3514. [bug] The ranges for valid key sizes in ddns-confgen and rndc-confgen were too constrained. Keys up to 512 bits are now allowed for most algorithms, and up to 1024 bits for hmac-sha384 and hmac-sha512. [RT #32753]

3511. [doc] Improve documentation of redirect zones. [RT #32756]

3507. [bug] Statistics channel XSL had a glitch when attempting to chart query data before any queries had been received. [RT #32620]

3505. [bug] When setting "max-cache-size" and "max-acache-size", larger values than 4 gigabytes could not be set explicitly, though larger sizes were available when setting cache size to 0. This has been corrected; the full range is now available. [RT #32358]

3500. [port] Support NAPTR regular expression validation on all platforms. [RT #32688]

3493. [contrib] Added BDBHPT dynamically-loadable DLZ module, contributed by Mark Goldfinch. [RT #32549]

3492. [bug] Fixed a regression in zone loading performance due to lock contention. [RT #30399]

3491. [bug] Slave zones using inline-signing must specify a file name. [RT #31946]

3490. [bug] When logging RDATA during update, truncate if it's too long. [RT #32365]

3489. [bug] --enable-developer now turns on ISC_LIST_CHECKINIT. When cloning a rdataset do not copy the link contents. [RT #32651]

3488. [bug] Use after free error with DH generated keys. [RT #32649]

3486. [bug] named could crash when using TKEY-negotiated keys that had been deleted and then recreated. [RT #32506]

3485. [cleanup] Only compile openssl_gostlink.c if we support GOST.

3484. [bug] Some statistics were incorrectly rendered in XML. [RT #32587]

3480. [bug] Silence logging noise when setting up zone statistics. [RT #32525]

3476. [bug] "rndc zonestatus" could report a spurious "not found" error on inline-signing zones. [RT #29226]

3475. [cleanup] Changed name of 'map' zone file format (previously 'fast'). [RT #32458]

3473.
[bug] dnssec-signzone/verify could incorrectly report an error condition due to an empty node above an opt-out delegation lacking an NSEC3. [RT #32072]

3472. [bug] The active-connections counter in the socket statistics could underflow. [RT #31747]

3471. [bug] The number of UDP dispatches now defaults to the number of CPUs even if -n has been set to a higher value. [RT #30964]

3469. [bug] Handle DLZ lookup failures more gracefully. Improve backward compatibility between versions of DLZ dlopen API. [RT #32275]

3468. [security] RPZ rules to generate A records (but not AAAA records) could trigger an assertion failure when used in conjunction with DNS64 (CVE-2012-5689). [RT #32141]

3467. [bug] Added checks in dnssec-keygen and dnssec-settime to check for delete date < inactive date. [RT #31719]

3466. [contrib] Corrected the DNS_CLIENTINFOMETHODS_VERSION check in DLZ example driver. [RT #32275]

3464. [maint] Updates to PKCS#11 openssl patches, supporting versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]

3463. [doc] Clarify managed-keys syntax in ARM. [RT #32232]

3460. [bug] Only link against readline where needed. [RT #29810]

3453. [bug] 'rndc addzone' of a zone with 'inline-signing yes;' failed. [RT #31960]

3443. [bug] ddns-confgen: Some TSIG algorithms were incorrectly rejected when generating keys. [RT #31927]

3434. [bug] Pass client info to the DLZ findzone() entry point in addition to lookup(). This makes it possible for a database to answer differently whether it's authoritative for a name depending on the address of the client. [RT #31775]

3433. [bug] dlz_findzone() did not correctly handle ISC_R_NOMORE. [RT #31172]

3431. [bug] ddns-confgen: Some valid key algorithms were not accepted. [RT #31927]

3426. [bug] dnssec-checkds: Clearer output when records are not found. [RT #31968]

3423. [bug] "rndc signing -nsec3param" didn't accept the full range of possible values. Address portability issues. [RT #31938]

3422.
[bug] Added a clear error message for when the SOA does not match the referral. [RT #31281]

3416. [bug] Named could die on shutdown if running with 128 UDP dispatches per interface. [RT #31743]

3414. [bug] Address locking issues found by Coverity. [RT #31626]

3408. [bug] Some DNSSEC-related options (update-check-ksk, dnssec-loadkeys-interval, dnssec-dnskey-kskonly) are now legal in slave zones as long as inline-signing is in use. [RT #31078]

