upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-02-13 15:53:52 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
bind9/EXCLUDED
Mark Andrews 91d9a51e44 9.6-ESV-R10rc2
2013-08-19 12:03:21 +10:00

1173 lines
40 KiB
Text
Raw Permalink Blame History

3635. [bug] Signatures were not being removed from a zone with
only KSK keys for a algorithm. [RT #24439]
3632. [bug] Signature from newly inactive keys were not being
removed. [RT #32178]
3627. [bug] RPZ changes were not effective on slaves. [RT #34450]
3624. [bug] Look for 'json_object_new_int64' when looking for a
the json library. [RT #34449]
3622. [tuning] Eliminate an unnecessary lock when incrementing
cache statistics. [RT #34339]
3621. [security] Incorrect bounds checking on private type 'keydata'
can lead to a remotely triggerable REQUIRE failure
(CVE-2013-4854). [RT #34238]
3619. [bug] Fixed a bug in RPZ with "recursive-only no;"
[RT #33776]
3617. [bug] Named was failing to answer queries during
"rndc reload" [RT #34098]
3616. [bug] Change #3613 was incomplete. [RT #34177]
3613. [bug] named could crash when deleting inline-signing
zones with "rndc delzone". [RT #34066]
3612. [port] Check whether to use -ljson or -ljson-c. [RT #34115]
3610. [cleanup] win32: Some executables had been omitted from the
installer. [RT #34116]
3609. [bug] Corrected a possible deadlock in applications using
the export version of the isc_app API. [RT #33967]
3607. [bug] dnssec-keygen had broken 'Invalid keyfile' error
message. [RT #34045]
3604. [bug] Fixed a compile-time error when building with
JSON but not XML. [RT #33959]
3602. [contrib] Added DLZ Perl module, allowing Perl scripts to
integrate with named and serve DNS data.
(Contributed by John Eaglesham of Yahoo.)
3601. [bug] Added to PKCS#11 openssl patches a value len
attribute in DH derive key. [RT #33928]
3598. [cleanup] Improved portability of map file code. [RT #33820]
3597. [bug] Ensure automatic-resigning heaps are reconstructed
when loading zones in map format. [RT #33381]
3596. [port] Updated win32 build documentation, added
dnssec-verify. [RT #22067]
3595. [port] win32: Fix build problems introduced by change #3550.
[RT #33807]
3590. [bug] When using RRL on recursive servers, defer
rate-limiting until after recursion is complete;
also, use correct rcode for slipped NXDOMAIN
responses. [RT #33604]
3582. [bug] Silence false positive warning regarding missing file
directive for inline slave zones. [RT #33662]
3579. [maint] Updates to PKCS#11 openssl patches, supporting
versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]
3573. [bug] "rndc addzone" and "rndc delzone" incorrectly handled
zone names containing punctuation marks and other
nonstandard characters. [RT #33419]
3571. [bug] Address race condition in dns_client_startresolve().
[RT #33234]
3570. [bug] Check internal pointers are valid when loading map
files. [RT #33403]
3569. [contrib] Ported mysql DLZ driver to dynamically-loadable
module, and added multithread support. [RT #33394]
3564. [bug] Improved handling of corrupted map files. [RT #33380]
3557. [bug] Reloading redirect zones was broken. [RT #33292]
3554. [bug] RRL failed to correctly rate-limit upward
referrals and failed to count dropped error
responses in the statistics. [RT #33225]
3544. [contrib] check5011.pl: Script to report the status of
managed keys as recorded in managed-keys.bind.
Contributed by Tony Finch <dot@dotat.at>
3551. [bug] resolver.querydscp[46] were uninitialized. [RT #32686]
3545. [bug] RRL slip behavior was incorrect when set to 1.
[RT #33111]
3537. [tuning] Slave zones, when updated, now send NOTIFY messages
to peers before being dumped to disk rather than
after. [RT #27242]
3527. [compat] Add a URI to allow applications to explicitly
request a particular XML schema from the statistics
channel, returning 404 if not supported. [RT #32481]
3523. [contrib] Ported filesystem and ldap DLZ drivers to
dynamically-loadable modules, and added the
"wildcard" module based on a contribution from
Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569]
3522. [bug] DLZ lookups could fail to return SERVFAIL when
they ought to. [RT #32685]
3521. [bug] Address memory leak in opensslecdsa_link.c. [RT #32249]
3518. [bug] Increase the size of dns_rrl_key.s.rtype by one bit
so that all dns_rrl_rtype_t enum values fit regardless
of whether it is teated as signed or unsigned by
the compiler. [RT #32792]
3514. [bug] The ranges for valid key sizes in ddns-confgen and
rndc-confgen were too constrained. Keys up to 512
bits are now allowed for most algorithms, and up
to 1024 bits for hmac-sha384 and hmac-sha512.
[RT #32753]
3511. [doc] Improve documentation of redirect zones. [RT #32756]
3507. [bug] Statistics channel XSL had a glitch when attempting
to chart query data before any queries had been
received. [RT #32620]
3505. [bug] When setting "max-cache-size" and "max-acache-size",
larger values than 4 gigabytes could not be set
explicitly, though larger sizes were available
when setting cache size to 0. This has been
corrected; the full range is now available.
