dns_rdata_opt_current, dns_rdata_txt_first,
dns_rdata_txt_next and dns_rdata_txt_current were
documented but not implemented. These have now been
implemented.
dns_rdata_spf_first, dns_rdata_spf_next and
dns_rdata_spf_current were document but not
implemented. The prototypes for these
functions have been removed. [RT #38068]
4023. [bug] win32: socket handling with explict ports and
invoking named with -4 was broken for some
configurations. [RT #38068]
4006. [security] A flaw in delegation handling could be exploited
to put named into an infinite loop. This has
been addressed by placing limits on the number
of levels of recursion named will allow (default 7),
and the number of iterative queries that it will
send (default 50) before terminating a recursive
query (CVE-2014-8500).
The recursion depth limit is configured via the
"max-recursion-depth" option. [RT #35780]
4005. [func] The buffer used for returning text from rndc
commands is now dynamically resizable, allowing
arbitrarily large amounts of text to be sent back
to the client. (Prior to this change, it was
possible for the output of "rndc tsig-list" to be
truncated.) [RT #37731]
startup-notify-rate instead of serial-query-rate.
[RT #24454]
3955. [bug] Notify messages due to changes are no longer queued
behind startup notify messages. [RT #24454]
EDNS(1) queries (define DRAFT_ANDREWS_EDNS1 when
building). Add support for limiting the EDNS version
advertised to servers: server { edns-version 0; };
Log the EDNS version received in the query log.
[RT #35864]
3943. [func] SERVFAIL responses can now be cached for a
limited time (configured by "servfail-ttl",
default 10 seconds, limit 30). This can reduce
the frequency of retries when an authoritative
server is known to be failing, e.g., due to
ongoing DNSSEC validation problems. [RT #21347]
3936. [func] Added authoritative support for the EDNS Client
Subnet (ECS) option.
ACLs can now include "ecs" elements which specify
an address or network prefix; if an ECS option is
included in a DNS query, then the address encoded
in the option will be matched against "ecs" ACL
elements.
Also, if an ECS address is included in a query,
then it will be used instead of the client source
address when matching "geoip" ACL elements. This
behavior can be overridden with "geoip-use-ecs no;".
When "ecs" or "geoip" ACL elements are used to
select a view for a query, the response will include
an ECS option to indicate which client network the
answer is valid for.
(Thanks to Vincent Bernat.) [RT #36781]
3882. [func] By default, negative trust anchors will be tested
periodically to see whether data below them can be
validated, and if so, they will be allowed to
expire early. The "rndc nta -force" option
overrides this behvaior. The default NTA lifetime
and the recheck frequency can be configured by the
"nta-lifetime" and "nta-recheck" options. [RT #36146]
3867. [func] "rndc nta" can now be used to set a temporary
negative trust anchor, which disables DNSSEC
validation below a specified name for a specified
period of time (not exceeding 24 hours). This
can be used when validation for a domain is known
to be failing due to a configuration error on
the part of the domain owner rather than a
spoofing attack. [RT #29358]
No CHANGES entry was added as this commit mainly adds tests related
code.
Squashed commit of the following:
commit d3d44508daa128fb8b60f64b3a8c81f80602273d
Author: Evan Hunt <each@isc.org>
Date: Wed May 7 09:36:41 2014 -0700
[rt35904] remove private non-static names from .def file
commit dbca45661c3939f21c3bb3f405d08cfe1b35d7aa
Author: Mukund Sivaraman <muks@isc.org>
Date: Wed May 7 21:39:32 2014 +0530
Remove test for shortcut findnode()
The implementation was not included in this review branch, but the tests
erroneously made it through.
This functionality will be addressed in a different ticket (RT#35906).
commit 94ff14576ab3407f2612d34727b7eacfefc3668c
Author: Mukund Sivaraman <muks@isc.org>
Date: Wed May 7 21:36:50 2014 +0530
Minor indent fix
commit 50972f17697bb222996e433faa8224843366f9b2
Author: Evan Hunt <each@isc.org>
Date: Tue May 6 20:05:21 2014 -0700
[rt35904] style
commit 5c4d5d41fcc5bfecdeebc008896974385c841b8d
Author: Mukund Sivaraman <muks@isc.org>
Date: Sun May 4 19:19:36 2014 +0530
RBT related updates
* Add various RBT unit tests
* Add some helper methods useful in unit testing RBT code
* General cleanup
a REQUIRE assertion failure when a fetch is actually
initiated. [ RT #35899]
Squashed commit of the following:
commit 7f4e1f3917d743089c42cc52ec2c0eea598d2c00
Author: Mukund Sivaraman <muks@isc.org>
Date: Sun May 4 22:34:34 2014 +0530
Fix a comment
commit 6a35a6a2346013fa8e3798b9b680d8a3031fcb03
Author: Mark Andrews <marka@isc.org>
Date: Sun May 4 23:34:25 2014 +1000
pass the correct name to query_prefetch
3829. [func] "dig +ttlunits" causes dig to print TTL values
with time-unit suffixes: w, d, h, m, s for
weeks, days, hours, minutes, and seconds. (Thanks
to Tony Finch.) [RT #35823]
3821. [contrib] Added a new "mysqldyn" DLZ module with dynamic
update and transaction support. Thanks to Marty
Lee for the contribution. [RT #35656]
3820. [func] The DLZ API doesn't pass the database version to
the lookup() function; this can cause DLZ modules
that allow dynamic updates to mishandle prerequisite
checks. This has been corrected by adding a
'dbversion' field to the dns_clientinfo_t
structure. [RT #35656]
3814. [func] The "masterfile-style" zone option controls the
formatting of dumped zone files. Options are
"relative" (multiline format) and "full" (one
record per line). The default is "relative".
[RT #20798]
3811. [func] "serial-update-method date;" sets serial number
on dynamic update to today's date in YYYYMMDDNN
format. (Thanks to Bradley Forschinger.) [RT #24903]