3399. [port] netbsd: rename 'bool' parameter to avoid namespace clash. [RT #31515]

3398. [bug] SOA parameters were not being updated with inline signed zones if the zone was modified while the server was offline. [RT #29272]

3385. [bug] named-checkconf didn't detect missing master lists in also-notify clauses. [RT #30810]

3384. [bug] Improved logging of crypto errors. [RT #30963]

3378. [bug] Handle missing 'managed-keys-directory' better. [RT #30625]

3377. [bug] Removed spurious newline from NSEC3 multiline output. [RT #31044]

3375. [bug] 'rndc dumpdb' failed on empty caches. [RT #30808]

3370. [bug] Address use after free while shutting down. [RT #30241]

3368. [bug] , and were not C++ safe.

3367. [bug] dns_dnsseckey_create() result was not being checked. [RT #30685]

3363. [bug] Need to allow "forward" and "forwarders" options in static-stub zones; this had been overlooked. [RT #30482]

3361. [bug] "rndc signing -nsec3param" didn't work correctly when salt was set to '-' (no salt). [RT #30099]

3356. [bug] Cap the TTL of signed RRsets when RRSIGs are approaching their expiry, so they don't remain in caches after expiry. [RT #26429]

3355. [port] Use more portable awk in verify system test.

3353. [bug] Use a single task for task exclusive operations. [RT #29872]

3351. [bug] isc_mem_put and isc_mem_putanddetach didn't report caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX memory debugging flags are set. [RT #30243]

3349. [bug] Change #3345 was incomplete. [RT #30233]

3347.
[bug] dnssec-settime: Issue a warning when writing a new private key file would cause a change in the permissions of the existing file. [RT #27724]

3345. [bug] Addressed race condition when removing the last item or inserting the first item in an ISC_QUEUE. [RT #29539]

3338. [bug] Address race condition in unit tests: asyncload_zone and asyncload_zt. [RT #26100]

3334. [bug] Hold a zone table reference while performing an asynchronous load of a zone. [RT #28326]

3333. [bug] Setting resolver-query-timeout too low can cause named to not recover if it loses connectivity. [RT #29623]

3324. [test] Add better tests for ADB stats [RT #27057]

3317. [protocol] Add ECDSA support (RFC 6605). [RT #21918]

3316. [tuning] Improved locking performance when recursing. [RT #28836]

3315. [tuning] Use multiple dispatch objects for sending upstream queries; this can improve performance on busy multiprocessor systems by reducing lock contention. [RT #28605]

3312. [bug] named-checkconf didn't detect a bad dns64 clients acl. [RT #27631]

3306. [bug] Improve DNS64 reverse zone performance. [RT #28563]

3305. [func] Add wire format lookup method to sdb. [RT #28563]

3303. [bug] named could die when reloading. [RT #28606]

3302. [bug] dns_dnssec_findmatchingkeys could fail to find keys if the zone name contained characters that required special mappings. [RT #28600]

3296. [bug] Named could die with an INSIST failure in client.c:exit_check. [RT #28346]

3289. [bug] 'rndc retransfer' failed for inline zones. [RT #28036]

3288. [bug] dlz_destroy() function wasn't correctly registered by the DLZ dlopen driver. [RT #28056]

3286. [bug] Managed key maintenance timer could fail to start after 'rndc reconfig'. [RT #26786]

3280. [bug] Potential double free of a rdataset on out of memory with DNS64. [RT #27762]

3279. [bug] Hold an internal reference to the zone while performing an asynchronous load. Address potential memory leak if the asynchronous load is cancelled. [RT #27750]

3278.
[bug] Make sure automatic key maintenance is started when "auto-dnssec maintain" is turned on during "rndc reconfig". [RT #26805]

3277. [bug] win32: isc_socket_dup is not implemented. [RT #27696]

3276. [bug] win32: ns_os_openfile failed to return NULL on safe_open failure. [RT #27696]

3275. [bug] Corrected rndc -h output; the 'rndc sync -clean' option had been misspelled as '-clear'. (To avoid future confusion, both options now work.) [RT #27173]

3273. [bug] AAAA responses could be returned in the additional section even when filter-aaaa-on-v4 was in use. [RT #27292]

3271. [port] darwin: mksymtbl is not always stable, loop several times before giving up. mksymtbl was using non-portable perl to convert 64 bit hex strings. [RT #27653]

3270. [bug] "rndc reload" didn't reuse existing zones correctly when inline-signing was in use. [RT #27650]

3269. [port] darwin 11 and later now built threaded by default.