[RT #32358]
3500. [port] Support NAPTR regular expression validation on
all platforms. [RT #32688]
3493. [contrib] Added BDBHPT dynamically-lodable DLZ module,
contributed by Mark Goldfinch. [RT #32549]
3492. [bug] Fixed a regression in zone loading performance
due to lock contention. [RT #30399]
3491. [bug] Slave zones using inline-signing must specify a
file name. [RT #31946]
3490. [bug] When logging RDATA during update, truncate if it's
too long. [RT #32365]
3489. [bug] --enable-developer now turns on ISC_LIST_CHECKINIT.
When cloning a rdataset do not copy the link contents.
[RT #32651]
3488. [bug] Use after free error with DH generated keys. [RT #32649]
3486. [bug] named could crash when using TKEY-negotiated keys
that had been deleted and then recreated. [RT #32506]
3485. [cleanup] Only compile openssl_gostlink.c if we support GOST.
3484. [bug] Some statistics were incorrectly rendered in XML.
[RT #32587]
3480. [bug] Silence logging noise when setting up zone
statistics. [RT #32525]
3476. [bug] "rndc zonestatus" could report a spurious "not
found" error on inline-signing zones. [RT #29226]
3475. [cleanup] Changed name of 'map' zone file format (previously
'fast'). [RT #32458]
3473. [bug] dnssec-signzone/verify could incorrectly report
an error condition due to an empty node above an
opt-out delegation lacking an NSEC3. [RT #32072]
3472. [bug] The active-connections counter in the socket
statistics could underflow. [RT #31747]
3471. [bug] The number of UDP dispatches now defaults to
the number of CPUs even if -n has been set to
a higher value. [RT #30964]
3470. [bug] Slave zones could fail to dump when successfully
refreshing after an initial failure. [RT #31276]
3469. [bug] Handle DLZ lookup failures more gracefully. Improve
backward compatibility between versions of DLZ dlopen
API. [RT #32275]
3468. [security] RPZ rules to generate A records (but not AAAA records)
could trigger an assertion failure when used in
conjunction with DNS64 (CVE-2012-5689). [RT #32141]
3467. [bug] Added checks in dnssec-keygen and dnssec-settime
to check for delete date < inactive date. [RT #31719]
3466. [contrib] Corrected the DNS_CLIENTINFOMETHODS_VERSION check
in DLZ example driver. [RT #32275]
3464. [maint] Updates to PKCS#11 openssl patches, supporting
versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]
3463. [doc] Clarify managed-keys syntax in ARM. [RT 32232]
3460. [bug] Only link against readline where needed. [RT #29810]
3453. [bug] 'rndc addzone' of a zone with 'inline-signing yes;'
failed. [RT #31960]
3443. [bug] ddns-confgen: Some TSIG algorithms were incorrectly
rejected when generating keys. [RT #31927]
3434. [bug] Pass client info to the DLZ findzone() entry
point in addition to lookup(). This makes it
possible for a database to answer differently
whether it's authoritative for a name depending
on the address of the client. [RT #31775]
3433. [bug] dlz_findzone() did not correctly handle
ISC_R_NOMORE. [RT #31172]
3431. [bug] ddns-confgen: Some valid key algorithms were
not accepted. [RT #31927]
3426. [bug] dnssec-checkds: Clearer output when records are not
found. [RT #31968]
3423. [bug] "rndc signing -nsec3param" didn't accept the full
range of possible values. Address portability issues.
[RT #31938]
3422. [bug] Added a clear error message for when the SOA does not
match the referral. [RT #31281]
3416. [bug] Named could die on shutdown if running with 128 UDP
dispatches per interface. [RT #31743]
3414. [bug] Address locking issues found by Coverity. [RT #31626]
3408. [bug] Some DNSSEC-related options (update-check-ksk,
dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
are now legal in slave zones as long as
inline-signing is in use. [RT #31078]
3399. [port] netbsd: rename 'bool' parameter to avoid namespace
clash. [RT #31515]
3398. [bug] SOA parameters were not being updated with inline
signed zones if the zone was modified while the
server was offline. [RT #29272]
3385. [bug] named-checkconf didn't detect missing master lists
in also-notify clauses. [RT #30810]
3384. [bug] Improved logging of crypto errors. [RT #30963]
3378. [bug] Handle missing 'managed-keys-directory' better.
[RT #30625]
3377. [bug] Removed spurious newline from NSEC3 multiline
output. [RT #31044]
3375. [bug] 'rndc dumpdb' failed on empty caches. [RT #30808]
3370. [bug] Address use after free while shutting down. [RT #30241]
3368. [bug] <dns/iptable.h>, <dns/private.h> and <dns/zone.h>
were not C++ safe.
3367. [bug] dns_dnsseckey_create() result was not being checked.
[RT #30685]
3363. [bug] Need to allow "forward" and "fowarders" options
in static-stub zones; this had been overlooked.
