ksk-only" to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
2798. [bug] Addressed bugs in managed-keys initialization and rollover. [RT #20683]
2796. [bug] Missing dns_rdataset_disassociate() call in dns_nsec3_delnsec3sx(). [RT #20681]
2795. [cleanup] Add text to differentiate "update with no effect" log messages. [RT #18889]
2794. [bug] Install . [RT #20677]
2791. [bug] The installation of isc-config.sh was broken. [RT #20667]
2788. [bug] dnssec-signzone could sign with keys that were not requested. [RT #20625]
2787. [bug] Spurious log message when zone keys were dynamically reconfigured. [RT #20659]
2785. [bug] Revoked keys could fail to self-sign. [RT #20652]
2781. [bug] Inactive keys could be used for signing. [RT #20649]
2780. [bug] dnssec-keygen -A none didn't properly unset the activation date in all cases. [RT #20648]
2779. [bug] Dynamic key revocation could fail. [RT #20644]
2778. [bug] dnssec-signzone could fail when a key was revoked without deleting the unrevoked version. [RT #20638]
2763. [bug] "rndc sign" didn't create an NSEC chain. [RT #20591]
2761. [cleanup] Enable internal symbol table for backtrace only for systems that are known to work. Currently, BSD variants, Linux and Solaris are supported. [RT #20202]
2775. [bug] Accept RSASHA256 and RSASHA512 as NSEC3 compatible in dnssec-keyfromlabel. [RT #20643]
2773. [bug] In autosigned zones, the SOA could be signed with the KSK. [RT #20628]
2771. [bug] dnssec-signzone: DNSKEY records could be corrupted when importing from key files. [RT #20624]
2770. [cleanup] Add log messages to resolver.c to indicate events causing FORMERR responses. [RT #20526]
2769. [cleanup] Change #2742 was incomplete. [RT #19589]
2768. [bug] dnssec-signzone: -S no longer implies -g. [RT #20568]
2767. [bug] named could crash on startup if a zone was configured with auto-dnssec and there was no key-directory. [RT #20615]
2766. [bug] isc_socket_fdwatchpoke() should only update the socketmgr state if the socket is not pending on a read or write. [RT #20603]
2764. [bug] "rndc-confgen -a" could trigger a REQUIRE. [RT #20610]
2756. [bug] Fixed corrupt logfile message in update.c. [RT #20597]
2753. [bug] Removed an unnecessary warning that could appear when building an NSEC chain. [RT #20589]
2776. [bug] Change #2762 was not correct. [RT #20647]
2762. [bug] DLV validation failed with a local slave DLV zone. [RT #20577]
2752. [bug] Locking violation. [RT #20587]
2751. [bug] Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]
2746. [port] hpux: address signed/unsigned expansion mismatch of dns_rbtnode_t.nsec. [RT #20542]
2745. [bug] configure script didn't probe the return type of gai_strerror(3) correctly. [RT #20573]
2774. [bug] Existing cache DB wasn't being reused after reconfiguration. [RT #20629]
2742. [cleanup] Clarify some DNSSEC-related log messages in validator.c. [RT #19589]
2739. [cleanup] Clean up API for initializing and clearing trust anchors for a view. [RT #20211]
2735. [bug] dnssec-signzone could fail to read keys that were specified on the command line with full paths, but weren't in the current directory. [RT #20421]
2734. [port] cygwin: arpaname did not compile. [RT #20473]
2733. [cleanup] Clean up coding style in pkcs11-* tools. [RT #20355]
2728. [bug] dnssec-keygen, dnssec-keyfromlabel and dnssec-signzone now warn immediately if asked to write into a nonexistent directory. [RT #20278]
2725. [doc] Added information about the file "managed-keys.bind" to the ARM. [RT #20235]
2724. [bug] Updates to an existing node in a secure zone using NSEC were failing. [RT #20448]
2720. [bug] RFC 5011 trust anchor updates could trigger an assert if the DNSKEY record was unsigned. [RT #20406]
2717. [bug] named failed to update the NSEC/NSEC3 record when the last private type record was removed as a result of completing the signing of the zone with a key. [RT #20399]
2711. [port] win32: Add the bin/pkcs11 tools into the full build. [RT #20372]
2694. [bug] Reduce default NSEC3 iterations from 100 to 10. [RT #19970]
2693. [port] Add some noreturn attributes. [RT #20257]
2687. [bug] Fixed dnssec-signzone -S handling of revoked keys. Also, added warnings when revoking a ZSK, as this is not defined by protocol (but is legal). [RT #19943]
2685. [contrib] Update contrib/zkt to version 0.99c. [RT #20054]
2684. [cleanup] dig: formalize +ad and +cd as synonyms for +adflag and +cdflag. [RT #19305]
2682. [bug] "configure --enable-symtable=all" failed to build. [RT #20282]
2676. [bug] --with-export-installdir should have been --with-export-includedir. [RT #20252]
2675. [bug] dnssec-signzone could crash if the key directory did not exist. [RT #20232]
2674. [bug] "dnssec-lookaside auto;" crashed if named was built without openssl. [RT #20231]
2673. [bug] The managed-keys.bind zone file could fail to load due to a spurious result from sync_keyzone(). [RT #20045]
