4034. [func] When added, negative trust anchors (NTA) are now
saved to files (viewname.nta), in order to
persist across restarts of the named server.
[RT #37087]
4030. [func] "rndc delzone" is now applicable to zones that were
configured in named.conf, as well as zones that
were added via "rndc addzone". (Note, however, that
if named.conf is not also modified, the deleted zone
will return when named is reloaded.) [RT #37887]
4029. [func] "rndc showzone" displays the current configuration
of a specified zone. [RT #37887]
- hpux returns EADDRINUSE when listening on UDP sockets, so
we need to check for that
- also need to ensure that subsidiary named processes are shut
down in the runtime system test
Conflicts:
bin/tests/system/conf.sh.in
lib/dns/win32/libdns.def.in
lib/isc/win32/file.c
The merge also needed to update files in legacy and tcp system tests
(newly introduced in master after branch was created) to introduce use
of lockfile.
4006. [security] A flaw in delegation handling could be exploited
to put named into an infinite loop. This has
been addressed by placing limits on the number
of levels of recursion named will allow (default 7),
and the number of iterative queries that it will
send (default 50) before terminating a recursive
query (CVE-2014-8500).
The recursion depth limit is configured via the
"max-recursion-depth" option. [RT #35780]
4003. [security] When geoip-directory was reconfigured during
named run-time, the previously loaded GeoIP
data could remain, potentially causing wrong
ACLs to be used or wrong results to be served
based on geolocation. [RT #37720]
4002. [security] Lookups in GeoIP databases that were not
loaded could cause an assertion failure.
[RT #37679]
4001. [security] The caching of GeoIP lookups did not always
handle address families correctly, potentially
resulting in an assertion failure. [RT #37672]
4005. [func] The buffer used for returning text from rndc
commands is now dynamically resizable, allowing
arbitrarily large amounts of text to be sent back
to the client. (Prior to this change, it was
possible for the output of "rndc tsig-list" to be
truncated.) [RT #37731]
3999. [func] "mkeys" and "nzf" files are now named after
their corresponding views, unless the view name
contains characters that would be incompatible
with use in a filename (i.e., slash, backslash,
or capital letters). If a view name does contain
these characters, the files will still be named
using a cryptographic hash of the view name.
Regardless of this, if a file using the old name
format is found to exist, it will continue to be
used. [RT #37704]