[RT #30482]
3361. [bug] "rndc signing -nsec3param" didn't work correctly
when salt was set to '-' (no salt). [RT #30099]
3356. [bug] Cap the TTL of signed RRsets when RRSIGs are
approaching their expiry, so they don't remain
in caches after expiry. [RT #26429]
3355. [port] Use more portable awk in verify system test.
3353. [bug] Use a single task for task exclusive operations.
[RT #29872]
3351. [bug] isc_mem_put and isc_mem_putanddetach didn't report
caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
memory debugging flags are set. [RT #30243]
3349. [bug] Change #3345 was incomplete. [RT #30233]
3347. [bug] dnssec-settime: Issue a warning when writing a new
private key file would cause a change in the
permissions of the existing file. [RT #27724]
3345. [bug] Addressed race condition when removing the last item
or inserting the first item in an ISC_QUEUE.
[RT #29539]
3338. [bug] Address race condition in units tests: asyncload_zone
and asyncload_zt. [RT #26100]
3334. [bug] Hold a zone table reference while performing a
asyncronous load of a zone. [RT #28326]
3333. [bug] Setting resolver-query-timeout too low can cause
named to not recover if it loses connectivity.
[RT #29623]
3324. [test] Add better tests for ADB stats [RT #27057]
3317. [protocol] Add ECDSA support (RFC 6605). [RT #21918]
3316. [tuning] Improved locking performance when recursing.
[RT #28836]
3315. [tuning] Use multiple dispatch objects for sending upstream
queries; this can improve performance on busy
multiprocessor systems by reducing lock contention.
[RT #28605]
3312. [bug] named-checkconf didn't detect a bad dns64 clients acl.
[RT #27631]
3306. [bug] Improve DNS64 reverse zone performance. [RT #28563]
3305. [func] Add wire format lookup method to sdb. [RT #28563]
3303. [bug] named could die when reloading. [RT #28606]
3302. [bug] dns_dnssec_findmatchingkeys could fail to find
keys if the zone name contained character that
required special mappings. [RT #28600]
3296. [bug] Named could die with a INSIST failure in
client.c:exit_check. [RT #28346]
3289. [bug] 'rndc retransfer' failed for inline zones. [RT #28036]
3288. [bug] dlz_destroy() function wasn't correctly registered
by the DLZ dlopen driver. [RT #28056]
3286. [bug] Managed key maintenance timer could fail to start
after 'rndc reconfig'. [RT #26786]
3280. [bug] Potential double free of a rdataset on out of memory
with DNS64. [RT #27762]
3279. [bug] Hold a internal reference to the zone while performing
a asynchronous load. Address potential memory leak
if the asynchronous is cancelled. [RT #27750]
3278. [bug] Make sure automatic key maintenance is started
when "auto-dnssec maintain" is turned on during
"rndc reconfig". [RT #26805]
3277. [bug] win32: isc_socket_dup is not implemented. [RT #27696]
3276. [bug] win32: ns_os_openfile failed to return NULL on
safe_open failure. [RT #27696]
3275. [bug] Corrected rndc -h output; the 'rndc sync -clean'
option had been misspelled as '-clear'. (To avoid
future confusion, both options now work.) [RT #27173]
3273. [bug] AAAA responses could be returned in the additional
section even when filter-aaaa-on-v4 was in use.
[RT #27292]
3271. [port] darwin: mksymtbl is not always stable, loop several
times before giving up. mksymtbl was using non
portable perl to covert 64 bit hex strings. [RT #27653]
3270. [bug] "rndc reload" didn't reuse existing zones correctly
when inline-signing was in use. [RT #27650]
3269. [port] darwin 11 and later now built threaded by default.
3265. [bug] Address lock order reversal with inline-signing
support. [27557]
3264. [bug] Automatic regeneration of signatures in an
inline-signing zone could stall when the server
was restarted. [RT #27344]
3263. [bug] "rndc sync" did not affect the unsigned side of an
inline-signing zone. [RT #27337]
3262. [bug] Signed responses were handled incorrectly by RPZ.
[RT #27316]
3258. [test] Add "forcing full sign with unreadable keys" test.
[RT #27153]
3252. [bug] When master zones using inline-signing were
updated while the server was offline, the source
zone could fall out of sync with the signed
copy. They can now resynchronize. [RT #26676]
3248. [bug] Configure options --enable-fixed-rrset and
--enable-exportlib were incompatible with each
other. [RT #27087]
3246. [bug] Named failed to start with a empty also-notify list.
[RT #27087]
3245. [bug] Don't report a error unchanged serials unless there
were other changes when thawing a zone with
ixfr-fromdifferences. [RT #26845]
3243. [port] freebsd,netbsd,bsdi: the thread defaults were not
being properly set.
3240. [bug] DNSKEY state change events could be missed. [RT #26874]
3239. [bug] dns_dnssec_findmatchingkeys needs to use a consistent
timestamp. [RT #26883]
3236. [bug] Backed out changes #3182 and #3202, related to
EDNS(0) fallback behavior. [RT #26416]
3233. [bug] 'rndc freeze/thaw' didn't work for inline zones.