2671. [bug] Add support for PKCS#11 providers not returning the public exponent in RSA private keys (OpenCryptoki for instance) in dnssec-keyfromlabel. [RT #19294]
2664. [bug] create_keydata() and minimal_update() in zone.c didn't properly check return values for some functions. [RT #19956]
2658. [bug] dnssec-settime and dnssec-revoke didn't process key file paths correctly. [RT #20078]
2657. [cleanup] Lower "journal file does not exist, creating it" log level to debug 1. [RT #20058]
2654. [bug] Improve error reporting on duplicated names for deny-answer-xxx. [RT #20164]
2651. [bug] Dates could print incorrectly in K*.key files on 64-bit systems. [RT #20076]
2650. [bug] Assertion failure in dnssec-signzone when trying to read keyset-* files. [RT #20075]
2644. [bug] Change #2628 caused a regression on some systems; named was unable to write the PID file and would fail on startup. [RT #20001]
2641. [bug] Fixed an error in parsing update-policy syntax, added a regression test to check it. [RT #20007]
2638. [bug] Install arpaname. [RT #19957]
2634. [port] win32: Add support for libxml2, enable statschannel. [RT #19773]
2631. [bug] Handle "//", "/./" and "/../" in mkdirpath(). [RT #19926]
2629. [port] Check for seteuid()/setegid(), use setresuid()/setresgid() if not present. [RT #19932]
2628. [port] linux: Allow /var/run/named/named.pid to be opened at startup with reduced capabilities in operation. [RT #19884]
2627. [bug] Named aborted if the same key was included in trusted-keys more than once. [RT #19918]
2626. [bug] Multiple trusted-keys could trigger an assertion failure. [RT #19914]
2622. [bug] Printing of named.conf grammar was broken. [RT #19919]
2600. [doc] ARM: miscellaneous reformatting for different page widths. [RT #19574]
2566. [cleanup] Clarify logged message when an insecure DNSSEC response arrives from a zone thought to be secure: "insecurity proof failed" instead of "not insecure". [RT #19400]
2525. [experimental] New logging category "query-errors" to provide detailed internal information about query failures, especially about server failures. [RT #19027]
2537. [func] Added more statistics counters including those on socket I/O events and query RTT histograms. [RT #18802]
2655. [doc] Document that key-directory does not affect rndc.key. [RT #20155]
2834. [bug] HMAC-SHA* keys that were longer than the algorithm digest length were used incorrectly, leading to interoperability problems with other DNS implementations. This has been corrected. (Note: If an oversize key is in use, and compatibility is needed with an older release of BIND, the new tool "isc-hmac-fixup" can convert the key secret to a form that will work with all versions.) [RT #20751]
2840. [bug] Temporarily fixed pkcs11-destroy usage check. [RT #20760]
3010. [bug] Fixed a bug where "rndc reconfig" stopped the timer for refreshing managed-keys. [RT #22296]
3013. [bug] The DNS64 ttl was not always being set as expected. [RT #23034]
3017. [doc] dnssec-keyfromlabel -I was not properly documented. [RT #22887]
3020. [bug] auto-dnssec failed to correctly update the zone when changing the DNSKEY RRset. [RT #23232]
3021. [bug] Change #3010 was incomplete. [RT #22296]
3022. [bug] Fixed rpz SERVFAILs after failed zone transfers. [RT #23246]
3038. [bug] Install . [RT #23342]
3045. [removed] Replaced by change #3050.
3048. [bug] Fully separate view key management. [RT #23419]
3050. [bug] The autosign system test was timing dependent. Wait for the initial autosigning to complete before running the rest of the test. [RT #23035]
3052. [test] Fixed last autosign test report. [RT #23256]
3054. [bug] Added elliptic curve support check in GOST OpenSSL engine detection. [RT #23485]
3057. [bug] "rndc secroots" would abort after the first error and so could miss some views. [RT #23488]
3072. [bug] dns_dns64_aaaaok() potential NULL pointer dereference. [RT #20256]
3073. [bug] managed-keys changes were not properly being recorded. [RT #20256]
3075. [bug] dns_dnssec_findzonekeys{2} used an inconsistent timestamp when determining which keys are active. [RT #23642]
3077. [bug] zone.c:zone_refreshkeys() incorrectly called dns_zone_attach(); use zone->irefs instead. [RT #23303]
3082. [port] strtok_r is threads only. [RT #23747]
3086. [bug] Running dnssec-settime -f on an old-style key will now force an update to the new key format even if no other change has been specified, using "-P now -A now" as default values. [RT #22474]
3087. [bug] DDNS updates using SIG(0) with update-policy match type "external" could cause a crash. [RT #23735]
3091. [bug] Fixed a bug in which zone keys that were published and then subsequently activated could fail to trigger automatic signing. [RT #22911]
3094. [doc] Expand dns64 documentation.
3096. [bug] Set KRB5_KTNAME before calling log_cred() in dst_gssapi_acceptctx(). [RT #24004]
2655. [doc] Document that key-directory does not affect bind.keys, rndc.key or session.key. [RT #20155]
2810. [doc] Clarified the process of transitioning an NSEC3 zone to insecure. [RT #20746]