ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity
Files
b0a795525051578a31171515e0bbf9f267c185c0
bind9/EXCLUDED
Mark Andrews 9b01b03fd6 9.6-ESV-R5b1
2011-04-08 02:19:06 +00:00

520 lines
21 KiB
Plaintext
Raw Blame History

3005. [port] Solaris: Work around the lack of
gsskrb5_register_acceptor_identity() by setting
the KRB5_KTNAME environment variable to the
contents of tkey-gssapi-keytab. Also fixed
test errors on MacOSX. [RT #22853]
3003. [experimental] Added update-policy match type "external",
enabling named to defer the decision of whether to
allow a dynamic update to an external daemon.
(Contributed by Andrew Tridgell.) [RT #22758]
3000. [bug] More TKEY/GSS fixes:
- nsupdate can now get the default realm from
the user's Kerberos principal
- corrected gsstest compilation flags
- improved documentation
- fixed some NULL dereferences
[RT #22795]
2992. [contrib] contrib/check-secure-delegation.pl: A simple tool
for looking at a secure delegation. [RT #22059]
2991. [contrib] contrib/zone-edit.sh: A simple zone editing tool for
dynamic zones. [RT #22365]
2990. [bug] 'dnssec-settime -S' no longer tests prepublication
interval validity when the interval is set to 0.
[RT #22761]
2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation
of external DLZ drivers that can be loaded as
shared objects at runtime rather than linked with
named. Currently this is switched on via a
compile-time option, "configure --with-dlz-dlopen".
Note: the syntax for configuring DLZ zones
is likely to be refined in future releases.
(Contributed by Andrew Tridgell of the Samba
project.) [RT #22629]
2985. [bug] Add a regression test for change #2896. [RT #21324]
2983. [bug] Include "loadkeys" in rndc help output. [RT #22493]
2980. [bug] named didn't properly handle UPDATES that changed the
TTL of the NSEC3PARAM RRset. [RT #22363]
2977. [bug] 'nsupdate -l' report if the session key is missing.
[RT #21670]
2973. [bug] bind.keys.h was being removed by the "make clean"
at the end of configure resulting in build failures
where there is very old version of perl installed.
Move it to "make maintainer-clean". [RT #22230]
2963. [security] The allow-query acl was being applied instead of the
allow-query-cache acl to cache lookups. [RT #22114]
2961. [bug] Be still more selective about the non-authoritative
answers we apply change 2748 to. [RT #22074]
2949. [bug] dns_view_setnewzones() contained a memory leak if
it was called multiple times. [RT #21942]
2948. [port] MacOS: provide a mechanism to configure the test
interfaces at reboot. See bin/tests/system/README
for details.
2940. [port] Remove connection aborted error message on
Windows. [RT #21549]
2938. [bug] When generating signed responses, from a signed zone
that uses NSEC3, named would use a uninitialised
pointer if it needed to skip a NSEC3 record because
it didn't match the selected NSEC3PARAM record for
zone. [RT# 21868]
2930. [experimental] New "rndc addzone" and "rndc delzone" commads
allow dynamic addition and deletion of zones.
To enable this feature, specify a "new-zone-file"
option at the view or options level in named.conf.
Zone configuration information for the new zones
will be written into that file. To make the new
zones persist after a restart, "include" the file
into named.conf in the appropriate view. (Note:
This feature is not yet documented, and its syntax
is expected to change.) [RT #19447]
2928. [bug] Be more selective about the non-authoritative
answer we apply change 2748 to. [RT #21594]
2914. [bug] Make the "autosign" system test more portable.
[RT #20997]
2909. [bug] named-checkconf -p could die if "update-policy local;"
was specified in named.conf. [RT #21416]
2907. [bug] The export version of libdns had undefined references.
[RT #21444]
2906. [bug] Address RFC 5011 implementation issues. [RT #20903]
2903. [bug] managed-keys-directory missing from namedconf.c.
[RT #21370]
2897. [bug] NSEC3 chains could be left behind when transitioning
to insecure. [RT #21040]
2896. [bug] "rndc sign" failed to properly update the zone
when adding a DNSKEY for publication only. [RT #21045]
2893. [bug] Improve managed keys support. New named.conf option
managed-keys-directory. [RT #20924]
2892. [bug] Handle REVOKED keys better. [RT #20961]
2887. [bug] Report the keytag times in UTC in the .key file,
local time is presented as a comment within the
comment. [RT #21223]
2886. [bug] ctime() is not thread safe. [RT #21223]
2880. [cleanup] Make the output of dnssec-keygen and dnssec-revoke
consistent. [RT #21078]
2873. [bug] Cancelling a dynamic update via the dns/client module
could trigger an assertion failure. [RT #21133]
2872. [bug] Modify dns/client.c:dns_client_createx() to only
require one of IPv4 or IPv6 rather than both.