[RT #26632]
3229. [bug] Fix local variable to struct var assignment
found by CLANG warning.
3225. [bug] Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
messages. [RT #26507]
3224. [bug] 'rndc signing' argument parsing was broken. [RT #26684]
3223. [bug] 'task_test privilege_drop' generated false positives.
[RT #26766]
3222. [cleanup] Replace dns_journal_{get,set}_bitws with
dns_journal_{get,set}_sourceserial. [RT #26634]
3220. [bug] Change #3186 was incomplete; dns_db_rpz_findips()
could fail to set the database version correctly,
causing an assertion failure. [RT #26180]
3220. [bug] Change #3186 was incomplete; dns_db_rpz_findips()
could fail to set the database version correctly,
causing an assertion failure. [RT #26180]
3219. [bug] Disable NOEDNS caching following a timeout.
3217. [cleanup] Fix build problem with --disable-static. [RT #26476]
3215. [bug] 'rndc recursing' could cause a core dump. [RT #26495]
3210. [bug] Canceling the oldest query due to recursive-client
overload could trigger an assertion failure. [RT #26463]
3202. [bug] NOEDNS caching on timeout was too agressive.
[RT #26416]
3198. [doc] Clarified that dnssec-settime can alter keyfile
permissions. [RT #24866]
3195. [cleanup] Silence "file not found" warnings when loading
managed-keys zone. [RT #26340]
3188. [bug] zone.c:zone_refreshkeys() could fail to detach
references correctly when errors occurred, causing
a hang on shutdown. [RT #26372]
3186. [bug] Version/db mis-match in rpz code. [RT #26180]
3184. [bug] named had excessive cpu usage when a redirect zone was
configured. [RT #26013]
3183. [bug] Added RTLD_GLOBAL flag to dlopen call. [RT #26301]
3182. [bug] Auth servers behind firewalls which block packets
greater than 512 bytes may cause other servers to
perform poorly. Now, adb retains edns information
and caches noedns servers. [RT #23392/24964]
3178. [bug] A race condition introduced by change #3163 could
cause an assertion failure on shutdown. [RT #26271]
3176. [doc] Corrected example code and added a README to the
sample external DLZ module in contrib/dlz/example.
[RT #26215]
3174. [bug] Always compute to revoked key tag from scratch.
[RT #26186]
3172. [port] darwin 10.* and freebsd [89] are now built threaded by
default.
3171. [bug] Exclusively lock the task when adding a zone using
'rndc addzone'. [RT #25600]
3168. [bug] Nxdomain redirection could trigger an assert with
a ANY query. [RT #26017]
3166. [bug] Upgrading a zone to support inline-signing failed.
[RT #26014]
3165. [bug] dnssec-signzone could generate new signatures when
resigning, even when valid signatures were already
present. [RT #26025]
3163. [bug] Use finer-grained locking in client.c to address
concurrency problems with large numbers of threads.
[RT #26044]
3161. [bug] zone.c:del_sigs failed to always reset rdata leading
assertion failures. [RT #25880]
3160. [bug] When printing out a NSEC3 record in multiline form
the newline was not being printed causing type codes
to be run together. [RT #25873]
3159. [bug] On some platforms, named could assert on startup
when running in a chrooted environment without
/proc. [RT #25863]
3158. [bug] Recursive servers would prefer a particular UDP
socket instead of using all available sockets.
[RT #26038]
3155. [bug] Fixed a build failure when using contrib DLZ
drivers (e.g., mysql, postgresql, etc). [RT #25710]
3152. [cleanup] Some versions of gcc and clang failed due to
incorrect use of __builtin_expect. [RT #25183]
3142. [bug] NAPTR is class agnostic. [RT #25429]
3141. [bug] Silence spurious "zone serial (0) unchanged" messages
associated with empty zones. [RT #25079]
3133. [bug] Change #3114 was incomplete. [RT #24577]
3131. [tuning] Improve scalability by allocating one zone task
per 100 zones at startup time, rather than using a
fixed-size task table. [RT #24406]
3129. [bug] Named could crash on 'rndc reconfig' when
allow-new-zones was set to yes and named ACLs
were used. [RT #22739]
3127. [bug] 'rndc thaw' will now remove a zone's journal file
if the zone serial number has been changed and
ixfr-from-differences is not in use. [RT #24687]
3126. [security] Using DNAME record to generate replacements caused
RPZ to exit with a assertion failure. [RT #24766]
3125. [security] Using wildcard CNAME records as a replacement with
RPZ caused named to exit with a assertion failure.
[RT #24715]
3122. [cleanup] dnssec-settime: corrected usage message. [RT #24664]
3119. [bug] When rolling to a new DNSSEC key, a private-type
record could be created and never marked complete.
[RT #23253]
3117. [cleanup] Remove doc and parser references to the
never-implemented 'auto-dnssec create' option.
[RT #24533]
3115. [bug] Named could fail to return requested data when
following a CNAME that points into the same zone.