3265. [bug] Address lock order reversal with inline-signing support. [RT #27557]

3264. [bug] Automatic regeneration of signatures in an inline-signing zone could stall when the server was restarted. [RT #27344]

3263. [bug] "rndc sync" did not affect the unsigned side of an inline-signing zone. [RT #27337]

3262. [bug] Signed responses were handled incorrectly by RPZ. [RT #27316]

3258. [test] Add "forcing full sign with unreadable keys" test. [RT #27153]

3252. [bug] When master zones using inline-signing were updated while the server was offline, the source zone could fall out of sync with the signed copy. They can now resynchronize. [RT #26676]

3248. [bug] Configure options --enable-fixed-rrset and --enable-exportlib were incompatible with each other. [RT #27087]

3246. [bug] Named failed to start with an empty also-notify list. [RT #27087]

3245. [bug] Don't report an error for unchanged serials unless there were other changes when thawing a zone with ixfr-from-differences. [RT #26845]

3243. [port] freebsd,netbsd,bsdi: the thread defaults were not being properly set.

3240.
[bug] DNSKEY state change events could be missed. [RT #26874]

3239. [bug] dns_dnssec_findmatchingkeys needs to use a consistent timestamp. [RT #26883]

3236. [bug] Backed out changes #3182 and #3202, related to EDNS(0) fallback behavior. [RT #26416]

3233. [bug] 'rndc freeze/thaw' didn't work for inline zones. [RT #26632]

3229. [bug] Fix local variable to struct var assignment found by CLANG warning.

3225. [bug] Silence spurious "setsockopt(517, IPV6_V6ONLY) failed" messages. [RT #26507]

3224. [bug] 'rndc signing' argument parsing was broken. [RT #26684]

3223. [bug] 'task_test privilege_drop' generated false positives. [RT #26766]

3222. [cleanup] Replace dns_journal_{get,set}_bitws with dns_journal_{get,set}_sourceserial. [RT #26634]

3220. [bug] Change #3186 was incomplete; dns_db_rpz_findips() could fail to set the database version correctly, causing an assertion failure. [RT #26180]

3219. [bug] Disable NOEDNS caching following a timeout.

3217. [cleanup] Fix build problem with --disable-static. [RT #26476]

3215. [bug] 'rndc recursing' could cause a core dump. [RT #26495]

3210. [bug] Canceling the oldest query due to recursive-client overload could trigger an assertion failure. [RT #26463]

3202. [bug] NOEDNS caching on timeout was too aggressive. [RT #26416]

3198. [doc] Clarified that dnssec-settime can alter keyfile permissions. [RT #24866]

3195. [cleanup] Silence "file not found" warnings when loading managed-keys zone. [RT #26340]

3188. [bug] zone.c:zone_refreshkeys() could fail to detach references correctly when errors occurred, causing a hang on shutdown. [RT #26372]

3186. [bug] Version/db mis-match in rpz code. [RT #26180]

3184. [bug] named had excessive cpu usage when a redirect zone was configured. [RT #26013]

3183. [bug] Added RTLD_GLOBAL flag to dlopen call. [RT #26301]

3182.
[bug] Auth servers behind firewalls which block packets greater than 512 bytes may cause other servers to perform poorly. Now, adb retains edns information and caches noedns servers. [RT #23392/24964]

3178. [bug] A race condition introduced by change #3163 could cause an assertion failure on shutdown. [RT #26271]

3176. [doc] Corrected example code and added a README to the sample external DLZ module in contrib/dlz/example. [RT #26215]

3174. [bug] Always compute the revoked key tag from scratch. [RT #26186]

3172. [port] darwin 10.* and freebsd [89] are now built threaded by default.