[RT #21122]
2871. [bug] Type mismatch in mem_api.c between the definition and
the header file, causing build failure with
--enable-exportlib. [RT #21138]
2861. [doc] dnssec-settime man pages didn't correctly document the
inactivation time. [RT #21039]
2860. [bug] named-checkconf's usage was out of date. [RT #21039]
2848. [doc] Moved README.dnssec, README.libdns, README.pkcs11 and
README.rfc5011 into the ARM. [RT #20899]
2847. [cleanup] Corrected usage message in dnssec-settime. [RT #20921]
2845. [bug] RFC 5011 client could crash on shutdown. [RT #20903]
2841. [bug] Change 2836 was not complete. [RT #20883]
2839. [bug] A KSK revoked by named could not be deleted.
[RT #20881]
2836. [bug] Keys that were scheduled to become active could
be delayed. [RT #20874]
2835. [bug] Key inactivity dates were inadvertently stored in
the private key file with the outdated tag
"Unpublish" rather than "Inactive". This has been
fixed; however, any existing keys that had Inactive
dates set will now need to have them reset, using
'dnssec-settime -I'. [RT #20868]
2833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime.
[RT #20851]
2832. [bug] Modify "struct stat" in lib/export/samples/nsprobe.c
to avoid redefinition in some OSs [RT 20831]
2824. [bug] "rndc sign" was not being run by the correct task.
[RT #20759]
2821. [doc] Add note that named-checkconf doesn't automatically
read rndc.key and bind.keys [RT #20758]
2816. [bug] previous_closest_nsec() could fail to return
data for NSEC3 nodes [RT #29730]
2811. [cleanup] Add "rndc sign" to list of commands in rndc usage
output. [RT #20733]
2809. [cleanup] Restored accidentally-deleted text in usage output
in dnssec-settime and dnssec-revoke [RT #20739]
2808. [bug] Remove the attempt to install atomic.h from lib/isc.
atomic.h is correctly installed by the architecture
specific subdirectories. [RT #20722]
2807. [bug] Fixed a possible ASSERT when reconfiguring zone
keys. [RT #20720]
2806. [bug] "rdnc sign" could delay re-signing the DNSKEY
when it had changed. [RT #20703]
2805. [bug] Fixed namespace problems encountered when building
external programs using non-exported BIND9 libraries
(i.e., built without --enable-exportlib). [RT #20679]
2804. [bug] Send notifies when a zone is signed with "rndc sign"
or as a result of a scheduled key change. [RT #20700]
2803. [port] win32: Install named-journalprint, nsec3hash, arpaname
and genrandom under windows. [RT #20670]
2802. [cleanup] Rename journalprint to named-journalprint. [RT #20670]
2799. [cleanup] Changed the "secure-to-insecure" option to
"dnssec-secure-to-insecure", and "dnskey-ksk-only"
to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
2798. [bug] Addressed bugs in managed-keys initialization
and rollover. [RT #20683]
2796. [bug] Missing dns_rdataset_disassociate() call in
dns_nsec3_delnsec3sx(). [RT #20681]
2795. [cleanup] Add text to differentiate "update with no effect"
log messages. [RT #18889]
2794. [bug] Install <isc/namespace.h>. [RT #20677]
2791. [bug] The installation of isc-config.sh was broken.