[RT #24455]
3114. [bug] Retain expired RRSIGs in dynamic zones if key is
inactive and there is no replacement key. [RT #23136]
3111. [bug] Improved consistency checks for dnssec-enable and
dnssec-validation, added test cases to the
checkconf system test. [RT #24398]
3108. [cleanup] dnssec-signzone: Clarified some error and
warning messages; removed #ifdef ALLOW_KSKLESS_ZONES
code (use -P instead). [RT #20852]
3107. [bug] dnssec-signzone: Report the correct number of ZSKs
when using -x. [RT #20852]
3105. [bug] GOST support can be suppressed by "configure
--without-gost" [RT #24367]
3103. [bug] Configuring 'dnssec-validation auto' in a view
instead of in the options statement could trigger
an assertion failure in named-checkconf. [RT #24382]
3101. [bug] Zones using automatic key maintenance could fail
to check the key repository for updates. [RT #23744]
3100. [security] Certain response policy zone configurations could
trigger an INSIST when receiving a query of type
RRSIG. [RT #24280]
3098. [bug] DLZ zones were answering without setting the AA bit.
[RT #24146]
3096. [bug] Set KRB5_KTNAME before calling log_cred() in
dst_gssapi_acceptctx(). [RT #24004]
3094. [doc] Expand dns64 documentation.
3093. [bug] Fix gssapi/kerberos dependencies [RT #23836]
3092. [bug] Signatures for records at the zone apex could go
stale due to an incorrect timer setting. [RT #23769]
3091. [bug] Fixed a bug in which zone keys that were published
and then subsequently activated could fail to trigger
automatic signing. [RT #22911]
3087. [bug] DDNS updates using SIG(0) with update-policy match
type "external" could cause a crash. [RT #23735]
3086. [bug] Running dnssec-settime -f on an old-style key will
now force an update to the new key format even if no
other change has been specified, using "-P now -A now"
as default values. [RT #22474]
3082. [port] strtok_r is threads only. [RT #23747]
3077. [bug] zone.c:zone_refreshkeys() incorrectly called
dns_zone_attach(), use zone->irefs instead. [RT #23303]
3075. [bug] dns_dnssec_findzonekeys{2} used a inconsistant
timestamp when determining which keys are active.
[RT #23642]
3073. [bug] managed-keys changes were not properly being recorded.
[RT #20256]
3072. [bug] dns_dns64_aaaaok() potential NULL pointer dereference.
[RT #20256]
3070. [bug] dnssec-signzone potential NULL pointer dereference.
[RT #20256]
3057. [bug] "rndc secroots" would abort after the first error
and so could miss some views. [RT #23488]
3054. [bug] Added elliptic curve support check in
GOST OpenSSL engine detection. [RT #23485]
3052. [test] Fixed last autosign test report. [RT #23256]
3050. [bug] The autosign system test was timing dependent.
Wait for the initial autosigning to complete
before running the rest of the test. [RT #23035]
3049. [bug] Save and restore the gid when creating creating
named.pid at startup. [RT #23290]
3048. [bug] Fully separate view key mangement. [RT #23419]
3047. [bug] DNSKEY NODATA responses not cached fixed in
validator.c. Tests added to dnssec system test.
[RT #22908]
3045. [removed] Replaced by change #3050.
3038. [bug] Install <dns/rpz.h>. [RT #23342]
3022. [bug] Fixed rpz SERVFAILs after failed zone transfers
[RT #23246]
3021. [bug] Change #3010 was incomplete. [RT #22296]
3020. [bug] auto-dnssec failed to correctly update the zone when
changing the DNSKEY RRset. [RT #23232]
3017. [doc] dnssec-keyfromlabel -I was not properly documented.
[RT #22887]
3013. [bug] The DNS64 ttl was not always being set as expected.
[RT #23034]
3010. [bug] Fixed a bug where "rndc reconfig" stopped the timer
for refreshing managed-keys. [RT #22296]
3005. [port] Solaris: Work around the lack of
gsskrb5_register_acceptor_identity() by setting
the KRB5_KTNAME environment variable to the
contents of tkey-gssapi-keytab. Also fixed
test errors on MacOSX. [RT #22853]
3003. [experimental] Added update-policy match type "external",
enabling named to defer the decision of whether to
allow a dynamic update to an external daemon.
(Contributed by Andrew Tridgell.) [RT #22758]
3000. [bug] More TKEY/GSS fixes:
- nsupdate can now get the default realm from
the user's Kerberos principal
- corrected gsstest compilation flags
- improved documentation
- fixed some NULL dereferences
[RT #22795]
2992. [contrib] contrib/check-secure-delegation.pl: A simple tool
for looking at a secure delegation. [RT #22059]
2991. [contrib] contrib/zone-edit.sh: A simple zone editing tool for
dynamic zones. [RT #22365]
2990. [bug] 'dnssec-settime -S' no longer tests prepublication
interval validity when the interval is set to 0.
[RT #22761]
2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation
of external DLZ drivers that can be loaded as
shared objects at runtime rather than linked with
named. Currently this is switched on via a
compile-time option, "configure --with-dlz-dlopen".
Note: the syntax for configuring DLZ zones
is likely to be refined in future releases.