3171. [bug] Exclusively lock the task when adding a zone using 'rndc addzone'. [RT #25600]

3168. [bug] Nxdomain redirection could trigger an assert with an ANY query. [RT #26017]

3166. [bug] Upgrading a zone to support inline-signing failed. [RT #26014]

3165. [bug] dnssec-signzone could generate new signatures when resigning, even when valid signatures were already present. [RT #26025]

3163. [bug] Use finer-grained locking in client.c to address concurrency problems with large numbers of threads. [RT #26044]

3161. [bug] zone.c:del_sigs did not always reset rdata, leading to assertion failures. [RT #25880]

3160. [bug] When printing out a NSEC3 record in multiline form the newline was not being printed causing type codes to be run together. [RT #25873]

3159. [bug] On some platforms, named could assert on startup when running in a chrooted environment without /proc. [RT #25863]

3158. [bug] Recursive servers would prefer a particular UDP socket instead of using all available sockets. [RT #26038]

3155. [bug] Fixed a build failure when using contrib DLZ drivers (e.g., mysql, postgresql, etc). [RT #25710]

3152. [cleanup] Some versions of gcc and clang failed due to incorrect use of __builtin_expect. [RT #25183]

3142. [bug] NAPTR is class agnostic. [RT #25429]

3141. [bug] Silence spurious "zone serial (0) unchanged" messages associated with empty zones. [RT #25079]

3133.
[bug] Change #3114 was incomplete. [RT #24577]

3131. [tuning] Improve scalability by allocating one zone task per 100 zones at startup time, rather than using a fixed-size task table. [RT #24406]

3129. [bug] Named could crash on 'rndc reconfig' when allow-new-zones was set to yes and named ACLs were used. [RT #22739]

3127. [bug] 'rndc thaw' will now remove a zone's journal file if the zone serial number has been changed and ixfr-from-differences is not in use. [RT #24687]

3126. [security] Using a DNAME record to generate replacements caused RPZ to exit with an assertion failure. [RT #24766]

3125. [security] Using wildcard CNAME records as a replacement with RPZ caused named to exit with an assertion failure. [RT #24715]

3122. [cleanup] dnssec-settime: corrected usage message. [RT #24664]

3119. [bug] When rolling to a new DNSSEC key, a private-type record could be created and never marked complete. [RT #23253]

3117. [cleanup] Remove doc and parser references to the never-implemented 'auto-dnssec create' option. [RT #24533]

3115. [bug] Named could fail to return requested data when following a CNAME that points into the same zone. [RT #24455]

3114. [bug] Retain expired RRSIGs in dynamic zones if key is inactive and there is no replacement key. [RT #23136]

3111. [bug] Improved consistency checks for dnssec-enable and dnssec-validation, added test cases to the checkconf system test. [RT #24398]

3108. [cleanup] dnssec-signzone: Clarified some error and warning messages; removed #ifdef ALLOW_KSKLESS_ZONES code (use -P instead). [RT #20852]

3107. [bug] dnssec-signzone: Report the correct number of ZSKs when using -x. [RT #20852]

3105. [bug] GOST support can be suppressed by "configure --without-gost" [RT #24367]

3103. [bug] Configuring 'dnssec-validation auto' in a view instead of in the options statement could trigger an assertion failure in named-checkconf. [RT #24382]

3101. [bug] Zones using automatic key maintenance could fail to check the key repository for updates.
[RT #23744]

3100. [security] Certain response policy zone configurations could trigger an INSIST when receiving a query of type RRSIG. [RT #24280]

3098. [bug] DLZ zones were answering without setting the AA bit. [RT #24146]

3096. [bug] Set KRB5_KTNAME before calling log_cred() in dst_gssapi_acceptctx(). [RT #24004]

3094. [doc] Expand dns64 documentation.

3093. [bug] Fix gssapi/kerberos dependencies [RT #23836]

3092. [bug] Signatures for records at the zone apex could go stale due to an incorrect timer setting. [RT #23769]

3091. [bug] Fixed a bug in which zone keys that were published and then subsequently activated could fail to trigger automatic signing. [RT #22911]

3087. [bug] DDNS updates using SIG(0) with update-policy match type "external" could cause a crash. [RT #23735]

3086. [bug] Running dnssec-settime -f on an old-style key will now force an update to the new key format even if no other change has been specified, using "-P now -A now" as default values. [RT #22474]

3082. [port] strtok_r is threads only. [RT #23747]

3077. [bug] zone.c:zone_refreshkeys() incorrectly called dns_zone_attach(), use zone->irefs instead. [RT #23303]

3075. [bug] dns_dnssec_findzonekeys{2} used an inconsistent timestamp when determining which keys are active. [RT #23642]

3073. [bug] managed-keys changes were not properly being recorded. [RT #20256]