[RT #20667]
2788. [bug] dnssec-signzone could sign with keys that were
not requested [RT #20625]
2787. [bug] Spurious log message when zone keys were
dynamically reconfigured. [RT #20659]
2785. [bug] Revoked keys could fail to self-sign [RT #20652]
2781. [bug] Inactive keys could be used for signing. [RT #20649]
2780. [bug] dnssec-keygen -A none didn't properly unset the
activation date in all cases. [RT #20648]
2779. [bug] Dynamic key revokation could fail. [RT #20644]
2778. [bug] dnssec-signzone could fail when a key was revoked
without deleting the unrevoked version. [RT #20638]
2763. [bug] "rndc sign" didn't create an NSEC chain. [RT #20591]
2761. [cleanup] Enable internal symbol table for backtrace only for
systems that are known to work. Currently, BSD
variants, Linux and Solaris are supported. [RT# 20202]
2775. [bug] Accept RSASHA256 and RSASHA512 as NSEC3 compatible
in dnssec-keyfromlabel. [RT #20643]
2773. [bug] In autosigned zones, the SOA could be signed
with the KSK. [RT #20628]
2771. [bug] dnssec-signzone: DNSKEY records could be
corrupted when importing from key files [RT #20624]
2770. [cleanup] Add log messages to resolver.c to indicate events
causing FORMERR responses. [RT #20526]
2769. [cleanup] Change #2742 was incomplete. [RT #19589]
2768. [bug] dnssec-signzone: -S no longer implies -g [RT #20568]
2767. [bug] named could crash on startup if a zone was
configured with auto-dnssec and there was no
key-directory. [RT #20615]
2766. [bug] isc_socket_fdwatchpoke() should only update the
socketmgr state if the socket is not pending on a
read or write. [RT #20603]
2764. [bug] "rndc-confgen -a" could trigger a REQUIRE. [RT #20610]
2756. [bug] Fixed corrupt logfile message in update.c. [RT# 20597]
2753. [bug] Removed an unnecessary warning that could appear when
building an NSEC chain. [RT #20589]
2776. [bug] Change #2762 was not correct. [RT #20647]
2762. [bug] DLV validation failed with a local slave DLV zone.
[RT #20577]
2752. [bug] Locking violation. [RT #20587]
2751. [bug] Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]
2746. [port] hpux: address signed/unsigned expansion mismatch of
dns_rbtnode_t.nsec. [RT #20542]
2745. [bug] configure script didn't probe the return type of
gai_strerror(3) correctly. [RT #20573]
2774. [bug] Existing cache DB wasn't being reused after
reconfiguration. [RT #20629]
2742. [cleanup] Clarify some DNSSEC-related log messages in
validator.c. [RT #19589]
2739. [cleanup] Clean up API for initializing and clearing trust
anchors for a view. [RT #20211]
2735. [bug] dnssec-signzone could fail to read keys
that were specified on the command line with
full paths, but weren't in the current
directory. [RT #20421]
2734. [port] cygwin: arpaname did not compile. [RT #20473]
2733. [cleanup] Clean up coding style in pkcs11-* tools. [RT #20355]
2728. [bug] dssec-keygen, dnssec-keyfromlabel and
dnssec-signzone now warn immediately if asked to
write into a nonexistent directory. [RT #20278]
2725. [doc] Added information about the file "managed-keys.bind"
to the ARM. [RT #20235]
2724. [bug] Updates to a existing node in secure zone using NSEC
were failing. [RT #20448]
2720. [bug] RFC 5011 trust anchor updates could trigger an
assert if the DNSKEY record was unsigned. [RT #20406]
2717. [bug] named failed to update the NSEC/NSEC3 record when
the last private type record was removed as a result
of completing the signing the zone with a key.
[RT #20399]
2711. [port] win32: Add the bin/pkcs11 tools into the full
build. [RT #20372]
2694. [bug] Reduce default NSEC3 iterations from 100 to 10.
[RT #19970]
2693. [port] Add some noreturn attributes. [RT #20257]
2687. [bug] Fixed dnssec-signzone -S handling of revoked keys.
Also, added warnings when revoking a ZSK, as this is
not defined by protocol (but is legal). [RT #19943]
2685. [contrib] Update contrib/zkt to version 0.99c. [RT #20054]
2684. [cleanup] dig: formalize +ad and +cd as synonyms for
+adflag and +cdflag. [RT #19305]
2682. [bug] "configure --enable-symtable=all" failed to
build. [RT #20282]
2676. [bug] --with-export-installdir should have been
--with-export-includedir. [RT #20252]
2675. [bug] dnssec-signzone could crash if the key directory
did not exist. [RT #20232]
2674. [bug] "dnssec-lookaside auto;" crashed if named was built
without openssl. [RT #20231]
2673. [bug] The managed-keys.bind zone file could fail to
load due to a spurious result from sync_keyzone()
[RT #20045]
2671. [bug] Add support for PKCS#11 providers not returning
the public exponent in RSA private keys
(OpenCryptoki for instance) in
dnssec-keyfromlabel. [RT #19294]
2664. [bug] create_keydata() and minimal_update() in zone.c
didn't properly check return values for some
functions. [RT #19956]
2658. [bug] dnssec-settime and dnssec-revoke didn't process
key file paths correctly. [RT #20078]
2657. [cleanup] Lower "journal file <path> does not exist, creating it"
log level to debug 1. [RT #20058]
2654. [bug] Improve error reporting on duplicated names for
deny-answer-xxx. [RT #20164]
2651. [bug] Dates could print incorrectly in K*.key files on
64-bit systems. [RT #20076]
2650. [bug] Assertion failure in dnssec-signzone when trying
to read keyset-* files. [RT #20075]
2644. [bug] Change #2628 caused a regression on some systems;
named was unable to write the PID file and would
fail on startup. [RT #20001]
2641. [bug] Fixed an error in parsing update-policy syntax,
added a regression test to check it. [RT #20007]
2638. [bug] Install arpaname. [RT #19957]
2634. [port] win32: Add support for libxml2, enable
statschannel. [RT #19773]
2631. [bug] Handle "//", "/./" and "/../" in mkdirpath().