(Contributed by Andrew Tridgell of the Samba
project.) [RT #22629]
2985. [bug] Add a regression test for change #2896. [RT #21324]
2983. [bug] Include "loadkeys" in rndc help output. [RT #22493]
2980. [bug] named didn't properly handle UPDATES that changed the
TTL of the NSEC3PARAM RRset. [RT #22363]
2977. [bug] 'nsupdate -l' report if the session key is missing.
[RT #21670]
2974. [bug] Some valid UPDATE requests could fail due to a
consistency check examining the existing version
of the zone rather than the new version resulting
from the UPDATE. [RT #22413]
2973. [bug] bind.keys.h was being removed by the "make clean"
at the end of configure resulting in build failures
where there is very old version of perl installed.
Move it to "make maintainer-clean". [RT #22230]
2963. [security] The allow-query acl was being applied instead of the
allow-query-cache acl to cache lookups. [RT #22114]
2961. [bug] Be still more selective about the non-authoritative
answers we apply change 2748 to. [RT #22074]
2958. [bug] named failed to start with a missing master file.
[RT #22076]
2949. [bug] dns_view_setnewzones() contained a memory leak if
it was called multiple times. [RT #21942]
2948. [port] MacOS: provide a mechanism to configure the test
interfaces at reboot. See bin/tests/system/README
for details.
2940. [port] Remove connection aborted error message on
Windows. [RT #21549]
2938. [bug] When generating signed responses, from a signed zone
that uses NSEC3, named would use a uninitialised
pointer if it needed to skip a NSEC3 record because
it didn't match the selected NSEC3PARAM record for
zone. [RT# 21868]
2930. [experimental] New "rndc addzone" and "rndc delzone" commads
allow dynamic addition and deletion of zones.
To enable this feature, specify a "new-zone-file"
option at the view or options level in named.conf.
Zone configuration information for the new zones
will be written into that file. To make the new
zones persist after a restart, "include" the file
into named.conf in the appropriate view. (Note:
This feature is not yet documented, and its syntax
is expected to change.) [RT #19447]
2928. [bug] Be more selective about the non-authoritative
answer we apply change 2748 to. [RT #21594]
2914. [bug] Make the "autosign" system test more portable.
[RT #20997]
2909. [bug] named-checkconf -p could die if "update-policy local;"
was specified in named.conf. [RT #21416]
2907. [bug] The export version of libdns had undefined references.
[RT #21444]
2906. [bug] Address RFC 5011 implementation issues. [RT #20903]
2903. [bug] managed-keys-directory missing from namedconf.c.
[RT #21370]
2897. [bug] NSEC3 chains could be left behind when transitioning
to insecure. [RT #21040]
2896. [bug] "rndc sign" failed to properly update the zone
when adding a DNSKEY for publication only. [RT #21045]
2893. [bug] Improve managed keys support. New named.conf option
managed-keys-directory. [RT #20924]
2892. [bug] Handle REVOKED keys better. [RT #20961]
2887. [bug] Report the keytag times in UTC in the .key file,
local time is presented as a comment within the
comment. [RT #21223]
2886. [bug] ctime() is not thread safe. [RT #21223]
2880. [cleanup] Make the output of dnssec-keygen and dnssec-revoke
consistent. [RT #21078]
2873. [bug] Cancelling a dynamic update via the dns/client module
could trigger an assertion failure. [RT #21133]
2872. [bug] Modify dns/client.c:dns_client_createx() to only
require one of IPv4 or IPv6 rather than both.
[RT #21122]
2871. [bug] Type mismatch in mem_api.c between the definition and
the header file, causing build failure with
--enable-exportlib. [RT #21138]
2861. [doc] dnssec-settime man pages didn't correctly document the
inactivation time. [RT #21039]
2860. [bug] named-checkconf's usage was out of date. [RT #21039]
2848. [doc] Moved README.dnssec, README.libdns, README.pkcs11 and
README.rfc5011 into the ARM. [RT #20899]
2847. [cleanup] Corrected usage message in dnssec-settime. [RT #20921]
2845. [bug] RFC 5011 client could crash on shutdown. [RT #20903]
2841. [bug] Change 2836 was not complete. [RT #20883]
2840. [bug] Temporary fixed pkcs11-destroy usage check.
[RT #20760]
2839. [bug] A KSK revoked by named could not be deleted.
[RT #20881]
2836. [bug] Keys that were scheduled to become active could
be delayed. [RT #20874]
2835. [bug] Key inactivity dates were inadvertently stored in
the private key file with the outdated tag
"Unpublish" rather than "Inactive". This has been
fixed; however, any existing keys that had Inactive
dates set will now need to have them reset, using
'dnssec-settime -I'. [RT #20868]
2834. [bug] HMAC-SHA* keys that were longer than the algorithm
digest length were used incorrectly, leading to
interoperability problems with other DNS
implementations. This has been corrected.
(Note: If an oversize key is in use, and
compatibility is needed with an older release of
BIND, the new tool "isc-hmac-fixup" can convert
the key secret to a form that will work with all
versions.) [RT #20751]
2833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime.