3072. [bug] dns_dns64_aaaaok() potential NULL pointer dereference. [RT #20256]

3070. [bug] dnssec-signzone potential NULL pointer dereference. [RT #20256]

3057. [bug] "rndc secroots" would abort after the first error and so could miss some views. [RT #23488]

3054. [bug] Added elliptic curve support check in GOST OpenSSL engine detection. [RT #23485]

3052. [test] Fixed last autosign test report. [RT #23256]

3050. [bug] The autosign system test was timing dependent. Wait for the initial autosigning to complete before running the rest of the test. [RT #23035]

3049. [bug] Save and restore the gid when creating named.pid at startup.
[RT #23290]

3048. [bug] Fully separate view key management. [RT #23419]

3047. [bug] Fixed DNSKEY NODATA responses not being cached in validator.c. Tests added to dnssec system test. [RT #22908]

3045. [removed] Replaced by change #3050.

3038. [bug] Install . [RT #23342]

3022. [bug] Fixed rpz SERVFAILs after failed zone transfers [RT #23246]

3021. [bug] Change #3010 was incomplete. [RT #22296]

3020. [bug] auto-dnssec failed to correctly update the zone when changing the DNSKEY RRset. [RT #23232]

3017. [doc] dnssec-keyfromlabel -I was not properly documented. [RT #22887]

3013. [bug] The DNS64 ttl was not always being set as expected. [RT #23034]

3010. [bug] Fixed a bug where "rndc reconfig" stopped the timer for refreshing managed-keys. [RT #22296]

3005. [port] Solaris: Work around the lack of gsskrb5_register_acceptor_identity() by setting the KRB5_KTNAME environment variable to the contents of tkey-gssapi-keytab. Also fixed test errors on MacOSX. [RT #22853]

3003. [experimental] Added update-policy match type "external", enabling named to defer the decision of whether to allow a dynamic update to an external daemon. (Contributed by Andrew Tridgell.) [RT #22758]

3000. [bug] More TKEY/GSS fixes:
- nsupdate can now get the default realm from the user's Kerberos principal
- corrected gsstest compilation flags
- improved documentation
- fixed some NULL dereferences
[RT #22795]

2992. [contrib] contrib/check-secure-delegation.pl: A simple tool for looking at a secure delegation. [RT #22059]

2991. [contrib] contrib/zone-edit.sh: A simple zone editing tool for dynamic zones. [RT #22365]

2990. [bug] 'dnssec-settime -S' no longer tests prepublication interval validity when the interval is set to 0. [RT #22761]

2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than linked with named. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen".
Note: the syntax for configuring DLZ zones is likely to be refined in future releases. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629]

2985. [bug] Add a regression test for change #2896. [RT #21324]

2983. [bug] Include "loadkeys" in rndc help output. [RT #22493]

2980. [bug] named didn't properly handle UPDATES that changed the TTL of the NSEC3PARAM RRset. [RT #22363]

2977. [bug] 'nsupdate -l': report if the session key is missing. [RT #21670]

2974. [bug] Some valid UPDATE requests could fail due to a consistency check examining the existing version of the zone rather than the new version resulting from the UPDATE. [RT #22413]

2973. [bug] bind.keys.h was being removed by the "make clean" at the end of configure, resulting in build failures where a very old version of perl is installed. Move it to "make maintainer-clean". [RT #22230]

2963. [security] The allow-query acl was being applied instead of the allow-query-cache acl to cache lookups. [RT #22114]

2961. [bug] Be still more selective about the non-authoritative answers we apply change 2748 to. [RT #22074]

2958. [bug] named failed to start with a missing master file. [RT #22076]

2949. [bug] dns_view_setnewzones() contained a memory leak if it was called multiple times. [RT #21942]

2948. [port] MacOS: provide a mechanism to configure the test interfaces at reboot. See bin/tests/system/README for details.

