4639.	[bug]		Fix a regression in --with-tuning reporting introduced
			by change 4488. [RT #45396]

4638.	[bug]		Reloading or reconfiguring named could fail on
			some platforms when LMDB was in use. [RT #45203]

4630.	[bug]		"dyndb" is dependent on dlopen existing / being
			enabled. [RT #45291]

4625.	[bug]		Running "rndc addzone" and "rndc delzone" at close
			to the same time could trigger a deadlock if using
			LMDB. [RT #45209]

4619.	[bug]		Call isc_mem_put instead of isc_mem_free in
			bin/named/server.c:setup_newzones. [RT #45202]

4618.	[bug]		Check isc_mem_strdup results in dns_view_setnewzones.
			Add logging for lmdb call failures. [RT #45204]

4540.	[bug]		Correctly handle ecs entries in dns_acl_isinsecure.
			[RT #43601]

4531.	[security]	'is_zone' was not being properly updated by redirect2
			and subsequently preserved leading to an assertion
			failure. (CVE-2016-9778) [RT #43837]

4520.	[cleanup]	Alphabetize more of the grammar when printing it
			out. Fix unbalanced indenting. [RT #43755]

4471.	[cleanup]	Render client/query logging format consistent for
			ease of log file parsing. (Note that this affects
			"querylog" format: there is now an additional field
			indicating the client object address.) [RT #43238]

4425.	[bug]		arpaname, dnstap-read and named-rrchecker were not
			being installed into ${prefix}/bin.  Tidy up
			installation issues with CHANGE 4421. [RT #42910]

4348.	[func]		dnssec-keymgr: A new python-based DNSSEC key
			management utility, which reads a policy definition
			file and can create or update DNSSEC keys as needed
			to ensure that a zone's keys match policy, roll over
			correctly on schedule, etc.  Thanks to Sebastian
			Castro for assistance in development. [RT #39211]

4307.	[bug]		"dig +subnet" and "mdig +subnet" could send
			incorrectly-formatted Client Subnet options
			if the prefix length was not divisible by 8.
			Also fixed a memory leak in "mdig". [RT #45178]

4303.	[bug]		"dig +subnet" was unable to send a prefix length of
			zero, as it was incorrectly changed to 32 for v4
			prefixes or 128 for v6 prefixes. In addition to
			fixing this, "dig +subnet=0" has been added as a
			short form for 0.0.0.0/0. The same changes have
			also been made in "mdig". [RT #41553]

4300.	[bug]		A flag could be set in the wrong field when setting
			up non-recursive queries; this could cause the
			SERVFAIL cache to cache responses it shouldn't.
			New querytrace logging has been added which
			identified this error. [RT #41155]

4161.	[test]		Add JSON test for traffic size stats; also test
			for consistency between "rndc stats" and the XML
			and JSON statistics channel contents. [RT #38700]

4135.	[cleanup]	Log expired NTA at startup. [RT #39680]

4056.	[bug]		Expanded automatic testing of trust anchor
			management and fixed several small bugs including
			a memory leak and a possible loss of key state
			information. [RT #38458]

3983.	[bug]		Change #3940 was incomplete: negative trust anchors
			could be set to last up to a week, but the
			"nta-lifetime" and "nta-recheck" options were
			still limited to one day. [RT #37522]

3979.	[bug]		Negative trust anchor fetches were not properly
			managed. [RT #37488]

3977.	[cleanup]	"rndc secroots" reported a "not found" error when
			there were no negative trust anchors set. [RT #37506]

3949.	[experimental]	Experimental support for draft-andrews-edns1 by sending
			EDNS(1) queries (define DRAFT_ANDREWS_EDNS1 when
			building).  Add support for limiting the EDNS version
			advertised to servers: server { edns-version 0; };
			Log the EDNS version received in the query log.
			[RT #35864]

3938.	[func]		Added quotas to be used in recursive resolvers
			that are under high query load for names in zones
			whose authoritative servers are nonresponsive or
			are experiencing a denial of service attack.

			- "fetches-per-server" limits the number of
			  simultaneous queries that can be sent to any
			  single authoritative server.  The configured
			  value is a starting point; it is automatically
			  adjusted downward if the server is partially or
			  completely non-responsive. The algorithm used to
			  adjust the quota can be configured via the
			  "fetch-quota-params" option.
			- "fetches-per-zone" limits the number of
			  simultaneous queries that can be sent for names
			  within a single domain.  (Note: Unlike
			  "fetches-per-server", this value is not
			  self-tuning.)
			- New stats counters have been added to count
			  queries spilled due to these quotas.

			See the ARM for details of these options. [RT #37125]

3930.	[bug]		"rndc nta -r" could cause a server hang if the
			NTA was not found. [RT #36909]

3920.	[doc]		Added doc for masterfile-style. [RT #36823]

3876.	[bug]		Improve efficiency of DLZ redirect zones by
			suppressing unnecessary database lookups. [RT #35835]

3875.	[cleanup]	Clarify log message when unable to read private
			key files. [RT #24702]

3821.	[contrib]	Added a new "mysqldyn" DLZ module with dynamic
			update and transaction support. Thanks to Marty
			Lee for the contribution. [RT #35656]