[RT #20851]
2832. [bug] Modify "struct stat" in lib/export/samples/nsprobe.c
to avoid redefinition in some OSs [RT 20831]
2830. [bug] Changing the OPTOUT setting could take multiple
passes. [RT #20813]
2829. [bug] Fixed potential node inconsistency in rbtdb.c.
[RT #20808]
2826. [bug] NSEC3->NSEC transitions could fail due to a lock not
being released. [RT #20740]
2824. [bug] "rndc sign" was not being run by the correct task.
[RT #20759]
2822. [bug] rbtdb.c:loadnode() could return the wrong result.
[RT #20802]
2821. [doc] Add note that named-checkconf doesn't automatically
read rndc.key and bind.keys [RT #20758]
2816. [bug] previous_closest_nsec() could fail to return
data for NSEC3 nodes [RT #29730]
2813. [bug] Better handling of unreadable DNSSEC key files.
[RT #20710]
2812. [bug] Make sure updates can't result in a zone with
NSEC-only keys and NSEC3 records. [RT #20748]
2811. [cleanup] Add "rndc sign" to list of commands in rndc usage
output. [RT #20733]
2810. [doc] Clarified the process of transitioning an NSEC3 zone
to insecure. [RT #20746]
2809. [cleanup] Restored accidentally-deleted text in usage output
in dnssec-settime and dnssec-revoke [RT #20739]
2808. [bug] Remove the attempt to install atomic.h from lib/isc.
atomic.h is correctly installed by the architecture
specific subdirectories. [RT #20722]
2807. [bug] Fixed a possible ASSERT when reconfiguring zone
keys. [RT #20720]
2806. [bug] "rdnc sign" could delay re-signing the DNSKEY
when it had changed. [RT #20703]
2805. [bug] Fixed namespace problems encountered when building
external programs using non-exported BIND9 libraries
(i.e., built without --enable-exportlib). [RT #20679]
2804. [bug] Send notifies when a zone is signed with "rndc sign"
or as a result of a scheduled key change. [RT #20700]
2803. [port] win32: Install named-journalprint, nsec3hash, arpaname
and genrandom under windows. [RT #20670]
2802. [cleanup] Rename journalprint to named-journalprint. [RT #20670]
2799. [cleanup] Changed the "secure-to-insecure" option to
"dnssec-secure-to-insecure", and "dnskey-ksk-only"
to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
2798. [bug] Addressed bugs in managed-keys initialization
and rollover. [RT #20683]
2796. [bug] Missing dns_rdataset_disassociate() call in
dns_nsec3_delnsec3sx(). [RT #20681]
2795. [cleanup] Add text to differentiate "update with no effect"
log messages. [RT #18889]
2794. [bug] Install <isc/namespace.h>. [RT #20677]
2791. [bug] The installation of isc-config.sh was broken.
[RT #20667]
2788. [bug] dnssec-signzone could sign with keys that were
not requested [RT #20625]
2787. [bug] Spurious log message when zone keys were
dynamically reconfigured. [RT #20659]
2785. [bug] Revoked keys could fail to self-sign [RT #20652]
2781. [bug] Inactive keys could be used for signing. [RT #20649]
2780. [bug] dnssec-keygen -A none didn't properly unset the
activation date in all cases. [RT #20648]
2779. [bug] Dynamic key revokation could fail. [RT #20644]
2778. [bug] dnssec-signzone could fail when a key was revoked
without deleting the unrevoked version. [RT #20638]
2776. [bug] Change #2762 was not correct. [RT #20647]
2775. [bug] Accept RSASHA256 and RSASHA512 as NSEC3 compatible
in dnssec-keyfromlabel. [RT #20643]
2774. [bug] Existing cache DB wasn't being reused after
reconfiguration. [RT #20629]
2773. [bug] In autosigned zones, the SOA could be signed
with the KSK. [RT #20628]
2771. [bug] dnssec-signzone: DNSKEY records could be
corrupted when importing from key files [RT #20624]
2770. [cleanup] Add log messages to resolver.c to indicate events
causing FORMERR responses. [RT #20526]
2769. [cleanup] Change #2742 was incomplete. [RT #19589]
2768. [bug] dnssec-signzone: -S no longer implies -g [RT #20568]
2767. [bug] named could crash on startup if a zone was
configured with auto-dnssec and there was no
key-directory. [RT #20615]
2766. [bug] isc_socket_fdwatchpoke() should only update the
socketmgr state if the socket is not pending on a
read or write. [RT #20603]
2764. [bug] "rndc-confgen -a" could trigger a REQUIRE. [RT #20610]
2763. [bug] "rndc sign" didn't create an NSEC chain. [RT #20591]
2762. [bug] DLV validation failed with a local slave DLV zone.