2940. [port] Remove connection aborted error message on Windows. [RT #21549]

2938. [bug] When generating signed responses from a signed zone that uses NSEC3, named would use an uninitialised pointer if it needed to skip an NSEC3 record because it didn't match the selected NSEC3PARAM record for the zone. [RT #21868]

2930. [experimental] New "rndc addzone" and "rndc delzone" commands allow dynamic addition and deletion of zones. To enable this feature, specify a "new-zone-file" option at the view or options level in named.conf.
Zone configuration information for the new zones will be written into that file. To make the new zones persist after a restart, "include" the file into named.conf in the appropriate view. (Note: This feature is not yet documented, and its syntax is expected to change.) [RT #19447]

2928. [bug] Be more selective about the non-authoritative answer we apply change 2748 to. [RT #21594]

2914. [bug] Make the "autosign" system test more portable. [RT #20997]

2909. [bug] named-checkconf -p could die if "update-policy local;" was specified in named.conf. [RT #21416]

2907. [bug] The export version of libdns had undefined references. [RT #21444]

2906. [bug] Address RFC 5011 implementation issues. [RT #20903]

2903. [bug] managed-keys-directory missing from namedconf.c. [RT #21370]

2897. [bug] NSEC3 chains could be left behind when transitioning to insecure. [RT #21040]

2896. [bug] "rndc sign" failed to properly update the zone when adding a DNSKEY for publication only. [RT #21045]

2893. [bug] Improve managed keys support. New named.conf option managed-keys-directory. [RT #20924]

2892. [bug] Handle REVOKED keys better. [RT #20961]

2887. [bug] Report the keytag times in UTC in the .key file; local time is presented as a comment within the comment. [RT #21223]

2886. [bug] ctime() is not thread safe. [RT #21223]

2880. [cleanup] Make the output of dnssec-keygen and dnssec-revoke consistent. [RT #21078]

2873. [bug] Cancelling a dynamic update via the dns/client module could trigger an assertion failure. [RT #21133]

2872. [bug] Modify dns/client.c:dns_client_createx() to only require one of IPv4 or IPv6 rather than both. [RT #21122]

2871. [bug] Type mismatch in mem_api.c between the definition and the header file, causing build failure with --enable-exportlib. [RT #21138]

2861. [doc] dnssec-settime man pages didn't correctly document the inactivation time. [RT #21039]

2860. [bug] named-checkconf's usage was out of date. [RT #21039]

2848.
[doc] Moved README.dnssec, README.libdns, README.pkcs11 and README.rfc5011 into the ARM. [RT #20899]

2847. [cleanup] Corrected usage message in dnssec-settime. [RT #20921]

2845. [bug] RFC 5011 client could crash on shutdown. [RT #20903]

2841. [bug] Change 2836 was not complete. [RT #20883]

2840. [bug] Temporarily fixed pkcs11-destroy usage check. [RT #20760]

2839. [bug] A KSK revoked by named could not be deleted. [RT #20881]

2836. [bug] Keys that were scheduled to become active could be delayed. [RT #20874]

2835. [bug] Key inactivity dates were inadvertently stored in the private key file with the outdated tag "Unpublish" rather than "Inactive". This has been fixed; however, any existing keys that had Inactive dates set will now need to have them reset, using 'dnssec-settime -I'. [RT #20868]

2834. [bug] HMAC-SHA* keys that were longer than the algorithm digest length were used incorrectly, leading to interoperability problems with other DNS implementations. This has been corrected. (Note: If an oversize key is in use, and compatibility is needed with an older release of BIND, the new tool "isc-hmac-fixup" can convert the key secret to a form that will work with all versions.) [RT #20751]

2833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime. [RT #20851]

2832. [bug] Modify "struct stat" in lib/export/samples/nsprobe.c to avoid redefinition in some OSs [RT #20831]

2830. [bug] Changing the OPTOUT setting could take multiple passes. [RT #20813]

2829. [bug] Fixed potential node inconsistency in rbtdb.c. [RT #20808]

2826. [bug] NSEC3->NSEC transitions could fail due to a lock not being released. [RT #20740]

2824. [bug] "rndc sign" was not being run by the correct task. [RT #20759]

2822. [bug] rbtdb.c:loadnode() could return the wrong result. [RT #20802]

2821. [doc] Add note that named-checkconf doesn't automatically read rndc.key and bind.keys [RT #20758]

2816. [bug] previous_closest_nsec() could fail to return data for NSEC3 nodes [RT #29730]

2813.
[bug] Better handling of unreadable DNSSEC key files. [RT #20710]

2812. [bug] Make sure updates can't result in a zone with NSEC-only keys and NSEC3 records. [RT #20748]

2811. [cleanup] Add "rndc sign" to list of commands in rndc usage output. [RT #20733]

2810. [doc] Clarified the process of transitioning an NSEC3 zone to insecure. [RT #20746]