[RT #19926 ]
2629. [port] Check for seteuid()/setegid(), use setresuid()/
setresgid() if not present. [RT #19932]
2628. [port] linux: Allow /var/run/named/named.pid to be opened
at startup with reduced capabilities in operation.
[RT #19884]
2627. [bug] Named aborted if the same key was included in
trusted-keys more than once. [RT #19918]
2626. [bug] Multiple trusted-keys could trigger an assertion
failure. [RT #19914]
2622. [bug] Printing of named.conf grammar was broken. [RT #19919]
2600. [doc] ARM: miscellaneous reformatting for different
page widths. [RT #19574]
2566. [cleanup] Clarify logged message when an insecure DNSSEC
response arrives from a zone thought to be secure:
"insecurity proof failed" instead of "not
insecure". [RT #19400]
2525. [experimental] New logging category "query-errors" to provide detailed
internal information about query failures, especially
about server failures. [RT #19027]
2537. [func] Added more statistics counters including those on socket
I/O events and query RTT histograms. [RT #18802]
2655. [doc] Document that key-directory does not affect
rndc.key. [RT #20155]
2834. [bug] HMAC-SHA* keys that were longer than the algorithm
digest length were used incorrectly, leading to
interoperability problems with other DNS
implementations. This has been corrected.
(Note: If an oversize key is in use, and
compatibility is needed with an older release of
BIND, the new tool "isc-hmac-fixup" can convert
the key secret to a form that will work with all
versions.) [RT #20751]
2840. [bug] Temporary fixed pkcs11-destroy usage check.
[RT #20760]
3010. [bug] Fixed a bug where "rndc reconfig" stopped the timer
for refreshing managed-keys. [RT #22296]
3013. [bug] The DNS64 ttl was not always being set as expected.
[RT #23034]
3017. [doc] dnssec-keyfromlabel -I was not properly documented.
[RT #22887]
3020. [bug] auto-dnssec failed to correctly update the zone when
changing the DNSKEY RRset. [RT #23232]
3021. [bug] Change #3010 was incomplete. [RT #22296]
3022. [bug] Fixed rpz SERVFAILs after failed zone transfers
[RT #23246]
3038. [bug] Install <dns/rpz.h>. [RT #23342]
3045. [removed] Replaced by change #3050.
3048. [bug] Fully separate view key mangement. [RT #23419]
3050. [bug] The autosign system test was timing dependent.
Wait for the initial autosigning to complete
before running the rest of the test. [RT #23035]
3052. [test] Fixed last autosign test report. [RT #23256]
3054. [bug] Added elliptic curve support check in
GOST OpenSSL engine detection. [RT #23485]
3057. [bug] "rndc secroots" would abort after the first error
and so could miss some views. [RT #23488]
3072. [bug] dns_dns64_aaaaok() potential NULL pointer dereference.
[RT #20256]
3073. [bug] managed-keys changes were not properly being recorded.
[RT #20256]
3075. [bug] dns_dnssec_findzonekeys{2} used a inconsistant
timestamp when determining which keys are active.
[RT #23642]
3077. [bug] zone.c:zone_refreshkeys() incorrectly called
dns_zone_attach(), use zone->irefs instead. [RT #23303]
3082. [port] strtok_r is threads only. [RT #23747]
3086. [bug] Running dnssec-settime -f on an old-style key will
now force an update to the new key format even if no
other change has been specified, using "-P now -A now"
as default values. [RT #22474]
3087. [bug] DDNS updates using SIG(0) with update-policy match
type "external" could cause a crash. [RT #23735]
3091. [bug] Fixed a bug in which zone keys that were published
and then subsequently activated could fail to trigger
automatic signing. [RT #22911]
3094. [doc] Expand dns64 documentation.
3096. [bug] Set KRB5_KTNAME before calling log_cred() in
dst_gssapi_acceptctx(). [RT #24004]
2655. [doc] Document that key-directory does not affect
bind.keys, rndc.key or session.key. [RT #20155]
2810. [doc] Clarified the process of transitioning an NSEC3 zone
to insecure. [RT #20746]
View Git Blame Copy Permalink