[RT #20577]
2761. [cleanup] Enable internal symbol table for backtrace only for
systems that are known to work. Currently, BSD
variants, Linux and Solaris are supported. [RT# 20202]
2756. [bug] Fixed corrupt logfile message in update.c. [RT# 20597]
2753. [bug] Removed an unnecessary warning that could appear when
building an NSEC chain. [RT #20589]
2752. [bug] Locking violation. [RT #20587]
2751. [bug] Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]
2746. [port] hpux: address signed/unsigned expansion mismatch of
dns_rbtnode_t.nsec. [RT #20542]
2745. [bug] configure script didn't probe the return type of
gai_strerror(3) correctly. [RT #20573]
2742. [cleanup] Clarify some DNSSEC-related log messages in
validator.c. [RT #19589]
2739. [cleanup] Clean up API for initializing and clearing trust
anchors for a view. [RT #20211]
2735. [bug] dnssec-signzone could fail to read keys
that were specified on the command line with
full paths, but weren't in the current
directory. [RT #20421]
2734. [port] cygwin: arpaname did not compile. [RT #20473]
2733. [cleanup] Clean up coding style in pkcs11-* tools. [RT #20355]
2728. [bug] dssec-keygen, dnssec-keyfromlabel and
dnssec-signzone now warn immediately if asked to
write into a nonexistent directory. [RT #20278]
2725. [doc] Added information about the file "managed-keys.bind"
to the ARM. [RT #20235]
2724. [bug] Updates to a existing node in secure zone using NSEC
were failing. [RT #20448]
2720. [bug] RFC 5011 trust anchor updates could trigger an
assert if the DNSKEY record was unsigned. [RT #20406]
2717. [bug] named failed to update the NSEC/NSEC3 record when
the last private type record was removed as a result
of completing the signing the zone with a key.
[RT #20399]
2711. [port] win32: Add the bin/pkcs11 tools into the full
build. [RT #20372]
2694. [bug] Reduce default NSEC3 iterations from 100 to 10.
[RT #19970]
2693. [port] Add some noreturn attributes. [RT #20257]
2687. [bug] Fixed dnssec-signzone -S handling of revoked keys.
Also, added warnings when revoking a ZSK, as this is
not defined by protocol (but is legal). [RT #19943]
2685. [contrib] Update contrib/zkt to version 0.99c. [RT #20054]
2684. [cleanup] dig: formalize +ad and +cd as synonyms for
+adflag and +cdflag. [RT #19305]
2682. [bug] "configure --enable-symtable=all" failed to
build. [RT #20282]
2676. [bug] --with-export-installdir should have been
--with-export-includedir. [RT #20252]
2675. [bug] dnssec-signzone could crash if the key directory
did not exist. [RT #20232]
2674. [bug] "dnssec-lookaside auto;" crashed if named was built
without openssl. [RT #20231]
2673. [bug] The managed-keys.bind zone file could fail to
load due to a spurious result from sync_keyzone()
[RT #20045]
2671. [bug] Add support for PKCS#11 providers not returning
the public exponent in RSA private keys
(OpenCryptoki for instance) in
dnssec-keyfromlabel. [RT #19294]
2664. [bug] create_keydata() and minimal_update() in zone.c
didn't properly check return values for some
functions. [RT #19956]
2658. [bug] dnssec-settime and dnssec-revoke didn't process
key file paths correctly. [RT #20078]
2657. [cleanup] Lower "journal file <path> does not exist, creating it"
log level to debug 1. [RT #20058]
2655. [doc] Document that key-directory does not affect
bind.keys, rndc.key or session.key. [RT #20155]
2654. [bug] Improve error reporting on duplicated names for
deny-answer-xxx. [RT #20164]
2651. [bug] Dates could print incorrectly in K*.key files on
64-bit systems. [RT #20076]
2650. [bug] Assertion failure in dnssec-signzone when trying
to read keyset-* files. [RT #20075]
2644. [bug] Change #2628 caused a regression on some systems;
named was unable to write the PID file and would
fail on startup. [RT #20001]
2641. [bug] Fixed an error in parsing update-policy syntax,
added a regression test to check it. [RT #20007]
2638. [bug] Install arpaname. [RT #19957]
2634. [port] win32: Add support for libxml2, enable
statschannel. [RT #19773]
2631. [bug] Handle "//", "/./" and "/../" in mkdirpath().
[RT #19926 ]
2629. [port] Check for seteuid()/setegid(), use setresuid()/
setresgid() if not present. [RT #19932]
2628. [port] linux: Allow /var/run/named/named.pid to be opened
at startup with reduced capabilities in operation.
[RT #19884]
2627. [bug] Named aborted if the same key was included in
trusted-keys more than once. [RT #19918]
2626. [bug] Multiple trusted-keys could trigger an assertion
failure. [RT #19914]
2622. [bug] Printing of named.conf grammar was broken. [RT #19919]
2600. [doc] ARM: miscellaneous reformatting for different
page widths. [RT #19574]
2566. [cleanup] Clarify logged message when an insecure DNSSEC
response arrives from a zone thought to be secure:
"insecurity proof failed" instead of "not
insecure". [RT #19400]
2537. [func] Added more statistics counters including those on socket
I/O events and query RTT histograms. [RT #18802]
2525. [experimental] New logging category "query-errors" to provide detailed
internal information about query failures, especially
about server failures. [RT #19027]
Reference in a new issue View git blame Copy permalink