2809. [cleanup] Restored accidentally-deleted text in usage output in dnssec-settime and dnssec-revoke [RT #20739]

2808. [bug] Remove the attempt to install atomic.h from lib/isc. atomic.h is correctly installed by the architecture specific subdirectories. [RT #20722]

2807. [bug] Fixed a possible ASSERT when reconfiguring zone keys. [RT #20720]

2806. [bug] "rndc sign" could delay re-signing the DNSKEY when it had changed. [RT #20703]

2805. [bug] Fixed namespace problems encountered when building external programs using non-exported BIND9 libraries (i.e., built without --enable-exportlib). [RT #20679]

2804. [bug] Send notifies when a zone is signed with "rndc sign" or as a result of a scheduled key change. [RT #20700]

2803. [port] win32: Install named-journalprint, nsec3hash, arpaname and genrandom under windows. [RT #20670]

2802. [cleanup] Rename journalprint to named-journalprint. [RT #20670]

2799. [cleanup] Changed the "secure-to-insecure" option to "dnssec-secure-to-insecure", and "dnskey-ksk-only" to "dnssec-dnskey-kskonly", for clarity. [RT #20586]

2798. [bug] Addressed bugs in managed-keys initialization and rollover. [RT #20683]

2796. [bug] Missing dns_rdataset_disassociate() call in dns_nsec3_delnsec3sx(). [RT #20681]

2795. [cleanup] Add text to differentiate "update with no effect" log messages. [RT #18889]

2794. [bug] Install . [RT #20677]

2791. [bug] The installation of isc-config.sh was broken. [RT #20667]

2788. [bug] dnssec-signzone could sign with keys that were not requested [RT #20625]

2787. [bug] Spurious log message when zone keys were dynamically reconfigured. [RT #20659]

2785.
[bug] Revoked keys could fail to self-sign [RT #20652]

2781. [bug] Inactive keys could be used for signing. [RT #20649]

2780. [bug] dnssec-keygen -A none didn't properly unset the activation date in all cases. [RT #20648]

2779. [bug] Dynamic key revocation could fail. [RT #20644]

2778. [bug] dnssec-signzone could fail when a key was revoked without deleting the unrevoked version. [RT #20638]

2776. [bug] Change #2762 was not correct. [RT #20647]

2775. [bug] Accept RSASHA256 and RSASHA512 as NSEC3 compatible in dnssec-keyfromlabel. [RT #20643]

2774. [bug] Existing cache DB wasn't being reused after reconfiguration. [RT #20629]

2773. [bug] In autosigned zones, the SOA could be signed with the KSK. [RT #20628]

2771. [bug] dnssec-signzone: DNSKEY records could be corrupted when importing from key files [RT #20624]

2770. [cleanup] Add log messages to resolver.c to indicate events causing FORMERR responses. [RT #20526]

2769. [cleanup] Change #2742 was incomplete. [RT #19589]

2768. [bug] dnssec-signzone: -S no longer implies -g [RT #20568]

2767. [bug] named could crash on startup if a zone was configured with auto-dnssec and there was no key-directory. [RT #20615]

2766. [bug] isc_socket_fdwatchpoke() should only update the socketmgr state if the socket is not pending on a read or write. [RT #20603]

2764. [bug] "rndc-confgen -a" could trigger a REQUIRE. [RT #20610]

2763. [bug] "rndc sign" didn't create an NSEC chain. [RT #20591]

2762. [bug] DLV validation failed with a local slave DLV zone. [RT #20577]

2761. [cleanup] Enable internal symbol table for backtrace only for systems that are known to work. Currently, BSD variants, Linux and Solaris are supported. [RT #20202]

2756. [bug] Fixed corrupt logfile message in update.c. [RT #20597]

2753. [bug] Removed an unnecessary warning that could appear when building an NSEC chain. [RT #20589]

2752. [bug] Locking violation. [RT #20587]

2751. [bug] Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]

2746.
[port] hpux: address signed/unsigned expansion mismatch of dns_rbtnode_t.nsec. [RT #20542]

2745. [bug] configure script didn't probe the return type of gai_strerror(3) correctly. [RT #20573]

2742. [cleanup] Clarify some DNSSEC-related log messages in validator.c. [RT #19589]

2739. [cleanup] Clean up API for initializing and clearing trust anchors for a view. [RT #20211]

