author | Brad Smith <brad@cvs.openbsd.org> | 2014-09-15 19:36:44 +0000 |
---|---|---|
committer | Brad Smith <brad@cvs.openbsd.org> | 2014-09-15 19:36:44 +0000 |
commit | 6e950f1ad9b9b02c4c07f770b5395a56956e12c7 (patch) | |
tree | 4b29abdd8fc96aae37403376b6008c00ef043d3e | |
parent | d501a4d11c4ddbbda2648a1b99b18b3ba5c517c9 (diff) |
Garbage collecting some further bits that are not necessary
within the BIND directory and for Makefile.in removing some
files that no longer exist for the distclean target.
ok sthen@
-rw-r--r-- | usr.sbin/bind/CHANGES | 7168 |
-rw-r--r-- | usr.sbin/bind/COPYRIGHT | 30 |
-rw-r--r-- | usr.sbin/bind/FAQ | 781 |
-rw-r--r-- | usr.sbin/bind/FAQ.xml | 1007 |
-rw-r--r-- | usr.sbin/bind/Makefile.in | 1 |
-rw-r--r-- | usr.sbin/bind/README | 601 |
-rw-r--r-- | usr.sbin/bind/README.OpenBSD | 16 |
-rw-r--r-- | usr.sbin/bind/docutil/HTML_COPYRIGHT | 16 |
-rw-r--r-- | usr.sbin/bind/docutil/MAN_COPYRIGHT | 16 |
9 files changed, 0 insertions, 9636 deletions
diff --git a/usr.sbin/bind/CHANGES b/usr.sbin/bind/CHANGES deleted file mode 100644 index a8d3857a8c9..00000000000 --- a/usr.sbin/bind/CHANGES +++ /dev/null 
@@ -1,7168 +0,0 @@ - --- 9.4.2-P2 released --- - -2406. [bug] Some operating systems have FD_SETSIZE set to a - low value by default, which can cause resource - exhaustion when many simultaneous connections are - open. Linux in particular makes it difficult to - increase this value. To use more sockets with - select(), set ISC_SOCKET_FDSETSIZE. Example: - STD_CDEFINES="-DISC_SOCKET_FDSETSIZE=4096" ./configure - (This should not be necessary in most cases, and - never for an authoritative-only server.) [RT #18328] - -2404. [port] hpux: files unlimited support. - -2403. [bug] TSIG context leak. [RT #18341] - -2402. [port] Support Solaris 2.11 and over. [RT #18362] - -2401. [bug] Expect to get E[MN]FILE errno internal_accept() - (from accept() or fcntl() system calls). [RT #18358] - -2399. [bug] Abort timeout queries to reduce the number of open - UDP sockets. [RT #18367] - -2398. [bug] Improve file descriptor management. New, - temporary, named.conf option reserved-sockets, - default 512. [RT #18344] - -2396. [bug] Don't set SO_REUSEADDR for randomized ports. - [RT #18336] - -2395. [port] Avoid warning and no effect from "files unlimited" - on Linux when running as root. [RT #18335] - -2394. [bug] Default configuration options set the limit for - open files to 'unlimited' as described in the - documentation. [RT #18331] - -2392. [bug] remove 'grep -q' from acl test script, some platforms - don't support it. [RT #18253] - -2322. [port] MacOS: work around the limitation of setrlimit() - for RLIMIT_NOFILE. [RT #17526] - - --- 9.4.2-P1 released --- - -2375. [security] Fully randomize UDP query ports to improve - forgery resilience. [RT #17949] - - --- 9.4.2 released --- - --- 9.4.2rc2 released --- - -2259. [bug] Reverse incorrect LIBINTERFACE bump of libisc - in 9.4.2rc1. Applications built against 9.4.2rc1 - will need to be rebuilt. - -2258. [bug] Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken. - [RT #17241] - -2257. 
[bug] win32: Use the full path to vcredist_x86.exe when - calling it. [RT #17222] - -2256. [bug] win32: Correctly register the installation location of - bindevt.dll. [RT #17159] - -2255. [bug] L.ROOT-SERVERS.NET is now 199.7.83.42. - -2254. [bug] timer.c:dispatch() failed to lock timer->lock - when reading timer->idle allowing it to see - intermediate values as timer->idle was reset by - isc_timer_touch(). [RT #17243] - - --- 9.4.2rc1 released --- - -2251. [doc] Update memstatistics-file documentation to reflect - reality. Note there is behaviour change for BIND 9.5. - [RT #17113] - -2249. [bug] Only set Authentic Data bit if client requested - DNSSEC, per RFC 3655 [RT #17175] - -2248. [cleanup] Fix several errors reported by Coverity. [RT #17160] - -2245. [bug] Validating lack of DS records at trust anchors wasn't - working. [RT #17151] - -2238. [bug] It was possible to trigger a REQUIRE when a - validation was cancelled. [RT #17106] - -2237. [bug] libbind: res_init() was not thread aware. [RT #17123] - -2236. [bug] dnssec-signzone failed to preserve the case of - of wildcard owner names. [RT #17085] - -2235. [bug] <isc/atomic.h> was not being installed. [RT #17135] - -2234. [port] Correct some compiler warnings on SCO OSr5 [RT #17134] - -2232. [bug] dns_adb_findaddrinfo() could fail and return - ISC_R_SUCCESS. [RT #17137] - -2231. [bug] Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken. - [RT #17088] - -2230. [bug] We could INSIST reading a corrupted journal. - [RT #17132] - -2228. [contrib] contrib: Change 2188 was incomplete. - -2227. [cleanup] Tidied up the FAQ. [RT #17121] - -2225. [bug] More support for systems with no IPv4 addresses. - [RT #17111] - -2224. [bug] Defer journal compaction if a xfrin is in progress. - [RT #17119] - -2223. [bug] Make a new journal when compacting. [RT #17119] - -2221. [bug] Set the event result code to reflect the actual - record returned to caller when a cache update is - rejected due to a more credible answer existing. 
- [RT #17017] - -2220. [bug] win32: Address a race condition in final shutdown of - the Windows socket code. [RT #17028] - -2219. [bug] Apply zone consistancy checks to additions, not - removals, when updating. [RT #17049] - -2218. [bug] Remove unnecessary REQUIRE from dns_validator_create(). - [RT #16976] - -2216. [cleanup] Fix a number of errors reported by Coverity. - [RT #17094] - -2215. [bug] Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094] - -2214. [bug] Deregister OpenSSL lock callback when cleaning - up. Reorder OpenSSL cleanup so that RAND_cleanup() - is called before the locks are destroyed. [RT #17098] - -2213. [bug] SIG0 diagnostic failure messages were looking at the - wrong status code. [RT #17101] - -2212. [func] 'host -m' now causes memory statistics and active - memory to be printed at exit. [RT 17028] - -2210. [bug] Deleting class specific records via UPDATE could - fail. [RT #17074] - -2209. [port] osx: linking against user supplied static OpenSSL - libraries failed as the system ones were still being - found. [RT #17078] - -2208. [port] win32: make sure both build methods produce the - same output. [RT #17058] - -2207. [port] Some implementations of getaddrinfo() fail to set - ai_canonname correctly. [RT #17061] - - --- 9.4.2b1 released --- - -2206. [security] "allow-query-cache" and "allow-recursion" now - cross inherit from each other. - - If allow-query-cache is not set in named.conf then - allow-recursion is used if set, otherwise allow-query - is used if set, otherwise the default (localnets; - localhost;) is used. - - If allow-recursion is not set in named.conf then - allow-query-cache is used if set, otherwise allow-query - is used if set, otherwise the default (localnets; - localhost;) is used. - - [RT #16987] - -2205. [bug] libbind: change #2119 broke thread support. [RT #16982] - -2203. [security] Query id generation was cryptographically weak. - [RT # 16915] - -2202. 
[security] The default acls for allow-query-cache and - allow-recursion were not being applied. [RT #16960] - -2200. [bug] The search for cached NSEC records was stopping to - early leading to excessive DLV queries. [RT #16930] - -2199. [bug] win32: don't call WSAStartup() while loading dlls. - [RT #16911] - -2198. [bug] win32: RegCloseKey() could be called when - RegOpenKeyEx() failed. [RT #16911] - -2197. [bug] Add INSIST to catch negative responses which are - not setting the event result code appropriately. - [RT #16909] - -2196. [port] win32: yield processor while waiting for once to - to complete. [RT #16958] - -2194. [bug] Close journal before calling 'done' in xfrin.c. - -2193. [port] win32: BINDInstall.exe is now linked statically. - [RT #16906] - -2192. [port] win32: use vcredist_x86.exe to install Visual - Studio's redistributable dlls if building with - Visual Stdio 2005 or later. - -2189. [bug] Handle socket() returning EINTR. [RT #15949] - -2188. [contrib] queryperf: autoconf changes to make the search for - libresolv or libbind more robust. [RT #16299] - -2187. [bug] query_addds(), query_addwildcardproof() and - query_addnxrrsetnsec() should take a version - arguement. [RT #16368] - -2186. [port] cygwin: libbind: check for struct sockaddr_storage - independently of IPv6. [RT #16482] - -2185. [port] sunos: libbind: check for ssize_t, memmove() and - memchr(). [RT #16463] - -2183. [bug] dnssec-signzone didn't handle offline private keys - well. [RT #16832] - -2182. [bug] dns_dispatch_createtcp() and dispatch_createudp() - could return ISC_R_SUCCESS when they ran out of - memory. [RT #16365] - -2181. [port] sunos: libbind: add paths.h from BIND 8. [RT #16462] - -2180. [cleanup] Remove bit test from 'compress_test' as they - are no longer needed. [RT #16497] - -2178. [bug] 'rndc reload' of a slave or stub zone resulted in - a reference leak. [RT #16867] - -2177. [bug] Array bounds overrun on read (rcodetext) at - debug level 10+. [RT #16798] - -2176. 
[contrib] dbus update to handle race condition during - initialisation (Bugzilla 235809). [RT #16842] - -2175. [bug] win32: windows broadcast condition variable support - was broken. [RT #16592] - -2174. [bug] I/O errors should always be fatal when reading - master files. [RT #16825] - -2173. [port] win32: When compiling with MSVS 2005 SP1 we also - need to ship Microsoft.VC80.MFCLOC. - -2171. [bug] Handle breaks in DNSSEC trust chains where the parent - servers are not DS aware (DS queries to the parent - return a referral to the child). - -2170. [func] Add acache processing to test suite. [RT #16711] - -2169. [bug] host, nslookup: when reporting NXDOMAIN report the - given name and not the last name searched for. - [RT #16763] - -2168. [bug] nsupdate: in non-interactive mode treat syntax errors - as fatal errors. [RT #16785] - -2167. [bug] When re-using a automatic zone named failed to - attach it to the new view. [RT #16786] - -2166. [bug] When running in batch mode, dig could misinterpret - a server address as a name to be looked up, causing - unexpected output. [RT #16743] - -2164. [bug] The code to determine how named-checkzone / - named-compilezone was called failed under windows. - [RT #16764] - -2162. [func] Allow "rrset-order fixed" to be disabled at compile - time. [RT #16665] - -2161. [bug] 'rndc flush' could report a false success. [RT #16698] - -2160. [bug] libisc wasn't handling NULL ifa_addr pointers returned - from getifaddrs(). [RT #16708] - -2159. [bug] Array bounds overrun in acache processing. [RT #16710] - -2158. [bug] ns_client_isself() failed to initialise key - leading to a REQUIRE failure. [RT #16688] - -2156. [bug] Fix node reference leaks in lookup.c:lookup_find(), - resolver.c:validated() and resolver.c:cache_name(). - Fix a memory leak in rbtdb.c:free_noqname(). - Make lookup.c:lookup_find() robust against - event leaks. [RT #16685] - -2155. [contrib] SQLite sdb module from jaboydjr@netwalk.com. - [RT #16694] - -2153. 
[bug] nsupdate could leak memory. [RT #16691] - -2152. [cleanup] Use sizeof(buf) instead of fixed number in - dighost.c:get_trusted_key(). [RT #16678] - -2151. [bug] Missing newline in usage message for journalprint. - [RT #16679] - -2150. [bug] 'rrset-order cyclic' uniformly distribute the - starting point for the first response for a given - RRset. [RT #16655] - -2149. [bug] isc_mem_checkdestroyed() failed to abort on - if there were still active memory contexts. - [RT #16672] - -2147. [bug] libbind: remove potential buffer overflow from - hmac_link.c. [RT #16437] - -2146. [cleanup] Silence Linux's spurious "obsolete setsockopt - SO_BSDCOMPAT" message. [RT #16641] - -2145. [bug] Check DS/DLV digest lengths for known digests. - [RT #16622] - -2144. [cleanup] Suppress logging of SERVFAIL from forwarders. - [RT #16619] - -2143. [bug] We failed to restart the IPv6 client when the - kernel failed to return the destination the - packet was sent to. [RT #16613] - -2142. [bug] Handle master files with a modification time that - matches the epoch. [RT# 16612] - -2141. [bug] dig/host should not be setting IDN_ASCCHECK (IDN - equivalent of LDH checks). [RT #16609] - -2140. [bug] libbind: missing unlock on pthread_key_create() - failures. [RT #16654] - -2139. [bug] dns_view_find() was being called with wrong type - in adb.c. [RT #16670] - -2119. [compat] libbind: allow res_init() to succeed enough to - return the default domain even if it was unable - to allocate memory. - - --- 9.4.1 released --- - -2172. [bug] query_addsoa() was being called with a non zone db. - [RT #16834] - - --- 9.4.0 released --- - -2138. [bug] Lock order reversal in resolver.c. [RT #16653] - -2137. [port] Mips little endian and/or mips 64 bit are now - supported for atomic operations. [RT#16648] - -2136. [bug] nslookup/host looped if there was no search list - and the host didn't exist. [RT #16657] - -2135. [bug] Uninitialised rdataset in sdlz.c. [RT# 16656] - -2133. 
[port] powerpc: Support both IBM and MacOS Power PC - assembler syntaxes. [RT #16647] - -2132. [bug] Missing unlock on out of memory in - dns_dispatchmgr_setudp(). - -2131. [contrib] dlz/mysql: AXFR was broken. [RT #16630] - -2128. [doc] xsltproc --nonet, update DTD versions. [RT #16635] - - --- 9.4.0rc2 released --- - -2127. [port] Improved OpenSSL 0.9.8 support. [RT #16563] - -2126. [security] Serialise validation of type ANY responses. [RT #16555] - -2125. [bug] dns_zone_getzeronosoattl() REQUIRE failure if DLZ - was defined. [RT #16574] - -2124. [security] It was possible to dereference a freed fetch - context. [RT #16584] - -2120. [doc] Fix markup on nsupdate man page. [RT #16556] - - --- 9.4.0rc1 released --- - -2118. [bug] Handle response with long chains of domain name - compression pointers which point to other compression - pointers. [RT #16427] - -2117. [bug] DNSSEC fixes: named could fail to cache NSEC records - which could lead to validation failures. named didn't - handle negative DS responses that were in the process - of being validated. Check CNAME bit before accepting - NODATA proof. To be able to ignore a child NSEC there - must be SOA (and NS) set in the bitmap. [RT #16399] - -2116. [bug] 'rndc reload' could cause the cache to continually - be cleaned. [RT #16401] - -2115. [bug] 'rndc reconfig' could trigger a INSIST if the - number of masters for a zone was reduced. [RT #16444] - -2114. [bug] dig/host/nslookup: searches for names with multiple - labels were failing. [RT #16447] - -2113. [bug] nsupdate: if a zone is specified it should be used - for server discover. [RT# 16455] - -2112. [security] Warn if weak RSA exponent is used. [RT #16460] - -2111. [bug] Fix a number of errors reported by Coverity. - [RT #16507] - -2110. [bug] "minimal-response yes;" interacted badly with BIND 8 - priming queries. [RT #16491] - -2109. [port] libbind: silence aix 5.3 compiler warnings. [RT #16502] - -2107. [bug] dighost.c: more cleanup of buffers. 
[RT #16499] - -2104. [port] Fix Solaris SMF error message. - -2103. [port] Add /usr/sfw to list of locations for OpenSSL - under Solaris. - -2102. [port] Silence solaris 10 warnings. - - --- 9.4.0b4 released --- - -2101. [bug] OpenSSL version checks were not quite right. - [RT #16476] - -2100. [port] win32: copy libeay32.dll to Build\Debug. - Copy Debug\named-checkzone to Debug\named-compilezone. - -2099. [port] win32: more manifiest issues. - -2098. [bug] Race in rbtdb.c:no_references(), which occasionally - triggered an INSIST failure about the node lock - reference. [RT #16411] - - --- 9.4.0b3 released --- - -2097. [bug] named could reference a destroyed memory context - after being reloaded / reconfigured. [RT #16428] - -2096. [bug] libbind: handle applications that fail to detect - res_init() failures better. - -2095. [port] libbind: alway prototype inet_cidr_ntop_ipv6() and - net_cidr_ntop_ipv6(). [RT #16388] - -2094. [contrib] Update named-bootconf. [RT# 16404] - -2093. [bug] named-checkzone -s was broken. - -2092. [bug] win32: dig, host, nslookup. Use registry config - if resolv.conf does not exist or no nameservers - listed. [RT #15877] - -2091. [port] dighost.c: race condition on cleanup. [RT #16417] - -2090. [port] win32: Visual C++ 2005 command line manifest support. - [RT #16417] - -2089. [security] Raise the minimum safe OpenSSL versions to - OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions - prior to these have known security flaws which - are (potentially) exploitable in named. [RT #16391] - -2088. [security] Change the default RSA exponent from 3 to 65537. - [RT #16391] - -2087. [port] libisc failed to compile on OS's w/o a vsnprintf. - [RT #16382] - -2086. [port] libbind: FreeBSD now has get*by*_r() functions. - [RT #16403] - -2085. [doc] win32: added index.html and README to zip. [RT #16201] - -2084. [contrib] dbus update for 9.3.3rc2. - -2083. [port] win32: Visual C++ 2005 support. - -2082. [doc] Document 'cache-file' as a test only option. 
- - --- 9.4.0b2 released --- - -2081. [port] libbind: minor 64-bit portability fix in memcluster.c. - [RT #16360] - -2080. [port] libbind: res_init.c did not compile on older versions - of Solaris. [RT #16363] - -2079. [bug] The lame cache was not handling multiple types - correctly. [RT #16361] - -2078. [bug] dnssec-checkzone output style "default" was badly - named. It is now called "relative". [RT #16326] - -2077. [bug] 'dnssec-signzone -O raw' wasn't outputing the - complete signed zone. [RT #16326] - -2076. [bug] Several files were missing #include <config.h> - causing build failures on OSF. [RT #16341] - -2075. [bug] The spillat timer event hander could leak memory. - [RT #16357] - -2074. [bug] dns_request_createvia2(), dns_request_createvia3(), - dns_request_createraw2() and dns_request_createraw3() - failed to send multiple UDP requests. [RT #16349] - -2073. [bug] Incorrect semantics check for update policy "wildcard". - [RT #16353] - -2072. [bug] We were not generating valid HMAC SHA digests. - [RT #16320] - -2071. [port] Test whether gcc accepts -fno-strict-aliasing. - [RT #16324] - -2070. [bug] The remote address was not always displayed when - reporting dispatch failures. [RT #16315] - -2069. [bug] Cross compiling was not working. [RT #16330] - -2068. [cleanup] Lower incremental tuning message to debug 1. - [RT #16319] - -2067. [bug] 'rndc' could close the socket too early triggering - a INSIST under Windows. [RT #16317] - -2066. [security] Handle SIG queries gracefully. [RT #16300] - -2065. [bug] libbind: probe for HPUX prototypes for - endprotoent_r() and endservent_r(). [RT 16313] - -2064. [bug] libbind: silence AIX compiler warnings. [RT #16218] - -2063. [bug] Change #1955 introduced a bug which caused the first - 'rndc flush' call to not free memory. [RT #16244] - -2062. [bug] 'dig +nssearch' was reusing a buffer before it had - been returned by the socket code. [RT #16307] - -2061. [bug] Accept expired wildcard message reversed. 
[RT #16296] - -2060. [bug] Enabling DLZ support could leave views partially - configured. [RT #16295] - - --- 9.4.0b1 released --- - -2059. [bug] Search into cache rbtdb could trigger an INSIST - failure while cleaning up a stale rdataset. - [RT #16292] - -2058. [bug] Adjust how we calculate rtt estimates in the presence - of authoritative servers that drop EDNS and/or CD - requests. Also fallback to EDNS/512 and plain DNS - faster for zones with less than 3 servers. [RT #16187] - -2057. [bug] Make setting "ra" dependent on both allow-query-cache - and allow-recursion. [RT #16290] - -2056. [bug] dig: ixfr= was not being treated case insensitively - at all times. [RT #15955] - -2055. [bug] Missing goto after dropping multicast query. - [RT #15944] - -2054. [port] freebsd: do not explicitly link against -lpthread. - [RT #16170] - -2053. [port] netbsd:libbind: silence compiler warnings. [RT #16220] - -2052. [bug] 'rndc' improve connect failed message to report - the failing address. [RT #15978] - -2051. [port] More strtol() fixes. [RT #16249] - -2050. [bug] Parsing of NSAP records was not case insensitive. - [RT #16287] - -2049. [bug] Restore SOA before AXFR when falling back from - a attempted IXFR when transfering in a zone. - Allow a initial SOA query before attempting - a AXFR to be requested. [RT #16156] - -2048. [bug] It was possible to loop forever when using - avoid-v4-udp-ports / avoid-v6-udp-ports when - the OS always returned the same local port. - [RT #16182] - -2047. [bug] Failed to initialise the interface flags to zero. - [RT #16245] - -2046. [bug] rbtdb.c:rdataset_setadditional() could cause duplicate - cleanup [RT #16247]. - -2045. [func] Use lock buckets for acache entries to limit memory - consumption. [RT #16183] - -2044. [port] Add support for atomic operations for Itanium. - [RT #16179] - -2043. [port] nsupdate/nslookup: Force the flushing of the prompt - for interactive sessions. [RT#16148] - -2042. 
[bug] named-checkconf was incorrectly rejecting the - logging category "config". [RT #16117] - -2041. [bug] "configure --with-dlz-bdb=yes" produced a bad - set of libraries to be linked. [RT #16129] - -2040. [bug] rbtdb no_references() could trigger an INSIST - failure with --enable-atomic. [RT #16022] - -2039. [func] Check that all buffers passed to the socket code - have been retrieved when the socket event is freed. - [RT #16122] - -2038. [bug] dig/nslookup/host was unlinking from wrong list - when handling errors. [RT #16122] - -2037. [func] When unlinking the first or last element in a list - check that the list head points to the element to - be unlinked. [RT #15959] - -2036. [bug] 'rndc recursing' could cause trigger a REQUIRE. - [RT #16075] - -2034. [bug] gcc: set -fno-strict-aliasing. [RT #16124] - -2033. [bug] We wern't creating multiple client memory contexts - on demand as expected. [RT #16095] - - --- 9.4.0a6 released --- - -2032. [bug] Remove a INSIST in query_addadditional2(). [RT #16074] - -2031. [bug] Emit a error message when "rndc refresh" is called on - a non slave/stub zone. [RT # 16073] - -2030. [bug] We were being overly conservative when disabling - openssl engine support. [RT #16030] - -2029. [bug] host printed out the server multiple times when - specified on the command line. [RT #15992] - -2028. [port] linux: socket.c compatability for old systems. - [RT #16015] - -2027. [port] libbind: Solaris x86 support. [RT #16020] - -2026. [bug] Rate limit the two recursive client exceeded messages. - [RT #16044] - -2025. [func] Update "zone serial unchanged" message. [RT #16026] - -2024. [bug] named emited spurious "zone serial unchanged" - messages on reload. [RT #16027] - -2023. [bug] "make install" should create ${localstatedir}/run and - ${sysconfdir} if they do not exist. [RT #16033] - -2022. [bug] If dnssec validation is disabled only assert CD if - CD was requested. [RT #16037] - -2021. [bug] dnssec-enable no; triggered a REQUIRE. 
[RT #16037] - -2020. [bug] rdataset_setadditional() could leak memory. [RT #16034] - -2019. [tuning] Reduce the amount of work performed per quantum - when cleaning the cache. [RT #15986] - -2018. [bug] Checking if the HMAC MD5 private file was broken. - [RT #15960] - -2017. [bug] allow-query default was not correct. [RT #15946] - -2016. [bug] Return a partial answer if recursion is not - allowed but requested and we had the answer - to the original qname. [RT #15945] - - --- 9.4.0a5 released --- - -2015. [cleanup] use-additional-cache is now acache-enable for - consistancy. Default acache-enable off in BIND 9.4 - as it requires memory usage to be configured. - It may be enabled by default in BIND 9.5 once we - have more experience with it. - -2014. [func] Statistics about acache now recorded and sent - to log. [RT #15976] - -2013. [bug] Handle unexpected TSIGs on unsigned AXFR/IXFR - responses more gracefully. [RT #15941] - -2012. [func] Don't insert new acache entries if acache is full. - [RT #15970] - -2011. [func] dnssec-signzone can now update the SOA record of - the signed zone, either as an increment or as the - system time(). [RT #15633] - - --- 9.4.0a4 released --- - -2009. [bug] libbind: coverity fixes. [RT #15808] - -2008. [func] It is now posssible to enable/disable DNSSEC - validation from rndc. This is useful for the - mobile hosts where the current connection point - breaks DNSSEC (firewall/proxy). [RT #15592] - - rndc validation newstate [view] - -2007. [func] It is now possible to explicitly enable DNSSEC - validation. default dnssec-validation no; to - be changed to yes in 9.5.0. [RT #15674] - -2006. [security] Allow-query-cache and allow-recursion now default - to the builtin acls "localnets" and "localhost". - - This is being done to make caching servers less - attractive as reflective amplifying targets for - spoofed traffic. This still leave authoritative - servers exposed. 
- - The best fix is for full BCP 38 deployment to - remove spoofed traffic. - -2005. [bug] libbind: Retransmission timeouts should be - based on which attempt it is to the nameserver - and not the nameserver itself. [RT #13548] - -2004. [bug] dns_tsig_sign() could pass a NULL pointer to - dst_context_destroy() when cleaning up after a - error. [RT #15835] - -2003. [bug] libbind: The DNS name/address lookup functions could - occasionally follow a random pointer due to - structures not being completely zeroed. [RT #15806] - -2002. [bug] libbind: tighten the constraints on when - struct addrinfo._ai_pad exists. [RT #15783] - -2001. [func] Check the KSK flag when updating a secure dynamic zone. - New zone option "update-check-ksk yes;". [RT #15817] - -2000. [bug] memmove()/strtol() fix was incomplete. [RT #15812] - -1999. [func] Implement "rrset-order fixed". [RT #13662] - -1998. [bug] Restrict handling of fifos as sockets to just SunOS. - This allows named to connect to entropy gathering - daemons that use fifos instead of sockets. [RT #15840] - -1997. [bug] Named was failing to replace negative cache entries - when a positive one for the type was learnt. - [RT #15818] - -1996. [bug] nsupdate: if a zone has been specified it should - appear in the output of 'show'. [RT #15797] - -1995. [bug] 'host' was reporting multiple "is an alias" messages. - [RT #15702] - -1994. [port] OpenSSL 0.9.8 support. [RT #15694] - -1993. [bug] Log messsage, via syslog, were missing the space - after the timestamp if "print-time yes" was specified. - [RT #15844] - -1992. [bug] Not all incoming zone transfer messages included the - view. [RT #15825] - -1991. [cleanup] The configuration data, once read, should be treated - as readonly. Expand the use of const to enforce this - at compile time. [RT #15813] - -1990. [bug] libbind: isc's override of broken gettimeofday() - implementions was not always effective. - [RT #15709] - -1989. 
[bug] win32: don't check the service password when - re-installing. [RT #15882] - -1988. [bug] Remove a bus error from the SHA256/SHA512 support. - [RT #15878] - -1987. [func] DS/DLV SHA256 digest algorithm support. [RT #15608] - -1986. [func] Report when a zone is removed. [RT #15849] - -1985. [protocol] DLV has now been assigned a official type code of - 32769. [RT #15807] - - Note: care should be taken to ensure you upgrade - both named and dnssec-signzone at the same time for - zones with DLV records where named is the master - server for the zone. Also any zones that contain - DLV records should be removed when upgrading a slave - zone. You do not however have to upgrade all - servers for a zone with DLV records simultaniously. - -1984. [func] dig, nslookup and host now advertise a 4096 byte - EDNS UDP buffer size by default. [RT #15855] - -1983. [func] Two new update policies. "selfsub" and "selfwild". - [RT #12895] - -1982. [bug] DNSKEY was being accepted on the parent side of - a delegation. KEY is still accepted there for - RFC 3007 validated updates. [RT #15620] - -1981. [bug] win32: condition.c:wait() could fail to reattain - the mutex lock. - -1980. [func] dnssec-signzone: output the SOA record as the - first record in the signed zone. [RT #15758] - -1979. [port] linux: allow named to drop core after changing - user ids. [RT #15753] - -1978. [port] Handle systems which have a broken recvmsg(). - [RT #15742] - -1977. [bug] Silence noisy log message. [RT #15704] - -1976. [bug] Handle systems with no IPv4 addresses. [RT #15695] - -1975. [bug] libbind: isc_gethexstring() could misparse multi-line - hex strings with comments. [RT #15814] - -1974. [doc] List each of the zone types and associated zone - options separately in the ARM. - -1973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and - HMACSHA512 support. [RT #13606] - -1972. [contrib] DBUS dynamic forwarders integation from - Jason Vas Dias <jvdias@redhat.com>. - -1971. 
[port] linux: make detection of missing IF_NAMESIZE more - robust. [RT #15443] - -1970. [bug] nsupdate: adjust UDP timeout when falling back to - unsigned SOA query. [RT #15775] - -1969. [bug] win32: the socket code was freeing the socket - structure too early. [RT #15776] - -1968. [bug] Missing lock in resolver.c:validated(). [RT #15739] - -1967. [func] dig/nslookup/host: warn about missing "QR". [RT #15779] - -1966. [bug] Don't set CD when we have fallen back to plain DNS. - [RT #15727] - -1965. [func] Suppress spurious "recusion requested but not - available" warning with 'dig +qr'. [RT #15780]. - -1964. [func] Separate out MX and SRV to CNAME checks. [RT #15723] - -1963. [port] Tru64 4.0E doesn't support send() and recv(). - [RT #15586] - -1962. [bug] Named failed to clear old update-policy when it - was removed. [RT #15491] - -1961. [bug] Check the port and address of responses forwarded - to dispatch. [RT #15474] - -1960. [bug] Update code should set NSEC ttls from SOA MINIMUM. - [RT #15465] - -1959. [func] Control the zeroing of the negative response TTL to - a soa query. Defaults "zero-no-soa-ttl yes;" and - "zero-no-soa-ttl-cache no;". [RT #15460] - -1958. [bug] Named failed to update the zone's secure state - until the zone was reloaded. [RT #15412] - -1957. [bug] Dig mishandled responses to class ANY queries. - [RT #15402] - -1956. [bug] Improve cross compile support, 'gen' is now built - by native compiler. See README for additional - cross compile support information. [RT #15148] - -1955. [bug] Pre-allocate the cache cleaning interator. [RT #14998] - -1954. [func] Named now falls back to advertising EDNS with a - 512 byte receive buffer if the initial EDNS queries - fail. [RT #14852] - -1953. [func] The maximum EDNS UDP response named will send can - now be set in named.conf (max-udp-size). This is - independent of the advertised receive buffer - (edns-udp-size). [RT #14852] - -1952. 
[port] hpux: tell the linker to build a runtime link - path "-Wl,+b:". [RT #14816]. - -1951. [security] Drop queries from particular well known ports. - Don't return FORMERR to queries from particular - well known ports. [RT #15636] - -1950. [port] Solaris 2.5.1 and earlier cannot bind() then connect() - a TCP socket. This prevents the source address being - set for TCP connections. [RT #15628] - -1949. [func] Addition memory leakage checks. [RT #15544] - -1948. [bug] If was possible to trigger a REQUIRE failure in - xfrin.c:maybe_free() if named ran out of memory. - [RT #15568] - -1947. [func] It is now possible to configure named to accept - expired RRSIGs. Default "dnssec-accept-expired no;". - Setting "dnssec-accept-expired yes;" leaves named - vulnerable to replay attacks. [RT #14685] - -1946. [bug] resume_dslookup() could trigger a REQUIRE failure - when using forwarders. [RT #15549] - -1945. [cleanup] dnssec-keygen: RSA (RSAMD5) is nolonger recommended. - To generate a RSAMD5 key you must explicitly request - RSAMD5. [RT #13780] - -1944. [cleanup] isc_hash_create() does not need a read/write lock. - [RT #15522] - -1943. [bug] Set the loadtime after rolling forward the journal. - [RT #15647] - -1597. [func] Allow notify-source and query-source to be specified - on a per server basis similar to transfer-source. - [RT #6496] - - --- 9.4.0a3 released --- - -1942. [bug] If the name of a DNSKEY match that of one in - trusted-keys do not attempt to validate the DNSKEY - using the parents DS RRset. [RT #15649] - -1941. [bug] ncache_adderesult() should set eresult even if no - rdataset is passed to it. [RT #15642] - -1940. [bug] Fixed a number of error conditions reported by - Coverity. - -1939. [bug] The resolver could dereference a null pointer after - validation if all the queries have timed out. - [RT #15528] - -1938. [bug] The validator was not correctly handling unsecure - negative responses at or below a SEP. [RT #15528] - -1937. 
[bug] sdlz doesn't handle RRSIG records. [RT #15564] - -1936. [bug] The validator could leak memory. [RT #15544] - -1935. [bug] 'acache' was DO sensitive. [RT #15430] - -1934. [func] Validate pending NS RRsets, in the authority section, - prior to returning them if it can be done without - requiring DNSKEYs to be fetched. [RT #15430] - -1919. [contrib] queryperf: a set of new features: collecting/printing - response delays, printing intermediate results, and - adjusting query rate for the "target" qps. - - --- 9.4.0a2 released --- - -1933. [bug] dump_rdataset_raw() had a incorrect INSIST. [RT #15534] - -1932. [bug] hpux: LDFLAGS was getting corrupted. [RT #15530] - -1931. [bug] Per-client mctx could require a huge amount of memory, - particularly for a busy caching server. [RT #15519] - -1930. [port] HPUX: ia64 support. [RT #15473] - -1929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM. - -1928. [bug] Race in rbtdb.c:currentversion(). [RT #15517] - -1927. [bug] Access to soanode or nsnode in rbtdb violated the - lock order rule and could cause a dead lock. - [RT# 15518] - -1926. [bug] The Windows installer did not check for empty - passwords. BINDinstall was being installed in - the wrong place. [RT #15483] - -1925. [port] All outer level AC_TRY_RUNs need cross compiling - defaults. [RT #15469] - -1924. [port] libbind: hpux ia64 support. [RT #15473] - -1923. [bug] ns_client_detach() called too early. [RT #15499] - -1922. [bug] check-tool.c:setup_logging() missing call to - dns_log_setcontext(). - -1921. [bug] Client memory contexts were not using internal - malloc. [RT# 15434] - -1920. [bug] The cache rbtdb lock array was too small to - have the desired performance characteristics. - [RT #15454] - - --- 9.4.0a1 released --- - -1918. [bug] Memory leak when checking acls. [RT #15391] - -1917. [doc] funcsynopsisinfo wasn't being treated as verbatim - when generating man pages. [RT #15385] - -1916. [func] Integrate contibuted IDN code from JPNIC. 
[RT #15383] - -1915. [bug] dig +ndots was broken. [RT #15215] - -1914. [protocol] DS is required to accept mnemonic algorithms - (RFC 4034). Still emit numeric algorithms for - compatability with RFC 3658. [RT #15354] - -1913. [func] Integrate contibuted DLZ code into named. [RT #11382] - -1912. [port] aix: atomic locking for powerpc. [RT #15020] - -1911. [bug] Update windows socket code. [RT #14965] - -1910. [bug] dig's +sigchase code overhauled. [RT #14933] - -1909. [bug] The DLV code has been re-worked to make no longer - query order sensitive. [RT #14933] - -1908. [func] dig now warns if 'RA' is not set in the answer when - 'RD' was set in the query. host/nslookup skip servers - that fail to set 'RA' when 'RD' is set unless a server - is explicitly set. [RT #15005] - -1907. [func] host/nslookup now continue (default)/fail on SERVFAIL. - [RT #15006] - -1906. [func] dig now has a '-q queryname' and '+showsearch' options. - [RT #15034] - -1905. [bug] Strings returned from cfg_obj_asstring() should be - treated as read-only. The prototype for - cfg_obj_asstring() has been updated to reflect this. - [RT #15256] - -1904. [func] Automatic empty zone creation for D.F.IP6.ARPA and - friends. Note: RFC 1918 zones are not yet covered by - this but are likely to be in a future release. - - New options: empty-server, empty-contact, - empty-zones-enable and disable-empty-zone. - -1903. [func] ISC string copy API. - -1902. [func] Attempt to make the amount of work performed in a - iteration self tuning. The covers nodes clean from - the cache per iteration, nodes written to disk when - rewriting a master file and nodes destroyed per - iteration when destroying a zone or a cache. - [RT #14996] - -1901. [cleanup] Don't add DNSKEY records to the additional section. - -1900. [bug] ixfr-from-differences failed to ensure that the - serial number increased. [RT #15036] - -1899. [func] named-checkconf now validates update-policy entries. - [RT #14963] - -1898. 
[bug] Extend ISC_SOCKADDR_FORMATSIZE and - ISC_NETADDR_FORMATSIZE to allow for scope details. - -1897. [func] x86 and x86_64 now have separate atomic locking - implementations. - -1896. [bug] Recursive clients soft quota support wasn't working - as expected. [RT #15103] - -1895. [bug] A escaped character is, potentially, converted to - the output character set too early. [RT #14666] - -1894. [doc] Review ARM for BIND 9.4. - -1893. [port] Use uintptr_t if available. [RT #14606] - -1892. [func] Support for SPF rdata type. [RT #15033] - -1891. [port] freebsd: pthread_mutex_init can fail if it runs out - of memory. [RT #14995] - -1890. [func] Raise the UDP recieve buffer size to 32k if it is - less than 32k. [RT #14953] - -1889. [port] sunos: non blocking i/o support. [RT #14951] - -1888. [func] Support for IPSECKEY rdata type. [RT #14967] - -1887. [bug] The cache could delete expired records too fast for - clients with a virtual time in the past. [RT #14991] - -1886. [bug] fctx_create() could return success even though it - failed. [RT #14993] - -1885. [func] dig: report the number of extra bytes still left in - the packet after processing all the records. - -1884. [cleanup] dighost.c: move external declarations into <dig/dig.h>. - -1883. [bug] dnssec-signzone, dnssec-keygen: handle negative debug - levels. [RT #14962] - -1882. [func] Limit the number of recursive clients that can be - waiting for a single query (<qname,qtype,qclass>) to - resolve. New options clients-per-query and - max-clients-per-query. - -1881. [func] Add a system test for named-checkconf. [RT #14931] - -1880. [func] The lame cache is now done on a <qname,qclass,qtype> - basis as some servers only appear to be lame for - certain query types. [RT #14916] - -1879. [func] "USE INTERNAL MALLOC" is now runtime selectable. - [RT #14892] - -1878. [func] Detect duplicates of UDP queries we are recursing on - and drop them. New stats category "duplicate". - [RT #2471] - -1877. 
[bug] Fix unreasonably low quantum on call to - dns_rbt_destroy2(). Remove unnecessay unhash_node() - call. [RT #14919] - -1876. [func] Additional memory debugging support to track size - and mctx arguments. [RT #14814] - -1875. [bug] process_dhtkey() was using the wrong memory context - to free some memory. [RT #14890] - -1874. [port] sunos: portability fixes. [RT #14814] - -1873. [port] win32: isc__errno2result() now reports its caller. - [RT #13753] - -1872. [port] win32: Handle ERROR_NETNAME_DELETED. [RT #13753] - -1870. [func] Added framework for handling multiple EDNS versions. - [RT #14873] - -1869. [func] dig can now specify the EDNS version when making - a query. [RT #14873] - -1868. [func] edns-udp-size can now be overridden on a per - server basis. [RT #14851] - -1867. [bug] It was possible to trigger a INSIST in - dlv_validatezonekey(). [RT #14846] - -1866. [bug] resolv.conf parse errors were being ignored by - dig/host/nslookup. [RT #14841] - -1865. [bug] Silently ignore nameservers in /etc/resolv.conf with - bad addresses. [RT #14841] - -1864. [bug] Don't try the alternative transfer source if you - got a answer / transfer with the main source - address. [RT #14802] - -1863. [bug] rrset-order "fixed" error messages not complete. - -1862. [func] Add additional zone data constancy checks. - named-checkzone has extended checking of NS, MX and - SRV record and the hosts they reference. - named has extended post zone load checks. - New zone options: check-mx and integrity-check. - [RT #4940] - -1861. [bug] dig could trigger a INSIST on certain malformed - responses. [RT #14801] - -1860. [port] solaris 2.8: hack_shutup_pthreadmutexinit was - incorrectly set. [RT #14775] - -1859. [func] Add support for CH A record. [RT #14695] - -1858. [bug] The flush-zones-on-shutdown option wasn't being - parsed. [RT #14686] - -1857. [bug] named could trigger a INSIST() if reconfigured / - reloaded too fast. [RT #14673] - -1856. 
[doc] Switch Docbook toolchain from DSSSL to XSL. - [RT #11398] - -1855. [bug] ixfr-from-differences was failing to detect changes - of ttl due to dns_diff_subtract() was ignoring the ttl - of records. [RT #14616] - -1854. [bug] lwres also needs to know the print format for - (long long). [RT #13754] - -1853. [bug] Rework how DLV interacts with proveunsecure(). - [RT #13605] - -1852. [cleanup] Remove last vestiges of dnssec-signkey and - dnssec-makekeyset (removed from Makefile years ago). - -1851. [doc] Doxygen comment markup. [RT #11398] - -1850. [bug] Memory leak in lwres_getipnodebyaddr(). [RT #14591] - -1849. [doc] All forms of the man pages (docbook, man, html) should - have consistant copyright dates. - -1848. [bug] Improve SMF integration. [RT #13238] - -1847. [bug] isc_ondestroy_init() is called too late in - dns_rbtdb_create()/dns_rbtdb64_create(). - [RT #13661] - -1846. [contrib] query-loc-0.3.0 from Stephane Bortzmeyer - <bortzmeyer@nic.fr>. - -1845. [bug] Improve error reporting to distingish between - accept()/fcntl() and socket()/fcntl() errors. - [RT #13745] - -1844. [bug] inet_pton() accepted more that 4 hexadecimal digits - for each 16 bit piece of the IPv6 address. The text - representation of a IPv6 address has been tighted - to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt). - [RT #5662] - -1843. [cleanup] CINCLUDES takes precedence over CFLAGS. This helps - when CFLAGS contains "-I /usr/local/include" - resulting in old header files being used. - -1842. [port] cmsg_len() could produce incorrect results on - some platform. [RT #13744] - -1841. [bug] "dig +nssearch" now makes a recursive query to - find the list of nameservers to query. [RT #13694] - -1840. [func] dnssec-signzone can now randomize signature end times - (dnssec-signzone -j jitter). [RT #13609] - -1839. [bug] <isc/hash.h> was not being installed. - -1838. [cleanup] Don't allow Linux capabilities to be inherited. - [RT #13707] - -1837. 
[bug] Compile time option ISC_FACILITY was not effective - for 'named -u <user>'. [RT #13714] - -1836. [cleanup] Silence compiler warnings in hash_test.c. - -1835. [bug] Update dnssec-signzone's usage message. [RT #13657] - -1834. [bug] Bad memset in rdata_test.c. [RT #13658] - -1833. [bug] Race condition in isc_mutex_lock_profile(). [RT #13660] - -1832. [bug] named fails to return BADKEY on unknown TSIG algorithm. - [RT #13620] - -1831. [doc] Update named-checkzone documentation. [RT#13604] - -1830. [bug] adb lame cache has sence of test reversed. [RT #13600] - -1829. [bug] win32: "pid-file none;" broken. [RT #13563] - -1828. [bug] isc_rwlock_init() failed to properly cleanup if it - encountered a error. [RT #13549] - -1827. [bug] host: update usage message for '-a'. [RT #37116] - -1826. [bug] Missing DESTROYLOCK() in isc_mem_createx() on out - of memory error. [RT #13537] - -1825. [bug] Missing UNLOCK() on out of memory error from in - rbtdb.c:subtractrdataset(). [RT #13519] - -1824. [bug] Memory leak on dns_zone_setdbtype() failure. - [RT #13510] - -1823. [bug] Wrong macro used to check for point to point interface. - [RT#13418] - -1822. [bug] check-names test for RT was reversed. [RT #13382] - -1820. [bug] Gracefully handle acl loops. [RT #13659] - -1819. [bug] The validator needed to check both the algorithm and - digest types of the DS to determine if it could be - used to introduce a secure zone. [RT #13593] - -1818. [bug] 'named-checkconf -z' triggered an INSIST. [RT #13599] - -1817. [func] Add support for additional zone file formats for - improving loading performance. The masterfile-format - option in named.conf can be used to specify a - non-default format. A separate command - named-compilezone was provided to generate zone files - in the new format. Additionally, the -I and -O options - for dnssec-signzone specify the input and output - formats. - -1816. [port] UnixWare: failed to compile lib/isc/unix/net.c. - [RT #13597] - -1815. 
[bug] nsupdate triggered a REQUIRE if the server was set - without also setting the zone and it encountered - a CNAME and was using TSIG. [RT #13086] - -1814. [func] UNIX domain controls are now supported. - -1813. [func] Restructured the data locking framework using - architecture dependent atomic operations (when - available), improving response performance on - multi-processor machines significantly. - x86, x86_64, alpha, powerpc, and mips are currently - supported. - -1812. [port] win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect. - [RT #13453] - -1811. [func] Preserve the case of domain names in rdata during - zone transfers. [RT #13547] - -1810. [bug] configure, lib/bind/configure make different default - decisions about whether to do a threaded build. - [RT #13212] - -1809. [bug] "make distclean" failed for libbind if the platform - is not supported. - -1808. [bug] zone.c:notify_zone() contained a race condition, - zone->db could change underneath it. [RT #13511] - -1807. [bug] When forwarding (forward only) set the active domain - from the forward zone name. [RT #13526] - -1806. [bug] The resolver returned the wrong result when a CNAME / - DNAME was encountered when fetching glue from a - secure namespace. [RT #13501] - -1805. [bug] Pending status was not being cleared when DLV was - active. [RT #13501] - -1804. [bug] Ensure that if we are queried for glue that it fits - in the additional section or TC is set to tell the - client to retry using TCP. [RT #10114] - -1803. [bug] dnssec-signzone sometimes failed to remove old - RRSIGs. [RT #13483] - -1802. [bug] Handle connection resets better. [RT #11280] - -1801. [func] Report differences between hints and real NS rrset - and associated address records. - -1800. [bug] Changes #1719 allowed a INSIST to be triggered. - [RT #13428] - -1799. [bug] 'rndc flushname' failed to flush negative cache - entries. [RT #13438] - -1798. [func] The server syntax has been extended to support a - range of servers. 
[RT #11132] - -1797. [func] named-checkconf now check acls to verify that they - only refer to existing acls. [RT #13101] - -1796. [func] "rndc freeze/thaw" now freezes/thaws all zones. - -1795. [bug] "rndc dumpdb" was not fully documented. Minor - formating issues with "rndc dumpdb -all". [RT #13396] - -1794. [func] Named and named-checkzone can now both check for - non-terminal wildcard records. - -1793. [func] Extend adjusting TTL warning messages. [RT #13378] - -1792. [func] New zone option "notify-delay". Specify a minimum - delay between sets of NOTIFY messages. - -1791. [bug] 'host -t a' still printed out AAAA and MX records. - [RT #13230] - -1790. [cleanup] Move lib/dns/sec/dst up into lib/dns. This should - allow parallel make to succeed. - -1789. [bug] Prerequisite test for tkey and dnssec could fail - with "configure --with-libtool". - -1788. [bug] libbind9.la/libbind9.so needs to link against - libisccfg.la/libisccfg.so. - -1787. [port] HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings. - -1786. [port] AIX: libt_api needs to be taught to look for - T_testlist in the main executable (--with-libtool). - [RT #13239] - -1785. [bug] libbind9.la/libbind9.so needs to link against - libisc.la/libisc.so. - -1784. [cleanup] "libtool -allow-undefined" is the default. - Leave hooks in configure to allow it to be set - if needed in the future. - -1783. [cleanup] We only need one copy of libtool.m4, ltmain.sh in the - source tree. - -1782. [port] OSX: --with-libtool + --enable-libbind broke on - __evOptMonoTime. [RT #13219] - -1781. [port] FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810] - -1780. [bug] Update libtool to 1.5.10. - -1779. [port] OSF 5.1: libtool didn't handle -pthread correctly. - -1778. [port] HUX 11.11: fix broken IN6ADDR_ANY_INIT and - IN6ADDR_LOOPBACK_INIT macros. - -1777. [port] OSF 5.1: fix broken IN6ADDR_ANY_INIT and - IN6ADDR_LOOPBACK_INIT macros. - -1776. [port] Solaris 2.9: fix broken IN6ADDR_ANY_INIT and - IN6ADDR_LOOPBACK_INIT macros. 
- -1775. [bug] Only compile getnetent_r.c when threaded. [RT #13205] - -1774. [port] Aix: Silence compiler warnings / build failures. - [RT #13154] - -1773. [bug] Fast retry on host / net unreachable. [RT #13153] - -1770. [bug] named-checkconf failed to report missing a missing - file clause for rbt{64} master/hint zones. [RT#13009] - -1769. [port] win32: change compiler flags /MTd ==> /MDd, - /MT ==> /MD. - -1768. [bug] nsecnoexistnodata() could be called with a non-NSEC - rdataset. [RT #12907] - -1767. [port] Builds on IPv6 platforms without IPv6 Advanced API - support for (struct in6_pktinfo) failed. [RT #13077] - -1766. [bug] Update the master file timestamp on successful refresh - as well as the journal's timestamp. [RT# 13062] - -1765. [bug] configure --with-openssl=auto failed. [RT #12937] - -1764. [bug] dns_zone_replacedb failed to emit a error message - if there was no SOA record in the replacment db. - [RT #13016] - -1763. [func] Perform sanity checks on NS records which refer to - 'in zone' names. [RT #13002] - -1762. [bug] isc_interfaceiter_create() could return ISC_R_SUCCESS - even when it failed. [RT #12995] - -1761. [bug] 'rndc dumpdb' didn't report unassociated entries. - [RT #12971] - -1760. [bug] Host / net unreachable was not penalising rtt - estimates. [RT #12970] - -1759. [bug] Named failed to startup if the OS supported IPv6 - but had no IPv6 interfaces configured. [RT #12942] - -1758. [func] Don't send notify messages to self. [RT #12933] - -1757. [func] host now can turn on memory debugging flags with '-m'. - -1756. [func] named-checkconf now checks the logging configuration. - [RT #12352] - -1755. [func] allow-update is now settable at the options / view - level. [RT #6636] - -1754. [bug] We wern't always attempting to query the parent - server for the DS records at the zone cut. - [RT #12774] - -1753. [bug] Don't serve a slave zone which has no NS records. - [RT #12894] - -1752. 
[port] Move isc_app_start() to after ns_os_daemonise() - as some fork() implementations unblock the signals - that are blocked by isc_app_start(). [RT #12810] - -1751. [bug] --enable-getifaddrs failed under linux. [RT #12867] - -1750. [port] lib/bind/make/rules.in:subdirs was not bash friendly. - [RT #12864] - -1749. [bug] 'check-names response ignore;' failed to ignore. - [RT #12866] - -1748. [func] dig now returns the byte count for axfr/ixfr. - -1747. [bug] BIND 8 compatability: named/named-checkconf failed - to parse "host-statistics-max" in named.conf. - -1746. [func] Make public the function to read a key file, - dst_key_read_public(). [RT #12450] - -1745. [bug] Dig/host/nslookup accept replies from link locals - regardless of scope if no scope was specified when - query was sent. [RT #12745] - -1744. [bug] If tuple2msgname() failed to convert a tuple to - a name a REQUIRE could be triggered. [RT #12796] - -1743. [bug] If isc_taskmgr_create() was not able to create the - requested number of worker threads then destruction - of the manager would trigger an INSIST() failure. - [RT #12790] - -1742. [bug] Deleting all records at a node then adding a - previously existing record, in a single UPDATE - transaction, failed to leave / regenerate the - associated RRSIG records. [RT #12788] - -1741. [bug] Deleting all records at a node in a secure zone - using a update-policy grant failed. [RT #12787] - -1740. [bug] Replace rbt's hash algorithm as it performed badly - with certain zones. [RT #12729] - - NOTE: a hash context now needs to be established - via isc_hash_create() if the application was not - already doing this. - -1739. [bug] dns_rbt_deletetree() could incorrectly return - ISC_R_QUOTA. [RT #12695] - -1738. [bug] Enable overrun checking by default. [RT #12695] - -1737. [bug] named failed if more than 16 masters were specified. - [RT #12627] - -1736. [bug] dst_key_fromnamedfile() could fail to read a - public key. [RT #12687] - -1735. 
[bug] 'dig +sigtrace' could die with a REQUIRE failure. - [RE #12688] - -1734. [cleanup] 'rndc-confgen -a -t' remove extra '/' in path. - [RT #12588] - -1733. [bug] Return non-zero exit status on initial load failure. - [RT #12658] - -1732. [bug] 'rrset-order name "*"' wasn't being applied to ".". - [RT #12467] - -1731. [port] darwin: relax version test in ifconfig.sh. - [RT #12581] - -1730. [port] Determine the length type used by the socket API. - [RT #12581] - -1729. [func] Improve check-names error messages. - -1728. [doc] Update check-names documentation. - -1727. [bug] named-checkzone: check-names support didn't match - documentation. - -1726. [port] aix5: add support for aix5. - -1725. [port] linux: update error message on interaction of threads, - capabilities and setuid support (named -u). [RT #12541] - -1724. [bug] Look for DNSKEY records with "dig +sigtrace". - [RT #12557] - -1723. [cleanup] Silence compiler warnings from t_tasks.c. [RT #12493] - -1722. [bug] Don't commit the journal on malformed ixfr streams. - [RT #12519] - -1721. [bug] Error message from the journal processing were not - always identifing the relevent journal. [RT #12519] - -1720. [bug] 'dig +chase' did not terminate on a RFC 2308 Type 1 - negative response. [RT #12506] - -1719. [bug] named was not correctly caching a RFC 2308 Type 1 - negative response. [RT #12506] - -1718. [bug] nsupdate was not handling RFC 2308 Type 3 negative - responses when looking for the zone / master server. - [RT #12506] - -1717. [port] solaris: ifconfig.sh did not support Solaris 10. - "ifconfig.sh down" didn't work for Solaris 9. - -1716. [doc] named.conf(5) was being installed in the wrong - location. [RT# 12441] - -1715. [func] 'dig +trace' now randomly selects the next servers - to try. Report if there is a bad delegation. - -1714. [bug] dig/host/nslookup were only trying the first - address when a nameserver was specified by name. - [RT #12286] - -1713. 
[port] linux: extend capset failure message to say: - please ensure that the capset kernel module is - loaded. see insmod(8) - -1712. [bug] Missing FULLCHECK for "trusted-key" in dig. - -1711. [func] 'rndc unfreeze' has been deprecated by 'rndc thaw'. - -1710. [func] 'rndc notify zone [class [view]]' resend the NOTIFY - messages for the specified zone. [RT #9479] - -1709. [port] solaris: add SMF support from Sun. - -1708. [cleanup] Replaced dns_fullname_hash() with dns_name_fullhash() - for conformance to the name space convention. Binary - backward compatibility to the old function name is - provided. [RT #12376] - -1707. [contrib] sdb/ldap updated to version 1.0-beta. - -1706. [bug] 'rndc stop' failed to cause zones to be flushed - sometimes. [RT #12328] - -1705. [func] Allow the journal's name to be changed via named.conf. - -1704. [port] lwres needed a snprintf() implementation for - platforms without snprintf(). Add missing - "#include <isc/print.h>". [RT #12321] - -1703. [bug] named would loop sending NOTIFY messages when it - failed to receive a response. [RT #12322] - -1702. [bug] also-notify should not be applied to builtin zones. - [RT #12323] - -1701. [doc] A minimal named.conf man page. - -1700. [func] nslookup is no longer to be treated as deprecated. - Remove "deprecated" warning message. Add man page. - -1699. [bug] dnssec-signzone can generate "not exact" errors - when resigning. [RT #12281] - -1698. [doc] Use reserved IPv6 documentation prefix. - -1697. [bug] xxx-source{,-v6} was not effective when it - specified one of listening addresses and a - different port than the listening port. [RT #12257] - -1696. [bug] dnssec-signzone failed to clean out nodes that - consisted of only NSEC and RRSIG records. - [RT #12154] - -1695. [bug] DS records when forwarding require special handling. - [RT #12133] - -1694. [bug] Report if the builtin views of "_default" / "_bind" - are defined in named.conf. [RT #12023] - -1693. 
[bug] max-journal-size was not effective for master zones - with ixfr-from-differences set. [RT# 12024] - -1692. [bug] Don't set -I, -L and -R flags when libcrypto is in - /usr/lib. [RT #11971] - -1691. [bug] sdb's attachversion was not complete. [RT #11990] - -1690. [bug] Delay detaching view from the client until UPDATE - processing completes when shutting down. [RT #11714] - -1689. [bug] DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros - contained gratuitous semicolons. [RT #11707] - -1688. [bug] LDFLAGS was not supported. - -1687. [bug] Race condition in dispatch. [RT #10272] - -1686. [bug] Named sent a extraneous NOTIFY when it received a - redundant UPDATE request. [RT #11943] - -1685. [bug] Change #1679 loop tests weren't quite right. - -1684. [func] ixfr-from-differences now takes master and slave in - addition to yes and no at the options and view levels. - -1683. [bug] dig +sigchase could leak memory. [RT #11445] - -1682. [port] Update configure test for (long long) printf format. - [RT #5066] - -1681. [bug] Only set SO_REUSEADDR when a port is specified in - isc_socket_bind(). [RT #11742] - -1680. [func] rndc: the source address can now be specified. - -1679. [bug] When there was a single nameserver with multiple - addresses for a zone not all addresses were tried. - [RT #11706] - -1678. [bug] RRSIG should use TYPEXXXXX for unknown types. - -1677. [bug] dig: +aaonly didn't work, +aaflag undocumented. - -1676. [func] New option "allow-query-cache". This lets - allow-query be used to specify the default zone - access level rather than having to have every - zone override the global value. allow-query-cache - can be set at both the options and view levels. - If allow-query-cache is not set allow-query applies. - -1675. [bug] named would sometimes add extra NSEC records to - the authority section. - -1674. [port] linux: increase buffer size used to scan - /proc/net/if_inet6. - -1673. [port] linux: issue a error messages if IPv6 interface - scans fails. 
- -1672. [cleanup] Tests which only function in a threaded build - now return R:THREADONLY (rather than R:UNTESTED) - in a non-threaded build. - -1671. [contrib] queryperf: add NAPTR to the list of known types. - -1670. [func] Log UPDATE requests to slave zones without an acl as - "disabled" at debug level 3. [RT# 11657] - -1668. [bug] DIG_SIGCHASE was making bin/dig/host dump core. - -1667. [port] linux: not all versions have IF_NAMESIZE. - -1666. [bug] The optional port on hostnames in dual-stack-servers - was being ignored. - -1665. [func] rndc now allows addresses to be set in the - server clauses. - -1664. [bug] nsupdate needed KEY for SIG(0), not DNSKEY. - -1663. [func] Look for OpenSSL by default. - -1662. [bug] Change #1658 failed to change one use of 'type' - to 'keytype'. - -1661. [bug] Restore dns_name_concatenate() call in - adb.c:set_target(). [RT #11582] - -1660. [bug] win32: connection_reset_fix() was being called - unconditionally. [RT #11595] - -1659. [cleanup] Cleanup some messages that were referring to KEY vs - DNSKEY, NXT vs NSEC and SIG vs RRSIG. - -1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5 - and DH. Tighten which options apply to KEY and - DNSKEY records. - -1657. [doc] ARM: document query log output. - -1656. [doc] Update DNSSEC description in ARM to cover DS, NSEC - DNSKEY and RRSIG. [RT #11542] - -1655. [bug] Logging multiple versions w/o a size was broken. - [RT #11446] - -1654. [bug] isc_result_totext() contained array bounds read - error. - -1653. [func] Add key type checking to dst_key_fromfilename(), - DST_TYPE_KEY should be used to read TSIG, TKEY and - SIG(0) keys. - -1652. [bug] TKEY still uses KEY. - -1651. [bug] dig: process multiple dash options. - -1650. [bug] dig, nslookup: flush standard out after each command. - -1649. [bug] Silence "unexpected non-minimal diff" message. - [RT #11206] - -1648. 
[func] Update dnssec-lookaside named.conf syntax to support - multiple dnssec-lookaside namespaces (not yet - implemented). - -1647. [bug] It was possible trigger a INSIST when chasing a DS - record that required walking back over a empty node. - [RT #11445] - -1646. [bug] win32: logging file versions didn't work with - non-UNC filenames. [RT#11486] - -1645. [bug] named could trigger a REQUIRE failure if multiple - masters with keys are specified. - -1644. [bug] Update the journal modification time after a - sucessfull refresh query. [RT #11436] - -1643. [bug] dns_db_closeversion() could leak memory / node - references. [RT #11163] - -1642. [port] Support OpenSSL implementations which don't have - DSA support. [RT #11360] - -1641. [bug] Update the check-names description in ARM. [RT #11389] - -1640. [bug] win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was - incorrectly closing the socket. [RT #11291] - -1639. [func] Initial dlv system test. - -1638. [bug] "ixfr-from-differences" could generate a REQUIRE - failure if the journal open failed. [RT #11347] - -1637. [bug] Node reference leak on error in addnoqname(). - -1636. [bug] The dump done callback could get ISC_R_SUCCESS even if - a error had occured. The database version no longer - matched the version of the database that was dumped. - -1635. [bug] Memory leak on error in query_addds(). - -1634. [bug] named didn't supply a useful error message when it - detected duplicate views. [RT #11208] - -1633. [bug] named should return NOTIMP to update requests to a - slaves without a allow-update-forwarding acl specified. - [RT #11331] - -1632. [bug] nsupdate failed to send prerequisite only UPDATE - messages. [RT #11288] - -1631. [bug] dns_journal_compact() could sometimes corrupt the - journal. [RT #11124] - -1630. [contrib] queryperf: add support for IPv6 transport. - -1629. [func] dig now supports IPv6 scoped addresses with the - extended format in the local-server part. [RT #8753] - -1628. 
[bug] Typo in Compaq Trucluster support. [RT# 11264] - -1627. [bug] win32: sockets were not being closed when the - last external reference was removed. [RT# 11179] - -1626. [bug] --enable-getifaddrs was broken. [RT#11259] - -1625. [bug] named failed to load/transfer RFC2535 signed zones - which contained CNAMES. [RT# 11237] - -1624. [bug] zonemgr_putio() call should be locked. [RT# 11163] - -1623. [bug] A serial number of zero was being displayed in the - "sending notifies" log message when also-notify was - used. [RT #11177] - -1622. [func] probe the system to see if IPV6_(RECV)PKTINFO is - available, and suppress wildcard binding if not. - -1621. [bug] match-destinations did not work for IPv6 TCP queries. - [RT# 11156] - -1620. [func] When loading a zone report if it is signed. [RT #11149] - -1619. [bug] Missing ISC_LIST_UNLINK in end_reserved_dispatches(). - [RT# 11118] - -1618. [bug] Fencepost errors in dns_name_ishostname() and - dns_name_ismailbox() could trigger a INSIST(). - -1617. [port] win32: VC++ 6.0 support. - -1616. [compat] Ensure that named's version is visible in the core - dump. [RT #11127] - -1615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if - it is defined. - -1614. [port] win32: silence resource limit messages. [RT# 11101] - -1613. [bug] Builds would fail on machines w/o a if_nametoindex(). - Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif. - [RT #11119] - -1612. [bug] check-names at the option/view level could trigger - an INSIST. [RT# 11116] - -1611. [bug] solaris: IPv6 interface scanning failed to cope with - no active IPv6 interfaces. - -1610. [bug] On dual stack machines "dig -b" failed to set the - address type to be looked up with "@server". - [RT #11069] - -1609. [func] dig now has support to chase DNSSEC signature chains. - Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES. - - DNSSEC validation code in dig coded by Olivier Courtay - (olivier.courtay@irisa.fr) for the IDsA project - (http://idsa.irisa.fr). 
- -1608. [func] dig and host now accept -4/-6 to select IP transport - to use when making queries. - -1607. [bug] dig, host and nslookup were still using random() - to generate query ids. [RT# 11013] - -1606. [bug] DLV insecurity proof was failing. - -1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC. - -1604. [bug] A xfrout_ctx_create() failure would result in - xfrout_ctx_destroy() being called with a - partially initialized structure. - -1603. [bug] nsupdate: set interactive based on isatty(). - [RT# 10929] - -1602. [bug] Logging to a file failed unless a size was specified. - [RT# 10925] - -1601. [bug] Silence spurious warning 'both "recursion no;" and - "allow-recursion" active' warning from view "_bind". - [RT# 10920] - -1600. [bug] Duplicate zone pre-load checks were not case - insensitive. - -1599. [bug] Fix memory leak on error path when checking named.conf. - -1598. [func] Specify that certain parts of the namespace must - be secure (dnssec-must-be-secure). - -1596. [func] Accept 'notify-source' style syntax for query-source. - -1595. [func] New notify type 'master-only'. Enable notify for - master zones only. - -1594. [bug] 'rndc dumpdb' could prevent named from answering - queries while the dump was in progress. [RT #10565] - -1593. [bug] rndc should return "unknown command" to unknown - commands. [RT# 10642] - -1592. [bug] configure_view() could leak a dispatch. [RT# 10675] - -1591. [bug] libbind: updated to BIND 8.4.5. - -1590. [port] netbsd: update thread support. - -1589. [func] DNSSEC lookaside validation. - -1588. [bug] win32: TCP sockets could become blocked. [RT #10115] - -1587. [bug] dns_message_settsigkey() failed to clear existing key. - [RT #10590] - -1586. [func] "check-names" is now implemented. - -1585. [placeholder] - -1584. [bug] "make test" failed with a read only source tree. - [RT #10461] - -1583. [bug] Records add via UPDATE failed to get the correct trust - level. [RT #10452] - -1582. 
[bug] rrset-order failed to work on RRsets with more - than 32 elements. [RT #10381] - -1581. [func] Disable DNSSEC support by default. To enable - DNSSEC specify "dnssec-enable yes;" in named.conf. - -1580. [bug] Zone destruction on final detach takes a long time. - [RT #3746] - -1579. [bug] Multiple task managers could not be created. - -1578. [bug] Don't use CLASS E IPv4 addresses when resolving. - [RT #10346] - -1577. [bug] Use isc_uint32_t in ultrasparc optimizer bug - workaround code. [RT #10331] - -1576. [bug] Race condition in dns_dispatch_addresponse(). - [RT# 10272] - -1575. [func] Log TSIG name on TSIG verify failure. [RT #4404] - -1574. [bug] Don't attempt to open the controls socket(s) when - running tests. [RT #9091] - -1573. [port] linux: update to libtool 1.5.2 so that - "make install DESTDIR=/xx" works with - "configure --with-libtool". [RT #9941] - -1572. [bug] nsupdate: sign the soa query to find the enclosing - zone if the server is specified. [RT #10148] - -1571. [bug] rbt:hash_node() could fail leaving the hash table - in an inconsistent state. [RT #10208] - -1570. [bug] nsupdate failed to handle classes other than IN. - New keyword 'class' which sets the default class. - [RT #10202] - -1569. [func] nsupdate new command 'answer' which displays the - complete answer message to the last update. - -1568. [bug] nsupdate now reports that the update failed in - interactive mode. [RT# 10236] - -1567. [bug] B.ROOT-SERVERS.NET is now 192.228.79.201. - -1566. [port] Support for the cmsg framework on Solaris and HP/UX. - This also solved the problem that match-destinations - for IPv6 addresses did not work on these systems. - [RT #10221] - -1565. [bug] CD flag should be copied to outgoing queries unless - the query is under a secure entry point in which case - CD should be set. - -1564. [func] Attempt to provide a fallback entropy source to be - used if named is running chrooted and named is unable - to open entropy source within the chroot area. 
- [RT #10133] - -1563. [bug] Gracefully fail when unable to obtain neither an IPv4 - nor an IPv6 dispatch. [RT #10230] - -1562. [bug] isc_socket_create() and isc_socket_accept() could - leak memory under error conditions. [RT #10230] - -1561. [bug] It was possible to release the same name twice if - named ran out of memory. [RT #10197] - -1560. [port] FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA - and EAI_NONAME to the same value. - -1559. [port] named should ignore SIGFSZ. - -1558. [func] New DNSSEC 'disable-algorithms'. Support entry into - child zones for which we don't have a supported - algorithm. Such child zones are treated as unsigned. - -1557. [func] Implement missing DNSSEC tests for - * NOQNAME proof with wildcard answers. - * NOWILDARD proof with NXDOMAIN. - Cache and return NOQNAME with wildcard answers. - -1556. [bug] nsupdate now treats all names as fully qualified. - [RT #6427] - -1555. [func] 'rrset-order cyclic' no longer has a random starting - point per query. [RT #7572] - -1554. [bug] dig, host, nslookup failed when no nameservers - were specified in /etc/resolv.conf. [RT #8232] - -1553. [bug] The windows socket code could stop accepting - connections. [RT#10115] - -1552. [bug] Accept NOTIFY requests from mapped masters if - matched-mapped is set. [RT #10049] - -1551. [port] Open "/dev/null" before calling chroot(). - -1550. [port] Call tzset(), if available, before calling chroot(). - -1549. [func] named-checkzone can now write out the zone contents - in a easily parsable format (-D and -o). - -1548. [bug] When parsing APL records it was possible to silently - accept out of range ADDRESSFAMILY values. [RT# 9979] - -1547. [bug] Named wasted memory recording duplicate lame zone - entries. [RT #9341] - -1546. [bug] We were rejecting valid secure CNAME to negative - answers. - -1545. [bug] It was possible to leak memory if named was unable to - bind to the specified transfer source and TSIG was - being used. [RT #10120] - -1544. 
[bug] Named would logged a single entry to a file despite it - being over the specified size limit. - -1543. [bug] Logging using "versions unlimited" did not work. - -1542. [placeholder] - -1541. [func] NSEC now uses new bitmap format. - -1540. [bug] "rndc reload <dynamiczone>" was silently accepted. - [RT #8934] - -1539. [bug] Open UDP sockets for notify-source and transfer-source - that use reserved ports at startup. [RT #9475] - -1538. [placeholder] rt9997 - -1537. [func] New option "querylog". If set specify whether query - logging is to be enabled or disabled at startup. - -1536. [bug] Windows socket code failed to log a error description - when returning ISC_R_UNEXPECTED. [RT #9998] - -1535. [placeholder] - -1534. [bug] Race condition when priming cache. [RT# 9940] - -1533. [func] Warn if both "recursion no;" and "allow-recursion" - are active. [RT# 4389] - -1532. [port] netbsd: the configure test for <sys/sysctl.h> - requires <sys/param.h>. - -1531. [port] AIX more libtool fixes. - -1530. [bug] It was possible to trigger a INSIST() failure if a - slave master file was removed at just the correct - moment. [RT #9462] - -1529. [bug] "notify explicit;" failed to log that NOTIFY messages - were being sent for the zone. [RT# 9442] - -1528. [cleanup] Simplify some dns_name_ functions based on the - deprecation of bitstring labels. - -1527. [cleanup] Reduce the number of gettimeofday() calls without - losing necessary timer granularity. - -1526. [func] Implemented "additional section caching (or acache)", - an internal cache framework for additional section - content to improve response performance. Several - configuration options were provided to control the - behavior. - -1525. [bug] dns_cache_create() could trigger a REQUIRE - failure in isc_mem_put() during error cleanup. - [RT# 9360] - -1524. [port] AIX needs to be able to resolve all symbols when - creating shared libraries (--with-libtool). - -1523. [bug] Fix race condition in rbtdb. [RT# 9189] - -1522. 
[bug] dns_db_findnode() relax the requirements on 'name'. - [RT# 9286] - -1521. [bug] dns_view_createresolver() failed to check the - result from isc_mem_create(). [RT# 9294] - -1520. [protocol] Add SSHFP (SSH Finger Print) type. - -1519. [bug] dnssec-signzone:nsec_setbit() computed the wrong - length of the new bitmap. - -1518. [bug] dns_nsec_buildrdata(), and hence dns_nsec_build(), - contained a off-by-one error when working out the - number of octets in the bitmap. - -1517. [port] Support for IPv6 interface scanning on HP/UX and - TrueUNIX 5.1. - -1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY. - -1515. [func] Allow transfer source to be set in a server statement. - [RT #6496] - -1514. [bug] named: isc_hash_destroy() was being called too early. - [RT #9160] - -1513. [doc] Add "US" to root-delegation-only exclude list. - -1512. [bug] Extend the delegation-only logging to return query - type, class and responding nameserver. - -1511. [bug] delegation-only was generating false positives - on negative answers from subzones. - -1510. [func] New view option "root-delegation-only". Apply - delegation-only check to all TLDs and root. - Note there are some TLDs that are NOT delegation - only (e.g. DE, LV, US and MUSEUM) these can be excluded - from the checks by using exclude. - - root-delegation-only exclude { - "DE"; "LV"; "US"; "MUSEUM"; - }; - -1509. [bug] Hint zones should accept delegation-only. Forward - zone should not accept delegation-only. - -1508. [bug] Don't apply delegation-only checks to answers from - forwarders. - -1507. [bug] Handle BIND 8 style returns to NS queries to parents - when making delegation-only checks. - -1506. [bug] Wrong return type for dns_view_isdelegationonly(). - -1505. [bug] Uninitialized rdataset in sdb. [RT #8750] - -1504. [func] New zone type "delegation-only". - -1503. [port] win32: install libeay32.dll outside of system32. - -1502. [bug] nsupdate: adjust timeouts for UPDATE requests over TCP. - -1501. 
[func] Allow TCP queue length to be specified via - named.conf, tcp-listen-queue. - -1500. [bug] host failed to lookup MX records. Also look up - AAAA records. - -1499. [bug] isc_random need to be seeded better if arc4random() - is not used. - -1498. [port] bsdos: 5.x support. - -1497. [placeholder] - -1496. [port] test for pthread_attr_setstacksize(). - -1495. [cleanup] Replace hash functions with universal hash. - -1494. [security] Turn on RSA BLINDING as a precaution. - -1493. [placeholder] - -1492. [cleanup] Preserve rwlock quota context when upgrading / - downgrading. [RT #5599] - -1491. [bug] dns_master_dump*() would produce extraneous $ORIGIN - lines. [RT #6206] - -1490. [bug] Accept reading state as well as working state in - ns_client_next(). [RT #6813] - -1489. [compat] Treat 'allow-update' on slave zones as a warning. - [RT #3469] - -1488. [bug] Don't override trust levels for glue addresses. - [RT #5764] - -1487. [bug] A REQUIRE() failure could be triggered if a zone was - queued for transfer and the zone was then removed. - [RT #6189] - -1486. [bug] isc_print_snprintf() '%%' consumed one too many format - characters. [RT# 8230] - -1485. [bug] gen failed to handle high type values. [RT #6225] - -1484. [bug] The number of records reported after a AXFR was wrong. - [RT #6229] - -1483. [bug] dig axfr failed if the message id in the answer failed - to match that in the request. Only the id in the first - message is required to match. [RT #8138] - -1482. [bug] named could fail to start if the kernel supports - IPv6 but no interfaces are configured. Similarly - for IPv4. [RT #6229] - -1481. [bug] Refresh and stub queries failed to use masters keys - if specified. [RT #7391] - -1480. [bug] Provide replay protection for rndc commands. Full - replay protection requires both rndc and named to - be updated. Partial replay protection (limited - exposure after restart) is provided if just named - is updated. - -1479. 
[bug] cfg_create_tuple() failed to handle out of - memory cleanup. parse_list() would leak memory - on syntax errors. - -1478. [port] ifconfig.sh didn't account for other virtual - interfaces. It now takes a optional argument - to specify the first interface number. [RT #3907] - -1477. [bug] memory leak using stub zones and TSIG. - -1476. [placeholder] - -1475. [port] Probe for old sprintf(). - -1474. [port] Provide strtoul() and memmove() for platforms - without them. - -1473. [bug] create_map() and create_string() failed to handle out - of memory cleanup. [RT #6813] - -1472. [contrib] idnkit-1.0 from JPNIC, replaces mdnkit. - -1471. [bug] libbind: updated to BIND 8.4.0. - -1470. [bug] Incorrect length passed to snprintf. [RT #5966] - -1469. [func] Log end of outgoing zone transfer at same level - as the start of transfer is logged. [RT #4441] - -1468. [func] Internal zones are no longer counted for - 'rndc status'. [RT #4706] - -1467. [func] $GENERATES now supports optional class and ttl. - -1466. [bug] lwresd configuration errors resulted in memory - and lock leaks. [RT #5228] - -1465. [bug] isc_base64_decodestring() and isc_base64_tobuffer() - failed to check that trailing bits were zero allowing - some invalid base64 strings to be accepted. [RT #5397] - -1464. [bug] Preserve "out of zone" data for outgoing zone - transfers. [RT #5192] - -1463. [bug] dns_rdata_from{wire,struct}() failed to catch bad - NXT bit maps. [RT #5577] - -1462. [bug] parse_sizeval() failed to check the token type. - [RT #5586] - -1461. [bug] Remove deadlock from rbtdb code. [RT #5599] - -1460. [bug] inet_pton() failed to reject certain malformed - IPv6 literals. - -1459. [placeholder] - -1458. [cleanup] sprintf() -> snprintf(). - -1457. [port] Provide strlcat() and strlcpy() for platforms without - them. - -1456. [contrib] gen-data-queryperf.py from Stephane Bortzmeyer. - -1455. [bug] <netaddr> missing from server grammar in - doc/misc/options. [RT #5616] - -1454. 
[port] Use getifaddrs() if available for interface scanning. - --disable-getifaddrs to override. Glibc currently - has a getifaddrs() that does not support IPv6. - Use --enable-getifaddrs=glibc to force the use of - this version under linux machines. - -1453. [doc] ARM: $GENERATE example wasn't accurate. [RT #5298] - -1452. [placeholder] - -1451. [bug] rndc-confgen didn't exit with a error code for all - failures. [RT #5209] - -1450. [bug] Fetching expired glue failed under certain - circumstances. [RT #5124] - -1449. [bug] query_addbestns() didn't handle running out of memory - gracefully. - -1448. [bug] Handle empty wildcards labels. - -1447. [bug] We were casting (unsigned int) to and from (void *). - rdataset->private4 is now rdataset->privateuint4 - to reflect a type change. - -1446. [func] Implemented undocumented alternate transfer sources - from BIND 8. See use-alt-transfer-source, - alt-transfer-source and alt-transfer-source-v6. - - SECURITY: use-alt-transfer-source is ENABLED unless - you are using views. This may cause a security risk - resulting in accidental disclosure of wrong zone - content if the master supplying different source - content based on IP address. If you are not certain - ISC recommends setting use-alt-transfer-source no; - -1445. [bug] DNS_ADBFIND_STARTATROOT broke stub zones. This has - been replaced with DNS_ADBFIND_STARTATZONE which - causes the search to start using the closest zone. - -1444. [func] dns_view_findzonecut2() allows you to specify if the - cache should be searched for zone cuts. - -1443. [func] Masters lists can now be specified and referenced - in zone masters clauses and other masters lists. - -1442. [func] New functions for manipulating port lists: - dns_portlist_create(), dns_portlist_add(), - dns_portlist_remove(), dns_portlist_match(), - dns_portlist_attach() and dns_portlist_detach(). - -1441. [func] It is now possible to tell dig to bind to a specific - source port. - -1440. 
[func] It is now possible to tell named to avoid using - certain source ports (avoid-v4-udp-ports, - avoid-v6-udp-ports). - -1439. [bug] Named could return NOERROR with certain NOTIFY - failures. Return NOTAUTH if the NOTIFY zone is - not being served. - -1438. [func] Log TSIG (if any) when logging NOTIFY requests. - -1437. [bug] Leave space for stdio to work in. [RT #5033] - -1436. [func] dns_zonemgr_resumexfrs() can be used to restart - stalled transfers. - -1435. [bug] zmgr_resume_xfrs() was being called read locked - rather than write locked. zmgr_resume_xfrs() - was not being called if the zone was being - shutdown. - -1434. [bug] "rndc reconfig" failed to initiate the initial - zone transfer of new slave zones. - -1433. [bug] named could trigger a REQUIRE failure if it could - not get a file descriptor when attempting to write - a master file. [RT #4347] - -1432. [func] The advertised EDNS UDP buffer size can now be set - via named.conf (edns-udp-size). - -1431. [bug] isc_print_snprintf() "%s" with precision could walk off - end of argument. [RT #5191] - -1430. [port] linux: IPv6 interface scanning support. - -1429. [bug] Prevent the cache getting locked to old servers. - -1428. [placeholder] - -1427. [bug] Race condition in adb with threaded build. - -1426. [placeholder] - -1425. [port] linux/libbind: define __USE_MISC when testing *_r() - function prototypes in netdb.h. [RT #4921] - -1424. [bug] EDNS version not being correctly printed. - -1423. [contrib] queryperf: added A6 and SRV. - -1422. [func] Log name/type/class when denying a query. [RT #4663] - -1421. [func] Differentiate updates that don't succeed due to - prerequisites (unsuccessful) vs other reasons - (failed). - -1420. [port] solaris: work around gcc optimizer bug. - -1419. [port] openbsd: use /dev/arandom. [RT #4950] - -1418. [bug] 'rndc reconfig' did not cause new slaves to load. - -1417. [func] ID.SERVER/CHAOS is now a built in zone. - See "server-id" for how to configure. - -1416. 
[bug] Empty node should return NOERROR NODATA, not NXDOMAIN. - [RT #4715] - -1415. [func] DS TTL now derived from NS ttl. NXT TTL now derived - from SOA MINIMUM. - -1414. [func] Support for KSK flag. - -1413. [func] Explicitly request the (re-)generation of DS records - from keysets (dnssec-signzone -g). - -1412. [func] You can now specify servers to be tried if a nameserver - has IPv6 address and you only support IPv4 or the - reverse. See dual-stack-servers. - -1411. [bug] empty nodes should stop wildcard matches. [RT #4802] - -1410. [func] Handle records that live in the parent zone, e.g. DS. - -1409. [bug] DS should have attribute DNS_RDATATYPEATTR_DNSSEC. - -1408. [bug] "make distclean" was not complete. [RT #4700] - -1407. [bug] lfsr incorrectly implements the shift register. - [RT #4617] - -1406. [bug] dispatch initializes one of the LFSR's with a incorrect - polynomial. [RT #4617] - -1405. [func] Use arc4random() if available. - -1404. [bug] libbind: ns_name_ntol() could overwrite a zero length - buffer. - -1403. [func] dnssec-signzone, dnssec-keygen, dnssec-makekeyset - dnssec-signkey now report their version in the - usage message. - -1402. [cleanup] A6 has been moved to experimental and is no longer - fully supported. - -1401. [bug] adb wasn't clearing state when the timer expired. - -1400. [bug] Block the addition of wildcard NS records by IXFR - or UPDATE. [RT #3502] - -1399. [bug] Use serial number arithmetic when testing SIG - timestamps. [RT #4268] - -1398. [doc] ARM: notify-also should have been also-notify. - [RT #4345] - -1397. [bug] J.ROOT-SERVERS.NET is now 192.58.128.30. - -1396. [func] dnssec-signzone: adjust the default signing time by - 1 hour to allow for clock skew. - -1395. [port] OpenSSL 0.9.7 defines CRYPTO_LOCK_ENGINE but doesn't - have a working implementation. [RT #4079] - -1394. [func] It is now possible to check if a particular element is - in a acl. Remove duplicate entries from the localnets - acl. - -1393. 
[port] Bind to individual IPv6 interfaces if IPV6_IPV6ONLY - is not available in the kernel to prevent accidently - listening on IPv4 interfaces. - -1392. [bug] named-checkzone: update usage. - -1391. [func] Add support for IPv6 scoped addresses in named. - -1390. [func] host now supports ixfr. - -1389. [bug] named could fail to rotate long log files. [RT #3666] - -1388. [port] irix: check for sys/sysctl.h and NET_RT_IFLIST before - defining HAVE_IFLIST_SYSCTL. [RT #3770] - -1387. [bug] named could crash due to an access to invalid memory - space (which caused an assertion failure) in - incremental cleaning. [RT #3588] - -1386. [bug] named-checkzone -z stopped on errors in a zone. - [RT #3653] - -1385. [bug] Setting serial-query-rate to 10 would trigger a - REQUIRE failure. - -1384. [bug] host was incompatible with BIND 8 in its exit code and - in the output with the -l option. [RT #3536] - -1383. [func] Track the serial number in a IXFR response and log if - a mismatch occurs. This is a more specific error than - "not exact". [RT #3445] - -1382. [bug] make install failed with --enable-libbind. [RT #3656] - -1381. [bug] named failed to correctly process answers that - contained DNAME records where the resulting CNAME - resulted in a negative answer. - -1380. [func] 'rndc recursing' dump recursing queries to - 'recursing-file = "named.recursing";'. - -1379. [func] 'rndc status' now reports tcp and recursion quota - states. - -1378. [func] Improved positive feedback for 'rndc {reload|refresh}. - -1377. [func] dns_zone_load{new}() now reports if the zone was - loaded, queued for loading to up to date. - -1376. [func] New function dns_zone_logc() to log to specified - category. - -1375. [func] 'rndc dumpdb' now dumps the adb cache along with the - data cache. - -1374. [func] dns_adb_dump() now logs the lame zones associated - with each server. - -1373. [bug] Recovery from expired glue failed under certain - circumstances. - -1372. 
[bug] named crashes with an assertion failure on exit when - sharing the same port for listening and querying, and - changing listening addresses several times. [RT# 3509] - -1371. [bug] notify-source-v6, transfer-source-v6 and - query-source-v6 with explicit addresses and using the - same ports as named was listening on could interfere - with named's ability to answer queries sent to those - addresses. - -1370. [bug] dig '+[no]recurse' was incorrectly documented. - -1369. [bug] Adding an NS record as the lexicographically last - record in a secure zone didn't work. - -1368. [func] remove support for bitstring labels. - -1367. [func] Use response times to select forwarders. - -1366. [contrib] queryperf usage was incomplete. Add '-h' for help. - -1365. [func] "localhost" and "localnets" acls now include IPv6 - addresses / prefixes. - -1364. [func] Log file name when unable to open memory statistics - and dump database files. [RT# 3437] - -1363. [func] Listen-on-v6 now supports specific addresses. - -1362. [bug] remove IFF_RUNNING test when scanning interfaces. - -1361. [func] log the reason for rejecting a server when resolving - queries. - -1360. [bug] --enable-libbind would fail when not built in the - source tree for certain OS's. - -1359. [security] Support patches OpenSSL libraries. - http://www.cert.org/advisories/CA-2002-23.html - -1358. [bug] It was possible to trigger a INSIST when debugging - large dynamic updates. [RT #3390] - -1357. [bug] nsupdate was extremely wasteful of memory. - -1356. [tuning] Reduce the number of events / quantum for zone tasks. - -1355. [bug] Fix DNSSEC wildcard proof for CNAME/DNAME. - -1354. [doc] lwres man pages had illegal nroff. - -1353. [contrib] sdb/ldap to version 0.9. - -1352. [bug] dig, host, nslookup when falling back to TCP use the - current search entry (if any). [RT #3374] - -1351. [bug] lwres_getipnodebyname() returned the wrong name - when given a IPv4 literal, af=AF_INET6 and AI_MAPPED - was set. - -1350. 
[bug] dns_name_fromtext() failed to handle too many labels - gracefully. - -1349. [security] Minimum OpenSSL version now 0.9.6e (was 0.9.5a). - http://www.cert.org/advisories/CA-2002-23.html - -1348. [port] win32: Rewrote code to use I/O Completion Ports - in socket.c and eliminating a host of socket - errors. Performance is enhanced. - -1347. [placeholder] - -1346. [placeholder] - -1345. [port] Use a explicit -Wformat with gcc. Not all versions - include it in -Wall. - -1344. [func] Log if the serial number on the master has gone - backwards. - If you have multiple machines specified in the masters - clause you may want to set 'multi-master yes;' to - suppress this warning. - -1343. [func] Log successful notifies received (info). Adjust log - level for failed notifies to notice. - -1342. [func] Log remote address with TCP dispatch failures. - -1341. [func] Allow a rate limiter to be stalled. - -1340. [bug] Delay and spread out the startup refresh load. - -1339. [func] dig, host and nslookup now use IP6.ARPA for nibble - lookups. Bit string lookups are no longer attempted. - -1338. [placeholder] - -1337. [placeholder] - -1336. [func] Nibble lookups under IP6.ARPA are now supported by - dns_byaddr_create(). dns_byaddr_createptrname() is - deprecated, use dns_byaddr_createptrname2() instead. - -1335. [bug] When performing a nonexistence proof, the validator - should discard parent NXTs from higher in the DNS. - -1334. [bug] When signing/verifying rdatasets, duplicate rdatas - need to be suppressed. - -1333. [contrib] queryperf now reports a summary of returned - rcodes (-c), rcodes are printed in mnemonic form (-v). - -1332. [func] Report the current serial with periodic commits when - rolling forward the journal. - -1331. [func] Generate DNSSEC wildcard proofs. - -1330. [bug] When processing events (non-threaded) only allow - the task one chance to use to use its quantum. - -1329. [func] named-checkzone will now check if nameservers that - appear to be IP addresses. 
Available modes "fail", - "warn" (default) and "ignore" the results of the - check. - -1328. [bug] The validator could incorrectly verify an invalid - negative proof. - -1327. [bug] The validator would incorrectly mark data as insecure - when seeing a bogus signature before a correct - signature. - -1326. [bug] DNAME/CNAME signatures were not being cached when - validation was not being performed. [RT #3284] - -1325. [bug] If the tcpquota was exhausted it was possible to - to trigger a INSIST() failure. - -1324. [port] darwin: ifconfig.sh now supports darwin. - -1323. [port] linux: Slackware 4.0 needs <asm/unistd.h>. [RT #3205] - -1322. [bug] dnssec-signzone usage message was misleading. - -1321. [bug] If the last RRset in a zone is glue, dnssec-signzone - would incorrectly duplicate its output and sign it. - -1320. [doc] query-source-v6 was missing from options section. - [RT #3218] - -1319. [func] libbind: log attempts to exploit #1318. - -1318. [bug] libbind: Remote buffer overrun. - -1317. [port] libbind: TrueUNIX 5.1 does not like __align as a - element name. - -1316. [bug] libbind: gethostans() could get out of sync parsing - the response if there was a very long CNAME chain. - -1315. [bug] Options should apply to the internal _bind view. - -1314. [port] Handle ECONNRESET from sendmsg() [unix]. - -1313. [func] Query log now says if the query was signed (S) or - if EDNS was used (E). - -1312. [func] Log TSIG key used w/ outgoing zone transfers. - -1311. [bug] lwres_getrrsetbyname leaked memory. [RT #3159] - -1310. [bug] 'rndc stop' failed to cause zones to be flushed - sometimes. [RT #3157] - -1309. [func] Log that a zone transfer was covered by a TSIG. - -1308. [func] DS (delegation signer) support. - -1307. [bug] nsupdate: allow white space base64 key data. - -1306. [bug] Badly encoded LOC record when the size, horizontal - precision or vertical precision was 0.1m. - -1305. [bug] Document that internal zones are included in the - rndc status results. 
- -1304. [func] New function: dns_zone_name(). - -1303. [func] Option 'flush-zones-on-shutdown <boolean>;'. - -1302. [func] Extended rndc dumpdb to support dumping of zones and - view selection: 'dumpdb [-all|-zones|-cache] [view]'. - -1301. [func] New category 'update-security'. - -1300. [port] Compaq Trucluster support. - -1299. [bug] Set AI_ADDRCONFIG when looking up addresses - via getaddrinfo() (affects dig, host, nslookup, rndc - and nsupdate). - -1298. [bug] The CINCLUDES macro in lib/dns/sec/dst/Makefile - could be left with a trailing "\" after configure - has been run. - -1297. [port] linux: make handling EINVAL from socket() no longer - conditional on #ifdef LINUX. - -1296. [bug] isc_log_closefilelogs() needed to lock the log - context. - -1295. [bug] isc_log_setdebuglevel() needed to lock the log - context. - -1294. [func] libbind: no longer attempts bit string labels for - IPv6 reverse resolution. Try IP6.ARPA then IP6.INT - for nibble style resolution. - -1293. [func] Entropy can now be retrieved from EGDs. [RT #2438] - -1292. [func] Enable IPv6 support when using ioctl style interface - scanning and OS supports SIOCGLIFADDR using struct - if_laddrreq. - -1291. [func] Enable IPv6 support when using sysctl style interface - scanning. - -1290. [func] "dig axfr" now reports the number of messages - as well as the number of records. - -1289. [port] See if -ldl is required for OpenSSL? [RT #2672] - -1288. [bug] Adjusted REQUIRE's in lib/dns/name.c to better - reflect written requirements. - -1287. [bug] REQUIRE that DNS_DBADD_MERGE only be set when adding - a rdataset to a zone db in the rbtdb implementation of - addrdataset. - -1286. [bug] dns_name_downcase() enforce requirement that - target != NULL or name->buffer != NULL. - -1285. [func] lwres: probe the system to see what address families - are currently in use. - -1284. [bug] The RTT estimate on unused servers was not aged. - [RT #2569] - -1283. [func] Use "dataready" accept filter if available. 
- -1282. [port] libbind: hpux 11.11 interface scanning. - -1281. [func] Log zone when unable to get private keys to update - zone. Log zone when NXT records are missing from - secure zone. - -1280. [bug] libbind: escape '(' and ')' when converting to - presentation form. - -1279. [port] Darwin uses (unsigned long) for size_t. [RT #2590] - -1278. [func] dig: now supports +[no]cl +[no]ttlid. - -1277. [func] You can now create your own customized printing - styles: dns_master_stylecreate() and - dns_master_styledestroy(). - -1276. [bug] libbind: const pointer conflicts in res_debug.c. - -1275. [port] libbind: hpux: treat all hpux systems as BIG_ENDIAN. - -1274. [bug] Memory leak in lwres_gnbarequest_parse(). - -1273. [port] libbind: solaris: 64 bit binary compatibility. - -1272. [contrib] Berkeley DB 4.0 sdb implementation from - Nuno Miguel Rodrigues <nmr@co.sapo.pt>. - -1271. [bug] "recursion available: {denied,approved}" was too - confusing. - -1270. [bug] Check that system inet_pton() and inet_ntop() support - AF_INET6. - -1269. [port] Openserver: ifconfig.sh support. - -1268. [port] Openserver: the value FD_SETSIZE depends on whether - <sys/param.h> is included or not. Be consistent. - -1267. [func] isc_file_openunique() now creates file using mode - 0666 rather than 0600. - -1266. [bug] ISC_LINK_INIT, ISC_LINK_UNLINK, ISC_LIST_DEQUEUE, - __ISC_LINK_UNLINKUNSAFE and __ISC_LIST_DEQUEUEUNSAFE - are not C++ compatible, use *_TYPE versions instead. - -1265. [bug] libbind: LINK_INIT and UNLINK were not compatible with - C++, use LINK_INIT_TYPE and UNLINK_TYPE instead. - -1264. [placeholder] - -1263. [bug] Reference after free error if dns_dispatchmgr_create() - failed. - -1262. [bug] ns_server_destroy() failed to set *serverp to NULL. - -1261. [func] libbind: ns_sign2() and ns_sign_tcp() now provide - support for compressed TSIG owner names. - -1260. [func] libbind: res_update can now update IPv6 servers, - new function res_findzonecut2(). - -1259. 
[bug] libbind: get_salen() IPv6 support was broken for OSs - w/o sa_len. - -1258. [bug] libbind: res_nametotype() and res_nametoclass() were - broken. - -1257. [bug] Failure to write pid-file should not be fatal on - reload. [RT #2861] - -1256. [contrib] 'queryperf' now has EDNS (-e) + DNSSEC DO (-D) support. - -1255. [bug] When verifying that an NXT proves nonexistence, check - the rcode of the message and only do the matching NXT - check. That is, for NXDOMAIN responses, check that - the name is in the range between the NXT owner and - next name, and for NOERROR NODATA responses, check - that the type is not present in the NXT bitmap. - -1254. [func] preferred-glue option from BIND 8.3. - -1253. [bug] The dnssec system test failed to remove the correct - files. - -1252. [bug] Dig, host and nslookup were not checking the address - the answer was coming from against the address it was - sent to. [RT# 2692] - -1251. [port] win32: a make file contained absolute version specific - references. - -1250. [func] Nsupdate will report the address the update was - sent to. - -1249. [bug] Missing masters clause was not handled gracefully. - [RT #2703] - -1248. [bug] DESTDIR was not being propagated between makes. - -1247. [bug] Don't reset the interface index for link/site local - addresses. [RT #2576] - -1246. [func] New functions isc_sockaddr_issitelocal(), - isc_sockaddr_islinklocal(), isc_netaddr_issitelocal() - and isc_netaddr_islinklocal(). - -1245. [bug] Treat ENOBUFS, ENOMEM and ENFILE as soft errors for - accept(). - -1244. [bug] Receiving a TCP message from a blackhole address would - prevent further messages being received over that - interface. - -1243. [bug] It was possible to trigger a REQUIRE() in - dns_message_findtype(). [RT #2659] - -1242. [bug] named-checkzone failed if a journal existed. [RT #2657] - -1241. [bug] Drop received UDP messages with a zero source port - as these are invariably forged. [RT #2621] - -1240. 
[bug] It was possible to leak zone references by - specifying an incorrect zone to rndc. - -1239. [bug] Under certain circumstances named could continue to - use a name after it had been freed triggering - INSIST() failures. [RT #2614] - -1238. [bug] It is possible to lockup the server when shutting down - if notifies were being processed. [RT #2591] - -1237. [bug] nslookup: "set q=type" failed. - -1236. [bug] dns_rdata{class,type}_fromtext() didn't handle non - NULL terminated text regions. [RT #2588] - -1235. [func] Report 'out of memory' errors from openssl. - -1234. [bug] contrib/sdb: 'zonetodb' failed to call - dns_result_register(). DNS_R_SEENINCLUDE should not - be fatal. - -1233. [bug] The flags field of a KEY record can be expressed in - hex as well as decimal. - -1232. [bug] unix/errno2result() didn't handle EADDRNOTAVAIL. - -1231. [port] HPUX 11.11 recvmsg() can return spurious EADDRNOTAVAIL. - -1230. [bug] isccc_cc_isreply() and isccc_cc_isack() were broken. - -1229. [bug] named would crash if it received a TSIG signed - query as part of an AXFR response. [RT #2570] - -1228. [bug] 'make install' did not depend on 'make all'. [RT #2559] - -1227. [bug] dns_lex_getmastertoken() now returns ISC_R_BADNUMBER - if a number was expected and some other token was - found. [RT#2532] - -1226. [func] Use EDNS for zone refresh queries. [RT #2551] - -1225. [func] dns_message_setopt() no longer requires that - dns_message_renderbegin() to have been called. - -1224. [bug] 'rrset-order' and 'sortlist' should be additive - not exclusive. - -1223. [func] 'rrset-order' partially works 'cyclic' and 'random' - are supported. - -1222. [bug] Specifying 'port *' did not always result in a system - selected (non-reserved) port being used. [RT #2537] - -1221. [bug] Zone types 'master', 'slave' and 'stub' were not being - compared case insensitively. [RT #2542] - -1220. [func] Support for APL rdata type. - -1219. 
[func] Named now reports the TSIG extended error code when - signature verification fails. [RT #1651] - -1218. [bug] Named incorrectly returned SERVFAIL rather than - NOTAUTH when there was a TSIG BADTIME error. [RT #2519] - -1217. [func] Report locations of previous key definition when a - duplicate is detected. - -1216. [bug] Multiple server clauses for the same server were not - reported. [RT #2514] - -1215. [port] solaris: add support to ifconfig.sh for x86 2.5.1 - -1214. [bug] Win32: isc_file_renameunique() could leave zero length - files behind. - -1213. [func] Report view associated with client if it is not a - standard view (_default or _bind). - -1212. [port] libbind: 64k answer buffers were causing stack space - to be exceeded for certain OS. Use heap space instead. - -1211. [bug] dns_name_fromtext() incorrectly handled certain - valid octal bitlabels. [RT #2483] - -1210. [bug] libbind: getnameinfo() failed to lookup IPv4 mapped / - compatible addresses. [RT #2461] - -1209. [bug] Dig, host, nslookup were not checking the message ids - on the responses. [RT #2454] - -1208. [bug] dns_master_load*() failed to log a error message if - an error was detected when parsing the ownername of - a record. [RT #2448] - -1207. [bug] libbind: getaddrinfo() could call freeaddrinfo() with - an invalid pointer. - -1206. [bug] SERVFAIL and NOTIMP responses to an EDNS query should - trigger a non-EDNS retry. - -1205. [bug] OPT, TSIG and TKEY cannot be used to set the "class" - of the message. [RT #2449] - -1204. [bug] libbind: res_nupdate() failed to update the name - server addresses before sending the update. - -1203. [func] Report locations of previous acl and zone definitions - when a duplicate is detected. - -1202. [func] New functions: cfg_obj_line() and cfg_obj_file(). - -1201. [bug] Require that if 'callbacks' is passed to - dns_rdata_fromtext(), callbacks->error and - callbacks->warn are initialized. - -1200. 
[bug] Log 'errno' that we are unable to convert to - isc_result_t. [RT #2404] - -1199. [doc] ARM reference to RFC 2157 should have been RFC 1918. - [RT #2436] - -1198. [bug] OPT printing style was not consistent with the way the - header fields are printed. The DO bit was not reported - if set. Report if any of the MBZ bits are set. - -1197. [bug] Attempts to define the same acl multiple times were not - detected. - -1196. [contrib] update mdnkit to 2.2.3. - -1195. [bug] Attempts to redefine builtin acls should be caught. - [RT #2403] - -1194. [bug] Not all duplicate zone definitions were being detected - at the named.conf checking stage. [RT #2431] - -1193. [bug] dig +besteffort parsing didn't handle packet - truncation. dns_message_parse() has new flag - DNS_MESSAGE_IGNORETRUNCATION. - -1192. [bug] The seconds fields in LOC records were restricted - to three decimal places. More decimal places should - be allowed but warned about. - -1191. [bug] A dynamic update removing the last non-apex name in - a secure zone would fail. [RT #2399] - -1190. [func] Add the "rndc freeze" and "rndc unfreeze" commands. - [RT #2394] - -1189. [bug] On some systems, malloc(0) returns NULL, which - could cause the caller to report an out of memory - error. [RT #2398] - -1188. [bug] Dynamic updates of a signed zone would fail if - some of the zone private keys were unavailable. - -1187. [bug] named was incorrectly returning DNSSEC records - in negative responses when the DO bit was not set. - -1186. [bug] isc_hex_tobuffer(,,length = 0) failed to unget the - EOL token when reading to end of line. - -1185. [bug] libbind: don't assume statp->_u._ext.ext is valid - unless RES_INIT is set when calling res_*init(). - -1184. [bug] libbind: call res_ndestroy() if RES_INIT is set - when res_*init() is called. - -1183. [bug] Handle ENOSR error when writing to the internal - control pipe. [RT #2395] - -1182. 
[bug] The server could throw an assertion failure when - constructing a negative response packet. - -1181. [func] Add the "key-directory" configuration statement, - which allows the server to look for online signing - keys in alternate directories. - -1180. [func] dnssec-keygen should always generate keys with - protocol 3 (DNSSEC), since it's less confusing - that way. - -1179. [func] Add SIG(0) support to nsupdate. - -1178. [bug] Follow and cache (if appropriate) A6 and other - data chains to completion in the additional section. - -1177. [func] Report view when loading zones if it is not a - standard view (_default or _bind). [RT #2270] - -1176. [doc] Document that allow-v6-synthesis is only performed - for clients that are supplied recursive service. - [RT #2260] - -1175. [bug] named-checkzone and named-checkconf failed to call - dns_result_register() at startup which could - result in runtime exceptions when printing - "out of memory" errors. [RT #2335] - -1174. [bug] Win32: add WSAECONNRESET to the expected errors - from connect(). [RT #2308] - -1173. [bug] Potential memory leaks in isc_log_create() and - isc_log_settag(). [RT #2336] - -1172. [doc] Add CERT, GPOS, KX, NAPTR, NSAP, PX and TXT to - table of RR types in ARM. - -1171. [func] Added function isc_region_compare(), updated files in - lib/dns to use this function instead of local one. - -1170. [bug] Don't attempt to print the token when a I/O error - occurs when parsing named.conf. [RT #2275] - -1169. [func] Identify recursive queries in the query log. - -1168. [bug] Empty also-notify clauses were not handled. [RT #2309] - -1167. [contrib] nslint-2.1a3 (from author). - -1166. [bug] "Not Implemented" should be reported as NOTIMP, - not NOTIMPL. [RT #2281] - -1165. [bug] We were rejecting notify-source{-v6} in zone clauses. - -1164. [bug] Empty masters clauses in slave / stub zones were not - handled gracefully. [RT #2262] - -1163. [func] isc_time_formattimestamp() now includes the year. - -1162. 
[bug] The allow-notify option was not accepted in slave - zone statements. - -1161. [bug] named-checkzone looped on unbalanced brackets. - [RT #2248] - -1160. [bug] Generating Diffie-Hellman keys longer than 1024 - bits could fail. [RT #2241] - -1159. [bug] MD and MF are not permitted to be loaded by RFC1123. - -1158. [func] Report the client's address when logging notify - messages. - -1157. [func] match-clients and match-destinations now accept - keys. [RT #2045] - -1156. [port] The configure test for strsep() incorrectly - succeeded on certain patched versions of - AIX 4.3.3. [RT #2190] - -1155. [func] Recover from master files being removed from under - us. - -1154. [bug] Don't attempt to obtain the netmask of a interface - if there is no address configured. [RT #2176] - -1153. [func] 'rndc {stop|halt} -p' now reports the process id - of the instance of named being shutdown. - -1152. [bug] libbind: read buffer overflows. - -1151. [bug] nslookup failed to check that the arguments to - the port, timeout, and retry options were - valid integers and in range. [RT #2099] - -1150. [bug] named incorrectly accepted TTL values - containing plus or minus signs, such as - 1d+1h-1s. - -1149. [func] New function isc_parse_uint32(). - -1148. [func] 'rndc-confgen -a' now provides positive feedback. - -1147. [func] Set IPV6_V6ONLY on IPv6 sockets if supported by - the OS. listen-on-v6 { any; }; should no longer - result in IPv4 queries be accepted. Similarly - control { inet :: ... }; should no longer result - in IPv4 connections being accepted. This can be - overridden at compile time by defining - ISC_ALLOW_MAPPED=1. - -1146. [func] Allow IPV6_IPV6ONLY to be set/cleared on a socket if - supported by the OS by a new function - isc_socket_ipv6only(). - -1145. [func] "host" no longer reports a NOERROR/NODATA response - by printing nothing. [RT #2065] - -1144. [bug] rndc-confgen would crash if both the -a and -t - options were specified. [RT #2159] - -1143. 
[bug] When a trusted-keys statement was present and named - was built without crypto support, it would leak memory. - -1142. [bug] dnssec-signzone would fail to delete temporary files - in some failure cases. [RT #2144] - -1141. [bug] When named rejected a control message, it would - leak a file descriptor and memory. It would also - fail to respond, causing rndc to hang. - [RT #2139, #2164] - -1140. [bug] rndc-confgen did not accept IPv6 addresses as arguments - to the -s option. [RT #2138] - -1139. [func] It is now possible to flush a given name from the - cache(s) via 'rndc flushname name [view]'. [RT #2051] - -1138. [func] It is now possible to flush a given name from the - cache by calling the new function - dns_cache_flushname(). - -1137. [func] It is now possible to flush a given name from the - ADB by calling the new function dns_adb_flushname(). - -1136. [bug] CNAME records synthesized from DNAMEs did not - have a TTL of zero as required by RFC2672. - [RT #2129] - -1135. [func] You can now override the default syslog() facility for - named/lwresd at compile time. [RT #1982] - -1134. [bug] Multi-threaded servers could deadlock in ferror() - when reloading zone files. [RT #1951, #1998] - -1133. [bug] IN6_IS_ADDR_LOOPBACK was not portably defined on - platforms without IN6_IS_ADDR_LOOPBACK. [RT #2106] - -1132. [func] Improve UPDATE prerequisite failure diagnostic messages. - -1131. [bug] The match-destinations view option did not work with - IPv6 destinations. [RT #2073, #2074] - -1130. [bug] Log messages reporting an out-of-range serial number - did not include the out-of-range number but the - following token. [RT #2076] - -1129. [bug] Multi-threaded servers could crash under heavy - resolution load due to a race condition. [RT #2018] - -1128. [func] sdb drivers can now provide RR data in either text - or wire format, the latter using the new functions - dns_sdb_putrdata() and dns_sdb_putnamedrdata(). - -1127. 
[func] rndc: If the server to contact has multiple addresses, - try all of them. - -1126. [bug] The server could access a freed event if shut - down while a client start event was pending - delivery. [RT #2061] - -1125. [bug] rndc: -k option was missing from usage message. - [RT #2057] - -1124. [doc] dig: +[no]dnssec, +[no]besteffort and +[no]fail - are now documented. [RT #2052] - -1123. [bug] dig +[no]fail did not match description. [RT #2052] - -1122. [tuning] Resolution timeout reduced from 90 to 30 seconds. - [RT #2046] - -1121. [bug] The server could attempt to access a NULL zone - table if shut down while resolving. - [RT #1587, #2054] - -1120. [bug] Errors in options were not fatal. [RT #2002] - -1119. [func] Added support in Win32 for NTFS file/directory ACL's - for access control. - -1118. [bug] On multi-threaded servers, a race condition - could cause an assertion failure in resolver.c - during resolver shutdown. [RT #2029] - -1117. [port] The configure check for in6addr_loopback incorrectly - succeeded on AIX 4.3 when compiling with -O2 - because the test code was optimized away. - [RT #2016] - -1116. [bug] Setting transfers in a server clause, transfers-in, - or transfers-per-ns to a value greater than - 2147483647 disabled transfers. [RT #2002] - -1115. [func] Set maximum values for cleaning-interval, - heartbeat-interval, interface-interval, - max-transfer-idle-in, max-transfer-idle-out, - max-transfer-time-in, max-transfer-time-out, - statistics-interval of 28 days and - sig-validity-interval of 3660 days. [RT #2002] - -1114. [port] Ignore more accept() errors. [RT #2021] - -1113. [bug] The allow-update-forwarding option was ignored - when specified in a view. [RT #2014] - -1112. [placeholder] - -1111. [bug] Multi-threaded servers could deadlock processing - recursive queries due to a locking hierarchy - violation in adb.c. [RT #2017] - -1110. [bug] dig should only accept valid abbreviations of +options. - [RT #2003] - -1109. 
[bug] nsupdate accepted illegal ttl values. - -1108. [bug] On Win32, rndc was hanging when named was not running - due to failure to select for exceptional conditions - in select(). [RT #1870] - -1107. [bug] nsupdate could catch an assertion failure if an - invalid domain name was given as the argument to - the "zone" command. - -1106. [bug] After seeing an out of range TTL, nsupdate would - treat all TTLs as out of range. [RT #2001] - -1105. [port] OpenUNIX 8 enable threads by default. [RT #1970] - -1104. [bug] Invalid arguments to the transfer-format option - could cause an assertion failure. [RT #1995] - -1103. [port] OpenUNIX 8 support (ifconfig.sh). [RT #1970] - -1102. [doc] Note that query logging is enabled by directing the - queries category to a channel. - -1101. [bug] Array bounds read error in lwres_gai_strerror. - -1100. [bug] libbind: DNSSEC key ids were computed incorrectly. - -1099. [cleanup] libbind: defining REPORT_ERRORS in lib/bind/dst caused - compile time errors. - -1098. [bug] libbind: HMAC-MD5 key files are now mode 0600. - -1097. [func] libbind: RES_PRF_TRUNC for dig. - -1096. [func] libbind: "DNSSEC OK" (DO) support. - -1095. [func] libbind: resolver option: no-tld-query. disables - trying unqualified as a tld. no_tld_query is also - supported for FreeBSD compatibility. - -1094. [func] libbind: add support gcc's format string checking. - -1093. [doc] libbind: miscellaneous nroff fixes. - -1092. [bug] libbind: get*by*() failed to check if res_init() had - been called. - -1091. [bug] libbind: misplaced va_end(). - -1090. [bug] libbind: dns_ho.c:add_hostent() was not returning - the amount of memory consumed resulting in garbage - address being returned. Alignment calculations were - wasting space. We weren't suppressing duplicate - addresses. - -1089. [func] libbind: inet_{cidr,net}_{pton,ntop}() now have IPv6 - support. - -1088. [port] libbind: MPE/iX C.70 (incomplete) - -1087. [bug] libbind: struct __res_state too large on 64 bit arch. 
- -1086. [port] libbind: sunos: old sprintf. - -1085. [port] libbind: solaris: sys_nerr and sys_errlist do not - exist when compiling in 64 bit mode. - -1084. [cleanup] libbind: gai_strerror() rewritten. - -1083. [bug] The default control channel listened on the - wildcard address, not the loopback as documented. - [RT #1975] - -1082. [bug] The -g option to named incorrectly caused logging - to be sent to syslog in addition to stderr. - [RT #1974] - -1081. [bug] Multicast queries were incorrectly identified - based on the source address, not the destination - address. - -1080. [bug] BIND 8 compatibility: accept bare IP prefixes - as the second element of a two-element top level - sort list statement. [RT #1964] - -1079. [bug] BIND 8 compatibility: accept bare elements at top - level of sort list treating them as if they were - a single element list. [RT #1963] - -1078. [bug] We failed to correct bad tv_usec values in one case. - [RT #1966] - -1077. [func] Do not accept further recursive clients when - the total number of recursive lookups being - processed exceeds max-recursive-clients, even - if some of the lookups are internally generated. - [RT #1915, #1938] - -1076. [bug] A badly defined global key could trigger an assertion - on load/reload if views were used. [RT #1947] - -1075. [bug] Out-of-range network prefix lengths were not - reported. [RT #1954] - -1074. [bug] Running out of memory in dump_rdataset() could - cause an assertion failure. [RT #1946] - -1073. [bug] The ADB cache cleaning should also be space driven. - [RT #1915, #1938] - -1072. [bug] The TCP client quota could be exceeded when - recursion occurred. [RT #1937] - -1071. [bug] Sockets listening for TCP DNS connections - specified an excessive listen backlog. [RT #1937] - -1070. [bug] Copy DNSSEC OK (DO) to response as specified by - draft-ietf-dnsext-dnssec-okbit-03.txt. - -1069. [placeholder] - -1068. [bug] errno could be overwritten by catgets(). [RT #1921] - -1067. 
[func] Allow quotas to be soft, isc_quota_soft(). - -1066. [bug] Provide a thread safe wrapper for strerror(). - [RT #1689] - -1065. [func] Runtime support to select new / old style interface - scanning using ioctls. - -1064. [bug] Do not shut down active network interfaces if we - are unable to scan the interface list. [RT #1921] - -1063. [bug] libbind: "make install" was failing on IRIX. - [RT #1919] - -1062. [bug] If the control channel listener socket was shut - down before server exit, the listener object could - be freed twice. [RT #1916] - -1061. [bug] If periodic cache cleaning happened to start - while cleaning due to reaching the configured - maximum cache size was in progress, the server - could catch an assertion failure. [RT #1912] - -1060. [func] Move refresh, stub and notify UDP retry processing - into dns_request. - -1059. [func] dns_request now support will now retry UDP queries, - dns_request_createvia2() and dns_request_createraw2(). - -1058. [func] Limited lifetime ticker timers are now available, - isc_timertype_limited. - -1057. [bug] Reloading the server after adding a "file" clause - to a zone statement could cause the server to - crash due to a typo in change 1016. - -1056. [bug] Rndc could catch an assertion failure on SIGINT due - to an uninitialized variable. [RT #1908] - -1055. [func] Version and hostname queries can now be disabled - using "version none;" and "hostname none;", - respectively. - -1054. [bug] On Win32, cfg_categories and cfg_modules need to be - exported from the libisccfg DLL. - -1053. [bug] Dig did not increase its timeout when receiving - AXFRs unless the +time option was used. [RT #1904] - -1052. [bug] Journals were not being created in binary mode - resulting in "journal format not recognized" error - under Win32. [RT #1889] - -1051. [bug] Do not ignore a network interface completely just - because it has a noncontiguous netmask. Instead, - omit it from the localnets ACL and issue a warning. - [RT #1891] - -1050. 
[bug] Log messages reporting malformed IP addresses in - address lists such as that of the forwarders option - failed to include the correct error code, file - name, and line number. [RT #1890] - -1049. [func] "pid-file none;" will disable writing a pid file. - [RT #1848] - -1048. [bug] Servers built with -DISC_MEM_USE_INTERNAL_MALLOC=1 - didn't work. - -1047. [bug] named was incorrectly refusing all requests signed - with a TSIG key derived from an unsigned TKEY - negotiation with a NOERROR response. [RT #1886] - -1046. [bug] The help message for the --with-openssl configure - option was inaccurate. [RT #1880] - -1045. [bug] It was possible to skip saving glue for a nameserver - for a stub zone. - -1044. [bug] Specifying allow-transfer, notify-source, or - notify-source-v6 in a stub zone was not treated - as an error. - -1043. [bug] Specifying a transfer-source or transfer-source-v6 - option in the zone statement for a master zone was - not treated as an error. [RT #1876] - -1042. [bug] The "config" logging category did not work properly. - [RT #1873] - -1041. [bug] Dig/host/nslookup could catch an assertion failure - on SIGINT due to an uninitialized variable. [RT #1867] - -1040. [bug] Multiple listen-on-v6 options with different ports - were not accepted. [RT #1875] - -1039. [bug] Negative responses with CNAMEs in the answer section - were cached incorrectly. [RT #1862] - -1038. [bug] In servers configured with a tkey-domain option, - TKEY queries with an owner name other than the root - could cause an assertion failure. [RT #1866, #1869] - -1037. [bug] Negative responses whose authority section contain - SOA or NS records whose owner names are not equal - equal to or parents of the query name should be - rejected. [RT #1862] - -1036. [func] Silently drop requests received via multicast as - long as there is no final multicast DNS standard. - -1035. 
[bug] If we respond to multicast queries (which we - currently do not), respond from a unicast address - as specified in RFC 1123. [RT #137] - -1034. [bug] Ignore the RD bit on multicast queries as specified - in RFC 1123. [RT #137] - -1033. [bug] Always respond to requests with an unsupported opcode - with NOTIMP, even if we don't have a matching view - or cannot determine the class. - -1032. [func] hostname.bind/txt/chaos now returns the name of - the machine hosting the nameserver. This is useful - in diagnosing problems with anycast servers. - -1031. [bug] libbind.a: isc__gettimeofday() infinite recursion. - [RT #1858] - -1030. [bug] On systems with no resolv.conf file, nsupdate - exited with an error rather than defaulting - to using the loopback address. [RT #1836] - -1029. [bug] Some named.conf errors did not cause the loading - of the configuration file to return a failure - status even though they were logged. [RT #1847] - -1028. [bug] On Win32, dig/host/nslookup looked for resolv.conf - in the wrong directory. [RT #1833] - -1027. [bug] RRs having the reserved type 0 should be rejected. - [RT #1471] - -1026. [placeholder] - -1025. [bug] Don't use multicast addresses to resolve iterative - queries. [RT #101] - -1024. [port] Compilation failed on HP-UX 11.11 due to - incompatible use of the SIOCGLIFCONF macro - name. [RT #1831] - -1023. [func] Accept hints without TTLs. - -1022. [bug] Don't report empty root hints as "extra data". - [RT #1802] - -1021. [bug] On Win32, log message timestamps were one month - later than they should have been, and the server - would exhibit unspecified behavior in December. - -1020. [bug] IXFR log messages did not distinguish between - true IXFRs, AXFR-style IXFRs, and mere version - polls. [RT #1811] - -1019. [bug] The value of the lame-ttl option was limited to 18000 - seconds, not 1800 seconds as documented. [RT #1803] - -1018. [bug] The default log channel was not always initialized - correctly. [RT #1813] - -1017. 
[bug] When specifying TSIG keys to dig and nsupdate using - the -k option, they must be HMAC-MD5 keys. [RT #1810] - -1016. [bug] Slave zones with no backup file were re-transferred - on every server reload. - -1015. [bug] Log channels that had a "versions" option but no - "size" option failed to create numbered log - files. [RT #1783] - -1014. [bug] Some queries would cause statistics counters to - increment more than once or not at all. [RT #1321] - -1013. [bug] It was possible to cancel a query twice when marking - a server as bogus or by having a blackhole acl. - [RT #1776] - -1012. [bug] The -p option to named did not behave as documented. - -1011. [cleanup] Removed isc_dir_current(). - -1010. [bug] The server could attempt to execute a command channel - command after initiating server shutdown, causing - an assertion failure. [RT #1766] - -1009. [port] OpenUNIX 8 support. [RT #1728] - -1008. [port] libtool.m4, ltmain.sh from libtool-1.4.2. - -1007. [port] config.guess, config.sub from autoconf-2.52. - -1006. [bug] If a KEY RR was found missing during DNSSEC validation, - an assertion failure could subsequently be triggered - in the resolver. [RT #1763] - -1005. [bug] Don't copy nonzero RCODEs from request to response. - [RT #1765] - -1004. [port] Deal with recvfrom() returning EHOSTDOWN. [RT #1770] - -1003. [func] Add the +retry option to dig. - -1002. [bug] When reporting an unknown class name in named.conf, - including the file name and line number. [RT #1759] - -1001. [bug] win32 socket code doio_recv was not catching a - WSACONNRESET error when a client was timing out - the request and closing its socket. [RT #1745] - -1000. [bug] BIND 8 compatibility: accept "HESIOD" as an alias - for class "HS". [RT #1759] - - 999. [func] "rndc retransfer zone [class [view]]" added. - [RT #1752] - - 998. [func] named-checkzone now has arguments to specify the - chroot directory (-t) and working directory (-w). - [RT #1755] - - 997. 
[func] Add support for RSA-SHA1 keys (RFC3110). - - 996. [func] Issue warning if the configuration filename contains - the chroot path. - - 995. [bug] dig, host, nslookup: using a raw IPv6 address as a - target address should be fatal on a IPv4 only system. - - 994. [func] Treat non-authoritative responses to queries for type - NS as referrals even if the NS records are in the - answer section, because BIND 8 servers incorrectly - send them that way. This is necessary for DNSSEC - validation of the NS records of a secure zone to - succeed when the parent is a BIND 8 server. [RT #1706] - - 993. [func] dig: -v now reports the version. - - 992. [doc] dig: ~/.digrc is now documented. - - 991. [func] Lower UDP refresh timeout messages to level - debug 1. - - 990. [bug] The rndc-confgen man page was not installed. - - 989. [bug] Report filename if $INCLUDE fails for file related - errors. [RT #1736] - - 988. [bug] 'additional-from-auth no;' did not work reliably - in the case of queries answered from the cache. - [RT #1436] - - 987. [bug] "dig -help" didn't show "+[no]stats". - - 986. [bug] "dig +noall" failed to clear stats and command - printing. - - 985. [func] Consider network interfaces to be up iff they have - a nonzero IP address rather than based on the - IFF_UP flag. [RT #1160] - - 984. [bug] Multi-threading should be enabled by default on - Solaris 2.7 and newer, but it wasn't. - - 983. [func] The server now supports generating IXFR difference - sequences for non-dynamic zones by comparing zone - versions, when enabled using the new config - option "ixfr-from-differences". [RT #1727] - - 982. [func] If "memstatistics-file" is set in options the memory - statistics will be written to it. - - 981. [func] The dnssec tools can now take multiple '-r randomfile' - arguments. - - 980. [bug] Incoming zone transfers restarting after an error - could trigger an assertion failure. [RT #1692] - - 979. [func] Incremental master file dumping. 
dns_master_dumpinc(), - dns_master_dumptostreaminc(), dns_dumpctx_attach(), - dns_dumpctx_detach(), dns_dumpctx_cancel(), - dns_dumpctx_db() and dns_dumpctx_version(). - - 978. [bug] dns_db_attachversion() had an invalid REQUIRE() - condition. - - 977. [bug] Improve "not at top of zone" error message. - - 976. [func] named-checkconf can now test load master zones - (named-checkconf -z). [RT #1468] - - 975. [bug] "max-cache-size default;" as a view option - caused an assertion failure. - - 974. [bug] "max-cache-size unlimited;" as a global option - was not accepted. - - 973. [bug] Failed to log the question name when logging: - "bad zone transfer request: non-authoritative zone - (NOTAUTH)". - - 972. [bug] The file modification time code in zone.c was using the - wrong epoch. [RT #1667] - - 971. [placeholder] - - 970. [func] 'max-journal-size' can now be used to set a target - size for a journal. - - 969. [func] dig now supports the undocumented dig 8 feature - of allowing arbitrary labels, not just dotted - decimal quads, with the -x option. This can be - used to conveniently look up RFC2317 names as in - "dig -x 10.0.0.0-127". [RT #827, #1576, #1598] - - 968. [bug] On win32, the isc_time_now() function was unnecessarily - calling strtime(). [RT #1671] - - 967. [bug] On win32, the link for bindevt was not including the - required resource file to enable the event viewer - to interpret the error messages in the event log, - [RT #1668] - - 966. [placeholder] - - 965. [bug] Including data other than root server NS and A - records in the root hint file could cause a rbtdb - node reference leak. [RT #1581, #1618] - - 964. [func] Warn if data other than root server NS and A records - are found in the root hint file. [RT #1581, #1618] - - 963. [bug] Bad ISC_LANG_ENDDECLS. [RT #1645] - - 962. [bug] libbind: bad "#undef", don't attempt to install - non-existant nlist.h. [RT #1640] - - 961. [bug] Tried to use a IPV6 feature when ISC_PLATFORM_HAVEIPV6 - was not defined. 
[RT #1482] - - 960. [port] liblwres failed to build on systems with support for - getrrsetbyname() in the OS. [RT #1592] - - 959. [port] On FreeBSD, determine the number of CPUs by calling - sysctlbyname(). [RT #1584] - - 958. [port] ssize_t is not available on all platforms. [RT #1607] - - 957. [bug] sys/select.h inclusion was broken on older platforms. - [RT #1607] - - 956. [bug] ns_g_autorndcfile changed to ns_g_keyfile - in named/win32/os.c due to code changes in - change #953. win32 .make file for rndc-confgen - updated to add include path for os.h header. - - --- 9.2.0rc1 released --- - - 955. [bug] When using views, the zone's class was not being - inherited from the view's class. [RT #1583] - - 954. [bug] When requesting AXFRs or IXFRs using dig, host, or - nslookup, the RD bit should not be set as zone - transfers are inherently nonrecursive. [RT #1575] - - 953. [func] The /var/run/named.key file from change #843 - has been replaced by /etc/rndc.key. Both - named and rndc will look for this file and use - it to configure a default control channel key - if not already configured using a different - method (rndc.conf / controls). Unlike - named.key, rndc.key is not created automatically; - it must be created by manually running - "rndc-confgen -a". - - 952. [bug] The server required manual intervention to serve the - affected zones if it died between creating a journal - and committing the first change to it. - - 951. [bug] CFLAGS was not passed to the linker when - linking some of the test programs under - bin/tests. [RT #1555]. - - 950. [bug] Explicit TTLs did not properly override $TTL - due to a bug in change 834. [RT #1558] - - 949. [bug] host was unable to print records larger than 512 - bytes. [RT #1557] - - --- 9.2.0b2 released --- - - 948. [port] Integrated support for building on Windows NT / - Windows 2000. - - 947. [bug] dns_rdata_soa_t had a badly named element "mname" which - was really the RNAME field from RFC1035. 
To avoid - confusion and silent errors that would occur it the - "origin" and "mname" elements were given their correct - names "mname" and "rname" respectively, the "mname" - element is renamed to "contact". - - 946. [cleanup] doc/misc/options is now machine-generated from the - configuration parser syntax tables, and therefore - more likely to be correct. - - 945. [func] Add the new view-specific options - "match-destinations" and "match-recursive-only". - - 944. [func] Check for expired signatures on load. - - 943. [bug] The server could crash when receiving a command - via rndc if the configuration file listed only - nonexistent keys in the controls statement. [RT #1530] - - 942. [port] libbind: GETNETBYADDR_ADDR_T was not correctly - defined on some platforms. - - 941. [bug] The configuration checker crashed if a slave - zone didn't contain a masters statement. [RT #1514] - - 940. [bug] Double zone locking failure on error path. [RT #1510] - - --- 9.2.0b1 released --- - - 939. [port] Add the --disable-linux-caps option to configure for - systems that manage capabilities outside of named. - [RT #1503] - - 938. [placeholder] - - 937. [bug] A race when shutting down a zone could trigger a - INSIST() failure. [RT #1034] - - 936. [func] Warn about IPv4 addresses that are not complete - dotted quads. [RT #1084] - - 935. [bug] inet_pton failed to reject leading zeros. - - 934. [port] Deal with systems where accept() spuriously returns - ECONNRESET. - - 933. [bug] configure failed doing libbind on platforms not - supported by BIND 8. [RT #1496] - - --- 9.2.0a3 released --- - - 932. [bug] Use INSTALL_SCRIPT, not INSTALL_PROGRAM, - when installing isc-config.sh. - [RT #198, #1466] - - 931. [bug] The controls statement only attempted to verify - messages using the first key in the key list. - (9.2.0a1/a2 only). - - 930. [func] Query performance testing tool added as - contrib/queryperf. - - 929. [placeholder] - - 928. 
[bug] nsupdate would send empty update packets if the - send (or empty line) command was run after - another send but before any new updates or - prerequisites were specified. It should simply - ignore this command. - - 927. [bug] Don't hold the zone lock for the entire dump to disk. - [RT #1423] - - 926. [bug] The resolver could deadlock with the ADB when - shutting down (multi-threaded builds only). - [RT #1324] - - 925. [cleanup] Remove openssl from the distribution; require that - --with-openssl be specified if DNSSEC is needed. - - 924. [port] Extend support for pre-RFC2133 IPv6 implementation. - [RT #987] - - 923. [bug] Multiline TSIG secrets (and other multiline strings) - were not accepted in named.conf. [RT #1469] - - 922. [func] Added two new lwres_getrrsetbyname() result codes, - ERR_NONAME and ERR_NODATA. - - 921. [bug] lwres returned an incorrect error code if it received - a truncated message. - - 920. [func] Increase the lwres receive buffer size to 16K. - [RT #1451] - - 919. [placeholder] - - 918. [func] In nsupdate, TSIG errors are no longer treated as - fatal errors. - - 917. [func] New nsupdate command 'key', allowing TSIG keys to - be specified in the nsupdate command stream rather - than the command line. - - 916. [bug] Specifying type ixfr to dig without specifying - a serial number failed in unexpected ways. - - 915. [func] The named-checkconf and named-checkzone programs - now have a '-v' option for printing their version. - [RT #1151] - - 914. [bug] Global 'server' statements were rejected when - using views, even though they were accepted - in 9.1. [RT #1368] - - 913. [bug] Cache cleaning was not sufficiently aggressive. - [RT #1441, #1444] - - 912. [bug] Attempts to set the 'additional-from-cache' or - 'additional-from-auth' option to 'no' in a - server with recursion enabled will now - be ignored and cause a warning message. - [RT #1145] - - 911. [placeholder] - - 910. 
[port] Some pre-RFC2133 IPv6 implementations do not define - IN6ADDR_ANY_INIT. [RT #1416] - - 909. [placeholder] - - 908. [func] New program, rndc-confgen, to simplify setting up rndc. - - 907. [func] The ability to get entropy from either the - random device, a user-provided file or from - the keyboard was migrated from the DNSSEC tools - to libisc as isc_entropy_usebestsource(). - - 906. [port] Separated the system independent portion of - lib/isc/unix/entropy.c into lib/isc/entropy.c - and added lib/isc/win32/entropy.c. - - 905. [bug] Configuring a forward "zone" for the root domain - did not work. [RT #1418] - - 904. [bug] The server would leak memory if attempting to use - an expired TSIG key. [RT #1406] - - 903. [bug] dig should not crash when receiving a TCP packet - of length 0. - - 902. [bug] The -d option was ignored if both -t and -g were also - specified. - - 901. [placeholder] - - 900. [bug] A config.guess update changed the system identification - string of FreeBSD systems; configure and - bin/tests/system/ifconfig.sh now recognize the new - string. - - --- 9.2.0a2 released --- - - 899. [bug] lib/dns/soa.c failed to compile on many platforms - due to inappropriate use of a void value. - [RT #1372, #1373, #1386, #1387, #1395] - - 898. [bug] "dig" failed to set a nonzero exit status - on UDP query timeout. [RT #1323] - - 897. [bug] A config.guess update changed the system identification - string of UnixWare systems; configure now recognizes - the new string. - - 896. [bug] If a configuration file is set on named's command line - and it has a relative pathname, the current directory - (after any possible jailing resulting from named -t) - will be prepended to it so that reloading works - properly even when a directory option is present. - - 895. [func] New function, isc_dir_current(), akin to POSIX's - getcwd(). - - 894. 
[bug] When using the DNSSEC tools, a message intended to warn - when the keyboard was being used because of the lack - of a suitable random device was not being printed. - - 893. [func] Removed isc_file_test() and added isc_file_exists() - for the basic functionality that was being added - with isc_file_test(). - - 892. [placeholder] - - 891. [bug] Return an error when a SIG(0) signed response to - an unsigned query is seen. This should actually - do the verification, but it's not currently - possible. [RT #1391] - - 890. [cleanup] The man pages no longer require the mandoc macros - and should now format cleanly using most versions of - nroff, and HTML versions of the man pages have been - added. Both are generated from DocBook source. - - 889. [port] Eliminated blank lines before .TH in nroff man - pages since they cause problems with some versions - of nroff. [RT #1390] - - 888. [bug] Don't die when using TKEY to delete a nonexistent - TSIG key. [RT #1392] - - 887. [port] Detect broken compilers that can't call static - functions from inline functions. [RT #1212] - - 886. [placeholder] - - 885. [placeholder] - - 884. [placeholder] - - 883. [placeholder] - - 882. [placeholder] - - 881. [placeholder] - - 880. [placeholder] - - 879. [placeholder] - - 878. [placeholder] - - 877. [placeholder] - - 876. [placeholder] - - 875. [placeholder] - - 874. [placeholder] - - 873. [placeholder] - - 872. [placeholder] - - 871. [placeholder] - - 870. [placeholder] - - 869. [placeholder] - - 868. [placeholder] - - 867. [placeholder] - - 866. [func] Close debug only file channels when debug is set to - zero. [RT #1246] - - 865. [bug] The new configuration parser did not allow - the optional debug level in a "severity debug" - clause of a logging channel to be omitted. - This is now allowed and treated as "severity - debug 1;" like it does in BIND 8.2.4, not as - "severity debug 0;" like it did in BIND 9.1. - [RT #1367] - - 864. 
[cleanup] Multi-threading is now enabled by default on - OSF1, Solaris 2.7 and newer, AIX, IRIX, and HP-UX. - - 863. [bug] If an error occurred while an outgoing zone transfer - was starting up, the server could access a domain - name that had already been freed when logging a - message saying that the transfer was starting. - [RT #1383] - - 862. [bug] Use after realloc(), non portable pointer arithmetic in - grmerge(). - - 861. [port] Add support for Mac OS X, by making it equivalent - to Darwin. This was derived from the config.guess - file shipped with Mac OS X. [RT #1355] - - 860. [func] Drop cross class glue in zone transfers. - - 859. [bug] Cache cleaning now won't swamp the CPU if there - is a persistent overlimit condition. - - 858. [func] isc_mem_setwater() no longer requires that when the - callback function is non-NULL then its hi_water - argument must be greater than its lo_water argument - (they can now be equal) or that they be non-zero. - - 857. [cleanup] Use ISC_MAGIC() to define all magic numbers for - structs, for our friends in EBCDIC-land. - - 856. [func] Allow partial rdatasets to be returned in answer and - authority sections to help non-TCP capable clients - recover from truncation. [RT #1301] - - 855. [bug] Stop spurious "using RFC 1035 TTL semantics" warnings. - - 854. [bug] The config parser didn't properly handle config - options that were specified in units of time other - than seconds. [RT #1372] - - 853. [bug] configure_view_acl() failed to detach existing acls. - [RT #1374] - - 852. [bug] Handle responses from servers which do not know - about IXFR. - - 851. [cleanup] The obsolete support-ixfr option was not properly - ignored. - - --- 9.2.0a1 released --- - - 850. [bug] dns_rbt_findnode() would not find nodes that were - split on a bitstring label somewhere other than in - the last label of the node. [RT #1351] - - 849. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined. - - 848. 
[func] A minimum max-cache-size of two megabytes is enforced - by the cache cleaner. - - 847. [func] Added isc_file_test(), which currently only has - some very basic functionality to test for the - existence of a file, whether a pathname is absolute, - or whether a pathname is the fundamental representation - of the current directory. It is intended that this - function can be expanded to test other things a - programmer might want to know about a file. - - 846. [func] A non-zero 'param' to dst_key_generate() when making an - hmac-md5 key means that good entropy is not required. - - 845. [bug] The access rights on the public file of a symmetric - key are now restricted as soon as the file is opened, - rather than after it has been written and closed. - - 844. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined, - just as <lwres/net.h> does. - - 843. [func] If no controls statement is present in named.conf, - or if any inet phrase of a controls statement is - lacking a keys clause, then a key will be automatically - generated by named and an rndc.conf-style file - named named.key will be written that uses it. rndc - will use this file only if its normal configuration - file, or one provided on the command line, does not - exist. - - 842. [func] 'rndc flush' now takes an optional view. - - 841. [bug] When sdb modules were not declared threadsafe, their - create and destroy functions were not serialized. - - 840. [bug] The config file parser could print the wrong file - name if an error was detected after an included file - was parsed. [RT #1353] - - 839. [func] Dump packets for which there was no view or that the - class could not be determined to category "unmatched". - - 838. [port] UnixWare 7.x.x is now suported by - bin/tests/system/ifconfig.sh. - - 837. [cleanup] Multi-threading is now enabled by default only on - OSF1, Solaris 2.7 and newer, and AIX. - - 836. [func] Upgraded libtool to 1.4. - - 835. 
[bug] The dispatcher could enter a busy loop if - it got an I/O error receiving on a UDP socket. - [RT #1293] - - 834. [func] Accept (but warn about) master files beginning with - an SOA record without an explicit TTL field and - lacking a $TTL directive, by using the SOA MINTTL - as a default TTL. This is for backwards compatibility - with old versions of BIND 8, which accepted such - files without warning although they are illegal - according to RFC1035. - - 833. [cleanup] Moved dns_soa_*() from <dns/journal.h> to - <dns/soa.h>, and extended them to support - all the integer-valued fields of the SOA RR. - - 832. [bug] The default location for named.conf in named-checkconf - should depend on --sysconfdir like it does in named. - [RT #1258] - - 831. [placeholder] - - 830. [func] Implement 'rndc status'. - - 829. [bug] The DNS_R_ZONECUT result code should only be returned - when an ANY query is made with DNS_DBFIND_GLUEOK set. - In all other ANY query cases, returning the delegation - is better. - - 828. [bug] The errno value from recvfrom() could be overwritten - by logging code. [RT #1293] - - 827. [bug] When an IXFR protocol error occurs, the slave - should retry with AXFR. - - 826. [bug] Some IXFR protocol errors were not detected. - - 825. [bug] zone.c:ns_query() detached from the wrong zone - reference. [RT #1264] - - 824. [bug] Correct line numbers reported by dns_master_load(). - [RT #1263] - - 823. [func] The output of "dig -h" now goes to stdout so that it - can easily be piped through "more". [RT #1254] - - 822. [bug] Sending nxrrset prerequisites would crash nsupdate. - [RT #1248] - - 821. [bug] The program name used when logging to syslog should - be stripped of leading path components. - [RT #1178, #1232] - - 820. [bug] Name server address lookups failed to follow - A6 chains into the glue of local authoritative - zones. - - 819. 
[bug] In certain cases, the resolver's attempts to - restart an address lookup at the root could cause - the fetch to deadlock (with itself) instead of - restarting. [RT #1225] - - 818. [bug] Certain pathological responses to ANY queries could - cause an assertion failure. [RT #1218] - - 817. [func] Adjust timeouts for dialup zone queries. - - 816. [bug] Report potential problems with log file accessibility - at configuration time, since such problems can't - reliably be reported at the time they actually occur. - - 815. [bug] If a log file was specified with a path separator - character (i.e. "/") in its name and the directory - did not exist, the log file's name was treated as - though it were the directory name. [RT #1189] - - 814. [bug] Socket objects left over from accept() failures - were incorrectly destroyed, causing corruption - of socket manager data structures. - - 813. [bug] File descriptors exceeding FD_SETSIZE were handled - badly. [RT #1192] - - 812. [bug] dig sometimes printed incomplete IXFR responses - due to an uninitialized variable. [RT #1188] - - 811. [bug] Parentheses were not quoted in zone dumps. [RT #1194] - - 810. [bug] The signer name in SIG records was not properly - downcased when signing/verifying records. [RT #1186] - - 809. [bug] Configuring a non-local address as a transfer-source - could cause an assertion failure during load. - - 808. [func] Add 'rndc flush' to flush the server's cache. - - 807. [bug] When setting up TCP connections for incoming zone - transfers, the transfer-source port was not - ignored like it should be. - - 806. [bug] DNS_R_SEENINCLUDE was failing to propagate back up - the calling stack to the zone maintence level, causing - zones to not reload when an included file was touched - but the top-level zone file was not. - - 805. [bug] When using "forward only", missing root hints should - not cause queries to fail. [RT #1143] - - 804. [bug] Attempting to obtain entropy could fail in some - situations. 
This would be most common on systems - with user-space threads. [RT #1131] - - 803. [bug] Treat all SIG queries as if they have the CD bit set, - otherwise no data will be returned [RT #749] - - 802. [bug] DNSSEC key tags were computed incorrectly in almost - all cases. [RT #1146] - - 801. [bug] nsupdate should treat lines beginning with ';' as - comments. [RT #1139] - - 800. [bug] dnssec-signzone produced incorrect statistics for - large zones. [RT #1133] - - 799. [bug] The ADB didn't find AAAA glue in a zone unless A6 - glue was also present. - - 798. [bug] nsupdate should be able to reject bad input lines - and continue. [RT #1130] - - 797. [func] Issue a warning if the 'directory' option contains - a relative path. [RT #269] - - 796. [func] When a size limit is associated with a log file, - only roll it when the size is reached, not every - time the log file is opened. [RT #1096] - - 795. [func] Add the +multiline option to dig. [RT #1095] - - 794. [func] Implement the "port" and "default-port" statements - in rndc.conf. - - 793. [cleanup] The DNSSEC tools could create filenames that were - illegal or contained shell metacharacters. They - now use a different text encoding of names that - doesn't have these problems. [RT #1101] - - 792. [cleanup] Replace the OMAPI command channel protocol with a - simpler one. - - 791. [bug] The command channel now works over IPv6. - - 790. [bug] Wildcards created using dynamic update or IXFR - could fail to match. [RT #1111] - - 789. [bug] The "localhost" and "localnets" ACLs did not match - when used as the second element of a two-element - sortlist item. - - 788. [func] Add the "match-mapped-addresses" option, which - causes IPv6 v4mapped addresses to be treated as - IPv4 addresses for the purpose of acl matching. - - 787. [bug] The DNSSEC tools failed to downcase domain - names when mapping them into file names. - - 786. [bug] When DNSSEC signing/verifying data, owner names were - not properly downcased. - - 785. 
[bug] A race condition in the resolver could cause - an assertion failure. [RT #673, #872, #1048] - - 784. [bug] nsupdate and other programs would not quit properly - if some signals were blocked by the caller. [RT #1081] - - 783. [bug] Following CNAMEs could cause an assertion failure - when either using an sdb database or under very - rare conditions. - - 782. [func] Implement the "serial-query-rate" option. - - 781. [func] Avoid error packet loops by dropping duplicate FORMERR - responses. [RT #1006] - - 780. [bug] Error handling code dealing with out of memory or - other rare errors could lead to assertion failures - by calling functions on unitialized names. [RT #1065] - - 779. [func] Added the "minimal-responses" option. - - 778. [bug] When starting cache cleaning, cleaning_timer_action() - returned without first pausing the iterator, which - could cause deadlock. [RT #998] - - 777. [bug] An empty forwarders list in a zone failed to override - global forwarders. [RT #995] - - 776. [func] Improved error reporting in denied messages. [RT #252] - - 775. [placeholder] - - 774. [func] max-cache-size is implemented. - - 773. [func] Added isc_rwlock_trylock() to attempt to lock without - blocking. - - 772. [bug] Owner names could be incorrectly omitted from cache - dumps in the presence of negative caching entries. - [RT #991] - - 771. [cleanup] TSIG errors related to unsynchronized clocks - are logged better. [RT #919] - - 770. [func] Add the "edns yes_or_no" statement to the server - clause. [RT #524] - - 769. [func] Improved error reporting when parsing rdata. [RT #740] - - 768. [bug] The server did not emit an SOA when a CNAME - or DNAME chain ended in NXDOMAIN in an - authoritative zone. - - 767. [placeholder] - - 766. [bug] A few cases in query_find() could leak fname. - This would trigger the mpctx->allocated == 0 - assertion when the server exited. - [RT #739, #776, #798, #812, #818, #821, #845, - #892, #935, #966] - - 765. 
[func] ACL names are once again case insensitive, like - in BIND 8. [RT #252] - - 764. [func] Configuration files now allow "include" directives - in more places, such as inside the "view" statement. - [RT #377, #728, #860] - - 763. [func] Configuration files no longer have reserved words. - [RT #731, #753] - - 762. [cleanup] The named.conf and rndc.conf file parsers have - been completely rewritten. - - 761. [bug] _REENTRANT was still defined when building with - --disable-threads. - - 760. [contrib] Significant enhancements to the pgsql sdb driver. - - 759. [bug] The resolver didn't turn off "avoid fetches" mode - when restarting, possibly causing resolution - to fail when it should not. This bug only affected - platforms which support both IPv4 and IPv6. [RT #927] - - 758. [bug] The "avoid fetches" code did not treat negative - cache entries correctly, causing fetches that would - be useful to be avoided. This bug only affected - platforms which support both IPv4 and IPv6. [RT #927] - - 757. [func] Log zone transfers. - - 756. [bug] dns_zone_load() could "return" success when no master - file was configured. - - 755. [bug] Fix incorrectly formatted log messages in zone.c. - - 754. [bug] Certain failure conditions sending UDP packets - could cause the server to retry the transmission - indefinitely. [RT #902] - - 753. [bug] dig, host, and nslookup would fail to contact a - remote server if getaddrinfo() returned an IPv6 - address on a system that doesn't support IPv6. - [RT #917] - - 752. [func] Correct bad tv_usec elements returned by - gettimeofday(). - - 751. [func] Log successful zone loads / transfers. [RT #898] - - 750. [bug] A query should not match a DNAME whose trust level - is pending. [RT #916] - - 749. [bug] When a query matched a DNAME in a secure zone, the - server did not return the signature of the DNAME. - [RT #915] - - 748. [doc] List supported RFCs in doc/misc/rfc-compliance. - [RT #781] - - 747. 
[bug] The code to determine whether an IXFR was possible - did not properly check for a database that could - not have a journal. [RT #865, #908] - - 746. [bug] The sdb didn't clone rdatasets properly, causing - a crash when the server followed delegations. [RT #905] - - 745. [func] Report the owner name of records that fail - semantic checks while loading. - - 744. [bug] When returning DNS_R_CNAME or DNS_R_DNAME as the - result of an ANY or SIG query, the resolver failed - to setup the return event's rdatasets, causing an - assertion failure in the query code. [RT #881] - - 743. [bug] Receiving a large number of certain malformed - answers could cause named to stop responding. - [RT #861] - - 742. [placeholder] - - 741. [port] Support openssl-engine. [RT #709] - - 740. [port] Handle openssl library mismatches slightly better. - - 739. [port] Look for /dev/random in configure, rather than - assuming it will be there for only a predefined - set of OSes. - - 738. [bug] If a non-threadsafe sdb driver supported AXFR and - received an AXFR request, it would deadlock or die - with an assertion failure. [RT #852] - - 737. [port] stdtime.c failed to compile on certain platforms. - - 736. [func] New functions isc_task_{begin,end}exclusive(). - - 735. [doc] Add BIND 4 migration notes. - - 734. [bug] An attempt to re-lock the zone lock could occur if - the server was shutdown during a zone tranfer. - [RT #830] - - 733. [bug] Reference counts of dns_acl_t objects need to be - locked but were not. [RT #801, #821] - - 732. [bug] Glue with 0 TTL could also cause SERVFAIL. [RT #828] - - 731. [bug] Certain zone errors could cause named-checkzone to - fail ungracefully. [RT #819] - - 730. [bug] lwres_getaddrinfo() returns the correct result when - it fails to contact a server. [RT #768] - - 729. [port] pthread_setconcurrency() needs to be called on Solaris. - - 728. [bug] Fix comment processing on master file directives. - [RT# 757] - - 727. 
[port] Work around OS bug where accept() succeeds but - fails to fill in the peer address of the accepted - connection, by treating it as an error rather than - an assertion failure. [RT #809] - - 726. [func] Implement the "trace" and "notrace" commands in rndc. - - 725. [bug] Installing man pages could fail. - - 724. [func] New libisc functions isc_netaddr_any(), - isc_netaddr_any6(). - - 723. [bug] Referrals whose NS RRs had a 0 TTL caused the resolver - to return DNS_R_SERVFAIL. [RT #783] - - 722. [func] Allow incremental loads to be canceled. - - 721. [cleanup] Load manager and dns_master_loadfilequota() are no - more. - - 720. [bug] Server could enter infinite loop in - dispatch.c:do_cancel(). [RT #733] - - 719. [bug] Rapid reloads could trigger an assertion failure. - [RT #743, #763] - - 718. [cleanup] "internal" is no longer a reserved word in named.conf. - [RT #753, #731] - - 717. [bug] Certain TKEY processing failure modes could - reference an uninitialized variable, causing the - server to crash. [RT #750] - - 716. [bug] The first line of a $INCLUDE master file was lost if - an origin was specified. [RT #744] - - 715. [bug] Resolving some A6 chains could cause an assertion - failure in adb.c. [RT #738] - - 714. [bug] Preserve interval timers across reloads unless changed. - [RT# 729] - - 713. [func] named-checkconf takes '-t directory' similar to named. - [RT #726] - - 712. [bug] Sending a large signed update message caused an - assertion failure. [RT #718] - - 711. [bug] The libisc and liblwres implementations of - inet_ntop contained an off by one error. - - 710. [func] The forwarders statement now takes an optional - port. [RT #418] - - 709. [bug] ANY or SIG queries for data with a TTL of 0 - would return SERVFAIL. [RT #620] - - 708. [bug] When building with --with-openssl, the openssl headers - included with BIND 9 should not be used. [RT #702] - - 707. [func] The "filename" argument to named-checkzone is no - longer optional, to reduce confusion. 
[RT #612] - - 706. [bug] Zones with an explicit "allow-update { none; };" - were considered dynamic and therefore not reloaded - on SIGHUP or "rndc reload". - - 705. [port] Work out resource limit type for use where rlim_t is - not available. [RT #695] - - 704. [port] RLIMIT_NOFILE is not available on all platforms. - [RT #695] - - 703. [port] sys/select.h is needed on older platforms. [RT #695] - - 702. [func] If the address 0.0.0.0 is seen in resolv.conf, - use 127.0.0.1 instead. [RT #693] - - 701. [func] Root hints are now fully optional. Class IN - views use compiled-in hints by default, as - before. Non-IN views with no root hints now - provide authoritative service but not recursion. - A warning is logged if a view has neither root - hints nor authoritative data for the root. [RT #696] - - 700. [bug] $GENERATE range check was wrong. [RT #688] - - 699. [bug] The lexer mishandled empty quoted strings. [RT #694] - - 698. [bug] Aborting nsupdate with ^C would lead to several - race conditions. - - 697. [bug] nsupdate was not compatible with the undocumented - BIND 8 behavior of ignoring TTLs in "update delete" - commands. [RT #693] - - 696. [bug] lwresd would die with an assertion failure when passed - a zero-length name. [RT #692] - - 695. [bug] If the resolver attempted to query a blackholed or - bogus server, the resolution would fail immediately. - - 694. [bug] $GENERATE did not produce the last entry. - [RT #682, #683] - - 693. [bug] An empty lwres statement in named.conf caused - the server to crash while loading. - - 692. [bug] Deal with systems that have getaddrinfo() but not - gai_strerror(). [RT #679] - - 691. [bug] Configuring per-view forwarders caused an assertion - failure. [RT #675, #734] - - 690. [func] $GENERATE now supports DNAME. [RT #654] - - 689. [doc] man pages are now installed. [RT #210] - - 688. [func] "make tags" now works on systems with the - "Exuberant Ctags" etags. - - 687. 
[bug] Only say we have IPv6, with sufficent functionality, - if it has actually been tested. [RT #586] - - 686. [bug] dig and nslookup can now be properly aborted during - blocking operations. [RT #568] - - 685. [bug] nslookup should use the search list/domain options - from resolv.conf by default. [RT #405, #630] - - 684. [bug] Memory leak with view forwarders. [RT #656] - - 683. [bug] File descriptor leak in isc_lex_openfile(). - - 682. [bug] nslookup displayed SOA records incorrectly. [RT #665] - - 681. [bug] $GENERATE specifying output format was broken. [RT #653] - - 680. [bug] dns_rdata_fromstruct() mishandled options bigger - than 255 octets. - - 679. [bug] $INCLUDE could leak memory and file descriptors on - reload. [RT #639] - - 678. [bug] "transfer-format one-answer;" could trigger an assertion - failure. [RT #646] - - 677. [bug] dnssec-signzone would occasionally use the wrong ttl - for database operations and fail. [RT #643] - - 676. [bug] Log messages about lame servers to category - 'lame-servers' rather than 'resolver', so as not - to be gratuitously incompatible with BIND 8. - - 675. [bug] TKEY queries could cause the server to leak - memory. - - 674. [func] Allow messages to be TSIG signed / verified using - a offset from the current time. - - 673. [func] The server can now convert RFC1886-style recursive - lookup requests into RFC2874-style lookups, when - enabled using the new option "allow-v6-synthesis". - - 672. [bug] The wrong time was in the "time signed" field when - replying with BADTIME error. - - 671. [bug] The message code was failing to parse a message with - no question section and a TSIG record. [RT #628] - - 670. [bug] The lwres replacements for getaddrinfo and - getipnodebyname didn't properly check for the - existence of the sockaddr sa_len field. - - 669. [bug] dnssec-keygen now makes the public key file - non-world-readable for symmetric keys. [RT #403] - - 668. 
[func] named-checkzone now reports multiple errors in master - files. - - 667. [bug] On Linux, running named with the -u option and a - non-world-readable configuration file didn't work. - [RT #626] - - 666. [bug] If a request sent by dig is longer than 512 bytes, - use TCP. - - 665. [bug] Signed responses were not sent when the size of the - TSIG + question exceeded the maximum message size. - [RT #628] - - 664. [bug] The t_tasks and t_timers module tests are now skipped - when building without threads, since they require - threads. - - 663. [func] Accept a size_spec, not just an integer, in the - (unimplemented and ignored) max-ixfr-log-size option - for compatibility with recent versions of BIND 8. - [RT #613] - - 662. [bug] dns_rdata_fromtext() failed to log certain errors. - - 661. [bug] Certain UDP IXFR requests caused an assertion failure - (mpctx->allocated == 0). [RT #355, #394, #623] - - 660. [port] Detect multiple CPUs on HP-UX and IRIX. - - 659. [performance] Rewrite the name compression code to be much faster. - - 658. [cleanup] Remove all vestiges of 16 bit global compression. - - 657. [bug] When a listen-on statement in an lwres block does not - specify a port, use 921, not 53. Also update the - listen-on documentation. [RT #616] - - 656. [func] Treat an unescaped newline in a quoted string as - an error. This means that TXT records with missing - close quotes should have meaningful errors printed. - - 655. [bug] Improve error reporting on unexpected eof when loading - zones. [RT #611] - - 654. [bug] Origin was being forgotten in TCP retries in dig. - [RT #574] - - 653. [bug] +defname option in dig was reversed in sense. - [RT #549] - - 652. [bug] zone_saveunique() did not report the new name. - - 651. [func] The AD bit in responses now has the meaning - specified in <draft-ietf-dnsext-ad-is-secure>. - - 650. [bug] SIG(0) records were being generated and verified - incorrectly. [RT #606] - - 649. 
[bug] It was possible to join to an already running fctx - after it had "cloned" its events, but before it sent - them. In this case, the event of the newly joined - fetch would not contain the answer, and would - trigger the INSIST() in fctx_sendevents(). In - BIND 9.0, this bug did not trigger an INSIST(), but - caused the fetch to fail with a SERVFAIL result. - [RT #588, #597, #605, #607] - - 648. [port] Add support for pre-RFC2133 IPv6 implementations. - - 647. [bug] Resolver queries sent after following multiple - referrals had excessively long retransmission - timeouts due to incorrectly counting the referrals - as "restarts". - - 646. [bug] The UnixWare ISC_PLATFORM_FIXIN6INADDR fix in isc/net.h - didn't _cleanly_ fix the problem it was trying to fix. - - 645. [port] BSD/OS 3.0 needs pthread_init(). [RT #603] - - 644. [bug] #622 needed more work. [RT #562] - - 643. [bug] xfrin error messages made more verbose, added class - of the zone. [RT# 599] - - 642. [bug] Break the exit_check() race in the zone module. - [RT #598] - - --- 9.1.0b2 released --- - - 641. [bug] $GENERATE caused a uninitialized link to be used. - [RT #595] - - 640. [bug] Memory leak in error path could cause - "mpctx->allocated == 0" failure. [RT #584] - - 639. [bug] Reading entropy from the keyboard would sometimes fail. - [RT #591] - - 638. [port] lib/isc/random.c needed to explicitly include time.h - to get a prototype for time() when pthreads was not - being used. [RT #592] - - 637. [port] Use isc_u?int64_t instead of (unsigned) long long in - lib/isc/print.c. Also allow lib/isc/print.c to - be compiled even if the platform does not need it. - [RT #592] - - 636. [port] Shut up MSVC++ about a possible loss of precision - in the ISC__BUFFER_PUTUINT*() macros. [RT #592] - - 635. [bug] Reloading a server with a configured blackhole list - would cause an assertion. [RT #590] - - 634. 
[bug] A log file will completely stop being written when - it reaches the maximum size in all cases, not just - when versioning is also enabled. [RT #570] - - 633. [port] Cope with rlim_t missing on BSD/OS systems. [RT #575] - - 632. [bug] The index array of the journal file was - corrupted as it was written to disk. - - 631. [port] Build without thread support on systems without - pthreads. - - 630. [bug] Locking failure in zone code. [RT #582] - - 629. [bug] 9.1.0b1 dereferenced a null pointer and crashed - when responding to a UDP IXFR request. - - 628. [bug] If the root hints contained only AAAA addresses, - named would be unable to perform resolution. - - 627. [bug] The EDNS0 blackhole detection code of change 324 - waited for three retransmissions to each server, - which takes much too long when a domain has many - name servers and all of them drop EDNS0 queries. - Now we retry without EDNS0 after three consecutive - timeouts, even if they are all from different - servers. [RT #143] - - 626. [bug] The lightweight resolver daemon no longer crashes - when asked for a SIG rrset. [RT #558] - - 625. [func] Zones now inherit their class from the enclosing view. - - 624. [bug] The zone object could get timer events after it had - been destroyed, causing a server crash. [RT #571] - - 623. [func] Added "named-checkconf" and "named-checkzone" program - for syntax checking named.conf files and zone files, - respectively. - - 622. [bug] A canceled request could be destroyed before - dns_request_destroy() was called. [RT #562] - - 621. [port] Disable IPv6 at runtime if IPv6 sockets are unusable. - This mostly affects Red Hat Linux 7.0, which has - conflicts between libc and the kernel. - - 620. [bug] dns_master_load*inc() now require 'task' and 'load' - to be non-null. Also 'done' will not be called if - dns_master_load*inc() fails immediately. [RT #565] - - 619. [placeholder] - - 618. [bug] Queries to a signed zone could sometimes cause - an assertion failure. - - 617. 
[bug] When using dynamic update to add a new RR to an - existing RRset with a different TTL, the journal - entries generated from the update did not include - explicit deletions and re-additions of the existing - RRs to update their TTL to the new value. - - 616. [func] dnssec-signzone -t output now includes performance - statistics. - - 615. [bug] dnssec-signzone did not like child keysets signed - by multiple keys. - - 614. [bug] Checks for uninitialized link fields were prone - to false positives, causing assertion failures. - The checks are now disabled by default and may - be re-enabled by defining ISC_LIST_CHECKINIT. - - 613. [bug] "rndc reload zone" now reloads primary zones. - It previously only updated slave and stub zones, - if an SOA query indicated an out of date serial. - - 612. [cleanup] Shutup a ridiculously noisy HP-UX compiler that - complains relentlessly about how its treatment - of 'const' has changed as well as how casting - sometimes tightens alignment constraints. - - 611. [func] allow-notify can be used to permit processing of - notify messages from hosts other than a slave's - masters. - - 610. [func] rndc dumpdb is now supported. - - 609. [bug] getrrsetbyname() would crash lwresd if the server - found more SIGs than answers. [RT #554] - - 608. [func] dnssec-signzone now adds a comment to the zone - with the time the file was signed. - - 607. [bug] nsupdate would fail if it encountered a CNAME or - DNAME in a response to an SOA query. [RT #515] - - 606. [bug] Compiling with --disable-threads failed due - to isc_thread_self() being incorrectly defined - as an integer rather than a function. - - 605. [func] New function isc_lex_getlasttokentext(). - - 604. [bug] The named.conf parser could print incorrect line - numbers when long comments were present. - - 603. [bug] Make dig handle multiple types or classes on the same - query more correctly. - - 602. [func] Cope automatically with UnixWare's broken - IN6_IS_ADDR_* macros. [RT #539] - - 601. 
[func] Return a non-zero exit code if an update fails - in nsupdate. - - 600. [bug] Reverse lookups sometimes failed in dig, etc... - - 599. [func] Added four new functions to the libisc log API to - support i18n messages. isc_log_iwrite(), - isc_log_ivwrite(), isc_log_iwrite1() and - isc_log_ivwrite1() were added. - - 598. [bug] An update-policy statement would cause the server - to assert while loading. [RT #536] - - 597. [func] dnssec-signzone is now multi-threaded. - - 596. [bug] DNS_RDATASLAB_FORCE and DNS_RDATASLAB_EXACT are - not mutually exclusive. - - 595. [port] On Linux 2.2, socket() returns EINVAL when it - should return EAFNOSUPPORT. Work around this. - [RT #531] - - 594. [func] sdb drivers are now assumed to not be thread-safe - unless the DNS_SDBFLAG_THREADSAFE flag is supplied. - - 593. [bug] If a secure zone was missing all its NXTs and - a dynamic update was attempted, the server entered - an infinite loop. - - 592. [bug] The sig-validity-interval option now specifies a - number of days, not seconds. This matches the - documentation. [RT #529] - - --- 9.1.0b1 released --- - - 591. [bug] Work around non-reentrancy in openssl by disabling - precomputation in keys. - - 590. [doc] There are now man pages for the lwres library in - doc/man/lwres. - - 589. [bug] The server could deadlock if a zone was updated - while being transferred out. - - 588. [bug] ctx->in_use was not being correctly initialized when - when pushing a file for $INCLUDE. [RT #523] - - 587. [func] A warning is now printed if the "allow-update" - option allows updates based on the source IP - address, to alert users to the fact that this - is insecure and becoming increasingly so as - servers capable of update forwarding are being - deployed. - - 586. [bug] multiple views with the same name were fatal. [RT #516] - - 585. 
[func] dns_db_addrdataset() and and dns_rdataslab_merge() - now support 'exact' additions in a similar manner to - dns_db_subtractrdataset() and dns_rdataslab_subtract(). - - 584. [func] You can now say 'notify explicit'; to suppress - notification of the servers listed in NS records - and notify only those servers listed in the - 'also-notify' option. - - 583. [func] "rndc querylog" will now toggle logging of - queries, like "ndc querylog" in BIND 8. - - 582. [bug] dns_zone_idetach() failed to lock the zone. - [RT #199, #463] - - 581. [bug] log severity was not being correctly processed. - [RT #485] - - 580. [func] Ignore trailing garbage on incoming DNS packets, - for interoperability with broken server - implementations. [RT #491] - - 579. [bug] nsupdate did not take a filename to read update from. - [RT #492] - - 578. [func] New config option "notify-source", to specify the - source address for notify messages. - - 577. [func] Log illegal RDATA combinations. e.g. multiple - singlton types, cname and other data. - - 576. [doc] isc_log_create() description did not match reality. - - 575. [bug] isc_log_create() was not setting internal state - correctly to reflect the default channels created. - - 574. [bug] TSIG signed queries sent by the resolver would fail to - have their responses validated and would leak memory. - - 573. [bug] The journal files of IXFRed slave zones were - inadvertantly discarded on server reload, causing - "journal out of sync with zone" errors on subsequent - reloads. [RT #482] - - 572. [bug] Quoted strings were not accepted as key names in - address match lists. - - 571. [bug] It was possible to create an rdataset of singleton - type which had more than one rdata. [RT #154] - [RT #279] - - 570. [bug] rbtdb.c allowed zones containing nodes which had - both a CNAME and "other data". [RT #154] - - 569. [func] The DNSSEC AD bit will not be set on queries which - have not requested a DNSSEC response. - - 568. 
[func] Add sample simple database drivers in contrib/sdb. - - 567. [bug] Setting the zone transfer timeout to zero caused an - assertion failure. [RT #302] - - 566. [func] New public function dns_timer_setidle(). - - 565. [func] Log queries more like BIND 8: query logging is now - done to category "queries", level "info". [RT #169] - - 564. [func] Add sortlist support to lwresd. - - 563. [func] New public functions dns_rdatatype_format() and - dns_rdataclass_format(), for convenient formatting - of rdata type/class mnemonics in log messages. - - 562. [cleanup] Moved lib/dns/*conf.c to bin/named where they belong. - - 561. [func] The 'datasize', 'stacksize', 'coresize' and 'files' - clauses of the options{} statement are now implemented. - - 560. [bug] dns_name_split did not properly the resulting prefix - when a maximal length bitstring label was split which - was preceded by another bitstring label. [RT #429] - - 559. [bug] dns_name_split did not properly create the suffix - when splitting within a maximal length bitstring label. - - 558. [func] New functions, isc_resource_getlimit and - isc_resource_setlimit. - - 557. [func] Symbolic constants for libisc integral types. - - 556. [func] The DNSSEC OK bit in the EDNS extended flags - is now implemented. Responses to queries without - this bit set will not contain any DNSSEC records. - - 555. [bug] A slave server attempting a zone transfer could - crash with an assertion failure on certain - malformed responses from the master. [RT #457] - - 554. [bug] In some cases, not all of the dnssec tools were - properly installed. - - 553. [bug] Incoming zone transfers deferred due to quota - were not started when quota was increased but - only when a transfer in progress finished. [RT #456] - - 552. [bug] We were not correctly detecting the end of all c-style - comments. [RT #455] - - 551. [func] Implemented the 'sortlist' option. - - 550. [func] Support unknown rdata types and classes. - - 549. 
[bug] "make" did not immediately abort the build when a - subdirectory make failed [RT #450]. - - 548. [func] The lexer now ungets tokens more correctly. - - 547. [placeholder] - - 546. [func] Option 'lame-ttl' is now implemented. - - 545. [func] Name limit and counting options removed from dig; - they didn't work properly, and cannot be correctly - implemented without significant changes. - - 544. [func] Add statistics option, enable statistics-file option, - add RNDC option "dump-statistics" to write out a - query statistics file. - - 543. [doc] The 'port' option is now documented. - - 542. [func] Add support for update forwarding as required for - full compliance with RFC2136. It is turned off - by default and can be enabled using the - 'allow-update-forwarding' option. - - 541. [func] Add bogus server support. - - 540. [func] Add dialup support. - - 539. [func] Support the blackhole option. - - 538. [bug] fix buffer overruns by 1 in lwres_getnameinfo(). - - 537. [placeholder] - - 536. [func] Use transfer-source{-v6} when sending refresh queries. - Transfer-source{-v6} now take a optional port - parameter for setting the UDP source port. The port - parameter is ignored for TCP. - - 535. [func] Use transfer-source{-v6} when forwarding update - requests. - - 534. [func] Ancestors have been removed from RBT chains. Ancestor - information can be discerned via node parent pointers. - - 533. [func] Incorporated name hashing into the RBT database to - improve search speed. - - 532. [func] Implement DNS UPDATE pseudo records using - DNS_RDATA_UPDATE flag. - - 531. [func] Rdata really should be initialized before being assigned - to (dns_rdata_fromwire(), dns_rdata_fromtext(), - dns_rdata_clone(), dns_rdata_fromregion()), - check that it is. - - 530. [func] New function dns_rdata_invalidate(). - - 529. [bug] 521 contained a bug which caused zones to always - reload. [RT #410] - - 528. [func] The ISC_LIST_XXXX macros now perform sanity checks - on their arguments. 
ISC_LIST_XXXXUNSAFE can be use - to skip the checks however use with caution. - - 527. [func] New function dns_rdata_clone(). - - 526. [bug] nsupdate incorrectly refused to add RRs with a TTL - of 0. - - 525. [func] New arguments 'options' for dns_db_subtractrdataset(), - and 'flags' for dns_rdataslab_subtract() allowing you - to request that the RR's must exist prior to deletion. - DNS_R_NOTEXACT is returned if the condition is not met. - - 524. [func] The 'forward' and 'forwarders' statement in - non-forward zones should work now. - - 523. [doc] The source to the Administrator Reference Manual is - now an XML file using the DocBook DTD, and is included - in the distribution. The plain text version of the - ARM is temporarily unavailable while we figure out - how to generate readable plain text from the XML. - - 522. [func] The lightweight resolver daemon can now use - a real configuration file, and its functionality - can be provided by a name server. Also, the -p and -P - options to lwresd have been reversed. - - 521. [bug] Detect master files which contain $INCLUDE and always - reload. [RT #196] - - 520. [bug] Upgraded libtool to 1.3.5, which makes shared - library builds almost work on AIX (and possibly - others). - - 519. [bug] dns_name_split() would improperly split some bitstring - labels, zeroing a few of the least signficant bits in - the prefix part. When such an improperly created - prefix was returned to the RBT database, the bogus - label was dutifully stored, corrupting the tree. - [RT #369] - - 518. [bug] The resolver did not realize that a DNAME which was - "the answer" to the client's query was "the answer", - and such queries would fail. [RT #399] - - 517. [bug] The resolver's DNAME code would trigger an assertion - if there was more than one DNAME in the chain. - [RT #399] - - 516. [bug] Cache lookups which had a NULL node pointer, e.g. 
- those by dns_view_find(), and which would match a - DNAME, would trigger an INSIST(!search.need_cleanup) - assertion. [RT #399] - - 515. [bug] The ssu table was not being attached / detached - by dns_zone_[sg]etssutable. [RT#397] - - 514. [func] Retry refresh and notify queries if they timeout. - [RT #388] - - 513. [func] New functionality added to rdnc and server to allow - individual zones to be refreshed or reloaded. - - 512. [bug] The zone transfer code could throw an execption with - an invalid IXFR stream. - - 511. [bug] The message code could throw an assertion on an - out of memory failure. [RT #392] - - 510. [bug] Remove spurious view notify warning. [RT #376] - - 509. [func] Add support for write of zone files on shutdown. - - 508. [func] dns_message_parse() can now do a best-effort - attempt, which should allow dig to print more invalid - messages. - - 507. [func] New functions dns_zone_flush(), dns_zt_flushanddetach() - and dns_view_flushanddetach(). - - 506. [func] Do not fail to start on errors in zone files. - - 505. [bug] nsupdate was printing "unknown result code". [RT #373] - - 504. [bug] The zone was not being marked as dirty when updated via - IXFR. - - 503. [bug] dumptime was not being set along with - DNS_ZONEFLG_NEEDDUMP. - - 502. [func] On a SERVFAIL reply, DiG will now try the next server - in the list, unless the +fail option is specified. - - 501. [bug] Incorrect port numbers were being displayed by - nslookup. [RT #352] - - 500. [func] Nearly useless +details option removed from DiG. - - 499. [func] In DiG, specifying a class with -c or type with -t - changes command-line parsing so that classes and - types are only recognized if following -c or -t. - This allows hosts with the same name as a class or - type to be looked up. - - 498. [doc] There is now a man page for "dig" - in doc/man/bin/dig.1. - - 497. 
[bug] The error messages printed when an IP match list - contained a network address with a nonzero host - part where not sufficiently detailed. [RT #365] - - 496. [bug] named didn't sanity check numeric parameters. [RT #361] - - 495. [bug] nsupdate was unable to handle large records. [RT #368] - - 494. [func] Do not cache NXDOMAIN responses for SOA queries. - - 493. [func] Return non-cachable (ttl = 0) NXDOMAIN responses - for SOA queries. This makes it easier to locate - the containing zone without polluting intermediate - caches. - - 492. [bug] attempting to reload a zone caused the server fail - to shutdown cleanly. [RT #360] - - 491. [bug] nsupdate would segfault when sending certain - prerequisites with empty RDATA. [RT #356] - - 490. [func] When a slave/stub zone has not yet successfully - obtained an SOA containing the zone's configured - retry time, perform the SOA query retries using - exponential backoff. [RT #337] - - 489. [func] The zone manager now has a "i/o" queue. - - 488. [bug] Locks weren't properly destroyed in some cases. - - 487. [port] flockfile() is not defined on all systems. - - 486. [bug] nslookup: "set all" and "server" commands showed - the incorrect port number if a port other than 53 - was specified. [RT #352] - - 485. [func] When dig had more than one server to query, it would - send all of the messages at the same time. Add - rate limiting of the transmitted messages. - - 484. [bug] When the server was reloaded after removing addresses - from the named.conf "listen-on" statement, sockets - were still listening on the removed addresses due - to reference count loops. [RT #325] - - 483. [bug] nslookup: "set all" showed a "search" option but it - was not settable. - - 482. [bug] nslookup: a plain "server" or "lserver" should be - treated as a lookup. - - 481. [bug] nslookup:get_next_command() stack size could exceed - per thread limit. - - 480. [bug] strtok() is not thread safe. [RT #349] - - 479. 
[func] The test suite can now be run by typing "make check" - or "make test" at the top level. - - 478. [bug] "make install" failed if the directory specified with - --prefix did not already exist. - - 477. [bug] The the isc-config.sh script could be installed before - its directory was created. [RT #324] - - 476. [bug] A zone could expire while a zone transfer was in - progress triggering a INSIST failure. [RT #329] - - 475. [bug] query_getzonedb() sometimes returned a non-null version - on failure. This caused assertion failures when - generating query responses where names subject to - additional section processing pointed to a zone - to which access had been denied by means of the - allow-query option. [RT #336] - - 474. [bug] The mnemonic of the CHAOS class is CH according to - RFC1035, but it was printed and read only as CHAOS. - We now accept both forms as input, and print it - as CH. [RT #305] - - 473. [bug] nsupdate overran the end of the list of name servers - when no servers could be reached, typically causing - it to print the error message "dns_request_create: - not implemented". - - 472. [bug] Off-by-one error caused isc_time_add() to sometimes - produce invalid time values. - - 471. [bug] nsupdate didn't compile on HP/UX 10.20 - - 470. [func] $GENERATE is now supported. See also - doc/misc/migration. - - 469. [bug] "query-source address * port 53;" now works. - - 468. [bug] dns_master_load*() failed to report file and line - number in certain error conditions. - - 467. [bug] dns_master_load*() failed to log an error if - pushfile() failed. - - 466. [bug] dns_master_load*() could return success when it failed. - - 465. [cleanup] Allow 0 to be set as an omapi_value_t value by - omapi_value_storeint(). - - 464. [cleanup] Build with openssl's RSA code instead of dnssafe. - - 463. [bug] nsupdate sent malformed SOA queries to the second - and subsequent name servers in resolv.conf if the - query sent to the first one failed. - - 462. 
[bug] --disable-ipv6 should work now. - - 461. [bug] Specifying an unknown key in the "keys" clause of the - "controls" statement caused a NULL pointer dereference. - [RT #316] - - 460. [bug] Much of the DNSSEC code only worked with class IN. - - 459. [bug] Nslookup processed the "set" command incorrectly. - - 458. [bug] Nslookup didn't properly check class and type values. - [RT #305] - - 457. [bug] Dig/host/hslookup didn't properly handle connect - timeouts in certain situations, causing an - unnecessary warning message to be printed. - - 456. [bug] Stub zones were not resetting the refresh and expire - counters, loadtime or clearing the DNS_ZONE_REFRESH - (refresh in progress) flag upon successful update. - This disabled further refreshing of the stub zone, - causing it to eventually expire. [RT #300] - - 455. [doc] Document IPv4 prefix notation does not require a - dotted decimal quad but may be just dotted decimal. - - 454. [bug] Enforce dotted decimal and dotted decimal quad where - documented as such in named.conf. [RT #304, RT #311] - - 453. [bug] Warn if the obsolete option "maintain-ixfr-base" - is specified in named.conf. [RT #306] - - 452. [bug] Warn if the unimplemented option "statistics-file" - is specified in named.conf. [RT #301] - - 451. [func] Update forwarding implememted. - - 450. [func] New function ns_client_sendraw(). - - 449. [bug] isc_bitstring_copy() only works correctly if the - two bitstrings have the same lsb0 value, but this - requirement was not documented, nor was there a - REQUIRE for it. - - 448. [bug] Host output formatting change, to match v8. [RT #255] - - 447. [bug] Dig didn't properly retry in TCP mode after - a truncated reply. [RT #277] - - 446. [bug] Confusing notify log message. [RT #298] - - 445. [bug] Doing a 0 bit isc_bitstring_copy() of an lsb0 - bitstring triggered a REQUIRE statement. The REQUIRE - statement was incorrect. [RT #297] - - 444. 
[func] "recursion denied" messages are always logged at - debug level 1, now, rather than sometimes at ERROR. - This silences these warnings in the usual case, where - some clients set the RD bit in all queries. - - 443. [bug] When loading a master file failed because of an - unrecognized RR type name, the error message - did not include the file name and line number. - [RT #285] - - 442. [bug] TSIG signed messages that did not match any view - crashed the server. [RT #290] - - 441. [bug] Nodes obscured by a DNAME were inaccessible even - when DNS_DBFIND_GLUEOK was set. - - 440. [func] New function dns_zone_forwardupdate(). - - 439. [func] New function dns_request_createraw(). - - 438. [func] New function dns_message_getrawmessage(). - - 437. [func] Log NOTIFY activity to the notify channel. - - 436. [bug] If recvmsg() returned EHOSTUNREACH or ENETUNREACH, - which sometimes happens on Linux, named would enter - a busy loop. Also, unexpected socket errors were - not logged at a high enough logging level to be - useful in diagnosing this situation. [RT #275] - - 435. [bug] dns_zone_dump() overwrote existing zone files - rather than writing to a temporary file and - renaming. This could lead to empty or partial - zone files being left around in certain error - conditions involving the initial transfer of a - slave zone, interfering with subsequent server - startup. [RT #282] - - 434. [func] New function isc_file_isabsolute(). - - 433. [func] isc_base64_decodestring() now accepts newlines - within the base64 data. This makes it possible - to break up the key data in a "trusted-keys" - statement into multiple lines. [RT #284] - - 432. [func] Added refresh/retry jitter. The actual refresh/ - retry time is now a random value between 75% and - 100% of the configured value. - - 431. [func] Log at ISC_LOG_INFO when a zone is successfully - loaded. - - 430. [bug] Rewrote the lightweight resolver client management - code to handle shutdown correctly and general - cleanup. 
- - 429. [bug] The space reserved for a TSIG record in a response - was 2 bytes too short, leading to message - generation failures. - - 428. [bug] rbtdb.c:find_closest_nxt() erroneously returned - DNS_R_BADDB for nodes which had neither NXT nor SIG NXT - (e.g. glue). This could cause SERVFAILs when - generating negative responses in a secure zone. - - 427. [bug] Avoid going into an infinite loop when the validator - gets a negative response to a key query where the - records are signed by the missing key. - - 426. [bug] Attempting to generate an oversized RSA key could - cause dnssec-keygen to dump core. - - 425. [bug] Warn about the auth-nxdomain default value change - if there is no auth-nxdomain statement in the - config file. [RT #287] - - 424. [bug] notify_createmessage() could trigger an assertion - failure when creating the notify message failed, - e.g. due to corrupt zones with multiple SOA records. - [RT #279] - - 423. [bug] When responding to a recusive query, errors that occur - after following a CNAME should cause the query to fail. - [RT #274] - - 422. [func] get rid of isc_random_t, and make isc_random_get() - and isc_random_jitter() use rand() internally - instead of local state. Note that isc_random_*() - functions are only for weak, non-critical "randomness" - such as timing jitter and such. - - 421. [bug] nslookup would exit when given a blank line as input. - - 420. [bug] nslookup failed to implement the "exit" command. - - 419. [bug] The certificate type PKIX was misspelled as SKIX. - - 418. [bug] At debug levels >= 10, getting an unexpected - socket receive error would crash the server - while trying to log the error message. - - 417. [func] Add isc_app_block() and isc_app_unblock(), which - allow an application to handle signals while - blocking. - - 416. [bug] Slave zones with no master file tried to use a - NULL pointer for a journal file name when they - received an IXFR. [RT #273] - - 415. [bug] The logging code leaked file descriptors. 
- - 414. [bug] Server did not shut down until all incoming zone - transfers were finished. - - 413. [bug] Notify could attempt to use the zone database after - it had been unloaded. [RT#267] - - 412. [bug] named -v didn't print the version. - - 411. [bug] A typo in the HS A code caused an assertion failure. - - 410. [bug] lwres_gethostbyname() and company set lwres_h_errno - to a random value on success. - - 409. [bug] If named was shut down early in the startup - process, ns_omapi_shutdown() would attempt to lock - an unintialized mutex. [RT #262] - - 408. [bug] stub zones could leak memory and reference counts if - all the masters were unreachable. - - 407. [bug] isc_rwlock_lock() would needlessly block - readers when it reached the read quota even - if no writers were waiting. - - 406. [bug] Log messages were occasionally lost or corrupted - due to a race condition in isc_log_doit(). - - 405. [func] Add support for selective forwarding (forward zones) - - 404. [bug] The request library didn't completely work with IPv6. - - 403. [bug] "host" did not use the search list. - - 402. [bug] Treat undefined acls as errors, rather than - warning and then later throwing an assertion. - [RT #252] - - 401. [func] Added simple database API. - - 400. [bug] SIG(0) signing and verifying was done incorrectly. - [RT #249] - - 399. [bug] When reloading the server with a config file - containing a syntax error, it could catch an - assertion failure trying to perform zone - maintenance on, or sending notifies from, - tentatively created zones whose views were - never fully configured and lacked an address - database and request manager. - - 398. [bug] "dig" sometimes caught an assertion failure when - using TSIG, depending on the key length. - - 397. [func] Added utility functions dns_view_gettsig() and - dns_view_getpeertsig(). - - 396. [doc] There is now a man page for "nsupdate" - in doc/man/bin/nsupdate.8. - - 395. 
[bug] nslookup printed incorrect RR type mnemonics - for RRs of type >= 21 [RT #237]. - - 394. [bug] Current name was not propagated via $INCLUDE. - - 393. [func] Initial answer while loading (awl) support. - Entry points: dns_master_loadfileinc(), - dns_master_loadstreaminc(), dns_master_loadbufferinc(). - Note: calls to dns_master_load*inc() should be rate - be rate limited so as to not use up all file - descriptors. - - 392. [func] Add ISC_R_FAMILYNOSUPPORT. Returned when OS does - not support the given address family requested. - - 391. [clarity] ISC_R_FAMILY -> ISC_R_FAMILYMISMATCH. - - 390. [func] The function dns_zone_setdbtype() now takes - an argc/argv style vector of words and sets - both the zone database type and its arguments, - making the functions dns_zone_adddbarg() - and dns_zone_cleardbargs() unnecessary. - - 389. [bug] Attempting to send a reqeust over IPv6 using - dns_request_create() on a system without IPv6 - support caused an assertion failure [RT #235]. - - 388. [func] dig and host can now do reverse ipv6 lookups. - - 387. [func] Add dns_byaddr_createptrname(), which converts - an address into the name used by a PTR query. - - 386. [bug] Missing strdup() of ACL name caused random - ACL matching failures [RT #228]. - - 385. [cleanup] Removed functions dns_zone_equal(), dns_zone_print(), - and dns_zt_print(). - - 384. [bug] nsupdate was incorrectly limiting TTLs to 65535 instead - of 2147483647. - - 383. [func] When writing a master file, print the SOA and NS - records (and their SIGs) before other records. - - 382. [bug] named -u failed on many Linux systems where the - libc provided kernel headers do not match - the current kernel. - - 381. [bug] Check for IPV6_RECVPKTINFO and use it instead of - IPV6_PKTINFO if found. [RT #229] - - 380. [bug] nsupdate didn't work with IPv6. - - 379. [func] New library function isc_sockaddr_anyofpf(). - - 378. 
[func] named and lwresd will log the command line arguments - they were started with in the "starting ..." message. - - 377. [bug] When additional data lookups were refused due to - "allow-query", the databases were still being - attached causing reference leaks. - - 376. [bug] The server should always use good entropy when - performing cryptographic functions needing entropy. - - 375. [bug] Per-zone "allow-query" did not properly override the - view/global one for CNAME targets and additional - data [RT #220]. - - 374. [bug] SOA in authoritative negative responses had wrong TTL. - - 373. [func] nslookup is now installed by "make install". - - 372. [bug] Deal with Microsoft DNS servers appending two bytes of - garbage to zone transfer requests. - - 371. [bug] At high debug levels, doing an outgoing zone transfer - of a very large RRset could cause an assertion failure - during logging. - - 370. [bug] The error messages for rollforward failures were - overly terse. - - 369. [func] Support new named.conf options, view and zone - statements: - - max-retry-time, min-retry-time, - max-refresh-time, min-refresh-time. - - 368. [func] Restructure the internal ".bind" view so that more - zones can be added to it. - - 367. [bug] Allow proper selection of server on nslookup command - line. - - 366. [func] Allow use of '-' batch file in dig for stdin. - - 365. [bug] nsupdate -k leaked memory. - - 364. [func] Added additional-from-{cache,auth} - - 363. [placeholder] - - 362. [bug] rndc no longer aborts if the configuration file is - missing an options statement. [RT #209] - - 361. [func] When the RBT find or chain functions set the name and - origin for a node that stores the root label - the name is now set to an empty name, instead of ".", - to simplify later use of the name and origin by - dns_name_concatenate(), dns_name_totext() or - dns_name_format(). - - 360. [func] dns_name_totext() and dns_name_format() now allow - an empty name to be passed, which is formatted as "@". 
- - 359. [bug] dnssec-signzone occasionally signed glue records. - - 358. [cleanup] Rename the intermediate files used by the dnssec - programs. - - 357. [bug] The zone file parser crashed if the argument - to $INCLUDE was a quoted string. - - 356. [cleanup] isc_task_send no longer requires event->sender to - be non-null. - - 355. [func] Added isc_dir_createunique(), similar to mkdtemp(). - - 354. [doc] Man pages for the dnssec tools are now included in - the distribution, in doc/man/dnssec. - - 353. [bug] double increment in lwres/gethost.c:copytobuf(). - [RT# 187] - - 352. [bug] Race condition in dns_client_t startup could cause - an assertion failure. - - 351. [bug] Constructing a response with rcode SERVFAIL to a TSIG - signed query could crash the server. - - 350. [bug] Also-notify lists specified in the global options - block were not correctly reference counted, causing - a memory leak. - - 349. [bug] Processing a query with the CD bit set now works - as expected. - - 348. [func] New boolean named.conf options 'additional-from-auth' - and 'additional-from-cache' now supported in view and - global options statement. - - 347. [bug] Don't crash if an argument is left off options in dig. - - 346. [placeholder] - - 345. [bug] Large-scale changes/cleanups to dig: - * Significantly improve structure handling - * Don't pre-load entire batch files - * Add name/rr counting/limiting - * Fix SIGINT handling - * Shorten timeouts to match v8's behavior - - 344. [bug] When shutting down, lwresd sometimes tried - to shut down its client tasks twice, - triggering an assertion. - - 343. [bug] Although zone maintenance SOA queries and - notify requests were signed with TSIG keys - when configured for the server in case, - the TSIG was not verified on the response. - - 342. [bug] The wrong name was being passed to - dns_name_dup() when generating a TSIG - key using TKEY. - - 341. 
[func] Support 'key' clause in named.conf zone masters - statement to allow authentication via TSIG keys: - - masters { - 10.0.0.1 port 5353 key "foo"; - 10.0.0.2 ; - }; - - 340. [bug] The top-level COPYRIGHT file was missing from - the distribution. - - 339. [bug] DNSSEC validation of the response to an ANY - query at a name with a CNAME RR in a secure - zone triggered an assertion failure. - - 338. [bug] lwresd logged to syslog as named, not lwresd. - - 337. [bug] "dig" did not recognize "nsap-ptr" as an RR type - on the command line. - - 336. [bug] "dig -f" used 64 k of memory for each line in - the file. It now uses much less, though still - proportionally to the file size. - - 335. [bug] named would occasionally attempt recursion when - it was disallowed or undesired. - - 334. [func] Added hmac-md5 to libisc. - - 333. [bug] The resolver incorrectly accepted referrals to - domains that were not parents of the query name, - causing assertion failures. - - 332. [func] New function dns_name_reset(). - - 331. [bug] Only log "recursion denied" if RD is set. [RT #178] - - 330. [bug] Many debugging messages were partially formatted - even when debugging was turned off, causing a - significant decrease in query performance. - - 329. [func] omapi_auth_register() now takes a size_t argument for - the length of a key's secret data. Previously - OMAPI only stored secrets up to the first NUL byte. - - 328. [func] Added isc_base64_decodestring(). - - 327. [bug] rndc.conf parser wasn't correctly recognising an IP - address where a host specification was required. - - 326. [func] 'keys' in an 'inet' control statement is now - required and must have at least one item in it. - A "not supported" warning is now issued if a 'unix' - control channel is defined. - - 325. [bug] isc_lex_gettoken was processing octal strings when - ISC_LEXOPT_CNUMBER was not set. - - 324. [func] In the resolver, turn EDNS0 off if there is no - response after a number of retransmissions. 
- This is to allow queries some chance of succeeding - even if all the authoritative servers of a zone - silently discard EDNS0 requests instead of - sending an error response like they ought to. - - 323. [bug] dns_rbt_findname() did not ignore empty rbt nodes. - Because of this, servers authoritative for a parent - and grandchild zone but not authoritative for the - intervening child zone did not correctly issue - referrals to the servers of the child zone. - - 322. [bug] Queries for KEY RRs are now sent to the parent - server before the authoritative one, making - DNSSEC insecurity proofs work in many cases - where they previously didn't. - - 321. [bug] When synthesizing a CNAME RR for a DNAME - response, query_addcname() failed to intitialize - the type and class of the CNAME dns_rdata_t, - causing random failures. - - 320. [func] Multiple rndc changes: parses an rndc.conf file, - uses authentication to talk to named, command - line syntax changed. This will all be described - in the ARM. - - 319. [func] The named.conf "controls" statement is now used - to configure the OMAPI command channel. - - 318. [func] dns_c_ndcctx_destroy() could never return anything - except ISC_R_SUCCESS; made it have void return instead. - - 317. [func] Use callbacks from libomapi to determine if a - new connection is valid, and if a key requested - to be used with that connection is valid. - - 316. [bug] Generate a warning if we detect an unexpected <eof> - but treat as <eol><eof>. - - 315. [bug] Handle non-empty blanks lines. [RT #163] - - 314. [func] The named.conf controls statement can now have - more than one key specified for the inet clause. - - 313. [bug] When parsing resolv.conf, don't terminate on an - error. Instead, parse as much as possible, but - still return an error if one was found. - - 312. [bug] Increase the number of allowed elements in the - resolv.conf search path from 6 to 8. 
If there - are more than this, ignore the remainder rather - than returning a failure in lwres_conf_parse. - - 311. [bug] lwres_conf_parse failed when the first line of - resolv.conf was empty or a comment. - - 310. [func] Changes to named.conf "controls" statement (inet - subtype only) - - - support "keys" clause - - controls { - inet * port 1024 - allow { any; } keys { "foo"; } - } - - - allow "port xxx" to be left out of statement, - in which case it defaults to omapi's default port - of 953. - - 309. [bug] When sending a referral, the server did not look - for name server addresses as glue in the zone - holding the NS RRset in the case where this zone - was not the same as the one where it looked for - name server addresses as authoritative data. - - 308. [bug] Treat a SOA record not at top of zone as an error - when loading a zone. [RT #154] - - 307. [bug] When canceling a query, the resolver didn't check for - isc_socket_sendto() calls that did not yet have their - completion events posted, so it could (rarely) end up - destroying the query context and then want to use - it again when the send event posted, triggering an - assertion as it tried to cancel an already-canceled - query. [RT #77] - - 306. [bug] Reading HMAC-MD5 private key files didn't work. - - 305. [bug] When reloading the server with a config file - containing a syntax error, it could catch an - assertion failure trying to perform zone - maintenance on tentatively created zones whose - views were never fully configured and lacked - an address database. - - 304. [bug] If more than LWRES_CONFMAXNAMESERVERS servers - are listed in resolv.conf, silently ignore them - instead of returning failure. - - 303. [bug] Add additional sanity checks to differentiate a AXFR - response vs a IXFR response. [RT #157] - - 302. [bug] In dig, host, and nslookup, MXNAME should be large - enough to hold any legal domain name in presentation - format + terminating NULL. - - 301. 
[bug] Uninitialized pointer in host:printmessage(). [RT #159] - - 300. [bug] Using both <isc/net.h> and <lwres/net.h> didn't work - on platforms lacking IPv6 because each included their - own ipv6 header file for the missing definitions. Now - each library's ipv6.h defines the wrapper symbol of - the other (ISC_IPV6_H and LWRES_IPV6_H). - - 299. [cleanup] Get the user and group information before changing the - root directory, so the administrator does not need to - keep a copy of the user and group databases in the - chroot'ed environment. Suggested by Hakan Olsson. - - 298. [bug] A mutex deadlock occurred during shutdown of the - interface manager under certain conditions. - Digital Unix systems were the most affected. - - 297. [bug] Specifying a key name that wasn't fully qualified - in certain parts of the config file could cause - an assertion failure. - - 296. [bug] "make install" from a separate build directory - failed unless configure had been run in the source - directory, too. - - 295. [bug] When invoked with type==CNAME and a message - not constructed by dns_message_parse(), - dns_message_findname() failed to find anything - due to checking for attribute bits that are set - only in dns_message_parse(). This caused an - infinite loop when constructing the response to - an ANY query at a CNAME in a secure zone. - - 294. [bug] If we run out of space in while processing glue - when reading a master file and commit "current name" - reverts to "name_current" instead of staying as - "name_glue". - - 293. [port] Add support for FreeBSD 4.0 system tests. - - 292. [bug] Due to problems with the way some operating systems - handle simultaneous listening on IPv4 and IPv6 - addresses, the server no longer listens on IPv6 - addresses by default. To revert to the previous - behavior, specify "listen-on-v6 { any; };" in - the config file. - - 291. 
[func] Caching servers no longer send outgoing queries - over TCP just because the incoming recursive query - was a TCP one. - - 290. [cleanup] +twiddle option to dig (for testing only) removed. - - 289. [cleanup] dig is now installed in $bindir instead of $sbindir. - host is now installed in $bindir. (Be sure to remove - any $sbindir/dig from a previous release.) - - 288. [func] rndc is now installed by "make install" into $sbindir. - - 287. [bug] rndc now works again as "rndc 127.1 reload" (for - only that task). Parsing its configuration file and - using digital signatures for authentication has been - disabled until named supports the "controls" statement, - post-9.0.0. - - 286. [bug] On Solaris 2, when named inherited a signal state - where SIGHUP had the SIG_IGN action, SIGHUP would - be ignored rather than causing the server to reload - its configuration. - - 285. [bug] A change made to the dst API for beta4 inadvertently - broke OMAPI's creation of a dst key from an incoming - message, causing an assertion to be triggered. Fixed. - - 284. [func] The DNSSEC key generation and signing tools now - generate randomness from keyboard input on systems - that lack /dev/random. - - 283. [cleanup] The 'lwresd' program is now a link to 'named'. - - 282. [bug] The lexer now returns ISC_R_RANGE if parsed integer is - too big for an unsigned long. - - 281. [bug] Fixed list of recognized config file category names. - - 280. [func] Add isc-config.sh, which can be used to more - easily build applications that link with - our libraries. - - 279. [bug] Private omapi function symbols shared between - two or more files in libomapi.a were not namespace - protected using the ISC convention of starting with - the library name and two underscores ("omapi__"...) - - 278. 
[bug] bin/named/logconf.c:category_fromconf() didn't take - note of when isc_log_categorybyname() wasn't able - to find the category name and would then apply the - channel list of the unknown category to all categories. - - 277. [bug] isc_log_categorybyname() and isc_log_modulebyname() - would fail to find the first member of any category - or module array apart from the internal defaults. - Thus, for example, the "notify" category was improperly - configured by named. - - 276. [bug] dig now supports maximum sized TCP messages. - - 275. [bug] The definition of lwres_gai_strerror() was missing - the lwres_ prefix. - - 274. [bug] TSIG AXFR verify failed when talking to a BIND 8 - server. - - 273. [func] The default for the 'transfer-format' option is - now 'many-answers'. This will break zone transfers - to BIND 4.9.5 and older unless there is an explicit - 'one-answer' configuration. - - 272. [bug] The sending of large TCP responses was canceled - in mid-transmission due to a race condition - caused by the failure to set the client object's - "newstate" variable correctly when transitioning - to the "working" state. - - 271. [func] Attempt to probe the number of cpus in named - if unspecified rather than defaulting to 1. - - 270. [func] Allow maximum sized TCP answers. - - 269. [bug] Failed DNSSEC validations could cause an assertion - failure by causing clone_results() to be called with - with hevent->node == NULL. - - 268. [doc] A plain text version of the Administrator - Reference Manual is now included in the distribution, - as doc/arm/Bv9ARM.txt. - - 267. [func] Nsupdate is now provided in the distribution. - - 266. [bug] zone.c:save_nsrrset() node was not initialized. - - 265. [bug] dns_request_create() now works for TCP. - - 264. [func] Dispatch can not take TCP sockets in connecting - state. Set DNS_DISPATCHATTR_CONNECTED when calling - dns_dispatch_createtcp() for connected TCP sockets - or call dns_dispatch_starttcp() when the socket is - connected. 
- - 263. [func] New logging channel type 'stderr' - - channel some-name { - stderr; - severity error; - } - - 262. [bug] 'master' was not initialized in zone.c:stub_callback(). - - 261. [func] Add dns_zone_markdirty(). - - 260. [bug] Running named as a non-root user failed on Linux - kernels new enough to support retaining capabilities - after setuid(). - - 259. [func] New random-device and random-seed-file statements - for global options block of named.conf. Both accept - a single string argument. - - 258. [bug] Fixed printing of lwres_addr_t.address field. - - 257. [bug] The server detached the last zone manager reference - too early, while it could still be in use by queries. - This manifested itself as assertion failures during the - shutdown process for busy name servers. [RT #133] - - 256. [func] isc_ratelimiter_t now has attach/detach semantics, and - isc_ratelimiter_shutdown guarantees that the rate - limiter is detached from its task. - - 255. [func] New function dns_zonemgr_attach(). - - 254. [bug] Suppress "query denied" messages on additional data - lookups. - - --- 9.0.0b4 released --- - - 253. [func] resolv.conf parser now recognises ';' and '#' as - comments (anywhere in line, not just as the beginning). - - 252. [bug] resolv.conf parser mishandled masks on sortlists. - It also aborted when an unrecognized keyword was seen, - now it silently ignores the entire line. - - 251. [bug] lwresd caught an assertion failure on startup. - - 250. [bug] fixed handling of size+unit when value would be too - large for internal representation. - - 249. [cleanup] max-cache-size config option now takes a size-spec - like 'datasize', except 'default' is not allowed. - - 248. [bug] global lame-ttl option was not being printed when - config structures were written out. - - 247. [cleanup] Rename cache-size config option to max-cache-size. - - 246. [func] Rename global option cachesize to cache-size and - add corresponding option to view statement. - - 245. 
[bug] If an uncompressed name will take more than 255 - bytes and the buffer is sufficiently long, - dns_name_fromwire should return DNS_R_FORMERR, - not ISC_R_NOSPACE. This bug caused cause the - server to catch an assertion failure when it - received a query for a name longer than 255 - bytes. - - 244. [bug] empty named.conf file and empty options statement are - now parsed properly. - - 243. [func] new cachesize option for named.conf - - 242. [cleanup] fixed incorrect warning about auth-nxdomain usage. - - 241. [cleanup] nscount and soacount have been removed from the - dns_master_*() argument lists. - - 240. [func] databases now come in three flavours: zone, cache - and stub. - - 239. [func] If ISC_MEM_DEBUG is enabled, the variable - isc_mem_debugging controls whether messages - are printed or not. - - 238. [cleanup] A few more compilation warnings have been quieted: - + missing sigwait prototype on BSD/OS 4.0/4.0.1. - + PTHREAD_ONCE_INIT unbraced initializer warnings on - Solaris 2.8. - + IN6ADDR_ANY_INIT unbraced initializer warnings on - BSD/OS 4.*, Linux and Solaris 2.8. - - 237. [bug] If connect() returned ENOBUFS when the resolver was - initiating a TCP query, the socket didn't get - destroyed, and the server did not shut down cleanly. - - 236. [func] Added new listen-on-v6 config file statement. - - 235. [func] Consider it a config file error if a listen-on - statement has an IPv6 address in it, or a - listen-on-v6 statement has an IPv4 address in it. - - 234. [bug] Allow a trusted-key's first field (domain-name) be - either a quoted or an unquoted string, instead of - requiring a quoted string. - - 233. [cleanup] Convert all config structure integer values to unsigned - integer (isc_uint32_t) to match grammer. - - 232. [bug] Allow slave zones to not have a file. - - 231. [func] Support new 'port' clause in config file options - section. Causes 'listen-on', 'masters' and - 'also-notify' statements to use its value instead of - default (53). - - 230. 
[func] Replace the dst sign/verify API with a cleaner one. - - 229. [func] Support config file sig-validity-interval statement - in options, views and zone statements (master - zones only). - - 228. [cleanup] Logging messages in config module stripped of - trailing period. - - 227. [cleanup] The enumerated identifiers dns_rdataclass_*, - dns_rcode_*, dns_opcode_*, and dns_trust_* are - also now cast to their appropriate types, as with - dns_rdatatype_* in item number 225 below. - - 226. [func] dns_name_totext() now always prints the root name as - '.', even when omit_final_dot is true. - - 225. [cleanup] The enumerated dns_rdatatype_* identifiers are now - cast to dns_rdatatype_t via macros of their same name - so that they are of the proper integral type wherever - a dns_rdatatype_t is needed. - - 224. [cleanup] The entire project builds cleanly with gcc's - -Wcast-qual and -Wwrite-strings warnings enabled, - which is now the default when using gcc. (Warnings - from confparser.c, because of yacc's code, are - unfortunately to be expected.) - - 223. [func] Several functions were reprototyped to qualify one - or more of their arguments with "const". Similarly, - several functions that return pointers now have - those pointers qualified with const. - - 222. [bug] The global 'also-notify' option was ignored. - - 221. [bug] An uninitialized variable was sometimes passed to - dns_rdata_freestruct() when loading a zone, causing - an assertion failure. - - 220. [cleanup] Set the default outgoing port in the view, and - set it in sockaddrs returned from the ADB. - [31-May-2000 explorer] - - 219. [bug] Signed truncated messages more correctly follow - the respective specs. - - 218. [func] When an rdataset is signed, its ttl is normalized - based on the signature validity period. - - 217. [func] Also-notify and trusted-keys can now be used in - the 'view' statement. - - 216. [func] The 'max-cache-ttl' and 'max-ncache-ttl' options - now work. - - 215. 
[bug] Failures at certain points in request processing - could cause the assertion INSIST(client->lockview - == NULL) to be triggered. - - 214. [func] New public function isc_netaddr_format(), for - formatting network addresses in log messages. - - 213. [bug] Don't leak memory when reloading the zone if - an update-policy clause was present in the old zone. - - 212. [func] Added dns_message_get/settsigkey, to make TSIG - key management reasonable. - - 211. [func] The 'key' and 'server' statements can now occur - inside 'view' statements. - - 210. [bug] The 'allow-transfer' option was ignored for slave - zones, and the 'transfers-per-ns' option was - was ignored for all zones. - - 209. [cleanup] Upgraded openssl files to new version 0.9.5a - - 208. [func] Added ISC_OFFSET_MAXIMUM for the maximum value - of an isc_offset_t. - - 207. [func] The dnssec tools properly use the logging subsystem. - - 206. [cleanup] dst now stores the key name as a dns_name_t, not - a char *. - - 205. [cleanup] On IRIX, turn off the mostly harmless warnings 1692 - ("prototyped function redeclared without prototype") - and 1552 ("variable ... set but not used") when - compiling in the lib/dns/sec/{dnssafe,openssl} - directories, which contain code imported from outside - sources. - - 204. [cleanup] On HP/UX, pass +vnocompatwarnings to the linker - to quiet the warnings that "The linked output may not - run on a PA 1.x system." - - 203. [func] notify and zone soa queries are now tsig signed when - appropriate. - - 202. [func] isc_lex_getsourceline() changed from returning int - to returning unsigned long, the type of its underlying - counter. - - 201. [cleanup] Removed the test/sdig program, it has been - replaced by bin/dig/dig. - - --- 9.0.0b3 released --- - - 200. [bug] Failures in sending query responses to clients - (e.g., running out of network buffers) were - not logged. - - 199. 
[bug] isc_heap_delete() sometimes violated the heap - invariant, causing timer events not to be posted - when due. - - 198. [func] Dispatch managers hold memory pools which - any managed dispatcher may use. This allows - us to avoid dipping into the memory context for - most allocations. [19-May-2000 explorer] - - 197. [bug] When an incoming AXFR or IXFR completes, the - zone's internal state is refreshed from the - SOA data. [19-May-2000 explorer] - - 196. [func] Dispatchers can be shared easily between views - and/or interfaces. [19-May-2000 explorer] - - 195. [bug] Including the NXT record of the root domain - in a negative response caused an assertion - failure. - - 194. [doc] The PDF version of the Administrator's Reference - Manual is no longer included in the ISC BIND9 - distribution. - - 193. [func] changed dst_key_free() prototype. - - 192. [bug] Zone configuration validation is now done at end - of config file parsing, and before loading - callbacks. - - 191. [func] Patched to compile on UnixWare 7.x. This platform - is not directly supported by the ISC. - - 190. [cleanup] The DNSSEC tools have been moved to a separate - directory dnssec/ and given the following new, - more descriptive names: - - dnssec-keygen - dnssec-signzone - dnssec-signkey - dnssec-makekeyset - - Their command line arguments have also been changed to - be more consistent. dnssec-keygen now prints the - name of the generated key files (sans extension) - on standard output to simplify its use in automated - scripts. - - 189. [func] isc_time_secondsastimet(), a new function, will ensure - that the number of seconds in an isc_time_t does not - exceed the range of a time_t, or return ISC_R_RANGE. - Similarly, isc_time_now(), isc_time_nowplusinterval(), - isc_time_add() and isc_time_subtract() now check the - range for overflow/underflow. 
In the case of - isc_time_subtract, this changed a calling requirement - (ie, something that could generate an assertion) - into merely a condition that returns an error result. - isc_time_add() and isc_time_subtract() were void- - valued before but now return isc_result_t. - - 188. [func] Log a warning message when an incoming zone transfer - contains out-of-zone data. - - 187. [func] isc_ratelimter_enqueue() has an additional argument - 'task'. - - 186. [func] dns_request_getresponse() has an additional argument - 'preserve_order'. - - 185. [bug] Fixed up handling of ISC_MEMCLUSTER_LEGACY. Several - public functions did not have an isc__ prefix, and - referred to functions that had previously been - renamed. - - 184. [cleanup] Variables/functions which began with two leading - underscores were made to conform to the ANSI/ISO - standard, which says that such names are reserved. - - 183. [func] ISC_LOG_PRINTTAG option for log channels. Useful - for logging the program name or other identifier. - - 182. [cleanup] New commandline parameters for dnssec tools - - 181. [func] Added dst_key_buildfilename and dst_key_parsefilename - - 180. [func] New isc_result_t ISC_R_RANGE. Supersedes DNS_R_RANGE. - - 179. [func] options named.conf statement *must* now come - before any zone or view statements. - - 178. [func] Post-load of named.conf check verifies a slave zone - has non-empty list of masters defined. - - 177. [func] New per-zone boolean: - - enable-zone yes | no ; - - intended to let a zone be disabled without having - to comment out the entire zone statement. - - 176. [func] New global and per-view option: - - max-cache-ttl number - - 175. [func] New global and per-view option: - - additional-data internal | minimal | maximal; - - 174. [func] New public function isc_sockaddr_format(), for - formatting socket addresses in log messages. - - 173. 
[func] Keep a queue of zones waiting for zone transfer - quota so that a new transfer can be dispatched - immediately whenever quota becomes available. - - 172. [bug] $TTL directive was sometimes missing from dumped - master files because totext_ctx_init() failed to - initialize ctx->current_ttl_valid. - - 171. [cleanup] On NetBSD systems, the mit-pthreads or - unproven-pthreads library is now always used - unless --with-ptl2 is explicitly specified on - the configure command line. The - --with-mit-pthreads option is no longer needed - and has been removed. - - 170. [cleanup] Remove inter server consistancy checks from zone, - these should return as a separate module in 9.1. - dns_zone_checkservers(), dns_zone_checkparents(), - dns_zone_checkchildren(), dns_zone_checkglue(). - - Remove dns_zone_setadb(), dns_zone_setresolver(), - dns_zone_setrequestmgr() these should now be found - via the view. - - 169. [func] ratelimiter can now process N events per interval. - - 168. [bug] include statements in named.conf caused syntax errors - due to not consuming the semicolon ending the include - statement before switching input streams. - - 167. [bug] Make lack of masters for a slave zone a soft error. - - 166. [bug] Keygen was overwriting existing keys if key_id - conflicted, now it will retry, and non-null keys - with key_id == 0 are not generated anymore. Key - was not able to generate NOAUTHCONF DSA key, - increased RSA key size to 2048 bits. - - 165. [cleanup] Silence "end-of-loop condition not reached" warnings - from Solaris compiler. - - 164. [func] Added functions isc_stdio_open(), isc_stdio_close(), - isc_stdio_seek(), isc_stdio_read(), isc_stdio_write(), - isc_stdio_flush(), isc_stdio_sync(), isc_file_remove() - to encapsulate nonportable usage of errno and sync. - - 163. [func] Added result codes ISC_R_FILENOTFOUND and - ISC_R_FILEEXISTS. - - 162. [bug] Ensure proper range for arguments to ctype.h functions. - - 161. 
[cleanup] error in yyparse prototype that only HPUX caught. - - 160. [cleanup] getnet*() are not going to be implemented at this - stage. - - 159. [func] Redefinition of config file elements is now an - error (instead of a warning). - - 158. [bug] Log channel and category list copy routines - weren't assigning properly to output parameter. - - 157. [port] Fix missing prototype for getopt(). - - 156. [func] Support new 'database' statement in zone. - - database "quoted-string"; - - 155. [bug] ns_notify_start() was not detaching the found zone. - - 154. [func] The signer now logs libdns warnings to stderr even when - not verbose, and in a nicer format. - - 153. [func] dns_rdata_tostruct() 'mctx' is now optional. If 'mctx' - is NULL then you need to preserve the 'rdata' until - you have finished using the structure as there may be - references to the associated memory. If 'mctx' is - non-NULL it is guaranteed that there are no references - to memory associated with 'rdata'. - - dns_rdata_freestruct() must be called if 'mctx' was - non-NULL and may safely be called if 'mctx' was NULL. - - 152. [bug] keygen dumped core if domain name argument was omitted - from command line. - - 151. [func] Support 'disabled' statement in zone config (causes - zone to be parsed and then ignored). Currently must - come after the 'type' clause. - - 150. [func] Support optional ports in masters and also-notify - statements: - - masters [ port xxx ] { y.y.y.y [ port zzz ] ; } - - 149. [cleanup] Removed usused argument 'olist' from - dns_c_view_unsetordering(). - - 148. [cleanup] Stop issuing some warnings about some configuration - file statements that were not implemented, but now are. - - 147. [bug] Changed yacc union size to be smaller for yaccs that - put yacc-stack on the real stack. - - 146. [cleanup] More general redundant header file cleanup. 
Rather - than continuing to itemize every header which changed, - this changelog entry just notes that if a header file - did not need another header file that it was including - in order to provide its advertized functionality, the - inclusion of the other header file was removed. See - util/check-includes for how this was tested. - - 145. [cleanup] Added <isc/lang.h> and ISC_LANG_BEGINDECLS/ - ISC_LANG_ENDDECLS to header files that had function - prototypes, and removed it from those that did not. - - 144. [cleanup] libdns header files too numerous to name were made - to conform to the same style for multiple inclusion - protection. - - 143. [func] Added function dns_rdatatype_isknown(). - - 142. [cleanup] <isc/stdtime.h> does not need <time.h> or - <isc/result.h>. - - 141. [bug] Corrupt requests with multiple questions could - cause an assertion failure. - - 140. [cleanup] <isc/time.h> does not need <time.h> or <isc/result.h>. - - 139. [cleanup] <isc/net.h> now includes <isc/types.h> instead of - <isc/int.h> and <isc/result.h>. - - 138. [cleanup] isc_strtouq moved from str.[ch] to string.[ch] and - renamed isc_string_touint64. isc_strsep moved from - strsep.c to string.c and renamed isc_string_separate. - - 137. [cleanup] <isc/commandline.h>, <isc/mem.h>, <isc/print.h> - <isc/serial.h>, <isc/string.h> and <isc/offset.h> - made to conform to the same style for multiple - inclusion protection. - - 136. [cleanup] <isc/commandline.h>, <isc/interfaceiter.h>, - <isc/net.h> and Win32's <isc/thread.h> needed - ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS. - - 135. [cleanup] Win32's <isc/condition.h> did not need <isc/result.h> - or <isc/boolean.h>, now uses <isc/types.h> in place - of <isc/time.h>, and needed ISC_LANG_BEGINDECLS - and ISC_LANG_ENDDECLS. - - 134. [cleanup] <isc/dir.h> does not need <limits.h>. - - 133. [cleanup] <isc/ipv6.h> needs <isc/platform.h>. - - 132. [cleanup] <isc/app.h> does not need <isc/task.h>, but does - need <isc/eventclass.h>. - - 131. 
[cleanup] <isc/mutex.h> and <isc/util.h> need <isc/result.h> - for ISC_R_* codes used in macros. - - 130. [cleanup] <isc/condition.h> does not need <pthread.h> or - <isc/boolean.h>, and now includes <isc/types.h> - instead of <isc/time.h>. - - 129. [bug] The 'default_debug' log channel was not set up when - 'category default' was present in the config file - - 128. [cleanup] <isc/dir.h> had ISC_LANG_BEGINDECLS instead of - ISC_LANG_ENDDECLS at end of header. - - 127. [cleanup] The contracts for the comparision routines - dns_name_fullcompare(), dns_name_compare(), - dns_name_rdatacompare(), and dns_rdata_compare() now - specify that the order value returned is < 0, 0, or > 0 - instead of -1, 0, or 1. - - 126. [cleanup] <isc/quota.h> and <isc/taskpool.h> need <isc/lang.h>. - - 125. [cleanup] <isc/eventclass.h>, <isc/ipv6.h>, <isc/magic.h>, - <isc/mutex.h>, <isc/once.h>, <isc/region.h>, and - <isc/resultclass.h> do not need <isc/lang.h>. - - 124. [func] signer now imports parent's zone key signature - and creates null keys/sets zone status bit for - children when necessary - - 123. [cleanup] <isc/event.h> does not need <stddef.h>. - - 122. [cleanup] <isc/task.h> does not need <isc/mem.h> or - <isc/result.h>. - - 121. [cleanup] <isc/symtab.h> does not need <isc/mem.h> or - <isc/result.h>. Multiple inclusion protection - symbol fixed from ISC_SYMBOL_H to ISC_SYMTAB_H. - isc_symtab_t moved to <isc/types.h>. - - 120. [cleanup] <isc/socket.h> does not need <isc/boolean.h>, - <isc/bufferlist.h>, <isc/task.h>, <isc/mem.h> or - <isc/net.h>. - - 119. [cleanup] structure definitions for generic rdata structures do - not have _generic_ in their names. - - 118. [cleanup] libdns.a is now namespace-clean, on NetBSD, excepting - YACC crust (yyparse, etc) [2000-apr-27 explorer] - - 117. [cleanup] libdns.a changes: - dns_zone_clearnotify() and dns_zone_addnotify() - are replaced by dns_zone_setnotifyalso(). 
- dns_zone_clearmasters() and dns_zone_addmaster() - are replaced by dns_zone_setmasters(). - - 116. [func] Added <isc/offset.h> for isc_offset_t (aka off_t - on Unix systems). - - 115. [port] Shut up the -Wmissing-declarations warning about - <stdio.h>'s __sputaux on BSD/OS pre-4.1. - - 114. [cleanup] <isc/sockaddr.h> does not need <isc/buffer.h> or - <isc/list.h>. - - 113. [func] Utility programs dig and host added. - - 112. [cleanup] <isc/serial.h> does not need <isc/boolean.h>. - - 111. [cleanup] <isc/rwlock.h> does not need <isc/result.h> or - <isc/mutex.h>. - - 110. [cleanup] <isc/result.h> does not need <isc/boolean.h> or - <isc/list.h>. - - 109. [bug] "make depend" did nothing for - bin/tests/{db,mem,sockaddr,tasks,timers}/. - - 108. [cleanup] DNS_SETBIT/DNS_GETBIT/DNS_CLEARBIT moved from - <dns/types.h> to <dns/bit.h> and renamed to - DNS_BIT_SET/DNS_BIT_GET/DNS_BIT_CLEAR. - - 107. [func] Add keysigner and keysettool. - - 106. [func] Allow dnssec verifications to ignore the validity - period. Used by several of the dnssec tools. - - 105. [doc] doc/dev/coding.html expanded with other - implicit conventions the developers have used. - - 104. [bug] Made compress_add and compress_find static to - lib/dns/compress.c. - - 103. 
[func] libisc buffer API changes for <isc/buffer.h>: - Added: - isc_buffer_base(b) (pointer) - isc_buffer_current(b) (pointer) - isc_buffer_active(b) (pointer) - isc_buffer_used(b) (pointer) - isc_buffer_length(b) (int) - isc_buffer_usedlength(b) (int) - isc_buffer_consumedlength(b) (int) - isc_buffer_remaininglength(b) (int) - isc_buffer_activelength(b) (int) - isc_buffer_availablelength(b) (int) - Removed: - ISC_BUFFER_USEDCOUNT(b) - ISC_BUFFER_AVAILABLECOUNT(b) - isc_buffer_type(b) - Changed names: - isc_buffer_used(b, r) -> - isc_buffer_usedregion(b, r) - isc_buffer_available(b, r) -> - isc_buffer_available_region(b, r) - isc_buffer_consumed(b, r) -> - isc_buffer_consumedregion(b, r) - isc_buffer_active(b, r) -> - isc_buffer_activeregion(b, r) - isc_buffer_remaining(b, r) -> - isc_buffer_remainingregion(b, r) - - Buffer types were removed, so the ISC_BUFFERTYPE_* - macros are no more, and the type argument to - isc_buffer_init and isc_buffer_allocate were removed. - isc_buffer_putstr is now void (instead of isc_result_t) - and requires that the caller ensure that there - is enough available buffer space for the string. - - 102. [port] Correctly detect inet_aton, inet_pton and inet_ptop - on BSD/OS 4.1. - - 101. [cleanup] Quieted EGCS warnings from lib/isc/print.c. - - 100. [cleanup] <isc/random.h> does not need <isc/int.h> or - <isc/mutex.h>. isc_random_t moved to <isc/types.h>. - - 99. [cleanup] Rate limiter now has separate shutdown() and - destroy() functions, and it guarantees that all - queued events are delivered even in the shutdown case. - - 98. [cleanup] <isc/print.h> does not need <stdarg.h> or <stddef.h> - unless ISC_PLATFORM_NEEDVSNPRINTF is defined. - - 97. [cleanup] <isc/ondestroy.h> does not need <stddef.h> or - <isc/event.h>. - - 96. [cleanup] <isc/mutex.h> does not need <isc/result.h>. - - 95. [cleanup] <isc/mutexblock.h> does not need <isc/result.h>. - - 94. [cleanup] Some installed header files did not compile as C++. - - 93. 
[cleanup] <isc/msgcat.h> does not need <isc/result.h>. - - 92. [cleanup] <isc/mem.h> does not need <stddef.h>, <isc/boolean.h>, - or <isc/result.h>. - - 91. [cleanup] <isc/log.h> does not need <sys/types.h> or - <isc/result.h>. - - 90. [cleanup] Removed unneeded ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS - from <named/listenlist.h>. - - 89. [cleanup] <isc/lex.h> does not need <stddef.h>. - - 88. [cleanup] <isc/interfaceiter.h> does not need <isc/result.h> or - <isc/mem.h>. isc_interface_t and isc_interfaceiter_t - moved to <isc/types.h>. - - 87. [cleanup] <isc/heap.h> does not need <isc/boolean.h>, - <isc/mem.h> or <isc/result.h>. - - 86. [cleanup] isc_bufferlist_t moved from <isc/bufferlist.h> to - <isc/types.h>. - - 85. [cleanup] <isc/bufferlist.h> does not need <isc/buffer.h>, - <isc/list.h>, <isc/mem.h>, <isc/region.h> or - <isc/int.h>. - - 84. [func] allow-query ACL checks now apply to all data - added to a response. - - 83. [func] If the server is authoritative for both a - delegating zone and its (nonsecure) delegatee, and - a query is made for a KEY RR at the top of the - delegatee, then the server will look for a KEY - in the delegator if it is not found in the delegatee. - - 82. [cleanup] <isc/buffer.h> does not need <isc/list.h>. - - 81. [cleanup] <isc/int.h> and <isc/boolean.h> do not need - <isc/lang.h>. - - 80. [cleanup] <isc/print.h> does not need <stdio.h> or <stdlib.h>. - - 79. [cleanup] <dns/callbacks.h> does not need <stdio.h>. - - 78. [cleanup] lwres_conftest renamed to lwresconf_test for - consistency with other *_test programs. - - 77. [cleanup] typedef of isc_time_t and isc_interval_t moved from - <isc/time.h> to <isc/types.h>. - - 76. [cleanup] Rewrote keygen. - - 75. [func] Don't load a zone if its database file is older - than the last time the zone was loaded. - - 74. [cleanup] Removed mktemplate.o and ufile.o from libisc.a, - subsumed by file.o. - - 73. 
[func] New "file" API in libisc, including new function - isc_file_getmodtime, isc_mktemplate renamed to - isc_file_mktemplate and isc_ufile renamed to - isc_file_openunique. By no means an exhaustive API, - it is just what's needed for now. - - 72. [func] DNS_RBTFIND_NOPREDECESSOR and DNS_RBTFIND_NOOPTIONS - added for dns_rbt_findnode, the former to disable the - setting of the chain to the predecessor, and the - latter to make clear when no options are set. - - 71. [cleanup] Made explicit the implicit REQUIREs of - isc_time_seconds, isc_time_nanoseconds, and - isc_time_subtract. - - 70. [func] isc_time_set() added. - - 69. [bug] The zone object's master and also-notify lists grew - longer with each server reload. - - 68. [func] Partial support for SIG(0) on incoming messages. - - 67. [performance] Allow use of alternate (compile-time supplied) - OpenSSL libraries/headers. - - 66. [func] Data in authoritative zones should have a trust level - beyond secure. - - 65. [cleanup] Removed obsolete typedef of dns_zone_callbackarg_t - from <dns/types.h>. - - 64. [func] The RBT, DB, and zone table APIs now allow the - caller find the most-enclosing superdomain of - a name. - - 63. [func] Generate NOTIFY messages. - - 62. [func] Add UDP refresh support. - - 61. [cleanup] Use single quotes consistently in log messages. - - 60. [func] Catch and disallow singleton types on message - parse. - - 59. [bug] Cause net/host unreachable to be a hard error - when sending and receiving. - - 58. [bug] bin/named/query.c could sometimes trigger the - (client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) - == 0 assertion in query_newname(). - - 57. [func] Added dns_nxt_typepresent() - - 56. [bug] SIG records were not properly returned in cached - negative answers. - - 55. [bug] Responses containing multiple names in the authority - section were not negatively cached. - - 54. 
[bug] If a fetch with sigrdataset==NULL joined one with - sigrdataset!=NULL or vice versa, the resolver - could catch an assertion or lose signature data, - respectively. - - 53. [port] freebsd 4.0: lib/isc/unix/socket.c requires - <sys/param.h>. - - 52. [bug] rndc: taskmgr and socketmgr were not initialized - to NULL. - - 51. [cleanup] dns/compress.h and dns/zt.h did not need to include - dns/rbt.h; it was needed only by compress.c and zt.c. - - 50. [func] RBT deletion no longer requires a valid chain to work, - and dns_rbt_deletenode was added. - - 49. [func] Each cache now has its own mctx. - - 48. [func] isc_task_create() no longer takes an mctx. - isc_task_mem() has been eliminated. - - 47. [func] A number of modules now use memory context reference - counting. - - 46. [func] Memory contexts are now reference counted. - Added isc_mem_inuse() and isc_mem_preallocate(). - Renamed isc_mem_destroy_check() to - isc_mem_setdestroycheck(). - - 45. [bug] The trusted-key statement incorrectly loaded keys. - - 44. [bug] Don't include authority data if it would force us - to unset the AD bit in the message. - - 43. [bug] DNSSEC verification of cached rdatasets was failing. - - 42. [cleanup] Simplified logging of messages with embedded domain - names by introducing a new convenience function - dns_name_format(). - - 41. [func] Use PR_SET_KEEPCAPS on Linux 2.3.99-pre3 and later - to allow 'named' to run as a non-root user while - retaining the ability to bind() to privileged - ports. - - 40. [func] Introduced new logging category "dnssec" and - logging module "dns/validator". - - 39. [cleanup] Moved the typedefs for isc_region_t, isc_textregion_t, - and isc_lex_t to <isc/types.h>. - - 38. [bug] TSIG signed incoming zone transfers work now. - - 37. [bug] If the first RR in an incoming zone transfer was - not an SOA, the server died with an assertion failure - instead of just reporting an error. - - 36. [cleanup] Change DNS_R_SUCCESS (and others) to ISC_R_SUCCESS - - 35. 
[performance] Log messages which are of a level too high to be - logged by any channel in the logging configuration - will not cause the log mutex to be locked. - - 34. [bug] Recursion was allowed even with 'recursion no'. - - 33. [func] The RBT now maintains a parent pointer at each node. - - 32. [cleanup] bin/lwresd/client.c needs <string.h> for memset() - prototype. - - 31. [bug] Use ${LIBTOOL} to compile bin/named/main.@O@. - - 30. [func] config file grammer change to support optional - class type for a view. - - 29. [func] support new config file view options: - - auth-nxdomain recursion query-source - query-source-v6 transfer-source - transfer-source-v6 max-transfer-time-out - max-transfer-idle-out transfer-format - request-ixfr provide-ixfr cleaning-interval - fetch-glue notify rfc2308-type1 lame-ttl - max-ncache-ttl min-roots - - 28. [func] support lame-ttl, min-roots and serial-queries - config global options. - - 27. [bug] Only include <netinet6/in6.h> on BSD/OS 4.[01]*. - Including it on other platforms (eg, NetBSD) can - cause a forced #error from the C preprocessor. - - 26. [func] new match-clients statement in config file view. - - 25. [bug] make install failed to install <isc/log.h> and - <isc/ondestroy.h>. - - 24. [cleanup] Eliminate some unnecessary #includes of header - files from header files. - - 23. [cleanup] Provide more context in log messages about client - requests, using a new function ns_client_log(). - - 22. [bug] SIGs weren't returned in the answer section when - the query resulted in a fetch. - - 21. [port] Look at STD_CINCLUDES after CINCLUDES during - compilation, so additional system include directories - can be searched but header files in the bind9 source - tree with conflicting names take precedence. This - avoids issues with installed versions of dnssafe and - openssl. - - 20. [func] Configuration file post-load validation of zones - failed if there were no zones. - - 19. 
[bug] dns_zone_notifyreceive() failed to unlock the zone - lock in certain error cases. - - 18. [bug] Use AC_TRY_LINK rather than AC_TRY_COMPILE in - configure.in to check for presence of in6addr_any. - - 17. [func] Do configuration file post-load validation of zones. - - 16. [bug] put quotes around key names on config file - output to avoid possible keyword clashes. - - 15. [func] Add dns_name_dupwithoffsets(). This function is - improves comparison performance for duped names. - - 14. [bug] free_rbtdb() could have 'put' unallocated memory in - an unlikely error path. - - 13. [bug] lib/dns/master.c and lib/dns/xfrin.c didn't ignore - out-of-zone data. - - 12. [bug] Fixed possible unitialized variable error. - - 11. [bug] axfr_rrstream_first() didn't check the result code of - db_rr_iterator_first(), possibly causing an assertion - to be triggered later. - - 10. [bug] A bug in the code which makes EDNS0 OPT records in - bin/named/client.c and lib/dns/resolver.c could - trigger an assertion. - - 9. [cleanup] replaced bit-setting code in confctx.c and replaced - repeated code with macro calls. - - 8. [bug] Shutdown of incoming zone transfer accessed - freed memory. - - 7. [cleanup] removed 'listen-on' from view statement. - - 6. [bug] quote RR names when generating config file to - prevent possible clash with config file keywords - (such as 'key'). - - 5. [func] syntax change to named.conf file: new ssu grant/deny - statements must now be enclosed by an 'update-policy' - block. - - 4. [port] bin/named/unix/os.c didn't compile on systems with - linux 2.3 kernel includes due to conflicts between - C library includes and the kernel includes. We now - get only what we need from <linux/capability.h>, and - avoid pulling in other linux kernel .h files. - - 3. [bug] TKEYs go in the answer section of responses, not - the additional section. - - 2. [bug] Generating cryptographic randomness failed on - systems without /dev/random. - - 1. 
[bug] The installdirs rule in - lib/isc/unix/include/isc/Makefile.in had a typo which - prevented the isc directory from being created if it - didn't exist. - - --- 9.0.0b2 released --- - -# This tells Emacs to use hard tabs in this file. -# Local Variables: -# indent-tabs-mode: t -# End: diff --git a/usr.sbin/bind/COPYRIGHT b/usr.sbin/bind/COPYRIGHT deleted file mode 100644 index e1e223c9758..00000000000 --- a/usr.sbin/bind/COPYRIGHT +++ /dev/null 
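Review bot: Deleting usr.sbin/bind/CHANGES in full drops the in-tree numbered record of which upstream fixes this copy of BIND contains, including entries visible at the end of the hunk such as 8 ("Shutdown of incoming zone transfer accessed freed memory") and 34 ("Recursion was allowed even with 'recursion no'"). If the file goes, consider leaving a short note in a file that stays in the tree naming the upstream release this import corresponds to, so a later audit can still map the code to upstream's change list.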
@@ -1,30 +0,0 @@ -Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") -Copyright (C) 1996-2003 Internet Software Consortium. - -Permission to use, copy, modify, and/or distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -PERFORMANCE OF THIS SOFTWARE. - -$ISC: COPYRIGHT,v 1.9.18.4.10.1 2008/07/23 07:28:54 tbox Exp $ - -Portions Copyright (C) 1996-2001 Nominum, Inc. - -Permission to use, copy, modify, and distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND NOMINUM DISCLAIMS ALL WARRANTIES -WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NOMINUM BE LIABLE FOR -ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT -OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. diff --git a/usr.sbin/bind/FAQ b/usr.sbin/bind/FAQ deleted file mode 100644 index 90b3ca04538..00000000000 --- a/usr.sbin/bind/FAQ +++ /dev/null 
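Review bot: The COPYRIGHT text removed in the -1,30 hunk grants permission only "provided that the above copyright notice and this permission notice appear in all copies", for both the ISC and the Nominum portions, so dropping the standalone file is safe only if every source file that remains under usr.sbin/bind still carries those notices in its own header. Please confirm that before the deletion goes in, or keep COPYRIGHT in the directory.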
@@ -1,781 +0,0 @@ -Frequently Asked Questions about BIND 9 - -Copyright © 2004-2007 Internet Systems Consortium, Inc. ("ISC") - -Copyright © 2000-2003 Internet Software Consortium. - ------------------------------------------------------------------------ - -1. Compilation and Installation Questions - -Q: I'm trying to compile BIND 9, and "make" is failing due to files not - being found. Why? - -A: Using a parallel or distributed "make" to build BIND 9 is not - supported, and doesn't work. If you are using one of these, use normal - make or gmake instead. - -Q: Isn't "make install" supposed to generate a default named.conf? - -A: Short Answer: No. - - Long Answer: There really isn't a default configuration which fits any - site perfectly. There are lots of decisions that need to be made and - there is no consensus on what the defaults should be. For example - FreeBSD uses /etc/namedb as the location where the configuration files - for named are stored. Others use /var/named. - - What addresses to listen on? For a laptop on the move a lot you may - only want to listen on the loop back interfaces. - - Who do you offer recursive service to? Is there are firewall to - consider? If so is it stateless or stateful. Are you directly on the - Internet? Are you on a private network? Are you on a NAT'd network? The - answers to all these questions change how you configure even a caching - name server. - -2. Configuration and Setup Questions - -Q: Why does named log the warning message "no TTL specified - using SOA - MINTTL instead"? - -A: Your zone file is illegal according to RFC1035. It must either have a - line like: - - $TTL 86400 - - at the beginning, or the first record in it must have a TTL field, like - the "84600" in this example: - - example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 ) - -Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master - file bar: ran out of space"? 
- -A: This is often caused by TXT records with missing close quotes. Check - that all TXT records containing quoted strings have both open and close - quotes. - -Q: How do I restrict people from looking up the server version? - -A: Put a "version" option containing something other than the real version - in the "options" section of named.conf. Note doing this will not - prevent attacks and may impede people trying to diagnose problems with - your server. Also it is possible to "fingerprint" nameservers to - determine their version. - -Q: How do I restrict only remote users from looking up the server version? - -A: The following view statement will intercept lookups as the internal - view that holds the version information will be matched last. The - caveats of the previous answer still apply, of course. - - view "chaos" chaos { - match-clients { <those to be refused>; }; - allow-query { none; }; - zone "." { - type hint; - file "/dev/null"; // or any empty file - }; - }; - -Q: What do "no source of entropy found" or "could not open entropy source - foo" mean? - -A: The server requires a source of entropy to perform certain operations, - mostly DNSSEC related. These messages indicate that you have no source - of entropy. On systems with /dev/random or an equivalent, it is used by - default. A source of entropy can also be defined using the - random-device option in named.conf. - -Q: I'm trying to use TSIG to authenticate dynamic updates or zone - transfers. I'm sure I have the keys set up correctly, but the server is - rejecting the TSIG. Why? - -A: This may be a clock skew problem. Check that the the clocks on the - client and server are properly synchronised (e.g., using ntp). - -Q: I see a log message like the following. Why? - - couldn't open pid file '/var/run/named.pid': Permission denied - -A: You are most likely running named as a non-root user, and that user - does not have permission to write in /var/run. 
The common ways of - fixing this are to create a /var/run/named directory owned by the named - user and set pid-file to "/var/run/named/named.pid", or set pid-file to - "named.pid", which will put the file in the directory specified by the - directory option (which, in this case, must be writable by the named - user). - -Q: I can query the nameserver from the nameserver but not from other - machines. Why? - -A: This is usually the result of the firewall configuration stopping the - queries and / or the replies. - -Q: How can I make a server a slave for both an internal and an external - view at the same time? When I tried, both views on the slave were - transferred from the same view on the master. - -A: You will need to give the master and slave multiple IP addresses and - use those to make sure you reach the correct view on the other machine. - - Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias) - internal: - match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; }; - notify-source 10.0.1.1; - transfer-source 10.0.1.1; - query-source address 10.0.1.1; - external: - match-clients { any; }; - recursion no; // don't offer recursion to the world - notify-source 10.0.1.2; - transfer-source 10.0.1.2; - query-source address 10.0.1.2; - - Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias) - internal: - match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; }; - notify-source 10.0.1.3; - transfer-source 10.0.1.3; - query-source address 10.0.1.3; - external: - match-clients { any; }; - recursion no; // don't offer recursion to the world - notify-source 10.0.1.4; - transfer-source 10.0.1.4; - query-source address 10.0.1.4; - - You put the external address on the alias so that all the other dns - clients on these boxes see the internal view by default. - -A: BIND 9.3 and later: Use TSIG to select the appropriate view. 
- - Master 10.0.1.1: - key "external" { - algorithm hmac-md5; - secret "xxxxxxxx"; - }; - view "internal" { - match-clients { !key external; 10.0.1/24; }; - ... - }; - view "external" { - match-clients { key external; any; }; - server 10.0.1.2 { keys external; }; - recursion no; - ... - }; - - Slave 10.0.1.2: - key "external" { - algorithm hmac-md5; - secret "xxxxxxxx"; - }; - view "internal" { - match-clients { !key external; 10.0.1/24; }; - ... - }; - view "external" { - match-clients { key external; any; }; - server 10.0.1.1 { keys external; }; - recursion no; - ... - }; - -Q: I get error messages like "multiple RRs of singleton type" and "CNAME - and other data" when transferring a zone. What does this mean? - -A: These indicate a malformed master zone. You can identify the exact - records involved by transferring the zone using dig then running - named-checkzone on it. - - dig axfr example.com @master-server > tmp - named-checkzone example.com tmp - - A CNAME record cannot exist with the same name as another record except - for the DNSSEC records which prove its existence (NSEC). - - RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other - data should be present; this ensures that the data for a canonical name - and its aliases cannot be different. This rule also insures that a - cached CNAME can be used without checking with an authoritative server - for other RR types." - -Q: I get error messages like "named.conf:99: unexpected end of input" - where 99 is the last line of named.conf. - -A: Some text editors (notepad and wordpad) fail to put a line title - indication (e.g. CR/LF) on the last line of a text file. This can be - fixed by "adding" a blank line to the end of the file. Named expects to - see EOF immediately after EOL and treats text files where this is not - met as truncated. - -Q: How do I share a dynamic zone between multiple views? 
- -A: You choose one view to be master and the second a slave and transfer - the zone between views. - - Master 10.0.1.1: - key "external" { - algorithm hmac-md5; - secret "xxxxxxxx"; - }; - - key "mykey" { - algorithm hmac-md5; - secret "yyyyyyyy"; - }; - - view "internal" { - match-clients { !key external; 10.0.1/24; }; - server 10.0.1.1 { - /* Deliver notify messages to external view. */ - keys { external; }; - }; - zone "example.com" { - type master; - file "internal/example.db"; - allow-update { key mykey; }; - notify-also { 10.0.1.1; }; - }; - }; - - view "external" { - match-clients { key external; any; }; - zone "example.com" { - type slave; - file "external/example.db"; - masters { 10.0.1.1; }; - transfer-source { 10.0.1.1; }; - // allow-update-forwarding { any; }; - // allow-notify { ... }; - }; - }; - -Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading - master file primaries/wireless.ietf56.ietf.org: no owner". - -A: This error is produced when a line in the master file contains leading - white space (tab/space) but the is no current record owner name to - inherit the name from. Usually this is the result of putting white - space before a comment, forgetting the "@" for the SOA record, or - indenting the master file. - -Q: Why are my logs in GMT (UTC). - -A: You are running chrooted (-t) and have not supplied local timezone - information in the chroot area. - - FreeBSD: /etc/localtime - Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo - OSF: /etc/zoneinfo/localtime - - See also tzset(3) and zic(8). - -Q: I get "rndc: connect failed: connection refused" when I try to run - rndc. - -A: This is usually a configuration error. - - First ensure that named is running and no errors are being reported at - startup (/var/log/messages or equivalent). Running "named -g <usual - arguments>" from a title can help at this point. - - Secondly ensure that named is configured to use rndc either by - "rndc-confgen -a", rndc-confgen or manually. 
The Administrators - Reference manual has details on how to do this. - - Old versions of rndc-confgen used localhost rather than 127.0.0.1 in / - etc/rndc.conf for the default server. Update /etc/rndc.conf if - necessary so that the default server listed in /etc/rndc.conf matches - the addresses used in named.conf. "localhost" has two address - (127.0.0.1 and ::1). - - If you use "rndc-confgen -a" and named is running with -t or -u ensure - that /etc/rndc.conf has the correct ownership and that a copy is in the - chroot area. You can do this by re-running "rndc-confgen -a" with - appropriate -t and -u arguments. - -Q: I get "transfer of 'example.net/IN' from 192.168.4.12#53: failed while - receiving responses: permission denied" error messages. - -A: These indicate a filesystem permission error preventing named creating - / renaming the temporary file. These will usually also have other - associated error messages like - - "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied" - - Named needs write permission on the directory containing the file. - Named writes the new cache file to a temporary file then renames it to - the name specified in named.conf to ensure that the contents are always - complete. This is to prevent named loading a partial zone in the event - of power failure or similar interrupting the write of the master file. - - Note file names are relative to the directory specified in options and - any chroot directory ([<chroot dir>/][<options dir>]). - - If named is invoked as "named -t /chroot/DNS" with the following - named.conf then "/chroot/DNS/var/named/sl" needs to be writable by the - user named is running as. - - options { - directory "/var/named"; - }; - - zone "example.net" { - type slave; - file "sl/example.net"; - masters { 192.168.4.12; }; - }; - -Q: I want to forward all DNS queries from my caching nameserver to another - server. But there are some domains which have to be served locally, via - rbldnsd. 
- - How do I achieve this ? - -A: options { - forward only; - forwarders { <ip.of.primary.nameserver>; }; - }; - - zone "sbl-xbl.spamhaus.org" { - type forward; forward only; - forwarders { <ip.of.rbldns.server> port 530; }; - }; - - zone "list.dsbl.org" { - type forward; forward only; - forwarders { <ip.of.rbldns.server> port 530; }; - }; - - -Q: Can you help me understand how BIND 9 uses memory to store DNS zones? - - Some times it seems to take several times the amount of memory it needs - to store the zone. - -A: When reloading a zone named my have multiple copies of the zone in - memory at one time. The zone it is serving and the one it is loading. - If reloads are ultra fast it can have more still. - - e.g. Ones that are transferring out, the one that it is serving and the - one that is loading. - - BIND 8 destroyed the zone before loading and also killed off outgoing - transfers of the zone. - - The new strategy allows slaves to get copies of the new zone regardless - of how often the master is loaded compared to the transfer time. The - slave might skip some intermediate versions but the transfers will - complete and it will keep reasonably in sync with the master. - - The new strategy also allows the master to recover from syntax and - other errors in the master file as it still has an in-core copy of the - old contents. - -3. General Questions - -Q: I keep getting log messages like the following. Why? - - Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': - update failed: 'RRset exists (value dependent)' prerequisite not - satisfied (NXRRSET) - -A: DNS updates allow the update request to test to see if certain - conditions are met prior to proceeding with the update. The message - above is saying that conditions were not met and the update is not - proceeding. See doc/rfc/rfc2136.txt for more details on prerequisites. - -Q: I keep getting log messages like the following. Why? 
- - Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied - -A: Someone is trying to update your DNS data using the RFC2136 Dynamic - Update protocol. Windows 2000 machines have a habit of sending dynamic - update requests to DNS servers without being specifically configured to - do so. If the update requests are coming from a Windows 2000 machine, - see http://support.microsoft.com/support/kb/articles/q246/8/04.asp for - information about how to turn them off. - -Q: When I do a "dig . ns", many of the A records for the root servers are - missing. Why? - -A: This is normal and harmless. It is a somewhat confusing side effect of - the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 - makes to avoid promoting glue into answers. - - When BIND 9 first starts up and primes its cache, it receives the root - server addresses as additional data in an authoritative response from a - root server, and these records are eligible for inclusion as additional - data in responses. Subsequently it receives a subset of the root server - addresses as additional data in a non-authoritative (referral) response - from a root server. This causes the addresses to now be considered - non-authoritative (glue) data, which is not eligible for inclusion in - responses. - - The server does have a complete set of root server addresses cached at - all times, it just may not include all of them as additional data, - depending on whether they were last received as answers or as glue. You - can always look up the addresses with explicit queries like "dig - a.root-servers.net A". - -Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP? - -A: A zone can be updated either by editing zone files and reloading the - server or by dynamic update, but not both. If you have enabled dynamic - update for a zone using the "allow-update" option, you are not supposed - to edit the zone file by hand, and the server will not attempt to - reload it. 
- -Q: Why is named listening on UDP port other than 53? - -A: Named uses a system selected port to make queries of other nameservers. - This behaviour can be overridden by using query-source to lock down the - port and/or address. See also notify-source and transfer-source. - -Q: I get warning messages like "zone example.com/IN: refresh: failure - trying master 1.2.3.4#53: timed out". - -A: Check that you can make UDP queries from the slave to the master - - dig +norec example.com soa @1.2.3.4 - - You could be generating queries faster than the slave can cope with. - Lower the serial query rate. - - serial-query-rate 5; // default 20 - -Q: I don't get RRSIG's returned when I use "dig +dnssec". - -A: You need to ensure DNSSEC is enabled (dnssec-enable yes;). - -Q: Can a NS record refer to a CNAME. - -A: No. The rules for glue (copies of the *address* records in the parent - zones) and additional section processing do not allow it to work. - - You would have to add both the CNAME and address records (A/AAAA) as - glue to the parent zone and have CNAMEs be followed when doing - additional section processing to make it work. No nameserver - implementation supports either of these requirements. - -Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" - mean? - -A: If the IN-ADDR.ARPA name covered refers to a internal address space you - are using then you have failed to follow RFC 1918 usage rules and are - leaking queries to the Internet. You should establish your own zones - for these addresses to prevent you querying the Internet's name servers - for these addresses. Please see http://as112.net/ for details of the - problems you are causing and the counter measures that have had to be - deployed. - - If you are not using these private addresses then a client has queried - for them. 
You can just ignore the messages, get the offending client to - stop sending you these messages as they are most probably leaking them - or setup your own zones empty zones to serve answers to these queries. - - zone "10.IN-ADDR.ARPA" { - type master; - file "empty"; - }; - - zone "16.172.IN-ADDR.ARPA" { - type master; - file "empty"; - }; - - ... - - zone "31.172.IN-ADDR.ARPA" { - type master; - file "empty"; - }; - - zone "168.192.IN-ADDR.ARPA" { - type master; - file "empty"; - }; - - empty: - @ 10800 IN SOA <name-of-server>. <contact-email>. ( - 1 3600 1200 604800 10800 ) - @ 10800 IN NS <name-of-server>. - - Note - - Future versions of named are likely to do this automatically. - -Q: Will named be affected by the 2007 changes to daylight savings rules in - the US. - -A: No, so long as the machines internal clock (as reported by "date -u") - remains at UTC. The only visible change if you fail to upgrade your OS, - if you are in a affected area, will be that log messages will be a hour - out during the period where the old rules do not match the new rules. - - For most OS's this change just means that you need to update the - conversion rules from UTC to local time. Normally this involves - updating a file in /etc (which sets the default timezone for the - machine) and possibly a directory which has all the conversion rules - for the world (e.g. /usr/share/zoneinfo). When updating the OS do not - forget to update any chroot areas as well. See your OS's documentation - for more details. - - The local timezone conversion rules can also be done on a individual - basis by setting the TZ environment variable appropriately. See your - OS's documentation for more details. - -Q: Is there a bugzilla (or other tool) database that mere mortals can have - (read-only) access to for bind? - -A: No. The BIND 9 bug database is kept closed for a number of reasons. 
- These include, but are not limited to, that the database contains - proprietory information from people reporting bugs. The database has in - the past and may in future contain unfixed bugs which are capable of - bringing down most of the Internet's DNS infrastructure. - - The release pages for each version contain up to date lists of bugs - that have been fixed post release. That is as close as we can get to - providing a bug database. - -4. Operating-System Specific Questions - -4.1. HPUX - -Q: I get the following error trying to configure BIND: - - checking if unistd.h or sys/types.h defines fd_set... no - configure: error: need either working unistd.h or sys/select.h - -A: You have attempted to configure BIND with the bundled C compiler. This - compiler does not meet the minimum compiler requirements to for - building BIND. You need to install a ANSI C compiler and / or teach - configure how to find the ANSI C compiler. The later can be done by - adjusting the PATH environment variable and / or specifying the - compiler via CC. - - ./configure CC=<compiler> ... - -4.2. Linux - -Q: Why do I get the following errors: - - general: errno2result.c:109: unexpected error: - general: unable to convert errno to isc_result: 14: Bad address - client: UDP client handler shutting down due to fatal receive error: unexpected error - -A: This is the result of a Linux kernel bug. - - See: http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2 - -Q: Why do I see 5 (or more) copies of named on Linux? - -A: Linux threads each show up as a process under ps. The approximate - number of threads running is n+4, where n is the number of CPUs. Note - that the amount of memory used is not cumulative; if each process is - using 10M of memory, only a total of 10M is used. - - Newer versions of Linux's ps command hide the individual threads and - require -L to display them. 
- -Q: Why does BIND 9 log "permission denied" errors accessing its - configuration files or zones on my Linux system even though it is - running as root? - -A: On Linux, BIND 9 drops most of its root privileges on startup. This - including the privilege to open files owned by other users. Therefore, - if the server is running as root, the configuration files and zone - files should also be owned by root. - -Q: I get the error message "named: capset failed: Operation not permitted" - when starting named. - -A: The capability module, part of "Linux Security Modules/LSM", has not - been loaded into the kernel. See insmod(8). - -Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core - - - Why can't named update slave zone database files? - - Why can't named create DDNS journal files or update the master zones - from journals? - - Why can't named create custom log files? - -A: Red Hat Security Enhanced Linux (SELinux) policy security protections : - - Red Hat have adopted the National Security Agency's SELinux security - policy ( see http://www.nsa.gov/selinux ) and recommendations for BIND - security , which are more secure than running named in a chroot and - make use of the bind-chroot environment unnecessary . - - By default, named is not allowed by the SELinux policy to write, create - or delete any files EXCEPT in these directories: - - $ROOTDIR/var/named/slaves - $ROOTDIR/var/named/data - $ROOTDIR/var/tmp - - - where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is - installed. - - The SELinux policy particularly does NOT allow named to modify the - $ROOTDIR/var/named directory, the default location for master zone - database files. - - SELinux policy overrules file access permissions - so even if all the - files under /var/named have ownership named:named and mode rw-rw-r--, - named will still not be able to write or create files except in the - directories above, with SELinux in Enforcing mode. 
- - So, to allow named to update slave or DDNS zone files, it is best to - locate them in $ROOTDIR/var/named/slaves, with named.conf zone - statements such as: - - zone "slave.zone." IN { - type slave; - file "slaves/slave.zone.db"; - ... - }; - zone "ddns.zone." IN { - type master; - allow-updates {...}; - file "slaves/ddns.zone.db"; - }; - - - To allow named to create its cache dump and statistics files, for - example, you could use named.conf options statements such as: - - options { - ... - dump-file "/var/named/data/cache_dump.db"; - statistics-file "/var/named/data/named_stats.txt"; - ... - }; - - - You can also tell SELinux to allow named to update any zone database - files, by setting the SELinux tunable boolean parameter - 'named_write_master_zones=1', using the system-config-securitylevel - GUI, using the 'setsebool' command, or in /etc/selinux/targeted/ - booleans. - - You can disable SELinux protection for named entirely by setting the - 'named_disable_trans=1' SELinux tunable boolean parameter. - - The SELinux named policy defines these SELinux contexts for named: - - named_zone_t : for zone database files - $ROOTDIR/var/named/* - named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.* - named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}} - - - If you want to retain use of the SELinux policy for named, and put - named files in different locations, you can do so by changing the - context of the custom file locations . - - To create a custom configuration file location, e.g. '/root/ - named.conf', to use with the 'named -c' option, do: - - # chcon system_u:object_r:named_conf_t /root/named.conf - - - To create a custom modifiable named data location, e.g. '/var/log/ - named' for a log file, do: - - # chcon system_u:object_r:named_cache_t /var/log/named - - - To create a custom zone file location, e.g. 
/root/zones/, do: - - # chcon system_u:object_r:named_zone_t /root/zones/{.,*} - - - See these man-pages for more information : selinux(8), named_selinux - (8), chcon(1), setsebool(8) - -4.3. Windows - -Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail. - Why? - -A: This may be caused by a bug in the Windows 2000 DNS server where DNS - messages larger than 16K are not handled properly. This can be worked - around by setting the option "transfer-format one-answer;". Also check - whether your zone contains domain names with embedded spaces or other - special characters, like "John\032Doe\213s\032Computer", since such - names have been known to cause Windows 2000 slaves to incorrectly - reject the zone. - -Q: I get "Error 1067" when starting named under Windows. - -A: This is the service manager saying that named exited. You need to - examine the Application log in the EventViewer to find out why. - - Common causes are that you failed to create "named.conf" (usually "C:\ - windows\dns\etc\named.conf") or failed to specify the directory in - named.conf. - - options { - Directory "C:\windows\dns\etc"; - }; - -4.4. FreeBSD - -Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there. - -A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to - use certain interrupts as a source of random events. You can make this - permanent by setting rand_irqs in /etc/rc.conf. - - /etc/rc.conf - rand_irqs="3 14 15" - - See also http://people.freebsd.org/~dougb/randomness.html - -4.5. Solaris - -Q: How do I integrate BIND 9 and Solaris SMF - -A: Sun has a blog entry describing how to do this. - - http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris - -4.6. Apple Mac OS X - -Q: How do I run BIND 9 on Apple Mac OS X? 
- -A: If you run Tiger(Mac OS 10.4) or later then this is all you need to do: - - % sudo rndc-confgen > /etc/rndc.conf - - Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.: - - key "rndc-key" { - algorithm hmac-md5; - secret "uvceheVuqf17ZwIcTydddw=="; - }; - - Then start the relevant service: - - % sudo service org.isc.named start - - This is persistent upon a reboot, so you will have to do it only once. - -A: Alternatively you can just generate /etc/rndc.key by running: - - % sudo rndc-confgen -a - - Then start the relevant service: - - % sudo service org.isc.named start - - Named will look for /etc/rndc.key when it starts if it doesn't have a - controls section or the existing controls are missing keys sub-clauses. - This is persistent upon a reboot, so you will have to do it only once. - diff --git a/usr.sbin/bind/FAQ.xml b/usr.sbin/bind/FAQ.xml deleted file mode 100644 index 97c5be4d12c..00000000000 --- a/usr.sbin/bind/FAQ.xml +++ /dev/null 
@@ -1,1007 +0,0 @@ -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" - "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []> -<!-- - - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000-2003 Internet Software Consortium. - - - - Permission to use, copy, modify, and distribute this software for any - - purpose with or without fee is hereby granted, provided that the above - - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - - PERFORMANCE OF THIS SOFTWARE. ---> - -<!-- $ISC: FAQ.xml,v 1.4.6.3 2005/11/02 22:53:51 marka Exp $ --> - -<article class="faq"> - <title>Frequently Asked Questions about BIND 9</title> - <qandaset defaultlabel='qanda'> - <qandaentry> - <question> - <para> - Why doesn't -u work on Linux 2.2.x when I build with - --enable-threads? - </para> - </question> - <answer> - <para> - Linux threads do not fully implement the Posix threads - (pthreads) standard. In particular, setuid() operates only - on the current thread, not the full process. Because of - this limitation, BIND 9 cannot use setuid() on Linux as it - can on all other supported platforms. setuid() cannot be - called before creating threads, since the server does not - start listening on reserved ports until after threads have - started. - </para> - <para> - In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability - to preserve capabilities across a setuid() call is present. 
- This allows BIND 9 to call setuid() early, while retaining - the ability to bind reserved ports. This is a Linux-specific - hack. - </para> - <para> - On a 2.2 kernel, BIND 9 does drop many root privileges, so - it should be less of a security risk than a root process - that has not dropped privileges. - </para> - <para> - If Linux threads ever work correctly, this restriction will - go away. - </para> - <para> - Configuring BIND9 with the --disable-threads option (the - default) causes a non-threaded version to be built, which - will allow -u to be used. - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - Why does named log the warning message <quote>no TTL specified - - using SOA MINTTL instead</quote>? - </para> - </question> - <answer> - <para> - Your zone file is illegal according to RFC1035. It must either - have a line like: - </para> - <informalexample> - <programlisting> -$TTL 86400</programlisting> - </informalexample> - <para> - at the beginning, or the first record in it must have a TTL field, - like the "84600" in this example: - </para> - <informalexample> - <programlisting> -example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )</programlisting> - </informalexample> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - Why do I see 5 (or more) copies of named on Linux? - </para> - </question> - <answer> - <para> - Linux threads each show up as a process under ps. The - approximate number of threads running is n+4, where n is - the number of CPUs. Note that the amount of memory used - is not cumulative; if each process is using 10M of memory, - only a total of 10M is used. - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - Why does BIND 9 log <quote>permission denied</quote> errors accessing - its configuration files or zones on my Linux system even - though it is running as root? 
- </para> - </question> - <answer> - <para> - On Linux, BIND 9 drops most of its root privileges on - startup. This including the privilege to open files owned - by other users. Therefore, if the server is running as - root, the configuration files and zone files should also - be owned by root. - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - Why do I get errors like <quote>dns_zone_load: zone foo/IN: loading - master file bar: ran out of space</quote>? - </para> - </question> - <answer> - <para> - This is often caused by TXT records with missing close - quotes. Check that all TXT records containing quoted strings - have both open and close quotes. - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - How do I produce a usable core file from a multithreaded - named on Linux? - </para> - </question> - <answer> - <para> - If the Linux kernel is 2.4.7 or newer, multithreaded core - dumps are usable (that is, the correct thread is dumped). - Otherwise, if using a 2.2 kernel, apply the kernel patch - found in contrib/linux/coredump-patch and rebuild the kernel. - This patch will cause multithreaded programs to dump the - correct thread. - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - How do I restrict people from looking up the server version? - </para> - </question> - <answer> - <para> - Put a "version" option containing something other than the - real version in the "options" section of named.conf. Note - doing this will not prevent attacks and may impede people - trying to diagnose problems with your server. Also it is - possible to "fingerprint" nameservers to determine their - version. - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - How do I restrict only remote users from looking up the - server version? 
- </para> - </question> - <answer> - <para> - The following view statement will intercept lookups as the - internal view that holds the version information will be - matched last. The caveats of the previous answer still - apply, of course. - </para> - <informalexample> - <programlisting> -view "chaos" chaos { - match-clients { <those to be refused>; }; - allow-query { none; }; - zone "." { - type hint; - file "/dev/null"; // or any empty file - }; -};</programlisting> - </informalexample> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - What do <quote>no source of entropy found</quote> or <quote>could not - open entropy source foo</quote> mean? - </para> - </question> - <answer> - <para> - The server requires a source of entropy to perform certain - operations, mostly DNSSEC related. These messages indicate - that you have no source of entropy. On systems with - /dev/random or an equivalent, it is used by default. A - source of entropy can also be defined using the random-device - option in named.conf. - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - I installed BIND 9 and restarted named, but it's still BIND 8. Why? - </para> - </question> - <answer> - <para> - BIND 9 is installed under /usr/local by default. BIND 8 - is often installed under /usr. Check that the correct named - is running. - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - I'm trying to use TSIG to authenticate dynamic updates or - zone transfers. I'm sure I have the keys set up correctly, - but the server is rejecting the TSIG. Why? - </para> - </question> - <answer> - <para> - This may be a clock skew problem. Check that the the clocks - on the client and server are properly synchronised (e.g., - using ntp). - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - I'm trying to compile BIND 9, and "make" is failing due to - files not being found. Why? 
- </para> - </question> - <answer> - <para> - Using a parallel or distributed "make" to build BIND 9 is - not supported, and doesn't work. If you are using one of - these, use normal make or gmake instead. - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - I have a BIND 9 master and a BIND 8.2.3 slave, and the - master is logging error messages like <quote>notify to 10.0.0.1#53 - failed: unexpected end of input</quote>. What's wrong? - </para> - </question> - <answer> - <para> - This error message is caused by a known bug in BIND 8.2.3 - and is fixed in BIND 8.2.4. It can be safely ignored - the - notify has been acted on by the slave despite the error - message. - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - I keep getting log messages like the following. Why? - </para> - <para> - Dec 4 23:47:59 client 10.0.0.1#1355: updating zone - 'example.com/IN': update failed: 'RRset exists (value - dependent)' prerequisite not satisfied (NXRRSET) - </para> - </question> - <answer> - <para> - DNS updates allow the update request to test to see if - certain conditions are met prior to proceeding with the - update. The message above is saying that conditions were - not met and the update is not proceeding. See doc/rfc/rfc2136.txt - for more details on prerequisites. - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - I keep getting log messages like the following. Why? - </para> - <para> - Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied - </para> - </question> - <answer> - <para> - Someone is trying to update your DNS data using the RFC2136 - Dynamic Update protocol. Windows 2000 machines have a habit - of sending dynamic update requests to DNS servers without - being specifically configured to do so. 
If the update - requests are coming from a Windows 2000 machine, see - <ulink - url="http://support.microsoft.com/support/kb/articles/q246/8/04.asp"> - http://support.microsoft.com/support/kb/articles/q246/8/04.asp - </ulink> - for information about how to turn them off. - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - I see a log message like the following. Why? - </para> - <para> - couldn't open pid file '/var/run/named.pid': Permission denied - </para> - </question> - <answer> - <para> - You are most likely running named as a non-root user, and - that user does not have permission to write in /var/run. - The common ways of fixing this are to create a /var/run/named - directory owned by the named user and set pid-file to - "/var/run/named/named.pid", or set pid-file to "named.pid", - which will put the file in the directory specified by the - directory option (which, in this case, must be writable by - the named user). - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - When I do a "dig . ns", many of the A records for the root - servers are missing. Why? - </para> - </question> - <answer> - <para> - This is normal and harmless. It is a somewhat confusing - side effect of the way BIND 9 does RFC2181 trust ranking - and of the efforts BIND 9 makes to avoid promoting glue - into answers. - </para> - <para> - When BIND 9 first starts up and primes its cache, it receives - the root server addresses as additional data in an authoritative - response from a root server, and these records are eligible - for inclusion as additional data in responses. Subsequently - it receives a subset of the root server addresses as - additional data in a non-authoritative (referral) response - from a root server. This causes the addresses to now be - considered non-authoritative (glue) data, which is not - eligible for inclusion in responses. 
- </para> - <para> - The server does have a complete set of root server addresses - cached at all times, it just may not include all of them - as additional data, depending on whether they were last - received as answers or as glue. You can always look up the - addresses with explicit queries like "dig a.root-servers.net A". - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - Zone transfers from my BIND 9 master to my Windows 2000 - slave fail. Why? - </para> - </question> - <answer> - <para> - This may be caused by a bug in the Windows 2000 DNS server - where DNS messages larger than 16K are not handled properly. - This can be worked around by setting the option "transfer-format - one-answer;". Also check whether your zone contains domain - names with embedded spaces or other special characters, - like "John\032Doe\213s\032Computer", since such names have - been known to cause Windows 2000 slaves to incorrectly - reject the zone. - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - Why don't my zones reload when I do an "rndc reload" or SIGHUP? - </para> - </question> - <answer> - <para> - A zone can be updated either by editing zone files and - reloading the server or by dynamic update, but not both. - If you have enabled dynamic update for a zone using the - "allow-update" option, you are not supposed to edit the - zone file by hand, and the server will not attempt to reload - it. - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - I can query the nameserver from the nameserver but not from other - machines. Why? - </para> - </question> - <answer> - <para> - This is usually the result of the firewall configuration stopping - the queries and / or the replies. - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - How can I make a server a slave for both an internal and - an external view at the same time? 
When I tried, both views - on the slave were transferred from the same view on the master. - </para> - </question> - <answer> - <para> - You will need to give the master and slave multiple IP - addresses and use those to make sure you reach the correct - view on the other machine. - </para> - <informalexample> - <programlisting> -Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias) - internal: - match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; }; - notify-source 10.0.1.1; - transfer-source 10.0.1.1; - query-source address 10.0.1.1; - external: - match-clients { any; }; - recursion no; // don't offer recursion to the world - notify-source 10.0.1.2; - transfer-source 10.0.1.2; - query-source address 10.0.1.2; - -Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias) - internal: - match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; }; - notify-source 10.0.1.3; - transfer-source 10.0.1.3; - query-source address 10.0.1.3; - external: - match-clients { any; }; - recursion no; // don't offer recursion to the world - notify-source 10.0.1.4; - transfer-source 10.0.1.4; - query-source address 10.0.1.4;</programlisting> - </informalexample> - <para> - You put the external address on the alias so that all the other - dns clients on these boxes see the internal view by default. - </para> - </answer> - <answer> - <para> - BIND 9.3 and later: Use TSIG to select the appropriate view. - </para> - <informalexample> - <programlisting> -Master 10.0.1.1: - key "external" { - algorithm hmac-md5; - secret "xxxxxxxx"; - }; - view "internal" { - match-clients { !key external; 10.0.1/24; }; - ... - }; - view "external" { - match-clients { key external; any; }; - server 10.0.0.2 { keys external; }; - recursion no; - ... - }; - -Slave 10.0.1.2: - key "external" { - algorithm hmac-md5; - secret "xxxxxxxx"; - }; - view "internal" { - match-clients { !key external; 10.0.1/24; }; - ... 
- }; - view "external" { - match-clients { key external; any; }; - server 10.0.0.1 { keys external; }; - recursion no; - ... - };</programlisting> - </informalexample> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - I have FreeBSD 4.x and "rndc-confgen -a" just sits there. - </para> - </question> - <answer> - <para> - /dev/random is not configured. Use rndcontrol(8) to tell - the kernel to use certain interrupts as a source of random - events. You can make this permanent by setting rand_irqs - in /etc/rc.conf. - </para> - <informalexample> - <programlisting> -/etc/rc.conf -rand_irqs="3 14 15"</programlisting> - </informalexample> - <para> - See also - <ulink url="http://people.freebsd.org/~dougb/randomness.html"> - http://people.freebsd.org/~dougb/randomness.html - </ulink> - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - Why is named listening on UDP port other than 53? - </para> - </question> - <answer> - <para> - Named uses a system selected port to make queries of other - nameservers. This behaviour can be overridden by using - query-source to lock down the port and/or address. See - also notify-source and transfer-source. - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - I get error messages like <quote>multiple RRs of singleton type</quote> - and <quote>CNAME and other data</quote> when transferring a zone. What - does this mean? - </para> - </question> - <answer> - <para> - These indicate a malformed master zone. You can identify - the exact records involved by transferring the zone using - dig then running named-checkzone on it. - </para> - <informalexample> - <programlisting> -dig axfr example.com @master-server > tmp -named-checkzone example.com tmp</programlisting> - </informalexample> - <para> - A CNAME record cannot exist with the same name as another record - except for the DNSSEC records which prove its existance (NSEC). 
- </para> - <para> - RFC 1034, Section 3.6.2: <quote>If a CNAME RR is present at a node, - no other data should be present; this ensures that the data for a - canonical name and its aliases cannot be different. This rule also - insures that a cached CNAME can be used without checking with an - authoritative server for other RR types.</quote> - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - I get error messages like <quote>named.conf:99: unexpected end - of input</quote> where 99 is the last line of named.conf. - </para> - </question> - <answer> - <para> - Some text editors (notepad and wordpad) fail to put a line - title indication (e.g. CR/LF) on the last line of a - text file. This can be fixed by "adding" a blank line to - the end of the file. Named expects to see EOF immediately - after EOL and treats text files where this is not met as - truncated. - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - I get warning messages like <quote>zone example.com/IN: refresh: - failure trying master 1.2.3.4#53: timed out</quote>. - </para> - </question> - <answer> - <para> - Check that you can make UDP queries from the slave to the master - </para> - <informalexample> - <programlisting> -dig +norec example.com soa @1.2.3.4</programlisting> - </informalexample> - <para> - You could be generating queries faster than the slave can - cope with. Lower the serial query rate. - </para> - <informalexample> - <programlisting> -serial-query-rate 5; // default 20</programlisting> - </informalexample> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - How do I share a dynamic zone between multiple views? - </para> - </question> - <answer> - <para> - You choose one view to be master and the second a slave and - transfer the zone between views. 
- </para> - <informalexample> - <programlisting> -Master 10.0.1.1: - key "external" { - algorithm hmac-md5; - secret "xxxxxxxx"; - }; - - key "mykey" { - algorithm hmac-md5; - secret "yyyyyyyy"; - }; - - view "internal" { - match-clients { !external; 10.0.1/24; }; - server 10.0.1.1 { - /* Deliver notify messages to external view. */ - keys { external; }; - }; - zone "example.com" { - type master; - file "internal/example.db"; - allow-update { key mykey; }; - notify-also { 10.0.1.1; }; - }; - }; - - view "external" { - match-clients { external; any; }; - zone "example.com" { - type slave; - file "external/example.db"; - masters { 10.0.1.1; }; - transfer-source { 10.0.1.1; }; - // allow-update-forwarding { any; }; - // allow-notify { ... }; - }; - };</programlisting> - </informalexample> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - I get a error message like <quote>zone wireless.ietf56.ietf.org/IN: - loading master file primaries/wireless.ietf56.ietf.org: no - owner</quote>. - </para> - </question> - <answer> - <para> - This error is produced when a line in the master file - contains leading white space (tab/space) but the is no - current record owner name to inherit the name from. Usually - this is the result of putting white space before a comment. - Forgeting the "@" for the SOA record or indenting the master - file. - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - Why are my logs in GMT (UTC). - </para> - </question> - <answer> - <para> - You are running chrooted (-t) and have not supplied local timzone - information in the chroot area. - </para> - <simplelist> - <member>FreeBSD: /etc/localtime</member> - <member>Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo</member> - <member>OSF: /etc/zoneinfo/localtime</member> - </simplelist> - <para> - See also tzset(3) and zic(8). 
- </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - I get the error message <quote>named: capset failed: Operation - not permitted</quote> when starting named. - </para> - </question> - <answer> - <para> - The capability module, part of "Linux Security Modules/LSM", - has not been loaded into the kernel. See insmod(8). - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - I get <quote>rndc: connect failed: connection refused</quote> when - I try to run rndc. - </para> - </question> - <answer> - <para> - This is usually a configuration error. - </para> - <para> - First ensure that named is running and no errors are being - reported at startup (/var/log/messages or equivalent). - Running "named -g <usual arguments>" from a title - can help at this point. - </para> - <para> - Secondly ensure that named is configured to use rndc either - by "rndc-confgen -a", rndc-confgen or manually. The - Administrators Reference manual has details on how to do - this. - </para> - <para> - Old versions of rndc-confgen used localhost rather than - 127.0.0.1 in /etc/rndc.conf for the default server. Update - /etc/rndc.conf if necessary so that the default server - listed in /etc/rndc.conf matches the addresses used in - named.conf. "localhost" has two address (127.0.0.1 and - ::1). - </para> - <para> - If you use "rndc-confgen -a" and named is running with -t or -u - ensure that /etc/rndc.conf has the correct ownership and that - a copy is in the chroot area. You can do this by re-running - "rndc-confgen -a" with appropriate -t and -u arguments. - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - I don't get RRSIG's returned when I use "dig +dnssec". - </para> - </question> - <answer> - <para> - You need to ensure DNSSEC is enabled (dnssec-enable yes;). - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - I get <quote>Error 1067</quote> when starting named under Windows. 
- </para> - </question> - <answer> - <para> - This is the service manager saying that named exited. You - need to examine the Application log in the EventViewer to - find out why. - </para> - <para> - Common causes are that you failed to create "named.conf" - (usually "C:\windows\dns\etc\named.conf") or failed to - specify the directory in named.conf. - </para> - <informalexample> - <programlisting> -options { - Directory "C:\windows\dns\etc"; -};</programlisting> - </informalexample> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - I get <quote>transfer of 'example.net/IN' from 192.168.4.12#53: - failed while receiving responses: permission denied</quote> error - messages. - </para> - </question> - <answer> - <para> - These indicate a filesystem permission error preventing - named creating / renaming the temporary file. These will - usually also have other associated error messages like - </para> - <informalexample> - <programlisting> -"dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"</programlisting> - </informalexample> - <para> - Named needs write permission on the directory containing - the file. Named writes the new cache file to a temporary - file then renames it to the name specified in named.conf - to ensure that the contents are always complete. This is - to prevent named loading a partial zone in the event of - power failure or similar interrupting the write of the - master file. - </para> - <para> - Note file names are relative to the directory specified in - options and any chroot directory ([<chroot - dir>/][<options dir>]). - </para> - <informalexample> - <para> - If named is invoked as "named -t /chroot/DNS" with - the following named.conf then "/chroot/DNS/var/named/sl" - needs to be writable by the user named is running as. 
- </para> - <programlisting> -options { - directory "/var/named"; -}; - -zone "example.net" { - type slave; - file "sl/example.net"; - masters { 192.168.4.12; }; -};</programlisting> - </informalexample> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - How do I intergrate BIND 9 and Solaris SMF - </para> - </question> - <answer> - <para> - Sun has a blog entry describing how to do this. - </para> - <para> - <ulink - url="http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris"> - http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris - </ulink> - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - Can a NS record refer to a CNAME. - </para> - </question> - <answer> - <para> - No. The rules for glue (copies of the *address* records - in the parent zones) and additional section processing do - not allow it to work. - </para> - <para> - You would have to add both the CNAME and address records - (A/AAAA) as glue to the parent zone and have CNAMEs be - followed when doing additional section processing to make - it work. No namesever implementation supports either of - these requirements. - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - What does <quote>RFC 1918 response from Internet for - 0.0.0.10.IN-ADDR.ARPA</quote> mean? - </para> - </question> - <answer> - <para> - If the IN-ADDR.ARPA name covered refers to a internal address - space you are using then you have failed to follow RFC 1918 - usage rules and are leaking queries to the Internet. You - should establish your own zones for these addresses to prevent - you quering the Internet's name servers for these addresses. - Please see <ulink url="http://as112.net/">http://as112.net/</ulink> - for details of the problems you are causing and the counter - measures that have had to be deployed. - </para> - <para> - If you are not using these private addresses then a client - has queried for them. 
You can just ignore the messages, - get the offending client to stop sending you these messages - as they are most probably leaking them or setup your own zones - empty zones to serve answers to these queries. - </para> - <informalexample> - <programlisting> -zone "10.IN-ADDR.ARPA" { - type master; - file "empty"; -}; - -zone "16.172.IN-ADDR.ARPA" { - type master; - file "empty"; -}; - -... - -zone "31.172.IN-ADDR.ARPA" { - type master; - file "empty"; -}; - -zone "168.192.IN-ADDR.ARPA" { - type master; - file "empty"; -}; - -empty: -@ 10800 IN SOA <name-of-server>. <contact-email>. ( - 1 3600 1200 604800 10800 ) -@ 10800 IN NS <name-of-server>.</programlisting> - </informalexample> - <note> - Future versions of named are likely to do this automatically. - </note> - </answer> - </qandaentry> - - </qandaset> -</article> diff --git a/usr.sbin/bind/Makefile.in b/usr.sbin/bind/Makefile.in index cecca354248..05045d9e2e6 100644 --- a/usr.sbin/bind/Makefile.in +++ b/usr.sbin/bind/Makefile.in @@ -36,7 +36,6 @@ distclean:: distclean:: rm -f config.cache config.h config.log config.status TAGS rm -f libtool isc-config.sh configure.lineno - rm -f util/conf.sh docutil/docbook2man-wrapper.sh # XXX we should clean libtool stuff too. Only do this after we add rules # to make it. diff --git a/usr.sbin/bind/README b/usr.sbin/bind/README deleted file mode 100644 index 20fd84a13e4..00000000000 --- a/usr.sbin/bind/README +++ /dev/null 
@@ -1,601 +0,0 @@ -BIND 9 - - BIND version 9 is a major rewrite of nearly all aspects of the - underlying BIND architecture. Some of the important features of - BIND 9 are: - - - DNS Security - DNSSEC (signed zones) - TSIG (signed DNS requests) - - - IP version 6 - Answers DNS queries on IPv6 sockets - IPv6 resource records (AAAA) - Experimental IPv6 Resolver Library - - - DNS Protocol Enhancements - IXFR, DDNS, Notify, EDNS0 - Improved standards conformance - - - Views - One server process can provide multiple "views" of - the DNS namespace, e.g. an "inside" view to certain - clients, and an "outside" view to others. - - - Multiprocessor Support - - - Improved Portability Architecture - - - BIND version 9 development has been underwritten by the following - organizations: - - Sun Microsystems, Inc. - Hewlett Packard - Compaq Computer Corporation - IBM - Process Software Corporation - Silicon Graphics, Inc. - Network Associates, Inc. - U.S. Defense Information Systems Agency - USENIX Association - Stichting NLnet - NLnet Foundation - Nominum, Inc. - - -BIND 9.4.2 - - BIND 9.4.2 is a maintenance release, containing fixes for - a number of bugs in 9.4.1. - - Warning: If you installed BIND 9.4.2rc1 then any applications - linked against this release candidate will need to be rebuilt. - -BIND 9.4.1 - - BIND 9.4.1 is a security release, containing a fix for - a security bugs in 9.4.0. - -BIND 9.4.0 - - BIND 9.4.0 has a number of new features over 9.3, - including: - - Implemented "additional section caching" (or "acache"), an - internal cache framework for additional section content to - improve response performance. Several configuration options - were provided to control the behavior. - - New notify type 'master-only'. Enable notify for master - zones only. - - Accept 'notify-source' style syntax for query-source. - - rndc now allows addresses to be set in the server clauses. - - New option "allow-query-cache". 
This lets allow-query be - used to specify the default zone access level rather than - having to have every zone override the global value. - allow-query-cache can be set at both the options and view - levels. If allow-query-cache is not set then allow-recursion - is used if set, otherwise allow-query is used if set, otherwise - the default (localhost; localnets;) is used. - - rndc: the source address can now be specified. - - ixfr-from-differences now takes master and slave in addition - to yes and no at the options and view levels. - - Allow the journal's name to be changed via named.conf. - - 'rndc notify zone [class [view]]' resend the NOTIFY messages - for the specified zone. - - 'dig +trace' now randomly selects the next servers to try. - Report if there is a bad delegation. - - Improve check-names error messages. - - Make public the function to read a key file, dst_key_read_public(). - - dig now returns the byte count for axfr/ixfr. - - allow-update is now settable at the options / view level. - - named-checkconf now checks the logging configuration. - - host now can turn on memory debugging flags with '-m'. - - Don't send notify messages to self. - - Perform sanity checks on NS records which refer to 'in zone' names. - - New zone option "notify-delay". Specify a minimum delay - between sets of NOTIFY messages. - - Extend adjusting TTL warning messages. - - Named and named-checkzone can now both check for non-terminal - wildcard records. - - "rndc freeze/thaw" now freezes/thaws all zones. - - named-checkconf now check acls to verify that they only - refer to existing acls. - - The server syntax has been extended to support a range of - servers. - - Report differences between hints and real NS rrset and - associated address records. - - Preserve the case of domain names in rdata during zone - transfers. 
- - Restructured the data locking framework using architecture - dependent atomic operations (when available), improving - response performance on multi-processor machines significantly. - x86, x86_64, alpha, powerpc, and mips are currently supported. - - UNIX domain controls are now supported. - - Add support for additional zone file formats for improving - loading performance. The masterfile-format option in - named.conf can be used to specify a non-default format. A - separate command named-compilezone was provided to generate - zone files in the new format. Additionally, the -I and -O - options for dnssec-signzone specify the input and output - formats. - - dnssec-signzone can now randomize signature end times - (dnssec-signzone -j jitter). - - Add support for CH A record. - - Add additional zone data consistancy checks. named-checkzone - has extended checking of NS, MX and SRV record and the hosts - they reference. named has extended post zone load checks. - New zone options: check-mx and integrity-check. - - edns-udp-size can now be overridden on a per server basis. - - dig can now specify the EDNS version when making a query. - - Added framework for handling multiple EDNS versions. - - Additional memory debugging support to track size and mctx - arguments. - - Detect duplicates of UDP queries we are recursing on and - drop them. New stats category "duplicates". - - Memory management. "USE INTERNAL MALLOC" is now runtime selectable. - - The lame cache is now done on a <qname,qclass,qtype> basis - as some servers only appear to be lame for certain query - types. - - Limit the number of recursive clients that can be waiting - for a single query (<qname,qtype,qclass>) to resolve. New - options clients-per-query and max-clients-per-query. - - dig: report the number of extra bytes still left in the - packet after processing all the records. - - Support for IPSECKEY rdata type. - - Raise the UDP receive buffer size to 32k if it is less than 32k. 
- - x86 and x86_64 now have separate atomic locking implementations. - - named-checkconf now validates update-policy entries. - - Attempt to make the amount of work performed in a iteration - self tuning. The covers nodes clean from the cache per - iteration, nodes written to disk when rewriting a master - file and nodes destroyed per iteration when destroying a - zone or a cache. - - ISC string copy API. - - Automatic empty zone creation for D.F.IP6.ARPA and friends. - Note: RFC 1918 zones are not yet covered by this but are - likely to be in a future release. - - New options: empty-server, empty-contact, empty-zones-enable - and disable-empty-zone. - - dig now has a '-q queryname' and '+showsearch' options. - - host/nslookup now continue (default)/fail on SERVFAIL. - - dig now warns if 'RA' is not set in the answer when 'RD' - was set in the query. host/nslookup skip servers that fail - to set 'RA' when 'RD' is set unless a server is explicitly - set. - - Integrate contributed DLZ code into named. - - Integrate contributed IDN code from JPNIC. - - Validate pending NS RRsets, in the authority section, prior - to returning them if it can be done without requiring DNSKEYs - to be fetched. - - It is now possible to configure named to accept expired - RRSIGs. Default "dnssec-accept-expired no;". Setting - "dnssec-accept-expired yes;" leaves named vulnerable to - replay attacks. - - Additional memory leakage checks. - - The maximum EDNS UDP response named will send can now be - set in named.conf (max-udp-size). This is independent of - the advertised receive buffer (edns-udp-size). - - Named now falls back to advertising EDNS with a 512 byte - receive buffer if the initial EDNS queries fail. - - Control the zeroing of the negative response TTL to a soa - query. Defaults "zero-no-soa-ttl yes;" and - "zero-no-soa-ttl-cache no;". - - Separate out MX and SRV to CNAME checks. - - dig/nslookup/host: warn about missing "QR". 
- - TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and - HMACSHA512 support. - - dnssec-signzone: output the SOA record as the first record - in the signed zone. - - Two new update policies. "selfsub" and "selfwild". - - dig, nslookup and host now advertise a 4096 byte EDNS UDP - buffer size by default. - - Report when a zone is removed. - - DS/DLV SHA256 digest algorithm support. - - Implement "rrset-order fixed". - - Check the KSK flag when updating a secure dynamic zone. - New zone option "update-check-ksk yes;". - - It is now possible to explicitly enable DNSSEC validation. - default dnssec-validation no; to be changed to yes in 9.5.0. - - It is now possible to enable/disable DNSSEC validation - from rndc. This is useful for the mobile hosts where the - current connection point breaks DNSSEC (firewall/proxy). - - rndc validation newstate [view] - - dnssec-signzone can now update the SOA record of the signed - zone, either as an increment or as the system time(). - - Statistics about acache now recorded and sent to log. - - libbind: corresponds to that from BIND 8.4.7. - -BIND 9.3.0 - - BIND 9.3.0 has a number of new features over 9.2, - including: - - DNSSEC is now DS based (RFC 3658). - See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*. - - DNSSEC lookaside validation. - - check-names is now implemented. - rrset-order in more complete. - - IPv4/IPv6 transition support, dual-stack-servers. - - IXFR deltas can now be generated when loading master files, - ixfr-from-differences. - - It is now possible to specify the size of a journal, max-journal-size. - - It is now possible to define a named set of master servers to be - used in masters clause, masters. - - The advertised EDNS UDP size can now be set, edns-udp-size. - - allow-v6-synthesis has been obsoleted. - - NOTE: - * Zones containing MD and MF will now be rejected. - * dig, nslookup name. now report "Not Implemented" as - NOTIMP rather than NOTIMPL. 
This will have impact on scripts - that are looking for NOTIMPL. - - libbind: corresponds to that from BIND 8.4.5. - -BIND 9.2.0 - - BIND 9.2.0 has a number of new features over 9.1, - including: - - - The size of the cache can now be limited using the - "max-cache-size" option. - - - The server can now automatically convert RFC1886-style - recursive lookup requests into RFC2874-style lookups, - when enabled using the new option "allow-v6-synthesis". - This allows stub resolvers that support AAAA records - but not A6 record chains or binary labels to perform - lookups in domains that make use of these IPv6 DNS - features. - - - Performance has been improved. - - - The man pages now use the more portable "man" macros - rather than the "mandoc" macros, and are installed - by "make install". - - - The named.conf parser has been completely rewritten. - It now supports "include" directives in more - places such as inside "view" statements, and it no - longer has any reserved words. - - - The "rndc status" command is now implemented. - - - rndc can now be configured automatically. - - - A BIND 8 compatible stub resolver library is now - included in lib/bind. - - - OpenSSL has been removed from the distribution. This - means that to use DNSSEC, OpenSSL must be installed and - the --with-openssl option must be supplied to configure. - This does not apply to the use of TSIG, which does not - require OpenSSL. - - - The source distribution now builds on Windows NT/2000. - See win32utils/readme1.txt and win32utils/win32-build.txt - for details. - - This distribution also includes a new lightweight stub - resolver library and associated resolver daemon that fully - support forward and reverse lookups of both IPv4 and IPv6 - addresses. This library is considered experimental and - is not a complete replacement for the BIND 8 resolver library. 
- Applications that use the BIND 8 res_* functions to perform - DNS lookups or dynamic updates still need to be linked against - the BIND 8 libraries. For DNS lookups, they can also use the - new "getrrsetbyname()" API. - - BIND 9.2 is capable of acting as an authoritative server - for DNSSEC secured zones. This functionality is believed to - be stable and complete except for lacking support for - verifications involving wildcard records in secure zones. - - When acting as a caching server, BIND 9.2 can be configured - to perform DNSSEC secure resolution on behalf of its clients. - This part of the DNSSEC implementation is still considered - experimental. For detailed information about the state of the - DNSSEC implementation, see the file doc/misc/dnssec. - - There are a few known bugs: - - On some systems, IPv6 and IPv4 sockets interact in - unexpected ways. For details, see doc/misc/ipv6. - To reduce the impact of these problems, the server - no longer listens for requests on IPv6 addresses - by default. If you need to accept DNS queries over - IPv6, you must specify "listen-on-v6 { any; };" - in the named.conf options statement. - - FreeBSD prior to 4.2 (and 4.2 if running as non-root) - and OpenBSD prior to 2.8 log messages like - "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device". - This is due to a bug in "/dev/random" and impacts the - server's DNSSEC support. - - OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and - OS X 10.2 (Darwin 6.0) reports errors like - "fcntl(3, F_SETFL, 4): Operation not supported by device". - This is due to a bug in "/dev/random" and impacts the - server's DNSSEC support. - - --with-libtool does not work on AIX. - - --with-libtool does not work on SunOS 4. configure - requires "printf" which is not available. - - A bug in the Windows 2000 DNS server can cause zone transfers - from a BIND 9 server to a W2K server to fail. For details, - see the "Zone Transfers" section in doc/misc/migration. 
- - For a detailed list of user-visible changes from - previous releases, see the CHANGES file. - - -Building - - BIND 9 currently requires a UNIX system with an ANSI C compiler, - basic POSIX support, and a 64 bit integer type. - - We've had successful builds and tests on the following systems: - - COMPAQ Tru64 UNIX 5.1B - FreeBSD 4.10, 5.2.1, 6.2 - HP-UX 11.11 - NetBSD 1.5 - Slackware Linux 8.1 - Solaris 8, 9, 9 (x86) - Windows NT/2000/XP/2003 - - Additionally, we have unverified reports of success building - previous versions of BIND 9 from users of the following systems: - - AIX 5L - SuSE Linux 7.0 - Slackware Linux 7.x, 8.0 - Red Hat Linux 7.1 - Debian GNU/Linux 2.2 and 3.0 - Mandrake 8.1 - OpenBSD 2.6, 2.8, 2.9, 3.1, 3.6, 3.8 - UnixWare 7.1.1 - HP-UX 10.20 - BSD/OS 4.2 - Mac OS X 10.1, 10.3.8 - - To build, just - - ./configure - make - - Do not use a parallel "make". - - Several environment variables that can be set before running - configure will affect compilation: - - CC - The C compiler to use. configure tries to figure - out the right one for supported systems. - - CFLAGS - C compiler flags. Defaults to include -g and/or -O2 - as supported by the compiler. - - STD_CINCLUDES - System header file directories. Can be used to specify - where add-on thread or IPv6 support is, for example. - Defaults to empty string. - - STD_CDEFINES - Any additional preprocessor symbols you want defined. - Defaults to empty string. - - Possible settings: - Change the default syslog facility of named/lwresd. - -DISC_FACILITY=LOG_LOCAL0 - Enable DNSSEC signature chasing support in dig. - -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and - -DDIG_SIGCHASE_BU=1) - Disable dropping queries from particular well known ports. - -DNS_CLIENT_DROPPORT=0 - Disable support for "rrset-order fixed". - -DDNS_RDATASET_FIXED=0 - - LDFLAGS - Linker flags. Defaults to empty string. - - The following need to be set when cross compiling. - - BUILD_CC - The native C compiler. 
- BUILD_CFLAGS (optional) - BUILD_CPPFLAGS (optional) - Possible Settings: - -DNEED_OPTARG=1 (optarg is not declared in <unistd.h>) - BUILD_LDFLAGS (optional) - BUILD_LIBS (optional) - - To build shared libraries, specify "--with-libtool" on the - configure command line. - - For the server to support DNSSEC, you need to build it - with crypto support. You must have OpenSSL 0.9.5a - or newer installed and specify "--with-openssl" on the - configure command line. If OpenSSL is installed under - a nonstandard prefix, you can tell configure where to - look for it using "--with-openssl=/prefix". - - To build libbind (the BIND 8 resolver library), specify - "--enable-libbind" on the configure command line. - - On some platforms, BIND 9 can be built with multithreading - support, allowing it to take advantage of multiple CPUs. - You can specify whether to build a multithreaded BIND 9 - by specifying "--enable-threads" or "--disable-threads" - on the configure command line. The default is operating - system dependent. - - If your operating system has integrated support for IPv6, it - will be used automatically. If you have installed KAME IPv6 - separately, use "--with-kame[=PATH]" to specify its location. - - "make install" will install "named" and the various BIND 9 libraries. - By default, installation is into /usr/local, but this can be changed - with the "--prefix" option when running "configure". - - You may specify the option "--sysconfdir" to set the directory - where configuration files like "named.conf" go by default, - and "--localstatedir" to set the default parent directory - of "run/named.pid". For backwards compatibility with BIND 8, - --sysconfdir defaults to "/etc" and --localstatedir defaults to - "/var" if no --prefix option is given. If there is a --prefix - option, sysconfdir defaults to "$prefix/etc" and localstatedir - defaults to "$prefix/var". - - To see additional configure options, run "configure --help". 
- Note that the help message does not reflect the BIND 8 - compatibility defaults for sysconfdir and localstatedir. - - If you're planning on making changes to the BIND 9 source, you - should also "make depend". If you're using Emacs, you might find - "make tags" helpful. - - If you need to re-run configure please run "make distclean" first. - This will ensure that all the option changes take. - - Building with gcc is not supported, unless gcc is the vendor's usual - compiler (e.g. the various BSD systems, Linux). - - Known compiler issues: - * gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86. - * gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02. - * gcc-3.3.5 powerpc generates incorrect code at -02. - * Irix, MipsPRO 7.4.1m is known to cause problems. - - A limited test suite can be run with "make test". Many of - the tests require you to configure a set of virtual IP addresses - on your system, and some require Perl; see bin/tests/system/README - for details. - - -Documentation - - The BIND 9 Administrator Reference Manual is included with the - source distribution in DocBook XML and HTML format, in the - doc/arm directory. - - Some of the programs in the BIND 9 distribution have man pages - in their directories. In particular, the command line - options of "named" are documented in /bin/named/named.8. - There is now also a set of man pages for the lwres library. - - If you are upgrading from BIND 8, please read the migration - notes in doc/misc/migration. If you are upgrading from - BIND 4, read doc/misc/migration-4to9. - - Frequently asked questions and their answers can be found in - FAQ. 
- - -Bug Reports and Mailing Lists - - Bugs reports should be sent to - - bind9-bugs@isc.org - - To join the BIND Users mailing list, send mail to - - bind-users-request@isc.org - - archives of which can be found via - - http://www.isc.org/ops/lists/ - - If you're planning on making changes to the BIND 9 source - code, you might want to join the BIND Forum as a Worker. - This gives you access to the bind-workers@isc.org mailing - list and pre-release access to the code. - - http://www.isc.org/sw/guild/bf/ diff --git a/usr.sbin/bind/README.OpenBSD b/usr.sbin/bind/README.OpenBSD deleted file mode 100644 index 4678058cd5e..00000000000 --- a/usr.sbin/bind/README.OpenBSD +++ /dev/null @@ -1,16 +0,0 @@ -$OpenBSD: README.OpenBSD,v 1.10 2009/08/16 13:17:24 stsp Exp $ - -additional features - -- write pid-file before chroot -- privilege separation for binding to privileged ports from within chroot -- add 64K entry shuffle (somewhat like Fisher-Yates) implementation to libisc -- use shuffle instead of LFSR for ID generation -- strlcpy/strlcat/snprintf fixes -- parse "nameserver [host]:port" syntax in /etc/resolv.conf - -default parameter changes - -- chroot to /var/named by default -- setuid to user named by default -- listen to IPv6 interfaces by default diff --git a/usr.sbin/bind/docutil/HTML_COPYRIGHT b/usr.sbin/bind/docutil/HTML_COPYRIGHT deleted file mode 100644 index e610f542f15..00000000000 --- a/usr.sbin/bind/docutil/HTML_COPYRIGHT +++ /dev/null 
@@ -1,16 +0,0 @@ -<!-- - - Copyright (C) 2000, 2001 Internet Software Consortium. - - - - Permission to use, copy, modify, and distribute this software for any - - purpose with or without fee is hereby granted, provided that the above - - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ---> diff --git a/usr.sbin/bind/docutil/MAN_COPYRIGHT b/usr.sbin/bind/docutil/MAN_COPYRIGHT deleted file mode 100644 index a2f01431380..00000000000 --- a/usr.sbin/bind/docutil/MAN_COPYRIGHT +++ /dev/null @@ -1,16 +0,0 @@ -.\" -.\" Copyright (C) 2000, 2001 Internet Software Consortium. -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" |
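Review bot: In the usr.sbin/bind/Makefile.in hunk (`@@ -36,7 +36,6 @@ distclean::`), dropping `rm -f util/conf.sh docutil/docbook2man-wrapper.sh` is only safe if configure no longer generates either file, and nothing in this diff shows that. Please confirm that neither path is still listed as a configure output. If one is, distclean will leave a stale generated script in the tree and the line should stay for that file. The `# XXX we should clean libtool stuff too` comment kept as context also looks out of date, since the target already removes `libtool` two lines above it, so it could be dropped in the same cleanup.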
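Review bot: Deleting usr.sbin/bind/README.OpenBSD (`@@ -1,16 +0,0 @@`) removes the list of local deviations from upstream BIND, and several entries are security-relevant: "privilege separation for binding to privileged ports from within chroot", "use shuffle instead of LFSR for ID generation", and the defaults "chroot to /var/named" and "setuid to user named". The commit message calls these bits "not necessary" but does not say where that information lives afterwards. If the local changes themselves remain in the tree, consider keeping this file, or name in the commit message the place that now documents them, so someone auditing the differences against upstream can still find the hardening changes and changed defaults.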