2735. [bug] dnssec-signzone could fail to read keys that were specified on the command line with full paths, but weren't in the current directory. [RT #20421]

2734. [port] cygwin: arpaname did not compile. [RT #20473]

2733. [cleanup] Clean up coding style in pkcs11-* tools. [RT #20355]

2728. [bug] dnssec-keygen, dnssec-keyfromlabel and dnssec-signzone now warn immediately if asked to write into a nonexistent directory. [RT #20278]

2725. [doc] Added information about the file "managed-keys.bind" to the ARM. [RT #20235]

2724. [bug] Updates to an existing node in a secure zone using NSEC were failing. [RT #20448]

2720. [bug] RFC 5011 trust anchor updates could trigger an assert if the DNSKEY record was unsigned. [RT #20406]

2717. [bug] named failed to update the NSEC/NSEC3 record when the last private type record was removed as a result of completing the signing of the zone with a key. [RT #20399]

2711. [port] win32: Add the bin/pkcs11 tools into the full build. [RT #20372]

2694. [bug] Reduce default NSEC3 iterations from 100 to 10. [RT #19970]

2693. [port] Add some noreturn attributes. [RT #20257]

2687. [bug] Fixed dnssec-signzone -S handling of revoked keys. Also, added warnings when revoking a ZSK, as this is not defined by protocol (but is legal). [RT #19943]

2685. [contrib] Update contrib/zkt to version 0.99c. [RT #20054]

2684. [cleanup] dig: formalize +ad and +cd as synonyms for +adflag and +cdflag. [RT #19305]

2682. [bug] "configure --enable-symtable=all" failed to build. [RT #20282]

2676. [bug] --with-export-installdir should have been --with-export-includedir. [RT #20252]

2675.
[bug] dnssec-signzone could crash if the key directory did not exist. [RT #20232]

2674. [bug] "dnssec-lookaside auto;" crashed if named was built without openssl. [RT #20231]

2673. [bug] The managed-keys.bind zone file could fail to load due to a spurious result from sync_keyzone() [RT #20045]

2671. [bug] Add support for PKCS#11 providers not returning the public exponent in RSA private keys (OpenCryptoki for instance) in dnssec-keyfromlabel. [RT #19294]

2664. [bug] create_keydata() and minimal_update() in zone.c didn't properly check return values for some functions. [RT #19956]

2658. [bug] dnssec-settime and dnssec-revoke didn't process key file paths correctly. [RT #20078]

2657. [cleanup] Lower "journal file does not exist, creating it" log level to debug 1. [RT #20058]

2655. [doc] Document that key-directory does not affect bind.keys, rndc.key or session.key. [RT #20155]

2654. [bug] Improve error reporting on duplicated names for deny-answer-xxx. [RT #20164]

2651. [bug] Dates could print incorrectly in K*.key files on 64-bit systems. [RT #20076]

2650. [bug] Assertion failure in dnssec-signzone when trying to read keyset-* files. [RT #20075]

2644. [bug] Change #2628 caused a regression on some systems; named was unable to write the PID file and would fail on startup. [RT #20001]

2641. [bug] Fixed an error in parsing update-policy syntax, added a regression test to check it. [RT #20007]

2638. [bug] Install arpaname. [RT #19957]

2634. [port] win32: Add support for libxml2, enable statschannel. [RT #19773]

2631. [bug] Handle "//", "/./" and "/../" in mkdirpath(). [RT #19926]

2629. [port] Check for seteuid()/setegid(), use setresuid()/setresgid() if not present. [RT #19932]

2628. [port] linux: Allow /var/run/named/named.pid to be opened at startup with reduced capabilities in operation. [RT #19884]

2627. [bug] Named aborted if the same key was included in trusted-keys more than once. [RT #19918]

2626. [bug] Multiple trusted-keys could trigger an assertion failure.
[RT #19914]

2622. [bug] Printing of named.conf grammar was broken. [RT #19919]

2600. [doc] ARM: miscellaneous reformatting for different page widths. [RT #19574]

2566. [cleanup] Clarify logged message when an insecure DNSSEC response arrives from a zone thought to be secure: "insecurity proof failed" instead of "not insecure". [RT #19400]

2537. [func] Added more statistics counters including those on socket I/O events and query RTT histograms. [RT #18802]

2525. [experimental] New logging category "query-errors" to provide detailed internal information about query failures, especially about server failures. [RT #19027]